qubes-pciback: misc PCI policy changes

- new wording - enable only if rd.qubes.pci_policy is set
QubesOS · Nov 23, 2022 · e72ac29 · e72ac29
1 parent b5b80a6
commit e72ac29
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 13 deletions.
diff --git a/dracut/modules.d/90qubes-pciback/module-setup.sh b/dracut/modules.d/90qubes-pciback/module-setup.sh
@@ -10,7 +10,7 @@ install () {
     inst_multiple /etc/nsswitch.conf
     inst_multiple /etc/usbguard/{qubes-usbguard.conf,rules.d,IPCAccessControl.d}
     inst_multiple /etc/usbguard/rules.d/*
-    inst_multiple -o /etc/qubes-pci-whitelist.txt
+    inst_multiple -o /etc/qubes-pci-policy.conf
     inst -l /usr/bin/usbguard
     inst -l /usr/sbin/usbguard-daemon
     inst /usr/lib/systemd/system/usbguard.service.d/30_qubes.conf

diff --git a/dracut/modules.d/90qubes-pciback/qubes-pciback.sh b/dracut/modules.d/90qubes-pciback/qubes-pciback.sh
@@ -1,18 +1,18 @@
 #!/bin/bash --
 
 type getarg >/dev/null 2>&1 || . /lib/dracut-lib.sh
-unset re HIDE_PCI usb_in_dom0 dev skip exposed PCI_WHITELIST_FILE PCI_WHITELIST_RE ignore_re devs invert
+unset re HIDE_PCI usb_in_dom0 dev skip exposed PCI_POLICY_FILE PCI_POLICY_RE ignore_re devs invert
 
 usb_in_dom0=false
 
-# PCI_WHITELIST_FILE syntax:
-# - one POSIX regex on `lspci -mm -n` per line (match = whitelisted)
+# PCI_POLICY_FILE syntax:
+# - one POSIX regex on `lspci -mm -n` per line (matching device = allowed)
 # - empty lines & lines starting with # are ignored
-# - lines starting with ! will cause a blacklisting
+# - lines starting with ! will cause a block
 # - processing stops as soon as a match is found
 # - WARNING: If you block devices required by dom0, Qubes may not boot anymore.
 #            You'll have to chroot and re-create the initramfs.
-PCI_WHITELIST_FILE="/etc/qubes-pci-whitelist.txt"
+PCI_POLICY_FILE="/etc/qubes-pci-policy.conf"
 
 if getargbool 0 rd.qubes.hide_all_usb; then
     # Select all networking and USB devices
@@ -26,12 +26,10 @@ else
     warn 'USB in dom0 is not restricted. Consider rd.qubes.hide_all_usb or usbcore.authorized_default=0.'
 fi
 
-if [ -f "$PCI_WHITELIST_FILE" ] ; then
-    PCI_WHITELIST_RE="$(cat "$PCI_WHITELIST_FILE")" || die "Failed to read ${PCI_WHITELIST_FILE}."
-fi
-if [ -n "$PCI_WHITELIST_RE" ] ; then
-    info "Manual PCI whitelisting mode based on ${PCI_WHITELIST_FILE} in initramfs."
-    getargbool 0 "rd.qubes.hide_all_usb" && warn "rd.qubes.hide_all_usb has no effect with manual PCI whitelisting."
+if getargbool 0 rd.qubes.pci_policy; then
+    PCI_POLICY_RE="$(cat "$PCI_POLICY_FILE")" || die "Failed to read ${PCI_POLICY_FILE}."
+    info "Manual PCI policy mode based on ${PCI_POLICY_FILE} in initramfs."
+    getargbool 0 "rd.qubes.hide_all_usb" && warn "rd.qubes.hide_all_usb has no effect with rd.qubes.pci_policy."
     ignore_re='^[[:blank:]]*(#.*)?$'
     devs="$(lspci -mm -n)" || die "Cannot obtain the list of PCI devices."
 
@@ -45,7 +43,7 @@ if [ -n "$PCI_WHITELIST_RE" ] ; then
                 [ $invert -eq 0 ] && skip=1 || skip=0
                 break
             fi
-        done <<< "$PCI_WHITELIST_RE"
+        done <<< "$PCI_POLICY_RE"
         [ $skip -eq 0 ] && info "Whitelisting: $dev" || HIDE_PCI="$HIDE_PCI ${dev%% *}"
     done <<< "$devs"
 else