What does Qubes.Gpg policy file have to do with devices?

I had created a tiny list of commands to automate the split-gpg setup. The script included the following:

echo "work  vault  allow" | tee /etc/qubes-rpc/policy/qubes.Gpg
echo "$anyvm  $anyvm  ask" | tee -a /etc/qubes-rpc/policy/qubes.Gpg

Since tee only appends (to my knowledge), I had to reinstate “$anyvm $anyvm ask”. However, once I ran this in Dom0, it treated $anyvm as a variable and the result in qubes.Gpg was:

work  vault  allow
      ask

Among the results of this mistake was that the mouse stopped working, and I couldn’t attach a USB device to sys-net (denied). And while I could copy into Dom0 (Ctrl+Shift+C), I could no longer paste into another Qube (Ctrl+Shift+V).

Once I fixed qubes.Gpg manually to:

work  vault  allow
$anyvm  $anyvm  ask

Things went back to normal (Mouse, USB device, pasting).

Why did a mistake in qubes.Gpg cause errors for tasks unrelated to Gpg?

From the first line of the documentation (RPC policies | Qubes OS)
you have a link to the new qrexec policy system and policy format.

https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/
In the Policy files section, you get your answer:

Now that the policy is a single entity, it is parsed as a whole. If there are any syntax errors, the parser will refuse to load anything (in order to prevent any unintended permission grants).

The “Mouse, USB device and pasting” are handled via policies; therefore, without them, they can’t work.

When you use double quotes, the shell parses your command and substitutes the variables it finds before running the command.
If you want to write exactly $some_var, you need to use single quotes (or escape the $).

echo 'work  vault  allow
$anyvm  $anyvm  ask' | tee /etc/qubes-rpc/policy/qubes.Gpg

From the manual page (man tee):
tee file will create (or overwrite) a file.
tee -a file will append to that file.

Might it be that the invalid policy actually prevented other policy from being defined / taken into account?

Putting that hypothesis in other words: it wouldn’t be the case that the qubes.Gpg policy has a direct influence on other policies in particular, as much as errors in any policy definition affect whether other policies can be successfully defined.

Edit: @szz9pza quoted the relevant docs, see above!

To avoid problems, I suggest doing things the recommended way by creating and putting all of your custom rules in /etc/qubes/policy.d/30-user.policy. Unexpected things are more likely to occur when you manipulate the RPC policy files in ways that the developers did not intend.

Thank you for your replies. Very helpful.

@adw is this the line to append to /etc/qubes/policy.d/30-user.policy (all single space)?

qubes.Gpg * work vault allow

I don’t think the spacing matters as long as there’s at least one space (or tab) separating each field.
