Implemented BackupStorageVM. Closes #3

Author: Vít Šesták

README.md

@@ -1,6 +1,6 @@
 ## Status
 
-**Parts of implementation are missing. See the [“MVP” milestone](https://github.com/v6ak/qubes-incremental-backup-poc/issues?q=is%3Aopen+is%3Aissue+milestone%3AMVP) for details. Proof of concept. Backup format details will likely change.**
+**Proof of concept. Backup format details will likely change.**
 
 ## Goals
 
@@ -130,13 +130,15 @@ TODO
 ## Limitations
 
 * DVM template is somehow trusted.
+* Works with some (most?) Duplicity backends. It requires allowing directory-like URLs.
 * We assume that DVM template has drivers for all filesystems we need to backup
 * VM config backup is missing. User needs to backup `~/.v6-qubes-backup-poc/master` in order to be able to restore the backup.
 * The implementation assumes that attacker cannot read parameters of running applications (e.g., via /proc). This is justifiable in Qubes security model, especially in dom0, but it is not very nice.
 * VMs are identified by name. If you destroy a VM and create a VM of the same name then, it will use the same keys and it might have some security implications.
 * We strongly assume that attacker does not have any access to dom0. More specificaly, attacker cannot obtain a RAM snapshot of dom0 and attacker cannot list running applications of dom0 (e.g., via /proc). While those assumptions are standard in Qubes security model, failing to satisfy them can cause the backup security to break hardly. No serious attempt has been made to reduce number of copies of sensitive cryptographic material in RAM.
 * It assumes that we use locale utf-8. When one switches locale, it can cause issues, mostly with password. If you use another encoding, you might get troubles, especially if your password contains some characters that are represented differently in your encoding than in utf-8.
 * It assumes that user does not run the script multiple times in parallel. Various race conditions (cloned images, config files) could happen there.
+* https://github.com/v6ak/qubes-incremental-backup-poc/labels/limitation
 * (Probably incomplete)
 
 ## Human aspects for password

backup.py

@@ -16,6 +16,7 @@
 import os
 import sys
 import shutil
+import shlex
 import collections
 import argparse
 from backupsession import MasterBackupSession
@@ -77,23 +78,24 @@ def main():
 	session = create_session_gui(config, args.passphrase)
 	if session is None: return 1 # aborted
 	vm_keys = session.vm_keys(vm)
-
+	backup_backend = config.get_backup_backend()
 	volume_clone = Vm(vm).private_volume().clone("v6-qubes-backup-poc-cloned")
 	try:
+		backup_storage_vm = VmInstance(config.get_backup_storage_vm_name())
 		dvm = DvmInstance.create()
 		try:
 			dvm.attach("xvdz", volume_clone)  # --ro: 1. is not needed since it is a clone, 2. blocks repair procedures when mounting
 			try:
 				dvm.check_output("sudo mkdir /mnt/clone")
 				dvm.check_output("sudo mount /dev/xvdz /mnt/clone") # TODO: consider -o nosuid,noexec – see issue #16
 				try:
-					with open(os.path.dirname(os.path.realpath(__file__))+"/vm-backup-agent", "rb") as inp:
-						dvm.check_output("cat > /tmp/backup-agent", stdin = inp)
-					dvm.check_output("chmod +x /tmp/backup-agent")
-					with subprocess.Popen(dvm.create_command("/tmp/backup-agent "+vm_keys.encrypted_name), stdin = subprocess.PIPE) as proc:
-						proc.stdin.write(vm_keys.key)
-						proc.stdin.close()
-						assert(proc.wait() == 0) # uarrgh, implemented by busy loop
+					backup_backend.upload_agent(dvm)
+					with backup_backend.add_permissions(backup_storage_vm, dvm, vm_keys.encrypted_name):
+						# run the agent
+						with subprocess.Popen(dvm.create_command("/tmp/backup-agent "+shlex.quote(backup_storage_vm.get_name())+" "+shlex.quote(vm_keys.encrypted_name)), stdin = subprocess.PIPE) as proc:
+							proc.stdin.write(vm_keys.key)
+							proc.stdin.close()
+							assert(proc.wait() == 0) # uarrgh, implemented by busy loop
 					# TODO: also copy ~/.v6-qubes-backup-poc/master to the backup in order to make it recoverable without additional data (except password). See issue #12.
 				finally: dvm.check_output("sudo umount /mnt/clone")
 			finally: dvm.detach_all()

