Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Rip out qubes-rpc-multiplexer #141

Open
wants to merge 6 commits into
base: main
Choose a base branch
from

Conversation

DemiMarie
Copy link
Contributor

@DemiMarie DemiMarie commented Apr 10, 2024

Instead, directly execute the command from C.

All variables with names beginning with QREXEC_ are stripped from the environment, except for QREXEC_SERVICE_PATH. This is a change in behavior compared to the current code.

This is a backwards-incompatible change to exec_qubes_rpc_if_requested(), which now takes an extra argument and is renamed exec_qubes_rpc(). Therefore, it cannot be backported to R4.2.

Fixes: QubesOS/qubes-issues#9062

@DemiMarie DemiMarie force-pushed the no-multiplexer branch 4 times, most recently from 189d832 to b4a2de9 Compare April 11, 2024 22:14
@DemiMarie DemiMarie force-pushed the no-multiplexer branch 3 times, most recently from 3de2f4b to 39f909f Compare April 16, 2024 23:58
@DemiMarie DemiMarie marked this pull request as ready for review April 17, 2024 00:03
@DemiMarie DemiMarie force-pushed the no-multiplexer branch 3 times, most recently from 9f69888 to a4de39f Compare May 4, 2024 00:10
Copy link

codecov bot commented May 4, 2024

Codecov Report

Attention: Patch coverage is 78.40376% with 46 lines in your changes missing coverage. Please review.

Project coverage is 79.11%. Comparing base (6077a10) to head (091f0ea).

Files with missing lines Patch % Lines
libqrexec/exec.c 76.19% 20 Missing ⚠️
libqrexec/open_logger.c 66.66% 7 Missing ⚠️
libqrexec/buffer.c 0.00% 5 Missing ⚠️
agent/qrexec-agent-data.c 87.50% 3 Missing ⚠️
agent/qrexec-fork-server.c 0.00% 3 Missing ⚠️
daemon/qrexec-daemon.c 0.00% 3 Missing ⚠️
agent/qrexec-agent.c 60.00% 2 Missing ⚠️
qrexec/tests/socket/agent.py 93.33% 2 Missing ⚠️
agent/qrexec-client-vm.c 0.00% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #141      +/-   ##
==========================================
- Coverage   79.17%   79.11%   -0.07%     
==========================================
  Files          54       55       +1     
  Lines        9953    10072     +119     
==========================================
+ Hits         7880     7968      +88     
- Misses       2073     2104      +31     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@DemiMarie DemiMarie changed the title Draft: Rip out qubes-rpc-multiplexer Rip out qubes-rpc-multiplexer May 4, 2024
@marmarek marmarek mentioned this pull request May 18, 2024
@qubesos-bot
Copy link

qubesos-bot commented Jun 28, 2024

OpenQA test summary

Complete test suite and dependencies: https://openqa.qubes-os.org/tests/overview?distri=qubesos&version=4.3&build=2025010404-4.3&flavor=pull-requests

Test run included the following:

New failures, excluding unstable

Compared to: https://openqa.qubes-os.org/tests/overview?distri=qubesos&version=4.3&build=2024111705-4.3&flavor=update

  • system_tests_whonix@hw7

    • startup: Failed (test died)
      # Test died: command 'qvm-run --nogui -u root sys-firewall qvm-sync...
  • system_tests_gui_interactive@hw1

    • screenlocker_leaks: Failed (test died)
      # Test died: command 'qvm-run -p -u root work "dnf -y install mate-...
  • system_tests_suspend@hw1

    • suspend: Failed (test died)
      # Test died: command 'qvm-run --no-gui -p -u root sys-net "command ...
  • system_tests_basic_vm_qrexec_gui@hw7

    • startup: Failed (test died)
      # Test died: command 'qvm-run --nogui -u root sys-firewall qvm-sync...
  • system_tests_gui_tools@hw7

