Apply Qubes 4.3 "prohibit-start" feature to sd-viewer

[legoktm]

• I have searched for duplicates or related issues

Description

Qubes 4.3 has a new "prohibit-start" feature that prevents a VM from being started. h/t to @deeplow for pointing out the new feature.

Prevents qube from being started in anyway. By setting prohibit-start feature value of a qube to any non-empty string, the system will refuse to start it at all conditions (via qvm-run, qrexec, Qube Manager, ...). This is useful for known compromised qubes, awating some forensic analysis; templates user really need to keep in the original, unmodified state; qubes user want to re-configure and need not automatically started but the qube is a target of frequent qrexec calls. Feature value could contain the rationale for the start ban.

Note: prohibit-start for a TemplateVM does not forbid start of AppVMs based on it.

We should apply this to our dispVM templates, which I believe is just sd-viewer.

How will this impact SecureDrop/SecureDrop Workstation users?

As a side-effect of the mime-handling service, we do trigger a shutdown of sd-viewer as soon as its started, but in theory that's susceptible to race conditions and really just is a side-effect.

How would this affect the SecureDrop Workstation threat model?

• Somewhat harder to compromise a sd-viewer dispVM by editing the template. More realistically, it prevents people from accidentally messing with dispVM templates.

User Stories