backupbackends/duplicity-vm-files/backup-storage-agent/v6-qubes-backup-poc.py

@@ -0,0 +1,91 @@
+#!/usr/bin/python2 -u
+# -*- coding=utf-8 -*-
+# In python 2, we cannot be so generic to use /usr/bin/env. If we were, we could not pass the -u parameter.
+
+import sys
+import os
+from os import close
+import subprocess
+import base64
+import time
+import duplicity.backend
+import duplicity.log
+import duplicity.path
+from common import Commands, StatusCodes, read_until_zero, read_safe_filename
+from tempfile import NamedTemporaryFile
+from shutil import copyfileobj
+
+def action_list(backend, inp, out):
+	result = backend.list()
+	out.write(StatusCodes.OK)
+	for i in result:
+		assert(i.find(b'\0') == -1)
+		out.write(i.encode('ascii'))
+		out.write(b'\0')
+
+def action_put(backend, inp, out):
+	filename = read_safe_filename(inp)
+	tmp = NamedTemporaryFile(delete = False)
+	try:
+		try:
+			copyfileobj(inp, tmp.file)
+		finally:
+			tmp.file.close()
+		backend.put(duplicity.path.Path(tmp.name), filename)
+		out.write(StatusCodes.OK)
+	finally:
+		os.remove(tmp.name)
+
+def action_get(backend, inp, out):
+	filename = read_safe_filename(inp)
+	tmp = NamedTemporaryFile(delete = False)
+	try:
+		tmp.file.close()
+		backend.get(filename, duplicity.path.Path(tmp.name))
+		with open(tmp.name, "rb") as f:
+			out.write(StatusCodes.OK)
+			copyfileobj(f, out)
+	finally:
+		os.remove(tmp.name)
+
+def action_delete(inp):
+	raise Exception("Not implemented")
+
+def main():
+	with open("/tmp/backup-log-"+str(time.time()), "w+") as logfile:
+		def error(s, additional_data = None):
+			logfile.write(s+str(additional_data))
+			print(StatusCodes.ERROR + s)
+			exit(1)
+		inp = sys.stdin# For Python 3: .buffer
+		out = sys.stdout# For Python 3: .buffer
+		remote = os.environ['QREXEC_REMOTE_DOMAIN']
+		action_letter = inp.read(1)
+		actions = {
+			Commands.LIST: action_list,
+			Commands.PUT: action_put,
+			Commands.DELETE: action_delete,
+			Commands.GET: action_get
+		}
+		duplicity.log._logger = duplicity.log.DupLogger("some logger")
+		duplicity.backend.import_backends()
+		with open("/rw/config/v6-qubes-backup-poc-duplicity-path", "r") as f:
+			path_prefix = f.read().rstrip("\n")
+		# The file-based auth was chosen in order to preserve state across processes. Yes, we could use IPC, but this would be probably more complex.
+		with open("/var/run/v6-qubes-backup-poc-permissions/"+base64.b64encode(remote.encode("ascii")).decode("ascii"), "rb") as f:
+			allowed_path = f.read()
+		requested_path = read_until_zero(inp)
+		if allowed_path != requested_path:
+			error("bad path: " + str(allowed_path) + " vs " + str(requested_path))
+		else:
+			backend_url = path_prefix+"/"+requested_path
+			backend = duplicity.backend.get_backend(backend_url)
+			if backend is None:
+				error("Don't know backend for the URL", backend_url)
+			act = actions.get(action_letter)
+			if act is None:
+				error("bad command")
+			act(backend, inp, out)
+
+if __name__ == "__main__":
+	main()

backupbackends/duplicity-vm-files/common.py

@@ -0,0 +1,57 @@
+# python2
+
+# Common file for both parts of the inter-VM backup protocol
+
+class Commands:
+	LIST = b'L'
+	PUT = b'P'
+	GET = b'G'
+	DELETE = b'D'
+
+class StatusCodes:
+	OK = b'O'
+	ERROR = b'E'
+
+def sanitize_filename(filename):
+	dot_allowed = True
+	for c in filename:
+		if (c == '.') and dot_allowed:
+			dot_allowed = False
+			continue
+		dot_allowed = True # Will not read untill next iteration, so we can change it now. TODO: make the flow more clear
+		if (c >= 'a') and (c <= 'z'): continue
+		if (c >= 'A') and (c <= 'Z'): continue
+		if (c >= '0') and (c <= '9'): continue
+		if (c == '-') or (c == '_'): continue
+		raise Exception("Unexpected character: "+str(ord(c)))
+	return filename
+
+def read_until_zero(inp, maxlen = None):
+	# The bytearray wrap is needed in Python2; Without this, it behaves cucumbersome: It converts inp to string. In Python 3, this hack should not be needed.
+	return bytes(bytearray(_read_until_zero_intgen(inp, maxlen)))
+
+def _read_until_zero_intgen(inp, maxlen = None):
+	n = 0
+	while True:
+		n += 1
+		if (maxlen is not None) and (n > maxlen):
+			raise Exception("Reading data longer than "+str(maxlen))
+		chunk = inp.read(1)
+		if len(chunk) == 1:
+			if chunk == b'\0':
+				break
+			else:
+				yield chunk[0] # contains int
+		elif len(chunk) == 0:
+			raise Exception("Reached EOF after reading "+str(n)+" bytes witout seeing any zero byte!")
+		else:
+			assert(False)
+
+def read_safe_filename(inp):
+	return sanitize_filename(read_until_zero(inp, 255))
+
+def write_zero_terminated_ascii(f, bs):
+	assert(bs.find(b'\0') == -1)
+	f.write(bs.encode("ascii"))
+	f.write(b'\0')
+

