-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 23-10-24 12:32:50, Marek Marczykowski-Górecki wrote: > On Tue, Oct 24, 2023 at 09:54:21AM +0000, Ben Grande wrote: > > On 23-10-24 00:36:26, Marek Marczykowski-Górecki wrote: > > > On Mon, Oct 23, 2023 at 09:24:13PM +0000, Ben Grande wrote: > > > > Hello. > > > > > > > > Dom0 is not normally a client for extraneous qrexec calls, but in this > > > > case, I need dom0 to resolve the domain name from the token @default via > > > > policy. > > > > > > > > Policy: > > > > > > > > service * dom0 @default allow target=mydomain > > > > > > > > Call: > > > > > > > > qrexec-client -d @default -- 'DEFAULT:QUBESRPC service dom0' > > > > > > > > Dom0 does not requires the policy the call to be allowed, as it is > > > > always > > > > allowed. Watching the qrexec policy logs, the call from Dom0 is not > > > > logged. > > > > > > > > If I run from dom0: > > > > > > > > qrexec-policy 0 dom0 @default service 1 > > > > > > > > It resolves the domain but fails to run the command: > > > > > > > > INFO:policy:qrexec: service: dom0 -> @default: allowed to sys-git > > > > 2023-10-23 21:19:28.154 qrexec-client[32893]: > > > > qrexec-client.c:184:connect_unix_socket: connect: No such file or > > > > directory > > > > ERROR:policy:qrexec: service: dom0 -> @default: error while executing: > > > > qrexec-client failed: ['/usr/lib/qubes/qrexec-client', '-d', > > > > 'mydomain', '-c', '1,dom0,0', '-E', '--', 'DEFAULT:QUBESRPC service > > > > dom0'] > > > > > > > > If I run the command directly without the request id and the literal > > > > domain name, it works: > > > > > > > > qrexec-client -d mydomain -- 'DEFAULT:QUBESRPC service > > > > dom0' > > > > > > > > How can I force dom0 to use the '@default' token? > > > > As 'qrexec-client' does not allow tokens in the domain name yet, would > > > > this be interesting to have? > > > > > > > > Documents read: > > > > - https://www.qubes-os.org/doc/qrexec-internals/ > > > > - https://www.qubes-os.org/doc/qrexec-internals/ > > > > > > > > > I don't think there is one-step solution, but you can get policy > > > resolved by using `qrexec-policy` in the 3-arg form (skipping domain id > > > and process ident). Then, you'll get the result in key=value format, > > > including resolved target= that you can use in a qvm-run (or > > > qrexec-client) call. It even works with `ask` policy (you get the > > > prompt), which means we finally can implement qvm-copy (not just > > > qvm-copy-to-vm) in dom0 too :) > > > > > > -- > > > Best Regards, > > > Marek Marczykowski-Górecki > > > Invisible Things Lab > > > > I'm on R4.1. Up-to-date. > > > > Can you please give an example of a working 3-arg form as it seems that > > all positional arguments are required? > > Ah, right, 3-arg form is a R4.2 thing. > This: > > [user@dom0 ~]$ qrexec-policy --help > usage: qrexec-policy-exec -h > usage: qrexec-policy-exec [--assume-yes-for-ask] [--just-evaluate] > [--path PATH] SOURCE TARGET service+argument > usage: qrexec-policy-exec [--assume-yes-for-ask] [--just-evaluate] > [--path PATH] domain-id SOURCE TARGET service+argument process-ident > > To evaluate policy, pass 3 positional arguments: > > - Source domain name > - Target domain name > - Service name and argument separated by "+" > > To actually run a qrexec call, pass 5 positional arguments: > > - Source domain ID (Xen or similar, not Qubes ID) > - Source domain name > - Target domain name > - Service name and argument separated by "+" > - Qrexec process identifier (for data channel connection) > > Note that this usage is deprecated. > > positional arguments: > args > > options: > -h, --help show this help message and exit > --assume-yes-for-ask Allow run of service without confirmation if > policy say 'ask' > --just-evaluate Do not run the service, only evaluate policy; > retcode=0 means 'allow' > --path PATH Use alternative policy path > > > Policy: > > ``` > > ## Do not modify this file, create a new policy with with a lower number in > > the > > ## file name instead. For example `30-user.policy`. > > qusal.GitFetch * dom0 @default allow target=sys-git > > qusal.GitPush * dom0 @default allow target=sys-git > > qusal.GitInit * dom0 @default allow target=sys-git > > qusal.GitFetch * @adminvm @default allow target=sys-git > > qusal.GitPush * @adminvm @default allow target=sys-git > > qusal.GitInit * @adminvm @default allow target=sys-git > > > > qusal.GitFetch * @anyvm @default ask target=sys-git default_target=sys-git > > qusal.GitPush * @anyvm @default ask target=sys-git default_target=sys-git > > qusal.GitInit * @anyvm @default ask target=sys-git default_target=sys-git > > qusal.GitFetch * @anyvm @anyvm deny > > qusal.GitPush * @anyvm @anyvm deny > > qusal.GitInit * @anyvm @anyvm deny > > ``` > > Yes, I now currently dom0 is the only @adminvm. > > > > Trials: > > ```sh > > # 1 > > $ qrexec-policy --just-evaluate dom0 @default qusal.GitInit+qusal > > usage: qrexec-policy [-h] [--assume-yes-for-ask] [--just-evaluate] > > [--path PATH] > > src-domain-id SOURCE TARGET SERVICE+ARGUMENT > > process-ident > > qrexec-policy: error: the following arguments are required: > > SERVICE+ARGUMENT, process-ident > > > > # 2 > > $ qrexec-policy --just-evaluate 0 dom0 @default qusal.GitInit+qusal 1 > > WARNING:root:warning: !compat-4.0 directive in file > > /etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be > > deprecated > > # exit code 0 > > > > # 3 > > $ qrexec-policy --assume-yes-for-ask 0 dom0 @default qusal.GitInit+qusal 1 > > WARNING:root:warning: !compat-4.0 directive in file > > /etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be > > deprecated > > INFO:policy:qrexec: qusal.GitInit+qusal: dom0 -> @default: denied: target > > @default is not a valid choice > > > > # 4 > > $ qrexec-policy 0 dom0 @default qusal.GitInit+qusal 1 > > WARNING:root:warning: !compat-4.0 directive in file > > /etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be > > deprecated > > ERROR:policy:qusal.GitInit not allowed from dom0: the resolution was "ask", > > but source domain has no GuiVM > > INFO:policy:qrexec: qusal.GitInit+qusal: dom0 -> @default: denied: denied > > by the user /etc/qubes/policy.d/80-sys-git.policy:12 > > ``` > > > > On 1 there is no possibility to skip domain id and process ident because > > they don't have nargs='?'. > > On 3 we see that if we assume yes for ask, @default can't be used. > > On 4 if we don't assume, it is actually failing on the following rule: > > ``` > > qusal.GitInit * @anyvm @default ask target=sys-git default_target=sys-git > > ``` > > because "source domain has no GuiVM", but Dom0 has a GUI. > > Indeed this case needs fixing (class AdminVM doesn't have "guivm" > property), as dom0 wasn't source of interactive prompt before (until > this very thread). > > > But how to get the policy to "work" yesterday? > > > > Add "dom0" tag to "dom0" qube: > > ``` > > qvm-tags dom0 add dom0 > > ``` > > > > Add rule allow "@tag:dom0" to "@default": > > ``` > > qusal.GitInit * @tag:dom0 @default allow target=sys-git > > ``` > > > > Was the only call that was passed to qrexec-client and has the correct > > target domain name but failed: > > ``` > > $ qrexec-policy 0 dom0 @default qusal.GitInit+qusal 1 > > WARNING:root:warning: !compat-4.0 directive in file > > /etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be > > deprecated > > INFO:policy:qrexec: qusal.GitInit+qusal: dom0 -> @default: allowed to > > sys-git > > 2023-10-24 09:00:00.000 qrexec-client[42694]: > > qrexec-client.c:184:connect_unix_socket: connect: No such file or directory > > ERROR:policy:qrexec: qusal.GitInit+qusal: dom0 -> @default: error while > > executing: qrexec-client failed: ['/usr/lib/qubes/qrexec-client', '-d', > > 'sys-git', '-c', '1,dom0,0', '-E', '--', 'DEFAULT:QUBESRPC > > qusal.GitInit+qusal dom0'] > > ``` > > > > And if I ask to just evaluate, it doens't print the rule: > > ``` > > $ qrexec-policy --just-evaluate 0 dom0 @default qusal.GitInit+qusal 1 > > WARNING:root:warning: !compat-4.0 directive in file > > /etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be > > deprecated > > ``` > > Exit code 0 > > > Lets try: > > [user@dom0 ~]$ qrexec-policy dom0 @default qubes.ClipboardPaste > WARNING:root:warning: !compat-4.0 directive in file > /etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be > deprecated > ERROR:policy:qubes.ClipboardPaste not allowed from dom0: the resolution > was "ask", but source domain has no GuiVM > INFO:policy:qrexec: qubes.ClipboardPaste: dom0 -> @default: denied: > denied by the user /etc/qubes/policy.d/90-default-gui-daemon.policy:10 > result=deny > > The missing "guivm" property case. Maybe with explicit target? > > [user@dom0 ~]$ qrexec-policy dom0 personal qubes.ClipboardPaste > WARNING:root:warning: !compat-4.0 directive in file > /etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be > deprecated > ERROR:policy:qubes.ClipboardPaste not allowed from dom0: the resolution > was "ask", but source domain has no GuiVM > INFO:policy:qrexec: qubes.ClipboardPaste: dom0 -> personal: denied: > denied by the user /etc/qubes/policy.d/90-default-gui-daemon.policy:10 > result=deny > > Still doesn't work, because "@anyvm" target has ask action. So, lets > skip the prompt for now: > > [user@dom0 ~]$ qrexec-policy --assume-yes-for-ask dom0 personal > qubes.ClipboardPaste > WARNING:root:warning: !compat-4.0 directive in file > /etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be > deprecated > INFO:policy:qrexec: qubes.ClipboardPaste+: dom0 -> personal: allowed to > personal > user=DEFAULT > result=allow > target=personal > autostart=True > requested_target=personal > > Now you have the proper answer. > > -- > Best Regards, > Marek Marczykowski-Górecki > Invisible Things Lab >
Thanks for the replies, always helpful :) . Now I know how to do it... just have to wait till R4.2. To track the Dom0 without GuiVM issue: https://github.com/QubesOS/qubes-issues/issues/8646 I will assume the following output by your examples for my use case: [user@dom0 ~]$ qrexec-policy --assume-yes-for-ask dom0 @default qusal.GitInit+qusal INFO:policy:qrexec: qusal.GitInit+qusal: dom0 -> @default: allowed to sys-git user=DEFAULT result=allow target=sys-git autostart=True requested_target=@default - -- Benjamin Grande -----BEGIN PGP SIGNATURE----- iNUEARYKAH0WIQRklnEdsUUe50UmvUUbcxS/DMyWhwUCZTe7F18UgAAAAAAuAChp c3N1ZXItZnByQG5vdGF0aW9ucy5vcGVucGdwLmZpZnRoaG9yc2VtYW4ubmV0NjQ5 NjcxMURCMTQ1MUVFNzQ1MjZCRDQ1MUI3MzE0QkYwQ0NDOTY4NwAKCRAbcxS/DMyW hwUsAQClk7zg62SG2eG1ilIm4e2u1ARoDx6dH7PIE0bs5IFsUAD/SEOg1OkOQHlF qqcxcyhRWMVoFv0dnqFKhQCwP/HuPAU= =+ngz -----END PGP SIGNATURE----- -- You received this message because you are subscribed to the Google Groups "qubes-devel" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-devel+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/ZTe7F6BoZve0mheD%40personal-mutt.