Add support for sys-usb DispVM and suppress sd-log loopback notificat…

…ions The Qubes OS 4.1 default configuration makes the `sys-usb` qube disposable, which interferes with our udev rule to automatically attach flash devices to `sd-devices`. This change clones the `fedora-34-dvm` qube as `sd-fedora-34-dvm`, where we henceforth add the necessary modifications, so `sys-usb` stays disposable, but with our modifications sticking around permanently. In 4.1 policy denials trigger a notification visible to the user - qexec loopback isn't supported in 4.0 either, but they're silent. Suppressing these notifications is only supported in the new policy format, so securedrop.Log rules are now there.
freedomofpress · Apr 29, 2022 · 01e5ea1 · 01e5ea1
1 parent fc08acc
commit 01e5ea1
Show file tree

Hide file tree

Showing 8 changed files with 99 additions and 10 deletions.
diff --git a/dom0/sd-clean-all.sls b/dom0/sd-clean-all.sls
@@ -9,8 +9,43 @@ set-fedora-as-default-dispvm:
 
 {% set gui_user = salt['cmd.shell']('groupmems -l -g qubes') %}
 
+{% if grains['osrelease'] == '4.1' and salt['pillar.get']('qvm:sys-usb:disposable', true) %}
+restore-sys-usb-dispvm-halt:
+  qvm.kill:
+    - name: sys-usb
+
+restore-sys-usb-dispvm-halt-wait:
+  cmd.run:
+    - name: sleep 5
+    - require:
+      - qvm: restore-sys-usb-dispvm-halt
+
+restore-sys-usb-dispvm:
+  qvm.prefs:
+    - name: sys-usb
+    - template: fedora-34-dvm
+    - require:
+      - cmd: restore-sys-usb-dispvm-halt-wait
+      - cmd: set-fedora-as-default-dispvm
+
+restore-sys-usb-dispvm-start:
+  qvm.start:
+    - name: sys-usb
+    - require:
+      - qvm: restore-sys-usb-dispvm
+
+# autoattach modifications are only present in sd-fedora-dvm
+# so no more sd-usb-autoattach-remove necessary
+remove-sd-fedora-dispvm:
+  qvm.absent:
+    - name: sd-fedora-dvm
+    - require:
+      - qvm: restore-sys-usb-dispvm
+{% else %}
+# If sys-usb is not disposable, clean up after ourselves
 include:
   - sd-usb-autoattach-remove
+{% endif %}
 
 # Reset desktop icon size to its original value
 dom0-reset-icon-size-xfce:

diff --git a/dom0/sd-dom0-qvm-rpc.sls b/dom0/sd-dom0-qvm-rpc.sls
@@ -193,6 +193,8 @@ dom0-rpc-qubes.r5-format-deny:
   file.managed:
     - name: /etc/qubes/policy.d/70-securedrop-workstation.policy
     - contents: |
+        securedrop.Log          *           @anyvm @anyvm deny
+
         qubes.FeaturesRequest   *           @anyvm @tag:sd-workstation deny
         qubes.FeaturesRequest   *           @tag:sd-workstation @anyvm deny
 
@@ -221,6 +223,10 @@ dom0-rpc-qubes.r5-format-ask-allow:
   file.managed:
     - name: /etc/qubes/policy.d/60-securedrop-workstation.policy
     - contents: |
+        # required to suppress unsupported loopback error notifications
+        securedrop.Log          *           sd-log sd-log deny notify=no
+        securedrop.Log          *           @tag:sd-workstation sd-log allow
+
         qubes.Filecopy          *           sd-log @default ask
         qubes.Filecopy          *           sd-log @tag:sd-receive-logs ask
         qubes.Filecopy          *           sd-proxy @tag:sd-client allow

diff --git a/dom0/sd-log.sls b/dom0/sd-log.sls
@@ -31,13 +31,23 @@ sd-log:
     - require:
       - qvm: sd-small-buster-template
 
+{% if grains['osrelease'] == '4.0' %}
 # Allow any SecureDrop VM to log to the centralized log VM
 sd-log-dom0-securedrop.Log:
   file.prepend:
     - name: /etc/qubes-rpc/policy/securedrop.Log
     - text: |
         @tag:sd-workstation sd-log allow
         @anyvm @anyvm deny
+{% elif grains['osrelease'] == '4.1' %}
+# In 4.1 this policy is handled in the more central app policy
+# files added by sd-dom0-qvm-rpc.sls, no need to keep this
+# around in 4.0 if we migrated
+sd-log-dom0-remove-old-securedrop.Log-policy:
+  file.absent:
+    - names:
+      - /etc/qubes-rpc/policy/securedrop.Log
+{% endif %}
 
 {% import_json "sd/config.json" as d %}
 

diff --git a/dom0/sd-sys-vms.sls b/dom0/sd-sys-vms.sls
@@ -71,13 +71,31 @@ set-fedora-default-template-version:
 {% endif %}
       - sls: qvm.default-dispvm
 
+# sys-usb qubes are disposable in the default configuration - instead of forcing
+# users to turn sys-usb into an AppVM, we're just cloning the DispVM template to
+# make our changes to allow auto-attaching USB drives. 
+{% if grains['osrelease'] == '4.1' and salt['pillar.get']('qvm:sys-usb:disposable', true) %}
+clone-dispvm-for-sys-usb-customization:
+  cmd.run:
+    - name: >
+        qvm-check sd-fedora-dvm || qvm-clone {{ sd_supported_fedora_version }}-dvm sd-fedora-dvm
+    - require:
+      - cmd: dom0-install-fedora-template
+{% endif %}
+
 
