add flag to make a VM read-only in the Qube Manager and "Qube Settings" #8075
Labels: C: core, C: manager/widget, P: default, ux

The problem you're addressing (if any)

A VM marked `internal` can still be reconfigured via its "Qube Settings" menu entry. #8042 would make these `internal` VMs either (a) filterable or (b) hidden by default in the Qube Manager, but presumably the per-VM "Qube Settings" menu entries would still be available.

In addition, per #8042 (comment), it's not obvious whether the `internal` flag is intended to be used by non-system VMs.

The solution you'd like

An extra `qvm-features` feature like `not-gui-editable` that both:

- makes a VM read-only in the Qube Manager and Qubes Template Manager, if Add option to hide 'internal' qubes in qube manager #8042 still lets users filter for VMs with `internal=1`; and
- hides and/or makes read-only the VM's "Qube Settings" application.

A VM with `not-gui-editable=1` would still be configurable via `qvm-prefs`, `qvm-features`, etc. at the command line, but not via any (official) Qubes GUI tool. The existing `internal` feature would remain unchanged per #8042.

The value to a user, and who that user might be

As in #8042 (comment), we (@freedomofpress) want to prevent users from being able to reconfigure SecureDrop Workstation‒provisioned VMs in the Qube Manager or any "Qube Settings" menu entry, for example by selecting a kernel other than the grsec-hardened one we provide.
More broadly, this provides developers, packagers, and administrators a feature for protecting applications like the SecureDrop Workstation that are "Qubes-native", in that VMs are managed by custom means and don't necessarily have normal Qubes entry-points (menu entries) for starting applications manually.
Cc: @eaon