/qubes-issues

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Usable error message: qvm-move-to-vm and qvm-copy-to-vm target dom0 #2031

Closed
Jeeppler opened this Issue May 25, 2016 · 7 comments

Comments

Assignees
No one assigned
Labels
Projects
None yet
Milestone
No milestone
5 participants
@Jeeppler @andrewdavidwong @jpouellet @marmarek @qubesos-bot
@Jeeppler

Jeeppler commented May 25, 2016
edited
Edited 1 time
  • @Jeeppler Jeeppler edited May 25, 2016 (most recent)

Qubes OS version (e.g., R3.1):

R3.1

Affected TemplateVMs (e.g., fedora-23, if applicable):

all

Expected behavior:

Expect an error message like:

[user@qubes-dev qubes-cheatsheet]$ qvm-copy-to-vm dom0 qubes-cheatsheet.pdf
Request refused
[user@qubes-dev qubes-cheatsheet]$ qvm-move-to-vm dom0 qubes-cheatsheet.pdf
Request refused

or

[user@qubes-dev qubes-cheatsheet]$ qvm-copy-to-vm dom0 qubes-cheatsheet.pdf
Not allowed
[user@qubes-dev qubes-cheatsheet]$ qvm-move-to-vm dom0 qubes-cheatsheet.pdf
Not allowed

each with useful qrexec error dialog message.

Actual behavior:

No, useful error message:

[user@qubes-dev qubes-cheatsheet]$ qvm-move-to-vm dom0 qubes-cheatsheet.pdf
EOFt 0/177 KB
[user@qubes-dev qubes-cheatsheet]$ qvm-copy-to-vm dom0 qubes-cheatsheet.pdf
EOFt 0/177 KB

@andrewdavidwong andrewdavidwong added enhancement C: core P: minor UX labels May 25, 2016

@andrewdavidwong

This comment has been minimized.

Show comment
Hide comment
@andrewdavidwong

andrewdavidwong May 25, 2016

Member

Related: #1839, #1324
Member

andrewdavidwong commented May 25, 2016

Related: #1839, #1324
@jpouellet

This comment has been minimized.

Show comment
Hide comment
@jpouellet

jpouellet Nov 15, 2016

Contributor

This happens because dom0 has a policy for qubes.Filecopy:

[user@dom0 ~]$ cat /etc/qubes-rpc/policy/qubes.Filecopy 
## Note that policy parsing stops at the first match,
## so adding anything below "$anyvm $anyvm action" line will have no effect

## Please use a single # to start your custom comments

$anyvm  $anyvm  ask

but no actual RPC service (no /etc/qubes-rpc/qubes.Filecopy).

When a VM tries to invoke qubes.Filecopy on dom0, qrexec-policy is consulted as normal:

[user@dom0 bin]$ sudo /usr/local/bin/execsnoop
Tracing exec()s. Ctrl-C to end.
Instrumenting sys_execve
   PID   PPID ARGS
...
  9318   8939 qrexec-policy -- 7 qubes-builder dom0 qubes.Filecopy SOCKET8
  9319   9318    qrexec-policy-9319  [003] d... 10555.510076: execsnoop_sys_execve: (SyS_execve+0x0/0x50)
  9320   9319 /sbin/ldconfig -p

You get a dialog asking to confirm. And if you do, then it tries to run the service:

  9318      0 qrexec-client -d dom0 -c SOCKET8,qubes-builder,7 /usr/lib/qubes/qubes-rpc-multiplexer qubes.Filecopy qubes-builder
  9323   9318 bash -c /usr/lib/qubes/qubes-rpc-multiplexer qubes.Filecopy qubes-builder
  9325   9323 mkfifo /tmp/qrexec-rpc-stderr.9323
  9326   9323 logger -t qubes.Filecopy-qubes-builder -f /tmp/qrexec-rpc-stderr.9323
  9327   9323 rm -f /tmp/qrexec-rpc-stderr.9323
  9323      0 /bin/sh -- /etc/qubes-rpc/qubes.Filecopy

but no such service exists.

