core: fix vm.run(..., passio=False) handling
Long time ago passio=True was used to replace current process with
qrexec-client directly (qvm-run --pass-io was the called), but this
behaviour is not used anymore (qvm-run was the only user). And this
option was left untouched, with misleading name - one would assume that
using passio=False should disallow any I/O, but this isn't the case.
Especially qvm-sync-clock is calling clockvm.run('...', wait=True),
default value for passio=False. This causes to output data from
untrusted VM, without sanitising terminal sequences, which can be fatal.
This patch changes passio semantic to actually do what it means - when
set to True - VM process will be able to interact with
stdin/stdout/stderr. But when set to False, all those FDs will be
connected to /dev/null.
Conflicts:
core-modules/000QubesVm.py
This commit is contained in:
Marek Marczykowski-Górecki
parent
1da8ab5823
commit
73301a67c8
@ -1437,19 +1437,14 @@ class QubesVm(object):
|
|||||||
args += ["-t"]
|
args += ["-t"]
|
||||||
if os.isatty(sys.stderr.fileno()):
|
if os.isatty(sys.stderr.fileno()):
|
||||||
args += ["-T"]
|
args += ["-T"]
|
||||||
if passio:
|
|
||||||
if os.name == 'nt':
|
|
||||||
# wait for qrexec-client to exit, otherwise client is not properly attached to console
|
|
||||||
# if qvm-run is executed from cmd.exe
|
|
||||||
ret = subprocess.call(args)
|
|
||||||
exit(ret)
|
|
||||||
os.execv(system_path["qrexec_client_path"], args)
|
|
||||||
exit(1)
|
|
||||||
|
|
||||||
call_kwargs = {}
|
call_kwargs = {}
|
||||||
if ignore_stderr:
|
if ignore_stderr or not passio:
|
||||||
null = open("/dev/null", "w")
|
null = open("/dev/null", "rw")
|
||||||
call_kwargs['stderr'] = null
|
call_kwargs['stderr'] = null
|
||||||
|
if not passio:
|
||||||
|
call_kwargs['stdin'] = null
|
||||||
|
call_kwargs['stdout'] = null
|
||||||
|
|
||||||
if passio_popen:
|
if passio_popen:
|
||||||
popen_kwargs={'stdout': subprocess.PIPE}
|
popen_kwargs={'stdout': subprocess.PIPE}
|
||||||
@ -1462,7 +1457,7 @@ class QubesVm(object):
|
|||||||
if null:
|
if null:
|
||||||
null.close()
|
null.close()
|
||||||
return p
|
return p
|
||||||
if not wait:
|
if not wait and not passio:
|
||||||
args += ["-e"]
|
args += ["-e"]
|
||||||
retcode = subprocess.call(args, **call_kwargs)
|
retcode = subprocess.call(args, **call_kwargs)
|
||||||
if null:
|
if null:
|
||||||
|
|||||||
@ -60,7 +60,7 @@ def vm_run_cmd(vm, cmd, options):
|
|||||||
verbose = options.verbose,
|
verbose = options.verbose,
|
||||||
user = options.user,
|
user = options.user,
|
||||||
notify_function = tray_notify_generic if options.tray else None,
|
notify_function = tray_notify_generic if options.tray else None,
|
||||||
wait = options.passio, localcmd = options.localcmd,
|
passio = options.passio, localcmd = options.localcmd,
|
||||||
gui = options.gui, filter_esc = options.filter_esc)
|
gui = options.gui, filter_esc = options.filter_esc)
|
||||||
except QubesException as err:
|
except QubesException as err:
|
||||||
if options.passio and options.color_output is not None:
|
if options.passio and options.color_output is not None:
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user