
  1. ## Do not modify this file, create a new policy file with a lower number in the
  2. ## filename instead. For example `30-user.policy`.
  3. ###
  4. ### Default qrexec policy
  5. ###
  6. ## File format:
  7. ## service-name|* +argument|* source destination action [options]
  8. ## Note that policy parsing stops at the first match.
  9. # policy.RegisterArgument should be allowed only for specific arguments, never
  9. # with a "*" argument; the rule below denies it by default.
  10. policy.RegisterArgument * @anyvm dom0 deny
  11. # WARNING: The qubes.ConnectTCP service is dangerous: it lets the source qube
  12. # connect to any TCP port of the target qube. Never allow it for @anyvm; allow
  13. # it only for specific source/target pairs, and restrict the port via the
  13. # argument (e.g. +22). This is why the default policy is 'deny'.
  14. # Example of policy: qubes.ConnectTCP +22 mytcp-client @default allow target=mytcp-server
  15. qubes.ConnectTCP * @anyvm @anyvm deny
  16. # A VM advertises the features it supports
  17. qubes.FeaturesRequest * @anyvm dom0 allow
  18. # A Windows VM advertises its installed Qubes Windows Tools
  19. qubes.NotifyTools * @anyvm dom0 allow
  20. # File copy/move
  21. qubes.Filecopy * @anyvm @anyvm ask
  22. # Get current date/time. Qubes tagged anon-vm are denied by the first rule
  22. # (policy parsing stops at the first match); everything else is served by dom0.
  23. qubes.GetDate * @tag:anon-vm @anyvm deny
  24. qubes.GetDate * @anyvm @anyvm allow target=dom0
  25. # Get slightly randomized date/time
  26. qubes.GetRandomizedTime * @anyvm dom0 allow
  27. # Convert an image to a safe (RGBA) format; this also lets a VM obtain an
  27. # image (icon) file from another VM.
  28. qubes.GetImageRGBA * @anyvm @dispvm allow
  29. qubes.GetImageRGBA * @anyvm @anyvm ask
  30. # Notify about available updates
  31. qubes.NotifyUpdates * @anyvm dom0 allow
  32. # Open a file in a VM
  33. qubes.OpenInVM * @anyvm @dispvm allow
  34. qubes.OpenInVM * @anyvm @anyvm ask
  35. # Open URL in a VM
  36. qubes.OpenURL * @anyvm @dispvm allow
  37. qubes.OpenURL * @anyvm @anyvm ask
  38. # Start application using its menu entry (only applications with menu entries
  39. # are allowed, no arbitrary command). Argument is an application name (in case
  40. # of Linux, basename of .desktop file from /usr/share/applications or similar
  41. # location).
  42. qubes.StartApp * @anyvm @dispvm allow
  43. qubes.StartApp * @anyvm @anyvm ask
  44. # HTTP proxy for downloading updates. Rules are matched in order, so the
  44. # Whonix-specific rules must stay above the generic TemplateVM rule.
  45. # Uncomment to upgrade all TemplateVMs through sys-whonix:
  46. #qubes.UpdatesProxy * @type:TemplateVM @default allow target=sys-whonix
  47. # Upgrade Whonix TemplateVMs through sys-whonix.
  48. qubes.UpdatesProxy * @tag:whonix-updatevm @default allow target=sys-whonix
  49. # Deny Whonix TemplateVMs from using the UpdatesProxy of any other VM.
  50. qubes.UpdatesProxy * @tag:whonix-updatevm @anyvm deny
  51. # Default rule for all other TemplateVMs: direct the connection to sys-net
  52. qubes.UpdatesProxy * @type:TemplateVM @default allow target=sys-net
  53. qubes.UpdatesProxy * @anyvm @anyvm deny
  54. # WARNING: The qubes.VMShell service is dangerous and there are very few
  55. # cases in which it can be used safely. Especially when the policy is set to
  56. # "ask", you have no way to know for sure what command(s) will be run: the
  56. # command is not shown in the confirmation prompt (unlike qubes.VMExec), so a
  57. # compromised source VM can substitute it. Allowing one VM to execute
  58. # qubes.VMShell in another VM lets the former TAKE FULL CONTROL of the
  59. # latter. In most cases this is not what we want!
  60. #
  61. # Instead we should be using task-specific qrexec services which provide
  62. # assurance as to what program will be responding to the (untrusted) VM
  63. # requests.
  64. #
  65. # It is, however, safe in most cases to give the creating AppVM full control
  66. # over the DisposableVM it creates as part of the qrexec service invocation.
  67. # That's why by default we have the "@anyvm @dispvm allow" rule. Note that it
  68. # does _not_ allow any AppVM to execute qubes.VMShell in any DispVM already
  69. # running in the system -- that would obviously be wrong. It only grants the
  70. # AppVM qubes.VMShell access to the DispVM that is created for this very
  71. # service invocation.
  72. #
  73. # See e.g. this thread for some discussion:
  74. # https://groups.google.com/d/msg/qubes-users/xnAByaL_bjI/3PjYdiTDW-0J
  75. qubes.VMShell * @anyvm @dispvm allow
  76. qubes.VMShell * @anyvm @anyvm deny
  77. # WARNING: qubes.VMRootShell carries the same risks as qubes.VMShell and
  77. # qubes.VMExec (see below), and is the root-user variant: add the "user=root"
  78. # option to any ask or allow rules you create for it.
  79. qubes.VMRootShell * @anyvm @anyvm deny
  80. # WARNING: The qubes.VMExec service is dangerous and there are very few
  81. # cases in which it can be used safely. Unlike qubes.VMShell, when the policy
  82. # is set to "ask" the command to be executed is visible in the confirmation
  83. # prompt. But once allowed, the source VM has full control over the command's
  84. # standard input/output. Allowing one VM to execute qubes.VMExec in another
  85. # VM lets the former TAKE FULL CONTROL of the latter. In most cases this is
  86. # not what we want!
  87. #
  88. # Instead we should be using task-specific qrexec services which provide
  89. # assurance as to what program will be responding to the (untrusted) VM
  90. # requests.
  91. #
  92. # It is, however, safe in most cases to give the creating AppVM full control
  93. # over the DisposableVM it creates as part of the qrexec service invocation.
  94. # That's why by default we have the "@anyvm @dispvm allow" rule. Note that it
  95. # does _not_ allow any AppVM to execute qubes.VMExec in any DispVM already
  96. # running in the system -- that would obviously be wrong. It only grants the
  97. # AppVM qubes.VMExec access to the DispVM that is created for this very
  98. # service invocation.
  99. #
  100. # See e.g. this thread for some discussion:
  101. # https://groups.google.com/d/msg/qubes-users/xnAByaL_bjI/3PjYdiTDW-0J
  102. qubes.VMExec * @anyvm @dispvm allow
  103. qubes.VMExec * @anyvm @anyvm deny
  104. # WARNING: qubes.VMExecGUI carries the same risks as qubes.VMExec (see above)
  105. qubes.VMExecGUI * @anyvm @dispvm allow
  106. qubes.VMExecGUI * @anyvm @anyvm deny