Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

global config: policy rules for U2F incorrectly assume wildcard argument #8525

Closed
marmarek opened this issue Sep 18, 2023 · 15 comments · Fixed by QubesOS/qubes-desktop-linux-manager#173
Closed

global config: policy rules for U2F incorrectly assume wildcard argument #8525

marmarek opened this issue Sep 18, 2023 · 15 comments · Fixed by QubesOS/qubes-desktop-linux-manager#173
Assignees
@marmarta
Labels
affects-4.2 This issue affects Qubes OS 4.2. C: CTAP/U2F proxy Client to Authenticator Protocol (CTAP) / Universal 2nd Factor (U2F) proxy C: manager/widget diagnosed Technical diagnosis has been performed (see issue comments). P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. pr submitted A pull request has been submitted for this issue. r4.2-host-stable r4.2-vm-bookworm-stable r4.2-vm-bullseye-stable r4.2-vm-centos-stream8-stable r4.2-vm-fc37-stable r4.2-vm-fc38-stable r4.2-vm-fc39-stable T: bug Type: bug report. A problem or defect resulting in unintended behavior in something that exists.
Milestone
Release 4.2

Comments

@marmarek
Copy link
Member

How to file a helpful issue

Qubes OS release

R4.2

Brief summary

A policy rule with explicit argument is parsed by settings as with wildcard argument and lands in section "Allow some qubes to access ALL keys stored on your U2F device".

Steps to reproduce

1.Add rule like u2f.Authenticate +8972493827349823 some-vm sys-usb allow to /etc/qubes/policy.d/50-config-u2f.policy
2. Open Global Config
3. Go to USB devices tab

Expected behavior

Either rule listed as unknown, or properly displayed as permission for a specific key (no section for that right now).

Actual behavior

Qube is listed as having access to all the keys.
@marmarek marmarek added T: bug Type: bug report. A problem or defect resulting in unintended behavior in something that exists. C: manager/widget P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. affects-4.2 This issue affects Qubes OS 4.2. labels Sep 18, 2023
@andrewdavidwong andrewdavidwong added the needs diagnosis Requires technical diagnosis from developer. Replace with "diagnosed" or remove if otherwise closed. label Sep 18, 2023
@marmarek marmarek mentioned this issue Sep 18, 2023
Merged
@andrewdavidwong andrewdavidwong added the C: CTAP/U2F proxy Client to Authenticator Protocol (CTAP) / Universal 2nd Factor (U2F) proxy label Sep 19, 2023
@marmarta
Copy link
Member

marmarta commented Sep 19, 2023
edited

Is there anywhere a complete specification (as in, not "read the code and deduce what happens") of the qubes-u2f policy and how it works?

@DemiMarie
Copy link

@marmarta nope, sorry! There probably should be, though. @piotrbartman?

@marmarek
Copy link
Member Author

See https://github.com/QubesOS/qubes-app-u2f/blob/main/Documentation/qrexec-transport.rst and the main README in the repo

@marmarta marmarta mentioned this issue Sep 26, 2023
Merged
Closed
@qubesos-bot
Copy link

Automated announcement from builder-github

The package desktop-linux-manager has been pushed to the r4.2 testing repository for the Debian template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing bullseye-testing (or appropriate equivalent for your template version), then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

@qubesos-bot
Copy link

Automated announcement from builder-github

The package desktop-linux-manager has been pushed to the r4.2 testing repository for the Debian template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing bookworm-testing (or appropriate equivalent for your template version), then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

@qubesos-bot
Copy link

Automated announcement from builder-github

The component desktop-linux-manager (including package desktop-linux-manager) has been pushed to the r4.2 testing repository for the Fedora template.
To test this update, please install it with the following command:

sudo dnf update --enablerepo=qubes-vm-r4.2-current-testing

Changes included in this update

@qubesos-bot
Copy link

Automated announcement from builder-github

The package desktop-linux-manager has been pushed to the r4.2 testing repository for the CentOS centos-stream8 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r4.2-current-testing

Changes included in this update

@qubesos-bot
Copy link

Automated announcement from builder-github

The component desktop-linux-manager (including package desktop-linux-manager) has been pushed to the r4.2 testing repository for the Fedora template.
To test this update, please install it with the following command:

sudo dnf update --enablerepo=qubes-vm-r4.2-current-testing

Changes included in this update

@qubesos-bot
Copy link

Automated announcement from builder-github

The component desktop-linux-manager (including package desktop-linux-manager) has been pushed to the r4.2 testing repository for the Fedora template.
To test this update, please install it with the following command:

sudo dnf update --enablerepo=qubes-vm-r4.2-current-testing

Changes included in this update

@andrewdavidwong andrewdavidwong added diagnosed Technical diagnosis has been performed (see issue comments). and removed needs diagnosis Requires technical diagnosis from developer. Replace with "diagnosed" or remove if otherwise closed. labels Oct 10, 2023
@andrewdavidwong andrewdavidwong added the pr submitted A pull request has been submitted for this issue. label Oct 10, 2023
@andrewdavidwong andrewdavidwong added this to the Release 4.2 milestone Oct 10, 2023
@qubesos-bot
Copy link

Automated announcement from builder-github

The package desktop-linux-manager has been pushed to the r4.2 stable repository for the CentOS centos-stream8 template.
To install this update, please use the standard update command:

sudo yum update

Changes included in this update

@qubesos-bot
Copy link

Automated announcement from builder-github

The package desktop-linux-manager has been pushed to the r4.2 stable repository for the Debian template.
To install this update, please use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

@qubesos-bot
Copy link

Automated announcement from builder-github

The package desktop-linux-manager has been pushed to the r4.2 stable repository for the Debian template.
To install this update, please use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

@qubesos-bot
Copy link

Automated announcement from builder-github

The component desktop-linux-manager (including package desktop-linux-manager) has been pushed to the r4.2 stable repository for the Fedora template.
To install this update, please use the standard update command:

sudo dnf update

Changes included in this update

@qubesos-bot
Copy link

Automated announcement from builder-github

The component desktop-linux-manager (including package desktop-linux-manager) has been pushed to the r4.2 stable repository for the Fedora template.
To install this update, please use the standard update command:

sudo dnf update

Changes included in this update

@qubesos-bot
Copy link

Automated announcement from builder-github

The component desktop-linux-manager (including package desktop-linux-manager) has been pushed to the r4.2 stable repository for the Fedora template.
To install this update, please use the standard update command:

sudo dnf update

Changes included in this update

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@marmarta marmarta

Labels
affects-4.2 This issue affects Qubes OS 4.2. C: CTAP/U2F proxy Client to Authenticator Protocol (CTAP) / Universal 2nd Factor (U2F) proxy C: manager/widget diagnosed Technical diagnosis has been performed (see issue comments). P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. pr submitted A pull request has been submitted for this issue. r4.2-host-stable r4.2-vm-bookworm-stable r4.2-vm-bullseye-stable r4.2-vm-centos-stream8-stable r4.2-vm-fc37-stable r4.2-vm-fc38-stable r4.2-vm-fc39-stable T: bug Type: bug report. A problem or defect resulting in unintended behavior in something that exists.
Projects
None yet
Milestone
Release 4.2
Development

Successfully merging a pull request may close this issue.

More strictly check against unexpected arguments in policy marmarta/qubes-desktop-linux-manager
5 participants
@marmarek @DemiMarie @marmarta @andrewdavidwong @qubesos-bot