Shared folder blank running in Live Mode after update

Hi,

Today I updated both the gateway and the workstation and now I cannot access my shared folder in the workstation using Live Mode. The shared folder still works as normal if the workstation is running in Persistent Mode, but this is not optimal for me.

Using Live Mode now, the shared folder contains a single README file saying I have not set up shared folders, which is wrong, as I haven’t changed my configuration otherwise and it worked well using Live Mode until the update today.

For troubleshooting, I have read back on some similar topics here but none seem to apply for this problem. I reset my shared folders settings in the workstation properties and made certain that folder permissions were correct on the host, but still the Shared folder is blank in Live Mode, yet works in Persistent Mode. Any help would be appreciated.

Thanks.

1 Like

This is intentional; /usr/lib/systemd/system/mnt-shared-vbox.service.d/30_grub-live.conf disables the shared folder mount service if the VM is booted in live mode. Live mode is supposed to be relatively ephemeral, saving files to a shared folder while booted in live mode would run somewhat counter to live mode’s intended purpose, depending on what exactly you use the shared folder for. If you need to write something to a shared folder but also don’t want your work to leave a trace inside the VM you use, I’d suggest cloning your workstation VM, using it in persistent mode to do what you need, then deleting it when you’re done. (This could leave traces behind on the disk, but it provides better isolation from a standpoint of avoiding malware.)

It would make sense to still be able to read data from shared folders in live mode. @Patrick Maybe we should allow the mount service to run and then use live-hardener to render the directory read-only? Also, we might want to make the “no writable shared folders” behavior user-configurable - right now we’re using ConditionKernelCommandLine in systemd, which I don’t think can be overridden using systemctl edit.

3 Likes

I guess all modes might make sense depending on the use case.

  • A) No shared folder in live mode.
  • B) Read-only access to the shared folder in live mode.
  • C) Read-write access to the shared folder in live mode.

Read-write access to the shared folder in live mode has been documented just now:

Please test.

Comment for developers only:

Systemd usually allows clearing configurations using =. I.e. ConditionKernelCommandLine should be able to be cleared with a drop-in configuration file declaring ConditionKernelCommandLine=. That’s why I have documented it.

Comment for developers only:

That might be a bit cleaner. Then we would save the grub-live systemd drop-in configuration file. However, then we would need to offer some way to configure live-hardener to skip the shared folder because I am sure some users want read-write access to the shared folder in live mode.

4 Likes
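The drop-in behaviour discussed above can be modelled in a few lines. This is an added example, not part of the original thread and not Whonix or systemd code. It follows the merge rules in systemd.unit(5): drop-ins apply in file-name order regardless of directory, and an empty assignment resets the condition list. The parameter `example-live-param` and the file names `50_user.conf` and `20_user.conf` are constructed placeholders, since the thread does not show the contents of 30_grub-live.conf.

```python
# Model of how systemd merges drop-ins for one list-type Condition setting.
UNIT = "mnt-shared-vbox.service"
KEY = "ConditionKernelCommandLine"
# Lowest to highest priority; a same-named file in a later directory replaces the earlier one.
DIRS = ["/usr/lib/systemd/system", "/run/systemd/system", "/etc/systemd/system"]
LIVE = "example-live-param"  # constructed placeholder, not the real parameter

def effective_conditions(files):
    """files maps absolute path -> file text; returns the merged condition list."""
    chosen = {}
    for base in DIRS:
        prefix = f"{base}/{UNIT}.d/"
        for path, text in files.items():
            if path.startswith(prefix) and path.endswith(".conf"):
                chosen[path[len(prefix):]] = text
    conds = []
    for name in sorted(chosen):  # applied in file-name order, whatever the directory
        for line in chosen[name].splitlines():
            key, sep, value = line.strip().partition("=")
            if sep and key.strip() == KEY:
                if value.strip():
                    conds.append(value.strip())
                else:
                    conds = []  # empty assignment resets everything parsed so far
    return conds

def condition_passes(conds, cmdline):
    """All conditions must hold; '!' negates. '|' trigger conditions are not modelled."""
    words = cmdline.split()
    for cond in conds:
        negate, want = cond.startswith("!"), cond.lstrip("!")
        if "=" in want:
            present = want in words
        else:
            present = any(w == want or w.startswith(want + "=") for w in words)
        if present == negate:
            return False
    return True

# Constructed sample files: the shipped drop-in plus two candidate user drop-ins.
SHIPPED = {f"{DIRS[0]}/{UNIT}.d/30_grub-live.conf": f"[Unit]\n{KEY}=!{LIVE}\n"}
LATE = {**SHIPPED, f"{DIRS[2]}/{UNIT}.d/50_user.conf": f"[Unit]\n{KEY}=\n"}
EARLY = {**SHIPPED, f"{DIRS[2]}/{UNIT}.d/20_user.conf": f"[Unit]\n{KEY}=\n"}

if __name__ == "__main__":
    live_cmdline = f"root=/dev/sda1 quiet {LIVE}"  # constructed
    for label, files in (("shipped", SHIPPED), ("late", LATE), ("early", EARLY)):
        conds = effective_conditions(files)
        print(label, conds, condition_passes(conds, live_cmdline))
```

A clearing drop-in only takes effect if its file name sorts after 30_grub-live.conf; on a real system, `systemctl cat mnt-shared-vbox.service` lists the merged files in the order they are applied.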

Thank you for the reply @arraybolt3, this makes sense from a security perspective. I accept that security often comes with usability trade-offs and I will consider your suggestion or maybe just use snapshots when the need arises.

@Patrick, thank you for the updated documentation. I tested and Live Mode now works just like before.

I now have some indecision on which way to proceed but that’s entirely my problem!

Thank you for all your hard work.

3 Likes