Do not allow to rename VMs directly #2868

Closed
marmarek opened this issue Jun 26, 2017 · 3 comments
Labels: C: core, P: major, r4.0-dom0-cur-test, T: enhancement

@marmarek
Member

In Qubes 4.0 we want to forbid changing the VM name property. This is mostly because the VM name is used in Qubes RPC policy as an identifier, so renaming a VM can have severe security consequences. This is especially important when such an operation could be performed by a semi-trusted Management VM (through the Admin API).

In practice changing VM name will still be possible, in two steps:

  1. Clone VM under new name (thanks to LVM, this operation is fast)
  2. Remove old VM

marmarek added the C: core, T: enhancement and P: major labels Jun 26, 2017
marmarek added this to the Release 4.0 milestone Jun 26, 2017
marmarek self-assigned this Jun 26, 2017

@jpouellet
Contributor

Are the initial and final system states as a result of "rename" vs. "clone & remove" different? How?

Are mgmt/admin VMs somehow restricted from performing the latter?

I believe I understand the underlying security motivation, but I do not see what is gained by only disallowing vm name change while clone & rm is still possible.

@marmarek
Member Author

Yes, the Mgmt VM needs permission to manage both the "old" and "new" VMs. If it's limited to setting only a few properties, it can't perform a full clone. For example, if you don't allow it to add new tags to a VM, the new VM will not have those tags set (it's up to the Mgmt VM what to do: either ignore the error, or abort the operation).
As for the security aspect, this is mostly because we use VM names to reference VMs, for example in qrexec policy, in the created-by-* tag etc. If you consider VM rename, those things can easily end up out of sync, so in many cases you'd block VM rename anyway.

Also, renaming a VM has a lot of corner cases (technically-wise), for example tracking a VM rename over the Admin API is tricky. A new VM has a new UUID, so it's easy to detect remove & create.
Even in a personal system (with the user having full control) this is sometimes tricky, like the application menu being out of sync, or Qubes Manager not noticing a renamed VM.
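
Added example, not part of the thread and not Qubes code: a simplified Python model of the point in the comment above, where policy rules reference VMs by name while each VM also has a UUID. The three-field rule format, the constructed `POLICY` sample and all function names are assumptions made for illustration.

```python
import uuid

# Simplified model, not Qubes code: rules are "source target action" lines
# keyed by VM name, and the inventory maps each VM name to its UUID.
POLICY = """\
# constructed sample rules for one RPC service
work vault allow
$anyvm $anyvm deny
"""

def parse_policy(text):
    """Return (source, target, action) tuples, skipping blanks and comments."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3:
            rules.append(tuple(fields[:3]))
    return rules

def dangling_names(rules, inventory):
    """VM names used in policy that no VM currently carries."""
    used = {n for src, dst, _ in rules for n in (src, dst)
            if not n.startswith(("$", "@"))}  # skip keywords such as $anyvm
    return sorted(used - set(inventory))

def rename(inventory, old, new):
    """Direct rename: same VM (same UUID), new name; policy is untouched."""
    inventory[new] = inventory.pop(old)

def clone_and_remove(inventory, old, new):
    """The two-step replacement: the clone is a new VM with a new UUID."""
    inventory[new] = uuid.uuid4()
    del inventory[old]

def uuid_diff(before, after):
    """What an observer comparing UUID sets sees between two snapshots."""
    b, a = set(before.values()), set(after.values())
    return {"created": len(a - b), "removed": len(b - a)}

if __name__ == "__main__":
    rules = parse_policy(POLICY)
    base = {"work": uuid.uuid4(), "vault": uuid.uuid4()}
    renamed, cloned = dict(base), dict(base)
    rename(renamed, "work", "work-old")
    clone_and_remove(cloned, "work", "work-old")
    print(dangling_names(rules, renamed), uuid_diff(base, renamed))
    print(dangling_names(rules, cloned), uuid_diff(base, cloned))
```

In this model both paths leave the `work` rule pointing at a name no VM carries, but only clone and remove shows up as one created and one removed UUID; the direct rename changes nothing an observer tracking UUIDs can see.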

marmarek added a commit to marmarek/qubes-core-admin that referenced this issue Jul 4, 2017
Since VM name is immutable now, drop rename-related methods.

QubesOS/qubes-issues#2868
marmarek added a commit to marmarek/qubes-core-admin that referenced this issue Jul 4, 2017
Since VM name is immutable, rename method can be dropped from storage
API.

QubesOS/qubes-issues#2868
@qubesos-bot

Automated announcement from builder-github

The package qubes-core-dom0-4.0.1-1.fc25 has been pushed to the r4.0 testing repository for dom0.
To test this update, please install it with the following command:

sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing

Changes included in this update
