Qubes/core-admin
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

qubespolicy: translate '' target to '@default' earlier

Browse Source 
Translate empty target to '@default' keyword earlier, so that
original_target will report '@default' instead of ''. The latter is
rejected by qubes-rpc-multiplexer when the call is directed to dom0,
because it expects to get non-empty arguments about original
target.
This commit is contained in:
Marek Marczykowski-Górecki 2018-03-03 03:35:57 +01:00
parent bda9264e19
commit 232a00a2b0
No known key found for this signature in database
GPG Key ID: 063938BA42CFA724
2 changed files with 4 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
qubespolicy/__init__.py
View File

@ -237,7 +237,7 @@ class PolicyRule(object):
# not specified target matches only with @default and @anyvm policy # not specified target matches only with @default and @anyvm policy
# entry # entry
if value == '@default' or value == '': if value == '@default':
return policy_value in ('@default', '@anyvm') return policy_value in ('@default', '@anyvm')
# if specific target used, check if it's valid # if specific target used, check if it's valid
@ -642,6 +642,8 @@ class Policy(object):
:return tuple(rule, considered_targets) - where considered targets is a :return tuple(rule, considered_targets) - where considered targets is a
list of possible targets for 'ask' action (rule.action == Action.ask) list of possible targets for 'ask' action (rule.action == Action.ask)
''' '''
if target == '':
target = '@default'
rule = self.find_matching_rule(system_info, source, target) rule = self.find_matching_rule(system_info, source, target)
if rule.action == Action.deny: if rule.action == Action.deny:
raise AccessDenied( raise AccessDenied(

6
qubespolicy/tests/__init__.py
View File

@ -254,8 +254,6 @@ class TC_00_PolicyRule(qubes.tests.QubesTestCase):
is_match_single = qubespolicy.PolicyRule.is_match_single is_match_single = qubespolicy.PolicyRule.is_match_single
self.assertTrue(is_match_single(system_info, '@anyvm', 'test-vm1')) self.assertTrue(is_match_single(system_info, '@anyvm', 'test-vm1'))
self.assertTrue(is_match_single(system_info, '@anyvm', '@default')) self.assertTrue(is_match_single(system_info, '@anyvm', '@default'))
self.assertTrue(is_match_single(system_info, '@anyvm', ''))
self.assertTrue(is_match_single(system_info, '@default', ''))
self.assertTrue(is_match_single(system_info, '@default', '@default')) self.assertTrue(is_match_single(system_info, '@default', '@default'))
self.assertTrue(is_match_single(system_info, '@tag:tag1', 'test-vm1')) self.assertTrue(is_match_single(system_info, '@tag:tag1', 'test-vm1'))
self.assertTrue(is_match_single(system_info, '@type:AppVM', 'test-vm1')) self.assertTrue(is_match_single(system_info, '@type:AppVM', 'test-vm1'))
@ -679,9 +677,7 @@ class TC_20_Policy(qubes.tests.QubesTestCase):
system_info, 'test-vm2', 'test-no-dvm'), policy.policy_rules[2]) system_info, 'test-vm2', 'test-no-dvm'), policy.policy_rules[2])
# @anyvm matches @default too # @anyvm matches @default too
self.assertEqual(policy.find_matching_rule( self.assertEqual(policy.find_matching_rule(
system_info, 'test-vm1', ''), policy.policy_rules[1]) system_info, 'test-vm1', '@default'), policy.policy_rules[1])
self.assertEqual(policy.find_matching_rule(
system_info, 'test-vm2', ''), policy.policy_rules[7])
self.assertEqual(policy.find_matching_rule( self.assertEqual(policy.find_matching_rule(
system_info, 'test-vm2', '@default'), policy.policy_rules[7]) system_info, 'test-vm2', '@default'), policy.policy_rules[7])
self.assertEqual(policy.find_matching_rule( self.assertEqual(policy.find_matching_rule(