Do not check for object existence when got it with another Admin API call

When qubesd returns an name of VM or other object, as part of another call (reading a property, listing devices etc), it's safe to assume that object exists. Do not try to list it, which could be prevented by qrexec policy. This means a VM object would be returned (for example in vm.netvm property), which potentially could not be listed through app.domains collection. This may lead to some corner cases, but generally should ease handling of restricted policy. This does not affect practical information the management VM have access too, as those names are already returned. It's just client side python wrapper that didn't allowed to access them. QubesOS/qubes-issues#5099
2019-06-14 17:10:21 +02:00 · 2019-06-14 17:10:21 +02:00 · 5315bbf8f9
commit 5315bbf8f9
parent 83b1fc6c58
2 changed files with 2 additions and 2 deletions
--- a/qubesadmin/base.py
+++ b/qubesadmin/base.py
@ -233,7 +233,7 @@ class PropertyHolder(object):
        if prop_type == 'vm':
            if value == '':
                return None
-            return self.app.domains[value]
+            return self.app.domains.get_blind(value)
        if prop_type == 'label':
            if value == '':
                return None
--- a/qubesadmin/devices.py
+++ b/qubesadmin/devices.py
@ -209,7 +209,7 @@ class DeviceCollection(object):
                              ['True', 'yes', True])
            if persistent is not None and dev_persistent != persistent:
                continue
-            backend_domain = self._vm.app.domains[backend_domain]
+            backend_domain = self._vm.app.domains.get_blind(backend_domain)
            yield DeviceAssignment(backend_domain, ident, options,
                                   persistent=dev_persistent,
                                   frontend_domain=self._vm,