diff --git a/files/etc/qubes/policy.d/60-securedrop-workstation.policy b/files/etc/qubes/policy.d/60-securedrop-workstation.policy
new file mode 100644
index 000000000..b1b958ae0
--- /dev/null
+++ b/files/etc/qubes/policy.d/60-securedrop-workstation.policy
@@ -0,0 +1,24 @@
+# required to suppress unsupported loopback error notifications
+securedrop.Log * sd-log sd-log deny notify=no
+securedrop.Log * @tag:sd-workstation sd-log allow
+
+securedrop.Proxy * sd-app sd-proxy allow
+
+qubes.Gpg * @tag:sd-client sd-gpg allow
+
+qubes.USBAttach * sys-usb sd-devices allow user=root
+qubes.USBAttach * @anyvm @anyvm ask
+
+qubes.USB * sd-devices sys-usb allow
+
+# TODO: should this be handled with the new Global Config UI instead?
+qubes.ClipboardPaste * @tag:sd-send-app-clipboard sd-app ask
+qubes.ClipboardPaste * sd-app @tag:sd-receive-app-clipboard ask
+
+qubes.Filecopy * sd-log @default ask
+qubes.Filecopy * sd-log @tag:sd-receive-logs ask
+qubes.Filecopy * sd-proxy @tag:sd-client allow
+
+qubes.OpenInVM * @tag:sd-client @dispvm:sd-viewer allow
+qubes.OpenInVM * @tag:sd-client sd-devices allow
+qubes.OpenInVM * sd-devices @dispvm:sd-viewer allow
diff --git a/files/etc/qubes/policy.d/70-securedrop-workstation.policy b/files/etc/qubes/policy.d/70-securedrop-workstation.policy
new file mode 100644
index 000000000..5ae590f73
--- /dev/null
+++ b/files/etc/qubes/policy.d/70-securedrop-workstation.policy
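Review bot: In 60-securedrop-workstation.policy, `qubes.USBAttach * @anyvm @anyvm ask` matches every source/target pair, so the two `qubes.USBAttach` deny lines added in 70-securedrop-workstation.policy look unreachable. This assumes policy.d files are read in lexical order and that the first matching rule wins. A USB attach request involving an sd-workstation-tagged qube, other than the sys-usb to sd-devices allow, would then end in a prompt rather than a deny. If the catch-all is only meant to keep the prompt for non-SecureDrop qubes, place it after the tag-scoped denies, for example at the end of the `qubes.USBAttach` stanza in the 70- file. A comment such as `# catch-all prompt for non-SecureDrop qubes; must follow the sd-workstation denies` would record the ordering dependency.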
@@ -0,0 +1,46 @@
+securedrop.Log * @anyvm @anyvm deny
+
+securedrop.Proxy * @anyvm @anyvm deny
+
+qubes.GpgImportKey * @anyvm @tag:sd-workstation deny
+qubes.GpgImportKey * @tag:sd-workstation @anyvm deny
+
+qubes.Gpg * @anyvm @tag:sd-workstation deny
+qubes.Gpg * @tag:sd-workstation @anyvm deny
+
+qubes.USBAttach * @anyvm @tag:sd-workstation deny
+qubes.USBAttach * @tag:sd-workstation @anyvm deny
+
+qubes.USB * @anyvm @tag:sd-workstation deny
+qubes.USB * @tag:sd-workstation @anyvm deny
+
+qubes.PdfConvert * @anyvm @tag:sd-workstation deny
+qubes.PdfConvert * @tag:sd-workstation @anyvm deny
+
+# TODO: should this be handled with the new Global Config UI instead?
+qubes.ClipboardPaste * @anyvm @tag:sd-workstation deny
+qubes.ClipboardPaste * @tag:sd-workstation @anyvm deny
+
+qubes.FeaturesRequest * @anyvm @tag:sd-workstation deny
+qubes.FeaturesRequest * @tag:sd-workstation @anyvm deny
+
+qubes.Filecopy * @anyvm @tag:sd-workstation deny
+qubes.Filecopy * @tag:sd-workstation @anyvm deny
+
+qubes.GetImageRGBA * @anyvm @tag:sd-workstation deny
+qubes.GetImageRGBA * @tag:sd-workstation @anyvm deny
+
+qubes.OpenInVM * @anyvm @tag:sd-workstation deny
+qubes.OpenInVM * @tag:sd-workstation @anyvm deny
+
+qubes.OpenURL * @anyvm @tag:sd-workstation deny
+qubes.OpenURL * @tag:sd-workstation @anyvm deny
+
+qubes.StartApp * @anyvm @tag:sd-workstation deny
+qubes.StartApp * @tag:sd-workstation @anyvm deny
+
+qubes.VMRootShell * @anyvm @tag:sd-workstation deny
+qubes.VMRootShell * @tag:sd-workstation @anyvm deny
+
+qubes.VMShell * @anyvm @tag:sd-workstation deny
+qubes.VMShell * @tag:sd-workstation @anyvm deny
diff --git a/files/etc/yum.repos.d/securedrop-workstation-dom0.repo b/files/etc/yum.repos.d/securedrop-workstation-dom0.repo
new file mode 100644
index 000000000..28d7c6aa1
--- /dev/null
+++ b/files/etc/yum.repos.d/securedrop-workstation-dom0.repo
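Review bot: The deny set in 70-securedrop-workstation.policy is an enumeration, so any qrexec service not named here falls through to whatever later policy files decide for sd-workstation-tagged qubes. `qubes.VMShell` and `qubes.VMRootShell` are covered, but `qubes.VMExec` and `qubes.VMExecGUI`, which offer comparable command execution, are not. Consider adding the same pair of rules for each, e.g. `qubes.VMExec * @anyvm @tag:sd-workstation deny` and `qubes.VMExec * @tag:sd-workstation @anyvm deny`. The file also has no header comment; one line saying that these are the fallback denies for the allows in the 60- file, and that they rely on being read after it, would make the ordering contract explicit.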
@@ -0,0 +1,6 @@
+[securedrop-workstation-dom0]
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation
+enabled=1
+baseurl=https://yum.securedrop.org/workstation/dom0/
+name=SecureDrop Workstation Qubes dom0 repo
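Review bot: Only package signatures are verified in securedrop-workstation-dom0.repo (`gpgcheck=1`); repository metadata is not, because `repo_gpgcheck` is unset. If the repository publishes signed metadata, adding `repo_gpgcheck=1` would reject tampered metadata independently of TLS to the `baseurl` host. The key file named in `gpgkey=` is not added in the hunks visible here, so confirm it is installed by the same package before this repo is enabled.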