Add policy for paranoid mode backup restore

Policy allows a VM with 'backup-restore-mgmt' tag to create VMs, and
then manage VMs with 'backup-restore-in-progress' tag (which is added by
AdminExtension, based on 'tag-created-vm-with' feature).

VM with 'backup-restore-mgmt' tag can also call qubes.RestoreById
service to a VM with 'backup-restore-storage' tag. This service allows
to retrieve backup archive.

QubesOS/qubes-issues#5310

Makefile

@@ -174,6 +174,8 @@ endif
 	mkdir -p $(DESTDIR)/usr/libexec/qubes
 	install -m 0644 qubes-rpc-policy/90-default.policy \
 		$(DESTDIR)/etc/qubes/policy.d/90-default.policy
+	install -m 0644 qubes-rpc-policy/85-admin-backup-restore.policy \
+		$(DESTDIR)/etc/qubes/policy.d/85-admin-backup-restore.policy
 	cp qubes-rpc/qubes.FeaturesRequest $(DESTDIR)/etc/qubes-rpc/
 	cp qubes-rpc/qubes.GetDate $(DESTDIR)/etc/qubes-rpc/
 	cp qubes-rpc/qubes.GetRandomizedTime $(DESTDIR)/etc/qubes-rpc/

qubes-rpc-policy/85-admin-backup-restore.policy

@@ -0,0 +1,26 @@
+## File format:
+## service-name|*       +argument|* source                   destination                     action  [options]
+
+## Allow selected DisposableVM perform "paranoid backup restore"
+admin.vm.Create.AppVM                      *   @tag:backup-restore-mgmt dom0                 allow target=dom0
+admin.vm.Create.StandaloneVM               *   @tag:backup-restore-mgmt dom0                 allow target=dom0
+admin.vm.Create.TemplateVM                 *   @tag:backup-restore-mgmt dom0                 allow target=dom0
+admin.vm.List                              *   @tag:backup-restore-mgmt dom0                 allow target=dom0
+## Allow checking some basic info about all the VMs, to propose conflicts resolution
+admin.vm.List                              *   @tag:backup-restore-mgmt @anyvm               allow target=dom0
+admin.vm.property.Get  +provides_network       @tag:backup-restore-mgmt @anyvm               allow target=dom0
+admin.vm.property.Get  +template_for_dispvms   @tag:backup-restore-mgmt @anyvm               allow target=dom0
+
+## Allow it to configure just created qubes
+admin.vm.feature.Set            *   @tag:backup-restore-mgmt @tag:backup-restore-in-progress allow target=dom0
+admin.vm.firewall.Set           *   @tag:backup-restore-mgmt @tag:backup-restore-in-progress allow target=dom0
+admin.vm.property.Set           *   @tag:backup-restore-mgmt @tag:backup-restore-in-progress allow target=dom0
+admin.vm.tag.Set                *   @tag:backup-restore-mgmt @tag:backup-restore-in-progress allow target=dom0
+admin.vm.volume.Import          *   @tag:backup-restore-mgmt @tag:backup-restore-in-progress allow target=dom0
+admin.vm.volume.Info            *   @tag:backup-restore-mgmt @tag:backup-restore-in-progress allow target=dom0
+admin.vm.volume.List            *   @tag:backup-restore-mgmt @tag:backup-restore-in-progress allow target=dom0
+admin.vm.volume.Set.revisions_to_keep   *	@tag:backup-restore-mgmt @tag:backup-restore-in-progress allow target=dom0
+
+## And finally, allow it to retrieve the actual backup
+qubes.RestoreById               *   @tag:backup-restore-mgmt @tag:backup-restore-storage     allow
+

rpm_spec/core-dom0.spec.in

@@ -530,6 +530,7 @@ done
 /etc/xen/scripts/block-snapshot
 /etc/xen/scripts/block-origin
 /etc/xen/scripts/vif-route-qubes
+%attr(0664,root,qubes) %config(noreplace) /etc/qubes/policy.d/85-admin-backup-restore.policy
 %attr(0664,root,qubes) %config(noreplace) /etc/qubes/policy.d/90-admin-default.policy
 %attr(0664,root,qubes) %config(noreplace) /etc/qubes/policy.d/90-default.policy
 %attr(0664,root,qubes) %config(noreplace) /etc/qubes/policy.d/include/admin-global-ro