Input proxy doesn't handle hybrid keyboard+mouse devices #1618

marmarek · Jan 13, 2016

In current settings, such devices would trigger two services: qubes.InputMouse and qubes.InputKeyboard, attached to the same device. Only the first one will succeed, the other one would not receive any events. Apparently in most cases mouse wins.

More info:
https://groups.google.com/d/msgid/qubes-users/56928E93.6030305%40noses.com

Surely qubes.InputMouse shouldn't be attached to such device (because it's meant to mouse-only devices). The question is what should be? I see a few options:

create another service qubes.InputKeyboardAndMouse, which would handle such devices
extend existing qubes.InputKeyboard to also allow mouse events (perhaps then rename it to qubes.inputKeyboardAndMouse...

@rootkovska any opinion?

marmarek · Jan 13, 2016

Surely qubes.InputMouse shouldn't be attached to such device (because it's meant to mouse-only devices). The question is what should be? I see a few options:

create another service qubes.InputKeyboardAndMouse, which would handle such devices
extend existing qubes.InputKeyboard to also allow mouse events (perhaps then rename it to qubes.inputKeyboardAndMouse...

@rootkovska any opinion?

A note about renaming service - it would break existing setups when only dom0 or only template got updated. This may mean cutting someone from keyboard access...
So preferably I'd either introduce new service for that and leave the old one too, or extend existing one, without renaming it.

marmarek · Jan 13, 2016

A note about renaming service - it would break existing setups when only dom0 or only template got updated. This may mean cutting someone from keyboard access...
So preferably I'd either introduce new service for that and leave the old one too, or extend existing one, without renaming it.

Yeah, we don't want to break existing services (especially they I use them on some of my machines already :P)

rootkovska · Jan 14, 2016

Yeah, we don't want to break existing services (especially they I use them on some of my machines already :P)

I would go with extending existing service - qubes.InputKeyboard would allow both keyboard and mouse events. Any security drawbacks with that?

marmarek · Jan 14, 2016

I would go with extending existing service - qubes.InputKeyboard would allow both keyboard and mouse events. Any security drawbacks with that?

Well qubes.InputKeyboard is already a serious security hole (and it's good it has "deny" policy by default), and I don't think adding mouse events to it might change much here.

rootkovska · Jan 14, 2016

Well qubes.InputKeyboard is already a serious security hole (and it's good it has "deny" policy by default), and I don't think adding mouse events to it might change much here.

... of course qubes.InputKeyboard is still much better than having USB controller in Dom0, which has been the only way so far to support keyboard on some systems. There is a limit to what we can do in software...

rootkovska · Jan 14, 2016

... of course qubes.InputKeyboard is still much better than having USB controller in Dom0, which has been the only way so far to support keyboard on some systems. There is a limit to what we can do in software...

@rootkovska do you have some wireless mouse? If so, could you check udevadm info -q all -n input/eventX (with appropriate event device) for ID_INPUT_* vars? To be sure that mouse is really visible as a mouse, not mouse+keyboard. Otherwise this change would break such setup...

marmarek · Jan 14, 2016

@rootkovska do you have some wireless mouse? If so, could you check udevadm info -q all -n input/eventX (with appropriate event device) for ID_INPUT_* vars? To be sure that mouse is really visible as a mouse, not mouse+keyboard. Otherwise this change would break such setup...

I've checked that in the meantime - Logitech Unifying Receiver is discovered as keyboard+mouse device, even when it's paired only with a mouse. So directing this to qubes.InputKeyboard unconditionally would make it impossible to use mouse-only device (with keyboard access blocked)...
As this decision (whether to allow USB keyboard or not) needs to be made, I think it may simply affect all the input devices connected to the USB VM. Not sure about the details yet, maybe simply qubes.Input service with a configuration what kind of events should be allowed?

marmarek · Jan 17, 2016

I've checked that in the meantime - Logitech Unifying Receiver is discovered as keyboard+mouse device, even when it's paired only with a mouse. So directing this to qubes.InputKeyboard unconditionally would make it impossible to use mouse-only device (with keyboard access blocked)...
As this decision (whether to allow USB keyboard or not) needs to be made, I think it may simply affect all the input devices connected to the USB VM. Not sure about the details yet, maybe simply qubes.Input service with a configuration what kind of events should be allowed?

On Jan 16, 2016 7:37 PM, "Marek Marczykowski-Górecki" <
notifications@github.com> wrote:

I've checked that in the meantime - Logitech Unifying Receiver is
discovered as keyboard+mouse device, even when it's paired only with a
mouse. So directing this to qubes.InputKeyboard unconditionally would make
it impossible to use mouse-only device (with keyboard access blocked)...
As this decision (whether to allow USB keyboard or not) needs to be made,
I think it may simply affect all the input devices connected to the USB VM.
Not sure about the details yet, maybe simply qubes.Input service with a
configuration what kind of events should be allowed?

Maybe I'm misreading this but it might be best to just make the proxy's
kb/mouse device as a user decision. With or without this proxy VM, it's
probably the right thing to do to ask if a user wants to limit kb/mouse and
provide a pretty UI to do so. OTOH, I think trying to automate this either
leads to a system that's too open or too closed (as seems to be the case
with the Logitech test).

