feat: policy support for multiple sys-usb qubes

salt/browser/create.sls

@@ -40,11 +40,12 @@ prefs:
 - template_for_dispvms: True
 - include_in_backups: False
 features:
+- enable:
+  - appmenus-dispvm
+  - service.qubes-ctap-proxy
 - disable:
   - service.tracker
   - service.evolution-data-server
-- enable:
-  - appmenus-dispvm
 - set:
   - menu-items: "firefox-esr.desktop chromium.desktop google-chrome.desktop qubes-run-terminal.desktop qubes-start.desktop"
 {%- endload %}

salt/sys-usb/README.md

@@ -40,14 +40,20 @@ Install the proxy on the client template:
 ```sh
 qubesctl --skip-dom0 --targets=tpl-QUBE state.apply sys-usb.install-client-proxy
 ```
+
 If the client requires decrypting a device, install on the client template:
 ```sh
 qubesctl --skip-dom0 --targets=tpl-QUBE state.apply sys-usb.install-client-cryptsetup
 ```
+
 If the client requires a FIDO device, install on the client template:
 ```sh
 qubesctl --skip-dom0 --targets=tpl-QUBE state.apply sys-usb.install-client-fido
 ```
+And enable the CTAP Proxy service for the client qubes:
+```sh
+qvm-features QUBE service.qubes-ctap-proxy 1
+```
 
 ## Usage
 

salt/sys-usb/create.sls

@@ -140,6 +140,12 @@ features:
   - service.cups-browsed
   - service.meminfo-writer
   - service.qubes-updates-proxy
+tags:
+- add:
+  - usbvm
 {%- endload %}
 {{ load(defaults) }}
 {% endfor -%}
+
+{% from 'utils/macros/policy.sls' import policy_set with context -%}
+{{ policy_set(sls_path, '80') }}

salt/sys-usb/files/admin/policy/default.policy

@@ -4,21 +4,56 @@
 
 ## Do not modify this file, create a new policy with with a lower number in the
 ## file name instead. For example `30-user.policy`.
-qubes.InputKeyboard * {{ sls_path }} dom0 allow user=root
+{% if salt['pillar.get']('qvm:sys-usb:mouse-action', 'ask') == 'ask' -%}
-qubes.InputKeyboard * {{ sls_path }} @anyvm deny
+  {% set mouse_action = 'ask default_target=dom0' -%}
+{% elif salt['pillar.get']('qvm:sys-usb:mouse-action', 'ask') == 'allow' -%}
+  {%- set mouse_action = 'allow' -%}
+{% else -%}
+  {%- set mouse_action = 'deny' -%}
+{% endif -%}
 
-ctap.ClientPin   * @anyvm {{ sls_path }} ask user=root target={{ sls_path }} default_target={{ sls_path }}
+{% if salt['pillar.get']('qvm:sys-usb:keyboard-action', 'deny') == 'ask' -%}
-ctap.GetInfo     * @anyvm {{ sls_path }} ask user=root target={{ sls_path }} default_target={{ sls_path }}
+  {%- set keyboard_action = 'ask default_target=dom0' -%}
-u2f.Authenticate * @anyvm {{ sls_path }} ask user=root target={{ sls_path }} default_target={{ sls_path }}
+{% elif salt['pillar.get']('qvm:sys-usb:keyboard-action', 'deny') == 'allow' -%}
-u2f.Register     * @anyvm {{ sls_path }} ask user=root target={{ sls_path }} default_target={{ sls_path }}
+  {%- set keyboard_action = 'allow' -%}
+{% else -%}
+  {%- set keyboard_action = 'deny' -%}
+{% endif -%}
 
-ctap.ClientPin   * @anyvm @default ask user=root target={{ sls_path }} default_target={{ sls_path }}
+{% if salt['pillar.get']('qvm:sys-usb:tablet-action', 'deny') == 'ask' -%}
-ctap.GetInfo     * @anyvm @default ask user=root target={{ sls_path }} default_target={{ sls_path }}
+  {%- set tablet_action = 'ask default_target=dom0' -%}
-u2f.Authenticate * @anyvm @default ask user=root target={{ sls_path }} default_target={{ sls_path }}
+{% elif salt['pillar.get']('qvm:sys-usb:tablet-action', 'deny') == 'allow' -%}
-u2f.Register     * @anyvm @default ask user=root target={{ sls_path }} default_target={{ sls_path }}
+  {%- set tablet_action = 'allow' -%}
+{% else -%}
+  {%- set tablet_action = 'deny' -%}
+{% endif -%}
+
+qubes.InputMouse    * @tag:usbvm dom0 {{ mouse_action }}
+qubes.InputKeyboard * @tag:usbvm dom0 {{ keyboard_action }}
+qubes.InputTablet   * @tag:usbvm dom0 {{ tablet_action }}
+
+qubes.InputKeyboard * @tag:usbvm @adminvm deny
+qubes.InputMouse    * @tag:usbvm @adminvm deny
+qubes.InputTablet   * @tag:usbvm @adminvm deny
+qubes.InputKeyboard * @tag:usbvm @anyvm deny
+qubes.InputMouse    * @tag:usbvm @anyvm deny
+qubes.InputTablet   * @tag:usbvm @anyvm deny
+
+ctap.ClientPin   * @anyvm @tag:usbvm ask user=root default_target={{ sls_path }}
+ctap.GetInfo     * @anyvm @tag:usbvm ask user=root default_target={{ sls_path }}
+u2f.Authenticate * @anyvm @tag:usbvm ask user=root default_target={{ sls_path }}
+u2f.Register     * @anyvm @tag:usbvm ask user=root default_target={{ sls_path }}
+
+ctap.ClientPin   * @anyvm @default ask user=root default_target={{ sls_path }}
+ctap.GetInfo     * @anyvm @default ask user=root default_target={{ sls_path }}
+u2f.Authenticate * @anyvm @default ask user=root default_target={{ sls_path }}
+u2f.Register     * @anyvm @default ask user=root default_target={{ sls_path }}
 
 ctap.GetInfo     * @anyvm @anyvm deny
 ctap.ClientPin   * @anyvm @anyvm deny
 u2f.Authenticate * @anyvm @anyvm deny
 u2f.Register     * @anyvm @anyvm deny
+
+policy.RegisterArgument +u2f.Authenticate @tag:usbvm @anyvm allow target=dom0
+policy.RegisterArgument +u2f.Authenticate @tag:usbvm @anyvm deny
 # vim:ft=qrexecpolicy

salt/sys-usb/keyboard.sls

@@ -22,17 +22,6 @@ include:
     - pkg:
       - qubes-input-proxy
 
-"{{ slsdotpath }}-input-proxy-keyboard":
-  file.managed:
-    - require:
-      - qvm: {{ slsdotpath }}
-      - pkg: installed-dom0
-    - name: /etc/qubes/policy.d/80-{{ slsdotpath }}.policy
-    - source: salt://{{ slsdotpath }}/files/policy/default.policy
-    - user: root
-    - group: qubes
-    - mode: '0664'
-
 {% set uefi_xen_cfg = '/boot/efi/EFI/qubes/xen.cfg' %}
 {% if grains['boot_mode'] == 'efi' %}
 {% set grub_cfg = '/boot/efi/EFI/qubes/grub.cfg' %}