Fix setting default updatevm/whonix updatevm to none

Correctly put in policy a deny row when either is
set to none.

fixes QubesOS/qubes-issues#10294

Author: marmarta

mypy.ini

@@ -1,5 +1,6 @@
 [mypy]
 files = qubes_config
+exclude = qubes_config/tests/*
 
 ignore_missing_imports = True
 check_untyped_defs = True

qubes_config/global_config/basics_handler.py

@@ -134,7 +134,7 @@ def __init__(
         widget: Gtk.ComboBox,
         vm_filter: Optional[Callable] = None,
         readable_name: Optional[str] = None,
-        additional_options: Optional[Dict[str, str]] = None,
+        additional_options: Dict[Any | str | None, str] | None = None,
     ):
         self.qapp = qapp
         self.trait_holder = trait_holder

qubes_config/global_config/rule_list_widgets.py

@@ -18,7 +18,7 @@
 # You should have received a copy of the GNU Lesser General Public License along
 # with this program; if not, see <http://www.gnu.org/licenses/>.
 """Widgets used by various list of policy rules."""
-from typing import Optional, Dict, Callable
+from typing import Optional, Dict, Callable, Any
 
 from ..widgets.gtk_widgets import (
     VMListModeler,
@@ -43,36 +43,36 @@
 t = gettext.translation("desktop-linux-manager", fallback=True)
 _ = t.gettext
 
-SOURCE_CATEGORIES = {
+SOURCE_CATEGORIES: dict[Any | str | None, str] | None = {
     "@anyvm": _("ALL QUBES"),
     "@type:AppVM": _("TYPE: APP"),
     "@type:TemplateVM": _("TYPE: TEMPLATES"),
     "@type:DispVM": _("TYPE: DISPOSABLE"),
 }
 
-SOURCE_CATEGORIES_ADMIN = {
+SOURCE_CATEGORIES_ADMIN: dict[Any | str | None, str] | None = {
     "@anyvm": _("ALL QUBES"),
     "@type:AppVM": _("TYPE: APP"),
     "@type:TemplateVM": _("TYPE: TEMPLATES"),
     "@type:DispVM": _("TYPE: DISPOSABLE"),
     "@adminvm": _("TYPE: ADMINVM"),
 }
 
-TARGET_CATEGORIES = {
+TARGET_CATEGORIES: dict[Any | str | None, str] | None = {
     "@anyvm": _("ALL QUBES"),
     "@dispvm": _("Default Disposable Qube"),
     "@type:AppVM": _("TYPE: APP"),
     "@type:TemplateVM": _("TYPE: TEMPLATES"),
     "@type:DispVM": _("TYPE: DISPOSABLE"),
 }
 
-LIMITED_CATEGORIES = {
+LIMITED_CATEGORIES: dict[Any | str | None, str] | None = {
     "@type:AppVM": _("TYPE: APP"),
     "@type:TemplateVM": _("TYPE: TEMPLATES"),
     "@type:DispVM": _("TYPE: DISPOSABLE"),
 }
 
-DISPVM_CATEGORIES = {
+DISPVM_CATEGORIES: dict[Any | str | None, str] | None = {
     "@dispvm": _("Default Disposable Template"),
 }
 
@@ -83,12 +83,12 @@ class VMWidget(Gtk.Box):
     def __init__(
         self,
         qapp: qubesadmin.Qubes,
-        categories: Optional[Dict[str, str]],
+        categories: Dict[Any | str | None, str] | None,
         initial_value: str,
         additional_text: Optional[str] = None,
-        additional_widget: Optional[Gtk.Widget] = None,
-        filter_function: Optional[Callable[[qubesadmin.vm.QubesVM], bool]] = None,
-        change_callback: Optional[Callable] = None,
+        additional_widget: Gtk.Widget | None = None,
+        filter_function: Callable[[qubesadmin.vm.QubesVM], bool] | None = None,
+        change_callback: Callable | None = None,
     ):
         """
         :param qapp: Qubes object

qubes_config/global_config/updates_handler.py

@@ -491,13 +491,18 @@ def load_rules(self):
 
         for rule in reversed(self.rules):
             if rule.source == "@type:TemplateVM":
-                def_updatevm = rule.action.target
+                if rule.action == "deny":
+                    def_updatevm = None
+                else:
+                    def_updatevm = rule.action.target
             elif rule.source == "@tag:whonix-updatevm":
-                def_whonix_updatevm = rule.action.target
+                if rule.action == "deny":
+                    def_whonix_updatevm = None
+                else:
+                    def_whonix_updatevm = rule.action.target
 
