Periodically (every 10s) check if connection is still alive, otherwise
killing remote domain (as it's the case of DispVM) will hang client
side.
(cherry picked from commit 5f81f0486d)
With the old code the addrlen argument were uninitialized on the first
call resulting in errors depending on the compiler behavior.
(cherry picked from commit f4c402e7c7)
Add an option for custom vchan buffer size, to override default 64k (for
each direction). This is especially useful when the other side of
connection is MirageOS based, because of limited memory and default
grant table size (128 entries).
(cherry picked from commit 4a09023451)
Previously the script was called through shell as:
execl(shell, "-sh", "-c", "/usr/lib/qubes/qubes-rpc-multiplexer
...", 0);
This tells the shell to load login scripts, including /etc/profile.
Since 5512e4eada this is no longer the
case and the script is called directly. Since most services do expect
proper user session initialized (/etc/profile loaded etc), adjust the
script's shebang to behave like a login shell and load those startup
scripts.
FixesQubesOS/qubes-issues#3615
(cherry picked from commit f0b057479e)
This avoids duplicating service call parsing in multiple places.
Further improvements to that code (like avoid using shell) can be
implemented in one place.
(cherry picked from commit 5512e4eada)
(cherry picked from commit 475421b2e2)
Apparently some of this commit got reverted during cleanup before
Qubes 3.0 release.
(cherry picked from commit f49042211b)
When qrexec-client-vm is started with socket on its stdout and no local
process requested, it will try to shutdown(SHUT_WR) this socket when
remote process exists. This is wrong, because this socket may be still
needed by other processes (for example shell from where qrexec-client-vm
was called).
In such a case, simple close() should be used.
(cherry picked from commit 6bddcfcb52)
1. If local process is started, report its exit code, instaed of remote
one. To get remote exit code, simply start qrexec-client-vm without
third argument (and connect its stdin/stdout with the other process some
other way).
2. Report process terminated by signal.
Don't pretend that process terminated by signal finished successfuly.
Copy shell behaviour of reporting it as 128+signum.
3. Do not wait() for any child process, just the one we expect. In case
of qrexec-client-vm the child process is started differently and
wait()ing on it inside main loop would break its exit code reporting.
FixesQubesOS/qubes-issues#2861
(cherry picked from commit ea0cd0fdc3)
Exit code 1 is very common in all kind of programs, including qrexec
services, so it is hard to distinguish remote failure from service call
refusal. Use something from top of the range here (but not 127, as it is
commonly used to report "Command not found")
QubesOS/qubes-issues#2861
(cherry picked from commit d2aa21625c)
Always set QREXEC_AGENT_PID variable, setup SIGUSR1 handler. And do that
before starting child process to avoid race conditions.
Required for QubesOS/qubes-issues#
FixesQubesOS/qubes-issues#1863
In case of some services it makes much sense for caller to receive also
stderr in addition to stdout. For example:
- qubes.VMShell (stderr required for salt-ssh over qrexec)
- qubes.OpenInVM - especially when called to DispVM - otherwise
diagnosing errors can be hard
And generally all sort of error reporting (the purpose of stderr). It
would ease debugging - instead of message "error occurred, check here and
there for more details", it could be "error occurred: the reason".
FixesQubesOS/qubes-issues#1808
Implement one of TODOs left in the code. Without this buffering, it may
happen that qrexec-agent will hang waiting on write(2) to the child
process, while that child will do the same (try to write something to
the qrexec-agent), without reading its stdin. This would end up in a
deadlock.
FixesQubesOS/qubes-issues#1347
This will ensure that the child process will receive info that the
connection is closed. Otherwise it could hang on write() or in some
cases read() - on its stdin/stdout.
Thanks @adrelanos for help with debugging.
It should be remote process exit code, not the local one.
Also do not 'return' from the middle of the look, just use 'break' to
execute common cleanup code (which will be introduced in next commit).
Simply forget about that connection, instead of waiting for further
messages. If that connection is no longer available, select would return
EBADF, which would cause qrexec-agent termination.
/usr/local resides in private.img, so it is possible to define per-appvm RPC
Also, with the upcoming 3.0 release support for old (R1) paths is
removed.
In case of remote process exit even when some messages are still
waiting, vchan connection can be already closed. If we try to send some
data in this case (for example stdout of local process), there will be
an error, which will terminate qrexec-client-vm/qrexec-agent child. So
first check vchan data (where could be MSG_EXIT_CODE queued) , then
local process.
There is still some race condition in this code - remote process could
exit just after we check vchan, but before we send some data. But this
is much less probable and in the worst case we only loose remote process
exit code.
Child process can request to use single socket for both stdin and
stdout by sending SIGUSR1 signal. If it does so twice or more, previous
code broke the connection by closing the socket.
This doesn't cover all the cases, because local process could want to
receive that value (currently it cant), but I can't think of any simple,
*compatible* way to pass it there.
This way qrexec-client-vm will have much more information, at least:
- will know whether the service call was accepted or refused
- potentially will know remote process exit code
This commit implements the first point - the local process will not be
started if service call was refused.
This process should be started from user session (most likely
qubes-session). New processes (of that user) will be created as
children of that session making logind and such crap happy. This should
also solve problems with EOF transmission (no additional "su" process)
and prevent loading all the environment multiple times.
Move (qrexec-agent version of) do_exec to qrexec-agent.c, move
handle_handshake to qrexec-agent-data.c (common to all agent binaries).
Fix indentation (tabs -> spaces).
The main advantage is possible use of single socket for both stdin and
stdout. This is strictly required for using USBIP over qrexec.
For compatibility qrexec still creates three socket pairs (instead of
pipes) for stdin/out/err respectively. When qrexec-agent receives
SIGUSR1, it will close stdout socket and use stdin socket for both
directions.
Some additional work is needed here to actually allow child process to
send that signal - qrexec is running as root, but child as "user" in
most cases.
