Qubes/core-admin
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

qubespolicy: fix handling allow rule to '$dispvm'

Browse Source 
When rule does not specify forced target (`target=...`), generic
`$dispvm` wasn't resolved to specific Disposable VM (based on
`default_dispvm` property).
This commit is contained in:
Marek Marczykowski-Górecki 2017-06-27 05:30:40 +02:00
parent a96a85bdc9
commit e8e30c8bdf
No known key found for this signature in database
GPG Key ID: 063938BA42CFA724
2 changed files with 22 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
qubespolicy/__init__.py
View File

@ -607,6 +607,15 @@ class Policy(object):
'policy define \'allow\' action at {}:{} but no target is ' 'policy define \'allow\' action at {}:{} but no target is '
'specified by caller or policy'.format( 'specified by caller or policy'.format(
rule.filename, rule.lineno)) rule.filename, rule.lineno))
if actual_target == '$dispvm':
if system_info['domains'][source]['default_dispvm'] is None:
raise AccessDenied(
'policy define \'allow\' action to $dispvm at {}:{} '
'but no DispVM base is set for this VM'.format(
rule.filename, rule.lineno))
actual_target = '$dispvm:' + \
system_info['domains'][source]['default_dispvm']
return PolicyAction(self.service, source, return PolicyAction(self.service, source,
actual_target, rule, target) actual_target, rule, target)
else: else:

13
qubespolicy/tests/__init__.py
View File

@ -725,6 +725,19 @@ class TC_20_Policy(qubes.tests.QubesTestCase):
'default-dvm', '$dispvm:default-dvm', 'test-invalid-dvm', 'default-dvm', '$dispvm:default-dvm', 'test-invalid-dvm',
'test-no-dvm', 'test-template', 'test-standalone']) 'test-no-dvm', 'test-template', 'test-standalone'])
def test_034_eval_resolve_dispvm(self):
with open(os.path.join(tmp_policy_dir, 'test.service'), 'w') as f:
f.write('test-vm3 $dispvm allow\n')
policy = qubespolicy.Policy('test.service', tmp_policy_dir)
action = policy.evaluate(system_info, 'test-vm3', '$dispvm')
self.assertEqual(action.rule, policy.policy_rules[0])
self.assertEqual(action.action, qubespolicy.Action.allow)
self.assertEqual(action.target, '$dispvm:default-dvm')
self.assertEqual(action.original_target, '$dispvm')
self.assertEqual(action.service, 'test.service')
self.assertIsNone(action.targets_for_ask)
class TC_30_Misc(qubes.tests.QubesTestCase): class TC_30_Misc(qubes.tests.QubesTestCase):
@unittest.mock.patch('socket.socket') @unittest.mock.patch('socket.socket')