solene
September 29, 2023, 6:43pm
1
Hi,
Would it be possible to allow a qube to use an RPC in itself? For an easier setup, I’d like my vault qube to use itself in a policy, but I get a message that it’s denied.
```
vault vault ask,default_target=vault
```
Loopback qrexec connections are forbidden because of a Xen limitation:
opened 05:24PM - 08 Mar 15 UTC
closed 09:30AM - 05 Aug 23 UTC
Labels: T: bug, C: core, P: major, eol-4.0
**Reported by marmarek on 9 Feb 2015 21:15 UTC**
Currently Xen implementation of… vchan in R3 crashes when connection is made back to the source domain. This is apparently not supported by xen-gntalloc driver.
The exact message is:
```
[ 9.937990] BUG: Bad page map in process qrexec-agent pte:80000000f9d41167 pmd:131c3067
[ 9.938010] page:ffffea00036a6638 count:1 mapcount:-1 mapping: (null) index:0xffffffffffffffff
[ 9.938018] page flags: 0x4000000000000c14(referenced|dirty|reserved|private)
[ 9.938033] addr:00007fa856d47000 vm_flags:140400fb anon_vma: (null) mapping:ffff880011efe940 index:11
[ 9.938042] vma->vm_ops->fault: (null)
[ 9.938057] vma->vm_file->f_op->mmap: gntalloc_mmap+0x0/0x1c0 [xen_gntalloc]
[ 9.938066] CPU: 0 PID: 1108 Comm: qrexec-agent Tainted: G O 3.12.23-1.pvops.qubes.x86_64 #1
[ 9.938074] ffff8800131f3818 ffff88001316fc78 ffffffff814db550 00007fa856d47000
[ 9.938085] ffff88001316fcb8 ffffffff81139413 ffff880011efe940 ffff8800131c3a38
[ 9.938096] ffffea00036a6638 00007fa856d47000 00007fa856d57000 ffff88001316fe18
[ 9.938107] Call Trace:
[ 9.938117] [<ffffffff814db550>] dump_stack+0x45/0x56
[ 9.938126] [<ffffffff81139413>] print_bad_pte+0x1a3/0x240
[ 9.938133] [<ffffffff8113ac9e>] unmap_page_range+0x6ee/0x7d0
[ 9.938142] [<ffffffff8113adf6>] unmap_single_vma+0x76/0xa0
[ 9.938149] [<ffffffff8113be09>] unmap_vmas+0x49/0x90
[ 9.938157] [<ffffffff8114443c>] exit_mmap+0x9c/0x170
[ 9.938166] [<ffffffff8105950c>] mmput+0x5c/0x110
[ 9.938175] [<ffffffff8105d74c>] do_exit+0x27c/0xa20
[ 9.938184] [<ffffffff810908ef>] ? vtime_account_user+0x4f/0x60
[ 9.938194] [<ffffffff81116502>] ? context_tracking_user_exit+0x52/0xc0
[ 9.938203] [<ffffffff8105ed2a>] do_group_exit+0x3a/0xa0
[ 9.938211] [<ffffffff8105ed9f>] SyS_exit_group+0xf/0x10
[ 9.938220] [<ffffffff814ea907>] tracesys+0xdd/0xe2
```
Needs either fix in the kernel, or some special case in vchan-xen code (use simple shm instead of Xen shared memory?).
Migrated-From: https://wiki.qubes-os.org/ticket/951
But maybe you could run the executable in /etc/qubes-rpc/ directly? E.g. instead of
```
qrexec-client-vm qubename rpcname
```
try
```
QREXEC_REMOTE_DOMAIN=qubename /etc/qubes-rpc/rpcname
```
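A wrapper around the workaround suggested in the reply above, as an added example that is not part of the thread: it runs the handler from /etc/qubes-rpc/ directly when the target is the calling qube itself and uses `qrexec-client-vm` otherwise. `call_rpc`, `self_name`, `QUBES_RPC_DIR` and `SELF_QUBE` are hypothetical names; the direct path never reaches dom0, so no policy rule (including `ask`) is evaluated for it.

```shell
#!/bin/sh
# Added example, not code from the thread or from Qubes OS.
# call_rpc, self_name, QUBES_RPC_DIR and SELF_QUBE are hypothetical names.

# Directory holding the service handlers; overridable so the function can be
# exercised outside a qube.
: "${QUBES_RPC_DIR:=/etc/qubes-rpc}"

# Name of the qube this runs in. Assumption: qubesdb-read is available,
# as it is in a standard Qubes VM; SELF_QUBE overrides it for testing.
self_name() {
    if [ -n "${SELF_QUBE:-}" ]; then
        printf '%s\n' "$SELF_QUBE"
    else
        qubesdb-read /name
    fi
}

# call_rpc TARGET SERVICE
call_rpc() {
    target=$1
    service=$2
    # Refuse names that could point outside the handler directory.
    case $service in
        ''|*/*|.*) echo "call_rpc: bad service name" >&2; return 2 ;;
    esac
    if [ "$target" = "$(self_name)" ]; then
        # Loopback: qrexec refuses this, so run the handler locally.
        # The handler sees this qube as the caller; dom0 policy is not consulted.
        handler=$QUBES_RPC_DIR/$service
        [ -x "$handler" ] || { echo "call_rpc: no handler $handler" >&2; return 127; }
        QREXEC_REMOTE_DOMAIN=$target "$handler"
    else
        # Normal case: go through qrexec, where the dom0 policy applies.
        qrexec-client-vm "$target" "$service"
    fi
}
```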
solene
September 29, 2023, 8:04pm
3
This was for SSH forwarding. I’ll just adapt to not use itself for the SSH agent; the workaround seems more complicated.