Hide improper qubes from selection

ben-grande · ben-grande · commit 9a86cceb6e3d · 2026-02-16T14:06:58.000+01:00
Improve filters of several comboboxes to show only valid options:

- Templates nor disposable templates shouldn't be used:

  - as service qubes
  - have devices assigned to it
  - GPG key qube

- Minimal template may lack some packages and services, improve filter:

  - "updatevm" requires "supported-rpc.qube.TemplateDownload"
  - "split-gpg" requires "supported-rpc.qube.Gpg"
  - every model using VMSubsetPolicyHandler will check "service_name"
diff --git a/qubes_config/global_config/basics_handler.py b/qubes_config/global_config/basics_handler.py
@@ -740,7 +740,11 @@ def __init__(self, gtk_builder: Gtk.Builder, qapp: qubesadmin.Qubes):
 
     @staticmethod
     def _clock_vm_filter(vm) -> bool:
-        return vm.klass != "TemplateVM"
+        return (
+            vm.klass != "TemplateVM"
+            and not getattr(vm, "template_for_dispvms", False)
+            and (vm.klass == "AdminVM" or vm.is_networked())
+        )
 
     @staticmethod
     def _default_template_filter(vm) -> bool:
diff --git a/qubes_config/global_config/device_attachments.py b/qubes_config/global_config/device_attachments.py
@@ -122,7 +122,8 @@ def __init__(
             self.qapp,
             "edit_device",
             [],
-            filter_function=lambda vm: vm.klass != "AdminVM",
+            filter_function=lambda vm: vm.klass not in ["AdminVM", "TemplateVM"]
+            and not getattr(vm, "template_for_dispvms", False),
         )
 
         self.backend_vm: Optional[qubesadmin.vm.QubesVM] = None
@@ -398,7 +399,8 @@ def __init__(
             self.qapp,
             "required_device",
             [],
-            filter_function=lambda vm: vm.klass != "AdminVM",
+            filter_function=lambda vm: vm.klass not in ["AdminVM", "TemplateVM"]
+            and not getattr(vm, "template_for_dispvms", False),
         )
 
         self.dev_modeler = self.fill_combo_with_devices(
diff --git a/qubes_config/global_config/global_config.py b/qubes_config/global_config/global_config.py
@@ -434,6 +434,11 @@ def perform_setup(self):
             service_name="qubes.Gpg",
             policy_file_name="50-config-splitgpg",
             default_policy="",
+            filter_function=lambda vm: vm.klass not in ["AdminVM", "TemplateVM"]
+            and not getattr(vm, "template_for_dispvms", False)
+            and not vm.features.get("service.guivm")
+            and not vm.features.get("service.audiovm")
+            and not getattr(vm, "provides_network", False),
             main_rule_class=RuleSimpleNoAllow,
             main_verb_description=SimpleVerbDescription(
                 {
diff --git a/qubes_config/global_config/policy_handler.py b/qubes_config/global_config/policy_handler.py
@@ -44,7 +44,7 @@
 
 import qubesadmin
 import qubesadmin.vm
-from ..widgets.utils import compare_rule_lists
+from ..widgets.utils import compare_rule_lists, get_boolean_feature
 
 gi.require_version("Gtk", "3.0")
 from gi.repository import Gtk
@@ -562,6 +562,7 @@ def __init__(
         main_rule_class: Type[AbstractRuleWrapper],
         exception_verb_description: AbstractVerbDescription,
         exception_rule_class: Type[AbstractRuleWrapper],
+        filter_function: Callable[[qubesadmin.vm.QubesVM], bool] | None = None,
     ):
         """
         :param qapp: Qubes object
@@ -619,7 +620,22 @@ def __init__(
 
         # populate combo
         self.select_qube_model = VMListModeler(
-            combobox=self.select_qube_combo, qapp=self.qapp
+            combobox=self.select_qube_combo,
+            qapp=self.qapp,
+            filter_function=(
+                (
+                    lambda vm: filter_function(vm)
+                    and get_boolean_feature(
+                        vm, "supported-rpc." + service_name, recurse_template=True
+                    )
+                )
+                if filter_function
+                else (
+                    lambda vm: get_boolean_feature(
+                        vm, "supported-rpc." + service_name, recurse_template=True
+                    )
+                )
+            ),
         )
 
