On 23-10-24 12:32:50, Marek Marczykowski-Górecki wrote:
> On Tue, Oct 24, 2023 at 09:54:21AM +0000, Ben Grande wrote:
> > On 23-10-24 00:36:26, Marek Marczykowski-Górecki wrote:
> > > On Mon, Oct 23, 2023 at 09:24:13PM +0000, Ben Grande wrote:
> > > > Hello.
> > > > 
> > > > Dom0 is not normally a client for extraneous qrexec calls, but in this
> > > > case, I need dom0 to resolve the domain name from the token @default via
> > > > policy.
> > > > 
> > > > Policy:
> > > > 
> > > >         service * dom0 @default allow target=mydomain
> > > > 
> > > > Call:
> > > > 
> > > >         qrexec-client -d @default -- 'DEFAULT:QUBESRPC service dom0'
> > > > 
> > > > Dom0 does not require the policy for the call to be allowed, as it is always
> > > > allowed. Watching the qrexec policy logs, the call from Dom0 is not
> > > > logged.
> > > > 
> > > > If I run from dom0:
> > > > 
> > > >         qrexec-policy 0 dom0 @default service 1
> > > > 
> > > > It resolves the domain but fails to run the command:
> > > > 
> > > > INFO:policy:qrexec: service: dom0 -> @default: allowed to sys-git
> > > > 2023-10-23 21:19:28.154 qrexec-client[32893]: qrexec-client.c:184:connect_unix_socket: connect: No such file or directory
> > > > ERROR:policy:qrexec: service: dom0 -> @default: error while executing: qrexec-client failed: ['/usr/lib/qubes/qrexec-client', '-d', 'mydomain', '-c', '1,dom0,0', '-E', '--', 'DEFAULT:QUBESRPC service dom0']
> > > > 
> > > > If I run the command directly without the request id and the literal
> > > > domain name, it works:
> > > > 
> > > >         qrexec-client -d mydomain -- 'DEFAULT:QUBESRPC service dom0'
> > > > 
> > > > How can I force dom0 to use the '@default' token?
> > > > As 'qrexec-client' does not allow tokens in the domain name yet, would
> > > > this be interesting to have?
> > > > 
> > > > Documents read:
> > > > - https://www.qubes-os.org/doc/qrexec-internals/
> > > 
> > > 
> > > I don't think there is a one-step solution, but you can get policy
> > > resolved by using `qrexec-policy` in the 3-arg form (skipping domain id
> > > and process ident). Then, you'll get the result in key=value format,
> > > including resolved target= that you can use in a qvm-run (or
> > > qrexec-client) call. It even works with `ask` policy (you get the
> > > prompt), which means we finally can implement qvm-copy (not just
> > > qvm-copy-to-vm) in dom0 too :)
> > > 
> > > -- 
> > > Best Regards,
> > > Marek Marczykowski-Górecki
> > > Invisible Things Lab
> > 
> > I'm on R4.1. Up-to-date.
> > 
> > Can you please give an example of a working 3-arg form as it seems that
> > all positional arguments are required?
> 
> Ah, right, 3-arg form is a R4.2 thing.
> This:
> 
>     [user@dom0 ~]$ qrexec-policy --help
>     usage: qrexec-policy-exec -h
>     usage: qrexec-policy-exec [--assume-yes-for-ask] [--just-evaluate] [--path PATH] SOURCE TARGET service+argument
>     usage: qrexec-policy-exec [--assume-yes-for-ask] [--just-evaluate] [--path PATH] domain-id SOURCE TARGET service+argument process-ident
> 
>     To evaluate policy, pass 3 positional arguments:
> 
>     - Source domain name
>     - Target domain name
>     - Service name and argument separated by "+"
> 
>     To actually run a qrexec call, pass 5 positional arguments:
> 
>     - Source domain ID (Xen or similar, not Qubes ID)
>     - Source domain name
>     - Target domain name
>     - Service name and argument separated by "+"
>     - Qrexec process identifier (for data channel connection)
> 
>     Note that this usage is deprecated.
> 
>     positional arguments:
>       args
> 
>     options:
>       -h, --help            show this help message and exit
>       --assume-yes-for-ask  Allow run of service without confirmation if policy say 'ask'
>       --just-evaluate       Do not run the service, only evaluate policy; retcode=0 means 'allow'
>       --path PATH           Use alternative policy path
> 
> > Policy:
> > ```
> > ## Do not modify this file, create a new policy with a lower number in the
> > ## file name instead. For example `30-user.policy`.
> > qusal.GitFetch * dom0 @default allow target=sys-git
> > qusal.GitPush  * dom0 @default allow target=sys-git
> > qusal.GitInit  * dom0 @default allow target=sys-git
> > qusal.GitFetch * @adminvm @default allow target=sys-git
> > qusal.GitPush  * @adminvm @default allow target=sys-git
> > qusal.GitInit  * @adminvm @default allow target=sys-git
> > 
> > qusal.GitFetch * @anyvm @default ask target=sys-git default_target=sys-git
> > qusal.GitPush  * @anyvm @default ask target=sys-git default_target=sys-git
> > qusal.GitInit  * @anyvm @default ask target=sys-git default_target=sys-git
> > qusal.GitFetch * @anyvm @anyvm deny
> > qusal.GitPush  * @anyvm @anyvm deny
> > qusal.GitInit  * @anyvm @anyvm deny
> > ```
> > Yes, I know currently dom0 is the only @adminvm.
> > 
> > Trials:
> > ```sh
> > # 1
> > $ qrexec-policy --just-evaluate dom0 @default qusal.GitInit+qusal
> > usage: qrexec-policy [-h] [--assume-yes-for-ask] [--just-evaluate]
> >                      [--path PATH]
> >                      src-domain-id SOURCE TARGET SERVICE+ARGUMENT
> >                      process-ident
> > qrexec-policy: error: the following arguments are required: SERVICE+ARGUMENT, process-ident
> > 
> > # 2
> > $ qrexec-policy --just-evaluate 0 dom0 @default qusal.GitInit+qusal 1
> > WARNING:root:warning: !compat-4.0 directive in file /etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be deprecated
> > # exit code 0
> > 
> > # 3
> > $ qrexec-policy --assume-yes-for-ask 0 dom0 @default qusal.GitInit+qusal 1
> > WARNING:root:warning: !compat-4.0 directive in file /etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be deprecated
> > INFO:policy:qrexec: qusal.GitInit+qusal: dom0 -> @default: denied: target @default is not a valid choice
> > 
> > # 4
> > $ qrexec-policy 0 dom0 @default qusal.GitInit+qusal 1
> > WARNING:root:warning: !compat-4.0 directive in file /etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be deprecated
> > ERROR:policy:qusal.GitInit not allowed from dom0: the resolution was "ask", but source domain has no GuiVM
> > INFO:policy:qrexec: qusal.GitInit+qusal: dom0 -> @default: denied: denied by the user /etc/qubes/policy.d/80-sys-git.policy:12
> > ```
> > 
> > On 1 there is no possibility to skip domain id and process ident because
> > they don't have nargs='?'.
> > On 3 we see that if we assume yes for ask, @default can't be used.
> > On 4 if we don't assume, it is actually failing on the following rule:
> > ```
> > qusal.GitInit  * @anyvm @default ask target=sys-git default_target=sys-git
> > ```
> > because "source domain has no GuiVM", but Dom0 has a GUI.
> 
> Indeed this case needs fixing (class AdminVM doesn't have "guivm"
> property), as dom0 wasn't source of interactive prompt before (until
> this very thread).
> 
> > But how to get the policy to "work" yesterday?
> > 
> > Add "dom0" tag to "dom0" qube:
> > ```
> > qvm-tags dom0 add dom0
> > ```
> > 
> > Add rule allow "@tag:dom0" to "@default":
> > ```
> > qusal.GitInit  * @tag:dom0 @default allow target=sys-git
> > ```
> > 
> > This was the only call that was passed to qrexec-client and has the correct
> > target domain name, but it failed:
> > ```
> > $ qrexec-policy 0 dom0 @default qusal.GitInit+qusal 1
> > WARNING:root:warning: !compat-4.0 directive in file /etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be deprecated
> > INFO:policy:qrexec: qusal.GitInit+qusal: dom0 -> @default: allowed to sys-git
> > 2023-10-24 09:00:00.000 qrexec-client[42694]: qrexec-client.c:184:connect_unix_socket: connect: No such file or directory
> > ERROR:policy:qrexec: qusal.GitInit+qusal: dom0 -> @default: error while executing: qrexec-client failed: ['/usr/lib/qubes/qrexec-client', '-d', 'sys-git', '-c', '1,dom0,0', '-E', '--', 'DEFAULT:QUBESRPC qusal.GitInit+qusal dom0']
> > ```
> > 
> > And if I ask to just evaluate, it doesn't print the rule:
> > ```
> > $ qrexec-policy --just-evaluate 0 dom0 @default qusal.GitInit+qusal 1
> > WARNING:root:warning: !compat-4.0 directive in file /etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be deprecated
> > ```
> > Exit code 0
> 
> 
> Let's try:
> 
>     [user@dom0 ~]$ qrexec-policy dom0 @default qubes.ClipboardPaste
>     WARNING:root:warning: !compat-4.0 directive in file /etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be deprecated
>     ERROR:policy:qubes.ClipboardPaste not allowed from dom0: the resolution was "ask", but source domain has no GuiVM
>     INFO:policy:qrexec: qubes.ClipboardPaste: dom0 -> @default: denied: denied by the user /etc/qubes/policy.d/90-default-gui-daemon.policy:10
>     result=deny
> 
> The missing "guivm" property case. Maybe with explicit target?
> 
>     [user@dom0 ~]$ qrexec-policy dom0 personal qubes.ClipboardPaste
>     WARNING:root:warning: !compat-4.0 directive in file /etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be deprecated
>     ERROR:policy:qubes.ClipboardPaste not allowed from dom0: the resolution was "ask", but source domain has no GuiVM
>     INFO:policy:qrexec: qubes.ClipboardPaste: dom0 -> personal: denied: denied by the user /etc/qubes/policy.d/90-default-gui-daemon.policy:10
>     result=deny
> 
> Still doesn't work, because "@anyvm" target has ask action. So, let's
> skip the prompt for now:
> 
>     [user@dom0 ~]$ qrexec-policy --assume-yes-for-ask dom0 personal qubes.ClipboardPaste
>     WARNING:root:warning: !compat-4.0 directive in file /etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be deprecated
>     INFO:policy:qrexec: qubes.ClipboardPaste+: dom0 -> personal: allowed to personal
>     user=DEFAULT
>     result=allow
>     target=personal
>     autostart=True
>     requested_target=personal
> 
> Now you have the proper answer.
>

Can you please test with a service not provided by default? The
qubes.ClipboardPaste has `@anyvm @anyvm ask` and it affects the
evaluation.

You might also try with qubes.ClipboardPaste. On
`90-default-gui-daemon.policy`, comment out the lines, run the
evaluation tool and alternate the commented lines. You will get the same
results as I got below. In fact, `@adminvm @anyvm ask` is not doing
anything as far as I can see from my tests.

Running the evaluation from Dom0, R4.2, qubes-core-qrexec 4.2.16.

Policy:
```
test * @anyvm @anyvm ask target=personal default_target=personal
```

Call:
        $ qrexec-policy --assume-yes-for-ask dom0 personal test

        INFO:policy:qrexec: test+: dom0 -> personal: allowed to personal
        user=DEFAULT
        result=allow
        target=personal
        autostart=True
        requested_target=personal

Now change the source from `@anyvm` to `@adminvm`:
```
test * @adminvm @anyvm ask target=personal default_target=personal
```

Call:
        $ qrexec-policy --assume-yes-for-ask dom0 personal test

        INFO:policy:qrexec: test: dom0 -> personal: denied: no matching rule found
        result=deny

So what is happening? The evaluation is not considering dom0 to be an
@adminvm? I don't want to use the `@anyvm @anyvm ask` rule to avoid
qube existence probing.

-- 
Benjamin Grande
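Added example (not part of the thread and not Qubes project code): a dom0 shell example of the two-step approach Marek describes above, evaluating policy with the R4.2 3-arg form and then reusing the resolved target= in a qrexec-client call. The function names are hypothetical, and the sample output is copied from the R4.2 run quoted in the thread.

```sh
#!/bin/sh
# Added example, not Qubes code. Function names are hypothetical.

# get_field KEY: print the value of the first "KEY=value" line on stdin.
# Log lines (WARNING:..., INFO:...) never start with "KEY=", so they are skipped.
get_field() {
    sed -n "s/^$1=//p" | head -n 1
}

# resolve_target: read qrexec-policy evaluation output on stdin and print the
# resolved target only if the decision is "allow" and the name is a plain qube
# name. Returns 1 on deny/missing result, 2 on an unusable target.
resolve_target() {
    out=$(cat)
    result=$(printf '%s\n' "$out" | get_field result)
    target=$(printf '%s\n' "$out" | get_field target)
    [ "$result" = "allow" ] || return 1
    # An unresolved token such as "@default" must not reach qrexec-client -d.
    case "$target" in
        ''|*[!A-Za-z0-9_.-]*) return 2 ;;
    esac
    printf '%s\n' "$target"
}

# call_via_policy SERVICE [REQUESTED_TARGET]: evaluate policy for a call from
# dom0 (3-arg form, R4.2), then run the service on the resolved target.
# --assume-yes-for-ask is used as in the thread; it skips the "ask" prompt.
call_via_policy() {
    service=$1
    requested=${2:-@default}
    target=$(qrexec-policy --assume-yes-for-ask dom0 "$requested" "$service" |
        resolve_target) || return 1
    qrexec-client -d "$target" -- "DEFAULT:QUBESRPC $service dom0"
}

# Sample evaluation output, copied from the R4.2 run quoted in the thread.
SAMPLE='INFO:policy:qrexec: test+: dom0 -> personal: allowed to personal
user=DEFAULT
result=allow
target=personal
autostart=True
requested_target=personal'

printf '%s\n' "$SAMPLE" | resolve_target
```

Only the final line runs when the file is executed as-is; call_via_policy needs a dom0 with the R4.2 qrexec-policy.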
