qusal/salt/sys-audio/files/admin/policy/default.policy

# SPDX-FileCopyrightText: 2023 Yukikoo neowutran <https://neowutran.ovh>
# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
#
# Credits: https://forum.qubes-os.org/t/audio-qube/20685

## Do not modify this file, create a new policy with with a lower number in the
## file name instead. For example `30-user.policy`.
{% set audiovm = 'disp-' ~ sls_path %}
## Literal name 'sys-usb' in case user has not installed via our formula.
admin.vm.device.usb.Available * @tag:audiovm sys-usb allow target=dom0
admin.vm.device.usb.Available * @tag:audiovm @tag:usbvm allow target=dom0
admin.vm.device.usb.Available * @tag:audiovm @anyvm deny

admin.vm.device.mic.Available * @tag:audiovm @adminvm allow target=dom0
admin.vm.device.mic.Available * @anyvm @anyvm deny

admin.Events * {{ audiovm }} @tag:audiovm-{{ audiovm }} allow target=dom0
admin.Events * @tag:audiovm   @adminvm allow target=dom0
admin.Events * @tag:audiovm   @anyvm deny

admin.vm.CurrentState * {{ audiovm }} @tag:audiovm-{{ audiovm }} allow target=dom0
admin.vm.CurrentState * @tag:audiovm @adminvm allow target=dom0
admin.vm.CurrentState * @tag:audiovm @anyvm deny

admin.vm.List * {{ audiovm }} @tag:audiovm-{{ audiovm }} allow target=dom0
admin.vm.List * @tag:audiovm   @adminvm allow target=dom0
admin.vm.List * @tag:audiovm   @anyvm deny

admin.vm.property.Get +audiovm {{ audiovm }} @tag:audiovm-{{ audiovm }} allow target=dom0
admin.vm.property.Get +audiovm @anyvm @tag:audiovm-{{ audiovm }} deny

admin.vm.property.Get +stubdom_xid {{ audiovm }} @tag:audiovm-{{ audiovm }} allow target=dom0
admin.vm.property.Get +stubdom_xid @anyvm @tag:audiovm-{{ audiovm }} deny

admin.vm.property.Get +xid {{ audiovm }} @tag:audiovm-{{ audiovm }} allow target=dom0
admin.vm.property.Get +xid @anyvm @tag:audiovm-{{ audiovm }} deny

admin.vm.feature.CheckWithTemplate +audio {{ audiovm }} @tag:audiovm-{{ audiovm }} allow target=dom0
admin.vm.feature.CheckWithTemplate +audio @anyvm @tag:audiovm-{{ audiovm }} deny

admin.vm.feature.CheckWithTemplate +audio-low-latency {{ audiovm }} @tag:audiovm-{{ audiovm }} allow target=dom0
admin.vm.feature.CheckWithTemplate +audio-low-latency @anyvm @tag:audiovm-{{ audiovm }} deny

admin.vm.feature.CheckWithTemplate +audio-model {{ audiovm }} @tag:audiovm-{{ audiovm }} allow target=dom0
admin.vm.feature.CheckWithTemplate +audio-model @anyvm @tag:audiovm-{{ audiovm }} deny

admin.vm.feature.CheckWithTemplate +supported-service.pipewire {{ audiovm }} @tag:audiovm-{{ audiovm }} allow target=dom0
admin.vm.feature.CheckWithTemplate +supported-service.pipewire @anyvm @tag:audiovm-{{ audiovm }} deny

