-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Tue, Oct 24, 2023 at 09:54:21AM +0000, Ben Grande wrote: > On 23-10-24 00:36:26, Marek Marczykowski-Górecki wrote: > > On Mon, Oct 23, 2023 at 09:24:13PM +0000, Ben Grande wrote: > > > Hello. > > > > > > Dom0 is not normally a client for extraneous qrexec calls, but in this > > > case, I need dom0 to resolve the domain name from the token @default via > > > policy. > > > > > > Policy: > > > > > > service * dom0 @default allow target=mydomain > > > > > > Call: > > > > > > qrexec-client -d @default -- 'DEFAULT:QUBESRPC service dom0' > > > > > > Dom0 does not requires the policy the call to be allowed, as it is always > > > allowed. Watching the qrexec policy logs, the call from Dom0 is not > > > logged. > > > > > > If I run from dom0: > > > > > > qrexec-policy 0 dom0 @default service 1 > > > > > > It resolves the domain but fails to run the command: > > > > > > INFO:policy:qrexec: service: dom0 -> @default: allowed to sys-git > > > 2023-10-23 21:19:28.154 qrexec-client[32893]: > > > qrexec-client.c:184:connect_unix_socket: connect: No such file or > > > directory > > > ERROR:policy:qrexec: service: dom0 -> @default: error while executing: > > > qrexec-client failed: ['/usr/lib/qubes/qrexec-client', '-d', 'mydomain', > > > '-c', '1,dom0,0', '-E', '--', 'DEFAULT:QUBESRPC service dom0'] > > > > > > If I run the command directly without the request id and the literal > > > domain name, it works: > > > > > > qrexec-client -d mydomain -- 'DEFAULT:QUBESRPC service dom0' > > > > > > How can I force dom0 to use the '@default' token? > > > As 'qrexec-client' does not allow tokens in the domain name yet, would > > > this be interesting to have? > > > > > > Documents read: > > > - https://www.qubes-os.org/doc/qrexec-internals/ > > > - https://www.qubes-os.org/doc/qrexec-internals/ > > > > > > I don't think there is one-step solution, but you can get policy > > resolved by using `qrexec-policy` in the 3-arg form (skipping domain id > > and process ident). Then, you'll get the result in key=value format, > > including resolved target= that you can use in a qvm-run (or > > qrexec-client) call. It even works with `ask` policy (you get the > > prompt), which means we finally can implement qvm-copy (not just > > qvm-copy-to-vm) in dom0 too :) > > > > -- > > Best Regards, > > Marek Marczykowski-Górecki > > Invisible Things Lab > > I'm on R4.1. Up-to-date. > > Can you please give an example of a working 3-arg form as it seems that > all positional arguments are required?
Ah, right, 3-arg form is a R4.2 thing. This: [user@dom0 ~]$ qrexec-policy --help usage: qrexec-policy-exec -h usage: qrexec-policy-exec [--assume-yes-for-ask] [--just-evaluate] [--path PATH] SOURCE TARGET service+argument usage: qrexec-policy-exec [--assume-yes-for-ask] [--just-evaluate] [--path PATH] domain-id SOURCE TARGET service+argument process-ident To evaluate policy, pass 3 positional arguments: - Source domain name - Target domain name - Service name and argument separated by "+" To actually run a qrexec call, pass 5 positional arguments: - Source domain ID (Xen or similar, not Qubes ID) - Source domain name - Target domain name - Service name and argument separated by "+" - Qrexec process identifier (for data channel connection) Note that this usage is deprecated. positional arguments: args options: -h, --help show this help message and exit --assume-yes-for-ask Allow run of service without confirmation if policy say 'ask' --just-evaluate Do not run the service, only evaluate policy; retcode=0 means 'allow' --path PATH Use alternative policy path > Policy: > ``` > ## Do not modify this file, create a new policy with with a lower number in > the > ## file name instead. For example `30-user.policy`. > qusal.GitFetch * dom0 @default allow target=sys-git > qusal.GitPush * dom0 @default allow target=sys-git > qusal.GitInit * dom0 @default allow target=sys-git > qusal.GitFetch * @adminvm @default allow target=sys-git > qusal.GitPush * @adminvm @default allow target=sys-git > qusal.GitInit * @adminvm @default allow target=sys-git > > qusal.GitFetch * @anyvm @default ask target=sys-git default_target=sys-git > qusal.GitPush * @anyvm @default ask target=sys-git default_target=sys-git > qusal.GitInit * @anyvm @default ask target=sys-git default_target=sys-git > qusal.GitFetch * @anyvm @anyvm deny > qusal.GitPush * @anyvm @anyvm deny > qusal.GitInit * @anyvm @anyvm deny > ``` > Yes, I now currently dom0 is the only @adminvm. > > Trials: > ```sh > # 1 > $ qrexec-policy --just-evaluate dom0 @default qusal.GitInit+qusal > usage: qrexec-policy [-h] [--assume-yes-for-ask] [--just-evaluate] > [--path PATH] > src-domain-id SOURCE TARGET SERVICE+ARGUMENT > process-ident > qrexec-policy: error: the following arguments are required: SERVICE+ARGUMENT, > process-ident > > # 2 > $ qrexec-policy --just-evaluate 0 dom0 @default qusal.GitInit+qusal 1 > WARNING:root:warning: !compat-4.0 directive in file > /etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be > deprecated > # exit code 0 > > # 3 > $ qrexec-policy --assume-yes-for-ask 0 dom0 @default qusal.GitInit+qusal 1 > WARNING:root:warning: !compat-4.0 directive in file > /etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be > deprecated > INFO:policy:qrexec: qusal.GitInit+qusal: dom0 -> @default: denied: target > @default is not a valid choice > > # 4 > $ qrexec-policy 0 dom0 @default qusal.GitInit+qusal 1 > WARNING:root:warning: !compat-4.0 directive in file > /etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be > deprecated > ERROR:policy:qusal.GitInit not allowed from dom0: the resolution was "ask", > but source domain has no GuiVM > INFO:policy:qrexec: qusal.GitInit+qusal: dom0 -> @default: denied: denied by > the user /etc/qubes/policy.d/80-sys-git.policy:12 > ``` > > On 1 there is no possibility to skip domain id and process ident because > they don't have nargs='?'. > On 3 we see that if we assume yes for ask, @default can't be used. > On 4 if we don't assume, it is actually failing on the following rule: > ``` > qusal.GitInit * @anyvm @default ask target=sys-git default_target=sys-git > ``` > because "source domain has no GuiVM", but Dom0 has a GUI. Indeed this case needs fixing (class AdminVM doesn't have "guivm" property), as dom0 wasn't source of interactive prompt before (until this very thread). > But how to get the policy to "work" yesterday? > > Add "dom0" tag to "dom0" qube: > ``` > qvm-tags dom0 add dom0 > ``` > > Add rule allow "@tag:dom0" to "@default": > ``` > qusal.GitInit * @tag:dom0 @default allow target=sys-git > ``` > > Was the only call that was passed to qrexec-client and has the correct > target domain name but failed: > ``` > $ qrexec-policy 0 dom0 @default qusal.GitInit+qusal 1 > WARNING:root:warning: !compat-4.0 directive in file > /etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be > deprecated > INFO:policy:qrexec: qusal.GitInit+qusal: dom0 -> @default: allowed to sys-git > 2023-10-24 09:00:00.000 qrexec-client[42694]: > qrexec-client.c:184:connect_unix_socket: connect: No such file or directory > ERROR:policy:qrexec: qusal.GitInit+qusal: dom0 -> @default: error while > executing: qrexec-client failed: ['/usr/lib/qubes/qrexec-client', '-d', > 'sys-git', '-c', '1,dom0,0', '-E', '--', 'DEFAULT:QUBESRPC > qusal.GitInit+qusal dom0'] > ``` > > And if I ask to just evaluate, it doens't print the rule: > ``` > $ qrexec-policy --just-evaluate 0 dom0 @default qusal.GitInit+qusal 1 > WARNING:root:warning: !compat-4.0 directive in file > /etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be > deprecated > ``` > Exit code 0 Lets try: [user@dom0 ~]$ qrexec-policy dom0 @default qubes.ClipboardPaste WARNING:root:warning: !compat-4.0 directive in file /etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be deprecated ERROR:policy:qubes.ClipboardPaste not allowed from dom0: the resolution was "ask", but source domain has no GuiVM INFO:policy:qrexec: qubes.ClipboardPaste: dom0 -> @default: denied: denied by the user /etc/qubes/policy.d/90-default-gui-daemon.policy:10 result=deny The missing "guivm" property case. Maybe with explicit target? [user@dom0 ~]$ qrexec-policy dom0 personal qubes.ClipboardPaste WARNING:root:warning: !compat-4.0 directive in file /etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be deprecated ERROR:policy:qubes.ClipboardPaste not allowed from dom0: the resolution was "ask", but source domain has no GuiVM INFO:policy:qrexec: qubes.ClipboardPaste: dom0 -> personal: denied: denied by the user /etc/qubes/policy.d/90-default-gui-daemon.policy:10 result=deny Still doesn't work, because "@anyvm" target has ask action. So, lets skip the prompt for now: [user@dom0 ~]$ qrexec-policy --assume-yes-for-ask dom0 personal qubes.ClipboardPaste WARNING:root:warning: !compat-4.0 directive in file /etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be deprecated INFO:policy:qrexec: qubes.ClipboardPaste+: dom0 -> personal: allowed to personal user=DEFAULT result=allow target=personal autostart=True requested_target=personal Now you have the proper answer. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab -----BEGIN PGP SIGNATURE----- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAmU3nVIACgkQ24/THMrX 1yxs8Af/fCaaVmwoRT5AC9D+QYjmfpk1RAm37tGkoY2Dfkr+N1Vi8spR90AtVdkD Mw3Quo9ZHYf5PLnlVSaQUve06lXMnSOFxn38hnGPWyEgpMCN8S2nK1du6IaHTqwI xA9VhjYUOJEhG/kmmYvW+HNpwFbleI9CsW4V5v3xBVuI33B2D51tCu+2sZXkU++B z/1lfXL6S+uJ7bfLw3FSxwPPJbsvPWxJj4p4qUmfFg06o0kJ9WFfD820NxEB57wK ni+isBITpC8BTOzBe/ZIvgrrNYW8e5QaVxxlzpiFIy9+sioHgWg80n0X6NVOEBY2 rdqmKM5XEUJIsr2ZxEZEEeEa/zUZWw== =NEcp -----END PGP SIGNATURE----- -- You received this message because you are subscribed to the Google Groups "qubes-devel" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-devel+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/ZTedUvdVdgtHTY1z%40mail-itl.