From 10c6697050b428f8d8d55c9ad514861f56c5260a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
Date: Sun, 13 Aug 2017 02:40:28 +0200
Subject: [PATCH] qubespolicy/graph: let --target option filter on actual call target
Not on what VM can ask for (which may be later overriden by target= option).
Fixes QubesOS/qubes-issues#3006
---
 qubespolicy/graph.py | 23 +++++++++++------------
 1 file changed, 11 insertions(+), 12 deletions(-)
diff --git a/qubespolicy/graph.py b/qubespolicy/graph.py
index eff64bcb..159de772 100644
--- a/qubespolicy/graph.py
+++ b/qubespolicy/graph.py
@@ -52,17 +52,19 @@ def handle_single_action(args, action):
 service = ''
 else:
 service = action.service
+ target = action.target or action.original_target
+ # handle forced target=
+ if action.rule.override_target:
+ target = action.rule.override_target
+ if args.target and target not in args.target:
+ return ''
 if action.action == qubespolicy.Action.ask:
 if args.include_ask:
- # handle forced target=
- if len(action.targets_for_ask) == 1:
- return ' "{}" -> "{}" [label="{}" color=orange];\n'.format(
- action.source, action.targets_for_ask[0], service)
 return ' "{}" -> "{}" [label="{}" color=orange];\n'.format(
- action.source, action.original_target, service)
+ action.source, target, service)
 elif action.action == qubespolicy.Action.allow:
 return ' "{}" -> "{}" [label="{}" color=red];\n'.format(
- action.source, action.target, service)
+ action.source, target, service)
 return ''
 def main(args=None):
@@ -83,12 +85,9 @@ def main(args=None):
 sources = args.source
 targets = list(system_info['domains'].keys())
- if args.target:
- targets = args.target
- else:
- targets.append('$dispvm')
- targets.extend('$dispvm:' + dom for dom in system_info['domains']
- if system_info['domains'][dom]['dispvm_allowed'])
+ targets.append('$dispvm')
+ targets.extend('$dispvm:' + dom for dom in system_info['domains']
+ if system_info['domains'][dom]['dispvm_allowed'])
 connections = set()
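Review bot: In the `ask` branch of `handle_single_action`, both the drawn edge and the new `--target` filter now follow `action.target` whenever it is set, whereas the removed code drew the arrow to `action.original_target` unless `targets_for_ask` had exactly one entry. If `action.target` can be populated for an ask action (for example with a pre-selected default for the confirmation prompt; this is not visible in the hunk), calls that the user could still send to the requested qube would be drawn and filtered as if they only went to that default, so a policy audit run with `--target` could miss them. Consider keeping the requested target for ask actions before the `override_target` check, e.g. `target = action.original_target if action.action == qubespolicy.Action.ask else action.target`. The intent is also worth a comment, such as `# filter on the effective target: a forced target= wins over what the caller asked for`. The function starts above the hunk, so how `service` and `action` are prepared was not reviewed.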