How do you properly create a policy for qubes.filecopy

Start:

Hi, I'm very new to Qubes and not very knowledgeable about programming, and I'm thankful for any help I receive.

Version and what I've done:

I'm using Qubes 4.2.4 and have tried looking through this forum for qubes.filecopy, but I couldn't make what I found work. And ChatGPT ended up making me delete all the default policies, whoops. I had to reinstall Qubes because of that.

What I'm trying to do:

I'm trying to create a policy that restricts which qubes can send and receive files from others.
In this case I'm trying to make it so that a specific qube (cat) can only receive files from qube (tat), and that qube (cat) can't transfer files outside itself.

End:

Any help I can get and any links to relevant guides for my version of Qubes is much appreciated. Thanks!

Hi and welcome here!

Have you tried this instead of ChatGPT?

Also:

Please note that AIs often hallucinate about Qubes OS. If you’re using an AI to assist you, please check its conclusions against the official documentation.

2 Likes

Checking the obvious: you need to search files for “qubes.Filecopy” (with a capital F), since searches are case sensitive.

In any case, there are policy entries in 90-default.policy (the line there lets any VM copy to any other VM with “ask”, i.e., popping up the dialog that has you pick a qube to copy to).

I added more stuff in 30-user.policy that overrides the default; I gave three different VMs “allow” permission to copy to a fourth one (which accesses a “dropbox” on a NAS)–basically after I do a backup I send the backup file to the dropbox. It looks like this:

qubes.Filecopy   *   SourceQube1    DropBoxQube   allow
qubes.Filecopy   *   SourceQube2    DropBoxQube   allow
qubes.Filecopy   *   SourceQube3    DropBoxQube   allow

Note that this allows direct copy access without asking the user; I wanted this process to be unattended. I made sure to restrict it only to three different source qubes; any other qube will go right on to the default rule. (Below, I explain why this works this way.)

You can probably write something like this into 30-user.policy:

# cat may never send files anywhere
qubes.Filecopy   *   cat      @anyvm   deny
# tat may send to cat (with the confirmation dialog)
qubes.Filecopy   *   tat      cat      ask
# nobody else may send to cat
qubes.Filecopy   *   @anyvm   cat      deny

The policies function by starting with the lowest numbered file (30 will come before 90). When a line that matches the current situation is reached it stops (so put the more general rules AFTER the more specific ones).

The first line it should hit when looking at file copy is the line forbidding cat from copying to anything else. If the requestor happens to be cat, it’s done; cat can’t do it.

The next line says that tat is allowed to copy to cat. So if tat is the requestor, and it’s trying to copy to cat, it’s done: allowed to do it (it will pop up the dialog; if you don’t want that, use allow here). If tat is trying to copy to anywhere else it will keep going until it reads the default rule in 90-default.policy.

Any other qube, if trying to copy to cat, will hit the third line and stop, denied.

5 Likes
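To make the first-match walk-through in the post above concrete, here is an added simulation of the lookup order (this is example code written for this thread, not the real qrexec-policy parser). It only understands the literal qube names, `*` and `@anyvm` used in the thread; the file names and contents below are constructed to mirror the proposed 30-user.policy and the default rule from 90-default.policy, and the `work` qube is an assumed third qube used to show the fall-through.

```python
"""Simplified simulation of Qubes RPC policy first-match evaluation.

Added example, not the real qrexec-policy parser: it ignores @tag:, @type:,
@dispvm, !include and per-rule options, and only models what the thread
discusses: files consulted in numeric/lexical order, first matching rule wins.
"""

# Constructed policy files keyed by file name.  sorted() puts 30-user.policy
# ahead of 90-default.policy, which is why the user file overrides the default.
POLICY_FILES = {
    "30-user.policy": """
        # cat may never send files anywhere
        qubes.Filecopy * cat @anyvm deny
        # tat may send to cat, with the confirmation dialog
        qubes.Filecopy * tat cat ask
        # nobody else may send to cat
        qubes.Filecopy * @anyvm cat deny
    """,
    "90-default.policy": """
        # Qubes default: anyone may copy to anyone, but ask first
        qubes.Filecopy * @anyvm @anyvm ask
    """,
}


def parse_policy(text):
    """Yield (service, argument, source, target, action) for each rule line,
    skipping blank lines and '#' comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"malformed policy line: {line!r}")
        yield tuple(fields[:5])


def _arg_matches(pattern, argument):
    """'*' matches any RPC argument; otherwise the argument must be equal."""
    return pattern == "*" or pattern == argument


def _qube_matches(pattern, qube):
    """'@anyvm' matches any qube; otherwise the qube name must be equal."""
    return pattern == "@anyvm" or pattern == qube


def decide(policy_files, service, argument, source, target):
    """Return the action of the first matching rule, scanning files in sorted
    order and each file top to bottom.  With no matching rule at all the
    request is denied, which is also how qrexec behaves."""
    for name in sorted(policy_files):
        for svc, arg, src, dst, action in parse_policy(policy_files[name]):
            if (svc == service and _arg_matches(arg, argument)
                    and _qube_matches(src, source)
                    and _qube_matches(dst, target)):
                return action
    return "deny"


def trace_thread_cases(policy_files=POLICY_FILES):
    """Evaluate the cases walked through in the post above.  The RPC argument
    is empty, as it is for an ordinary qvm-copy."""
    svc = "qubes.Filecopy"
    return {
        "cat -> work": decide(policy_files, svc, "", "cat", "work"),   # line 1
        "tat -> cat":  decide(policy_files, svc, "", "tat", "cat"),    # line 2
        "work -> cat": decide(policy_files, svc, "", "work", "cat"),   # line 3
        "tat -> work": decide(policy_files, svc, "", "tat", "work"),   # default
    }


if __name__ == "__main__":
    for case, action in trace_thread_cases().items():
        print(f"{case:12s} {action}")
```

Dropping `30-user.policy` from the dictionary and evaluating `cat -> work` again returns `ask`, the default: this is the fall-back behaviour @SteveC relies on by overriding rather than editing `90-default.policy`.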

@SteveC has given everything you need, but I would add a strong recommendation to edit policy using only the methods in the first link of @parulin : How to edit a policy. These editors will prevent saving a policy with a syntax error, which Qubes cannot understand, and which is the same as a policy where everything is denied, for all qubes.

I also make a backup copy of policy files in another directory before I start, because I do not change them very often, and it makes any mistakes easier to repair.

A last point: it is normally not necessary to modify the original policy files at all. It is possible to change everything using only new policy files with a smaller number (like @SteveC explains above).

3 Likes

You can do this using GUI in Qubes OS Global Config → File Access → Custom policy.

1 Like

Let me underscore this. I do not edit 90-* policy files, I override them with other files with lower numbers. I want to be able to fall back on the defaults easily by simply removing my files. I’ve never had to do it, but I am sure I will have to within hours of altering a 90-* file.

As @phceac and @parulin point out, there are ways to do this graphically as well; that utility edits files starting with 50-. Some of my automated scripts will also modify these files (specifically the settings IN those files), because I want the GUI to work when I do use it. (If I override that policy in my own 30- file, the GUI will tell me (not conspicuously enough for my tastes) that the setting is overridden, so any edits I make there will be useless, which defeats the purpose of the GUI.)