One possible solution is to just add:

$anyvm  dom0    deny

to the top of the policy.

Thoughts?
Contributor

jpouellet commented Nov 15, 2016

This happens because dom0 has a policy for qubes.Filecopy:

[user@dom0 ~]$ cat /etc/qubes-rpc/policy/qubes.Filecopy 
## Note that policy parsing stops at the first match,
## so adding anything below "$anyvm $anyvm action" line will have no effect

## Please use a single # to start your custom comments

$anyvm  $anyvm  ask

but no actual RPC service (no /etc/qubes-rpc/qubes.Filecopy).

When a VM tries to invoke qubes.Filecopy on dom0, qrexec-policy is consulted as normal:

[user@dom0 bin]$ sudo /usr/local/bin/execsnoop
Tracing exec()s. Ctrl-C to end.
Instrumenting sys_execve
   PID   PPID ARGS
...
  9318   8939 qrexec-policy -- 7 qubes-builder dom0 qubes.Filecopy SOCKET8
  9319   9318    qrexec-policy-9319  [003] d... 10555.510076: execsnoop_sys_execve: (SyS_execve+0x0/0x50)
  9320   9319 /sbin/ldconfig -p

You get a dialog asking to confirm. And if you do, then it tries to run the service:

  9318      0 qrexec-client -d dom0 -c SOCKET8,qubes-builder,7 /usr/lib/qubes/qubes-rpc-multiplexer qubes.Filecopy qubes-builder
  9323   9318 bash -c /usr/lib/qubes/qubes-rpc-multiplexer qubes.Filecopy qubes-builder
  9325   9323 mkfifo /tmp/qrexec-rpc-stderr.9323
  9326   9323 logger -t qubes.Filecopy-qubes-builder -f /tmp/qrexec-rpc-stderr.9323
  9327   9323 rm -f /tmp/qrexec-rpc-stderr.9323
  9323      0 /bin/sh -- /etc/qubes-rpc/qubes.Filecopy

but no such service exists.

One possible solution is to just add:

$anyvm  dom0    deny

to the top of the policy.

Thoughts?

jpouellet added a commit to jpouellet/qubes-core-admin that referenced this issue Nov 15, 2016

@jpouellet
Explicitly deny qubes.Filecopy to dom0 in RPC policy 
It already wasn't possible to qubes.Filecopy to dom0 because dom0
had no actual qubes.Filecopy service.

The introduction of this policy only improves the error message when
someone tries.

Fixes QubesOS/qubes-issues#2031
Unverified
The key that signed this is expired.
GPG key ID: E7E455013D042EA1 Learn about signing commits
9835167

@jpouellet jpouellet referenced this issue in QubesOS/qubes-core-admin Nov 15, 2016

Closed

Explicitly deny qubes.Filecopy to dom0 in RPC policy #70

@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Nov 15, 2016

Member

I think the bug is elsewhere: documentation says dom0 reserved keywords (note string dom0 does not match the $anyvm pattern; all other names do). Apparently this is broken...
Member

marmarek commented Nov 15, 2016

I think the bug is elsewhere: documentation says dom0 reserved keywords (note string dom0 does not match the $anyvm pattern; all other names do). Apparently this is broken...

@marmarek marmarek closed this in marmarek/qubes-core-admin-linux@981a11c Nov 18, 2016

marmarek added a commit to marmarek/qubes-core-admin that referenced this issue Nov 18, 2016

@marmarek
tests: check '$anyvm' parsing in qrexec policy 
Regression test for QubesOS/qubes-issues#2031
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
68a116e
@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Nov 18, 2016

