linux-qubasis

linux oasis port as a qubes template

git clone https://9o.is/git/linux-qubasis.git

commit 255e008f6a430d824dba9eebd029195b157e5c34
parent 1234532d20a41005ea8a3c37f05f22fa5340c0f9
Author: Jul <jul@9o.is>
Date:   Wed, 19 Nov 2025 05:00:24 -0500

set qubes policy for build vm

Diffstat:

Mgen.sh | 1+


Aqubes/30-build.policy | 4++++


Mqubes/gen.sh | 2++


Mqubes/genfn.sh | 16++++++++++++++++


Mqubes/rules.sh | 3+++


5 files changed, 26 insertions(+), 0 deletions(-)

diff --git a/gen.sh b/gen.sh
@@ -17,5 +17,6 @@ subgen qubes
 
 phony build.ninja $dir/ninja
 phony build qubes/build
+phony install qubes/install
 
 default build
diff --git a/qubes/30-build.policy b/qubes/30-build.policy
@@ -0,0 +1,4 @@
+admin.vm.create.TemplateVM      *       build @adminvm              allow target=@adminvm
+admin.vm.volume.ImportWithSize  +root   build @tag:created-by-build allow target=@adminvm
+admin.vm.CurrentState           *       build @tag:build-client     allow target=@adminvm
+admin.vm.Shutdown               *       build @tag:build-client     allow target=@adminvm
diff --git a/qubes/gen.sh b/qubes/gen.sh
@@ -14,6 +14,8 @@ var pkgexclude
 import rules.sh
 import genfn.sh
 
+policy 30-build.policy
 qvm example
 
 phony build $BUILDS
+phony install $INSTALL
diff --git a/qubes/genfn.sh b/qubes/genfn.sh
@@ -1,12 +1,15 @@
 BUILDS=
+INSTALL=
 
 qvm() {
 	BUILDS="$BUILDS $dir/$1/build"
+	INSTALL="$INSTALL $dir/$1/install"
 	subgen $1 init_qvm fini_qvm
 }
 
 init_qvm() {
 	FSPECS=
+	INSTALL=
 	PKGEXCLUDE=
 
 	var qvm $1
@@ -26,6 +29,8 @@ fini_qvm() {
 		phony build $outdir/nofspecs
 	fi
 
+	touch noinstall
+	phony install $outdir/noinstall
 }
 
 pkg() {
@@ -62,3 +67,14 @@ pkgexclude() {
 	done
 	var pkgexclude \"$PKGEXCLUDE\"
 }
+
+policy() {
+	_file=${1##*/}
+	_out=$outdir/policy/$_file
+	_name=${_file%.*}
+
+	qubes_policy $_out $1
+	bind policy $_name
+
+	INSTALL="$INSTALL $_out"
+}
diff --git a/qubes/rules.sh b/qubes/rules.sh
@@ -21,3 +21,6 @@ bind fspecvars "
 	-v includedir=$includedir
 	-v statedir=$statedir
 "
+
+rule qubes_policy 'qubes-policy --replace $policy <$in && touch $out'
+bind description 'QUBES POLICY $policy'