"Request refused" on every qvm-* command in VMs since 4.0-RC4

[arjan-s]

Qubes OS version:

R4.0 (RC4)

Affected component(s):

Qubes RPC policy

---

Steps to reproduce the behavior:

Run qvm-copy filename or qvm-sync-clock from a VM.

Expected behavior:

Qubes should ask where to copy the file, or sync the clock.

Actual behavior:

The command outputs "Request refused", and dom0 logs these kind of lines:

qubes.Filecopy: testvm -> _default: denied: no matching rule found
qubes.GetDate: personal -> _default: denied: no matching rule found

General notes:

Looking at the files in /etc/qubes-rpc/policy, it seems like everything is in order. For instance, the file qubes.Filecopy correctly contains the default line $anyvm $anyvm ask.

---

Related issues:

[marmarek]

Have you updated templates, as in https://www.qubes-os.org/news/2018/02/20/qsb-38/ ?

[marmarek]

Have you updated templates, as in https://www.qubes-os.org/news/2018/02/20/qsb-38/ ?

[arjan-s]

Oops, my bad! I thought I updated everything, but I now see that my Arch Linux template (which I use the most) didn't receive new Qubes packages. There are no updates available there, so I will look into updating them manually.
The qvm-* commands work just fine from AppVM's based on Fedora.
Thanks for pointing me in the right direction!

[arjan-s]

Oops, my bad! I thought I updated everything, but I now see that my Arch Linux template (which I use the most) didn't receive new Qubes packages. There are no updates available there, so I will look into updating them manually.
The qvm-* commands work just fine from AppVM's based on Fedora.
Thanks for pointing me in the right direction!

[andrewdavidwong]

Closing this as "resolved." If you believe the issue is not yet resolved, or if anyone is still affected by this issue, please leave a comment, and we'll be happy to reopen this. Thank you.

[andrewdavidwong]

Closing this as "resolved." If you believe the issue is not yet resolved, or if anyone is still affected by this issue, please leave a comment, and we'll be happy to reopen this. Thank you.

[Nexolight]

I have the same issues. However I'm creating my own packages for a new template vm. I'm using the latest tag from the qubes-core-agent-linux repository (v4.0.24).

It seems that here this line finally get's called when doing qvm-copy:
/usr/lib/qubes/qrexec-client-vm "$VM" qubes.Filecopy /usr/lib/qubes/qfile-agent "$@"

By testing a few things It seems that these symbols / $ ! # and most likely a few more are replaced with _ somewhere. When I execute this command I get the vmname displayed on dom0 which is supposed to be literally '$default' or an actual vm name.

I can send stuff just fine by using the full vmname. However qvm-copy uses '$default' and I want to use that command as well.

I searched about an hour but can't manage to find where this characters are replaced. Can anyone help?

I assume this piece of code, mentioned here is responsible:

static void sanitize_name(char * untrusted_s_signed, char *extra_allowed_chars)
    {
        unsigned char * untrusted_s;
        for (untrusted_s=(unsigned char*)untrusted_s_signed; *untrusted_s; untrusted_s++) {
            if (*untrusted_s >= 'a' && *untrusted_s <= 'z')
                continue;
            if (*untrusted_s >= 'A' && *untrusted_s <= 'Z')
                continue;
            if (*untrusted_s >= '0' && *untrusted_s <= '9')
                continue;
            if (*untrusted_s == '$' ||
                   *untrusted_s == '_' ||
                   *untrusted_s == '-' ||
                   *untrusted_s == '.')
                continue;
            if (extra_allowed_chars && strchr(extra_allowed_chars, *untrusted_s))
                continue;
            *untrusted_s = '_';
        }
    }

[Nexolight]

I have the same issues. However I'm creating my own packages for a new template vm. I'm using the latest tag from the qubes-core-agent-linux repository (v4.0.24).

It seems that here this line finally get's called when doing qvm-copy:
/usr/lib/qubes/qrexec-client-vm "$VM" qubes.Filecopy /usr/lib/qubes/qfile-agent "$@"

By testing a few things It seems that these symbols / $ ! # and most likely a few more are replaced with _ somewhere. When I execute this command I get the vmname displayed on dom0 which is supposed to be literally '$default' or an actual vm name.

I can send stuff just fine by using the full vmname. However qvm-copy uses '$default' and I want to use that command as well.

I searched about an hour but can't manage to find where this characters are replaced. Can anyone help?

I assume this piece of code, mentioned here is responsible:

static void sanitize_name(char * untrusted_s_signed, char *extra_allowed_chars)
    {
        unsigned char * untrusted_s;
        for (untrusted_s=(unsigned char*)untrusted_s_signed; *untrusted_s; untrusted_s++) {
            if (*untrusted_s >= 'a' && *untrusted_s <= 'z')
                continue;
            if (*untrusted_s >= 'A' && *untrusted_s <= 'Z')
                continue;
            if (*untrusted_s >= '0' && *untrusted_s <= '9')
                continue;
            if (*untrusted_s == '$' ||
                   *untrusted_s == '_' ||
                   *untrusted_s == '-' ||
                   *untrusted_s == '.')
                continue;
            if (extra_allowed_chars && strchr(extra_allowed_chars, *untrusted_s))
                continue;
            *untrusted_s = '_';
        }
    }

[marmarek]

qrexec-client-vm should convert '$' to '@'. Make sure you really use this version.

[marmarek]

qrexec-client-vm should convert '$' to '@'. Make sure you really use this version.

[Nexolight]

v4.0.24 contains that code and it probably does work. The problem is just that when I write:
/usr/lib/qubes/qrexec-client-vm '@default' qubes.Filecopy /usr/lib/qubes/qfile-agent somefile

then this appears still in the log of dom0: ..._default: denied...
When using as example @@default this happens __default: denied

seems like @ is also replaced.

[Nexolight]

v4.0.24 contains that code and it probably does work. The problem is just that when I write:
/usr/lib/qubes/qrexec-client-vm '@default' qubes.Filecopy /usr/lib/qubes/qfile-agent somefile

then this appears still in the log of dom0: ..._default: denied...
When using as example @@default this happens __default: denied

seems like @ is also replaced.

[marmarek]

Looks like you haven't updated dom0 packages.

[marmarek]

Looks like you haven't updated dom0 packages.

[Nexolight]

Indeed that was the case. After updating it works and the other vms have the problem. After updating them it should be fine. thanks :)

[Nexolight]

Indeed that was the case. After updating it works and the other vms have the problem. After updating them it should be fine. thanks :)