Member

Automated announcement from builder-github

The package qubes-core-dom0-linux-3.2.10-1.fc23 has been pushed to the r3.2 testing repository for dom0.
To test this update, please install it with the following command:

sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing

Changes included in this update
Member

marmarek commented Nov 18, 2016

Automated announcement from builder-github

The package qubes-core-dom0-linux-3.2.10-1.fc23 has been pushed to the r3.2 testing repository for dom0.
To test this update, please install it with the following command:

sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing

Changes included in this update

@marmarek marmarek added the r3.2-dom0-cur-test label Nov 18, 2016

marmarek added a commit to QubesOS/qubes-core-admin that referenced this issue Nov 20, 2016

@marmarek
tests: check '$anyvm' parsing in qrexec policy 
Regression test for QubesOS/qubes-issues#2031

(cherry picked from commit 68a116e)
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
d60bc28

marmarek added a commit to QubesOS/qubes-core-admin-linux that referenced this issue Nov 20, 2016

@marmarek
qrexec: really do not match 'dom0' at '$anyvm', as documented 
Design documentation says:
'note string dom0 does not match the $anyvm pattern; all other names do'

This behaviour was broken, because 'is not' in python isn't the same as
string comparison. In theory this could result in some service
erroneously allowed to execute in dom0, but in practice such services are
not installed in dom0 at all, so the only impact was misleading error
message.

Fixes QubesOS/qubes-issues#2031
Reported by @Jeeppler

(cherry picked from commit 981a11c)
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
bc0d64b
@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Nov 20, 2016

Member

Automated announcement from builder-github

The package qubes-core-dom0-linux-3.1.13-1.fc20 has been pushed to the r3.1 testing repository for dom0.
To test this update, please install it with the following command:

sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing

Changes included in this update
Member

marmarek commented Nov 20, 2016

Automated announcement from builder-github

The package qubes-core-dom0-linux-3.1.13-1.fc20 has been pushed to the r3.1 testing repository for dom0.
To test this update, please install it with the following command:

sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing

Changes included in this update

@marmarek marmarek added the r3.1-dom0-cur-test label Nov 20, 2016

@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Dec 4, 2016

Member

Automated announcement from builder-github

The package qubes-core-dom0-linux-3.1.13-1.fc20 has been pushed to the r3.1 stable repository for dom0.
To install this update, please use the standard update command:

sudo qubes-dom0-update

Or update dom0 via Qubes Manager.

Changes included in this update
Member

marmarek commented Dec 4, 2016

Automated announcement from builder-github

The package qubes-core-dom0-linux-3.1.13-1.fc20 has been pushed to the r3.1 stable repository for dom0.
To install this update, please use the standard update command:

sudo qubes-dom0-update

Or update dom0 via Qubes Manager.

Changes included in this update

@marmarek marmarek added r3.1-dom0-stable and removed r3.1-dom0-cur-test labels Dec 4, 2016

@qubesos-bot

This comment has been minimized.

Show comment
Hide comment
@qubesos-bot

qubesos-bot Jan 8, 2017

Automated announcement from builder-github

The package qubes-core-dom0-linux-3.2.11-1.fc23 has been pushed to the r3.2 stable repository for dom0.
To install this update, please use the standard update command:

sudo qubes-dom0-update

Or update dom0 via Qubes Manager.

Changes included in this update

qubesos-bot commented Jan 8, 2017

Automated announcement from builder-github

The package qubes-core-dom0-linux-3.2.11-1.fc23 has been pushed to the r3.2 stable repository for dom0.
To install this update, please use the standard update command:

sudo qubes-dom0-update

Or update dom0 via Qubes Manager.

Changes included in this update

@qubesos-bot qubesos-bot added r3.2-dom0-stable and removed r3.2-dom0-cur-test labels Jan 8, 2017

marmarek added a commit to QubesOS/qubes-core-admin that referenced this issue Mar 14, 2017

@marmarek
tests: check '$anyvm' parsing in qrexec policy 
Regression test for QubesOS/qubes-issues#2031

(cherry picked from commit 68a116e)
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
20e4764

@qubesos-bot qubesos-bot referenced this issue in QubesOS/updates-status Mar 16, 2017

Closed

core-admin v3.2.13 (r3.2) #13

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment