Skip to content

Notify users on clipboard paste denied by policies #165

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 5, 2025
Merged

Notify users on clipboard paste denied by policies #165

merged 1 commit into from
Jul 5, 2025

Conversation

@alimirjamali
Copy link
Contributor

@alimirjamali alimirjamali commented Jun 25, 2025

This was referenced Jun 27, 2025
Open
Merged
Merged
Merged
@qubesos-bot
Copy link

qubesos-bot commented Jun 27, 2025
edited
Loading

OpenQA test summary

Complete test suite and dependencies: https://openqa.qubes-os.org/tests/overview?distri=qubesos&version=4.3&build=2025070405-4.3&flavor=pull-requests

Test run included the following:

New failures, excluding unstable

Compared to: https://openqa.qubes-os.org/tests/overview?distri=qubesos&version=4.3&build=2025061004-4.3&flavor=update

  • system_tests_pvgrub_salt_storage

  • system_tests_kde_gui_interactive

    • kde_install: wait_serial (wait serial expected)
      # wait_serial expected: qr/1YA~i-\d+-/...

    • kde_install: Failed (test died + timed out)
      # Test died: command '(set -o pipefail; sudo qubes-dom0-update -y k...

  • system_tests_guivm_vnc_gui_interactive

    • guivm_startup: unnamed test (unknown)
    • guivm_startup: Failed (test died)
      # Test died: no candidate needle with tag(s) 'desktop' matched...

  • system_tests_qwt_win10_seamless@hw13

    • windows_clipboard_and_filecopy: unnamed test (unknown)
    • windows_clipboard_and_filecopy: Failed (test died)
      # Test died: no candidate needle with tag(s) 'windows-Edge-address-...

  • system_tests_qwt_win11@hw13

    • windows_install: wait_serial (wait serial expected)
      # wait_serial expected: qr/dcWzE-\d+-/...

    • windows_install: Failed (test died + timed out)
      # Test died: command 'script -e -c 'bash -x /usr/bin/qvm-create-win...

  • system_tests_basic_vm_qrexec_gui_xfs

    • TC_20_NonAudio_whonix-gateway-17-pool: test_012_qubes_desktop_run (error)
      subprocess.CalledProcessError: Command 'qubes.WaitForSession' retur...

Failed tests

15 failures

  • system_tests_pvgrub_salt_storage

  • system_tests_splitgpg

  • system_tests_extra

    • TC_00_QVCTest_whonix-workstation-17: test_010_screenshare (failure)
      AssertionError: 1 != 0 : Timeout waiting for /dev/video0 in test-in...

  • system_tests_kde_gui_interactive

    • kde_install: wait_serial (wait serial expected)
      # wait_serial expected: qr/1YA~i-\d+-/...

    • kde_install: Failed (test died + timed out)
      # Test died: command '(set -o pipefail; sudo qubes-dom0-update -y k...

  • system_tests_guivm_vnc_gui_interactive

    • guivm_startup: unnamed test (unknown)
    • guivm_startup: Failed (test died)
      # Test died: no candidate needle with tag(s) 'desktop' matched...

  • system_tests_qwt_win10_seamless@hw13

    • windows_clipboard_and_filecopy: unnamed test (unknown)
    • windows_clipboard_and_filecopy: Failed (test died)
      # Test died: no candidate needle with tag(s) 'windows-Edge-address-...

  • system_tests_qwt_win11@hw13

    • windows_install: wait_serial (wait serial expected)
      # wait_serial expected: qr/dcWzE-\d+-/...

    • windows_install: Failed (test died + timed out)
      # Test died: command 'script -e -c 'bash -x /usr/bin/qvm-create-win...

  • system_tests_basic_vm_qrexec_gui_xfs

    • TC_20_NonAudio_whonix-gateway-17-pool: test_012_qubes_desktop_run (error)
      subprocess.CalledProcessError: Command 'qubes.WaitForSession' retur...

Fixed failures

Compared to: https://openqa.qubes-os.org/tests/142375#dependencies

11 fixed

  • system_tests_splitgpg

  • system_tests_extra

  • system_tests_kde_gui_interactive

    • gui_keyboard_layout: wait_serial (wait serial expected)
      # wait_serial expected: "echo -e '[Layout]\nLayoutList=us,de' | sud...

    • gui_keyboard_layout: Failed (test died)
      # Test died: command 'test "$(cd ~user;ls e1*)" = "$(qvm-run -p wor...

  • system_tests_guivm_vnc_gui_interactive

    • simple_gui_apps: unnamed test (unknown)
    • simple_gui_apps: Failed (test died)
      # Test died: no candidate needle with tag(s) 'vm-settings-applicati...

  • system_tests_audio

Unstable tests

Performance Tests

Performance degradation:

5 performance degradations
  • debian-12-xfce_exec-data-duplex-root: 89.40 🔺 ( previous job: 70.01, degradation: 127.70%)
  • whonix-gateway-17_socket: 9.08 🔺 ( previous job: 7.85, degradation: 115.67%)
  • whonix-workstation-17_exec-data-duplex-root: 101.77 🔺 ( previous job: 86.00, degradation: 118.33%)
  • dom0_root_rnd4k_q1t1_read 3:read_bandwidth_kb: 8613.00 :small_red_triangle: ( previous job: 11086.00, degradation: 77.69%)
  • dom0_root_rnd4k_q1t1_write 3:write_bandwidth_kb: 675.00 :small_red_triangle: ( previous job: 1840.00, degradation: 36.68%)

Remaining performance tests:

67 tests
  • debian-12-xfce_exec: 8.04 🟢 ( previous job: 8.63, improvement: 93.15%)
  • debian-12-xfce_exec-root: 28.87 🟢 ( previous job: 29.44, improvement: 98.07%)
  • debian-12-xfce_socket: 8.84 🔺 ( previous job: 8.50, degradation: 103.99%)
  • debian-12-xfce_socket-root: 7.75 🟢 ( previous job: 8.31, improvement: 93.20%)
  • debian-12-xfce_exec-data-simplex: 69.47 🔺 ( previous job: 65.51, degradation: 106.04%)
  • debian-12-xfce_exec-data-duplex: 72.15 🟢 ( previous job: 73.55, improvement: 98.10%)
  • debian-12-xfce_socket-data-duplex: 163.46 🔺 ( previous job: 161.35, degradation: 101.31%)
  • fedora-42-xfce_exec: 9.06
  • fedora-42-xfce_exec-root: 58.04
  • fedora-42-xfce_socket: 8.13
  • fedora-42-xfce_socket-root: 8.35
  • fedora-42-xfce_exec-data-simplex: 66.32
  • fedora-42-xfce_exec-data-duplex: 74.35
  • fedora-42-xfce_exec-data-duplex-root: 110.92
  • fedora-42-xfce_socket-data-duplex: 148.60
  • whonix-gateway-17_exec: 7.91 🔺 ( previous job: 7.34, degradation: 107.78%)
  • whonix-gateway-17_exec-root: 42.06 🔺 ( previous job: 39.57, degradation: 106.28%)
  • whonix-gateway-17_socket-root: 8.01 🔺 ( previous job: 7.89, degradation: 101.48%)
  • whonix-gateway-17_exec-data-simplex: 77.58 🟢 ( previous job: 77.76, improvement: 99.76%)
  • whonix-gateway-17_exec-data-duplex: 77.39 🟢 ( previous job: 78.39, improvement: 98.73%)
  • whonix-gateway-17_exec-data-duplex-root: 99.31 🔺 ( previous job: 90.74, degradation: 109.45%)
  • whonix-gateway-17_socket-data-duplex: 168.37 🔺 ( previous job: 161.95, degradation: 103.97%)
  • whonix-workstation-17_exec: 7.96 🟢 ( previous job: 8.27, improvement: 96.19%)
  • whonix-workstation-17_exec-root: 56.28 🟢 ( previous job: 57.61, improvement: 97.70%)
  • whonix-workstation-17_socket: 9.47 🔺 ( previous job: 8.97, degradation: 105.61%)
  • whonix-workstation-17_socket-root: 8.27 🟢 ( previous job: 9.46, improvement: 87.46%)
  • whonix-workstation-17_exec-data-simplex: 65.28 🟢 ( previous job: 74.54, improvement: 87.58%)
  • whonix-workstation-17_exec-data-duplex: 77.86 🔺 ( previous job: 74.84, degradation: 104.04%)
  • whonix-workstation-17_socket-data-duplex: 159.67 🟢 ( previous job: 160.20, improvement: 99.67%)
  • dom0_root_seq1m_q8t1_read 3:read_bandwidth_kb: 475760.00 :green_circle: ( previous job: 289982.00, improvement: 164.07%)
  • dom0_root_seq1m_q8t1_write 3:write_bandwidth_kb: 215845.00 :green_circle: ( previous job: 101988.00, improvement: 211.64%)
