/qubes-issues

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

GUID: display message to the user if one of the VERIFY macro fails #530

Closed
marmarek opened this Issue Mar 8, 2015 · 19 comments

Comments

Assignees

@marmarek marmarek

Labels
Projects
None yet
Milestone
  Release 1
1 participant
@marmarek
@marmarek
Member

marmarek commented Mar 8, 2015

Reported by joanna on 16 Apr 2012 15:28 UTC
... rather than silently exit()ing the guid.

Include as much info about the situation that casued this (window name, which VERIFY macro failed, what where the actual values), as possible.

Migrated-From: https://wiki.qubes-os.org/ticket/530
@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 8, 2015

Member

Modified by marmarek on 17 Apr 2012 10:17 UTC
Member

marmarek commented Mar 8, 2015

Modified by marmarek on 17 Apr 2012 10:17 UTC

@marmarek marmarek added this to the Release 1 milestone Mar 8, 2015

@marmarek marmarek added bug C: gui-virtualization P: major labels Mar 8, 2015

@marmarek marmarek self-assigned this Mar 8, 2015

@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 8, 2015

Member

Comment by marmarek on 17 Apr 2012 10:25 UTC
The only sensible information available for VERIFY is VM name, especially not every message is about specific window (eg clipboard copy). Anyway trusting any value (eg window XID, to get window name from Xorg) in message detected as malicious isn't good idea.
Of course failed condition will be included in message.
Member

marmarek commented Mar 8, 2015

Comment by marmarek on 17 Apr 2012 10:25 UTC
The only sensible information available for VERIFY is VM name, especially not every message is about specific window (eg clipboard copy). Anyway trusting any value (eg window XID, to get window name from Xorg) in message detected as malicious isn't good idea.
Of course failed condition will be included in message.
@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 8, 2015

Member

Comment by marmarek on 18 Apr 2012 15:25 UTC
http://git.qubes-os.org/?p=marmarek/gui.git;a=commit;h=3350efa82c5f4a423596d95f4f80237f7c73ee52
Member

marmarek commented Mar 8, 2015

Comment by marmarek on 18 Apr 2012 15:25 UTC
http://git.qubes-os.org/?p=marmarek/gui.git;a=commit;h=3350efa82c5f4a423596d95f4f80237f7c73ee52

@marmarek marmarek closed this Mar 8, 2015

@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 8, 2015

Member

Comment by joanna on 25 Apr 2012 23:35 UTC
This doesn't work!

handle_configure_from_vm, local 0x2e00010 remote 0x18000ec, 421/3851, was 421/900, ovr=1, xy 1179/-3637, was 0/0
sh: -c: line 0: syntax error near unexpected token `('
sh: -c: line 0: `kdialog --yesnocancel 'VMapp "rflab" has sent invalid message, it shouldn't normally happend. Condition: (int) untrusted_conf.y >= -g->root_height && (int) untrusted_conf.y <= 2 * g->root_height. Do you want to terminate this VM immediately? "No" will terminate only GUI daemon, cancel will just ignore this message''
release_all_mapped_mfns running
Member

marmarek commented Mar 8, 2015

Comment by joanna on 25 Apr 2012 23:35 UTC
This doesn't work!

handle_configure_from_vm, local 0x2e00010 remote 0x18000ec, 421/3851, was 421/900, ovr=1, xy 1179/-3637, was 0/0
sh: -c: line 0: syntax error near unexpected token `('
sh: -c: line 0: `kdialog --yesnocancel 'VMapp "rflab" has sent invalid message, it shouldn't normally happend. Condition: (int) untrusted_conf.y >= -g->root_height && (int) untrusted_conf.y <= 2 * g->root_height. Do you want to terminate this VM immediately? "No" will terminate only GUI daemon, cancel will just ignore this message''
release_all_mapped_mfns running

@marmarek marmarek reopened this Mar 8, 2015

@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 8, 2015

Member

Modified by marmarek on 26 Apr 2012 12:03 UTC
Member

marmarek commented Mar 8, 2015

Modified by marmarek on 26 Apr 2012 12:03 UTC
@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 8, 2015

Member

Comment by joanna on 26 Apr 2012 12:55 UTC
Now (2.0.4) I can see the dialog window, but... it's essentially useless, as I cannot cancel it, because immediately after I click Cancel, a new window appears asking about the same...

Besides, the message in the dialogue box should be:

The domain $(vmname) attempted to perform an invalid or suspicious GUI request. This might be a sign that the domain has been compromised and is attempting to compromise the GUI daemon (Dom0 domain). In rare cases, however, it might be possible that a legitimate application trigger such condition (check the guid logs for more information).

Click "Terminate" to terminate this domain immediately, or "Ignore" to ignore this condition check and allow the GUI request to proceed, or "Ignore All" to ignore all further checks for this condition.

Buttons:

  1. Terminate (default)
  2. Ignore
  3. Ignore All
Member

marmarek commented Mar 8, 2015

Comment by joanna on 26 Apr 2012 12:55 UTC
Now (2.0.4) I can see the dialog window, but... it's essentially useless, as I cannot cancel it, because immediately after I click Cancel, a new window appears asking about the same...

Besides, the message in the dialogue box should be:

The domain $(vmname) attempted to perform an invalid or suspicious GUI request. This might be a sign that the domain has been compromised and is attempting to compromise the GUI daemon (Dom0 domain). In rare cases, however, it might be possible that a legitimate application trigger such condition (check the guid logs for more information).

Click "Terminate" to terminate this domain immediately, or "Ignore" to ignore this condition check and allow the GUI request to proceed, or "Ignore All" to ignore all further checks for this condition.

Buttons:

  1. Terminate (default)
  2. Ignore
  3. Ignore All
@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 8, 2015

Member

Comment by marmarek on 26 Apr 2012 19:13 UTC
"Ignore All" isn't trivial to implement. Should I do it at price of some complexity in security sensitive code?

PS Cancel action already fixed, but not pushed yet.
Member

marmarek commented Mar 8, 2015

Comment by marmarek on 26 Apr 2012 19:13 UTC
"Ignore All" isn't trivial to implement. Should I do it at price of some complexity in security sensitive code?

PS Cancel action already fixed, but not pushed yet.
@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 8, 2015

Member

Comment by joanna on 26 Apr 2012 20:52 UTC
Ok, let's skip the Ignore All button for now. Let's see how this will work out after we remove this one "stupid" check...
Member

marmarek commented Mar 8, 2015

Comment by joanna on 26 Apr 2012 20:52 UTC
Ok, let's skip the Ignore All button for now. Let's see how this will work out after we remove this one "stupid" check...
@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 8, 2015

Member

Comment by marmarek on 28 Apr 2012 01:24 UTC
http://git.qubes-os.org/?p=marmarek/gui.git;a=commit;h=d815d24c4f5301244f0a629816b418350d5cedbe
Member

marmarek commented Mar 8, 2015

Comment by marmarek on 28 Apr 2012 01:24 UTC
http://git.qubes-os.org/?p=marmarek/gui.git;a=commit;h=d815d24c4f5301244f0a629816b418350d5cedbe

@marmarek marmarek closed this Mar 8, 2015

@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 8, 2015

Member

Comment by joanna on 8 May 2012 14:45 UTC
Hehe, still doesn't work:

Verify failed: (int) untrusted_shmcmd->width < 4096 && (int) untrusted_shmcmd->height < 3072
kdialog: Unknown option '-label'.
kdialog: Use --help to get a list of available command line options.
Problems executing kdialog ?
Member

marmarek commented Mar 8, 2015

Comment by joanna on 8 May 2012 14:45 UTC
Hehe, still doesn't work:

Verify failed: (int) untrusted_shmcmd->width < 4096 && (int) untrusted_shmcmd->height < 3072
kdialog: Unknown option '-label'.
kdialog: Use --help to get a list of available command line options.
Problems executing kdialog ?

