Have access to internet on dom0 only for checking email script

dallas87 · July 29, 2021, 7:08am

I’m using Qubes OS with i3 and polybar.
I have a module/script that check emails and notify if there are unread emails or not.
The problem is that from dom0 I can’t run it as there is no access to internet …
Is it there a way to allow ONLY access to my email in order to be able to receive if any unread emails?

daehawc · July 29, 2021, 1:44pm

It is possible to enable networking and internet access to dom0 but it is not intended to be used like that.
Is there a limitation to you running the module / script in an AppVM as intended?

dpr · July 29, 2021, 2:19pm

dom0 should never connect directly to the internet, you can use qvm-run from dom0 to retrieve your email in another VM and then copy that to dom0.

fsflover · July 29, 2021, 2:39pm

Dom0 should only be used for managing VMs, otherwise you are risking to compromise the whole system. Why can’t you do that in a VM? VMs can show notifications just fine.

dallas87 · July 29, 2021, 2:53pm

Not sure how to do that in a vm as I need polybar to start right after I logged in so the config should be in dom0.
Regarding having this task on another vm, how can I exucute the code from dom0 (or should i create a cron om that vm)?

fsflover · July 29, 2021, 2:59pm

You can autostart any VM when your system boots (there is a tick in the VM’s preferences) and autostart any script inside that VM (see instructions for the corresponding OS).

You should not touch dom0 at all if this is possible.

fsflover · July 29, 2021, 3:08pm

You can use qvm-run from dom0 to run apps in a VM. qvm-start will start a VM.

dallas87 · July 29, 2021, 4:05pm

Probably stupid question: polybar, i3, conky, rofi should still be installed on dom0, right?
But all scripts that require internet should be on another vm. Am I right?

fsflover · July 29, 2021, 7:05pm

In general, you should avoid installing anything in dom0 as much as possible: https://www.qubes-os.org/doc/how-to-install-software-in-dom0/.

However, you listed things connected to displaying, so yes, they have to be installed in dom0 to work. In the future version Qubes 4.1 there will be a separate VM for displaying things, sys-gui.

dallas87 · July 30, 2021, 6:03am

Nice. First time I’m using Qubes and like it. Sounds like the future of it it will be even better/safer.
Thanks

qubes83753 · July 30, 2021, 10:49am

You can achieve your goal by exploiting the Qrexec communication mechanism provided by Qubes and the qvm-run command line utility.

Some assumptions, feel free to replace:

my-qube is the name of the qube monitoring the email account
my.Service is the name of the qrexec service doing the monitoring
inside my-qube you have set up a monitoring script/executable in the path /my/monitoring/script
the monitoring script runs forever and outputs a polybar-formatted line in tail mode

Start with creating the file /rw/usrlocal/etc/qubes-rpc/my.Service with a content resembling the following (you can also symlink your monitoring script, just be sure it’s an executable):

#!/bin/sh
exec /my/monitoring/script

Then configure your custom/script with the following command in tail mode:
qvm-run --pass-io my-qube --service my.Service </dev/null

For more informations:
Qrexec: secure communication across domains | Qubes OS (qubes-os.org)
Qubes OS Forum (qubes-os.org)