

Merge pull request #751 from freedomofpress/600-qubes-4.1
Initial support for Qubes 4.1
sssoleileraaa authored May 3, 2022
2 parents 49f81c7 + bb637dd commit d18d0c2
Showing 18 changed files with 425 additions and 174 deletions.
9 changes: 9 additions & 0 deletions dom0/sd-clean-all.sls
Expand Up @@ -48,6 +48,8 @@ remove-dom0-sdw-config-files:
- /srv/salt/qa-switch.tar.gz
- /srv/salt/qa-switch
- /srv/salt/consolidation-qa-switch.sh
- /etc/qubes/policy.d/60-securedrop-workstation.policy
- /etc/qubes/policy.d/70-securedrop-workstation.policy

# Remove any custom RPC policy tags added to non-SecureDrop VMs by the user
remove-rpc-policy-tags:
Expand All @@ -59,12 +61,16 @@ sd-cleanup-etc-changes:
- names:
- /etc/crontab
- /etc/systemd/logind.conf
- /etc/qubes/repo-templates/qubes-templates.repo
- pattern: '### BEGIN securedrop-workstation ###.*### END securedrop-workstation ###\s*'
- flags:
- MULTILINE
- DOTALL
- repl: ''
- backup: no
{% if grains['osrelease'] == '4.0' %}
- ignore_if_missing: True
{% endif %}

{% if d.environment == "prod" or d.environment == "staging" %}
apply-systemd-changes:
Expand All @@ -88,6 +94,9 @@ sd-cleanup-rpc-mgmt-policy:
- /etc/qubes-rpc/policy/qubes.VMShell
- /etc/qubes-rpc/policy/qubes.VMRootShell
- repl: ''
{% if grains['osrelease'] == '4.1' %}
- ignore_if_missing: True
{% endif %}
- pattern: '^disp-mgmt-sd-\w+\s+sd-\w+\s+allow,user=root'

{% set sdw_customized_rpc_files = salt['cmd.shell']('grep -rIl "BEGIN securedrop-workstation" /etc/qubes-rpc/ | cat').splitlines() %}
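Review bot: The `ignore_if_missing: True` guards added to sd-cleanup-etc-changes and sd-cleanup-rpc-mgmt-policy are gated on an exact `grains['osrelease']` string match ('4.0' in the first, '4.1' in the second), so on a host whose grain reports any other value the cleanup aborts on the first absent file instead of skipping it. These are teardown states, so tolerating a missing file is harmless on every release; I would drop both Jinja guards and set `- ignore_if_missing: True` unconditionally, with a comment such as `# managed files may be absent depending on release; never fail cleanup on a missing path`. Style-wise, the pre-existing `- backup: no` relies on YAML 1.1 boolean inference; `- backup: false` (and lowercase `true` for the new flag) states the same thing without the implicit-typing ambiguity. Both sd-cleanup-etc-changes and sd-cleanup-rpc-mgmt-policy begin outside their hunks.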
39 changes: 29 additions & 10 deletions dom0/sd-dom0-files.sls
Expand Up @@ -6,12 +6,6 @@
# over time. These scripts should be ported to an RPM package.
##

include:
# Import the upstream Qubes-maintained anon-whonix settings.
# The anon-whoni config pulls in sys-whonix and sys-firewall,
# as well as ensures the latest versions of Whonix are installed.
- qvm.anon-whonix

# Imports "sdvars" for environment config
{% from 'sd-default-config.sls' import sdvars with context %}

Expand Down Expand Up @@ -52,6 +46,27 @@ dom0-workstation-rpm-repo:
- require:
- file: dom0-rpm-test-key

{% if grains['osrelease'] == '4.1' %}
dom0-workstation-templates-repo:
# Using file.blockreplace because /etc/qubes/repo-templates/ is not a .d
# style directory, and qvm.template_installed:fromrepo seems to only support
# using a repo from this file. Installing manually via a cli-command-instead?
file.blockreplace:
- name: /etc/qubes/repo-templates/qubes-templates.repo
- append_if_not_found: True
- marker_start: "### BEGIN securedrop-workstation ###"
- marker_end: "### END securedrop-workstation ###"
- content: |
[securedrop-workstation-templates]
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation
enabled=1
baseurl={{ sdvars.dom0_yum_repo_url }}
name=SecureDrop Workstation Templates repository
- require:
- file: dom0-rpm-test-key
{% endif %}

dom0-remove-securedrop-workstation-stretch-template:
pkg.removed:
- pkgs:
Expand All @@ -60,12 +75,20 @@ dom0-remove-securedrop-workstation-stretch-template:
- file: dom0-workstation-rpm-repo

dom0-install-securedrop-workstation-template:
{% if grains['osrelease'] == '4.1' %}
cmd.run:
- name: >
qvm-template install securedrop-workstation-buster
{% else %}
pkg.installed:
- pkgs:
- qubes-template-securedrop-workstation-buster
{% endif %}
- require:
- file: dom0-workstation-rpm-repo
{% if grains['osrelease'] != '4.1' %}
- pkg: dom0-remove-securedrop-workstation-stretch-template
{% endif %}

# Remove the legacy auto updater script
dom0-remove-legacy-updater:
Expand Down Expand Up @@ -101,16 +124,12 @@ dom0-enabled-apparmor-on-whonix-gw-template:
- name: whonix-gw-16
- prefs:
- kernelopts: "nopat apparmor=1 security=apparmor"
- require:
- sls: qvm.anon-whonix

dom0-enabled-apparmor-on-whonix-ws-template:
qvm.vm:
- name: whonix-ws-16
- prefs:
- kernelopts: "nopat apparmor=1 security=apparmor"
- require:
- sls: qvm.anon-whonix

dom0-create-opt-securedrop-directory:
file.directory:
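Review bot: The 4.1 branch of dom0-install-securedrop-workstation-template requires only `file: dom0-workstation-rpm-repo`, yet the `qvm-template install` it runs depends on the repo definition written by the new `dom0-workstation-templates-repo` state earlier in this file; with no requisite on that state, correct ordering rests on declaration order alone, and the gpgcheck/gpgkey-protected repo block could be missing when the template is fetched. The same branch uses a bare `cmd.run`, which reports a change (and re-runs the install) on every highstate; an `- unless:` guard keyed on `qvm-template list --installed` makes it idempotent. Separately, the `include: qvm.anon-whonix` and the matching `sls` requisites on the whonix-gw-16/whonix-ws-16 apparmor states are dropped without a note on what now guarantees those templates exist before `qvm.vm` sets their prefs; a one-line comment there would help the next reader. The pkg.installed side of the state and the apparmor states begin or end outside their hunks.
```yaml
dom0-install-securedrop-workstation-template:
{% if grains['osrelease'] == '4.1' %}
  cmd.run:
    - name: qvm-template install securedrop-workstation-buster
    # cmd.run reports a change on every highstate; skip once the template is present
    - unless: qvm-template list --installed | grep -qw securedrop-workstation-buster
{% else %}
  # … unchanged: pkg.installed branch …
{% endif %}
    - require:
      - file: dom0-workstation-rpm-repo
{% if grains['osrelease'] == '4.1' %}
      # the 4.1 install reads the templates repo, so it must be written first
      - file: dom0-workstation-templates-repo
{% else %}
      - pkg: dom0-remove-securedrop-workstation-stretch-template
{% endif %}
```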
178 changes: 126 additions & 52 deletions dom0/sd-dom0-qvm-rpc.sls
@@ -1,15 +1,22 @@
# -*- coding: utf-8 -*-
# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
##
# Explicitly deny as a catch-all for SecureDrop workstation provisioned VMs.
# All SecureDrop-workstation provisioned VMS should have the sd-workstation tag.
# To be both be mindful of developers using the workstation and ensure
# RPC policies are not too permissive, this should be the first action
# performed by the install. All other provisioning steps will prepend to this
# list grants.
# using blockreplace will ensure that we will be able to more reliably update
# these policies during updates.
## Configure Qubes RPC policies for SecureDrop Workstation.
#
# As a general strategy, in addition to explicit grants, we provide
# catch-all deny policies for SDW-provisioned VMs. Where possible,
# we prefer to prepend SDW policies, in order to support overrides
# for the general system. We use the 'blockreplace' Salt state
# to achieve this for the 4.0-style grants, and order the policy
# files numerically for the 4.1-style grants.
#
##

# Certain policies use the legacy format (i.e. in /etc/qubes-rpc/policy/)
# under both Qubes 4.0 & 4.1. Under 4.1, we continue to use the legacy path,
# because the backwards-compatibility logic loads those files first,
# via /etc/qubes/policy.d/35-compat.policy. Since first match wins,
# we want our overrides to be present early, during the backwards compat loading.
dom0-rpc-qubes.ClipboardPaste:
file.blockreplace:
- name: /etc/qubes-rpc/policy/qubes.ClipboardPaste
Expand All @@ -21,138 +28,205 @@ dom0-rpc-qubes.ClipboardPaste:
sd-app @tag:sd-receive-app-clipboard ask
@anyvm @tag:sd-workstation deny
@tag:sd-workstation @anyvm deny
dom0-rpc-qubes.FeaturesRequest:
dom0-rpc-qubes.PdfConvert:
file.blockreplace:
- name: /etc/qubes-rpc/policy/qubes.FeaturesRequest
- name: /etc/qubes-rpc/policy/qubes.PdfConvert
- prepend_if_not_found: True
- marker_start: "### BEGIN securedrop-workstation ###"
- marker_end: "### END securedrop-workstation ###"
- content: |
@anyvm @tag:sd-workstation deny
@tag:sd-workstation @anyvm deny
dom0-rpc-qubes.Filecopy:
dom0-rpc-qubes.USB:
file.blockreplace:
- name: /etc/qubes-rpc/policy/qubes.Filecopy
- name: /etc/qubes-rpc/policy/qubes.USB
- prepend_if_not_found: True
- marker_start: "### BEGIN securedrop-workstation ###"
- marker_end: "### END securedrop-workstation ###"
- content: |
sd-log @default ask
sd-log @tag:sd-receive-logs ask
sd-proxy @tag:sd-client allow
sd-devices sys-usb allow
@anyvm @tag:sd-workstation deny
@tag:sd-workstation @anyvm deny
dom0-rpc-qubes.GetImageRGBA:
dom0-rpc-qubes.ensure.USBAttach:
file.managed:
- name: /etc/qubes-rpc/policy/qubes.USBAttach
- contents: |
@anyvm @anyvm ask
- replace: false

dom0-rpc-qubes.USBAttach:
file.blockreplace:
- name: /etc/qubes-rpc/policy/qubes.GetImageRGBA
- name: /etc/qubes-rpc/policy/qubes.USBAttach
- prepend_if_not_found: True
- marker_start: "### BEGIN securedrop-workstation ###"
- marker_end: "### END securedrop-workstation ###"
- content: |
sys-usb sd-devices allow,user=root
@anyvm @tag:sd-workstation deny
@tag:sd-workstation @anyvm deny
dom0-rpc-qubes.OpenInVM:
- require:
- file: dom0-rpc-qubes.ensure.USBAttach

# The GPG policies still exist in the legacy location on 4.1,
# and the legacy locations take precedence over SDW rules due
# to the import in `/etc/qubes/policy.d/35-compat.policy`,
# so we'll maintain them in the old location.
dom0-rpc-qubes.Gpg:
file.blockreplace:
- name: /etc/qubes-rpc/policy/qubes.OpenInVM
- name: /etc/qubes-rpc/policy/qubes.Gpg
- prepend_if_not_found: True
- marker_start: "### BEGIN securedrop-workstation ###"
- marker_end: "### END securedrop-workstation ###"
- content: |
@tag:sd-client @dispvm:sd-viewer allow
@tag:sd-client sd-devices allow
sd-devices @dispvm:sd-viewer allow
@tag:sd-client sd-gpg allow
@anyvm @tag:sd-workstation deny
@tag:sd-workstation @anyvm deny
dom0-rpc-qubes.OpenURL:
dom0-rpc-qubes.GpgImportKey:
file.blockreplace:
- name: /etc/qubes-rpc/policy/qubes.OpenURL
- name: /etc/qubes-rpc/policy/qubes.GpgImportKey
- prepend_if_not_found: True
- marker_start: "### BEGIN securedrop-workstation ###"
- marker_end: "### END securedrop-workstation ###"
- content: |
@tag:sd-client sd-gpg allow
@anyvm @tag:sd-workstation deny
@tag:sd-workstation @anyvm deny
dom0-rpc-qubes.PdfConvert:
# Some legacy RPC files were moved under Qubes 4.1, to /etc/qubes/policy.d/.
# We'll continue to configure them under the legacy path for 4.0 hosts.
{% if grains['osrelease'] == '4.0' %}
dom0-rpc-qubes.FeaturesRequest:
file.blockreplace:
- name: /etc/qubes-rpc/policy/qubes.PdfConvert
- name: /etc/qubes-rpc/policy/qubes.FeaturesRequest
- prepend_if_not_found: True
- marker_start: "### BEGIN securedrop-workstation ###"
- marker_end: "### END securedrop-workstation ###"
- content: |
@anyvm @tag:sd-workstation deny
@tag:sd-workstation @anyvm deny
dom0-rpc-qubes.StartApp:
dom0-rpc-qubes.Filecopy:
file.blockreplace:
- name: /etc/qubes-rpc/policy/qubes.StartApp
- name: /etc/qubes-rpc/policy/qubes.Filecopy
- prepend_if_not_found: True
- marker_start: "### BEGIN securedrop-workstation ###"
- marker_end: "### END securedrop-workstation ###"
- content: |
sd-log @default ask
sd-log @tag:sd-receive-logs ask
sd-proxy @tag:sd-client allow
@anyvm @tag:sd-workstation deny
@tag:sd-workstation @anyvm deny
dom0-rpc-qubes.USB:
dom0-rpc-qubes.GetImageRGBA:
file.blockreplace:
- name: /etc/qubes-rpc/policy/qubes.USB
- name: /etc/qubes-rpc/policy/qubes.GetImageRGBA
- prepend_if_not_found: True
- marker_start: "### BEGIN securedrop-workstation ###"
- marker_end: "### END securedrop-workstation ###"
- content: |
sd-devices sys-usb allow
@anyvm @tag:sd-workstation deny
@tag:sd-workstation @anyvm deny
dom0-rpc-qubes.ensure.USBAttach:
file.managed:
- name: /etc/qubes-rpc/policy/qubes.USBAttach
- contents: |
@anyvm @anyvm ask
- replace: false
dom0-rpc-qubes.USBAttach:
dom0-rpc-qubes.OpenInVM:
file.blockreplace:
- name: /etc/qubes-rpc/policy/qubes.USBAttach
- name: /etc/qubes-rpc/policy/qubes.OpenInVM
- prepend_if_not_found: True
- marker_start: "### BEGIN securedrop-workstation ###"
- marker_end: "### END securedrop-workstation ###"
- content: |
sys-usb sd-devices allow,user=root
@tag:sd-client @dispvm:sd-viewer allow
@tag:sd-client sd-devices allow
sd-devices @dispvm:sd-viewer allow
@anyvm @tag:sd-workstation deny
@tag:sd-workstation @anyvm deny
- require:
- file: dom0-rpc-qubes.ensure.USBAttach
dom0-rpc-qubes.VMRootShell:
dom0-rpc-qubes.OpenURL:
file.blockreplace:
- name: /etc/qubes-rpc/policy/qubes.VMRootShell
- name: /etc/qubes-rpc/policy/qubes.OpenURL
- prepend_if_not_found: True
- marker_start: "### BEGIN securedrop-workstation ###"
- marker_end: "### END securedrop-workstation ###"
- content: |
@anyvm @tag:sd-workstation deny
@tag:sd-workstation @anyvm deny
dom0-rpc-qubes.VMshell:
dom0-rpc-qubes.StartApp:
file.blockreplace:
- name: /etc/qubes-rpc/policy/qubes.VMShell
- name: /etc/qubes-rpc/policy/qubes.StartApp
- prepend_if_not_found: True
- marker_start: "### BEGIN securedrop-workstation ###"
- marker_end: "### END securedrop-workstation ###"
- content: |
@anyvm @tag:sd-workstation deny
@tag:sd-workstation @anyvm deny
dom0-rpc-qubes.Gpg:
dom0-rpc-qubes.VMRootShell:
file.blockreplace:
- name: /etc/qubes-rpc/policy/qubes.Gpg
- name: /etc/qubes-rpc/policy/qubes.VMRootShell
- prepend_if_not_found: True
- marker_start: "### BEGIN securedrop-workstation ###"
- marker_end: "### END securedrop-workstation ###"
- content: |
@tag:sd-client sd-gpg allow
@anyvm @tag:sd-workstation deny
@tag:sd-workstation @anyvm deny
dom0-rpc-qubes.GpgImportKey:
dom0-rpc-qubes.VMshell:
file.blockreplace:
- name: /etc/qubes-rpc/policy/qubes.GpgImportKey
- name: /etc/qubes-rpc/policy/qubes.VMShell
- prepend_if_not_found: True
- marker_start: "### BEGIN securedrop-workstation ###"
- marker_end: "### END securedrop-workstation ###"
- content: |
@tag:sd-client sd-gpg allow
@anyvm @tag:sd-workstation deny
@tag:sd-workstation @anyvm deny
{% elif grains['osrelease'] == '4.1' %}
# Qubes suggests using files starting with 70- to be the allow policies
# and 60- deny policies, but due to the way SDW policies are stacked at the
# moment, we reverse this suggested order
dom0-rpc-qubes.r5-format-deny:
file.managed:
- name: /etc/qubes/policy.d/70-securedrop-workstation.policy
- contents: |
qubes.FeaturesRequest * @anyvm @tag:sd-workstation deny
qubes.FeaturesRequest * @tag:sd-workstation @anyvm deny
qubes.Filecopy * @anyvm @tag:sd-workstation deny
qubes.Filecopy * @tag:sd-workstation @anyvm deny
qubes.GetImageRGBA * @anyvm @tag:sd-workstation deny
qubes.GetImageRGBA * @tag:sd-workstation @anyvm deny
qubes.OpenInVM * @anyvm @tag:sd-workstation deny
qubes.OpenInVM * @tag:sd-workstation @anyvm deny
qubes.OpenURL * @anyvm @tag:sd-workstation deny
qubes.OpenURL * @tag:sd-workstation @anyvm deny
qubes.StartApp * @anyvm @tag:sd-workstation deny
qubes.StartApp * @tag:sd-workstation @anyvm deny
qubes.VMRootShell * @anyvm @tag:sd-workstation deny
qubes.VMRootShell * @tag:sd-workstation @anyvm deny
qubes.VMShell * @anyvm @tag:sd-workstation deny
qubes.VMShell * @tag:sd-workstation @anyvm deny
dom0-rpc-qubes.r5-format-ask-allow:
file.managed:
- name: /etc/qubes/policy.d/60-securedrop-workstation.policy
- contents: |
qubes.Filecopy * sd-log @default ask
qubes.Filecopy * sd-log @tag:sd-receive-logs ask
qubes.Filecopy * sd-proxy @tag:sd-client allow
qubes.OpenInVM * @tag:sd-client @dispvm:sd-viewer allow
qubes.OpenInVM * @tag:sd-client sd-devices allow
qubes.OpenInVM * sd-devices @dispvm:sd-viewer allow
{% endif %}
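Review bot: The `{% if grains['osrelease'] == '4.0' %} … {% elif grains['osrelease'] == '4.1' %}` block wrapping the FeaturesRequest, Filecopy, GetImageRGBA, OpenInVM, OpenURL, StartApp, VMRootShell and VMShell policies has no `else`, so on a host whose osrelease grain matches neither string the highstate succeeds while none of the `@tag:sd-workstation` deny catch-alls for those services is written — the policy silently falls open to the Qubes defaults. A terminal `{% else %}` branch that fails the run turns that into a visible provisioning error rather than a missing policy. The comment introducing the 4.1 block says the suggested 60-/70- ordering is reversed "due to the way SDW policies are stacked"; one more sentence — that first match wins, so the specific allow rules in 60- must sort before the tag-wide denies in 70- — would make the numbering self-explanatory. The 4.0 branch's opening lines fall outside the hunk as shown.
```yaml
# … unchanged: 4.0 legacy-path states and 4.1 policy.d states …
{% else %}
dom0-rpc-unsupported-release:
  test.fail_without_changes:
    - name: "Unsupported Qubes release '{{ grains['osrelease'] }}': SecureDrop RPC deny policies were not applied"
{% endif %}
```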

0 comments on commit d18d0c2
