On Mon, Oct 23, 2023 at 09:24:13PM +0000, Ben Grande wrote:
> Hello.
>
> Dom0 is not normally a client for extraneous qrexec calls, but in this
> case, I need dom0 to resolve the domain name from the token @default via
> policy.
>
> Policy:
>
> service * dom0 @default allow target=mydomain
>
> Call:
>
> qrexec-client -d @default -- 'DEFAULT:QUBESRPC service dom0'
>
> Dom0 does not require the policy for the call to be allowed, as it is always
> allowed. Watching the qrexec policy logs, the call from Dom0 is not
> logged.
>
> If I run from dom0:
>
> qrexec-policy 0 dom0 @default service 1
>
> It resolves the domain but fails to run the command:
>
> INFO:policy:qrexec: service: dom0 -> @default: allowed to sys-git
> 2023-10-23 21:19:28.154 qrexec-client[32893]:
> qrexec-client.c:184:connect_unix_socket: connect: No such file or directory
> ERROR:policy:qrexec: service: dom0 -> @default: error while executing:
> qrexec-client failed: ['/usr/lib/qubes/qrexec-client', '-d', 'mydomain',
> '-c', '1,dom0,0', '-E', '--', 'DEFAULT:QUBESRPC service dom0']
>
> If I run the command directly without the request id and with the literal domain
> name, it works:
>
> qrexec-client -d mydomain -- 'DEFAULT:QUBESRPC service dom0'
>
> How can I force dom0 to use the '@default' token?
> As 'qrexec-client' does not allow tokens in the domain name yet, would
> this be interesting to have?
>
> Documents read:
> - https://www.qubes-os.org/doc/qrexec-internals/
> - https://www.qubes-os.org/doc/qrexec-internals/
I don't think there is a one-step solution, but you can get the policy resolved by using `qrexec-policy` in the 3-arg form (skipping domain id and process ident). Then you'll get the result in key=value format, including the resolved target= that you can use in a qvm-run (or qrexec-client) call. It even works with `ask` policy (you get the prompt), which means we finally can implement qvm-copy (not just qvm-copy-to-vm) in dom0 too :)

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
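The two-step approach from the reply above as a dom0 helper, added here as an example (not code from the thread or from the Qubes project): run `qrexec-policy` in the 3-arg form, take `target=` from its key=value output, and only then call `qrexec-client` with the concrete VM name. The sample policy output is constructed and the key names other than `result=` and `target=` are assumed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Qubes OS: resolve a
# token target (such as @default) from dom0 with the 3-arg qrexec-policy
# form, read the key=value answer, and only then call qrexec-client with
# the concrete VM name. The policy output below is constructed; the exact
# key set printed by qrexec-policy is assumed, only result= and target=
# are relied on.

# Constructed sample of what the 3-arg form is assumed to print when the
# rule "service * dom0 @default allow target=mydomain" matches.
SAMPLE_ALLOW_OUTPUT='result=allow
target=mydomain
autostart=True
requested_target=@default'

# Constructed sample for a call the policy refuses.
SAMPLE_DENY_OUTPUT='result=deny'

# Print the value of one key from key=value lines passed on stdin.
policy_field() {
    sed -n "s/^$1=//p" | head -n 1
}

# Given the policy output, print the resolved target VM. Fails (and
# prints nothing on stdout) unless the decision is allow and a concrete
# target is present, so a caller can never fall through to an empty -d.
resolve_target() {
    result=$(printf '%s\n' "$1" | policy_field result)
    target=$(printf '%s\n' "$1" | policy_field target)
    if [ "$result" != "allow" ] || [ -z "$target" ]; then
        echo "qrexec policy did not allow the call (result=${result:-none})" >&2
        return 1
    fi
    printf '%s\n' "$target"
}

# Live flow for dom0: source VM, token or VM name, service name.
# An `ask` rule is prompted for by qrexec-policy itself; the answer
# still arrives as result=allow or result=deny.
call_via_policy() {
    source_vm="$1"; intended_target="$2"; service="$3"
    out=$(qrexec-policy "$source_vm" "$intended_target" "$service") || return 1
    target=$(resolve_target "$out") || return 1
    qrexec-client -d "$target" -- "DEFAULT:QUBESRPC $service $source_vm"
}

# Usage from dom0 (mirrors the thread's call, with @default resolved first):
#   call_via_policy dom0 @default service
```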