From eb39f698820f8f4a264f89a3af54b895be797038 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
Date: Mon, 23 Sep 2019 04:09:17 +0200
Subject: [PATCH] api: improve handling destination removed just before the call
There are cases when destination domain doesn't exist when the call gets to qubesd. Namely:
1. The call comes from dom0, which bypasses qrexec policy
2. Domain was removed between checking the policy and here
Handle the the same way as if the domain wouldn't exist at policy evaluation stage either - i.e. refuse the call. On the client side it doesn't change much, but on the server call it avoids ugly, useless tracebacks in system journal.
Fixes QubesOS/qubes-issues#5105
---
 qubes/api/__init__.py | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/qubes/api/__init__.py b/qubes/api/__init__.py
index e83fadb8..1d273d0e 100644
--- a/qubes/api/__init__.py
+++ b/qubes/api/__init__.py
@@ -121,8 +121,17 @@ class AbstractQubesAPI:
         #: source qube
         self.src = self.app.domains[src.decode('ascii')]
 
-        #: destination qube
-        self.dest = self.app.domains[dest.decode('ascii')]
+        try:
+            #: destination qube
+            self.dest = self.app.domains[dest.decode('ascii')]
+        except KeyError:
+            # normally this should filtered out by qrexec policy, but there are
+            # two cases it might not be:
+            # 1. The call comes from dom0, which bypasses qrexec policy
+            # 2. Domain was removed between checking the policy and here
+            # For uniform handling on the client side, treat this as permission
+            # denied error too
+            raise PermissionDenied
 
         #: argument
         self.arg = arg.decode('ascii')
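Review bot: The `raise PermissionDenied` inside the `except KeyError:` branch keeps the caught KeyError attached as `__context__`, so if the server-side handler logs the exception with its traceback, the "useless traceback" the commit wants out of the journal would still appear as a chained "During handling of the above exception" block; `raise PermissionDenied() from None` drops that context, unless the handler is known to log without chaining. The `self.src = self.app.domains[src.decode('ascii')]` lookup two lines above the new `try:` is still an unguarded index, so the removed-between-policy-and-here case described for the destination would, if it can hit the source in flight, still surface as a raw KeyError there rather than the uniform refusal the commit introduces; whether that race is reachable depends on code outside the hunk. The new comment also reads `# normally this should filtered out by qrexec policy` and is missing "be". The enclosing method begins before the hunk.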