Recently (I suppose after a dom0 update) this stopped working entirely. Retracing the guide, I was able to restore functionality. One thing I noticed was that some of my config files I’d set up had been renamed. Specifically, /etc/qubes-rpc/policy/custom.LockScreen was renamed to /etc/qubes-rpc/policy/custom.LockScreen.rpmsave, and the optional “Locking the screen when YubiKey is removed” functionality was not working. I renamed the file back to the original format, /etc/qubes-rpc/policy/custom.LockScreen (removing the .rpmsave extension), and the LockScreen began working again when removing the YubiKey.
Coincidentally, hours later, I started looking through the policy file at /etc/qubes/policy.d/30-user.policy (I noticed this was edited when I had just installed @unman’s syncthing task), and I saw some curious contents:
qubes.Syncthing * @anyvm @anyvm deny
# Policy rules in this file were automatically converted from old
# policy format. Old files can be found in /etc/qubes-rpc/policy; they have
# the suffix .rpmsave.
# All rules pertaining to qubes.Gpg were moved to this file. If you want to
# move them to the relevant GUI config file, see 50-config-splitgpg. Caution:
# the GUI tool for qubes.Gpg policy supports only policy rules that have a
# single vm as a target.
custom.LockScreen * sys-usb @adminvm allow
The first line was inserted by @unman’s script, fine.
Everything after that was strange. Even though my line, custom.LockScreen * sys-usb @adminvm allow, was here, the policy was not working. In addition, I then investigated /etc/qubes/policy.d/README and saw that it says “This directory contains qrexec policy in new (Qubes R5.0) format.” Weird, because, besides R5.0 not being released, I am on R4.2.
It is unclear to me what format should be used for qrexec policies. Are files in /etc/qubes-rpc/policy/ supposed to be ignored? Are they automatically migrated to /etc/qubes/policy.d/ upon updates? Why would the YubiKey LockScreen not be working automatically until I restored my old policy file? This is very confusing, and I think the docstrings and README are unclear.
The policy file should now be under /etc/qubes/policy.d/. I don’t understand why it doesn’t work. Could you check the content with a policy editor? Maybe run the following command to search some other policy?
grep -r custom.LockScreen /etc/qubes/policy.d
qubes-dist-upgrade, used during in-place upgrade, has something to do with the .rpmsave but I don’t know what exactly. If you have run the 6 steps, I suppose there is a bug.
The documentation is sometimes unclear about the policy format. Check that page for the most up-to-date information:
[Edit: I see @parulin has also answered. They know much more than me…]
I do not know much, but I would say I think it is an automatic migration. I was meaning to ask/find out if it was coming.
I would also ask:
Do you see any messages using journalctl in Dom0? …looking at the time when your policy was not working, of course.
I think that the migrated file looks correct and exactly equivalent to the old-format one. There are some methods to edit and verify policy files in the docs. I would suggest to verify the new file, even though a bad syntax normally causes Deny for all qrexec calls, so nothing would work if it is incorrect.
At least I can comment that I think it means “qrexec version 5” syntax and behaviour, not that you have been magicked to Qubes R5.0!
I also comment that Qubes 4.3 uses a different* screensaver, so you will need to adapt your setup when you do upgrade.
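To make the migration question in the thread concrete, here is an added example (it is not code from the thread or from Qubes OS) that converts an old-format qrexec policy file, one file per service under /etc/qubes-rpc/policy with lines of the form source target action[,params], into the new-format lines used in /etc/qubes/policy.d, and then evaluates a call against those lines the way the policy engine does: rules are read in order and the first matching rule decides, with no match meaning deny. The keyword mapping ($anyvm to @anyvm, dom0 as a target to @adminvm, and so on) is my reading of the new format as shown by the converted lines quoted above; the VM inventory and the old-format file contents are constructed for illustration.

```python
"""Added example, not code from the thread or from Qubes OS itself.

Converts an old-format qrexec policy file (per-service file, lines of
'source target action[,key=value...]') into new-format policy.d lines
('service argument source target action [key=value ...]') and evaluates
a call against new-format rules (first match wins, no match = deny).
All file contents and the VM inventory below are constructed.
"""
from dataclasses import dataclass

# Keyword spelling changed from '$' to '@'; the converted files quoted in
# the thread write dom0 as a target as '@adminvm' (assumed mapping).
KEYWORDS = {"$anyvm": "@anyvm", "$default": "@default",
            "$dispvm": "@dispvm", "$adminvm": "@adminvm"}


def convert_token(token: str, is_target: bool) -> str:
    """Translate one old-format source/target token to the new spelling."""
    if token in KEYWORDS:
        return KEYWORDS[token]
    if token.startswith("$"):            # $tag:x, $type:x, $dispvm:x
        return "@" + token[1:]
    if token == "dom0" and is_target:
        return "@adminvm"
    return token


def convert_old_policy(service: str, old_text: str) -> list[str]:
    """Old format: 'source target action[,key=value...]' per line.
    New format: 'service argument source target action [key=value ...]'."""
    out = []
    for raw in old_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, rest = line.split(None, 2)
        action, _, params = rest.partition(",")
        new = (f"{service} * {convert_token(src, False)} "
               f"{convert_token(dst, True)} {action}")
        if params:
            new += " " + params.replace(",", " ")
        out.append(new)
    return out


@dataclass
class Rule:
    service: str
    argument: str
    source: str
    target: str
    action: str


def parse_new_policy(text: str) -> list[Rule]:
    """Parse new-format lines; comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rules.append(Rule(*line.split()[:5]))
    return rules


# Constructed VM inventory: name -> (type, tags). dom0 is the admin VM.
VMS = {
    "dom0": ("AdminVM", set()),
    "sys-usb": ("AppVM", {"usb"}),
    "personal": ("AppVM", set()),
    "work": ("AppVM", set()),
}


def vm_matches(pattern: str, name: str) -> bool:
    """Match one source/target column against a VM name."""
    vm_type, tags = VMS[name]
    if pattern == "@anyvm":
        return vm_type != "AdminVM"      # @anyvm never covers dom0
    if pattern == "@adminvm":
        return vm_type == "AdminVM"
    if pattern.startswith("@tag:"):
        return pattern[5:] in tags
    if pattern.startswith("@type:"):
        return pattern[6:] == vm_type
    return pattern == name


def evaluate(rules: list[Rule], service: str, argument: str,
             source: str, target: str) -> str:
    """First matching rule wins; with no match the call is denied."""
    for r in rules:
        if r.service not in ("*", service):
            continue
        if r.argument != "*" and r.argument != argument:
            continue
        if vm_matches(r.source, source) and vm_matches(r.target, target):
            return r.action
    return "deny"


# The two rule lines quoted in the thread, in policy.d order.
POLICY_30_USER = """\
qubes.Syncthing * @anyvm @anyvm deny
custom.LockScreen * sys-usb @adminvm allow
"""

if __name__ == "__main__":
    print(convert_old_policy("custom.LockScreen", "sys-usb dom0 allow"))
    rules = parse_new_policy(POLICY_30_USER)
    print(evaluate(rules, "custom.LockScreen", "+", "sys-usb", "dom0"))
    print(evaluate(rules, "custom.LockScreen", "+", "personal", "dom0"))
```

Running it shows that a constructed old-format file containing sys-usb dom0 allow converts to exactly the custom.LockScreen line quoted from 30-user.policy, and that the qubes.Syncthing deny line above it cannot shadow the LockScreen rule because the service column differs. If the same call is still denied on a real system, the rule is not the problem and the journal (as suggested above) is the place to look.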