I wanted to get some feedback on how to structure custom policies for specific qubes and specific purposes.
Given that the first matching rule is used when evaluating these policy files, there is some room for differences based on how the user structured and ordered their rules and I would like to know how others are doing this.
The included policy files seem to be loosely ordered by feature and privilege level.
I considered two approaches so far and would like to hear your thoughts:

1. Have a policy file correspond to a specific qube, like vault, and include the various restrictive custom rules for only that qube in there. This would seem easier to maintain.
2. Have a dedicated file for each service, like file copy, and include the relevant rules for all qubes there.
I only have the /etc/qubes/policy.d/30-user.policy file:
```
# /home/user/30-user.policy file. Symlink this file to
# /etc/qubes/policy.d/30-user.policy file for migrating your policy
# edits to a new machine.
# ln -s /home/user/30-user.policy /etc/qubes/policy.d/30-user.policy

# ConnectTCP configs
qubes.ConnectTCP +<PORT> <QUBE-1> <QUBE-2> allow
[...]

# Filecopy configs
qubes.Filecopy * <QUBE-3> @anyvm allow
[...]

# SplitGPG configs
qubes.Gpg * <QUBE-4> <QUBE-5> ask target=<QUBE-5>
[...]

# SplitSSH configs
qubes.SshAgent * <QUBE-6> <QUBE-7> ask target=<QUBE-7>
[...]
```
I find this approach easier than others. All my custom policy setups are in a single file, ready to observe and peruse. I don't use QubesOS GUI tools for setting custom policies, so maintaining this singular policy file using the dom0 terminal is easy.
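To make the "first matching rule wins" point from the original question concrete, and to show how the per-qube and per-service layouts interact with the single-file layout in the reply above, here is an added example evaluator (not part of either post and not the qrexec policy engine itself). It handles only a subset of the policy syntax: literal qube names, `@anyvm`, `@tag:<name>`, argument `*` or an exact `+arg`, and the actions allow/ask/deny with optional `key=value` parameters; `@default`, `@dispvm`, `@type:`, service wildcards and the special dom0 rules are left out. The policy files, qube names and tags in it are constructed, not anyone's real configuration. Files are read in lexical filename order, as /etc/qubes/policy.d is, which is exactly what makes the numeric prefix of a per-qube file security-relevant: a `50-vault.policy` sorts after `40-filecopy.policy` and loses to it.

```python
"""Added example: first-match evaluator for a subset of qrexec policy syntax.
Assumptions (not from the posts): only @anyvm, @tag:<name>, literal names,
argument '*' or exact '+arg', and actions allow/ask/deny are understood.
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    file: str
    lineno: int
    service: str
    argument: str
    source: str
    target: str
    action: str
    params: dict = field(default_factory=dict)


def parse_policy(text, filename):
    """Parse one policy file into Rules, preserving file order."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 5:
            raise ValueError(f"{filename}:{lineno}: expected at least 5 fields")
        service, argument, source, target, action, *rest = parts
        if action not in ("allow", "ask", "deny"):
            raise ValueError(f"{filename}:{lineno}: unknown action {action!r}")
        params = dict(p.split("=", 1) for p in rest)  # e.g. target=vault
        rules.append(Rule(filename, lineno, service, argument, source, target, action, params))
    return rules


def load_policy_dir(files):
    """files: {filename: text}. Concatenate in lexical filename order,
    the same order in which /etc/qubes/policy.d is read (30-* before 90-*)."""
    rules = []
    for name in sorted(files):
        rules.extend(parse_policy(files[name], name))
    return rules


def _vm_matches(pattern, vm, tags):
    if pattern == "@anyvm":
        return True
    if pattern.startswith("@tag:"):
        return pattern[len("@tag:"):] in tags.get(vm, set())
    return pattern == vm


def decide(rules, service, argument, source, target, tags=None):
    """Return the first Rule matching the call, or None (no match means deny)."""
    tags = tags or {}
    for r in rules:
        if r.service != service:
            continue
        if r.argument != "*" and r.argument != argument:
            continue
        if not _vm_matches(r.source, source, tags):
            continue
        if not _vm_matches(r.target, target, tags):
            continue
        return r
    return None


# Constructed sample files (hypothetical qubes 'vault', 'work', 'personal').
PER_QUBE_FILE = """\
# 30-vault.policy: every restriction for the 'vault' qube in one place
qubes.Filecopy * vault @anyvm deny
qubes.Filecopy * @anyvm vault deny
qubes.Gpg * work vault ask target=vault
"""
PER_SERVICE_FILE = """\
# 40-filecopy.policy: one file per service, covering all qubes
qubes.Filecopy * @tag:trusted @anyvm ask
qubes.Filecopy * @anyvm @anyvm deny
"""
FALLBACK_FILE = """\
# 90-fallback.policy: constructed catch-all standing in for the distro defaults
qubes.Gpg * @anyvm @anyvm deny
"""
TAGS = {"vault": {"trusted"}, "personal": {"trusted"}}


def example_decisions():
    """Per-qube file sorted first: vault's deny wins even though vault is 'trusted'."""
    files = {"30-vault.policy": PER_QUBE_FILE, "40-filecopy.policy": PER_SERVICE_FILE,
             "90-fallback.policy": FALLBACK_FILE}
    rules = load_policy_dir(files)
    out = {}
    for src, dst in [("vault", "work"), ("personal", "work"), ("work", "personal")]:
        r = decide(rules, "qubes.Filecopy", "+", src, dst, TAGS)
        out[(src, dst)] = (r.action, r.file, r.lineno)
    gpg = decide(rules, "qubes.Gpg", "+", "work", "vault", TAGS)
    out["gpg"] = (gpg.action, gpg.params.get("target"))
    return out


def reordered_decision():
    """Same rules, but the per-qube file renamed so it sorts after 40-filecopy:
    the @tag:trusted 'ask' rule now matches vault first and the deny is never reached."""
    files = {"50-vault.policy": PER_QUBE_FILE, "40-filecopy.policy": PER_SERVICE_FILE,
             "90-fallback.policy": FALLBACK_FILE}
    r = decide(load_policy_dir(files), "qubes.Filecopy", "+", "vault", "work", TAGS)
    return (r.action, r.file, r.lineno)


if __name__ == "__main__":
    print(example_decisions())
    print(reordered_decision())
```

The takeaway for structuring your own files is that a per-qube file only protects that qube if its numeric prefix sorts before every per-service file that could match the same calls; whichever layout you pick, a quick `sort` of the filenames in /etc/qubes/policy.d followed by reading the rules top to bottom is the check that tells you which rule will actually fire.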