fix: rpc service copy to dvm

Upstream-commit: 7c37bb7bd65ad3a183790ad07344729504bc0930

salt/qubes-builder/README.md

@@ -69,9 +69,13 @@ Setting the Disposable VM  to Dom0 works because it will use the
 `default_dispvm` preference of `qubes-builder`, which is `dvm-qubes-builder`.
 
 If you need to pull new commits, a set of trusted keys is present in
-`/home/user/.gnupg/qubes-builder` to be used to verify commits or tags:
+`/home/user/.gnupg/qubes-builder`. By default, the provided gitconfig verifies
+merges, so pulling new commits will do signature verification of `FETCH_HEAD`:
 ```sh
-GNUPGHOME="$HOME/.gnupg/qubes-builder" git verify-commit "HEAD^{commit}"
+GNUPGHOME="$HOME/.gnupg/qubes-builder" git pull
+Commit 7c37bb7 has a good GPG signature by Frédéric Pierret (fepitre)
+<frederic.pierret@qubes-os.org>
+...
 ```
 
 There are no further modifications needed to comply with this package. Consult

salt/qubes-builder/configure-qubes-executor.sls

@@ -11,16 +11,6 @@ include:
   - dotfiles.copy-sh
   - dotfiles.copy-x11
 
-"{{ slsdotpath }}-executor-rpc":
-  file.recurse:
-    - name: /usr/local/etc/qubes-rpc/
-    - source: salt://{{ slsdotpath }}/files/server/rpc/
-    - user: root
-    - group: root
-    - dir_mode: '0755'
-    - file_mode: '0755'
-    - makedirs: True
-
 "{{ slsdotpath }}-executor-makedir-binded-builder":
   file.directory:
     - name: /rw/bind-dirs/builder

salt/qubes-builder/files/admin/policy/default.policy

@@ -22,6 +22,7 @@ admin.vm.Kill * {{ sls_path }} @tag:disp-created-by-{{ sls_path }} allow target=
 qubesbuilder.FileCopyIn * {{ sls_path }} @tag:disp-created-by-{{ sls_path }} allow
 qubesbuilder.FileCopyOut * {{ sls_path }} @tag:disp-created-by-{{ sls_path }} allow
 
+qubes.Filecopy * {{ sls_path }} @tag:disp-created-by-{{ sls_path }} allow
 qubes.WaitForSession * {{ sls_path }} @tag:disp-created-by-{{ sls_path }} allow
 qubes.VMShell * {{ sls_path }} @tag:disp-created-by-{{ sls_path }} allow
 ## vim:ft=qrexecpolicy