Document /run/qubes/policy.d/

Useful for users of the feature.
QubesOS · Sep 15, 2024 · d089db6 · d089db6
1 parent af2d3c0
commit d089db6
Showing 1 changed file with 7 additions and 2 deletions.
diff --git a/developer/services/qrexec.md b/developer/services/qrexec.md
@@ -86,11 +86,12 @@ Disposable VMs are tightly integrated -- RPC to a DisposableVM is identical to R
 
 ### Policy files
 
-The dom0 directory `/etc/qubes/policy.d/` contains files that set policy for each available RPC action that a VM might call.
+The dom0 directories `/etc/qubes/policy.d/` and `/run/qubes/policy.d/` contain files that set policy for each available RPC action that a VM might call.
 For example, `/etc/qubes/policy.d/90-default.policy` contains the default policy settings.  
 When making changes to existing policies it is recommended that you create a *new* policy file starting with a lower number, like `/etc/qubes/policy.d/30-user.policy`.  
 You may keep your custom policies in one file like `/etc/qubes/policy.d/30-user.policy`, or you may choose to have multiple files, like `/etc/qubes/policy.d/10-copy.policy`, `/etc/qubes/policy.d/10-open.policy`.  
 Together the contents of these files make up the RPC access policy database: the files are merged, with policies in lower number files overriding policies in higher numbered files.
+If there are entries in both `/run/qubes/policy.d/` and `/etc/qubes/policy.d/` with the same name, it isn't specified which takes precedence, so you should avoid this situation.
 
 Policies are defined in lines with the following format:
 
@@ -103,7 +104,7 @@ You can specify the source and destination by name or by one of the reserved key
 Service calls from dom0 are currently always allowed, and `@dispvm` means "new VM created for this particular request," so it is never a source of request.)
 Other methods using *tags* and *types* are also available (and discussed below).
 
-Whenever a RPC request for an action is received, the domain checks the first matching line of the files in `/etc/qubes/policy.d/` to determine access:
+Whenever a RPC request for an action is received, the domain checks the first matching line of the files in `/etc/qubes/policy.d/` and `/run/qubes/policy.d/` to determine access:
 whether to allow the request, what VM to redirect the execution to, and what user account the program should run under.
 Note that if the request is redirected (`target=` parameter), policy action remains the same -- even if there is another rule which would otherwise deny such request.
 If no policy rule is matched, the action is denied.
@@ -112,6 +113,10 @@ In the target VM, a file in either of the following locations must exist, contai
   - `/etc/qubes-rpc/RPC_ACTION_NAME` when you make it in the template qube;
   - `/usr/local/etc/qubes-rpc/RPC_ACTION_NAME` for making it only in an app qube.
 
+Files in `/run/qubes/policy.d/` are deleted when the system is rebooted.
+This is useful for temporary policy that contains the name or UUID of a disposable VM, which will not be meaningful after the system has rebooted.
+Such policy files can be created manually, but they are usually created automatically by a qrexec call to dom0.
+
 ### Making an RPC call
 
 From outside of dom0, RPC calls take the following form: