e73320533f
Policy allows a VM with 'backup-restore-mgmt' tag to create VMs, and then manage VMs with 'backup-restore-in-progress' tag (which is added by AdminExtension, based on 'tag-created-vm-with' feature). VM with 'backup-restore-mgmt' tag can also call qubes.RestoreById service to a VM with 'backup-restore-storage' tag. This service allows to retrieve backup archive. QubesOS/qubes-issues#5310
27 lines
2.1 KiB
Plaintext
27 lines
2.1 KiB
Plaintext
## File format:
|
|
## service-name|* +argument|* source destination action [options]
|
|
|
|
## Allow selected DisposableVM perform "paranoid backup restore"
|
|
admin.vm.Create.AppVM * @tag:backup-restore-mgmt dom0 allow target=dom0
|
|
admin.vm.Create.StandaloneVM * @tag:backup-restore-mgmt dom0 allow target=dom0
|
|
admin.vm.Create.TemplateVM * @tag:backup-restore-mgmt dom0 allow target=dom0
|
|
admin.vm.List * @tag:backup-restore-mgmt dom0 allow target=dom0
|
|
## Allow checking some basic info about all the VMs, to propose conflicts resolution
|
|
admin.vm.List * @tag:backup-restore-mgmt @anyvm allow target=dom0
|
|
admin.vm.property.Get +provides_network @tag:backup-restore-mgmt @anyvm allow target=dom0
|
|
admin.vm.property.Get +template_for_dispvms @tag:backup-restore-mgmt @anyvm allow target=dom0
|
|
|
|
## Allow it to configure just created qubes
|
|
admin.vm.feature.Set * @tag:backup-restore-mgmt @tag:backup-restore-in-progress allow target=dom0
|
|
admin.vm.firewall.Set * @tag:backup-restore-mgmt @tag:backup-restore-in-progress allow target=dom0
|
|
admin.vm.property.Set * @tag:backup-restore-mgmt @tag:backup-restore-in-progress allow target=dom0
|
|
admin.vm.tag.Set * @tag:backup-restore-mgmt @tag:backup-restore-in-progress allow target=dom0
|
|
admin.vm.volume.Import * @tag:backup-restore-mgmt @tag:backup-restore-in-progress allow target=dom0
|
|
admin.vm.volume.Info * @tag:backup-restore-mgmt @tag:backup-restore-in-progress allow target=dom0
|
|
admin.vm.volume.List * @tag:backup-restore-mgmt @tag:backup-restore-in-progress allow target=dom0
|
|
admin.vm.volume.Set.revisions_to_keep * @tag:backup-restore-mgmt @tag:backup-restore-in-progress allow target=dom0
|
|
|
|
## And finally, allow it to retrieve the actual backup
|
|
qubes.RestoreById * @tag:backup-restore-mgmt @tag:backup-restore-storage allow
|
|
|