qrexec.policy.parser – Qubes RPC policy parser
The qrexec policy format is available as a separate specification.
Representing domain names
The classes should be instantiated using either VMToken or the context that expects the token.
>>> type(VMToken('@adminvm'))
<class 'qrexec.policy.parser.AdminVM'>
>>> type(Target('@adminvm'))
<class 'qrexec.policy.parser.AdminVM'>
The latter has the advantage that tokens inappropriate for the context are rejected:
>>> Redirect('@tag:tag1')
Traceback (most recent call last):
...
qrexec.exc.PolicySyntaxError: <unknown>:None: invalid redirect token: '@tag:tag1'
The tokens are as follows. EXACT means the token should match exactly. PREFIX
means anything may follow the prefix. When two different prefixes match
('@dispvm:'/'@dispvm:@tag:'), the longer one is chosen.
There is a helper metaclass for this; do not use it elsewhere:
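The EXACT/PREFIX matching and the per-context rejection described above, as a simplified stand-alone model. This is an added example, not the qrexec code or its metaclass: the function names, kind labels and the set of kinds each context accepts are assumptions, apart from the two behaviours the page shows (a target accepts '@adminvm', a redirect rejects '@tag:').

```python
# Simplified model of EXACT/PREFIX token resolution; all names are hypothetical.
EXACT, PREFIX = "EXACT", "PREFIX"

# (token text, match mode, kind). Token texts come from the page; the kind
# labels are made up for this example.
TOKENS = [
    ("@adminvm", EXACT, "adminvm"),
    ("@tag:", PREFIX, "tag"),
    ("@dispvm:", PREFIX, "dispvm-template"),
    ("@dispvm:@tag:", PREFIX, "dispvm-tag"),
]

# Kinds each context accepts. Assumption for this model, except that the page
# shows a redirect rejecting '@tag:' and a target accepting '@adminvm'.
CONTEXTS = {
    "target": {"adminvm", "tag", "dispvm-template", "dispvm-tag", "name"},
    "redirect": {"adminvm", "dispvm-template", "name"},
}


class PolicySyntaxError(ValueError):
    """Stand-in for the parser's syntax error."""


def classify(text):
    """Return (kind, value) for a token, preferring the longest match."""
    if not text.startswith("@"):
        return ("name", text)  # plain domain name, no token prefix
    best = None
    for token, mode, kind in TOKENS:
        hit = text == token if mode == EXACT else text.startswith(token)
        if hit and (best is None or len(token) > len(best[0])):
            best = (token, kind)
    if best is None:
        # Fail closed: an unknown '@' token is never treated as a VM name.
        raise PolicySyntaxError(f"invalid token: {text!r}")
    token, kind = best
    return (kind, text[len(token):])


def parse(text, context):
    """Classify a token, then reject kinds the context does not accept."""
    kind, value = classify(text)
    if kind not in CONTEXTS[context]:
        raise PolicySyntaxError(f"invalid {context} token: {text!r}")
    return (kind, value)
```

Without the longest-match rule, '@dispvm:@tag:tag1' would be read as a disposable based on a template literally named '@tag:tag1', which is a different policy decision than the one the rule author wrote.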
Request object
Actions and resolutions
There are two things that represent “what to do” when there is a match in
policy: actions and resolutions. An action is part of a Rule: it is what the
rule prescribes. In contrast, a resolution is something that happens after a
Rule was actually matched to a Request.