I’m trying to write up how to use the policy files, but every time I try to use qrexec-client-vm to test a policy, I get a null result.
Attempts:
As one would expect, doing this:
qrexec-client-vm qrexec-tests-2 admin.vm.property.List
gives a denied by policy error notification.
Adding this to /etc/qubes/policy.d/30-user.policy:
admin.vm.List * qrexec-tests-1 qrexec-tests-2
then doing it:
qrexec-client-vm qrexec-tests-2 admin.vm.property.List
Gives success in the sense that there is no policy denied error (meaning it’s not a typo), but the result returned from the command is nothing; it just goes back to the prompt.
Trying other possible combinations
Adding this to /etc/qubes/policy.d/30-user.policy:
admin.vm.List * qrexec-tests-1 dom0
Then trying this:
qrexec-client-vm dom0 admin.vm.property.List
just hangs and never comes back, as does:
qrexec-client-vm dom0 admin.vm.property.List+qrexec-tests-2
Any help would be appreciated
What the documentation says:
Qrexec: secure communication across domains | Qubes OS says that we should use qrexec-client-vm like:
qrexec-client-vm anotherVM test.Add /usr/bin/our_test_add_client 1 2
But this doesn’t make sense, as the caller could just do
qrexec-client-vm anotherVM test.Add /usr/bin/rm -rf /
instead.
And also, that’s not how the default installed policies are. For example, by default it’s:
qubes.GetDate * @anyvm @anyvm allow target=dom0
not something like:
qubes.GetDate /usr/bin/qubes-get-date @anyvm @anyvm allow target=dom0
If I assume qubes wouldn’t ship with a default configuration that would allow
qrexec-client-vm dom0 qubes.GetDate test.Add /usr/bin/rm -rf /
from any VM, then I must conclude that something is wrong but I don’t know what.
Even if it was right, what would the actual command be?
qrexec-client-vm qrexec-tests-2 admin.vm.property.List /usr/bin/qubes-backend-to-property.List
?
Link to my writeup:
If interested, my writeup (so far) of how to use policy files is at:
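An offline way to check policy lines like the ones in this post before testing them on a live system, as an added example written by the editor (it is not code from the post or from the Qubes project): a simplified parser and evaluator for the R4.1 policy format `service argument source target action [params]`. It assumes only literal qube names and `@anyvm` (which does not match dom0); the real `qrexec-policy` parser also handles `@tag:`, `@type:`, `@dispvm`, `@adminvm`, `!include` and more, so treat it as a teaching model, not a drop-in linter. The policy text, the qube names and the calls are constructed from the post.

```python
"""Simplified linter/evaluator for Qubes R4.1-style qrexec policy lines.

Illustration only (assumption: literal qube names and @anyvm; the real
qrexec-policy parser supports many more tokens). Not the Qubes code.
"""
from dataclasses import dataclass, field

ACTIONS = {"allow", "deny", "ask"}

# Constructed sample: the two lines from the post as written, plus the stock
# qubes.GetDate rule. Note that the post's lines carry no action field.
POST_POLICY = """
# /etc/qubes/policy.d/30-user.policy (constructed sample)
admin.vm.List * qrexec-tests-1 qrexec-tests-2
admin.vm.List * qrexec-tests-1 dom0
qubes.GetDate * @anyvm @anyvm allow target=dom0
"""

# Constructed sample with an explicit action on the user rule.
FIXED_POLICY = """
admin.vm.List * qrexec-tests-1 qrexec-tests-2 allow
qubes.GetDate * @anyvm @anyvm allow target=dom0
"""


@dataclass
class Rule:
    lineno: int
    service: str
    argument: str   # "*" = any argument, "+x" = exactly x, "+" = empty argument
    source: str
    target: str
    action: str
    params: dict = field(default_factory=dict)


def parse_policy(text):
    """Return (rules, problems); problems are lines a real loader would reject."""
    rules, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            problems.append(f"line {lineno}: no action (allow/deny/ask): {line!r}")
            continue
        service, argument, source, target, action, *rest = fields
        if action not in ACTIONS:
            problems.append(f"line {lineno}: unknown action {action!r}")
            continue
        if argument != "*" and not argument.startswith("+"):
            problems.append(f"line {lineno}: argument must be '*' or '+...'")
            continue
        params = dict(item.partition("=")[::2] for item in rest)  # e.g. target=dom0
        rules.append(Rule(lineno, service, argument, source, target, action, params))
    return rules, problems


def vm_matches(pattern, name):
    """@anyvm matches every qube except dom0; anything else is a literal name."""
    if pattern == "@anyvm":
        return name != "dom0"
    return pattern == name


def arg_matches(pattern, argument):
    return pattern == "*" or pattern[1:] == argument


def split_call(call):
    """'admin.vm.property.List+qrexec-tests-2' -> ('admin.vm.property.List', 'qrexec-tests-2')."""
    service, _, argument = call.partition("+")
    return service, argument


def evaluate(rules, call, source, target):
    """First matching rule wins; no match is a deny, as in the policy daemon.
    Service names match exactly. Returns (action, effective_target, lineno)."""
    service, argument = split_call(call)
    for r in rules:
        if (r.service == service and arg_matches(r.argument, argument)
                and vm_matches(r.source, source) and vm_matches(r.target, target)):
            return r.action, r.params.get("target", target), r.lineno
    return "deny", None, None


if __name__ == "__main__":
    rules, problems = parse_policy(POST_POLICY)
    for p in problems:
        print("problem:", p)
    for call in ("admin.vm.property.List", "admin.vm.List", "qubes.GetDate"):
        print(call, "->", evaluate(rules, call, "qrexec-tests-1", "qrexec-tests-2"))
    fixed, _ = parse_policy(FIXED_POLICY)
    print("fixed:", evaluate(fixed, "admin.vm.List", "qrexec-tests-1", "qrexec-tests-2"))
    print("fixed:", evaluate(fixed, "admin.vm.property.List", "qrexec-tests-1", "qrexec-tests-2"))
```

Run as a script, it reports the two lines that have no action field, shows that `admin.vm.property.List` matches no rule (service names are compared exactly, so a rule for `admin.vm.List` does not cover it), and shows the `target=dom0` parameter redirecting an allowed `qubes.GetDate` call. On the `rm -rf /` worry in the post: everything after the service name on the `qrexec-client-vm` command line names a program that runs in the calling qube, with its stdin/stdout connected to the remote service; it is never sent to the target, which is why the policy file has no field for it.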