Merge pull request #533 from freedomofpress/526-529-copy-paste-and-lo…

…g-rpc Permit whitelisting VMs for copy/paste & copying logs via tags
freedomofpress · May 5, 2020 · 91c8eb5 · 91c8eb5
2 parents 079ff4e + a04589a
commit 91c8eb5
Show file tree

Hide file tree

Showing 7 changed files with 56 additions and 1 deletion.
diff --git a/MANIFEST.in b/MANIFEST.in
@@ -3,6 +3,7 @@ include dom0/*.top
 include dom0/*.j2
 include dom0/*.yml
 include dom0/*.conf
+include dom0/remove-tags
 include dom0/securedrop-admin
 include dom0/securedrop-login
 include dom0/securedrop-launcher.desktop

diff --git a/dom0/remove-tags b/dom0/remove-tags
@@ -0,0 +1,32 @@
+#!/usr/bin/env python3
+"""
+Removes tags used for exempting VMs from default SecureDrop Workstation
+RPC policies from all VMs (including non-SecureDrop ones).
+"""
+import qubesadmin
+
+q = qubesadmin.Qubes()
+
+TAGS_TO_REMOVE = ["sd-send-app-clipboard", "sd-receive-app-clipboard", "sd-receive-logs"]
+
+
+def main():
+    tags_removed = False
+    for vm in q.domains:
+        for tag in TAGS_TO_REMOVE:
+            if tag in q.domains[vm].tags:
+                print("Removing tag '{}' from VM '{}'.".format(tag, vm))
+                try:
+                    q.domains[vm].tags.remove(tag)
+                except Exception as error:
+                    print("Error removing tag: '{}'".format(error))
+                    print("Aborting.")
+                    exit(1)
+                tags_removed = True
+
+    if tags_removed is False:
+        print("Tags {} not set on any VMs, nothing removed.".format(TAGS_TO_REMOVE))
+
+
+if __name__ == "__main__":
+    main()
diff --git a/dom0/sd-clean-all.sls b/dom0/sd-clean-all.sls
@@ -46,15 +46,26 @@ remove-dom0-sdw-config-files:
       - /home/{{ gui_user }}/Desktop/securedrop-launcher.desktop
       - /home/{{ gui_user }}/.securedrop_launcher
 
+
+# Remove any custom RPC policy tags added to non-SecureDrop VMs by the user
+remove-rpc-policy-tags:
+  cmd.script:
+    - name: salt://remove-tags
+
 # Removes files that are provisioned by the dom0 RPM, only for the development
 # environment, since dnf takes care of those provisioned in the RPM
 {% if d.environment == "dev" %}
 remove-dom0-sdw-config-files-dev:
   file.absent:
     - names:
       - /opt/securedrop
+      - /srv/salt/remove-tags
       - /srv/salt/securedrop-update
       - /srv/salt/update-xfce-settings
+    # Do not remove these scripts before they have done their cleanup duties
+    - require:
+      - cmd: dom0-reset-icon-size-xfce
+      - cmd: remove-rpc-policy-tags
 {% endif %}
 
 sd-cleanup-etc-changes:

diff --git a/dom0/sd-dom0-qvm-rpc.sls b/dom0/sd-dom0-qvm-rpc.sls
@@ -17,6 +17,8 @@ dom0-rpc-qubes.ClipboardPaste:
     - marker_start: "### BEGIN securedrop-workstation ###"
     - marker_end: "### END securedrop-workstation ###"
     - content: |
+        @tag:sd-send-app-clipboard sd-app ask
+        sd-app @tag:sd-receive-app-clipboard ask
         @anyvm @tag:sd-workstation deny
         @tag:sd-workstation @anyvm deny
 dom0-rpc-qubes.FeaturesRequest:
@@ -35,6 +37,8 @@ dom0-rpc-qubes.Filecopy:
     - marker_start: "### BEGIN securedrop-workstation ###"
     - marker_end: "### END securedrop-workstation ###"
     - content: |
+        sd-log @default ask
+        sd-log @tag:sd-receive-logs ask
         sd-proxy @tag:sd-client allow
         @anyvm @tag:sd-workstation deny
         @tag:sd-workstation @anyvm deny

diff --git a/rpm-build/SPECS/securedrop-workstation-dom0-config.spec b/rpm-build/SPECS/securedrop-workstation-dom0-config.spec
@@ -59,6 +59,7 @@ install -m 644 dom0/*.top %{buildroot}/srv/salt/
 install -m 644 dom0/*.j2 %{buildroot}/srv/salt/
 install -m 644 dom0/*.yml %{buildroot}/srv/salt/
 install -m 644 dom0/*.conf %{buildroot}/srv/salt/
+install -m 655 dom0/remove-tags %{buildroot}/srv/salt/
 install -m 644 dom0/securedrop-login %{buildroot}/srv/salt/
 install -m 644 dom0/securedrop-launcher.desktop %{buildroot}/srv/salt/
 install -m 655 dom0/securedrop-handle-upgrade %{buildroot}/srv/salt/
@@ -92,6 +93,7 @@ install -m 644 launcher/sdw_util/*.py %{buildroot}/srv/salt/launcher/sdw_util/
 /opt/securedrop/launcher/**/*.py
 /srv/salt/sd*
 /srv/salt/dom0-xfce-desktop-file.j2
+/srv/salt/remove-tags
 /srv/salt/securedrop-*
 /srv/salt/update-xfce-settings
 /srv/salt/fpf*

diff --git a/scripts/securedrop-admin.py b/scripts/securedrop-admin.py
@@ -149,7 +149,8 @@ def main():
     elif args.uninstall:
         print(
             "Uninstalling will remove all packages and destroy all VMs associated\n"
-            "with SecureDrop Workstation."
+            "with SecureDrop Workstation. It will also remove all SecureDrop tags\n"
+            "from other VMs on the system."
         )
         response = input("Are you sure you want to uninstall (y/N)? ")
         if response.lower() != 'y':

diff --git a/tests/vars/qubes-rpc.yml b/tests/vars/qubes-rpc.yml
@@ -1,6 +1,8 @@
 - policy: qubes.ClipboardPaste
   starts_with: |-
     ### BEGIN securedrop-workstation ###
+    @tag:sd-send-app-clipboard sd-app ask
+    sd-app @tag:sd-receive-app-clipboard ask
     @anyvm @tag:sd-workstation deny
     @tag:sd-workstation @anyvm deny
     ### END securedrop-workstation ###
@@ -15,6 +17,8 @@
 - policy: qubes.Filecopy
   starts_with: |-
     ### BEGIN securedrop-workstation ###
+    sd-log @default ask
+    sd-log @tag:sd-receive-logs ask
     sd-proxy @tag:sd-client allow
     @anyvm @tag:sd-workstation deny
     @tag:sd-workstation @anyvm deny