Qubes Qrexec Policy File

wobo · September 4, 2020, 8:23am

I am creating a policy files in /etc/qubes/policy.d/. I wanted to create a policy with extremely lockdown system in mind which can have last rule as-

- @anyvm @anyvm deny
  Does anybody know how to do that.
  The main hindrance is VMRootShell. I don’t know how to writes rules for it so that it can be used in useful way but not jeoparding whole system security. AFAIK it is required for templates updates so it can not be denied always.

adw · September 26, 2020, 9:55am

AFAIK, the default for qubes.VMRootShell is @anyvm @anyvm deny, and leaving it this way causes no problems for template updates.

The comment in qubes.VMRootShell nicely explains it.

wobo · September 28, 2020, 5:48am

Recently user policy files in /etc/qubes/policy.d/ does not work properly. (If you have a usb mouse, mouse is not assigned to dom0 even after no blocking rules present in user policy and qubes-rpc/policy is set to do so).
It used to work perfectly like about 20 days back.

panati · September 28, 2020, 7:44am

Yes, that’s true. I have also same kind of problems while testing sys-gui in 4.1. Maybe a redirection in code from dom0 to sys-gui is causing these issues.

adw · September 28, 2020, 7:46am

I don’t have that directory in dom0. Instead, my policy files are in /etc/qubes-rpc/policy/. I’m on 4.0.