From 3642afb40f85e3de13defe8f58a55d1fda9ae90a Mon Sep 17 00:00:00 2001 From: Rafal Wojtczuk Date: Tue, 30 Aug 2011 13:43:49 +0000 Subject: [PATCH] Qrexec changed --- Qrexec.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Qrexec.md b/Qrexec.md index 22cc523e..be8541ee 100644 --- a/Qrexec.md +++ b/Qrexec.md @@ -60,6 +60,8 @@ On src VM, one should invoke the client via Note that only stdin/stdout is passed between rpc server and client - notably, the server cmdline argument list is fixed (it contains one argument, source VM name). By default, stderr of client and server is logged to respective /var/log/qubes/qrexec.XID files. +Be very careful when coding and adding a new rpc service. Unless the offered functionality equals full control over the target (it is the case with e.g. qubes.VMShell action), any vulnerability in a rpc server can be fatal to qubes security. On the other hand, this mechanism allows to delegate processing of untrusted input to less privileged (or throwaway) AppVMs, thus wise usage of it increases security. + ### Qubes RPC example We will show the necessary files to create rpc call that adds two integers on the target and returns back the result to the invoker.
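Review bot: the added paragraph starting "Be very careful when coding and adding a new rpc service" warns the reader but gives a service author nothing concrete to act on. The context sentence just above it already says that only stdin/stdout is passed and that the server's argument list is fixed to the source VM name. Consider building on that and stating that everything the rpc server reads from stdin comes from the source VM and must be parsed as untrusted input. It would also help to say what "fatal to qubes security" means here, i.e. whether a vulnerable server leads to compromise of the target VM, so that the exception for qubes.VMShell reads as a consequence rather than an aside. Wording nits in the same lines: "a rpc" should be "an rpc", "allows to delegate" should be "allows delegating", and "qubes security" should be "Qubes security".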