From 031ad02ff6b21cf89f0d3cbef3b402c03619fe79 Mon Sep 17 00:00:00 2001
From: Peter Gerber <peter@arbitrary.ch>
Date: Fri, 11 May 2018 00:30:20 +0000
Subject: [PATCH] Settings window: do not crash when there is no firewall rule

When all firewall rules are removed, qubes-vm-settings crashed
trying to check if the last rule accepts or drops all packages.
It is now verifies that there is a last rule.

Also, it is now properly verified that the last rule accept
or drops all packages.

Associated stack trace:

----
line: last_rule = reversed_rules.pop(0)
func: get_firewall_conf
line no.: 227
file: /usr/lib/python3.5/site-packages/qubesmanager/firewall.py
----
line: conf = self.get_firewall_conf(vm)
func: set_vm
line no.: 308
file: /usr/lib/python3.5/site-packages/qubesmanager/firewall.py
----
line: model.set_vm(vm)
func: __init__
line no.: 111
file: /usr/lib/python3.5/site-packages/qubesmanager/settings.py
----
line: settings_window = VMSettingsWindow(vm, qapp, args.tab)
func: main
line no.: 1133
file: /usr/lib/python3.5/site-packages/qubesmanager/settings.py
----
line: load_entry_point('qubesmanager==4.0.17', 'console_scripts', 'qubes-vm-settings')()
func: <module>
line no.: 9
file: /usr/bin/qubes-vm-settings
---
 qubesmanager/firewall.py | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/qubesmanager/firewall.py b/qubesmanager/firewall.py
index 14b69dc..1b6042d 100644
--- a/qubesmanager/firewall.py
+++ b/qubesmanager/firewall.py
@@ -223,23 +223,24 @@ class QubesFirewallRulesModel(QtCore.QAbstractItemModel):
         allow_icmp = False
         common_action = None
 
-        reversed_rules = list(reversed(vm.firewall.rules))
-        last_rule = reversed_rules.pop(0)
+        reversed_rules = reversed(vm.firewall.rules)
+        last_rule = next(reversed_rules, None)
+
+        if last_rule is None:
+            raise FirewallModifiedOutsideError('At least one rule must exist.')
 
         if last_rule == qubesadmin.firewall.Rule('action=accept') \
                 or last_rule == qubesadmin.firewall.Rule('action=drop'):
             common_action = last_rule.action
         else:
-            FirewallModifiedOutsideError('Last rule must be either '
-                                         'drop all or accept all.')
+            raise FirewallModifiedOutsideError('Last rule must be either '
+                                               'drop all or accept all.')
 
         dns_rule = qubesadmin.firewall.Rule(None,
                                         action='accept', specialtarget='dns')
         icmp_rule = qubesadmin.firewall.Rule(None,
                                         action='accept', proto='icmp')
-        while reversed_rules:
-            rule = reversed_rules.pop(0)
-
+        for rule in reversed_rules:
             if rule == dns_rule:
                 allow_dns = True
                 continue