From a3829e46ae11aebea304189e1b7735b173930758 Mon Sep 17 00:00:00 2001
From: Ben Grande
Date: Tue, 9 Jan 2024 18:44:50 +0100
Subject: [PATCH] feat: policy support for multiple sys-usb qubes
---
 salt/browser/create.sls | 5 +-
 salt/sys-usb/README.md | 6 ++
 salt/sys-usb/create.sls | 6 ++
 .../sys-usb/files/admin/policy/default.policy | 55 +++++++++++++++----
 salt/sys-usb/keyboard.sls | 11 ----
 5 files changed, 60 insertions(+), 23 deletions(-)
diff --git a/salt/browser/create.sls b/salt/browser/create.sls
index 3f2b2f7..664789b 100644
--- a/salt/browser/create.sls
+++ b/salt/browser/create.sls
@@ -40,11 +40,12 @@ prefs:
- template_for_dispvms: True
- include_in_backups: False
features:
+- enable:
+ - appmenus-dispvm
+ - service.qubes-ctap-proxy
- disable:
- service.tracker
- service.evolution-data-server
-- enable:
- - appmenus-dispvm
- set:
- menu-items: "firefox-esr.desktop chromium.desktop google-chrome.desktop qubes-run-terminal.desktop qubes-start.desktop"
{%- endload %}
diff --git a/salt/sys-usb/README.md b/salt/sys-usb/README.md
index a2ae120..e70f841 100644
--- a/salt/sys-usb/README.md
+++ b/salt/sys-usb/README.md
@@ -40,14 +40,20 @@
Install the proxy on the client template:
```sh
qubesctl --skip-dom0 --targets=tpl-QUBE state.apply sys-usb.install-client-proxy
```
+
If the client requires decrypting a device, install on the client template:
```sh
qubesctl --skip-dom0 --targets=tpl-QUBE state.apply sys-usb.install-client-cryptsetup
```
+
If the client requires a FIDO device, install on the client template:
```sh
qubesctl --skip-dom0 --targets=tpl-QUBE state.apply sys-usb.install-client-fido
```
+And enable the CTAP Proxy service for the client qubes:
+```sh
+qvm-features QUBE service.qubes-ctap-proxy 1
+```
## Usage
diff --git a/salt/sys-usb/create.sls b/salt/sys-usb/create.sls
index 9d4267a..e9934da 100644
--- a/salt/sys-usb/create.sls
+++ b/salt/sys-usb/create.sls
@@ -140,6 +140,12 @@ features:
- service.cups-browsed
- service.meminfo-writer
- service.qubes-updates-proxy
+tags:
+- add:
+ - usbvm
{%- endload %}
{{ load(defaults) }}
{% endfor -%}
+
+{% from 'utils/macros/policy.sls' import policy_set with context -%}
+{{ policy_set(sls_path, '80') }}
diff --git a/salt/sys-usb/files/admin/policy/default.policy b/salt/sys-usb/files/admin/policy/default.policy
index 4b792dc..c30b112 100644
--- a/salt/sys-usb/files/admin/policy/default.policy
+++ b/salt/sys-usb/files/admin/policy/default.policy
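Review bot: The `usbvm` tag added under `tags:` is the only selector the rendered policy keys on (`@tag:usbvm` decides which qubes may send keyboard, mouse and tablet input to dom0 and serve CTAP/U2F requests), so any qube that carries the tag inherits those rights, and nothing in the stanza says so; a comment such as `## usbvm: matched by @tag:usbvm in files/admin/policy/default.policy - only sys-usb qubes may carry it` would make that trust boundary visible to whoever edits the tag list or applies the tag by hand. The `policy_set(sls_path, '80')` call sits after `{% endfor -%}`, so the policy is rendered once with `sls_path` rather than once per created qube; that looks intended, since the rendered CTAP rules use `{{ sls_path }}` only as `default_target`, but a one-line comment stating it would avoid the question next time. The state removed from keyboard.sls in this same commit sourced `files/policy/default.policy` while the policy edited here lives under `files/admin/policy/`; the macro is not visible from here, so confirm that `policy_set` resolves the `admin/` path. The enclosing `{% for %}` loop starts outside the hunk.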
@@ -4,21 +4,56 @@
## Do not modify this file, create a new policy with with a lower number in the
## file name instead. For example `30-user.policy`.
-qubes.InputKeyboard * {{ sls_path }} dom0 allow user=root
-qubes.InputKeyboard * {{ sls_path }} @anyvm deny
+{% if salt['pillar.get']('qvm:sys-usb:mouse-action', 'ask') == 'ask' -%}
+ {% set mouse_action = 'ask default_target=dom0' -%}
+{% elif salt['pillar.get']('qvm:sys-usb:mouse-action', 'ask') == 'allow' -%}
+ {%- set mouse_action = 'allow' -%}
+{% else -%}
+ {%- set mouse_action = 'deny' -%}
+{% endif -%}
-ctap.ClientPin * @anyvm {{ sls_path }} ask user=root target={{ sls_path }} default_target={{ sls_path }}
-ctap.GetInfo * @anyvm {{ sls_path }} ask user=root target={{ sls_path }} default_target={{ sls_path }}
-u2f.Authenticate * @anyvm {{ sls_path }} ask user=root target={{ sls_path }} default_target={{ sls_path }}
-u2f.Register * @anyvm {{ sls_path }} ask user=root target={{ sls_path }} default_target={{ sls_path }}
+{% if salt['pillar.get']('qvm:sys-usb:keyboard-action', 'deny') == 'ask' -%}
+ {%- set keyboard_action = 'ask default_target=dom0' -%}
+{% elif salt['pillar.get']('qvm:sys-usb:keyboard-action', 'deny') == 'allow' -%}
+ {%- set keyboard_action = 'allow' -%}
+{% else -%}
+ {%- set keyboard_action = 'deny' -%}
+{% endif -%}
-ctap.ClientPin * @anyvm @default ask user=root target={{ sls_path }} default_target={{ sls_path }}
-ctap.GetInfo * @anyvm @default ask user=root target={{ sls_path }} default_target={{ sls_path }}
-u2f.Authenticate * @anyvm @default ask user=root target={{ sls_path }} default_target={{ sls_path }}
-u2f.Register * @anyvm @default ask user=root target={{ sls_path }} default_target={{ sls_path }}
+{% if salt['pillar.get']('qvm:sys-usb:tablet-action', 'deny') == 'ask' -%}
+ {%- set tablet_action = 'ask default_target=dom0' -%}
+{% elif salt['pillar.get']('qvm:sys-usb:tablet-action', 'deny') == 'allow' -%}
+ {%- set tablet_action = 'allow' -%}
+{% else -%}
+ {%- set tablet_action = 
'deny' -%}
+{% endif -%}
+
+qubes.InputMouse * @tag:usbvm dom0 {{ mouse_action }}
+qubes.InputKeyboard * @tag:usbvm dom0 {{ keyboard_action }}
+qubes.InputTablet * @tag:usbvm dom0 {{ tablet_action }}
+
+qubes.InputKeyboard * @tag:usbvm @adminvm deny
+qubes.InputMouse * @tag:usbvm @adminvm deny
+qubes.InputTablet * @tag:usbvm @adminvm deny
+qubes.InputKeyboard * @tag:usbvm @anyvm deny
+qubes.InputMouse * @tag:usbvm @anyvm deny
+qubes.InputTablet * @tag:usbvm @anyvm deny
+
+ctap.ClientPin * @anyvm @tag:usbvm ask user=root default_target={{ sls_path }}
+ctap.GetInfo * @anyvm @tag:usbvm ask user=root default_target={{ sls_path }}
+u2f.Authenticate * @anyvm @tag:usbvm ask user=root default_target={{ sls_path }}
+u2f.Register * @anyvm @tag:usbvm ask user=root default_target={{ sls_path }}
+
+ctap.ClientPin * @anyvm @default ask user=root default_target={{ sls_path }}
+ctap.GetInfo * @anyvm @default ask user=root default_target={{ sls_path }}
+u2f.Authenticate * @anyvm @default ask user=root default_target={{ sls_path }}
+u2f.Register * @anyvm @default ask user=root default_target={{ sls_path }}
ctap.GetInfo * @anyvm @anyvm deny
ctap.ClientPin * @anyvm @anyvm deny
u2f.Authenticate * @anyvm @anyvm deny
u2f.Register * @anyvm @anyvm deny
+
+policy.RegisterArgument +u2f.Authenticate @tag:usbvm @anyvm allow target=dom0
+policy.RegisterArgument +u2f.Authenticate @tag:usbvm @anyvm deny
# vim:ft=qrexecpolicy
diff --git a/salt/sys-usb/keyboard.sls b/salt/sys-usb/keyboard.sls
index e8b1dbe..e23c656 100644
--- a/salt/sys-usb/keyboard.sls
+++ b/salt/sys-usb/keyboard.sls
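Review bot: The removed rule `qubes.InputKeyboard * {{ sls_path }} dom0 allow user=root` ran the dom0-side input service as root, but none of the new `mouse_action`, `keyboard_action` and `tablet_action` values (`ask default_target=dom0`, `allow`, `deny`) carries `user=root`, so the rendered `qubes.Input* * @tag:usbvm dom0 …` rows now run the dom0 service as the default user on the `allow` and `ask` paths; if that service still needs root to open the input device, append it to the two non-deny values of each of the three `set` blocks, e.g. `{%- set keyboard_action = 'allow user=root' -%}` and `{% set mouse_action = 'ask default_target=dom0 user=root' -%}`. The dom0 service definition is not visible from here, so confirm against it before changing. The three pillar keys `qvm:sys-usb:mouse-action`, `qvm:sys-usb:keyboard-action` and `qvm:sys-usb:tablet-action`, their accepted values (`ask`, `allow`, anything else meaning `deny`) and their defaults (`ask` for mouse, `deny` for keyboard and tablet) are not documented anywhere in the file; a short header comment listing them next to the existing "Do not modify this file" note would tell operators what they can override in a lower-numbered policy or in pillar. The `@tag:usbvm @adminvm deny` rows sit below a `dom0` row for the same service, so they look redundant with it; a one-line comment saying they are a deliberate fallback (or dropping them) would stop a reader taking them for the effective rule.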
@@ -22,17 +22,6 @@ include:
- pkg:
- qubes-input-proxy
-"{{ slsdotpath }}-input-proxy-keyboard":
- file.managed:
- - require:
- - qvm: {{ slsdotpath }}
- - pkg: installed-dom0
- - name: /etc/qubes/policy.d/80-{{ slsdotpath }}.policy
- - source: salt://{{ slsdotpath }}/files/policy/default.policy
- - user: root
- - group: qubes
- - mode: '0664'
-
{% set uefi_xen_cfg = '/boot/efi/EFI/qubes/xen.cfg' %}
{% if grains['boot_mode'] == 'efi' %}
{% set grub_cfg = '/boot/efi/EFI/qubes/grub.cfg' %}