From 8a8674bb577c3599be210f3840483e8cb248d752 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
 <marmarek@invisiblethingslab.com>
Date: Sun, 30 Jul 2017 18:34:43 +0200
Subject: [PATCH] ext/core_features: add handling 'qubes-firewall' feature
 request

VM (template) can announce whether it support enforcing firewall rules
or not.

Fixes QubesOS/qubes-issues#2003
---
 qubes/ext/core_features.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/qubes/ext/core_features.py b/qubes/ext/core_features.py
index 7cd18272..ad3c1447 100644
--- a/qubes/ext/core_features.py
+++ b/qubes/ext/core_features.py
@@ -32,7 +32,7 @@ class CoreFeatures(qubes.ext.Extension):
             return
 
         requested_features = {}
-        for feature in ('qrexec', 'gui'):
+        for feature in ('qrexec', 'gui', 'qubes-firewall'):
             untrusted_value = untrusted_features.get(feature, None)
             if untrusted_value in ('1', '0'):
                 requested_features[feature] = bool(int(untrusted_value))
@@ -50,6 +50,11 @@ class CoreFeatures(qubes.ext.Extension):
             if feature in requested_features and feature not in vm.features:
                 vm.features[feature] = requested_features[feature]
 
+        # those features can be freely enabled or disabled by template
+        for feature in ('qubes-firewall',):
+            if feature in requested_features:
+                vm.features[feature] = requested_features[feature]
+
         if not qrexec_before and vm.features.get('qrexec', False):
             # if this is the first time qrexec was advertised, now can finish
             #  template setup