From b6450f7aa0b74dc9ef90248d1d9f41abc6ce4a78 Mon Sep 17 00:00:00 2001 From: deeplow Date: Sun, 29 Jan 2023 13:02:26 +0000 Subject: [PATCH] Adapt u2f proxy instructions to new Qrexec policy --- user/security-in-qubes/u2f-proxy.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/user/security-in-qubes/u2f-proxy.md b/user/security-in-qubes/u2f-proxy.md index 942c163a..81c0520b 100644 --- a/user/security-in-qubes/u2f-proxy.md +++ b/user/security-in-qubes/u2f-proxy.md @@ -99,10 +99,10 @@ If you are using Qubes 4.0, you can further compartmentalise your U2F keys by re For example, you could make it so that your `twitter` qube (and, therefore, all web browsers in your `twitter` qube) can access only the key on your U2F token for `https://twitter.com`, regardless of whether any of the web browsers in your `twitter` qube or the `twitter` qube itself are compromised. If your `twitter` qube makes an authentication request for your bank website, it will be denied at the Qubes policy level. -To enable this, create a file in dom0 named `/etc/qubes-rpc/policy/policy.RegisterArgument+u2f.Authenticate` with the following content: +To enable this, create a file in dom0 named `/etc/qubes/policy.d/30-user-u2fproxy.policy` with the following content: ``` -sys-usb @anyvm allow,target=dom0 +policy.RegisterArgument +u2f.Authenticate sys-usb @anyvm allow target=dom0 ``` Next, empty the contents of `/etc/qubes-rpc/policy/u2f.Authenticate` so that it is a blank file. @@ -124,7 +124,7 @@ systemctl disable qubes-u2fproxy@sys-usb.service Replace `USB_QUBE` with the actual USB qube name. -Do not forget to change the sys-usb qube name in the policy `/etc/qubes-rpc/policy/u2f.Authenticate`. +Do not forget to change the sys-usb qube name in the policy `/etc/qubes/policy.d/30-user-u2fproxy.policy`. ## Template and browser support
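Review bot: In the first hunk (@@ -99,10 +99,10 @@), the unchanged line directly after the policy block still tells the reader to empty `/etc/qubes-rpc/policy/u2f.Authenticate`, which is the old-style path this patch otherwise moves away from. After this change the section mixes both policy locations, so a reader cannot tell which file actually governs `u2f.Authenticate` and may leave a broader allow rule in place than the per-qube restriction intends. Please update that step in the same patch to say where the `u2f.Authenticate` rules now live and how to clear or override them. The paragraph's opening condition, "If you are using Qubes 4.0", is also left untouched and should be checked against the release that uses `/etc/qubes/policy.d/`.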
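Review bot: In the second hunk (@@ -124,7 +124,7 @@), the reminder now points at `/etc/qubes/policy.d/30-user-u2fproxy.policy`, but per the first hunk that file only exists if the reader created it for the optional per-qube key restriction, and the only rule shown for it is the `policy.RegisterArgument +u2f.Authenticate` line. A reader who renamed the USB qube without doing that step has no such file to edit, and the rule that lets qubes call `u2f.Authenticate` is not mentioned at all. Suggest wording it as conditional ("if you created ...") and also naming the file that holds the `u2f.Authenticate` rule, so the `sys-usb` name is changed everywhere it appears.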