Ie, I have no use for you reducing security to support any wireless
kb/mouse (I don't have any and kinda disagree with their use). But maybe
I'd want the proxy to 'bring up' whatever interface my Ducky kb shows for
reprogramming (I don't really care about this but...). Further, IIRC I've
got 4x kb types and 3x mouse types here, so if I wanted support for any
hardware I'm likely to use here, I'd need to configure 7x devices. All
(except the Ducky) only provide one simple HID and that's what I'd expect
to allow.

ag4ve · Feb 6, 2016

On Jan 16, 2016 7:37 PM, "Marek Marczykowski-Górecki" <
notifications@github.com> wrote:

I've checked that in the meantime - Logitech Unifying Receiver is
discovered as keyboard+mouse device, even when it's paired only with a
mouse. So directing this to qubes.InputKeyboard unconditionally would make
it impossible to use mouse-only device (with keyboard access blocked)...
As this decision (whether to allow USB keyboard or not) needs to be made,
I think it may simply affect all the input devices connected to the USB VM.
Not sure about the details yet, maybe simply qubes.Input service with a
configuration what kind of events should be allowed?

Maybe I'm misreading this but it might be best to just make the proxy's
kb/mouse device as a user decision. With or without this proxy VM, it's
probably the right thing to do to ask if a user wants to limit kb/mouse and
provide a pretty UI to do so. OTOH, I think trying to automate this either
leads to a system that's too open or too closed (as seems to be the case
with the Logitech test).

Ie, I have no use for you reducing security to support any wireless
kb/mouse (I don't have any and kinda disagree with their use). But maybe
I'd want the proxy to 'bring up' whatever interface my Ducky kb shows for
reprogramming (I don't really care about this but...). Further, IIRC I've
got 4x kb types and 3x mouse types here, so if I wanted support for any
hardware I'm likely to use here, I'd need to configure 7x devices. All
(except the Ducky) only provide one simple HID and that's what I'd expect
to allow.

The final solution is to try both in case of hybrid device. In short:

mouse only device - connect to qubes.InputMouse
keyboard only device - connect to qubes.InputKeyboard
keyboard+mouse device - connect to qubes.InputKeyboard, then if fails, connect to qubes.InputMouse

qubes.InputKeyboard allows both keyboard and mouse events.

This way, it's up to the user to either allow or deny keyboard devices connected to USB VM. And in case of deny (the default), mouse events will be still allowed from hybrid devices.

There is no GUI for setting qrexec policy yet, but that's just a single line in configuration.

marmarek · Feb 6, 2016

The final solution is to try both in case of hybrid device. In short:

mouse only device - connect to qubes.InputMouse
keyboard only device - connect to qubes.InputKeyboard
keyboard+mouse device - connect to qubes.InputKeyboard, then if fails, connect to qubes.InputMouse

qubes.InputKeyboard allows both keyboard and mouse events.

This way, it's up to the user to either allow or deny keyboard devices connected to USB VM. And in case of deny (the default), mouse events will be still allowed from hybrid devices.

There is no GUI for setting qrexec policy yet, but that's just a single line in configuration.

Automated announcement from builder-github

The package qubes-input-proxy-1.0.3-1.fc21 has been pushed to the r3.1 testing repository for the Fedora fc21 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r3.1-current-testing

QubesOS/qubes-issues

Join GitHub today

Input proxy doesn't handle hybrid keyboard+mouse devices #1618

Comments

marmarek commented Jan 13, 2016

marmarek added bug C: other P: major labels Jan 13, 2016

marmarek added this to the Release 3.1 milestone Jan 13, 2016

This comment has been minimized.

marmarek commented Jan 13, 2016

This comment has been minimized.

marmarek commented Jan 13, 2016

This comment has been minimized.

rootkovska commented Jan 14, 2016

This comment has been minimized.

marmarek commented Jan 14, 2016

This comment has been minimized.

rootkovska commented Jan 14, 2016

This comment has been minimized.

rootkovska commented Jan 14, 2016

This comment has been minimized.

marmarek commented Jan 14, 2016

This comment has been minimized.

marmarek commented Jan 17, 2016

marmarek self-assigned this Feb 5, 2016

marmarek added a commit to marmarek/qubes-app-linux-input-proxy that referenced this issue Feb 5, 2016

marmarek added a commit to marmarek/qubes-app-linux-input-proxy that referenced this issue Feb 5, 2016

marmarek added a commit to marmarek/qubes-app-linux-input-proxy that referenced this issue Feb 5, 2016

marmarek closed this in marmarek/qubes-app-linux-input-proxy@0a0b886 Feb 5, 2016

This comment has been minimized.

ag4ve commented Feb 6, 2016

This comment has been minimized.

marmarek commented Feb 6, 2016

This comment has been minimized.

marmarek commented Feb 11, 2016

marmarek added the r3.1-fc21-cur-test label Feb 11, 2016

This comment has been minimized.

marmarek commented Feb 11, 2016

marmarek added the r3.1-fc22-cur-test label Feb 11, 2016

This comment has been minimized.

marmarek commented Feb 11, 2016

marmarek added the r3.1-fc23-cur-test label Feb 11, 2016

This comment has been minimized.

marmarek commented Feb 11, 2016

marmarek added the r3.1-dom0-cur-test label Feb 11, 2016

This comment has been minimized.

marmarek commented Feb 22, 2016

marmarek added r3.1-fc21-stable and removed r3.1-fc21-cur-test labels Feb 22, 2016

This comment has been minimized.

marmarek commented Feb 22, 2016

marmarek added r3.1-fc22-stable and removed r3.1-fc22-cur-test labels Feb 22, 2016

This comment has been minimized.

marmarek commented Feb 22, 2016

marmarek added r3.1-fc23-stable and removed r3.1-fc23-cur-test labels Feb 22, 2016

This comment has been minimized.

marmarek commented Feb 22, 2016

marmarek added r3.1-dom0-stable and removed r3.1-dom0-cur-test labels Feb 22, 2016

marmarek added a commit to marmarek/qubes-app-linux-input-proxy that referenced this issue Jul 17, 2016

marmarek closed this in `marmarek/qubes-app-linux-input-proxy@0a0b886` Feb 5, 2016