qusal/salt/qubes-builder/files/admin/policy/default.policy

# SPDX-FileCopyrightText: 2023 The Qubes OS Project <https://www.qubes-os.org>
# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: GPL-2.0-only

## Do not modify this file, create a new policy with with a lower number in the
## file name instead. For example `30-user.policy`.

## TODO: split-gpg2 configuration for isolated_gnupghomedirs.
qubes.Gpg2 * {{ sls_path }} @default allow target=sys-pgp

qusal.GitInit  +qubes-builder {{ sls_path }} @default allow target=sys-git
qusal.GitFetch +qubes-builder {{ sls_path }} @default allow target=sys-git
qusal.GitPush  +qubes-builder {{ sls_path }} @default ask   target=sys-git default_target=sys-git

qusal.SshAgent +qubes-builder {{ sls_path }} @default allow target=sys-ssh-agent
qusal.SshAgent +qubes-builder {{ sls_path }} @anyvm deny

admin.vm.CreateDisposable * {{ sls_path }} dom0 allow
admin.vm.CreateDisposable * {{ sls_path }} dvm-qubes-builder allow target=dom0
admin.vm.Start * {{ sls_path }} @tag:disp-created-by-{{ sls_path }} allow target=dom0
admin.vm.Kill * {{ sls_path }} @tag:disp-created-by-{{ sls_path }} allow target=dom0

qubesbuilder.FileCopyIn * {{ sls_path }} @tag:disp-created-by-{{ sls_path }} allow
qubesbuilder.FileCopyOut * {{ sls_path }} @tag:disp-created-by-{{ sls_path }} allow

qubes.Filecopy * {{ sls_path }} @tag:disp-created-by-{{ sls_path }} allow
qubes.WaitForSession * {{ sls_path }} @tag:disp-created-by-{{ sls_path }} allow
qubes.VMShell * {{ sls_path }} @tag:disp-created-by-{{ sls_path }} allow
## vim:ft=qrexecpolicy