From 6ef280b132ef9fb7a0084817485f5f8bc0ea5a65 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
Date: Wed, 7 May 2014 15:34:59 +0200
Subject: [PATCH] qubes.VMShell.policy: extend comment

---
 qubes-rpc-policy/qubes.VMShell.policy | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/qubes-rpc-policy/qubes.VMShell.policy b/qubes-rpc-policy/qubes.VMShell.policy
index 1038b76b..71986330 100644
--- a/qubes-rpc-policy/qubes.VMShell.policy
+++ b/qubes-rpc-policy/qubes.VMShell.policy
@@ -7,9 +7,11 @@
 $anyvm $dispvm allow
 $anyvm $anyvm deny
 # WARNING: The qubes.VMShell service is dangerous and there are really few
-# cases when it could be safely used. Allowing one VM to execute qubes.VMShell
-# over the other VM allows the former to TAKE FULL CONTROL over the later. In
-# most cases this is not what we want!
+# cases when it could be safely used. Especially when policy set to "ask" you
+# have no way to know for sure what command(s) will be called. Compromissed
+# source VM can substitute the command. Allowing one VM to execute
+# qubes.VMShell over the other VM allows the former to TAKE FULL CONTROL over
+# the later. In most cases this is not what we want!
 #
 # Instead we should be using task-specific qrexec services which provide
 # assurance as to what program will be responding to the (untrusted) VM
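Review bot: The new warning text carries spelling and grammar slips that blunt an otherwise important security note: `Compromissed` should be `Compromised`, `the later` should be `the latter`, and `when policy set to "ask"` reads better as `when the policy is set to "ask"`. The corrected lines would be `# cases when it could be safely used. Especially when the policy is set to "ask"`, `# have no way to know for sure what command(s) will be called. A compromised`, and `# the latter. In most cases this is not what we want!`. Since the comment now stresses that an "ask" prompt cannot reveal the command, it would also help to state why the `$anyvm $dispvm allow` rule just above is the one tolerated exception — presumably because a DispVM is fresh and discarded after the call, but that rationale is not written down here.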