From 6eefceda74977ed20c47be5a2ccccb3941e642ca Mon Sep 17 00:00:00 2001
From: Ben Grande
Date: Fri, 12 Jan 2024 18:21:35 +0100
Subject: [PATCH] fix: sys-usb disposables must have name prefix
---
salt/sys-usb/README.md | 4 ++++
salt/sys-usb/create.sls | 22 ++++++-------------
.../sys-usb/files/admin/policy/default.policy | 16 +++++++-------
3 files changed, 19 insertions(+), 23 deletions(-)
diff --git a/salt/sys-usb/README.md b/salt/sys-usb/README.md
index a3c7140..a7423f0 100644
--- a/salt/sys-usb/README.md
+++ b/salt/sys-usb/README.md
@@ -66,6 +66,10 @@ following services:
 ## Usage
+Depending on you system, one or more USB qubes will be created to hold the
+different controllers. The qube names are `disp-sys-usb`, `disp-sys-usb-left`,
+`disp-sys-usb-dock`.
+
 Start a USB qube an connect a device to it. USB PCI devices will appear on the system tray icon `qui-devices`. From there, assign it to the intended qube.
diff --git a/salt/sys-usb/create.sls b/salt/sys-usb/create.sls
index 385654f..234015a 100644
--- a/salt/sys-usb/create.sls
+++ b/salt/sys-usb/create.sls
@@ -10,14 +10,6 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 include:
 - .clone
-## If sys-usb is an AppVM, the state will fail, replace the AppVM for a DispVM
-{% set non_disp_usb = salt['cmd.shell']("qvm-ls --no-spinner --raw-data --fields=NAME,CLASS sys-usb sys-usb-dock sys-usb-left 2>/dev/null | awk -F '|' '!/\|DispVM$/{print $1}'") -%} # noqa: 204
-{% for wrong_class in non_disp_usb.split("\n") -%}
-"{{ slsdotpath }}-absent-{{ wrong_class }}":
- qvm.absent:
- - name: {{ wrong_class }}
-{% endfor -%}
-
 {% load_yaml as defaults -%}
 name: dvm-{{ slsdotpath }}
 force: True
@@ -52,10 +44,10 @@ features:
 {% set usb_pcidevs = salt['grains.get']('pci_usb_devs', []) -%}
 {% if usb_pcidevs == ['00:14.0', '00:1a.0', '00:1d.0'] -%}
 {% set usb_host_model = 'ThinkPad T430' -%}
- {% set usbs = ['sys-usb', 'sys-usb-dock', 'sys-usb-left'] -%}
+ {% set usbs = ['disp-sys-usb', 'disp-sys-usb-dock', 'disp-sys-usb-left'] -%}
 {% else -%}
 {% set usb_host_model = 'unknown' -%}
- {% set usbs = ['sys-usb'] -%}
+ {% set usbs = ['disp-sys-usb'] -%}
 {% endif -%}
 
 {#
@@ -72,12 +64,12 @@ Questions:
 {#
 {% set usb_pcidevs = {
 'ThinkPad T430': {
- 'qubes': ['sys-usb', 'sys-usb-dock', 'sys-usb-left'],
+ 'qubes': ['disp-sys-usb', 'disp-sys-usb-dock', 'disp-sys-usb-left'],
 'pcidevs': ['00:14.0', '00:1a.0', '00:1d.0'],
 'autostart': False,
 },
 'UNCATEGORIZED': {
- 'qubes': ['sys-usb'],
+ 'qubes': ['disp-sys-usb'],
 'pcidevs': {{ usb_pcidevs }},
 'autostart': True,
 },
@@ -109,11 +101,11 @@ prefs:
 - pci_strictreset: False
 {% if usb_host_model == 'ThinkPad T430' -%}
 - autostart: False
-{% if usb == 'sys-usb-left' -%}
+{% if usb == 'disp-sys-usb-left' -%}
 - pcidevs: {{ [usb_pcidevs[0]]|yaml }}
-{% elif usb == 'sys-usb' -%}
+{% elif usb == 'disp-sys-usb' -%}
 - pcidevs: {{ [usb_pcidevs[1]]|yaml }}
-{% elif usb == 'sys-usb-dock' -%}
+{% elif usb == 'disp-sys-usb-dock' -%}
 - pcidevs: {{ [usb_pcidevs[2]]|yaml }}
 {% endif -%}
 {% else -%}
diff --git a/salt/sys-usb/files/admin/policy/default.policy b/salt/sys-usb/files/admin/policy/default.policy
index de4334b..eade733 100644
--- a/salt/sys-usb/files/admin/policy/default.policy
+++ b/salt/sys-usb/files/admin/policy/default.policy
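Review bot: The `disp-` prefix is spelled out as string literals in both `usbs` lists here (and again in the `{% if usb == ... %}` chain at @@ -109 and in the commented-out table at @@ -72), while default.policy derives the same name as `disp-{{ sls_path }}`, so a later rename of the state directory would silently desynchronise the qube names from the policy's `default_target`. Building the names from one variable keeps them in a single place, e.g. `{% set usb_base = 'disp-' ~ slsdotpath -%}` followed by `{% set usbs = [usb_base, usb_base ~ '-dock', usb_base ~ '-left'] -%}` and `{% if usb == usb_base ~ '-left' -%}` further down, assuming `slsdotpath` resolves to `sys-usb` here as the `dvm-{{ slsdotpath }}` template name in the first hunk of this file suggests. The `{# ... #}` table at @@ -72 is commented-out code that this commit had to update by hand; either drop it or put a one-line note above it saying it is a design sketch that is never rendered.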
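Review bot: The `- pcidevs:` lines at @@ -109 bind the USB controllers to the `disp-sys-usb*` qubes, but nothing in the new code checks for a pre-existing non-disposable `sys-usb` (the stock Qubes name) that already holds the same devices, now that the loop removing such qubes was dropped from the top of this file. A PCI device can be attached to only one running qube, so if both the old and the new qube are set to autostart one of them presumably fails to come up, and the same applies to the `{% else %}` branch that continues past the end of the hunk. Stating the precondition next to the first pref line, `## A non-disposable sys-usb holding these controllers must be shut down or removed before this state is applied`, and repeating that sentence in the README, would at least make the failure mode discoverable. The enclosing `prefs:` block starts before this hunk.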
@@ -37,20 +37,20 @@ qubes.InputKeyboard * @tag:usbvm @adminvm deny
 qubes.InputTablet * @tag:usbvm @adminvm {{ tablet_action }}
 qubes.InputTablet * @tag:usbvm @adminvm deny
 
-ctap.ClientPin * @anyvm @tag:usbvm ask user=root default_target={{ sls_path }}
-ctap.ClientPin * @anyvm @default ask user=root default_target={{ sls_path }}
+ctap.ClientPin * @anyvm @tag:usbvm ask user=root default_target=disp-{{ sls_path }}
+ctap.ClientPin * @anyvm @default ask user=root default_target=disp-{{ sls_path }}
 ctap.ClientPin * @anyvm @anyvm deny
 
-ctap.GetInfo * @anyvm @tag:usbvm ask user=root default_target={{ sls_path }}
-ctap.GetInfo * @anyvm @default ask user=root default_target={{ sls_path }}
+ctap.GetInfo * @anyvm @tag:usbvm ask user=root default_target=disp-{{ sls_path }}
+ctap.GetInfo * @anyvm @default ask user=root default_target=disp-{{ sls_path }}
 ctap.GetInfo * @anyvm @anyvm deny
 
-u2f.Authenticate * @anyvm @tag:usbvm ask user=root default_target={{ sls_path }}
-u2f.Authenticate * @anyvm @default ask user=root default_target={{ sls_path }}
+u2f.Authenticate * @anyvm @tag:usbvm ask user=root default_target=disp-{{ sls_path }}
+u2f.Authenticate * @anyvm @default ask user=root default_target=disp-{{ sls_path }}
 u2f.Authenticate * @anyvm @anyvm deny
 
-u2f.Register * @anyvm @tag:usbvm ask user=root default_target={{ sls_path }}
-u2f.Register * @anyvm @default ask user=root default_target={{ sls_path }}
+u2f.Register * @anyvm @tag:usbvm ask user=root default_target=disp-{{ sls_path }}
+u2f.Register * @anyvm @default ask user=root default_target=disp-{{ sls_path }}
 u2f.Register * @anyvm @anyvm deny
 
 policy.RegisterArgument +u2f.Authenticate @tag:usbvm @anyvm allow target=dom0
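Review bot: On the `@tag:usbvm` rules the calling qube has already named a specific USB qube, yet `default_target=disp-{{ sls_path }}` is set on them as well as on the `@default` rules; if the ask prompt preselects `default_target` over the explicitly requested target, a request aimed at `disp-sys-usb-dock` or `disp-sys-usb-left` (the ThinkPad T430 layout in create.sls) would be offered `disp-sys-usb` first, which is the wrong qube for a token on those controllers. Consider keeping `default_target` only on the `@default` rules, e.g. `ctap.ClientPin * @anyvm @tag:usbvm ask user=root`, after confirming against the qrexec policy documentation how the prompt treats an explicit target together with `default_target`. These rules also depend on the renamed qubes carrying the `usbvm` tag, which the create.sls hunks in this patch do not show being set; a comment above the block such as `# default_target assumes the primary controller lives in disp-sys-usb; tokens on the dock/left controllers must be picked in the prompt` would make the intended behaviour on multi-controller hosts explicit.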