dom0/qubes_rpc: mark untrusted variables (#654)

dom0/qubes_rpc/qubes-notify-updates

@@ -50,10 +50,12 @@ def main():
     os.umask(0002)
     qubes_gid = grp.getgrnam('qubes').gr_gid
     
-    update_count = sys.stdin.readline(128).strip()
+    untrusted_update_count = sys.stdin.readline(128).strip()
-    if not update_count.isdigit():
+    if not untrusted_update_count.isdigit():
-        print >> sys.stderr, 'Domain ' + source + ' sent invalid number of updates: ' + update_count
+        print >> sys.stderr, 'Domain ' + source + ' sent invalid number of updates: %s' % untrusted_update_count
         exit(1)
+    # now sanitized
+    update_count = untrusted_update_count
     if source_vm.updateable:
         # Just trust information from VM itself
         update_f = open(source_vm.dir_path + '/' + updates_stat_file, "w")

dom0/qubes_rpc/qubes-receive-appmenus

@@ -53,10 +53,10 @@ def get_appmenus(xid):
     untrusted_appmenulist = []
     if xid == -1:
         while appmenus_line_count > 0:
-            line = sys.stdin.readline(appmenus_line_size)
+            untrusted_line = sys.stdin.readline(appmenus_line_size)
-            if line == "":
+            if untrusted_line == "":
                 break;
-            untrusted_appmenulist.append(line.strip())
+            untrusted_appmenulist.append(untrusted_line.strip())
             appmenus_line_count -= 1
         if appmenus_line_count == 0:
             raise QubesException("Line count limit exceeded")
@@ -64,10 +64,10 @@ def get_appmenus(xid):
         p = subprocess.Popen ([qrexec_client_path, '-d', str(xid),
                 'user:QUBESRPC qubes.GetAppmenus dom0'], stdout=subprocess.PIPE)
         while appmenus_line_count > 0:
-            line = p.stdout.readline(appmenus_line_size)
+            untrusted_line = p.stdout.readline(appmenus_line_size)
-            if line == "":
+            if untrusted_line == "":
                 break;
-            untrusted_appmenulist.append(line.strip())
+            untrusted_appmenulist.append(untrusted_line.strip())
             appmenus_line_count -= 1
         p.wait()
         if p.returncode != 0:
@@ -88,6 +88,7 @@ def get_appmenus(xid):
         if untrusted_m:
             untrusted_key = untrusted_m.group(2)
             untrusted_value = untrusted_m.group(3)
+            # Look only at predefined keys
             if fields_regexp.has_key(untrusted_key):
                 if fields_regexp[untrusted_key].match(untrusted_value):
                     # now values are sanitized

dom0/qubes_rpc/qubes-receive-updates

@@ -66,9 +66,12 @@ def handle_dom0updates(updatevm):
     os.chmod(updates_rpm_dir, 0775)
     subprocess.check_call(["/usr/lib/qubes/qfile-dom0-unpacker", str(os.getuid()), updates_rpm_dir])
     # Verify received files
-    for f in os.listdir(updates_rpm_dir):
+    for untrusted_f in os.listdir(updates_rpm_dir):
-        full_path = updates_rpm_dir + "/" + f
+        if not package_regex.match(untrusted_f):
-        if package_regex.match(f):
+            dom0updates_fatal(untrusted_f, 'Domain ' + source + ' sent unexpected file: ' + untrusted_f)
+        else:
+            f = untrusted_f
+            full_path = updates_rpm_dir + "/" + f
             if os.path.islink(full_path) or not os.path.isfile(full_path):
                 dom0updates_fatal(f, 'Domain ' + source + ' sent not regular file')
             p = subprocess.Popen (["/bin/rpm", "-K", full_path],
@@ -78,8 +81,6 @@ def handle_dom0updates(updatevm):
                 dom0updates_fatal(f, 'Error while verifing %s signature: %s' % (f, output))
             if not gpg_ok_regex.search(output.strip()):
                 dom0updates_fatal(f, 'Domain ' + source + ' sent not signed rpm: ' + f)
-        else:
-            dom0updates_fatal(f, 'Domain ' + source + ' sent unexpected file: ' + f)
     if updates_error_file_handle is not None:
         updates_error_file_handle.close()
     # After updates received - create repo metadata