api: improve handling destination removed just before the call

There are cases when destination domain doesn't exist when the call gets
to qubesd. Namely:
 1. The call comes from dom0, which bypasses qrexec policy
 2. Domain was removed between checking the policy and here
Handle it the same way as if the domain wouldn't exist at policy
evaluation stage either - i.e. refuse the call.

On the client side it doesn't change much, but on the server call it
avoids ugly, useless tracebacks in system journal.

Fixes QubesOS/qubes-issues#5105
Marek Marczykowski-Górecki 2019-09-23 04:09:17 +02:00
parent 8ecf00bd0e
commit eb39f69882
No known key found for this signature in database
GPG Key ID: 063938BA42CFA724

@ -121,8 +121,17 @@ class AbstractQubesAPI:
#: source qube #: source qube
self.src = self.app.domains[src.decode('ascii')] self.src = self.app.domains[src.decode('ascii')]
#: destination qube try:
self.dest = self.app.domains[dest.decode('ascii')] #: destination qube
self.dest = self.app.domains[dest.decode('ascii')]
except KeyError:
# normally this should filtered out by qrexec policy, but there are
# two cases it might not be:
# 1. The call comes from dom0, which bypasses qrexec policy
# 2. Domain was removed between checking the policy and here
# For uniform handling on the client side, treat this as permission
# denied error too
raise PermissionDenied
#: argument #: argument
self.arg = arg.decode('ascii') self.arg = arg.decode('ascii')
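
Review bot: the new try/except covers only the `self.dest` lookup, while the `self.src = self.app.domains[src.decode('ascii')]` line directly above it stays unguarded, so a source qube that disappears in the same window would still surface as a bare KeyError. If that case is reachable, wrap both lookups and raise PermissionDenied for either. Two smaller points in the except block: the comment "this should filtered out" is missing "be", and `raise PermissionDenied` inside the handler implicitly chains the original KeyError, so it is worth confirming that the caller does not log the chained exception, since avoiding journal tracebacks is the stated goal.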