qrexec policies broken after QSB #38 update
53 views
Skip to first unread message
Micah Lee
Feb 20, 2018, 2:03:31 PM2/20/18
to qubes-users
I just installed updates in dom0 (current-testing) after QSB #38, and
now my qrexec policies are semi-broken.
To demonstrate, I just made two new AppVMs, testvm1 and testvm2. I want
to copy a file from testvm1 to testvm2:
[user@testvm1 ~]$ echo test > test.txt
[user@testvm1 ~]$ qvm-copy test.txt
Request refused
[user@testvm1 ~]$
It immediately fails with "Request refused" and doesn't pop up a dom0
window asking where I want to copy it to. This is true when I run
`qvm-copy` in any VM, it is immediately denied without prompting me.
I'm running into the same problem with other qrexec services too, like:
[user@testvm1 ~]$ qvm-open-in-dvm https://www.eff.org/
Request refused
[user@testvm1 ~]$
My /etc/qubes-rpc/policy/qubes.Filecopy has only one line:
$anyvm $anyvm ask
However, if I edit it and add this line to the beginning:
testvm1 testvm2 allow
It works, but only if I use the deprecated `qvm-copy-to-vm`:
[user@testvm1 ~]$ qvm-copy test.txt
Request refused
[user@testvm1 ~]$ qvm-copy-to-vm testvm2 test.txt
qvm-copy-to-vm/qvm-move-to-vm tools are deprecated,
use qvm-copy/qvm-move to avoid typing target qube name twice
sent 0/1 KB
[user@testvm1 ~]$
And likewise, my qubes.Gpg policy works for the VMs where I explicitly
allow it.
I read the QSB, and it says that the '$' character is being deprecated
and replaced with the '@' character, but changing my qrexec policy to
this doesn't work:
@anyvm @anyvm ask
Is anyone else running into this problem? Any solutions?
now my qrexec policies are semi-broken.
To demonstrate, I just made two new AppVMs, testvm1 and testvm2. I want
to copy a file from testvm1 to testvm2:
[user@testvm1 ~]$ echo test > test.txt
[user@testvm1 ~]$ qvm-copy test.txt
Request refused
[user@testvm1 ~]$
It immediately fails with "Request refused" and doesn't pop up a dom0
window asking where I want to copy it to. This is true when I run
`qvm-copy` in any VM, it is immediately denied without prompting me.
I'm running into the same problem with other qrexec services too, like:
[user@testvm1 ~]$ qvm-open-in-dvm https://www.eff.org/
Request refused
[user@testvm1 ~]$
My /etc/qubes-rpc/policy/qubes.Filecopy has only one line:
$anyvm $anyvm ask
However, if I edit it and add this line to the beginning:
testvm1 testvm2 allow
It works, but only if I use the deprecated `qvm-copy-to-vm`:
[user@testvm1 ~]$ qvm-copy test.txt
Request refused
[user@testvm1 ~]$ qvm-copy-to-vm testvm2 test.txt
qvm-copy-to-vm/qvm-move-to-vm tools are deprecated,
use qvm-copy/qvm-move to avoid typing target qube name twice
sent 0/1 KB
[user@testvm1 ~]$
And likewise, my qubes.Gpg policy works for the VMs where I explicitly
allow it.
I read the QSB, and it says that the '$' character is being deprecated
and replaced with the '@' character, but changing my qrexec policy to
this doesn't work:
@anyvm @anyvm ask
Is anyone else running into this problem? Any solutions?
Yuraeitha
Feb 20, 2018, 2:17:34 PM2/20/18
to qubes-users
Yes, there is a new discussion over in Qubes devel https://groups.google.com/forum/#!topic/qubes-devel/c3ygyBTMVx0
I have the issue too btw, check the thread to see more.
Try a full system restart a second time, maybe that'll help? It seems restarting works for some, but at least it didn't for me, and it seems like it didn't for Elias either. So it's a bit of a mixed response atm.
Chris Laprise
Feb 20, 2018, 2:26:08 PM2/20/18
to Micah Lee, qubes-users
qvm-copy tests and have been unable to reproduce the problem on R4.0-rc4.
I updated with qubes*testing and then restarted per the QSB.
--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
Micah Lee
Feb 20, 2018, 3:41:34 PM2/20/18
to qubes...@googlegroups.com
On 02/20/18 11:25, Chris Laprise wrote:
> Since several people are reporting this, I decided to try some simple
> qvm-copy tests and have been unable to reproduce the problem on R4.0-rc4.
>
> I updated with qubes*testing and then restarted per the QSB.
I realized that I had enabled the testing repo in dom0 but not in my
> Since several people are reporting this, I decided to try some simple
> qvm-copy tests and have been unable to reproduce the problem on R4.0-rc4.
>
> I updated with qubes*testing and then restarted per the QSB.
templates. After enabled the testing repo in my templates and installing
updates, I no longer have this problem.
Reply all
Reply to author
Forward
0 new messages