backupbackends/duplicity-vm-files/qubesintervmbackend.py

@@ -0,0 +1,104 @@
+# python2 module
+import re
+import duplicity.backend
+import duplicity.urlparse_2_5 as urlparser
+import subprocess
+from duplicity.backends.qubesintervmbackendprivate.common import Commands, StatusCodes, write_zero_terminated_ascii, sanitize_filename
+from os.path import basename
+from shutil import copyfileobj
+
+
+class QubesInterVmBackend(duplicity.backend.Backend):
+	def __init__(self, parsed_url):
+		duplicity.backend.Backend.__init__(self, parsed_url)
+		print(parsed_url.path)
+		pat = re.compile("^/+([^/]+)/([^/]+)$")
+		parts = pat.match(parsed_url.path)
+		self.vm = parts.group(1)
+		self.path = parts.group(2)
+
+	def _call_command(self, command_letter):
+		return _QubesInterVmBackendChannel(command_letter, self.path, self.vm);
+
+	def _check_for_error_message(self, inp):
+		response = inp.read(1)
+		if response == StatusCodes.ERROR:
+			raise Exception("Error messge from the other end: "+inp.read(1024).decode('ascii'))
+		elif response == StatusCodes.OK:
+			print("got OK code")
+			return inp # OK
+		elif len(response) == 0:
+			raise Exception("Unexpected empty response")
+		else:
+			raise Exception("Unexpected response code: "+str(ord(response)))
+
+	def _read_all(self, proc):
+		return self._check_for_error_message(proc.stdout).read()
+
+	# Methods required for Duplicity:
+	def _list(self):
+		with self._call_command(Commands.LIST) as proc:
+			return map(sanitize_filename, self._read_all(proc).decode('ascii').split('\0'))
+
+	def put(self, source_path, remote_filename = None):
+		name = remote_filename or source_path.get_filename()
+		with source_path.open("rb") as f, self._call_command(Commands.PUT) as proc:
+			write_zero_terminated_ascii(proc.stdin, name)
+			copyfileobj(f, proc.stdin)
+			proc.stdin.close() # let the peer know we are finished. TODO: close automatically in _call_command?
+			self._check_for_error_message(proc.stdout)
+	
+	def get(self, remote_filename, local_path):
+		with local_path.open("w") as f, self._call_command(Commands.GET) as proc:
+			write_zero_terminated_ascii(proc.stdin, remote_filename)
+			proc.stdin.close()
+			self._check_for_error_message(proc.stdout)
+			copyfileobj(proc.stdout, f)
+
+	# TODO:
+	# def delete(self, filename_list) <-- not needed yet
+
+
+class _QubesInterVmBackendChannel:
+	def __init__(self, command_letter, path, vm):
+		self.command_letter = command_letter
+		self.path = path
+		self.vm = vm
+		self.initialized = False
+	def __enter__(self):
+		self.proc = subprocess.Popen([
+			"/usr/lib/qubes/qrexec-client-vm",
+			self.vm,
+			"v6ak.QubesInterVmBackupStorage"
+		], stdin = subprocess.PIPE, stdout = subprocess.PIPE)# , stderr = subprocess.PIPE
+		try:
+			self.proc.stdin.write(self.command_letter)
+			write_zero_terminated_ascii(self.proc.stdin, self.path)
+		except:
+			self.__exit__(*sys.exc_info())
+			raise
+		self.initialized = True
+		return self.proc
+	def __exit__(self, type, value, traceback):
+		def close(f):
+			if f is not None:
+				f.close()
+		def check_empty(f):
+			if f is None: return
+			res = f.read(1)
+			if len(res) <> 0:
+				raise Exception("Unexpected byte "+str(ord(res)))
+		try:
+			if self.initialized and (type is None): # Do not perform sanity checks when an exception is thrown, as they would likely fail and hide the root of cause
+				# Assert that nothing remains
+				check_empty(self.proc.stdout)
+				check_empty(self.proc.stderr)
+		finally:
+			close(self.proc.stdin)
+			close(self.proc.stderr)
+			close(self.proc.stdout)
+			return_code = self.proc.wait()
+		if return_code <> 0:
+			raise Exception("process did not finish with success: "+str(return_code))
+
+duplicity.backend.register_backend('qubesintervm', QubesInterVmBackend)

vm-backup-agent backupbackends/duplicity-vm-files/vm-backup-agent

@@ -14,7 +14,7 @@ mkdir /tmp/backup-wapor/
 
 PASSPHRASE="$(cat | base64)" # We'll use the key as password, because it seems to be the easiest way in Duplicity.
 [ "$(wc -c <<< $PASSPHRASE)" -ge 45 ] # Check the password/key has not been truncated. Key should be 32B, when base64'd and appended \n, it should be 45B.
-BUP_LOCATION="file:///tmp/backup-wapor/$1" # TODO: select proper backup location
+BUP_LOCATION="qubesintervm://$1/$2"
 BUP_SOURCE="/mnt/clone"
 
