Skip to content

Commit

Permalink
Implement UUID support in qrexec
Browse files Browse the repository at this point in the history
This allows using UUIDs in qrexec policy, using the syntax uuid:VM_UUID.
This works anywhere a VM name is expected.  Since ':' is not allowed in
VM names, there is no ambiguity.  This requires the corresponding change
to qubes-core-admin so that qubesd supports UUIDs in the admin and
internal APIs.
  • Loading branch information
DemiMarie committed Feb 14, 2024
1 parent 122466c commit d7e0f94
Show file tree
Hide file tree
Showing 13 changed files with 333 additions and 155 deletions.
2 changes: 1 addition & 1 deletion daemon/qrexec-client.c
Original file line number Diff line number Diff line change
Expand Up @@ -488,7 +488,7 @@ int main(int argc, char **argv)
usage(argv[0]);
}

if (strcmp(domname, "dom0") == 0 || strcmp(domname, "@adminvm") == 0) {
if (target_refers_to_dom0(domname)) {
if (request_id == NULL) {
fprintf(stderr, "ERROR: when target domain is 'dom0', -c must be specified\n");
usage(argv[0]);
Expand Down
14 changes: 14 additions & 0 deletions daemon/qrexec-daemon-common.c
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,20 @@ void negotiate_connection_params(int s, int other_domid, unsigned type,
*data_domain = params.connect_domain;
}

bool target_refers_to_dom0(const char *target)
{
switch (target[0]) {
case '@':
return strcmp(target + 1, "adminvm") == 0;
case 'd':
return strcmp(target + 1, "om0") == 0;
case 'u':
return strcmp(target + 1, "uid:00000000-0000-0000-0000-000000000000") == 0;
default:
return false;
}
}

int handle_daemon_handshake(int fd)
{
struct msg_header hdr;
Expand Down
1 change: 1 addition & 0 deletions daemon/qrexec-daemon-common.h
Original file line number Diff line number Diff line change
Expand Up @@ -7,3 +7,4 @@ void negotiate_connection_params(int s, int other_domid, unsigned type,
int *data_domain, int *data_port);
void send_service_connect(int s, const char *conn_ident,
int connect_domain, int connect_port);
bool target_refers_to_dom0(const char *target);
153 changes: 99 additions & 54 deletions daemon/qrexec-daemon.c
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@
*
*/

#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
Expand Down Expand Up @@ -147,28 +148,44 @@ static void sigchld_parent_handler(int UNUSED(x))
}


static char *remote_domain_name; // guess what
static const char *remote_domain_name; // guess what
static const char *remote_domain_uuid;
static int remote_domain_id;

static void unlink_qrexec_socket(void)
static void unlink_or_exit(const char *path)
{
char socket_address[40];
char link_to_socket_name[strlen(remote_domain_name) + sizeof(socket_address)];
int v = unlink(path);
if (v != 0 && !(v == -1 && errno == ENOENT))
err(1, "unlink(%s)", path);
}

int v = snprintf(socket_address, sizeof(socket_address),
"%s/qrexec.%d", socket_dir, remote_domain_id);
if (v < (int)sizeof("/qrexec.1") || v >= (int)sizeof(socket_address))
static char __attribute__((format(printf, 1, 2))) *xasprintf(const char *fmt, ...)
{
va_list x;
char *res;
va_start(x, fmt);
int r = vasprintf(&res, fmt, x);
va_end(x);
if (r < 0)
abort();
v = snprintf(link_to_socket_name, sizeof(link_to_socket_name),
"%s/qrexec.%s", socket_dir, remote_domain_name);
if (v < (int)sizeof("/qrexec.") || v >= (int)sizeof(link_to_socket_name))
return res;
}

static void unlink_qrexec_socket(void)
{
char *socket_name;
const char *p[2] = {remote_domain_name, remote_domain_uuid};
int i;

for (i = 0; i < 2; ++i) {
char *link_to_socket_name = xasprintf("%s/qrexec.%s%s", socket_dir, i > 0 ? "uuid:" : "", p[i]);
unlink_or_exit(link_to_socket_name);
free(link_to_socket_name);
}
if (asprintf(&socket_name, "%s/qrexec.%d", socket_dir, remote_domain_id) < 0)
abort();
v = unlink(socket_address);
if (v != 0 && !(v == -1 && errno == ENOENT))
err(1, "unlink(%s)", socket_address);
v = unlink(link_to_socket_name);
if (v != 0 && !(v == -1 && errno == ENOENT))
err(1, "unlink(%s)", link_to_socket_name);
unlink_or_exit(socket_name);
free(socket_name);
}

static void handle_vchan_error(const char *op)
Expand All @@ -177,27 +194,22 @@ static void handle_vchan_error(const char *op)
exit(1);
}


static int create_qrexec_socket(int domid, const char *domname)
static int create_qrexec_socket(int domid, const char *domname, const char *domuuid)
{
char socket_address[40];
char link_to_socket_name[strlen(domname) + sizeof(socket_address)];
int res;

if ((unsigned)snprintf(socket_address, sizeof(socket_address),
"%s/qrexec.%d", socket_dir, domid) >= sizeof(socket_address))
errx(1, "socket name too long");
if ((unsigned)snprintf(link_to_socket_name, sizeof link_to_socket_name,
"%s/qrexec.%s", socket_dir, domname) >= sizeof link_to_socket_name)
errx(1, "socket link name too long");
res = unlink(link_to_socket_name);
if (res != 0 && !(res == -1 && errno == ENOENT))
err(1, "unlink(%s)", link_to_socket_name);

/* When running as root, make the socket accessible; perms on /var/run/qubes still apply */
umask(0);
if (symlink(socket_address, link_to_socket_name)) {
PERROR("symlink(%s,%s)", socket_address, link_to_socket_name);

const char *p[2] = { domuuid, domname };
char *socket_address = xasprintf("%s/qrexec.%d", socket_dir, domid);
for (int i = 0; i < 2; ++i) {
if (p[i] == NULL)
continue;
char *link_to_socket_name = xasprintf("%s/qrexec.%s%s", socket_dir, i ? "" : "uuid:", p[i]);
unlink_or_exit(link_to_socket_name);
if (symlink(socket_address, link_to_socket_name)) {
PERROR("symlink(%s,%s)", socket_address, link_to_socket_name);
}
free(link_to_socket_name);
}
int fd = get_server_socket(socket_address);
umask(0077);
Expand Down Expand Up @@ -396,7 +408,7 @@ static void init(int xid)

atexit(unlink_qrexec_socket);
qrexec_daemon_unix_socket_fd =
create_qrexec_socket(xid, remote_domain_name);
create_qrexec_socket(xid, remote_domain_name, remote_domain_uuid);

struct sigaction sigchld_action = {
.sa_handler = signal_handler,
Expand Down Expand Up @@ -800,11 +812,12 @@ static int parse_policy_response(
size_t result_bytes,
bool daemon,
char **user,
char **target_uuid,
char **target,
char **requested_target,
int *autostart
) {
*user = *target = *requested_target = NULL;
*user = *target_uuid = *target = *requested_target = NULL;
int result = *autostart = -1;
const char *const msg = daemon ? "qrexec-policy-daemon" : "qrexec-policy-exec";
// At least one byte must be returned
Expand Down Expand Up @@ -849,6 +862,13 @@ static int parse_policy_response(
*target = strdup(current_response + (sizeof("target=") - 1));
if (*target == NULL)
abort();
} else if (!strncmp(current_response, "target_uuid=", sizeof("target_uuid=") - 1)) {
if (*target_uuid != NULL)
goto bad_response;
*target_uuid = strdup(current_response + 7);
if (*target_uuid == NULL)
abort();
(*target_uuid)[4] = ':';
} else if (!strncmp(current_response, "autostart=", sizeof("autostart=") - 1)) {
current_response += sizeof("autostart=") - 1;
if (*autostart != -1)
Expand Down Expand Up @@ -937,6 +957,7 @@ static enum policy_response connect_daemon_socket(
const char *target_domain,
const char *service_name,
char **user,
char **target_uuid,
char **target,
char **requested_target,
int *autostart
Expand Down Expand Up @@ -964,7 +985,7 @@ static enum policy_response connect_daemon_socket(
size_t result_bytes;
// this closes the socket
char *result = qubes_read_all_to_malloc(daemon_socket, 64, 4096, &result_bytes);
int policy_result = parse_policy_response(result, result_bytes, true, user, target, requested_target, autostart);
int policy_result = parse_policy_response(result, result_bytes, true, user, target_uuid, target, requested_target, autostart);
if (policy_result != RESPONSE_MALFORMED) {
// This leaks 'result', but as the code execs later anyway this isn't a problem.
// 'result' cannot be freed as 'user', 'target', and 'requested_target' point into
Expand Down Expand Up @@ -1035,7 +1056,7 @@ static enum policy_response connect_daemon_socket(
// This leaks 'result', but as the code execs later anyway this isn't a problem.
// 'result' cannot be freed as 'user', 'target', and 'requested_target' point into
// the same buffer.
return parse_policy_response(result, result_bytes, true, user, target, requested_target, autostart);
return parse_policy_response(result, result_bytes, true, user, target_uuid, target, requested_target, autostart);
}
}

Expand Down Expand Up @@ -1083,19 +1104,18 @@ static void handle_execute_service(
for (i = 3; i < MAX_FDS; i++)
close(i);

char *user, *target, *requested_target;
int autostart;
char *user = NULL, *target = NULL, *requested_target = NULL, *target_uuid = NULL;
int autostart = -1;
int policy_response =
connect_daemon_socket(remote_domain_name, target_domain, service_name,
&user, &target, &requested_target, &autostart);
&user, &target_uuid, &target, &requested_target, &autostart);

if (policy_response != RESPONSE_ALLOW)
_exit(126);

