Configures per-source DispVMs

See discussion in #333
freedomofpress · Mar 4, 2021 · 9db728f · 9db728f
1 parent bdd07b2
commit 9db728f
Show file tree

Hide file tree

Showing 5 changed files with 41 additions and 0 deletions.
diff --git a/MANIFEST.in b/MANIFEST.in
@@ -9,6 +9,7 @@ include dom0/securedrop-login
 include dom0/securedrop-launcher.desktop
 include dom0/securedrop-handle-upgrade
 include dom0/securedrop-check-migration
+include dom0/securedrop.CreateSourceDispVM
 include dom0/update-xfce-settings
 include config.json.example
 include README.md

diff --git a/dom0/sd-dom0-qvm-rpc.sls b/dom0/sd-dom0-qvm-rpc.sls
@@ -51,6 +51,7 @@ dom0-rpc-qubes.OpenInVM:
     - content: |
         @tag:sd-client @dispvm:sd-viewer allow
         @tag:sd-client sd-devices allow
+        @tag:sd-client @tag:sd-viewer-dvm allow
         sd-devices @dispvm:sd-viewer allow
         @anyvm @tag:sd-workstation deny
         @tag:sd-workstation @anyvm deny

diff --git a/dom0/sd-viewer.sls b/dom0/sd-viewer.sls
@@ -41,3 +41,20 @@ sd-viewer-default-dispvm:
     - name: qubes-prefs default_dispvm sd-viewer
     - require:
       - qvm: sd-viewer
+
+# Allow any SecureDrop VM to log to the centralized log VM
+sd-viewer-dom0-securedrop.CreateSourceDispVM:
+  file.prepend:
+    - name: /etc/qubes-rpc/policy/securedrop.CreateSourceDispVM
+    - text: |
+        @tag:sd-client dom0 allow
+        @anyvm @anyvm deny
+
+# Script to handle opening per-source DispVM
+sd-viewer-dom0-per-source-dispvm-script:
+  file.managed:
+    - name: /etc/qubes-rpc/securedrop.CreateSourceDispVM
+    - source: salt://sd/securedrop.CreateSourceDispVM
+    - user: root
+    - group: root
+    - mode: 0755
diff --git a/dom0/securedrop.CreateSourceDispVM b/dom0/securedrop.CreateSourceDispVM
@@ -0,0 +1,21 @@
+#!/bin/sh
+# Create to @deeplow, see discussion in 
+#  https://github.com/freedomofpress/securedrop-workstation/issues/333#issuecomment-789562152
+# Content slightly modified from original.
+
+# TODO Fully sanitize this $1 parameter to make sure it is only a source's code
+# name and nothing else. Otherwise sd-app we will have an RCE in dom0
+#
+# TODO Script should read from stdin, not handle args.
+
+if [ -z "$1" ]; then
+    # This service requires an argument
+    exit 1
+fi
+
+# create a named disposable VM with the and set it to autodestroy once shut down
+/usr/bin/qvm-create --class DispVM sd-viewer-$1 --template=sd-viewer \
+--label=red --property auto_cleanup=True
+
+# Give it a tag so we can target the policy from sd-app onto this new VM
+/usr/bin/qvm-tags sd-viewer-$1 set sd-viewer-dvm
diff --git a/rpm-build/SPECS/securedrop-workstation-dom0-config.spec b/rpm-build/SPECS/securedrop-workstation-dom0-config.spec
@@ -64,6 +64,7 @@ install -m 644 dom0/securedrop-login %{buildroot}/srv/salt/
 install -m 644 dom0/securedrop-launcher.desktop %{buildroot}/srv/salt/
 install -m 755 dom0/securedrop-check-migration %{buildroot}/srv/salt/
 install -m 755 dom0/securedrop-handle-upgrade %{buildroot}/srv/salt/
+install -m 755 dom0/securedrop.CreateSourceDispVM %{buildroot}/srv/salt/sd/
 install -m 755 dom0/update-xfce-settings %{buildroot}/srv/salt/
 install -m 755 scripts/sdw-admin.py %{buildroot}/%{_bindir}/sdw-admin
 install -m 644 sd-app/* %{buildroot}/srv/salt/sd/sd-app/