[WIP] Rewrite qrexec documentation (Phase 1) #847
Conversation
|
For a SecureDrop-related issue, see QubesOS/qubes-issues#3318. |
|
How does this diagram look for the Qrexec basics section? Made using mermaid here: https://mermaidjs.github.io/mermaid-live-editor/
|
I'd swap qrexec-client and qrexec-daemon places - it's qrexec-client initiating the action. Technically "sends request to start process" goes through qrexec-damon (but the data channel not). BTW I really like this diagrams tool. Looks very clean and source is very concise. |
Cool! I think I'll do a separate PR with this and any other diagrams created for qrexec3. I still have questions... 😉 |
|
Github doesn't have enough emotion icons to express how I'm happy about you doing this rewrite! |
|
This is fantastic. Thank you so much for doing this!! |
|
Not sure the best place to fit it in, but you might want to mention that in dom0 watches qrexec calls (to e.g. trace qrexec-policy issues, etc). |
|
@jpouellet: that's a great suggestion! I'll work on fitting that in. |
|
Hi everyone: Thanks for your feedback and enthusiasm! :) I'd like to make a proposal for moving forward with this project. We could go about it in phases:
If this plan makes general sense, let's rename this PR "[WIP] Rewrite qrexec documentation (Phase 1)". |
Sounds good to me. |
andrewdavidwong
changed the title
pierwill
force-pushed
the
edit-qrexec
branch
2 times, most recently
from
759e065 to
a63cdd2
Compare
|
I've addressed the feedback given so far, and split the docs into the overview and internals pages. Rendered locally, the links work fine. I think this is ready for another round of review. After merging Phase 1 I can do smaller PRs for other edits to these sections as necessary. |
|
I have limited capacity this week, so I can't provide full review right now. |
I recall having that discussion about the USB docs, but not these. |
|
I've found it - it is the very same issue about qrexec doc: QubesOS/qubes-issues#1392. I wasn't great fan of a single qrexec page back then. And I still think that separation makes sense (having clearly separated sections works, but separate pages could be better). |
|
I'm happy to keep them as one page if that's what folks prefer. I've got some ideas for the outline hierarchy that would make the page easier to navigate. I think I can easily kill de28e0f in a rebase to accomplish this.. Update: ah, I misread the comment above. |
|
Image for 98d9f12 is awaiting approval in QubesOS/qubes-attachment#22. |
Merged. |
There was a problem hiding this comment.
Thanks for this iteration!
I've added some comments. Note some are not necessary applicable in this iteration (for example notes about R4.1), but I've put them here anyway, since I've re-read this whole doc again.
I'm not yet sure how to handle differences in R4.1 here. There are few subtle one mentioned in comments, but also a bigger one: https://github.com/QubesOS/qubes-core-qrexec/blob/master/Documentation/multifile-policy.markdown (old policy location still works).
| For the implementation of qrexec2, see [here](/doc/qrexec2/#qubes-rpc-internals).*) | ||
|
|
||
| Qrexec framework consists of a number of processes communicating with each other using common IPC protocol (described in detail below). | ||
| Components residing in the same domain (`qrexec-client-vm` to `qrexec-agent`, `qrexec-client` to `qrexec-daemon`) use pipes as the underlying transport medium, while components in separate domains (`qrexec-daemon` to `qrexec-agent`, data channel between `qrexec-agent`s) use vchan link. |
| * Command line: `qrexec-daemon domain-id domain-name [default user]` | ||
| * `domain-id`: Numeric Qubes ID assigned to the associated domain. | ||
| * `domain-name`: Associated domain name. | ||
| * `default user`: Optional. If passed, `qrexec-daemon` uses this user as default for all execution requests that don't specify one. |
There was a problem hiding this comment.
Technically user field is mandatory, "requests that don't specify one" means "requests that specify DEFAULT user".
| * Command line: `qrexec-client-vm target-domain-name service-name local-program [local program arguments]` | ||
| * `target-domain-name`: Target domain for the service request. Source is the current domain. | ||
| * `service-name`: Requested service name. | ||
| * `local-program`: `local-program` is executed locally and its stdin/stdout are connected to the remote service endpoint. |
There was a problem hiding this comment.
