# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
## Do not modify this file, create a new policy with a lower number in the
## file name instead. For example `30-user.policy`.
{% if salt['pillar.get']('qvm:sys-usb:mouse-action', 'ask') == 'ask' -%}
{% set mouse_action = 'ask default_target=dom0' -%}
{% elif salt['pillar.get']('qvm:sys-usb:mouse-action', 'ask') == 'allow' -%}
{%- set mouse_action = 'allow' -%}
{% else -%}
{%- set mouse_action = 'deny' -%}
{% endif -%}
{% if salt['pillar.get']('qvm:sys-usb:keyboard-action', 'deny') == 'ask' -%}
{%- set keyboard_action = 'ask default_target=dom0' -%}
{% elif salt['pillar.get']('qvm:sys-usb:keyboard-action', 'deny') == 'allow' -%}
{%- set keyboard_action = 'allow' -%}
{% else -%}
{%- set keyboard_action = 'deny' -%}
{% endif -%}
{% if salt['pillar.get']('qvm:sys-usb:tablet-action', 'deny') == 'ask' -%}
{%- set tablet_action = 'ask default_target=dom0' -%}
{% elif salt['pillar.get']('qvm:sys-usb:tablet-action', 'deny') == 'allow' -%}
{%- set tablet_action = 'allow' -%}
{% else -%}
{%- set tablet_action = 'deny' -%}
{% endif -%}
qubes.InputMouse * @tag:usbvm @adminvm {{ mouse_action }}
qubes.InputMouse * @tag:usbvm @adminvm deny
qubes.InputKeyboard * @tag:usbvm @adminvm {{ keyboard_action }}
qubes.InputKeyboard * @tag:usbvm @adminvm deny
qubes.InputTablet * @tag:usbvm @adminvm {{ tablet_action }}
qubes.InputTablet * @tag:usbvm @adminvm deny
ctap.ClientPin * @anyvm @tag:usbvm ask user=root default_target=disp-{{ sls_path }}
ctap.ClientPin * @anyvm @default ask user=root default_target=disp-{{ sls_path }}
ctap.ClientPin * @anyvm @anyvm deny
ctap.GetInfo * @anyvm @tag:usbvm ask user=root default_target=disp-{{ sls_path }}
ctap.GetInfo * @anyvm @default ask user=root default_target=disp-{{ sls_path }}
ctap.GetInfo * @anyvm @anyvm deny
u2f.Authenticate * @anyvm @tag:usbvm ask user=root default_target=disp-{{ sls_path }}
u2f.Authenticate * @anyvm @default ask user=root default_target=disp-{{ sls_path }}
u2f.Authenticate * @anyvm @anyvm deny
u2f.Register * @anyvm @tag:usbvm ask user=root default_target=disp-{{ sls_path }}
u2f.Register * @anyvm @default ask user=root default_target=disp-{{ sls_path }}
u2f.Register * @anyvm @anyvm deny
policy.RegisterArgument +u2f.Authenticate @tag:usbvm @anyvm allow target=dom0
policy.RegisterArgument +u2f.Authenticate @anyvm @anyvm deny
# vim:ft=qrexecpolicy