q-dev: deny list drop ins and comments

QubesOS · Oct 15, 2024 · 97084d6 · 97084d6
1 parent 63489c1
commit 97084d6
Showing 1 changed file with 26 additions and 8 deletions.
diff --git a/qubes/ext/admin.py b/qubes/ext/admin.py
@@ -17,6 +17,7 @@
 # You should have received a copy of the GNU Lesser General Public
 # License along with this library; if not, see <https://www.gnu.org/licenses/>.
 import importlib
+import os
 
 import qubes.api
 import qubes.api.internal
@@ -177,11 +178,35 @@ def on_device_attach(
 
         # load device deny list
         deny = {}
+        AdminExtension._load_deny_list(deny, DEVICE_DENY_LIST)
+
+        # load drop ins
+        drop_in_path = DEVICE_DENY_LIST + '.d'
+        if os.path.isdir(drop_in_path):
+            for deny_list_name in os.listdir(drop_in_path):
+                deny_list_path = os.path.join(drop_in_path, deny_list_name)
+
+                if os.path.isfile(deny_list_path):
+                    AdminExtension._load_deny_list(deny, deny_list_path)
+
+        # check if any presented interface is on deny list
+        for interface in deny.get(dest.name, set()):
+            pattern = DeviceInterface(interface)
+            for devint in device.interfaces:
+                if pattern.matches(devint):
+                    raise qubes.exc.PermissionDenied()
+
+    @staticmethod
+    def _load_deny_list(deny: dict, path: str) -> None:
         try:
-            with open(DEVICE_DENY_LIST, 'r', encoding="utf-8") as file:
+            with open(path, 'r', encoding="utf-8") as file:
                 for line in file:
                     line = line.strip()
 
+                    # skip comments
+                    if line.startswith('#'):
+                        continue
+
                     if line:
                         name, *values = line.split()
 
@@ -191,10 +216,3 @@ def on_device_attach(
                         deny[name] = deny.get(name, set()).union(set(values))
         except IOError:
             pass
-
-        # check if any presented interface is on deny list
-        for interface in deny.get(dest.name, set()):
-            pattern = DeviceInterface(interface)
-            for devint in device.interfaces:
-                if pattern.matches(devint):
-                    raise qubes.exc.PermissionDenied()