Local program is optional. If not specified, qrexec-client-vm's stdin/stdout are connected to the remote service endpoint.
| * `-d target-domain-name`: Specifies the target for the execution/service request. | ||
| * `-l local-program`: Optional. If present, `local-program` is executed and its stdout/stdin are used when sending/receiving data to/from the remote peer. | ||
| * `-e`: Optional. If present, stdout/stdin are not connected to the remote peer. Only process creation status code is received. | ||
| * `-c <request-id,src-domain-name,src-domain-id>`: used for connecting a VM-VM service request by `qrexec-policy`. Details described below in the service example. |
There was a problem hiding this comment.
There are more options. The current qrexec-client --help output:
usage: qrexec-client [-w timeout] [-W] [-t] [-T] -d domain_name [-l local_prog|-c request_id,src_domain_name,src_domain_id|-e] remote_cmdline
-e means exit after sending cmd,
-t enables replacing problematic bytes with '_' in command output, -T is the same for stderr
-W waits for connection end even in case of VM-VM (-c)
-c: connect to existing process (response to trigger service call)
-w timeout: override default connection timeout of 5s (set 0 for no timeout)
| - **dom0**: `qrexec-client` starts a vchan server using the details received from `qrexec-daemon` and waits for connection from **domX**'s `qrexec-agent`. | ||
| - **domX**: `qrexec-agent` receives `MSG_EXEC_CMDLINE` header followed by `exec_params` from `qrexec-daemon` over vchan. | ||
| - **domX**: `qrexec-agent` connects to `qrexec-client` over vchan using the details from `exec_params`. | ||
| - **domX**: `qrexec-agent` executes `some_command` in **domX** and connects the child's stdin/stdout to the data vchan. If the process creation fails, `qrexec-agent` sends `MSG_DATA_EXIT_CODE` to `qrexec-client` followed by the status code (**int**) and disconnects from the data vchan. |
There was a problem hiding this comment.
"qrexec-agent executes some_command in domX" - this is a little incomplete, it isn't always qrexec-agent executing the command directly. On Linux there are two cases:
- target user has full GUI session running and
qrexec-fork-serveris running as part of it (default foruseraccount): in this caseqrexec-agentconnects toqrexec-fork-serverprocess (through/var/run/qubes/qrexec-server.<USERNAME>.socksocket) and delegate further steps to it. - no
qrexec-fork-serveris running for that user - in this caseqrexec-agentcreates a child process, opens a user session there (using PAM) and proceed there.
Main qrexec-agent process is involved only in control messages, actual data is always handled in a separate, usually not privileged process.
On Windows we don't have qrexec-fork-server and it's always handled like in the second point.
- Remove section on "Yes to All" RPC authorization (and add TODO item for if this feature is reintroduced) - Replace `$` keywords with `@` in qrexec policy docs - Incorporate Qubes 4.0 "Extra keywords" material into RPC admin docs - Move some material to a new section on RPC security concerns
Also add a shell prompt character
- remove absolute paths from qrexec-client calls - add shell prompt characters
- Several corrections and rewordings for accuracy - Fixes leftover outdated '$' keywords - Remove incomplete list of RPC services
|
(Force pushed a rebase onto current master.) |
|
With 7e7814f, I believe I've addressed all of Marek's comments on the main qrexec.md. The internals feedback I'll address in a later phase of this project. Thanks for everyone's help so far! 😃 👏 |
Sorts material under three headings.
|
@pierwill, it looks like the Travis CI log is showing that this PR would result in some broken links. Would you mind fixing those before we merge? |
|
Pushed fixes for most of those broken links. The last two are in release announcements: Should we fix those as well? Update: I have the changes to fix the release note links standing by. |
Yes, please do. |
|
Fixed those links and a couple misspellings pointed out by Travis CI. (The rest of the spelling errors were false positives.) |
|
Phase 1 complete! Thank you, @pierwill! |
|
Happy to help—and thank you! |
Greetings! 👋
I'm embarking on a project to address the qrexec docs in response to
I'm opening this PR as a way to track my progress, share my work, and discuss the technical specifics of qrexec with the Qubes and SD teams. Hopefully people find this work useful!