
api: improve handling destination removed just before the call

There are cases when destination domain doesn't exist when the call gets
to qubesd. Namely:
 1. The call comes from dom0, which bypasses qrexec policy
 2. Domain was removed between checking the policy and here
Handle it the same way as if the domain wouldn't exist at policy
evaluation stage either - i.e. refuse the call.

On the client side it doesn't change much, but on the server call it
avoids ugly, useless tracebacks in system journal.

Fixes QubesOS/qubes-issues#5105
Marek Marczykowski-Górecki 4 years ago
parent
commit
eb39f69882
1 changed file with 11 additions and 2 deletions
  1. qubes/api/__init__.py (11 additions, 2 deletions)
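The two paths the commit message describes (a dom0 caller that never went through qrexec policy, and a destination removed between the policy check and qubesd) are easier to see with a small model of the call flow. The following is an added example, not code from qubes-core-admin: `PermissionDenied`, `policy_allows`, `ApiCall`, `dispatch` and the domain table are hypothetical stand-ins constructed for illustration. It mirrors the shape of the patched constructor (resolve `src`, resolve `dest` inside a `try`, map `KeyError` to `PermissionDenied`) and shows that a client observes the same error class whether the policy refused the call or the domain vanished in flight.

```python
# Added example (not code from qubes-core-admin): a minimal model of qrexec
# policy evaluation followed by the qubesd-side handler, showing why a
# destination that disappears between the two is refused as PermissionDenied
# rather than surfacing as a KeyError traceback.
# All names below are hypothetical stand-ins constructed for this example.


class PermissionDenied(Exception):
    """Hypothetical stand-in for qubes.api.PermissionDenied."""


def sample_domains():
    """Constructed stand-in for app.domains: a name -> domain-object mapping."""
    return {'dom0': 'dom0', 'work': 'vm:work', 'personal': 'vm:personal'}


def policy_allows(domains, src, dest):
    """Hypothetical qrexec policy: allow any call whose destination exists.

    dom0 never reaches this function; dispatch() skips it for dom0 callers,
    matching case 1 in the commit message.
    """
    return dest in domains


class ApiCall:
    """Models AbstractQubesAPI.__init__ after the patch: resolve src and dest
    names to domain objects, converting a missing destination into the same
    error the policy would have produced."""

    def __init__(self, domains, src, dest, arg):
        self.src = domains[src.decode('ascii')]
        try:
            self.dest = domains[dest.decode('ascii')]
        except KeyError:
            # Either not filtered by policy (dom0 caller) or removed after
            # the policy check: refuse uniformly instead of leaking KeyError.
            raise PermissionDenied(
                'destination domain does not exist') from None
        self.arg = arg.decode('ascii')


def dispatch(domains, src, dest, arg, remove_dest_before_call=False):
    """Simulates the whole path: policy evaluation (bypassed for dom0), an
    optional racing removal of the destination, then the qubesd handler.

    Returns 'ok', 'denied-by-policy' or 'denied-by-qubesd' so the outcome the
    client would see can be compared across the different failure paths.
    """
    src_name = src.decode('ascii')
    dest_name = dest.decode('ascii')
    if src_name != 'dom0' and not policy_allows(domains, src_name, dest_name):
        return 'denied-by-policy'
    if remove_dest_before_call:
        # The race in case 2: the domain is gone before qubesd runs.
        domains.pop(dest_name, None)
    try:
        ApiCall(domains, src, dest, arg)
    except PermissionDenied:
        return 'denied-by-qubesd'
    return 'ok'


if __name__ == '__main__':
    print(dispatch(sample_domains(), b'work', b'personal', b''))
    print(dispatch(sample_domains(), b'work', b'nosuch', b''))
    print(dispatch(sample_domains(), b'dom0', b'nosuch', b''))
    print(dispatch(sample_domains(), b'work', b'personal', b'',
                   remove_dest_before_call=True))
```

Both refusal paths end in `PermissionDenied`, so a client that already handles a policy refusal needs no extra branch for the removed-domain race; only the server side changes, from an unhandled `KeyError` to a clean refusal.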

+ 11 - 2
qubes/api/__init__.py

@@ -121,8 +121,17 @@ class AbstractQubesAPI:
         #: source qube
         self.src = self.app.domains[src.decode('ascii')]
 
-        #: destination qube
-        self.dest = self.app.domains[dest.decode('ascii')]
+        try:
+            #: destination qube
+            self.dest = self.app.domains[dest.decode('ascii')]
+        except KeyError:
+            # normally this should filtered out by qrexec policy, but there are
+            # two cases it might not be:
+            # 1. The call comes from dom0, which bypasses qrexec policy
+            # 2. Domain was removed between checking the policy and here
+            # For uniform handling on the client side, treat this as permission
+            # denied error too
+            raise PermissionDenied
 
         #: argument
         self.arg = arg.decode('ascii')
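Review bot: the source lookup at the top of this hunk, `self.src = self.app.domains[src.decode('ascii')]`, is still a bare subscript and will raise the same KeyError this change removes for the destination if the source domain disappears between the policy check and qubesd; wrapping it in the same try/except would make both lookups fail as PermissionDenied. Two smaller points in the new block: the comment "normally this should filtered out" is missing "be", and `raise PermissionDenied` carries no message, so the journal will not record which domain name was missing; if PermissionDenied accepts a message, passing the decoded name would keep the log useful without reintroducing a traceback.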