__init__.py 25 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694
  1. # coding=utf-8
  2. # The Qubes OS Project, https://www.qubes-os.org/
  3. #
  4. # Copyright (C) 2013-2015 Joanna Rutkowska <joanna@invisiblethingslab.com>
  5. # Copyright (C) 2013-2017 Marek Marczykowski-Górecki
  6. # <marmarek@invisiblethingslab.com>
  7. #
  8. # This program is free software; you can redistribute it and/or modify
  9. # it under the terms of the GNU General Public License as published by
  10. # the Free Software Foundation; either version 2 of the License, or
  11. # (at your option) any later version.
  12. #
  13. # This program is distributed in the hope that it will be useful,
  14. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  15. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  16. # GNU General Public License for more details.
  17. #
  18. # You should have received a copy of the GNU General Public License along
  19. # with this program; if not, write to the Free Software Foundation, Inc.,
  20. # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  21. ''' Qrexec policy parser and evaluator '''
  22. import enum
  23. import itertools
  24. import json
  25. import os
  26. import os.path
  27. import socket
  28. import subprocess
  29. # don't import 'qubes.config' please, it takes 0.3s
  30. QREXEC_CLIENT = '/usr/lib/qubes/qrexec-client'
  31. QUBES_RPC_MULTIPLEXER_PATH = '/usr/lib/qubes/qubes-rpc-multiplexer'
  32. POLICY_DIR = '/etc/qubes-rpc/policy'
  33. QUBESD_INTERNAL_SOCK = '/var/run/qubesd.internal.sock'
  34. QUBESD_SOCK = '/var/run/qubesd.sock'
  35. class AccessDenied(Exception):
  36. ''' Raised when qrexec policy denied access '''
  37. pass
  38. class PolicySyntaxError(AccessDenied):
  39. ''' Syntax error in qrexec policy, abort parsing '''
  40. def __init__(self, filename, lineno, msg):
  41. super(PolicySyntaxError, self).__init__(
  42. '{}:{}: {}'.format(filename, lineno, msg))
  43. class PolicyNotFound(AccessDenied):
  44. ''' Policy was not found for this service '''
  45. def __init__(self, service_name):
  46. super(PolicyNotFound, self).__init__(
  47. 'Policy not found for service {}'.format(service_name))
  48. class Action(enum.Enum):
  49. ''' Action as defined by policy '''
  50. allow = 1
  51. deny = 2
  52. ask = 3
  53. def verify_target_value(system_info, value):
  54. ''' Check if given value names valid target
  55. This function check if given value is not only syntactically correct,
  56. but also if names valid service call target (existing domain,
  57. or valid $dispvm like keyword)
  58. :param system_info: information about the system
  59. :param value: value to be checked
  60. '''
  61. if value == '$dispvm':
  62. return True
  63. elif value == '$adminvm':
  64. return True
  65. elif value.startswith('$dispvm:'):
  66. dispvm_base = value.split(':', 1)[1]
  67. if dispvm_base not in system_info['domains']:
  68. return False
  69. dispvm_base_info = system_info['domains'][dispvm_base]
  70. return bool(dispvm_base_info['dispvm_allowed'])
  71. else:
  72. return value in system_info['domains']
  73. def verify_special_value(value, for_target=True):
  74. '''
  75. Verify if given special VM-specifier ('$...') is valid
  76. :param value: value to verify
  77. :param for_target: should classify target-only values as valid (
  78. '$default', '$dispvm')
  79. :return: True or False
  80. '''
  81. # pylint: disable=too-many-return-statements
  82. if value.startswith('$tag:') and len(value) > len('$tag:'):
  83. return True
  84. elif value.startswith('$type:') and len(value) > len('$type:'):
  85. return True
  86. elif value == '$anyvm':
  87. return True
  88. elif value == '$adminvm':
  89. return True
  90. elif value.startswith('$dispvm:') and for_target:
  91. return True
  92. elif value == '$dispvm' and for_target:
  93. return True
  94. elif value == '$default' and for_target:
  95. return True
  96. return False
  97. class PolicyRule(object):
  98. ''' A single line of policy file '''
  99. def __init__(self, line, filename=None, lineno=None):
  100. '''
