I would like to modify some Qubes RPC policies, especially those using the “ask” action, so that the amount of VMs displayed as potential targets is reduced.
I understand that this list displays all VMs that are either set to “allow” or “ask”. VMs with an action of “deny” are not listed.
In particular, I want to modify qubes.OpenURL so that whenever I click on a hyperlink (e.g., in an email), only some of my persistent VMs, as well as some of the disposable VMs are shown.
I figured that the best way would be to use a tag “hyperlink-target” for these VMs.
How do I configure the RPC policy so that both existing and to-be-created disposable VMs are listed, but not the disp templates themselves?
I tried configuring the policy with “type” instead of “tag” but did not find a list of all types supported by this command (e.g., specifying the type “disposable” seems to be without effect).
I then gave a dispVM template the tag “hyperlink-target”. This made both the template and dispVMs derived from it appear in the drop down.
I further tried to exclude the template by specifying a “deny” policy for it, but it seems that it appears in the lost once it is matched by one of the allow policies.
Does anyone know how to configure such setup? Might there even be a good documentation on RPC policies regarding tags and types? The official documentation only briefly covers this aspect.
Edit: After writing this I thought about the policy file like a firewall. Putting the “deny” rule above the “ask” rules works as intended and removes the disp templates from the drop-down. However, I would still like to know if the same could be achieved by using types instead of tags.