Support additional policy directories #134

Merged on Sep 25, 2024 (2 commits)

Contributor

@DemiMarie DemiMarie commented Jan 13, 2024

This allows multiple directories to contain qrexec policy, which allows for transient policy that disappears on reboot.

Fixes: QubesOS/qubes-issues#8513

@DemiMarie DemiMarie force-pushed the runtime-policy-dir branch 5 times, most recently from 69f5fe1 to 23d87ef Compare January 14, 2024 03:59
@DemiMarie DemiMarie force-pushed the runtime-policy-dir branch from db6f542 to 1f83e62 Compare March 14, 2024 20:51
@deeplow

deeplow commented May 6, 2024

There has been some community demand for having a user directory in the user's home to ease backup and restore. Would this be a good place / timing to consider it?

@marmarek
Member

marmarek commented May 6, 2024

I don't think keeping (some) policy in the user's home is a good idea. A better approach is to extend backup to include additional files/directories.

@deeplow

deeplow commented May 6, 2024

I agree that's the correct approach. I was thinking here more pragmatically as to what could help users in the short-term, since policy backups will need careful consideration.

@marmarek
Member

This needs a rebase now (probably simply dropping the 0bc884a commit, as #160 got merged)

@DemiMarie DemiMarie force-pushed the runtime-policy-dir branch from 1f83e62 to 1d301f4 Compare June 27, 2024 15:42
@marmarek
Member

Pylint complains, looks like an import got lost in rebase.

@DemiMarie DemiMarie force-pushed the runtime-policy-dir branch from 1d301f4 to 820b383 Compare June 27, 2024 21:48

codecov bot commented Jun 27, 2024

Codecov Report

Attention: Patch coverage is 93.33333% with 8 lines in your changes missing coverage. Please review.

Project coverage is 78.08%. Comparing base (60b54a6) to head (966e383).
Report is 17 commits behind head on main.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| qrexec/policy/parser.py | 89.47% | 4 Missing ⚠️ |
| qrexec/tools/qrexec_policy_daemon.py | 33.33% | 2 Missing ⚠️ |
| qrexec/tools/qrexec_legacy_convert.py | 0.00% | 1 Missing ⚠️ |
| qrexec/tools/qrexec_policy_exec.py | 83.33% | 1 Missing ⚠️ |

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #134      +/-   ##
==========================================
+ Coverage   77.99%   78.08%   +0.09%     
==========================================
  Files          54       54              
  Lines        9664     9718      +54     
==========================================
+ Hits         7537     7588      +51     
- Misses       2127     2130       +3     


@marmarek
Member

A conflict on tests...

This allows multiple directories to contain qrexec policy, which allows
for transient policy that disappears on reboot.

Fixes: QubesOS/qubes-issues#8513

This avoids a deprecation warning from pylint.  Also fix an incorrect
comment.
@qubesos-bot

qubesos-bot commented Jul 3, 2024

OpenQA test summary

Complete test suite and dependencies: https://openqa.qubes-os.org/tests/overview?distri=qubesos&version=4.3&build=2024072115-4.3&flavor=pull-requests

Test run included the following:

New failures, excluding unstable

Compared to: https://openqa.qubes-os.org/tests/overview?distri=qubesos&version=4.3&build=2024070519-4.3&flavor=update

Failed tests

63 failures

Fixed failures

Compared to: https://openqa.qubes-os.org/tests/105374#dependencies

4 fixed

Unstable tests

Member

@marmarek marmarek left a comment

This PR is okay, but there needs to be a matching documentation update, especially including info about the extra directory, precedence order, behavior of same-named files, and how include interacts with it.

@marmarek
Member

ping (doc update)?

@DemiMarie
Contributor Author

@marmarek marmarek merged commit 692209c into QubesOS:main Sep 25, 2024
4 checks passed
@DemiMarie DemiMarie deleted the runtime-policy-dir branch September 26, 2024 00:05
Successfully merging this pull request may close these issues.

Provide a directory in /run for temporary qrexec policy
4 participants