Restoring "/etc/qubes-rpc/policy" files

User Support
1

I am a student in cybersecurity and I was in the last step of setting up the buskill cable (syncing info with dom0). I accidentally closed the dom0 terminal before the sync command was completed in tutorial for the files in the path.

I was setting up lock screen with the code on buskill’s qubes tutorial.

path in question:
/etc/qubes-rpc/policy

I was trying to move files between vm’s shortly after when I noticed I lost the capability to move and copy files as well as update template vm’s (all reliant on files in the policy folder). I was able to manually restore the qubes.Filecopy file and functionality, moving and copying files between vm’s (including for pdf sanitation in disposable vm’s) is back to normal.

I noticed that there are other files missing from the policy folder (such as the ones needed to configure a network vm to use for updating templates, dom0 itself is unaffected and can update fine). I consulted chatgpt but was not able to get a full and accurate list and text content of the default files for the qubes latest release.

Was looking through the website for documentation on policy files but i found there is only info on the qubes.Filecopy as an example which I already fixed.

Is there a way to download just the files that were default to policy. or somewhere that lists their content.

Everything else seems to be intact besides this.

I cannot 100% confirm but I believe that the missing files after error in sync are

qubes.ConnectTCP
qubes.FeaturesRequest
qubes.GetImageRGBA
qubes.GetRandomizedTime
qubes.NotifyTools
qubes.NotifyUpdates
qubes.OpenInVm
qubes.OpenURL
qubes.StartApp
qubes.VMRootShell

Also the existing files below may or may not be missing some information after sync as I was unable to update a debian-11 template that previously had no issues

qubes.ClipboardPaste
qubes.GetDate
qubes.Gpg
qubes.GpgImportKey
qubes.InputKeyboard
qubes.InputMouse
qubes.InputTablet
qubes.PdfConvert
qubes.ReceiveUpdates
qubes.repos.Disable
qubes.repos.Enable
qubes.repos.List
qubes.SyncAppMenus
qubes.UpdatesProxy
qubes.USB
qubes.WindowIconUpdater
whonix.GatewayCommand
whonix.NewStatus
whonix.SdwdateStatus

Can anyone can provide the default text inputs for the above files? (running sudo nano filepath). Also if anyone believes that I should do a full audit of dom0 can you provide the best method of doing so?

2

I don’t see in that tutorial anything that could affect default policy files. It just creates new policy files /etc/qubes-rpc/policy/buskill.*. If they are the problem then removing them will fix your problem:
sudo rm /etc/qubes-rpc/policy/buskill.*

3

On the first line of the RPC policies documention. https://www.qubes-os.org/doc/rpc-policy/

Qubes OS 4.1 introduced a new qrexec policy system and policy format. Please see this article for details.

the article is: https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/

in the Policy files section:

Now that the policy is a single entity, it is parsed as a whole. If there are any syntax errors, the parser will refuse to load anything (in order to prevent any unintended permission grants).

So, as said by disp6252, removing all buskill policy files will fix your problem.

from New qrexec policy format #4370

marmarek commented on Oct 4, 2018
No, general rule is that default policy is installed with a component providing given service. So, for example default policy for qubes.USB will be in in {70,75,80}-qubes-usb-proxy.

Therefore, a lot of policies come from:
https://github.com/QubesOS/qubes-core-admin/tree/main/qubes-rpc-policy

some other example:
https://github.com/QubesOS/qubes-core-qrexec/tree/main/policy.d
https://github.com/QubesOS/qubes-app-linux-pdf-converter/blob/main/qubes.PdfConvert.policy
https://github.com/QubesOS/qubes-app-linux-usb-proxy/blob/main/qubes-rpc/qubes.USB.policy

etc.

2 Likes