  101. Load a single line of qrexec policy and check its syntax.
  102. Do not verify existence of named objects.
  103. :raise PolicySyntaxError: when syntax error is found
  104. :param line: a single line of actual qrexec policy (not a comment,
  105. empty line or $include)
  106. :param filename: name of the file from which this line is loaded
  107. :param lineno: line number from which this line is loaded
  108. '''
  109. self.lineno = lineno
  110. self.filename = filename
  111. try:
  112. self.source, self.target, self.full_action = line.split(maxsplit=2)
  113. except ValueError:
  114. raise PolicySyntaxError(filename, lineno, 'wrong number of fields')
  115. (action, *params) = self.full_action.replace(',', ' ').split()
  116. try:
  117. self.action = Action[action]
  118. except KeyError:
  119. raise PolicySyntaxError(filename, lineno,
  120. 'invalid action: {}'.format(action))
  121. #: alternative target, used instead of the one specified by the caller
  122. self.override_target = None
  123. #: alternative user, used instead of vm.default_user
  124. self.override_user = None
  125. #: default target when asking the user for confirmation
  126. self.default_target = None
  127. for param in params:
  128. try:
  129. param_name, value = param.split('=')
  130. except ValueError:
  131. raise PolicySyntaxError(filename, lineno,
  132. 'invalid action parameter syntax: {}'.format(param))
  133. if param_name == 'target':
  134. if self.action == Action.deny:
  135. raise PolicySyntaxError(filename, lineno,
  136. 'target= option not allowed for deny action')
  137. self.override_target = value
  138. elif param_name == 'user':
  139. if self.action == Action.deny:
  140. raise PolicySyntaxError(filename, lineno,
  141. 'user= option not allowed for deny action')
  142. self.override_user = value
  143. elif param_name == 'default_target':
  144. if self.action != Action.ask:
  145. raise PolicySyntaxError(filename, lineno,
  146. 'default_target= option allowed only for ask action')
  147. self.default_target = value
  148. else:
  149. raise PolicySyntaxError(filename, lineno,
  150. 'invalid option {} for {} action'.format(param, action))
  151. # verify special values
  152. if self.source.startswith('$'):
  153. if not verify_special_value(self.source, False):
  154. raise PolicySyntaxError(filename, lineno,
  155. 'invalid source specification: {}'.format(self.source))
  156. if self.target.startswith('$'):
  157. if not verify_special_value(self.target, True):
  158. raise PolicySyntaxError(filename, lineno,
  159. 'invalid target specification: {}'.format(self.target))
  160. if self.target == '$default' \
  161. and self.action == Action.allow \
  162. and self.override_target is None:
  163. raise PolicySyntaxError(filename, lineno,
  164. 'allow action for $default rule must specify target= option')
  165. if self.override_target is not None:
  166. if self.override_target.startswith('$') and \
  167. not self.override_target.startswith('$dispvm') and \
  168. self.override_target != '$adminvm':
  169. raise PolicySyntaxError(filename, lineno,
  170. 'target= option needs to name specific target')
  171. @staticmethod
  172. def is_match_single(system_info, policy_value, value):
  173. '''
  174. Evaluate if a single value (VM name or '$default') matches policy
  175. specification
  176. :param system_info: information about the system
  177. :param policy_value: value from qrexec policy (either self.source or
  178. self.target)
  179. :param value: value to be compared (source or target)
  180. :return: True or False
  181. '''
  182. # pylint: disable=too-many-return-statements
  183. # not specified target matches only with $default and $anyvm policy
  184. # entry
  185. if value == '$default' or value == '':
  186. return policy_value in ('$default', '$anyvm')
  187. # if specific target used, check if it's valid
  188. # this function (is_match_single) is also used for checking call source
  189. # values, but this isn't a problem, because it will always be a
  190. # domain name (not $dispvm or such) - this is guaranteed by a nature
  191. # of qrexec call
  192. if not verify_target_value(system_info, value):
  193. return False
  194. # handle $adminvm keyword
