Unable to mount external USB drives #23

Open
tortugaverde98 opened this issue Jun 18, 2018 · 7 comments

@tortugaverde98

From an appvm with a hardened template, unable to mount an external usb thumbdrive.
Nautilus/Files shows it is present, but once clicked on to mount, error pops up: Unable to access location, not authorized to perform action.

From Disks, the error is "Error mounting filesystem": Not authorized to perform operation (udisks-error-quark, 4).
I realize it's possible to mount it via a root xterm from dom0, but is there something that can be whitelisted or something to allow USBs to be mounted as normal?

@tasket
Owner

tasket commented Jun 18, 2018

@tortugaverde98 Is the thumbdrive encrypted? This advice may apply:

https://askubuntu.com/questions/399768/encrypted-disk-wont-unlock-anymore-not-authorized-to-perform-operation-udisks#751769

The udisksctl command could be a convenient workaround, but a possible solution may be hinted at in the answer mentioning polkit (polkit-gnome in this case).

@tortugaverde98
Author

It is not encrypted, and the filesystem is fat32. I have two identical templates (fedora 28), and the only difference between them is that one has been hardened and passwordless root removed, but all the other qubes agents reinstalled, including polkit.
The thumbdrive mounts fine in the non-hardened, but not in the hardened.

Something needs to be whitelisted so the hardening script allows it to mount.

@tortugaverde98
Author

Attempting to gather more specifics, I ran the command below with the resulting response. Are there any workarounds that don't involve running a dom0 root xterm?:

```
$ udisksctl mount -b /dev/xvdi1
==== AUTHENTICATING FOR org.freedesktop.udisks2.filesystem-mount-system ====
Authentication is required to mount /dev/xvdi1
Authenticating as: root
Password:
polkit-agent-helper-1: pam_authenticate failed: Authentication failure
==== AUTHENTICATION FAILED ====
Error mounting /dev/xvdi1: GDBus.Error:org.freedesktop.UDisks2.Error.NotAuthorized: Not authorized to perform operation
```

@tasket
Owner

tasket commented Jun 18, 2018

This looks like an upstream Qubes issue.

Without vm-boot-protect present I can reproduce the behavior by first following the Qubes vm-sudo doc. Same result if I remove the qubes-core-agent-passwordless-root package. Likewise, installing nautilus in a fedora-minimal template and trying to use it to mount disks should lead to the same auth failure because that template doesn't come with passwordless-root installed.

There may still be some mechanism by which nautilus can mount volumes in an auth-restricted VM. For instance if some setting or policy makes nautilus use sudo, then a VM configured for sudo prompts should trigger a dom0 auth prompt before successfully running mount. Also, this suid method might work.
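
Added example, not part of the thread and not code from this project or from Qubes: one mechanism of the kind discussed above is a polkit rule that grants only the action named in the `udisksctl` output, leaving every other privileged action behind the authentication prompt. It assumes a polkit build that reads JavaScript rules from `/etc/polkit-1/rules.d/`, an unprivileged account named `user`, and a hypothetical file name; it has not been tested in a hardened Qubes template.

```javascript
// Would be installed in the hardened template as, for example,
// /etc/polkit-1/rules.d/50-udisks-mount.rules (file name is hypothetical).

// Action id copied from the udisksctl output quoted in this thread.
var MOUNT_ACTION = "org.freedesktop.udisks2.filesystem-mount-system";
// Assumption: the unprivileged account in the AppVM is named "user".
var MOUNT_USER = "user";

// polkitd provides the global `polkit`. The stand-in below exists only so
// the same file can be loaded under Node to exercise the decision logic.
var pk = (typeof polkit !== "undefined") ? polkit : {
    Result: { YES: "yes", NOT_HANDLED: null },
    addRule: function (fn) { this.rules = (this.rules || []).concat(fn); }
};

function allowUsbMount(action, subject) {
    // Grant exactly one action to exactly one account.
    if (action.id === MOUNT_ACTION && subject.user === MOUNT_USER) {
        return pk.Result.YES;
    }
    // Everything else (other udisks2 actions, other users) falls through to
    // later rules and the action's defaults, so the password prompt stays.
    return pk.Result.NOT_HANDLED;
}

pk.addRule(allowUsbMount);
```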

@tasket
Owner

tasket commented Jun 18, 2018

@tortugaverde98
Author

To clarify, it is required to remove passwordless root on fedora templates, correct?

@tortugaverde98
Author

Attempting on a debian minimal template, with the same result. Any suggestions to get this going?
