From f67aea1fe0a39139238caacfa32c738aa280256c Mon Sep 17 00:00:00 2001
From: unman <unman@thirdeyesecurity.org>
Date: Wed, 16 Nov 2022 12:33:55 +0000
Subject: [PATCH] Sys-git - allow fine grained access controls in policy file

---
 git/README.md  | 25 ++++++++++++++++++++++++-
 git/git-qrexec |  3 ++-
 2 files changed, 26 insertions(+), 2 deletions(-)
 mode change 100644 => 100755 git/git-qrexec

diff --git a/git/README.md b/git/README.md
index 884eeb2..b7bb990 100644
--- a/git/README.md
+++ b/git/README.md
@@ -2,6 +2,8 @@ This package provides a central git qube, named sys-git.
 By default the qube has no netvm, but you can set one if you wish.
 
 Some configuration is needed.
+Repositories must be created under /home/user/repos in sys-git, and
+repository names must be common between sys-git and client qubes.
 
 # Setting up a new repository
 
@@ -19,7 +21,15 @@ Then prepare a qube by running:
 `qubesctl --skip0-dom0 --targets=QUBE state.apply git.install_client`
 
 ## Work in the client
-You can then use that repository as usual.
+Configure git, as necessary.  
+Open a terminal in the qube:
+```
+mkdir X
+cd X
+git init
+add-remote sg
+```
+You can then use that repository as usual, making commits.
 To push to sys-git you must first-  
 `git push --set-upstream sg master`
 
@@ -52,5 +62,18 @@ After making more commits,
 `git push `
 
 
+# Access control
+Access to sys-git is governed by policy rules in `/etc/qubes/policy/30-user.policy`
+The default rule allows access from any qube to sys-git, after a confirmation dialog.  
+`qubes.Git  *  @anyvm  @anyvm ask default_target=sys-git`
 
+You can control access to sys-git by qube, and restrict qubes to specific named repositories:  
+```
+qubes.Git  +REPO  QUBE   @anyvm  ask default_target=sys-git
+qubes.Git  *      QUBE2  @anyvm  ask default_target=sys-git  
+qubes.Git  *      *     sys-git deny
+```
+These rules will allow QUBE to access the REPO repository on sys-git, but no other.
+QUBE2 is allowed to access any repository on sys-git.  
+No other qube is allowed access at all.
 
diff --git a/git/git-qrexec b/git/git-qrexec
old mode 100644
new mode 100755
index 5e0358e..22eb13e
--- a/git/git-qrexec
+++ b/git/git-qrexec
@@ -2,4 +2,5 @@
 
 VMNAME=$1
 
-(echo $GIT_EXT_SERVICE $2 $3; exec cat) | qrexec-client-vm $VMNAME qubes.Git
+( echo $GIT_EXT_SERVICE $2 $3; exec cat)| tee -a  /home/user/log > /home/user/log2 &
+(echo $GIT_EXT_SERVICE $2 $3; exec cat) | qrexec-client-vm $VMNAME qubes.Git+$3