I’m simply trying to call admin.vm.List from a domU VM to list all VMs.
I have created /etc/qubes/policy.d/10-temp-dev.policy:
admin.vm.List * myvm @adminvm allow #target=dom0
(note: same result if we uncomment target=dom0).
What happens
Upon running qrexec-client-vm dom0 admin.vm.List from myvm, the command “runs” (i.e. the policy doesn’t reject it) but it hangs forever, e.g. the terminal never returns anything.
Upon running qvm-ls, we get
NAME  STATE    CLASS    LABEL  TEMPLATE  NETVM
dom0  Running  AdminVM  -      -         -
i.e. only dom0
Questions
What am I doing wrong via qrexec-client-vm?
Why is qvm-ls listing only dom0 and not all the VMs visible by running qvm-ls directly in dom0?
admin.vm.List uses the destination dom0 or @adminvm (as an initial destination, not redirected via target=) to mean it should start from a list of all VMs, but the list is narrowed to only those VMs for which there is a policy that would allow them to be used as a destination as well. So to allow listing all VMs, you apparently need multiple policy lines (because @anyvm does not include dom0):
If you want other features you will also need a number of allow rules
to avoid being spammed by “deny” messages I keep those in a distinct
policy file applying policy restrictions per managementVM
I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.
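The narrowing described in the answer above, as an added example that is not part of the original thread and is not Qubes code: a simplified Python model of first-match policy evaluation applied to each candidate destination. The VM names work and personal, and the second rule in TWO_RULES, are assumptions made for illustration.

```python
# Simplified model of how admin.vm.List narrows its result; not Qubes code.
# Assumptions: first matching rule wins, no matching rule means deny, only
# "allow" counts, and the argument column ("*") is not evaluated.

def token_matches(token, vm):
    """Match one policy source/target token against a VM name."""
    if token == "@adminvm":
        return vm == "dom0"
    if token == "@anyvm":
        return vm != "dom0"          # @anyvm does not include dom0
    return token == vm               # literal qube name such as "myvm"

def parse_policy(text):
    """Parse 'service argument source target action [params]' lines."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # strip comments
        if len(fields) >= 5:
            rules.append(tuple(fields[:5]))      # target= etc. not needed here
    return rules

def is_allowed(rules, service, source, dest):
    """Check a call against its initial destination (before any target=)."""
    for svc, _arg, src, tgt, action in rules:
        if svc == service and token_matches(src, source) and token_matches(tgt, dest):
            return action == "allow"
    return False

def visible_vms(rules, caller, all_vms):
    """VMs reported to `caller` when it sends admin.vm.List to dom0."""
    if not is_allowed(rules, "admin.vm.List", caller, "dom0"):
        return None                  # the call itself is refused
    return [vm for vm in all_vms
            if is_allowed(rules, "admin.vm.List", caller, vm)]

ALL_VMS = ["dom0", "myvm", "work", "personal"]   # constructed system

# The single rule from the question.
SINGLE_RULE = parse_policy("admin.vm.List * myvm @adminvm allow #target=dom0")
# Assumed pair of rules: one for dom0, one for every other VM.
TWO_RULES = parse_policy("""
admin.vm.List * myvm @adminvm allow
admin.vm.List * myvm @anyvm   allow target=dom0
""")

if __name__ == "__main__":
    print(visible_vms(SINGLE_RULE, "myvm", ALL_VMS))
    print(visible_vms(TWO_RULES, "myvm", ALL_VMS))
```

With only the rule from the question, the model reports dom0 alone, which matches the qvm-ls output shown in the question.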