merge from upstream

qubedmaiska 2025-02-21 04:48:20 -05:00
commit 2093a276b8
No known key found for this signature in database
GPG key ID: 204BCE0FD52C0501
5 changed files with 25 additions and 41 deletions


@ -37,6 +37,7 @@ On final release
* finish release notes
* update InstallationInstructions
* build ISO and push to mirrors
* push `qubes-release` package to `current`
* notify @Rudd-O about the new ISO for new torrent hosting
* write blog post
* announce on Twitter
* write news post
* announce
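
Review bot: the last checklist item in this hunk, `* announce`, names no channel, while the `* announce on Twitter` entry two lines above it did. Whoever runs the release cannot tell from the list where the announcement is expected to go, so either list the channels in the item or link to the page that defines them. `* write news post` has the same gap: say where the post is published.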


@ -109,11 +109,6 @@ whether to allow the request, what VM to redirect the execution to, and what use
Note that if the request is redirected (`target=` parameter), policy action remains the same -- even if there is another rule which would otherwise deny such request.
If no policy rule is matched, the action is denied.
In the target VM, a file in either of the following locations must exist, containing the file name of the program that will be invoked, or being that program itself -- in which case it must have executable permission set (`chmod +x`):
- `/etc/qubes-rpc/RPC_ACTION_NAME` when you make it in the template qube;
- `/usr/local/etc/qubes-rpc/RPC_ACTION_NAME` for making it only in an app qube.
Files in `/run/qubes/policy.d/` are deleted when the system is rebooted.
This is useful for temporary policy that contains the name or UUID of a disposable VM, which will not be meaningful after the system has rebooted.
Such policy files can be created manually, but they are usually created automatically by a Qrexec call to dom0.
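
Review bot: the paragraph listing `/etc/qubes-rpc/RPC_ACTION_NAME` and `/usr/local/etc/qubes-rpc/RPC_ACTION_NAME` appears in this region, which the header shrinks from 11 lines to 6, and again in the next hunk under `### Answering an RPC call`, so it reads as a move out of the policy description. After the move this section covers only the policy side, and a reader can come away thinking an allow rule alone is enough for a call to succeed. Consider keeping one sentence after `If no policy rule is matched, the action is denied.` that points to the new section for the file the target VM must provide.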
@ -141,6 +136,17 @@ It is also possible to call service without specific client program -- in which
$ qrexec-client-vm target_vm_name RPC_ACTION_NAME
```
### Answering an RPC call
In other for a RPC call to be answered in the target VM, a file in either of the following locations must exist, containing the file name of the program that will be invoked, or being that program itself -- in which case it must have executable permission set (`chmod +x`):
- `/etc/qubes-rpc/RPC_ACTION_NAME` when you make it in the template qube;
- `/usr/local/etc/qubes-rpc/RPC_ACTION_NAME` for making it only in an app qube.
The source VM name can then be accessed in the server process via
`QREXEC_REMOTE_DOMAIN` environment variable. (Note the source VM has *no*
control over the name provided in this variable--the name of the VM is
provided by dom0, and so is trusted.)
### Specifying VMs: tags, types, targets, etc.
There are severals methods for specifying source/target VMs in RPC policies.
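
Review bot: the opening sentence of the new `### Answering an RPC call` section has a typo, `In other for a RPC call`, which should read `In order for an RPC call`. In the same section, `via` should be followed by `the` before `QREXEC_REMOTE_DOMAIN environment variable`. The trailing context line `There are severals methods` is not part of this change, but `severals` is worth correcting to `several` while the file is open.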