Skip to content

Commit

Permalink
tests: add a test for proper saving of DispVM firewall rules
Browse files Browse the repository at this point in the history
Test if DispVM firewall rules are:
 - inherited from a calling VM
 - saved properly (so will be effective after firewall reload)
 - saved only for that DispVM (#1608)

QubesOS/qubes-issues#1608
  • Loading branch information
marmarek committed Jan 14, 2016
1 parent 46a338d commit f4d46c7
Showing 1 changed file with 60 additions and 0 deletions.
60 changes: 60 additions & 0 deletions tests/basic.py
Original file line number Diff line number Diff line change
Expand Up @@ -630,5 +630,65 @@ def test_000_revert_hvm(self):
self.setup_hvm_template()
self._do_test()

class TC_04_DispVM(qubes.tests.SystemTestsMixin,
qubes.tests.QubesTestCase):

def test_000_firewall_propagation(self):
testvm1 = self.qc.add_new_vm("QubesAppVm",
name=self.make_vm_name('vm1'),
template=self.qc.get_default_template())
testvm1.create_on_disk(verbose=False)
firewall = testvm1.get_firewall_conf()
firewall['allowDns'] = False
firewall['allowYumProxy'] = False
firewall['rules'] = [{'address': '1.2.3.4',
'netmask': 24,
'proto': 'tcp',
'portBegin': 22,
'portEnd': 22,
}]
testvm1.write_firewall_conf(firewall)
self.qc.save()
self.qc.unlock_db()

testvm1.start()

p = testvm1.run("qvm-run --dispvm 'qubesdb-read /name; echo ERROR;"
" read x'",
passio_popen=True)

dispvm_name = p.stdout.readline().strip()
self.qc.lock_db_for_reading()
self.qc.load()
self.qc.unlock_db()
dispvm = self.qc.get_vm_by_name(dispvm_name)
self.assertIsNotNone(dispvm, "DispVM {} not found in qubes.xml".format(
dispvm_name))
# FIXME: currently qubes.xml doesn't contain this information...
dispvm_template_name = os.path.basename(dispvm.dir_path)
dispvm_template = self.qc.get_vm_by_name(dispvm_template_name)
# check if firewall was propagated to the DispVM
self.assertEquals(testvm1.get_firewall_conf(),
dispvm.get_firewall_conf())
# and only there (#1608)
self.assertNotEquals(dispvm_template.get_firewall_conf(),
dispvm.get_firewall_conf())
# then modify some rule
firewall = dispvm.get_firewall_conf()
firewall['rules'] = [{'address': '4.3.2.1',
'netmask': 24,
'proto': 'tcp',
'portBegin': 22,
'portEnd': 22,
}]
dispvm.write_firewall_conf(firewall)
# and check again if wasn't saved anywhere else (#1608)
self.assertNotEquals(dispvm_template.get_firewall_conf(),
dispvm.get_firewall_conf())
self.assertNotEquals(testvm1.get_firewall_conf(),
dispvm.get_firewall_conf())
p.stdin.write('\n')
p.wait()


# vim: ts=4 sw=4 et

0 comments on commit f4d46c7

Please sign in to comment.