diff --git a/dom0/sd-dom0-qvm-rpc.sls b/dom0/sd-dom0-qvm-rpc.sls
index 67c8fe08..054900d0 100644
--- a/dom0/sd-dom0-qvm-rpc.sls
+++ b/dom0/sd-dom0-qvm-rpc.sls
@@ -18,6 +18,7 @@ dom0-rpc-qubes.ClipboardPaste:
 - marker_end: "### END securedrop-workstation ###"
 - content: |
 @anyvm @tag:sd-workstation deny
+ @tag:sd-workstation @anyvm deny
 dom0-rpc-qubes.FeaturesRequest:
 file.blockreplace:
 - name: /etc/qubes-rpc/policy/qubes.FeaturesRequest
@@ -26,6 +27,7 @@ dom0-rpc-qubes.FeaturesRequest:
 - marker_end: "### END securedrop-workstation ###"
 - content: |
 @anyvm @tag:sd-workstation deny
+ @tag:sd-workstation @anyvm deny
 dom0-rpc-qubes.Filecopy:
 file.blockreplace:
 - name: /etc/qubes-rpc/policy/qubes.Filecopy
@@ -35,6 +37,7 @@ dom0-rpc-qubes.Filecopy:
 - content: |
 sd-proxy @tag:sd-client allow
 @anyvm @tag:sd-workstation deny
+ @tag:sd-workstation @anyvm deny
 dom0-rpc-qubes.OpenInVM:
 file.blockreplace:
 - name: /etc/qubes-rpc/policy/qubes.OpenInVM
@@ -45,6 +48,7 @@ dom0-rpc-qubes.OpenInVM:
 @tag:sd-client @dispvm:sd-svs-disp allow
 @tag:sd-client sd-export-usb allow
 @anyvm @tag:sd-workstation deny
+ @tag:sd-workstation @anyvm deny
 dom0-rpc-qubes.OpenURL:
 file.blockreplace:
 - name: /etc/qubes-rpc/policy/qubes.OpenURL
@@ -53,6 +57,7 @@ dom0-rpc-qubes.OpenURL:
 - marker_end: "### END securedrop-workstation ###"
 - content: |
 @anyvm @tag:sd-workstation deny
+ @tag:sd-workstation @anyvm deny
 dom0-rpc-qubes.PdfConvert:
 file.blockreplace:
 - name: /etc/qubes-rpc/policy/qubes.PdfConvert
@@ -61,6 +66,7 @@ dom0-rpc-qubes.PdfConvert:
 - marker_end: "### END securedrop-workstation ###"
 - content: |
 @anyvm @tag:sd-workstation deny
+ @tag:sd-workstation @anyvm deny
 dom0-rpc-qubes.StartApp:
 file.blockreplace:
 - name: /etc/qubes-rpc/policy/qubes.StartApp
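Review bot: The added `@tag:sd-workstation @anyvm deny` line in the ClipboardPaste block does not cover calls whose target is dom0, because in Qubes 4.x policy syntax `@anyvm` matches any qube except the admin VM (`@adminvm`). If the intent is that an sd-workstation-tagged qube can reach nothing beyond the explicit allow lines, a second line `@tag:sd-workstation @adminvm deny` would close that case for this service. Otherwise a short comment saying dom0 targets are deliberately left to the stock policy would help the next reader. The same applies to the identical line added in every other hunk of dom0/sd-dom0-qvm-rpc.sls, and the fixtures in tests/vars/qubes-rpc.yml would need the matching line.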
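Review bot: In the qubes.Filecopy block the new catch-all sits directly under `sd-proxy @tag:sd-client allow`, and that allow keeps working only because qrexec policy is evaluated top to bottom with the first matching line deciding (assuming sd-proxy carries the sd-workstation tag, which the diff does not show). Nothing in the state file records that ordering constraint, so a later allow rule appended below the two deny lines would silently never match. A Salt comment above `- content: |` such as `# first match wins: keep allow rules above the two sd-workstation deny lines` would document it. The OpenInVM, Gpg and GpgImportKey hunks have the same shape.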
@@ -69,6 +75,7 @@ dom0-rpc-qubes.StartApp:
 - marker_end: "### END securedrop-workstation ###"
 - content: |
 @anyvm @tag:sd-workstation deny
+ @tag:sd-workstation @anyvm deny
 dom0-rpc-qubes.USB:
 file.blockreplace:
 - name: /etc/qubes-rpc/policy/qubes.USB
@@ -77,6 +84,7 @@ dom0-rpc-qubes.USB:
 - marker_end: "### END securedrop-workstation ###"
 - content: |
 @anyvm @tag:sd-workstation deny
+ @tag:sd-workstation @anyvm deny
 dom0-rpc-qubes.VMRootShell:
 file.blockreplace:
 - name: /etc/qubes-rpc/policy/qubes.VMRootShell
@@ -85,6 +93,7 @@ dom0-rpc-qubes.VMRootShell:
 - marker_end: "### END securedrop-workstation ###"
 - content: |
 @anyvm @tag:sd-workstation deny
+ @tag:sd-workstation @anyvm deny
 dom0-rpc-qubes.VMshell:
 file.blockreplace:
 - name: /etc/qubes-rpc/policy/qubes.VMShell
@@ -93,6 +102,7 @@ dom0-rpc-qubes.VMshell:
 - marker_end: "### END securedrop-workstation ###"
 - content: |
 @anyvm @tag:sd-workstation deny
+ @tag:sd-workstation @anyvm deny
 dom0-rpc-qubes.Gpg:
 file.blockreplace:
 - name: /etc/qubes-rpc/policy/qubes.Gpg
@@ -102,6 +112,7 @@ dom0-rpc-qubes.Gpg:
 - content: |
 @tag:sd-client sd-gpg allow
 @anyvm @tag:sd-workstation deny
+ @tag:sd-workstation @anyvm deny
 dom0-rpc-qubes.GpgImportKey:
 file.blockreplace:
 - name: /etc/qubes-rpc/policy/qubes.GpgImportKey
@@ -111,3 +122,4 @@ dom0-rpc-qubes.GpgImportKey:
 - content: |
 @tag:sd-client sd-gpg allow
 @anyvm @tag:sd-workstation deny
+ @tag:sd-workstation @anyvm deny
diff --git a/tests/vars/qubes-rpc.yml b/tests/vars/qubes-rpc.yml
index 6b7f7c4f..fd56a358 100644
--- a/tests/vars/qubes-rpc.yml
+++ b/tests/vars/qubes-rpc.yml
@@ -2,12 +2,14 @@
 starts_with: |-
 ### BEGIN securedrop-workstation ###
 @anyvm @tag:sd-workstation deny
+ @tag:sd-workstation @anyvm deny
 ### END securedrop-workstation ###
 - policy: FeaturesRequest
 starts_with: |-
 ### BEGIN securedrop-workstation ###
 @anyvm @tag:sd-workstation deny
+ @tag:sd-workstation @anyvm deny
 ### END securedrop-workstation ###
 - policy: Filecopy
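Review bot: The source-side deny is added one service at a time, so after the GpgImportKey hunk it protects only the twelve policies this state file manages; a qrexec service without its own block here is untouched. The context lines in tests/vars/qubes-rpc.yml show other policies (GetDate, InputKeyboard, ReceiveUpdates, SyncAppMenus, WindowIconUpdater) that this commit does not change, and the diff does not show what an sd-workstation-tagged caller gets for those. Consider a comment at the top of dom0/sd-dom0-qvm-rpc.sls naming the services that are deliberately left out, or generating the repeated blocks from a single list so a newly added service cannot miss the deny pair.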
@@ -15,6 +17,7 @@
 ### BEGIN securedrop-workstation ###
 sd-proxy @tag:sd-client allow
 @anyvm @tag:sd-workstation deny
+ @tag:sd-workstation @anyvm deny
 ### END securedrop-workstation ###
 - policy: GetDate
@@ -51,6 +54,7 @@
 ### BEGIN securedrop-workstation ###
 @tag:sd-client sd-gpg allow
 @anyvm @tag:sd-workstation deny
+ @tag:sd-workstation @anyvm deny
 ### END securedrop-workstation ###
 - policy: GpgImportKey
@@ -58,6 +62,7 @@
 ### BEGIN securedrop-workstation ###
 @tag:sd-client sd-gpg allow
 @anyvm @tag:sd-workstation deny
+ @tag:sd-workstation @anyvm deny
 ### END securedrop-workstation ###
 - policy: InputKeyboard
@@ -93,18 +98,21 @@
 @tag:sd-client @dispvm:sd-svs-disp allow
 @tag:sd-client sd-export-usb allow
 @anyvm @tag:sd-workstation deny
+ @tag:sd-workstation @anyvm deny
 ### END securedrop-workstation ###
 - policy: OpenURL
 starts_with: |-
 ### BEGIN securedrop-workstation ###
 @anyvm @tag:sd-workstation deny
+ @tag:sd-workstation @anyvm deny
 ### END securedrop-workstation ###
 - policy: PdfConvert
 starts_with: |-
 ### BEGIN securedrop-workstation ###
 @anyvm @tag:sd-workstation deny
+ @tag:sd-workstation @anyvm deny
 ### END securedrop-workstation ###
 - policy: ReceiveUpdates
@@ -120,6 +128,7 @@
 starts_with: |-
 ### BEGIN securedrop-workstation ###
 @anyvm @tag:sd-workstation deny
+ @tag:sd-workstation @anyvm deny
 ### END securedrop-workstation ###
 - policy: SyncAppMenus
@@ -156,18 +165,21 @@
 starts_with: |-
 ### BEGIN securedrop-workstation ###
 @anyvm @tag:sd-workstation deny
+ @tag:sd-workstation @anyvm deny
 ### END securedrop-workstation ###
 - policy: VMRootShell
 starts_with: |-
 ### BEGIN securedrop-workstation ###
 @anyvm @tag:sd-workstation deny
+ @tag:sd-workstation @anyvm deny
 ### END securedrop-workstation ###
 - policy: VMShell
 starts_with: |-
 ### BEGIN securedrop-workstation ###
 @anyvm @tag:sd-workstation deny
+ @tag:sd-workstation @anyvm deny
 ### END securedrop-workstation ###
 - policy: WindowIconUpdater