.. program:: qrexec-policy-graph

:program:`qrexec-policy-graph` -- Graph qrexec policy
=====================================================

Synopsis
--------

:command:`qrexec-policy-graph` [-h] [--include-ask] [--skip-labels] [--source *SOURCE* [*SOURCE* ...]] [--target *TARGET* [*TARGET* ...]] [--service *SERVICE* [*SERVICE* ...]] [--output *OUTPUT*] [--policy-dir *POLICY_DIR*] [--system-info *SYSTEM_INFO*]

Options
-------

.. option:: --help, -h

   Show this help message and exit.

.. option:: --include-ask

   Include the `ask` action in the graph. In most cases this produces
   unreadable graphs, because many services contain `$anyvm $anyvm ask` rules.
   It is recommended to limit the graph using other options.

.. option:: --source

   Limit graph to calls from *source*. You can specify multiple names.

.. option:: --target

   Limit graph to calls to *target*. You can specify multiple names.

.. option:: --service

   Limit graph to *service*. You can specify multiple names. This can be either
   a bare service name or a service with an argument (joined with `+`). If a
   bare service name is given, the output will also contain policies for
   specific arguments.

.. option:: --output

   Write to *output* instead of stdout. The file will be overwritten without
   confirmation.

.. option:: --policy-dir

   Look for policy in *policy-dir*. This can be useful to process policy
   extracted from another system. This option adjusts only the base directory;
   if any policy file contains `$include:path` with an absolute path, it will
   try to load the file from that location.
   See also the :option:`--system-info` option.

.. option:: --system-info

   Load system information from a file instead of querying the local qubesd
   instance. The file should be in JSON format, as returned by the
   `internal.GetSystemInfo` qubesd method. This can be obtained by running in
   dom0::

      qubesd-query -e -c /var/run/qubesd.internal.sock dom0 \
         internal.GetSystemInfo dom0 | cut -b 3-

.. option:: --skip-labels

   Do not include service names on the graph. Also, include only a single
   connection between qubes if any service call is allowed there.

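The following is an added example, not part of the qrexec project's code: a
Python check that compares the edges of a generated graph against a reviewed
list of expected flows. The edge syntax and colors (red for allow, orange for
ask), the sample graph and the `EXPECTED` baseline are assumptions made for
illustration.

```python
import re

# Assumed edge syntax of the generated Graphviz output (not stated on this
# page): '  "src" -> "dst" [label="service+arg" color=red];'
# with red for allow rules and orange for ask rules (--include-ask).
EDGE_RE = re.compile(
    r'^\s*"(?P<src>[^"]+)"\s*->\s*"(?P<dst>[^"]+)"\s*'
    r'\[label="(?P<svc>[^"]*)"\s+color=(?P<color>\w+)\];\s*$'
)
ACTIONS = {"red": "allow", "orange": "ask"}

# Constructed sample, standing in for a file written with --output.
SAMPLE_GRAPH = '''digraph g {
  "work" -> "vault" [label="qubes.Gpg" color=red];
  "untrusted" -> "vault" [label="qubes.Filecopy" color=red];
  "untrusted" -> "work" [label="qubes.OpenInVM" color=orange];
}
'''

# Hypothetical reviewed baseline: (source, target, service). An empty service
# accepts any service between that pair, which also fits --skip-labels output.
EXPECTED = {
    ("work", "vault", "qubes.Gpg"),
    ("untrusted", "work", ""),
}

def parse_edges(dot_text):
    """Return (source, target, service, action) for every edge line."""
    edges = []
    for line in dot_text.splitlines():
        m = EDGE_RE.match(line)
        if m:  # non-edge lines such as 'digraph g {' are skipped
            action = ACTIONS.get(m["color"], "unknown")
            edges.append((m["src"], m["dst"], m["svc"], action))
    return edges

def unexpected_flows(edges, expected):
    """Return the edges that the reviewed baseline does not cover."""
    return [
        e for e in edges
        if (e[0], e[1], e[2]) not in expected
        and (e[0], e[1], "") not in expected
    ]

if __name__ == "__main__":
    for src, dst, svc, action in unexpected_flows(parse_edges(SAMPLE_GRAPH), EXPECTED):
        print(f"review: {src} -> {dst} {svc or '(any service)'} [{action}]")
```
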
Authors
-------

| Marek Marczykowski-Górecki <marmarek at invisiblethingslab dot com>

.. vim: ts=3 sw=3 et tw=80