qubespolicy: translate '' target to '@default' earlier

Translate empty target to '@default' keyword earlier, so that
original_target will report '@default' instead of ''. The latter is
rejected by qubes-rpc-multiplexer when the call is directed to dom0,
because it expects to get non-empty arguments about original
target.

qubespolicy/__init__.py

@@ -237,7 +237,7 @@ class PolicyRule(object):
 
         # not specified target matches only with @default and @anyvm policy
         # entry
-        if value == '@default' or value == '':
+        if value == '@default':
             return policy_value in ('@default', '@anyvm')
 
         # if specific target used, check if it's valid
@@ -642,6 +642,8 @@ class Policy(object):
         :return tuple(rule, considered_targets) - where considered targets is a
         list of possible targets for 'ask' action (rule.action == Action.ask)
         '''
+        if target == '':
+            target = '@default'
         rule = self.find_matching_rule(system_info, source, target)
         if rule.action == Action.deny:
             raise AccessDenied(

qubespolicy/tests/__init__.py

@@ -254,8 +254,6 @@ class TC_00_PolicyRule(qubes.tests.QubesTestCase):
         is_match_single = qubespolicy.PolicyRule.is_match_single
         self.assertTrue(is_match_single(system_info, '@anyvm', 'test-vm1'))
         self.assertTrue(is_match_single(system_info, '@anyvm', '@default'))
-        self.assertTrue(is_match_single(system_info, '@anyvm', ''))
-        self.assertTrue(is_match_single(system_info, '@default', ''))
         self.assertTrue(is_match_single(system_info, '@default', '@default'))
         self.assertTrue(is_match_single(system_info, '@tag:tag1', 'test-vm1'))
         self.assertTrue(is_match_single(system_info, '@type:AppVM', 'test-vm1'))
@@ -679,9 +677,7 @@ class TC_20_Policy(qubes.tests.QubesTestCase):
             system_info, 'test-vm2', 'test-no-dvm'), policy.policy_rules[2])
         # @anyvm matches @default too
         self.assertEqual(policy.find_matching_rule(
-            system_info, 'test-vm1', ''), policy.policy_rules[1])
-        self.assertEqual(policy.find_matching_rule(
-            system_info, 'test-vm2', ''), policy.policy_rules[7])
+            system_info, 'test-vm1', '@default'), policy.policy_rules[1])
         self.assertEqual(policy.find_matching_rule(
             system_info, 'test-vm2', '@default'), policy.policy_rules[7])
         self.assertEqual(policy.find_matching_rule(