
Enable Dynamic Policy Management via ghaf-givc#1758

Merged
brianmcgillion merged 9 commits into tiiuae:main from gngram:pulls/policy-management
Mar 10, 2026

Conversation


@gngram gngram commented Feb 16, 2026

Description of Changes

This PR introduces policy management capabilities within the ghaf-givc implementation. It establishes a distinction between policy administrators and clients, allowing for dynamic updates to system configurations such as firewalls and proxies.

Key Changes:
Policy Architecture:

  • Implemented policyAdmin specifically for the admin-vm.
  • Implemented policyClient for the host and remaining VMs.
  • Added ghaf.common.policies option to accumulate policies from various VMs.

Dynamic Configuration:

  • Enabled dynamic firewall rule updates via the policy admin.
  • Enabled proxy-config updates via the policy admin.

GIVC Integration:

  • Updated givc configurations to align with agents.
  • Updated configs for YubiKey and Boot-UI integration.

Type of Change

  • New Feature
  • Bug Fix
  • Improvement / Refactor

Related Issues / Tickets

Checklist

  • Clear summary in PR description
  • Detailed and meaningful commit message(s)
  • Commits are logically organized and squashed if appropriate
  • Contribution guidelines followed
  • Ghaf documentation updated with the commit - https://tiiuae.github.io/ghaf/
  • Author has run make-checks and it passes
  • All automatic GitHub Action checks pass - see actions
  • Author has added reviewers and removed PR draft status

Testing Instructions

Applicable Targets

  • Orin AGX aarch64
  • Orin NX aarch64
  • Lenovo X1 x86_64
  • Dell Latitude x86_64
  • System 76 x86_64

Installation Method

  • Requires full re-installation
  • Can be updated with nixos-rebuild ... switch
  • Other:

Test Steps To Verify:

  1. Every functionality should work as usual.
  2. I have restricted access to ChatGPT in the chrome-vm via a dynamic policy update for testing (will remove it later). With this PR you should not be able to access ChatGPT from Google Chrome.


@kajusnau kajusnau left a comment


Cool change!
Some opinionated, some refactor comments.
Also, is it possible to define some example test scenario instead of a generic "Every functionality should work as usual"? 😁


@vunnyso vunnyso left a comment


PR title has a typo, and wip can be removed if the change is ready.


gngram commented Feb 16, 2026

PR title has a typo, and wip can be removed if the change is ready.

Waiting for the ghaf-givc commit to be merged on mainline. Once done, I will remove the wip status and also update the givc url in flake.nix.

@gngram gngram force-pushed the pulls/policy-management branch from b4321a1 to 70ee43b February 20, 2026 10:59
@gngram gngram force-pushed the pulls/policy-management branch from 70ee43b to 92bcecc February 20, 2026 11:17
@gngram gngram added the Needs Testing CI Team to pre-verify label Feb 20, 2026
@gngram gngram changed the title [wip] nable Dynamic Policy Management via ghaf-givc Enable Dynamic Policy Management via ghaf-givc Feb 20, 2026
@milva-unikie

Tested on Darter Pro (new image)

  • Policy management is not working as described in the testing instructions, ChatGPT is not blocked in chrome-vm Google Chrome

@milva-unikie milva-unikie added Bug on System76 and removed Needs Testing CI Team to pre-verify labels Feb 23, 2026

gngram commented Mar 9, 2026

Rebased.


avnik commented Mar 9, 2026

@mbssrc Could you merge, please? Looks like only you or Brian can

gngram added 9 commits March 10, 2026 21:22
- updated givc options to align it with the givc agents
- policyAdmin is for admin-vm, policyClient is for rest of the VMs and host

Signed-off-by: Ganga Ram <Ganga.Ram@tii.ae>
- option added ghaf.common.policies

Signed-off-by: Ganga Ram <Ganga.Ram@tii.ae>
Signed-off-by: Ganga Ram <Ganga.Ram@tii.ae>
- update givc configs for yubikey and boot-ui

Signed-off-by: Ganga Ram <Ganga.Ram@tii.ae>
Signed-off-by: Ganga Ram <Ganga.Ram@tii.ae>
Signed-off-by: Ganga Ram <Ganga.Ram@tii.ae>
Signed-off-by: Ganga Ram <Ganga.Ram@tii.ae>
Signed-off-by: Ganga Ram <Ganga.Ram@tii.ae>
Signed-off-by: Ganga Ram <Ganga.Ram@tii.ae>

gngram commented Mar 10, 2026

Rebased again and resolved merge conflicts.

@brianmcgillion brianmcgillion merged commit e6b3856 into tiiuae:main Mar 10, 2026
32 checks passed
@gngram gngram deleted the pulls/policy-management branch March 25, 2026 11:57

8 participants