    • startup: Failed (test died)
      # Test died: command 'qvm-run --nogui -u root sys-firewall qvm-sync...
  • system_tests_whonix

    • whonixcheck: Failed (test died)
      # Test died: command 'qvm-run --no-gui -p -u root sys-net "command ...
  • system_tests_gui_tools

    • desktop_linux_manager_policy_edit: unnamed test (unknown)
    • desktop_linux_manager_policy_edit: Failed (test died)
      # Test died: no candidate needle with tag(s) 'qubes-policy-editor-g...
  • system_tests_suspend

    • suspend: Failed (test died)
      # Test died: command 'qvm-run --no-gui -p -u root sys-net "command ...
  • system_tests_gui_interactive

    • screenlocker_leaks: Failed (test died)
      # Test died: command 'qvm-run -p -u root work "dnf -y install mate-...
  • system_tests_guivm_gui_interactive

    • update_guivm: Failed (test died)
      # Test died: command 'qvm-run --no-gui -p -u root sys-net "command ...
  • system_tests_backupdispvm

    • startup: wait_serial (wait serial expected + timed out)
      # wait_serial expected: "# "...

    • startup: wait_serial (wait serial expected)
      # wait_serial expected: qr/xE1Ra-\d+-/...

    • startup: Failed (test died + timed out)
      # Test died: command 'export TERM=dumb; stty cols 2048 rows 25' tim...

    • startup: wait_serial (wait serial expected)
      # wait_serial expected: "# "...

    • startup: wait_serial (wait serial expected)
      # wait_serial expected: qr/2E8vz-\d+-/...

  • system_tests_kde_gui_interactive

    • kde_install: Failed (test died)
      # Test died: command 'qvm-run --no-gui -p -u root sys-net "command ...
  • system_tests_guivm_vnc_gui_interactive

    • update_guivm: Failed (test died)
      # Test died: command 'qvm-run --no-gui -p -u root sys-net "command ...
  • system_tests_basic_vm_qrexec_gui_btrfs

    • switch_pool: Failed (test died)
      # Test died: command 'qvm-run --no-gui -p -u root sys-net "command ...
  • system_tests_basic_vm_qrexec_gui_ext4

    • switch_pool: Failed (test died)
      # Test died: command 'qvm-run --no-gui -p -u root sys-net "command ...
  • system_tests_basic_vm_qrexec_gui_xfs

    • switch_pool: Failed (test died)
      # Test died: command 'qvm-run --no-gui -p -u root sys-net "command ...

Failed tests

22 failures
  • system_tests_whonix@hw7

    • startup: Failed (test died)
      # Test died: command 'qvm-run --nogui -u root sys-firewall qvm-sync...
  • system_tests_gui_interactive@hw1

    • screenlocker_leaks: Failed (test died)
      # Test died: command 'qvm-run -p -u root work "dnf -y install mate-...
  • system_tests_suspend@hw1

    • suspend: Failed (test died)
      # Test died: command 'qvm-run --no-gui -p -u root sys-net "command ...
  • system_tests_basic_vm_qrexec_gui@hw7

    • startup: Failed (test died)
      # Test died: command 'qvm-run --nogui -u root sys-firewall qvm-sync...
  • system_tests_gui_tools@hw7

    • startup: Failed (test died)
      # Test died: command 'qvm-run --nogui -u root sys-firewall qvm-sync...
  • system_tests_whonix

    • whonixcheck: Failed (test died)
      # Test died: command 'qvm-run --no-gui -p -u root sys-net "command ...
  • system_tests_gui_tools

    • desktop_linux_manager_policy_edit: unnamed test (unknown)
    • desktop_linux_manager_policy_edit: Failed (test died)
      # Test died: no candidate needle with tag(s) 'qubes-policy-editor-g...
  • system_tests_suspend

    • suspend: Failed (test died)
      # Test died: command 'qvm-run --no-gui -p -u root sys-net "command ...
  • system_tests_gui_interactive

    • screenlocker_leaks: Failed (test died)
      # Test died: command 'qvm-run -p -u root work "dnf -y install mate-...
  • system_tests_guivm_gui_interactive

    • update_guivm: Failed (test died)
      # Test died: command 'qvm-run --no-gui -p -u root sys-net "command ...
  • system_tests_backupdispvm

    • startup: wait_serial (wait serial expected + timed out)
      # wait_serial expected: "# "...

