core: fix vm.run(..., passio=False) handling

Long time ago passio=True was used to replace current process with qrexec-client directly (qvm-run --pass-io was the called), but this behaviour is not used anymore (qvm-run was the only user). And this option was left untouched, with misleading name - one would assume that using passio=False should disallow any I/O, but this isn't the case. Especially qvm-sync-clock is calling clockvm.run('...', wait=True), default value for passio=False. This causes to output data from untrusted VM, without sanitising terminal sequences, which can be fatal. This patch changes passio semantic to actually do what it means - when set to True - VM process will be able to interact with stdin/stdout/stderr. But when set to False, all those FDs will be connected to /dev/null. Conflicts: core-modules/000QubesVm.py
2014-12-12 23:09:33 +01:00 · 2014-12-12 23:09:33 +01:00 · 73301a67c8
commit 73301a67c8
parent 1da8ab5823
2 changed files with 7 additions and 12 deletions
--- a/core-modules/000QubesVm.py
+++ b/core-modules/000QubesVm.py
@ -1437,19 +1437,14 @@ class QubesVm(object):
            args += ["-t"]
        if os.isatty(sys.stderr.fileno()):
            args += ["-T"]
-        if passio:
-            if os.name == 'nt':
-                # wait for qrexec-client to exit, otherwise client is not properly attached to console
-                # if qvm-run is executed from cmd.exe
-                ret = subprocess.call(args)
-                exit(ret)
-            os.execv(system_path["qrexec_client_path"], args)
-            exit(1)

        call_kwargs = {}
-        if ignore_stderr:
-            null = open("/dev/null", "w")
+        if ignore_stderr or not passio:
+            null = open("/dev/null", "rw")
            call_kwargs['stderr'] = null
+        if not passio:
+            call_kwargs['stdin'] = null
+            call_kwargs['stdout'] = null

        if passio_popen:
            popen_kwargs={'stdout': subprocess.PIPE}
@ -1462,7 +1457,7 @@ class QubesVm(object):
            if null:
                null.close()
            return p
-        if not wait:
+        if not wait and not passio:
            args += ["-e"]
        retcode = subprocess.call(args, **call_kwargs)
        if null:
--- a/qvm-tools/qvm-run
+++ b/qvm-tools/qvm-run
@ -60,7 +60,7 @@ def vm_run_cmd(vm, cmd, options):
            verbose = options.verbose,
            user = options.user,
            notify_function = tray_notify_generic if options.tray else None,
-            wait = options.passio, localcmd = options.localcmd,
+            passio = options.passio, localcmd = options.localcmd,
            gui = options.gui, filter_esc = options.filter_esc)
    except QubesException as err:
        if options.passio and options.color_output is not None: