Git-Mirrors/qusal
1
0
Fork 0
mirror of https://github.com/ben-grande/qusal.git synced 2025-03-11 01:49:23 -04:00
Code Issues Packages Projects Releases Wiki Activity

fix: organize sys-usb policy per service

Browse Source
This commit is contained in:
Ben Grande 2024-01-10 12:49:20 +01:00
parent 567e36d276
commit 76e9234c83
1 changed files with 18 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
salt/sys-usb/files/admin/policy/default.policy
View File

@ -28,32 +28,31 @@
{%- set tablet_action = 'deny' -%} {%- set tablet_action = 'deny' -%}
{% endif -%} {% endif -%}
qubes.InputMouse * @tag:usbvm dom0 {{ mouse_action }} qubes.InputMouse * @tag:usbvm @adminvm {{ mouse_action }}
qubes.InputKeyboard * @tag:usbvm dom0 {{ keyboard_action }}
qubes.InputTablet * @tag:usbvm dom0 {{ tablet_action }}
qubes.InputKeyboard * @tag:usbvm @adminvm deny
qubes.InputMouse * @tag:usbvm @adminvm deny qubes.InputMouse * @tag:usbvm @adminvm deny
qubes.InputKeyboard * @tag:usbvm @adminvm {{ keyboard_action }}
qubes.InputKeyboard * @tag:usbvm @adminvm deny
qubes.InputTablet * @tag:usbvm @adminvm {{ tablet_action }}
qubes.InputTablet * @tag:usbvm @adminvm deny qubes.InputTablet * @tag:usbvm @adminvm deny
qubes.InputKeyboard * @tag:usbvm @anyvm deny
qubes.InputMouse * @tag:usbvm @anyvm deny
qubes.InputTablet * @tag:usbvm @anyvm deny
ctap.ClientPin * @anyvm @tag:usbvm ask user=root default_target={{ sls_path }} ctap.ClientPin * @anyvm @tag:usbvm ask user=root default_target={{ sls_path }}
ctap.ClientPin * @anyvm @default ask user=root default_target={{ sls_path }}
ctap.ClientPin * @anyvm @anyvm deny
ctap.GetInfo * @anyvm @tag:usbvm ask user=root default_target={{ sls_path }} ctap.GetInfo * @anyvm @tag:usbvm ask user=root default_target={{ sls_path }}
ctap.GetInfo * @anyvm @default ask user=root default_target={{ sls_path }}
ctap.GetInfo * @anyvm @anyvm deny
u2f.Authenticate * @anyvm @tag:usbvm ask user=root default_target={{ sls_path }} u2f.Authenticate * @anyvm @tag:usbvm ask user=root default_target={{ sls_path }}
u2f.Authenticate * @anyvm @default ask user=root default_target={{ sls_path }}
u2f.Authenticate * @anyvm @anyvm deny
u2f.Register * @anyvm @tag:usbvm ask user=root default_target={{ sls_path }} u2f.Register * @anyvm @tag:usbvm ask user=root default_target={{ sls_path }}
u2f.Register * @anyvm @default ask user=root default_target={{ sls_path }}
ctap.ClientPin * @anyvm @default ask user=root default_target={{ sls_path }} u2f.Register * @anyvm @anyvm deny
ctap.GetInfo * @anyvm @default ask user=root default_target={{ sls_path }}
u2f.Authenticate * @anyvm @default ask user=root default_target={{ sls_path }}
u2f.Register * @anyvm @default ask user=root default_target={{ sls_path }}
ctap.GetInfo * @anyvm @anyvm deny
ctap.ClientPin * @anyvm @anyvm deny
u2f.Authenticate * @anyvm @anyvm deny
u2f.Register * @anyvm @anyvm deny
policy.RegisterArgument +u2f.Authenticate @tag:usbvm @anyvm allow target=dom0 policy.RegisterArgument +u2f.Authenticate @tag:usbvm @anyvm allow target=dom0
policy.RegisterArgument +u2f.Authenticate @tag:usbvm @anyvm deny policy.RegisterArgument +u2f.Authenticate @anyvm @anyvm deny
# vim:ft=qrexecpolicy # vim:ft=qrexecpolicy