admin.vm.property.GetAll * {{ audiovm }} @tag:audiovm-{{ audiovm }} allow target=dom0
admin.vm.property.GetAll * @anyvm @tag:audiovm-{{ audiovm }} deny
## vim:ft=qrexecpolicy
fix: sys-audio policy and autostart pacat daemon 2024-01-03 05:47:13 -05:00			`# SPDX-FileCopyrightText: 2023 Yukikoo neowutran <https://neowutran.ovh>`
fix: disposable sys-audio name with disp prefix 2024-01-14 08:05:17 -05:00			`# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>`
refactor: initial commit 2023-11-13 09:33:28 -05:00			`#`
			`# SPDX-License-Identifier: AGPL-3.0-or-later`
fix: sys-audio policy and autostart pacat daemon 2024-01-03 05:47:13 -05:00			`#`
			`# Credits: https://forum.qubes-os.org/t/audio-qube/20685`
refactor: initial commit 2023-11-13 09:33:28 -05:00
			`## Do not modify this file, create a new policy with with a lower number in the`
			## file name instead. For example `30-user.policy`.
feat: allow disp-sys-usb to be an AudioVM - End qrexec policy with deny rules; - Move the USB setup from sys-audio to sys-usb; and - Document the pros and cons of the different types of USB devices assignment to client qubes or to the server. 2024-02-28 16:22:59 -05:00			`{% set audiovm = 'disp-' ~ sls_path %}`
			`## Literal name 'sys-usb' in case user has not installed via our formula.`
			`admin.vm.device.usb.Available * @tag:audiovm sys-usb allow target=dom0`
			`admin.vm.device.usb.Available * @tag:audiovm @tag:usbvm allow target=dom0`
			`admin.vm.device.usb.Available * @tag:audiovm @anyvm deny`
fix: allow to attach mic with sys-audio 2024-01-04 06:20:13 -05:00
feat: allow disp-sys-usb to be an AudioVM - End qrexec policy with deny rules; - Move the USB setup from sys-audio to sys-usb; and - Document the pros and cons of the different types of USB devices assignment to client qubes or to the server. 2024-02-28 16:22:59 -05:00			`admin.vm.device.mic.Available * @tag:audiovm @adminvm allow target=dom0`
			`admin.vm.device.mic.Available * @anyvm @anyvm deny`
fix: allow to attach mic with sys-audio 2024-01-04 06:20:13 -05:00
feat: allow disp-sys-usb to be an AudioVM - End qrexec policy with deny rules; - Move the USB setup from sys-audio to sys-usb; and - Document the pros and cons of the different types of USB devices assignment to client qubes or to the server. 2024-02-28 16:22:59 -05:00			`admin.Events * {{ audiovm }} @tag:audiovm-{{ audiovm }} allow target=dom0`
			`admin.Events * @tag:audiovm @adminvm allow target=dom0`
			`admin.Events * @tag:audiovm @anyvm deny`
fix: sys-audio policy and autostart pacat daemon 2024-01-03 05:47:13 -05:00
feat: allow disp-sys-usb to be an AudioVM - End qrexec policy with deny rules; - Move the USB setup from sys-audio to sys-usb; and - Document the pros and cons of the different types of USB devices assignment to client qubes or to the server. 2024-02-28 16:22:59 -05:00			`admin.vm.CurrentState * {{ audiovm }} @tag:audiovm-{{ audiovm }} allow target=dom0`
			`admin.vm.CurrentState * @tag:audiovm @adminvm allow target=dom0`
			`admin.vm.CurrentState * @tag:audiovm @anyvm deny`
fix: sys-audio policy and autostart pacat daemon 2024-01-03 05:47:13 -05:00
feat: allow disp-sys-usb to be an AudioVM - End qrexec policy with deny rules; - Move the USB setup from sys-audio to sys-usb; and - Document the pros and cons of the different types of USB devices assignment to client qubes or to the server. 2024-02-28 16:22:59 -05:00			`admin.vm.List * {{ audiovm }} @tag:audiovm-{{ audiovm }} allow target=dom0`
			`admin.vm.List * @tag:audiovm @adminvm allow target=dom0`
			`admin.vm.List * @tag:audiovm @anyvm deny`
refactor: initial commit 2023-11-13 09:33:28 -05:00
feat: allow disp-sys-usb to be an AudioVM - End qrexec policy with deny rules; - Move the USB setup from sys-audio to sys-usb; and - Document the pros and cons of the different types of USB devices assignment to client qubes or to the server. 2024-02-28 16:22:59 -05:00			`admin.vm.property.Get +audiovm {{ audiovm }} @tag:audiovm-{{ audiovm }} allow target=dom0`
			`admin.vm.property.Get +audiovm @anyvm @tag:audiovm-{{ audiovm }} deny`
refactor: initial commit 2023-11-13 09:33:28 -05:00
feat: allow disp-sys-usb to be an AudioVM - End qrexec policy with deny rules; - Move the USB setup from sys-audio to sys-usb; and - Document the pros and cons of the different types of USB devices assignment to client qubes or to the server. 2024-02-28 16:22:59 -05:00			`admin.vm.property.Get +stubdom_xid {{ audiovm }} @tag:audiovm-{{ audiovm }} allow target=dom0`
			`admin.vm.property.Get +stubdom_xid @anyvm @tag:audiovm-{{ audiovm }} deny`
refactor: initial commit 2023-11-13 09:33:28 -05:00
feat: allow disp-sys-usb to be an AudioVM - End qrexec policy with deny rules; - Move the USB setup from sys-audio to sys-usb; and - Document the pros and cons of the different types of USB devices assignment to client qubes or to the server. 2024-02-28 16:22:59 -05:00			`admin.vm.property.Get +xid {{ audiovm }} @tag:audiovm-{{ audiovm }} allow target=dom0`
			`admin.vm.property.Get +xid @anyvm @tag:audiovm-{{ audiovm }} deny`

			`admin.vm.feature.CheckWithTemplate +audio {{ audiovm }} @tag:audiovm-{{ audiovm }} allow target=dom0`
			`admin.vm.feature.CheckWithTemplate +audio @anyvm @tag:audiovm-{{ audiovm }} deny`

			`admin.vm.feature.CheckWithTemplate +audio-low-latency {{ audiovm }} @tag:audiovm-{{ audiovm }} allow target=dom0`
			`admin.vm.feature.CheckWithTemplate +audio-low-latency @anyvm @tag:audiovm-{{ audiovm }} deny`

			`admin.vm.feature.CheckWithTemplate +audio-model {{ audiovm }} @tag:audiovm-{{ audiovm }} allow target=dom0`
			`admin.vm.feature.CheckWithTemplate +audio-model @anyvm @tag:audiovm-{{ audiovm }} deny`

			`admin.vm.feature.CheckWithTemplate +supported-service.pipewire {{ audiovm }} @tag:audiovm-{{ audiovm }} allow target=dom0`
			`admin.vm.feature.CheckWithTemplate +supported-service.pipewire @anyvm @tag:audiovm-{{ audiovm }} deny`

			`admin.vm.property.GetAll * {{ audiovm }} @tag:audiovm-{{ audiovm }} allow target=dom0`
			`admin.vm.property.GetAll * @anyvm @tag:audiovm-{{ audiovm }} deny`
refactor: initial commit 2023-11-13 09:33:28 -05:00			`## vim:ft=qrexecpolicy`