tests: check '$anyvm' parsing in qrexec policy

Regression test for QubesOS/qubes-issues#2031
marmarek · Nov 18, 2016 · 68a116e · 68a116e
1 parent 85f6ff9
commit 68a116e
Showing 1 changed file with 38 additions and 0 deletions.
diff --git a/tests/vm_qrexec_gui.py b/tests/vm_qrexec_gui.py
@@ -1007,6 +1007,44 @@ def test_300_bug_1028_gui_memory_pinning(self):
         if vm_image != dom0_image:
             self.fail("Dom0 window doesn't match VM window content")
 
+class TC_10_Generic(qubes.tests.SystemTestsMixin, qubes.tests.QubesTestCase):
+    def setUp(self):
+        super(TC_10_Generic, self).setUp()
+        self.vm = self.qc.add_new_vm(
+            "QubesAppVm",
+            name=self.make_vm_name('vm'),
+            template=self.qc.get_default_template())
+        self.vm.create_on_disk(verbose=False)
+        self.save_and_reload_db()
+        self.qc.unlock_db()
+        self.vm = self.qc[self.vm.qid]
+
+    def test_000_anyvm_deny_dom0(self):
+        '''$anyvm in policy should not match dom0'''
+        policy = open("/etc/qubes-rpc/policy/test.AnyvmDeny", "w")
+        policy.write("%s $anyvm allow" % (self.vm.name,))
+        policy.close()
+        self.addCleanup(os.unlink, "/etc/qubes-rpc/policy/test.AnyvmDeny")
+
+        flagfile = '/tmp/test-anyvmdeny-flag'
+        if os.path.exists(flagfile):
+            os.remove(flagfile)
+        with open('/etc/qubes-rpc/test.AnyvmDeny', 'w') as f:
+            f.write('touch {}\n'.format(flagfile))
+            f.write('echo service output\n')
+        self.addCleanup(os.unlink, "/etc/qubes-rpc/test.AnyvmDeny")
+
+        self.vm.start(verbose=False)
+        p = self.vm.run("/usr/lib/qubes/qrexec-client-vm dom0 test.AnyvmDeny",
+                             passio_popen=True, passio_stderr=True)
+        (stdout, stderr) = p.communicate()
+        self.assertEqual(p.returncode, 1,
+            '$anyvm matched dom0, qrexec-client-vm output: {}'.
+                format(stdout + stderr))
+        self.assertFalse(os.path.exists(flagfile),
+            'Flag file created (service was run) even though should be denied,'
+            ' qrexec-client-vm output: {}'.format(stdout + stderr))
+
 
 def load_tests(loader, tests, pattern):
     try: