Permit whitelisting VMs for copy/paste & copying logs via tags #533
Conversation
Adds RPC policies that let tagged VMs send clipboard pastes, receive clipboard pastes, and receive files from sd-log.
|
The use of |
This appears to be due to the somewhat confusing behavior with empty selection prompts described in QubesOS/qubes-issues#4403 ; the |
There was a problem hiding this comment.
A few suggestions for maintenance over time, but largely on board with the proposals here. Let's flesh out that test plan as much as possible, in particular the "Observe that you are not able to perform copy/paste or copy files from SDW VMs to other VMs, or from other VMs to SDW VMs" step.
dom0/sd-dom0-qvm-rpc.sls
Outdated
| @@ -17,6 +17,8 @@ dom0-rpc-qubes.ClipboardPaste: | |||
| - marker_start: "### BEGIN securedrop-workstation ###" | |||
| - marker_end: "### END securedrop-workstation ###" | |||
| - content: | | |||
| @tag:send-clipboard-to-sd @tag:sd-workstation ask | |||
| @tag:sd-workstation @tag:receive-clipboard-from-sd ask | |||
There was a problem hiding this comment.
Pleased to report that the directionality appears to work as intended: it's possible to allow clipboard pastes into e.g. sd-app, while still forbidding pastes out. Testing is critical here, will likely take the bulk of review time. Fleshing out the test plan with specific targets, even more verbose than already written, is likely to help coordinate testing.
There was a problem hiding this comment.
Test plan is plenty verbose now :)
dom0/sd-dom0-qvm-rpc.sls
Outdated
| @@ -35,6 +37,8 @@ dom0-rpc-qubes.Filecopy: | |||
| - marker_start: "### BEGIN securedrop-workstation ###" | |||
| - marker_end: "### END securedrop-workstation ###" | |||
| - content: | | |||
| sd-log @default ask | |||
| sd-log @tag:receive-sd-logs ask | |||
There was a problem hiding this comment.
Let's make sure all the tags added by the SDW config begin with sd-, for consistency. So: receive-sd-logs -> sd-receive-logs, etc. Will make it easier over time to reason about collections and interactions between RPC policies.
There was a problem hiding this comment.
The requirement to include @default ask here is far from intuitive, but the citation you provided was informative, and functional testing locally does indeed line up with what's intended.
tests/vars/qubes-rpc.yml
Outdated
| @@ -1,6 +1,8 @@ | |||
| - policy: qubes.ClipboardPaste | |||
| starts_with: |- | |||
| ### BEGIN securedrop-workstation ### | |||
| @tag:send-clipboard-to-sd @tag:sd-workstation ask | |||
| @tag:sd-workstation @tag:receive-clipboard-from-sd ask | |||
There was a problem hiding this comment.
Good to have the tests updated. We also need a clean action, though: uninstalling should handle removal of these custom SDW-related tags. For example:
qvm-ls --tags sd-receive-logs --raw-list | xargs --no-run-if-empty -I {} qvm-tags {} del sd-receive-logs
for each custom tag.
There was a problem hiding this comment.
Ended up adding a Python script leveraging qubesadmin for this purpose.
|
Thanks @conorsch! Let's discuss as a team if/how we would ship those policies, which I think will influence both the naming & uninstall policy:
I think it's worth considering putting together a small helper script for managing the creation of custom VMs, e.g.: (The goal would be to keep this tool as thin of an abstraction as possible, of course.) This would give us a supported customization path with some guardrails, abstracting tags and templates away from the user, and allowing us to add business logic as needed. In this model, I agree that the uninstall scenario should also remove the tags (or even the VMs!), as part of the managed configuration of the system. On the other hand, if we ask users to create/tag VMs using standard Qubes tooling, I'm not sure our uninstall script should remove those tags, at least not without some explicit Either way, I think some customization path is necessary so that we can use the pilot to determine which additional VMs we may want to ship by default. |
|
Talked to @emkll about this today. He's generally in favor of this approach during the pilot, until we have more data about what default VMs (and potential default policies for Main changes required:
Once all that is done, I'll promote this PR from draft, provided we all agree this is the way to go. For the cleanup logic, I'll also add a note to the docs and maybe the Regarding the idea of a script for creating custom VMs with our base template, let's take that off the table -- getting |
|
I've tested the new tag removal logic via I'll now add a parallel docs PR, flesh out the test plan, and then mark it as formally ready for review. |
|
I've significantly updated the test plan. I still want to add a section to the docs for managing the clipboard policies, but this should IMO be done in parallel with a first round review, just in case we make significant changes to this approach. The initial docs here should suffice as a starting point during review. |
There was a problem hiding this comment.
