Commit Graph

81 Commits

Author SHA1 Message Date
Marek Marczykowski-Górecki
1502eb4d59
qrexec: switch to new qrexec policy in core-admin
QubesOS/qubes-issues#910
2017-05-17 13:58:55 +02:00
Marek Marczykowski-Górecki
723d32b8b7
qrexec: fix pending requests cleanup code
There was a logic error in pending requests cleanup code, causing
policy_pending_max being set to 0, even if there were more pending
requests. This effectively limited maximum pending requests to 1, after
some system uptime, because policy_pending_max set to 0 makes the code
look only at the first pending request slot.

While at it, remove outdated FIXME comment, actually this bug is in the
code implementing this FIXME.

Fixes QubesOS/qubes-issues#2699
2017-03-13 03:16:34 +01:00
Marek Marczykowski-Górecki
b253fdba33
qrexec: update qrexec-policy to python3 2017-02-22 12:14:50 +01:00
Marek Marczykowski-Górecki
40b139ab82
qrexec-policy: fix handling special target VM names
Function validate_target should return either valid QubesVM object or
None in case of success. And throw an exception in case of failure.
2016-09-05 14:38:47 +02:00
Marek Marczykowski-Górecki
a72d53ae1b
qrexec-policy: fix confirmation dialog call 2016-09-05 14:38:46 +02:00
Marek Marczykowski-Górecki
cce22c9517
qrexec-policy: new DispVM handling - $dispvm:DISP_VM keyword
Add support for `$dispvm:DISP_VM` syntax in target specification. At the
same time update the code for core3 API for handling DispVMs.

QubesOS/qubes-issues#2253
2016-09-05 14:38:46 +02:00
Marek Marczykowski-Górecki
009e2e6adb
qrexec-policy: prefer using VM objects
Pass VM object instead of just name - it will make extending much
easier. For example new DispVM handling.

QubesOS/qubes-issues#2253
2016-09-05 14:38:46 +02:00
Marek Marczykowski-Górecki
849b295384
qrexec: add option to wait for VM-VM connection termination
Normally when qrexec-client sets up a VM-VM connection it exits
immediately. But it may be useful to wait for the connection to
terminate - for example to cleanup DispVM.

qrexec-daemon (the one that allocated vchan port) does receive such
notification, so expose such option to qrexec-client.

QubesOS/qubes-issues#2253
2016-08-17 02:41:22 +02:00
Marek Marczykowski-Górecki
9192bb0d44
qrexec: don't call exit directly from qrexec-policy main
Use `return` instead. This makes it possible to implement unit tests on
this function. And also makes static analysis a little happier.
2016-08-17 02:41:22 +02:00
Marek Marczykowski-Górecki
9a5bd57d1b
qrexec: switch to ArgumentParser in qrexec-policy 2016-08-17 02:41:22 +02:00
Marek Marczykowski-Górecki
8a780cb7f5
qrexec: reformat qrexec-policy
No functional change, just make it slightly less painful to read...
2016-08-16 02:58:04 +02:00
Marek Marczykowski-Górecki
0568d2ae3b
qrexec: initial convert qrexec-policy to core3 API 2016-08-08 00:47:18 +02:00
Marek Marczykowski-Górecki
21bec492e8
qrexec: add service argument support
Fixes QubesOS/qubes-issues#1876

Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
2016-05-19 15:39:08 +02:00
Marek Marczykowski-Górecki
c629529565
qrexec: prefer VM-local service file (if present) over default one
This will allow a service to be overridden per-VM.

Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
2016-05-19 15:39:08 +02:00
Wojtek Porczyk
c4cf6b646b
qubes-rpc-multiplexer: deprecate /etc/qubes_rpc, allow /usr/local
/usr/local resides in private.img, so it is possible to define per-appvm RPC

Also, with the upcoming 3.0 release support for old (R1) paths is
removed.

Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
2016-05-19 15:39:08 +02:00
Marek Marczykowski-Górecki
f8d23d0d64
qrexec: execute RPC service directly (without a shell) if it has executable bit set
This will allow to use some different shell/language for a service (for
example python).

Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
2016-05-19 15:39:07 +02:00
Marek Marczykowski-Górecki
7b582e0339
qrexec: do not leak FDs to logger process
This would prevent qrexec from detecting EOF.

Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
2016-05-19 15:39:07 +02:00
Marek Marczykowski-Górecki
0607d9021a
qrexec: add support for service argument
Fixes QubesOS/qubes-issues#1876
2016-03-27 04:31:11 +02:00
Marek Marczykowski-Górecki
ad28f4df62
qrexec: deny spaces in service domain name
Fixes QubesOS/qubes-issues#1877
2016-03-27 04:23:47 +02:00
Marek Marczykowski-Górecki
f8d8368b10
qrexec: add timeout for data vchan connection
When qrexec-agent crashes for any reason (for example
QubesOS/qubes-issues#1389), it will never connect back and qrexec-client
will wait forever. In worst case it may happen while holding qubes.xml
write lock (in case of DispVM startup) effectively locking the whole
system.

Fixes QubesOS/qubes-issues#1636
2016-02-22 22:24:04 +01:00
Marek Marczykowski-Górecki
fa8ebeb42d Fix typo in "d9d48e8 qrexec: use tray notification when..."
Fixes QubesOS/qubes-issues#1446

Thanks HW42 for the report.
2015-12-28 00:59:45 +01:00
Marek Marczykowski-Górecki
d9d48e8948
qrexec: use tray notification when VM needs to be started
For both successful start and the failed one

Fixes QubesOS/qubes-issues#1446
2015-12-26 02:09:06 +01:00
Marek Marczykowski-Górecki
0c288aa355
qrexec: implement buffered write to child stdin to prevent deadlock
Otherwise if the child process isn't reading its stdin at that time, it
would deadlock the whole qrexec connection (for example preventing
reading the data from the child, which may be a cause of that deadlock).

QubesOS/qubes-issues#1347
2015-10-30 14:16:53 +01:00
Marek Marczykowski-Górecki
c8ce468c7f
qrexec: fallback to kdialog if zenity is not installed
Fixes QubesOS/qubes-issues#1277
2015-10-11 01:55:46 +02:00
Marek Marczykowski-Górecki
63e74a01d3
qrexec: fix handling autostarting RPC target VM
Do not reimplement manual VM state checking in qrexec-policy.
`qubes.xml` is loaded anyway, so just use QubesVM object to check if
domain is running.

Fixes QubesOS/qubes-issues#1283
2015-10-11 01:52:40 +02:00
Marek Marczykowski-Górecki
1288a13520 qrexec: do not terminate before sending all the data
Make sure that all the data from local process is sent (including final
EOF), before handling its exit code - which would include terminating
qrexec-client process.
2015-06-23 02:44:59 +02:00
Marek Marczykowski-Górecki
3f29b411d0 qrexec: do not send spurious MSG_SERVICE_REFUSED
This causes closing connection (FD) to still alive client.

