qubespolicy: unify calling qrexec service

Rely on qrexec-client resolving the QUBESRPC keyword, same as in the case
of a VM call. This will allow applying special treatment to such calls,
like calling qubes-rpc-multiplexer directly (avoiding the shell), because
we have a defined protocol that can be used here.
Marek Marczykowski-Górecki 2018-02-16 04:30:32 +01:00
parent b00bbb73e4
commit 7c50bd5104
No known key found for this signature in database
GPG Key ID: 063938BA42CFA724


@ -29,7 +29,6 @@ import subprocess
# don't import 'qubes.config' please, it takes 0.3s # don't import 'qubes.config' please, it takes 0.3s
QREXEC_CLIENT = '/usr/lib/qubes/qrexec-client' QREXEC_CLIENT = '/usr/lib/qubes/qrexec-client'
QUBES_RPC_MULTIPLEXER_PATH = '/usr/lib/qubes/qubes-rpc-multiplexer'
POLICY_DIR = '/etc/qubes-rpc/policy' POLICY_DIR = '/etc/qubes-rpc/policy'
QUBESD_INTERNAL_SOCK = '/var/run/qubesd.internal.sock' QUBESD_INTERNAL_SOCK = '/var/run/qubesd.internal.sock'
QUBESD_SOCK = '/var/run/qubesd.sock' QUBESD_SOCK = '/var/run/qubesd.sock'
@ -450,11 +449,11 @@ class PolicyAction(object):
if self.target == '$adminvm': if self.target == '$adminvm':
self.target = 'dom0' self.target = 'dom0'
if self.target == 'dom0': if self.target == 'dom0':
cmd = '{multiplexer} {service} {source} {original_target}'.format( cmd = \
multiplexer=QUBES_RPC_MULTIPLEXER_PATH, 'QUBESRPC {service} {source} {original_target}'.format(
service=self.service, service=self.service,
source=self.source, source=self.source,
original_target=self.original_target) original_target=self.original_target)
else: else:
cmd = '{user}:QUBESRPC {service} {source}'.format( cmd = '{user}:QUBESRPC {service} {source}'.format(
user=(self.rule.override_user or 'DEFAULT'), user=(self.rule.override_user or 'DEFAULT'),
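Review bot: In the dom0 branch the new `'QUBESRPC {service} {source} {original_target}'.format(...)` string interpolates all three fields unquoted into a space-delimited command. The description says only that this change will later allow bypassing the shell, so until then whitespace or a shell metacharacter in any field could change how the command is split or interpreted. The hunk does not show where `self.service`, `self.source` and `self.original_target` are validated (presumably earlier), so I would state the assumption at the point of use, e.g. `# service/source/original_target are already-validated names (no whitespace or shell metacharacters); qrexec-client resolves the QUBESRPC keyword`. A short comment on why this branch has no `user:` prefix while the VM branch uses `{user}:QUBESRPC` would also help the next reader. The enclosing method starts and ends outside the hunk.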