Merge pull request #299 from freedomofpress/288-use-tags-for-client-g…

…rants Uses tags for RPC grants denoting Client privileges
freedomofpress · Jul 25, 2019 · bdbcaa7 · bdbcaa7
2 parents 503fd6f + c7383e5
commit bdbcaa7
Show file tree

Hide file tree

Showing 11 changed files with 43 additions and 361 deletions.
diff --git a/README.md b/README.md
@@ -80,6 +80,14 @@ export SECUREDROP_DEV_DIR=/home/user/projects/securedrop-workstation    # set to
 make clone
 ```
 
+If you plan to work on the [SecureDrop Client](https://github.com/freedomofpress/securedrop-client) code, also run:
+
+```
+qvm-tags sd-dev add sd-client
+```
+
+Doing so will permit the `sd-dev` AppVM to make RPC calls with the same privileges as the `sd-svs` AppVM.
+
 **NOTE:** The destination directory on `dom0` is not customizable; it must be `securedrop-workstation` in your home directory.
 
 #### Building

diff --git a/dom0/sd-dom0-qvm-rpc.sls b/dom0/sd-dom0-qvm-rpc.sls
@@ -33,7 +33,7 @@ dom0-rpc-qubes.Filecopy:
     - marker_start: "### BEGIN securedrop-workstation ###"
     - marker_end: "### END securedrop-workstation ###"
     - content: |
-        sd-proxy sd-svs allow
+        sd-proxy $tag:sd-client allow
         $anyvm $tag:sd-workstation deny
 dom0-rpc-qubes.OpenInVM:
   file.blockreplace:
@@ -42,8 +42,8 @@ dom0-rpc-qubes.OpenInVM:
     - marker_start: "### BEGIN securedrop-workstation ###"
     - marker_end: "### END securedrop-workstation ###"
     - content: |
-        sd-svs $dispvm:sd-svs-disp allow
-        sd-svs sd-export-usb allow
+        $tag:sd-client $dispvm:sd-svs-disp allow
+        $tag:sd-client sd-export-usb allow
         $anyvm $tag:sd-workstation deny
 dom0-rpc-qubes.OpenURL:
   file.blockreplace:
@@ -100,7 +100,7 @@ dom0-rpc-qubes.Gpg:
     - marker_start: "### BEGIN securedrop-workstation ###"
     - marker_end: "### END securedrop-workstation ###"
     - content: |
-        sd-svs sd-gpg allow
+        $tag:sd-client sd-gpg allow
         $anyvm $tag:sd-workstation deny
 dom0-rpc-qubes.GpgImportKey:
   file.blockreplace:
@@ -109,5 +109,5 @@ dom0-rpc-qubes.GpgImportKey:
     - marker_start: "### BEGIN securedrop-workstation ###"
     - marker_end: "### END securedrop-workstation ###"
     - content: |
-        sd-svs sd-gpg allow
+        $tag:sd-client sd-gpg allow
         $anyvm $tag:sd-workstation deny
diff --git a/dom0/sd-svs-files.sls b/dom0/sd-svs-files.sls
@@ -11,45 +11,10 @@
 include:
   - fpf-apt-test-repo
 
-sd-svs-configure-gpg-domain:
-  file.managed:
-    - name: /etc/profile.d/sd-svs-qubes-gpg-domain.sh
-    - source: salt://sd/sd-svs/dot-profile
-    - user: root
-    - group: root
-    - mode: 644
-
-sd-svs-open-in-dvm-desktop-file:
-  file.managed:
-    - name: /usr/share/applications/open-in-dvm.desktop
-    - source: salt://sd/sd-svs/open-in-dvm.desktop
-    - user: root
-    - group: root
-    - mode: 644
-    - makedirs: True
-
-sd-svs-configure-mimetypes:
-  file.managed:
-    - name: /usr/share/applications/mimeapps.list
-    - source: salt://sd/sd-svs/mimeapps.list
-    - user: user
-    - group: user
-    - mode: 644
-    - makedirs: True
-  cmd.run:
-    - name: sudo update-desktop-database /usr/share/applications
-    - require:
-      - file: sd-svs-configure-mimetypes
-    - onchanges:
-      - file: sd-svs-configure-mimetypes
-      - file: sd-svs-open-in-dvm-desktop-file
-
 # FPF repo is setup in "securedrop-workstation" template
 install-securedrop-client-package:
   pkg.installed:
     - pkgs:
-      - python3-pyqt5
-      - python3-pyqt5.qtsvg
       - securedrop-client
     - require:
       - sls: fpf-apt-test-repo
diff --git a/dom0/sd-svs.sls b/dom0/sd-svs.sls
@@ -33,6 +33,7 @@ sd-svs:
       - netvm: ""
     - tags:
       - add:
+        - sd-client
         - sd-workstation
     - features:
       - enable:

diff --git a/sd-svs/dot-profile b/sd-svs/dot-profile