1. 28 Oct, 2020 1 commit
  2. 19 Oct, 2020 3 commits
  3. 18 Oct, 2020 2 commits
  4. 11 Oct, 2020 5 commits
    • marmarek's avatar
      version 4.1.10 · d9ad1979
      marmarek authored
    • marmarek's avatar
      Merge branch 'allow-dom0-fix' · c6b042d2
      marmarek authored
      * allow-dom0-fix:
        policy: adjust call target for allow action too
    • marmarek's avatar
      daemon: do not send MSG_SERVICE_* messages twice for a given connection · 7f348d12
      marmarek authored
      Record if the service call request was already answered and send the
      response only when it wasn't. The information about the request is
      stored until qrexec-policy-exec (or a process talking to
      qrexec-policy-daemon) terminates, so the qrexec-client needs to connect
      in that time frame. This is currently guaranteed property
      (qrexec-policy related process exits only after qrexec-client exits).
      Refuse to send a response to the same request twice. But also refuse to
      send a response for an unknown connection (not requested, or when
      qrexec-policy related process is already terminated).
      This is important, because qrexec-agent rely on getting exactly one
      response to a given request.
      With this change, if the qrexec-client is called twice for a given
      request, the other side of the connection may still be started (for the
      second time). In that case, it will timeout waiting for the data vchan
      connection. To avoid this properly, qrexec-client call should be made by
      the qrexec-daemon (perhaps even as a simple function call instead of
      separate process), instead of qrexec-policy related process. But that is
      a more elaborate change because of how Disposable VMs are handled.
      Fixes QubesOS/qubes-issues#6120
    • marmarek's avatar
      policy: adjust call target for allow action too · 1e973682
      marmarek authored
      Similarly to 'ask' default_target parameter, expand actual 'target'
      parameter in case of allow action (explicit or implicit via ask). This
      makes the '@adminvm' keyword isolated to the policy internal logic, but
      when communicating externally, it gets translated to the actual VM name
      (which currently always is 'dom0', but may be translated into "local
       AdminVM" in the future).
    • marmarek's avatar
      agent: do not crash on spurious MSG_SERVICE_CONNECT from the daemon · 25ee6203
      marmarek authored
      If (buggy) qrexec-daemon sends MSG_SERVICE_CONNECT for a given
      connection, do not crash on it, log an error and ignore the message.
      Blindly processing FD named in the message, makes qrexec-agent crash
      with "pselect: Bad file descriptor" error.
      Implement the fix naively - observe if the write() call fails with
      EBADF. If it doesn't fail, assume the FD is the right one. This still
      doesn't check if we are really waiting for the connection to establish
      (it may be already accepted connection that is still running), but at
      least avoid the service crash. The proper fix is needed on the daemon
      side, to not send spurious messages.
  5. 10 Oct, 2020 2 commits
    • marmarek's avatar
      version 4.1.9 · 1f5740ed
      marmarek authored
    • marmarek's avatar
      Fix handling default_target in ask action · bea8916b
      marmarek authored
      default_target needs to have keywords expanded before passing to the
      confirmation prompt. Otherwise default_target may not match any allowed
      targets. That's the case for at least @dispvm and @adminvm.
      Fixes QubesOS/qubes-issues#6112
  6. 20 Sep, 2020 2 commits
  7. 31 Aug, 2020 6 commits
  8. 25 Aug, 2020 5 commits
  9. 11 Aug, 2020 1 commit
  10. 07 Aug, 2020 1 commit
  11. 24 Jul, 2020 1 commit
  12. 23 Jul, 2020 1 commit
  13. 16 Jul, 2020 1 commit
    • marmarek's avatar
      policy: interpret invalid requested target as @default · 79e6bd01
      marmarek authored
      If the requested target does not exist, interpret it as it wasn't
      provided at all. This prevents the source domain learning if a given
      target exists when the policy is set to default `ask` action
      (`... @anyvm ask`). In such a case, previous behavior differed based on
      target existence: if it did exist, the user get a prompt, otherwise the
      request is immediately refused.
      Note it is still possible to write a policy that allows the source to
      confirm/deny existence of arbitrary domain (for example default `allow`
      action, or denying only `@default` target). But such policy would need
      to be specifically configured, it does no longer apply to default
      (innocently-looking) policy.
      Fixes QubesOS/qubes-issues#5955
  14. 24 May, 2020 3 commits
    • marmarek's avatar
      version 4.1.8 · ea0e7762
      marmarek authored
    • marmarek's avatar
      Merge branch 'qubesd-socket' · c909c5f6
      marmarek authored
      * qubesd-socket:
        rpm: adjust depencency on qubes-core-dom0
        Update qrexec-policy-graph tool for new qrexec module
        parser: ignore .rpmsave/.rpmnew/.swp and .* policy files...
        Fix documentation for relative paths in !include directive
        rpm: restart qrexec-policy-daemon on upgrade
        Update for changed qubesd socket protocol
    • marmarek's avatar
      rpm: adjust depencency on qubes-core-dom0 · ab7fd0fe
      marmarek authored
      Make sure qubesd socket protocol matches.
  15. 15 May, 2020 1 commit
  16. 14 May, 2020 2 commits
  17. 03 May, 2020 1 commit
  18. 02 May, 2020 2 commits