Restrict and test and qubes-rpc policies for dom0 #187
Conversation
|
Tested and uncovered one error. Output from test failure: The Qubes workstation I'm using was installed fresh about a week ago, so looks like the RPC policy files have had additional comments added. I've also been reviewing #174, so will re-run the test plan here to ensure I'm testing in a rather clean environment. |
|
Was able to reproduce the error above, even after cleaning up my dom0 env of leftovers from reviewing #174. Ported the We should update all the policy adds to use similar logic, so we can confidently manage changes over time. As long as we keep the "markers" stable, we can insert or remove customizations at will. Some items of note for making the requested changes here:
|
There was a problem hiding this comment.
Tests are an excellent addition. A few changes requested; see comments in-line; summarized:
- convert file.prepend calls -> file.blockreplace (note implementations in Restrict and test and qubes-rpc policies for dom0 #187 (comment))
- convert cmd.run qvm-tags calls -> qvm.tags.add blocks on VM creation
- show-output on makefile target, so it's easier to debug how files change
Makefile
Outdated
| update-whonix-templates prep-whonix prep-dom0 sd-workstation-template \ | ||
| sd-whonix sd-svs sd-gpg \ | ||
| sd-journalist sd-svs-disp | ||
|
|
||
| clone: assert-dom0 ## Pulls the latest repo from work VM to dom0 | ||
| @./scripts/clone-to-dom0 | ||
|
|
||
| qubes-rpc: prep-salt ## Places default deny qubes-rpc policies for sd-svs and sd-gpg | ||
| sudo qubesctl top.enable sd-dom0-qvm-rpc | ||
| sudo qubesctl --targets sd-dom0-qvm-rpc state.highstate |
There was a problem hiding this comment.
Change
sudo qubesctl --targets sd-dom0-qvm-rpc state.highstate
to
sudo qubesctl --show-output --targets sd-dom0-qvm-rpc state.highstate
to match changes in #190.
dom0/sd-dom0-qvm-rpc.sls
Outdated
| ## | ||
|
|
||
| dom0-rpc-qubes.ClipboardPaste: | ||
| file.prepend: |
There was a problem hiding this comment.
Change file.prepend to file.blockreplace throughout; see the OpenInVM config task for an example.
dom0/sd-gpg.sls
Outdated
| # Add tag for default qubes-rpc deny catch-all rule | ||
| # (see dom0/sd-dom0-qvm-rpc.sls) | ||
| qvm-tags sd-gpg add sd-workstation: | ||
| cmd.run |
There was a problem hiding this comment.
Convert the cmd.run calls to qvm-tags to a - tags: block on the VM spec; see the - prefs: block as an example. Docs here: https://github.com/QubesOS/qubes-mgmt-salt-dom0-qvm/blob/master/README.rst#qvm-vm Note that the syntax is slightly different when using the qvm wrapper lib; e.g.
- tags:
- add:
- sd-workstation
| @@ -41,6 +41,7 @@ def test_sd_whonix_config(self): | |||
| self.assertTrue(vm.template == "sd-whonix-template") | |||
| self.assertTrue(vm.provides_network) | |||
| self.assertFalse(vm.template_for_dispvms) | |||
| self.assertTrue('sd-workstation' in vm.tags) | |||
There was a problem hiding this comment.
👌 Great addition; keeping these tests will help in confirming that the cmd.run -> qvm.tags conversion suggested above works well.
| else: | ||
| print("Policy for {} is:\n{}".format(filename, | ||
| actualPolicy)) | ||
| print("Policy for {} should be:\n{}".format(filename, |
There was a problem hiding this comment.
Nit: more aggressive output would be helpful here for when the policies fail. Consider adding more newlines and header blocks like:
print("\n\n#### BEGIN RPC policy error report ####\n\n")
print("Policy for {} is:\n{}".format(filename,
actualPolicy))
print("Policy for {} should be:\n{}".format(filename,
expectedPolicy))
print("\n\n#### END RPC policy error report ####\n\n")
emkll
force-pushed
the
175-qubes-rpc
branch
6 times, most recently
from
60f4a52 to
1aa5fe9
Compare
|
@conorsch thanks for all the great feedback. I've incorporated it and cleaned up the git history, this should now be ready for re-review! |
|
Roger that, re-reviewing! |
This will ensure we guard against regressions, configuration drift, and enforce least-privilege on qubes-rpc policies for sd-workstation App and Template VMs.
This will ensure we will be able to apply preferences (e.g. qubes-rpc policies) accross all VMs managed in the Qubes Workstation. Added configuration tests for templates VMs that were created as part of #160
Both templates and AppVMs provisioned by the SecureDrop workstation now have the `sd-workstation` tag. This tag will be used to prepend a default deny for all Qubes-RPC operations at the start of the install process. The SecureDrop installer will prepend to this list any other grant necessary. sd-dom0-qvm-rpc will add default deny rule for all policies at the end of the install to ensure that it overrides any policies that may have been added by error as part of the other tasks. @conorsch recommended use blockreplace for the following reasons: "We want to ensure that the newest config (which will change over time) is added to the top of the file. It's OK to add additional grants elsewhere (mostly for developers), but the Workstation-specific grants should be enforced first. Saltstack's "blockreplace" module allows this, and convenient supports "markers" to ensure updates over time are inserted in the correct location. Better yet, it's now obvious where the grants are coming from: the securedrop-workstation config."
This is already handled by the securedrop-workstation-config package. Furthermore, the package won't persist in sd-svs because it is an AppVM.
|
Works like a charm. After full provision with passing tests, I edited one of the Salt files to write a bad config, and the tests started failing. Reverted the fix, reapplied, and tests are passing—so the new logic is correctly updating the files in-place, as we want. |
Status
Ready for review.
Fixes #175, #147
sd-workstation)dom0/sd-dom0-qvm-rpc.sls, to make it easier to manage and slightly more idempotent.sd-workstationlabel.Test plan
clean && make allshould succeed with no errormake testshould passAnd, as always: