core-admin/qubes-rpc-policy/qubes.UpdatesProxy.policy

## Note that policy parsing stops at the first match,
## so adding anything below "$anyvm $anyvm action" line will have no effect

## Please use a single # to start your custom comments

# Upgrade all TemplateVMs through sys-whonix.
#$type:TemplateVM $default allow,target=sys-whonix

# Upgrade Whonix TemplateVMs through sys-whonix.
$tag:whonix-updatevm $default allow,target=sys-whonix

# Deny Whonix TemplateVMs using UpdatesProxy of any other VM.
$tag:whonix-updatevm $anyvm deny

# Default rule for all TemplateVMs - direct the connection to sys-net
$type:TemplateVM $default allow,target=sys-net

$anyvm $anyvm deny
Add default policy for qubes.UpdatesProxy service QubesOS/qubes-issues#1854 2017-05-26 05:27:34 +02:00			`## Note that policy parsing stops at the first match,`
			`## so adding anything below "$anyvm $anyvm action" line will have no effect`

			`## Please use a single # to start your custom comments`

comments 2018-08-08 11:38:45 +02:00			`# Upgrade all TemplateVMs through sys-whonix.`
			`#$type:TemplateVM $default allow,target=sys-whonix`

			`# Upgrade Whonix TemplateVMs through sys-whonix.`
add Whonix defaults 2018-08-07 19:31:32 +02:00			`$tag:whonix-updatevm $default allow,target=sys-whonix`
comments 2018-08-08 11:38:45 +02:00
			`# Deny Whonix TemplateVMs using UpdatesProxy of any other VM.`
add Whonix defaults 2018-08-07 19:31:32 +02:00			`$tag:whonix-updatevm $anyvm deny`

Add default policy for qubes.UpdatesProxy service QubesOS/qubes-issues#1854 2017-05-26 05:27:34 +02:00			`# Default rule for all TemplateVMs - direct the connection to sys-net`
			`$type:TemplateVM $default allow,target=sys-net`

			`$anyvm $anyvm deny`