From 11d19eee931c3d81a87fa206b7e6908b9064f594 Mon Sep 17 00:00:00 2001 From: "Manuel Amador (Rudd-O)" Date: Mon, 15 May 2017 18:41:21 +0000 Subject: [PATCH] Add note about dom0 security policy. --- README.md | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 54d2c13..cfec88b 100644 --- a/README.md +++ b/README.md @@ -89,7 +89,20 @@ Enabling bombshell-client access to dom0 create a file `/etc/qubes-rpc/qubes.VMshell` with mode `0644` and make sure its contents say `/bin/bash`. -That's it -- `bombshell-client` should work against dom0 now. +You will then create a file `/etc/qubes-rpc/policy/qubes.VMShell` with +mode 0664, owned by your login user, and group `qubes`. Add a policy +line towards the top of the file: + +``` +yourvm dom0 ask +``` + +Where `yourvm` represents the name of the VM you will be executing +`bombshell-client` against dom0 from. + +That's it -- `bombshell-client` should work against dom0 now. Of course, +you can adjust the policy to have it not ask — do the security math +on what that implies. How to use the connection technology with automation tools like Ansible -----------------------------------------------------------------------
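Review bot: The policy path in the first added line, `/etc/qubes-rpc/policy/qubes.VMShell`, is spelled with a capital `S`, while the unchanged context directly above it tells the reader to create `/etc/qubes-rpc/qubes.VMshell` with a lowercase `s`. The policy file is matched to the RPC service by name on a case-sensitive filesystem, so a reader who follows both steps literally gets a policy that does not govern the service file they just created; make the two spellings identical, correcting the context line in the same commit if that is the one that is wrong. Two smaller points in the same hunk: mode `0664` with group `qubes` makes the file that gates shell access to dom0 group-writable, and the text does not say why that is needed, so either justify it in a sentence or tighten the mode; and `0664` should be in backticks to match `0644` above. The closing "do the security math" remark would be more useful if it stated what changing `ask` actually means here, namely that `yourvm` gets a shell in dom0 with no confirmation prompt.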