mirror of
https://github.com/QubesOS/qubes-doc.git
synced 2025-03-12 17:56:30 -04:00
Merge branch 'QubesOS:main' into main
commit
8338dab1fd
@ -16,6 +16,7 @@ permalink: /doc/releases/4.2/release-notes/
|
|||||||
- Qubes Global Settings ([#6898](https://github.com/QubesOS/qubes-issues/issues/6898))
|
- Qubes Global Settings ([#6898](https://github.com/QubesOS/qubes-issues/issues/6898))
|
||||||
- Create New Qube
|
- Create New Qube
|
||||||
- Qubes Update ([#7443](https://github.com/QubesOS/qubes-issues/issues/7443))
|
- Qubes Update ([#7443](https://github.com/QubesOS/qubes-issues/issues/7443))
|
||||||
|
- New `qubes-vm-update` tool ([#7443](https://github.com/QubesOS/qubes-issues/issues/7443))
|
||||||
- Unified `grub.cfg` location for both UEFI and legacy boot ([#7985](https://github.com/QubesOS/qubes-issues/issues/7985))
|
- Unified `grub.cfg` location for both UEFI and legacy boot ([#7985](https://github.com/QubesOS/qubes-issues/issues/7985))
|
||||||
- PipeWire support ([#6358](https://github.com/QubesOS/qubes-issues/issues/6358))
|
- PipeWire support ([#6358](https://github.com/QubesOS/qubes-issues/issues/6358))
|
||||||
- fwupd integration for firmware updates ([#4855](https://github.com/QubesOS/qubes-issues/issues/4855))
|
- fwupd integration for firmware updates ([#4855](https://github.com/QubesOS/qubes-issues/issues/4855))
|
||||||
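Review bot: the new `qubes-vm-update` row reuses issue #7443, which the table already cites for the Qubes Update GUI tool three rows above; if the command-line tool has its own tracking issue, link that instead, otherwise consider merging the two rows (for example "Qubes Update tool and new `qubes-vm-update` command") so readers do not read them as two separate features tracked under one issue.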
@ -68,6 +69,8 @@ We strongly recommend [updating Qubes OS](/doc/how-to-update/) immediately after
|
|||||||
|
|
||||||
- For more information, see [RPC policies](/doc/rpc-policy/) and [Qube configuration interface](/doc/vm-interface/#qubes-rpc).
|
- For more information, see [RPC policies](/doc/rpc-policy/) and [Qube configuration interface](/doc/vm-interface/#qubes-rpc).
|
||||||
|
|
||||||
|
- Beginning with Qubes 4.2, the recommended way to update Qubes OS via the command line has changed. Salt is no longer the preferred method, though it is still supported. Instead, `qubes-dom0-update` is recommended for updating dom0, and `qubes-vm-update` is recommended for updating templates and standalones. (The recommended way to update via the GUI has not changed. The Qubes Update tool is still the preferred method.) For more information, see [How to update](/doc/how-to-update/).
|
||||||
|
|
||||||
## Download
|
## Download
|
||||||
|
|
||||||
All Qubes ISOs and associated [verification files](/security/verifying-signatures/) are available on the [downloads](/downloads/) page.
|
All Qubes ISOs and associated [verification files](/security/verifying-signatures/) are available on the [downloads](/downloads/) page.
|
||||||
|
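Review bot: the new bullet packs the dom0 recommendation, the template/standalone recommendation, the Salt caveat and the GUI caveat into one paragraph-length item; consider splitting it into a short list (`qubes-dom0-update` for dom0; `qubes-vm-update` for templates and standalones; Salt still supported but no longer preferred; GUI unchanged) and linking the two command names to the matching sections of /doc/how-to-update/, since this is the line users will scan for the exact command to run.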
@ -86,11 +86,12 @@ Disposable VMs are tightly integrated -- RPC to a DisposableVM is identical to R
|
|||||||
|
|
||||||
### Policy files
|
### Policy files
|
||||||
|
|
||||||
The dom0 directory `/etc/qubes/policy.d/` contains files that set policy for each available RPC action that a VM might call.
|
The dom0 directories `/etc/qubes/policy.d/` and `/run/qubes/policy.d/` contain files that set policy for each available RPC action that a VM might call.
|
||||||
For example, `/etc/qubes/policy.d/90-default.policy` contains the default policy settings.
|
For example, `/etc/qubes/policy.d/90-default.policy` contains the default policy settings.
|
||||||
When making changes to existing policies it is recommended that you create a *new* policy file starting with a lower number, like `/etc/qubes/policy.d/30-user.policy`.
|
When making changes to existing policies it is recommended that you create a *new* policy file starting with a lower number, like `/etc/qubes/policy.d/30-user.policy`.
|
||||||
You may keep your custom policies in one file like `/etc/qubes/policy.d/30-user.policy`, or you may choose to have multiple files, like `/etc/qubes/policy.d/10-copy.policy`, `/etc/qubes/policy.d/10-open.policy`.
|
You may keep your custom policies in one file like `/etc/qubes/policy.d/30-user.policy`, or you may choose to have multiple files, like `/etc/qubes/policy.d/10-copy.policy`, `/etc/qubes/policy.d/10-open.policy`.
|
||||||
Together the contents of these files make up the RPC access policy database: the files are merged, with policies in lower number files overriding policies in higher numbered files.
|
Together the contents of these files make up the RPC access policy database: the files are merged, with policies in lower number files overriding policies in higher numbered files.
|
||||||
|
If there are entries in both `/run/qubes/policy.d/` and `/etc/qubes/policy.d/` with the same name, it isn't specified which takes precedence, so you should avoid this situation.
|
||||||
|
|
||||||
Policies are defined in lines with the following format:
|
Policies are defined in lines with the following format:
|
||||||
|
|
||||||
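Review bot: the new sentence saying precedence between same-named files in `/etc/qubes/policy.d/` and `/run/qubes/policy.d/` "isn't specified" leaves a security-relevant gap in a first-match policy: a temporary file that shadows, or is shadowed by, a persistent file of the same name could flip an allow/deny decision depending on load order. Either document the loader's actual behaviour, or turn the advice into a concrete rule (for example, reserve a number range or a distinct prefix for files created under `/run/qubes/policy.d/`), and extend the "files are merged, with policies in lower number files overriding" paragraph to say explicitly that the numeric ordering applies across both directories.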
@ -103,7 +104,7 @@ You can specify the source and destination by name or by one of the reserved key
|
|||||||
Service calls from dom0 are currently always allowed, and `@dispvm` means "new VM created for this particular request," so it is never a source of request.)
|
Service calls from dom0 are currently always allowed, and `@dispvm` means "new VM created for this particular request," so it is never a source of request.)
|
||||||
Other methods using *tags* and *types* are also available (and discussed below).
|
Other methods using *tags* and *types* are also available (and discussed below).
|
||||||
|
|
||||||
Whenever a RPC request for an action is received, the domain checks the first matching line of the files in `/etc/qubes/policy.d/` to determine access:
|
Whenever a RPC request for an action is received, the domain checks the first matching line of the files in `/etc/qubes/policy.d/` and `/run/qubes/policy.d/` to determine access:
|
||||||
whether to allow the request, what VM to redirect the execution to, and what user account the program should run under.
|
whether to allow the request, what VM to redirect the execution to, and what user account the program should run under.
|
||||||
Note that if the request is redirected (`target=` parameter), policy action remains the same -- even if there is another rule which would otherwise deny such request.
|
Note that if the request is redirected (`target=` parameter), policy action remains the same -- even if there is another rule which would otherwise deny such request.
|
||||||
If no policy rule is matched, the action is denied.
|
If no policy rule is matched, the action is denied.
|
||||||
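Review bot: the updated sentence says the first matching line across `/etc/qubes/policy.d/` and `/run/qubes/policy.d/` decides access, but does not say how lines from the two directories are interleaved; since the same file warns above that same-name precedence is unspecified, state here that the merged order is by file name (if that is what the loader does) so that "first matching line" has exactly one meaning. Pre-existing nit in the same line: "Whenever a RPC request" should read "an RPC request".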
@ -113,6 +114,10 @@ In the target VM, a file in either of the following locations must exist, contai
|
|||||||
- `/etc/qubes-rpc/RPC_ACTION_NAME` when you make it in the template qube;
|
- `/etc/qubes-rpc/RPC_ACTION_NAME` when you make it in the template qube;
|
||||||
- `/usr/local/etc/qubes-rpc/RPC_ACTION_NAME` for making it only in an app qube.
|
- `/usr/local/etc/qubes-rpc/RPC_ACTION_NAME` for making it only in an app qube.
|
||||||
|
|
||||||
|
Files in `/run/qubes/policy.d/` are deleted when the system is rebooted.
|
||||||
|
This is useful for temporary policy that contains the name or UUID of a disposable VM, which will not be meaningful after the system has rebooted.
|
||||||
|
Such policy files can be created manually, but they are usually created automatically by a Qrexec call to dom0.
|
||||||
|
|
||||||
### Making an RPC call
|
### Making an RPC call
|
||||||
|
|
||||||
From outside of dom0, RPC calls take the following form:
|
From outside of dom0, RPC calls take the following form:
|
||||||
|
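Review bot: the three new paragraphs about `/run/qubes/policy.d/` being cleared on reboot are inserted under the list of service-file locations in the target VM (`/etc/qubes-rpc/RPC_ACTION_NAME`), which describes the RPC handler, not dom0 policy; move them up to the "Policy files" section next to the sentence that introduces `/run/qubes/policy.d/`. The last paragraph ("usually created automatically by a Qrexec call to dom0") gives the reader nothing to act on; either name the dom0 RPC service that creates these files or drop the sentence.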