qubespolicy: translate '' target to '@default' earlier
Translate empty target to '@default' keyword earlier, so that original_target will report '@default' instead of ''. The latter is rejected by qubes-rpc-multiplexer when the call is directed to dom0, because it expects to get non-empty arguments about original target.
parent
bda9264e19
commit
232a00a2b0
@ -237,7 +237,7 @@ class PolicyRule(object):
|
|||||||
|
|
||||||
# not specified target matches only with @default and @anyvm policy
|
# not specified target matches only with @default and @anyvm policy
|
||||||
# entry
|
# entry
|
||||||
if value == '@default' or value == '':
|
if value == '@default':
|
||||||
return policy_value in ('@default', '@anyvm')
|
return policy_value in ('@default', '@anyvm')
|
||||||
|
|
||||||
# if specific target used, check if it's valid
|
# if specific target used, check if it's valid
|
||||||
@ -642,6 +642,8 @@ class Policy(object):
|
|||||||
:return tuple(rule, considered_targets) - where considered targets is a
|
:return tuple(rule, considered_targets) - where considered targets is a
|
||||||
list of possible targets for 'ask' action (rule.action == Action.ask)
|
list of possible targets for 'ask' action (rule.action == Action.ask)
|
||||||
'''
|
'''
|
||||||
|
if target == '':
|
||||||
|
target = '@default'
|
||||||
rule = self.find_matching_rule(system_info, source, target)
|
rule = self.find_matching_rule(system_info, source, target)
|
||||||
if rule.action == Action.deny:
|
if rule.action == Action.deny:
|
||||||
raise AccessDenied(
|
raise AccessDenied(
|
||||||
|
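Review bot: The empty-target translation now lives only in the `Policy` method patched in the second hunk (its signature is outside the hunk), so `find_matching_rule` and `PolicyRule.is_match_single` no longer treat `''` as `@default` when reached by any other path. After the first hunk an empty value falls through to the "specific target" branch, whose validity check is outside the hunk. Whether that check rejects `''` cannot be confirmed from here, and a policy decision should not depend on it implicitly. I would state the contract at the changed condition, e.g. `# callers must translate '' to '@default' before matching`. Also consider failing closed there with `if value == '': return False`, so that an untranslated empty target matches no rule.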
@ -254,8 +254,6 @@ class TC_00_PolicyRule(qubes.tests.QubesTestCase):
|
|||||||
is_match_single = qubespolicy.PolicyRule.is_match_single
|
is_match_single = qubespolicy.PolicyRule.is_match_single
|
||||||
self.assertTrue(is_match_single(system_info, '@anyvm', 'test-vm1'))
|
self.assertTrue(is_match_single(system_info, '@anyvm', 'test-vm1'))
|
||||||
self.assertTrue(is_match_single(system_info, '@anyvm', '@default'))
|
self.assertTrue(is_match_single(system_info, '@anyvm', '@default'))
|
||||||
self.assertTrue(is_match_single(system_info, '@anyvm', ''))
|
|
||||||
self.assertTrue(is_match_single(system_info, '@default', ''))
|
|
||||||
self.assertTrue(is_match_single(system_info, '@default', '@default'))
|
self.assertTrue(is_match_single(system_info, '@default', '@default'))
|
||||||
self.assertTrue(is_match_single(system_info, '@tag:tag1', 'test-vm1'))
|
self.assertTrue(is_match_single(system_info, '@tag:tag1', 'test-vm1'))
|
||||||
self.assertTrue(is_match_single(system_info, '@type:AppVM', 'test-vm1'))
|
self.assertTrue(is_match_single(system_info, '@type:AppVM', 'test-vm1'))
|
||||||
@ -679,9 +677,7 @@ class TC_20_Policy(qubes.tests.QubesTestCase):
|
|||||||
system_info, 'test-vm2', 'test-no-dvm'), policy.policy_rules[2])
|
system_info, 'test-vm2', 'test-no-dvm'), policy.policy_rules[2])
|
||||||
# @anyvm matches @default too
|
# @anyvm matches @default too
|
||||||
self.assertEqual(policy.find_matching_rule(
|
self.assertEqual(policy.find_matching_rule(
|
||||||
system_info, 'test-vm1', ''), policy.policy_rules[1])
|
system_info, 'test-vm1', '@default'), policy.policy_rules[1])
|
||||||
self.assertEqual(policy.find_matching_rule(
|
|
||||||
system_info, 'test-vm2', ''), policy.policy_rules[7])
|
|
||||||
self.assertEqual(policy.find_matching_rule(
|
self.assertEqual(policy.find_matching_rule(
|
||||||
system_info, 'test-vm2', '@default'), policy.policy_rules[7])
|
system_info, 'test-vm2', '@default'), policy.policy_rules[7])
|
||||||
self.assertEqual(policy.find_matching_rule(
|
self.assertEqual(policy.find_matching_rule(
|
||||||
|
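Review bot: Both test hunks drop the `''` assertions instead of pinning the new contract, so nothing visible checks that the `Policy` entry point translates an empty target or that the matcher no longer accepts one. The lines removed from `TC_00_PolicyRule` could stay as negative checks, e.g. `self.assertFalse(is_match_single(system_info, '@anyvm', ''))` and the same for `'@default'`, assuming the validity check outside the hunk returns False for an empty name. A test that calls the patched `Policy` method with an empty target and asserts that `original_target` is `'@default'` would cover the dom0 rejection described in the commit message. Such a test may already exist outside these hunks.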