qrexec-policy: new DispVM handling - $dispvm:DISP_VM keyword
Add support for `$dispvm:DISP_VM` syntax in target specification. At the same time update the code for core3 API for handling DispVMs. QubesOS/qubes-issues#2253
This commit is contained in:
parent
009e2e6adb
commit
cce22c9517
@ -143,25 +143,33 @@ def spawn_target_if_necessary(vm):
|
|||||||
vm.start()
|
vm.start()
|
||||||
|
|
||||||
def do_execute(domain, target, user, service_name, process_ident, vm=None):
|
def do_execute(domain, target, user, service_name, process_ident, vm=None):
|
||||||
|
dispvm = False
|
||||||
if target == "$dispvm":
|
if target == "$dispvm":
|
||||||
cmd = "/usr/lib/qubes/qfile-daemon-dvm " + service_name + " " + \
|
if domain.default_dispvm is None:
|
||||||
domain + " " + user
|
print >>sys.stderr, "No default DispVM set, aborting!"
|
||||||
os.execl(QREXEC_CLIENT, "qrexec-client",
|
exit(1)
|
||||||
"-d", "dom0", "-c", process_ident, cmd)
|
target = "$dispvm:" + domain.default_dispvm.name
|
||||||
else:
|
if target.startswith("$dispvm:"):
|
||||||
if isinstance(vm, qubes.vm.qubesvm.QubesVM):
|
dispvm_tpl_name = target[len("$dispvm:"):]
|
||||||
|
vm = qubes.vm.dispvm.DispVM.from_appvm(dispvm_tpl_name)
|
||||||
|
dispvm = True
|
||||||
|
# at this point we should also have some VM *object*
|
||||||
|
assert vm is not None
|
||||||
|
try:
|
||||||
spawn_target_if_necessary(vm)
|
spawn_target_if_necessary(vm)
|
||||||
if target == "dom0":
|
if target == "dom0":
|
||||||
cmd = QUBES_RPC_MULTIPLEXER_PATH + " " + service_name + " " + \
|
cmd = QUBES_RPC_MULTIPLEXER_PATH + " " + service_name + " " + \
|
||||||
domain.name
|
domain.name
|
||||||
else:
|
else:
|
||||||
cmd = user + ":QUBESRPC " + service_name + " " + domain.name
|
cmd = user + ":QUBESRPC " + service_name + " " + domain.name
|
||||||
# stderr should be logged in source/target VM
|
qrexec_opts = ["-d", vm.name, "-c", process_ident]
|
||||||
null = open(os.devnull, 'w')
|
if dispvm:
|
||||||
os.dup2(null.fileno(), 2)
|
# wait for qrexec connection end
|
||||||
os.execl(QREXEC_CLIENT, "qrexec-client",
|
qrexec_opts.append("-W")
|
||||||
"-d", target, "-c", process_ident, cmd)
|
subprocess.call([QREXEC_CLIENT] + qrexec_opts + [cmd])
|
||||||
|
finally:
|
||||||
|
if dispvm:
|
||||||
|
vm.cleanup()
|
||||||
|
|
||||||
def confirm_execution(domain, target, service_name):
|
def confirm_execution(domain, target, service_name):
|
||||||
text = "Do you allow domain \"" + domain + "\" to execute " + service_name
|
text = "Do you allow domain \"" + domain + "\" to execute " + service_name
|
||||||
|
Loading…
Reference in New Issue
Block a user