/qubes-issues

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Qubes firewall - allowing temporary access causes python error #3661

Closed
mirrorway opened this Issue Mar 5, 2018 · 8 comments

Comments

Assignees
No one assigned
Labels
Projects
None yet
Milestone
  Release 4.0
8 participants
@mirrorway @donob4n @pgporada @unman @qubesos-bot @tlaurion @marmarek @andrewdavidwong
@mirrorway

mirrorway commented Mar 5, 2018
edited
Edited 3 times
  • @mirrorway mirrorway edited Mar 15, 2018 (most recent)
  • @mirrorway mirrorway edited Mar 5, 2018
  • @mirrorway mirrorway edited Mar 5, 2018

Qubes OS version:

R4.0 rc4, current-testing

Affected component(s):

GUI firewall

Steps to reproduce the behavior:

  1. Create a VM with netvm := sys-firewall
  2. Limit outgoing connections, click okay.
  3. Allow full access for 5 mins

This affects existing VMs too.

Expected behavior:

Allows temporary net access.

Actual behavior:

ERROR: Firewall tab: Got empty response from qubesd. See journalctl in dom0 for details.

journalctl:

Mar 05 14:53:39 dom0 qubesd[15392]: unhandled exception while calling src=b'dom0' meth=b'admin.vm.firewall.Set' dest=b'test2' arg=b'' len(untrusted_payload)=101
Mar 05 14:53:39 dom0 qubesd[15392]: Traceback (most recent call last):
Mar 05 14:53:39 dom0 qubesd[15392]:   File "/usr/lib/python3.5/site-packages/qubes/api/__init__.py", line 262, in respond
Mar 05 14:53:39 dom0 qubesd[15392]:     untrusted_payload=untrusted_payload)
Mar 05 14:53:39 dom0 qubesd[15392]:   File "/usr/lib64/python3.5/asyncio/futures.py", line 381, in __iter__
Mar 05 14:53:39 dom0 qubesd[15392]:     yield self  # This tells Task to wait for completion.
Mar 05 14:53:39 dom0 qubesd[15392]:   File "/usr/lib64/python3.5/asyncio/tasks.py", line 310, in _wakeup
Mar 05 14:53:39 dom0 qubesd[15392]:     future.result()
Mar 05 14:53:39 dom0 qubesd[15392]:   File "/usr/lib64/python3.5/asyncio/futures.py", line 294, in result
Mar 05 14:53:39 dom0 qubesd[15392]:     raise self._exception
Mar 05 14:53:39 dom0 qubesd[15392]:   File "/usr/lib64/python3.5/asyncio/tasks.py", line 240, in _step
Mar 05 14:53:39 dom0 qubesd[15392]:     result = coro.send(None)
Mar 05 14:53:39 dom0 qubesd[15392]:   File "/usr/lib64/python3.5/asyncio/coroutines.py", line 210, in coro
Mar 05 14:53:39 dom0 qubesd[15392]:     res = func(*args, **kw)
Mar 05 14:53:39 dom0 qubesd[15392]:   File "/usr/lib/python3.5/site-packages/qubes/api/admin.py", line 1265, in vm_firewall_set
Mar 05 14:53:39 dom0 qubesd[15392]:     self.dest.firewall.save()
Mar 05 14:53:39 dom0 qubesd[15392]:   File "/usr/lib/python3.5/site-packages/qubes/firewall.py", line 570, in save
Mar 05 14:53:39 dom0 qubesd[15392]:     nearest_expire:
Mar 05 14:53:39 dom0 qubesd[15392]: TypeError: unorderable types: datetime.datetime() < bool()

@andrewdavidwong andrewdavidwong added bug C: core labels Mar 6, 2018

@andrewdavidwong andrewdavidwong added this to the Release 4.0 milestone Mar 6, 2018

@donob4n

This comment has been minimized.

Show comment
Hide comment
@donob4n

donob4n Mar 7, 2018

I think I have this fixed but doing it I discovered a problem with https://github.com/QubesOS/qubes-core-admin/blob/a8784df349910c2f3acf503207084a663c30e400/qubes/firewall.py#L204-L207
and https://github.com/QubesOS/qubes-manager/blob/819f2f45d47899f1f89cbef63f3c5dc42a1ff9bc/qubesmanager/firewall.py#L338

The datetime is not properly restored and I personally have a 5h diff. I tried even calling utcfromtimestamp() in qubes-manager itself and the time was wrong.

Without using UTC it works fine.

donob4n commented Mar 7, 2018
edited
Edited 1 time
  • @donob4n donob4n edited Mar 7, 2018 (most recent)

I think I have this fixed but doing it I discovered a problem with https://github.com/QubesOS/qubes-core-admin/blob/a8784df349910c2f3acf503207084a663c30e400/qubes/firewall.py#L204-L207
and https://github.com/QubesOS/qubes-manager/blob/819f2f45d47899f1f89cbef63f3c5dc42a1ff9bc/qubesmanager/firewall.py#L338

The datetime is not properly restored and I personally have a 5h diff. I tried even calling utcfromtimestamp() in qubes-manager itself and the time was wrong.

