fix: GPU domain Qrexec policy

Upstream-issue: QubesOS/qubes-mgmt-salt-dom0-virtual-machines/pull/68

salt/sys-gui-gpu/cancel.sls

@@ -1,5 +1,5 @@
 {#
-SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+SPDX-FileCopyrightText: 2024 - 2025 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
@@ -8,7 +8,7 @@ include:
   - sys-gui.cancel-common
   - qvm.sys-gui-gpu-detach-gpu
 
-"{{ slsdotpath }}-gpu-disable-autostart":
+"{{ slsdotpath }}-disable-autostart":
   qvm.prefs:
-    - name: {{ slsdotpath }}-gpu
+    - name: {{ slsdotpath }}
     - autostart: False

salt/sys-gui-gpu/create.sls

@@ -1,7 +1,7 @@
 {#
 SPDX-FileCopyrightText: 2020 Artur Puzio <contact@puzio.waw.pl>
 SPDX-FileCopyrightText: 2020 Frederic Pierret <frederic.pierret@qubes-os.org>
-SPDX-FileCopyrightText: 2020 - 2024 Marmarek Marczykowski-Gorecki <marmarek@invisiblethingslab.com>
+SPDX-FileCopyrightText: 2020 - 2025 Marmarek Marczykowski-Gorecki <marmarek@invisiblethingslab.com>
 SPDX-FileCopyrightText: 2024 - 2025 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 
 SPDX-License-Identifier: GPL-2.0-only
@@ -13,7 +13,7 @@ SPDX-License-Identifier: GPL-2.0-only
 include:
   - .clone
 
-"{{ slsdotpath }}-gpu-installed":
+"{{ slsdotpath }}-installed":
   pkg.installed:
     - install_recommends: False
     - skip_suggestions: True
@@ -61,17 +61,33 @@ features:
 {{ gui_common(defaults.name) }}
 
 # Set GuiVM target for input-proxy-sender of dom0 attached input devices (not USB)
-"{{ slsdotpath }}-gpu-input-proxy-target":
+"{{ slsdotpath }}-input-proxy-target":
   file.managed:
     - name: /etc/qubes/input-proxy-target
     - contents: "TARGET_DOMAIN=sys-gui-gpu"
 
-# Set Qubes RPC policy for sys-usb to sys-gui-gpu
-"{{ slsdotpath }}-gpu-usb-input-proxy-target":
+{% if salt['pillar.get']('qvm:sys-usb:mouse-action', 'ask') == 'ask' %}
+{% set mouse_action = 'ask user=root default_target=sys-gui-gpu' %}
+{% elif salt['pillar.get']('qvm:sys-usb:mouse-action', 'ask') == 'allow' %}
+{% set mouse_action = 'allow user=root target=sys-gui-gpu' %}
+{% else %}
+{% set mouse_action = 'deny' %}
+{% endif %}
+
+{% if salt['pillar.get']('qvm:sys-usb:keyboard-action', 'deny') == 'ask' %}
+{% set keyboard_action = 'ask user=root default_target=sys-gui-gpu' %}
+{% elif salt['pillar.get']('qvm:sys-usb:keyboard-action', 'deny') == 'allow' %}
+{% set keyboard_action = 'allow user=root target=sys-gui-gpu' %}
+{% else %}
+{% set keyboard_action = 'deny' %}
+{% endif %}
+
+# Setup Qubes RPC policy for sys-usb to sys-gui-gpu
+"{{ slsdotpath }}-input-proxy":
   file.managed:
     - name: /etc/qubes/policy.d/45-sys-gui-gpu.policy
-    {% if salt['pillar.get']('qvm:sys-usb:mouse-action', 'ask') == 'ask' %}
-    - text: qubes.InputMouse * {{ salt['pillar.get']('qvm:sys-usb:name', 'sys-usb') }} dom0 ask user=root default_target=sys-gui-gpu
-    {% elif salt['pillar.get']('qvm:sys-usb:mouse-action', 'ask') == 'allow' %}
-    - text: qubes.InputMouse * {{ salt['pillar.get']('qvm:sys-usb:name', 'sys-usb') }} dom0 allow user=root target=sys-gui-gpu
-    {% endif %}
+    - contents: |
+        qubes.InputMouse * {{ salt['pillar.get']('qvm:sys-usb:name', 'sys-usb') }} dom0 {{ mouse_action }}
+        qubes.InputKeyboard * {{ salt['pillar.get']('qvm:sys-usb:name', 'sys-usb') }} dom0 {{ keyboard_action }}
+        # not configurable by this state
+        qubes.InputTablet * {{ salt['pillar.get']('qvm:sys-usb:name', 'sys-usb') }} dom0 deny

salt/sys-gui-gpu/prefs.sls

@@ -7,13 +7,13 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 include:
   - qvm.sys-gui-gpu-attach-gpu
 
-"{{ slsdotpath }}-gpu-autostart":
+"{{ slsdotpath }}-autostart":
   qvm.prefs:
-    - name: {{ slsdotpath }}-gpu
+    - name: {{ slsdotpath }}
     - autostart: True
 
-"{{ slsdotpath }}-gpu-activate":
+"{{ slsdotpath }}-activate":
   cmd.run:
     - require:
-      - qvm: "{{ slsdotpath }}-gpu-autostart"
-    - name: qubes-prefs -- default_guivm {{ slsdotpath }}-gpu
+      - qvm: "{{ slsdotpath }}-autostart"
+    - name: qubes-prefs -- default_guivm {{ slsdotpath }}

salt/sys-gui-vnc/cancel.sls

@@ -1,5 +1,5 @@
 {#
-SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+SPDX-FileCopyrightText: 2024 - 2025 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
@@ -7,7 +7,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 include:
   - sys-gui.cancel-common
 
-"{{ slsdotpath }}-vnc-disable-autostart":
+"{{ slsdotpath }}-disable-autostart":
   qvm.prefs:
-    - name: {{ slsdotpath }}-vnc
+    - name: {{ slsdotpath }}
     - autostart: False

salt/sys-gui-vnc/create.sls

@@ -13,7 +13,7 @@ include:
   - .clone
 
 {% if 'psu' in salt['pillar.get']('qvm:sys-gui-vnc:dummy-modules', []) or 'backlight' in salt['pillar.get']('qvm:sys-gui-vnc:dummy-modules', []) %}
-"{{ slsdotpath }}-vnc-installed":
+"{{ slsdotpath }}-installed":
   pkg.installed:
     - install_recommends: False
     - skip_suggestions: True

salt/sys-gui-vnc/prefs.sls

@@ -4,13 +4,13 @@ SPDX-FileCopyrightText: 2024 - 2025 Benjamin Grande M. S. <ben.grande.b@gmail.co
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
 
-"{{ slsdotpath }}-vnc-autostart":
+"{{ slsdotpath }}-autostart":
   qvm.prefs:
-    - name: {{ slsdotpath }}-vnc
+    - name: {{ slsdotpath }}
     - autostart: True
 
-"{{ slsdotpath }}-vnc-activate":
+"{{ slsdotpath }}-activate":
   cmd.run:
     - require:
-      - qvm: "{{ slsdotpath }}-vnc-autostart"
-    - name: qubes-prefs -- default_guivm {{ slsdotpath }}-vnc
+      - qvm: "{{ slsdotpath }}-autostart"
+    - name: qubes-prefs -- default_guivm {{ slsdotpath }}