  195. if policy_value == 'dom0':
  196. # TODO: log a warning in Qubes 4.1
  197. policy_value = '$adminvm'
  198. if value == 'dom0':
  199. value = '$adminvm'
  200. # allow any _valid_, non-dom0 target
  201. if policy_value == '$anyvm':
  202. return value != '$adminvm'
  203. # exact match, including $dispvm* and $adminvm
  204. if value == policy_value:
  205. return True
  206. # if $dispvm* not matched above, reject it; missing ':' is
  207. # intentional - handle both '$dispvm' and '$dispvm:xxx'
  208. if value.startswith('$dispvm'):
  209. return False
  210. # require $adminvm to be matched explicitly (not through $tag or $type)
  211. # - if not matched already, reject it
  212. if value == '$adminvm':
  213. return False
  214. # at this point, value name a specific target
  215. domain_info = system_info['domains'][value]
  216. if policy_value.startswith('$tag:'):
  217. tag = policy_value.split(':', 1)[1]
  218. return tag in domain_info['tags']
  219. if policy_value.startswith('$type:'):
  220. type_ = policy_value.split(':', 1)[1]
  221. return type_ == domain_info['type']
  222. return False
  223. def is_match(self, system_info, source, target):
  224. '''
  225. Check if given (source, target) matches this policy line.
  226. :param system_info: information about the system - available VMs,
  227. their types, labels, tags etc. as returned by
  228. :py:func:`app_to_system_info`
  229. :param source: name of the source VM
  230. :param target: name of the target VM, or None if not specified
  231. :return: True or False
  232. '''
  233. if not self.is_match_single(system_info, self.source, source):
  234. return False
  235. if not self.is_match_single(system_info, self.target, target):
  236. return False
  237. return True
  238. def expand_target(self, system_info):
  239. '''
  240. Return domains matching target of this policy line
  241. :param system_info: information about the system
  242. :return: matching domains
  243. '''
  244. if self.target.startswith('$tag:'):
  245. tag = self.target.split(':', 1)[1]
  246. for name, domain in system_info['domains'].items():
  247. if tag in domain['tags']:
  248. yield name
  249. elif self.target.startswith('$type:'):
  250. type_ = self.target.split(':', 1)[1]
  251. for name, domain in system_info['domains'].items():
  252. if type_ == domain['type']:
  253. yield name
  254. elif self.target == '$anyvm':
  255. for name, domain in system_info['domains'].items():
  256. if name != 'dom0':
  257. yield name
  258. if domain['dispvm_allowed']:
  259. yield '$dispvm:' + name
  260. yield '$dispvm'
  261. elif self.target.startswith('$dispvm:'):
  262. dispvm_base = self.target.split(':', 1)[1]
  263. try:
  264. if system_info['domains'][dispvm_base]['dispvm_allowed']:
  265. yield self.target
  266. except KeyError:
  267. # TODO log a warning?
  268. pass
  269. elif self.target == '$adminvm':
  270. yield self.target
  271. elif self.target == '$dispvm':
  272. yield self.target
  273. else:
  274. if self.target in system_info['domains']:
  275. yield self.target
  276. def expand_override_target(self, system_info, source):
  277. '''
  278. Replace '$dispvm' with specific '$dispvm:...' value, based on qrexec
  279. call source.
  280. :param system_info: System information
  281. :param source: Source domain name
  282. :return: :py:attr:`override_target` with '$dispvm' substituted
  283. '''
  284. if self.override_target == '$dispvm':
  285. if system_info['domains'][source]['default_dispvm'] is None:
  286. return None
  287. return '$dispvm:' + system_info['domains'][source]['default_dispvm']
  288. else:
  289. return self.override_target
  290. class PolicyAction(object):
  291. ''' Object representing positive policy evaluation result -
  292. either ask or allow action '''
  293. def __init__(self, service, source, target, rule, original_target,
  294. targets_for_ask=None):
  295. #: service name
  296. self.service = service
  297. #: calling domain
  298. self.source = source
  299. #: target domain the service should be connected to, None if
  300. # not chosen yet
  301. if targets_for_ask is None or target in targets_for_ask:
  302. self.target = target
  303. else:
  304. # TODO: log a warning?
