
qubespolicy: use separate arguments for original target type and value

Provide original target as two arguments: type, value
This will ease handling special keywords without risking hitting shell
special characters or other problems.
Marek Marczykowski-Górecki vor 6 Jahren
Ursprung
Commit
c87fcd7e2e
2 geänderte Dateien mit 25 neuen und 4 gelöschten Zeilen
  1. 11 2
      qubespolicy/__init__.py
  2. 14 2
      qubespolicy/tests/__init__.py

+ 11 - 2
qubespolicy/__init__.py

@@ -58,6 +58,10 @@ class Action(enum.Enum):
     deny = 2
     ask = 3
 
+def is_special_value(value):
+    '''Check if given source/target specification is special (keyword) value
+    '''
+    return value.startswith('$')
 
 def verify_target_value(system_info, value):
     ''' Check if given value names valid target
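Review bot: The docstring of is_special_value() should state that it is a prefix test only, since it returns True for any string starting with `$`, including an unknown keyword or a bare `$`. A caller could otherwise read a True result as "this is a valid keyword". Suggested wording: `'''Return True if value uses keyword syntax (starts with '$'); does not check that the keyword is known.'''`. The function also assumes value is a str, so a None would raise AttributeError; if callers can pass one, that is worth a line in the docstring too.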
@@ -449,11 +453,16 @@ class PolicyAction(object):
         if self.target == '$adminvm':
             self.target = 'dom0'
         if self.target == 'dom0':
+            original_target_type = \
+                'keyword' if is_special_value(self.original_target) else 'name'
+            original_target = self.original_target.lstrip('$')
             cmd = \
-                'QUBESRPC {service} {source} {original_target}'.format(
+                'QUBESRPC {service} {source} {original_target_type} ' \
+                '{original_target}'.format(
                     service=self.service,
                     source=self.source,
-                    original_target=self.original_target)
+                    original_target_type=original_target_type,
+                    original_target=original_target)
         else:
             cmd = '{user}:QUBESRPC {service} {source}'.format(
                 user=(self.rule.override_user or 'DEFAULT'),
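Review bot: `self.original_target.lstrip('$')` removes every leading `$`, not just the keyword marker, so `$$adminvm` and `$adminvm` are both forwarded as `keyword adminvm`, and a bare `$` is forwarded as a keyword with an empty value. Since is_special_value() has already established the prefix, strip exactly one character: `original_target = self.original_target[1:] if original_target_type == 'keyword' else self.original_target`. The result is still joined into a space-separated command string, so if original_target is not validated before this point (not visible in this hunk), an empty value or one containing whitespace should be rejected here. The enclosing method starts and ends outside the hunk.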

+ 14 - 2
qubespolicy/tests/__init__.py

@@ -514,8 +514,20 @@ class TC_10_PolicyAction(qubes.tests.QubesTestCase):
         self.assertEqual(mock_subprocess.mock_calls,
             [unittest.mock.call([qubespolicy.QREXEC_CLIENT, '-d', 'dom0',
              '-c', 'some-ident',
-             qubespolicy.QUBES_RPC_MULTIPLEXER_PATH +
-             ' test.service test-vm1 dom0'])])
+             'QUBESRPC test.service test-vm1 name dom0'])])
+
+    @unittest.mock.patch('qubespolicy.qubesd_call')
+    @unittest.mock.patch('subprocess.call')
+    def test_021_execute_dom0_keyword(self, mock_subprocess, mock_qubesd_call):
+        rule = qubespolicy.PolicyRule('$anyvm dom0 allow')
+        action = qubespolicy.PolicyAction('test.service', 'test-vm1',
+            'dom0', rule, '$adminvm')
+        action.execute('some-ident')
+        self.assertEqual(mock_qubesd_call.mock_calls, [])
+        self.assertEqual(mock_subprocess.mock_calls,
+            [unittest.mock.call([qubespolicy.QREXEC_CLIENT, '-d', 'dom0',
+             '-c', 'some-ident',
+             'QUBESRPC test.service test-vm1 keyword adminvm'])])
 
     @unittest.mock.patch('qubespolicy.qubesd_call')
     @unittest.mock.patch('subprocess.call')
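Review bot: test_021_execute_dom0_keyword covers only the well-formed `$adminvm` case, so the prefix-stripping behaviour for edge inputs is not pinned by any test. Consider adding cases whose original target is `'$$adminvm'` or `'$'` (constructed examples) and asserting exactly what reaches `subprocess.call`. A later change to the keyword handling then cannot silently alter the command line handed to dom0. A one-line docstring on the new test saying which argument is the original target would also help, since the positional `'dom0', rule, '$adminvm'` is easy to misread.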