Home Explore Help
Sign In
Qubes
/
core-admin
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 56ec271606
Branches Tags
core-admin
/
doc
/
manpages
/
qrexec-policy-graph.rst

qrexec-policy-graph.rst 2.2 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273 
  1. .. program:: qrexec-policy-graph
    2. 

  2. 

  3. :program:`qrexec-policy-graph` -- Graph qrexec policy
    4. 

  4. =====================================================
    5. 

  5. 

  6. Synopsis
    7. 

  7. --------
    8. 

  8. 

  9. :command:`qrexec-policy-graph` [-h] [--include-ask] [--source *SOURCE* [*SOURCE* ...]] [--target *TARGET* [*TARGET* ...]] [--service *SERVICE* [*SERVICE* ...]] [--output *OUTPUT*] [--policy-dir POLICY_DIR] [--system-info SYSTEM_INFO]
    10. 

  10. 

  11. 

  12. Options
    13. 

  13. -------
    14. 

  14. 

  15. .. option:: --help, -h
    16. 

  16. 

  17.    show this help message and exit
    18. 

  18. 

  19. .. option:: --include-ask
    20. 

  20. 

  21.    Include `ask` action in graph. In most cases produce unreadable graphs
    22. 

  22.    because many services contains `$anyvm $anyvm ask` rules. It's recommended to
    23. 

  23.    limit graph using other options.
    24. 

  24. 

  25. .. option:: --source
    26. 

  26. 

  27.    Limit graph to calls from *source*. You can specify multiple names.
    28. 

  28. 

  29. .. option:: --target
    30. 

  30. 

  31.    Limit graph to calls to *target*. You can specify multiple names.
    32. 

  32. 

  33. .. option:: --service
    34. 

  34. 

  35.    Limit graph to *service*. You can specify multiple names. This can be either
    36. 

  36.    bare service name, or service with argument (joined with `+`). If bare
    37. 

  37.    service name is given, output will contain also policies for specific
    38. 

  38.    arguments.
    39. 

  39. 

  40. .. option:: --output
    41. 

  41. 

  42.    Write to *output* instead of stdout. The file will be overwritten without
    43. 

  43.    confirmation.
    44. 

  44. 

  45. .. option:: --policy-dir
    46. 

  46. 

  47.    Look for policy in *policy-dir*. This can be useful to process policy
    48. 

  48.    extracted from other system. This option adjust only base directory, if any
    49. 

  49.    policy file contains `$include:path` with absolute path, it will try to load
    50. 

  50.    the file from that location.
    51. 

  51.    See also --system-info option.
    52. 

  52. 

  53. .. option:: --system-info
    54. 

  54. 

  55.    Load system information from file instead of querying local qubesd instance.
    56. 

  56.    The file should be in json format, as returned by `internal.GetSystemInfo`
    57. 

  57.    qubesd method. This can be obtained by running in dom0:
    58. 

  58. 

  59.         qubesd-query -e -c /var/run/qubesd.internal.sock dom0 \
    60. 

  60.         internal.GetSystemInfo dom0 | cut -b 3-
    61. 

  61. 

  62. .. option:: --skip-labels
    63. 

  63. 

  64.    Do not include service names on the graph. Also, include only a single
    65. 

  65.    connection between qubes if any service call is allowed there.
    66. 

  66. 

  67. 

  68. Authors
    69. 

  69. -------
    70. 

  70. 

  71. | Marek Marczykowski-Górecki <marmarek at invisiblethingslab dot com>
    72. 

  72. 

  73. .. vim: ts=3 sw=3 et tw=80
    74.