From 1dff6361b7ca1c7b26d52cd00ca0cedceef2ac00 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
Date: Fri, 28 Oct 2016 13:28:04 +0200
Subject: [PATCH] qrexec: fix "yes to all" for qrexec calls with custom argument

If argument-specific policy file do not exists, create one based on generic one.
Fixes QubesOS/qubes-issues#2403
Reported by @Rudd-O
---
 qrexec/qrexec-policy | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/qrexec/qrexec-policy b/qrexec/qrexec-policy
index 0d236ae..cfb1df9 100755
--- a/qrexec/qrexec-policy
+++ b/qrexec/qrexec-policy
@@ -9,6 +9,7 @@ import qubes.guihelpers
 import libvirt
 from optparse import OptionParser
 import fcntl
+import shutil
 POLICY_FILE_DIR="/etc/qubes-rpc/policy"
 # XXX: Backward compatibility, to be removed soon
@@ -136,7 +137,12 @@ def confirm_execution(domain, target, service_name):
 def add_always_allow(domain, target, service_name, options):
 policy_file=POLICY_FILE_DIR+"/"+service_name
 if not os.path.isfile(policy_file):
- return None
+ # if we add "always allow" for specifc argument value, base the new
+ # file on the generic one
+ policy_file_source = os.path.join(POLICY_FILE_DIR, service_name.split("+")[0])
+ if not os.path.isfile(policy_file_source):
+ return None
+ shutil.copy2(policy_file_source, policy_file)
 f = open(policy_file, 'r+')
 fcntl.flock(f, fcntl.LOCK_EX)
 lines = []
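Review bot: The new fallback in add_always_allow creates a file at `POLICY_FILE_DIR+"/"+service_name`, where before this commit a missing file only led to `return None`, so service_name now decides where a policy file is written; nothing in the hunk checks it for `/` or a leading dot, and whether the caller already restricts it is not visible here. A guard ahead of the copy, such as `if "/" in service_name or service_name.startswith("."): return None`, would keep the write inside the policy directory. Separately, `shutil.copy2(policy_file_source, policy_file)` runs before `fcntl.flock(f, fcntl.LOCK_EX)`, so two concurrent confirmations can both pass the isfile check and the second copy can overwrite a rule the first has already added; holding a lock (for example on the generic file) around the check and the copy would close that window. The body of add_always_allow continues past the end of the hunk.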