Qrexec policy, do not copy from non anon-vm

How can I write a qrexec policy for qubes.Filecopy that lets me copy from an anon-vm to another anon-vm, but not from a non anon-vm to an anon-vm and the other way around?

I imagine this:

qubes.Filecopy * @tag:anon-vm @tag:anon-vm ask # Accept whonix to whonix
qubes.FileCopy * @tag:anon-vm !@tag:anon-vm deny # Deny Whonix to non-Whonix
qubes.FileCopy * !@tag:anon-vm @tag:anon-vm deny # Deny non-Whonix to Whonix

The ! here is made up by me to mean negate, is a policy like this possible?

The following should work:

qubes.Filecopy  *  @tag:anon-vm  @tag:anon-vm  ask
qubes.Filecopy  *  @tag:anon-vm  @default      ask
qubes.Filecopy  *  @anyvm        @tag:anon-vm  deny
qubes.Filecopy  *  @tag:anon-vm  @anyvm        deny
1 Like

Great, I had tried something similar but I believe it failed without the @default clause. This works.

Some additional questions, is /etc/qubes/policy.d/50-config-filecopy.policy the right file? Where should I put my options to not have them get overwritten?

Can we use multiple tags? Whonix templates have the tag whonix-updatevm but not anon-vm.

It is managed by Qubes Global Config, so it’s not the best place to add new policies. Create a new policy file with a lower number instead so that it is read first and doesn’t get overwritten by anything else.

Unfortunately not on the same line, but it has been proposed on github:

Until it is implemented, you can duplicate the lines, but with the other tag instead.