tests: check '$anyvm' parsing in qrexec policy

Regression test for QubesOS/qubes-issues#2031
Marek Marczykowski-Górecki 2016-11-18 03:15:08 +01:00
parent 85f6ff9ded
commit 68a116e8a3
No known key found for this signature in database
GPG Key ID: 063938BA42CFA724


@ -1007,6 +1007,44 @@ class TC_00_AppVMMixin(qubes.tests.SystemTestsMixin):
if vm_image != dom0_image:
self.fail("Dom0 window doesn't match VM window content")
class TC_10_Generic(qubes.tests.SystemTestsMixin, qubes.tests.QubesTestCase):
def setUp(self):
super(TC_10_Generic, self).setUp()
self.vm = self.qc.add_new_vm(
"QubesAppVm",
name=self.make_vm_name('vm'),
template=self.qc.get_default_template())
self.vm.create_on_disk(verbose=False)
self.save_and_reload_db()
self.qc.unlock_db()
self.vm = self.qc[self.vm.qid]
def test_000_anyvm_deny_dom0(self):
'''$anyvm in policy should not match dom0'''
policy = open("/etc/qubes-rpc/policy/test.AnyvmDeny", "w")
policy.write("%s $anyvm allow" % (self.vm.name,))
policy.close()
self.addCleanup(os.unlink, "/etc/qubes-rpc/policy/test.AnyvmDeny")
flagfile = '/tmp/test-anyvmdeny-flag'
if os.path.exists(flagfile):
os.remove(flagfile)
with open('/etc/qubes-rpc/test.AnyvmDeny', 'w') as f:
f.write('touch {}\n'.format(flagfile))
f.write('echo service output\n')
self.addCleanup(os.unlink, "/etc/qubes-rpc/test.AnyvmDeny")
self.vm.start(verbose=False)
p = self.vm.run("/usr/lib/qubes/qrexec-client-vm dom0 test.AnyvmDeny",
passio_popen=True, passio_stderr=True)
(stdout, stderr) = p.communicate()
self.assertEqual(p.returncode, 1,
'$anyvm matched dom0, qrexec-client-vm output: {}'.
format(stdout + stderr))
self.assertFalse(os.path.exists(flagfile),
'Flag file created (service was run) even though should be denied,'
' qrexec-client-vm output: {}'.format(stdout + stderr))
def load_tests(loader, tests, pattern):
try:
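Review bot: In `test_000_anyvm_deny_dom0` the `$anyvm allow` rule is written into dom0's live policy directory before its cleanup is registered, and the handle is opened without a context manager, so an exception from `policy.write(...)` would leave the permissive rule file behind in `/etc/qubes-rpc/policy/`. Opening it as `with open("/etc/qubes-rpc/policy/test.AnyvmDeny", "w") as policy:` and calling `self.addCleanup(os.unlink, "/etc/qubes-rpc/policy/test.AnyvmDeny")` as the first statement inside that block, before the write, closes that window. The flag file is a fixed path under `/tmp` and is only removed at the start of the next run, so a failing run (the case where the service did execute in dom0) leaves it in place. A registered cleanup that removes it when present would keep runs independent. A short comment above the `assertEqual(p.returncode, 1, ...)` saying that the flag-file assertion is the authoritative check that the service never ran would also help, since the exit code alone does not show why the call failed.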