diff --git a/salt/sys-usb/files/admin/policy/default.policy b/salt/sys-usb/files/admin/policy/default.policy
index e9b41e8..a986b6e 100644
--- a/salt/sys-usb/files/admin/policy/default.policy
+++ b/salt/sys-usb/files/admin/policy/default.policy
@@ -1,13 +1,14 @@
 # SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S.
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
+# vim:ft=qrexecpolicy foldmethod=expr foldexpr=getline(v\:lnum)=~'^##!'?'>1'\:'=':
 ## Do not modify this file, create a new policy with with a lower number in the
 ## file name instead. For example `30-user.policy`.
-# Input {{{
+##! Section: Input
 {% if salt['pillar.get']('qvm:sys-usb:mouse-action', 'ask') == 'ask' -%}
- {% set mouse_action = 'ask default_target=dom0' -%}
+ {%- set mouse_action = 'ask default_target=dom0' -%}
 {% elif salt['pillar.get']('qvm:sys-usb:mouse-action', 'ask') == 'allow' -%}
 {%- set mouse_action = 'allow' -%}
 {% else -%}
@@ -38,9 +39,8 @@ qubes.InputKeyboard * @tag:usbvm @adminvm deny
 qubes.InputTablet * @tag:usbvm @adminvm {{ tablet_action }}
 qubes.InputTablet * @tag:usbvm @adminvm deny
-# }}}
-# CTAP {{{
+##! CTAP
 ctap.ClientPin * @anyvm @tag:usbvm ask user=root default_target=disp-{{ sls_path }}
 ctap.ClientPin * @anyvm @default ask user=root default_target=disp-{{ sls_path }}
 ctap.ClientPin * @anyvm @anyvm deny
@@ -59,9 +59,8 @@ u2f.Register * @anyvm @anyvm deny
 policy.RegisterArgument +u2f.Authenticate @tag:usbvm @anyvm allow target=dom0
 policy.RegisterArgument +u2f.Authenticate @anyvm @anyvm deny
-# }}}
-# Audio {{{
+##! Audio
 {# Keep in sync with sys-audio policy #}
 {% set audiovm = 'disp-' ~ sls_path %}
 admin.vm.device.usb.Available * @tag:audiovm @tag:usbvm allow target=dom0
@@ -105,6 +104,3 @@ admin.vm.feature.CheckWithTemplate +supported-service.pipewire @anyvm @tag:audio
 admin.vm.property.GetAll * {{ audiovm }} @tag:audiovm-{{ audiovm }} allow target=dom0
 admin.vm.property.GetAll * @anyvm @tag:audiovm-{{ audiovm }} deny
-# }}}
-
-# vim:ft=qrexecpolicy
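Review bot: The modeline added at the top of the file in the first hunk sets `foldexpr`, which Vim does not accept from a modeline unless `modelineexpr` is enabled, and that option is off by default. The `ft=qrexecpolicy` part comes first and should still apply, but the fold expression is likely rejected with an error when the file is opened, so the new `##!` headings would not fold. Enabling `modelineexpr` to make it work lets any opened file supply expressions to the editor, which is a poor trade where qrexec policy is edited (presumably dom0). I would keep the modeline as `# vim:ft=qrexecpolicy` and move the fold settings into a filetype plugin for `qrexecpolicy`: `setlocal foldmethod=expr foldexpr=getline(v:lnum)=~'^##!'?'>1':'='`.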
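Review bot: The new fold headings are not written the same way: the first hunk uses `##! Section: Input`, while this hunk and the Audio hunk use `##! CTAP` and `##! Audio`. The fold expression matches only `^##!`, so folding is unaffected, but anyone searching or scripting over the section headings of this policy gets two shapes. Pick one form, either `##! Input` in the first hunk or `##! Section: CTAP` and `##! Section: Audio` here.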