From c442ff5fcaeca7408928fc173541da1b771b8358 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Thu, 14 Jan 2016 01:14:41 +0100 Subject: [PATCH] tests: add a test for proper saving of DispVM firewall rules Test if DispVM firewall rules are: - inherited from a calling VM - saved properly (so will be effective after firewall reload) - saved only for that DispVM (#1608) QubesOS/qubes-issues#1608 (cherry picked from commit f4d46c7855628b923fde1fa1ff28ae539504eb10) --- tests/basic.py | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) diff --git a/tests/basic.py b/tests/basic.py index 352d6fe55..8df1ac41e 100644 --- a/tests/basic.py +++ b/tests/basic.py @@ -614,6 +614,66 @@ def test_000_revert_pv(self): self._do_test() +class TC_04_DispVM(qubes.tests.SystemTestsMixin, + qubes.tests.QubesTestCase): + + def test_000_firewall_propagation(self): + testvm1 = self.qc.add_new_vm("QubesAppVm", + name=self.make_vm_name('vm1'), + template=self.qc.get_default_template()) + testvm1.create_on_disk(verbose=False) + firewall = testvm1.get_firewall_conf() + firewall['allowDns'] = False + firewall['allowYumProxy'] = False + firewall['rules'] = [{'address': '1.2.3.4', + 'netmask': 24, + 'proto': 'tcp', + 'portBegin': 22, + 'portEnd': 22, + }] + testvm1.write_firewall_conf(firewall) + self.qc.save() + self.qc.unlock_db() + + testvm1.start() + + p = testvm1.run("qvm-run --dispvm 'qubesdb-read /name; echo ERROR;" + " read x'", + passio_popen=True) + + dispvm_name = p.stdout.readline().strip() + self.qc.lock_db_for_reading() + self.qc.load() + self.qc.unlock_db() + dispvm = self.qc.get_vm_by_name(dispvm_name) + self.assertIsNotNone(dispvm, "DispVM {} not found in qubes.xml".format( + dispvm_name)) + # FIXME: currently qubes.xml doesn't contain this information... + dispvm_template_name = os.path.basename(dispvm.dir_path) + dispvm_template = self.qc.get_vm_by_name(dispvm_template_name) + # check if firewall was propagated to the DispVM + self.assertEquals(testvm1.get_firewall_conf(), + dispvm.get_firewall_conf()) + # and only there (#1608) + self.assertNotEquals(dispvm_template.get_firewall_conf(), + dispvm.get_firewall_conf()) + # then modify some rule + firewall = dispvm.get_firewall_conf() + firewall['rules'] = [{'address': '4.3.2.1', + 'netmask': 24, + 'proto': 'tcp', + 'portBegin': 22, + 'portEnd': 22, + }] + dispvm.write_firewall_conf(firewall) + # and check again if wasn't saved anywhere else (#1608) + self.assertNotEquals(dispvm_template.get_firewall_conf(), + dispvm.get_firewall_conf()) + self.assertNotEquals(testvm1.get_firewall_conf(), + dispvm.get_firewall_conf()) + p.stdin.write('\n') + p.wait() + class TC_04_DispVM(qubes.tests.SystemTestsMixin, qubes.tests.QubesTestCase):