Without using UTC it works fine.
@donob4n

This comment has been minimized.

Show comment
Hide comment
@donob4n

donob4n Mar 7, 2018

Now call_later() works fine but this comparison fails https://github.com/QubesOS/qubes-core-admin/blob/a8784df349910c2f3acf503207084a663c30e400/qubes/firewall.py#L551

Could you check @marmarek ?

donob4n commented Mar 7, 2018
edited
Edited 1 time
  • @donob4n donob4n edited Mar 7, 2018 (most recent)

Now call_later() works fine but this comparison fails https://github.com/QubesOS/qubes-core-admin/blob/a8784df349910c2f3acf503207084a663c30e400/qubes/firewall.py#L551

Could you check @marmarek ?

@donob4n donob4n referenced this issue in QubesOS/qubes-core-admin Mar 8, 2018

Merged

Fixes in firewall temporary access #200

@pgporada

This comment has been minimized.

Show comment
Hide comment
@pgporada

pgporada Mar 14, 2018

This just happened to me after the latest round of Qube updates. I'm running the latest Qubes 4.0 RC.

pgporada commented Mar 14, 2018
edited
Edited 1 time
  • @pgporada pgporada edited Mar 14, 2018 (most recent)

This just happened to me after the latest round of Qube updates. I'm running the latest Qubes 4.0 RC.
@unman

This comment has been minimized.

Show comment
Hide comment
@unman

unman Mar 14, 2018

Member

Confirmed in rc5
Member

unman commented Mar 14, 2018

Confirmed in rc5

@andrewdavidwong andrewdavidwong added the P: major label Mar 15, 2018

marmarek added a commit to marmarek/qubes-core-admin that referenced this issue Mar 20, 2018

@marmarek
Merge remote-tracking branch 'qubesos/pr/200' 
* qubesos/pr/200:
  Removed self.rules != old_rules
  Avoid UTC datetime
  Wrong init var to bool and missing call to total_seconds()

Fixes QubesOS/qubes-issues#3661
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
Loading status checks…
93bccf5

@marmarek marmarek closed this in marmarek/qubes-core-admin@b3b18f9 Mar 20, 2018

@qubesos-bot

This comment has been minimized.

Show comment
Hide comment
@qubesos-bot

qubesos-bot Mar 29, 2018

Automated announcement from builder-github

The package qubes-core-dom0-4.0.25-1.fc25 has been pushed to the r4.0 testing repository for dom0.
To test this update, please install it with the following command:

sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing

Changes included in this update

qubesos-bot commented Mar 29, 2018

Automated announcement from builder-github

The package qubes-core-dom0-4.0.25-1.fc25 has been pushed to the r4.0 testing repository for dom0.
To test this update, please install it with the following command:

sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing

Changes included in this update

@qubesos-bot qubesos-bot added the r4.0-dom0-cur-test label Mar 29, 2018

@qubesos-bot qubesos-bot referenced this issue in QubesOS/updates-status Mar 29, 2018

Closed

core-admin v4.0.25 (r4.0) #469

@tlaurion

This comment has been minimized.

Show comment
Hide comment
@tlaurion

tlaurion Apr 9, 2018

Contributor

I confirm this bug is still present in Qubes 4 release, fully updated to current, and fixed by upgrading to qubes-dom0-current-testing.

This greatly impact installation of other package repos, importing their keys and general user experience.

@marmarek : That fix should be pushed into current repo!
Contributor

tlaurion commented Apr 9, 2018
edited
Edited 2 times
  • @tlaurion tlaurion edited Apr 9, 2018 (most recent)
  • @tlaurion tlaurion edited Apr 9, 2018

I confirm this bug is still present in Qubes 4 release, fully updated to current, and fixed by upgrading to qubes-dom0-current-testing.

This greatly impact installation of other package repos, importing their keys and general user experience.

@marmarek : That fix should be pushed into current repo!
@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Apr 11, 2018

Member

@marmarek : That fix should be pushed into current repo!

Yes, it will be, after making sure it really didn't introduce any regression in any supported configuration.
Member

marmarek commented Apr 11, 2018

@marmarek : That fix should be pushed into current repo!

Yes, it will be, after making sure it really didn't introduce any regression in any supported configuration.
@qubesos-bot

This comment has been minimized.

Show comment
Hide comment
@qubesos-bot

qubesos-bot May 14, 2018

Automated announcement from builder-github

The package qubes-core-dom0-4.0.27-1.fc25 has been pushed to the r4.0 stable repository for dom0.
To install this update, please use the standard update command:

sudo qubes-dom0-update

Or update dom0 via Qubes Manager.

Changes included in this update

qubesos-bot commented May 14, 2018

Automated announcement from builder-github

The package qubes-core-dom0-4.0.27-1.fc25 has been pushed to the r4.0 stable repository for dom0.
To install this update, please use the standard update command:

sudo qubes-dom0-update

Or update dom0 via Qubes Manager.

Changes included in this update

@qubesos-bot qubesos-bot added r4.0-dom0-stable and removed r4.0-dom0-cur-test labels May 14, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment