Merge remote-tracking branch 'origin/pull/90/head' into core3-devel

This commit is contained in:
Wojtek Porczyk 2017-03-02 13:19:57 +01:00
commit 4a247b1b1b
12 changed files with 318 additions and 174 deletions

View File

@ -290,11 +290,11 @@ case "$command" in
# Commit template changes # Commit template changes
domain=$(cat "$HOTPLUG_STORE-domain") domain=$(cat "$HOTPLUG_STORE-domain")
if [ "$domain" ]; then if [ "$domain" ]; then
# Dont stop on errors
if [ -r /var/lib/qubes/qubes-test.xml -a \ if [ -r /var/lib/qubes/qubes-test.xml -a \
"${domain#test-}" != "$domain" ]; then "${domain#test-}" != "$domain" ]; then
export QUBES_XML_PATH=/var/lib/qubes/qubes-test.xml export QUBES_XML_PATH=/var/lib/qubes/qubes-test.xml
fi fi
# Dont stop on errors
/usr/bin/qvm-template-commit --offline-mode "$domain" || true /usr/bin/qvm-template-commit --offline-mode "$domain" || true
fi fi
fi fi

View File

@ -306,6 +306,8 @@ class property(object): # pylint: disable=redefined-builtin,invalid-name
return NotImplemented return NotImplemented
def __eq__(self, other): def __eq__(self, other):
if isinstance(other, str):
return self.__name__ == other
return isinstance(other, property) and self.__name__ == other.__name__ return isinstance(other, property) and self.__name__ == other.__name__

View File

@ -22,8 +22,8 @@
from __future__ import unicode_literals from __future__ import unicode_literals
import itertools import itertools
import logging import logging
import functools import functools
import termios
from qubes.utils import size_to_human from qubes.utils import size_to_human
import sys import sys
@ -44,6 +44,7 @@ import qubes
import qubes.core2migration import qubes.core2migration
import qubes.storage import qubes.storage
import qubes.storage.file import qubes.storage.file
import qubes.vm.templatevm
QUEUE_ERROR = "ERROR" QUEUE_ERROR = "ERROR"
@ -51,18 +52,23 @@ QUEUE_FINISHED = "FINISHED"
HEADER_FILENAME = 'backup-header' HEADER_FILENAME = 'backup-header'
DEFAULT_CRYPTO_ALGORITHM = 'aes-256-cbc' DEFAULT_CRYPTO_ALGORITHM = 'aes-256-cbc'
DEFAULT_HMAC_ALGORITHM = 'SHA512' # 'scrypt' is not exactly HMAC algorithm, but a tool we use to
# integrity-protect the data
DEFAULT_HMAC_ALGORITHM = 'scrypt'
DEFAULT_COMPRESSION_FILTER = 'gzip' DEFAULT_COMPRESSION_FILTER = 'gzip'
CURRENT_BACKUP_FORMAT_VERSION = '4' CURRENT_BACKUP_FORMAT_VERSION = '4'
# Maximum size of error message get from process stderr (including VM process) # Maximum size of error message get from process stderr (including VM process)
MAX_STDERR_BYTES = 1024 MAX_STDERR_BYTES = 1024
# header + qubes.xml max size # header + qubes.xml max size
HEADER_QUBES_XML_MAX_SIZE = 1024 * 1024 HEADER_QUBES_XML_MAX_SIZE = 1024 * 1024
# hmac file max size - regardless of backup format version!
HMAC_MAX_SIZE = 4096
BLKSIZE = 512 BLKSIZE = 512
_re_alphanum = re.compile(r'^[A-Za-z0-9-]*$') _re_alphanum = re.compile(r'^[A-Za-z0-9-]*$')
class BackupCanceledError(qubes.exc.QubesException): class BackupCanceledError(qubes.exc.QubesException):
def __init__(self, msg, tmpdir=None): def __init__(self, msg, tmpdir=None):
super(BackupCanceledError, self).__init__(msg) super(BackupCanceledError, self).__init__(msg)
@ -219,6 +225,63 @@ class SendWorker(Process):
self.log.debug("Finished sending thread") self.log.debug("Finished sending thread")
def launch_proc_with_pty(args, stdin=None, stdout=None, stderr=None, echo=True):
"""Similar to pty.fork, but handle stdin/stdout according to parameters
instead of connecting to the pty
:return tuple (subprocess.Popen, pty_master)
"""
def set_ctty(ctty_fd, master_fd):
os.setsid()
os.close(master_fd)
fcntl.ioctl(ctty_fd, termios.TIOCSCTTY, 0)
if not echo:
termios_p = termios.tcgetattr(ctty_fd)
# termios_p.c_lflags
termios_p[3] &= ~termios.ECHO
termios.tcsetattr(ctty_fd, termios.TCSANOW, termios_p)
(pty_master, pty_slave) = os.openpty()
p = subprocess.Popen(args, stdin=stdin, stdout=stdout, stderr=stderr,
preexec_fn=lambda: set_ctty(pty_slave, pty_master))
os.close(pty_slave)
return p, os.fdopen(pty_master, 'wb+', buffering=0)
def launch_scrypt(action, input_name, output_name, passphrase):
'''
Launch 'scrypt' process, pass passphrase to it and return
subprocess.Popen object.
:param action: 'enc' or 'dec'
:param input_name: input path or '-' for stdin
:param output_name: output path or '-' for stdout
:param passphrase: passphrase
:return: subprocess.Popen object
'''
command_line = ['scrypt', action, input_name, output_name]
(p, pty) = launch_proc_with_pty(command_line,
stdin=subprocess.PIPE if input_name == '-' else None,
stdout=subprocess.PIPE if output_name == '-' else None,
stderr=subprocess.PIPE,
echo=False)
if action == 'enc':
prompts = (b'Please enter passphrase: ', b'Please confirm passphrase: ')
else:
prompts = (b'Please enter passphrase: ',)
for prompt in prompts:
actual_prompt = p.stderr.read(len(prompt))
if actual_prompt != prompt:
raise qubes.exc.QubesException(
'Unexpected prompt from scrypt: {}'.format(actual_prompt))
pty.write(passphrase.encode('utf-8') + b'\n')
pty.flush()
# save it here, so garbage collector would not close it (which would kill
# the child)
p.pty = pty
return p
class Backup(object): class Backup(object):
class FileToBackup(object): class FileToBackup(object):
def __init__(self, file_path, subdir=None, name=None): def __init__(self, file_path, subdir=None, name=None):
@ -489,15 +552,18 @@ class Backup(object):
backup_id=self.backup_id, backup_id=self.backup_id,
) )
backup_header.save(header_file_path) backup_header.save(header_file_path)
# Start encrypt, scrypt will also handle integrity
# protection
scrypt_passphrase = u'{filename}!{passphrase}'.format(
filename=HEADER_FILENAME, passphrase=self.passphrase)
scrypt = launch_scrypt(
'enc', header_file_path, header_file_path + '.hmac',
scrypt_passphrase)
hmac = subprocess.Popen( if scrypt.wait() != 0:
["openssl", "dgst", "-" + self.hmac_algorithm,
"-hmac", self.passphrase],
stdin=open(header_file_path, "r"),
stdout=open(header_file_path + ".hmac", "w"))
if hmac.wait() != 0:
raise qubes.exc.QubesException( raise qubes.exc.QubesException(
"Failed to compute hmac of header file") "Failed to compute hmac of header file: "
+ scrypt.stderr.read())
return HEADER_FILENAME, HEADER_FILENAME + ".hmac" return HEADER_FILENAME, HEADER_FILENAME + ".hmac"
@ -556,6 +622,7 @@ class Backup(object):
passio_popen=True, passio_stderr=True) passio_popen=True, passio_stderr=True)
vmproc.stdin.write((self.target_dir. vmproc.stdin.write((self.target_dir.
replace("\r", "").replace("\n", "") + "\n").encode()) replace("\r", "").replace("\n", "") + "\n").encode())
vmproc.stdin.flush()
backup_stdout = vmproc.stdin backup_stdout = vmproc.stdin
self.processes_to_kill_on_cancel.append(vmproc) self.processes_to_kill_on_cancel.append(vmproc)
else: else:
@ -639,7 +706,7 @@ class Backup(object):
# also use our tar writer when renaming file # also use our tar writer when renaming file
assert not stat.S_ISDIR(file_stat.st_mode),\ assert not stat.S_ISDIR(file_stat.st_mode),\
"Renaming directories not supported" "Renaming directories not supported"
tar_cmdline = ['python', '-m', 'qubes.tarwriter', tar_cmdline = ['python3', '-m', 'qubes.tarwriter',
'--override-name=%s' % ( '--override-name=%s' % (
os.path.join(file_info.subdir, os.path.basename( os.path.join(file_info.subdir, os.path.basename(
file_info.name))), file_info.name))),
@ -651,75 +718,53 @@ class Backup(object):
self.log.debug(" ".join(tar_cmdline)) self.log.debug(" ".join(tar_cmdline))
# Tips: Popen(bufsize=0) # Pipe: tar-sparse | scrypt | tar | backup_target
# Pipe: tar-sparse | encryptor [| hmac] | tar | backup_target
# Pipe: tar-sparse [| hmac] | tar | backup_target
# TODO: log handle stderr # TODO: log handle stderr
tar_sparse = subprocess.Popen( tar_sparse = subprocess.Popen(
tar_cmdline, stdin=subprocess.PIPE) tar_cmdline)
self.processes_to_kill_on_cancel.append(tar_sparse) self.processes_to_kill_on_cancel.append(tar_sparse)
# Wait for compressor (tar) process to finish or for any # Wait for compressor (tar) process to finish or for any
# error of other subprocesses # error of other subprocesses
i = 0 i = 0
pipe = open(backup_pipe, 'rb')
run_error = "paused" run_error = "paused"
encryptor = None
if self.encrypted:
# Start encrypt
# If no cipher is provided,
# the data is forwarded unencrypted !!!
encryptor = subprocess.Popen([
"openssl", "enc",
"-e", "-" + self.crypto_algorithm,
"-pass", "pass:" + passphrase],
stdin=open(backup_pipe, 'rb'),
stdout=subprocess.PIPE)
pipe = encryptor.stdout
else:
pipe = open(backup_pipe, 'rb')
while run_error == "paused": while run_error == "paused":
# Start HMAC
hmac = subprocess.Popen([
"openssl", "dgst", "-" + self.hmac_algorithm,
"-hmac", passphrase],
stdin=subprocess.PIPE,
stdout=subprocess.PIPE)
# Prepare a first chunk # Prepare a first chunk
chunkfile = backup_tempfile + "." + "%03d" % i chunkfile = backup_tempfile + ".%03d.enc" % i
i += 1 i += 1
chunkfile_p = open(chunkfile, 'wb')
# Start encrypt, scrypt will also handle integrity
# protection
scrypt_passphrase = \
u'{backup_id}!{filename}!{passphrase}'.format(
backup_id=self.backup_id,
filename=os.path.relpath(chunkfile[:-4],
self.tmpdir),
passphrase=self.passphrase)
scrypt = launch_scrypt(
"enc", "-", chunkfile, scrypt_passphrase)
run_error = handle_streams( run_error = handle_streams(
pipe, pipe,
{'hmac_data': hmac.stdin, {'backup_target': scrypt.stdin},
'backup_target': chunkfile_p, {'vmproc': vmproc,
},
{'hmac': hmac,
'vmproc': vmproc,
'addproc': tar_sparse, 'addproc': tar_sparse,
'streamproc': encryptor, 'scrypt': scrypt,
}, },
self.chunk_size, self.chunk_size,
self._add_vm_progress self._add_vm_progress
) )
chunkfile_p.close()
self.log.debug( self.log.debug(
"12 returned: {}".format(run_error)) "Wait_backup_feedback returned: {}".format(run_error))
if self.canceled: if self.canceled:
try: try:
tar_sparse.terminate() tar_sparse.terminate()
except OSError: except OSError:
pass pass
try:
hmac.terminate()
except OSError:
pass
tar_sparse.wait() tar_sparse.wait()
hmac.wait()
to_send.put(QUEUE_ERROR) to_send.put(QUEUE_ERROR)
send_proc.join() send_proc.join()
shutil.rmtree(self.tmpdir) shutil.rmtree(self.tmpdir)
@ -735,29 +780,16 @@ class Backup(object):
"Failed to perform backup: error in " + "Failed to perform backup: error in " +
run_error) run_error)
scrypt.stdin.close()
scrypt.wait()
self.log.debug("scrypt return code: {}".format(
scrypt.poll()))
# Send the chunk to the backup target # Send the chunk to the backup target
self._queue_put_with_check( self._queue_put_with_check(
send_proc, vmproc, to_send, send_proc, vmproc, to_send,
os.path.relpath(chunkfile, self.tmpdir)) os.path.relpath(chunkfile, self.tmpdir))
# Close HMAC
hmac.stdin.close()
hmac.wait()
self.log.debug("HMAC proc return code: {}".format(
hmac.poll()))
# Write HMAC data next to the chunk file
hmac_data = hmac.stdout.read()
self.log.debug(
"Writing hmac to {}.hmac".format(chunkfile))
with open(chunkfile + ".hmac", 'w') as hmac_file:
hmac_file.write(hmac_data)
# Send the HMAC to the backup target
self._queue_put_with_check(
send_proc, vmproc, to_send,
os.path.relpath(chunkfile, self.tmpdir) + ".hmac")
if tar_sparse.poll() is None or run_error == "size_limit": if tar_sparse.poll() is None or run_error == "size_limit":
run_error = "paused" run_error = "paused"
else: else:
@ -951,7 +983,6 @@ class ExtractWorker2(Process):
try: try:
self.__run__() self.__run__()
except Exception as e: except Exception as e:
exc_type, exc_value, exc_traceback = sys.exc_info()
# Cleanup children # Cleanup children
for process in [self.decompressor_process, for process in [self.decompressor_process,
self.decryptor_process, self.decryptor_process,
@ -962,7 +993,7 @@ class ExtractWorker2(Process):
except OSError: except OSError:
pass pass
process.wait() process.wait()
self.log.error("ERROR: " + unicode(e)) self.log.error("ERROR: " + str(e))
raise raise
def handle_dir_relocations(self, dirname): def handle_dir_relocations(self, dirname):
@ -1100,12 +1131,6 @@ class ExtractWorker2(Process):
'vmproc': self.vmproc, 'vmproc': self.vmproc,
'addproc': self.tar2_process, 'addproc': self.tar2_process,
} }
common_args = {
'backup_target': pipe,
'hmac': None,
'vmproc': self.vmproc,
'addproc': self.tar2_process
}
if self.encrypted: if self.encrypted:
# Start decrypt # Start decrypt
self.decryptor_process = subprocess.Popen( self.decryptor_process = subprocess.Popen(
@ -1333,9 +1358,12 @@ def get_supported_hmac_algo(hmac_algorithm=None):
# Start with provided default # Start with provided default
if hmac_algorithm: if hmac_algorithm:
yield hmac_algorithm yield hmac_algorithm
if hmac_algorithm != 'scrypt':
yield 'scrypt'
proc = subprocess.Popen(['openssl', 'list-message-digest-algorithms'], proc = subprocess.Popen(['openssl', 'list-message-digest-algorithms'],
stdout=subprocess.PIPE) stdout=subprocess.PIPE)
for algo in proc.stdout.readlines(): for algo in proc.stdout.readlines():
algo = algo.decode('ascii')
if '=>' in algo: if '=>' in algo:
continue continue
yield algo.strip() yield algo.strip()
@ -1504,10 +1532,13 @@ class BackupRestore(object):
vmproc = self.backup_vm.run_service('qubes.Restore', vmproc = self.backup_vm.run_service('qubes.Restore',
passio_popen=True, passio_stderr=True) passio_popen=True, passio_stderr=True)
vmproc.stdin.write( vmproc.stdin.write(
self.backup_location.replace("\r", "").replace("\n", "") + "\n") (self.backup_location.replace("\r", "").replace("\n",
"") + "\n").encode())
vmproc.stdin.flush()
# Send to tar2qfile the VMs that should be extracted # Send to tar2qfile the VMs that should be extracted
vmproc.stdin.write(" ".join(filelist) + "\n") vmproc.stdin.write((" ".join(filelist) + "\n").encode())
vmproc.stdin.flush()
self.processes_to_kill_on_cancel.append(vmproc) self.processes_to_kill_on_cancel.append(vmproc)
backup_stdin = vmproc.stdout backup_stdin = vmproc.stdout
@ -1552,6 +1583,9 @@ class BackupRestore(object):
def _verify_hmac(self, filename, hmacfile, algorithm=None): def _verify_hmac(self, filename, hmacfile, algorithm=None):
def load_hmac(hmac_text): def load_hmac(hmac_text):
if any(ord(x) not in range(128) for x in hmac_text):
raise qubes.exc.QubesException(
"Invalid content of {}".format(hmacfile))
hmac_text = hmac_text.strip().split("=") hmac_text = hmac_text.strip().split("=")
if len(hmac_text) > 1: if len(hmac_text) > 1:
hmac_text = hmac_text[1].strip() hmac_text = hmac_text[1].strip()
@ -1565,11 +1599,28 @@ class BackupRestore(object):
passphrase = self.passphrase.encode('utf-8') passphrase = self.passphrase.encode('utf-8')
self.log.debug("Verifying file {}".format(filename)) self.log.debug("Verifying file {}".format(filename))
if os.stat(os.path.join(self.tmpdir, hmacfile)).st_size > \
HMAC_MAX_SIZE:
raise qubes.exc.QubesException('HMAC file {} too large'.format(
hmacfile))
if hmacfile != filename + ".hmac": if hmacfile != filename + ".hmac":
raise qubes.exc.QubesException( raise qubes.exc.QubesException(
"ERROR: expected hmac for {}, but got {}". "ERROR: expected hmac for {}, but got {}".
format(filename, hmacfile)) format(filename, hmacfile))
if algorithm == 'scrypt':
# in case of 'scrypt' _verify_hmac is only used for backup header
assert filename == HEADER_FILENAME
self._verify_and_decrypt(hmacfile, HEADER_FILENAME + '.dec')
if open(os.path.join(self.tmpdir, filename), 'rb').read() != \
open(os.path.join(self.tmpdir, filename + '.dec'),
'rb').read():
raise qubes.exc.QubesException(
'Invalid hmac on {}'.format(filename))
else:
return True
hmac_proc = subprocess.Popen( hmac_proc = subprocess.Popen(
["openssl", "dgst", "-" + algorithm, "-hmac", passphrase], ["openssl", "dgst", "-" + algorithm, "-hmac", passphrase],
stdin=open(os.path.join(self.tmpdir, filename), 'rb'), stdin=open(os.path.join(self.tmpdir, filename), 'rb'),
@ -1582,7 +1633,7 @@ class BackupRestore(object):
else: else:
self.log.debug("Loading hmac for file {}".format(filename)) self.log.debug("Loading hmac for file {}".format(filename))
hmac = load_hmac(open(os.path.join(self.tmpdir, hmacfile), hmac = load_hmac(open(os.path.join(self.tmpdir, hmacfile),
'r').read()) 'r', encoding='ascii').read())
if len(hmac) > 0 and load_hmac(hmac_stdout.decode('ascii')) == hmac: if len(hmac) > 0 and load_hmac(hmac_stdout.decode('ascii')) == hmac:
os.unlink(os.path.join(self.tmpdir, hmacfile)) os.unlink(os.path.join(self.tmpdir, hmacfile))
@ -1595,6 +1646,80 @@ class BackupRestore(object):
"Is the passphrase correct?". "Is the passphrase correct?".
format(filename, load_hmac(hmac_stdout.decode('ascii')))) format(filename, load_hmac(hmac_stdout.decode('ascii'))))
def _verify_and_decrypt(self, filename, output=None):
assert filename.endswith('.enc') or filename.endswith('.hmac')
fullname = os.path.join(self.tmpdir, filename)
(origname, _) = os.path.splitext(filename)
if output:
fulloutput = os.path.join(self.tmpdir, output)
else:
fulloutput = os.path.join(self.tmpdir, origname)
if origname == HEADER_FILENAME:
passphrase = u'{filename}!{passphrase}'.format(
filename=origname,
passphrase=self.passphrase)
else:
passphrase = u'{backup_id}!{filename}!{passphrase}'.format(
backup_id=self.header_data.backup_id,
filename=origname,
