Need a (safe) way to update installed qrexec policy when the defaults change #3941

Open
jpouellet opened this Issue May 30, 2018 · 1 comment


jpouellet commented May 30, 2018

When we update the desired defaults for qrexec policies, package updates do not override the installed configuration. Obviously this is an easy solution to avoid accidentally overwriting user-specified behavior (good, and very important), but it also means users can get out-of-sync policy, causing subtle bugs (bad) or in the worst case resulting in a potentially vulnerable configuration if a bug in policy is fixed (very bad).

One example of where this showed up is with the switch of target from sys-net to dom0 for qubes.GetClock. See this commit and issues #3588 & #3940. There are likely other bugs ultimately caused by this too which I have not identified.

Careful thought is required to avoid re-allowing behavior which was explicitly forbidden by the user (e.g. clipboard or file copy or such) as well as denying previously allowed actions (e.g. split-gpg, etc.), as both are undesirable failure modes.

Something involving comparing to previous defaults and involving manual user inspection of the result if it had been modified from defaults comes to mind, but I have not taken the time to fully think through all the implications.


marmarek Jun 6, 2018

Member

This is a widespread issue for which I haven't seen a fully satisfying solution yet. Most package managers leave config updates to the user - rpm creates .rpmnew files, dpkg - .dpkg-new, etc. If the file was unchanged, it is replaced directly, but otherwise, the user needs to merge the changes manually, which is far from optimal.

We have a developing idea of implementing a .d approach for qrexec policy, but it isn't fully formed yet. Expect a related qubes-devel thread in the coming weeks.
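
The comparison discussed in this thread (check the installed file against the previous default, overwrite only untouched files, and hand modified ones to the user for review as rpm does with .rpmnew), as an added example that is not part of the issue or of any Qubes code. It assumes a policy file is a list of whitespace-separated rule lines with `#` comment lines; `rules`, `plan_update` and the sample rules are hypothetical and constructed for illustration.

```python
# Added example: three-way check of one qrexec policy file on package update.
# Assumption: rules are whitespace-separated lines, '#' lines are comments.
# The sample rules are constructed; they are not the shipped Qubes defaults.

def rules(text):
    """Return the ordered rule list, ignoring comments, blanks and spacing.

    Cosmetic edits then do not count as user changes. Order is preserved
    because rule order affects which rule matches.
    """
    out = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            out.append(" ".join(line.split()))
    return out


def plan_update(old_default, installed, new_default):
    """Decide what a package update may do with one installed policy file."""
    old, cur, new = rules(old_default), rules(installed), rules(new_default)
    if cur == new:
        return "up-to-date", {}
    if old == new:
        return "keep", {}      # defaults unchanged: the user's file stays
    if cur == old:
        return "replace", {}   # never modified: safe to install new default
    # Modified by the user AND defaults changed: never overwrite silently.
    # Keep the installed file, ship the new default beside it, and report
    # exactly what differs so the user can merge by hand.
    return "review", {
        "dropped_by_default": [r for r in old if r not in new],
        "added_by_default": [r for r in new if r not in old],
        "stale_in_installed": [r for r in cur if r in old and r not in new],
        "user_only": [r for r in cur if r not in old and r not in new],
    }


# Constructed sample for a service whose default target moved to dom0.
OLD_DEFAULT = "$anyvm $anyvm allow,target=sys-net\n"
NEW_DEFAULT = "$anyvm $anyvm allow,target=dom0\n"
USER_EDITED = "# local rule\nwork $anyvm deny\n$anyvm   $anyvm allow,target=sys-net\n"

if __name__ == "__main__":
    for name, installed in [("untouched", OLD_DEFAULT), ("edited", USER_EDITED)]:
        print(name, plan_update(OLD_DEFAULT, installed, NEW_DEFAULT))
```

The `stale_in_installed` list is the part that surfaces a fixed default the user is still running, while `user_only` lists the explicit allow/deny decisions that an update must not undo.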
