I had created a tiny list of commands to automate the split-gpg setup. The script included the following:
echo "work vault allow" | tee /etc/qubes-rpc/policy/qubes.Gpg
echo "$anyvm $anyvm ask" | tee -a /etc/qubes-rpc/policy/qubes.Gpg
Since tee only appends (to my knowledge), I had to reinstate “$anyvm $anyvm ask”. However, once I ran this in Dom0, it treated $anyvm as a variable and the result in qubes.GpG was:
work vault allow
Among the results of this mistake was that the mouse stopped working, and I couldn’t attached a USB devices to sys-net (denied). And while I could copy into Dom0 (Ctrl+Shift+C), I could no longer paste into another Qube (Ctrl+Shift+V).
Once I fixed qubes.Gpg manually to:
work vault allow
$anyvm $anyvm ask
Things went back to normal (Mouse, USB device, pasting).
Why did a mistake in qubes.Gpg cause errors for tasks unrelated to Gpg?
From the first line of documention (RPC policies | Qubes OS)
you have a link to the new qrexec policy system and policy format.
in the Policy files section, you got your answer:
Now that the policy is a single entity, it is parsed as a whole. If there are any syntax errors, the parser will refuse to load anything (in order to prevent any unintended permission grants).
The “Mouse, USB device and pasting” are handled via policies, therefore without
them, they can’t work.
When you use double quote, the shell will parse your command and substitute
the variables it found, before to run the command.
If you want to write exactly
$some_var, you need to use single quote (or escape the
echo 'work vault allow
$anyvm $anyvm ask' | tee /etc/qubes-rpc/policy/qubes.Gpg
from the manual page (
tee file will create a file.
tee -a file will append to that file.
Might it be that the invalid policy actually prevented other policy from being defined / taken into account?
Putting that hypothesis in other words: it wouldn’t be the case that the
qubes.Gpg policy has a direct influence on other policies in particular, as much as errors in any policy definition affect whether other policies can be successfully defined.
Edit: @szz9pza quoted the relevant docs, see above!
To avoid problems, I suggest doing things the recommended way by creating and putting all of your custom rules in
/etc/qubes/policy.d/30-user.policy. Unexpected things are more likely to occur when you manipulate the RPC policy files in ways that the developers did not intend.
Thank you for your replies. Very helpful.
@adw is this the line to append to
/etc/qubes/policy.d/30-user.policy (all single space)?
qubes.Gpg * work vault allow
I don’t think the spacing matters as long as there’s at least one space (or tab) separating each field.