What is a "tag" in rpc policy files?

Reading this doc: http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/doc/rpc-policy/

I see the example:

[user@dom0 user ~]$ cat /etc/qubes-rpc/policy/qubes.FileCopy
(...)
@tag:work   @default    ask
@tag:work   @tag:work   allow
@tag:work   @anyvm      deny
@anyvm      @tag:work   deny
@anyvm      @anyvm      ask

What is @tag:work here? As far as I know, we can distinguish qubes by giving them a name, and not a “tag”. So, how does one tag a qube with the “work” string?

qvm-tags – manage domain’s tags — Qubes Admin client mm_bb297fc9-1-g30d7547-dirty documentation

2 Likes
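How tags drive the decision for the qubes.FileCopy policy quoted in the question, as an added example that is not part of the original posts and is not the Qubes policy engine. The qube names and their tags are constructed, and the matching rules (first matching line wins, no match means deny, @anyvm also covers an unspecified target) are a simplified model assumed here.

```python
# Simplified model of the policy from the question; not the Qubes policy engine.
POLICY = """\
@tag:work   @default    ask
@tag:work   @tag:work   allow
@tag:work   @anyvm      deny
@anyvm      @tag:work   deny
@anyvm      @anyvm      ask
"""

# Constructed inventory: qube name -> tags. In dom0 a tag would be assigned
# with qvm-tags, e.g. `qvm-tags work-email add work` (hypothetical qube name).
QUBE_TAGS = {
    "work-email": {"work"},
    "work-docs": {"work"},
    "personal": set(),
    "vault": set(),
}


def parse_policy(text):
    """Return (source, target, action) rules, skipping blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            source, target, action = line.split()[:3]
            rules.append((source, target, action))
    return rules


def matches(token, qube, tags):
    """Check one policy token against a qube ('@default' = no target given)."""
    if token == "@anyvm":
        # Assumption: @anyvm covers any known qube and an unspecified target.
        return qube == "@default" or qube in tags
    if token.startswith("@tag:"):
        return token[len("@tag:"):] in tags.get(qube, set())
    return token == qube  # literal qube name, or '@default'


def evaluate(source, target, rules, tags=QUBE_TAGS):
    """First matching rule wins; a call that matches no rule is denied."""
    for rule_source, rule_target, action in rules:
        if matches(rule_source, source, tags) and matches(rule_target, target, tags):
            return action
    return "deny"


RULES = parse_policy(POLICY)
```

Adding the tag to one more qube changes the outcome without touching the policy file, which is the point of matching on tags instead of names.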

With Saltstack you can also target VMs with tags.
Since:
https://github.com/QubesOS/qubes-mgmt-salt-base/pull/17