Don't translate dom0 to @adminvm

[HW42]

The previous behavior of handling "dom0" and "@adminvm" in policies was
inconsistent and let to the problem that you could not specify
target=dom0 default_target=dom0 (or both @adminvm) since one was
translated to @adminvm and the other was alsways expanded to dom0.

Based on the discussion in QubesOS/qubes-issues#9870 we now stop to
translate dom0 (or it's UUID) to @adminvm. The later works as keyword
that is expanded to dom0.

Note this also uncovered some wrong tests (like that "@type:AdminVM"
should not match "dom0").

Closes QubesOS/qubes-issues#9870

---

Depends on #203

[HW42]

As can been seen by the updates needed to the test cases, this change can have some side effects. I did some basic testing on a running system, but it definitively needs a full openqa run to make sure it doesn't break an assumption about dom0 vs. @adminvm elsewhere.

For that reason I probably would not backport this, even though I think being unable to specify a test.service * vm1 @default ask target=dom0 default_target=dom0 policy is a bug.

[codecov]

Codecov Report

❌ Patch coverage is 98.14815% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 78.96%. Comparing base (7b7e4fe) to head (4d62b9e).
⚠️ Report is 22 commits behind head on main.

Files with missing lines	Patch %	Lines
qrexec/policy/parser.py	92.85%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #204      +/-   ##
==========================================
+ Coverage   78.80%   78.96%   +0.16%     
==========================================
  Files          55       55              
  Lines       10458    10502      +44     
==========================================
+ Hits         8241     8293      +52     
+ Misses       2217     2209       -8     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[marmarek]

Indeed there are problematic cases. With sys-gui, clipboard paste doesn't work:

May 08 18:07:08.218152 dom0 qrexec-policy-daemon[1725]: qrexec: policy.EvalGUI+qubes.ClipboardPaste: sys-gui -> @adminvm: denied: no matching rule found

The policy is here: https://github.com/QubesOS/qubes-mgmt-salt-dom0-virtual-machines/blob/main/qvm/template-gui.jinja#L15 and it has dom0 as a target.

[HW42]

Indeed there are problematic cases. With sys-gui, clipboard paste doesn't work:

May 08 18:07:08.218152 dom0 qrexec-policy-daemon[1725]: qrexec: policy.EvalGUI+qubes.ClipboardPaste: sys-gui -> @adminvm: denied: no matching rule found

The policy is here: https://github.com/QubesOS/qubes-mgmt-salt-dom0-virtual-machines/blob/main/qvm/template-gui.jinja#L15 and it has dom0 as a target.

And the VM requests @adminvm. That's indeed a use case I haven't fully considered. That is using @adminvm not as a keyword in a policy, but as requested target. Do you think this should work (specifying dom0 in policy and requesting @adminvm as target)?

[marmarek]

I must admit it's a weird case. But it worked before, and we have no idea where is is that used (in various user scripts etc). So, I guess it needs to remain working.
BTW, with RemoteVM, there may be a point where @adminvm might get smarter and point not at local dom0, but dom0 of a given VM (so Admin API would work on RemoteVM too). But R4.3 is not the time for that, there are a lot of details that aren't clear yet (including whether it's a good idea at all). But it would be consistent with translating @adminvm to dom0 right now.

[HW42]

I must admit it's a weird case. But it worked before, and we have no idea where is is that used (in various user scripts etc). So, I guess it needs to remain working.

I assumed so, but thought worth asking given that it's not fully clear if this should still be the case, now that we kind of change @adminvm towards a keyword instead of a new name for dom0 (and treating the later as a legacy alias). For example a policy for test.service * vm1 @default allow target=vm2 does not allow requests from vm1 with a target of vm2 (and something like @tag:test is not allowed as request target at all).

BTW, with RemoteVM, there may be a point where @adminvm might get smarter and point not at local dom0, but dom0 of a given VM (so Admin API would work on RemoteVM too). But R4.3 is not the time for that, there are a lot of details that aren't clear yet (including whether it's a good idea at all). But it would be consistent with translating @adminvm to dom0 right now.

We need to be careful when such a change changes the meaning of a previously valid policies. But in that case that's probably ok, given that the remote dom0 is less sensitive than the local dom0.

