-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
> --
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab
I'm on R4.1. Up-to-date.
Can you please give an example of a working 3-arg form as it seems that
all positional arguments are required?
Policy:
```
## Do not modify this file, create a new policy with with a lower number in the
## file name instead. For example `30-user.policy`.
qusal.GitFetch * dom0 @default allow target=sys-git
qusal.GitPush * dom0 @default allow target=sys-git
qusal.GitInit * dom0 @default allow target=sys-git
qusal.GitFetch * @adminvm @default allow target=sys-git
qusal.GitPush * @adminvm @default allow target=sys-git
qusal.GitInit * @adminvm @default allow target=sys-git
qusal.GitFetch * @anyvm @default ask target=sys-git default_target=sys-git
qusal.GitPush * @anyvm @default ask target=sys-git default_target=sys-git
qusal.GitInit * @anyvm @default ask target=sys-git default_target=sys-git
qusal.GitFetch * @anyvm @anyvm deny
qusal.GitPush * @anyvm @anyvm deny
qusal.GitInit * @anyvm @anyvm deny
```
Yes, I now currently dom0 is the only @adminvm.
Trials:
```sh
# 1
$ qrexec-policy --just-evaluate dom0 @default qusal.GitInit+qusal
usage: qrexec-policy [-h] [--assume-yes-for-ask] [--just-evaluate]
[--path PATH]
src-domain-id SOURCE TARGET SERVICE+ARGUMENT
process-ident
qrexec-policy: error: the following arguments are required: SERVICE+ARGUMENT, process-ident
# 2
$ qrexec-policy --just-evaluate 0 dom0 @default qusal.GitInit+qusal 1
WARNING:root:warning: !compat-4.0 directive in file /etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be deprecated
# exit code 0
# 3
$ qrexec-policy --assume-yes-for-ask 0 dom0 @default qusal.GitInit+qusal 1
WARNING:root:warning: !compat-4.0 directive in file /etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be deprecated
INFO:policy:qrexec: qusal.GitInit+qusal: dom0 -> @default: denied: target @default is not a valid choice
# 4
$ qrexec-policy 0 dom0 @default qusal.GitInit+qusal 1
WARNING:root:warning: !compat-4.0 directive in file /etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be deprecated
ERROR:policy:qusal.GitInit not allowed from dom0: the resolution was "ask", but source domain has no GuiVM
INFO:policy:qrexec: qusal.GitInit+qusal: dom0 -> @default: denied: denied by the user /etc/qubes/policy.d/80-sys-git.policy:12
```
On 1 there is no possibility to skip domain id and process ident because
they don't have nargs='?'.
On 3 we see that if we assume yes for ask, @default can't be used.
On 4 if we don't assume, it is actually failing on the following rule:
```
qusal.GitInit * @anyvm @default ask target=sys-git default_target=sys-git
```
because "source domain has no GuiVM", but Dom0 has a GUI.
But how to get the policy to "work" yesterday?
Add "dom0" tag to "dom0" qube:
```
qvm-tags dom0 add dom0
```
Add rule allow "@tag:dom0" to "@default":
```
qusal.GitInit * @tag:dom0 @default allow target=sys-git
```
Was the only call that was passed to qrexec-client and has the correct
target domain name but failed:
```
$ qrexec-policy 0 dom0 @default qusal.GitInit+qusal 1
WARNING:root:warning: !compat-4.0 directive in file /etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be deprecated
INFO:policy:qrexec: qusal.GitInit+qusal: dom0 -> @default: allowed to sys-git
2023-10-24 09:00:00.000 qrexec-client[42694]: qrexec-client.c:184:connect_unix_socket: connect: No such file or directory
ERROR:policy:qrexec: qusal.GitInit+qusal: dom0 -> @default: error while executing: qrexec-client failed: ['/usr/lib/qubes/qrexec-client', '-d', 'sys-git', '-c', '1,dom0,0', '-E', '--', 'DEFAULT:QUBESRPC qusal.GitInit+qusal dom0']
```
And if I ask to just evaluate, it doens't print the rule:
```
$ qrexec-policy --just-evaluate 0 dom0 @default qusal.GitInit+qusal 1
WARNING:root:warning: !compat-4.0 directive in file /etc/qubes/policy.d/35-compat.policy line 16 is transitional and will be deprecated
```
Exit code 0
- --
Benjamin Grande
-----BEGIN PGP SIGNATURE-----
iNUEARYKAH0WIQRklnEdsUUe50UmvUUbcxS/DMyWhwUCZTeUTV8UgAAAAAAuAChp
c3N1ZXItZnByQG5vdGF0aW9ucy5vcGVucGdwLmZpZnRoaG9yc2VtYW4ubmV0NjQ5
NjcxMURCMTQ1MUVFNzQ1MjZCRDQ1MUI3MzE0QkYwQ0NDOTY4NwAKCRAbcxS/DMyW
hyzNAP94F3mxlrABdkZVaak6vlWiMUNNha06Nl9/znrBkYuruwEAuUMQkyesv497
qSVtHjRH2i/7qrNs7f53tHX5wKGX8Ag=
=Orvt
-----END PGP SIGNATURE-----