From e32ce14ab507cd6d84a9035d585e9e0f9cff7b59 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Pierret=20=28fepitre=29?=
Date: Thu, 8 Aug 2019 12:28:30 +0200
Subject: [PATCH] qubes-rpc: add qubes.ConnectTCP
---
 Makefile | 1 +
 qubes-rpc-policy/qubes.ConnectTCP.policy | 10 ++++++++++
 rpm_spec/core-dom0.spec.in | 1 +
 3 files changed, 12 insertions(+)
 create mode 100644 qubes-rpc-policy/qubes.ConnectTCP.policy
diff --git a/Makefile b/Makefile
index cbb19d6a..42b2f35d 100644
--- a/Makefile
+++ b/Makefile
@@ -185,6 +185,7 @@ endif
 cp qubes-rpc-policy/qubes.VMShell.policy $(DESTDIR)/etc/qubes-rpc/policy/qubes.VMShell
 cp qubes-rpc-policy/qubes.UpdatesProxy.policy $(DESTDIR)/etc/qubes-rpc/policy/qubes.UpdatesProxy
 cp qubes-rpc-policy/qubes.GetDate.policy $(DESTDIR)/etc/qubes-rpc/policy/qubes.GetDate
+ cp qubes-rpc-policy/qubes.ConnectTCP.policy $(DESTDIR)/etc/qubes-rpc/policy/qubes.ConnectTCP
 cp qubes-rpc-policy/admin.vm.Console.policy $(DESTDIR)/etc/qubes-rpc/policy/admin.vm.Console
 cp qubes-rpc-policy/policy.RegisterArgument.policy $(DESTDIR)/etc/qubes-rpc/policy/policy.RegisterArgument
 cp qubes-rpc/qubes.FeaturesRequest $(DESTDIR)/etc/qubes-rpc/
diff --git a/qubes-rpc-policy/qubes.ConnectTCP.policy b/qubes-rpc-policy/qubes.ConnectTCP.policy
new file mode 100644
index 00000000..ce516034
--- /dev/null
+++ b/qubes-rpc-policy/qubes.ConnectTCP.policy
@@ -0,0 +1,10 @@
+## Note that policy parsing stops at the first match,
+## so adding anything below "$anyvm $anyvm action" line will have no effect
+
+## Please use a single # to start your custom comments
+
+# WARNING: The qubes.ConnectTCP service is dangerous and allows any
+# qube to access any other qube TCP port. It should be restricted
+# only to restricted qubes. This is why the default policy is 'deny'
+
+# Example of policy: mytcp-client @default allow,target=mytcp-server
diff --git a/rpm_spec/core-dom0.spec.in b/rpm_spec/core-dom0.spec.in
index a5c05abe..666b1d2c 100644
--- a/rpm_spec/core-dom0.spec.in
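Review bot: The new qubes.ConnectTCP.policy holds only comments, so the 'deny' default named in the WARNING is implicit (no rule matches) and the header's reference to a "$anyvm $anyvm action" line points at nothing; ending the file with an explicit `@anyvm @anyvm deny` would make the default visible to anyone auditing the policy directory. The header spells the token `$anyvm` while the example uses `@default`, so both should use whichever prefix the policy parser in this tree accepts. The example `mytcp-client @default allow,target=mytcp-server` is not scoped to a port; if the port is carried as the service argument (not visible in this patch), the comment should say that a per-port rule is preferred over allowing the whole service. The wording "It should be restricted only to restricted qubes" is circular and would read better as `# It should be allowed only for specific, explicitly listed qubes.`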
+++ b/rpm_spec/core-dom0.spec.in
@@ -385,6 +385,7 @@ fi
 %attr(0664,root,qubes) %config(noreplace) /etc/qubes-rpc/policy/include/admin-local-rwx
 %attr(0664,root,qubes) %config(noreplace) /etc/qubes-rpc/policy/include/admin-global-ro
 %attr(0664,root,qubes) %config(noreplace) /etc/qubes-rpc/policy/include/admin-global-rwx
+%attr(0664,root,qubes) %config(noreplace) /etc/qubes-rpc/policy/qubes.ConnectTCP
 %attr(0664,root,qubes) %config(noreplace) /etc/qubes-rpc/policy/qubes.FeaturesRequest
 %attr(0664,root,qubes) %config(noreplace) /etc/qubes-rpc/policy/qubes.Filecopy
 %attr(0664,root,qubes) %config(noreplace) /etc/qubes-rpc/policy/qubes.GetImageRGBA