 # Inspired by https://gist.github.com/bdsatish/5650178

backupbackends/duplicity.py

@@ -0,0 +1,49 @@
+# python3
+import os
+import subprocess
+import shlex
+import base64
+
+# If you want to implement another backend, you can, but maybe you should wait a while until the API becomes more stable.
+# TODO: document interface
+class DuplicityBackupBackend:
+	base_path = os.path.dirname(os.path.realpath(__file__))+"/duplicity-vm-files/"
+	def upload_agent(self, vm):
+		with open(self.base_path+"vm-backup-agent", "rb") as inp:
+			vm.check_output("cat > /tmp/backup-agent", stdin = inp)
+		vm.check_output("chmod +x /tmp/backup-agent")
+		with open(self.base_path+"qubesintervmbackend.py", "rb") as inp:
+			vm.check_output("sudo tee /usr/lib/python2.7/dist-packages/duplicity/backends/qubesintervmbackend.py", stdin = inp)
+		with open(self.base_path+"common.py", "rb") as inp:
+			vm.check_output("sudo mkdir /usr/lib/python2.7/dist-packages/duplicity/backends/qubesintervmbackendprivate")
+			vm.check_output("sudo touch /usr/lib/python2.7/dist-packages/duplicity/backends/qubesintervmbackendprivate/__init__.py")
+			vm.check_output("sudo tee /usr/lib/python2.7/dist-packages/duplicity/backends/qubesintervmbackendprivate/common.py", stdin = inp)
+
+	def install_dom0(self, vm):
+		subprocess.check_call("echo "+shlex.quote("$anyvm  "+vm.get_name()+" allow")+" | sudo tee /etc/qubes-rpc/policy/v6ak.QubesInterVmBackupStorage", shell=True, stdout=subprocess.DEVNULL)
+
+	def install_backup_storage_vm(self, vm):
+		# TODO: make it persistent across reboots
+		vm.check_output("sudo mkdir -p /usr/local/share/v6-qubes-backup-poc/")
+		vm.check_output("echo /usr/local/share/v6-qubes-backup-poc/v6-qubes-backup-poc.py | sudo tee /etc/qubes-rpc/v6ak.QubesInterVmBackupStorage")
+		with open(self.base_path+"backup-storage-agent/v6-qubes-backup-poc.py") as inp:
+			vm.check_output("sudo tee /usr/local/share/v6-qubes-backup-poc/v6-qubes-backup-poc.py && sudo chmod +x /usr/local/share/v6-qubes-backup-poc/v6-qubes-backup-poc.py", stdin = inp)
+		with open(self.base_path+"common.py") as inp:
+			# FIXME: Don't be so aggressive!
+			vm.check_output("sudo tee /usr/local/share/v6-qubes-backup-poc/common.py", stdin = inp)
+
+	def add_permissions(self, backup_storage_vm, dvm, encrypted_name):
+		permission_file = "/var/run/v6-qubes-backup-poc-permissions/"+base64.b64encode(dvm.get_name().encode("ascii")).decode("ascii")
+		return _DuplicityPermissionsContext(backup_storage_vm, encrypted_name, permission_file)
+
+class _DuplicityPermissionsContext:
+	def __init__(self, backup_storage_vm, encrypted_name, permission_file):
+		self.permission_file = permission_file
+		self.backup_storage_vm = backup_storage_vm
+		self.encrypted_name = encrypted_name
+	def __enter__(self):
+		self.backup_storage_vm.check_output("sudo mkdir -p /var/run/v6-qubes-backup-poc-permissions")
+		self.backup_storage_vm.check_output("echo -n "+shlex.quote(self.encrypted_name)+" | sudo tee "+shlex.quote(self.permission_file)+".ip")
+		self.backup_storage_vm.check_output("sudo mv "+shlex.quote(self.permission_file)+".ip "+shlex.quote(self.permission_file)) # This way prevents race condition. I know, this is not the best approach for duraility, but that's not what we need. (Especially if those files don't survive reboot.)
+	def __exit__(self, type, value, traceback):
+		self.backup_storage_vm.check_output("sudo rm "+shlex.quote(self.permission_file)) # remove permissions (not strictly needed for security, just hygiene)