Discussing the security aspect of Ansible for Qubes OS #15

Open
kushaldas opened this issue Oct 23, 2018 · 1 comment

Comments

@kushaldas
Owner

The question is about the facts/other files/information coming back to the controller node (dom0 in this case): what if there is any hypothetical bug there which can compromise dom0?

The way it is being handled in Salt right now is documented at QubesOS/qubes-issues#1541 (comment)

I would love to hear the thoughts of both the Ansible and Qubes developers on this point.

@ben-grande

Some days after this issue was opened, QSB 45 was released, which changed how Salt runs on DomUs:

You possibly already know this by now, but I don't see it being used in this repository, so I'm leaving it here for reference:

Dom0 copies files to a management qube, which runs a shell on the target. When dom0 directly runs a shell on the target, it can be compromised, as it is way easier to make mistakes and apply filtering.

Dom0 cannot be compromised via escape characters as long as no colors (example) are shown (the default). Dom0 does not retrieve files from the minion (as far as I know), only the log.
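
An added example, not part of the thread above and not code from this repository, Qubes OS or Salt: one way a controller could neutralise escape characters in log output returned from a target before displaying it. The function name, the size limits and the sample bytes are assumptions constructed for illustration.

```python
"""Constructed illustration: neutralise untrusted log bytes before display."""

MAX_TOTAL = 64 * 1024   # assumed cap on bytes accepted from the target
MAX_LINE = 512          # assumed cap on characters shown per line
SAFE = set(range(0x20, 0x7F)) | {0x09}  # printable ASCII plus tab


def sanitize_untrusted_log(raw: bytes) -> str:
    """Return a display-safe rendering of bytes received from a target qube.

    Every byte outside printable ASCII, tab and newline is replaced with '_',
    so ESC (0x1b), CSI/OSC sequences, carriage returns, backspaces and
    multi-byte encodings never reach the terminal emulator as control input.
    """
    truncated = len(raw) > MAX_TOTAL
    lines = []
    for line in raw[:MAX_TOTAL].split(b"\n"):
        text = "".join(chr(b) if b in SAFE else "_" for b in line)
        if len(text) > MAX_LINE:
            text = text[:MAX_LINE] + " [line truncated]"
        lines.append(text)
    out = "\n".join(lines)
    if truncated:
        out += "\n[output truncated]"
    return out


# Constructed sample: a log carrying a colour sequence, a terminal title
# change, and a carriage return that would overwrite the visible line.
SAMPLE = (
    b"state.apply: \x1b[31mFAILED\x1b[0m\n"
    b"\x1b]0;fake title\x07ok\n"
    b"real result\rforged result\n"
)

if __name__ == "__main__":
    print(sanitize_untrusted_log(SAMPLE))
```

The allow-list is deliberately ASCII-only: decoding the bytes as UTF-8 first would let the target choose which code points the controller's terminal renders.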