passphrase=self.passphrase)
p = launch_scrypt('dec', fullname, fulloutput, passphrase)
(_, stderr) = p.communicate()
if p.returncode != 0:
os.unlink(fulloutput)
raise qubes.exc.QubesException('failed to decrypt {}: {}'.format(
fullname, stderr))
# encrypted file is no longer needed
os.unlink(fullname)
return origname
def _retrieve_backup_header_files(self, files, allow_none=False):
(retrieve_proc, filelist_pipe, error_pipe) = \
self._start_retrieval_process(
files, len(files), 1024 * 1024)
filelist = filelist_pipe.read()
retrieve_proc_returncode = retrieve_proc.wait()
if retrieve_proc in self.processes_to_kill_on_cancel:
self.processes_to_kill_on_cancel.remove(retrieve_proc)
extract_stderr = error_pipe.read(MAX_STDERR_BYTES)
# wait for other processes (if any)
for proc in self.processes_to_kill_on_cancel:
if proc.wait() != 0:
raise qubes.exc.QubesException(
"Backup header retrieval failed (exit code {})".format(
proc.wait())
)
if retrieve_proc_returncode != 0:
if not filelist and 'Not found in archive' in extract_stderr:
if allow_none:
return None
else:
raise qubes.exc.QubesException(
"unable to read the qubes backup file {0} ({1}): {2}".format(
self.backup_location,
retrieve_proc.wait(),
extract_stderr
))
actual_files = filelist.decode('ascii').splitlines()
if sorted(actual_files) != sorted(files):
raise qubes.exc.QubesException(
'unexpected files in archive: got {!r}, expected {!r}'.format(
actual_files, files
))
for f in files:
if not os.path.exists(os.path.join(self.tmpdir, f)):
if allow_none:
return None
else:
raise qubes.exc.QubesException(
'Unable to retrieve file {} from backup {}: {}'.format(
f, self.backup_location, extract_stderr
)
)
return files
def _retrieve_backup_header(self): def _retrieve_backup_header(self):
"""Retrieve backup header and qubes.xml. Only backup header is """Retrieve backup header and qubes.xml. Only backup header is
analyzed, qubes.xml is left as-is analyzed, qubes.xml is left as-is
@ -1611,82 +1736,47 @@ class BackupRestore(object):
header_data.version = 1 header_data.version = 1
return header_data return header_data
(retrieve_proc, filelist_pipe, error_pipe) = \ header_files = self._retrieve_backup_header_files(
self._start_retrieval_process( ['backup-header', 'backup-header.hmac'], allow_none=True)
['backup-header', 'backup-header.hmac',
'qubes.xml.000', 'qubes.xml.000.hmac'], 4, 1024 * 1024)
expect_tar_error = False if not header_files:
# R2-Beta3 didn't have backup header, so if none is found,
filename = filelist_pipe.readline().strip().decode('ascii') # assume it's version=2 and use values present at that time
hmacfile = filelist_pipe.readline().strip().decode('ascii')
# tar output filename before actually extracting it, so wait for the
# next one before trying to access it
if not self.backup_vm:
filelist_pipe.readline().strip()
self.log.debug("Got backup header and hmac: {}, {}".format(
filename, hmacfile))
if not filename or filename == "EOF" or \
not hmacfile or hmacfile == "EOF":
retrieve_proc.wait()
proc_error_msg = error_pipe.read(MAX_STDERR_BYTES)
raise qubes.exc.QubesException(
"Premature end of archive while receiving "
"backup header. Process output:\n" + proc_error_msg)
file_ok = False
hmac_algorithm = DEFAULT_HMAC_ALGORITHM
for hmac_algo in get_supported_hmac_algo(hmac_algorithm):
try:
if self._verify_hmac(filename, hmacfile, hmac_algo):
file_ok = True
hmac_algorithm = hmac_algo
break
except qubes.exc.QubesException:
# Ignore exception here, try the next algo
pass
if not file_ok:
raise qubes.exc.QubesException(
"Corrupted backup header (hmac verification "
"failed). Is the password correct?")
if os.path.basename(filename) == HEADER_FILENAME:
filename = os.path.join(self.tmpdir, filename)
header_data = BackupHeader(open(filename, 'rb').read())
os.unlink(filename)
else:
# if no header found, create one with guessed HMAC algo
header_data = BackupHeader( header_data = BackupHeader(
version=2, version=2,
hmac_algorithm=hmac_algorithm,
# place explicitly this value, because it is what format_version # place explicitly this value, because it is what format_version
# 2 have # 2 have
hmac_algorithm='SHA1',
crypto_algorithm='aes-256-cbc', crypto_algorithm='aes-256-cbc',
# TODO: set encrypted to something... # TODO: set encrypted to something...
) )
# when tar do not find expected file in archive, it exit with else:
# code 2. This will happen because we've requested backup-header filename = HEADER_FILENAME
# file, but the archive do not contain it. Ignore this particular hmacfile = HEADER_FILENAME + '.hmac'
# error. self.log.debug("Got backup header and hmac: {}, {}".format(
if not self.backup_vm: filename, hmacfile))
expect_tar_error = True
if retrieve_proc.wait() != 0 and not expect_tar_error: file_ok = False
raise qubes.exc.QubesException( hmac_algorithm = DEFAULT_HMAC_ALGORITHM
"unable to read the qubes backup file {0} ({1}): {2}".format( for hmac_algo in get_supported_hmac_algo(hmac_algorithm):
self.backup_location, try:
retrieve_proc.wait(), if self._verify_hmac(filename, hmacfile, hmac_algo):
error_pipe.read(MAX_STDERR_BYTES) file_ok = True
)) break
if retrieve_proc in self.processes_to_kill_on_cancel: except qubes.exc.QubesException as e:
self.processes_to_kill_on_cancel.remove(retrieve_proc) self.log.debug(
