Merge branch 'extract-template-gui'

* extract-template-gui: Use 50-* policy files for salt-managed policy Add other necessary calls into sys-gui's policy Use new policy location for sys-gui's Admin API settings Separated common gui vm state into template-gui.jinja
QubesOS · May 24, 2020 · dae4041 · dae4041
2 parents d0f18bc + 1a8ab02
commit dae4041
Show file tree

Hide file tree

Showing 3 changed files with 73 additions and 53 deletions.
diff --git a/qvm/sys-gui.sls b/qvm/sys-gui.sls
@@ -10,6 +10,7 @@ qubes-template-{{ salt['pillar.get']('qvm:sys-gui:template', 'fedora-30-xfce') }
   pkg.installed: []
 
 {% from "qvm/template.jinja" import load -%}
+{% from "qvm/template-gui.jinja" import gui_common -%}
 
 {% load_yaml as defaults -%}
 name:          sys-gui
@@ -28,56 +29,4 @@ service:
 {%- endload %}
 
 {{ load(defaults) }}
-
-# Set 'dom0' keyboard-layout feature
-dom0-keyboard-layout:
-  cmd.run:
-    - name: qvm-features dom0 keyboard-layout {{ salt['keyboard.get_x']() }}
-
-# Set 'sys-gui' keyboard-layout feature
-sys-gui-keyboard-layout:
-  cmd.run:
-    - name: qvm-features sys-gui keyboard-layout {{ salt['keyboard.get_x']() }}
-    - require:
-      - qvm: sys-gui
-
-# Setup Qubes RPC policy
-sys-gui-rpc:
-  file.managed:
-    - name: /etc/qubes/policy.d/30-sys-gui.policy
-    - contents: |
-        qubes.GetImageRGBA                  *   sys-gui             @tag:guivm-sys-gui          allow
-        qubes.GetAppmenus                   *   sys-gui             @tag:guivm-sys-gui          allow
-        qubes.SetMonitorLayout              *   sys-gui             @tag:guivm-sys-gui          allow
-        qubes.StartApp                      *   sys-gui             @tag:guivm-sys-gui          allow
-        qubes.StartApp                      *   sys-gui             @dispvm:@tag:guivm-sys-gui  allow
-        qubes.SyncAppMenus                  *   @tag:guivm-sys-gui  dom0                        allow   target=sys-gui
-        qubes.WaitForSession                *   sys-gui             @tag:guivm-sys-gui          allow
-
-
-# GuiVM (AdminVM) with local 'rwx' permissions
-/etc/qubes-rpc/policy/include/admin-local-rwx:
-  file.append:
-    - text: |
-        sys-gui @tag:guivm-sys-gui allow,target=dom0
-        sys-gui sys-gui allow,target=dom0
-
-# GuiVM (AdminVM) with global 'ro' permissions
-{% if salt['pillar.get']('qvm:sys-gui:admin-global-permissions') == 'ro' %}
-/etc/qubes-rpc/policy/include/admin-global-ro:
-  file.append:
-    - text: |
-        sys-gui @adminvm allow,target=dom0
-        sys-gui @tag:guivm-sys-gui allow,target=dom0
-        sys-gui sys-gui allow,target=dom0
-{% endif %}
-
-{% if salt['pillar.get']('qvm:sys-gui:admin-global-permissions') == 'rwx' %}
-# GuiVM (AdminVM) with global 'rwx' permissions
-/etc/qubes-rpc/policy/include/admin-global-rwx:
-  file.append:
-    - text: |
-        sys-gui @adminvm allow,target=dom0
-        sys-gui @tag:guivm-sys-gui allow,target=dom0
-        sys-gui sys-gui allow,target=dom0
-{% endif %}
+{{ gui_common(defaults.name) }}
diff --git a/qvm/template-gui.jinja b/qvm/template-gui.jinja
@@ -0,0 +1,70 @@
+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+##
+# GUI Virtual Machine Common State Template
+# ==============================
+##
+
+{% macro gui_common(vmname) -%}
+# Setup Qubes RPC policy
+{{ vmname }}-rpc:
+  file.managed:
+    - name: /etc/qubes/policy.d/50-gui-{{ vmname }}.policy
+    - contents: |
+        qubes.GetImageRGBA                  *   {{ vmname }}             @tag:guivm-{{ vmname }}          allow
+        qubes.GetAppmenus                   *   {{ vmname }}             @tag:guivm-{{ vmname }}          allow
+        # TODO: limit to templates related to @tag:guivm-{{ vmname }} only
+        qubes.GetAppmenus                   *   {{ vmname }}             @type:TemplateVM                 allow
