
Make sending service descriptor to socket qrexec service opt-out #9036

Closed
3 of 4 tasks
marmarek opened this issue Mar 16, 2024 · 4 comments · Fixed by QubesOS/qubes-core-qrexec#138 or QubesOS/qubes-core-qrexec#153
Labels
C: core C: doc C: tests P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. pr submitted A pull request has been submitted for this issue. T: enhancement Type: enhancement. A new feature that does not yet exist or improvement of existing functionality.

Comments

@marmarek
Member

marmarek commented Mar 16, 2024

The problem you're addressing (if any)

Currently, when making some existing service available via qrexec, one needs to make a wrapper - either make a socket service that strips the initial part (connection metadata) and then passes the data through to the actual service, or make an executable service that connects to a socket and then passes the data through (this is how many services are done now, using socat).

The solution you'd like

  • Add support for a new skip-service-descriptor=1 option in the RPC config (/etc/qubes/rpc-config/*) to qrexec-agent - when set, qrexec should skip sending the service descriptor and go for the actual data directly.
  • Do the same in qrexec-daemon
  • Add tests
  • Update documentation. Preferably, document it in qubes-doc too (currently it's documented only in a /etc/qubes/rpc-config/README)

The value to a user, and who that user might be

Ease using qrexec to connect existing services.

@marmarek marmarek added T: enhancement Type: enhancement. A new feature that does not yet exist or improvement of existing functionality. C: core P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. labels Mar 16, 2024
@marmarek marmarek moved this to Ready in Current team tasks Mar 16, 2024
@DemiMarie DemiMarie self-assigned this Mar 20, 2024
DemiMarie added a commit to DemiMarie/qubes-core-qrexec that referenced this issue Mar 23, 2024
This makes it easier to implement socket-based services that do not
require the metadata.  This avoids having to use a slow executable-based
service or write a custom wrapper.

Fixes: QubesOS/qubes-issues#9036
@marmarek marmarek moved this from Ready to In progress in Current team tasks Mar 25, 2024
DemiMarie added a commit to DemiMarie/qubes-core-qrexec that referenced this issue Mar 28, 2024
DemiMarie added a commit to DemiMarie/qubes-core-qrexec that referenced this issue Mar 28, 2024
DemiMarie added a commit to DemiMarie/qubes-core-qrexec that referenced this issue Mar 30, 2024
DemiMarie added a commit to DemiMarie/qubes-core-qrexec that referenced this issue Mar 30, 2024
DemiMarie added a commit to DemiMarie/qubes-core-qrexec that referenced this issue Mar 30, 2024
DemiMarie added a commit to DemiMarie/qubes-core-qrexec that referenced this issue Mar 30, 2024
DemiMarie added a commit to DemiMarie/qubes-core-qrexec that referenced this issue Mar 31, 2024
DemiMarie added a commit to DemiMarie/qubes-core-qrexec that referenced this issue Apr 1, 2024
@marmarek marmarek moved this from In progress to In review in Current team tasks Apr 3, 2024
@github-project-automation github-project-automation bot moved this from In review to Done in Current team tasks Apr 3, 2024
@andrewdavidwong andrewdavidwong added the pr submitted A pull request has been submitted for this issue. label Apr 3, 2024
@ben-grande

Update documentation. Preferably, document it in qubes-doc too (currently it's documented only in a /etc/qubes/rpc-config/README)

I can document this in rpc-config/README, as it seems very outdated.

But just to know if I got everything right:

Format:

  • Key and value must be separated by an = (equal sign); they may also be separated by spaces or tabs around the equal sign, e.g. key=value, key = value;
  • Boolean values accept 0, 1, true and false;
  • String values must be enclosed by ' (single quotes), e.g. 'str'.

Keys:

  • user (str/int) can be a literal name or UID;
  • wait-for-session (bool);
  • skip-service-descriptor (bool).

@ben-grande

I am not sure if user was changed to force-user. Is this correct?

ben-grande added a commit to ben-grande/vim-qrexec that referenced this issue Apr 29, 2024
@DemiMarie

Update documentation. Preferably, document it in qubes-doc too (currently it's documented only in a /etc/qubes/rpc-config/README)

I can document this in rpc-config/README, as it seems very outdated.

It is, want to make a PR?

But just to know if I got everything right:

Format:

  • Key and value must be separated by an = (equal sign); they may also be separated by spaces or tabs around the equal sign, e.g. key=value, key = value;

Correct.

  • Boolean values accept 0, 1, true and false;

Booleans are true and false. wait-for-session accepts 0 and 1 for backwards compatibility.

  • String values must be enclosed by ' (single quotes), e.g. 'str'.

Keys:

  • user (str/int) can be a literal name or UID

Only names are supported. UIDs should be supported, but I’m not sure how to get them to work with PAM. Also, this is named force-user.

  • wait-for-session (bool);

Correct. It can also be 0 or 1 (but not any other integer) for compatibility.

  • skip-service-descriptor (bool).

Correct. If this is true (default is false), then force-user is invalid and the service must be a socket (not executable).
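The rules DemiMarie confirms above (true/false booleans, 0/1 only for wait-for-session, force-user names only, and skip-service-descriptor=true excluding force-user and requiring a socket service) are easy to get subtly wrong when hand-editing files under /etc/qubes/rpc-config/. The following Python checker is an added example, not code from this thread or from qubes-core-qrexec; it assumes the single-quote rule for string values from ben-grande's draft (which the thread does not confirm), rejects unknown keys as a strict choice of its own, and runs on constructed sample configs.

```python
import re
from typing import Dict, Optional, Tuple, Union

ConfigValue = Union[bool, str]

# A config line is `key = value`; whitespace around the `=` is ignored,
# so key=value and key = value are equivalent, as stated in the thread.
_KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$")


class RpcConfigError(ValueError):
    """Raised for a config that violates the rules discussed in the thread."""


def _parse_bool(key: str, value: str, allow_01: bool) -> bool:
    """Booleans are true/false; only wait-for-session also takes 0/1."""
    v = value.lower()
    if v in ("true", "false"):
        return v == "true"
    if allow_01 and v in ("0", "1"):
        return v == "1"
    raise RpcConfigError(f"{key}: expected true or false, got {value!r}")


def _parse_user(value: str) -> str:
    """force-user takes a user name; numeric UIDs are not supported."""
    # Assumption: string values may be single-quoted ('user'), per the draft rules.
    if len(value) >= 2 and value[0] == "'" and value[-1] == "'":
        value = value[1:-1]
    if not value:
        raise RpcConfigError("force-user: empty user name")
    if value.isdigit():
        raise RpcConfigError("force-user: numeric UIDs are not supported, use a name")
    return value


def parse_rpc_config(text: str) -> Dict[str, ConfigValue]:
    """Parse one rpc-config file and apply the cross-key rule for skip-service-descriptor."""
    cfg: Dict[str, ConfigValue] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        m = _KV_RE.match(raw)
        if not m:
            raise RpcConfigError(f"line {lineno}: expected key=value, got {raw!r}")
        key, value = m.group(1), m.group(2)
        if key in cfg:
            raise RpcConfigError(f"line {lineno}: duplicate key {key!r}")
        if key == "force-user":
            cfg[key] = _parse_user(value)
        elif key == "wait-for-session":
            cfg[key] = _parse_bool(key, value, allow_01=True)
        elif key == "skip-service-descriptor":
            cfg[key] = _parse_bool(key, value, allow_01=False)
        else:
            # Strict choice made by this checker: unknown keys are rejected.
            raise RpcConfigError(f"line {lineno}: unknown key {key!r}")
    # With skip-service-descriptor=true, force-user is invalid.
    if cfg.get("skip-service-descriptor") and "force-user" in cfg:
        raise RpcConfigError("skip-service-descriptor=true cannot be combined with force-user")
    return cfg


def check_service(text: str, is_socket: bool) -> Tuple[Optional[Dict[str, ConfigValue]], Optional[str]]:
    """Return (config, None) when valid for this service kind, else (None, reason).

    skip-service-descriptor=true requires the service to be a socket, not an executable.
    """
    try:
        cfg = parse_rpc_config(text)
    except RpcConfigError as exc:
        return None, str(exc)
    if cfg.get("skip-service-descriptor") and not is_socket:
        return None, "skip-service-descriptor=true requires a socket service"
    return cfg, None


# Constructed sample configs (not taken from any real Qubes installation).
SAMPLE_SOCKET_RAW = "skip-service-descriptor = true\n"
SAMPLE_COMPAT = "wait-for-session=1\nforce-user='user'\n"
SAMPLE_BAD_BOOL = "skip-service-descriptor=1\n"
SAMPLE_CONFLICT = "skip-service-descriptor=true\nforce-user=user\n"

if __name__ == "__main__":
    for name, text, is_socket in [
        ("socket, raw data", SAMPLE_SOCKET_RAW, True),
        ("executable with compat values", SAMPLE_COMPAT, False),
        ("0/1 not allowed for this key", SAMPLE_BAD_BOOL, True),
        ("conflicting keys", SAMPLE_CONFLICT, True),
        ("skip on an executable", SAMPLE_SOCKET_RAW, False),
    ]:
        cfg, err = check_service(text, is_socket)
        print(f"{name}: {cfg if err is None else 'ERROR: ' + err}")
```

Run it on a file with `check_service(open(path).read(), is_socket)` where `is_socket` comes from whatever the caller knows about the service under /etc/qubes/rpc/; the point of returning a reason string rather than raising is that a documentation or packaging lint can report every bad file in one pass.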

@ben-grande

Update documentation. Preferably, document it in qubes-doc too (currently it's documented only in a /etc/qubes/rpc-config/README)

I can document this in rpc-config/README, as it seems very outdated.

It is, want to make a PR?

Yes, I want to help.