# wait for other processes (if any) 'Failed to verify {} using {}: {}'.format(
for proc in self.processes_to_kill_on_cancel: hmacfile, hmac_algo, str(e)))
if proc.wait() != 0: # Ignore exception here, try the next algo
pass
if not file_ok:
raise qubes.exc.QubesException( raise qubes.exc.QubesException(
"Backup header retrieval failed (exit code {})".format( "Corrupted backup header (hmac verification "
proc.wait()) "failed). Is the password correct?")
) filename = os.path.join(self.tmpdir, filename)
header_data = BackupHeader(open(filename, 'rb').read())
os.unlink(filename)
return header_data return header_data
def _start_inner_extraction_worker(self, queue, relocate): def _start_inner_extraction_worker(self, queue, relocate):
@ -1719,6 +1809,9 @@ class BackupRestore(object):
elif format_version in [3, 4]: elif format_version in [3, 4]:
extractor_params['compression_filter'] = \ extractor_params['compression_filter'] = \
self.header_data.compression_filter self.header_data.compression_filter
if format_version == 4:
# encryption already handled
extractor_params['encrypted'] = False
extract_proc = ExtractWorker3(**extractor_params) extract_proc = ExtractWorker3(**extractor_params)
else: else:
raise NotImplementedError( raise NotImplementedError(
@ -1737,7 +1830,14 @@ class BackupRestore(object):
offline_mode=True) offline_mode=True)
return backup_app return backup_app
else: else:
self._verify_hmac("qubes.xml.000", "qubes.xml.000.hmac") if self.header_data.version in [2, 3]:
self._retrieve_backup_header_files(
['qubes.xml.000', 'qubes.xml.000.hmac'])
self._verify_hmac("qubes.xml.000", "qubes.xml.000.hmac")
else:
self._retrieve_backup_header_files(['qubes.xml.000.enc'])
self._verify_and_decrypt('qubes.xml.000.enc')
queue = Queue() queue = Queue()
queue.put("qubes.xml.000") queue.put("qubes.xml.000")
queue.put(QUEUE_FINISHED) queue.put(QUEUE_FINISHED)
@ -1785,6 +1885,7 @@ class BackupRestore(object):
try: try:
filename = None filename = None
hmacfile = None
nextfile = None nextfile = None
while True: while True:
if self.canceled: if self.canceled:
@ -1801,37 +1902,67 @@ class BackupRestore(object):
if nextfile is not None: if nextfile is not None:
filename = nextfile filename = nextfile
else: else:
filename = filelist_pipe.readline().strip() filename = filelist_pipe.readline().decode('ascii').strip()
self.log.debug("Getting new file:" + filename) self.log.debug("Getting new file:" + filename)
if not filename or filename == "EOF": if not filename or filename == "EOF":
break break
hmacfile = filelist_pipe.readline().strip()
if self.canceled:
break
# if reading archive directly with tar, wait for next filename - # if reading archive directly with tar, wait for next filename -
# tar prints filename before processing it, so wait for # tar prints filename before processing it, so wait for
# the next one to be sure that whole file was extracted # the next one to be sure that whole file was extracted
if not self.backup_vm: if not self.backup_vm:
nextfile = filelist_pipe.readline().strip() nextfile = filelist_pipe.readline().decode('ascii').strip()
self.log.debug("Getting hmac:" + hmacfile) if self.header_data.version in [2, 3]:
if not hmacfile or hmacfile == "EOF": if not self.backup_vm:
# Premature end of archive, either of tar1_command or hmacfile = nextfile
# vmproc exited with error nextfile = filelist_pipe.readline().\
break decode('ascii').strip()
else:
hmacfile = filelist_pipe.readline().\
decode('ascii').strip()
if self.canceled:
break
self.log.debug("Getting hmac:" + hmacfile)
if not hmacfile or hmacfile == "EOF":
# Premature end of archive, either of tar1_command or
# vmproc exited with error
break
else: # self.header_data.version == 4
if not filename.endswith('.enc'):
raise qubes.exc.QubesException(
'Invalid file extension found in archive: {}'.
format(filename))
if not any(map(lambda x: filename.startswith(x), vms_dirs)): if not any(map(lambda x: filename.startswith(x), vms_dirs)):
self.log.debug("Ignoring VM not selected for restore") self.log.debug("Ignoring VM not selected for restore")
os.unlink(os.path.join(self.tmpdir, filename)) os.unlink(os.path.join(self.tmpdir, filename))
os.unlink(os.path.join(self.tmpdir, hmacfile)) if hmacfile:
os.unlink(os.path.join(self.tmpdir, hmacfile))
continue continue
if self._verify_hmac(filename, hmacfile): if self.header_data.version in [2, 3]:
to_extract.put(os.path.join(self.tmpdir, filename)) self._verify_hmac(filename, hmacfile)
else:
# _verify_and_decrypt will write output to a file with
# '.enc' extension cut off. This is safe because:
# - `scrypt` tool will override output, so if the file was
# already there (received from the VM), it will be removed
# - incoming archive extraction will refuse to override
# existing file, so if `scrypt` already created one,
# it can not be manipulated by the VM
# - when the file is retrieved from the VM, it appears at
# the final form - if it's visible, VM have no longer
# influence over its content
#
# This all means that if the file was correctly verified
# + decrypted, we will surely access the right file
filename = self._verify_and_decrypt(filename)
to_extract.put(os.path.join(self.tmpdir, filename))
if self.canceled: if self.canceled:
raise BackupCanceledError("Restore canceled", raise BackupCanceledError("Restore canceled",

