Converts RPC sd-svs -> $tag:sd-client
We use a tag rather than a hardcoded AppVM name to support flexible
configuration. In the main, this is useful to developers, so that the
`sd-dev` AppVM can be tagged with `sd-client`, and thereby make calls as
though it were `sd-svs`. The Salt logic does not create `sd-dev`, it's
up to the developer to configure that machine.

Includes corresponding config test updates to validate the RPC policy
changes. There are no functional changes to sd-svs grants, merely the
possibility that other VMs can be manually granted similar capability.

Includes docs, recommending that developers add the new `sd-client` tag
to the dev VM manually, if working on the Client code.
Conor Schaefer committed Jul 24, 2019
1 parent 503fd6f commit 784076d
Showing 5 changed files with 20 additions and 10 deletions.
8 changes: 8 additions & 0 deletions README.md
Expand Up @@ -80,6 +80,14 @@ export SECUREDROP_DEV_DIR=/home/user/projects/securedrop-workstation # set to
make clone
```

If you plan to work on the [SecureDrop Client](https://github.com/freedomofpress/securedrop-client) code, also run:

```
qvm-tags sd-dev add sd-client
```

Doing so will permit the `sd-dev` AppVM to make RPC calls with the same privileges as the `sd-svs` AppVM.

**NOTE:** The destination directory on `dom0` is not customizable; it must be `securedrop-workstation` in your home directory.

#### Building
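Review bot: The added README paragraph says `sd-dev` gets "the same privileges as the `sd-svs` AppVM" without saying what those privileges are or where the command is run. Suggest stating that `qvm-tags sd-dev add sd-client` is run in `dom0`, and listing the services the tag unlocks in this commit (Filecopy from `sd-proxy`, OpenInVM to `sd-svs-disp` and `sd-export-usb`, Gpg and GpgImportKey to `sd-gpg`) so a developer knows what is being granted. A line on removing the tag once Client work is finished would also help.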
10 changes: 5 additions & 5 deletions dom0/sd-dom0-qvm-rpc.sls
Expand Up @@ -33,7 +33,7 @@ dom0-rpc-qubes.Filecopy:
- marker_start: "### BEGIN securedrop-workstation ###"
- marker_end: "### END securedrop-workstation ###"
- content: |
sd-proxy sd-svs allow
sd-proxy $tag:sd-client allow
$anyvm $tag:sd-workstation deny
dom0-rpc-qubes.OpenInVM:
file.blockreplace:
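Review bot: The `$anyvm $tag:sd-workstation deny` line after the new Filecopy allow only covers targets tagged `sd-workstation`, while the allow now matches any target tagged `sd-client`. The README change in this commit tells developers to add only `sd-client` to `sd-dev`, so Filecopy requests from other VMs to `sd-dev` are not caught by this block and fall through to whatever rules follow the END marker. If that is not intended, add `$anyvm $tag:sd-client deny` after the allow line, or document that `sd-dev` should carry both tags.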
Expand All @@ -42,8 +42,8 @@ dom0-rpc-qubes.OpenInVM:
- marker_start: "### BEGIN securedrop-workstation ###"
- marker_end: "### END securedrop-workstation ###"
- content: |
sd-svs $dispvm:sd-svs-disp allow
sd-svs sd-export-usb allow
$tag:sd-client $dispvm:sd-svs-disp allow
$tag:sd-client sd-export-usb allow
$anyvm $tag:sd-workstation deny
dom0-rpc-qubes.OpenURL:
file.blockreplace:
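Review bot: The two rewritten OpenInVM allow lines no longer name the caller, so the policy file alone does not tell a reader which VMs can reach `sd-svs-disp` and `sd-export-usb`. Suggest a `#` comment inside the block noting that `sd-client` is assigned to `sd-svs` by `dom0/sd-svs.sls` and is only added to other VMs by hand for development, with the expected text in `tests/vars/qubes-rpc.yml` updated to match.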
Expand Down Expand Up @@ -100,7 +100,7 @@ dom0-rpc-qubes.Gpg:
- marker_start: "### BEGIN securedrop-workstation ###"
- marker_end: "### END securedrop-workstation ###"
- content: |
sd-svs sd-gpg allow
$tag:sd-client sd-gpg allow
$anyvm $tag:sd-workstation deny
dom0-rpc-qubes.GpgImportKey:
file.blockreplace:
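Review bot: With `$tag:sd-client sd-gpg allow`, access to `sd-gpg` now depends on tag membership instead of on the caller being `sd-svs`, which `dom0/sd-svs.sls` configures with `netvm: ""`. Nothing in the rule requires a tagged caller to be offline, so the README should say whether a networked `sd-dev` is an accepted configuration for this grant.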
Expand All @@ -109,5 +109,5 @@ dom0-rpc-qubes.GpgImportKey:
- marker_start: "### BEGIN securedrop-workstation ###"
- marker_end: "### END securedrop-workstation ###"
- content: |
sd-svs sd-gpg allow
$tag:sd-client sd-gpg allow
$anyvm $tag:sd-workstation deny
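Review bot: The GpgImportKey allow line may not need to move to the tag. The commit message says the tag exists so `sd-dev` can make calls as though it were `sd-svs`, but if Client development never imports keys, this block could keep `sd-svs sd-gpg allow` and leave one less service open to a hand-tagged VM.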
1 change: 1 addition & 0 deletions dom0/sd-svs.sls
Expand Up @@ -33,6 +33,7 @@ sd-svs:
- netvm: ""
- tags:
- add:
- sd-client
- sd-workstation
- features:
- enable:
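Review bot: Adding `sd-client` under `tags: add:` makes the rewritten RPC policies depend on this state having run. An `sd-svs` provisioned before this commit has no `sd-client` tag and will not match the new `$tag:sd-client` allow lines until the state is re-applied. Worth a note in the upgrade instructions, or a requisite from the policy state onto this one.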
1 change: 1 addition & 0 deletions tests/test_vms_exist.py
Expand Up @@ -77,6 +77,7 @@ def test_sd_svs_config(self):
self._check_kernel(vm)
self._check_service_running(vm, "paxctld")
self.assertTrue('sd-workstation' in vm.tags)
self.assertTrue('sd-client' in vm.tags)

def test_sd_svs_disp_config(self):
vm = self.app.domains["sd-svs-disp"]
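Review bot: The new assertion in `test_sd_svs_config` only checks that `sd-svs` carries `sd-client`; nothing checks that no unexpected VM carries it, which is now what decides access to `sd-gpg` and `sd-export-usb`. Consider a test that walks `self.app.domains` and compares the set of VMs tagged `sd-client` against an expected list, with `sd-dev` tolerated in a development environment. Minor: `assertIn('sd-client', vm.tags)` gives a clearer failure message than `assertTrue(... in ...)`.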
10 changes: 5 additions & 5 deletions tests/vars/qubes-rpc.yml
Expand Up @@ -13,7 +13,7 @@
- policy: Filecopy
starts_with: |-
### BEGIN securedrop-workstation ###
sd-proxy sd-svs allow
sd-proxy $tag:sd-client allow
$anyvm $tag:sd-workstation deny
### END securedrop-workstation ###
Expand Down Expand Up @@ -49,14 +49,14 @@
- policy: Gpg
starts_with: |-
### BEGIN securedrop-workstation ###
sd-svs sd-gpg allow
$tag:sd-client sd-gpg allow
$anyvm $tag:sd-workstation deny
### END securedrop-workstation ###
- policy: GpgImportKey
starts_with: |-
### BEGIN securedrop-workstation ###
sd-svs sd-gpg allow
$tag:sd-client sd-gpg allow
$anyvm $tag:sd-workstation deny
### END securedrop-workstation ###
Expand Down Expand Up @@ -90,8 +90,8 @@
- policy: OpenInVM
starts_with: |-
### BEGIN securedrop-workstation ###
sd-svs $dispvm:sd-svs-disp allow
sd-svs sd-export-usb allow
$tag:sd-client $dispvm:sd-svs-disp allow
$tag:sd-client sd-export-usb allow
$anyvm $tag:sd-workstation deny
### END securedrop-workstation ###