@marmarek marmarek reopened this Mar 8, 2015

@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 8, 2015

Member

Comment by marmarek on 8 May 2012 14:54 UTC
Ah, we have to old version of kdialog in dom0, which doesn't support button label changing (in opposite to version provided by FC14, which supports it).
So we have two generic options (marked default choice): Yes/No or Continue/Cancel.
Which option use?
Member

marmarek commented Mar 8, 2015

Comment by marmarek on 8 May 2012 14:54 UTC
Ah, we have to old version of kdialog in dom0, which doesn't support button label changing (in opposite to version provided by FC14, which supports it).
So we have two generic options (marked default choice): Yes/No or Continue/Cancel.
Which option use?
@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 8, 2015

Member

Comment by joanna on 8 May 2012 15:08 UTC
I think Continue/Cancel is more descriptive, than Yes/No (of course, nobody will read the text in dialog, right? ;)
Member

marmarek commented Mar 8, 2015

Comment by joanna on 8 May 2012 15:08 UTC
I think Continue/Cancel is more descriptive, than Yes/No (of course, nobody will read the text in dialog, right? ;)
@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 8, 2015

Member

Comment by marmarek on 8 May 2012 15:15 UTC
It has continue as default option... of course it will be the user fault if it choose "continue" for really malicious operation.
Member

marmarek commented Mar 8, 2015

Comment by marmarek on 8 May 2012 15:15 UTC
It has continue as default option... of course it will be the user fault if it choose "continue" for really malicious operation.
@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 8, 2015

Member

Comment by joanna on 8 May 2012 15:17 UTC
:/ Can we set "Cancel" as default?
Member

marmarek commented Mar 8, 2015

Comment by joanna on 8 May 2012 15:17 UTC
:/ Can we set "Cancel" as default?
@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 8, 2015

Member

Comment by marmarek on 8 May 2012 15:27 UTC
Not in this version of kdialog...

BTW I've just found that kdialog supports "do not ask again" feature, which can be easily used here (instead of "Ignore All" button). Check:

kdialog --dontagain qubes-guid-vmname:verify-condition --warningyesno "text"

If user checks "do not again option", future kdialog calls (with the same ID passed to --dontagain option) silently respond with saved choice.
Member

marmarek commented Mar 8, 2015

Comment by marmarek on 8 May 2012 15:27 UTC
Not in this version of kdialog...

BTW I've just found that kdialog supports "do not ask again" feature, which can be easily used here (instead of "Ignore All" button). Check:

kdialog --dontagain qubes-guid-vmname:verify-condition --warningyesno "text"

If user checks "do not again option", future kdialog calls (with the same ID passed to --dontagain option) silently respond with saved choice.
@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 8, 2015

Member

Comment by marmarek on 11 May 2012 09:36 UTC
So maybe we should use Yes/No version (which has "No" as default) with question like "Do you allow this VM to continue running?" or sth like this?
Member

marmarek commented Mar 8, 2015

Comment by marmarek on 11 May 2012 09:36 UTC
So maybe we should use Yes/No version (which has "No" as default) with question like "Do you allow this VM to continue running?" or sth like this?
@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 8, 2015

Member

Comment by joanna on 11 May 2012 10:50 UTC
Aha, co "NO", can be set as a default, but "Cancel" not? Well, ok then.
Member

marmarek commented Mar 8, 2015

Comment by joanna on 11 May 2012 10:50 UTC
Aha, co "NO", can be set as a default, but "Cancel" not? Well, ok then.
@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 8, 2015

Member

Comment by marmarek on 11 May 2012 10:54 UTC
There are hardcoded defaults for each dialog type (at lest in this version of kdialog)...
Member

marmarek commented Mar 8, 2015

Comment by marmarek on 11 May 2012 10:54 UTC
There are hardcoded defaults for each dialog type (at lest in this version of kdialog)...
@marmarek

@marmarek marmarek closed this Mar 8, 2015

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment