From e0fe88ddfab6a63247547c5b8799418c60048b64 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
Date: Tue, 16 Jun 2026 12:19:46 +0200
Subject: [PATCH] Disable notification for denied property.GetAll call

It's expected to be denied when some properties are allowed but not all.

QubesOS/qubes-issues#10534
---
 Makefile | 2 ++
 qubes-rpc-policy/91-admin-default-deny.policy | 12 ++++++++++++
 rpm_spec/core-dom0.spec.in | 1 +
 3 files changed, 15 insertions(+)
 create mode 100644 qubes-rpc-policy/91-admin-default-deny.policy

diff --git a/Makefile b/Makefile
index ceefb386e..9e6037583 100644
--- a/Makefile
+++ b/Makefile
@@ -195,6 +195,8 @@ endif
 mkdir -p $(DESTDIR)/usr/libexec/qubes
 install -m 0644 qubes-rpc-policy/90-default.policy \
 $(DESTDIR)/etc/qubes/policy.d/90-default.policy
+ install -m 0644 qubes-rpc-policy/91-admin-default-deny.policy \
+ $(DESTDIR)/etc/qubes/policy.d/91-admin-default-deny.policy
 install -m 0644 qubes-rpc-policy/85-admin-backup-restore.policy \
 $(DESTDIR)/etc/qubes/policy.d/85-admin-backup-restore.policy
 cp qubes-rpc/qubes.FeaturesRequest $(DESTDIR)/etc/qubes-rpc/
diff --git a/qubes-rpc-policy/91-admin-default-deny.policy b/qubes-rpc-policy/91-admin-default-deny.policy
new file mode 100644
index 000000000..feabf017e
--- /dev/null
+++ b/qubes-rpc-policy/91-admin-default-deny.policy
@@ -0,0 +1,12 @@
+## Do not modify this file, create a new policy file with a lower number in the
+## filename instead. For example `30-user.policy`.
+
+## Default action is deny anyway, but add notify=no, as GetAll is expected to
+## be called if some properties are allowed but not all, so mute the spurious
+## notification
+
+admin.vm.property.GetAll * @anyvm @anyvm deny notify=no
+admin.vm.property.GetAll * @anyvm @adminvm deny notify=no
+
+admin.property.GetAll * @anyvm @anyvm deny notify=no
+admin.property.GetAll * @anyvm @adminvm deny notify=no
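Review bot: The `notify=no` on the four rules in the new 91-admin-default-deny.policy mutes the denial notification for every caller, not only for qubes that hold partial property grants, and the file comment does not say so. A qube with no Admin API access at all that calls `admin.vm.property.GetAll` or `admin.property.GetAll` is now refused without a notification, so the user loses that visible hint of unexpected Admin API use; whether the denial is still recorded elsewhere is not visible from this patch. I would extend the comment with `## Note: this mutes the notification for all callers, including qubes with no` / `## Admin API access; the call itself is still denied.` and name the place where an operator can review such denials. The rules only remain a fallback while this file sorts after every policy file that grants these calls, which the `91-` prefix appears to ensure relative to the `90-` files listed in the spec hunk.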
diff --git a/rpm_spec/core-dom0.spec.in b/rpm_spec/core-dom0.spec.in
index 824391807..10cc3a857 100644
--- a/rpm_spec/core-dom0.spec.in
+++ b/rpm_spec/core-dom0.spec.in
@@ -597,6 +597,7 @@ done
 %attr(0664,root,qubes) %config /etc/qubes/policy.d/85-admin-backup-restore.policy
 %attr(0664,root,qubes) %config /etc/qubes/policy.d/90-admin-default.policy
 %attr(0664,root,qubes) %config /etc/qubes/policy.d/90-default.policy
+%attr(0664,root,qubes) %config /etc/qubes/policy.d/91-admin-default-deny.policy
 %attr(0664,root,qubes) %config(noreplace) /etc/qubes/policy.d/include/admin-global-ro
 %attr(0664,root,qubes) %config(noreplace) /etc/qubes/policy.d/include/admin-global-rwx
 %attr(0664,root,qubes) %config(noreplace) /etc/qubes/policy.d/include/admin-local-ro