Context Navigation

← Previous Change
Wiki History
Next Change →

Changes between Version 3 and Version 4 of Qfilecopy

Timestamp:: Aug 30, 2011 1:38:27 PM (21 months ago)
Author:: rafal
Comment:: --

Legend:

: Unmodified
: Added
: Removed
: Modified

Qfilecopy

-                      v3
+                      v4
  * security - VM kernel parses partition table and filesystem metadata from the block device; they are controlled by (potentially untrusted) sender VM.
+The current solution is based on the "qrexec" mechanism. Dom0 can call //qrexec_client//
+program, which will execute a given program in a given VM, passing
+stdin/stdout/stderr/exit code over vchan connection; possibly attaching the
+remote stdin/stdout to a local program. In the latter case, the syntax is
+//qrexec_client peer_vm command_in_vm -l command_in_dom0//
+In Qubes Beta1, we have reimplemented interVM file copy using qrexec, which addresses the
+abovementioned disadvantages. In Qubes Beta2, even more generic solution (qubes rpc) is used. See the developer docs on qrexec and qubes rpc. In a nutshell, the file sender and the file receiver just read/write from stdin/stdout, and the qubes rpc layer passes data properly - so, no block devices are used.
-In order to support qrexec, there are two permanent processes: //qrexec-daemon//
-in dom0 and //qrexec-agent// in VM, connected over vchan. These processes are
-started when a domain is created. All data exchanged by pairs of processes
-created by //qrexec_client DestVM command_in_vm// pass via the vchan
-connecting qrexec-daemon and qrexec-agent.
 The //qvm-run// tool has been adapted to use qrexec functionality. See //qvm-run --help// for syntax.
+The rpc action for regular file copy is //qubes.Filecopy//, the rpc client is named //qfile-agent//, the rpc server is named //qfile-unpacker//. For DispVM copy, the rpc action is //qubes.OpenInVM//, the rpc client is named //qopen-in-vm//, rpc server is named //vm-file-editor//. Note that the qubes.OpenInVM action can be done on a normal AppVM, too.
+Notably, qrexec-agent possess ability to signal its
+qrexec-daemon peer to execute a predefined command. This way, VM-side code
+can initiate setup of //vm process <-> vchan <-> dom0 process// structure. As
+the range of dom0 commands will be predefined, there is no "arbitrary code
+execution" vulnerability here.
+In Qubes Beta1, we have reimplemented interVM file copy using qrexec, which addresses the
+abovementioned disadvantages.
+Note, the qrexec mechanism works over vchan, and vchan is a channel between
+VM and dom0 (not between two VMs). We could imagine vchan extension, in
+which instead of using facilities available for dom0 only (like
+//xc_map_foreign_range//), the channel would be set up over granted pages,
+between two AppVMs.
+Reimplementing vchan this way is nontrivial. Also, it creates some security
+design questions; currently, everything is mediated via dom0, which has the
+ability to allow/deny communication, possibly asking user via dialog popups.
+== Regular file copy ==
+"Regular" file is implemented as follows:
+ * in srcVM, qvm-copy-to-vm utility
+   * stores the information on the files_to_be_copied to `~/.filecopyspool` directory
+   * tells //qrexec-agent// (by writing to its command fifo) to send `EXECUTE_FILE_COPY` command to qrexec-daemon
+ * //qrexec-daemon// sees `EXECUTE_FILE_COPY` command, executes (predefined) [[br]] //qrexec_client srcVM qfile-agent -l qfile-daemon//
+ * qfile-agent inspects `~/.filecopyspool`, sees the description about the file copy request. //qfile-agent// walks the directory tree, sends destination vmname, sends file metadata and data, then exits
+ * qfile-daemon gets the first 32 characters from stdin (copy destination vmname), then executes (execve, really turn into new process) [[br]] //qrexec_client dstVM qfile-unpacker// [[br]] At this point, two //qrexec_client// processes running in dom0 just pass data between srcVM and dstVM. When the one connected to srcVM sees incoming EOF, it just closes input to the other qrexec_client.
+[[Image(htdocs:../../../site/filecopy.png)]]
+Note that //qfile-unpacker// must be coded securely, as it processes potentially
+Being a rpc server, //qfile-unpacker// must be coded securely, as it processes potentially
 untrusted data format. Particularly, we do not want to use external tar or
 cpio and be prone to all vulnerabilities in them; we want a
 …
 has ca 100 lines of code and executes chrooted to the destination directory. The latter is hardcoded to `~user/incoming/srcVM`; because of chroot, there is no possibility to alter files outside of this directory.
-== DispVM file copy ==
-DispVM copy is implemented as follows:
- * in source_VM, //qvm-open-in-dvm// utility
-  * stores the information on file_to_be_edited in `~/.dvmspool` directory
-  * tells //qrexec-agent// (by writing to qrexec-agent command fifo) to send `EXECUTE_FILE_COPY_FOR_DISPVM` command to //qrexec-daemon//
- * qrexec-daemon sees `EXECUTE_FILE_COPY_FOR_DISPVM` command, executes [[br]] //qrexec_client srcVM qfile-agent-dvm -l qfile-daemon-dvm//
- * //qfile-agent-dvm// inspects `~/.dvmspool`, sees the description about file_to_be_edited, sends data about it to its peer, closes stdout
- * //qfile-daemon-dvm// creates DispVM, then forks [[br]] //qrexec_client DispVM dvm_file_editor// [[br]] at this point, two qrexec_client processes running in dom0 just pass data between srcVM and DispVM. //qfile-daemon-dvm// just waits for its child qrexec_client process termination.
- * //dvm_file_editor// gets file contents (end of transfer signalled by EOF), spawns mime handler;  if the file has changed, sends modified file to its stdout, closes stdout
- * the response from //dvm_file_editor// (terminated by EOF) is passed (via two qrexec_client processes in dom0) to //qfile-agent-dvm//. When //qfile-daemon-dvm// sees its child qrexec_client has exited (because of EOFs in both directions), it kills DispVM.
- * //qfile-agent-dvm// retrieves response (terminated by EOF), if nonempty, it updates the edited file.
-[[Image(htdocs:../../../site/dvmcopy.png)]]