I’ve been wanting to write a qrexec policy that would only allow the copy of a specific file from a specific VM to another. The goal is to be able to use qvm-copy-to-vm to copy this specific file without having to confirm the target in a GUI prompt.
I’m using the new qrexec policy system described in this blog post:
The syntax documentation, as far as I’m aware, lives here:
So, I’m able to allow any file copy from the source to the target VM with the following policy:
qubes.Filecopy * source-vm target-vm allow
From what I understand from the syntax documentation, I should be able to replace the * with a syntax such as +ARGUMENT. The syntax documentation is a bit unclear on how that works. I tried the following policy:
qubes.Filecopy +~/file source-vm target-vm allow
But with this policy, running qvm-copy-to-vm target-vm ~/file on VM source-vm fails. Am I not writing the policy correctly? Or is what I want to do not possible?
I haven’t looked at the code for a while, but I don’t think that qvm-move/copy
will allow this because of the way it handles input.
You could create a new qrexec call that does have specific inputs and
wraps qvm-copy.
I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.
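
The dedicated qrexec call suggested in the reply, sketched as an added example (not code from the thread or from the Qubes project): a hypothetical service `custom.PutFile` on target-vm that takes the file name as the service argument, so the policy can match on `+file`. The service name, destination directory and allowlist are assumptions, and the service receives the file on stdin rather than wrapping qvm-copy.

```shell
#!/bin/sh
# Hypothetical service "custom.PutFile" (the name is an assumption), installed
# on target-vm as /etc/qubes-rpc/custom.PutFile. qrexec passes the part after
# "+" in the call as $1; the file content arrives on stdin.
#
# dom0 policy line (new format) allowing only the argument "file":
#   custom.PutFile +file source-vm target-vm allow
# Call from source-vm:
#   qrexec-client-vm target-vm custom.PutFile+file < ~/file

# Destination directory; the default path is an assumption.
PUTFILE_DEST="${PUTFILE_DEST:-$HOME/QubesIncoming/putfile}"

# Names the service accepts. Checked here as well as in the policy, so the
# service stays constrained even if the policy is later loosened to "*".
PUTFILE_ALLOWED="file"

put_file() {
    name="$1"
    # Refuse empty names, hidden files and anything containing a path separator.
    case "$name" in
        ''|*/*|.*) echo "rejected argument" >&2; return 1 ;;
    esac
    ok=0
    for allowed in $PUTFILE_ALLOWED; do
        if [ "$name" = "$allowed" ]; then ok=1; fi
    done
    [ "$ok" -eq 1 ] || { echo "argument not allowed" >&2; return 1; }

    mkdir -p "$PUTFILE_DEST" || return 1
    # Write to a temporary file first so a failed transfer leaves no partial file.
    tmp=$(mktemp "$PUTFILE_DEST/.incoming.XXXXXX") || return 1
    if cat > "$tmp"; then
        mv -f "$tmp" "$PUTFILE_DEST/$name"
    else
        rm -f "$tmp"
        return 1
    fi
}

# qrexec sets QREXEC_REMOTE_DOMAIN for service calls; only act as the service then.
if [ -n "${QREXEC_REMOTE_DOMAIN:-}" ]; then
    put_file "${1:-}"
fi
```

The policy and the allowlist constrain the name the file is stored under on target-vm; the content is whatever source-vm sends on stdin.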