But now I've noticed the trezor-app-vm can detect and use the USB Trezor device WITHOUT attaching it to the app-vm via sys-usb. I'm worried I've compromised sys-usb in some way?? Or that all app-vms will be able to access it?
Are there any logs I can provide that will help figure out what's going on?
This policy will allow connections from any VM and not only your walletvm:

    $anyvm $anyvm allow,user=trezord,target=sys-usb
You can read about policies here:
If you want to restrict the connection only to your walletvm, then you can do it like this:

    walletvm sys-usb allow,user=trezord,target=sys-usb
You can see an example of policy usage for Monero wallet isolation:
No, the whole policy file is parsed from top to bottom. As soon as a rule is found that matches the action being evaluated, parsing stops.
So if your file looks like this:
Any requests that don’t match will be denied by default:
If no policy rule is matched, the action is denied. If the policy file does not exist, the user is prompted to create one. If there is still no policy file after prompting, the action is denied.
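As an added illustration of the top-to-bottom, first-match, deny-by-default behaviour described in the reply above (this is not code from Qubes OS or from either poster), here is a small Python evaluator for the legacy `source destination action,options` policy syntax used in this thread. The policy texts are constructed for the example; the names `walletvm`, `trezord` and `sys-usb` come from the thread, `untrusted` is an assumed extra VM name, and features of the real qrexec parser such as the `$default` keyword, `ask` prompts and the "create the file" prompt are deliberately not modelled.

```python
"""Toy evaluator for a legacy-syntax Qubes qrexec policy file.

Added example, not Qubes code: it only models what the forum reply states,
namely that rules are read top to bottom, the first rule whose source and
destination match wins, and a request matching no rule is denied.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Rule:
    source: str
    dest: str
    action: str                 # "allow", "deny" or "ask"
    options: dict = field(default_factory=dict)   # e.g. {"user": "trezord"}
    lineno: int = 0


def parse_policy(text: str) -> List[Rule]:
    """Parse 'source dest action[,key=value,...]' lines; '#' starts a comment."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 'source dest action[,opts]'")
        source, dest, spec = fields
        action, *opts = spec.split(",")
        if action not in ("allow", "deny", "ask"):
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        options = {}
        for opt in opts:
            if "=" not in opt:
                raise ValueError(f"line {lineno}: malformed option {opt!r}")
            key, value = opt.split("=", 1)
            options[key] = value
        rules.append(Rule(source, dest, action, options, lineno))
    return rules


def _matches(pattern: str, name: str) -> bool:
    # Simplification: only the $anyvm wildcard and exact names are modelled.
    return pattern == "$anyvm" or pattern == name


def evaluate(rules: List[Rule], source: str, dest: str) -> Tuple[str, Optional[str], Optional[Rule]]:
    """Return (action, effective_target, matching_rule). Parsing stops at the first match."""
    for rule in rules:
        if _matches(rule.source, source) and _matches(rule.dest, dest):
            # target= redirects the call to another VM (sys-usb in the thread)
            return rule.action, rule.options.get("target", dest), rule
    # No rule matched: denied by default, as the reply states.
    return "deny", None, None


def decide(policy_text: str, source: str, dest: str) -> str:
    return evaluate(parse_policy(policy_text), source, dest)[0]


# Constructed policy files for the three situations discussed in the thread.
OPEN_POLICY = "$anyvm $anyvm allow,user=trezord,target=sys-usb\n"

RESTRICTED_POLICY = """\
# only walletvm may reach trezord in sys-usb; everything else is refused
walletvm sys-usb allow,user=trezord,target=sys-usb
$anyvm $anyvm deny
"""

# Same two rules in the wrong order: the deny-all is matched first, so the
# walletvm rule below it is never reached.
WRONG_ORDER_POLICY = """\
$anyvm $anyvm deny
walletvm sys-usb allow,user=trezord,target=sys-usb
"""

if __name__ == "__main__":
    for label, policy in (("open", OPEN_POLICY),
                          ("restricted", RESTRICTED_POLICY),
                          ("wrong order", WRONG_ORDER_POLICY)):
        for vm in ("walletvm", "untrusted"):
            action, target, rule = evaluate(parse_policy(policy), vm, "sys-usb")
            where = f"rule on line {rule.lineno}" if rule else "no rule matched"
            print(f"{label:12} {vm:10} -> {action:5} target={target} ({where})")
```

Running the block prints one decision per policy and source VM; the "restricted" policy is the one the second reply recommends, and the "wrong order" policy shows why the `$anyvm $anyvm deny` line has to come last.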