1. 28 Oct, 2020 1 commit
  2. 19 Oct, 2020 3 commits
  3. 18 Oct, 2020 2 commits
  4. 11 Oct, 2020 5 commits
    • version 4.1.10 · d9ad1979
      Marek Marczykowski-Górecki authored
    • Merge branch 'allow-dom0-fix' · c6b042d2
      Marek Marczykowski-Górecki authored
      * allow-dom0-fix:
        policy: adjust call target for allow action too
    • daemon: do not send MSG_SERVICE_* messages twice for a given connection · 7f348d12
      Marek Marczykowski-Górecki authored
      Record if the service call request was already answered and send the
      response only when it wasn't. The information about the request is
      stored until qrexec-policy-exec (or a process talking to
      qrexec-policy-daemon) terminates, so the qrexec-client needs to connect
      in that time frame. This is currently a guaranteed property
      (qrexec-policy related process exits only after qrexec-client exits).
      Refuse to send a response to the same request twice. But also refuse to
      send a response for an unknown connection (not requested, or when
      qrexec-policy related process is already terminated).
      This is important, because qrexec-agent relies on getting exactly one
      response to a given request.
      With this change, if the qrexec-client is called twice for a given
      request, the other side of the connection may still be started (for the
      second time). In that case, it will time out waiting for the data vchan
      connection. To avoid this properly, qrexec-client call should be made by
      the qrexec-daemon (perhaps even as a simple function call instead of
      separate process), instead of qrexec-policy related process. But that is
      a more elaborate change because of how Disposable VMs are handled.
      Fixes QubesOS/qubes-issues#6120
    • policy: adjust call target for allow action too · 1e973682
      Marek Marczykowski-Górecki authored
      Similarly to 'ask' default_target parameter, expand actual 'target'
      parameter in case of allow action (explicit or implicit via ask). This
      makes the '@adminvm' keyword isolated to the policy internal logic, but
      when communicating externally, it gets translated to the actual VM name
      (which currently always is 'dom0', but may be translated into "local
       AdminVM" in the future).
    • agent: do not crash on spurious MSG_SERVICE_CONNECT from the daemon · 25ee6203
      Marek Marczykowski-Górecki authored
      If (buggy) qrexec-daemon sends MSG_SERVICE_CONNECT for a given
      connection, do not crash on it, log an error and ignore the message.
      Blindly processing the FD named in the message makes qrexec-agent crash
      with "pselect: Bad file descriptor" error.
      Implement the fix naively - observe if the write() call fails with
      EBADF. If it doesn't fail, assume the FD is the right one. This still
      doesn't check if we are really waiting for the connection to establish
      (it may be an already accepted connection that is still running), but at
      least avoids the service crash. The proper fix is needed on the daemon
      side, to not send spurious messages.
  5. 10 Oct, 2020 2 commits
  6. 20 Sep, 2020 2 commits
  7. 31 Aug, 2020 6 commits
  8. 25 Aug, 2020 5 commits
  9. 11 Aug, 2020 1 commit
  10. 07 Aug, 2020 1 commit
  11. 24 Jul, 2020 1 commit
  12. 23 Jul, 2020 1 commit
  13. 16 Jul, 2020 1 commit
    • policy: interpret invalid requested target as @default · 79e6bd01
      Marek Marczykowski-Górecki authored
      If the requested target does not exist, interpret it as if it wasn't
      provided at all. This prevents the source domain learning if a given
      target exists when the policy is set to default `ask` action
      (`... @anyvm ask`). In such a case, previous behavior differed based on
      target existence: if it did exist, the user gets a prompt, otherwise the
      request is immediately refused.
      Note it is still possible to write a policy that allows the source to
      confirm/deny existence of an arbitrary domain (for example default `allow`
      action, or denying only `@default` target). But such policy would need
      to be specifically configured, it no longer applies to default
      (innocently-looking) policy.
      Fixes QubesOS/qubes-issues#5955
  14. 24 May, 2020 3 commits
  15. 15 May, 2020 1 commit
  16. 14 May, 2020 2 commits
  17. 03 May, 2020 1 commit
  18. 02 May, 2020 2 commits