device interface denied list: allow hexdigits

qubes/device_protocol.py

@@ -38,7 +38,7 @@
 from typing import TYPE_CHECKING
 
 import qubes.utils
-from qubes.exc import ProtocolError
+from qubes.exc import ProtocolError, QubesValueError
 
 if TYPE_CHECKING:
     from qubes.vm.qubesvm import QubesVM
@@ -693,7 +693,12 @@ def __init__(self, interface_encoding: str, devclass: Optional[str] = None):
                     f"for given {devclass=}",
                     file=sys.stderr,
                 )
-            ifc_full = devclass[0] + ifc_padded
+            if not all(c in string.hexdigits + "*" for c in ifc_padded):
+                raise ProtocolError("Invalid characters in interface encoding")
+            devclass_code = devclass[0].lower()
+            if devclass_code not in string.ascii_lowercase:
+                raise ProtocolError("Invalid characters in devclass encoding")
+            ifc_full = devclass_code + ifc_padded
         else:
             known_devclasses = {
                 "p": "pci",
@@ -735,7 +740,12 @@ def unknown(cls) -> "DeviceInterface":
 
     @staticmethod
     def from_str_bulk(interfaces: Optional[str]) -> List["DeviceInterface"]:
-        interfaces = interfaces or []
+        interfaces = interfaces or ""
+        if len(interfaces) % 7 != 0:
+            raise QubesValueError(
+                f"Invalid length of {interfaces=} "
+                f"(is {len(interfaces)}, expected multiple of 7)",
+            )
         return [
             DeviceInterface(interfaces[i: i + 7])
             for i in range(0, len(interfaces), 7)

qubes/tests/api_admin.py

@@ -3919,26 +3919,26 @@ def test_660_vm_device_denied_list_empty(self):
         self.assertFalse(self.app.save.called)
 
     def test_661_vm_device_denied_list(self):
-        self.vm.devices_denied = "b******p012345p53**2*"
+        self.vm.devices_denied = "b******p012345pff**2*"
         actual = self.call_mgmt_func(b"admin.vm.device.denied.List",
                                      b"test-vm1")
-        self.assertEqual(actual, "b******\np012345\np53**2*")
+        self.assertEqual(actual, "b******\np012345\npff**2*")
         self.assertFalse(self.app.save.called)
 
     def test_662_vm_device_denied_add(self):
         self.vm.devices_denied = "b******p012345p53**2*"
         self.call_mgmt_func(b"admin.vm.device.denied.Add", b"test-vm1",
-                            b"", b"u112233")
+                            b"", b"uabcdef")
         self.assertEqual(self.vm.devices_denied,
-                         "b******p012345p53**2*u112233")
+                         "b******p012345p53**2*uabcdef")
         self.assertTrue(self.app.save.called)
 
     def test_663_vm_device_denied_add_multiple(self):
         self.vm.devices_denied = "b******p012345p53**2*"
         self.call_mgmt_func(b"admin.vm.device.denied.Add", b"test-vm1",
-                            b"", b"u112233m******")
+                            b"", b"uabcdefm******")
         self.assertEqual(self.vm.devices_denied,
-                         "b******p012345p53**2*u112233m******")
+                         "b******p012345p53**2*uabcdefm******")
         self.assertTrue(self.app.save.called)
 
     def test_664_vm_device_denied_add_repeated(self):

qubes/vm/qubesvm.py

@@ -145,13 +145,13 @@ def _setter_denied_list(self, prop, value):
             self, prop, value,
             "Interface code list contains duplicates.")
     # block, usb, mic, pci, *
-    pattern = r"^([bump\*][0123456789\*]{6})*$"
+    pattern = r"^([bump\*][0123456789abcdef\*]{6})*$"
     if not re.fullmatch(pattern, value):
         raise qubes.exc.QubesPropertyValueError(
             self, prop, value,
-            "Interface code list should be in the form cddddddcdddddd...,"
+            "Interface code list should be in the form chhhhhhchhhhhh...,"
             'where c is one of "b", "u", "m", "p", "*" '
-            'and d is a digit or "*".')
+            'and h is a hexdigit or "*".')
     return value