global config: policy rules for U2F incorrectly assume wildcard argument #8525
Comments
Is there anywhere a complete specification (as in, not "read the code and deduce what happens") of the qubes-u2f policy and how it works?
@marmarta nope, sorry! There probably should be, though. @piotrbartman?
See https://github.com/QubesOS/qubes-app-u2f/blob/main/Documentation/qrexec-transport.rst and the main README in the repo
Automated announcement from builder-github The package
Automated announcement from builder-github The component
Qubes OS release
R4.2
Brief summary
A policy rule with an explicit argument is parsed by settings as if it had a wildcard argument and lands in the section "Allow some qubes to access ALL keys stored on your U2F device".
Steps to reproduce
1. Add rule like
   u2f.Authenticate +8972493827349823 some-vm sys-usb allow
   to /etc/qubes/policy.d/50-config-u2f.policy
2. Open Global Config
3. Go to USB devices tab
Expected behavior
Either rule listed as unknown, or properly displayed as permission for a specific key (no section for that right now).
Actual behavior
Qube is listed as having access to all the keys.
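The distinction the report asks for, as an added Python example (not code from Global Config or qubes-app-u2f): it sorts `u2f.Authenticate` rules into all-keys, specific-key and unknown. It assumes the five-field layout of the rule quoted above and `*` as the wildcard argument; the function names and the sample policy are constructed for illustration.

```python
# Added illustration; not the project's parser.
# Assumed line layout (as in the rule quoted in the issue):
#   service argument source target action [params...]
# Assumption: "*" is the wildcard argument, "+<value>" an explicit one.

SAMPLE_POLICY = """\
# constructed sample in the style of 50-config-u2f.policy
u2f.Authenticate +8972493827349823 some-vm sys-usb allow
u2f.Authenticate * work sys-usb allow
u2f.Authenticate + odd-vm sys-usb allow
u2f.Authenticate * @anyvm @anyvm deny
"""


def classify_rule(line):
    """Return (category, source, key) for one line, or None for blank/comment."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 5 or fields[0] != "u2f.Authenticate":
        return ("unknown", None, None)
    argument, source, action = fields[1], fields[2], fields[4]
    if action != "allow":
        return ("not-allow", source, None)
    if argument == "*":
        # Only a literal wildcard grants access to every key.
        return ("all-keys", source, None)
    if argument.startswith("+") and len(argument) > 1:
        # Explicit argument: permission for one specific key.
        return ("specific-key", source, argument[1:])
    # Empty "+" or anything else: show as unknown instead of guessing.
    return ("unknown", source, None)


def classify_policy(text):
    """Classify every rule line in a policy file's text."""
    rules = (classify_rule(line) for line in text.splitlines())
    return [rule for rule in rules if rule is not None]


def qubes_with_all_keys(text):
    """Sources that really hold a wildcard allow rule."""
    return [src for cat, src, _ in classify_policy(text) if cat == "all-keys"]


if __name__ == "__main__":
    for rule in classify_policy(SAMPLE_POLICY):
        print(rule)
```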