fix: strict split-gpg2 service

Split-gpg V1 allowed for querying public keys, but as split-gpg2 is
running as an agent, public keys are not queried. Allowing connection to
the server to query only public parts of the key exposes the server more
than needed to the client.

All clients now have to hold the public key they need locally in order
to do GPG operations.
Ben Grande 2023-12-28 11:47:41 +01:00
parent 76079d2c7e
commit b52e4b1b63
8 changed files with 5 additions and 16 deletions

@ -26,8 +26,6 @@ prefs:
- autostart: False
- include_in_backups: True
features:
- enable:
- service.split-gpg2-client
- disable:
- service.cups
- service.cups-browsed
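Review bot: dropping `service.split-gpg2-client` from this qube's `features.enable` (the two removed lines) leaves any `qubes.Gpg2` policy rule that still names this qube pointing at a client that can no longer use it; remove or re-point that rule in the same change, or say in the commit message why this qube no longer needs `sys-pgp` while the builder qube gains the service elsewhere in this commit.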

@ -38,6 +38,7 @@ prefs:
- autostart: False
features:
- enable:
- service.split-gpg2-client
- service.shutdown-idle
- disable:
- service.cups
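Review bot: adding `service.split-gpg2-client` to this qube's `features.enable` is a new capability that the commit message (which only describes removing public-key lookups) does not explain; state which qube this is and why it now talks to `sys-pgp`, and confirm a matching `qubes.Gpg2 ... ask target=sys-pgp` rule exists for it, because an enabled client with no policy rule only produces qrexec denials.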

@ -54,8 +54,8 @@ qubesctl --skip-dom0 --targets=qubes-builder state.apply qubes-builder.configure
## Access Control
The policy is based on `qubes-builderv2/rpc/50-qubesbuilder.policy`.
Extra services added are `qubes.Gpg`, `qubes.Gpg2`, `qusal.GitInit`,
`qusal.GitFetch`, `qusal.GitPush`, `qusal.SshAgent`.
Extra services added are `qubes.Gpg2`, `qusal.GitInit`, `qusal.GitFetch`,
`qusal.GitPush`, `qusal.SshAgent`.
Out of these services, if an argument `+qubes-builder` can be specified to
limit the scope, the action is `allowed`, else the action is to `ask`.
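Review bot: the README now lists only `qubes.Gpg2`, but nothing in this section tells the reader that the builder qube must carry the public keys it needs locally, which is the point of the commit message; add that sentence here, and while touching these lines change `allowed` in the sentence that follows to `allow` so it matches the policy keyword used in the rules.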

@ -51,8 +51,8 @@ prefs:
- vcpus: 4
- default_dispvm: dvm-{{ slsdotpath }}
features:
# - enable:
# - service.split-gpg2-client
- enable:
- service.split-gpg2-client
- disable:
- service.cups
- service.cups-browsed
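Review bot: uncommenting `service.split-gpg2-client` enables the client for this qube, and the only `qubes.Gpg2` rule for it in this change is `qubes.Gpg2 * {{ sls_path }} @default ask target=sys-pgp`, so every signing call during a build will raise a prompt; if that is the intended behaviour, say so in the README's Access Control section, which currently only explains the `allow` versus `ask` split in terms of the `+qubes-builder` argument.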

@ -5,7 +5,6 @@
## Do not modify this file, create a new policy with with a lower number in the
## file name instead. For example `30-user.policy`.
qubes.Gpg2 * {{ sls_path }} @default ask target=sys-pgp
qubes.Gpg * {{ sls_path }} @default ask target=sys-pgp
qusal.GitInit +qubes-builder {{ sls_path }} @default allow target=sys-git
qusal.GitFetch +qubes-builder {{ sls_path }} @default allow target=sys-git
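Review bot: removing the `qubes.Gpg` line leaves the legacy service with no rule in this file, so a call from `{{ sls_path }}` falls through to a later policy file or to the policy daemon's default, which is deny; an explicit `qubes.Gpg * {{ sls_path }} @anyvm deny` would record that the v1 service is intentionally unavailable to the builder rather than merely unlisted.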

@ -30,9 +30,6 @@ features:
- disable:
- service.cups
- service.cups-browsed
# tags:
# - add:
# - split-gpg2-client
{%- endload %}
{{ load(defaults) }}
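Review bot: the removed `# tags: - add: - split-gpg2-client` block was commented-out config, so deleting it is only cleanup, but a `split-gpg2-client` tag is exactly what a strict policy could key on (`qubes.Gpg2 * @tag:split-gpg2-client @default ask target=sys-pgp`) instead of enumerating client qubes in per-qube policy files; if per-qube rules are the chosen design, state that in the commit message, otherwise keep the tag rather than dropping the idea.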

@ -53,10 +53,6 @@ Allow the `work` qubes to access `sys-pgp`, but not other qubes:
qubes.Gpg2 * work sys-pgp ask default_target=sys-pgp
qubes.Gpg2 * work @default ask target=sys-pgp default_target=sys-pgp
qubes.Gpg2 * @anyvm @anyvm deny
qubes.Gpg * work sys-pgp ask default_target=sys-pgp
qubes.Gpg * work @default ask target=sys-pgp default_target=sys-pgp
qubes.Gpg * @anyvm @anyvm deny
```
## Usage
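Review bot: the example keeps the three `qubes.Gpg2` rules, but the sentence introducing it ("Allow the `work` qubes to access `sys-pgp`") now needs the caveat from the commit message that `work` must hold the public keys it uses locally, since readers of the old example obtained them over the `qubes.Gpg` rules that are being removed here.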

@ -6,6 +6,4 @@
## file name instead. For example `30-user.policy`.
qubes.Gpg2 * @anyvm @default ask target={{ sls_path }} default_target={{ sls_path }}
qubes.Gpg2 * @anyvm @anyvm deny
qubes.Gpg * @anyvm @default ask target={{ sls_path }} default_target={{ sls_path }}
qubes.Gpg * @anyvm @anyvm deny
## vim:ft=qrexecpolicy
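Review bot: the remaining `qubes.Gpg2 * @anyvm @default ask target={{ sls_path }} default_target={{ sls_path }}` rule still offers every qube a prompt to reach `{{ sls_path }}`, which sits oddly with a change titled "strict split-gpg2 service"; consider making this default `deny` and leaving the `ask` rules to the per-client policy files (the `qubes.Gpg2 * {{ sls_path }} @default ask target=sys-pgp` form used for the builder), so the set of permitted clients is explicit in one place.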