Permit whitelisting VMs for copy/paste & copying logs via tags

dom0/sd-dom0-qvm-rpc.sls

@@ -17,6 +17,8 @@ dom0-rpc-qubes.ClipboardPaste:
     - marker_start: "### BEGIN securedrop-workstation ###"
     - marker_end: "### END securedrop-workstation ###"
     - content: |
+        @tag:send-clipboard-to-sd @tag:sd-workstation ask
+        @tag:sd-workstation @tag:receive-clipboard-from-sd ask
         @anyvm @tag:sd-workstation deny
         @tag:sd-workstation @anyvm deny
 dom0-rpc-qubes.FeaturesRequest:
@@ -35,6 +37,8 @@ dom0-rpc-qubes.Filecopy:
     - marker_start: "### BEGIN securedrop-workstation ###"
     - marker_end: "### END securedrop-workstation ###"
     - content: |
+        sd-log @default ask
+        sd-log @tag:receive-sd-logs ask
         sd-proxy @tag:sd-client allow
         @anyvm @tag:sd-workstation deny
         @tag:sd-workstation @anyvm deny

tests/vars/qubes-rpc.yml

@@ -1,6 +1,8 @@
 - policy: qubes.ClipboardPaste
   starts_with: |-
     ### BEGIN securedrop-workstation ###
+    @tag:send-clipboard-to-sd @tag:sd-workstation ask
+    @tag:sd-workstation @tag:receive-clipboard-from-sd ask
     @anyvm @tag:sd-workstation deny
     @tag:sd-workstation @anyvm deny
     ### END securedrop-workstation ###
@@ -15,6 +17,8 @@
 - policy: qubes.Filecopy
   starts_with: |-
     ### BEGIN securedrop-workstation ###
+    sd-log @default ask
+    sd-log @tag:receive-sd-logs ask
     sd-proxy @tag:sd-client allow
     @anyvm @tag:sd-workstation deny
     @tag:sd-workstation @anyvm deny