From d5cd58df51b5288e4cfd37e8a2be8ce928dec41f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
Date: Thu, 1 Jun 2017 04:26:44 +0200
Subject: [PATCH] templatevm: set default netvm to None for templates

Since we have qrexec-based updates proxy, we can even stronger isolate templates from outside threats.

QubesOS/qubes-issues#1854
---
 qubes/vm/templatevm.py | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/qubes/vm/templatevm.py b/qubes/vm/templatevm.py
index 400eea856..3461acd41 100644
--- a/qubes/vm/templatevm.py
+++ b/qubes/vm/templatevm.py
@@ -27,6 +27,7 @@
 import qubes
 import qubes.config
 import qubes.vm.qubesvm
+import qubes.vm.mix.net

 from qubes.config import defaults
 from qubes.vm.qubesvm import QubesVM
@@ -52,6 +53,13 @@ def appvms(self):
 if hasattr(vm, 'template') and vm.template is self:
 yield vm

+ netvm = qubes.VMProperty('netvm', load_stage=4, allow_none=True,
+ default=None,
+ # pylint: disable=protected-access
+ setter=qubes.vm.qubesvm.QubesVM.netvm._setter,
+ doc='VM that provides network connection to this domain. When '
+ '`None`, machine is disconnected.')
+
 def __init__(self, *args, **kwargs):
 assert 'template' not in kwargs, "A TemplateVM can not have a template"
 self.volume_config = {
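Review bot: The `netvm` override added to TemplateVM in the second hunk changes only the default, so a template whose `netvm` was set explicitly will presumably stay attached to its network VM; how stored values are loaded is not visible here, so this should be confirmed. Because isolation is the purpose of the commit, the property should say so, for example with a comment `# templates have no network by default; updates go through the qrexec updates proxy (QubesOS/qubes-issues#1854)` above the assignment and a `doc` string noting that an explicit value overrides the default. The setter is borrowed through the private `QubesVM.netvm._setter` under a pylint suppression, while the `import qubes.vm.mix.net` added in the first hunk is not used by any visible line; either take the setter from that module or drop the import. The diffstat lists a single changed file, so a test asserting that a newly created TemplateVM has `netvm is None` would keep this default from regressing unnoticed. The TemplateVM class body starts and ends outside the hunk.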