qubespolicy: fix handling '$adminvm' target with ask action

All policy keywords needs to be expanded before sending it to
confirmation dialog. $dispvm was already handled, but $adminvm was
missing

Fixes QubesOS/qubes-issues#3283
This commit is contained in:
Marek Marczykowski-Górecki 2017-11-06 14:37:08 +01:00
parent 227378f2b3
commit d3cc2d50e3
No known key found for this signature in database
GPG Key ID: 063938BA42CFA724
2 changed files with 7 additions and 1 deletions

View File

@ -617,6 +617,11 @@ class Policy(object):
if verify_target_value(system_info, dispvm): if verify_target_value(system_info, dispvm):
targets.add(dispvm) targets.add(dispvm)
# expand other keywords
if '$adminvm' in targets:
targets.remove('$adminvm')
targets.add('dom0')
return targets return targets
def evaluate(self, system_info, source, target): def evaluate(self, system_info, source, target):

View File

@ -685,6 +685,7 @@ class TC_20_Policy(qubes.tests.QubesTestCase):
f.write('$tag:tag1 $type:AppVM allow\n') f.write('$tag:tag1 $type:AppVM allow\n')
f.write('test-no-dvm $dispvm allow\n') f.write('test-no-dvm $dispvm allow\n')
f.write('test-standalone $dispvm allow\n') f.write('test-standalone $dispvm allow\n')
f.write('test-standalone $adminvm allow\n')
policy = qubespolicy.Policy('test.service', tmp_policy_dir) policy = qubespolicy.Policy('test.service', tmp_policy_dir)
self.assertCountEqual(policy.collect_targets_for_ask(system_info, self.assertCountEqual(policy.collect_targets_for_ask(system_info,
'test-vm1'), ['test-vm1', 'test-vm2', 'test-vm3', 'test-vm1'), ['test-vm1', 'test-vm2', 'test-vm3',
@ -698,7 +699,7 @@ class TC_20_Policy(qubes.tests.QubesTestCase):
self.assertCountEqual(policy.collect_targets_for_ask(system_info, self.assertCountEqual(policy.collect_targets_for_ask(system_info,
'test-standalone'), ['test-vm1', 'test-vm2', 'test-vm3', 'test-standalone'), ['test-vm1', 'test-vm2', 'test-vm3',
'default-dvm', 'test-no-dvm', 'test-invalid-dvm', 'default-dvm', 'test-no-dvm', 'test-invalid-dvm',
'$dispvm:default-dvm']) '$dispvm:default-dvm', 'dom0'])
self.assertCountEqual(policy.collect_targets_for_ask(system_info, self.assertCountEqual(policy.collect_targets_for_ask(system_info,
'test-no-dvm'), []) 'test-no-dvm'), [])