Sys-usb being BYPASSED

naverone · April 30, 2022, 11:04am

I’ve recently setup a Trezor (which is a hardware usb wallet for crypto).
Getting it working required a number of setups, How to set up the trezor bridge in 4.1

But now ive noticed the trezor-app-vm can detect and use the usb trezor device WITHOUT attaching it to the app-vm via sys-usb. Im worried ive compromised sys-usb in some way?? Or that all app-vm will be able to access it?

Is there any logs i can provide that will help figure out whats going on?

tzwcfq · April 30, 2022, 11:26am

This policy will allow connections from any VM and not only your walletvm:
$anyvm $anyvm allow,user=trezord,target=sys-usb
You can read about policies here:

If you want to restrict the connection only to your walletvm, then you can do it like this:
walletvm sys-usb allow,user=trezord,target=sys-usb
You can see an example of policy usage for Monero wallet isolation:

naverone · April 30, 2022, 10:29pm

will putting this command in dom0 override the prior RPC $anyvm $anyvm policy?
thanks

tzwcfq · May 1, 2022, 4:38am

No, the whole policy file is parsed from top to bottom. As soon as a rule is found that matches the action being evaluated, parsing stops.
So if your file look like this:

walletvm sys-usb allow,user=trezord,target=sys-usb
$anyvm $anyvm allow,user=trezord,target=sys-usb

Then this will allow connections from any VM.
But if the file will look like this:

walletvm sys-usb allow,user=trezord,target=sys-usb
$anyvm $anyvm deny
$anyvm $anyvm allow,user=trezord,target=sys-usb

Then only walletvm will be allowed and all other connections will be denied.

dropkicked-ego · May 1, 2022, 5:27am

That is a solid call out. Thank you.

naverone · May 1, 2022, 9:42am

sounds like i should edit the file and remove the $anyvm $anyvm entry?
dom0$ cd /etc/qubes-rpc/policy/trezord-service
this one?

appreciate your knowledge and help

tzwcfq · May 1, 2022, 10:03am

Yes, you need to change this line in this file:

$anyvm $anyvm allow,user=trezord,target=sys-usb

To this instead:

walletvm sys-usb allow,user=trezord,target=sys-usb

enmus · May 4, 2022, 5:57pm

To me, anything after 2nd line is pointless since it won’t be / couldn’t be executed.

tzwcfq · May 4, 2022, 6:21pm

That’s right. This is an example of this quote:

That rules in the file won’t be parsed after first matching rule so anything after $anyvm $anyvm rule will be ignored.

enmus · May 4, 2022, 6:26pm

So, for the sake of other users, policy in this case should containt only two lines:

walletvm sys-usb allow,user=trezord,target=sys-usb
$anyvm $anyvm deny

tzwcfq · May 5, 2022, 6:45am

You can leave only the first line in the file:

walletvm sys-usb allow,user=trezord,target=sys-usb

Any requests that don’t match will be denied by default:

If no policy rule is matched, the action is denied. If the policy file does not exist, the user is prompted to create one. If there is still no policy file after prompting, the action is denied.

unman · May 5, 2022, 2:50pm

I have to point out that this is the old format, and should not be used
in 4.1
Updated format could be, in /etc/qubes/policy.d/30-user.policy

qubes.Trezor  * CLIENTVM  sys-usb allow

And that, is exactly the policy set out in the guide that OP linked
to.

enmus · May 5, 2022, 4:56pm

Of course. I just commented specific case, but didn’t look back at the broader context. Thanks.