make passed-through USB devs world-writable?


Jean-Philippe Ouellet

28 Nov 2016, 06:29:41
– qubes-devel
If you use `qvm-usb` to assign a particular USB device to a particular
VM, it's probably because you wanted to actually use that device! (or
more likely some program which interfaces with that device)

Currently, such programs will likely fail due to the `user` account
not having write access to the device node.

Under Qubes' threat model, we assume there is no meaningful privilege
boundary between user and root[1], so would it make sense to just make
all passed-through USB devs world-writable (or at least user-writable)
to enable software using them to "Just Work" by default?

Right now things only work if some application provides udev rules
changing ownership/permissions, or if a user observes things failing
and happens to know to go chmod stuff in /dev.

[1]: https://www.qubes-os.org/doc/vm-sudo/

Andrew David Wong

28 Nov 2016, 09:16:23
– Jean-Philippe Ouellet, qubes-devel
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
This sounds reasonable to me. Tracking it here:

https://github.com/QubesOS/qubes-issues/issues/2465

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

Marek Marczykowski-Górecki

28 Nov 2016, 09:31:56
– Andrew David Wong, Jean-Philippe Ouellet, qubes-devel
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Mon, Nov 28, 2016 at 06:15:57AM -0800, Andrew David Wong wrote:
> On 2016-11-28 03:29, Jean-Philippe Ouellet wrote:
> > If you use `qvm-usb` to assign a particular USB device to a particular
> > VM, it's probably because you wanted to actually use that device! (or
> > more likely some program which interfaces with that device)
> >
> > Currently, such programs will likely fail due to the `user` account
> > not having write access to the device node.
> >
> > Under Qubes' threat model, we assume there is no meaningful privilege
> > boundary between user and root[1], so would it make sense to just make
> > all passed-through USB devs world-writable (or at least user-writable)
> > to enable software using them to "Just Work" by default?
> >
> > Right now things only work if some application provides udev rules
> > changing ownership/permissions, or if a user observes things failing
> > and happens to know to go chmod stuff in /dev.
> >
> > [1]: https://www.qubes-os.org/doc/vm-sudo/
> >
>
> This sounds reasonable to me. Tracking it here:
>
> https://github.com/QubesOS/qubes-issues/issues/2465

I wonder how it works on bare-metal Fedora/Debian? Couldn't the same
mechanism be engaged in a Qubes AppVM?

And actually it looks to be working (at least in Fedora 24 and Debian 8)
- if I plug some USB webcam into the USB VM, /dev/video0 automatically gets
an ACL allowing user "user" read-write access:

getfacl: Removing leading '/' from absolute path names
# file: dev/video0
# owner: root
# group: video
user::rw-
user:user:rw-
group::rw-
mask::rw-
other::---

So, if it does not work for some types of devices, I would say it's an
upstream issue.
Any particular example?

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJYPD/WAAoJENuP0xzK19csjlgH/RA1XhIy0sJ4Aa1RNopP/A+K
OuG3aW+2nUZU//NSPlSOh/vMWXDJKwbB3JWnvyt3kMPRgAC9mTFoq8M7HGvo8xGY
DSJFK8NqhI0CQzmb7/mUbUi+ZbCJ7nr5lpnGZkA51FoRYq0DFWhW8l8n8AFDwC0y
eDqC9ctOiBNw1LTIN+5nSPSurUylLffL7/usWT7G3oNR9s0/Sp9+1Ufd005aYr1G
xUiRSQSFrIioGJcDxG/wZYSKqQqT2vGdB7TeuIbckH3MTkvMXZ0Pe+SrNQNzPSlr
KPnDpvUut5N96VKt5T6lBtoWdeIkES6kY0YW8I4pMJQfn2BgotvxMxd++cqQiHc=
=TVEi
-----END PGP SIGNATURE-----

Jean-Philippe Ouellet

28 Nov 2016, 12:26:34
– Marek Marczykowski-Górecki, Andrew David Wong, qubes-devel
On Mon, Nov 28, 2016 at 9:31 AM, Marek Marczykowski-Górecki
<marm...@invisiblethingslab.com> wrote:
> So, if it does not work for some type of devices, I would say it's an
> upstream issue.
> Any particular example?

In this case it was a JTAG programmer for an FPGA.

But AFAICT:

>> On 2016-11-28 03:29, Jean-Philippe Ouellet wrote:
>> > Right now things only work if some application provides udev rules
>> > changing ownership/permissions, or if a user observes things failing
>> > and happens to know to go chmod stuff in /dev.

And I think it may make sense to allow access for all (passed-through)
devices, because for devices to be present in Qubes they need to be
explicitly passed through, whereas this is not the case upstream.
Upstream it may indeed make sense to protect some devices from access
by default.
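As an added example (not code from this thread and not Qubes OS code), a POSIX sh script with two helpers covering the two mechanisms the thread touches on. `acl_user_can_write` reads getfacl output of the kind Marek posted for /dev/video0 and reports whether a given account gets write access through the ACL, which is the check to run before chmodding anything in /dev. `udev_usb_rule` prints a udev rule for one vendor:product pair, either with TAG+="uaccess" (the systemd-logind mechanism behind a user:user:rw- entry like the one above) or with a fixed MODE such as 0666 (the world-writable variant proposed in the first message). Both helper names are this example's own; the two getfacl samples are constructed (the first copied from Marek's listing, the second a plain /dev/bus/usb node with udev's default 0664 root:root); and 0403:6010 (an FTDI FT2232, common on JTAG cables) is a placeholder, not the programmer Jean-Philippe had.

```shell
#!/bin/sh
# Added example; not code from the qubes-devel thread or from Qubes OS.
# Helper names (acl_user_can_write, udev_usb_rule) and the samples below
# are this example's own.

# usage: getfacl /dev/NODE | acl_user_can_write ACCOUNT
# Prints "yes" (exit 0) when ACCOUNT gets write access from the ACL: as the
# owner (user::), through a named user:ACCOUNT: entry limited by mask::, or
# through other::. Group entries are not evaluated, because getfacl output
# does not say which groups ACCOUNT belongs to.
acl_user_can_write() {
    awk -v u="$1" '
        /^# owner:/ { owner = $3; next }
        /^#/ || /^$/ || /^getfacl:/ { next }   # comments, blanks, leading-slash notice
        {
            n = split($0, f, ":")
            if (n < 3) next
            perm = substr(f[3], 1, 3)          # drop any "#effective:" annotation
            if (f[1] == "user"  && f[2] == "") ownerperm = perm
            if (f[1] == "user"  && f[2] == u)  named = perm
            if (f[1] == "mask"  && f[2] == "") mask = perm
            if (f[1] == "other" && f[2] == "") other = perm
        }
        END {
            ok = 0
            if (owner == u) {
                if (index(ownerperm, "w")) ok = 1
            } else if (named != "") {          # a named entry wins over other::
                if (mask == "") mask = "rwx"
                if (index(named, "w") && index(mask, "w")) ok = 1
            } else if (index(other, "w")) {
                ok = 1
            }
            print (ok ? "yes" : "no")
            exit (ok ? 0 : 1)
        }'
}

# usage: udev_usb_rule VENDOR_ID PRODUCT_ID uaccess|MODE
# VENDOR_ID/PRODUCT_ID are the 4 lower-case hex digits lsusb shows.
# "uaccess" asks systemd-logind for an ACL for the active session user;
# an octal MODE (e.g. 0666) sets the node's permission bits directly.
udev_usb_rule() {
    case "$3" in
        uaccess)              grant='TAG+="uaccess"' ;;
        [0-7][0-7][0-7][0-7]) grant="MODE=\"$3\"" ;;
        *) echo "udev_usb_rule: policy must be uaccess or an octal mode" >&2; return 2 ;;
    esac
    printf 'SUBSYSTEM=="usb", ATTR{idVendor}=="%s", ATTR{idProduct}=="%s", %s\n' \
        "$1" "$2" "$grant"
}

# Constructed sample: the getfacl output posted for /dev/video0 in a
# Fedora 24 USB qube (logind uaccess ACL present).
SAMPLE_UACCESS='# file: dev/video0
# owner: root
# group: video
user::rw-
user:user:rw-
group::rw-
mask::rw-
other::---'

# Constructed sample: a raw USB device node with udev'\''s default 0664
# root:root, the kind a libusb-based JTAG tool would try to open.
SAMPLE_ROOT_ONLY='# file: dev/bus/usb/001/004
# owner: root
# group: root
user::rw-
group::r--
other::r--'

# Demo; touches no real device.
for s in "$SAMPLE_UACCESS" "$SAMPLE_ROOT_ONLY"; do
    printf '%s: user can write: ' "$(printf '%s\n' "$s" | sed -n 's/^# file: //p')"
    printf '%s\n' "$s" | acl_user_can_write user || true
done
# Rules for a JTAG programmer; 0403:6010 is a placeholder ID, substitute
# what lsusb reports for the real device.
udev_usb_rule 0403 6010 uaccess
udev_usb_rule 0403 6010 0666
```

On a real device in the USB qube: `lsusb` gives the IDs, `getfacl /dev/bus/usb/BBB/DDD` gives the ACL to feed in, the rule goes in /etc/udev/rules.d/ under a name that sorts before 73-seat-late.rules (for example 70-jtag.rules) so the uaccess tag is still processed, then `udevadm control --reload` and re-plug the device. Since only owner, named-user and other entries are evaluated, a "no" for an account that is in the node's group is a false negative.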