Thanks @eloquence . I have tested these changes in both dev and prod environments, and went through functional testing based on your excellent test plan. Please also see inline comments, for discussion.
Functional testing
- Observe that you are able to copy clipboard contents from the SecureDrop Client reply box to the target VM specified in step 3
- Observe that you are able to copy clipboard contents from the source VM specified in step 4 to an input field in the SecureDrop Client
- Observe that you are able to copy files from
sd-logto the target VM specified in step 5 usingqvm-copy-to-vmandqvm-copy. - Observe that you are not able to perform copy/paste from any SecureDrop VM to any VM except for the target VM you configured in step 3
- Observe that you are not able to perform copy/paste to any SecureDrop VM from any VM except for the source VM you configured in step 4.
- Observe that you are not able to perform qvm-copy to any SecureDrop VMs except from
sd-proxytosd-app. - Observe that you are not able to perform qvm-copy from any SecureDrop VMs except for
sd-logas permitted by thesd-logrules you configured.
Remove the tags by runningscripts/remove-tagsfrom this branch. - Observe via
qvm-tags <name of VM> lsthat tags were correctly removed. - Observe that the copy & paste rules you configured have been disabled.
- Observe that the
sd-logrules you configured have been disabled. - Spot check that the rules otherwise still behave as before.
Scenario: Uninstall (prod)
Installed via rpm moved to dom0
- Observe that the tags you added are correctly removed as part of the uninstall.
Scenario: Uninstall (dev)
- Observe that the tags are correctly removed as part of the uninstall.
dom0/sd-dom0-qvm-rpc.sls
Outdated
| @@ -17,6 +17,8 @@ dom0-rpc-qubes.ClipboardPaste: | |||
| - marker_start: "### BEGIN securedrop-workstation ###" | |||
| - marker_end: "### END securedrop-workstation ###" | |||
| - content: | | |||
| @tag:sd-send-clipboard @tag:sd-workstation ask | |||
There was a problem hiding this comment.
There's an sd-client tag that we assign to sd-app, to allow gpg operations. Perhaps we can use that one here instead?
#526 states the three use cases we are looking to enable are as follows:
* pasting passphrases into the login window from a vault VM
* copying messages from and to the conversation view (e.g., to another secure messaging app)
* copying logs and error messages
With those requirements in mind, a policy scoped to @tag:sd-client and the ability to copy logs via qvm-copy and centralized logging, what use case have we documented that require enabling copy paste to all workstation VMs?
There was a problem hiding this comment.
I was thinking about this as well a bit over the weekend. One use case is copying text out of disposable VMs used for viewing submissions. Right now this just works (with these changes) because the dispVMs have the sd-workstation tag. If we want to narrow the policies and still support that use case, we could perhaps use sd-client (two-directional copy/paste in and out) and sd-viewer-vm (one-directional copy/paste out).
There was a problem hiding this comment.
Echoing @emkll, I recommend we scope to @tag:sd-client (i.e. exclude disposable VMs), see this note in the qubes documentation discouraging copy/paste from less trusted to more trusted domains:
one should keep in mind that performing a copy and paste operation from less trusted to more trusted domain can always be potentially insecure, because the data that we insert might potentially try to exploit some hypothetical bug in the destination VM (e.g. the seemingly innocent link that we copy from untrusted domain, might turn out to be, in fact, a large buffer of junk that, when pasted into the destination VM’s word processor could exploit a hypothetical bug in the undo buffer). This is a general problem and applies to any data transfer between less trusted to more trusted domains.... So, you should always copy clipboard and data only from more trusted to less trusted domains.
