Marek Marczykowski-Górecki
e7f717ec3d
doc: fix formatting of policy-related documentation
...
Fix Sphinx warnings and errors in both doc/ and docstrings.
2017-07-04 04:27:36 +02:00
Marek Marczykowski-Górecki
e8e30c8bdf
qubespolicy: fix handling allow rule to '$dispvm'
...
When rule does not specify forced target (`target=...`), generic
`$dispvm` wasn't resolved to specific Disposable VM (based on
`default_dispvm` property).
2017-07-04 04:27:36 +02:00
Marek Marczykowski-Górecki
a96a85bdc9
qubespolicy: add a tool to analyze policy in form of graph
...
Output possible connections between VMs in form of dot file.
Fixes QubesOS/qubes-issues#2873
2017-07-04 04:27:36 +02:00
Marek Marczykowski-Górecki
8afb425271
qubespolicy: allow non-default policy directory
...
This will allow evaluating policy extracted from another system.
And also ease tests.
QubesOS/qubes-issues#2873
2017-07-04 04:27:35 +02:00
Marek Marczykowski-Górecki
68f046cd31
Include qubespolicy in coverage report
2017-07-04 04:27:35 +02:00
Marek Marczykowski-Górecki
26ea836f67
qubespolicy: add $adminvm keyword for specifying dom0 aka AdminVM
...
Fixes QubesOS/qubes-issues#2872
2017-07-04 04:27:35 +02:00
Marek Marczykowski-Górecki
a937bb173a
qubespolicy: allow spaces in action arguments
...
It is natural to write a space after a comma.
2017-07-04 04:27:34 +02:00
Marek Marczykowski-Górecki
291a338e73
api: add missing docstring
2017-07-04 04:27:34 +02:00
Marek Marczykowski-Górecki
3d803acfde
Generate policy for Admin API calls based on annotations on actual methods
...
This eases Admin API administration, and also adds checking if qrexec
policy + scripts match the actual Admin API methods implementation.
The idea is to classify every Admin API method as either local
read-only, local read-write, global read-only or global read-write.
Where local/global means affecting a single VM, or the whole system.
See QubesOS/qubes-issues#2871 for details.
Fixes QubesOS/qubes-issues#2871
2017-07-04 04:27:34 +02:00
Marek Marczykowski-Górecki
d0663940a7
qubes/api/admin: annotate API methods
...
Second attempt: this time use full words for scope, read, write,
execute.
QubesOS/qubes-issues#2871
2017-06-27 06:01:58 +02:00
Wojtek Porczyk
3e0d01cfb9
qubes/admin: Add listing of API methods
2017-06-27 06:01:58 +02:00
Marek Marczykowski-Górecki
26013122a0
Merge remote-tracking branch 'woju/devel-adminext' into core3-devel
2017-06-23 10:34:11 +02:00
Wojtek Porczyk
9f57db8749
rpm_spec: fix
2017-06-23 10:26:04 +02:00
Marek Marczykowski-Górecki
4208a98bd7
Merge branch 'core3-devel-20170619'
2017-06-23 02:53:17 +02:00
Marek Marczykowski-Górecki
f976f7ec6c
storage: simplify coroutine handling
...
Suggested by @woju
2017-06-23 02:35:49 +02:00
Marek Marczykowski-Górecki
57e293eb54
Merge branch 'core3-qmemman-fix'
2017-06-22 23:16:35 +02:00
Wojtek Porczyk
8c9ce0587b
ext/admin: add explanation to PermissionDenied
2017-06-22 13:21:37 +02:00
Wojtek Porczyk
2942f8bcac
qubes: admin extension
...
for managing tags
2017-06-21 23:12:54 +02:00
Marek Marczykowski-Górecki
c1f4c219f9
tests: adjust TC_00_QubesDaemonProtocol for reorganized api module
2017-06-21 06:59:58 +02:00
Marek Marczykowski-Górecki
588ff04f0d
qmemman: fix units on meminfo parsing
...
meminfo (written by VM) is expected to report KiB, but qmemman internally
uses bytes. Convert units.
And also move obscure unit conversion in is_meminfo_suspicious to more
logical place in sanitize_and_parse_meminfo.
2017-06-21 06:34:00 +02:00
Marek Marczykowski-Górecki
ea0cbe3a56
tests: improve tests for qrexec exit code handling
...
Check if exit code retrieved from dom0 is really the one expected.
Fix typo in test_065_qrexec_exit_code_vm (testvm1/testvm2), adjust for
reporting remote exit code and remove expectedFailure.
QubesOS/qubes-issues#2861
2017-06-21 05:23:35 +02:00
Marek Marczykowski-Górecki
a73dcf6016
tests: wait for session in tests requiring running GUI
...
Since tests expose qubesd socket, qvm-start-gui should handle starting
GUI daemons (so, GUI session inside VM). Add synchronization with it
using qubes.WaitForSession service.
2017-06-21 04:45:46 +02:00
Marek Marczykowski-Górecki
376ac4b32d
tests: fix vm.run_for_stdio in some more places
...
When a test expects to wait for a remote process, use vm.run_for_stdio.
Additionally, when the call fails, (stdout, stderr) is not assigned - use
the one attached to exception object instead.
2017-06-21 04:33:10 +02:00
Marek Marczykowski-Górecki
a0f616f14e
tests: fix checking exit code
...
Since run_for_stdio raises an exception for non-zero exit code, it isn't
ignored anymore. So, check if qrexec-client-vm returns the expected value,
instead of keep ignoring it.
