qubes.VMShell.policy 1.4 KB

12345678910111213141516171819202122232425262728293031
  1. ## Note that policy parsing stops at the first match,
  2. ## so adding anything below "$anyvm $anyvm action" line will have no effect
  3. ## Please use a single # to start your custom comments
  4. $anyvm $dispvm allow
  5. $anyvm $anyvm deny
  6. # WARNING: The qubes.VMShell service is dangerous and there are really few
  7. # cases when it could be safely used. Especially when policy set to "ask" you
  8. # have no way to know for sure what command(s) will be called. Compromissed
  9. # source VM can substitute the command. Allowing one VM to execute
  10. # qubes.VMShell over the other VM allows the former to TAKE FULL CONTROL over
  11. # the later. In most cases this is not what we want!
  12. #
  13. # Instead we should be using task-specific qrexec services which provide
  14. # assurance as to what program will be responding to the (untrusted) VM
  15. # requests.
  16. #
  17. # It is, however, safe, in most cases, to allow ultimate control of the
  18. # creating AppVM over the DisposableVM it creates as part of the qrexec service
  19. # invocation. That's why by default we have "$anyvm $dispvm allow" rule. Note
  20. # that it does _not_ allow any AppVM to execute qubes.VMShell service over any
  21. # DispVM created in the system -- that would obviously be wrong. It only allows
  22. # qubes.VMShell service access to the AppVM which creates the DispVM as part of
  23. # this very service invocation.
  24. #
  25. # See e.g. this thread for some discussion:
  26. # https://groups.google.com/d/msg/qubes-users/xnAByaL_bjI/3PjYdiTDW-0J
  27. #
  28. #