@fepitre
Last active September 11, 2022 10:54
Qubes OS Summit 2022: qrexec over network (Proof of concept)

qrexec over network (Proof of concept)

Joint work for the Qubes OS Summit 2022:

  • Simon Gaiser (@HW42)
  • Frédéric Pierret (@fepitre)

Setup

Architecture

List of AppVMs:

  • Qubes OS Host 1:

    • personal
    • proxy1 (192.168.0.1)
  • Qubes OS Host 2:

    • proxy2 (192.168.0.2)
    • work

Connection scheme:

personal --QREXEC--> proxy1 --SSH--> proxy2 --QREXEC--> work

Custom RPC: forwarding script

In proxy1:

/usr/local/etc/qubes-rpc/qrexec.Proxy:

#!/bin/bash
# qrexec.Proxy service: forward a qrexec call to a qube on the other host.
# The service argument (everything after the '+' in qrexec.Proxy+...) has the
# form <destvm>@<service><argument>, as built by the patched policy parser.

set -xe

args="$1"

# Split at the first '@': destination qube on host 2, then service (with argument).
target="${args%%@*}"
service="${args#*@}"

# Re-issue the call from proxy2 on host 2; host 2's own policy decides whether
# proxy2 may call that service in the destination qube.
ssh user@192.168.0.2 qrexec-client-vm "$target" "$service"

Example call: qvm-copy from personal (host1) to work (host2)

qvm-copy-to-vm @proxy:proxy1:work myAwesomeFile

RPC policy

In host 1, /etc/qubes/policy.d/50-qubes-air.policy:

qrexec.Proxy    * personal proxy1 allow

In host 2, /etc/qubes/policy.d/50-qubes-air.policy:

qubes.Filecopy  * proxy2   work   allow
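The following is an added example, not code from the gist or from qubes-core-qrexec. It models the whole round trip of the forwarding scheme above in Python: the host-1 rewrite of a "@proxy:<proxyvm>:<destvm>" target into a qrexec.Proxy call (as the patch below does), the decoding of the forwarded argument that the proxy1 script performs, the ssh command line it would run, and which of the two policy lines is consulted on each host. The VM-name regex, the simplified policy matcher and the input validation are assumptions of this example; qrexec's real validation and policy engine are not reproduced.

```python
"""Round trip of the @proxy target rewriting used by the PoC (added example)."""
import re

PROXY_PREFIX = "@proxy:"
PROXY_SERVICE = "qrexec.Proxy"

# Assumed VM-name syntax for this example (qrexec's own validation is not reproduced).
_VM_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]*$")


def rewrite_proxy_request(service, target, argument):
    """Host 1 (policy parser side): rewrite a request whose target is
    '@proxy:<proxyvm>:<destvm>' into a qrexec.Proxy call to <proxyvm> whose
    service argument carries '+<destvm>@<service><argument>'.
    Requests for ordinary targets are returned unchanged."""
    if not target.startswith(PROXY_PREFIX):
        return service, target, argument
    if not argument or argument[0] != "+":
        raise ValueError("qrexec argument must start with '+'")
    parts = target.split(":")
    if len(parts) != 3 or not all(_VM_NAME.match(p) for p in parts[1:]):
        raise ValueError(f"bad proxy target {target!r}, expected @proxy:<proxyvm>:<destvm>")
    _, proxyvm, destvm = parts
    if "@" in service or "+" in service:
        # '@' and '+' are the separators of the forwarded argument
        raise ValueError(f"service name {service!r} cannot be forwarded")
    return PROXY_SERVICE, proxyvm, "+" + destvm + "@" + service + argument


def parse_forwarded_argument(arg):
    """proxy1 side: the qrexec.Proxy script receives '<destvm>@<service><argument>'
    (qrexec has already stripped the leading '+') and splits it at the first '@'."""
    destvm, sep, service = arg.partition("@")
    if not sep or not _VM_NAME.match(destvm) or not service:
        raise ValueError(f"malformed forwarded argument {arg!r}")
    return destvm, service


def remote_argv(arg, proxy_ssh="user@192.168.0.2"):
    """The command the proxy1 script runs for a forwarded argument."""
    destvm, service = parse_forwarded_argument(arg)
    return ["ssh", proxy_ssh, "qrexec-client-vm", destvm, service]


# The two policy lines from the gist, one per host: (service, source, target, action).
HOST1_POLICY = [("qrexec.Proxy", "personal", "proxy1", "allow")]
HOST2_POLICY = [("qubes.Filecopy", "proxy2", "work", "allow")]


def policy_action(policy, service, source, target):
    """First matching rule wins; no match means deny.  Simplified model of the
    real policy engine: exact matches only, no argument wildcards or '@' tokens."""
    for rule_service, rule_source, rule_target, action in policy:
        if (rule_service, rule_source, rule_target) == (service, source, target):
            return action
    return "deny"


def trace_copy(service="qubes.Filecopy", source="personal",
               target="@proxy:proxy1:work", argument="+"):
    """Follow `qvm-copy-to-vm @proxy:proxy1:work myAwesomeFile` across both hosts
    and report what each host's policy actually evaluates."""
    svc1, tgt1, arg1 = rewrite_proxy_request(service, target, argument)
    host1 = policy_action(HOST1_POLICY, svc1, source, tgt1)
    argv = remote_argv(arg1[1:])
    destvm, remote_service = parse_forwarded_argument(arg1[1:])
    remote_service_name = remote_service.split("+", 1)[0]
    host2 = policy_action(HOST2_POLICY, remote_service_name, "proxy2", destvm)
    return {
        "host1": (svc1, source, tgt1, host1),
        "argv": argv,
        "host2": (remote_service_name, "proxy2", destvm, host2),
    }


if __name__ == "__main__":
    for key, value in trace_copy().items():
        print(key, value)
```

Running `trace_copy()` makes the trust boundary visible: host 1 only ever evaluates `qrexec.Proxy personal -> proxy1`, while the decision about `qubes.Filecopy` is taken on host 2 for the `proxy2 -> work` pair, so the original source qube is no longer part of the second decision.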

Modified code for qubes-core-qrexec

On host1 only, located at /usr/lib/python3.8/site-packages/qrexec/policy/parser.py:

diff --git a/qrexec/policy/parser.py b/qrexec/policy/parser.py
index c8c1062..a6c154e 100644
--- a/qrexec/policy/parser.py
+++ b/qrexec/policy/parser.py
@@ -800,6 +800,22 @@ class Request:
         ask_resolution_type=AskResolution
     ):
 
+        logging.critical("BEFORE")
+        logging.critical(service)
+        logging.critical(target)
+        logging.critical(argument)
+
+        if target.startswith("@proxy"):
+            _, proxyvm, destvm = target.split(':')
+            target = proxyvm
+            argument = "+" + destvm + '@' + service + argument
+            service = f"qrexec.Proxy"
+
+        logging.critical("AFTER")
+        logging.critical(service)
+        logging.critical(target)
+        logging.critical(argument)
+
         if target == "":
             target = "@default"
         assert argument and argument[0] == "+"
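Review bot: the rewrite at `if target.startswith("@proxy"):` replaces `service` with `qrexec.Proxy` before the policy lookup, so host 1 only ever evaluates `qrexec.Proxy * personal proxy1 allow` and never checks whether the source qube may call the original service (`qubes.Filecopy` here) at all; any service name and any destination qube carried in `target` are forwarded, and the only remaining check is host 2's `proxy2 -> destvm` rule. Consider evaluating the original `service`/`destvm` pair on host 1 before rewriting, or at least restricting `qrexec.Proxy` by its argument. Smaller points in the same hunk: `_, proxyvm, destvm = target.split(':')` raises `ValueError` for anything other than exactly three fields (`@proxy:a` or `@proxy:a:b:c`), so validate the split and return a proper policy error; `startswith("@proxy")` also matches unrelated names such as `@proxyfoo`, so match on `"@proxy:"`; `f"qrexec.Proxy"` is an f-string with no placeholders; and the eight `logging.critical` lines dump service, target and argument of every request at critical level, so drop them or move them to `debug` before this leaves the PoC stage.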