Allow defining RPC policies using more than one tag

[xyhhx]

How to file a helpful issue

The problem you're addressing (if any)

I would like to create fine-grained RPC policies that target VMs using a combination of tags (for example @tag:dev-vm and @tag:client-1). Currently it seems this isn't possible.

The solution you'd like

It would be nice to be able to write RPC policies to allow multiple qualifiers or tags:

qubes.SshAgent  *   @tag:dev-vm,@tag:client-1   @tag:vault-vm,@tag:client-1    ask default_target=client-1-vault

Where I can say "VMs which are tagged with both dev-vm and client-1 can use Qubes.SshAgent in VMs which are tagged with both vault-vm and client-

The value to a user, and who that user might be

This allows for fine-grained policies that otherwise would take numerous policies or are otherwise impossible to define.

Completion criteria checklist

(This section is for developer use only. Please do not modify it.)

[marmarek]

I like this as an idea, sounds very useful. The syntax looks consistent too. But I'd like to hear also @HW42 opinion.

[HW42]

The idea looks fine to me.

The qrexec policy is a tricky tradeoff between being powerful enough to express the policies people would like to write and not getting too tricky to review. But simply refusing useful features is no solution either, since then users just work around, likely leading to worse results. The suggested change seems not very invasive, easy to argue about (unless I'm missing tricky corner cases) and has a clear use case. So sounds like a reasonable addition to me.

I'm not quite sure about the proposed syntax. ,-separated values can also be easily read as or, especially given that the @tag: syntax means any VM with that tag. Maybe @tag:dev-vm&@tag:client-1?

How does this interact with other values? For example is @tag:client-1,@type:TemplateVM allowed?