Fixes qubesos/qubes-issues#993
2015-05-10 04:36:33 +02:00
Marek Marczykowski-Górecki
d6f0cfcbad qrexec: fix waiting for qrexec-agent data connection
In case of vchan server libvchan_is_open() returns VCHAN_WAITING (2) when
client is not yet connected.
2015-04-20 05:46:47 +02:00
Marek Marczykowski-Górecki
51c736a92c qrexec: enable compiler optimization 2015-03-20 12:16:28 +01:00
Marek Marczykowski-Górecki
18d079a99a qrexec: fix compiler warnings 2015-03-20 12:16:19 +01:00
Marek Marczykowski-Górecki
b07475efea qrexec: make the log writable by qubes group
Otherwise if VM was started as root, it will never start as normal user
again.
2015-03-20 03:06:06 +01:00
Marek Marczykowski-Górecki
04816e014b qrexec: do not exit from qrexec-client until local process exit code is sent 2015-03-17 22:55:15 +01:00
Marek Marczykowski-Górecki
e76007fe20 qrexec: periodically check if remote domain/process still exists 2015-02-22 18:25:14 +01:00
Marek Marczykowski-Górecki
5645b4c307 qrexec: wait for remote exit code, even when both stdin/out are closed 2015-02-17 03:57:17 +01:00
Marek Marczykowski-Górecki
61eb2e7764 qrexec: fix handling of remote exit code 2015-02-11 16:11:38 +01:00
Marek Marczykowski-Górecki
d031126737 Add "--" to separate options from (untrusted) non-options arguments
This will prevent passing an option instead of command (qvm-run) /
domain name (qrexec-policy). In both cases when VM tries to pass some
option it would fail because missing argument then - VM can not pass
additional arguments, so if one acts as an option, one argument will be
missing.
2015-02-10 01:57:33 +01:00
Marek Marczykowski-Górecki
1d017449d0 qrexec: fix compile warnings 2014-11-19 15:23:10 +01:00
Marek Marczykowski-Górecki
6efbbb88da qrexec: new protocol - direct data vchan connections 2014-11-19 15:23:10 +01:00
Marek Marczykowski-Górecki
0ba692c85a code style: change tabs to spaces 2014-11-19 15:21:42 +01:00
Marek Marczykowski-Górecki
6e47f12118 Revert "qrexec: fix deadlock in qrexec-client"
This reverts commit 79abec9038.

The problem will not be applicable in new protocol, where vchan
connection is directly between VMs, so there are no longer two connected
qrexec-clients - always one end of data flow in qrexec-client is vchan,
which provides information about amount of data to read or buffer
space to write (lack of the latter in case of pipes was a cause of the
original problem).
2014-11-19 15:21:42 +01:00
Marek Marczykowski-Górecki
9a1c071f40 qrexec-policy: remove trailing spaces 2014-11-19 15:21:42 +01:00
Marek Marczykowski
0eaae9790c Use QubesVMMConnection object
Introduced in core-admin:
af521bd Wrap all VMM connection related object into QubesVMMConnection
class
2014-11-19 15:21:41 +01:00
Marek Marczykowski
43770dae36 qrexec: handle vchan connect errors 2014-11-19 15:21:41 +01:00
Marek Marczykowski
d08831cc7e qrexec: get domain name from cmdline
libvchan_get_domain_name will be removed
2014-11-19 15:21:41 +01:00
Marek Marczykowski
6d2755abe6 Use libvirt in qrexec-policy
Import connection for core qubes module.
2014-11-19 15:21:41 +01:00
Marek Marczykowski
7bdf7b3f36 use domain name in error messages and log file name
Should be much more convenient than XID.
2014-11-19 15:21:41 +01:00
Marek Marczykowski
9215c09656 update for new vchan API 2014-11-19 15:21:40 +01:00
Marek Marczykowski-Górecki
28dfdddc0e Minor fixes in messages 2014-10-28 05:28:13 +01:00
Marek Marczykowski-Górecki
6cca9a377f qrexec: add -q option to silence "Waiting for VM's qrexec agent" message 2014-10-24 22:03:46 +02:00
Marek Marczykowski-Górecki
79abec9038 qrexec: fix deadlock in qrexec-client
When VM-VM qrexec service is called, two qrexec-clients are connected in
dom0. If both VMs are sending data simultaneously it can happen that
both qrexec-client processes will call write(2) and none of them will be
reading -> deadlock.
Solve it by handling I/O in two separate threads (one for reading from
VM, another for writing), at any time qrexec-client is ready to accept
data from either direction.
2014-07-01 03:24:46 +02:00