From 232a00a2b09972403cb86e8c921fd4b292da3e4b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
Date: Sat, 3 Mar 2018 03:35:57 +0100
Subject: [PATCH] qubespolicy: translate '' target to '@default' earlier

Translate empty target to '@default' keyword earlier, so that original_target will report '@default' instead of ''. The latter is rejected by qubes-rpc-multiplexer when the call is directed to dom0, because it expects to get non-empty arguments about original target.
---
 qubespolicy/__init__.py | 4 +++-
 qubespolicy/tests/__init__.py | 6 +-----
 2 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/qubespolicy/__init__.py b/qubespolicy/__init__.py
index 190e3d61..c8c6c042 100755
--- a/qubespolicy/__init__.py
+++ b/qubespolicy/__init__.py
@@ -237,7 +237,7 @@ class PolicyRule(object):
 # not specified target matches only with @default and @anyvm policy
 # entry
- if value == '@default' or value == '':
+ if value == '@default':
 return policy_value in ('@default', '@anyvm')
 # if specific target used, check if it's valid
@@ -642,6 +642,8 @@ class Policy(object):
 :return tuple(rule, considered_targets) - where considered targets is a list of possible targets for 'ask' action (rule.action == Action.ask) '''
+ if target == '':
+ target = '@default'
 rule = self.find_matching_rule(system_info, source, target)
 if rule.action == Action.deny:
 raise AccessDenied(
diff --git a/qubespolicy/tests/__init__.py b/qubespolicy/tests/__init__.py
index 036b4fe5..66cb9e5c 100644
--- a/qubespolicy/tests/__init__.py
+++ b/qubespolicy/tests/__init__.py
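Review bot: In `PolicyRule.is_match_single` (first hunk of `qubespolicy/__init__.py`), an empty `value` no longer takes the `@default` branch and instead falls through to the "if specific target used" validation, which lies outside the hunk. Whether `''` is rejected there or can still match an entry such as `@anyvm` cannot be seen from these lines, so the result for any caller that does not go through `Policy.evaluate` is left implicit. For a policy decision it is safer to state it at this spot, either with an explicit early `if value == '': return False` (if rejecting is the intended result) or with a comment such as `# '' must already be translated to '@default' by the caller, see Policy.evaluate()`.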
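Review bot: The added `if target == '':` / `target = '@default'` at the top of `Policy.evaluate` (second hunk of `qubespolicy/__init__.py`) has no comment, and the docstring just above it does not say that an empty target is accepted and rewritten. The reason is given only in the commit message, so a comment at the site would help, e.g. `# report '@default' as original target; qubes-rpc-multiplexer rejects '' for calls to dom0`. The translation also lives only in this method, so `find_matching_rule`, which the tests call directly, now receives `''` untranslated. The body of `evaluate` starts before and continues past this hunk.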
@@ -254,8 +254,6 @@ class TC_00_PolicyRule(qubes.tests.QubesTestCase):
 is_match_single = qubespolicy.PolicyRule.is_match_single
 self.assertTrue(is_match_single(system_info, '@anyvm', 'test-vm1'))
 self.assertTrue(is_match_single(system_info, '@anyvm', '@default'))
- self.assertTrue(is_match_single(system_info, '@anyvm', ''))
- self.assertTrue(is_match_single(system_info, '@default', ''))
 self.assertTrue(is_match_single(system_info, '@default', '@default'))
 self.assertTrue(is_match_single(system_info, '@tag:tag1', 'test-vm1'))
 self.assertTrue(is_match_single(system_info, '@type:AppVM', 'test-vm1'))
@@ -679,9 +677,7 @@ class TC_20_Policy(qubes.tests.QubesTestCase):
 system_info, 'test-vm2', 'test-no-dvm'), policy.policy_rules[2])
 # @anyvm matches @default too
 self.assertEqual(policy.find_matching_rule(
- system_info, 'test-vm1', ''), policy.policy_rules[1])
- self.assertEqual(policy.find_matching_rule(
- system_info, 'test-vm2', ''), policy.policy_rules[7])
+ system_info, 'test-vm1', '@default'), policy.policy_rules[1])
 self.assertEqual(policy.find_matching_rule(
 system_info, 'test-vm2', '@default'), policy.policy_rules[7])
 self.assertEqual(policy.find_matching_rule(
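Review bot: No test covers the new translation in `Policy.evaluate`: both hunks, in `TC_00_PolicyRule` and in `TC_20_Policy`, only remove or rewrite the assertions that passed `''` as the target, and the diffstat shows a single added line in this file. A test that calls `policy.evaluate(system_info, 'test-vm1', '')` and compares the outcome with the same call using `'@default'` would pin the behaviour the commit is about. It would also be worth keeping one assertion on `is_match_single(system_info, '@anyvm', '')` with whatever result is now intended, so that the handling of an untranslated empty target stays fixed by a test rather than by the code that follows the `@default` branch.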