-        if def_updatevm:
-            self.updatevm_model.select_value(str(def_updatevm))
-            self.updatevm_model.update_initial()
+        self.updatevm_model.select_value(str(def_updatevm))
+        self.updatevm_model.update_initial()
 
         if self.has_whonix:
             self.whonix_updatevm_model.select_value(str(def_whonix_updatevm))
@@ -589,27 +594,41 @@ def save(self):
             new_update_proxies.add(self.qapp.domains[rule.target])
 
         if self.has_whonix:
-            raw_rules.append(
-                self.policy_manager.new_rule(
+            if self.whonix_updatevm_model.get_selected():
+                rule = self.policy_manager.new_rule(
                     service=self.service_name,
                     source="@tag:whonix-updatevm",
                     target="@default",
                     action="allow "
                     f"target={self.whonix_updatevm_model.get_selected()}",
                 )
-            )
-            new_update_proxies.add(self.whonix_updatevm_model.get_selected())
-
-        if self.updatevm_model.get_selected():
-            raw_rules.append(
-                self.policy_manager.new_rule(
+            else:
+                rule = self.policy_manager.new_rule(
                     service=self.service_name,
-                    source="@type:TemplateVM",
+                    source="@tag:whonix-updatevm",
                     target="@default",
-                    action="allow " f"target={self.updatevm_model.get_selected()}",
+                    action="deny",
                 )
+            raw_rules.append(rule)
+            new_update_proxies.add(self.whonix_updatevm_model.get_selected())
+
+        # always have a rule for updatevm
+        if self.updatevm_model.get_selected():
+            rule = self.policy_manager.new_rule(
+                service=self.service_name,
+                source="@type:TemplateVM",
+                target="@default",
+                action=f"allow target={self.updatevm_model.get_selected()}",
             )
             new_update_proxies.add(self.updatevm_model.get_selected())
+        else:
+            rule = self.policy_manager.new_rule(
+                service=self.service_name,
+                source="@type:TemplateVM",
+                target="@default",
+                action="deny",
+            )
+        raw_rules.append(rule)
 
         self.policy_manager.save_rules(
             self.policy_file_name, raw_rules, self.current_token

qubes_config/widgets/gtk_widgets.py

@@ -38,7 +38,7 @@
 t = gettext.translation("desktop-linux-manager", fallback=True)
 _ = t.gettext
 
-NONE_CATEGORY = {"None": _("(none)")}
+NONE_CATEGORY: dict[Any | str | None, str] = {"None": _("(none)")}
 
 
 class TokenName(Gtk.Box):
@@ -50,12 +50,12 @@ def __init__(
         self,
         token_name: str,
         qapp: qubesadmin.Qubes,
-        categories: Optional[Dict[str, str]] = None,
+        categories: Optional[Dict[Any | str | None, str]] = None,
     ):
         """
         :param token_name: string for of the token
         :param qapp: Qubes object
-        :param categories: dict of human-readable names for token strings
+        :param categories: dict of human-readable names for tokens
         """
         super().__init__(orientation=Gtk.Orientation.HORIZONTAL)
         self.qapp = qapp
@@ -228,12 +228,12 @@ def __init__(
         self,
         combobox: Gtk.ComboBox,
         qapp: qubesadmin.Qubes,
-        filter_function: Optional[Callable[[qubesadmin.vm.QubesVM], bool]] = None,
-        event_callback: Optional[Callable[[], None]] = None,
-        default_value: Optional[Union[qubesadmin.vm.QubesVM, str]] = None,
-        current_value: Optional[Union[qubesadmin.vm.QubesVM, str]] = None,
+        filter_function: Callable[[qubesadmin.vm.QubesVM], bool] | None = None,
+        event_callback: Callable[[], None] | None = None,
+        default_value: qubesadmin.vm.QubesVM | str | None = None,
+        current_value: qubesadmin.vm.QubesVM | str | None = None,
         style_changes: bool = False,
-        additional_options: Optional[Dict[str, str]] = None,
+        additional_options: Dict[qubesadmin.vm.QubesVM | str | None, str] | None = None,
     ):
         """
         :param combobox: target ComboBox object
@@ -253,7 +253,7 @@ def __init__(
         :param style_changes: if True, combo-changed style class will be
         applied when combobox value changes
         :param additional_options: Dictionary of token: readable name of
-        addiitonal options to be added to the combobox
+        additonal options to be added to the combobox
         """
         self.qapp = qapp
         self.combo = combobox
@@ -321,10 +321,10 @@ def _get_icon(self, name):
 
     def _create_entries(
         self,
-        filter_function: Optional[Callable[[qubesadmin.vm.QubesVM], bool]],
-        default_value: Optional[Union[qubesadmin.vm.QubesVM, str]],
-        additional_options: Optional[Dict[str, str]] = None,
-        current_value: Optional[str] = None,
+        filter_function: Callable[[qubesadmin.vm.QubesVM], bool] | None,
+        default_value: qubesadmin.vm.QubesVM | str | None,
+        additional_options: Dict[qubesadmin.vm.QubesVM | str | None, str] | None = None,
+        current_value: str | None = None,
     ):
 
         if additional_options: