From 8cb831da297e4887ddb34d49df1e25ff81757d03 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
 <marmarek@invisiblethingslab.com>
Date: Mon, 17 Jul 2017 02:42:36 +0200
Subject: [PATCH] ext/admin: allow setting 'created-by-*' tags from dom0

Add an exception for this limit - if for nothing else, to allow full
backup restore (non-paranoid mode).
---
 qubes/ext/admin.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/qubes/ext/admin.py b/qubes/ext/admin.py
index 1c43d3ac..530c6d8a 100644
--- a/qubes/ext/admin.py
+++ b/qubes/ext/admin.py
@@ -19,6 +19,7 @@
 
 import qubes.api
 import qubes.ext
+import qubes.vm.adminvm
 
 class AdminExtension(qubes.ext.Extension):
     # pylint: disable=too-few-public-methods
@@ -28,7 +29,8 @@ class AdminExtension(qubes.ext.Extension):
     def on_tag_set_or_remove(self, vm, event, arg, **kwargs):
         '''Forbid changing specific tags'''
         # pylint: disable=no-self-use,unused-argument
-        if arg.startswith('created-by-'):
+        if arg.startswith('created-by-') and \
+                not isinstance(vm, qubes.vm.adminvm.AdminVM):
             raise qubes.api.PermissionDenied(
                 'changing this tag is prohibited by {}.{}'.format(
                     __name__, type(self).__name__))