Currently, non-existing VMs match $anyvm in qrexec-policy. I suggest that this is potentially dangerous when combined with innocent mistakes elsewhere, and should not be the default.
From https://github.com/QubesOS/qubes-gui-daemon/pull/10:

> I did not detect this sooner because if qubes-clipboard.bin.source had
> a trailing newline, then evaluate_clipboard_policy() would not fail,
> and my dom0 clipboard-copyout script produced such a trailing newline.

This to me sounds like something that may cause trouble in the future, both in false-denies and more importantly potentially false-allows.

If source vm names are being mangled somehow, `--assume-yes-for-ask` allows a specific policy to fall through in a potentially surprising way. Consider a policy like:

    $anyvm protected-thing deny
    $anyvm $anyvm ask

or

    bad-vm $anyvm deny
    $anyvm $anyvm ask

Consider this example:

    [user@dom0 qubes]$ /usr/lib/qubes/qrexec-policy --assume-yes-for-ask \
    > --just-evaluate dummy_id some_source_vm_name_that_got_mangled_somehow \
    > sys-firewall qubes.OpenInVM 0 && echo pwned || echo safe
    pwned

This invocation of qrexec-policy was taken from gui-daemon/gui-daemon/xside.c:
https://github.com/QubesOS/qubes-gui-daemon/blob/95417c573d9b24269d50b3733164c3c9e390851c/gui-daemon/xside.c#L753-L754

So, I propose we make qrexec-policy actually verify that an evaluated VM actually exists in order to match $anyvm. This would mean invalid sources would fall all the way through to the implicit deny, even in case of `--assume-yes-for-ask`.

Thoughts?

-- 
You received this message because you are subscribed to the Google Groups "qubes-devel" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/CABQWM_Bvj-cBWz3Gzd9kzvXkr4dizyLbOOBq2NU7ot9742KgQA%40mail.gmail.com.
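To make the failure mode and the proposed fix concrete, here is an added, self-contained model of the policy matching described in the message above. It is not the code of qrexec-policy or of the Qubes project; it assumes a simplified "source target action" line format with first-match-wins and an implicit deny, a constructed list of existing VMs (KNOWN_VMS), and a constructed policy (POLICY). The `strict_anyvm` flag switches between the current behaviour (a non-existing VM matches $anyvm) and the proposed one ($anyvm matches only VMs that exist), and `assume_yes_for_ask` models the `--assume-yes-for-ask` option:

```python
"""Model of qrexec policy matching: current vs. proposed $anyvm semantics.

Added illustration, not qrexec-policy's own code. Assumes policy lines of the
form "<source> <target> <action>", first match wins, implicit deny otherwise.
"""
from typing import FrozenSet, List, Tuple

Rule = Tuple[str, str, str]  # (source token, target token, action)

# Constructed set of VMs that "exist" on this hypothetical system.
KNOWN_VMS: FrozenSet[str] = frozenset(
    {"dom0", "sys-net", "sys-firewall", "work", "personal"}
)

# Constructed policy text for a hypothetical service, mirroring the
# "bad-vm $anyvm deny / $anyvm $anyvm ask" example from the message.
POLICY_TEXT = """
# deny one specific VM, ask for everyone else
bad-vm $anyvm deny
$anyvm $anyvm ask
"""


def parse_policy(text: str) -> List[Rule]:
    """Parse policy text into (source, target, action) rules.

    Blank lines and '#' comments are ignored; malformed lines raise.
    """
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 'source target action'")
        src, dst, action = parts
        if action not in ("allow", "deny", "ask"):
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        rules.append((src, dst, action))
    return rules


def token_matches(token: str, vm: str, known: FrozenSet[str], strict_anyvm: bool) -> bool:
    """Match one policy token against a VM name.

    Current behaviour (strict_anyvm=False): $anyvm matches any string at all,
    including mangled or non-existing names.  Proposed behaviour
    (strict_anyvm=True): $anyvm matches only names of VMs that exist.
    """
    if token == "$anyvm":
        return vm in known if strict_anyvm else True
    return token == vm


def evaluate(rules: List[Rule], source: str, target: str, known: FrozenSet[str],
             strict_anyvm: bool, assume_yes_for_ask: bool = False) -> str:
    """Return 'allow', 'deny' or 'ask'; no matching rule means implicit deny."""
    for src_tok, dst_tok, action in rules:
        if (token_matches(src_tok, source, known, strict_anyvm)
                and token_matches(dst_tok, target, known, strict_anyvm)):
            if action == "ask":
                # --assume-yes-for-ask turns every 'ask' into 'allow'
                return "allow" if assume_yes_for_ask else "ask"
            return action
    return "deny"


def compare_semantics(source: str, target: str) -> dict:
    """Evaluate one request under both $anyvm semantics with --assume-yes-for-ask."""
    rules = parse_policy(POLICY_TEXT)
    return {
        "current": evaluate(rules, source, target, KNOWN_VMS, False, True),
        "proposed": evaluate(rules, source, target, KNOWN_VMS, True, True),
    }


if __name__ == "__main__":
    # A source name with a stray trailing newline, as in the quoted PR comment.
    for src in ("work", "work\n", "some_source_vm_name_that_got_mangled_somehow"):
        print(repr(src), compare_semantics(src, "sys-firewall"))
```

Under the current semantics the mangled source name still matches `$anyvm`, and with `--assume-yes-for-ask` the `ask` rule becomes an `allow`; under the proposed semantics the same request matches nothing and falls through to the implicit deny, while a genuine VM name is unaffected.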
