This way it will work independently from where qrexec-policy tool will
be called (in most cases - from a system service, as root).
This is also very similar architecture to what we'll need when moving to
GUI domain - there GUI part will also be separated from policy
evaluation logic.
QubesOS/qubes-issues#910
- drop qid usage - it isn't really needed, especially for to-be-created
DispVMs
- use "domains_info" dict as input, instead of loading qubes.xml
directly
- nicely format "Disposable VM" entries
- simplify whitelist/blacklist handling - since qrexecpolicy always
provide a list of allowed choices, use just that
Important note: there are two names concepts:
1. Display name - name of VM, or in case of to-be-created DispVMs - a
string "Disposable VM (name-of-base-vm)"
2. API name - as in qrexec policy - $dispvm:name-of-base-vm for new
DispVMs
Externally at API level (allowed targets list, return value), API name
is used, but internally VMListModeler._entries is still indexed with
display names. This is done for more efficient (and readable) GUI
handling - because most of the time it's searched for what user have
entered.
QubesOS/qubes-issues#910
Import unmodified implementation done by @boring-stuff.
Full history for reference is available in rpc-confirmation-window
branch.
QubesOS/qubes-issues#910
This socket (and commands) are not exposed to untrusted input, so no
need to extensive sanitization. Also, there is no need to provide a
stable API here, as those methods are used internally only.
QubesOS/qubes-issues#853
This is rewritten version of core-admin-linux/qrexec/qrexec-policy.
It's placed outside of `qubes` module on purpose - to avoid imporing it,
which require a lot of time.
QubesOS/qubes-issues#865QubesOS/qubes-issues#910
0) All those methods are now awaitable rather than synchronous.
1) The base method is run_service(). The method run() was rewritten
using run_service('qubes.VMShell', input=...). There is no provision
for running plain commands.
2) Get rid of passio*= arguments. If you'd like to get another return
value, use another method. It's as simple as that.
See:
- run_service_for_stdio()
- run_for_stdio()
Also gone are wait= and localcmd= arguments. They are of no use
inside qubesd.
3) The qvm-run tool and tests are left behind for now and will be fixed
later. This is because they also need event loop, which is not
implemented yet.
fixesQubesOS/qubes-issues#1900QubesOS/qubes-issues#2622
- Get rid of @not_in_api, exchange for explicit @api() decorator.
- Old @no_payload decorator becomes an argument (keyword-only).
- Factor out AbstractQubesMgmt class to be a base class for other mgmt
backends.
- Use async def instead of @asyncio.coroutine.
QubesOS/qubes-issues#2622
This also means we don't check if a VM with given name (in case of
VMProperty) exists in the system, at this stage. But this is ok, lets
not duplicate work of property setter.
QubesOS/qubes-issues#2622
If kwargs contains dict as one of values, it isn't hashable and can't be
used as value in frozenset/tuple. Convert such values into
frozenset(dict.items()). Only one (more) level is supported, but it
should be enough.
Solution from http://stackoverflow.com/a/13264725
In theory any call could modify config (through events), but lets keep
writes to qubes.xml low. In any case, qubes.xml will be eventually
written (either at next config-modifying call, or daemon exit).