Those parameters eventually may eventually be passed to a shell script
(at least /usr/lib/qubes/qubes-rpc-multiplexer). While it is possible to
properly escape shell special characters, lets do safer and less fragile
thing: forbid such characters entirely.
In case of target name, qrexec policy keywords are allowed, and after
recent change, those contains '@', so allow this char.
Avoid passing special characters (like '$' or '@') to the service, even
if in environment variable. Use separate variable (and
qubes-rpc-multiplexer argument) to provide type of original target.
There are two:
- specific VM by name ("name")
- special name, like $adminvm, $dispvm etc ("keyword")
Then, use separate variables to provide actual value:
- QREXEC_REQUESTED_TARGET_KEYWORD (if _TYPE == "keyword")
- QREXEC_REQUESTED_TARGET (if _TYPE == "name")
The later one intentionally is the same as in previous implementation,
to preserve compatibility.
It's necessary to add the break at the end of "case -1" statement else the compiler will treat it as fall through and GCC 7 will throw an error because of -Werror=implicit-fallthrough=.
- only have one button, because "yes/no" makes no sense in this context
- inform use to use "-t pv" for xl console, because otherwise it won't
work for HVM domains.
- use the actual VM name, not "vmname"
There was a second place with exactly the same bug. See
dad208a "qrexec: fix pending requests cleanup code" for details.
FixesQubesOS/qubes-issues#2699
There was a logic error in pending requests cleanup code, causing
policy_pending_max being set to 0, even if there were more pending
requests. This effectively limited maximum pending requests to 1, after
some system uptime, because policy_pending_max set to 0 makes the code
looks only at the first pending request slot.
While at it, remove outdated FIXME comment, actually this bug is in the
code implementing this FIXME.
FixesQubesOS/qubes-issues#2699
There was a logic error in pending requests cleanup code, causing
policy_pending_max being set to 0, even if there were more pending
requests. This effectively limited maximum pending requests to 1, after
some system uptime, because policy_pending_max set to 0 makes the code
looks only at the first pending request slot.
While at it, remove outdated FIXME comment, actually this bug is in the
code implementing this FIXME.
FixesQubesOS/qubes-issues#2699
Design documentation says:
'note string dom0 does not match the $anyvm pattern; all other names do'
This behaviour was broken, because 'is not' in python isn't the same as
string comparison. In theory this could result in some service
erroneously allowed to execute in dom0, but in practice such services are
not installed in dom0 at all, so the only impact was misleading error
message.
FixesQubesOS/qubes-issues#2031
Reported by @Jeeppler
Add support for `$dispvm:DISP_VM` syntax in target specification. At the
same time update the code for core3 API for handling DispVMs.
QubesOS/qubes-issues#2253
qrexec-client -t/-T (and therefore, qvm-run --pass-io) only handled the
escape character, \033. Everything else, such as Unicode and obscure
control characters, was passed through from the VM to the dom0 terminal.
Instead, replace all bytes except for a benign subset of ASCII. That's
still enough to allow progress bars to be drawn (tested using
"wget --progress=bar:force" and "pv --force").
Normally when qrexec-client setup VM-VM connection it exits
immediatelly. But it may be useful to wait for the connection to
terminate - for example to cleanup DispVM.
qrexec-daemon (the one that allocated vchan port) do receive such
notification, so expose such option to qrexec-client.
QubesOS/qubes-issues#2253
/usr/local resides in private.img, so it is possible to define per-appvm RPC
Also, with the upcoming 3.0 release support for old (R1) paths is
removed.
Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
This will allow to use some different shell/language for a service (for
example python).
Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
When qrexec-agent crashes for any reason (for example
QubesOS/qubes-issues#1389), it will never connect back and qrexec-client
will wait forever. In worst case it may happen while holding qubes.xml
write lock (in case of DispVM startup) effectively locking the whole
system.
FixesQubesOS/qubes-issues#1636
Otherwise if the child process isn't reading its stdin at that time, it
would deadlock the whole qrexec connection (for example preventing
reading the data from the child, which may be a cause of that deadlock).
QubesOS/qubes-issues#1347
Do not reimplement manual VM state checking in qrexec-policy.
`qubes.xml` is loaded anyway, so just use QubesVM object to check if
domain is running.
FixesQubesOS/qubes-issues#1283
Make sure that all the data from local process is sent (including final
EOF), before handling its exit code - which would include terminating
qrexec-client process.
