Broken qrexec/policies after dom0 update (qvm-copy, clipboard, mouse passthrough... not working)

After updating dom0 through the built-in tool, I noticed that the global clipboard was no longer working: it copies things and I actually get the "contents fetched" notification, but it does not paste into another VM.

This prompted me to try other things: qvm-copy in a VM outputs "Request refused" (but qvm-copy-to-vm in dom0 works).

I also unplugged and replugged my mouse and this time I didn’t get the usual sys-usb prompt to attach it to dom0, so now the mouse doesn’t work.

I checked /etc/qubes/policy.d/90-default.policy and it looks default.

/etc/qubes-rpc/policy/qubes.ClipboardPaste has the following:

dom0 @anyvm ask
@anyvm @anyvm ask

/etc/qubes-rpc/policy/qubes.InputMouse also looks normal with sys-usb dom0 ask… and deny the rest.

The only thing that I changed is qubes.ConnectTCP which I edited to have mail and monero policies (but I don’t remember if by default it had anything in it).

I read a report of similar issues that mentioned updating everything and restarting, which I did. But to be fair I started from 4.1 and all the latest templates so regardless, that should not have been an issue.

Suggestions? Thanks, all.

As it turns out the culprit was a policy I misconfigured for qubes.ConnectTCP.

For those stumbling upon this, if you change a policy from ask to allow, you should remember to remove default_target= if present.

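A small linter for the pitfall described in the post above, added here as an example (it is not code from the post or from the Qubes project). It assumes the two rule layouts used under /etc/qubes-rpc/policy/ and /etc/qubes/policy.d/; the function name `lint_policy`, the qube names, the port and the sample rules are all constructed for illustration.

```python
"""Flag Qubes qrexec policy rules where a non-ask action carries default_target=."""
import re

ACTIONS = {"allow", "ask", "deny"}

def lint_policy(text, legacy=False):
    """Return [(line_number, message), ...] for suspicious rules.

    legacy=True : source target action[,param=value...]
    legacy=False: service argument source target action [param=value ...]
    """
    action_idx = 2 if legacy else 4
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Skip blanks, comments and !include-style directives.
        if not line or line[0] in "#!":
            continue
        fields = line.split(None, action_idx)
        if len(fields) <= action_idx:
            findings.append((lineno, "too few fields for a rule"))
            continue
        # Parameters may be separated by commas or whitespace.
        action, *params = re.split(r"[,\s]+", fields[action_idx])
        if action not in ACTIONS:
            findings.append((lineno, f"unknown action {action!r}"))
        elif action != "ask" and any(p.startswith("default_target=") for p in params):
            findings.append((lineno, f"default_target= used with action {action!r}"))
    return findings

# Constructed samples; qube names and the port are made up.
SAMPLE_LEGACY = """\
# qubes.ConnectTCP, legacy layout
mail @default allow,target=sys-net,default_target=sys-net
work @default ask,default_target=sys-net
@anyvm @anyvm deny
"""
SAMPLE_NEW = """\
# policy.d layout
qubes.ConnectTCP +18081 wallet @default allow target=monerod default_target=monerod
qubes.ClipboardPaste * @anyvm @anyvm ask
"""

if __name__ == "__main__":
    for name, text, legacy in (("legacy", SAMPLE_LEGACY, True), ("policy.d", SAMPLE_NEW, False)):
        for lineno, msg in lint_policy(text, legacy):
            print(f"{name}:{lineno}: {msg}")
```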