Automatically generate policy files for Admin API #2871

Closed
marmarek opened this Issue Jun 26, 2017 · 1 comment

@marmarek
Member

marmarek commented Jun 26, 2017

Annotate Admin API methods with a scope (local, global) and operation type (read, write, execute), then generate policy files which include a common policy file named after those annotations.
For example /etc/qubes-rpc/policy/include/admin-local-rwx. This is an improved approach over including one common /etc/qubes-rpc/policy/include/admin-all file.
More details in an upcoming blog post.

cc @rootkovska

@marmarek marmarek added this to the Release 4.0 milestone Jun 26, 2017

@marmarek marmarek self-assigned this Jun 26, 2017

marmarek added a commit to marmarek/qubes-core-admin that referenced this issue Jun 27, 2017

qubes/api/admin: annotate API methods
Second attempt: this time use full words for scope, read, write,
execute.

QubesOS/qubes-issues#2871

marmarek added a commit to marmarek/qubes-core-admin that referenced this issue Jun 27, 2017

Generate policy for Admin API calls based on annotations on actual methods

This eases Admin API administration, and also adds checking if qrexec
policy + scripts match the actual Admin API methods implementation.
The idea is to classify every Admin API method as either local
read-only, local read-write, global read-only or global read-write,
where local/global means affecting a single VM, or the whole system.

See QubesOS/qubes-issues#2871 for details.

Fixes QubesOS/qubes-issues#2871
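
The approach from the issue text and the commit message above, as an added sketch that is not code from qubes-core-admin: a decorator records scope and operation type, a generator emits one include line per method, and a check compares installed policy file names against the annotated methods. The names `api_method`, `generate_policy` and `check_policy`, the `admin-*-ro` file names, the `$include:` line format and the sample classifications are assumptions; only `admin-local-rwx` and the include directory appear on this page.

```python
INCLUDE_DIR = "/etc/qubes-rpc/policy/include"  # directory named in the issue
REGISTRY = {}  # method name -> (scope, frozenset of operation types)


def api_method(name, scope, read=False, write=False, execute=False):
    """Hypothetical decorator recording scope and operation type."""
    if scope not in ("local", "global"):
        raise ValueError(f"{name}: scope must be 'local' or 'global'")
    ops = {k for k, v in (("read", read), ("write", write), ("execute", execute)) if v}
    if not ops:
        raise ValueError(f"{name}: annotate at least one operation type")

    def decorator(func):
        REGISTRY[name] = (scope, frozenset(ops))
        return func
    return decorator


def include_path(scope, ops):
    """Read-only methods get the narrow include; anything else gets rwx."""
    suffix = "ro" if ops == {"read"} else "rwx"  # 'ro' file name is assumed
    return f"{INCLUDE_DIR}/admin-{scope}-{suffix}"


def generate_policy():
    """Return {method name: policy file body}, one include line each."""
    return {name: f"$include:{include_path(scope, ops)}\n"
            for name, (scope, ops) in sorted(REGISTRY.items())}


def check_policy(installed):
    """Return (methods lacking a policy file, policy files lacking a method)."""
    expected, installed = set(REGISTRY), set(installed)
    return sorted(expected - installed), sorted(installed - expected)


# Constructed sample methods; the classifications are for illustration only.
@api_method("admin.vm.List", scope="global", read=True)
def vm_list(): ...

@api_method("admin.vm.property.Get", scope="local", read=True)
def vm_property_get(): ...

@api_method("admin.vm.property.Set", scope="local", write=True)
def vm_property_set(): ...

@api_method("admin.vm.Start", scope="local", execute=True)
def vm_start(): ...
```

Because every generated file only includes a shared per-class file, granting a management VM read-only access means editing the `ro` includes alone, and `check_policy` flags any method that was added without a matching policy file.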

@marmarek marmarek referenced this issue in QubesOS/qubes-core-admin Jun 27, 2017

Merged

Policy related changes for Qubes 4.0 #121

qubesos-bot Jul 4, 2017

Automated announcement from builder-github

The package qubes-core-dom0-4.0.1-1.fc25 has been pushed to the r4.0 testing repository for dom0.
To test this update, please install it with the following command:

sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing

Changes included in this update

@qubesos-bot qubesos-bot referenced this issue in QubesOS/updates-status Jul 4, 2017

Closed

core-admin v4.0.1 (r4.0) #100
