From 9d6b7257c4fb0edcc97912614b9b1ac14b251847 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
 <marmarek@invisiblethingslab.com>
Date: Tue, 16 Jun 2020 15:50:03 +0200
Subject: [PATCH] tools/qvm-start-daemon: reduce required permissions to
 sys-gui itself

Do not require permission to list sys-gui itself just to get keyboard
layout. Listing itself is not sensitive (sys-gui knows it exists), but
it will make other tools request its properties, which may not be
desirable.
---
 qubesadmin/tools/qvm_start_daemon.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/qubesadmin/tools/qvm_start_daemon.py b/qubesadmin/tools/qvm_start_daemon.py
index e42a7f5..829f0af 100644
--- a/qubesadmin/tools/qvm_start_daemon.py
+++ b/qubesadmin/tools/qvm_start_daemon.py
@@ -508,7 +508,7 @@ def main(args=None):
     if args.watch and 'guivm-gui-agent' in enabled_services:
         args.set_keyboard_layout = True
     if args.set_keyboard_layout or os.path.exists('/etc/qubes-release'):
-        guivm = args.app.domains[args.app.local_name]
+        guivm = args.app.domains.get_blind(args.app.local_name)
         set_keyboard_layout(guivm)
     launcher = DAEMONLauncher(args.app)
     if args.watch: