global config: policy rules for U2F incorrectly assume wildcard argument

marmarek commented 1 year ago

Qubes OS release

R4.2

Brief summary

A policy rule with explicit argument is parsed by settings as with wildcard argument and lands in section "Allow some qubes to access ALL keys stored on your U2F device".

Steps to reproduce

1.Add rule like u2f.Authenticate +8972493827349823 some-vm sys-usb allow to /etc/qubes/policy.d/50-config-u2f.policy

Open Global Config
Go to USB devices tab

Expected behavior

Either rule listed as unknown, or properly displayed as permission for a specific key (no section for that right now).

Actual behavior

Qube is listed as having access to all the keys.

marmarta commented 1 year ago

Is there anywhere a complete specification (as in, not "read the code and deduce what happens") of the qubes-u2f policy and how it works?

DemiMarie commented 1 year ago

@marmarta nope, sorry! There probably should be, though. @piotrbartman?

marmarek commented 1 year ago

See https://github.com/QubesOS/qubes-app-u2f/blob/main/Documentation/qrexec-transport.rst and the main README in the repo

qubesos-bot commented 1 year ago

Automated announcement from builder-github

The package desktop-linux-manager has been pushed to the r4.2 testing repository for the Debian template. To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing bullseye-testing (or appropriate equivalent for your template version), then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

qubesos-bot commented 1 year ago

Automated announcement from builder-github

The package desktop-linux-manager has been pushed to the r4.2 testing repository for the Debian template. To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing bookworm-testing (or appropriate equivalent for your template version), then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

qubesos-bot commented 1 year ago

Automated announcement from builder-github

The component desktop-linux-manager (including package desktop-linux-manager) has been pushed to the r4.2 testing repository for the Fedora template. To test this update, please install it with the following command:

sudo dnf update --enablerepo=qubes-vm-r4.2-current-testing

Changes included in this update

qubesos-bot commented 1 year ago

Automated announcement from builder-github

The package desktop-linux-manager has been pushed to the r4.2 testing repository for the CentOS centos-stream8 template. To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r4.2-current-testing

Changes included in this update

qubesos-bot commented 1 year ago

Automated announcement from builder-github

The component desktop-linux-manager (including package desktop-linux-manager) has been pushed to the r4.2 testing repository for the Fedora template. To test this update, please install it with the following command:

sudo dnf update --enablerepo=qubes-vm-r4.2-current-testing

Changes included in this update

qubesos-bot commented 1 year ago

Automated announcement from builder-github

The component desktop-linux-manager (including package desktop-linux-manager) has been pushed to the r4.2 testing repository for the Fedora template. To test this update, please install it with the following command:

sudo dnf update --enablerepo=qubes-vm-r4.2-current-testing

Changes included in this update