Rip out qubes-rpc-multiplexer #141
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
DemiMarie
force-pushed
the
no-multiplexer
branch
4 times, most recently
from
189d832 to
b4a2de9
Compare
DemiMarie
force-pushed
the
no-multiplexer
branch
3 times, most recently
from
3de2f4b to
39f909f
Compare
DemiMarie
force-pushed
the
no-multiplexer
branch
from
39f909f to
2291280
Compare
DemiMarie
force-pushed
the
no-multiplexer
branch
3 times, most recently
from
9f69888 to
a4de39f
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #141 +/- ##
==========================================
- Coverage 79.01% 78.87% -0.14%
==========================================
Files 54 55 +1
Lines 9732 9839 +107
==========================================
+ Hits 7690 7761 +71
- Misses 2042 2078 +36
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
DemiMarie
changed the title
Merged
DemiMarie
force-pushed
the
no-multiplexer
branch
from
b7502bc to
b4d7ed6
Compare
OpenQA test summaryComplete test suite and dependencies: https://openqa.qubes-os.org/tests/overview?distri=qubesos&version=4.3&build=2024092617-4.3&flavor=pull-requests Test run included the following:
New failures, excluding unstableCompared to: https://openqa.qubes-os.org/tests/overview?distri=qubesos&version=4.3&build=2024070519-4.3&flavor=update
Failed tests61 failures
Fixed failuresCompared to: https://openqa.qubes-os.org/tests/105374#dependencies 9 fixed
Unstable tests
|
This was referenced Jun 28, 2024
|
Ugh, upgrade will require a bit more care. Right now, just after upgrading dom0, qrexec calls (to dom0) fails for currently running VMs: Release upgrade script will need to handle this case. |
6 tasks
|
Maybe keep the script in repo, and remove only later (R4.4?) ? |
Have Keeping it present (but unused) until R4.4 is the simplest option. |
|
ping (not removing the script yet) |
This checks that the RPC multiplexer only allows calls with 2 or 4 arguments and sets environment variables $QREXEC_REQUESTED_TARGET_TYPE, $QREXEC_REQUESTED_TARGET, and $QREXEC_REQUESTED_TARGET_KEYWORD properly. Since it only affects the tests, it can safely be backported to R4.2.
No functional change.
Instead, directly execute the command from C. All variables with names beginning with QREXEC_ are stripped from the environment, except for QREXEC_SERVICE_PATH. This is a change in behavior compared to the current code. This is a backwards-incompatible change to exec_qubes_rpc_if_requested(), which now takes an extra argument. Therefore, it cannot be backported to R4.2. Fixes: QubesOS/qubes-issues#9062
It carries no information, and various parts of the code must strip it. Just omit it from the command entirely. Whether a command is an RPC command should be determined by the service descriptor being non-NULL. Review with "git diff --ignore-space-change".
The previous two changes were ABI breaks.
DemiMarie
force-pushed
the
no-multiplexer
branch
from
b4d7ed6 to
03c5257
Compare
This was referenced Sep 26, 2024
marmarek
requested changes
Sep 27, 2024
There was a problem hiding this comment.
I'm not sure what changed since last test, but now running services as root (or more likely - non-default user that don't use fork-server) fails due to SELinux:
user@dom0:~$ qvm-run -p --service sys-net qubes.GetDate; echo $?
2024-09-27T04:31:15+00:00
0
user@dom0:~$ qvm-run -p -u root --service sys-net qubes.GetDate; echo $?
125
user@dom0:~$ qvm-run -p sys-net sudo dmesg|grep denied
[ 18.800469] audit: type=1400 audit(1727411218.085:96): avc: denied { entrypoint } for pid=739 comm="qrexec-agent" path="/etc/qubes-rpc/qubes.GetDate" dev="xvda3" ino=971559 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
Two options:
Is option 1 okay with you? It would require a relabel when the user upgrades. |
|
Yes, option 1 sounds fine. I think there is some rpm magic handling relabeling automatically already. |
That only works for TemplateVMs, not |
Right... I guess we need something like policy version flag in |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Instead, directly execute the command from C.
All variables with names beginning with
QREXEC_are stripped from the environment, except forQREXEC_SERVICE_PATH. This is a change in behavior compared to the current code.This is a backwards-incompatible change to
exec_qubes_rpc_if_requested(), which now takes an extra argument and is renamedexec_qubes_rpc(). Therefore, it cannot be backported to R4.2.Fixes: QubesOS/qubes-issues#9062