Status bar security issue

Question

Status bar security issue

Closed this issue 8 years ago · 6 comments

About the status bar: We have to be very careful with everything which calls 'qvm-run -p'. This allows a potential vm breakout. Maybe we should deactivate the network status by default?

Maybe there are other ways to sanitize the qvm-run -p output?

ping @marmarek

Answer 1 · 2016-05-24T16:37:09.000Z

Yes, this is why I didn't want this in there and why there are two warnings on my blog. :p We could sanitize it, but as you know, my vote is on not including it in the first place. It's useless information that's already given by nm-applet for every netvm/proxy. We could sanitize it, but in my opinion it's not worth risking it just to show an ip/ssid that you already know.

Answer 2 · 2016-05-24T16:40:16.000Z

Lets not include it since it could potentially break the security model. But the other status infos are fine.

Answer 3 · 2016-05-24T16:41:38.000Z

I will redo the thing. I'm also not happy with the active qubes and the disk being there but not memory. Any other suggestions on other stats that we might want to show that are more useful?

Answer 4 · 2016-05-24T16:43:04.000Z

Memory always shows 99% for me. I like the active qubes :)

I am fine with the rest of the stats. We only shouldn't do any "qvm-run -p"

Answer 5 · 2016-05-24T16:53:27.000Z

What are your total_memory and free_memory?

Answer 6 · 2016-05-24T16:55:18.000Z

8G, ~60M free