However, if we are finding (or otherwise think that) data transfer from disposable VMs into trusted VMs is an important workflow to support, we can file a followup issue for further investigation to either determine how to decrease risk when copy/pasting data from sd-viewer to sd-client or to provide an alternate method to handle that use case (some of the workflows we need to support for removing identifying metadata could handle this use case, e.g. adding an OCR step after we convert documents to trusted PDFs).
There was a problem hiding this comment.
Sounds good; for now I'll call the permission sd-send-app-clipboard and sd-receive-app-clipboard to reflect its narrow scope.
There was a problem hiding this comment.
This is done in d23dd8c (I used sd-app rather than a tag for the SecureDrop VM since that seems the best way to ensure we have at most a many-to-one/one-to-many relationship here). The test plan has been updated; I've not re-tested yet.
Makefile
Outdated
| @@ -110,6 +110,7 @@ clean: assert-dom0 prep-salt ## Destroys all SD VMs | |||
| $(MAKE) destroy-all | |||
| sudo qubesctl --show-output --skip-dom0 --targets whonix-gw-15 state.sls sd-clean-whonix | |||
| sudo qubesctl --show-output state.sls sd-clean-all | |||
| ./scripts/remove-tags | |||
There was a problem hiding this comment.
do you think it would make sense to invoke this script/cleanup via sd-clean-all.sls? The challenge is that the path in dev environment will be different than the one in staging and production environments
There was a problem hiding this comment.
I agree that seems like the better way to do it, will poke.
There was a problem hiding this comment.
Definitely fold into clean-salt, as @emkll suggests. If we use a separate script, then the RPM spec will need to be updated, as well. Consider using the less elegant, but more simply xargs-based approach outlined above.
There was a problem hiding this comment.
The RPM spec already picks up the script by wildcard.
There was a problem hiding this comment.
What I would propose is this:
- Move
remove-tagsfromscriptstodom0 - Add it to RPM (I think that's what you meant, Conor?)
- Call it from
sd-clean-all.slsas we do forupdate-xfce-settingsresets. - Remove it from
securedrop-adminandMakefile.
Does that make sense?
There was a problem hiding this comment.
@eloquence Yes, those steps make sense. Moving the invocation to the salt clean-all state is sound at this point.
Ideally we'd call it from the scripts dir in /usr/share/, but before we can easily do that, we'll need to use the RPM in all environments, including make-dev, as described in #505 (comment)
There was a problem hiding this comment.
Done in 49916a2, not tested yet.
There was a problem hiding this comment.
Tested now, seems to work as intended (this is via securedrop-admin):
ID: remove-rpc-policy-tags
Function: cmd.script
Name: salt://remove-tags
Result: True
Comment: Command 'salt://remove-tags' run
Started: 17:49:47.430389
Duration: 267.274 ms
Changes:
----------
pid:
29831
retcode:
0
stderr:
stdout:
Removing tag 'sd-send-app-clipboard' from VM 'work'.
Removing tag 'sd-receive-app-clipboard' from VM 'work'.
----------
eloquence
force-pushed
the
526-529-copy-paste-and-log-rpc
branch
from
d50d2a5 to
d23dd8c
Compare
There was a problem hiding this comment.
Thanks for the changes @eloquence , pleased to report the test plan (including make clean in dev and securedrop-admin --uninstall in prod) work as expected with the recent changes.
