Allow fewer qubes to use the U2F proxy

ben-grande · ben-grande · commit 4d8bf3325d78 · 2026-02-16T14:06:59.000+01:00
diff --git a/qubes_config/global_config/usb_devices.py b/qubes_config/global_config/usb_devices.py
@@ -27,7 +27,7 @@
 from qubesadmin.device_protocol import DeviceCategory
 
 from ..widgets.gtk_widgets import TokenName, TextModeler, VMListModeler
-from ..widgets.utils import get_feature, apply_feature_change
+from ..widgets.utils import get_feature, get_boolean_feature, apply_feature_change
 from ..widgets.gtk_utils import ask_question, show_error
 from .page_handler import PageHandler
 from .policy_rules import RuleTargetedAdminVM, Rule
@@ -465,13 +465,16 @@ def load_rules_for_usb_qube(self):
         self.error_handler.clear_all_errors()
 
         for vm in self.qapp.domains:
-            if vm.features.check_with_template(self.SUPPORTED_SERVICE_FEATURE):
-                if vm == usb_qube:
-                    continue
+            if vm.features.check_with_template(self.SUPPORTED_SERVICE_FEATURE) and not (
+                vm == usb_qube
+                or vm.klass == "TemplateVM"
+                or getattr(vm, "template_for_dispvms", False)
+                or getattr(vm, "provides_network", False)
+                or get_boolean_feature(vm, "service.audiovm")
+                or get_boolean_feature(vm, "service.guivm")
+            ):
                 self.available_vms.append(vm)
-            if get_feature(vm, self.SERVICE_FEATURE):
-                if vm == usb_qube:
-                    continue
+            if get_feature(vm, self.SERVICE_FEATURE) and not vm == usb_qube:
                 self.initially_enabled_vms.append(vm)
 
         if not self.available_vms:
diff --git a/qubes_config/tests/test_usb_devices.py b/qubes_config/tests/test_usb_devices.py
@@ -981,6 +981,12 @@ def test_devices_handler_unsaved(test_qapp, test_policy_manager, real_builder):
         b"_function='0' _bus='00' _libvirt_name='pci_0000_00_0d_0' "
         b"_device='0d'\n"
     )
+    test_qapp.expected_calls[
+        ("test-vm", "admin.vm.feature.Get", "service.audiovm", None)
+    ] = b"0\x00"
+    test_qapp.expected_calls[
+        ("test-vm", "admin.vm.feature.Get", "service.guivm", None)
+    ] = b"0\x00"
 
     handler = DevicesHandler(test_qapp, test_policy_manager, real_builder)
 
@@ -1023,6 +1029,12 @@ def test_devices_handler_detect_usbvms(test_qapp, test_policy_manager, real_buil
         b"_function='0' _bus='00' _libvirt_name='pci_0000_00_0d_0' "
         b"_device='0d'\n"
     )
+    test_qapp.expected_calls[
+        ("test-vm", "admin.vm.feature.Get", "service.audiovm", None)
+    ] = b"0\x00"
+    test_qapp.expected_calls[
+        ("test-vm", "admin.vm.feature.Get", "service.guivm", None)
+    ] = b"0\x00"
 
     handler = DevicesHandler(test_qapp, test_policy_manager, real_builder)
 
