Wipe VM Clipboards With a Trigger?

Howdy,

At the moment when we use Ctrl+Shift+v the notification we receive is:

Qubes Clipboard
Qubes Clipboard has been copied to the VM and wiped…”

Which I believe means that Dom0 clipboard is wiped. Not the original outgoing VM, nor the receiving VM.

What I would like to learn how to configure is when certain steps of the Copy & Paste sequence between VMs are completed, for that to trigger a countdown timer that will automatically wipe the outgoing and incoming VM clipboard.

Time Trigger Example:

  1. (vm1) Ctrl+c: Bytes copied to vm1 clipboard, and 30 second wipe timer begins for vm1 clipboard;
    if Ctrl+c is used again in vm1 before 30 seconds has elapsed, it will wipe the previously copied bytes and replace with new.

  2. (vm1) Ctrl+Shift+c: Bytes transferred from vm1 clipboard to Qubes Clipboard.

  3. (vm2) Ctrl+Shift+v: Bytes transferred from Qubes Clipboard to vm2 clipboard, and immediately wipe Qubes Clipboard (already happens).

  4. (vm2) Ctrl+v: Bytes pasted from vm2 clipboard, and 30 second wipe timer begins for vm2 clipboard;
    if Ctrl+Shift+v is used again to transfer bytes from Qubes Clipboard to vm2 clipboard before 30 seconds has elapsed, it will wipe the previously copied bytes in vm2 clipboard and replace with new.

1 Like

Not the solution you asked for, but I’ve resorted to using yet another key combination to clear the clipboard within a VM. If you install xsel in your templates, xsel -b -c can be used to clear the clipboard. xclip is an alternative.

From dom0, I get the active window, figure out the qube since the window will have a _QUBES_VMNAME X property, and execute:

qvm-run --no-gui VM "xsel -b -c"

Put those sequence of commands in a script, assign the script a window manager keyboard shortcut and clearing the VM clipboard is one keypress (like ctrl+shift+x).

So copy/pasting from KeePassXC to a target VM is:

  1. [vault] ctrl+c
  2. [vault] ctrl+shift+c
  3. [target] ctrl+shift+v
  4. [target] ctrl+v
  5. [target] ctrl+shift+x

If the source VM doesn’t clear the clipboard after a timeout, I could just refocus source VM window and ctrl+shift+x in there.

Example: Feature Request: Single-click NetVM Disable/Enable · Issue #4834 · QubesOS/qubes-issues · GitHub

2 Likes

That comment from Mar 7 by donob4n would be great:

Why don’t just clear with a delay after copying? Generally, users copy something with the immediate intention of paste it somewhere. Copy is like a requirement for the act of paste. If they don’t do it in a reasonable interval of time it is very likely that they abandoned their objective and after some minutes they probably even forgot that they had something copied.

This would also void mistakes with inter-qube copy/pastes. If the user forgets the special combination, he will have more chances of paste nothing than something wrong.

Seems a bit of a pain & mildly concerning that the best answer is another program needs to be installed across multiple templates to accomplish this.

For now it seems this is a good option for accomplishing what I need, due to the limitation of what we have available to us in the toolbox. Thank you Ice.

However, before I go that route does anyone know the specifics of how the clipboard manages bytes; if I simply select something random to copy in ”vm2”, will that erase the previous content from vm2’s clipboard to a state that’s not retrievable? Or is there some persistence in clipboard history?

Example:

  1. Paste password on login page
  2. Copy the word ”Username” above it’s related text box field.

Result: wiped secret, replaced with nothing important

1 Like

Yes this accomplishes the same thing; overwrite the clipboard with something benign, or clear it.

1 Like

One additional note - I wouldn’t say this is the “best” answer…it was the most convenient for me. It also isn’t necessarily an ideal solution, as dom0 is simply executing arbitrary code inside the VM which might be frowned upon if we look at dom0 as the abstract “AdminVM”.

There may also be information leaks (for example, traces of the action performed in ~/.xsession-errors if all output is not captured).

(Forum migration-related) bumping this thread so that unman can hopefully respond via email again

1 Like

Lost in the mystery of the move:

One additional note - I wouldn’t say this is the “best” answer…it was the most convenient for me. It also isn’t necessarily an ideal solution, as dom0 is simply executing arbitrary code inside the VM which might be frowned upon if we look at dom0 as the abstract “AdminVM”.

There may also be information leaks (for example, traces of the action performed in ~/.xsession-errors if all output is not captured).

I don’t think this is necessarily concerning. Many answers require another
program to be installed. Where is the problem in that? You are already
trusting the source of these programs.
Or is it the “multiple templates” that’s the issue?
You can script this or (better) use salt to automate the installs in the
templates.

xclip is indeed a good alternative.
printf "" |xclip -selection clipboard will remove the clipboard.
You could save this in a script in the template, and then trigger it on
a perVM basis with a keyboard shortcut.

@unman

I don’t think this is necessarily concerning.

Qubes’ focus is security. Full stop.

When interacting with the OS, we have specific procedures protecting the user. Literally the most basic operations require you to essentially ‘consent’ to avoid accidental self-compromise. For instance:

  • Plug in USB thingamajig?
  • YOU SHALL NOT PASS (unless I give it a single-use key and escort it to the room and reserve the right to throw it out the window if my socks don’t match )

”Qubes is designed with the understanding that people make mistakes, and it allows you to protect yourself from your own mistakes.”

[Source: Introduction | Qubes OS ]

Therefore, by ”mildly concerning” (those 2 words were me being gentle) I mean that this is a glaring oversight that could Super-F-Up someone’s security resulting in a category 6 shiticane.

Or to be fair, they could accidentally search for
”gold booty shorts” when trying to show their boss the spec sheet for a better radio for their physical security op.

Ever watch Star Wars A New Hope?
SPOILER WARNING:

-\

This is akin to being Bevel Leme-something, who designed the thermal exhaust port on the death star.

(Extended Universe ftw!)

Sorry, I misunderstood.
What you said was that it was mildly concerning that another
program needs to be installed: this was the point I addressed.
That doesn’t seem to be what you meant.

Qubes focusses on providing security by compartmentalization. In general
it doesn’t change guest distros.
The mistake that Qubes guards against is pasting to the wrong qube.
(You can enhance the key combo by using a dialog, but this is not
standard Qubes.)
Otherwise you are in the same position as in a normal install of the
core distros, where the clipboard isn’t cleared after use.

If you are concerned about this, and you obviously are, and you don’t
want the simplicity of the scripts that have been put forward, you might
like to look at diodon, a clipboard manager which allows for clearing
the clipboard. I cant endorse this because there is a major bug whereby
data is retained in the database, but once this is fixed it may serve
your purposes.
There’s also xfce-clipman, and (probably) a host of other programs that
you could investigate.

On your original question, you could start by looking at the source in
gui-agent-linux/gui-agent/vmside.c - you can see where the paste event
occurs, so I think it would be possible to put a timer in there to clear
in the VM after pasting.
That said, I often keep stuff hanging about after copying, and then
paste it a number of times. I doubt I’m alone in this.

I haven’t seen Star Wars A New Hope.

Well in part that is the problem, it requires user intervention for a flaw that appears simple. I’m going to assume that it’s difficult for dev implementation or something…

Actually, I’m not that concerned about it for myself, and I was about to submit a ”post nap time edit” that said:

Once a user is familiar with Qubes they may form a solution. My point is that it’s of flawed (shit) design and could negatively affect new users in an off-putting way. It makes me think of a simple misaligned strike plate type of flaw.

This next part after quote was written before the edit of the 2 previous sentences.

On your original question, you could start by looking at the source in
gui-agent-linux/gui-agent/vmside.c - you can see where the paste event
occurs, so I think it would be possible to put a timer in there to clear
in the VM after pasting.

Excuse me while I pursue hopefully learning something thing new.

I haven’t seen Star Wars A New Hope.

Well, May 4th has already passed, but July 4th is soon. Watch the original trilogy!