Re: [qubes-users] qrexec policies broken after QSB #38 update

Tue, 20 Feb 2018 11:26:30 -0800 

On 02/20/2018 02:03 PM, Micah Lee wrote:

I just installed updates in dom0 (current-testing) after QSB #38, and
now my qrexec policies are semi-broken.

To demonstrate, I just made two new AppVMs, testvm1 and testvm2. I want
to copy a file from testvm1 to testvm2:

[user@testvm1 ~]$ echo test > test.txt
[user@testvm1 ~]$ qvm-copy test.txt
Request refused
[user@testvm1 ~]$

It immediately fails with "Request refused" and doesn't pop up a dom0
window asking where I want to copy it to. This is true when I run
`qvm-copy` in any VM, it is immediately denied without prompting me.

I'm running into the same problem with other qrexec services too, like:

[user@testvm1 ~]$ qvm-open-in-dvm https://www.eff.org/
Request refused
[user@testvm1 ~]$

My /etc/qubes-rpc/policy/qubes.Filecopy has only one line:

$anyvm $anyvm ask

However, if I edit it and add this line to the beginning:

testvm1 testvm2 allow

It works, but only if I use the deprecated `qvm-copy-to-vm`:

[user@testvm1 ~]$ qvm-copy test.txt
Request refused
[user@testvm1 ~]$ qvm-copy-to-vm testvm2 test.txt
qvm-copy-to-vm/qvm-move-to-vm tools are deprecated,
use qvm-copy/qvm-move to avoid typing target qube name twice
sent 0/1 KB
[user@testvm1 ~]$

And likewise, my qubes.Gpg policy works for the VMs where I explicitly
allow it.

I read the QSB, and it says that the '$' character is being deprecated
and replaced with the '@' character, but changing my qrexec policy to
this doesn't work:

@anyvm @anyvm ask

Is anyone else running into this problem? Any solutions?
Since several people are reporting this, I decided to try some simple qvm-copy tests and have been unable to reproduce the problem on R4.0-rc4. 

I updated with qubes*testing and then restarted per the QSB.


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/31326c3a-b63c-5b7f-e54d-258761ee3e8a%40posteo.net.
For more options, visit https://groups.google.com/d/optout.

Reply via email to