Currently, non-existent VMs match $anyvm in qrexec-policy. I suggest
that this is potentially dangerous when combined with innocent
mistakes elsewhere, and should not be the default.
From https://github.com/QubesOS/qubes-gui-daemon/pull/10:
> I did not detect this sooner because if qubes-clipboard.bin.source had
> a trailing newline, then evaluate_clipboard_policy() would not fail,
> and my dom0 clipboard-copyout script produced such a trailing newline.
This sounds to me like something that may cause trouble in the future,
both as false denies and, more importantly, as potential false allows.
If source vm names are being mangled somehow, `--assume-yes-for-ask`
allows a specific policy to fall through in a potentially surprising
way.
Consider a policy like:

```
$anyvm protected-thing deny
$anyvm $anyvm ask
```

or

```
bad-vm $anyvm deny
$anyvm $anyvm ask
```
Consider this example:

```
[user@dom0 qubes]$ /usr/lib/qubes/qrexec-policy --assume-yes-for-ask \
> --just-evaluate dummy_id some_source_vm_name_that_got_mangled_somehow \
> sys-firewall qubes.OpenInVM 0 && echo pwned || echo safe
pwned
```
This invocation of qrexec-policy was taken from
gui-daemon/gui-daemon/xside.c:
https://github.com/QubesOS/qubes-gui-daemon/blob/95417c573d9b24269d50b3733164c3c9e390851c/gui-daemon/xside.c#L753-L754
So, I propose we make qrexec-policy verify that an evaluated VM
actually exists before it can match $anyvm. This would mean invalid
sources fall all the way through to the implicit deny, even in the
case of `--assume-yes-for-ask`.
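To make the fall-through concrete, here is an added toy model of the matching described above (this is not qrexec-policy's own code): it parses `source target action` lines, applies `--assume-yes-for-ask` to `ask` rules, and compares the current behaviour with the proposed existence check. The VM inventory, `KNOWN_VMS`, and all function names are constructed for the example.

```python
# Added example, not Qubes' qrexec-policy implementation. Models the
# "source target action" policy lines, "$anyvm", the implicit deny and
# --assume-yes-for-ask as described in the post, then shows the effect
# of the proposed fix: "$anyvm" only matches a VM that actually exists.

KNOWN_VMS = {"sys-firewall", "work", "bad-vm"}  # constructed inventory


def parse_policy(text):
    """Parse 'source target action' lines; skip blanks and '#' comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        source, target, action = line.split()[:3]
        rules.append((source, target, action))
    return rules


def _matches(pattern, name, known_vms, require_existing):
    if pattern == "$anyvm":
        # Proposed fix: $anyvm matches only VMs that exist.
        return name in known_vms if require_existing else True
    return pattern == name


def evaluate(rules, source, target, assume_yes_for_ask=False,
             known_vms=KNOWN_VMS, require_existing=False):
    """First matching rule wins; 'ask' becomes 'allow' under
    --assume-yes-for-ask; no matching rule is the implicit deny."""
    for src_pat, dst_pat, action in rules:
        if (_matches(src_pat, source, known_vms, require_existing)
                and _matches(dst_pat, target, known_vms, require_existing)):
            if action == "ask" and assume_yes_for_ask:
                return "allow"
            return action
    return "deny"


POLICY = """
bad-vm  $anyvm  deny
$anyvm  $anyvm  ask
"""

if __name__ == "__main__":
    rules = parse_policy(POLICY)
    mangled = "some_source_vm_name_that_got_mangled_somehow"
    # Current behaviour: the mangled name reaches "$anyvm $anyvm ask",
    # which --assume-yes-for-ask turns into an allow.
    print(evaluate(rules, mangled, "sys-firewall", assume_yes_for_ask=True))
    # With the existence check it falls through to the implicit deny.
    print(evaluate(rules, mangled, "sys-firewall", assume_yes_for_ask=True,
                   require_existing=True))
```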
Thoughts?