As @redshiftzero suggested in #533 (comment) prior to merging this we should update the associated documentation in freedomofpress/securedrop-workstation-docs#35 linking out to the relevant Qubes disclaimers and clearly identifying the risks of using these RPC policies. Since, as of this review, the risks are not clearly presented in the docs, I propose we elaborate on the following three high-level risks:
- Altering the RPC policies (adding a tag to a VM) to copy out introduces risks to data confidentiality: there is a risk that sensitive data can be obtained by an unauthorized third party, when copying from a more secure domain (
sd-app, which has no network and is automatically managed by workstation code) to a less secure domain for example, a user-managed, networked domain), when the latter may contain vulnerabilities or be compromised. In this case, once the information leaves thesd-appVM, we have no controls in place to mitigate further risks. - Further risks to confidentiality through human error: when copying to or within
sd-app, there is a risk end-users can accidentally paste sensitive information and send them to an anonymous source. - Altering the RPC policies to copy into
sd-appintroduces risks to VM integrity: there is a risk that data pasted in compromises or otherwise corrupts the domain, when copying from a less secure domain (for example, a user-managed, network domain) to a more secure domain (sd-app, which has no network and is automatically managed by workstation code). In this case, we do have some mitigations in place that may reduce this risk (AppArmor non-networked VM)
| @@ -1,6 +1,8 @@ | |||
| - policy: qubes.ClipboardPaste | |||
| starts_with: |- | |||
| ### BEGIN securedrop-workstation ### | |||
| @tag:sd-send-app-clipboard sd-app ask | |||
There was a problem hiding this comment.
I also think using sd-app here makes sense: the intent of the sd-client tag is to support dev environment for opening in dispVM and using split GPG (see 784076d)
There was a problem hiding this comment.
We can revisit this later, should this be an issue in developer's environment. It should be a small diff that is easily applied on new and existing workstations
There was a problem hiding this comment.
Thanks @eloquence the changes look good to me, one comment inline
I've rebased this PR locally on latest master, built the resulting RPM and tested in a production install:
- Observe that you are able to copy clipboard contents from the SecureDrop Client reply box to the target VM specified in step 1
- Observe that you are able to copy clipboard contents from the source VM specified in step 2 to an input field in the SecureDrop Client
- Observe that you are able to copy files from
sd-logto the target VM specified in step 3 usingqvm-copy-to-vmandqvm-copy. - Observe that you are not able to perform copy/paste from any SecureDrop VM to any other VM, except from
sd-appto target VM you configured in step 1 - Observe that you are not able to perform copy/paste to any SecureDrop VM from any VM except from the source VM you configured in step 4 to
sd-app. - Observe that you are not able to perform qvm-copy to any SecureDrop VMs except from
sd-proxytosd-app. - Observe that you are not able to perform qvm-copy from any SecureDrop VMs except for
sd-logas permitted by thesd-logrules you configured. - Ran remove-tags script
- Observe via
qvm-tags <name of VM> lsthat tags were correctly removed. - Observe that the copy & paste rules you configured have been disabled.
- Observe that the
sd-logrules you configured have been disabled. - Spot check that the rules otherwise still behave as before.
- re-added tags
- Observe that the tags you added are correctly removed as part of the uninstall (
securedrop-admin --uninstall)
| remove-rpc-policy-tags: | ||
| cmd.script: | ||
| - name: salt://remove-tags | ||
|
|
||
| # Removes files that are provisioned by the dom0 RPM, only for the development | ||
| # environment, since dnf takes care of those provisioned in the RPM | ||
| {% if d.environment == "dev" %} | ||
| remove-dom0-sdw-config-files-dev: |
There was a problem hiding this comment.
We may want to require the remove-rpc-policy-tags here to avoid potential race conditions or precedence issues when applying this state on uninstall (though I did not observe any errors in local testing, this might happen if we add tasks in the future)
There was a problem hiding this comment.
Good point, done in a04589a (I added the XFCE script because the same logic seems to apply to it); haven't re-tested yet. Can test in dev tomorrow if nobody beats me to it.
There was a problem hiding this comment.
Re-tested in dev env w/ require logic, relevant output in https://gist.github.com/eloquence/9f9f8586034ccc4a57fe7bda900108cb, can confirm that files continue to be removed as expected.
There was a problem hiding this comment.
