Re: [qubes-devel] How to make dom0 qrexec call resolve @default token

[Ben Grande]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 23-10-24 00:36:26, Marek Marczykowski-Górecki wrote:
> On Mon, Oct 23, 2023 at 09:24:13PM +0000, Ben Grande wrote:
> > Hello.
> > 
> > Dom0 is not normally a client for extraneous qrexec calls, but in this
> > case, I need dom0 to resolve the domain name from the token @default via
> > policy.
> > 
> > Policy:
> > 
> >     service * dom0 @default allow target=mydomain
> > 
> > Call:
> > 
> >     qrexec-client -d @default -- 'DEFAULT:QUBESRPC service dom0'
> > 
> > Dom0 does not requires the policy the call to be allowed, as it is always
> > allowed. Watching the qrexec policy logs, the call from Dom0 is not
> > logged.
> > 
> > If I run from dom0:
> > 
> >     qrexec-policy 0 dom0 @default service 1
> > 
> > It resolves the domain but fails to run the command:
> > 
> > INFO:policy:qrexec: service: dom0 -> @default: allowed to sys-git
> > 2023-10-23 21:19:28.154 qrexec-client[32893]: 
> > qrexec-client.c:184:connect_unix_socket: connect: No such file or directory
> > ERROR:policy:qrexec: service: dom0 -> @default: error while executing: 
> > qrexec-client failed: ['/usr/lib/qubes/qrexec-client', '-d', 'mydomain', 
> > '-c', '1,dom0,0', '-E', '--', 'DEFAULT:QUBESRPC service dom0']
> > 
> > If I run the command directly without the request id and the literal domain 
> > name, it works:
> > 
> >             qrexec-client -d mydomain -- 'DEFAULT:QUBESRPC service dom0'
> > 
> > How can I force dom0 to use the '@default' token?
> > As 'qrexec-client' does not allow tokens in the domain name yet, would
> > this be interesting to have?
> > 
> > Documents read:
> > - https://www.qubes-os.org/doc/qrexec-internals/
> > - https://www.qubes-os.org/doc/qrexec-internals/
> 
> 
> I don't think there is one-step solution, but you can get policy
> resolved by using `qrexec-policy` in the 3-arg form (skipping domain id
> and process ident). Then, you'll get the result in key=value format,
> including resolved target= that you can use in a qvm-run (or
> qrexec-client) call. It even works with `ask` policy (you get the
> prompt), which means we finally can implement qvm-copy (not just
> qvm-copy-to-vm) in dom0 too :)
> 
> -- 
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab

I'm on R4.1. Up-to-date.

Can you please give an example of a working 3-arg form as it seems that
all positional arguments are required?

Policy:
```
## Do not modify this file, create a new policy with with a lower number in the
## file name instead. For example `30-user.policy`.
qusal.GitFetch * dom0 @default allow target=sys-git
qusal.GitPush  * dom0 @default allow target=sys-git
qusal.GitInit  * dom0 @default allow target=sys-git
qusal.GitFetch * @adminvm @default allow target=sys-git
qusal.GitPush  * @adminvm @default allow target=sys-git
qusal.GitInit  * @adminvm @default allow target=sys-git

qusal.GitFetch * @anyvm @default ask target=sys-git default_target=sys-git
qusal.GitPush  * @anyvm @default ask target=sys-git default_target=sys-git
qusal.GitInit  * @anyvm @default ask target=sys-git default_target=sys-git
qusal.GitFetch * @anyvm @anyvm deny
qusal.GitPush  * @anyvm @anyvm deny
qusal.GitInit  * @anyvm @anyvm deny
```
Yes, I now currently dom0 is the only @adminvm.

Trials:
```sh
# 1
$ qrexec-policy --just-evaluate dom0 @default qusal.GitInit+qusal
usage: qrexec-policy [-h] [--assume-yes-for-ask] [--just-evaluate]
                     [--path PATH]
                     src-domain-id SOURCE TARGET SERVICE+ARGUMENT
                     process-ident
qrexec-policy: error: the following arguments are required: SERVICE+ARGUMENT, 
process-ident

# 2
$ qrexec-policy --just-evaluate 0 dom0 @default qusal.GitInit+qusal 1
WARNING:root:warning: !compat-4.0 directive in file 
/etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be 
deprecated
# exit code 0

# 3
$ qrexec-policy --assume-yes-for-ask 0 dom0 @default qusal.GitInit+qusal 1
WARNING:root:warning: !compat-4.0 directive in file 
/etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be 
deprecated
INFO:policy:qrexec: qusal.GitInit+qusal: dom0 -> @default: denied: target 
@default is not a valid choice

# 4
$ qrexec-policy 0 dom0 @default qusal.GitInit+qusal 1
WARNING:root:warning: !compat-4.0 directive in file 
/etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be 
deprecated
ERROR:policy:qusal.GitInit not allowed from dom0: the resolution was "ask", but 
source domain has no GuiVM
INFO:policy:qrexec: qusal.GitInit+qusal: dom0 -> @default: denied: denied by 
the user /etc/qubes/policy.d/80-sys-git.policy:12
```

On 1 there is no possibility to skip domain id and process ident because
they don't have nargs='?'.
On 3 we see that if we assume yes for ask, @default can't be used.
On 4 if we don't assume, it is actually failing on the following rule:
```
qusal.GitInit  * @anyvm @default ask target=sys-git default_target=sys-git
```
because "source domain has no GuiVM", but Dom0 has a GUI.

But how to get the policy to "work" yesterday?

Add "dom0" tag to "dom0" qube:
```
qvm-tags dom0 add dom0
```

Add rule allow "@tag:dom0" to "@default":
```
qusal.GitInit  * @tag:dom0 @default allow target=sys-git
```

Was the only call that was passed to qrexec-client and has the correct
target domain name but failed:
```
$ qrexec-policy 0 dom0 @default qusal.GitInit+qusal 1
WARNING:root:warning: !compat-4.0 directive in file 
/etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be 
deprecated
INFO:policy:qrexec: qusal.GitInit+qusal: dom0 -> @default: allowed to sys-git
2023-10-24 09:00:00.000 qrexec-client[42694]: 
qrexec-client.c:184:connect_unix_socket: connect: No such file or directory
ERROR:policy:qrexec: qusal.GitInit+qusal: dom0 -> @default: error while 
executing: qrexec-client failed: ['/usr/lib/qubes/qrexec-client', '-d', 
'sys-git', '-c', '1,dom0,0', '-E', '--', 'DEFAULT:QUBESRPC qusal.GitInit+qusal 
dom0']
```

And if I ask to just evaluate, it doens't print the rule:
```
$ qrexec-policy --just-evaluate 0 dom0 @default qusal.GitInit+qusal 1
WARNING:root:warning: !compat-4.0 directive in file 
/etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be 
deprecated
```
Exit code 0

- -- 
Benjamin Grande
-----BEGIN PGP SIGNATURE-----

iNUEARYKAH0WIQRklnEdsUUe50UmvUUbcxS/DMyWhwUCZTeUTV8UgAAAAAAuAChp
c3N1ZXItZnByQG5vdGF0aW9ucy5vcGVucGdwLmZpZnRoaG9yc2VtYW4ubmV0NjQ5
NjcxMURCMTQ1MUVFNzQ1MjZCRDQ1MUI3MzE0QkYwQ0NDOTY4NwAKCRAbcxS/DMyW
hyzNAP94F3mxlrABdkZVaak6vlWiMUNNha06Nl9/znrBkYuruwEAuUMQkyesv497
qSVtHjRH2i/7qrNs7f53tHX5wKGX8Ag=
=Orvt
-----END PGP SIGNATURE-----

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-devel" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-devel+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-devel/ZTeUTRvQM9e-d_wS%40personal-mutt.