-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Tue, Oct 24, 2023 at 09:54:21AM +0000, Ben Grande wrote:
> On 23-10-24 00:36:26, Marek Marczykowski-Górecki wrote:
> > On Mon, Oct 23, 2023 at 09:24:13PM +0000, Ben Grande wrote:
> > > Hello.
> > >
> > > Dom0 is not normally a client for extraneous qrexec calls, but in this
> > > case, I need dom0 to resolve the domain name from the token @default via
> > > policy.
> > >
> > > Policy:
> > >
> > > service * dom0 @default allow target=mydomain
> > >
> > > Call:
> > >
> > > qrexec-client -d @default -- 'DEFAULT:QUBESRPC service dom0'
> > >
> > > Dom0 does not requires the policy the call to be allowed, as it is always
> > > allowed. Watching the qrexec policy logs, the call from Dom0 is not
> > > logged.
> > >
> > > If I run from dom0:
> > >
> > > qrexec-policy 0 dom0 @default service 1
> > >
> > > It resolves the domain but fails to run the command:
> > >
> > > INFO:policy:qrexec: service: dom0 -> @default: allowed to sys-git
> > > 2023-10-23 21:19:28.154 qrexec-client[32893]:
> > > qrexec-client.c:184:connect_unix_socket: connect: No such file or
> > > directory
> > > ERROR:policy:qrexec: service: dom0 -> @default: error while executing:
> > > qrexec-client failed: ['/usr/lib/qubes/qrexec-client', '-d', 'mydomain',
> > > '-c', '1,dom0,0', '-E', '--', 'DEFAULT:QUBESRPC service dom0']
> > >
> > > If I run the command directly without the request id and the literal
> > > domain name, it works:
> > >
> > > qrexec-client -d mydomain -- 'DEFAULT:QUBESRPC service dom0'
> > >
> > > How can I force dom0 to use the '@default' token?
> > > As 'qrexec-client' does not allow tokens in the domain name yet, would
> > > this be interesting to have?
> > >
> > > Documents read:
> > > - https://www.qubes-os.org/doc/qrexec-internals/
> > > - https://www.qubes-os.org/doc/qrexec-internals/
> >
> >
> > I don't think there is one-step solution, but you can get policy
> > resolved by using `qrexec-policy` in the 3-arg form (skipping domain id
> > and process ident). Then, you'll get the result in key=value format,
> > including resolved target= that you can use in a qvm-run (or
> > qrexec-client) call. It even works with `ask` policy (you get the
> > prompt), which means we finally can implement qvm-copy (not just
> > qvm-copy-to-vm) in dom0 too :)
> >
> > --
> > Best Regards,
> > Marek Marczykowski-Górecki
> > Invisible Things Lab
>
> I'm on R4.1. Up-to-date.
>
> Can you please give an example of a working 3-arg form as it seems that
> all positional arguments are required?
Ah, right, 3-arg form is a R4.2 thing.
This:
[user@dom0 ~]$ qrexec-policy --help
usage: qrexec-policy-exec -h
usage: qrexec-policy-exec [--assume-yes-for-ask] [--just-evaluate] [--path
PATH] SOURCE TARGET service+argument
usage: qrexec-policy-exec [--assume-yes-for-ask] [--just-evaluate] [--path
PATH] domain-id SOURCE TARGET service+argument process-ident
To evaluate policy, pass 3 positional arguments:
- Source domain name
- Target domain name
- Service name and argument separated by "+"
To actually run a qrexec call, pass 5 positional arguments:
- Source domain ID (Xen or similar, not Qubes ID)
- Source domain name
- Target domain name
- Service name and argument separated by "+"
- Qrexec process identifier (for data channel connection)
Note that this usage is deprecated.
positional arguments:
args
options:
-h, --help show this help message and exit
--assume-yes-for-ask Allow run of service without confirmation if policy
say 'ask'
--just-evaluate Do not run the service, only evaluate policy;
retcode=0 means 'allow'
--path PATH Use alternative policy path
> Policy:
> ```
> ## Do not modify this file, create a new policy with with a lower number in
> the
> ## file name instead. For example `30-user.policy`.
> qusal.GitFetch * dom0 @default allow target=sys-git
> qusal.GitPush * dom0 @default allow target=sys-git
> qusal.GitInit * dom0 @default allow target=sys-git
> qusal.GitFetch * @adminvm @default allow target=sys-git
> qusal.GitPush * @adminvm @default allow target=sys-git
> qusal.GitInit * @adminvm @default allow target=sys-git
>
> qusal.GitFetch * @anyvm @default ask target=sys-git default_target=sys-git
> qusal.GitPush * @anyvm @default ask target=sys-git default_target=sys-git
> qusal.GitInit * @anyvm @default ask target=sys-git default_target=sys-git
> qusal.GitFetch * @anyvm @anyvm deny
> qusal.GitPush * @anyvm @anyvm deny
> qusal.GitInit * @anyvm @anyvm deny
> ```
> Yes, I now currently dom0 is the only @adminvm.
