Hi,
The Qubes global config manager allows restricting individual qubes from accepting USB devices.
I would like to disallow any qube tagged “internal” from accepting any USB devices, but the GUI does not offer me that option.
Does anybody know where the config file for the policy is so I can edit it manually?
I was unable to find it in the usual location (by setting a qube with a unique name in the exceptions and grepping for all files in the config location with that name in them).
Edit a policy with Qubes Policy Editor. Tell me if the following isn’t already in this page but instead of editing the policy file, a better solution would be to add a new file with a higher priority.
2 Likes
The device attachment policy is stored in the devices_denied property of the specific VM:
$ qvm-prefs VMNAME devices_denied
I don’t think that’s possible.
2 Likes
Hi parulin,
thank you for your help. I am aware of the policy editor and went through all policies it can open, but I am not seeing any lines in any file corresponding to the “no devices for this qube” rule from the global config editor.
Thank you! I thought this is probably saved like a policy.
That was the information I am looking for. So my plan will not work with tags, so I will hack together a bash script setting the qvm-prefs of the qubes or drop the goal.
1 Like
Sorry, I answered to the “policy” part without checking that an actual policy exists. If I can try to be helpful, are you talking about a custom internal tag, or the internal feature? I don’t think policies can target a feature anyway.
You can also use salt to achieve the same result.
Thanks parulin,
I do pentests professionally from Qubes, so I have the kinda untrusted YOLO pentest qubes, and a corresponding reporting qube with the internal VPN per project and many restrictions on what software is allowed. The latter one has my made-up “internal” tag, like all other VMs in this security context.
This tag is just there so I can target the whole qubes group in my qubes policies. (No clipboard from “internal” qubes to qubes without that tag, for example.)
I plan on giving a demonstration and short talk about Qubes and my specific setup in my organization and show some possible hardening (that my colleagues just cannot implement with their hypervisor setups easily :P).
Regarding salt: I heard that salt is rotting away and my plan is to learn ansible now that the integration is in the normal repo.
To solve another problem: pentest-qube-1 should only be able to transfer files to reporting-qube-1 but not reporting-qube-2. So tags won't work; I need dynamic qrexec policies that I plan to create with Ansible. At this moment any pentest qube can transfer to any reporting qube by using tags.
1 Like
There is a way, but a bit more complicated, requires writing in Python a core-admin extension.
Just to test the possibility, I edited /usr/lib/python3.13/site-packages/qubes/ext/block.py:
On device-pre-attach:block handler on_device_pre_attached_block(), I added:
if "internal" in vm.tags:
    raise qubes.exc.QubesException("Blocked because of 'internal' tag")
and restarted qubesd:
systemctl restart qubesd
And got the exception when trying to attach via block device. Note this does not prevent attaching via other means of storage, such as whole USB device. I think that it works with other device classes also, if you add the proper handler.
Note that I edited the file in place instead of adding another extension; you should add another extension.
3 Likes
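As an added example (not code from this thread or from Qubes OS itself), here is what the same check could look like as a separate core-admin extension rather than an in-place edit of block.py. The handler signature (vm, event, device, options), the per-class "device-pre-attach:<class>" event names beyond block, and the entry-point registration are assumptions drawn from how block.py is described above.

```python
# Added example (not from the thread or from Qubes OS): a standalone qubesd
# extension that denies device attachment to qubes tagged "internal",
# instead of patching qubes/ext/block.py in place.
# Assumptions: handler signature (vm, event, device, options) as in block.py,
# a "device-pre-attach:<class>" event per device class, and registration via
# a "qubes.ext" setuptools entry point in the package's setup.py.
try:
    import qubes.exc
    import qubes.ext
except ImportError:  # allows importing/testing the pure logic outside dom0
    qubes = None

DENY_TAG = "internal"
# Device classes to guard; each fires its own device-pre-attach:<class> event.
# "block" is confirmed by the thread; the others are assumed to follow the same scheme.
DEVICE_CLASSES = ("block", "usb", "pci", "mic")


def deny_reason(tags, event):
    """Return a denial message for this attach event, or None if allowed.

    tags:  the qube's tag collection (anything supporting `in`)
    event: the fired event name, e.g. "device-pre-attach:block"
    """
    device_class = event.rsplit(":", 1)[-1]
    if DENY_TAG in tags and device_class in DEVICE_CLASSES:
        return (f"Blocked: '{device_class}' device attach denied for "
                f"'{DENY_TAG}'-tagged qube")
    return None


if qubes is not None:

    class DenyTaggedDevices(qubes.ext.Extension):
        """Pre-attach hook: raising here aborts the attach for the guarded classes."""

        @qubes.ext.handler(*("device-pre-attach:" + c for c in DEVICE_CLASSES))
        def on_device_pre_attach(self, vm, event, device, options):
            reason = deny_reason(vm.tags, event)
            if reason is not None:
                vm.log.warning("%s (%s)", reason, device)  # visible in qubesd journal
                raise qubes.exc.QubesException(reason)

# Assumed packaging (setup.py of the extension's own package):
#   entry_points={"qubes.ext": ["deny_tagged = deny_tagged:DenyTaggedDevices"]}
# then, as in the thread: sudo systemctl restart qubesd
```

Because the check runs inside qubesd, it applies regardless of which tool (GUI, qvm-block, qvm-usb) requests the attach, which is what makes it preferable to a client-side script.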