-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
That explains why pass-through of an Android phone never worked!
> - unsupported data transfer mode (should be better now, since the
> current USBIP driver has XHCI support)
I am glad to know that that issue is fixed.
> > > > A better approach would be
> > > > to pass an AF_UNIX stream socket as file descriptor 3,
> > >
> > > Then, the qrexec doesn't know where to send the data...
> >
> > I meant to use file descriptor 3 for out-of-band control messages. On
> > further thought, I would actually prefer a *datagram* socket,
>
> I see, but TBH I don't like it that much. This makes writing a service
> significantly harder, because (in some cases) it is no longer enough to
> use standard read/write (or kill) which you can do trivially in any
> language/tool etc, sending/receiving datagram over AF_UNIX is rather
> uncommon thing (and often even sending UDP packets requires much less
> common API).
Good point. It is fairly easy in C, but doing it in most other
languages requires calling the C functions. That said, another (even
simpler) approach would be to treat data read from FD 0 as if it were
read from FD 1, which doesn’t even require sending a signal.
> On the other hand, I think one can rather easily get confirmation when
> the parent qrexec processes the SIGUSR1 - simply by waiting for EOF on FD 1.
I didn’t actually realize this. Since signals can’t actually be *lost*
(merely coalesced), and since only one signal is actually sent, signals
are actually reliable here. And I was not aware that qrexec would close
FD 1 after handling the signal; this allows the child process to confirm
that the signal was received.
FYI, there is a cute trick on Linux to send a signal to one’s parent
process, with no PID reuse race conditions: open a pidfd to the parent
process ID, then (if that succeeds) check that the parent process ID has
not changed. If it has not changed, send the signal via
pidfd_signal(2). In C:
#include <sys/types.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <signal.h>
int send_signal_to_parent(int sig) {
pid_t x = getppid();
int res = -1;
if (x <= 1)
return -1; /* parent in different PID namespace or init */
int fd = syscall(__NR_pidfd_open, x, 0);
if (fd < 0)
return -1; /* pidfd_open failed */
if (x == getppid())
res = syscall(__NR_pidfd_send_signal, fd, sig, (void *)0, 0);
close(fd);
return res;
}
> > with
> > checks that the message actually came from the correct child process.
>
> No, that's a bad idea. This forces specific process structure of a
> service, which will be limiting factor.
Indeed so, good point.
> > > > Second,
> > > > this would allow the child process to ptrace() the parent process and
> > > > obtain access to Xen file descriptors, which could potentially be used
> > > > to escalate privilege within the qube. While this isn’t an explicit
> > > > security boundary in Qubes OS, my understanding is that Qubes OS doesn’t
> > > > try to deliberately weaken it either.
> > >
> > > Well, user processes must have the ability to open vchan connections
> > > anyway, either for qrexec-client-vm to work, or for qrexec-fork-server.
> >
> > My understanding is that this typically requires membership in the
> > “qubes” group, which is the same group that
> > ‘qubes-core-agent-passwordless-root’ gives passwordless sudo access to.
>
> Yes. Which means, it would only change anything if running service as
> an user who is not member of the 'qubes' group.
Correct.
> > > > The second is that right now, one can use user= directives in
> > > > qrexec policy to control which qube has access to which keys. While
> > > > this is not best practice, on memory-constrained hardware it can be the
> > > > difference between being able to use split-gpg and not being able to do
> > > > so.
> > >
> > > That's true. In fact it's yet another case, where overriding the call
> > > argument at the policy level could be useful (something I consider
> > > adding for a long time already) - then you could have different sockets
> > > for different users.
> >
> > That is a good idea that I had not considered. That said, it does
> > conflict with having split-gpg2 use the call argument for filtering.
>
> Depending on what you put into that call argument. It may actually ease
> it, for example: qubes.Gpg2+Sign enforced to qubes.Gpg2+Sign+0xKEYID
> You may need to create some symlinks to the socket for various
> operations, but it shouldn't be an issue.
Indeed so. I hadn’t thought of creating the symlinks.
- --
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEdodNnxM2uiJZBxxxsoi1X/+cIsEFAmFkhv0ACgkQsoi1X/+c
IsGgVhAAmNLuFDacJ3X6l4ZOaoo792Y47qNcgHQNeloWYnrvYYFo+WjMwDj3iDx0
ku01DXExpYS10+EUDKc+A2WHX32xHy8RvJN/syMzMUmPCpQHjGpaFdy0tcN9d62k
yJ7AP7E2vNFD97ZCp3CTbWOy9TFs2X1+2Icg9YBOCnKP2zNiNW3D+aozaew65HNM
egCb2Hl14DPpPsDyoSySp3KcSuTzLGv2xA6Lj/lD0j6pVr+athi56+bQiPh5XztL
uRdgksI/G2gC90g/fWFzcYAPf6ul6TdYyWth0okwC4D1Ci5DUScG0JbvUxxX9u65
8jCiBWYoLDRoybrwJ85sGXPJT5ai9xcMO281OA/4VkhhMUbmccBUuOT/hNvZ/zSk
7ve+RVsvyAGPUjkV++/KrObMLzc3NsTlDFQ/Tm6mxvTDxhaFfdCS5gP+hmxq+9ua
2cAkIFy7KQec5xay8g8itHjNpVNeTHKWJFHx8JmsBVHv5yUQqt73w1Q2lpLxwYFy
3PXCORVflikcbPz6MILb5HZgl0yhLpSjZ7Ab3I79dCoVOU5TDBsByNzpZAHWEwV/
ARfkAibcf+Db+NN/IK9Sb8CLIB9O/D547JnR4tOHF+Q/zFYDaFIwFa8KOpU6PBq+
gnLbhmx6hNPLH2klU7gPc1QGfoRfGWorUCxpGTXg/MjM587IbEA=
=9hXh
-----END PGP SIGNATURE-----