  305. self.target = None
  306. #: original target specified by the caller
  307. self.original_target = original_target
  308. #: targets for the user to choose from
  309. self.targets_for_ask = targets_for_ask
  310. #: policy rule from which this action is derived
  311. self.rule = rule
  312. if rule.action == Action.deny:
  313. # this should be really rejected by Policy.eval()
  314. raise AccessDenied(
  315. 'denied by policy {}:{}'.format(rule.filename, rule.lineno))
  316. elif rule.action == Action.ask:
  317. assert targets_for_ask is not None
  318. elif rule.action == Action.allow:
  319. assert targets_for_ask is None
  320. assert target is not None
  321. self.action = rule.action
  322. def handle_user_response(self, response, target=None):
  323. '''
  324. Handle user response for the 'ask' action
  325. :param response: whether the call was allowed or denied (bool)
  326. :param target: target chosen by the user (if reponse==True)
  327. :return: None
  328. '''
  329. assert self.action == Action.ask
  330. if response:
  331. assert target in self.targets_for_ask
  332. self.target = target
  333. self.action = Action.allow
  334. else:
  335. self.action = Action.deny
  336. raise AccessDenied(
  337. 'denied by the user {}:{}'.format(self.rule.filename,
  338. self.rule.lineno))
  339. def execute(self, caller_ident):
  340. ''' Execute allowed service call
  341. :param caller_ident: Service caller ident
  342. (`process_ident,source_name, source_id`)
  343. '''
  344. assert self.action == Action.allow
  345. assert self.target is not None
  346. if self.target == '$adminvm':
  347. self.target = 'dom0'
  348. if self.target == 'dom0':
  349. cmd = '{multiplexer} {service} {source} {original_target}'.format(
  350. multiplexer=QUBES_RPC_MULTIPLEXER_PATH,
  351. service=self.service,
  352. source=self.source,
  353. original_target=self.original_target)
  354. else:
  355. cmd = '{user}:QUBESRPC {service} {source}'.format(
  356. user=(self.rule.override_user or 'DEFAULT'),
  357. service=self.service,
  358. source=self.source)
  359. if self.target.startswith('$dispvm:'):
  360. target = self.spawn_dispvm()
  361. dispvm = True
  362. else:
  363. target = self.target
  364. dispvm = False
  365. self.ensure_target_running()
  366. qrexec_opts = ['-d', target, '-c', caller_ident]
  367. if dispvm:
  368. qrexec_opts.append('-W')
  369. try:
  370. subprocess.call([QREXEC_CLIENT] + qrexec_opts + [cmd])
  371. finally:
  372. if dispvm:
  373. self.cleanup_dispvm(target)
  374. def spawn_dispvm(self):
  375. '''
  376. Create and start Disposable VM based on AppVM specified in
  377. :py:attr:`target`
  378. :return: name of new Disposable VM
  379. '''
  380. base_appvm = self.target.split(':', 1)[1]
  381. dispvm_name = qubesd_call(base_appvm, 'admin.vm.CreateDisposable')
  382. dispvm_name = dispvm_name.decode('ascii')
  383. qubesd_call(dispvm_name, 'admin.vm.Start')
  384. return dispvm_name
  385. def ensure_target_running(self):
  386. '''
  387. Start domain if not running already
  388. :return: None
  389. '''
  390. if self.target == 'dom0':
  391. return
  392. try:
  393. qubesd_call(self.target, 'admin.vm.Start')
  394. except QubesMgmtException as e:
  395. if e.exc_type == 'QubesVMNotHaltedError':
  396. pass
  397. else:
  398. raise
  399. @staticmethod
  400. def cleanup_dispvm(dispvm):
  401. '''
  402. Kill and remove Disposable VM
  403. :param dispvm: name of Disposable VM
  404. :return: None
  405. '''
  406. qubesd_call(dispvm, 'admin.vm.Kill')
  407. class Policy(object):
  408. ''' Full policy for a given service
  409. Usage:
  410. >>> system_info = get_system_info()
  411. >>> policy = Policy('some-service')
  412. >>> action = policy.evaluate(system_info, 'source-name', 'target-name')
  413. >>> if action.action == Action.ask:
  414. >>> # ... ask the user, see action.targets_for_ask ...
