Add deny-by-default rule for outbound qvm-rpc policies

Provides defense-in-depth and reduces attack surface, should an attacker gain code execution in a VM.
In the future, we should explicitly approve inter-vm rpc calls.

dom0/sd-dom0-qvm-rpc.sls

@@ -18,6 +18,7 @@ dom0-rpc-qubes.ClipboardPaste:
     - marker_end: "### END securedrop-workstation ###"
     - content: |
         @anyvm @tag:sd-workstation deny
+        @tag:sd-workstation @anyvm deny
 dom0-rpc-qubes.FeaturesRequest:
   file.blockreplace:
     - name: /etc/qubes-rpc/policy/qubes.FeaturesRequest
@@ -26,6 +27,7 @@ dom0-rpc-qubes.FeaturesRequest:
     - marker_end: "### END securedrop-workstation ###"
     - content: |
         @anyvm @tag:sd-workstation deny
+        @tag:sd-workstation @anyvm deny
 dom0-rpc-qubes.Filecopy:
   file.blockreplace:
     - name: /etc/qubes-rpc/policy/qubes.Filecopy
@@ -35,6 +37,7 @@ dom0-rpc-qubes.Filecopy:
     - content: |
         sd-proxy @tag:sd-client allow
         @anyvm @tag:sd-workstation deny
+        @tag:sd-workstation @anyvm deny
 dom0-rpc-qubes.OpenInVM:
   file.blockreplace:
     - name: /etc/qubes-rpc/policy/qubes.OpenInVM
@@ -45,6 +48,7 @@ dom0-rpc-qubes.OpenInVM:
         @tag:sd-client @dispvm:sd-svs-disp allow
         @tag:sd-client sd-export-usb allow
         @anyvm @tag:sd-workstation deny
+        @tag:sd-workstation @anyvm deny
 dom0-rpc-qubes.OpenURL:
   file.blockreplace:
     - name: /etc/qubes-rpc/policy/qubes.OpenURL
@@ -53,6 +57,7 @@ dom0-rpc-qubes.OpenURL:
     - marker_end: "### END securedrop-workstation ###"
     - content: |
         @anyvm @tag:sd-workstation deny
+        @tag:sd-workstation @anyvm deny
 dom0-rpc-qubes.PdfConvert:
   file.blockreplace:
     - name: /etc/qubes-rpc/policy/qubes.PdfConvert
@@ -61,6 +66,7 @@ dom0-rpc-qubes.PdfConvert:
     - marker_end: "### END securedrop-workstation ###"
     - content: |
         @anyvm @tag:sd-workstation deny
+        @tag:sd-workstation @anyvm deny
 dom0-rpc-qubes.StartApp:
   file.blockreplace:
     - name: /etc/qubes-rpc/policy/qubes.StartApp
@@ -69,6 +75,7 @@ dom0-rpc-qubes.StartApp:
     - marker_end: "### END securedrop-workstation ###"
     - content: |
         @anyvm @tag:sd-workstation deny
+        @tag:sd-workstation @anyvm deny
 dom0-rpc-qubes.USB:
   file.blockreplace:
     - name: /etc/qubes-rpc/policy/qubes.USB
@@ -77,6 +84,7 @@ dom0-rpc-qubes.USB:
     - marker_end: "### END securedrop-workstation ###"
     - content: |
         @anyvm @tag:sd-workstation deny
+        @tag:sd-workstation @anyvm deny
 dom0-rpc-qubes.VMRootShell:
   file.blockreplace:
     - name: /etc/qubes-rpc/policy/qubes.VMRootShell
@@ -85,6 +93,7 @@ dom0-rpc-qubes.VMRootShell:
     - marker_end: "### END securedrop-workstation ###"
     - content: |
         @anyvm @tag:sd-workstation deny
+        @tag:sd-workstation @anyvm deny
 dom0-rpc-qubes.VMshell:
   file.blockreplace:
     - name: /etc/qubes-rpc/policy/qubes.VMShell
@@ -93,6 +102,7 @@ dom0-rpc-qubes.VMshell:
     - marker_end: "### END securedrop-workstation ###"
     - content: |
         @anyvm @tag:sd-workstation deny
+        @tag:sd-workstation @anyvm deny
 dom0-rpc-qubes.Gpg:
   file.blockreplace:
     - name: /etc/qubes-rpc/policy/qubes.Gpg
@@ -102,6 +112,7 @@ dom0-rpc-qubes.Gpg:
     - content: |
         @tag:sd-client sd-gpg allow
         @anyvm @tag:sd-workstation deny
+        @tag:sd-workstation @anyvm deny
 dom0-rpc-qubes.GpgImportKey:
   file.blockreplace:
     - name: /etc/qubes-rpc/policy/qubes.GpgImportKey
@@ -111,3 +122,4 @@ dom0-rpc-qubes.GpgImportKey:
     - content: |
         @tag:sd-client sd-gpg allow
         @anyvm @tag:sd-workstation deny
+        @tag:sd-workstation @anyvm deny

