ext/admin: allow setting 'created-by-*' tags from dom0

Add an exception for this limit - if for nothing else, to allow full backup restore (non-paranoid mode).
2017-07-17 02:42:36 +02:00 · 2017-07-17 02:42:36 +02:00 · 8cb831da29
commit 8cb831da29
parent cbc7241a93
1 changed files with 3 additions and 1 deletions
--- a/qubes/ext/admin.py
+++ b/qubes/ext/admin.py
@ -19,6 +19,7 @@

 import qubes.api
 import qubes.ext
+import qubes.vm.adminvm

 class AdminExtension(qubes.ext.Extension):
    # pylint: disable=too-few-public-methods
@ -28,7 +29,8 @@ class AdminExtension(qubes.ext.Extension):
    def on_tag_set_or_remove(self, vm, event, arg, **kwargs):
        '''Forbid changing specific tags'''
        # pylint: disable=no-self-use,unused-argument
-        if arg.startswith('created-by-'):
+        if arg.startswith('created-by-') and \
+                not isinstance(vm, qubes.vm.adminvm.AdminVM):
            raise qubes.api.PermissionDenied(
                'changing this tag is prohibited by {}.{}'.format(
                    __name__, type(self).__name__))