  415. >>> action.handle_user_response(response, target_chosen_by_user)
  416. >>> action.execute('process-ident')
  417. '''
  418. def __init__(self, service, policy_dir=POLICY_DIR):
  419. policy_file = os.path.join(policy_dir, service)
  420. if not os.path.exists(policy_file):
  421. # fallback to policy without specific argument set (if any)
  422. policy_file = os.path.join(policy_dir, service.split('+')[0])
  423. if not os.path.exists(policy_file):
  424. raise PolicyNotFound(service)
  425. #: policy storage directory
  426. self.policy_dir = policy_dir
  427. #: service name
  428. self.service = service
  429. #: list of PolicyLine objects
  430. self.policy_rules = []
  431. try:
  432. self.load_policy_file(policy_file)
  433. except OSError as e:
  434. raise AccessDenied(
  435. 'failed to load {} file: {!s}'.format(e.filename, e))
  436. def load_policy_file(self, path):
  437. ''' Load policy file and append rules to :py:attr:`policy_rules`
  438. :param path: file to load
  439. '''
  440. with open(path) as policy_file:
  441. for lineno, line in zip(itertools.count(start=1),
  442. policy_file.readlines()):
  443. line = line.strip()
  444. if not line:
  445. # skip empty lines
  446. continue
  447. if line[0] == '#':
  448. # skip comments
  449. continue
  450. if line.startswith('$include:'):
  451. include_path = line.split(':', 1)[1]
  452. # os.path.join will leave include_path unchanged if it's
  453. # already absolute
  454. include_path = os.path.join(self.policy_dir, include_path)
  455. self.load_policy_file(include_path)
  456. else:
  457. self.policy_rules.append(PolicyRule(line, path, lineno))
  458. def find_matching_rule(self, system_info, source, target):
  459. ''' Find the first rule matching given arguments '''
  460. for rule in self.policy_rules:
  461. if rule.is_match(system_info, source, target):
  462. return rule
  463. raise AccessDenied('no matching rule found')
  464. def collect_targets_for_ask(self, system_info, source):
  465. ''' Collect targets the user can choose from in 'ask' action
  466. Word 'targets' is used intentionally instead of 'domains', because it
  467. can also contains $dispvm like keywords.
  468. '''
  469. targets = set()
  470. # iterate over rules in reversed order to easier handle 'deny'
  471. # actions - simply remove matching domains from allowed set
  472. for rule in reversed(self.policy_rules):
  473. if rule.is_match_single(system_info, rule.source, source):
  474. if rule.action == Action.deny:
  475. targets -= set(rule.expand_target(system_info))
  476. else:
  477. if rule.override_target is not None:
  478. override_target = rule.expand_override_target(
  479. system_info, source)
  480. if verify_target_value(system_info, override_target):
  481. targets.add(rule.override_target)
  482. else:
  483. targets.update(rule.expand_target(system_info))
  484. # expand default DispVM
  485. if '$dispvm' in targets:
  486. targets.remove('$dispvm')
  487. if system_info['domains'][source]['default_dispvm'] is not None:
  488. dispvm = '$dispvm:' + \
  489. system_info['domains'][source]['default_dispvm']
  490. if verify_target_value(system_info, dispvm):
  491. targets.add(dispvm)
  492. return targets
  493. def evaluate(self, system_info, source, target):
  494. ''' Evaluate policy
  495. :raise AccessDenied: when action should be denied unconditionally
  496. :return tuple(rule, considered_targets) - where considered targets is a
  497. list of possible targets for 'ask' action (rule.action == Action.ask)
  498. '''
  499. rule = self.find_matching_rule(system_info, source, target)
  500. if rule.action == Action.deny:
  501. raise AccessDenied(
