From bc0d64b92670a28bef90dd97c58eb00813a6d982 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
 <marmarek@invisiblethingslab.com>
Date: Fri, 18 Nov 2016 02:51:25 +0100
Subject: [PATCH] qrexec: really do not match 'dom0' at '$anyvm', as documented

Design documentation says:
'note string dom0 does not match the $anyvm pattern; all other names do'

This behaviour was broken, because 'is not' in python isn't the same as
string comparison. In theory this could result in some service
erroneously allowed to execute in dom0, but in practice such services are
not installed in dom0 at all, so the only impact was misleading error
message.

Fixes QubesOS/qubes-issues#2031
Reported by @Jeeppler

(cherry picked from commit 981a11cee14a10ad90a3f0c8803f956d102f9076)
---
 qrexec/qrexec-policy | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/qrexec/qrexec-policy b/qrexec/qrexec-policy
index ff38caa..a895c0b 100755
--- a/qrexec/qrexec-policy
+++ b/qrexec/qrexec-policy
@@ -67,7 +67,7 @@ def read_policy_file(service_name):
     return policy_list
 
 def is_match(item, config_term):
-    return (item is not "dom0" and config_term == "$anyvm") or item == config_term
+    return (item != "dom0" and config_term == "$anyvm") or item == config_term
 
 def get_default_policy():
     dict={}