How to make dom0 qrexec call resolve @default token

Ben Grande

23 Oct 2023, 17:25:19
to qubes-devel

Hello.

Dom0 is not normally a client for extraneous qrexec calls, but in this
case, I need dom0 to resolve the domain name from the token @default via
policy.

Policy:

service * dom0 @default allow target=mydomain

Call:

qrexec-client -d @default -- 'DEFAULT:QUBESRPC service dom0'

Dom0 does not require the policy for the call to be allowed, as it is always
allowed. Watching the qrexec policy logs, the call from Dom0 is not
logged.

If I run from dom0:

qrexec-policy 0 dom0 @default service 1

It resolves the domain but fails to run the command:

INFO:policy:qrexec: service: dom0 -> @default: allowed to sys-git
2023-10-23 21:19:28.154 qrexec-client[32893]: qrexec-client.c:184:connect_unix_socket: connect: No such file or directory
ERROR:policy:qrexec: service: dom0 -> @default: error while executing: qrexec-client failed: ['/usr/lib/qubes/qrexec-client', '-d', 'mydomain', '-c', '1,dom0,0', '-E', '--', 'DEFAULT:QUBESRPC service dom0']

If I run the command directly without the request id and the literal domain name, it works:

qrexec-client -d mydomain -- 'DEFAULT:QUBESRPC service dom0'

How can I force dom0 to use the '@default' token?
As 'qrexec-client' does not allow tokens in the domain name yet, would
this be interesting to have?

Documents read:
- https://www.qubes-os.org/doc/qrexec-internals/
- https://www.qubes-os.org/doc/qrexec-internals/

--
Benjamin Grande

Marek Marczykowski-Górecki

23 Oct 2023, 18:36:33
to qubes-devel

On Mon, Oct 23, 2023 at 09:24:13PM +0000, Ben Grande wrote:
> Hello.
>
> Dom0 is not normally a client for extraneous qrexec calls, but in this
> case, I need dom0 to resolve the domain name from the token @default via
> policy.
>
> Policy:
>
> service * dom0 @default allow target=mydomain
>
> Call:
>
> qrexec-client -d @default -- 'DEFAULT:QUBESRPC service dom0'
>
> Dom0 does not require the policy for the call to be allowed, as it is always
> allowed. Watching the qrexec policy logs, the call from Dom0 is not
> logged.
>
> If I run from dom0:
>
> qrexec-policy 0 dom0 @default service 1
>
> It resolves the domain but fails to run the command:
>
> INFO:policy:qrexec: service: dom0 -> @default: allowed to sys-git
> 2023-10-23 21:19:28.154 qrexec-client[32893]: qrexec-client.c:184:connect_unix_socket: connect: No such file or directory
> ERROR:policy:qrexec: service: dom0 -> @default: error while executing: qrexec-client failed: ['/usr/lib/qubes/qrexec-client', '-d', 'mydomain', '-c', '1,dom0,0', '-E', '--', 'DEFAULT:QUBESRPC service dom0']
>
> If I run the command directly without the request id and the literal domain name, it works:
>
> qrexec-client -d mydomain -- 'DEFAULT:QUBESRPC service dom0'
>
> How can I force dom0 to use the '@default' token?
> As 'qrexec-client' does not allow tokens in the domain name yet, would
> this be interesting to have?
>
> Documents read:
> - https://www.qubes-os.org/doc/qrexec-internals/
> - https://www.qubes-os.org/doc/qrexec-internals/


I don't think there is a one-step solution, but you can get policy
resolved by using `qrexec-policy` in the 3-arg form (skipping domain id
and process ident). Then, you'll get the result in key=value format,
including resolved target= that you can use in a qvm-run (or
qrexec-client) call. It even works with `ask` policy (you get the
prompt), which means we finally can implement qvm-copy (not just
qvm-copy-to-vm) in dom0 too :)

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

Ben Grande

24 Oct 2023, 05:55:32
to qubes...@googlegroups.com

> --
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab

I'm on R4.1. Up-to-date.

Can you please give an example of a working 3-arg form as it seems that
all positional arguments are required?

Policy:
```
## Do not modify this file, create a new policy with with a lower number in the
## file name instead. For example `30-user.policy`.
qusal.GitFetch * dom0 @default allow target=sys-git
qusal.GitPush * dom0 @default allow target=sys-git
qusal.GitInit * dom0 @default allow target=sys-git
qusal.GitFetch * @adminvm @default allow target=sys-git
qusal.GitPush * @adminvm @default allow target=sys-git
qusal.GitInit * @adminvm @default allow target=sys-git

qusal.GitFetch * @anyvm @default ask target=sys-git default_target=sys-git
qusal.GitPush * @anyvm @default ask target=sys-git default_target=sys-git
qusal.GitInit * @anyvm @default ask target=sys-git default_target=sys-git
qusal.GitFetch * @anyvm @anyvm deny
qusal.GitPush * @anyvm @anyvm deny
qusal.GitInit * @anyvm @anyvm deny
```
Yes, I know that currently dom0 is the only @adminvm.

Trials:
```sh
# 1
$ qrexec-policy --just-evaluate dom0 @default qusal.GitInit+qusal
usage: qrexec-policy [-h] [--assume-yes-for-ask] [--just-evaluate]
[--path PATH]
src-domain-id SOURCE TARGET SERVICE+ARGUMENT
process-ident
qrexec-policy: error: the following arguments are required: SERVICE+ARGUMENT, process-ident

# 2
$ qrexec-policy --just-evaluate 0 dom0 @default qusal.GitInit+qusal 1
WARNING:root:warning: !compat-4.0 directive in file /etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be deprecated
# exit code 0

# 3
$ qrexec-policy --assume-yes-for-ask 0 dom0 @default qusal.GitInit+qusal 1
WARNING:root:warning: !compat-4.0 directive in file /etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be deprecated
INFO:policy:qrexec: qusal.GitInit+qusal: dom0 -> @default: denied: target @default is not a valid choice

# 4
$ qrexec-policy 0 dom0 @default qusal.GitInit+qusal 1
WARNING:root:warning: !compat-4.0 directive in file /etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be deprecated
ERROR:policy:qusal.GitInit not allowed from dom0: the resolution was "ask", but source domain has no GuiVM
INFO:policy:qrexec: qusal.GitInit+qusal: dom0 -> @default: denied: denied by the user /etc/qubes/policy.d/80-sys-git.policy:12
```

On 1 there is no possibility to skip domain id and process ident because
they don't have nargs='?'.
On 3 we see that if we assume yes for ask, @default can't be used.
On 4 if we don't assume, it is actually failing on the following rule:
```
qusal.GitInit * @anyvm @default ask target=sys-git default_target=sys-git
```
because "source domain has no GuiVM", but Dom0 has a GUI.

But how to get the policy to "work" yesterday?

Add "dom0" tag to "dom0" qube:
```
qvm-tags dom0 add dom0
```

Add rule allow "@tag:dom0" to "@default":
```
qusal.GitInit * @tag:dom0 @default allow target=sys-git
```

Was the only call that was passed to qrexec-client and has the correct
target domain name but failed:
```
$ qrexec-policy 0 dom0 @default qusal.GitInit+qusal 1
WARNING:root:warning: !compat-4.0 directive in file /etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be deprecated
INFO:policy:qrexec: qusal.GitInit+qusal: dom0 -> @default: allowed to sys-git
2023-10-24 09:00:00.000 qrexec-client[42694]: qrexec-client.c:184:connect_unix_socket: connect: No such file or directory
ERROR:policy:qrexec: qusal.GitInit+qusal: dom0 -> @default: error while executing: qrexec-client failed: ['/usr/lib/qubes/qrexec-client', '-d', 'sys-git', '-c', '1,dom0,0', '-E', '--', 'DEFAULT:QUBESRPC qusal.GitInit+qusal dom0']
```

And if I ask to just evaluate, it doesn't print the rule:
```
$ qrexec-policy --just-evaluate 0 dom0 @default qusal.GitInit+qusal 1
WARNING:root:warning: !compat-4.0 directive in file /etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be deprecated
```
Exit code 0

--
Benjamin Grande

Marek Marczykowski-Górecki

24 Oct 2023, 06:32:58
to qubes...@googlegroups.com

Ah, right, 3-arg form is a R4.2 thing.
This:

```
[user@dom0 ~]$ qrexec-policy --help
usage: qrexec-policy-exec -h
usage: qrexec-policy-exec [--assume-yes-for-ask] [--just-evaluate] [--path PATH] SOURCE TARGET service+argument
usage: qrexec-policy-exec [--assume-yes-for-ask] [--just-evaluate] [--path PATH] domain-id SOURCE TARGET service+argument process-ident

To evaluate policy, pass 3 positional arguments:

- Source domain name
- Target domain name
- Service name and argument separated by "+"

To actually run a qrexec call, pass 5 positional arguments:

- Source domain ID (Xen or similar, not Qubes ID)
- Source domain name
- Target domain name
- Service name and argument separated by "+"
- Qrexec process identifier (for data channel connection)

Note that this usage is deprecated.

positional arguments:
  args

options:
  -h, --help            show this help message and exit
  --assume-yes-for-ask  Allow run of service without confirmation if policy say 'ask'
  --just-evaluate       Do not run the service, only evaluate policy; retcode=0 means 'allow'
  --path PATH           Use alternative policy path
```

Indeed this case needs fixing (class AdminVM doesn't have "guivm"
property), as dom0 wasn't a source of interactive prompt before (until
this very thread).

> But how to get the policy to "work" yesterday?
>
> Add "dom0" tag to "dom0" qube:
> ```
> qvm-tags dom0 add dom0
> ```
>
> Add rule allow "@tag:dom0" to "@default":
> ```
> qusal.GitInit * @tag:dom0 @default allow target=sys-git
> ```
>
> Was the only call that was passed to qrexec-client and has the correct
> target domain name but failed:
> ```
> $ qrexec-policy 0 dom0 @default qusal.GitInit+qusal 1
> WARNING:root:warning: !compat-4.0 directive in file /etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be deprecated
> INFO:policy:qrexec: qusal.GitInit+qusal: dom0 -> @default: allowed to sys-git
> 2023-10-24 09:00:00.000 qrexec-client[42694]: qrexec-client.c:184:connect_unix_socket: connect: No such file or directory
> ERROR:policy:qrexec: qusal.GitInit+qusal: dom0 -> @default: error while executing: qrexec-client failed: ['/usr/lib/qubes/qrexec-client', '-d', 'sys-git', '-c', '1,dom0,0', '-E', '--', 'DEFAULT:QUBESRPC qusal.GitInit+qusal dom0']
> ```
>
> And if I ask to just evaluate, it doesn't print the rule:
> ```
> $ qrexec-policy --just-evaluate 0 dom0 @default qusal.GitInit+qusal 1
> WARNING:root:warning: !compat-4.0 directive in file /etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be deprecated
> ```
> Exit code 0


Let's try:

```
[user@dom0 ~]$ qrexec-policy dom0 @default qubes.ClipboardPaste
WARNING:root:warning: !compat-4.0 directive in file /etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be deprecated
ERROR:policy:qubes.ClipboardPaste not allowed from dom0: the resolution was "ask", but source domain has no GuiVM
INFO:policy:qrexec: qubes.ClipboardPaste: dom0 -> @default: denied: denied by the user /etc/qubes/policy.d/90-default-gui-daemon.policy:10
result=deny
```

The missing "guivm" property case. Maybe with explicit target?

```
[user@dom0 ~]$ qrexec-policy dom0 personal qubes.ClipboardPaste
WARNING:root:warning: !compat-4.0 directive in file /etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be deprecated
ERROR:policy:qubes.ClipboardPaste not allowed from dom0: the resolution was "ask", but source domain has no GuiVM
INFO:policy:qrexec: qubes.ClipboardPaste: dom0 -> personal: denied: denied by the user /etc/qubes/policy.d/90-default-gui-daemon.policy:10
result=deny
```

Still doesn't work, because "@anyvm" target has ask action. So, let's
skip the prompt for now:

```
[user@dom0 ~]$ qrexec-policy --assume-yes-for-ask dom0 personal qubes.ClipboardPaste
WARNING:root:warning: !compat-4.0 directive in file /etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be deprecated
INFO:policy:qrexec: qubes.ClipboardPaste+: dom0 -> personal: allowed to personal
user=DEFAULT
result=allow
target=personal
autostart=True
requested_target=personal
```

Now you have the proper answer.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

Ben Grande

24 Oct 2023, 08:41:03
to qubes...@googlegroups.com

Thanks for the replies, always helpful :) .

Now I know how to do it... just have to wait till R4.2.

To track the Dom0 without GuiVM issue:

https://github.com/QubesOS/qubes-issues/issues/8646

I will assume the following output by your examples for my use case:

```
[user@dom0 ~]$ qrexec-policy --assume-yes-for-ask dom0 @default qusal.GitInit+qusal
INFO:policy:qrexec: qusal.GitInit+qusal: dom0 -> @default: allowed to sys-git
user=DEFAULT
result=allow
target=sys-git
autostart=True
requested_target=@default
```

--
Benjamin Grande
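
The two-step approach described in this thread (evaluate with the R4.2 three-argument `qrexec-policy`, then pass the resolved `target=` to `qrexec-client`), as an added shell example that is not part of any post here. The function names are hypothetical, and the sample text is the key=value output assumed in the message above.

```shell
#!/bin/sh
# Added example (not from the thread): resolve "@default" through the R4.2
# three-argument form of qrexec-policy, then call the resolved qube from dom0.

# get_field KEY: print the value of the first "KEY=value" line on stdin.
# Log lines (INFO:..., WARNING:...) never match because $1 must equal KEY.
get_field() {
    awk -F= -v k="$1" '$1 == k { print substr($0, length(k) + 2); exit }'
}

# resolved_target OUTPUT: print target= only when result=allow and the value
# is a literal qube name. An unresolved token such as "@default", an empty
# value, or a name starting with "-" (option injection) is rejected.
resolved_target() {
    [ "$(printf '%s\n' "$1" | get_field result)" = allow ] || return 1
    target=$(printf '%s\n' "$1" | get_field target)
    case $target in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    printf '%s\n' "$target"
}

# resolve_and_call SOURCE TARGET SERVICE+ARG (hypothetical helper).
# Example: resolve_and_call dom0 @default qusal.GitInit+qusal
resolve_and_call() {
    # The decision is read from result=, not from the exit status.
    out=$(qrexec-policy "$1" "$2" "$3") || true
    target=$(resolved_target "$out") || {
        echo "policy did not allow $3: $1 -> $2" >&2
        return 1
    }
    # Same call shape as the working command in the first message.
    qrexec-client -d "$target" -- "DEFAULT:QUBESRPC $3 $1"
}

# Sample key=value output, copied from the outputs shown in the thread.
SAMPLE_ALLOW='user=DEFAULT
result=allow
target=sys-git
autostart=True
requested_target=@default'
SAMPLE_DENY='result=deny'
```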

Ben Grande

21 Dec 2023, 16:28:06
to qubes...@googlegroups.com

On 23-10-24 12:32:50, Marek Marczykowski-Górecki wrote:
Can you please test with a service not provided by default? The
qubes.ClipboardPaste has `@anyvm @anyvm ask` and it affects the
evaluation.

You might also try with qubes.ClipboardPaste. On
`90-default-gui-daemon.policy`, comment out the lines, run the
evaluation tool and alternate the commented lines. You will get the same
results as I got below. In fact, `@adminvm @anyvm ask` is not doing
anything as far as I can see from my tests.

Running the evaluation from Dom0, R4.2, qubes-core-qrexec 4.2.16.

Policy:
```
test * @anyvm @anyvm ask target=personal default_target=personal
```

Call:
```
$ qrexec-policy --assume-yes-for-ask dom0 personal test

INFO:policy:qrexec: test+: dom0 -> personal: allowed to personal
user=DEFAULT
result=allow
target=personal
autostart=True
requested_target=personal
```

Now change the source from `@anyvm` to `@adminvm`:
```
test * @adminvm @anyvm ask target=personal default_target=personal
```

Call:
```
$ qrexec-policy --assume-yes-for-ask dom0 personal test

INFO:policy:qrexec: test: dom0 -> personal: denied: no matching rule found
result=deny
```

So what is happening? The evaluation is not considering dom0 to be an
@adminvm? I don't want to use the `@anyvm @anyvm ask` rule to avoid
qube existence probing.

--
Benjamin Grande