2017-03-20 22:22:20 +01:00
|
|
|
:py:mod:`qubes.policy` -- Qubes RPC policy
|
|
|
|
==========================================
|
|
|
|
|
|
|
|
Every Qubes domain can trigger various RPC services, but if such call would be
|
|
|
|
allowed depends on Qubes RPC policy (qrexec policy in short).
|
|
|
|
|
|
|
|
Qrexec policy format
|
|
|
|
--------------------
|
|
|
|
|
|
|
|
Policy consists of a file, which is parsed line-by-line. First matching line
|
|
|
|
is used as an action.
|
|
|
|
|
|
|
|
Each line consist of three values separated by white characters (space(s), tab(s)):
|
2017-06-27 02:49:13 +02:00
|
|
|
|
2017-03-20 22:22:20 +01:00
|
|
|
1. Source specification, which is one of:
|
|
|
|
|
|
|
|
- domain name
|
|
|
|
- `$anyvm` - any domain
|
|
|
|
- `$tag:some-tag` - VM having tag `some-tag`
|
|
|
|
- `$type:vm-type` - VM of `vm-type` type, available types:
|
2017-06-27 02:49:13 +02:00
|
|
|
AppVM, TemplateVM, StandaloneVM, DispVM
|
2017-03-20 22:22:20 +01:00
|
|
|
|
|
|
|
2. Target specification, one of:
|
|
|
|
|
|
|
|
- domain name
|
|
|
|
- `$anyvm` - any domain, excluding dom0
|
|
|
|
- `$tag:some-tag` - domain having tag `some-tag`
|
|
|
|
- `$type:vm-type` - domain of `vm-type` type, available types:
|
2017-06-27 02:49:13 +02:00
|
|
|
AppVM, TemplateVM, StandaloneVM, DispVM
|
2017-03-20 22:22:20 +01:00
|
|
|
- `$default` - used when caller did not specified any VM
|
|
|
|
- `$dispvm:vm-name` - _new_ Disposable VM created from AppVM `vm-name`
|
2017-09-02 20:12:37 +02:00
|
|
|
- `$dispvm:$tag:some-tag` - _new_ Disposable VM created from AppVM tagged with `some-tag`
|
2017-03-20 22:22:20 +01:00
|
|
|
- `$dispvm` - _new_ Disposable VM created from AppVM pointed by caller
|
|
|
|
property `default_dispvm`, which defaults to global property `default_dispvm`
|
2017-06-27 02:36:42 +02:00
|
|
|
- `$adminvm` - Admin VM aka dom0
|
|
|
|
|
|
|
|
Dom0 can only be matched explicitly - either as `dom0` or `$adminvm` keyword.
|
|
|
|
None of `$anyvm`, `$tag:some-tag`, `$type:AdminVM` will match.
|
2017-03-20 22:22:20 +01:00
|
|
|
|
|
|
|
3. Action and optional action parameters, one of:
|
|
|
|
|
|
|
|
- `allow` - allow the call, without further questions; optional parameters:
|
2017-06-27 02:49:13 +02:00
|
|
|
|
2017-03-20 22:22:20 +01:00
|
|
|
- `target=` - override caller provided call target -
|
|
|
|
possible values are: domain name, `$dispvm` or `$dispvm:vm-name`
|
|
|
|
- `user=` - call the service using this user, instead of the user
|
|
|
|
pointed by target VM's `default_user` property
|
|
|
|
- `deny` - deny the call, without further questions; no optional
|
|
|
|
parameters are supported
|
|
|
|
- `ask` - ask the user for confirmation; optional parameters:
|
2017-06-27 02:49:13 +02:00
|
|
|
|
2017-03-20 22:22:20 +01:00
|
|
|
- `target=` - override user provided call target
|
|
|
|
- `user=` - call the service using this user, instead of the user
|
|
|
|
pointed by target VM's `default_user` property
|
|
|
|
- `default_target=` - suggest this target when prompting the user for
|
|
|
|
confirmation
|
|
|
|
|
|
|
|
Alternatively, a line may consist of a single keyword `$include:` followed by a
|
|
|
|
path. This will load a given file as its content would be in place of
|
|
|
|
`$include` line. Relative paths are resolved relative to
|
|
|
|
`/etc/qubes-rpc/policy` directory.
|
|
|
|
|
|
|
|
Evaluating `ask` action
|
|
|
|
-----------------------
|
|
|
|
|
|
|
|
When qrexec policy specify `ask` action, the user is asked whether the call
|
|
|
|
should be allowed or denied. In addition to that, user also need to choose
|
|
|
|
target domain. User have to choose from a set of targets specified by the
|
|
|
|
policy. Such set is calculated using the algorithm below:
|
|
|
|
|
|
|
|
1. If `ask` action have `target=` option specified, only that target is
|
|
|
|
considered. A prompt window will allow to choose only this value and it will
|
|
|
|
also be pre-filled value.
|
|
|
|
|
|
|
|
2. If no `target=` option is specified, all rules are evaluated to see what
|
|
|
|
target domains (for a given source domain) would result in `ask` or `allow`
|
|
|
|
action. If any of them have `target=` option set, that value is used instead of
|
|
|
|
the one specified in "target" column (for this particular line). Then the user
|
|
|
|
is presented with a confirmation dialog and an option to choose from those
|
|
|
|
domains.
|
|
|
|
|
|
|
|
3. If `default_target=` option is set, it is used as
|
|
|
|
suggested value, otherwise no suggestion is made (regardless of calling domain
|
|
|
|
specified any target or not).
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Module contents
|
|
|
|
---------------
|
|
|
|
|
|
|
|
.. automodule:: qubespolicy
|
|
|
|
:members:
|
|
|
|
:show-inheritance:
|
|
|
|
|
|
|
|
.. vim: ts=3 sw=3 et
|