From 956cc10c1db1e6720c5ebd69d4ea600cc4706ad2 Mon Sep 17 00:00:00 2001 From: Erik Moeller Date: Fri, 10 Apr 2020 14:04:14 -0700 Subject: [PATCH 1/7] Permit whitelisting VMs for copy/paste & copying logs via tags Adds RPC policies that let tagged VMs send clipboard pastes, receive clipboard pastes, and receive files from sd-log. --- dom0/sd-dom0-qvm-rpc.sls | 3 +++ tests/vars/qubes-rpc.yml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/dom0/sd-dom0-qvm-rpc.sls b/dom0/sd-dom0-qvm-rpc.sls index f0d49dee..216a8673 100644 --- a/dom0/sd-dom0-qvm-rpc.sls +++ b/dom0/sd-dom0-qvm-rpc.sls @@ -17,6 +17,8 @@ dom0-rpc-qubes.ClipboardPaste: - marker_start: "### BEGIN securedrop-workstation ###" - marker_end: "### END securedrop-workstation ###" - content: | + @tag:send-clipboard-to-sd @tag:sd-workstation ask + @tag:sd-workstation @tag:receive-clipboard-from-sd ask @anyvm @tag:sd-workstation deny @tag:sd-workstation @anyvm deny dom0-rpc-qubes.FeaturesRequest: @@ -35,6 +37,7 @@ dom0-rpc-qubes.Filecopy: - marker_start: "### BEGIN securedrop-workstation ###" - marker_end: "### END securedrop-workstation ###" - content: | + sd-log @tag:receive-sd-logs ask sd-proxy @tag:sd-client allow @anyvm @tag:sd-workstation deny @tag:sd-workstation @anyvm deny diff --git a/tests/vars/qubes-rpc.yml b/tests/vars/qubes-rpc.yml index 256f84f3..6ed3c507 100644 --- a/tests/vars/qubes-rpc.yml +++ b/tests/vars/qubes-rpc.yml @@ -1,6 +1,8 @@ - policy: qubes.ClipboardPaste starts_with: |- ### BEGIN securedrop-workstation ### + @tag:send-clipboard-to-sd @tag:sd-workstation ask + @tag:sd-workstation @tag:receive-clipboard-from-sd ask @anyvm @tag:sd-workstation deny @tag:sd-workstation @anyvm deny ### END securedrop-workstation ### @@ -15,6 +17,7 @@ - policy: qubes.Filecopy starts_with: |- ### BEGIN securedrop-workstation ### + sd-log @tag:receive-sd-logs ask sd-proxy @tag:sd-client allow @anyvm @tag:sd-workstation deny @tag:sd-workstation @anyvm deny 
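Review bot: The two `ask` rules added to the `qubes.ClipboardPaste` block in dom0/sd-dom0-qvm-rpc.sls may never produce a dom0 confirmation. As far as I know, the Qubes 4.0 GUI daemon evaluates this policy with `ask` treated as approved, because the paste keystroke counts as the user's consent; if so, a tagged VM is in effect allowed. If that holds for the targeted release, add a comment above the `dom0-rpc-qubes.ClipboardPaste` state (its ID line is hunk context, outside the added lines), for example `# NOTE: for ClipboardPaste "ask" behaves like "allow"; the tag is the only gate`. The same applies to the rescoped `sd-app` rules in PATCH 5/7.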
From 846105ee6e6bb0045d6edd1224f2042adeeb65c7 Mon Sep 17 00:00:00 2001 From: Erik Moeller Date: Fri, 10 Apr 2020 15:06:32 -0700 Subject: [PATCH 2/7] Add @default rule so qvm-copy works --- dom0/sd-dom0-qvm-rpc.sls | 1 + tests/vars/qubes-rpc.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/dom0/sd-dom0-qvm-rpc.sls b/dom0/sd-dom0-qvm-rpc.sls index 216a8673..6af7d1df 100644 --- a/dom0/sd-dom0-qvm-rpc.sls +++ b/dom0/sd-dom0-qvm-rpc.sls @@ -37,6 +37,7 @@ dom0-rpc-qubes.Filecopy: - marker_start: "### BEGIN securedrop-workstation ###" - marker_end: "### END securedrop-workstation ###" - content: | + sd-log @default ask sd-log @tag:receive-sd-logs ask sd-proxy @tag:sd-client allow @anyvm @tag:sd-workstation deny diff --git a/tests/vars/qubes-rpc.yml b/tests/vars/qubes-rpc.yml index 6ed3c507..30d717ac 100644 --- a/tests/vars/qubes-rpc.yml +++ b/tests/vars/qubes-rpc.yml @@ -17,6 +17,7 @@ - policy: qubes.Filecopy starts_with: |- ### BEGIN securedrop-workstation ### + sd-log @default ask sd-log @tag:receive-sd-logs ask sd-proxy @tag:sd-client allow @anyvm @tag:sd-workstation deny From 38dba621c6a36ce62c701cbf4de95ab40cd18b41 Mon Sep 17 00:00:00 2001 From: Erik Moeller Date: Tue, 14 Apr 2020 13:14:12 -0700 Subject: [PATCH 3/7] Prefix all tags with sd- --- dom0/sd-dom0-qvm-rpc.sls | 6 +++--- tests/vars/qubes-rpc.yml | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/dom0/sd-dom0-qvm-rpc.sls b/dom0/sd-dom0-qvm-rpc.sls index 6af7d1df..74d5a60c 100644 --- a/dom0/sd-dom0-qvm-rpc.sls +++ b/dom0/sd-dom0-qvm-rpc.sls 
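Review bot: `sd-log @default ask` is added at the top of the `qubes.Filecopy` block in dom0/sd-dom0-qvm-rpc.sls with no in-file explanation, and it is the broadest rule in that block. It presumably only opens the dom0 target chooser when `qvm-copy` runs in sd-log without a named target, with the offered targets still limited by the rules below it. The entry in tests/vars/qubes-rpc.yml compares policy text only, so nothing confirms that. Since sd-log receives files under the `sd-receive-logs` exemption, a comment next to the state would record the intent, for example `# @default only opens the target chooser; targets stay limited to @tag:sd-receive-logs by the rules that follow`. A test that an untagged VM is refused would back it up.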
@@ -17,8 +17,8 @@ dom0-rpc-qubes.ClipboardPaste: - marker_start: "### BEGIN securedrop-workstation ###" - marker_end: "### END securedrop-workstation ###" - content: | - @tag:send-clipboard-to-sd @tag:sd-workstation ask - @tag:sd-workstation @tag:receive-clipboard-from-sd ask + @tag:sd-send-clipboard @tag:sd-workstation ask + @tag:sd-workstation @tag:sd-receive-clipboard ask @anyvm @tag:sd-workstation deny @tag:sd-workstation @anyvm deny dom0-rpc-qubes.FeaturesRequest: @@ -38,7 +38,7 @@ dom0-rpc-qubes.Filecopy: - marker_end: "### END securedrop-workstation ###" - content: | sd-log @default ask - sd-log @tag:receive-sd-logs ask + sd-log @tag:sd-receive-logs ask sd-proxy @tag:sd-client allow @anyvm @tag:sd-workstation deny @tag:sd-workstation @anyvm deny diff --git a/tests/vars/qubes-rpc.yml b/tests/vars/qubes-rpc.yml index 30d717ac..642ee32b 100644 --- a/tests/vars/qubes-rpc.yml +++ b/tests/vars/qubes-rpc.yml @@ -1,8 +1,8 @@ - policy: qubes.ClipboardPaste starts_with: |- ### BEGIN securedrop-workstation ### - @tag:send-clipboard-to-sd @tag:sd-workstation ask - @tag:sd-workstation @tag:receive-clipboard-from-sd ask + @tag:sd-send-clipboard @tag:sd-workstation ask + @tag:sd-workstation @tag:sd-receive-clipboard ask @anyvm @tag:sd-workstation deny @tag:sd-workstation @anyvm deny ### END securedrop-workstation ### @@ -18,7 +18,7 @@ starts_with: |- ### BEGIN securedrop-workstation ### sd-log @default ask - sd-log @tag:receive-sd-logs ask + sd-log @tag:sd-receive-logs ask sd-proxy @tag:sd-client allow @anyvm @tag:sd-workstation deny @tag:sd-workstation @anyvm deny From 3951038a2ca4e6d3993090b553dcd0e5197450b9 Mon Sep 17 00:00:00 2001 From: Erik Moeller Date: Fri, 17 Apr 2020 00:10:50 -0700 Subject: [PATCH 4/7] Add script for removing SD tags from VMs --- Makefile | 1 + scripts/remove-tags | 32 ++++++++++++++++++++++++++++++++ scripts/securedrop-admin.py | 5 ++++- 3 files changed, 37 insertions(+), 1 deletion(-) create mode 100755 scripts/remove-tags 
diff --git a/Makefile b/Makefile index bb9c20ac..8043c38b 100644 --- a/Makefile +++ b/Makefile @@ -110,6 +110,7 @@ clean: assert-dom0 prep-salt ## Destroys all SD VMs $(MAKE) destroy-all sudo qubesctl --show-output --skip-dom0 --targets whonix-gw-15 state.sls sd-clean-whonix sudo qubesctl --show-output state.sls sd-clean-all + ./scripts/remove-tags sudo dnf -y -q remove securedrop-workstation-dom0-config 2>/dev/null || true $(MAKE) clean-salt diff --git a/scripts/remove-tags b/scripts/remove-tags new file mode 100755 index 00000000..0f034730 --- /dev/null +++ b/scripts/remove-tags @@ -0,0 +1,32 @@ +#!/usr/bin/env python3 +""" +Removes tags used for exempting VMs from default SecureDrop Workstation +RPC policies from all VMs (including non-SecureDrop ones). +""" +import qubesadmin + +q = qubesadmin.Qubes() + +TAGS_TO_REMOVE = ["sd-send-clipboard", "sd-receive-clipboard", "sd-receive-logs"] + + +def main(): + tags_removed = False + for vm in q.domains: + for tag in TAGS_TO_REMOVE: + if tag in q.domains[vm].tags: + print("Removing tag '{}' from VM '{}'.".format(tag, vm)) + try: + q.domains[vm].tags.remove(tag) + except Exception as error: + print("Error removing tag: '{}'".format(error)) + print("Aborting.") + exit(1) + tags_removed = True + + if tags_removed is False: + print("Tags {} not set on any VMs, nothing removed.".format(TAGS_TO_REMOVE)) + + +if __name__ == "__main__": + main() diff --git a/scripts/securedrop-admin.py b/scripts/securedrop-admin.py index 695d8c17..b4df75d5 100644 --- a/scripts/securedrop-admin.py +++ b/scripts/securedrop-admin.py 
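Review bot: In the new scripts/remove-tags, the first failed `tags.remove()` aborts the whole run, so every VM later in `q.domains` keeps its policy-exemption tag. Such a VM would regain the exemption if the policy is installed again. Consider continuing past a failure, counting it, and exiting non-zero only after all VMs have been visited. The error text also goes to stdout, and `exit()` is the interactive helper from `site`; `sys.exit(1)` with `file=sys.stderr` is the usual form and needs `import sys` next to `import qubesadmin`.

```python
def main():
    tags_removed = False
    failures = 0
    for vm in q.domains:
        vm_tags = q.domains[vm].tags
        for tag in TAGS_TO_REMOVE:
            if tag not in vm_tags:
                continue
            print("Removing tag '{}' from VM '{}'.".format(tag, vm))
            try:
                vm_tags.remove(tag)
            except Exception as error:
                # Keep going so one failing VM does not leave tags on the rest.
                print("Error removing tag: '{}'".format(error), file=sys.stderr)
                failures += 1
            else:
                tags_removed = True

    if failures:
        print("Failed to remove {} tag(s).".format(failures), file=sys.stderr)
        sys.exit(1)
    # … unchanged: "nothing removed" message when tags_removed is False …
```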
@@ -106,6 +106,8 @@ def perform_uninstall(): subprocess.check_call( ["sudo", "dnf", "-y", "-q", "remove", "qubes-template-securedrop-workstation-buster"] ) + print("Removing SecureDrop tags from remaining VMs") + subprocess.check_call([os.path.join(SCRIPTS_PATH, "scripts/remove-tags")]) print("Uninstalling dom0 config package") subprocess.check_call( ["sudo", "dnf", "-y", "-q", "remove", "securedrop-workstation-dom0-config"] @@ -132,7 +134,8 @@ def main(): elif args.uninstall: print( "Uninstalling will remove all packages and destroy all VMs associated\n" - "with SecureDrop Workstation." + "with SecureDrop Workstation. It will also remove all SecureDrop tags\n" + "from other VMs on the system." ) response = input("Are you sure you want to uninstall (y/N)? ") if response.lower() != 'y': From d23dd8c3710e097940624d9538dbce5b90ba87cc Mon Sep 17 00:00:00 2001 From: Erik Moeller Date: Mon, 20 Apr 2020 17:47:22 -0700 Subject: [PATCH 5/7] Rescope clipboard permission to sd-app --- dom0/sd-dom0-qvm-rpc.sls | 4 ++-- scripts/remove-tags | 2 +- tests/vars/qubes-rpc.yml | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/dom0/sd-dom0-qvm-rpc.sls b/dom0/sd-dom0-qvm-rpc.sls index 74d5a60c..b6fc2fcb 100644 --- a/dom0/sd-dom0-qvm-rpc.sls +++ b/dom0/sd-dom0-qvm-rpc.sls @@ -17,8 +17,8 @@ dom0-rpc-qubes.ClipboardPaste: - marker_start: "### BEGIN securedrop-workstation ###" - marker_end: "### END securedrop-workstation ###" - content: | - @tag:sd-send-clipboard @tag:sd-workstation ask - @tag:sd-workstation @tag:sd-receive-clipboard ask + @tag:sd-send-app-clipboard sd-app ask + sd-app @tag:sd-receive-app-clipboard ask @anyvm @tag:sd-workstation deny @tag:sd-workstation @anyvm deny dom0-rpc-qubes.FeaturesRequest: diff --git a/scripts/remove-tags b/scripts/remove-tags index 0f034730..3ef3e81a 100755 --- a/scripts/remove-tags +++ b/scripts/remove-tags 
@@ -7,7 +7,7 @@ import qubesadmin q = qubesadmin.Qubes() -TAGS_TO_REMOVE = ["sd-send-clipboard", "sd-receive-clipboard", "sd-receive-logs"] +TAGS_TO_REMOVE = ["sd-send-app-clipboard", "sd-receive-app-clipboard", "sd-receive-logs"] def main(): diff --git a/tests/vars/qubes-rpc.yml b/tests/vars/qubes-rpc.yml index 642ee32b..8b963eb9 100644 --- a/tests/vars/qubes-rpc.yml +++ b/tests/vars/qubes-rpc.yml @@ -1,8 +1,8 @@ - policy: qubes.ClipboardPaste starts_with: |- ### BEGIN securedrop-workstation ### - @tag:sd-send-clipboard @tag:sd-workstation ask - @tag:sd-workstation @tag:sd-receive-clipboard ask + @tag:sd-send-app-clipboard sd-app ask + sd-app @tag:sd-receive-app-clipboard ask @anyvm @tag:sd-workstation deny @tag:sd-workstation @anyvm deny ### END securedrop-workstation ### From 49916a21b7c163904d8c770092ea483a348f62ba Mon Sep 17 00:00:00 2001 From: Erik Moeller Date: Tue, 21 Apr 2020 17:35:09 -0700 Subject: [PATCH 6/7] Run tag cleanup via Salt to avoid duplication --- MANIFEST.in | 1 + Makefile | 1 - {scripts => dom0}/remove-tags | 0 dom0/sd-clean-all.sls | 7 +++++++ rpm-build/SPECS/securedrop-workstation-dom0-config.spec | 2 ++ scripts/securedrop-admin.py | 2 -- 6 files changed, 10 insertions(+), 3 deletions(-) rename {scripts => dom0}/remove-tags (100%) diff --git a/MANIFEST.in b/MANIFEST.in index a3f77ee9..7a10c4f6 100644 --- a/MANIFEST.in +++ b/MANIFEST.in @@ -3,6 +3,7 @@ include dom0/*.top include dom0/*.j2 include dom0/*.yml include dom0/*.conf +include dom0/remove-tags include dom0/securedrop-admin include dom0/securedrop-login include dom0/securedrop-launcher.desktop diff --git a/Makefile b/Makefile index 8043c38b..bb9c20ac 100644 --- a/Makefile +++ b/Makefile 
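Review bot: `TAGS_TO_REMOVE` in scripts/remove-tags is a hand-maintained copy of the `@tag:` names in dom0/sd-dom0-qvm-rpc.sls, and this commit has to edit both in step. If the two drift, the cleanup silently leaves exemption tags behind on non-SecureDrop VMs. A comment above the list would make the coupling visible: `# Keep in sync with the @tag: names in dom0/sd-dom0-qvm-rpc.sls`. Replacing the old names also means that VMs tagged `sd-send-clipboard` or `sd-receive-clipboard` under an earlier revision are no longer cleaned. Keeping retired names in the list would cover that if any such installs exist.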
@@ -110,7 +110,6 @@ clean: assert-dom0 prep-salt ## Destroys all SD VMs $(MAKE) destroy-all sudo qubesctl --show-output --skip-dom0 --targets whonix-gw-15 state.sls sd-clean-whonix sudo qubesctl --show-output state.sls sd-clean-all - ./scripts/remove-tags sudo dnf -y -q remove securedrop-workstation-dom0-config 2>/dev/null || true $(MAKE) clean-salt diff --git a/scripts/remove-tags b/dom0/remove-tags similarity index 100% rename from scripts/remove-tags rename to dom0/remove-tags diff --git a/dom0/sd-clean-all.sls b/dom0/sd-clean-all.sls index 1d5b5647..0778f2a0 100644 --- a/dom0/sd-clean-all.sls +++ b/dom0/sd-clean-all.sls @@ -46,6 +46,12 @@ remove-dom0-sdw-config-files: - /home/{{ gui_user }}/Desktop/securedrop-launcher.desktop - /home/{{ gui_user }}/.securedrop_launcher + +# Remove any custom RPC policy tags added to non-SecureDrop VMs by the user +remove-rpc-policy-tags: + cmd.script: + - name: salt://remove-tags + # Removes files that are provisioned by the dom0 RPM, only for the development # environment, since dnf takes care of those provisioned in the RPM {% if d.environment == "dev" %} @@ -53,6 +59,7 @@ remove-dom0-sdw-config-files-dev: file.absent: - names: - /opt/securedrop + - /srv/salt/remove-tags - /srv/salt/securedrop-update - /srv/salt/update-xfce-settings {% endif %} diff --git a/rpm-build/SPECS/securedrop-workstation-dom0-config.spec b/rpm-build/SPECS/securedrop-workstation-dom0-config.spec index b38da295..c446c73a 100644 --- a/rpm-build/SPECS/securedrop-workstation-dom0-config.spec +++ b/rpm-build/SPECS/securedrop-workstation-dom0-config.spec 
@@ -59,6 +59,7 @@ install -m 644 dom0/*.top %{buildroot}/srv/salt/ install -m 644 dom0/*.j2 %{buildroot}/srv/salt/ install -m 644 dom0/*.yml %{buildroot}/srv/salt/ install -m 644 dom0/*.conf %{buildroot}/srv/salt/ +install -m 655 dom0/remove-tags %{buildroot}/srv/salt/ install -m 644 dom0/securedrop-login %{buildroot}/srv/salt/ install -m 644 dom0/securedrop-launcher.desktop %{buildroot}/srv/salt/ install -m 655 dom0/securedrop-handle-upgrade %{buildroot}/srv/salt/ @@ -92,6 +93,7 @@ install -m 644 launcher/sdw_util/*.py %{buildroot}/srv/salt/launcher/sdw_util/ /opt/securedrop/launcher/**/*.py /srv/salt/sd* /srv/salt/dom0-xfce-desktop-file.j2 +/srv/salt/remove-tags /srv/salt/securedrop-* /srv/salt/update-xfce-settings /srv/salt/fpf* diff --git a/scripts/securedrop-admin.py b/scripts/securedrop-admin.py index b4df75d5..b28c1e85 100644 --- a/scripts/securedrop-admin.py +++ b/scripts/securedrop-admin.py @@ -106,8 +106,6 @@ def perform_uninstall(): subprocess.check_call( ["sudo", "dnf", "-y", "-q", "remove", "qubes-template-securedrop-workstation-buster"] ) - print("Removing SecureDrop tags from remaining VMs") - subprocess.check_call([os.path.join(SCRIPTS_PATH, "scripts/remove-tags")]) print("Uninstalling dom0 config package") subprocess.check_call( ["sudo", "dnf", "-y", "-q", "remove", "securedrop-workstation-dom0-config"] From a04589ab56e8aad6a833e06c602eeca508a25af4 Mon Sep 17 00:00:00 2001 From: Erik Moeller Date: Tue, 28 Apr 2020 23:42:46 -0700 Subject: [PATCH 7/7] Add require logic to clean-all state --- dom0/sd-clean-all.sls | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/dom0/sd-clean-all.sls b/dom0/sd-clean-all.sls index 0778f2a0..069b84c7 100644 --- a/dom0/sd-clean-all.sls +++ b/dom0/sd-clean-all.sls 
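Review bot: `install -m 655 dom0/remove-tags` gives the owner read/write but no execute bit, while group and other get read/execute, which is unlikely to be the intent. The conventional mode for a script is `install -m 755 dom0/remove-tags %{buildroot}/srv/salt/`. The neighbouring `securedrop-handle-upgrade` context line uses the same 655, so this looks copied from it. It may not matter at run time if Salt's `cmd.script` copies the file before executing it, but the packaged mode should still state what is meant.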
@@ -62,6 +62,10 @@ remove-dom0-sdw-config-files-dev: - /srv/salt/remove-tags - /srv/salt/securedrop-update - /srv/salt/update-xfce-settings + # Do not remove these scripts before they have done their cleanup duties + - require: + - cmd: dom0-reset-icon-size-xfce + - cmd: remove-rpc-policy-tags {% endif %} sd-cleanup-etc-changes: