From 5d0a2fe463a6058fc6bc11e755ae390a13120100 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
Date: Sun, 6 Aug 2017 12:50:17 +0200
Subject: [PATCH] Add default policy for qubes.VMRootShell service

---
 Makefile | 1 +
 qubes-rpc-policy/qubes.VMRootShell.policy | 21 +++++++++++++++++++++
 rpm_spec/core-dom0.spec | 1 +
 3 files changed, 23 insertions(+)
 create mode 100644 qubes-rpc-policy/qubes.VMRootShell.policy

diff --git a/Makefile b/Makefile
index ccf17a59..e219888b 100644
--- a/Makefile
+++ b/Makefile
@@ -157,6 +157,7 @@ endif
 cp qubes-rpc-policy/qubes.OpenInVM.policy $(DESTDIR)/etc/qubes-rpc/policy/qubes.OpenInVM
 cp qubes-rpc-policy/qubes.OpenURL.policy $(DESTDIR)/etc/qubes-rpc/policy/qubes.OpenURL
 cp qubes-rpc-policy/qubes.VMShell.policy $(DESTDIR)/etc/qubes-rpc/policy/qubes.VMShell
+ cp qubes-rpc-policy/qubes.VMRootShell.policy $(DESTDIR)/etc/qubes-rpc/policy/qubes.VMRootShell
 cp qubes-rpc-policy/qubes.NotifyUpdates.policy $(DESTDIR)/etc/qubes-rpc/policy/qubes.NotifyUpdates
 cp qubes-rpc-policy/qubes.NotifyTools.policy $(DESTDIR)/etc/qubes-rpc/policy/qubes.NotifyTools
 cp qubes-rpc-policy/qubes.GetImageRGBA.policy $(DESTDIR)/etc/qubes-rpc/policy/qubes.GetImageRGBA
diff --git a/qubes-rpc-policy/qubes.VMRootShell.policy b/qubes-rpc-policy/qubes.VMRootShell.policy
new file mode 100644
index 00000000..4b62923f
--- /dev/null
+++ b/qubes-rpc-policy/qubes.VMRootShell.policy
@@ -0,0 +1,21 @@
+## Note that policy parsing stops at the first match.
+## Add ",user=root" to any ask or allow rules.
+
+## Please use a single # to start your custom comments
+
+$anyvm $anyvm deny
+
+# WARNING: The qubes.VMRootShell service is dangerous and there are really few
+# cases when it could be safely used. Especially when policy set to "ask" you
+# have no way to know for sure what command(s) will be called. Compromissed
+# source VM can substitute the command. Allowing one VM to execute
+# qubes.VMRootShell over the other VM allows the former to TAKE FULL CONTROL over
+# the later. In most cases this is not what we want!
+#
+# Instead we should be using task-specific qrexec services which provide
+# assurance as to what program will be responding to the (untrusted) VM
+# requests.
+#
+# See e.g. this thread for some discussion:
+# https://groups.google.com/d/msg/qubes-users/xnAByaL_bjI/3PjYdiTDW-0J
+#
diff --git a/rpm_spec/core-dom0.spec b/rpm_spec/core-dom0.spec
index a80857f2..e0e6b00d 100644
--- a/rpm_spec/core-dom0.spec
+++ b/rpm_spec/core-dom0.spec
@@ -427,6 +427,7 @@ fi
 %attr(0664,root,qubes) %config(noreplace) /etc/qubes-rpc/policy/qubes.OpenInVM
 %attr(0664,root,qubes) %config(noreplace) /etc/qubes-rpc/policy/qubes.OpenURL
 %attr(0664,root,qubes) %config(noreplace) /etc/qubes-rpc/policy/qubes.VMShell
+%attr(0664,root,qubes) %config(noreplace) /etc/qubes-rpc/policy/qubes.VMRootShell
 %attr(0664,root,qubes) %config(noreplace) /etc/qubes-rpc/policy/qubes.UpdatesProxy
 %attr(0664,root,qubes) %config(noreplace) /etc/qubes-rpc/policy/qubes.GetDate
 /etc/qubes-rpc/admin.*
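Review bot: Two spelling slips in the warning comment of the new policy file should be fixed, since this text is what an administrator reads before relaxing the deny rule: `Compromissed` at the end of the `have no way to know` line should be `Compromised`, and `the later` at the start of the `In most cases` line should be `the latter`. The `## Add ",user=root" to any ask or allow rules.` hint on the second line is the only place that says how the service ends up running as root, so it would help to state the consequence of omitting it, e.g. `## Without ",user=root" the command runs as the target qube's default user, not root` — confirm this against the qrexec policy parser's handling of a missing user option before wording it as fact. The deny-all rule and the first-match note above it are consistent with each other; nothing else to raise on this hunk.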