         # connect events
diff --git a/qubes_config/global_config/updates_handler.py b/qubes_config/global_config/updates_handler.py
@@ -686,6 +686,10 @@ def __init__(
                 lambda vm: vm.klass != "TemplateVM"
                 and vm.klass != "AdminVM"
                 and vm.is_networked()
+                and not getattr(vm, "template_for_dispvms", False)
+                and get_boolean_feature(
+                    vm, "supported-rpc.qubes.TemplateDownload", recurse_template=True
+                )
             ),
             current_value=self.qapp.updatevm,
             additional_options=NONE_CATEGORY,
diff --git a/qubes_config/tests/test_policy_handler.py b/qubes_config/tests/test_policy_handler.py
@@ -886,6 +886,16 @@ def test_subset_handler(test_builder, test_qapp, test_policy_manager: PolicyMana
     default_policy = """
 TestService * @anyvm test-blue allow"""
 
+    for qube in test_qapp.domains:
+        test_qapp.expected_calls[
+            (
+                qube,
+                "admin.vm.feature.CheckWithTemplate",
+                "supported-rpc.TestService",
+                None,
+            )
+        ] = b"0\x001"
+
     handler = VMSubsetPolicyHandler(
         qapp=test_qapp,
         gtk_builder=test_builder,
@@ -973,6 +983,16 @@ def test_subset_handler_limited_choice(
 TestService * @anyvm test-blue allow
 TestService * @anyvm test-red allow"""
 
+    for qube in test_qapp.domains:
+        test_qapp.expected_calls[
+            (
+                qube,
+                "admin.vm.feature.CheckWithTemplate",
+                "supported-rpc.TestService",
+                None,
+            )
+        ] = b"0\x001"
+
     handler = VMSubsetPolicyHandler(
         qapp=test_qapp,
         gtk_builder=test_builder,
@@ -1066,6 +1086,16 @@ def test_subset_handler_remove_choice(
 TestService * @anyvm test-blue allow
 TestService * @anyvm vault ask"""
 
+    for qube in test_qapp.domains:
+        test_qapp.expected_calls[
+            (
+                qube,
+                "admin.vm.feature.CheckWithTemplate",
+                "supported-rpc.TestService",
+                None,
+            )
+        ] = b"0\x001"
+
     handler = VMSubsetPolicyHandler(
         qapp=test_qapp,
         gtk_builder=test_builder,
@@ -1122,6 +1152,16 @@ def test_subset_handler_duplicates(
     default_policy = """
 TestService * @anyvm vault ask"""
 
+    for qube in test_qapp.domains:
+        test_qapp.expected_calls[
+            (
+                qube,
+                "admin.vm.feature.CheckWithTemplate",
+                "supported-rpc.TestService",
+                None,
+            )
+        ] = b"0\x001"
+
     handler = VMSubsetPolicyHandler(
         qapp=test_qapp,
         gtk_builder=test_builder,
@@ -1161,6 +1201,16 @@ def test_subset_handler_duplicates_load(
 TestService * @anyvm vault ask
 """
 
+    for qube in test_qapp.domains:
+        test_qapp.expected_calls[
+            (
+                qube,
+                "admin.vm.feature.CheckWithTemplate",
+                "supported-rpc.TestService",
+                None,
+            )
+        ] = b"0\x001"
+
     handler = VMSubsetPolicyHandler(
         qapp=test_qapp,
         gtk_builder=test_builder,
@@ -1191,6 +1241,16 @@ def test_subset_handler_unsupported(
 TestService * @anyvm vault allow target=test-blue
 """
 
+    for qube in test_qapp.domains:
+        test_qapp.expected_calls[
+            (
+                qube,
+                "admin.vm.feature.CheckWithTemplate",
+                "supported-rpc.TestService",
+                None,
+            )
+        ] = b"0\x001"
+
     test_policy_manager.policy_client.policy_replace("c-test", current_policy, "any")
 
     handler = VMSubsetPolicyHandler(
diff --git a/qubes_config/widgets/utils.py b/qubes_config/widgets/utils.py
@@ -33,19 +33,25 @@
 _ = t.gettext
 
 
-def get_feature(vm, feature_name, default_value=None):
+def get_feature(vm, feature_name, default_value=None, recurse_template=False):
     """Get feature, with a working default_value."""
+    if recurse_template:
+        feat = vm.features.check_with_template
+    else:
+        feat = vm.features.get
     try:
-        return vm.features.get(feature_name, default_value)
+        return feat(feature_name, default_value)
     except qubesadmin.exc.QubesDaemonAccessError:
         return default_value
 
 
-def get_boolean_feature(vm, feature_name, default=False):
+def get_boolean_feature(vm, feature_name, default=False, recurse_template=False):
     """helper function to get a feature converted to a Bool if it does exist.
     Necessary because of the true/false in features being coded as 1/empty
     string."""
-    result = get_feature(vm, feature_name, None)
+    result = get_feature(
+        vm, feature_name, default_value=None, recurse_template=recurse_template
+    )
     if result is not None:
         result = bool(result)
     else:
