How to have read-only vm-config.* features?


qubist

Feb 19, 2026, 1:53:07 PM
to qubes...@googlegroups.com
Hi,

I am looking for a secure way to handle external config values for
scripts running inside domUs.

Currently, I follow qvm-features(1):

user@dom0:~ > qvm-features domU vm-config.foo bar

user@domU:~ > qubesdb-read /vm-config/foo
bar

My concern is that values are not (quite) read-only:

user@domU:~ > qubesdb-write /vm-config/foo moo
user@domU:~ > qubesdb-read /vm-config/foo
moo

Such a change obviously does not propagate upstream and does not survive
domU reboots, yet it creates a vulnerability.

Is there a recommended way to have read-only config values?

Marek Marczykowski-Górecki

Feb 19, 2026, 1:58:26 PM
to qubes...@googlegroups.com
Currently no, qubesdb doesn't support any permission model - anybody who
can read entries, can also write them.
What you can do, is to add an early startup service that reads the
value and saves it in some read-only place (like a file writable only by
root, possibly somewhere in /run).

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
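
One way to write the early-startup snapshot described in the reply above, as an added example that is not part of the thread or of Qubes OS. The directory /run/vm-config-snapshot, the QDB_READ override and the script name snapshot-vm-config are assumptions made for illustration; only qubesdb-read and the /vm-config/ path come from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from Qubes OS.
# Copies /vm-config/<name> into a root-owned file that other users cannot
# write. Meant to run as root from an early oneshot unit.
SNAP_DIR="${SNAP_DIR:-/run/vm-config-snapshot}"  # assumed location
QDB_READ="${QDB_READ:-qubesdb-read}"             # assumed override, for tests

snapshot_key() {
    name=$1
    # Accept plain key names only: no "/", no leading dot, not empty.
    case $name in
        ''|.*|*[!A-Za-z0-9._-]*) echo "bad key: $name" >&2; return 2 ;;
    esac
    dest="$SNAP_DIR/$name"
    # First snapshot wins. A later run must not re-read QubesDB, because
    # code in the qube may have used qubesdb-write on the entry by then.
    if [ -e "$dest" ] || [ -L "$dest" ]; then
        echo "already snapshotted: $name" >&2; return 3
    fi
    value=$("$QDB_READ" "/vm-config/$name") || {
        echo "cannot read /vm-config/$name" >&2; return 1
    }
    (
        umask 022
        mkdir -p "$SNAP_DIR" || exit 1
        tmp=$(mktemp "$SNAP_DIR/.tmp.XXXXXX") || exit 1
        rc=1
        if printf '%s\n' "$value" > "$tmp" && chmod 0444 "$tmp"; then
            # ln refuses to replace an existing $dest, so publishing the
            # finished file is atomic and never overwrites a snapshot.
            ln "$tmp" "$dest" && rc=0 || rc=3
        fi
        rm -f "$tmp"
        exit "$rc"
    )
}

# Runs only when installed under this (assumed) name, with the keys to
# snapshot as arguments, e.g. ExecStart=/opt/bin/snapshot-vm-config foo
if [ "${0##*/}" = "snapshot-vm-config" ]; then
    for key in "$@"; do snapshot_key "$key" || exit $?; done
fi
```

Consumers then read /run/vm-config-snapshot/foo instead of calling qubesdb-read; the file mode does not restrict root inside the qube.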

qubist

Feb 19, 2026, 2:29:23 PM
to qubes...@googlegroups.com
On Thu, 19 Feb 2026 13:58:19 +0100 Marek Marczykowski-Górecki wrote:

> Currently no, qubesdb doesn't support any permission model - anybody
> who can read entries, can also write them.

Is there a different mechanism for what I am after?

> What you can do, is to add an early startup service that reads the
> value and saves it in some read-only place (like a file writable only
> by root, possibly somewhere in /run).

Yes, I figured that. It is still vulnerable though - imagine another
similar service messing things up.

qubist

Feb 19, 2026, 4:16:41 PM
to qubes...@googlegroups.com
Marek,

For this:

> What you can do, is to add an early startup service that reads the
> value and saves it in some read-only place (like a file writable only
> by root, possibly somewhere in /run).

what settings for the unit file would you recommend to make it run as
early as possible? Currently, I am using:


[Unit]
...
After=local-fs.target
Before=qubes-early-vm-config.service
Requires=-.mount rw.mount


[Service]
Type=oneshot
ExecStart=/opt/bin/myscript

[Install]
RequiredBy=qubes-early-vm-config.service


Thank you.