qubespolicy: unify calling qrexec service
Rely on qrexec-client resolving the QUBESRPC keyword, same as in the case of a VM call. This will allow applying special treatment to such calls, like calling qubes-rpc-multiplexer directly (avoiding the shell), because we have a defined protocol for what can be used here.
parent
b00bbb73e4
commit
7c50bd5104
@ -29,7 +29,6 @@ import subprocess
|
|||||||
|
|
||||||
# don't import 'qubes.config' please, it takes 0.3s
|
# don't import 'qubes.config' please, it takes 0.3s
|
||||||
QREXEC_CLIENT = '/usr/lib/qubes/qrexec-client'
|
QREXEC_CLIENT = '/usr/lib/qubes/qrexec-client'
|
||||||
QUBES_RPC_MULTIPLEXER_PATH = '/usr/lib/qubes/qubes-rpc-multiplexer'
|
|
||||||
POLICY_DIR = '/etc/qubes-rpc/policy'
|
POLICY_DIR = '/etc/qubes-rpc/policy'
|
||||||
QUBESD_INTERNAL_SOCK = '/var/run/qubesd.internal.sock'
|
QUBESD_INTERNAL_SOCK = '/var/run/qubesd.internal.sock'
|
||||||
QUBESD_SOCK = '/var/run/qubesd.sock'
|
QUBESD_SOCK = '/var/run/qubesd.sock'
|
||||||
@ -450,11 +449,11 @@ class PolicyAction(object):
|
|||||||
if self.target == '$adminvm':
|
if self.target == '$adminvm':
|
||||||
self.target = 'dom0'
|
self.target = 'dom0'
|
||||||
if self.target == 'dom0':
|
if self.target == 'dom0':
|
||||||
cmd = '{multiplexer} {service} {source} {original_target}'.format(
|
cmd = \
|
||||||
multiplexer=QUBES_RPC_MULTIPLEXER_PATH,
|
'QUBESRPC {service} {source} {original_target}'.format(
|
||||||
service=self.service,
|
service=self.service,
|
||||||
source=self.source,
|
source=self.source,
|
||||||
original_target=self.original_target)
|
original_target=self.original_target)
|
||||||
else:
|
else:
|
||||||
cmd = '{user}:QUBESRPC {service} {source}'.format(
|
cmd = '{user}:QUBESRPC {service} {source}'.format(
|
||||||
user=(self.rule.override_user or 'DEFAULT'),
|
user=(self.rule.override_user or 'DEFAULT'),
|
||||||
|
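Review bot: The new dom0 branch formats `self.service`, `self.source` and `self.original_target` into one space-separated `QUBESRPC ...` string, and no quoting or validation is visible in this hunk. Field splitting therefore depends on checks made elsewhere, and so does safety against shell interpretation for as long as qrexec-client still passes the command through a shell, which the description treats as future work to remove. If these values are validated earlier in policy evaluation, say so at this point, e.g. `# service/source/original_target are validated before this point; qrexec-client resolves QUBESRPC for dom0 calls`. The dom0 form also carries no user field, unlike `{user}:QUBESRPC` in the `else` branch, so `self.rule.override_user` has no effect here; this is presumably intentional, but a one-line comment would make it explicit. The enclosing method starts and ends outside the hunk.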