Commit Graph

76 Commits

Author SHA1 Message Date
unman
194e0bc3cc
Prompt to create policy file for qubes-rpc if not present. 2017-04-20 22:27:36 +01:00
Marek Marczykowski-Górecki
dad208a0d5
qrexec: fix pending requests cleanup code
There was a logic error in pending requests cleanup code, causing
policy_pending_max being set to 0, even if there were more pending
requests. This effectively limited maximum pending requests to 1, after
some system uptime, because policy_pending_max set to 0 makes the code
looks only at the first pending request slot.

While at it, remove outdated FIXME comment, actually this bug is in the
code implementing this FIXME.

Fixes QubesOS/qubes-issues#2699
2017-03-13 03:17:27 +01:00
Marek Marczykowski-Górecki
981a11cee1
qrexec: really do not match 'dom0' at '$anyvm', as documented
Design documentation says:
'note string dom0 does not match the $anyvm pattern; all other names do'

This behaviour was broken, because 'is not' in python isn't the same as
string comparison. In theory this could result in some service
erroneously allowed to execute in dom0, but in practice such services are
not installed in dom0 at all, so the only impact was misleading error
message.

Fixes QubesOS/qubes-issues#2031
Reported by @Jeeppler
2016-11-18 02:51:25 +01:00
Marek Marczykowski-Górecki
610902a5c1
Revert "qrexec: fix "yes to all" for qrexec calls with custom argument"
Do not copy policy file at arbitrary time.
This reverts commit 1dff6361b7.
2016-10-31 14:17:54 +01:00
Marek Marczykowski-Górecki
1dff6361b7
qrexec: fix "yes to all" for qrexec calls with custom argument
If argument-specific policy file do not exists, create one based on
generic one.

Fixes QubesOS/qubes-issues#2403
Reported by @Rudd-O
2016-10-28 13:28:04 +02:00
Rusty Bird
c7ad14320f
qrexec-client: Also allow the bell character 2016-08-17 13:10:13 +00:00
Rusty Bird
e005836286
qrexec-client: Filter terminal output much more strictly
qrexec-client -t/-T (and therefore, qvm-run --pass-io) only handled the
escape character, \033. Everything else, such as Unicode and obscure
control characters, was passed through from the VM to the dom0 terminal.

Instead, replace all bytes except for a benign subset of ASCII. That's
still enough to allow progress bars to be drawn (tested using
"wget --progress=bar:force" and "pv --force").
2016-08-17 02:41:38 +02:00
Marek Marczykowski-Górecki
21bec492e8
qrexec: add service argument support
Fixes QubesOS/qubes-issues#1876

Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
2016-05-19 15:39:08 +02:00
Marek Marczykowski-Górecki
c629529565
qrexec: prefer VM-local service file (if present) over default one
This will allow a service to be overridden per-VM.

Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
2016-05-19 15:39:08 +02:00
Wojtek Porczyk
c4cf6b646b
qubes-rpc-multiplexer: deprecate /etc/qubes_rpc, allow /usr/local
/usr/local resides in private.img, so it is possible to define per-appvm RPC

Also, with the upcoming 3.0 release support for old (R1) paths is
removed.

Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
2016-05-19 15:39:08 +02:00
Marek Marczykowski-Górecki
f8d23d0d64
qrexec: execute RPC service directly (without a shell) if it has executable bit set
This will allow to use some different shell/language for a service (for
example python).

Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
2016-05-19 15:39:07 +02:00
Marek Marczykowski-Górecki
7b582e0339
qrexec: do not leak FDs to logger process
This would prevent qrexec from detecting EOF.

Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
2016-05-19 15:39:07 +02:00
Marek Marczykowski-Górecki
0607d9021a
qrexec: add support for service argument
Fixes QubesOS/qubes-issues#1876
2016-03-27 04:31:11 +02:00
Marek Marczykowski-Górecki
ad28f4df62
qrexec: deny spaces in service domain name
Fixes QubesOS/qubes-issues#1877
2016-03-27 04:23:47 +02:00
Marek Marczykowski-Górecki
f8d8368b10
qrexec: add timeout for data vchan connection
When qrexec-agent crashes for any reason (for example
QubesOS/qubes-issues#1389), it will never connect back and qrexec-client
will wait forever. In worst case it may happen while holding qubes.xml
write lock (in case of DispVM startup) effectively locking the whole
system.

Fixes QubesOS/qubes-issues#1636
2016-02-22 22:24:04 +01:00
Marek Marczykowski-Górecki
fa8ebeb42d Fix typo in "d9d48e8 qrexec: use tray notification when..."
Fixes QubesOS/qubes-issues#1446

Thanks HW42 for the report.
2015-12-28 00:59:45 +01:00
Marek Marczykowski-Górecki
d9d48e8948
qrexec: use tray notification when VM needs to be started
For both successful start and the failed one

Fixes QubesOS/qubes-issues#1446
2015-12-26 02:09:06 +01:00
Marek Marczykowski-Górecki
0c288aa355
qrexec: implement buffered write to child stdin to prevent deadlock
Otherwise if the child process isn't reading its stdin at that time, it
would deadlock the whole qrexec connection (for example preventing
reading the data from the child, which may be a cause of that deadlock).

QubesOS/qubes-issues#1347
2015-10-30 14:16:53 +01:00
Marek Marczykowski-Górecki
c8ce468c7f
qrexec: fallback to kdialog if zenity is not installed
Fixes QubesOS/qubes-issues#1277
2015-10-11 01:55:46 +02:00
Marek Marczykowski-Górecki
63e74a01d3
qrexec: fix handling autostarting RPC target VM
Do not reimplement manual VM state checking in qrexec-policy.
`qubes.xml` is loaded anyway, so just use QubesVM object to check if
domain is running.

Fixes QubesOS/qubes-issues#1283
2015-10-11 01:52:40 +02:00
Marek Marczykowski-Górecki
1288a13520 qrexec: do not terminate before sending all the data
Make sure that all the data from local process is sent (including final
EOF), before handling its exit code - which would include terminating
qrexec-client process.
2015-06-23 02:44:59 +02:00
Marek Marczykowski-Górecki
3f29b411d0 qrexec: do not send spurious MSG_SERVICE_REFUSED
This causes closing connection (FD) to still alive client.

Fixes qubesos/qubes-issues#993
2015-05-10 04:36:33 +02:00
Marek Marczykowski-Górecki
d6f0cfcbad qrexec: fix waiting for qrexec-agent data connection
In case of vchan server libvchan_is_open() returns VCHAN_WAITING (2) when
client is not yet connected.
2015-04-20 05:46:47 +02:00
Marek Marczykowski-Górecki
51c736a92c qrexec: enable compiler optimization 2015-03-20 12:16:28 +01:00
Marek Marczykowski-Górecki
18d079a99a qrexec: fix compiler warnings 2015-03-20 12:16:19 +01:00
Marek Marczykowski-Górecki
b07475efea qrexec: make the log writable by qubes group
Otherwise if VM was started as root, it will never start as normal user
again.
2015-03-20 03:06:06 +01:00
Marek Marczykowski-Górecki
04816e014b qrexec: do not exit from qrexec-client until local process exit code is sent 2015-03-17 22:55:15 +01:00
Marek Marczykowski-Górecki
e76007fe20 qrexec: periodically check if remote domain/process still exists 2015-02-22 18:25:14 +01:00
Marek Marczykowski-Górecki
5645b4c307 qrexec: wait for remote exit code, even when both stdin/out are closed 2015-02-17 03:57:17 +01:00
Marek Marczykowski-Górecki
61eb2e7764 qrexec: fix handling of remote exit code 2015-02-11 16:11:38 +01:00
Marek Marczykowski-Górecki
d031126737 Add "--" to separate options from (untrusted) non-options arguments
This will prevent passing an option instead of command (qvm-run) /
domain name (qrexec-policy). In both cases when VM tries to pass some
option it would fail because missing argument then - VM can not pass
additional arguments, so if one act as an option, one argument will be
missing).
2015-02-10 01:57:33 +01:00
Marek Marczykowski-Górecki
1d017449d0 qrexec: fix compile warnings 2014-11-19 15:23:10 +01:00
Marek Marczykowski-Górecki
6efbbb88da qrexec: new protocol - direct data vchan connections 2014-11-19 15:23:10 +01:00
Marek Marczykowski-Górecki
0ba692c85a code style: change tabs to spaces 2014-11-19 15:21:42 +01:00
Marek Marczykowski-Górecki
6e47f12118 Revert "qrexec: fix deadlock in qrexec-client"
This reverts commit 79abec9038.

