Closed Jeeppler closed 7 years ago
Related: #1839, #1324
This happens because dom0 has a policy for qubes.Filecopy:
[user@dom0 ~]$ cat /etc/qubes-rpc/policy/qubes.Filecopy
## Note that policy parsing stops at the first match,
## so adding anything below "$anyvm $anyvm action" line will have no effect
## Please use a single # to start your custom comments
$anyvm $anyvm ask
but no actual RPC service (no /etc/qubes-rpc/qubes.Filecopy).
When a VM tries to invoke qubes.Filecopy on dom0, qrexec-policy is consulted as normal:
[user@dom0 bin]$ sudo /usr/local/bin/execsnoop
Tracing exec()s. Ctrl-C to end.
Instrumenting sys_execve
PID PPID ARGS
...
9318 8939 qrexec-policy -- 7 qubes-builder dom0 qubes.Filecopy SOCKET8
9319 9318 qrexec-policy-9319 [003] d... 10555.510076: execsnoop_sys_execve: (SyS_execve+0x0/0x50)
9320 9319 /sbin/ldconfig -p
You get a dialog asking to confirm. And if you do, then it tries to run the service:
9318 0 qrexec-client -d dom0 -c SOCKET8,qubes-builder,7 /usr/lib/qubes/qubes-rpc-multiplexer qubes.Filecopy qubes-builder
9323 9318 bash -c /usr/lib/qubes/qubes-rpc-multiplexer qubes.Filecopy qubes-builder
9325 9323 mkfifo /tmp/qrexec-rpc-stderr.9323
9326 9323 logger -t qubes.Filecopy-qubes-builder -f /tmp/qrexec-rpc-stderr.9323
9327 9323 rm -f /tmp/qrexec-rpc-stderr.9323
9323 0 /bin/sh -- /etc/qubes-rpc/qubes.Filecopy
but no such service exists.
One possible solution is to just add:
$anyvm dom0 deny
to the top of the policy.
Thoughts?
I think the bug is elsewhere: documentation says dom0 reserved keywords (note string dom0 does not match the $anyvm pattern; all other names do). Apparently this is broken...
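The matching rule quoted from the documentation above, worked through as an added example (not code from this thread and not the qrexec-policy source): a small evaluator for the policy file shown earlier, comparing the documented $anyvm behaviour with what the trace shows and with the proposed "$anyvm dom0 deny" line. Assumptions: a call that matches no policy line is denied, and the VM name "work" is hypothetical.

```python
# Added illustration; models the documented matching rules only.
POLICY = """\
## Note that policy parsing stops at the first match,
## so adding anything below "$anyvm $anyvm action" line will have no effect
## Please use a single # to start your custom comments
$anyvm $anyvm ask
"""

def parse_policy(text):
    """Return (source, target, action) rules, skipping comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("malformed policy line: %r" % line)
        # Drop optional ",key=value" suffixes after the action keyword.
        rules.append((fields[0], fields[1], fields[2].split(",")[0]))
    return rules

def term_matches(term, name, anyvm_matches_dom0):
    """Documented rule: $anyvm matches every name except dom0."""
    if term == "$anyvm":
        return name != "dom0" or anyvm_matches_dom0
    return term == name

def evaluate(rules, source, target, anyvm_matches_dom0=False):
    """First matching rule wins; no match is treated as deny (assumption)."""
    for rule_src, rule_dst, action in rules:
        if (term_matches(rule_src, source, anyvm_matches_dom0)
                and term_matches(rule_dst, target, anyvm_matches_dom0)):
            return action
    return "deny"

def demo():
    stock = parse_policy(POLICY)
    patched = parse_policy("$anyvm dom0 deny\n" + POLICY)
    call = ("qubes-builder", "dom0")
    return {
        "documented": evaluate(stock, *call),
        "observed": evaluate(stock, *call, anyvm_matches_dom0=True),
        "with_deny_line": evaluate(patched, *call, anyvm_matches_dom0=True),
        "vm_to_vm": evaluate(stock, "qubes-builder", "work"),  # hypothetical VM
    }

if __name__ == "__main__":
    for case, action in demo().items():
        print(case, "->", action)
```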
Automated announcement from builder-github
The package qubes-core-dom0-linux-3.2.10-1.fc23 has been pushed to the r3.2 testing repository for dom0.
To test this update, please install it with the following command:
sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing
Automated announcement from builder-github
The package qubes-core-dom0-linux-3.1.13-1.fc20 has been pushed to the r3.1 testing repository for dom0.
To test this update, please install it with the following command:
sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing
Automated announcement from builder-github
The package qubes-core-dom0-linux-3.1.13-1.fc20 has been pushed to the r3.1 stable repository for dom0.
To install this update, please use the standard update command:
sudo qubes-dom0-update
Or update dom0 via Qubes Manager.
Automated announcement from builder-github
The package qubes-core-dom0-linux-3.2.11-1.fc23 has been pushed to the r3.2 stable repository for dom0.
To install this update, please use the standard update command:
sudo qubes-dom0-update
Or update dom0 via Qubes Manager.
Qubes OS version (e.g., R3.1): R3.1
Affected TemplateVMs (e.g., fedora-23, if applicable): all
Expected behavior:
Expect an error message like:
or
each with useful qrexec error dialog message.
Actual behavior:
No useful error message: