Git-Mirrors/qusal
1
0
Fork 0
mirror of https://github.com/ben-grande/qusal.git synced 2025-06-12 00:23:12 -04:00
Code Issues Projects Releases Packages Wiki Activity

fix: organize sys-usb policy per service

Browse source
This commit is contained in:
Ben Grande 2024-01-10 12:49:20 +01:00
parent 302460b458
commit c76fb42d48
No known key found for this signature in database
GPG key ID: 00C64E14F51F9E56
1 changed files with 18 additions and 19 deletions
Download patch file Download diff file Expand all files Collapse all files

37
salt/sys-usb/files/admin/policy/default.policy
View file

@ -28,32 +28,31 @@
{%- set tablet_action = 'deny' -%} {%- set tablet_action = 'deny' -%}
{% endif -%} {% endif -%}
qubes.InputMouse * @tag:usbvm dom0 {{ mouse_action }} qubes.InputMouse * @tag:usbvm @adminvm {{ mouse_action }}
qubes.InputKeyboard * @tag:usbvm dom0 {{ keyboard_action }}
qubes.InputTablet * @tag:usbvm dom0 {{ tablet_action }}
qubes.InputKeyboard * @tag:usbvm @adminvm deny
qubes.InputMouse * @tag:usbvm @adminvm deny qubes.InputMouse * @tag:usbvm @adminvm deny
qubes.InputKeyboard * @tag:usbvm @adminvm {{ keyboard_action }}
qubes.InputKeyboard * @tag:usbvm @adminvm deny
qubes.InputTablet * @tag:usbvm @adminvm {{ tablet_action }}
qubes.InputTablet * @tag:usbvm @adminvm deny qubes.InputTablet * @tag:usbvm @adminvm deny
qubes.InputKeyboard * @tag:usbvm @anyvm deny
qubes.InputMouse * @tag:usbvm @anyvm deny
qubes.InputTablet * @tag:usbvm @anyvm deny
ctap.ClientPin * @anyvm @tag:usbvm ask user=root default_target={{ sls_path }} ctap.ClientPin * @anyvm @tag:usbvm ask user=root default_target={{ sls_path }}
ctap.ClientPin * @anyvm @default ask user=root default_target={{ sls_path }}
ctap.ClientPin * @anyvm @anyvm deny
ctap.GetInfo * @anyvm @tag:usbvm ask user=root default_target={{ sls_path }} ctap.GetInfo * @anyvm @tag:usbvm ask user=root default_target={{ sls_path }}
ctap.GetInfo * @anyvm @default ask user=root default_target={{ sls_path }}
ctap.GetInfo * @anyvm @anyvm deny
u2f.Authenticate * @anyvm @tag:usbvm ask user=root default_target={{ sls_path }} u2f.Authenticate * @anyvm @tag:usbvm ask user=root default_target={{ sls_path }}
u2f.Authenticate * @anyvm @default ask user=root default_target={{ sls_path }}
u2f.Authenticate * @anyvm @anyvm deny
u2f.Register * @anyvm @tag:usbvm ask user=root default_target={{ sls_path }} u2f.Register * @anyvm @tag:usbvm ask user=root default_target={{ sls_path }}
u2f.Register * @anyvm @default ask user=root default_target={{ sls_path }}
ctap.ClientPin * @anyvm @default ask user=root default_target={{ sls_path }} u2f.Register * @anyvm @anyvm deny
ctap.GetInfo * @anyvm @default ask user=root default_target={{ sls_path }}
u2f.Authenticate * @anyvm @default ask user=root default_target={{ sls_path }}
u2f.Register * @anyvm @default ask user=root default_target={{ sls_path }}
ctap.GetInfo * @anyvm @anyvm deny
ctap.ClientPin * @anyvm @anyvm deny
u2f.Authenticate * @anyvm @anyvm deny
u2f.Register * @anyvm @anyvm deny
policy.RegisterArgument +u2f.Authenticate @tag:usbvm @anyvm allow target=dom0 policy.RegisterArgument +u2f.Authenticate @tag:usbvm @anyvm allow target=dom0
policy.RegisterArgument +u2f.Authenticate @tag:usbvm @anyvm deny policy.RegisterArgument +u2f.Authenticate @anyvm @anyvm deny
# vim:ft=qrexecpolicy # vim:ft=qrexecpolicy