Hi, greetings to everyone.
I am on Qubes-OS 4.2.2. I have been using Qubes for years now. Not very well versed with the command line, but I can manage simple things.
So now to the main question:
I have set a user policy with restrictions set for clipboard, url redirection, filecopy, pdfconvert and openinvm etc. And it works perfectly fine, the way I intend it to.
I want to set my last rule as an "anyvm anyvm deny" kind of rule. But when I put this line, updates stop working. I use the onion repo and sys-whonix as update v, but it has nothing to do with this as it doesn’t work even with clearnet options.
So what should I place in the rules above this deny rule so that updates can work even when this rule is there?
Can you post the deny rule that you’ve tried?
Lost account access, but it was:
* * @anyvm @anyvm deny
That policy will deny all qrexec requests, so it works as intended. Since the other system policies come after your custom user deny-all policy, they are blocked.
The qrexec requests are already denied by default if they are not allowed by any existing policy:
Whenever a RPC request for an action is received, the domain checks the first matching line of the files in /etc/qubes/policy.d/ to determine access: whether to allow the request, what VM to redirect the execution to, and what user account the program should run under. Note that if the request is redirected (target= parameter), policy action remains the same – even if there is another rule which would otherwise deny such request. If no policy rule is matched, the action is denied.
So you don’t need to create a specific deny all policy for this.
You need to create separate deny policies for specific actions instead (clipboard, url redirection, filecopy, pdfconvert and openinvm etc.) if they are allowed for all qubes by default.
In that case, even when you don’t put this rule, updates should have been denied, because they would have fallen into the category of no policy rule matched.
But it’s not the case.
It’s matched in the default policy files e.g.:
[user@dom0 ~]$ grep -ir "update" /etc/qubes/policy.d/
/etc/qubes/policy.d/90-default.policy:# Notify about available updates
/etc/qubes/policy.d/90-default.policy:qubes.NotifyUpdates * @anyvm dom0 allow
/etc/qubes/policy.d/90-default.policy:# HTTP proxy for downloading updates
/etc/qubes/policy.d/90-default.policy:#qubes.UpdatesProxy * @type:TemplateVM @default allow target=sys-whonix
/etc/qubes/policy.d/90-default.policy:qubes.UpdatesProxy * @tag:whonix-updatevm @default allow target=sys-whonix
/etc/qubes/policy.d/90-default.policy:# Deny Whonix TemplateVMs using UpdatesProxy of any other VM.
/etc/qubes/policy.d/90-default.policy:qubes.UpdatesProxy * @tag:whonix-updatevm @anyvm deny
/etc/qubes/policy.d/90-default.policy:qubes.UpdatesProxy * @type:TemplateVM @default allow target=sys-net
/etc/qubes/policy.d/90-default.policy:qubes.UpdatesProxy * @anyvm @anyvm deny
/etc/qubes/policy.d/90-default-linux.policy:# qubes-dom0-update
/etc/qubes/policy.d/90-default-linux.policy:qubes.ReceiveUpdates * @anyvm dom0 allow
/etc/qubes/policy.d/90-default-gui-daemon.policy:qubes.WindowIconUpdater * @anyvm dom0 allow
/etc/qubes/policy.d/50-config-updates.policy:qubes.UpdatesProxy * @tag:whonix-updatevm @default allow target=sys-whonix
/etc/qubes/policy.d/50-config-updates.policy:qubes.UpdatesProxy * @type:TemplateVM @default allow target=sys-whonix
So if I put all these update rules in my custom policy, updates should work even with the last deny rule mentioned above?
Yes.
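As an added illustration (not code from this thread or from Qubes itself), a toy Python model of the first-match evaluation quoted above, run over the qubes.UpdatesProxy rules from the grep output: a deny-all line in a user file that sorts before the system files matches the template's @default request first, while putting the allow rule above it restores the redirect to sys-whonix. The qube inventory is constructed and the evaluator models only the tokens that appear in this thread, not the full qrexec-policy grammar.

```python
"""Toy first-match evaluator for Qubes qrexec policy lines: a constructed illustration,
not the real qrexec-policy parser, modelling only the tokens seen in this thread."""

# Constructed inventory: qube name -> (class, tags)
QUBES = {"dom0": ("AdminVM", set()),
         "fedora-40": ("TemplateVM", set()),
         "whonix-ws-17": ("TemplateVM", {"whonix-updatevm"})}

def _matches(pattern, name):
    if pattern == "*":
        return True
    if pattern == "@default":
        return name == "@default"
    if pattern == "@anyvm":           # any qube but dom0; also matches @default targets
        return name != "dom0"
    if name not in QUBES:             # a @default target vs. a type/tag/name token
        return False
    cls, tags = QUBES[name]
    if pattern.startswith("@type:"):
        return cls == pattern[6:]
    if pattern.startswith("@tag:"):
        return pattern[5:] in tags
    return pattern == name

def evaluate(policy_text, service, source, target="@default"):
    """First matching rule decides; no match means deny. Returns (action, effective target)."""
    for raw in policy_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        svc, _arg, src, dst, action, *params = line.split()
        if svc in ("*", service) and _matches(src, source) and _matches(dst, target):
            redirect = [p[7:] for p in params if p.startswith("target=")]
            return action, (redirect[0] if redirect else target if action == "allow" else None)
    return "deny", None

# UpdatesProxy rules from the thread's grep output, in policy.d order (50-config-updates, then 90-default)
SYSTEM_POLICY = """
qubes.UpdatesProxy * @tag:whonix-updatevm @default allow target=sys-whonix
qubes.UpdatesProxy * @type:TemplateVM @default allow target=sys-whonix
qubes.UpdatesProxy * @tag:whonix-updatevm @anyvm deny
qubes.UpdatesProxy * @type:TemplateVM @default allow target=sys-net
qubes.UpdatesProxy * @anyvm @anyvm deny
"""
DENY_ONLY = "* * @anyvm @anyvm deny\n"   # the thread's user rule on its own
DENY_LAST = "qubes.UpdatesProxy * @type:TemplateVM @default allow target=sys-whonix\n" + DENY_ONLY

def updates_proxy_result(user_policy, template="fedora-40"):
    """A user file such as 30-user.policy sorts before the system files, so it is read first."""
    return evaluate(user_policy + SYSTEM_POLICY, "qubes.UpdatesProxy", template)
```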