[qubesos-bot]

OpenQA test summary

Complete test suite and dependencies: https://openqa.qubes-os.org/tests/overview?distri=qubesos&version=4.3&build=2025051904-4.3&flavor=pull-requests

Test run included the following:

• Add Arch packaging qubes-core-admin-client#332 (QubesOS/qubes-core-admin-client@e22c531)
• Allow user to save valid modified policy on 1st char qubes-desktop-linux-manager#256 (QubesOS/qubes-desktop-linux-manager@be1f977)
• Allow VM boot modes to change a VM's default user qubes-core-admin#681 (QubesOS/qubes-core-admin@06cf964)
• Wait for session only if necessary qubes-core-agent-linux#571 (QubesOS/qubes-core-agent-linux@397ffc9)
• Don't translate dom0 to @adminvm #204 (4d62b9e)
• Fix tests for changes in mock API qubes-manager#423 (QubesOS/qubes-manager@7192b9a)
• Disable (in updatevm) dnf ANSI coloring of output qubes-core-agent-linux#573 (QubesOS/qubes-core-agent-linux@9f99162)
• Redefine DeviceCategories and improvements in MockDevices qubes-core-admin-client#355 (QubesOS/qubes-core-admin-client@9308882)
• Device API changes qubes-desktop-linux-manager#258 (QubesOS/qubes-desktop-linux-manager@af1eb3e)
• Improve qvm-backup-restore --paranoid-mode qubes-core-admin-client#358 (QubesOS/qubes-core-admin-client@302533f)
• Correctly label pointing device as absolute, not relative qubes-gui-agent-linux#228 (QubesOS/qubes-gui-agent-linux@5947c79)
• merge_tops : throw better error if top is invalid qubes-mgmt-salt-base-topd#15 (QubesOS/qubes-mgmt-salt-base-topd@44d09b1)
• Make Devices tab prettier & safer qubes-manager#421 (QubesOS/qubes-manager@2bed45c)
• Restart qrexec-agent on update #205 (27facce)
• Assure backup restore/verify tmpdir is properly deleted qubes-core-admin-client#351 (QubesOS/qubes-core-admin-client@08f6820)
• Ignore RemoteVM for now qubes-manager#398 (QubesOS/qubes-manager@679eff4)
• Fix handling remove event qubes-app-linux-input-proxy#38 (QubesOS/qubes-app-linux-input-proxy@45a7c06)
• Devel20250429 qubes-ansible#7 (QubesOS/qubes-ansible@62a9741)

New failures, excluding unstable

Compared to: https://openqa.qubes-os.org/tests/overview?distri=qubesos&version=4.3&build=2025031804-4.3&flavor=update

• system_tests_whonix

  • whonix_torbrowser: unnamed test (unknown)
  • whonix_torbrowser: Failed (test died)
    # Test died: no candidate needle with tag(s) 'anon-whonix-tor-brows...

• system_tests_kde_gui_interactive

  • gui_keyboard_layout: wait_serial (wait serial expected)
    # wait_serial expected: "echo -e '[Layout]\nLayoutList=us,de' | sud...

  • gui_keyboard_layout: Failed (test died)
    # Test died: command 'test "$(cd ~user;ls e1*)" = "$(qvm-run -p wor...

• system_tests_audio@hw1

  • TC_20_AudioVM_PipeWire_debian-12-xfce: test_250_audio_playback_audiovm_pipewire (failure)
    AssertionError: Command 'timeout 20s pw-play --raw --format=f32 --r...

• system_tests_gui_tools@hw7

  • qui_widgets_devices: unnamed test (unknown)
  • qui_widgets_devices: Failed (test died)
    # Test died: no candidate needle with tag(s) 'qui-devices-opened' m...

• system_tests_qwt_win10_seamless@hw13

  • windows_clipboard_and_filecopy: unnamed test (unknown)
  • windows_clipboard_and_filecopy: Failed (test died)
    # Test died: no candidate needle with tag(s) 'windows-Edge-address-...

• system_tests_qwt_win11@hw13

  • windows_install: wait_serial (wait serial expected)
    # wait_serial expected: qr/dcWzE-\d+-/...

  • windows_install: Failed (test died + timed out)
    # Test died: command 'script -e -c 'bash -x /usr/bin/qvm-create-win...

Failed tests

11 failures

• system_tests_whonix

  • whonix_torbrowser: unnamed test (unknown)
  • whonix_torbrowser: Failed (test died)
    # Test died: no candidate needle with tag(s) 'anon-whonix-tor-brows...

• system_tests_kde_gui_interactive

  • gui_keyboard_layout: wait_serial (wait serial expected)
    # wait_serial expected: "echo -e '[Layout]\nLayoutList=us,de' | sud...