Thanks for your patience on this one, @eloquence . I've reviewed the docs in freedomofpress/securedrop-workstation-docs#35 , and this PR should be merged. Successfully went though your test plan in 2 different scenarios:
- In a dev environment to ensure the latest commit did not affect the
clean. Ran into issues due to some local modifications, reverting them resolved. Openedmake cleanandsdw-admin --uninstallhalt execution on error #545 to track what might cause configuration drift in the situation the workstation is uninstalled and then re-installed. - In a prod environment, simulated the in-place upgrade: Installed the rpm in dom0, and then ran the GUI updater, the RPC policies were added after the TemplateVM upgrades, during the dom0 state applied at the end of the update sequence.
| @@ -1,6 +1,8 @@ | |||
| - policy: qubes.ClipboardPaste | |||
| starts_with: |- | |||
| ### BEGIN securedrop-workstation ### | |||
| @tag:sd-send-app-clipboard sd-app ask | |||
There was a problem hiding this comment.
We can revisit this later, should this be an issue in developer's environment. It should be a small diff that is easily applied on new and existing workstations
Explains in detail how to set up a password manager, and how to configure tags for clipboard usage and logs. Depends on changes introduced in freedomofpress/securedrop-workstation#533
Explains in detail how to set up a password manager, and how to configure tags for clipboard usage and logs. Depends on changes introduced in freedomofpress/securedrop-workstation#533
Explains in detail how to set up a password manager, and how to configure tags for clipboard usage and logs. Depends on changes introduced in freedomofpress/securedrop-workstation#533
Explains in detail how to set up a password manager, and how to configure tags for clipboard usage and logs. Depends on changes introduced in freedomofpress/securedrop-workstation#533
…g-rpc Permit whitelisting VMs for copy/paste & copying logs via tags
Adds RPC policies that let tagged VMs send clipboard pastes to
sd-app, receive clipboard pastes fromsd-app, and receive files fromsd-log.Status
Ready for review; docs in progress at freedomofpress/securedrop-workstation-docs#35 and will need to be kept in sync with changes here.
Adds RPC policies for the following tags:
sd-receive-app-clipboard-- VMs with this tag will be able to receive clipboard contents fromsd-appsd-send-app-clipboard-- VMs with this tag will be able to send clipboard contents tosd-appsd-receive-logs-- VMs with this tags will be able to receive any file sent viaqvm-copyfromsd-logAdds a script in
scripts/remove-tagsthat removes all tags, and runs it formake clean/securedrop-admin --uninstalloperations.Description of Changes
Fixes #526
Towards #529
Testing
Scenario: Basic use
Prerequisites
sd-dom0-qvm-rpc.slsfrom this branch and apply it to your/srv/saltdirectory in an up-to-date production or staging install, or provision a dev environment usingmake devfrom this branch.securedrop-admin --applyto apply the change.Test
sd-appto a target VM, e.g.qvm-tags work add sd-receive-app-clipboard(qvm-tags <target VM name> add sd-receive-app-clipboard)sd-app, e.g.qvm-tags vault add sd-send-app-clipboard(qvm-tags <source VM name> add sd-send-app-clipboard).qvm-tags work add sd-receive-logssd-logto the target VM specified in step 3 usingqvm-copy-to-vmandqvm-copy.sd-appto target VM you configured in step 1sd-app.sd-proxytosd-app.sd-logas permitted by thesd-logrules you configured.scripts/remove-tagsfrom this branch.qvm-tags <name of VM> lsthat tags were correctly removed.sd-logrules you configured have been disabled.Scenario: Uninstall (prod)
Prerequisites
/binversion ofsecuredrop-admin, and to the files in/srv/salttouched by this PR (createremove-tags, updatesd-clean-all.sls)Test
securedrop-admin --uninstall.Scenario: Uninstall (dev)
Prerequisites
securedrop-workstationcheckout directory indom0is using this branch.Test
make cleanChecklist
make testruns fine indom0(not tested yet; test for RPC policies has been updated, however).