firewall: drop GetPolicy/SetPolicy calls

Firewall policy is now hardcoded to 'drop'. Keep the property, so anyone
trying to assign it will get an exception

QubesOS/qubes-issues#2869

qubesadmin/app.py

@@ -360,7 +360,6 @@ def clone_vm(self, src_vm, new_name, new_cls=None,
                         raise
 
             try:
-                dst_vm.firewall.policy = src_vm.firewall.policy
                 dst_vm.firewall.save_rules(src_vm.firewall.rules)
             except qubesadmin.exc.QubesException as e:
                 self.log.error('Failed to set firewall: %s', e)

qubesadmin/firewall.py

@@ -432,13 +432,7 @@ def save_rules(self, rules=None):
     @property
     def policy(self):
         '''Default action to take if no rule matches'''
-        policy_str = self.vm.qubesd_call(None, 'admin.vm.firewall.GetPolicy')
-        return Action(policy_str.decode())
-
-    @policy.setter
-    def policy(self, value):
-        self.vm.qubesd_call(None, 'admin.vm.firewall.SetPolicy', payload=str(
-            value).encode('ascii'))
+        return Action('drop')
 
     def reload(self):
         '''Force reload the same firewall rules.

qubesadmin/tests/app.py

@@ -220,15 +220,9 @@ def clone_setup_common_calls(self, src, dst):
             b'action=drop dst4=192.168.0.0/24\n'
             b'action=accept\n'
         )
-        self.app.expected_calls[
-            (src, 'admin.vm.firewall.GetPolicy', None, None)] = \
-            b'0\x00accept'
         self.app.expected_calls[
             (src, 'admin.vm.firewall.Get', None, None)] = \
             b'0\x00' + rules
-        self.app.expected_calls[
-            (dst, 'admin.vm.firewall.SetPolicy', None, b'accept')] = \
-            b'0\x00'
         self.app.expected_calls[
             (dst, 'admin.vm.firewall.Set', None, rules)] = \
             b'0\x00'
@@ -467,13 +461,9 @@ def test_039_clone_ignore_errors_firewall(self):
         self.app.expected_calls[('dom0', 'admin.vm.Create.AppVM',
             'test-template', b'name=new-name label=red')] = b'0\x00'
         self.app.expected_calls[
-            ('new-name', 'admin.vm.firewall.SetPolicy', None, b'accept')] = \
-            b'2\0QubesException\0\0something happened\0'
-        del self.app.expected_calls[
-            ('test-vm', 'admin.vm.firewall.Get', None, None)]
-        del self.app.expected_calls[
             ('new-name', 'admin.vm.firewall.Set', None,
-            b'action=drop dst4=192.168.0.0/24\naction=accept\n')]
+            b'action=drop dst4=192.168.0.0/24\naction=accept\n')] = \
+            b'2\0QubesException\0\0something happened\0'
         new_vm = self.app.clone_vm('test-vm', 'new-name', ignore_errors=True)
         self.assertEqual(new_vm.name, 'new-name')
         self.assertAllCalled()

qubesadmin/tests/firewall.py

@@ -409,26 +409,6 @@ def setUp(self):
             b'0\0test-vm class=AppVM state=Halted\n'
         self.vm = self.app.domains['test-vm']
 
-    def test_000_policy_get(self):
-        self.app.expected_calls[('test-vm', 'admin.vm.firewall.GetPolicy',
-            None, None)] = b'0\0accept'
-        policy = self.vm.firewall.policy
-        self.assertEqual(policy, 'accept')
-        self.assertEqual(policy, qubesadmin.firewall.Action('accept'))
-        self.assertAllCalled()
-
-    def test_001_policy_set(self):
-        self.app.expected_calls[('test-vm', 'admin.vm.firewall.SetPolicy',
-            None, b'drop')] = b'0\0'
-        self.vm.firewall.policy = 'drop'
-        self.assertAllCalled()
-
-    def test_002_policy_set2(self):
-        self.app.expected_calls[('test-vm', 'admin.vm.firewall.SetPolicy',
-            None, b'drop')] = b'0\0'
-        self.vm.firewall.policy = qubesadmin.firewall.Action('drop')
-        self.assertAllCalled()
-
     def test_010_load_rules(self):
         self.app.expected_calls[('test-vm', 'admin.vm.firewall.Get',
                 None, None)] = \
@@ -464,4 +444,4 @@ def test_020_set_rules(self):
         self.app.expected_calls[('test-vm', 'admin.vm.firewall.Set', None,
         ''.join(rule + '\n' for rule in rules_txt).encode('ascii'))] = b'0\0'
         self.vm.firewall.rules = rules
-        self.assertAllCalled()
+        self.assertAllCalled()