 # Now proceed with rebooting all the sys-* VMs, since the new template is up to date.
 
 {% for sys_vm in ['sys-usb', 'sys-net', 'sys-firewall'] %}
 {% if grains['osrelease'] == '4.1' and salt['pillar.get']('qvm:'+sys_vm+':disposable', false) %}
 # As of Qubes 4.1, certain sys-* VMs will be DispVMs by default.
+{% if sys_vm == 'sys-usb' %}
+# If sys-usb is disposable, we want it to use the template we just cloned so we
+# can customize it
+{% set sd_supported_fedora_template = 'sd-fedora-dvm' %}
+{% else %}
 {% set sd_supported_fedora_template = sd_supported_fedora_version+'-dvm' %}
+{% endif %}
 {% else %}
 {% set sd_supported_fedora_template = sd_supported_fedora_version %}
 {% endif %}

diff --git a/dom0/sd-workstation.top b/dom0/sd-workstation.top
@@ -41,7 +41,14 @@ base:
   securedrop-workstation-buster:
     - sd-workstation-template-files
     - sd-logging-setup
+# Depending on whether sys-usb is disposable or not, we want to
+# modify different qubes. If sd-fedora-dvm will only be
+# created by sd-sys-vms.sls if sys-usb is disposable.
+{% if grains['osrelease'] == '4.1' and salt['pillar.get']('qvm:sys-usb:disposable', true) %}
+  sd-fedora-dvm:
+{% else %}
   sys-usb:
+{% endif %}
     - sd-usb-autoattach-add
   sd-log:
     - sd-logging-setup

diff --git a/scripts/provision-all b/scripts/provision-all
@@ -30,4 +30,8 @@ echo "Provision all SecureDrop Workstation VMs with service-specific configs"
 sudo qubesctl --show-output --max-concurrency "$max_concurrency" --skip-dom0 --targets "$all_sdw_vms_target" state.highstate
 
 echo "Add SecureDrop export device handling to sys-usb"
-sudo qubesctl --show-output --skip-dom0 --targets sys-usb state.highstate
+# If sd-fedora-dvm exists it's because salt determined that sys-usb was disposable
+qvm-check --quiet sd-fedora-dvm 2> /dev/null && \
+  sudo qubesctl --show-output --skip-dom0 --targets sd-fedora-dvm state.highstate && \
+  qvm-shutdown --wait sys-usb && qvm-start sys-usb || \
+  sudo qubesctl --show-output --skip-dom0 --targets sys-usb state.highstate
diff --git a/tests/test_qubes_vms.py b/tests/test_qubes_vms.py
@@ -23,14 +23,22 @@ def test_current_fedora_for_sys_vms(self):
         """
         sys_vms = ["sys-firewall", "sys-net", "sys-usb", "default-mgmt-dvm"]
         sys_vms_maybe_disp = ["sys-firewall", "sys-usb"]
+        sys_vms_custom_disp = ["sys-usb"]
 
         for sys_vm in sys_vms:
             vm = self.app.domains[sys_vm]
-            wanted_template = CURRENT_FEDORA_TEMPLATE
+            wanted_templates = [CURRENT_FEDORA_TEMPLATE]
             if get_qubes_version() == "4.1" and sys_vm in sys_vms_maybe_disp:
-                wanted_template += "-dvm"
-            self.assertEqual(
-                vm.template.name, wanted_template, "Unexpected template for {}".format(sys_vm)
+                if sys_vm in sys_vms_custom_disp:
+                    wanted_templates.append("sd-fedora-dvm")
+                else:
+                    wanted_templates.append(CURRENT_FEDORA_TEMPLATE + "-dvm")
+
+            self.assertTrue(
+                vm.template.name in wanted_templates,
+                "Unexpected template for {}\n".format(sys_vm)
+                + "Current: {}\n".format(vm.template.name)
+                + "Expected: {}".format(", ".join(wanted_templates)),
             )
 
     def test_current_whonix_vms(self):

diff --git a/tests/vars/qubes-rpc-41.yml b/tests/vars/qubes-rpc-41.yml
@@ -52,11 +52,6 @@
 
     $anyvm	dom0	allow
 
-- policy: securedrop.Log
-  starts_with: |-
-    @tag:sd-workstation sd-log allow
-    @anyvm @anyvm deny
-
 - policy: securedrop.Proxy
   starts_with: |-
     sd-app sd-proxy allow
@@ -98,6 +93,10 @@
 
 - policy: /etc/qubes/policy.d/60-securedrop-workstation.policy
   starts_with: |-
+    # required to suppress unsupported loopback error notifications
+    securedrop.Log          *           sd-log sd-log deny notify=no
+    securedrop.Log          *           @tag:sd-workstation sd-log allow
+
     qubes.Filecopy          *           sd-log @default ask
     qubes.Filecopy          *           sd-log @tag:sd-receive-logs ask
     qubes.Filecopy          *           sd-proxy @tag:sd-client allow
@@ -108,6 +107,8 @@
 
 - policy: /etc/qubes/policy.d/70-securedrop-workstation.policy
   starts_with: |-
+    securedrop.Log          *           @anyvm @anyvm deny
+
     qubes.FeaturesRequest   *           @anyvm @tag:sd-workstation deny
     qubes.FeaturesRequest   *           @tag:sd-workstation @anyvm deny