Restrict outbound qubes-rpc policies for sd-workstation VMs #387

Merged
merged 1 commit into from
Jan 2, 2020
12 changes: 12 additions & 0 deletions dom0/sd-dom0-qvm-rpc.sls
Expand Up @@ -18,6 +18,7 @@ dom0-rpc-qubes.ClipboardPaste:
- marker_end: "### END securedrop-workstation ###"
- content: |
@anyvm @tag:sd-workstation deny
@tag:sd-workstation @anyvm deny
dom0-rpc-qubes.FeaturesRequest:
file.blockreplace:
- name: /etc/qubes-rpc/policy/qubes.FeaturesRequest
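Review bot: The `@anyvm` target in the added `@tag:sd-workstation @anyvm deny` line does not match dom0, because Qubes policy matching excludes dom0 from `@anyvm`, so a call from a tagged VM that names dom0 as its target is not decided by this block and falls through to the rules outside it. If the intent is to deny every outbound call from sd-workstation VMs, consider adding `@tag:sd-workstation @adminvm deny` next to it, here and in the other policies this patch touches, or state in the commit message that dom0-targeted calls are deliberately left to the default rules.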
Expand All @@ -26,6 +27,7 @@ dom0-rpc-qubes.FeaturesRequest:
- marker_end: "### END securedrop-workstation ###"
- content: |
@anyvm @tag:sd-workstation deny
@tag:sd-workstation @anyvm deny
dom0-rpc-qubes.Filecopy:
file.blockreplace:
- name: /etc/qubes-rpc/policy/qubes.Filecopy
Expand All @@ -35,6 +37,7 @@ dom0-rpc-qubes.Filecopy:
- content: |
sd-proxy @tag:sd-client allow
@anyvm @tag:sd-workstation deny
@tag:sd-workstation @anyvm deny
dom0-rpc-qubes.OpenInVM:
file.blockreplace:
- name: /etc/qubes-rpc/policy/qubes.OpenInVM
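Review bot: In the Filecopy block the added deny leaves `sd-proxy @tag:sd-client allow` working only because it sits below that line; policy rules are evaluated top to bottom and the first match wins, so if sd-proxy carries the sd-workstation tag, a later reordering of the block would silently cut that path. A `#` comment line inside `content:` saying that allow rules must stay above the two deny lines would document the dependency. The same applies to the OpenInVM, Gpg and GpgImportKey blocks, which also place allow rules ahead of the new line.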
Expand All @@ -45,6 +48,7 @@ dom0-rpc-qubes.OpenInVM:
@tag:sd-client @dispvm:sd-svs-disp allow
@tag:sd-client sd-export-usb allow
@anyvm @tag:sd-workstation deny
@tag:sd-workstation @anyvm deny
dom0-rpc-qubes.OpenURL:
file.blockreplace:
- name: /etc/qubes-rpc/policy/qubes.OpenURL
Expand All @@ -53,6 +57,7 @@ dom0-rpc-qubes.OpenURL:
- marker_end: "### END securedrop-workstation ###"
- content: |
@anyvm @tag:sd-workstation deny
@tag:sd-workstation @anyvm deny
dom0-rpc-qubes.PdfConvert:
file.blockreplace:
- name: /etc/qubes-rpc/policy/qubes.PdfConvert
Expand All @@ -61,6 +66,7 @@ dom0-rpc-qubes.PdfConvert:
- marker_end: "### END securedrop-workstation ###"
- content: |
@anyvm @tag:sd-workstation deny
@tag:sd-workstation @anyvm deny
dom0-rpc-qubes.StartApp:
file.blockreplace:
- name: /etc/qubes-rpc/policy/qubes.StartApp
Expand All @@ -69,6 +75,7 @@ dom0-rpc-qubes.StartApp:
- marker_end: "### END securedrop-workstation ###"
- content: |
@anyvm @tag:sd-workstation deny
@tag:sd-workstation @anyvm deny
dom0-rpc-qubes.USB:
file.blockreplace:
- name: /etc/qubes-rpc/policy/qubes.USB
Expand All @@ -77,6 +84,7 @@ dom0-rpc-qubes.USB:
- marker_end: "### END securedrop-workstation ###"
- content: |
@anyvm @tag:sd-workstation deny
@tag:sd-workstation @anyvm deny
dom0-rpc-qubes.VMRootShell:
file.blockreplace:
- name: /etc/qubes-rpc/policy/qubes.VMRootShell
Expand All @@ -85,6 +93,7 @@ dom0-rpc-qubes.VMRootShell:
- marker_end: "### END securedrop-workstation ###"
- content: |
@anyvm @tag:sd-workstation deny
@tag:sd-workstation @anyvm deny
dom0-rpc-qubes.VMshell:
file.blockreplace:
- name: /etc/qubes-rpc/policy/qubes.VMShell
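Review bot: The state ID `dom0-rpc-qubes.VMshell` in the trailing context of this hunk differs in case from the file it manages, `/etc/qubes-rpc/policy/qubes.VMShell`, while the other state IDs visible in this diff match their policy names exactly. Renaming it to `dom0-rpc-qubes.VMShell` would keep the IDs searchable by service name; check for references to the old ID elsewhere in the states before renaming.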
Expand All @@ -93,6 +102,7 @@ dom0-rpc-qubes.VMshell:
- marker_end: "### END securedrop-workstation ###"
- content: |
@anyvm @tag:sd-workstation deny
@tag:sd-workstation @anyvm deny
dom0-rpc-qubes.Gpg:
file.blockreplace:
- name: /etc/qubes-rpc/policy/qubes.Gpg
Expand All @@ -102,6 +112,7 @@ dom0-rpc-qubes.Gpg:
- content: |
@tag:sd-client sd-gpg allow
@anyvm @tag:sd-workstation deny
@tag:sd-workstation @anyvm deny
dom0-rpc-qubes.GpgImportKey:
file.blockreplace:
- name: /etc/qubes-rpc/policy/qubes.GpgImportKey
Expand All @@ -111,3 +122,4 @@ dom0-rpc-qubes.GpgImportKey:
- content: |
@tag:sd-client sd-gpg allow
@anyvm @tag:sd-workstation deny
@tag:sd-workstation @anyvm deny
12 changes: 12 additions & 0 deletions tests/vars/qubes-rpc.yml
Expand Up @@ -2,19 +2,22 @@
starts_with: |-
### BEGIN securedrop-workstation ###
@anyvm @tag:sd-workstation deny
@tag:sd-workstation @anyvm deny
### END securedrop-workstation ###

- policy: FeaturesRequest
starts_with: |-
### BEGIN securedrop-workstation ###
@anyvm @tag:sd-workstation deny
@tag:sd-workstation @anyvm deny
### END securedrop-workstation ###

- policy: Filecopy
starts_with: |-
### BEGIN securedrop-workstation ###
sd-proxy @tag:sd-client allow
@anyvm @tag:sd-workstation deny
@tag:sd-workstation @anyvm deny
### END securedrop-workstation ###

- policy: GetDate
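Review bot: Neither file adds the outbound deny for GetDate, which appears at the end of this hunk only as unchanged context, and the same holds for InputKeyboard, ReceiveUpdates, SyncAppMenus and WindowIconUpdater in the later hunks, yet nothing in the patch says why these services are exempt. A short comment in this vars file or in the commit message listing the services that sd-workstation VMs may still call outbound, and the reason for each, would let a later reader tell a deliberate exemption from an oversight.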
Expand Down Expand Up @@ -51,13 +54,15 @@
### BEGIN securedrop-workstation ###
@tag:sd-client sd-gpg allow
@anyvm @tag:sd-workstation deny
@tag:sd-workstation @anyvm deny
### END securedrop-workstation ###

- policy: GpgImportKey
starts_with: |-
### BEGIN securedrop-workstation ###
@tag:sd-client sd-gpg allow
@anyvm @tag:sd-workstation deny
@tag:sd-workstation @anyvm deny
### END securedrop-workstation ###

- policy: InputKeyboard
Expand Down Expand Up @@ -93,18 +98,21 @@
@tag:sd-client @dispvm:sd-svs-disp allow
@tag:sd-client sd-export-usb allow
@anyvm @tag:sd-workstation deny
@tag:sd-workstation @anyvm deny
### END securedrop-workstation ###

- policy: OpenURL
starts_with: |-
### BEGIN securedrop-workstation ###
@anyvm @tag:sd-workstation deny
@tag:sd-workstation @anyvm deny
### END securedrop-workstation ###

- policy: PdfConvert
starts_with: |-
### BEGIN securedrop-workstation ###
@anyvm @tag:sd-workstation deny
@tag:sd-workstation @anyvm deny
### END securedrop-workstation ###

- policy: ReceiveUpdates
Expand All @@ -120,6 +128,7 @@
starts_with: |-
### BEGIN securedrop-workstation ###
@anyvm @tag:sd-workstation deny
@tag:sd-workstation @anyvm deny
### END securedrop-workstation ###

- policy: SyncAppMenus
Expand Down Expand Up @@ -156,18 +165,21 @@
starts_with: |-
### BEGIN securedrop-workstation ###
@anyvm @tag:sd-workstation deny
@tag:sd-workstation @anyvm deny
### END securedrop-workstation ###

- policy: VMRootShell
starts_with: |-
### BEGIN securedrop-workstation ###
@anyvm @tag:sd-workstation deny
@tag:sd-workstation @anyvm deny
### END securedrop-workstation ###

- policy: VMShell
starts_with: |-
### BEGIN securedrop-workstation ###
@anyvm @tag:sd-workstation deny
@tag:sd-workstation @anyvm deny
### END securedrop-workstation ###

- policy: WindowIconUpdater