From e72ac297c5459b1884628c1e901f9c8c91ac221e Mon Sep 17 00:00:00 2001
From: 3hhh
Date: Wed, 23 Nov 2022 17:21:48 +0100
Subject: [PATCH] qubes-pciback: misc PCI policy changes

- new wording
- enable only if rd.qubes.pci_policy is set
---
 .../modules.d/90qubes-pciback/module-setup.sh | 2 +-
 .../90qubes-pciback/qubes-pciback.sh | 22 +++++++++----------
 2 files changed, 11 insertions(+), 13 deletions(-)

diff --git a/dracut/modules.d/90qubes-pciback/module-setup.sh b/dracut/modules.d/90qubes-pciback/module-setup.sh
index 03c71999..d319a4b2 100755
--- a/dracut/modules.d/90qubes-pciback/module-setup.sh
+++ b/dracut/modules.d/90qubes-pciback/module-setup.sh
@@ -10,7 +10,7 @@ install () {
 inst_multiple /etc/nsswitch.conf
 inst_multiple /etc/usbguard/{qubes-usbguard.conf,rules.d,IPCAccessControl.d}
 inst_multiple /etc/usbguard/rules.d/*
- inst_multiple -o /etc/qubes-pci-whitelist.txt
+ inst_multiple -o /etc/qubes-pci-policy.conf
 inst -l /usr/bin/usbguard
 inst -l /usr/sbin/usbguard-daemon
 inst /usr/lib/systemd/system/usbguard.service.d/30_qubes.conf
diff --git a/dracut/modules.d/90qubes-pciback/qubes-pciback.sh b/dracut/modules.d/90qubes-pciback/qubes-pciback.sh
index 3fb27521..e046ffe4 100755
--- a/dracut/modules.d/90qubes-pciback/qubes-pciback.sh
+++ b/dracut/modules.d/90qubes-pciback/qubes-pciback.sh
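Review bot: `inst_multiple -o /etc/qubes-pci-policy.conf` keeps the policy file optional at image build time, so a host without it gets an initramfs without it and nothing is reported; with the runtime gate now being the `rd.qubes.pci_policy` command-line flag rather than file presence, that absence first surfaces as the `die "Failed to read ..."` in qubes-pciback.sh at boot. A build-time notice would let the operator see it before rebooting, e.g. `[ -e /etc/qubes-pci-policy.conf ] || dwarn "qubes-pciback: /etc/qubes-pci-policy.conf not found; rd.qubes.pci_policy will fail at boot"` next to the `inst_multiple -o` line. The `install ()` function starts and ends outside the hunk.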
@@ -1,18 +1,18 @@
 #!/bin/bash --
 type getarg >/dev/null 2>&1 || . /lib/dracut-lib.sh
-unset re HIDE_PCI usb_in_dom0 dev skip exposed PCI_WHITELIST_FILE PCI_WHITELIST_RE ignore_re devs invert
+unset re HIDE_PCI usb_in_dom0 dev skip exposed PCI_POLICY_FILE PCI_POLICY_RE ignore_re devs invert
 usb_in_dom0=false
 
-# PCI_WHITELIST_FILE syntax:
-# - one POSIX regex on `lspci -mm -n` per line (match = whitelisted)
+# PCI_POLICY_FILE syntax:
+# - one POSIX regex on `lspci -mm -n` per line (matching device = allowed)
 # - empty lines & lines starting with # are ignored
-# - lines starting with ! will cause a blacklisting
+# - lines starting with ! will cause a block
 # - processing stops as soon as a match is found
 # - WARNING: If you block devices required by dom0, Qubes may not boot anymore.
 # You'll have to chroot and re-create the initramfs.
-PCI_WHITELIST_FILE="/etc/qubes-pci-whitelist.txt"
+PCI_POLICY_FILE="/etc/qubes-pci-policy.conf"
 
 if getargbool 0 rd.qubes.hide_all_usb; then
 # Select all networking and USB devices
@@ -26,12 +26,10 @@ else
 warn 'USB in dom0 is not restricted. Consider rd.qubes.hide_all_usb or usbcore.authorized_default=0.'
 fi
 
-if [ -f "$PCI_WHITELIST_FILE" ] ; then
- PCI_WHITELIST_RE="$(cat "$PCI_WHITELIST_FILE")" || die "Failed to read ${PCI_WHITELIST_FILE}."
-fi
-if [ -n "$PCI_WHITELIST_RE" ] ; then
- info "Manual PCI whitelisting mode based on ${PCI_WHITELIST_FILE} in initramfs."
- getargbool 0 "rd.qubes.hide_all_usb" && warn "rd.qubes.hide_all_usb has no effect with manual PCI whitelisting."
+if getargbool 0 rd.qubes.pci_policy; then
+ PCI_POLICY_RE="$(cat "$PCI_POLICY_FILE")" || die "Failed to read ${PCI_POLICY_FILE}."
+ info "Manual PCI policy mode based on ${PCI_POLICY_FILE} in initramfs."
+ getargbool 0 "rd.qubes.hide_all_usb" && warn "rd.qubes.hide_all_usb has no effect with rd.qubes.pci_policy."
 ignore_re='^[[:blank:]]*(#.*)?$'
 devs="$(lspci -mm -n)" || die "Cannot obtain the list of PCI devices."
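Review bot: The rewritten syntax comment still does not say that the policy file is only evaluated when `rd.qubes.pci_policy` is on the kernel command line, which is exactly what this commit introduces in the following hunk; someone editing the file will assume, as before, that its presence is enough. Add a line such as `# - only evaluated when rd.qubes.pci_policy is set on the kernel command line` to the block, and it would also help to state what happens to a device matched by no line at all, if that default is that it is hidden (the loop deciding it lies outside this hunk).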
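Review bot: Dropping the `[ -n "$PCI_WHITELIST_RE" ]` guard means an empty policy file now enters the matching loop with no rule at all, and what that does to the device list depends on the default value of `skip` set outside this hunk — if unmatched devices are hidden, an empty file would hide every PCI device, including those dom0 needs, which the comment block above warns leaves the system unbootable. Since the operator explicitly requested policy mode via `rd.qubes.pci_policy`, failing loudly is preferable to silently applying an empty policy: `[ -n "$PCI_POLICY_RE" ] || die "${PCI_POLICY_FILE} is empty; refusing to apply an empty PCI policy."` after the `cat` line. Note also that a missing file now ends the boot through `die` where it was previously skipped; that is a sensible fail-closed choice, but it deserves a sentence in the commit message. The `if` block continues past the end of the hunk.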
@@ -45,7 +43,7 @@ if [ -n "$PCI_WHITELIST_RE" ] ; then
 [ $invert -eq 0 ] && skip=1 || skip=0
 break
 fi
- done <<< "$PCI_WHITELIST_RE"
+ done <<< "$PCI_POLICY_RE"
 [ $skip -eq 0 ] && info "Whitelisting: $dev" || HIDE_PCI="$HIDE_PCI ${dev%% *}"
 done <<< "$devs"
 else
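Review bot: `info "Whitelisting: $dev"` keeps the terminology the rest of the commit replaces, and the `A && B || C` form on that line also runs the `HIDE_PCI` append if `info` ever returns non-zero, so an allowed device could end up hidden because logging failed. `if [ "$skip" -eq 0 ]; then info "Allowed: $dev"; else HIDE_PCI="$HIDE_PCI ${dev%% *}"; fi` states the intent without that coupling; the same pattern on the `skip=1 || skip=0` line two lines up is harmless since assignments cannot fail. The enclosing `while … done <<< "$devs"` loop and the `if` it sits in both start outside the hunk.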