    • startup: wait_serial (wait serial expected)
      # wait_serial expected: qr/xE1Ra-\d+-/...

    • startup: Failed (test died + timed out)
      # Test died: command 'export TERM=dumb; stty cols 2048 rows 25' tim...

    • startup: wait_serial (wait serial expected)
      # wait_serial expected: "# "...

    • startup: wait_serial (wait serial expected)
      # wait_serial expected: qr/2E8vz-\d+-/...

  • system_tests_kde_gui_interactive

    • kde_install: Failed (test died)
      # Test died: command 'qvm-run --no-gui -p -u root sys-net "command ...
  • system_tests_basic_vm_qrexec_gui_zfs

    • switch_pool: Failed (test died)
      # Test died: command 'qvm-run --no-gui -p -u root sys-net "command ...
  • system_tests_guivm_vnc_gui_interactive

    • update_guivm: Failed (test died)
      # Test died: command 'qvm-run --no-gui -p -u root sys-net "command ...
  • system_tests_basic_vm_qrexec_gui_btrfs

    • switch_pool: Failed (test died)
      # Test died: command 'qvm-run --no-gui -p -u root sys-net "command ...
  • system_tests_basic_vm_qrexec_gui_ext4

    • switch_pool: Failed (test died)
      # Test died: command 'qvm-run --no-gui -p -u root sys-net "command ...
  • system_tests_basic_vm_qrexec_gui_xfs

    • switch_pool: Failed (test died)
      # Test died: command 'qvm-run --no-gui -p -u root sys-net "command ...

Fixed failures

Compared to: https://openqa.qubes-os.org/tests/119126#dependencies

3 fixed
  • system_tests_audio@hw1

  • system_tests_extra

    • TC_00_QVCTest_whonix-gateway-17: test_010_screenshare (failure)
      ~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^... AssertionError: 0 == 0
  • system_tests_kde_gui_interactive

    • gui_keyboard_layout: Failed (test died)
      # Test died: command 'test "$(cd ~user;ls e1*)" = "$(qvm-run -p wor...

Unstable tests

  • system_tests_update@hw1

    update2/Failed (1/5 times with errors)
    • job 121711 # Test died: command '(set -o pipefail; qubesctl --show-output stat...
  • system_tests_update@hw7

    update2/Failed (1/5 times with errors)
    • job 121711 # Test died: command '(set -o pipefail; qubesctl --show-output stat...
  • system_tests_update

    update2/Failed (1/5 times with errors)
    • job 121711 # Test died: command '(set -o pipefail; qubesctl --show-output stat...

@marmarek
Copy link
Member

Ugh, upgrade will require a bit more care. Right now, just after upgrading dom0, qrexec calls (to dom0) fails for currently running VMs:

2024-06-28 13:11:55.919 qrexec-daemon[26518]: exec.c:85:exec_qubes_rpc_if_requested: exec qubes-rpc-multiplexer: No such file or directory

Release upgrade script will need to handle this case.

@marmarek
Copy link
Member

Maybe keep the script in repo, and remove only later (R4.4?) ?
I noticed the problem in dom0, but it probably affect domUs too.

@marmarek
Copy link
Member

marmarek commented Jan 4, 2025

This still fails:

[2025-01-04 06:39:04] [  188.534597] audit: type=1400 audit(1735972744.727:200): avc:  denied  { entrypoint } for  pid=1099 comm="qrexec-agent" path="/etc/qubes-rpc/qubes.VMShell" dev="xvda3" ino=917703 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0

I haven't checked yet if it's update problem (I did merged #184 already, so it should work...), or wrong file context in policy in the first place.

@marmarek
Copy link
Member

marmarek commented Jan 4, 2025

Manual restorecon call doesn't help, likely due to the above wrong path

This checks that the RPC multiplexer only allows calls with 2 or 4
arguments and sets environment variables $QREXEC_REQUESTED_TARGET_TYPE,
$QREXEC_REQUESTED_TARGET, and $QREXEC_REQUESTED_TARGET_KEYWORD properly.
Since it only affects the tests, it can safely be backported to R4.2.
Comment on lines -105 to -109
if VERSION == "dom0" and dest == "dom0":
# Invoke qubes-rpc-multiplexer directly. This will work for non-socket
# services only.
return [RPC_MULTIPLEXER, rpcname, "dom0"]

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well, this needs a replacement, otherwise calling dom0->dom0 services fail. For example policy editor crashes with:

subprocess.CalledProcessError: Command '['/usr/bin/qrexec-client', '-d', 'dom0', 'DEFAULT:QUBESRPC policy.List dom0']' returned non-zero exit status 1.

@marmarek
Copy link
Member

marmarek commented Jan 5, 2025

Several of the failures suggest there is something wrong with the environment, at least PATH (see resize-rootfs failing by not finding sfdisk), but very likely more. Probably at least env set by PAM should be included (this should cover PATH I think), but there may be more needed (session bus address? various XDG vars etc?).

But there are also cases where I don't see what went wrong (which may mean missing error log somewhere):

# Test died: command 'qvm-run --no-gui -p -u root sys-net "command -v curl || (apt-get update --allow-releaseinfo-change && apt-get -y install curl ) || dnf install -y curl"' failed at qubesos/tests/suspend.pm line 30.

nothing on stderr from this command and all the logs from sys-net at the time:

[2025-01-04 07:17:14] [  294.547640] qrexec-agent[1104]: 2025-01-04 07:17:15.428 qrexec-agent[1104]: qrexec-agent-data.c:274:handle_new_process_common: executed: root:QUBESRPC qubes.VMShell dom0 (pid 1106)
[2025-01-04 07:17:14] [  294.921660] audit: type=1100 audit(1735993035.467:169): pid=1106 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_rootok acct="root" exe="/usr/lib/qubes/qrexec-agent" hostname=? addr=? terminal=? res=success'
[2025-01-04 07:17:14] [  294.922201] audit: type=1103 audit(1735993035.468:170): pid=1106 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_rootok acct="root" exe="/usr/lib/qubes/qrexec-agent" hostname=? addr=? terminal=? res=success'
[2025-01-04 07:17:14] [  294.922396] audit: type=1006 audit(1735993035.468:171): pid=1106 uid=0 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=8 res=1
[2025-01-04 07:17:14] [  294.922535] audit: type=1300 audit(1735993035.468:171): arch=c000003e syscall=1 success=yes exit=1 a0=3 a1=7fffcefe5380 a2=1 a3=0 items=0 ppid=1104 pid=1106 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=8 comm="qrexec-agent" exe="/usr/lib/qubes/qrexec-agent" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
[2025-01-04 07:17:14] [  294.922851] audit: type=1327 audit(1735993035.468:171): proctitle="/usr/lib/qubes/qrexec-agent"
[2025-01-04 07:17:14] [  294.927077] audit: type=2300 audit(1735993035.473:172): pid=1106 uid=0 auid=0 ses=8 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=pam_selinux default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 exe="/usr/lib/qubes/qrexec-agent" hostname=? addr=? terminal=? res=success'
[2025-01-04 07:17:15] [  294.824812] systemd[1]: Created slice user-0.slice - User Slice of UID 0.
[2025-01-04 07:17:15] [  294.841070] systemd[1]: Starting [email protected] - User Runtime Directory /run/user/0...
[2025-01-04 07:17:15] [  294.903360] systemd[1]: Finished [email protected] - User Runtime Directory /run/user/0.
[2025-01-04 07:17:15] [  295.239406] audit: type=1130 audit(1735993035.785:173): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=user-runtime-dir@0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[2025-01-04 07:17:15] [  294.909066] systemd[1]: Starting [email protected] - User Manager for UID 0...
[2025-01-04 07:17:15] [  295.289896] audit: type=1101 audit(1735993035.835:174): pid=1110 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='op=PAM:accounting grantors=pam_unix acct="root" exe="/usr/lib/systemd/systemd-executor" hostname=? addr=? terminal=? res=success'
[2025-01-04 07:17:15] [  295.289981] audit: type=1103 audit(1735993035.835:175): pid=1110 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='op=PAM:setcred grantors=? acct="root" exe="/usr/lib/systemd/systemd-executor" hostname=? addr=? terminal=? res=failed'
[2025-01-04 07:17:15] [  295.290052] audit: type=2300 audit(1735993035.836:176): pid=1110 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='op=pam_selinux default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 exe="/usr/lib/systemd/systemd-executor" hostname=? addr=? terminal=? res=success'
[2025-01-04 07:17:15] [  295.010562] systemd-logind[530]: New session 9 of user root.
[2025-01-04 07:17:15] [  295.012654] (systemd)[1110]: pam_unix(systemd-user:session): session opened for user root(uid=0) by root(uid=0)
[2025-01-04 07:17:15] [  295.335833] systemd[1110]: Queued start job for default target default.target.
[2025-01-04 07:17:15] [  295.337263] systemd[1110]: Created slice app.slice - User Application Slice.
[2025-01-04 07:17:15] [  295.338069] systemd[1110]: Created slice session.slice - User Core Session Slice.
[2025-01-04 07:17:15] [  295.338889] systemd[1110]: grub-boot-success.timer - Mark boot as successful after the user session has run 2 minutes was skipped because of an unmet condition check (ConditionUser=!@system).
[2025-01-04 07:17:15] [  295.341287] systemd[1110]: Started systemd-tmpfiles-clean.timer - Daily Cleanup of User's Temporary Directories.
[2025-01-04 07:17:15] [  295.341625] systemd[1110]: Reached target paths.target - Paths.
[2025-01-04 07:17:15] [  295.341713] systemd[1110]: Reached target timers.target - Timers.
[2025-01-04 07:17:15] [  295.344181] systemd[1110]: Starting dbus.socket - D-Bus User Message Bus Socket...
[2025-01-04 07:17:15] [  295.344561] systemd[1110]: pipewire-pulse.socket - PipeWire PulseAudio was skipped because of an unmet condition check (ConditionUser=!root).
[2025-01-04 07:17:15] [  295.345258] systemd[1110]: Listening on pipewire.socket - PipeWire Multimedia System Sockets.
[2025-01-04 07:17:15] [  295.347522] systemd[1110]: Starting systemd-tmpfiles-setup.service - Create User Files and Directories...
[2025-01-04 07:17:15] [  295.366829] systemd[1110]: Listening on dbus.socket - D-Bus User Message Bus Socket.
[2025-01-04 07:17:15] [  295.368537] systemd[1110]: Reached target sockets.target - Sockets.
[2025-01-04 07:17:15] [  295.370438] systemd[1110]: Finished systemd-tmpfiles-setup.service - Create User Files and Directories.
[2025-01-04 07:17:15] [  295.371498] systemd[1110]: Reached target basic.target - Basic System.
[2025-01-04 07:17:15] [  295.371677] systemd[1110]: pipewire.service - PipeWire Multimedia Service was skipped because of an unmet condition check (ConditionPathExists=!/var/run/qubes-service/minimal-netvm).
[2025-01-04 07:17:15] [  295.372940] systemd[1110]: split-gpg2-client.service - split-gpg2 client was skipped because of an unmet condition check (ConditionPathExists=/run/qubes-service/split-gpg2-client).
[2025-01-04 07:17:15] [  295.373314] systemd[1110]: Reached target default.target - Main User Target.
[2025-01-04 07:17:15] [  295.374533] systemd[1110]: wireplumber.service - Multimedia Service Session Manager was skipped because of an unmet condition check (ConditionPathExists=!/var/run/qubes-service/minimal-netvm).
[2025-01-04 07:17:15] [  295.374679] systemd[1110]: Startup finished in 328ms.
[2025-01-04 07:17:15] [  295.374788] systemd[1]: Started [email protected] - User Manager for UID 0.
[2025-01-04 07:17:15] [  295.388502] systemd[1]: Started session-8.scope - Session 8 of User root.
[2025-01-04 07:17:15] [  295.393763] qrexec-agent[1106]: pam_unix(qrexec:session): session opened for user root(uid=0) by root(uid=0)
[2025-01-04 07:17:15] [  295.396441] qrexec-agent[1106]: pam_unix(qrexec:session): session closed for user root
[2025-01-04 07:17:15] [  295.398613] qrexec-agent[1104]: 2025-01-04 07:17:16.281 qrexec-agent[1104]: qrexec-agent-data.c:309:handle_new_process_common: pid 1106 exited with 125