>
> Trials:
> ```sh
> # 1
> $ qrexec-policy --just-evaluate dom0 @default qusal.GitInit+qusal
> usage: qrexec-policy [-h] [--assume-yes-for-ask] [--just-evaluate]
> [--path PATH]
> src-domain-id SOURCE TARGET SERVICE+ARGUMENT
> process-ident
> qrexec-policy: error: the following arguments are required: SERVICE+ARGUMENT,
> process-ident
>
> # 2
> $ qrexec-policy --just-evaluate 0 dom0 @default qusal.GitInit+qusal 1
> WARNING:root:warning: !compat-4.0 directive in file
> /etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be
> deprecated
> # exit code 0
>
> # 3
> $ qrexec-policy --assume-yes-for-ask 0 dom0 @default qusal.GitInit+qusal 1
> WARNING:root:warning: !compat-4.0 directive in file
> /etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be
> deprecated
> INFO:policy:qrexec: qusal.GitInit+qusal: dom0 -> @default: denied: target
> @default is not a valid choice
>
> # 4
> $ qrexec-policy 0 dom0 @default qusal.GitInit+qusal 1
> WARNING:root:warning: !compat-4.0 directive in file
> /etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be
> deprecated
> ERROR:policy:qusal.GitInit not allowed from dom0: the resolution was "ask",
> but source domain has no GuiVM
> INFO:policy:qrexec: qusal.GitInit+qusal: dom0 -> @default: denied: denied by
> the user /etc/qubes/policy.d/80-sys-git.policy:12
> ```
>
> On 1 there is no possibility to skip domain id and process ident because
> they don't have nargs='?'.
> On 3 we see that if we assume yes for ask, @default can't be used.
> On 4 if we don't assume, it is actually failing on the following rule:
> ```
> qusal.GitInit * @anyvm @default ask target=sys-git default_target=sys-git
> ```
> because "source domain has no GuiVM", but Dom0 has a GUI.
Indeed this case needs fixing (class AdminVM doesn't have "guivm"
property), as dom0 wasn't source of interactive prompt before (until
this very thread).
> But how to get the policy to "work" yesterday?
>
> Add "dom0" tag to "dom0" qube:
> ```
> qvm-tags dom0 add dom0
> ```
>
> Add rule allow "@tag:dom0" to "@default":
> ```
> qusal.GitInit * @tag:dom0 @default allow target=sys-git
> ```
>
> Was the only call that was passed to qrexec-client and has the correct
> target domain name but failed:
> ```
> $ qrexec-policy 0 dom0 @default qusal.GitInit+qusal 1
> WARNING:root:warning: !compat-4.0 directive in file
> /etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be
> deprecated
> INFO:policy:qrexec: qusal.GitInit+qusal: dom0 -> @default: allowed to sys-git
> 2023-10-24 09:00:00.000 qrexec-client[42694]:
> qrexec-client.c:184:connect_unix_socket: connect: No such file or directory
> ERROR:policy:qrexec: qusal.GitInit+qusal: dom0 -> @default: error while
> executing: qrexec-client failed: ['/usr/lib/qubes/qrexec-client', '-d',
> 'sys-git', '-c', '1,dom0,0', '-E', '--', 'DEFAULT:QUBESRPC
> qusal.GitInit+qusal dom0']
> ```
>
> And if I ask to just evaluate, it doens't print the rule:
> ```
> $ qrexec-policy --just-evaluate 0 dom0 @default qusal.GitInit+qusal 1
> WARNING:root:warning: !compat-4.0 directive in file
> /etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be
> deprecated
> ```
> Exit code 0
Lets try:
[user@dom0 ~]$ qrexec-policy dom0 @default qubes.ClipboardPaste
WARNING:root:warning: !compat-4.0 directive in file
/etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be
deprecated
ERROR:policy:qubes.ClipboardPaste not allowed from dom0: the resolution was
"ask", but source domain has no GuiVM
INFO:policy:qrexec: qubes.ClipboardPaste: dom0 -> @default: denied: denied
by the user /etc/qubes/policy.d/90-default-gui-daemon.policy:10
result=deny
The missing "guivm" property case. Maybe with explicit target?
[user@dom0 ~]$ qrexec-policy dom0 personal qubes.ClipboardPaste
WARNING:root:warning: !compat-4.0 directive in file
/etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be
deprecated
ERROR:policy:qubes.ClipboardPaste not allowed from dom0: the resolution was
"ask", but source domain has no GuiVM
INFO:policy:qrexec: qubes.ClipboardPaste: dom0 -> personal: denied: denied
by the user /etc/qubes/policy.d/90-default-gui-daemon.policy:10
result=deny
Still doesn't work, because "@anyvm" target has ask action. So, lets
skip the prompt for now:
[user@dom0 ~]$ qrexec-policy --assume-yes-for-ask dom0 personal
qubes.ClipboardPaste
WARNING:root:warning: !compat-4.0 directive in file
/etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be
deprecated
INFO:policy:qrexec: qubes.ClipboardPaste+: dom0 -> personal: allowed to
personal
user=DEFAULT
result=allow
target=personal
autostart=True
requested_target=personal
Now you have the proper answer.
- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAmU3nVIACgkQ24/THMrX
1yxs8Af/fCaaVmwoRT5AC9D+QYjmfpk1RAm37tGkoY2Dfkr+N1Vi8spR90AtVdkD
Mw3Quo9ZHYf5PLnlVSaQUve06lXMnSOFxn38hnGPWyEgpMCN8S2nK1du6IaHTqwI
xA9VhjYUOJEhG/kmmYvW+HNpwFbleI9CsW4V5v3xBVuI33B2D51tCu+2sZXkU++B
z/1lfXL6S+uJ7bfLw3FSxwPPJbsvPWxJj4p4qUmfFg06o0kJ9WFfD820NxEB57wK
ni+isBITpC8BTOzBe/ZIvgrrNYW8e5QaVxxlzpiFIy9+sioHgWg80n0X6NVOEBY2
rdqmKM5XEUJIsr2ZxEZEEeEa/zUZWw==
=NEcp
-----END PGP SIGNATURE-----
--
You received this message because you are subscribed to the Google Groups
"qubes-devel" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-devel+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-devel/ZTedUvdVdgtHTY1z%40mail-itl.
