wip package files outside salt: add repo and rpc policy files

files/etc/qubes/policy.d/31-securedrop-workstation.policy

@@ -0,0 +1,24 @@
+# required to suppress unsupported loopback error notifications
+securedrop.Log          *           sd-log sd-log deny notify=no
+securedrop.Log          *           @tag:sd-workstation sd-log allow
+
+securedrop.Proxy        *           sd-app sd-proxy allow
+
+qubes.Gpg               *           @tag:sd-client sd-gpg allow
+
+qubes.USBAttach         *           sys-usb sd-devices allow  user=root
+qubes.USBAttach         *           @anyvm @anyvm ask
+
+qubes.USB               *           sd-devices sys-usb allow
+
+# TODO: should this be handled with the new Global Config UI instead?
+qubes.ClipboardPaste    *           @tag:sd-send-app-clipboard sd-app ask
+qubes.ClipboardPaste    *           sd-app @tag:sd-receive-app-clipboard ask
+
+qubes.Filecopy          *           sd-log @default ask
+qubes.Filecopy          *           sd-log @tag:sd-receive-logs ask
+qubes.Filecopy          *           sd-proxy @tag:sd-client allow
+
+qubes.OpenInVM          *           @tag:sd-client @dispvm:sd-viewer allow
+qubes.OpenInVM          *           @tag:sd-client sd-devices allow
+qubes.OpenInVM          *           sd-devices @dispvm:sd-viewer allow

files/etc/qubes/policy.d/32-securedrop-workstation.policy

@@ -0,0 +1,46 @@
+securedrop.Log          *           @anyvm @anyvm deny
+
+securedrop.Proxy        *           @anyvm @anyvm deny
+
+qubes.GpgImportKey      *           @anyvm @tag:sd-workstation deny
+qubes.GpgImportKey      *           @tag:sd-workstation @anyvm deny
+
+qubes.Gpg               *           @anyvm @tag:sd-workstation deny
+qubes.Gpg               *           @tag:sd-workstation @anyvm deny
+
+qubes.USBAttach         *           @anyvm @tag:sd-workstation deny
+qubes.USBAttach         *           @tag:sd-workstation @anyvm deny
+
+qubes.USB               *           @anyvm @tag:sd-workstation deny
+qubes.USB               *           @tag:sd-workstation @anyvm deny
+
+qubes.PdfConvert        *           @anyvm @tag:sd-workstation deny
+qubes.PdfConvert        *           @tag:sd-workstation @anyvm deny
+
+# TODO: should this be handled with the new Global Config UI instead?
+qubes.ClipboardPaste    *           @anyvm @tag:sd-workstation deny
+qubes.ClipboardPaste    *           @tag:sd-workstation @anyvm deny
+
+qubes.FeaturesRequest   *           @anyvm @tag:sd-workstation deny
+qubes.FeaturesRequest   *           @tag:sd-workstation @anyvm deny
+
+qubes.Filecopy          *           @anyvm @tag:sd-workstation deny
+qubes.Filecopy          *           @tag:sd-workstation @anyvm deny
+
+qubes.GetImageRGBA      *           @anyvm @tag:sd-workstation deny
+qubes.GetImageRGBA      *           @tag:sd-workstation @anyvm deny
+
+qubes.OpenInVM          *           @anyvm @tag:sd-workstation deny
+qubes.OpenInVM          *           @tag:sd-workstation @anyvm deny
+
+qubes.OpenURL           *           @anyvm @tag:sd-workstation deny
+qubes.OpenURL           *           @tag:sd-workstation @anyvm deny
+
+qubes.StartApp          *           @anyvm @tag:sd-workstation deny
+qubes.StartApp          *           @tag:sd-workstation @anyvm deny
+
+qubes.VMRootShell       *           @anyvm @tag:sd-workstation deny
+qubes.VMRootShell       *           @tag:sd-workstation @anyvm deny
+
+qubes.VMShell           *           @anyvm @tag:sd-workstation deny
+qubes.VMShell           *           @tag:sd-workstation @anyvm deny

files/etc/yum.repos.d/securedrop-workstation-dom0.repo

@@ -0,0 +1,6 @@
+[securedrop-workstation-dom0]
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation
+enabled=1
+baseurl=https://yum.securedrop.org/workstation/dom0/
+name=SecureDrop Workstation Qubes dom0 repo