@marmarek
Copy link
Member

marmarek commented Jan 5, 2025

Right... I guess we need something like policy version flag in /rw to detect the need to relabel? I'd say keep a version number inside /rw/.autorelabel, but that's incompatible with ConditionPathExists (or any other Condition), so maybe rename the flag instead? /rw/.autorelabel-done-version-1?

And just to not forget - this is still applicable

@DemiMarie
Copy link
Contributor Author

Right... I guess we need something like policy version flag in /rw to detect the need to relabel? I'd say keep a version number inside /rw/.autorelabel, but that's incompatible with ConditionPathExists (or any other Condition), so maybe rename the flag instead? /rw/.autorelabel-done-version-1?

And just to not forget - this is still applicable

Better solution: run a script at each boot that checks if the SELinux policy has changed since a relabel happened and relabels the priviate volume if it has. That is QubesOS/qubes-core-agent-linux#541 (draft because not tested yet).

@marmarek
Copy link
Member

marmarek commented Jan 6, 2025

That is QubesOS/qubes-core-agent-linux#541 (draft because not tested yet).

Currently that PR checks if full rootfs relabel happened since last /rw relabel, not if policy has changed. Most policy changes will not involve full relabel (rpm macros relabel only files affected by the update, using fixfiles -C ... restore). But yes, I agree, triggering /rw relabel if policy changed is a more generic approach. Just make sure it won't timeout VM boot on larger /rw ... (maybe using similar fixfiles trick?)

@DemiMarie
Copy link
Contributor Author

That is QubesOS/qubes-core-agent-linux#541 (draft because not tested yet).

Currently that PR checks if full rootfs relabel happened since last /rw relabel, not if policy has changed.

Indeed so, but it is easy to check if policy has changed by checking the timestamp on /etc/selinux/$SELINUXTYPE/contexts/files/file_contexts.

Most policy changes will not involve full relabel (rpm macros relabel only files affected by the update, using fixfiles -C ... restore). But yes, I agree, triggering /rw relabel if policy changed is a more generic approach. Just make sure it won't timeout VM boot on larger /rw ... (maybe using similar fixfiles trick?)

fixfiles will try to relabel the whole root filesystem, which is bad, and it also excludes /home by default, so non-Qubes systems are actually broken! It is also a shell script that badly needs a rewrite in a better language and almost certainly relabels far more than it needs to.

What about using the -regex option to find?

@marmarek
Copy link
Member

marmarek commented Jan 6, 2025

fixfiles will try to relabel the whole root filesystem, which is bad

That's why I said "similar", not "the same".