View File

@ -112,7 +112,7 @@ class QubesMgmt(object):
@not_in_api @not_in_api
def fire_event_for_permission(self, **kwargs): def fire_event_for_permission(self, **kwargs):
return self.src.fire_event_pre('mgmt-permission:{}'.format(self.method), return self.src.fire_event_pre('mgmt-permission:{}'.format(self.method),
self.dest, self.arg, **kwargs) dest=self.dest, arg=self.arg, **kwargs)
@not_in_api @not_in_api
def fire_event_for_filter(self, iterable, **kwargs): def fire_event_for_filter(self, iterable, **kwargs):
@ -138,7 +138,7 @@ class QubesMgmt(object):
domains = self.fire_event_for_filter(self.app.domains) domains = self.fire_event_for_filter(self.app.domains)
return ''.join('{} class={} state={}\n'.format( return ''.join('{} class={} state={}\n'.format(
self.repr(vm), vm.name,
vm.__class__.__name__, vm.__class__.__name__,
vm.get_power_state()) vm.get_power_state())
for vm in sorted(domains)) for vm in sorted(domains))

View File

@ -55,7 +55,7 @@ class DomainPool(Pool):
# /qubes-block-devices/foo/{desc,mode,size} we need to merge this # /qubes-block-devices/foo/{desc,mode,size} we need to merge this
devices = {} devices = {}
for untrusted_device_path in untrusted_qubes_devices: for untrusted_device_path in untrusted_qubes_devices:
if not all(c in safe_set for c in untrusted_device_path): if not all(chr(c) in safe_set for c in untrusted_device_path):
msg = ("%s vm's device path name contains unsafe characters. " msg = ("%s vm's device path name contains unsafe characters. "
"Skipping it.") "Skipping it.")
self.vm.log.warning(msg % self.vm.name) self.vm.log.warning(msg % self.vm.name)
@ -63,7 +63,8 @@ class DomainPool(Pool):
# name can be trusted because it was checked as a part of # name can be trusted because it was checked as a part of
# untrusted_device_path check above # untrusted_device_path check above
_, _, name, untrusted_atr = untrusted_device_path.split('/', 4) _, _, name, untrusted_atr = untrusted_device_path.\
decode('ascii').split('/', 4)
if untrusted_atr in allowed_attributes.keys(): if untrusted_atr in allowed_attributes.keys():
atr = untrusted_atr atr = untrusted_atr
@ -75,8 +76,8 @@ class DomainPool(Pool):
untrusted_value = qdb.read(untrusted_device_path) untrusted_value = qdb.read(untrusted_device_path)
allowed_characters = allowed_attributes[atr] allowed_characters = allowed_attributes[atr]
if all(c in allowed_characters for c in untrusted_value): if all(chr(c) in allowed_characters for c in untrusted_value):
value = untrusted_value value = untrusted_value.decode('ascii')
else: else:
msg = ("{!s} vm's device path {!s} contains unsafe characters") msg = ("{!s} vm's device path {!s} contains unsafe characters")
self.vm.log.error(msg.format(self.vm.name, atr)) self.vm.log.error(msg.format(self.vm.name, atr))

View File

@ -523,7 +523,8 @@ class SystemTestsMixin(object):
label='black') label='black')
for name, volume in template_vm.volumes.items(): for name, volume in template_vm.volumes.items():
if volume.pool != template.volumes[name].pool: if volume.pool != template.volumes[name].pool:
template_vm.storage.init_volume(name, volume.config) template_vm.storage.init_volume(name,
template.volumes[name].config)
self.app.default_template = template_vm self.app.default_template = template_vm
def init_networking(self): def init_networking(self):
@ -699,7 +700,7 @@ class SystemTestsMixin(object):
try: try:
cls.remove_vms(vm for vm in qubes.Qubes(xmlpath).domains cls.remove_vms(vm for vm in qubes.Qubes(xmlpath).domains
if vm.name.startswith(prefix)) if vm.name.startswith(prefix))
except qubes.exc.QubesException: except (qubes.exc.QubesException, lxml.etree.XMLSyntaxError):
# If qubes-test.xml is broken that much it doesn't even load, # If qubes-test.xml is broken that much it doesn't even load,
# simply remove it. VMs will be cleaned up the hard way. # simply remove it. VMs will be cleaned up the hard way.
# TODO logging? # TODO logging?

View File

@ -111,6 +111,7 @@ class TC_00_DeviceCollection(qubes.tests.QubesTestCase):
def test_013_list_attached_persistent(self): def test_013_list_attached_persistent(self):
self.assertEqual(set([]), set(self.collection.attached())) self.assertEqual(set([]), set(self.collection.attached()))
self.assertEventFired(self.emitter, 'device-list-attached:testclass')
self.collection.attach(self.device) self.collection.attach(self.device)
self.assertEqual({self.device}, set(self.collection.attached())) self.assertEqual({self.device}, set(self.collection.attached()))
self.assertEqual({self.device}, self.assertEqual({self.device},
@ -128,9 +129,11 @@ class TC_00_DeviceCollection(qubes.tests.QubesTestCase):
set(self.collection.attached(persistent=True))) set(self.collection.attached(persistent=True)))
self.assertEqual({self.device}, self.assertEqual({self.device},
set(self.collection.attached(persistent=False))) set(self.collection.attached(persistent=False)))
self.assertEventFired(self.emitter, 'device-list-attached:testclass')
def test_015_list_available(self): def test_015_list_available(self):
self.assertEqual({self.device}, set(self.collection)) self.assertEqual({self.device}, set(self.collection))
self.assertEventFired(self.emitter, 'device-list:testclass')
class TC_01_DeviceManager(qubes.tests.QubesTestCase): class TC_01_DeviceManager(qubes.tests.QubesTestCase):

