Qubes/core-admin
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Make DispVMs started from a DispVM to use the same DVM template by default

Browse Source 
If a specific DVM template is used for given DispVM, make new DispVMs
called from it use the same DVM template (unless explicitly overridden).
This prevent various isolation bypass cases, like using a chain of
DispVMs to access network.
This commit is contained in:
Marek Marczykowski-Górecki 2019-02-18 19:25:26 +01:00
parent 322306ec65
commit 8962452502
No known key found for this signature in database
GPG Key ID: 063938BA42CFA724
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
qubes/vm/dispvm.py
View File

@ -45,6 +45,12 @@ class DispVM(qubes.vm.qubesvm.QubesVM):
default=(lambda self: not self.auto_cleanup), default=(lambda self: not self.auto_cleanup),
doc='If this domain is to be included in default backup.') doc='If this domain is to be included in default backup.')
default_dispvm = qubes.VMProperty('default_dispvm',
load_stage=4,
allow_none=True,
default=(lambda self: self.template),
doc='Default VM to be used as Disposable VM for service calls.')
def __init__(self, app, xml, *args, **kwargs): def __init__(self, app, xml, *args, **kwargs):
self.volume_config = { self.volume_config = {
'root': { 'root': {