Opened 13 months ago
Closed 13 months ago
#530 closed defect (fixed)
GUID: display message to the user if one of the VERIFY macro fails
| Reported by: | joanna | Owned by: | marmarek |
|---|---|---|---|
| Priority: | major | Milestone: | Release 1 |
| Component: | gui-virtualization | Keywords: | |
| Cc: | marmarek |
Description
... rather than silently exit()ing the guid.
Include as much info about the situation that casued this (window name, which VERIFY macro failed, what where the actual values), as possible.
Change History (19)
comment:1 Changed 13 months ago by marmarek
- Owner changed from rafal to marmarek
- Status changed from new to accepted
comment:2 Changed 13 months ago by marmarek
comment:3 Changed 13 months ago by marmarek
- Resolution set to fixed
- Status changed from accepted to closed
comment:4 Changed 13 months ago by joanna
- Resolution fixed deleted
- Status changed from closed to reopened
This doesn't work!
handle_configure_from_vm, local 0x2e00010 remote 0x18000ec, 421/3851, was 421/900, ovr=1, xy 1179/-3637, was 0/0
sh: -c: line 0: syntax error near unexpected token `('
sh: -c: line 0: `kdialog --yesnocancel 'VMapp "rflab" has sent invalid message, it shouldn't normally happend. Condition: (int) untrusted_conf.y >= -g->root_height && (int) untrusted_conf.y <= 2 * g->root_height. Do you want to terminate this VM immediately? "No" will terminate only GUI daemon, cancel will just ignore this message''
release_all_mapped_mfns running
comment:5 Changed 13 months ago by marmarek
- Status changed from reopened to accepted
comment:6 Changed 13 months ago by joanna
Now (2.0.4) I can see the dialog window, but... it's essentially useless, as I cannot cancel it, because immediately after I click Cancel, a new window appears asking about the same...
Besides, the message in the dialogue box should be:
The domain $(vmname) attempted to perform an invalid or suspicious GUI request. This might be a sign that the domain has been compromised and is attempting to compromise the GUI daemon (Dom0 domain). In rare cases, however, it might be possible that a legitimate application trigger such condition (check the guid logs for more information). Click "Terminate" to terminate this domain immediately, or "Ignore" to ignore this condition check and allow the GUI request to proceed, or "Ignore All" to ignore all further checks for this condition.
Buttons:
1) Terminate (default)
2) Ignore
3) Ignore All
comment:7 Changed 13 months ago by marmarek
"Ignore All" isn't trivial to implement. Should I do it at price of some complexity in security sensitive code?
PS Cancel action already fixed, but not pushed yet.
comment:8 Changed 13 months ago by joanna
Ok, let's skip the Ignore All button for now. Let's see how this will work out after we remove this one "stupid" check...
comment:9 Changed 13 months ago by marmarek
- Resolution set to fixed
- Status changed from accepted to closed
comment:10 Changed 13 months ago by joanna
- Resolution fixed deleted
- Status changed from closed to reopened
Hehe, still doesn't work:
Verify failed: (int) untrusted_shmcmd->width < 4096 && (int) untrusted_shmcmd->height < 3072 kdialog: Unknown option '-label'. kdialog: Use --help to get a list of available command line options. Problems executing kdialog ?
comment:11 Changed 13 months ago by marmarek
Ah, we have to old version of kdialog in dom0, which doesn't support button label changing (in opposite to version provided by FC14, which supports it).
So we have two generic options (marked default choice): Yes/*No* or *Continue*/Cancel.
Which option use?
comment:12 Changed 13 months ago by joanna
I think Continue/Cancel? is more descriptive, than Yes/No? (of course, nobody will read the text in dialog, right? ;)
comment:13 Changed 13 months ago by marmarek
It has continue as default option... of course it will be the user fault if it choose "continue" for really malicious operation.
comment:14 Changed 13 months ago by joanna
:/ Can we set "Cancel" as default?
comment:15 Changed 13 months ago by marmarek
Not in this version of kdialog...
BTW I've just found that kdialog supports "do not ask again" feature, which can be easily used here (instead of "Ignore All" button). Check:
kdialog --dontagain qubes-guid-vmname:verify-condition --warningyesno "text"
If user checks "do not again option", future kdialog calls (with the same ID passed to --dontagain option) silently respond with saved choice.
comment:16 Changed 13 months ago by marmarek
So maybe we should use Yes/No? version (which has "No" as default) with question like "Do you allow this VM to continue running?" or sth like this?
comment:17 Changed 13 months ago by joanna
Aha, co "NO", can be set as a default, but "Cancel" not? Well, ok then.
comment:18 Changed 13 months ago by marmarek
There are hardcoded defaults for each dialog type (at lest in this version of kdialog)...
comment:19 Changed 13 months ago by marmarek
- Resolution set to fixed
- Status changed from reopened to closed
The only sensible information available for VERIFY is VM name, especially not every message is about specific window (eg clipboard copy). Anyway trusting any value (eg window XID, to get window name from Xorg) in message _detected as malicious_ isn't good idea.
Of course failed condition will be included in message.