How to edit a policy
There are three ways to edit a policy:
with Qubes OS Global Config, the recommended way for the most common policies
with Qubes Policy Editor, a graphical text editor dedicated to this task
with qubes-policy-editor, a command-line text editor that will validate the file before saving it.
In this how-to, we will restrict the clipboard policy to prevent an untrusted qube from pasting something in a vault qube, as an example.
Edit a policy with Qubes OS Global Config
Qubes OS Global Config allows you to edit the most common policies. Following our clipboard example:
Go to the Clipboard tab.
Under Custom policy, select Add.
Change the drop-down items to get this: “untrusted will never be allowed to paste into the clipboard of vault”
Note: if there is any inconsistency, a pop-up will warn you about it.
Click on Accept and at the bottom of the window, select either OK or Apply.
Edit a policy with Qubes Policy Editor
Open Qubes Policy Editor
You have to either:
open an existing file using or Ctrl + O
or create a new file using or Ctrl + N
In that case, you need to choose a filename. The filename can only contain alphanumeric characters, underscores and hyphens. The common practice is to use a name like 30-user.policy where:
30 indicates the priority (i.e. the default policies start with 90 while the policies from Qubes OS Global Config start with 50)
user could be any name
In order to override some clipboard policy, 30-clipboard could be a good name. Starting with 30 makes sure that the file will be read before any file starting with 31 or more, especially 50-config-clipboard.policy (this file is automatically created if you Edit a policy with Qubes OS Global Config). If you want to create a policy that will never override the policies from Qubes OS Global Config, use a name starting with a number between 51 and 89. The default policies from Qubes OS start with 90, so using a number equal to or higher than that might be useless.
Add a line to the file. In order to prevent the untrusted qube from pasting to the vault qube, the line should be:
qubes.ClipboardPaste * untrusted vault deny
If you have made any edits and if the format is correct, you will be able to select Save Changes and Save and Exit, or to press Ctrl + S.
Edit a policy with qubes-policy-editor
qubes-policy-editor is a command-line tool that ensures that the syntax of the policy is valid. You have to run it as root:
[root@dom0] # qubes-policy-editor
An editor will open; it will be your default editor if you have set the environment variable $EDITOR or $VISUAL, otherwise it will fall back to vi. After saving the file, qubes-policy-editor will check the content and tell you if there is something wrong with the syntax.
It will open 30-user.policy by default but you can invoke the program with any valid filename (only alphanumeric characters, underscores and hyphens), without the .policy extension:
[root@dom0] # qubes-policy-editor 30-clipboard
In that case, qubes-policy-editor will also check that the filename of the policy is correct.
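The filename rule and the read order described above can be checked with a small model. The following is an added example, not part of Qubes OS or its tools: it is a simplified sketch that only understands exact qube names plus the * and @anyvm wildcards, and the content of 50-config-clipboard is constructed for illustration.

```python
import re

# Filename rule from this page: alphanumerics, underscores and hyphens only.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")

def valid_name(name):
    """True if `name` (given without the .policy extension) is acceptable."""
    return bool(NAME_RE.match(name))

def parse(text):
    """Yield (service, argument, source, target, action) from policy text."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"malformed rule: {line!r}")
        yield tuple(fields[:5])

def matches(pattern, value):
    # Simplification: only exact names plus the '*' and '@anyvm' wildcards.
    return pattern in ("*", "@anyvm") or pattern == value

def decide(files, service, source, target):
    """Return (filename, action) of the first matching rule, files in name order."""
    for name in sorted(files):
        if not valid_name(name):
            raise ValueError(f"invalid policy filename: {name!r}")
        for svc, _arg, src, dst, action in parse(files[name]):
            if svc == service and matches(src, source) and matches(dst, target):
                return name, action
    return None, "deny"  # assumed here: no matching rule means the call is refused

# Constructed sample content, not copied from a real system.
FILES = {
    "50-config-clipboard": "qubes.ClipboardPaste * @anyvm @anyvm ask\n",
    "30-clipboard": "qubes.ClipboardPaste * untrusted vault deny\n",
}

if __name__ == "__main__":
    print(decide(FILES, "qubes.ClipboardPaste", "untrusted", "vault"))
    print(decide(FILES, "qubes.ClipboardPaste", "work", "vault"))
```

Renaming the same rule file to a number above 50 in this model lets the broader rule in 50-config-clipboard match first, which is why the prefix matters for a deny rule.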