qrexec-policy-graph – Graph qrexec policy¶
Synopsis¶
qrexec-policy-graph [-h] [–include-ask] [–source SOURCE [SOURCE …]] [–target TARGET [TARGET …]] [–service SERVICE [SERVICE …]] [–output OUTPUT] [–policy-dir POLICY_DIR] [–system-info SYSTEM_INFO]
Options¶
- --help, -h¶
show this help message and exit
- --include-ask¶
Include ask action in graph. In most cases produce unreadable graphs because many services contains $anyvm $anyvm ask rules. It’s recommended to limit graph using other options.
- --source¶
Limit graph to calls from source. You can specify multiple names.
- --target¶
Limit graph to calls to target. You can specify multiple names.
- --service¶
Limit graph to service. You can specify multiple names. This can be either bare service name, or service with argument (joined with +). If bare service name is given, output will contain also policies for specific arguments.
- --output¶
Write to output instead of stdout. The file will be overwritten without confirmation.
- --policy-dir¶
Look for policy in policy-dir. This can be useful to process policy extracted from other system. This option adjust only base directory, if any policy file contains $include:path with absolute path, it will try to load the file from that location. See also –system-info option.
- --system-info¶
Load system information from file instead of querying local qubesd instance. The file should be in json format, as returned by internal.GetSystemInfo qubesd method. This can be obtained by running in dom0:
qubesd-query -e -c /var/run/qubesd.internal.sock dom0 internal.GetSystemInfo dom0 | cut -b 3-
- --skip-labels¶
Do not include service names on the graph. Also, include only a single connection between qubes if any service call is allowed there.