Hello.

Dom0 is not normally a client for extraneous qrexec calls, but in this
case, I need dom0 to resolve the domain name from the token @default via
policy.

Policy:

        service * dom0 @default allow target=mydomain

Call:

        qrexec-client -d @default -- 'DEFAULT:QUBESRPC service dom0'

Dom0 does not require the policy for the call to be allowed, as it is always
allowed. Watching the qrexec policy logs, the call from Dom0 is not
logged.

If I run from dom0:

        qrexec-policy 0 dom0 @default service 1

It resolves the domain but fails to run the command:

        INFO:policy:qrexec: service: dom0 -> @default: allowed to sys-git
        2023-10-23 21:19:28.154 qrexec-client[32893]: qrexec-client.c:184:connect_unix_socket: connect: No such file or directory
        ERROR:policy:qrexec: service: dom0 -> @default: error while executing: qrexec-client failed: ['/usr/lib/qubes/qrexec-client', '-d', 'mydomain', '-c', '1,dom0,0', '-E', '--', 'DEFAULT:QUBESRPC service dom0']

If I run the command directly without the request id and the literal domain 
name, it works:

        qrexec-client -d mydomain -- 'DEFAULT:QUBESRPC service dom0'

How can I force dom0 to use the '@default' token?
As 'qrexec-client' does not allow tokens in the domain name yet, would
this be interesting to have?

Documents read:
- https://www.qubes-os.org/doc/qrexec-internals/

-- 
Benjamin Grande
