feat: install Qusal TCP Proxy on updatevm's origin

Document qusal.ConnectTCP in dev's Access Control as it defaults to deny and causes confusion to users why it doesn't work by default. This is an exception of the rule that a formula cannot document the RPC service of another formula to avoid duplication.
2024-10-01 02:35:49 -04:00 · 2024-06-26 12:20:35 +02:00 · 2024-06-26 12:20:35 +02:00 · eb3a8ab324
commit eb3a8ab324
parent c2fc4b524a
7 changed files with 81 additions and 0 deletions
--- a/salt/dev/README.md
+++ b/salt/dev/README.md
@ -6,6 +6,7 @@ Development environment in Qubes OS.

 * [Description](#description)
 * [Installation](#installation)
+* [Access Control](#access-control)
 * [Usage](#usage)

 ## Description
@ -22,6 +23,10 @@ allows.
 sudo qubesctl top.enable dev
 sudo qubesctl --targets=tpl-dev,dvm-dev,dev state.apply
 sudo qubesctl top.disable dev
+proxy_target="$(qusal-report-updatevm-origin)"
+if test -n "${proxy_target}"; then
+  sudo qubesctl --skip-dom0 --targets="${proxy_target}" state.apply sys-net.install-proxy
+fi
 ```

 - State
@ -31,9 +36,35 @@ sudo qubesctl state.apply dev.create
 sudo qubesctl --skip-dom0 --targets=tpl-dev state.apply dev.install
 sudo qubesctl --skip-dom0 --targets=dvm-dev state.apply dev.configure-dvm
 sudo qubesctl --skip-dom0 --targets=dev state.apply dev.configure
+proxy_target="$(qusal-report-updatevm-origin)"
+if test -n "${proxy_target}"; then
+  sudo qubesctl --skip-dom0 --targets="${proxy_target}" state.apply sys-net.install-proxy
+fi
 ```
 <!-- pkg:end:post-install -->

+The installation will make the Qusal TCP Proxy available in the `updatevm`
+(after it is restarted in case it is template based). If you want to have the
+proxy available on a `netvm` that is not deployed by Qusal, install the Qusal
+TCP proxy on the templates of your `netvm`:
+```sh
+sudo qubesctl --skip-dom0 --targets=TEMPLATE state.apply sys-net.install-proxy
+```
+
+Remember to restart the `netvms` after the proxy installation for the changes
+to take effect.
+
+## Access Control
+
+_Default policy_: `denies` `all` qubes from calling `qusal.ConnectTCP`
+
+Allow qube `dev` to `connect` to `github.com:22` via `disp-sys-net` but not to
+any other host or via any other qube:
+```qrexecpolicy
+qusal.ConnectTCP +github.com+22 dev @default allow target=disp-sys-net
+qusal.ConnectTCP *              dev @anyvm   deny
+```
+
 ## Usage

 The development qube `dev` can be used for:
--- a/salt/dev/create.sls
+++ b/salt/dev/create.sls
@ -8,6 +8,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later

 include:
  - .clone
+  - sys-net.show-updatevm-origin

 {% load_yaml as defaults -%}
 name: tpl-{{ slsdotpath }}
--- a/salt/dev/init.top
+++ b/salt/dev/init.top
@ -14,3 +14,6 @@ base:
    - dev.configure-dvm
  'dev':
    - dev.configure
+  '(I@qubes:type:template or I@qubes:type:standalone) and (G@kernel:Linux or G@kernel:*BSD)':
+    - match: compound
+    - sys-net.install-proxy
--- a/salt/sys-net/create.sls
+++ b/salt/sys-net/create.sls
@ -10,6 +10,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later

 include:
  - .clone
+  - .show-updatevm-origin

 {% load_yaml as defaults -%}
 name: tpl-{{ slsdotpath }}
--- a/salt/sys-net/files/admin/bin/qusal-report-updatevm-origin
+++ b/salt/sys-net/files/admin/bin/qusal-report-updatevm-origin
@ -0,0 +1,21 @@
+#!/bin/sh
+
+## SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+##
+## SPDX-License-Identifier: AGPL-3.0-or-later
+
+set -eu
+
+updatevm="$(qubes-prefs updatevm)"
+updatevm_class="$(qvm-prefs "${updatevm}" klass)"
+proxy_target=""
+case "${updatevm_class}" in
+  StandaloneVM) proxy_target="${updatevm}";;
+  AppVM) proxy_target="$(qvm-prefs "${updatevm}" template)";;
+  DispVM)
+    proxy_target="$(qvm-prefs "$(qvm-prefs "${updatevm}" template)" template)"
+    ;;
+esac
+if test -n "${proxy_target}"; then
+  echo "${proxy_target}"
+fi
--- a/salt/sys-net/show-updatevm-origin.sls
+++ b/salt/sys-net/show-updatevm-origin.sls
@ -0,0 +1,14 @@
+{#
+SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+"{{ slsdotpath }}-get-updatevm-origin":
+  file.managed:
+    - name: /usr/local/bin/qusal-report-updatevm-origin
+    - source: salt://{{ slsdotpath }}/files/admin/bin/qusal-report-updatevm-origin
+    - mode: "0755"
+    - user: root
+    - group: root
+    - makedirs: True
--- a/salt/sys-net/show-updatevm-origin.top
+++ b/salt/sys-net/show-updatevm-origin.top
@ -0,0 +1,10 @@
+{#
+SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+  'dom0':
+    - match: nodegroup
+    - sys-net.show-updatevm-origin