Allow fewer qubes to use the U2F proxy

Most qubes are not intended to connect to the U2F proxy. Trim the
selection down by hiding improper qubes that should never be clients,
such as templates, disposable templates, netvm, AudioVM, GUIVM.

Author: ben-grande

qubes_config/global_config/usb_devices.py

@@ -27,7 +27,7 @@
 from qubesadmin.device_protocol import DeviceCategory
 
 from ..widgets.gtk_widgets import TokenName, TextModeler, VMListModeler
-from ..widgets.utils import get_feature, apply_feature_change
+from ..widgets.utils import get_feature, get_boolean_feature, apply_feature_change
 from ..widgets.gtk_utils import ask_question, show_error
 from .page_handler import PageHandler
 from .policy_rules import RuleTargetedAdminVM, Rule
@@ -465,13 +465,16 @@ def load_rules_for_usb_qube(self):
         self.error_handler.clear_all_errors()
 
         for vm in self.qapp.domains:
-            if vm.features.check_with_template(self.SUPPORTED_SERVICE_FEATURE):
-                if vm == usb_qube:
-                    continue
+            if vm.features.check_with_template(self.SUPPORTED_SERVICE_FEATURE) and not (
+                vm == usb_qube
+                or vm.klass == "TemplateVM"
+                or getattr(vm, "template_for_dispvms", False)
+                or getattr(vm, "provides_network", False)
+                or get_boolean_feature(vm, "service.audiovm")
+                or get_boolean_feature(vm, "service.guivm")
+            ):
                 self.available_vms.append(vm)
-            if get_feature(vm, self.SERVICE_FEATURE):
-                if vm == usb_qube:
-                    continue
+            if get_feature(vm, self.SERVICE_FEATURE) and not vm == usb_qube:
                 self.initially_enabled_vms.append(vm)
 
         if not self.available_vms:

qubes_config/tests/test_usb_devices.py

@@ -981,6 +981,12 @@ def test_devices_handler_unsaved(test_qapp, test_policy_manager, real_builder):
         b"_function='0' _bus='00' _libvirt_name='pci_0000_00_0d_0' "
         b"_device='0d'\n"
     )
+    test_qapp.expected_calls[
+        ("test-vm", "admin.vm.feature.Get", "service.audiovm", None)
+    ] = b"0\x00"
+    test_qapp.expected_calls[
+        ("test-vm", "admin.vm.feature.Get", "service.guivm", None)
+    ] = b"0\x00"
 
     handler = DevicesHandler(test_qapp, test_policy_manager, real_builder)
 
@@ -1023,6 +1029,12 @@ def test_devices_handler_detect_usbvms(test_qapp, test_policy_manager, real_buil
         b"_function='0' _bus='00' _libvirt_name='pci_0000_00_0d_0' "
         b"_device='0d'\n"
     )
+    test_qapp.expected_calls[
+        ("test-vm", "admin.vm.feature.Get", "service.audiovm", None)
+    ] = b"0\x00"
+    test_qapp.expected_calls[
+        ("test-vm", "admin.vm.feature.Get", "service.guivm", None)
+    ] = b"0\x00"
 
     handler = DevicesHandler(test_qapp, test_policy_manager, real_builder)