From 7756a5353ac2aaef9af6bfaccb534bcdc545d0db Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
 <marmarek@invisiblethingslab.com>
Date: Sun, 25 Jun 2017 13:02:48 +0200
Subject: [PATCH] Add Qubes 4.0 policy keywords

---
 services/qrexec3.md | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/services/qrexec3.md b/services/qrexec3.md
index bb8b6a92..8227eff0 100644
--- a/services/qrexec3.md
+++ b/services/qrexec3.md
@@ -192,6 +192,15 @@ second rule allowing calls to `$dispvm:anon-whonix-dvm`, or even if
 there is a rule explicitly denying it. This is because the redirection happen
 _after_ considering the action.
 
+In Qubes 4.0 there are also additional methods to specify source/target VM:
+
+ * `$tag:some-tag` - meaning a VM with tag `some-tag`
+ * `$type:type` - meaning a VM of `type` (like `AppVM`, `TemplateVM` etc)
+
+Target VM can be also specified as `$default`, which matches the case when
+calling VM didn't specified any particular target (either by using `$default`
+target, or empty target).
+
 ### Service argument in policy
 
 Sometimes just service name isn't enough to make reasonable qrexec policy. One