tests/vars/qubes-rpc.yml

@@ -2,19 +2,22 @@
   starts_with: |-
     ### BEGIN securedrop-workstation ###
     @anyvm @tag:sd-workstation deny
+    @tag:sd-workstation @anyvm deny
     ### END securedrop-workstation ###
 
 - policy: FeaturesRequest
   starts_with: |-
     ### BEGIN securedrop-workstation ###
     @anyvm @tag:sd-workstation deny
+    @tag:sd-workstation @anyvm deny
     ### END securedrop-workstation ###
 
 - policy: Filecopy
   starts_with: |-
     ### BEGIN securedrop-workstation ###
     sd-proxy @tag:sd-client allow
     @anyvm @tag:sd-workstation deny
+    @tag:sd-workstation @anyvm deny
     ### END securedrop-workstation ###
 
 - policy: GetDate
@@ -51,13 +54,15 @@
     ### BEGIN securedrop-workstation ###
     @tag:sd-client sd-gpg allow
     @anyvm @tag:sd-workstation deny
+    @tag:sd-workstation @anyvm deny
     ### END securedrop-workstation ###
 
 - policy: GpgImportKey
   starts_with: |-
     ### BEGIN securedrop-workstation ###
     @tag:sd-client sd-gpg allow
     @anyvm @tag:sd-workstation deny
+    @tag:sd-workstation @anyvm deny
     ### END securedrop-workstation ###
 
 - policy: InputKeyboard
@@ -93,18 +98,21 @@
     @tag:sd-client @dispvm:sd-svs-disp allow
     @tag:sd-client sd-export-usb allow
     @anyvm @tag:sd-workstation deny
+    @tag:sd-workstation @anyvm deny
     ### END securedrop-workstation ###
 
 - policy: OpenURL
   starts_with: |-
     ### BEGIN securedrop-workstation ###
     @anyvm @tag:sd-workstation deny
+    @tag:sd-workstation @anyvm deny
     ### END securedrop-workstation ###
 
 - policy: PdfConvert
   starts_with: |-
     ### BEGIN securedrop-workstation ###
     @anyvm @tag:sd-workstation deny
+    @tag:sd-workstation @anyvm deny
     ### END securedrop-workstation ###
 
 - policy: ReceiveUpdates
@@ -120,6 +128,7 @@
   starts_with: |-
     ### BEGIN securedrop-workstation ###
     @anyvm @tag:sd-workstation deny
+    @tag:sd-workstation @anyvm deny
     ### END securedrop-workstation ###
 
 - policy: SyncAppMenus
@@ -156,18 +165,21 @@
   starts_with: |-
     ### BEGIN securedrop-workstation ###
     @anyvm @tag:sd-workstation deny
+    @tag:sd-workstation @anyvm deny
     ### END securedrop-workstation ###
 
 - policy: VMRootShell
   starts_with: |-
     ### BEGIN securedrop-workstation ###
     @anyvm @tag:sd-workstation deny
+    @tag:sd-workstation @anyvm deny
     ### END securedrop-workstation ###
 
 - policy: VMShell
   starts_with: |-
     ### BEGIN securedrop-workstation ###
     @anyvm @tag:sd-workstation deny
+    @tag:sd-workstation @anyvm deny
     ### END securedrop-workstation ###
 
 - policy: WindowIconUpdater