View File

@ -508,7 +508,7 @@ class TC_10_BackupVMMixin(BackupTestsMixin):
p = self.backupvm.run("ls /var/tmp/backup*/qubes-backup*", p = self.backupvm.run("ls /var/tmp/backup*/qubes-backup*",
passio_popen=True) passio_popen=True)
(backup_path, _) = p.communicate() (backup_path, _) = p.communicate()
backup_path = backup_path.strip() backup_path = backup_path.decode().strip()
self.restore_backup(source=backup_path, self.restore_backup(source=backup_path,
appvm=self.backupvm) appvm=self.backupvm)

View File

@ -970,6 +970,7 @@ class TC_00_AppVMMixin(qubes.tests.SystemTestsMixin):
# now free the fragmented memory and trigger compaction # now free the fragmented memory and trigger compaction
alloc1.stdin.write(b"\n") alloc1.stdin.write(b"\n")
alloc1.stdin.flush()
alloc1.wait() alloc1.wait()
self.testvm1.run("echo 1 > /proc/sys/vm/compact_memory", user="root") self.testvm1.run("echo 1 > /proc/sys/vm/compact_memory", user="root")
@ -1006,9 +1007,11 @@ class TC_00_AppVMMixin(qubes.tests.SystemTestsMixin):
class TC_10_Generic(qubes.tests.SystemTestsMixin, qubes.tests.QubesTestCase): class TC_10_Generic(qubes.tests.SystemTestsMixin, qubes.tests.QubesTestCase):
def setUp(self): def setUp(self):
super(TC_10_Generic, self).setUp() super(TC_10_Generic, self).setUp()
self.init_default_template()
self.vm = self.app.add_new_vm( self.vm = self.app.add_new_vm(
qubes.vm.appvm.AppVM, qubes.vm.appvm.AppVM,
name=self.make_vm_name('vm'), name=self.make_vm_name('vm'),
label='red',
template=self.app.default_template) template=self.app.default_template)
self.vm.create_on_disk() self.vm.create_on_disk()
self.save_and_reload_db() self.save_and_reload_db()
@ -1029,7 +1032,7 @@ class TC_10_Generic(qubes.tests.SystemTestsMixin, qubes.tests.QubesTestCase):
f.write('echo service output\n') f.write('echo service output\n')
self.addCleanup(os.unlink, "/etc/qubes-rpc/test.AnyvmDeny") self.addCleanup(os.unlink, "/etc/qubes-rpc/test.AnyvmDeny")
self.vm.start(verbose=False) self.vm.start()
p = self.vm.run("/usr/lib/qubes/qrexec-client-vm dom0 test.AnyvmDeny", p = self.vm.run("/usr/lib/qubes/qrexec-client-vm dom0 test.AnyvmDeny",
passio_popen=True, passio_stderr=True) passio_popen=True, passio_stderr=True)
(stdout, stderr) = p.communicate() (stdout, stderr) = p.communicate()

View File

@ -4,6 +4,7 @@ import asyncio
import functools import functools
import io import io
import os import os
import shutil
import signal import signal
import struct import struct
import traceback import traceback
@ -18,7 +19,7 @@ QUBESD_SOCK = '/var/run/qubesd.sock'
class QubesDaemonProtocol(asyncio.Protocol): class QubesDaemonProtocol(asyncio.Protocol):
buffer_size = 65536 buffer_size = 65536
header = struct.Struct('!H') header = struct.Struct('Bx')
def __init__(self, *args, app, debug=False, **kwargs): def __init__(self, *args, app, debug=False, **kwargs):
super().__init__(*args, **kwargs) super().__init__(*args, **kwargs)
@ -162,6 +163,7 @@ def main(args=None):
old_umask = os.umask(0o007) old_umask = os.umask(0o007)
server = loop.run_until_complete(loop.create_unix_server( server = loop.run_until_complete(loop.create_unix_server(
functools.partial(QubesDaemonProtocol, app=args.app), QUBESD_SOCK)) functools.partial(QubesDaemonProtocol, app=args.app), QUBESD_SOCK))
shutil.chown(QUBESD_SOCK, group='qubes')
os.umask(old_umask) os.umask(old_umask)
del old_umask del old_umask

View File

@ -536,7 +536,7 @@ class QubesVM(qubes.vm.mix.net.NetVMMixin, qubes.vm.BaseVM):
result += [volume] result += [volume]
break break
return result + self.volumes.values() return result + list(self.volumes.values())
@property @property
def libvirt_domain(self): def libvirt_domain(self):

View File

@ -86,6 +86,7 @@ Requires: gnome-packagekit
Requires: cronie Requires: cronie
Requires: bsdtar Requires: bsdtar
Requires: python3-jinja2 Requires: python3-jinja2
Requires: scrypt
# for qubes-hcl-report # for qubes-hcl-report
Requires: dmidecode Requires: dmidecode
Requires: PyQt4 Requires: PyQt4