mirror of
https://github.com/ben-grande/qusal.git
synced 2025-01-16 09:57:27 -05:00
b52e4b1b63
Split-gpg V1 allowed for querying public keys, but as split-gpg2 is running as an agent, public keys are not queried. Allowing connection to the server to query only public parts of the key exposes the server more than needed to the client. All clients now have to hold the public key they need locally in order to do GPG operations.
27 lines
1.3 KiB
Plaintext
27 lines
1.3 KiB
Plaintext
# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
|
|
#
|
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
|
|
## Do not modify this file, create a new policy with with a lower number in the
|
|
## file name instead. For example `30-user.policy`.
|
|
qubes.Gpg2 * {{ sls_path }} @default ask target=sys-pgp
|
|
|
|
qusal.GitInit +qubes-builder {{ sls_path }} @default allow target=sys-git
|
|
qusal.GitFetch +qubes-builder {{ sls_path }} @default allow target=sys-git
|
|
qusal.GitPush +qubes-builder {{ sls_path }} @default ask target=sys-git
|
|
|
|
qusal.SshAgent +qubes-builder {{ sls_path }} @default allow target=sys-ssh-agent
|
|
qusal.SshAgent +qubes-builder {{ sls_path }} @anyvm deny
|
|
|
|
admin.vm.CreateDisposable * {{ sls_path }} dom0 allow
|
|
admin.vm.CreateDisposable * {{ sls_path }} dvm-qubes-builder allow target=dom0
|
|
admin.vm.Start * {{ sls_path }} @tag:disp-created-by-{{ sls_path }} allow target=dom0
|
|
admin.vm.Kill * {{ sls_path }} @tag:disp-created-by-{{ sls_path }} allow target=dom0
|
|
|
|
qubesbuilder.FileCopyIn * {{ sls_path }} @tag:disp-created-by-{{ sls_path }} allow
|
|
qubesbuilder.FileCopyOut * {{ sls_path }} @tag:disp-created-by-{{ sls_path }} allow
|
|
|
|
qubes.WaitForSession * {{ sls_path }} @tag:disp-created-by-{{ sls_path }} allow
|
|
qubes.VMShell * {{ sls_path }} @tag:disp-created-by-{{ sls_path }} allow
|
|
## vim:ft=qrexecpolicy
|