I have a policy file that has worked fine until sometime recently:
qubes.Gpg * pim ring5-vault allow
qubes.Gpg * projects ring5-vault allow
qubes.Gpg * @anyvm @anyvm ask
Since some time now, instead of automatically defaulting to executing the action, now qrexec asks me for a target VM every time.
This is irksome and totally not what I want. Also not what it does in other cases, where policy just runs without asking the stupid question!
What am I doing wrong?
EDIT: I had !compat 4.0
directive in 35-compat.policy. Removing this made it go away.
Here is the culprit — these files ship with Qubes:
[rudd-o@dom0 policy]$ ls
include qubes.InputKeyboard qubes.ReceiveUpdates qubes.SyncAppMenus ruddo.ConnectToFolder ruddo.ConnectToFolder+b24aa0b888139c8684a417ff189158ab ruddo.QueryFolderAuthorization
qubes.ClipboardPaste qubes.InputMouse qubes.repos.Disable qubes.USB ruddo.ConnectToFolder+64354562078aa47c13b4ee9c0387b7b5 ruddo.ConnectToFolder+be8d76f1b11ee33589cd45639b8e27f4 whonix.GatewayCommand
qubes.Gpg qubes.InputTablet qubes.repos.Enable qubes.WindowIconUpdater ruddo.ConnectToFolder+8df87212f7d0f1c4da49b591203cf3c5 ruddo.Git+-home-user-optplone-deployments-601a whonix.NewStatus
qubes.GpgImportKey qubes.PdfConvert qubes.repos.List ruddo.AuthorizeFolderAccess ruddo.ConnectToFolder+a680511683682cd0235024662ac49688 ruddo.Git+-home-user-optplone-deployments-master whonix.SdwdateStatus
[rudd-o@dom0 policy]$ cat ruddo.ConnectToFolder
## This policy is used by VMs to verify folder authorization.
## Do not change this or add policy -- this is managed by qubes-shared-folders.
$anyvm $anyvm deny
[rudd-o@dom0 policy]$ ls ^C
[rudd-o@dom0 policy]$ cat qubes.Gpg
$anyvm $anyvm ask
[rudd-o@dom0 policy]$ cat qubes.Gpg
qubes.Gpg qubes.GpgImportKey
[rudd-o@dom0 policy]$ cat qubes.Gpg
qubes.Gpg qubes.GpgImportKey
[rudd-o@dom0 policy]$ rpm -qf qubes.Gpg
qubes-gpg-split-dom0-2.0.66-1.fc32.x86_64
[rudd-o@dom0 policy]$ cat qubes.GpgImportKey
$anyvm $anyvm ask
Somehow the compat rule is trumping my stuff.