
Contrib: Even-more disposable core-dvm #20

Open
kennethrrosen opened this issue May 12, 2023 · 1 comment

Comments

@kennethrrosen

Thanks so much for your work on this @a-barinov; aside from its usefulness, reading through the scripts and walking through the processes has been a great learning experience.

I wonder if the below would be of interest, installed as part of 1.Core or 2.Network and placed as another lq-script within /bin. I've found this to be an excellent, fast, easy experience; it goes a long way toward plausible deniability (in part, one of your post-1.0 release goals) and keeps the system lean.

```bash
#!/bin/bash
# A script to create, launch, and clean up a truly disposable QubesOS qube for secure browsing.
# Tor browser can be replaced with your browser or template of choice.
# Just check the variables or add your own.
# This script assumes you have a kicksecure TemplateVM.
# Inspired by unman: https://github.com/unman/notes/Really_Disposable_Qubes.md
#

set -e

TMP_DIR="/home/user/tmp"
TMPFS_SIZE="5G"
QUBE_NAME="shadow"
POOL_NAME="shadowy"
NET_VM="sys-whonix"
TEMP="kicksecure-16"
BROWSER="torbrowser"
MEM="1000"

if qvm-check "${QUBE_NAME}" > /dev/null 2>&1; then
        echo "A qube named \"${QUBE_NAME}\" already exists. Exiting."
        exit 1
fi

# Remove the qube, the RAM-backed pool and every dom0 log named after the qube.
# Registered as an EXIT trap (only after the existence check above, so a
# pre-existing qube with the same name is never touched) so the remnants are
# cleared even if the browser exits with an error or the script is interrupted.
cleanup() {
        qvm-kill "${QUBE_NAME}" 2> /dev/null || true
        qvm-remove -f "${QUBE_NAME}" 2> /dev/null || true
        qvm-pool rm "${POOL_NAME}" 2> /dev/null || true
        sudo umount "${TMP_DIR}" 2> /dev/null || true
        sudo rm -rf "${TMP_DIR}" \
                "/var/log/libvirt/libxl/${QUBE_NAME}.log" \
                "/var/log/libvirt/libxl/${QUBE_NAME}.log.old" \
                "/var/log/qubes/vm-${QUBE_NAME}.log" \
                "/var/log/qubes/guid.${QUBE_NAME}.log" \
                "/var/log/qubes/guid.${QUBE_NAME}.log.old" \
                "/var/log/qubes/qrexec.${QUBE_NAME}.log" \
                "/var/log/qubes/qubesdb.${QUBE_NAME}.log" \
                "/var/log/qubesdb.${QUBE_NAME}.log" \
                "/var/log/guid/${QUBE_NAME}.log" \
                "/var/log/qrexec.${QUBE_NAME}.log" \
                "/var/log/pacat.${QUBE_NAME}.log" \
                "/var/log/xen/console/guest-${QUBE_NAME}.log"
        notify-send -t 5000 "${QUBE_NAME} qube" "${QUBE_NAME} qube remnants cleared."
}
trap cleanup EXIT

# Disable swap in dom0 so nothing from the RAM-backed qube can be paged to disk.
sudo swapoff -a
mkdir -p "${TMP_DIR}"

# Back the qube's storage pool with tmpfs (RAM only); unmounting it on exit destroys the disk image.
sudo mount -t tmpfs -o size="${TMPFS_SIZE}" "${POOL_NAME}" "${TMP_DIR}"
qvm-pool add -o revisions_to_keep=1 -o dir_path="${TMP_DIR}" "${POOL_NAME}" file
qvm-create "${QUBE_NAME}" -P "${POOL_NAME}" -t "${TEMP}" -l red --property netvm="${NET_VM}" --property memory="${MEM}"

# qvm-run starts the qube and blocks until the browser exits; the EXIT trap then cleans up.
qvm-run -a "${QUBE_NAME}" "${BROWSER}"
```

Happy to chat more or tweak it into one of the install scripts wherever you suggest.
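A companion check a practitioner would want after a disposable-qube script like the one above: an added example, not from this issue or from the core-dvm project, that audits dom0 for remnants. It assumes only `find`, `awk` and the standard dom0 locations `/var/log` and `/proc/mounts`; the qube name, pool directory, log root and mount table are parameters, so it can also be run against constructed directories.

```bash
#!/bin/bash
# Added example (not from the issue): audit dom0 for remnants after a disposable
# qube has been torn down. Lists every file under a log root whose name carries
# the qube name (catching rotated files a hard-coded rm list misses) and checks
# the mount table for a filesystem still mounted on the pool directory.
# Defaults point at dom0's real /var/log and /proc/mounts; both can be
# overridden with constructed paths for testing.

# Print, sorted, every regular file under $2 (default /var/log) whose name
# contains "<qube>.log", e.g. vm-shadow.log, guid.shadow.log.old, guest-shadow.log.
find_log_remnants() {
        local qube="$1" root="${2:-/var/log}"
        find "$root" -type f -name "*${qube}.log*" 2> /dev/null | sort
}

# Return 0 if some filesystem is still mounted on $1 according to the mount
# table in $2 (default /proc/mounts), 1 otherwise.
pool_still_mounted() {
        local dir="$1" mounts="${2:-/proc/mounts}"
        awk -v d="$dir" '$2 == d { found = 1 } END { exit !found }' "$mounts"
}

# Audit qube $1 with pool directory $2; optional $3/$4 override the log root
# and mount table. Returns 0 when nothing was left behind, 1 otherwise.
audit_remnants() {
        local qube="$1" dir="$2" root="${3:-/var/log}" mounts="${4:-/proc/mounts}"
        local leftovers status=0
        leftovers=$(find_log_remnants "$qube" "$root")
        if [ -n "$leftovers" ]; then
                echo "Log remnants for ${qube}:"
                echo "$leftovers"
                status=1
        fi
        if pool_still_mounted "$dir" "$mounts"; then
                echo "Filesystem still mounted on ${dir}"
                status=1
        fi
        return "$status"
}

# When executed with arguments (e.g. ./audit.sh shadow /home/user/tmp),
# run the audit and exit with its status.
if [ "$#" -ge 2 ]; then
        audit_remnants "$1" "$2"
fi
```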

@arkenoi

arkenoi commented May 19, 2023

I successfully followed the instruction to replace sys-whonix with core-tor, so I think sys-whonix is no longer needed at all. What would be cool, however, is pre-starting a disposable VM before it is going to be used the first time.
