Git-Mirrors/qusal
1
0
Fork 0
mirror of https://github.com/ben-grande/qusal.git synced 2025-07-29 17:28:35 -04:00
Code Issues Projects Releases Packages Wiki Activity

fix: sync Qrexec audio policies

Browse source
This commit is contained in:
Ben Grande 2024-07-02 09:33:28 +02:00
parent c064f03b5a
commit 422ec06071
No known key found for this signature in database
GPG key ID: 00C64E14F51F9E56
2 changed files with 20 additions and 15 deletions
Download patch file Download diff file Expand all files Collapse all files

4
salt/sys-audio/files/admin/policy/default.policy
View file

@ -8,7 +8,6 @@
## Do not modify this file, create a new policy with with a lower number in the ## Do not modify this file, create a new policy with with a lower number in the
## file name instead. For example `30-user.policy`. ## file name instead. For example `30-user.policy`.
{% set audiovm = 'disp-' ~ sls_path %} {% set audiovm = 'disp-' ~ sls_path %}
## Literal name 'sys-usb' in case user has not installed via our formula.
admin.vm.device.usb.Available * @tag:audiovm sys-usb allow target=dom0 admin.vm.device.usb.Available * @tag:audiovm sys-usb allow target=dom0
admin.vm.device.usb.Available * @tag:audiovm @tag:usbvm allow target=dom0 admin.vm.device.usb.Available * @tag:audiovm @tag:usbvm allow target=dom0
admin.vm.device.usb.Available * @tag:audiovm @anyvm deny admin.vm.device.usb.Available * @tag:audiovm @anyvm deny
@ -54,4 +53,5 @@ admin.vm.property.Get +xid @anyvm @tag:audiovm-{{ audiovm }} deny
admin.vm.property.GetAll * {{ audiovm }} @tag:audiovm-{{ audiovm }} deny notify=no admin.vm.property.GetAll * {{ audiovm }} @tag:audiovm-{{ audiovm }} deny notify=no
admin.vm.property.GetAll * @anyvm @tag:audiovm-{{ audiovm }} deny admin.vm.property.GetAll * @anyvm @tag:audiovm-{{ audiovm }} deny
## vim:ft=qrexecpolicy
# vim:ft=qrexecpolicy

