diff --git a/MANIFEST.in b/MANIFEST.in index a3f77ee9..7a10c4f6 100644 --- a/MANIFEST.in +++ b/MANIFEST.in @@ -3,6 +3,7 @@ include dom0/*.top include dom0/*.j2 include dom0/*.yml include dom0/*.conf +include dom0/remove-tags include dom0/securedrop-admin include dom0/securedrop-login include dom0/securedrop-launcher.desktop diff --git a/dom0/remove-tags b/dom0/remove-tags new file mode 100755 index 00000000..3ef3e81a --- /dev/null +++ b/dom0/remove-tags @@ -0,0 +1,32 @@ +#!/usr/bin/env python3 +""" +Removes tags used for exempting VMs from default SecureDrop Workstation +RPC policies from all VMs (including non-SecureDrop ones). +""" +import qubesadmin + +q = qubesadmin.Qubes() + +TAGS_TO_REMOVE = ["sd-send-app-clipboard", "sd-receive-app-clipboard", "sd-receive-logs"] + + +def main(): + tags_removed = False + for vm in q.domains: + for tag in TAGS_TO_REMOVE: + if tag in q.domains[vm].tags: + print("Removing tag '{}' from VM '{}'.".format(tag, vm)) + try: + q.domains[vm].tags.remove(tag) + except Exception as error: + print("Error removing tag: '{}'".format(error)) + print("Aborting.") + exit(1) + tags_removed = True + + if tags_removed is False: + print("Tags {} not set on any VMs, nothing removed.".format(TAGS_TO_REMOVE)) + + +if __name__ == "__main__": + main() diff --git a/dom0/sd-clean-all.sls b/dom0/sd-clean-all.sls index 1d5b5647..069b84c7 100644 --- a/dom0/sd-clean-all.sls +++ b/dom0/sd-clean-all.sls @@ -46,6 +46,12 @@ remove-dom0-sdw-config-files: - /home/{{ gui_user }}/Desktop/securedrop-launcher.desktop - /home/{{ gui_user }}/.securedrop_launcher + +# Remove any custom RPC policy tags added to non-SecureDrop VMs by the user +remove-rpc-policy-tags: + cmd.script: + - name: salt://remove-tags + # Removes files that are provisioned by the dom0 RPM, only for the development # environment, since dnf takes care of those provisioned in the RPM {% if d.environment == "dev" %} @@ -53,8 +59,13 @@ remove-dom0-sdw-config-files-dev: file.absent: - names: - /opt/securedrop + - /srv/salt/remove-tags - /srv/salt/securedrop-update - /srv/salt/update-xfce-settings + # Do not remove these scripts before they have done their cleanup duties + - require: + - cmd: dom0-reset-icon-size-xfce + - cmd: remove-rpc-policy-tags {% endif %} sd-cleanup-etc-changes: diff --git a/dom0/sd-dom0-qvm-rpc.sls b/dom0/sd-dom0-qvm-rpc.sls index f0d49dee..b6fc2fcb 100644 --- a/dom0/sd-dom0-qvm-rpc.sls +++ b/dom0/sd-dom0-qvm-rpc.sls @@ -17,6 +17,8 @@ dom0-rpc-qubes.ClipboardPaste: - marker_start: "### BEGIN securedrop-workstation ###" - marker_end: "### END securedrop-workstation ###" - content: | + @tag:sd-send-app-clipboard sd-app ask + sd-app @tag:sd-receive-app-clipboard ask @anyvm @tag:sd-workstation deny @tag:sd-workstation @anyvm deny dom0-rpc-qubes.FeaturesRequest: @@ -35,6 +37,8 @@ dom0-rpc-qubes.Filecopy: - marker_start: "### BEGIN securedrop-workstation ###" - marker_end: "### END securedrop-workstation ###" - content: | + sd-log @default ask + sd-log @tag:sd-receive-logs ask sd-proxy @tag:sd-client allow @anyvm @tag:sd-workstation deny @tag:sd-workstation @anyvm deny diff --git a/rpm-build/SPECS/securedrop-workstation-dom0-config.spec b/rpm-build/SPECS/securedrop-workstation-dom0-config.spec index b38da295..c446c73a 100644 --- a/rpm-build/SPECS/securedrop-workstation-dom0-config.spec +++ b/rpm-build/SPECS/securedrop-workstation-dom0-config.spec @@ -59,6 +59,7 @@ install -m 644 dom0/*.top %{buildroot}/srv/salt/ install -m 644 dom0/*.j2 %{buildroot}/srv/salt/ install -m 644 dom0/*.yml %{buildroot}/srv/salt/ install -m 644 dom0/*.conf %{buildroot}/srv/salt/ +install -m 655 dom0/remove-tags %{buildroot}/srv/salt/ install -m 644 dom0/securedrop-login %{buildroot}/srv/salt/ install -m 644 dom0/securedrop-launcher.desktop %{buildroot}/srv/salt/ install -m 655 dom0/securedrop-handle-upgrade %{buildroot}/srv/salt/ @@ -92,6 +93,7 @@ install -m 644 launcher/sdw_util/*.py %{buildroot}/srv/salt/launcher/sdw_util/ /opt/securedrop/launcher/**/*.py /srv/salt/sd* /srv/salt/dom0-xfce-desktop-file.j2 +/srv/salt/remove-tags /srv/salt/securedrop-* /srv/salt/update-xfce-settings /srv/salt/fpf* diff --git a/scripts/securedrop-admin.py b/scripts/securedrop-admin.py index 5a721c80..d3c20326 100644 --- a/scripts/securedrop-admin.py +++ b/scripts/securedrop-admin.py @@ -149,7 +149,8 @@ def main(): elif args.uninstall: print( "Uninstalling will remove all packages and destroy all VMs associated\n" - "with SecureDrop Workstation." + "with SecureDrop Workstation. It will also remove all SecureDrop tags\n" + "from other VMs on the system." ) response = input("Are you sure you want to uninstall (y/N)? ") if response.lower() != 'y': diff --git a/tests/vars/qubes-rpc.yml b/tests/vars/qubes-rpc.yml index 256f84f3..8b963eb9 100644 --- a/tests/vars/qubes-rpc.yml +++ b/tests/vars/qubes-rpc.yml @@ -1,6 +1,8 @@ - policy: qubes.ClipboardPaste starts_with: |- ### BEGIN securedrop-workstation ### + @tag:sd-send-app-clipboard sd-app ask + sd-app @tag:sd-receive-app-clipboard ask @anyvm @tag:sd-workstation deny @tag:sd-workstation @anyvm deny ### END securedrop-workstation ### @@ -15,6 +17,8 @@ - policy: qubes.Filecopy starts_with: |- ### BEGIN securedrop-workstation ### + sd-log @default ask + sd-log @tag:sd-receive-logs ask sd-proxy @tag:sd-client allow @anyvm @tag:sd-workstation deny @tag:sd-workstation @anyvm deny