QubesOS/qubes-issues#2861
2017-06-21 00:17:43 +02:00
Marek Marczykowski-Górecki
72240c13b6
tests: fix vm_qrexec_gui/TC_10_Generic/test_000_anyvm_deny_dom0
...
When the method (as expected) raises an exception, service output would not be
assigned. Extract it from exception object.
2017-06-21 00:17:43 +02:00
Marek Marczykowski-Górecki
a469c565f4
tests: fix QrexecPolicyContext
...
Flush new policy file to the disk, otherwise it will stay only in write
buffer.
2017-06-21 00:17:43 +02:00
Marek Marczykowski-Górecki
3ddc052af3
vm: move kernel presence validation to event handler
...
Setter is called also on qubes.xml load, so missing kernel breaks
qubes.xml parsing - for example qubesd startup to fix that property.
2017-06-21 00:17:43 +02:00
Marek Marczykowski-Górecki
4241b39b94
tests: fix tests cleanup
2017-06-21 00:17:42 +02:00
Marek Marczykowski-Górecki
60443259d0
vm: raise CalledProcessError on failed service/command call
2017-06-21 00:17:42 +02:00
Marek Marczykowski-Górecki
51a17ba749
tests: do not reload qubes.xml
...
In core3 this isn't needed anymore (and unit tests already check if
that's really true).
2017-06-21 00:17:42 +02:00
Marek Marczykowski-Górecki
ea5ca79133
tests: fix removing test VMs
...
Do it before shutting down qubesd socket - some things may require it
for VM removal/shutdown.
2017-06-21 00:17:41 +02:00
Marek Marczykowski-Górecki
eee6ab0c01
tests: use copy of qubes.xml, instead of empty one
2017-06-21 00:17:41 +02:00
Marek Marczykowski-Górecki
984a070f3e
tests: move create_*_file to SystemTestsMixin
2017-06-21 00:17:40 +02:00
Wojtek Porczyk
f56f7d13fb
tests/integ/vm_qrexec_gui: skip test_051_qrexec_simple_eof_reverse
...
QubesOS/qubes-issues#2851
2017-06-21 00:17:39 +02:00
Wojtek Porczyk
139f18fa1d
qubes/tests/integ/vm_qrexec_gui: some fixes
2017-06-21 00:17:39 +02:00
Wojtek Porczyk
0c0b0ea6ef
qubes/tests/integ/vm_qrexec_gui: change time.sleep to asyncio.sleep
2017-06-21 00:17:38 +02:00
Wojtek Porczyk
96a66ac6bd
qubes/api: refactor creating multiple qubesd sockets
...
Now there is a single function to do this, shared with tests.
2017-06-21 00:17:37 +02:00
Wojtek Porczyk
bec58fc861
qubes/tests: start qrexec policy responder for system tests
2017-06-20 13:00:20 +02:00
Wojtek Porczyk
71a4390fdb
qubes/tools/qubesd: properly unlink UNIX sockets at shutdown
2017-06-20 13:00:20 +02:00
Wojtek Porczyk
4b8e5c3704
qubes/tests/run: refuse to run tests if qubesd is running
...
Test suite creates some VMs and needs to pass the knowledge about them
to qrexec policy checker. This is done using Admin API, so we need to
substitute qubesd with our own API server.
2017-06-20 13:00:20 +02:00
Wojtek Porczyk
858e547525
qubes: reorganise API protocols
...
Now instantiating API servers is handled by common function. This is,
among other reasons, for creating ad-hoc sockets for tests.
2017-06-20 13:00:20 +02:00
Marek Marczykowski-Górecki
8196b2d5bf
admin.vm.Create: add comment about 'created-by-' tag
2017-06-20 12:47:01 +02:00
Marek Marczykowski-Górecki
c13cf44e5e
admin.vm.Create: add 'created-by-' tag
2017-06-20 12:47:00 +02:00
Marek Marczykowski-Górecki
5f187bd2bf
Force maxmem=memory for HVM with PCI devices
...
Xen does not support other cases at all ("PCI device assignment for HVM
guest failed due to PoD enabled", PoD means "populate on demand").
2017-06-20 12:47:00 +02:00
Marek Marczykowski-Górecki
083108e995
app: fix registering libvirt event handler
...
register_event_handlers is called early, when libvirt connection may not
be yet established - especially on empty qubes.xml. Do not skip
automatic connection logic.
2017-06-20 12:47:00 +02:00
Marek Marczykowski-Górecki
e4d285d479
vm/adminvm: make AdminVM sortable
...
One more thing gone during changing AdminVM base class.
2017-06-20 12:47:00 +02:00
Marek Marczykowski-Górecki
9242202db2
admin: implement admin.vm.tag.*
...
QubesOS/qubes-issues#2622
2017-06-20 00:54:16 +02:00
Marek Marczykowski-Górecki
4a1a5fc24b
exc: fix QubesNoTemplateError
2017-06-20 00:54:16 +02:00
Marek Marczykowski-Górecki
aadbe223c3
admin: add admin.vm.volume.Clone
...
QubesOS/qubes-issues#2622
2017-06-20 00:54:15 +02:00
Marek Marczykowski-Górecki
f48b1be669
storage: extract single volume clone into clone_volume
...
This will be useful for admin.vm.volume.Clone implementation.
QubesOS/qubes-issues#2256
2017-06-20 00:54:15 +02:00