29
salt/sys-usb/files/admin/policy/default.policy
View file

@ -1,7 +1,6 @@
# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com> # SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
# #
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
# vim:ft=qrexecpolicy foldmethod=expr foldexpr=getline(v\:lnum)=~'^##!'?'>1'\:'=':
## Do not modify this file, create a new policy with with a lower number in the ## Do not modify this file, create a new policy with with a lower number in the
## file name instead. For example `30-user.policy`. ## file name instead. For example `30-user.policy`.
@ -63,14 +62,18 @@ policy.RegisterArgument +u2f.Authenticate @anyvm @anyvm deny
##! Audio ##! Audio
{# Keep in sync with sys-audio policy #} {# Keep in sync with sys-audio policy #}
{% set audiovm = 'disp-' ~ sls_path %} {% set audiovm = 'disp-' ~ sls_path %}
admin.vm.device.usb.Available * @tag:audiovm sys-usb allow target=dom0
admin.vm.device.usb.Available * @tag:audiovm @tag:usbvm allow target=dom0 admin.vm.device.usb.Available * @tag:audiovm @tag:usbvm allow target=dom0
admin.vm.device.usb.Available * @tag:audiovm @anyvm deny admin.vm.device.usb.Available * @tag:audiovm @anyvm deny
admin.vm.device.mic.Available * @tag:audiovm @adminvm allow target=dom0 admin.vm.device.mic.Available * @tag:audiovm @adminvm allow target=dom0
admin.vm.device.mic.Available * @anyvm @anyvm deny admin.vm.device.mic.Available * @anyvm @anyvm deny
admin.Events * {{ audiovm }} @tag:audiovm-{{ audiovm }} allow target=dom0
admin.Events * @tag:audiovm @adminvm allow target=dom0 admin.Events * @tag:audiovm @adminvm allow target=dom0
admin.Events +domain-start {{ audiovm }} @tag:audiovm-{{ audiovm }} allow target=dom0
admin.Events +domain-stopped {{ audiovm }} @tag:audiovm-{{ audiovm }} allow target=dom0
admin.Events +domain-shutdown {{ audiovm }} @tag:audiovm-{{ audiovm }} allow target=dom0
admin.Events +connection-established {{ audiovm }} @tag:audiovm-{{ audiovm }} allow target=dom0
admin.Events * @tag:audiovm @anyvm deny admin.Events * @tag:audiovm @anyvm deny
admin.vm.CurrentState * {{ audiovm }} @tag:audiovm-{{ audiovm }} allow target=dom0 admin.vm.CurrentState * {{ audiovm }} @tag:audiovm-{{ audiovm }} allow target=dom0
@ -81,15 +84,6 @@ admin.vm.List * {{ audiovm }} @tag:audiovm-{{ audiovm }} allow target=dom0
admin.vm.List * @tag:audiovm @adminvm allow target=dom0 admin.vm.List * @tag:audiovm @adminvm allow target=dom0
admin.vm.List * @tag:audiovm @anyvm deny admin.vm.List * @tag:audiovm @anyvm deny
admin.vm.property.Get +audiovm {{ audiovm }} @tag:audiovm-{{ audiovm }} allow target=dom0
admin.vm.property.Get +audiovm @anyvm @tag:audiovm-{{ audiovm }} deny
admin.vm.property.Get +stubdom_xid {{ audiovm }} @tag:audiovm-{{ audiovm }} allow target=dom0
admin.vm.property.Get +stubdom_xid @anyvm @tag:audiovm-{{ audiovm }} deny
admin.vm.property.Get +xid {{ audiovm }} @tag:audiovm-{{ audiovm }} allow target=dom0
admin.vm.property.Get +xid @anyvm @tag:audiovm-{{ audiovm }} deny
admin.vm.feature.CheckWithTemplate +audio {{ audiovm }} @tag:audiovm-{{ audiovm }} allow target=dom0 admin.vm.feature.CheckWithTemplate +audio {{ audiovm }} @tag:audiovm-{{ audiovm }} allow target=dom0
admin.vm.feature.CheckWithTemplate +audio @anyvm @tag:audiovm-{{ audiovm }} deny admin.vm.feature.CheckWithTemplate +audio @anyvm @tag:audiovm-{{ audiovm }} deny
@ -102,5 +96,16 @@ admin.vm.feature.CheckWithTemplate +audio-model @anyvm @tag:audiovm-{{ audiovm }
admin.vm.feature.CheckWithTemplate +supported-service.pipewire {{ audiovm }} @tag:audiovm-{{ audiovm }} allow target=dom0 admin.vm.feature.CheckWithTemplate +supported-service.pipewire {{ audiovm }} @tag:audiovm-{{ audiovm }} allow target=dom0
admin.vm.feature.CheckWithTemplate +supported-service.pipewire @anyvm @tag:audiovm-{{ audiovm }} deny admin.vm.feature.CheckWithTemplate +supported-service.pipewire @anyvm @tag:audiovm-{{ audiovm }} deny
admin.vm.property.GetAll * {{ audiovm }} @tag:audiovm-{{ audiovm }} allow target=dom0 admin.vm.property.Get +audiovm {{ audiovm }} @tag:audiovm-{{ audiovm }} allow target=dom0
admin.vm.property.Get +audiovm @anyvm @tag:audiovm-{{ audiovm }} deny
admin.vm.property.Get +stubdom_xid {{ audiovm }} @tag:audiovm-{{ audiovm }} allow target=dom0
admin.vm.property.Get +stubdom_xid @anyvm @tag:audiovm-{{ audiovm }} deny
admin.vm.property.Get +xid {{ audiovm }} @tag:audiovm-{{ audiovm }} allow target=dom0
admin.vm.property.Get +xid @anyvm @tag:audiovm-{{ audiovm }} deny
admin.vm.property.GetAll * {{ audiovm }} @tag:audiovm-{{ audiovm }} deny notify=no
admin.vm.property.GetAll * @anyvm @tag:audiovm-{{ audiovm }} deny admin.vm.property.GetAll * @anyvm @tag:audiovm-{{ audiovm }} deny
# vim:ft=qrexecpolicy foldmethod=expr foldexpr=getline(v\:lnum)=~'^##!'?'>1'\:'=':