|
@@ -0,0 +1,21 @@
|
|
|
+## Note that policy parsing stops at the first match.
|
|
|
+## Add ",user=root" to any ask or allow rules.
|
|
|
+
|
|
|
+## Please use a single # to start your custom comments
|
|
|
+
|
|
|
+$anyvm $anyvm deny
|
|
|
+
|
|
|
+# WARNING: The qubes.VMRootShell service is dangerous and there are really few
|
|
|
+# cases when it could be safely used. Especially when policy set to "ask" you
|
|
|
+# have no way to know for sure what command(s) will be called. Compromissed
|
|
|
+# source VM can substitute the command. Allowing one VM to execute
|
|
|
+# qubes.VMRootShell over the other VM allows the former to TAKE FULL CONTROL over
|
|
|
+# the later. In most cases this is not what we want!
|
|
|
+#
|
|
|
+# Instead we should be using task-specific qrexec services which provide
|
|
|
+# assurance as to what program will be responding to the (untrusted) VM
|
|
|
+# requests.
|
|
|
+#
|
|
|
+# See e.g. this thread for some discussion:
|
|
|
+# https://groups.google.com/d/msg/qubes-users/xnAByaL_bjI/3PjYdiTDW-0J
|
|
|
+#
|