-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 23-10-24 00:36:26, Marek Marczykowski-Górecki wrote: > On Mon, Oct 23, 2023 at 09:24:13PM +0000, Ben Grande wrote: > > Hello. > > > > Dom0 is not normally a client for extraneous qrexec calls, but in this > > case, I need dom0 to resolve the domain name from the token @default via > > policy. > > > > Policy: > > > > service * dom0 @default allow target=mydomain > > > > Call: > > > > qrexec-client -d @default -- 'DEFAULT:QUBESRPC service dom0' > > > > Dom0 does not requires the policy the call to be allowed, as it is always > > allowed. Watching the qrexec policy logs, the call from Dom0 is not > > logged. > > > > If I run from dom0: > > > > qrexec-policy 0 dom0 @default service 1 > > > > It resolves the domain but fails to run the command: > > > > INFO:policy:qrexec: service: dom0 -> @default: allowed to sys-git > > 2023-10-23 21:19:28.154 qrexec-client[32893]: > > qrexec-client.c:184:connect_unix_socket: connect: No such file or directory > > ERROR:policy:qrexec: service: dom0 -> @default: error while executing: > > qrexec-client failed: ['/usr/lib/qubes/qrexec-client', '-d', 'mydomain', > > '-c', '1,dom0,0', '-E', '--', 'DEFAULT:QUBESRPC service dom0'] > > > > If I run the command directly without the request id and the literal domain > > name, it works: > > > > qrexec-client -d mydomain -- 'DEFAULT:QUBESRPC service dom0' > > > > How can I force dom0 to use the '@default' token? > > As 'qrexec-client' does not allow tokens in the domain name yet, would > > this be interesting to have? > > > > Documents read: > > - https://www.qubes-os.org/doc/qrexec-internals/ > > - https://www.qubes-os.org/doc/qrexec-internals/ > > > I don't think there is one-step solution, but you can get policy > resolved by using `qrexec-policy` in the 3-arg form (skipping domain id > and process ident). Then, you'll get the result in key=value format, > including resolved target= that you can use in a qvm-run (or > qrexec-client) call. It even works with `ask` policy (you get the > prompt), which means we finally can implement qvm-copy (not just > qvm-copy-to-vm) in dom0 too :) > > -- > Best Regards, > Marek Marczykowski-Górecki > Invisible Things Lab
I'm on R4.1. Up-to-date. Can you please give an example of a working 3-arg form as it seems that all positional arguments are required? Policy: ``` ## Do not modify this file, create a new policy with with a lower number in the ## file name instead. For example `30-user.policy`. qusal.GitFetch * dom0 @default allow target=sys-git qusal.GitPush * dom0 @default allow target=sys-git qusal.GitInit * dom0 @default allow target=sys-git qusal.GitFetch * @adminvm @default allow target=sys-git qusal.GitPush * @adminvm @default allow target=sys-git qusal.GitInit * @adminvm @default allow target=sys-git qusal.GitFetch * @anyvm @default ask target=sys-git default_target=sys-git qusal.GitPush * @anyvm @default ask target=sys-git default_target=sys-git qusal.GitInit * @anyvm @default ask target=sys-git default_target=sys-git qusal.GitFetch * @anyvm @anyvm deny qusal.GitPush * @anyvm @anyvm deny qusal.GitInit * @anyvm @anyvm deny ``` Yes, I now currently dom0 is the only @adminvm. Trials: ```sh # 1 $ qrexec-policy --just-evaluate dom0 @default qusal.GitInit+qusal usage: qrexec-policy [-h] [--assume-yes-for-ask] [--just-evaluate] [--path PATH] src-domain-id SOURCE TARGET SERVICE+ARGUMENT process-ident qrexec-policy: error: the following arguments are required: SERVICE+ARGUMENT, process-ident # 2 $ qrexec-policy --just-evaluate 0 dom0 @default qusal.GitInit+qusal 1 WARNING:root:warning: !compat-4.0 directive in file /etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be deprecated # exit code 0 # 3 $ qrexec-policy --assume-yes-for-ask 0 dom0 @default qusal.GitInit+qusal 1 WARNING:root:warning: !compat-4.0 directive in file /etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be deprecated INFO:policy:qrexec: qusal.GitInit+qusal: dom0 -> @default: denied: target @default is not a valid choice # 4 $ qrexec-policy 0 dom0 @default qusal.GitInit+qusal 1 WARNING:root:warning: !compat-4.0 directive in file /etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be deprecated ERROR:policy:qusal.GitInit not allowed from dom0: the resolution was "ask", but source domain has no GuiVM INFO:policy:qrexec: qusal.GitInit+qusal: dom0 -> @default: denied: denied by the user /etc/qubes/policy.d/80-sys-git.policy:12 ``` On 1 there is no possibility to skip domain id and process ident because they don't have nargs='?'. On 3 we see that if we assume yes for ask, @default can't be used. On 4 if we don't assume, it is actually failing on the following rule: ``` qusal.GitInit * @anyvm @default ask target=sys-git default_target=sys-git ``` because "source domain has no GuiVM", but Dom0 has a GUI. But how to get the policy to "work" yesterday? Add "dom0" tag to "dom0" qube: ``` qvm-tags dom0 add dom0 ``` Add rule allow "@tag:dom0" to "@default": ``` qusal.GitInit * @tag:dom0 @default allow target=sys-git ``` Was the only call that was passed to qrexec-client and has the correct target domain name but failed: ``` $ qrexec-policy 0 dom0 @default qusal.GitInit+qusal 1 WARNING:root:warning: !compat-4.0 directive in file /etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be deprecated INFO:policy:qrexec: qusal.GitInit+qusal: dom0 -> @default: allowed to sys-git 2023-10-24 09:00:00.000 qrexec-client[42694]: qrexec-client.c:184:connect_unix_socket: connect: No such file or directory ERROR:policy:qrexec: qusal.GitInit+qusal: dom0 -> @default: error while executing: qrexec-client failed: ['/usr/lib/qubes/qrexec-client', '-d', 'sys-git', '-c', '1,dom0,0', '-E', '--', 'DEFAULT:QUBESRPC qusal.GitInit+qusal dom0'] ``` And if I ask to just evaluate, it doens't print the rule: ``` $ qrexec-policy --just-evaluate 0 dom0 @default qusal.GitInit+qusal 1 WARNING:root:warning: !compat-4.0 directive in file /etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be deprecated ``` Exit code 0 - -- Benjamin Grande -----BEGIN PGP SIGNATURE----- iNUEARYKAH0WIQRklnEdsUUe50UmvUUbcxS/DMyWhwUCZTeUTV8UgAAAAAAuAChp c3N1ZXItZnByQG5vdGF0aW9ucy5vcGVucGdwLmZpZnRoaG9yc2VtYW4ubmV0NjQ5 NjcxMURCMTQ1MUVFNzQ1MjZCRDQ1MUI3MzE0QkYwQ0NDOTY4NwAKCRAbcxS/DMyW hyzNAP94F3mxlrABdkZVaak6vlWiMUNNha06Nl9/znrBkYuruwEAuUMQkyesv497 qSVtHjRH2i/7qrNs7f53tHX5wKGX8Ag= =Orvt -----END PGP SIGNATURE----- -- You received this message because you are subscribed to the Google Groups "qubes-devel" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-devel+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/ZTeUTRvQM9e-d_wS%40personal-mutt.