What about using the -regex option to find?

Maybe, but remember there are a bunch of corner cases, like file_contexts.subs. If going with "similar to fixfiles" approach, maybe you can at least take the policy diff part from there.

@DemiMarie
Copy link
Contributor Author

Some local testing:

  • dom0 ⇒ VM calls that use the fork server work fine.
  • qvm-run --user=root --service runs the service with PATH=/usr/local/bin:/usr/bin (wrong).
  • Running a service in /usr/local/etc/qubes-rpc as root does not work at all (wrong).

@DemiMarie
Copy link
Contributor Author

dom0 ⇒ dom0 calls can be solved by either continuing to use qubes-rpc-multiplexer or just reimplementing the functionality in pure Python. The rest of the problems are either due to SELinux (which I will fix) or not using a login shell to spawn the process. The latter can be worked around in two ways:

  1. Always use a fork server, and create it lazily, on-demand.
  2. Run the command via /bin/sh -eulc 'exec "$@"' sh PROG ARGUMENT.

@marmarek
Copy link
Member

marmarek commented Jan 9, 2025

dom0 ⇒ dom0 calls can be solved by either continuing to use qubes-rpc-multiplexer or just reimplementing the functionality in pure Python

Both sounds good. There is one more place where qubes-rpc-multiplexer is used: https://github.com/QubesOS/qubes-core-admin/blob/main/qubes/vm/adminvm.py#L312-L320
TBH I'm surprised it isn't used in core-admin-client, but this one seems to re-implement it in a very limited way (see core-admin-client/qubesadmin/app.py:QubesLocal.run_service()).
I don't see any usages outside of python, so doing that in that python function directly should be fine too.

Always use a fork server, and create it lazily, on-demand.

How would it be started? The whole point of the fork-server is starting processes inside user session that is started independently of qrexec (in most cases by gui-agent, but in some cases by full lightdm or similar). Starting it from qrexec doesn't solve the issue of not having full user session...
The current code already opens user session for isolated calls (see agent/qrexec-agent.c:do_exec()) and as seen this is not enough, starting fork-server the same way wouldn't help - it would need to be adjusted anyway, at which point fork-server doesn't help with this issue (starting the service directly after the adjustments should also work).
On the other hand, fork-server may avoid having user session started over and over for repeated calls (not really common for non-default user). But also, IMO if going that way, it should have a timeout to not keep several processes running indefinitely if a service was called once. Sounds like a separate feature.

Run the command via /bin/sh -eulc 'exec "$@"' sh PROG ARGUMENT.

Will that solve setting up environment? Including /etc/environment.d This sounds like a simpler approach. It can be improved later if necessary.

See also QubesOS/qubes-issues#3434 - kinda related.

Instead, directly execute the command from C.

All variables with names beginning with QREXEC are stripped from the
environment, except for QREXEC_SERVICE_PATH.  This is a change in
behavior compared to the current code.

This is a backwards-incompatible change to
exec_qubes_rpc_if_requested(), which now takes an extra argument.
Therefore, it cannot be backported to R4.2.  It also requires changing
the SELinux policy so that the labels on /etc/qubes-rpc/ and
/usr/local/etc/qubes-rpc/ (and their contents) are correct.

Fixes: QubesOS/qubes-issues#9062
It carries no information, and various parts of the code must strip it.
Just omit it from the command entirely.  Whether a command is an RPC
command should be determined by the service descriptor being non-NULL.

Review with "git diff --ignore-space-change".
The previous two changes were ABI breaks.
This ensures that the program receives the proper environment variables.
argv[4] = argv[1];
argv[5] = NULL;
argv[0] = "-sh";
argv[1] = "-lcunset LESSOPEN LESSCLOSE&&exec \"$@\"";
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is definitely not the place for some random harcoded config overrides.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Stop using qubes-rpc-multiplexer
3 participants