  502. 'denied by policy {}:{}'.format(rule.filename, rule.lineno))
  503. if rule.override_target is not None:
  504. override_target = rule.expand_override_target(system_info, source)
  505. if not verify_target_value(system_info, override_target):
  506. raise AccessDenied('invalid target= value in {}:{}'.format(
  507. rule.filename, rule.lineno))
  508. actual_target = override_target
  509. else:
  510. actual_target = target
  511. if rule.action == Action.ask:
  512. if rule.override_target is not None:
  513. targets = [actual_target]
  514. else:
  515. targets = list(
  516. self.collect_targets_for_ask(system_info, source))
  517. if not targets:
  518. raise AccessDenied(
  519. 'policy define \'ask\' action at {}:{} but no target is '
  520. 'available to choose from'.format(
  521. rule.filename, rule.lineno))
  522. return PolicyAction(self.service, source, rule.default_target,
  523. rule, target, targets)
  524. elif rule.action == Action.allow:
  525. if actual_target == '$default':
  526. raise AccessDenied(
  527. 'policy define \'allow\' action at {}:{} but no target is '
  528. 'specified by caller or policy'.format(
  529. rule.filename, rule.lineno))
  530. if actual_target == '$dispvm':
  531. if system_info['domains'][source]['default_dispvm'] is None:
  532. raise AccessDenied(
  533. 'policy define \'allow\' action to $dispvm at {}:{} '
  534. 'but no DispVM base is set for this VM'.format(
  535. rule.filename, rule.lineno))
  536. actual_target = '$dispvm:' + \
  537. system_info['domains'][source]['default_dispvm']
  538. return PolicyAction(self.service, source,
  539. actual_target, rule, target)
  540. else:
  541. # should be unreachable
  542. raise AccessDenied(
  543. 'invalid action?! {}:{}'.format(rule.filename, rule.lineno))
  544. class QubesMgmtException(Exception):
  545. ''' Exception returned by qubesd '''
  546. def __init__(self, exc_type):
  547. super(QubesMgmtException, self).__init__()
  548. self.exc_type = exc_type
  549. def qubesd_call(dest, method, arg=None, payload=None):
  550. if method.startswith('internal.'):
  551. socket_path = QUBESD_INTERNAL_SOCK
  552. else:
  553. socket_path = QUBESD_SOCK
  554. try:
  555. client_socket = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
  556. client_socket.connect(socket_path)
  557. except IOError:
  558. # TODO:
  559. raise
  560. # src, method, dest, arg
  561. for call_arg in ('dom0', method, dest, arg):
  562. if call_arg is not None:
  563. client_socket.sendall(call_arg.encode('ascii'))
  564. client_socket.sendall(b'\0')
  565. if payload is not None:
  566. client_socket.sendall(payload)
  567. client_socket.shutdown(socket.SHUT_WR)
  568. return_data = client_socket.makefile('rb').read()
  569. if return_data.startswith(b'0\x00'):
  570. return return_data[2:]
  571. elif return_data.startswith(b'2\x00'):
  572. (_, exc_type, _traceback, _format_string, _args) = \
  573. return_data.split(b'\x00', 4)
  574. raise QubesMgmtException(exc_type.decode('ascii'))
  575. else:
  576. raise AssertionError(
  577. 'invalid qubesd response: {!r}'.format(return_data))
  578. def get_system_info():
  579. ''' Get system information
  580. This retrieve information necessary to process qrexec policy. Returned
  581. data is nested dict structure with this structure:
  582. - domains:
  583. - `<domain name>`:
  584. - tags: list of tags
  585. - type: domain type
  586. - dispvm_allowed: should DispVM based on this VM be allowed
  587. - default_dispvm: name of default AppVM for DispVMs started from here
  588. '''
  589. system_info = qubesd_call('dom0', 'internal.GetSystemInfo')
  590. return json.loads(system_info.decode('utf-8'))