fix: sys-usb disposables must have name prefix

Ben Grande 2024-01-12 18:21:35 +01:00
parent 6828e83dde
commit 6eefceda74
3 changed files with 19 additions and 23 deletions


@ -66,6 +66,10 @@ following services:
## Usage
Depending on you system, one or more USB qubes will be created to hold the
different controllers. The qube names are `disp-sys-usb`, `disp-sys-usb-left`,
`disp-sys-usb-dock`.
Start a USB qube an connect a device to it. USB PCI devices will appear on
the system tray icon `qui-devices`. From there, assign it to the intended
qube.


@ -10,14 +10,6 @@ SPDX-License-Identifier: AGPL-3.0-or-later
include:
- .clone
## If sys-usb is an AppVM, the state will fail, replace the AppVM for a DispVM
{% set non_disp_usb = salt['cmd.shell']("qvm-ls --no-spinner --raw-data --fields=NAME,CLASS sys-usb sys-usb-dock sys-usb-left 2>/dev/null | awk -F '|' '!/\|DispVM$/{print $1}'") -%} # noqa: 204
{% for wrong_class in non_disp_usb.split("\n") -%}
"{{ slsdotpath }}-absent-{{ wrong_class }}":
qvm.absent:
- name: {{ wrong_class }}
{% endfor -%}
{% load_yaml as defaults -%}
name: dvm-{{ slsdotpath }}
force: True
@ -52,10 +44,10 @@ features:
{% set usb_pcidevs = salt['grains.get']('pci_usb_devs', []) -%}
{% if usb_pcidevs == ['00:14.0', '00:1a.0', '00:1d.0'] -%}
{% set usb_host_model = 'ThinkPad T430' -%}
{% set usbs = ['sys-usb', 'sys-usb-dock', 'sys-usb-left'] -%}
{% set usbs = ['disp-sys-usb', 'disp-sys-usb-dock', 'disp-sys-usb-left'] -%}
{% else -%}
{% set usb_host_model = 'unknown' -%}
{% set usbs = ['sys-usb'] -%}
{% set usbs = ['disp-sys-usb'] -%}
{% endif -%}
{#
@ -72,12 +64,12 @@ Questions:
{#
{% set usb_pcidevs = {
'ThinkPad T430': {
'qubes': ['sys-usb', 'sys-usb-dock', 'sys-usb-left'],
'qubes': ['disp-sys-usb', 'disp-sys-usb-dock', 'disp-sys-usb-left'],
'pcidevs': ['00:14.0', '00:1a.0', '00:1d.0'],
'autostart': False,
},
'UNCATEGORIZED': {
'qubes': ['sys-usb'],
'qubes': ['disp-sys-usb'],
'pcidevs': {{ usb_pcidevs }},
'autostart': True,
},
@ -109,11 +101,11 @@ prefs:
- pci_strictreset: False
{% if usb_host_model == 'ThinkPad T430' -%}
- autostart: False
{% if usb == 'sys-usb-left' -%}
{% if usb == 'disp-sys-usb-left' -%}
- pcidevs: {{ [usb_pcidevs[0]]|yaml }}
{% elif usb == 'sys-usb' -%}
{% elif usb == 'disp-sys-usb' -%}
- pcidevs: {{ [usb_pcidevs[1]]|yaml }}
{% elif usb == 'sys-usb-dock' -%}
{% elif usb == 'disp-sys-usb-dock' -%}
- pcidevs: {{ [usb_pcidevs[2]]|yaml }}
{% endif -%}
{% else -%}
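Review bot: With the `qvm.absent` loop removed in the first hunk and every name in `usbs` now carrying the `disp-` prefix, nothing in the visible state deals with a `sys-usb`, `sys-usb-dock` or `sys-usb-left` qube left over from an earlier run of this state or created some other way. If such a qube still lists the USB controllers in its `pcidevs`, the same controller would be assigned to two qubes and the non-disposable one could be the qube that ends up holding it; this is inferred, since the rest of the file is outside the hunks. A comment above `{% load_yaml as defaults -%}` would make the expectation explicit, e.g. `## Existing sys-usb* qubes are left untouched; detach their PCI devices or remove them before applying this state.` The same caveat would fit the README's Usage section, which now only lists the new names.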


@ -37,20 +37,20 @@ qubes.InputKeyboard * @tag:usbvm @adminvm deny
qubes.InputTablet * @tag:usbvm @adminvm {{ tablet_action }}
qubes.InputTablet * @tag:usbvm @adminvm deny
ctap.ClientPin * @anyvm @tag:usbvm ask user=root default_target={{ sls_path }}
ctap.ClientPin * @anyvm @default ask user=root default_target={{ sls_path }}
ctap.ClientPin * @anyvm @tag:usbvm ask user=root default_target=disp-{{ sls_path }}
ctap.ClientPin * @anyvm @default ask user=root default_target=disp-{{ sls_path }}
ctap.ClientPin * @anyvm @anyvm deny
ctap.GetInfo * @anyvm @tag:usbvm ask user=root default_target={{ sls_path }}
ctap.GetInfo * @anyvm @default ask user=root default_target={{ sls_path }}
ctap.GetInfo * @anyvm @tag:usbvm ask user=root default_target=disp-{{ sls_path }}
ctap.GetInfo * @anyvm @default ask user=root default_target=disp-{{ sls_path }}
ctap.GetInfo * @anyvm @anyvm deny
u2f.Authenticate * @anyvm @tag:usbvm ask user=root default_target={{ sls_path }}
u2f.Authenticate * @anyvm @default ask user=root default_target={{ sls_path }}
u2f.Authenticate * @anyvm @tag:usbvm ask user=root default_target=disp-{{ sls_path }}
u2f.Authenticate * @anyvm @default ask user=root default_target=disp-{{ sls_path }}
u2f.Authenticate * @anyvm @anyvm deny
u2f.Register * @anyvm @tag:usbvm ask user=root default_target={{ sls_path }}
u2f.Register * @anyvm @default ask user=root default_target={{ sls_path }}
u2f.Register * @anyvm @tag:usbvm ask user=root default_target=disp-{{ sls_path }}
u2f.Register * @anyvm @default ask user=root default_target=disp-{{ sls_path }}
u2f.Register * @anyvm @anyvm deny
policy.RegisterArgument +u2f.Authenticate @tag:usbvm @anyvm allow target=dom0
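Review bot: The `default_target=disp-{{ sls_path }}` value on the `ctap.*` and `u2f.*` ask rules is tied to the qube names in the state file only by convention: the state spells out `'disp-sys-usb'` literally, while the policy builds the name from `sls_path`. If the two drift apart, or the disposable does not carry the `usbvm` tag that the `@tag:usbvm` destination rules match on, the prompt would presumably come up without a usable preselected target. A comment above the first `ctap.ClientPin` rule would record the dependency, e.g. `## default_target must name the disposable USB qube created by the state (disp-<sls_path>), and that qube must carry the usbvm tag.` On a host with several USB qubes the default still points at a single qube, so a token plugged into the controller held by `disp-sys-usb-left` or `disp-sys-usb-dock` has to be selected by hand in the prompt.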