Commit Graph

61 Commits

Author SHA1 Message Date
Rafal Wojtczuk
2600134e3b qrexec: tiny corrections to rpc autostart code 2011-07-07 10:38:15 +02:00
Rafal Wojtczuk
77f21e08a4 qrexec: corrected stupid typo 2011-07-07 10:06:45 +02:00
Rafal Wojtczuk
65fe9e1b93 qrexec: manually autostart target rpc domain
option 2) from the previous commit comment
2011-07-07 10:05:41 +02:00
Rafal Wojtczuk
11c1cb0aa2 qrexec: temporarily disable auto executing domains upon rpc request
There are two problems with qvm-run -a:
1) even with -q flag, it spits to stdout (actually, "xl create" does it), and
this garbage is received by rpc client
2) even with -q flag, it steals input (actually, "qrexec ... wait for session")

These two can be manually fixed (by passing /dev/null appropriately); hovewer,
this is prone to disaster if qvm-run is enhanced/broken later.

We could do
if is_domain_running() ; then
	run qrexec client
else
	qvm-run -a domain true </dev/null >/dev/null
	run qrexec client
fi
which looks safer; but is_domain_running() is a bit expensive even in "running"
case - we need to xl_context.list_domains anyway.

Gotta decide on one of these.
2011-07-07 09:13:51 +02:00
Rafal Wojtczuk
c80ee3b231 qrexec: allow for more options in the policy files 2011-07-06 18:34:00 +02:00
Rafal Wojtczuk
7b39b15f6d qrexec: enforce strict character set in TRIGGER_EXEC message 2011-07-06 17:07:40 +02:00
Rafal Wojtczuk
ab6aeb0bca qrexec: in qrexec_client_vm, need to preserve absolute exe name before execv 2011-07-06 16:51:56 +02:00
Rafal Wojtczuk
b3ce35b5e2 qrexec: change qrexec_client_vm syntax to be nicer to read
Now the local_program is just before arguments, which is nicer.
2011-07-06 14:21:35 +02:00
Rafal Wojtczuk
7d79a15c4b qrexec: support for rpc with dom0 as target 2011-07-06 13:56:57 +02:00
Rafal Wojtczuk
2fdf9761c7 qrexec: adjust DispVM code to the new qrexec API
Note, we have qvm-open-in-vm totally for free.
2011-07-06 12:32:20 +02:00
Rafal Wojtczuk
b7e8c2708c qrexec: adjust intervm file copy code to the new qrexec API 2011-07-06 10:17:58 +02:00
Rafal Wojtczuk
5b78e8f983 qrexec: dup old stdin/out fds, pass the dup-ed fds in SAVED_FD_%d env var 2011-07-05 20:01:28 +02:00
Rafal Wojtczuk
ecf200dca3 qrexec: last two missing pieces of the new rpc infrastructure 2011-07-05 18:35:03 +02:00
Rafal Wojtczuk
1e355f11d2 qrexec: in agent, use nonzero "fake" pid for existing process
Because 0 means invalid entry.
Also make sure that the rest of code handles -1 pid fine.
2011-07-05 13:04:34 +02:00
Rafal Wojtczuk
2c23891856 Revert "qrexec: in agent, use nonzero "fake" pid for existing process"
This reverts commit 9e77e8831e.
2011-07-05 12:58:27 +02:00
Rafal Wojtczuk
9e77e8831e qrexec: in agent, use nonzero "fake" pid for existing process
Because 0 means invalid entry.
2011-07-05 12:49:06 +02:00
Rafal Wojtczuk
9ac98a77b9 qrexec: in agent, handle CONNECT_EXISTING the way convenient for client 2011-07-05 12:46:33 +02:00
Rafal Wojtczuk
703cedc708 qrexec: fixed qrexec_client getopt handling 2011-07-05 11:04:44 +02:00
Rafal Wojtczuk
9c7eb81a23 qrexec: add qrexec_client_vm.c 2011-07-05 11:03:31 +02:00
Rafal Wojtczuk
b4f28152b8 qrexec: CONNECT_EXISTING command handling in daemon and client 2011-07-04 20:55:25 +02:00
Rafal Wojtczuk
c05b26763a qrexec: new communication scheme, agent<->server part
1) Instead of a set of predefined commands, we send MSG_AGENT_TO_SERVER_TRIGGER_CONNECT_EXISTING msg with a parameter (e.g. "org.qubes-os.vm.Filecopy")
defining required action
2) qrexec_daemon just forks qrexec_policy, that will take care of actually
allowing and executing required action
3) after MSG_AGENT_TO_SERVER_TRIGGER_CONNECT_EXISTING, qrexec_agent does not
execute a command - it justs uses already established file descriptors to
send data to/from. Thus, there is no need to use ~/.xxxxxspool - a command line
tool can have direct access to remote fds.
2011-07-04 18:56:56 +02:00
Rafal Wojtczuk
732a90443e qrexec: move daemon-specific code out of unix_server.c
So that agent can use code in unix_server.c
2011-07-04 17:06:29 +02:00
Marek Marczykowski
83d211836a dom0+vm: Trigger appmenus sync after yum transaction (#45), NEW QREXEC COMMAND
After yum transaction (install/upgrade/remove),
yum-plugin-post-transaction-actions will execute script which trigger
qvm-sync-appmenus in dom0 (through qrexec).
THIS INTRODUCE NEW PREDEFINED COMMAND IN QREXEC
2011-06-12 01:46:24 +02:00