  • dom0_root_seq1m_q1t1_read 3:read_bandwidth_kb: 96904.00 :green_circle: ( previous job: 14284.00, improvement: 678.41%)
  • dom0_root_seq1m_q1t1_write 3:write_bandwidth_kb: 45227.00 :green_circle: ( previous job: 32696.00, improvement: 138.33%)
  • dom0_root_rnd4k_q32t1_read 3:read_bandwidth_kb: 21250.00 :green_circle: ( previous job: 17102.00, improvement: 124.25%)
  • dom0_root_rnd4k_q32t1_write 3:write_bandwidth_kb: 3061.00 :green_circle: ( previous job: 1091.00, improvement: 280.57%)
  • dom0_varlibqubes_seq1m_q8t1_read 3:read_bandwidth_kb: 464177.00 :green_circle: ( previous job: 289182.00, improvement: 160.51%)
  • dom0_varlibqubes_seq1m_q8t1_write 3:write_bandwidth_kb: 117701.00 :small_red_triangle: ( previous job: 122848.00, degradation: 95.81%)
  • dom0_varlibqubes_seq1m_q1t1_read 3:read_bandwidth_kb: 438367.00 :green_circle: ( previous job: 433654.00, improvement: 101.09%)
  • dom0_varlibqubes_seq1m_q1t1_write 3:write_bandwidth_kb: 151628.00 :small_red_triangle: ( previous job: 167872.00, degradation: 90.32%)
  • dom0_varlibqubes_rnd4k_q32t1_read 3:read_bandwidth_kb: 103480.00 :small_red_triangle: ( previous job: 108760.00, degradation: 95.15%)
  • dom0_varlibqubes_rnd4k_q32t1_write 3:write_bandwidth_kb: 8902.00 :green_circle: ( previous job: 8874.00, improvement: 100.32%)
  • dom0_varlibqubes_rnd4k_q1t1_read 3:read_bandwidth_kb: 8277.00 :green_circle: ( previous job: 6356.00, improvement: 130.22%)
  • dom0_varlibqubes_rnd4k_q1t1_write 3:write_bandwidth_kb: 4528.00 :green_circle: ( previous job: 4420.00, improvement: 102.44%)
  • fedora-42-xfce_root_seq1m_q8t1_read 3:read_bandwidth_kb: 367019.00
  • fedora-42-xfce_root_seq1m_q8t1_write 3:write_bandwidth_kb: 298739.00
  • fedora-42-xfce_root_seq1m_q1t1_read 3:read_bandwidth_kb: 327475.00
  • fedora-42-xfce_root_seq1m_q1t1_write 3:write_bandwidth_kb: 122488.00
  • fedora-42-xfce_root_rnd4k_q32t1_read 3:read_bandwidth_kb: 83504.00
  • fedora-42-xfce_root_rnd4k_q32t1_write 3:write_bandwidth_kb: 4582.00
  • fedora-42-xfce_root_rnd4k_q1t1_read 3:read_bandwidth_kb: 7771.00
  • fedora-42-xfce_root_rnd4k_q1t1_write 3:write_bandwidth_kb: 1280.00
  • fedora-42-xfce_private_seq1m_q8t1_read 3:read_bandwidth_kb: 382134.00
  • fedora-42-xfce_private_seq1m_q8t1_write 3:write_bandwidth_kb: 255127.00
  • fedora-42-xfce_private_seq1m_q1t1_read 3:read_bandwidth_kb: 316981.00
  • fedora-42-xfce_private_seq1m_q1t1_write 3:write_bandwidth_kb: 62677.00
  • fedora-42-xfce_private_rnd4k_q32t1_read 3:read_bandwidth_kb: 44045.00
  • fedora-42-xfce_private_rnd4k_q32t1_write 3:write_bandwidth_kb: 2658.00
  • fedora-42-xfce_private_rnd4k_q1t1_read 3:read_bandwidth_kb: 8415.00
  • fedora-42-xfce_private_rnd4k_q1t1_write 3:write_bandwidth_kb: 784.00
  • fedora-42-xfce_volatile_seq1m_q8t1_read 3:read_bandwidth_kb: 416763.00
  • fedora-42-xfce_volatile_seq1m_q8t1_write 3:write_bandwidth_kb: 112648.00
  • fedora-42-xfce_volatile_seq1m_q1t1_read 3:read_bandwidth_kb: 319395.00
  • fedora-42-xfce_volatile_seq1m_q1t1_write 3:write_bandwidth_kb: 78328.00
  • fedora-42-xfce_volatile_rnd4k_q32t1_read 3:read_bandwidth_kb: 44282.00
  • fedora-42-xfce_volatile_rnd4k_q32t1_write 3:write_bandwidth_kb: 4307.00
  • fedora-42-xfce_volatile_rnd4k_q1t1_read 3:read_bandwidth_kb: 7956.00
  • fedora-42-xfce_volatile_rnd4k_q1t1_write 3:write_bandwidth_kb: 1667.00