/* Replace the target domain with the version normalized by the policy engine */
target_domain = requested_target;
char *cmd = NULL;
bool disposable = false;
size_t resp_len;

/*
Expand All @@ -1105,8 +1125,7 @@ static void handle_execute_service(
const char *const trailer = strchr(service_name, '+') ? "" : "+";

/* Check if the target is dom0, which requires special handling. */
bool target_is_dom0 = strcmp(target, "@adminvm") == 0 ||
strcmp(target, "dom0") == 0;
bool target_is_dom0 = target_refers_to_dom0(target);
if (target_is_dom0) {
char *type;
bool target_is_keyword = target_domain[0] == '@';
Expand All @@ -1124,7 +1143,8 @@ static void handle_execute_service(
target_domain) <= 0)
_exit(126);
char *cid;
if (asprintf(&cid, "%s,%s,%d", request_id->ident, remote_domain_name, remote_domain_id) <= 0)
if (asprintf(&cid, "%s,%s,%d", request_id->ident, remote_domain_name,
remote_domain_id) <= 0)
_exit(126);

const char *to_exec[] = {
Expand All @@ -1140,15 +1160,36 @@ static void handle_execute_service(
LOG(ERROR, "execve() failed: %m");
_exit(126);
} else {
char *buf;
if (strncmp("@dispvm:", target, sizeof("@dispvm:") - 1) == 0) {
disposable = true;
buf = qubesd_call(target + 8, "admin.vm.CreateDisposable", "", &resp_len);
bool disposable = strncmp("@dispvm:", target, sizeof("@dispvm:") - 1) == 0;
bool use_uuid = target_uuid != NULL;
if (disposable) {
char *buf = qubesd_call2(use_uuid ? target_uuid : target + 8,
"admin.vm.CreateDisposable", "",
"uuid", use_uuid ? 4 : 0, &resp_len);
if (!buf) // error already printed by qubesd_call
_exit(126);
if (memcmp(buf, "0", 2) == 0) {
/* we exec later so memory leaks do not matter */
target = buf + 2;
if (strlen(buf + 2) != resp_len - 2) {
LOG(ERROR, "NUL byte in qubesd response");
_exit(126);
}
if (use_uuid) {
if (resp_len != sizeof("00000000-0000-0000-0000-000000000000") + 1) {
LOG(ERROR, "invalid UUID length");
_exit(126);
}
target = malloc(resp_len + (sizeof("uuid:") - 2));
if (target == NULL) {
LOG(ERROR, "out of memory");
_exit(126);
}
memcpy(target, "uuid:", 5);
memcpy(target + 5, buf + 2, resp_len - 1);
free(buf);
buf = NULL;
} else {
target = buf + 2;
}
} else {
if (memcmp(buf, "2", 2) == 0) {
LOG(ERROR, "qubesd could not create disposable VM: %s", buf + 2);
Expand All @@ -1165,7 +1206,7 @@ static void handle_execute_service(
remote_domain_name) <= 0)
_exit(126);
if (autostart) {
buf = qubesd_call(target, "admin.vm.Start", "", &resp_len);
char *buf = qubesd_call(target, "admin.vm.Start", "", &resp_len);
if (!buf) // error already printed by qubesd_call
_exit(126);
if (!((memcmp(buf, "0", 2) == 0) ||
Expand Down Expand Up @@ -1490,7 +1531,7 @@ static int handle_agent_restart(int xid) {
err(1, "sigaction");

qrexec_daemon_unix_socket_fd =
create_qrexec_socket(xid, remote_domain_name);
create_qrexec_socket(xid, remote_domain_name, remote_domain_uuid);
return 0;
}

Expand All @@ -1500,6 +1541,7 @@ static struct option longopts[] = {
{ "socket-dir", required_argument, 0, 'd' + 128 },
{ "policy-program", required_argument, 0, 'p' },
{ "direct", no_argument, 0, 'D' },
{ "uuid", required_argument, 0, 'u' },
{ NULL, 0, 0, 0 },
};

Expand All @@ -1524,7 +1566,7 @@ int main(int argc, char **argv)

setup_logging("qrexec-daemon");

while ((opt=getopt_long(argc, argv, "hqp:D", longopts, NULL)) != -1) {
while ((opt=getopt_long(argc, argv, "hqp:Du:", longopts, NULL)) != -1) {
switch (opt) {
case 'q':
opt_quiet = 1;
Expand All @@ -1540,6 +1582,9 @@ int main(int argc, char **argv)
case 'D':
opt_direct = 1;
break;
case 'u':
remote_domain_uuid = optarg;
break;
case 'h':
default: /* '?' */
usage(argv[0]);
Expand Down
Loading

0 comments on commit d7e0f94

Please sign in to comment.