mirror of
https://github.com/QubesOS/qubes-doc.git
synced 2024-12-25 15:29:29 -05:00
Merge branch 'update-qrexec-keywords' of https://github.com/pierwill/qubes-doc into pierwill-update-qrexec-keywords
This commit is contained in:
commit
47e0d4bc5f
@ -15,10 +15,10 @@ Here's an example of an RPC policy file in dom0:
|
|||||||
```
|
```
|
||||||
[user@dom0 user ~]$ cat /etc/qubes-rpc/policy/qubes.FileCopy
|
[user@dom0 user ~]$ cat /etc/qubes-rpc/policy/qubes.FileCopy
|
||||||
(...)
|
(...)
|
||||||
$tag:work $tag:work allow
|
@tag:work @tag:work allow
|
||||||
$tag:work $anyvm deny
|
@tag:work @anyvm deny
|
||||||
$anyvm $tag:work deny
|
@anyvm @tag:work deny
|
||||||
$anyvm $anyvm ask
|
@anyvm @anyvm ask
|
||||||
```
|
```
|
||||||
|
|
||||||
It has three columns (from left to right): source, destination, and permission.
|
It has three columns (from left to right): source, destination, and permission.
|
||||||
@ -32,7 +32,7 @@ Now, the whole policy file is parsed from top to bottom.
|
|||||||
As soon as a rule is found that matches the action being evaluated, parsing stops.
|
As soon as a rule is found that matches the action being evaluated, parsing stops.
|
||||||
We can see what this means by looking at the second row.
|
We can see what this means by looking at the second row.
|
||||||
It says that we're **denied** from attempting to copy a file **from** any VM tagged with "work" **to** any VM whatsoever.
|
It says that we're **denied** from attempting to copy a file **from** any VM tagged with "work" **to** any VM whatsoever.
|
||||||
(That's what the `$anyvm` keyword means -- literally any VM in the system).
|
(That's what the `@anyvm` keyword means -- literally any VM in the system).
|
||||||
But, wait a minute, didn't we just say (in the first row) that all the VMs tagged with work are **allowed** to copy files to each other?
|
But, wait a minute, didn't we just say (in the first row) that all the VMs tagged with work are **allowed** to copy files to each other?
|
||||||
That's exactly right.
|
That's exactly right.
|
||||||
The first and second rows contradict each other, but that's intentional.
|
The first and second rows contradict each other, but that's intentional.
|
||||||
@ -46,7 +46,7 @@ Rather, it means that only VMs that match an earlier rule can do so (in this cas
|
|||||||
The fourth and final row says that we're **asked** (i.e., prompted) to copy files **from** any VM in the system **to** any VM in the system.
|
The fourth and final row says that we're **asked** (i.e., prompted) to copy files **from** any VM in the system **to** any VM in the system.
|
||||||
(This rule was already in the policy file by default.
|
(This rule was already in the policy file by default.
|
||||||
We added the first three.)
|
We added the first three.)
|
||||||
Note that it wouldn't make sense to add any rules after this one, since every possible pair of VMs will match the `$anyvm $anyvm` pattern.
|
Note that it wouldn't make sense to add any rules after this one, since every possible pair of VMs will match the `@anyvm @anyvm` pattern.
|
||||||
Therefore, parsing will always stop at this rule, and no rules below it will ever be evaluated.
|
Therefore, parsing will always stop at this rule, and no rules below it will ever be evaluated.
|
||||||
|
|
||||||
All together, the three rules we added say that all VMs tagged with "work" are allowed to copy files to each other; however, they're denied from copying files to other VMs (without the "work" tag), and other VMs (without the "work" tag) are denied from copying files to them.
|
All together, the three rules we added say that all VMs tagged with "work" are allowed to copy files to each other; however, they're denied from copying files to other VMs (without the "work" tag), and other VMs (without the "work" tag) are denied from copying files to them.
|
||||||
@ -54,5 +54,8 @@ The fourth rule means that the user gets prompted for any situation not already
|
|||||||
|
|
||||||
Further details about how this system works can be found in [Qrexec: command execution in VMs][qrexec3].
|
Further details about how this system works can be found in [Qrexec: command execution in VMs][qrexec3].
|
||||||
|
|
||||||
|
(***Note**: the `$` character is deprecated in qrexec keywords -- please use `@` instead (e.g. `@anyvm`).
