Qubes Upgrade to 4.2 - In Place Upgrade

apparatus · June 4, 2024, 4:11am

You have an error in policy files somewhere.
I’d suggest to remove all your custom policies and use all default policies for a test and if it’ll work then try to add your custom policies one by one.
Related issues:

github.com/QubesOS/qubes-issues

qrexec-policy-graph has AssertionError when only `--target` is specified without `--source` or `--service`

opened 04:51PM - 15 Feb 24 UTC

ben-grande

T: bug C: core P: default needs diagnosis affects-4.2

### Qubes OS release R4.2 qubes-core-qrexec-4.2.17-1.fc37.x86_64 ### Br…ief summary Qrexec policy graph breaks unexpectedly. Happens when `--target` is specified but not `--source` or `--service`. My policy has no syntax errors, as far as I can see from the journal. Proving with the parser (doesn't cover runtime errors): ``` $ qubes-policy-lint $(find /etc/qubes/policy.d/ -maxdepth 1 -type f -name "*.policy") WARNING:root:warning: !compat-4.0 directive in file __main__[in-memory] line 1 is transitional and will be deprecated $ echo $? 0 $ qubes-policy-lint -i $(find /etc/qubes/policy.d/include/ -maxdepth 1 -type f) $ echo $? 0 ``` ### Steps to reproduce I can't share my policy and I understand debugging becomes more difficult. Occurs with or without `--full-output` or `--include-ask`. If you specify `--source` or `--service`, it works, but only `--target` doesn't work. ``` $ qrexec-policy-graph --include-ask --full-output --target QUBE WARNING:root:warning: !compat-4.0 directive in file /etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be deprecated digraph g { Traceback (most recent call last): File "/usr/bin/qrexec-policy-graph", line 5, in <module> sys.exit(main()) ^^^^^^ File "/usr/lib/python3.11/site-packages/qrexec/tools/qrexec_policy_graph.py", line 186, in main action = policy.evaluate(request) ^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3.11/site-packages/qrexec/policy/parser.py", line 1623, in evaluate return rule.action.evaluate(request) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3.11/site-packages/qrexec/policy/parser.py", line 1115, in evaluate return request.ask_resolution_type( ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3.11/site-packages/qrexec/policy/parser.py", line 733, in __init__ assert default_target is None or default_target in targets_for_ask ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ AssertionError ``` ### Expected behavior No exception, just the dot output. ### Actual behavior Python exception.

github.com/QubesOS/qubes-issues

`qubes.OpenInVM * @anyvm @dispvm ask default_target=@dispvm:[...]` causes AssertionError

opened 11:42AM - 29 Aug 22 UTC

andrewdavidwong

T: bug C: core P: default needs diagnosis affects-4.1

[How to file a helpful issue](https://www.qubes-os.org/doc/issue-tracking/) #…## Qubes OS release 4.1.1 ### Brief summary Attempting to open a file in a non-global-default disposable with an `ask default_target=[...]` policy fails. ### Steps to reproduce 1. Create a disposable template named `dvm-default`. 2. In Qubes Global Settings, set `dvm-default` as the default disposable template. 3. Specify these policy rules in `/etc/qubes/policy.d/30-user.policy` in dom0: ``` qubes.OpenInVM * @anyvm @dispvm ask default_target=@dispvm:dvm-default qubes.OpenInVM * @anyvm @anyvm deny ``` 4. Create another disposable template called `dvm-other`. 5. Create an app qube called `my-app-qube` 6. In `my-app-qube`'s advanced settings, set "Default disposable template" to `dvm-other`. 7. In `my-app-qube`, do `qvm-open-in-dvm <some_file>`. ### Expected behavior An "Operation execution" prompt is created in dom0 with the following: ``` Source: my-app-qube Operation: qubes.OpenInVM Target: Disposable VM (dvm-other) ``` (The target should be pre-filled.) ### Actual behavior No dom0 prompt is created. `journalctl` shows: ``` Aug 29 04:26:15 dom0 qrexec-policy-daemon[4452]: AssertionError Aug 29 04:26:15 dom0 qrexec-policy-daemon[4452]: assert default_target is None or default_target in targets_for_ask Aug 29 04:26:15 dom0 qrexec-policy-daemon[4452]: File "/usr/lib/python3.8/site-packages/qrexec/policy/parser.py", line 619, in __init__ Aug 29 04:26:15 dom0 qrexec-policy-daemon[4452]: return request.ask_resolution_type(self.rule, request, Aug 29 04:26:15 dom0 qrexec-policy-daemon[4452]: File "/usr/lib/python3.8/site-packages/qrexec/policy/parser.py", line 922, in evaluate Aug 29 04:26:15 dom0 qrexec-policy-daemon[4452]: return rule.action.evaluate(request) Aug 29 04:26:15 dom0 qrexec-policy-daemon[4452]: File "/usr/lib/python3.8/site-packages/qrexec/policy/parser.py", line 1307, in evaluate Aug 29 04:26:15 dom0 qrexec-policy-daemon[4452]: resolution = policy.evaluate(request) Aug 29 04:26:15 dom0 qrexec-policy-daemon[4452]: File "/usr/lib/python3.8/site-packages/qrexec/tools/qrexec_policy_exec.py", line 273, in handle_request Aug 29 04:26:15 dom0 qrexec-policy-daemon[4452]: result = await handle_request(**args, log=log, Aug 29 04:26:15 dom0 qrexec-policy-daemon[4452]: File "/usr/lib/python3.8/site-packages/qrexec/tools/qrexec_policy_daemon.py", line 100, in handle_client_connection Aug 29 04:26:15 dom0 qrexec-policy-daemon[4452]: Traceback (most recent call last): Aug 29 04:26:15 dom0 qrexec-policy-daemon[4452]: future: <Task finished name='Task-35552' coro=<handle_client_connection() done, defined at /usr/lib/python3.8/site-packages/qrexec/tools/qre> Aug 29 04:26:15 dom0 qrexec-policy-daemon[4452]: Task exception was never retrieved ```