From 7159f206a5c0c874742bce60dfae926f9796f04d Mon Sep 17 00:00:00 2001
From: Rusty Bird <rustybird@net-c.com>
Date: Wed, 10 Feb 2021 12:58:00 +0000
Subject: [PATCH] firewall: save firewall.xml with utils.replace_file()

Don't rewrite the file in-place.

Also change the error message from 'save error' to 'firewall save
error'.
---
 qubes/firewall.py | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/qubes/firewall.py b/qubes/firewall.py
index 6f70c8f1..b3b0a3af 100644
--- a/qubes/firewall.py
+++ b/qubes/firewall.py
@@ -31,6 +31,7 @@ import asyncio
 import lxml.etree
 
 import qubes
+import qubes.utils
 import qubes.vm.qubesvm
 
 
@@ -577,14 +578,13 @@ class Firewall:
         xml_tree = lxml.etree.ElementTree(xml_root)
 
         try:
-            old_umask = os.umask(0o002)
-            with open(firewall_conf, 'wb') as firewall_xml:
-                xml_tree.write(firewall_xml, encoding="UTF-8",
-                    pretty_print=True)
-            os.umask(old_umask)
+            with qubes.utils.replace_file(firewall_conf,
+                                          permissions=0o664) as tmp_io:
+                xml_tree.write(tmp_io, encoding='UTF-8', pretty_print=True)
         except EnvironmentError as err:
-            self.vm.log.error("save error: {}".format(err))
-            raise qubes.exc.QubesException('save error: {}'.format(err))
+            msg='firewall save error: {}'.format(err)
+            self.vm.log.error(msg)
+            raise qubes.exc.QubesException(msg)
 
         self.vm.fire_event('firewall-changed')