feat: install Qusal TCP Proxy on updatevm's origin

Document qusal.ConnectTCP in dev's Access Control as it defaults to deny and causes confusion to users why it doesn't work by default. This is an exception of the rule that a formula cannot document the RPC service of another formula to avoid duplication.
ben-grande · Jun 26, 2024 · eb3a8ab · eb3a8ab
1 parent c2fc4b5
commit eb3a8ab
Show file tree

Hide file tree

Showing 7 changed files with 81 additions and 0 deletions.
diff --git a/salt/dev/README.md b/salt/dev/README.md
@@ -6,6 +6,7 @@ Development environment in Qubes OS.
 
 * [Description](#description)
 * [Installation](#installation)
+* [Access Control](#access-control)
 * [Usage](#usage)
 
 ## Description
@@ -22,6 +23,10 @@ allows.
 sudo qubesctl top.enable dev
 sudo qubesctl --targets=tpl-dev,dvm-dev,dev state.apply
 sudo qubesctl top.disable dev
+proxy_target="$(qusal-report-updatevm-origin)"
+if test -n "${proxy_target}"; then
+  sudo qubesctl --skip-dom0 --targets="${proxy_target}" state.apply sys-net.install-proxy
+fi
 ```
 
 - State
@@ -31,9 +36,35 @@ sudo qubesctl state.apply dev.create
 sudo qubesctl --skip-dom0 --targets=tpl-dev state.apply dev.install
 sudo qubesctl --skip-dom0 --targets=dvm-dev state.apply dev.configure-dvm
 sudo qubesctl --skip-dom0 --targets=dev state.apply dev.configure
+proxy_target="$(qusal-report-updatevm-origin)"
+if test -n "${proxy_target}"; then
+  sudo qubesctl --skip-dom0 --targets="${proxy_target}" state.apply sys-net.install-proxy
+fi
 ```
 <!-- pkg:end:post-install -->
 
+The installation will make the Qusal TCP Proxy available in the `updatevm`
+(after it is restarted in case it is template based). If you want to have the
+proxy available on a `netvm` that is not deployed by Qusal, install the Qusal
+TCP proxy on the templates of your `netvm`:
+```sh
+sudo qubesctl --skip-dom0 --targets=TEMPLATE state.apply sys-net.install-proxy
+```
+
+Remember to restart the `netvms` after the proxy installation for the changes
+to take effect.
+
+## Access Control
+
+_Default policy_: `denies` `all` qubes from calling `qusal.ConnectTCP`
+
+Allow qube `dev` to `connect` to `github.com:22` via `disp-sys-net` but not to
+any other host or via any other qube:
+```qrexecpolicy
+qusal.ConnectTCP +github.com+22 dev @default allow target=disp-sys-net
+qusal.ConnectTCP *              dev @anyvm   deny
+```
+
 ## Usage
 
 The development qube `dev` can be used for:

diff --git a/salt/dev/create.sls b/salt/dev/create.sls
@@ -8,6 +8,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 
 include:
   - .clone
+  - sys-net.show-updatevm-origin
 
 {% load_yaml as defaults -%}
 name: tpl-{{ slsdotpath }}

diff --git a/salt/dev/init.top b/salt/dev/init.top
@@ -14,3 +14,6 @@ base:
     - dev.configure-dvm
   'dev':
     - dev.configure
+  '(I@qubes:type:template or I@qubes:type:standalone) and (G@kernel:Linux or G@kernel:*BSD)':
+    - match: compound
+    - sys-net.install-proxy
diff --git a/salt/sys-net/create.sls b/salt/sys-net/create.sls
@@ -10,6 +10,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 
 include:
   - .clone
+  - .show-updatevm-origin
 
 {% load_yaml as defaults -%}
 name: tpl-{{ slsdotpath }}

diff --git a/salt/sys-net/files/admin/bin/qusal-report-updatevm-origin b/salt/sys-net/files/admin/bin/qusal-report-updatevm-origin
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+## SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <[email protected]>
+##
+## SPDX-License-Identifier: AGPL-3.0-or-later
+
+set -eu
+
+updatevm="$(qubes-prefs updatevm)"
+updatevm_class="$(qvm-prefs "${updatevm}" klass)"
+proxy_target=""
+case "${updatevm_class}" in
+  StandaloneVM) proxy_target="${updatevm}";;
+  AppVM) proxy_target="$(qvm-prefs "${updatevm}" template)";;
+  DispVM)
+    proxy_target="$(qvm-prefs "$(qvm-prefs "${updatevm}" template)" template)"
+    ;;
+esac
+if test -n "${proxy_target}"; then
+  echo "${proxy_target}"
+fi
diff --git a/salt/sys-net/show-updatevm-origin.sls b/salt/sys-net/show-updatevm-origin.sls
@@ -0,0 +1,14 @@
+{#
+SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <[email protected]>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+"{{ slsdotpath }}-get-updatevm-origin":
+  file.managed:
+    - name: /usr/local/bin/qusal-report-updatevm-origin
+    - source: salt://{{ slsdotpath }}/files/admin/bin/qusal-report-updatevm-origin
+    - mode: "0755"
+    - user: root
+    - group: root
+    - makedirs: True
diff --git a/salt/sys-net/show-updatevm-origin.top b/salt/sys-net/show-updatevm-origin.top
@@ -0,0 +1,10 @@
+{#
+SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <[email protected]>
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+base:
+  'dom0':
+    - match: nodegroup
+    - sys-net.show-updatevm-origin