qubes-policy.rst 3.4 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687
  1. :py:mod:`qubes.policy` -- Qubes RPC policy
  2. ==========================================
  3. Every Qubes domain can trigger various RPC services, but if such call would be
  4. allowed depends on Qubes RPC policy (qrexec policy in short).
  5. Qrexec policy format
  6. --------------------
  7. Policy consists of a file, which is parsed line-by-line. First matching line
  8. is used as an action.
  9. Each line consist of three values separated by white characters (space(s), tab(s)):
  10. 1. Source specification, which is one of:
  11. - domain name
  12. - `$anyvm` - any domain
  13. - `$tag:some-tag` - VM having tag `some-tag`
  14. - `$type:vm-type` - VM of `vm-type` type, available types:
  15. AppVM, TemplateVM, StandaloneVM, DispVM
  16. 2. Target specification, one of:
  17. - domain name
  18. - `$anyvm` - any domain, excluding dom0
  19. - `$tag:some-tag` - domain having tag `some-tag`
  20. - `$type:vm-type` - domain of `vm-type` type, available types:
  21. AppVM, TemplateVM, StandaloneVM, DispVM
  22. - `$default` - used when caller did not specified any VM
  23. - `$dispvm:vm-name` - _new_ Disposable VM created from AppVM `vm-name`
  24. - `$dispvm` - _new_ Disposable VM created from AppVM pointed by caller
  25. property `default_dispvm`, which defaults to global property `default_dispvm`
  26. 3. Action and optional action parameters, one of:
  27. - `allow` - allow the call, without further questions; optional parameters:
  28. - `target=` - override caller provided call target -
  29. possible values are: domain name, `$dispvm` or `$dispvm:vm-name`
  30. - `user=` - call the service using this user, instead of the user
  31. pointed by target VM's `default_user` property
  32. - `deny` - deny the call, without further questions; no optional
  33. parameters are supported
  34. - `ask` - ask the user for confirmation; optional parameters:
  35. - `target=` - override user provided call target
  36. - `user=` - call the service using this user, instead of the user
  37. pointed by target VM's `default_user` property
  38. - `default_target=` - suggest this target when prompting the user for
  39. confirmation
  40. Alternatively, a line may consist of a single keyword `$include:` followed by a
  41. path. This will load a given file as its content would be in place of
  42. `$include` line. Relative paths are resolved relative to
  43. `/etc/qubes-rpc/policy` directory.
  44. Evaluating `ask` action
  45. -----------------------
  46. When qrexec policy specify `ask` action, the user is asked whether the call
  47. should be allowed or denied. In addition to that, user also need to choose
  48. target domain. User have to choose from a set of targets specified by the
  49. policy. Such set is calculated using the algorithm below:
  50. 1. If `ask` action have `target=` option specified, only that target is
  51. considered. A prompt window will allow to choose only this value and it will
  52. also be pre-filled value.
  53. 2. If no `target=` option is specified, all rules are evaluated to see what
  54. target domains (for a given source domain) would result in `ask` or `allow`
  55. action. If any of them have `target=` option set, that value is used instead of
  56. the one specified in "target" column (for this particular line). Then the user
  57. is presented with a confirmation dialog and an option to choose from those
  58. domains.
  59. 3. If `default_target=` option is set, it is used as
  60. suggested value, otherwise no suggestion is made (regardless of calling domain
  61. specified any target or not).
  62. Module contents
  63. ---------------
  64. .. automodule:: qubespolicy
  65. :members:
  66. :show-inheritance:
  67. .. vim: ts=3 sw=3 et