Marek Marczykowski
986f4a888c Merge branch 'r1-beta1-fixes'
Conflicts:
	dom0/qvm-core/qubes.py
	version_dom0
	version_vm
2011-05-24 00:20:39 +02:00
Rafal Wojtczuk
e7d2eefecd qrexec: fix stdout flush on process exit
In case a child of qrexec_daemon has exited and there is still data in its
stdout pipe, we need to flush it to the peer. Previously, the case when the
peer is blocked was not handled; it is now. The bug impact was premature EOF.
2011-05-23 15:35:40 +02:00
Rafal Wojtczuk
c677f1cc4e qrexec and qfile-*: compile with -pie
For full ASLR.
2011-05-10 12:19:28 +02:00
Marek Marczykowski
ef517e5e66 Merge branch 'sane-and-pretty' of ssh://git.qubes-os.org/var/lib/qubes/git/rafal/core 2011-05-09 13:57:21 +02:00
Rafal Wojtczuk
8733c0ef77 qrexec_daemon: fixed typo in msg name 2011-05-09 13:31:38 +02:00
Marek Marczykowski
3d92e50792 Merge branch 'sane-and-pretty' of ssh://git.qubes-os.org/var/lib/qubes/git/rafal/core 2011-05-09 12:25:14 +02:00
Rafal Wojtczuk
d84289f983 qrexec - indentation 2011-05-04 13:00:39 +02:00
Rafal Wojtczuk
b4fb7a4b5d qrexec: added two I/O error checks, even though it is redundant in these cases 2011-05-04 12:56:52 +02:00
Rafal Wojtczuk
d68183da0c qrexec: added comments, made identifiers more verbose 2011-05-04 12:52:54 +02:00
Rafal Wojtczuk
675d4ce25b qrexec_daemon: add explicite sanitize routine
It sanitizes messages from agent, the only untrusted input. No new
checks have been added, just moved the code.
2011-05-04 10:53:43 +02:00
Marek Marczykowski
3f310e5f3e Adopt vchan to xen-libs-4.1.0 API.
Add #ifdefs to support new and old API
2011-04-19 01:21:48 +02:00
Rafal Wojtczuk
b7698de251 qrexec_daemon: print dots when waiting for agent 2011-03-31 11:23:44 +02:00
Rafal Wojtczuk
1fc8f242c5 Merge branch 'master' of git.qubes-os.org:/var/lib/qubes/git/marmarek/core into spring-merge 2011-03-28 17:27:50 +02:00
Rafal Wojtczuk
5c10812e36 qrexec_agent: When running as root, make the socket accessible
... world-rw. Perms on /var/run/qubes still limit access to group qubes.
2011-03-25 13:47:01 +01:00
Marek Marczykowski
14e50e983d gitignores 2011-03-23 19:57:48 -04:00
Rafal Wojtczuk
01b75b5987 Enable build on non-appvm. 2011-03-23 17:47:35 +01:00
Rafal Wojtczuk
7f6a06c354 qrexec: in write_stdin, remove dependency on write size
Previous code could barf when write was partial; probably can happen
only if we increase vchan buffer size, but it is better isolated now.
2011-03-18 11:16:05 +01:00
Rafal Wojtczuk
1d24ef9d1a qrexec: when forgetting about a client/process, flush buffered data
We need to spawn a child to take care of buffered data flushing, if there
is any. Expensive, but should be needed rarely.
2011-03-17 18:15:04 +01:00
Rafal Wojtczuk
53b517f6a5 qrexec: move set_nonblock function to write_stdin
It will be needed there.
2011-03-17 17:53:33 +01:00
Rafal Wojtczuk
fb71bf968c qrexec_agent: when receiving close from daemon, check buffered data
We need to wait for buffer flush, so that buffered data is not lost,
and only then close pipe to the child.
2011-03-17 17:37:35 +01:00
Rafal Wojtczuk
af7fefa73f qrexec: handle buffered writes correctly
In case when we have a buffered write, always append to the
buffer, even if the pipe happens to be writable now. If not,
in case of certain tight race we might end up writing buffered data in
wrong order.
2011-03-17 16:53:29 +01:00
Rafal Wojtczuk
d40fb3a2e1 Fifo semantics is hard to get right.
Finally: we need to close the command pipe at EOF.
2011-03-16 16:11:05 +01:00
Rafal Wojtczuk
15bab70eae Handle pipe io in qrexec_agent properly
Don't reopen pipe after each read - no need, and it could lose events.
2011-03-16 15:18:37 +01:00
Rafal Wojtczuk
769eedd33a Make qrexec_client wait for its local child before exiting
If we do not wait and exit imemdiately, qrexec_daemon will decrease
the children count and continue spawning processes, while e.g.
qfile-daemon still waits for kdialog - so dom0 will be DoSed by
multiple processes.
2011-03-16 14:52:35 +01:00
Rafal Wojtczuk
27cfd6111a qrexec_daemon limits the number of its children
So that evil VM cannot just send flood of exec qfile-daemon requests,
and DoS dom0.
2011-03-16 14:21:45 +01:00
Rafal Wojtczuk
00f4bf1197 qrexec_client accepts non-numeric domain description.
Just tries to open qrexec.argv[1].
2011-03-11 16:06:00 +01:00
Rafal Wojtczuk
470ddce435 qrexec_daemon creates VMname-based link to its socket 2011-03-11 14:14:04 +01:00