Home Explore Help
Sign In
Qubes
/
core-admin
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

doc: drop moved elsewhere components

Frédéric Pierret (fepitre) 4 years ago
parent
e092b40350
commit
3ba9c6f8d1
2 changed files with 0 additions and 97 deletions
Split View Show Diff Stats
  1. 0 2
      doc/index.rst
  2. 0 95
      doc/qubes-policy.rst

+ 0 - 2
doc/index.rst
View File 

@@ -22,8 +22,6 @@ manpages and API documentation. For primary user documentation, see
 
    qubes-exc
 
    qubes-ext
 
    qubes-log
 
-   qubes-mgmt
 
-   qubes-policy
 
    qubes-backup
 
    qubes-tools/index
 
    qubes-tests

+ 0 - 95
doc/qubes-policy.rst
View File 

@@ -1,95 +0,0 @@
 
-:py:mod:`qubes.policy` -- Qubes RPC policy
 
-==========================================
 
-
 
-Every Qubes domain can trigger various RPC services, but if such call would be
 
-allowed depends on Qubes RPC policy (qrexec policy in short).
 
-
 
-Qrexec policy format
 
---------------------
 
-
 
-Policy consists of a file, which is parsed line-by-line. First matching line
 
-is used as an action.
 
-
 
-Each line consist of three values separated by white characters (space(s), tab(s)):
 
-
 
-1. Source specification, which is one of:
 
-
 
-  - domain name
 
-  - `$anyvm` - any domain
 
-  - `$tag:some-tag` - VM having tag `some-tag`
 
-  - `$type:vm-type` - VM of `vm-type` type, available types:
 
-    AppVM, TemplateVM, StandaloneVM, DispVM
 
-
 
-2. Target specification, one of:
 
-
 
-  - domain name
 
-  - `$anyvm` - any domain, excluding dom0
 
-  - `$tag:some-tag` - domain having tag `some-tag`
 
-  - `$type:vm-type` - domain of `vm-type` type, available types:
 
-    AppVM, TemplateVM, StandaloneVM, DispVM
 
-  - `$default` - used when caller did not specified any VM
 
-  - `$dispvm:vm-name` - _new_ Disposable VM created from AppVM `vm-name`
 
-  - `$dispvm:$tag:some-tag` - _new_ Disposable VM created from AppVM tagged with `some-tag`
 
-  - `$dispvm` - _new_ Disposable VM created from AppVM pointed by caller
 
-    property `default_dispvm`, which defaults to global property `default_dispvm`
 
-  - `$adminvm` - Admin VM aka dom0
 
-
 
-  Dom0 can only be matched explicitly - either as `dom0` or `$adminvm` keyword.
 
-  None of `$anyvm`, `$tag:some-tag`, `$type:AdminVM` will match.
 
-
 
-3. Action and optional action parameters, one of:
 
-
 
-  - `allow` - allow the call, without further questions; optional parameters:
 
-
 
-    - `target=` - override caller provided call target -
 
-      possible values are: domain name, `$dispvm` or `$dispvm:vm-name`
 
-    - `user=` - call the service using this user, instead of the user
 
-      pointed by target VM's `default_user` property
 
-  - `deny` - deny the call, without further questions; no optional
 
-    parameters are supported
 
-  - `ask` - ask the user for confirmation; optional parameters:
 
-
 
-    - `target=` - override user provided call target
 
-    - `user=` - call the service using this user, instead of the user
 
-      pointed by target VM's `default_user` property
 
-    - `default_target=` - suggest this target when prompting the user for
 
-      confirmation
 
-
 
-Alternatively, a line may consist of a single keyword `$include:` followed by a
 
-path. This will load a given file as its content would be in place of
 
-`$include` line. Relative paths are resolved relative to
 
-`/etc/qubes-rpc/policy` directory.
 
-
 
-Evaluating `ask` action
 
------------------------
 
-
 
-When qrexec policy specify `ask` action, the user is asked whether the call
 
-should be allowed or denied. In addition to that, user also need to choose
 
-target domain. User have to choose from a set of targets specified by the
 
-policy. Such set is calculated using the algorithm below:
 
-
 
-1. If `ask` action have `target=` option specified, only that target is
 
-considered. A prompt window will allow to choose only this value and it will
 
-also be pre-filled value.
 
-
 
-2. If no `target=` option is specified, all rules are evaluated to see what
 
-target domains (for a given source domain) would result in `ask` or `allow`
 
-action. If any of them have `target=` option set, that value is used instead of
 
-the one specified in "target" column (for this particular line). Then the user
 
-is presented with a confirmation dialog and an option to choose from those
 
-domains. 
-
 
-3. If `default_target=` option is set, it is used as
 
-suggested value, otherwise no suggestion is made (regardless of calling domain
 
-specified any target or not).
 
-
 
-
 
-
 
-Module contents
 
----------------
 
-
 
-.. automodule:: qubespolicy
 
-   :members:
 
-   :show-inheritance:
 
-
 
-.. vim: ts=3 sw=3 et