core-admin/qubes-rpc-policy/admin-global-ro
Marek Marczykowski-Górecki 3d803acfde
Generate policy for Admin API calls based on annotations on actual methods
This ease Admin API administration, and also adds checking if qrexec
policy + scripts matches actual Admin API methods implementation.
The idea is to classify every Admin API method as either local
read-only, local read-write, global read-only or global read-write.
Where local/global means affecting a single VM, or the whole system.

See QubesOS/qubes-issues#2871 for details.

Fixes QubesOS/qubes-issues#2871
2017-07-04 04:27:34 +02:00

14 lines
441 B
Plaintext

## This file is included from all global read-only admin.* policy files
## _in default configuration_. To allow only specific action,
## edit specific policy file.
## Note that policy parsing stops at the first match,
## Please use a single # to start your custom comments
## Include all already having write access
$include:include/admin-global-rwx
## Add your entries here, make sure to append ",target=dom0" to all allow/ask actions