|
||||||
|
For more information, see the bulletin [here](https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-038-2018.txt).*)
|
||||||
|
|
||||||
[qrexec3]: /doc/qrexec3/
|
[qrexec3]: /doc/qrexec3/
|
||||||
|
|
||||||
|
@ -62,8 +62,8 @@ You may wish to configure this policy in order to prevent user error.
|
|||||||
For example, if you are certain that you never wish to paste *into* your "vault" AppVM (and it is highly recommended that you do not), then you should edit the policy as follows:
|
For example, if you are certain that you never wish to paste *into* your "vault" AppVM (and it is highly recommended that you do not), then you should edit the policy as follows:
|
||||||
|
|
||||||
~~~
|
~~~
|
||||||
$anyvm vault deny
|
@anyvm vault deny
|
||||||
$anyvm $anyvm ask
|
@anyvm @anyvm ask
|
||||||
~~~
|
~~~
|
||||||
|
|
||||||
Shortcut Configuration
|
Shortcut Configuration
|
||||||
|
@ -123,7 +123,7 @@ Sometimes it can be useful to start an arbitrary program in a DisposableVM.
|
|||||||
This can be done from an AppVM by running
|
This can be done from an AppVM by running
|
||||||
|
|
||||||
~~~
|
~~~
|
||||||
[user@vault ~]$ qvm-run '$dispvm' xterm
|
[user@vault ~]$ qvm-run '@dispvm' xterm
|
||||||
~~~
|
~~~
|
||||||
|
|
||||||
The created DisposableVM can be accessed via other tools (such as `qvm-copy-to-vm`) using its `disp####` name as shown in the Qubes Manager or `qvm-ls`.
|
The created DisposableVM can be accessed via other tools (such as `qvm-copy-to-vm`) using its `disp####` name as shown in the Qubes Manager or `qvm-ls`.
|
||||||
|
@ -218,12 +218,12 @@ This new design allows for templates to be updated even when they are not connec
|
|||||||
Example policy file in R4.0 (with whonix installed, but not set as default updatevm for all templates):
|
Example policy file in R4.0 (with whonix installed, but not set as default updatevm for all templates):
|
||||||
```
|
```
|
||||||
# any VM with tag `whonix-updatevm` should use `sys-whonix`; this tag is added to `whonix-gw` and `whonix-ws` during installation and is preserved during template clone
|
# any VM with tag `whonix-updatevm` should use `sys-whonix`; this tag is added to `whonix-gw` and `whonix-ws` during installation and is preserved during template clone
|
||||||
$tag:whonix-updatevm $default allow,target=sys-whonix
|
@tag:whonix-updatevm @default allow,target=sys-whonix
|
||||||
$tag:whonix-updatevm $anyvm deny
|
@tag:whonix-updatevm @anyvm deny
|
||||||
|
|
||||||
# other templates use sys-net
|
# other templates use sys-net
|
||||||
$type:TemplateVM $default allow,target=sys-net
|
@type:TemplateVM @default allow,target=sys-net
|
||||||
$anyvm $anyvm deny
|
@anyvm @anyvm deny
|
||||||
```
|
```
|
||||||
|
|
||||||
Note on treating AppVM's root filesystem non-persistence as a security feature
|
Note on treating AppVM's root filesystem non-persistence as a security feature
|
||||||
|
@ -105,7 +105,7 @@ Do not rely on this for extra security.**
|
|||||||
1. Adding Dom0 "VMAuth" service:
|
1. Adding Dom0 "VMAuth" service:
|
||||||
|
|
||||||
[root@dom0 /]# echo "/usr/bin/echo 1" >/etc/qubes-rpc/qubes.VMAuth
|
[root@dom0 /]# echo "/usr/bin/echo 1" >/etc/qubes-rpc/qubes.VMAuth
|
||||||
[root@dom0 /]# echo "\$anyvm dom0 ask,default_target=dom0" \
|
[root@dom0 /]# echo "\@anyvm dom0 ask,default_target=dom0" \
|
||||||
>/etc/qubes-rpc/policy/qubes.VMAuth
|
>/etc/qubes-rpc/policy/qubes.VMAuth
|
||||||
|
|
||||||
(Note: any VMs you would like still to have passwordless root access (e.g. TemplateVMs) can be specified in the second file with "\<vmname\> dom0 allow")
|
(Note: any VMs you would like still to have passwordless root access (e.g. TemplateVMs) can be specified in the second file with "\<vmname\> dom0 allow")
|
||||||
|
Loading…
Reference in New Issue
Block a user