qubespolicy: fix handling '$adminvm' target with ask action

All policy keywords needs to be expanded before sending it to confirmation dialog. $dispvm was already handled, but $adminvm was missing Fixes QubesOS/qubes-issues#3283
2017-11-06 14:37:08 +01:00 · 2017-11-06 14:37:08 +01:00 · d3cc2d50e3
commit d3cc2d50e3
parent 227378f2b3
2 changed files with 7 additions and 1 deletions
--- a/qubespolicy/init.py
+++ b/qubespolicy/init.py
@ -617,6 +617,11 @@ class Policy(object):
                if verify_target_value(system_info, dispvm):
                    targets.add(dispvm)

+        # expand other keywords
+        if '$adminvm' in targets:
+            targets.remove('$adminvm')
+            targets.add('dom0')
+
        return targets

    def evaluate(self, system_info, source, target):
--- a/qubespolicy/tests/init.py
+++ b/qubespolicy/tests/init.py
@ -685,6 +685,7 @@ class TC_20_Policy(qubes.tests.QubesTestCase):
            f.write('$tag:tag1 $type:AppVM allow\n')
            f.write('test-no-dvm $dispvm allow\n')
            f.write('test-standalone $dispvm allow\n')
+            f.write('test-standalone $adminvm allow\n')
        policy = qubespolicy.Policy('test.service', tmp_policy_dir)
        self.assertCountEqual(policy.collect_targets_for_ask(system_info,
            'test-vm1'), ['test-vm1', 'test-vm2', 'test-vm3',
@ -698,7 +699,7 @@ class TC_20_Policy(qubes.tests.QubesTestCase):
        self.assertCountEqual(policy.collect_targets_for_ask(system_info,
            'test-standalone'), ['test-vm1', 'test-vm2', 'test-vm3',
            'default-dvm', 'test-no-dvm', 'test-invalid-dvm',
-            '$dispvm:default-dvm'])
+            '$dispvm:default-dvm', 'dom0'])
        self.assertCountEqual(policy.collect_targets_for_ask(system_info,
            'test-no-dvm'), [])