From be1d984364de9641312f56def13b0af27cfe1cd4 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Ouellet
Date: Sat, 26 Nov 2016 21:59:16 -0500
Subject: [PATCH] Mitigate GUI DoS (part 2: qvm-xkill)

Can close windows of a VM while it's paused, and can not accidentally harm dom0 by errant clicking.

Discussion in https://github.com/QubesOS/qubes-issues/issues/881

Thanks to rustybird for suggested implementation.
---
 qvm-xkill | 10 ++++++++++
 rpm_spec/core-dom0-linux.spec | 3 +++
 2 files changed, 13 insertions(+)
 create mode 100644 qvm-xkill

diff --git a/qvm-xkill b/qvm-xkill
new file mode 100644
index 0000000..25e8316
--- /dev/null
+++ b/qvm-xkill
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -e
+
+ID=$(xdotool selectwindow)
+
+xprop -id "$ID" _QUBES_VMNAME | grep -q ' = ' \
+ || { echo "${0##* /}: Not killing dom0 window $ID" >&2; exit 1; }
+
+xdotool windowkill "$ID"
diff --git a/rpm_spec/core-dom0-linux.spec b/rpm_spec/core-dom0-linux.spec
index f043a4b..1c57783 100644
--- a/rpm_spec/core-dom0-linux.spec
+++ b/rpm_spec/core-dom0-linux.spec
@@ -48,6 +48,7 @@ BuildRequires: qubes-libvchan-devel
 Requires: qubes-core-dom0
 Requires: qubes-utils >= 3.1.3
 Requires: %{name}-kernel-install
+Requires: xdotool

 %define _builddir %(pwd)

@@ -159,6 +160,7 @@ install -m 644 -D system-config/75-qubes-dom0.preset \
 $RPM_BUILD_ROOT/usr/lib/systemd/system-preset/75-qubes-dom0.preset
 install -m 644 -D system-config/99-qubes-default-disable.preset \
 $RPM_BUILD_ROOT/usr/lib/systemd/system-preset/99-qubes-default-disable.preset
+install -m 755 qvm-xkill $RPM_BUILD_ROOT/usr/bin/

 # file copy to VM
 install -m 755 file-copy-vm/qfile-dom0-agent $RPM_BUILD_ROOT/usr/lib/qubes/
@@ -283,6 +285,7 @@ chmod -x /etc/grub.d/10_linux
 %config(noreplace) /etc/profile.d/zz-disable-lesspipe
 /usr/lib/systemd/system-preset/75-qubes-dom0.preset
 /usr/lib/systemd/system-preset/99-qubes-default-disable.preset
+/usr/bin/qvm-xkill
 # Man
 %{_mandir}/man1/qvm-*.1*
 %{_mandir}/man1/qubes-*.1*
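Review bot: The only thing protecting dom0 windows in qvm-xkill is the `grep -q ' = '` on the `xprop` output, and it matches any line containing ` = ` rather than the property being tested; anchoring it, e.g. `grep -q '^_QUBES_VMNAME(.*) = '`, would tie the check to the one property that marks a VM window. The same refusal branch also runs when `xprop` itself fails (for instance if the selected window has already gone away), which fails closed but still prints "Not killing dom0 window". A comment above the pipeline such as `# Fail closed: no _QUBES_VMNAME (or any xprop error) means treat the window as dom0 and refuse.` would record that this is intentional. If the space in `${0##* /}` is really in the committed file and not an artifact of how this page was rendered, the prefix strip will not remove the script's path and it should read `${0##*/}`.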