Home Explore Help
Sign In
Qubes
/
core-admin
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 51022cada5
Branches Tags
core-admin
/
doc
/
qubes-policy.rst

qubes-policy.rst 3.6 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394 
  1. :py:mod:`qubes.policy` -- Qubes RPC policy
    2. 

  2. ==========================================
    3. 

  3. 

  4. Every Qubes domain can trigger various RPC services, but if such call would be
    5. 

  5. allowed depends on Qubes RPC policy (qrexec policy in short).
    6. 

  6. 

  7. Qrexec policy format
    8. 

  8. --------------------
    9. 

  9. 

  10. Policy consists of a file, which is parsed line-by-line. First matching line
    11. 

  11. is used as an action.
    12. 

  12. 

  13. Each line consist of three values separated by white characters (space(s), tab(s)):
    14. 

  14. 

  15. 1. Source specification, which is one of:
    16. 

  16. 

  17.   - domain name
    18. 

  18.   - `$anyvm` - any domain
    19. 

  19.   - `$tag:some-tag` - VM having tag `some-tag`
    20. 

  20.   - `$type:vm-type` - VM of `vm-type` type, available types:
    21. 

  21.     AppVM, TemplateVM, StandaloneVM, DispVM
    22. 

  22. 

  23. 2. Target specification, one of:
    24. 

  24. 

  25.   - domain name
    26. 

  26.   - `$anyvm` - any domain, excluding dom0
    27. 

  27.   - `$tag:some-tag` - domain having tag `some-tag`
    28. 

  28.   - `$type:vm-type` - domain of `vm-type` type, available types:
    29. 

  29.     AppVM, TemplateVM, StandaloneVM, DispVM
    30. 

  30.   - `$default` - used when caller did not specified any VM
    31. 

  31.   - `$dispvm:vm-name` - _new_ Disposable VM created from AppVM `vm-name`
    32. 

  32.   - `$dispvm` - _new_ Disposable VM created from AppVM pointed by caller
    33. 

  33.     property `default_dispvm`, which defaults to global property `default_dispvm`
    34. 

  34.   - `$adminvm` - Admin VM aka dom0
    35. 

  35. 

  36.   Dom0 can only be matched explicitly - either as `dom0` or `$adminvm` keyword.
    37. 

  37.   None of `$anyvm`, `$tag:some-tag`, `$type:AdminVM` will match.
    38. 

  38. 

  39. 3. Action and optional action parameters, one of:
    40. 

  40. 

  41.   - `allow` - allow the call, without further questions; optional parameters:
    42. 

  42. 

  43.     - `target=` - override caller provided call target -
    44. 

  44.       possible values are: domain name, `$dispvm` or `$dispvm:vm-name`
    45. 

  45.     - `user=` - call the service using this user, instead of the user
    46. 

  46.       pointed by target VM's `default_user` property
    47. 

  47.   - `deny` - deny the call, without further questions; no optional
    48. 

  48.     parameters are supported
    49. 

  49.   - `ask` - ask the user for confirmation; optional parameters:
    50. 

  50. 

  51.     - `target=` - override user provided call target
    52. 

  52.     - `user=` - call the service using this user, instead of the user
    53. 

  53.       pointed by target VM's `default_user` property
    54. 

  54.     - `default_target=` - suggest this target when prompting the user for
    55. 

  55.       confirmation
    56. 

  56. 

  57. Alternatively, a line may consist of a single keyword `$include:` followed by a
    58. 

  58. path. This will load a given file as its content would be in place of
    59. 

  59. `$include` line. Relative paths are resolved relative to
    60. 

  60. `/etc/qubes-rpc/policy` directory.
    61. 

  61. 

  62. Evaluating `ask` action
    63. 

  63. -----------------------
    64. 

  64. 

  65. When qrexec policy specify `ask` action, the user is asked whether the call
    66. 

  66. should be allowed or denied. In addition to that, user also need to choose
    67. 

  67. target domain. User have to choose from a set of targets specified by the
    68. 

  68. policy. Such set is calculated using the algorithm below:
    69. 

  69. 

  70. 1. If `ask` action have `target=` option specified, only that target is
    71. 

  71. considered. A prompt window will allow to choose only this value and it will
    72. 

  72. also be pre-filled value.
    73. 

  73. 

  74. 2. If no `target=` option is specified, all rules are evaluated to see what
    75. 

  75. target domains (for a given source domain) would result in `ask` or `allow`
    76. 

  76. action. If any of them have `target=` option set, that value is used instead of
    77. 

  77. the one specified in "target" column (for this particular line). Then the user
    78. 

  78. is presented with a confirmation dialog and an option to choose from those
    79. 

  79. domains. 
    80. 

  80. 

  81. 3. If `default_target=` option is set, it is used as
    82. 

  82. suggested value, otherwise no suggestion is made (regardless of calling domain
    83. 

  83. specified any target or not).
    84. 

  84. 

  85. 

  86. 

  87. Module contents
    88. 

  88. ---------------
    89. 

  89. 

  90. .. automodule:: qubespolicy
    91. 

  91.    :members:
    92. 

  92.    :show-inheritance:
    93. 

  93. 

  94. .. vim: ts=3 sw=3 et
    95.