  • gui_keyboard_layout: Failed (test died)
    # Test died: command 'test "$(cd ~user;ls e1*)" = "$(qvm-run -p wor...

• system_tests_audio@hw1

  • TC_20_AudioVM_PipeWire_debian-12-xfce: test_250_audio_playback_audiovm_pipewire (failure)
    AssertionError: Command 'timeout 20s pw-play --raw --format=f32 --r...

• system_tests_gui_tools@hw7

  • qui_widgets_devices: unnamed test (unknown)
  • qui_widgets_devices: Failed (test died)
    # Test died: no candidate needle with tag(s) 'qui-devices-opened' m...

• system_tests_qwt_win10_seamless@hw13

  • windows_clipboard_and_filecopy: unnamed test (unknown)
  • windows_clipboard_and_filecopy: Failed (test died)
    # Test died: no candidate needle with tag(s) 'windows-Edge-address-...

• system_tests_qwt_win11@hw13

  • windows_install: wait_serial (wait serial expected)
    # wait_serial expected: qr/dcWzE-\d+-/...

  • windows_install: Failed (test died + timed out)
    # Test died: command 'script -e -c 'bash -x /usr/bin/qvm-create-win...

Fixed failures

Compared to: https://openqa.qubes-os.org/tests/132953#dependencies

14 fixed

• system_tests_whonix

  • whonixcheck: fail (unknown)
    Whonixcheck for sys-whonix failed...

  • whonixcheck: unnamed test (unknown)

• system_tests_suspend

  • suspend: unnamed test (unknown)
  • suspend: Failed (test died)
    # Test died: no candidate needle with tag(s) 'SUSPEND-FAILED' match...

• system_tests_basic_vm_qrexec_gui

  • TC_20_NonAudio_whonix-gateway-17: test_300_bug_1028_gui_memory_pinning (failure)
    AssertionError: Dom0 window doesn't match VM window content, saved ...

• system_tests_qrexec

  • TC_00_Qrexec_fedora-41-xfce: test_081_qrexec_service_argument_allow_specific (error)
    subprocess.CalledProcessError: Command '/usr/lib/qubes/qrexec-clien...

• system_tests_kde_gui_interactive

  • clipboard_and_web: unnamed test (unknown)

  • clipboard_and_web: Failed (test died)
    # Test died: no candidate needle with tag(s) 'qubes-website' matche...

  • clipboard_and_web: wait_serial (wait serial expected)
    # wait_serial expected: "lspci; echo 2E8vz-\$?-"...

• system_tests_guivm_vnc_gui_interactive

  • gui_filecopy: unnamed test (unknown)
  • gui_filecopy: Failed (test died)
    # Test died: no candidate needle with tag(s) 'files-work' matched...

• system_tests_audio

  • TC_20_AudioVM_Pulse_whonix-workstation-17: test_252_audio_playback_audiovm_switch_hvm (failure)
    AssertionError: only silence detected, no useful audio data

• system_tests_whonix@hw7

  • whonixcheck: fail (unknown)
    Whonixcheck for sys-whonix failed...

  • whonixcheck: unnamed test (unknown)

Unstable tests

• system_tests_update

  update2/Failed (1/5 times with errors)

  • job 139051 # Test died: command 'script -c 'qubes-vm-update --force-update --l...

• system_tests_update@hw1

  update2/Failed (1/5 times with errors)

  • job 139051 # Test died: command 'script -c 'qubes-vm-update --force-update --l...

• system_tests_update@hw7

  update2/Failed (1/5 times with errors)

  • job 139051 # Test died: command 'script -c 'qubes-vm-update --force-update --l...

• system_tests_update@hw13

  update2/Failed (1/5 times with errors)

  • job 139051 # Test died: command 'script -c 'qubes-vm-update --force-update --l...

Performance Tests

Performance degradation:

13 performance degradations

• dom0_root_seq1m_q8t1_read 3:read_bandwidth_kb: 183156.00 :small_red_triangle: ( previous job: 446963.00, degradation: 40.98%)
• dom0_root_seq1m_q8t1_write 3:write_bandwidth_kb: 81844.00 :small_red_triangle: ( previous job: 129298.00, degradation: 63.30%)
• dom0_root_seq1m_q1t1_read 3:read_bandwidth_kb: 233120.00 :small_red_triangle: ( previous job: 294295.00, degradation: 79.21%)
• dom0_root_rnd4k_q32t1_read 3:read_bandwidth_kb: 71505.00 :small_red_triangle: ( previous job: 79803.00, degradation: 89.60%)
• dom0_root_rnd4k_q32t1_write 3:write_bandwidth_kb: 3947.00 :small_red_triangle: ( previous job: 6149.00, degradation: 64.19%)
• dom0_varlibqubes_rnd4k_q1t1_write 3:write_bandwidth_kb: 4252.00 :small_red_triangle: ( previous job: 4903.00, degradation: 86.72%)
• fedora-41-xfce_root_rnd4k_q32t1_write 3:write_bandwidth_kb: 3046.00 :small_red_triangle: ( previous job: 3599.00, degradation: 84.63%)
• fedora-41-xfce_private_seq1m_q1t1_write 3:write_bandwidth_kb: 53948.00 :small_red_triangle: ( previous job: 61534.00, degradation: 87.67%)
• fedora-41-xfce_private_rnd4k_q32t1_write 3:write_bandwidth_kb: 1690.00 :small_red_triangle: ( previous job: 2215.00, degradation: 76.30%)
• fedora-41-xfce_volatile_seq1m_q8t1_write 3:write_bandwidth_kb: 101259.00 :small_red_triangle: ( previous job: 179949.00, degradation: 56.27%)
• fedora-41-xfce_volatile_seq1m_q1t1_read 3:read_bandwidth_kb: 282102.00 :small_red_triangle: ( previous job: 324737.00, degradation: 86.87%)
• fedora-41-xfce_volatile_rnd4k_q32t1_write 3:write_bandwidth_kb: 3462.00 :small_red_triangle: ( previous job: 5672.00, degradation: 61.04%)
• fedora-41-xfce_volatile_rnd4k_q1t1_read 3:read_bandwidth_kb: 6917.00 :small_red_triangle: ( previous job: 7867.00, degradation: 87.92%)

Remaining performance tests:

43 tests

• debian-12-xfce_exec: 7.14 🔺 ( previous job: 7.12, degradation: 100.35%)
• debian-12-xfce_exec-root: 26.89 🟢 ( previous job: 28.65, improvement: 93.83%)
• debian-12-xfce_socket: 8.09 🟢 ( previous job: 8.60, improvement: 94.00%)
• debian-12-xfce_socket-root: 9.14 🔺 ( previous job: 8.52, degradation: 107.21%)
• debian-12-xfce_exec-data-simplex: 66.19 🟢 ( previous job: 71.62, improvement: 92.41%)
• debian-12-xfce_exec-data-duplex: 71.15 🔺 ( previous job: 70.34, degradation: 101.15%)
• debian-12-xfce_exec-data-duplex-root: 68.97 🟢 ( previous job: 82.72, improvement: 83.38%)
• debian-12-xfce_socket-data-duplex: 149.64 🟢 ( previous job: 156.96, improvement: 95.34%)
• fedora-41-xfce_exec: 9.19 🟢 ( previous job: 9.27, improvement: 99.18%)
• fedora-41-xfce_exec-root: 61.29 🟢 ( previous job: 61.51, improvement: 99.64%)
• fedora-41-xfce_socket: 8.55 🟢 ( previous job: 8.63, improvement: 99.12%)
• fedora-41-xfce_socket-root: 8.83 🔺 ( previous job: 8.71, degradation: 101.41%)
• fedora-41-xfce_exec-data-simplex: 73.14 🟢 ( previous job: 75.53, improvement: 96.83%)
• fedora-41-xfce_exec-data-duplex: 71.81 🔺 ( previous job: 71.56, degradation: 100.36%)
• fedora-41-xfce_exec-data-duplex-root: 103.58 🟢 ( previous job: 109.13, improvement: 94.92%)
• fedora-41-xfce_socket-data-duplex: 140.94 🟢 ( previous job: 150.61, improvement: 93.58%)
• dom0_root_seq1m_q1t1_write 3:write_bandwidth_kb: 113777.00 :green_circle: ( previous job: 95454.00, improvement: 119.20%)
• dom0_root_rnd4k_q1t1_read 3:read_bandwidth_kb: 10353.00 :small_red_triangle: ( previous job: 10795.00, degradation: 95.91%)
• dom0_root_rnd4k_q1t1_write 3:write_bandwidth_kb: 4659.00 :small_red_triangle: ( previous job: 4826.00, degradation: 96.54%)
• dom0_varlibqubes_seq1m_q8t1_read 3:read_bandwidth_kb: 499559.00 :green_circle: ( previous job: 382273.00, improvement: 130.68%)
• dom0_varlibqubes_seq1m_q8t1_write 3:write_bandwidth_kb: 240499.00 :small_red_triangle: ( previous job: 250795.00, degradation: 95.89%)
• dom0_varlibqubes_seq1m_q1t1_read 3:read_bandwidth_kb: 434013.00 :small_red_triangle: ( previous job: 437636.00, degradation: 99.17%)
• dom0_varlibqubes_seq1m_q1t1_write 3:write_bandwidth_kb: 194707.00 :green_circle: ( previous job: 184752.00, improvement: 105.39%)
• dom0_varlibqubes_rnd4k_q32t1_read 3:read_bandwidth_kb: 101566.00 :green_circle: ( previous job: 62195.00, improvement: 163.30%)
• dom0_varlibqubes_rnd4k_q32t1_write 3:write_bandwidth_kb: 6182.00 :small_red_triangle: ( previous job: 6479.00, degradation: 95.42%)
• dom0_varlibqubes_rnd4k_q1t1_read 3:read_bandwidth_kb: 8044.00 :green_circle: ( previous job: 7669.00, improvement: 104.89%)
• fedora-41-xfce_root_seq1m_q8t1_read 3:read_bandwidth_kb: 386785.00 :green_circle: ( previous job: 368309.00, improvement: 105.02%)
• fedora-41-xfce_root_seq1m_q8t1_write 3:write_bandwidth_kb: 147477.00 :small_red_triangle: ( previous job: 162081.00, degradation: 90.99%)
• fedora-41-xfce_root_seq1m_q1t1_read 3:read_bandwidth_kb: 310321.00 :small_red_triangle: ( previous job: 318716.00, degradation: 97.37%)
• fedora-41-xfce_root_seq1m_q1t1_write 3:write_bandwidth_kb: 93369.00 :green_circle: ( previous job: 87940.00, improvement: 106.17%)
• fedora-41-xfce_root_rnd4k_q32t1_read 3:read_bandwidth_kb: 91325.00 :green_circle: ( previous job: 82694.00, improvement: 110.44%)
• fedora-41-xfce_root_rnd4k_q1t1_read 3:read_bandwidth_kb: 7740.00 :small_red_triangle: ( previous job: 8485.00, degradation: 91.22%)
• fedora-41-xfce_root_rnd4k_q1t1_write 3:write_bandwidth_kb: 944.00 :green_circle: ( previous job: 542.00, improvement: 174.17%)
• fedora-41-xfce_private_seq1m_q8t1_read 3:read_bandwidth_kb: 379918.00 :green_circle: ( previous job: 373957.00, improvement: 101.59%)
• fedora-41-xfce_private_seq1m_q8t1_write 3:write_bandwidth_kb: 225888.00 :green_circle: ( previous job: 170062.00, improvement: 132.83%)
• fedora-41-xfce_private_seq1m_q1t1_read 3:read_bandwidth_kb: 310046.00 :small_red_triangle: ( previous job: 334687.00, degradation: 92.64%)
• fedora-41-xfce_private_rnd4k_q32t1_read 3:read_bandwidth_kb: 89225.00 :green_circle: ( previous job: 80283.00, improvement: 111.14%)
• fedora-41-xfce_private_rnd4k_q1t1_read 3:read_bandwidth_kb: 9010.00 :green_circle: ( previous job: 7540.00, improvement: 119.50%)
• fedora-41-xfce_private_rnd4k_q1t1_write 3:write_bandwidth_kb: 1288.00 :green_circle: ( previous job: 1130.00, improvement: 113.98%)
• fedora-41-xfce_volatile_seq1m_q8t1_read 3:read_bandwidth_kb: 385364.00 :green_circle: ( previous job: 369868.00, improvement: 104.19%)
• fedora-41-xfce_volatile_seq1m_q1t1_write 3:write_bandwidth_kb: 43557.00 :green_circle: ( previous job: 17567.00, improvement: 247.95%)
• fedora-41-xfce_volatile_rnd4k_q32t1_read 3:read_bandwidth_kb: 79244.00 :green_circle: ( previous job: 79021.00, improvement: 100.28%)
• fedora-41-xfce_volatile_rnd4k_q1t1_write 3:write_bandwidth_kb: 2336.00 :green_circle: ( previous job: 1953.00, improvement: 119.61%)

[HW42]

That case should now work too. Tried to unify the handling of dom0 (and it's effective aliases) a bit and added further tests.

[marmarek]

PipelineRetry