Git-Mirrors/qusal
1
0
Fork 0
mirror of https://github.com/ben-grande/qusal.git synced 2024-10-01 02:35:49 -04:00
Code Issues Packages Projects Releases Wiki Activity

feat: policy support for multiple sys-usb qubes

Browse Source
This commit is contained in:
Ben Grande 2024-01-09 18:44:50 +01:00
parent f5894dc6fc
commit a3829e46ae
5 changed files with 60 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
salt/browser/create.sls
View File

@ -40,11 +40,12 @@ prefs:
- template_for_dispvms: True
- include_in_backups: False
features:
- enable:
- appmenus-dispvm
- service.qubes-ctap-proxy
- disable:
- service.tracker
- service.evolution-data-server
- enable:
- appmenus-dispvm
- set:
- menu-items: "firefox-esr.desktop chromium.desktop google-chrome.desktop qubes-run-terminal.desktop qubes-start.desktop"
{%- endload %}

6
salt/sys-usb/README.md
View File

@ -40,14 +40,20 @@ Install the proxy on the client template:
```sh
qubesctl --skip-dom0 --targets=tpl-QUBE state.apply sys-usb.install-client-proxy
```
If the client requires decrypting a device, install on the client template:
```sh
qubesctl --skip-dom0 --targets=tpl-QUBE state.apply sys-usb.install-client-cryptsetup
```
If the client requires a FIDO device, install on the client template:
```sh
qubesctl --skip-dom0 --targets=tpl-QUBE state.apply sys-usb.install-client-fido
```
And enable the CTAP Proxy service for the client qubes:
```sh
qvm-features QUBE service.qubes-ctap-proxy 1
```
## Usage

6
salt/sys-usb/create.sls
View File

@ -140,6 +140,12 @@ features:
- service.cups-browsed
- service.meminfo-writer
- service.qubes-updates-proxy
tags:
- add:
- usbvm
{%- endload %}
{{ load(defaults) }}
{% endfor -%}
{% from 'utils/macros/policy.sls' import policy_set with context -%}
{{ policy_set(sls_path, '80') }}

55
salt/sys-usb/files/admin/policy/default.policy
View File

@ -4,21 +4,56 @@
## Do not modify this file, create a new policy with with a lower number in the
## file name instead. For example `30-user.policy`.
qubes.InputKeyboard * {{ sls_path }} dom0 allow user=root
qubes.InputKeyboard * {{ sls_path }} @anyvm deny
{% if salt['pillar.get']('qvm:sys-usb:mouse-action', 'ask') == 'ask' -%}
{% set mouse_action = 'ask default_target=dom0' -%}
{% elif salt['pillar.get']('qvm:sys-usb:mouse-action', 'ask') == 'allow' -%}
{%- set mouse_action = 'allow' -%}
{% else -%}
{%- set mouse_action = 'deny' -%}
{% endif -%}
ctap.ClientPin * @anyvm {{ sls_path }} ask user=root target={{ sls_path }} default_target={{ sls_path }}
ctap.GetInfo * @anyvm {{ sls_path }} ask user=root target={{ sls_path }} default_target={{ sls_path }}
u2f.Authenticate * @anyvm {{ sls_path }} ask user=root target={{ sls_path }} default_target={{ sls_path }}
u2f.Register * @anyvm {{ sls_path }} ask user=root target={{ sls_path }} default_target={{ sls_path }}
{% if salt['pillar.get']('qvm:sys-usb:keyboard-action', 'deny') == 'ask' -%}
{%- set keyboard_action = 'ask default_target=dom0' -%}
{% elif salt['pillar.get']('qvm:sys-usb:keyboard-action', 'deny') == 'allow' -%}
{%- set keyboard_action = 'allow' -%}
{% else -%}
{%- set keyboard_action = 'deny' -%}
{% endif -%}
ctap.ClientPin * @anyvm @default ask user=root target={{ sls_path }} default_target={{ sls_path }}
ctap.GetInfo * @anyvm @default ask user=root target={{ sls_path }} default_target={{ sls_path }}
u2f.Authenticate * @anyvm @default ask user=root target={{ sls_path }} default_target={{ sls_path }}
u2f.Register * @anyvm @default ask user=root target={{ sls_path }} default_target={{ sls_path }}
{% if salt['pillar.get']('qvm:sys-usb:tablet-action', 'deny') == 'ask' -%}
{%- set tablet_action = 'ask default_target=dom0' -%}
{% elif salt['pillar.get']('qvm:sys-usb:tablet-action', 'deny') == 'allow' -%}
{%- set tablet_action = 'allow' -%}
{% else -%}
{%- set tablet_action = 'deny' -%}
{% endif -%}
qubes.InputMouse * @tag:usbvm dom0 {{ mouse_action }}
qubes.InputKeyboard * @tag:usbvm dom0 {{ keyboard_action }}
qubes.InputTablet * @tag:usbvm dom0 {{ tablet_action }}
qubes.InputKeyboard * @tag:usbvm @adminvm deny
qubes.InputMouse * @tag:usbvm @adminvm deny
qubes.InputTablet * @tag:usbvm @adminvm deny
qubes.InputKeyboard * @tag:usbvm @anyvm deny
qubes.InputMouse * @tag:usbvm @anyvm deny
qubes.InputTablet * @tag:usbvm @anyvm deny
ctap.ClientPin * @anyvm @tag:usbvm ask user=root default_target={{ sls_path }}
ctap.GetInfo * @anyvm @tag:usbvm ask user=root default_target={{ sls_path }}
u2f.Authenticate * @anyvm @tag:usbvm ask user=root default_target={{ sls_path }}
u2f.Register * @anyvm @tag:usbvm ask user=root default_target={{ sls_path }}
ctap.ClientPin * @anyvm @default ask user=root default_target={{ sls_path }}
ctap.GetInfo * @anyvm @default ask user=root default_target={{ sls_path }}
u2f.Authenticate * @anyvm @default ask user=root default_target={{ sls_path }}
u2f.Register * @anyvm @default ask user=root default_target={{ sls_path }}
ctap.GetInfo * @anyvm @anyvm deny
ctap.ClientPin * @anyvm @anyvm deny
u2f.Authenticate * @anyvm @anyvm deny
u2f.Register * @anyvm @anyvm deny
policy.RegisterArgument +u2f.Authenticate @tag:usbvm @anyvm allow target=dom0
policy.RegisterArgument +u2f.Authenticate @tag:usbvm @anyvm deny
# vim:ft=qrexecpolicy

11
salt/sys-usb/keyboard.sls
View File

@ -22,17 +22,6 @@ include:
- pkg:
- qubes-input-proxy
"{{ slsdotpath }}-input-proxy-keyboard":
file.managed:
- require:
- qvm: {{ slsdotpath }}
- pkg: installed-dom0
- name: /etc/qubes/policy.d/80-{{ slsdotpath }}.policy
- source: salt://{{ slsdotpath }}/files/policy/default.policy
- user: root
- group: qubes
- mode: '0664'
{% set uefi_xen_cfg = '/boot/efi/EFI/qubes/xen.cfg' %}
{% if grains['boot_mode'] == 'efi' %}
{% set grub_cfg = '/boot/efi/EFI/qubes/grub.cfg' %}