Sys-usb being BYPASSED

I’ve recently setup a Trezor (which is a hardware usb wallet for crypto).
Getting it working required a number of setups, How to set up the trezor bridge in 4.1

But now ive noticed the trezor-app-vm can detect and use the usb trezor device WITHOUT attaching it to the app-vm via sys-usb. Im worried ive compromised sys-usb in some way?? Or that all app-vm will be able to access it?

Is there any logs i can provide that will help figure out whats going on?

This policy will allow connections from any VM and not only your walletvm:
$anyvm $anyvm allow,user=trezord,target=sys-usb
You can read about policies here:

If you want to restrict the connection only to your walletvm, then you can do it like this:
walletvm sys-usb allow,user=trezord,target=sys-usb
You can see an example of policy usage for Monero wallet isolation:


will putting this command in dom0 override the prior RPC $anyvm $anyvm policy?

No, the whole policy file is parsed from top to bottom. As soon as a rule is found that matches the action being evaluated, parsing stops.
So if your file look like this:

walletvm sys-usb allow,user=trezord,target=sys-usb
$anyvm $anyvm allow,user=trezord,target=sys-usb

Then this will allow connections from any VM.
But if the file will look like this:

walletvm sys-usb allow,user=trezord,target=sys-usb
$anyvm $anyvm deny
$anyvm $anyvm allow,user=trezord,target=sys-usb

Then only walletvm will be allowed and all other connections will be denied.


That is a solid call out. Thank you.

sounds like i should edit the file and remove the $anyvm $anyvm entry?
dom0$ cd /etc/qubes-rpc/policy/trezord-service
this one?

appreciate your knowledge and help

Yes, you need to change this line in this file:

$anyvm $anyvm allow,user=trezord,target=sys-usb

To this instead:

walletvm sys-usb allow,user=trezord,target=sys-usb
1 Like

To me, anything after 2nd line is pointless since it won’t be / couldn’t be executed.

That’s right. This is an example of this quote:

That rules in the file won’t be parsed after first matching rule so anything after $anyvm $anyvm rule will be ignored.

So, for the sake of other users, policy in this case should containt only two lines:

walletvm sys-usb allow,user=trezord,target=sys-usb
$anyvm $anyvm deny

You can leave only the first line in the file:

walletvm sys-usb allow,user=trezord,target=sys-usb

Any requests that don’t match will be denied by default:

If no policy rule is matched, the action is denied. If the policy file does not exist, the user is prompted to create one. If there is still no policy file after prompting, the action is denied.

I have to point out that this is the old format, and should not be used
in 4.1
Updated format could be, in /etc/qubes/policy.d/30-user.policy

qubes.Trezor  * CLIENTVM  sys-usb allow

And that, is exactly the policy set out in the guide that OP linked

Of course. I just commented specific case, but didn’t look back at the broader context. Thanks.