This was referenced Jun 27, 2025
Merged
Merged
Draft
marmarek
marmarek requested changes Jun 27, 2025
View reviewed changes
gui-daemon/xside.c Outdated
return 1;
}
if (!evaluate_clipboard_policy(g)) {
show_message(g, "ERROR", "Pasting to this qube is denied by policies", NOTIFY_EXPIRES_DEFAULT);
Copy link
Member

@marmarek marmarek Jun 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It isn't necessarily about "pasting to this qube", it's also about from where the clipboard is. So, maybe include the source name in the message too?
Alternatively, make qrexec notify the user, as it's done for normal services. It's mostly about this line: https://github.com/QubesOS/qubes-core-qrexec/blob/main/qrexec/tools/qrexec_policy_exec.py#L405.
While theoretically enabling notifications for all "just_evaluate" (denied) calls is not a good idea, in practice that "just_evaluate" mode is currently used only for clipboard operations, so maybe it's still one-line change?

Copy link
Contributor Author

@alimirjamali alimirjamali Jun 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It isn't necessarily about "pasting to this qube", it's also about from where the clipboard is. So, maybe include the source name in the message too?

This is done

While theoretically enabling notifications for all "just_evaluate" (denied) calls is not a good idea, in practice that "just_evaluate" mode is currently used only for clipboard operations, so maybe it's still one-line change?

Maybe in future, it might be necessary to just_evaluate for other operations? So lets do not burn options?

@alimirjamali alimirjamali force-pushed the issue-9978-paste-deny branch from 486cf80 to 15d9ed0 Compare June 28, 2025 01:49
@alimirjamali alimirjamali requested a review from marmarek June 28, 2025 01:52
@alimirjamali
Copy link
Contributor Author

alimirjamali commented Jun 28, 2025
edited
Loading

@marmarek Something is confusing. I have:

qubes.ClipboardPaste * @anyvm untrusted deny

and it is still possible to paste clipboard from dom0 to untrusted. And I believe it is not related to this PR.

@marmarek
Copy link
Member

marmarek commented Jun 28, 2025

qubes.ClipboardPaste * @anyvm untrusted deny

@anyvm matches everything except dom0.

This was referenced Jul 3, 2025
Merged
Merged
Merged
@marmarek marmarek merged commit 15d4fd1 into QubesOS:main Jul 5, 2025
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@marmarek marmarek marmarek approved these changes

Assignees

No one assigned

Labels

openqa-pending

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Notify the user when an attempt to paste from the global clipboard is denied

3 participants

@alimirjamali @qubesos-bot @marmarek