From baef139c007b64d78784d9d1a835e44abc5c28cf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Pierret=20=28fepitre=29?=
Date: Tue, 30 Apr 2019 11:23:23 +0200
Subject: [PATCH] Add qubes.ShowTerminal service

---
 qubes-rpc-policy/qubes.ShowTerminal | 12 ++++++++++++
 qubes-rpc/qubes.ShowTerminal | 7 +++++++
 2 files changed, 19 insertions(+)
 create mode 100644 qubes-rpc-policy/qubes.ShowTerminal
 create mode 100755 qubes-rpc/qubes.ShowTerminal

diff --git a/qubes-rpc-policy/qubes.ShowTerminal b/qubes-rpc-policy/qubes.ShowTerminal
new file mode 100644
index 00000000..8a355b72
--- /dev/null
+++ b/qubes-rpc-policy/qubes.ShowTerminal
@@ -0,0 +1,12 @@
+## Note that policy parsing stops at the first match,
+## so adding anything below "$anyvm $anyvm action" line will have no effect
+
+## Please use a single # to start your custom comments
+
+$anyvm $anyvm deny,target=dom0
+
+# WARNING: The qubes.ShowTerminal service is dangerous and allows any
+# qube to access any other qube console. It should be restricted
+# only to management/admin qubes. This is why the default policy is 'deny'
+
+# Example of policy: mgmtvm $tag:created-by-mgmtvm allow,target=dom0
diff --git a/qubes-rpc/qubes.ShowTerminal b/qubes-rpc/qubes.ShowTerminal
new file mode 100755
index 00000000..65b5765e
--- /dev/null
+++ b/qubes-rpc/qubes.ShowTerminal
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+lock="/var/run/qubes/$QREXEC_REQUESTED_TARGET.terminal.lock"
+
+# Create an exclusive lock to ensure that multiple qubes cannot access to the same socket
+# In the case of multiple qrexec calls it returns a specific exit code
+sudo flock -n -E 200 -x "$lock" socat - OPEN:"$(virsh -c xen ttyconsole "$QREXEC_REQUESTED_TARGET")"
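Review bot: The example allow rule is placed below the `$anyvm $anyvm deny,target=dom0` line, while the header of the same file says that policy parsing stops at the first match, so an administrator who uncomments the example where it stands gets a rule that never fires and a service that still denies everything. Either move the example above the deny line or state the placement in the comment itself: `# Example of policy (must be placed ABOVE the "$anyvm $anyvm deny" line): mgmtvm $tag:created-by-mgmtvm allow,target=dom0`. The WARNING block would read better directly above the deny line as well, since that is the line it justifies.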
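Review bot: `QREXEC_REQUESTED_TARGET` is interpolated into the lock path and handed to virsh on the last line without any check that it is set, and because the `virsh` call sits inside a command substitution in the sudo argument list its exit status is lost, so a stopped qube or a virsh error silently turns into `OPEN:` with an empty path and a socat error rather than a clear failure. Resolve the console path first, fail explicitly when it is empty, and guard the variable with `: "${QREXEC_REQUESTED_TARGET:?}"` so an unset value cannot produce the lock path `/var/run/qubes/.terminal.lock`. Keeping `exit 1` for these failures preserves the meaning of exit code 200, which the comment reserves for lock contention. Note that `virsh` is still evaluated by the unprivileged calling shell, not under `sudo` — presumably intentional, but worth a one-line comment.
```shell
#!/bin/bash
set -euo pipefail

# Refuse to run without a target name; it is used as a path component below.
: "${QREXEC_REQUESTED_TARGET:?QREXEC_REQUESTED_TARGET must be set}"

lock="/var/run/qubes/$QREXEC_REQUESTED_TARGET.terminal.lock"

# Resolve the console device up front so a virsh failure is reported
# instead of being swallowed inside the sudo argument list.
console=$(virsh -c xen ttyconsole "$QREXEC_REQUESTED_TARGET") || exit 1
[[ -n "$console" ]] || exit 1

# … unchanged: exclusive-lock comment …
sudo flock -n -E 200 -x "$lock" socat - OPEN:"$console"
```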