qubespolicy/graph: let --target option filter on actual call target

Not on what VM can ask for (which may be later overriden by target=
option).

Fixes QubesOS/qubes-issues#3006

qubespolicy/graph.py

@@ -52,17 +52,19 @@ def handle_single_action(args, action):
         service = ''
     else:
         service = action.service
+    target = action.target or action.original_target
+    # handle forced target=
+    if action.rule.override_target:
+        target = action.rule.override_target
+    if args.target and target not in args.target:
+        return ''
     if action.action == qubespolicy.Action.ask:
         if args.include_ask:
-            # handle forced target=
-            if len(action.targets_for_ask) == 1:
-                return '  "{}" -> "{}" [label="{}" color=orange];\n'.format(
-                    action.source, action.targets_for_ask[0], service)
             return '  "{}" -> "{}" [label="{}" color=orange];\n'.format(
-                action.source, action.original_target, service)
+                action.source, target, service)
     elif action.action == qubespolicy.Action.allow:
         return '  "{}" -> "{}" [label="{}" color=red];\n'.format(
-                action.source, action.target, service)
+                action.source, target, service)
     return ''
 
 def main(args=None):
@@ -83,12 +85,9 @@ def main(args=None):
         sources = args.source
 
     targets = list(system_info['domains'].keys())
-    if args.target:
+    targets.append('$dispvm')
-        targets = args.target
+    targets.extend('$dispvm:' + dom for dom in system_info['domains']
-    else:
+        if system_info['domains'][dom]['dispvm_allowed'])
-        targets.append('$dispvm')
-        targets.extend('$dispvm:' + dom for dom in system_info['domains']
-            if system_info['domains'][dom]['dispvm_allowed'])
 
     connections = set()