Optionally log API calls made by dom0

ben-grande · ben-grande · commit 5c27f42b36bc · 2026-02-26T17:53:20.000+01:00
Developers normally edit the code to log the calls or use a management domain such as a GUIVM to see logged calls. Add a command-line option and environment variable to enable logging dom0 calls also. Fixes: QubesOS/qubes-issues#10689
diff --git a/qubes/api/__init__.py b/qubes/api/__init__.py
@@ -322,14 +322,17 @@ class QubesDaemonProtocol(asyncio.Protocol):
     buffer_size = 65536
     header = struct.Struct("Bx")
 
-    def __init__(self, handler, *args, app, debug=False, **kwargs):
+    def __init__(
+        self, handler, *args, app, debug=False, log_dom0_call=False, **kwargs
+    ):
         super().__init__(*args, **kwargs)
         self.handler = handler
         self.app = app
         self.untrusted_buffer = io.BytesIO()
         self.len_untrusted_buffer = 0
         self.transport = None
         self.debug = debug
+        self.log_dom0_call = log_dom0_call
         self.event_sent = False
         self.mgmt = None
 
@@ -388,6 +391,18 @@ def eof_received(self):
         return True
 
     async def respond(self, src, meth, dest, arg, *, untrusted_payload):
+        if self.log_dom0_call:
+            call_fmt = (
+                "received call %r+%r (%r → %r) with payload of %d bytes"
+            )
+            self.app.log.debug(
+                call_fmt,
+                meth,
+                arg,
+                src,
+                dest,
+                len(untrusted_payload),
+            )
         exc_fmt = (
             "failed call %r+%r (%r → %r) with payload of %d bytes due to %r"
         )
diff --git a/qubes/tools/qubesd.py b/qubes/tools/qubesd.py
@@ -38,6 +38,12 @@ def sighandler(loop, signame, servers, app):
     help="Enable verbose error logging (all exceptions with full "
     "tracebacks) and also send tracebacks to Admin API clients",
 )
+parser.add_argument(
+    "--log-dom0-call",
+    action="store_true",
+    default=False,
+    help="Enable logging API calls made by dom0",
+)
 
 
 def main(args=None):
@@ -64,6 +70,8 @@ def main(args=None):
             qubes.api.misc.QubesMiscAPI,
             app=args.app,
             debug=args.debug,
+            log_dom0_call=args.log_dom0_call
+            or os.environ.get("QUBES_LOG_DOM0_CALL"),
         )
     )
 

Original file line number	Diff line number	Diff line change
`@@ -38,6 +38,12 @@ def sighandler(loop, signame, servers, app):`
`38`	`38`	`help="Enable verbose error logging (all exceptions with full "`
`39`	`39`	`"tracebacks) and also send tracebacks to Admin API clients",`
`40`	`40`	`)`
	`41`	`+parser.add_argument(`
	`42`	`+ "--log-dom0-call",`
	`43`	`+ action="store_true",`
	`44`	`+ default=False,`
	`45`	`+ help="Enable logging API calls made by dom0",`
	`46`	`+)`
`41`	`47`
`42`	`48`
`43`	`49`	`def main(args=None):`
`@@ -64,6 +70,8 @@ def main(args=None):`
`64`	`70`	`qubes.api.misc.QubesMiscAPI,`
`65`	`71`	`app=args.app,`
`66`	`72`	`debug=args.debug,`
	`73`	`+ log_dom0_call=args.log_dom0_call`
	`74`	`+ or os.environ.get("QUBES_LOG_DOM0_CALL"),`
`67`	`75`	`)`
`68`	`76`	`)`
`69`	`77`