The problem will not be applicable in new protocol, where vchan
connection is directly between VMs, so there is no longer two connected
qrexec-clients - always one end of data flow in qrexec-client is vchan,
which provide information about amount of data to read or buffer
space to write (lack of the later in case of pipes was a cause of the
original problem).
2014-11-19 15:21:42 +01:00
Marek Marczykowski-Górecki
9a1c071f40 qrexec-policy: remove trailing spaces 2014-11-19 15:21:42 +01:00
Marek Marczykowski
0eaae9790c Use QubesVMMConnection object
Introduced in core-admin:
af521bd Wrap all VMM connection related object into QubesVMMConnection
class
2014-11-19 15:21:41 +01:00
Marek Marczykowski
43770dae36 qrexec: handle vchan connect errors 2014-11-19 15:21:41 +01:00
Marek Marczykowski
d08831cc7e qrexec: get domain name from cmdline
libvchan_get_domain_name will be removed
2014-11-19 15:21:41 +01:00
Marek Marczykowski
6d2755abe6 Use libvirt in qrexec-policy
Import connection for core qubes module.
2014-11-19 15:21:41 +01:00
Marek Marczykowski
7bdf7b3f36 use domain name in error messages and log file name
Should be much more convenient than XID.
2014-11-19 15:21:41 +01:00
Marek Marczykowski
9215c09656 update for new vchan API 2014-11-19 15:21:40 +01:00
Marek Marczykowski-Górecki
28dfdddc0e Minor fixes in messages 2014-10-28 05:28:13 +01:00
Marek Marczykowski-Górecki
6cca9a377f qrexec: add -q option to silence "Waiting for VM's qrexec agent" message 2014-10-24 22:03:46 +02:00
Marek Marczykowski-Górecki
79abec9038 qrexec: fix deadlock in qrexec-client
When VM-VM qrexec service is called, two qrexec-clients are connected in
dom0. If both VMs are sending data simultaneously it can happen that
both qrexec-client processes will call write(2) and none of them will be
reading -> deadlock.
Solve it by handling I/O in two separate threads (one for reading from
VM, another for writing), at any time qrexec-client is ready to accept
data from either direction.
2014-07-01 03:24:46 +02:00
Marek Marczykowski-Górecki
9de6171a43 qubes-rpc: log (local) service output to syslog, discard stderr from VMs (#842)
Basically - store the logs where the service is running.
2014-05-05 05:27:08 +02:00
Marek Marczykowski-Górecki
0be6f8431f qrexec: add support for filtering terminal escape chars 2014-04-15 03:12:53 +02:00
Marek Marczykowski-Górecki
3f9cbe63b8 qrexec: use proper unsigned type instead of muting compiler warning 2014-02-19 20:54:39 +01:00
Vincent Penquerc'h
36c8885ff2 Fix some potential aliasing issues 2014-02-16 11:44:30 +01:00
Marek Marczykowski-Górecki
2b95581928 Add -Wextra -Werror to all C compile flags 2014-02-16 10:29:22 +01:00