|
|
@@ -7,9 +7,11 @@ $anyvm $dispvm allow
|
|
|
$anyvm $anyvm deny
|
|
|
|
|
|
# WARNING: The qubes.VMShell service is dangerous and there are really few
|
|
|
-# cases when it could be safely used. Allowing one VM to execute qubes.VMShell
|
|
|
-# over the other VM allows the former to TAKE FULL CONTROL over the later. In
|
|
|
-# most cases this is not what we want!
|
|
|
+# cases when it could be safely used. Especially when policy set to "ask" you
|
|
|
+# have no way to know for sure what command(s) will be called. Compromissed
|
|
|
+# source VM can substitute the command. Allowing one VM to execute
|
|
|
+# qubes.VMShell over the other VM allows the former to TAKE FULL CONTROL over
|
|
|
+# the later. In most cases this is not what we want!
|
|
|
#
|
|
|
# Instead we should be using task-specific qrexec services which provide
|
|
|
# assurance as to what program will be responding to the (untrusted) VM
|
Marek Marczykowski-Górecki