
"foo $anyvm deny" policy overrides previous lines #4403

Closed
SuzanneSoy opened this issue Oct 18, 2018 · 2 comments · Fixed by QubesOS/qubes-doc#1148
Labels
C: doc P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. T: enhancement Type: enhancement. A new feature that does not yet exist or improvement of existing functionality.
Milestone

Comments

@SuzanneSoy

SuzanneSoy commented Oct 18, 2018

Qubes OS version:

R4.0 (I installed updates in templates and for dom0 a few days ago and rebooted, but the issue persists)

Affected component(s):

Policy for qubes.Filecopy (I didn't try other policies)


Steps to reproduce the behavior:

In dom0, have the following policies for qubes.Filecopy:

```
less /etc/qubes-rpc/policy/qubes.Filecopy
foo bar allow
foo quux deny
foo $anyvm deny
$anyvm $anyvm ask
```

In VM foo, run:

```
qvm-copy example-file
# fails with Request refused
```

Expected behavior:

The confirmation dialog for qubes.Filecopy should pop up, listing only bar as a possible destination.

Actual behavior:

The qvm-copy example-file operation fails with Request refused

General notes:

If the policy line foo $anyvm deny is commented out, the confirmation dialog pops up as expected. It contains bar and other VMs, but correctly omits quux. The deny mechanism therefore works, but it seems that the foo $anyvm deny line overrides the previous lines.

The documentation at https://www.qubes-os.org/doc/rpc-policy/ and the comments at the top of /etc/qubes-rpc/policy/qubes.Filecopy indicate that lines at the top of the file have precedence over the lines below.


Related issues:

@marmarek
Member

There is no "ask" action before "foo $anyvm deny", so it never gets to the last line when it's coming from foo. Here you only allowed the call to bar if specified explicitly (like qvm-copy-to-vm bar example-file).

You can specify "ask" action for calls without specific target (the one qvm-copy uses) with this rule:

foo $default ask

(of course before foo $anyvm deny)

@SuzanneSoy
Author

Thanks, the following works with qvm-copy-to-vm (no prompt) and qvm-copy (with prompt):

```
less /etc/qubes-rpc/policy/qubes.Filecopy
foo $default ask
foo bar allow
foo $anyvm deny
$anyvm $anyvm ask
```

The following works for qvm-copy-to-vm and qvm-copy (both with prompt):

```
less /etc/qubes-rpc/policy/qubes.Filecopy
foo $default ask
foo bar ask
foo $anyvm deny
$anyvm $anyvm ask
```

The documentation didn't mention the points you explained, I'll send a PR for https://github.com/QubesOS/qubes-doc/blob/master/configuration/rpc-policy.md a bit later :) .

@andrewdavidwong andrewdavidwong added C: doc T: task Type: task. An action item that is neither a bug nor an enhancement. labels Oct 19, 2018
@andrewdavidwong andrewdavidwong added this to the Ongoing milestone Oct 19, 2018
@andrewdavidwong andrewdavidwong added the P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. label May 18, 2021
@andrewdavidwong andrewdavidwong added T: enhancement Type: enhancement. A new feature that does not yet exist or improvement of existing functionality. and removed T: task Type: task. An action item that is neither a bug nor an enhancement. labels May 18, 2021
SuzanneSoy pushed a commit to SuzanneSoy/qubes-doc that referenced this issue May 29, 2021
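The behaviour discussed in this thread comes down to first-match evaluation: the policy engine walks the file top to bottom and applies the first line whose source and target patterns match, so a `foo $anyvm deny` line that also matches a target-less request shadows every `ask` below it. The following Python model is an added example, not Qubes OS code, and it simplifies the R4.0 policy format as the thread describes it: one `source target action[,options]` rule per line, `#` comments, `$anyvm` matching any VM and also a request made without an explicit target, `$default` matching only such target-less requests (what `qvm-copy` sends), and "deny" when nothing matches. The `ask_candidates` helper is an assumption about how a dialog could build its destination list (every known VM whose explicit request would not be denied); the real dialog's logic is not specified on this page.

```python
"""Simplified first-match evaluator for Qubes R4.0 style qrexec policy files.

Added example, not Qubes OS code. Assumptions (taken from the thread, simplified):
  - one rule per non-comment line: "source target action[,options]"
  - the first matching rule wins; no rule matching means deny
  - "$anyvm" in the source column matches any source VM
  - "$anyvm" in the target column matches any named target AND a request
    made without a target (qvm-copy)
  - "$default" in the target column matches only a target-less request
  - ask_candidates() is a hypothetical approximation of the dialog's list
"""
from typing import List, Optional, Tuple

Rule = Tuple[str, str, str]

# Constructed copies of the policies posted in the issue.
POLICY_ORIGINAL = """\
foo bar allow
foo quux deny
foo $anyvm deny
$anyvm $anyvm ask
"""

POLICY_ORIGINAL_LINE3_COMMENTED = """\
foo bar allow
foo quux deny
# foo $anyvm deny
$anyvm $anyvm ask
"""

POLICY_FIXED = """\
foo $default ask
foo bar allow
foo $anyvm deny
$anyvm $anyvm ask
"""


def parse_policy(text: str) -> List[Rule]:
    """Parse policy text into (source, target, action) rules, in file order."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # strip comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 'source target action', got {raw!r}")
        src, dst, action = fields
        action = action.split(",", 1)[0]         # drop options such as ",target=..."
        if action not in ("allow", "deny", "ask"):
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        rules.append((src, dst, action))
    return rules


def _match_source(pattern: str, source: str) -> bool:
    return pattern == "$anyvm" or pattern == source


def _match_target(pattern: str, target: Optional[str]) -> bool:
    if target is None:                           # caller named no target (qvm-copy)
        return pattern in ("$anyvm", "$default")
    return pattern == "$anyvm" or pattern == target


def evaluate(rules: List[Rule], source: str, target: Optional[str] = None):
    """Return (action, 1-based line index of the matching rule); ('deny', None) if none."""
    for idx, (src, dst, action) in enumerate(rules, 1):
        if _match_source(src, source) and _match_target(dst, target):
            return action, idx
    return "deny", None


def ask_candidates(rules: List[Rule], source: str, known_vms: List[str]) -> List[str]:
    """Hypothetical dialog list: VMs an explicit request from `source` may reach."""
    return [vm for vm in known_vms
            if vm != source and evaluate(rules, source, vm)[0] != "deny"]


if __name__ == "__main__":
    vms = ["foo", "bar", "quux", "baz"]
    for name, text in (("original", POLICY_ORIGINAL),
                       ("line 3 commented", POLICY_ORIGINAL_LINE3_COMMENTED),
                       ("fixed", POLICY_FIXED)):
        rules = parse_policy(text)
        print(f"{name}: qvm-copy from foo ->", evaluate(rules, "foo"),
              "| dialog list:", ask_candidates(rules, "foo", vms))
```

Running the model reproduces the thread: with the original file a target-less request from `foo` stops at line 3 (`deny`) and never reaches the final `ask`; commenting that line out lets it fall through to line 4 while `quux` is still excluded; and putting `foo $default ask` first gives the prompt with only `bar` reachable, because `foo $anyvm deny` still catches every other explicit target.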