Disconnect the BDVM from network

[v6ak]

The DVM that performs backup (BDVM) needs no network access. According to principle of least privileges, it should not have it.

Threats

• A VM with restricted (e.g., Torified) network access (=Attacking VM, AVM) creates a malformed filesystem on its private partition. The BDVM has some vulnerability in filesystem driver. As a result, AVM is able to execute arbitrary code in BDVM. Since the BDVM can be connected to Internet, AVM gets direct access to the Internet. This can lead to deanonymization.

Advantages

If BDVM had no direct access to the Internet, the adversary would not be able to get the Internet access and deanonymize the user this way. However, advantage of BDVM without Internet access is somewhat limited there. If adversary has an access to the backup storage, she can deanonymize the user anyway. Offloading encryption from BDVM could help partially, but attacker still would be able to observe backup sizes.

[v6ak]

This does not look so trivial. I remember having issues with other DVMs after setting NetVM to none. Will try and then report/find bug if needed.

[v6ak]

Seems to work now, so I have replanned it to do soon.