+        qubes.SetMonitorLayout              *   {{ vmname }}             @tag:guivm-{{ vmname }}          allow
+        qubes.StartApp                      *   {{ vmname }}             @tag:guivm-{{ vmname }}          allow
+        qubes.StartApp                      *   {{ vmname }}             @dispvm:@tag:guivm-{{ vmname }}  allow
+        qubes.SyncAppMenus                  *   @tag:guivm-{{ vmname }}  dom0                        allow   target={{ vmname }}
+        qubes.WindowIconUpdater             *   @tag:guivm-{{ vmname }}  dom0                        allow   target={{ vmname }}
+        qubes.WaitForSession                *   {{ vmname }}             @tag:guivm-{{ vmname }}          allow
+
+        # Parts of Admin API necessary for GUI-related tools to work
+        admin.vm.List                       *   {{ vmname }}             dom0                             allow
+        admin.vm.List                       *   {{ vmname }}             @tag:guivm-sys-gui               allow target=dom0
+        admin.Events                        *   {{ vmname }}             dom0                             allow
+        admin.Events                        *   {{ vmname }}             @tag:guivm-sys-gui               allow target=dom0
+        admin.label.Get                     *   {{ vmname }}             dom0                             allow
+        admin.label.Index                   *   {{ vmname }}             dom0                             allow
+        admin.vm.property.Get               *   {{ vmname }}             dom0                             allow
+        admin.vm.volume.List                *   {{ vmname }}             dom0                             allow
+        admin.vm.device.pci.Available       *   {{ vmname }}             dom0                             allow
+        admin.vm.feature.Get                +internal {{ vmname }}             dom0                             allow
+        # TODO: find a way to avoid this one (ram, cpu usage)
+        admin.vm.CurrentState               *   {{ vmname }}             dom0                             allow
+
+# GuiVM (AdminVM) with local 'rwx' permissions
+{{ vmname }}-admin-local-rwx:
+  file.append:
+    - name: /etc/qubes/policy.d/include/admin-local-rwx
+    - text: |
+        {{ vmname }} @tag:guivm-{{ vmname }} allow target=dom0
+        {{ vmname }} {{ vmname }} allow target=dom0
+
+# GuiVM (AdminVM) with global 'ro' permissions
+{% if salt['pillar.get']('qvm:' + vmname + ':admin-global-permissions') == 'ro' %}
+{{ vmname }}-admin-global-ro:
+  file.append:
+    - name: /etc/qubes/policy.d/include/admin-global-ro
+    - text: |
+        {{ vmname }} @adminvm allow target=dom0
+        {{ vmname }} @tag:guivm-{{ vmname }} allow target=dom0
+        {{ vmname }} {{ vmname }} allow target=dom0
+{% endif %}
+
+{% if salt['pillar.get']('qvm:' + vmname + ':admin-global-permissions') == 'rwx' %}
+# GuiVM (AdminVM) with global 'rwx' permissions
+{{ vmname }}-admin-global-rwx:
+  file.append:
+    - name: /etc/qubes/policy.d/include/admin-global-rwx
+    - text: |
+        {{ vmname }} @adminvm allow target=dom0
+        {{ vmname }} @tag:guivm-{{ vmname }} allow target=dom0
+        {{ vmname }} {{ vmname }} allow target=dom0
+{% endif %}
+{%- endmacro %}
+
diff --git a/rpm_spec/qubes-mgmt-salt-dom0-virtual-machines-dom0.spec.in b/rpm_spec/qubes-mgmt-salt-dom0-virtual-machines-dom0.spec.in
@@ -94,6 +94,7 @@ fi
 /srv/formulas/base/virtual-machines-formula/qvm/sys-whonix.sls
 /srv/formulas/base/virtual-machines-formula/qvm/sys-whonix.top
 /srv/formulas/base/virtual-machines-formula/qvm/template.jinja
+/srv/formulas/base/virtual-machines-formula/qvm/template-gui.jinja
 /srv/formulas/base/virtual-machines-formula/qvm/template-whonix-gw.sls
 /srv/formulas/base/virtual-machines-formula/qvm/template-whonix-ws.sls
 /srv/formulas/base/virtual-machines-formula/qvm/untrusted.sls