mirage/qubes-mirage-firewall

Running tar in dom0 with domU input

marmot1791 opened this issue · 2 comments

The suggested instructions invoke tar in dom0 using untrusted input from either the domain where mirage firewall is built or the downloaded mirage firewall binary. This seems unwise.

While we're placing a lot of trust in whatever domain is used to build the mirage-firewall, I don't think mirage-firewall actually does anything else that allows it to control the execution of code in dom0. Shouldn't the correct procedure be to untar the 3 files in the builder/downloader domain and then copy them individually to dom0?
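The procedure suggested above (untar in the builder qube, then move each file into dom0 separately) as an added shell example. This is not code from the issue or from the mirage-firewall project. It assumes the builder qube is named `dev`, that the tarball was already unpacked into `~/mirage-firewall` inside it, and that the three files are the ones Qubes expects in a `vm-kernels` directory (`vmlinuz`, `initramfs`, `modules.img`); `SRC_LOCAL_DIR` is an offline test hook, not Qubes tooling. dom0 decides every file name, destination path and permission bit; the only thing that crosses the qube boundary is file content, streamed over `qvm-run --pass-io`, so no archive parser ever runs in dom0 on domU-controlled input.

```shell
#!/bin/sh
# Added example (not from the issue or the mirage-firewall project): copy the
# already-unpacked mirage-firewall kernel files from the builder qube into
# dom0 one at a time, bytes only. dom0 chooses the names, the destination and
# the permissions; the qube never gets to run tar (or anything else) in dom0.
#
# Assumptions: builder qube "dev", files untarred into ~/mirage-firewall there,
# and the three files are vmlinuz, initramfs and modules.img. Run as root in dom0.

SRC_VM="${SRC_VM:-dev}"
SRC_DIR="${SRC_DIR:-mirage-firewall}"
DEST_DIR="${DEST_DIR:-/var/lib/qubes/vm-kernels/mirage-firewall}"

# Fixed allowlist: nothing the qube sends can add, rename or relocate a file.
FILES="vmlinuz initramfs modules.img"

# fetch_file NAME: write one file's bytes to stdout. qvm-run --pass-io joins
# the qube's stdout to ours and nothing else, so only content crosses over.
# SRC_LOCAL_DIR is an offline hook for testing outside Qubes (assumption).
fetch_file() {
    if [ -n "${SRC_LOCAL_DIR:-}" ]; then
        cat -- "$SRC_LOCAL_DIR/$1"
    else
        qvm-run --pass-io "$SRC_VM" "cat -- '$SRC_DIR/$1'"
    fi
}

# copy_one NAME: fetch into a temp file, refuse failed or empty transfers, set
# permissions explicitly, then rename into place so a half-written kernel file
# is never left under the final name.
copy_one() {
    name="$1"
    tmp="$DEST_DIR/.$name.tmp"
    if ! fetch_file "$name" > "$tmp" || [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        echo "transfer of $name failed" >&2
        return 1
    fi
    chmod 0644 "$tmp"
    mv -f "$tmp" "$DEST_DIR/$name"
}

# copy_all: create the kernel directory and transfer each allowlisted file;
# stop at the first failure so dom0 never ends up with a partial kernel set.
copy_all() {
    mkdir -p "$DEST_DIR" || return 1
    for f in $FILES; do
        copy_one "$f" || return 1
    done
}

if [ "${1:-}" = "--run" ]; then
    copy_all && ls -l "$DEST_DIR"
fi
```

Usage: after `tar xjf` in the `dev` qube, run `sudo sh copy-kernel.sh --run` in dom0. `qvm-run --pass-io` is used rather than `qvm-copy-to-vm` because dom0 is not a normal copy target; the allowlist plus the fixed `DEST_DIR` is what keeps the builder qube from influencing anything except the bytes of the three files.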

Yes, that would be better. According to #70 we shouldn't need the extra files now, but I think last time I tried removing them it still didn't work.

Not fully on-topic here, but a summary from the sidelines:

There is also the very different build+deploy path through qubes-builder: https://github.com/QubesOS/qubes-builder/blob/master/example-configs/mirage.conf

This is "worse" because it means installing an "untrusted" rpm in dom0 (which includes code execution in the form of rpm scripts); on the other hand, that can be done in an admin-dvm setting up the template: https://github.com/xaki23/rzqubes/blob/master/misc/installtemplate.sh

There is an open/vintage issue about the base problem of "how to ship templates for qubes": QubesOS/qubes-issues#2534