Allow VM boot modes to change a VM's default user

ArrayBolt3 · ArrayBolt3 · commit 06cf964f6099 · 2025-05-18T20:03:00.000-05:00
diff --git a/qubes/ext/core_features.py b/qubes/ext/core_features.py
@@ -108,9 +108,11 @@ async def qubes_features_request(self, vm, event, untrusted_features):
         # handle boot mode advertisement
         old_bootmode_info = {}
         for feature_key, feature_val in vm.features.items():
-            if feature_key.startswith(
-                "boot-mode.kernelopts."
-            ) or feature_key.startswith("boot-mode.name."):
+            if (
+                feature_key.startswith("boot-mode.kernelopts.")
+                or feature_key.startswith("boot-mode.name.")
+                or feature_key.startswith("boot-mode.default-user.")
+            ):
                 old_bootmode_info[feature_key] = feature_val
         new_bootmode_info = {}
         new_bootmode_names = []
@@ -136,19 +138,22 @@ async def qubes_features_request(self, vm, event, untrusted_features):
             untrusted_feature_key,
             untrusted_feature_value,
         ) in untrusted_features.items():
-            if untrusted_feature_key.startswith("boot-mode.name."):
-                bootmode_key_parts = untrusted_feature_key.split(".")
-                if len(bootmode_key_parts) != 3:
-                    # Boot mode key contains unexpected data, reject it
-                    continue
-                bootmode_name = bootmode_key_parts[2]
-                if bootmode_name == "":
-                    continue
-                if (
-                    f"boot-mode.kernelopts.{bootmode_name}"
-                    not in new_bootmode_info
-                ) and bootmode_name != "default":
-                    continue
+            if not untrusted_feature_key.startswith("boot-mode."):
+                continue
+            bootmode_key_parts = untrusted_feature_key.split(".")
+            if len(bootmode_key_parts) != 3:
+                # Boot mode key contains unexpected data, reject it
+                continue
+            bootmode_name = bootmode_key_parts[2]
+            if bootmode_name == "":
+                continue
+            if (
+                f"boot-mode.kernelopts.{bootmode_name}" not in new_bootmode_info
+            ) and bootmode_name != "default":
+                continue
+            if untrusted_feature_key.startswith(
+                "boot-mode.name."
+            ) or untrusted_feature_key.startswith("boot-mode.default-user."):
                 bootmode_feature = untrusted_feature_key
                 bootmode_value = untrusted_feature_value
                 new_bootmode_info[bootmode_feature] = bootmode_value
diff --git a/qubes/tests/ext.py b/qubes/tests/ext.py
@@ -1587,6 +1587,75 @@ def test_055_bootmode_preserve_oldvals(self):
             ],
         )
 
+    def test_056_bootmode_default_user(self):
+        del self.vm.template
+        self.loop.run_until_complete(
+            self.ext.qubes_features_request(
+                self.vm,
+                "features-request",
+                untrusted_features={
+                    "boot-mode.name.vmreq": "VMReq",
+                    "boot-mode.kernelopts.vmreq": "vmreq1 vmreq2",
+                    "boot-mode.default-user.vmreq": "altuser",
+                },
+            )
+        )
+        self.assertListEqual(
+            self.vm.mock_calls,
+            [
+                ("features.items", (), {}),
+                (
+                    "features.__setitem__",
+                    ("boot-mode.kernelopts.vmreq", "vmreq1 vmreq2"),
+                    {},
+                ),
+                (
+                    "features.__setitem__",
+                    ("boot-mode.name.vmreq", "VMReq"),
+                    {},
+                ),
+                (
+                    "features.__setitem__",
+                    ("boot-mode.default-user.vmreq", "altuser"),
+                    {},
+                ),
+                ("features.get", ("qrexec", False), {}),
+                ("features.get", ("qrexec", False), {}),
+            ],
+        )
+
+    def test_056_bootmode_default_user_mismatch(self):
+        del self.vm.template
+        self.loop.run_until_complete(
+            self.ext.qubes_features_request(
+                self.vm,
+                "features-request",
+                untrusted_features={
+                    "boot-mode.name.vmreq": "VMReq",
+                    "boot-mode.kernelopts.vmreq": "vmreq1 vmreq2",
+                    "boot-mode.default-user.nope": "altuser",
+                },
+            )
+        )
+        self.assertListEqual(
+            self.vm.mock_calls,
+            [
+                ("features.items", (), {}),
+                (
+                    "features.__setitem__",
+                    ("boot-mode.kernelopts.vmreq", "vmreq1 vmreq2"),
+                    {},
+                ),
+                (
+                    "features.__setitem__",
+                    ("boot-mode.name.vmreq", "VMReq"),
+                    {},
+                ),
+                ("features.get", ("qrexec", False), {}),
+                ("features.get", ("qrexec", False), {}),
+            ],
+        )
+
     def test_100_servicevm_feature(self):
         self.vm.provides_network = True
         self.ext.set_servicevm_feature(self.vm)
diff --git a/qubes/tests/vm/qubesvm.py b/qubes/tests/vm/qubesvm.py
@@ -3232,3 +3232,25 @@ def test_811_default_bootmode(self):
         self.assertEqual(vm.bootmode, "testmode3")
         del vm.template.features["boot-mode.kernelopts.testmode3"]
         self.assertEqual(vm.bootmode, "default")
+
+    def test_812_bootmode_default_user(self):
+        vm = self.get_vm(cls=qubes.vm.appvm.AppVM)
+        vm.template = self.get_vm(cls=qubes.vm.templatevm.TemplateVM)
+        vm.bootmode = qubes.property.DEFAULT
+        self.assertEqual(vm.get_default_user(), "user")
+        vm.features["boot-mode.kernelopts.testmode1"] = "abc def"
+        vm.features["boot-mode.default-user.testmode1"] = "altuser"
+        vm.features["boot-mode.active"] = "testmode1"
+        self.assertEqual(vm.get_default_user(), "altuser")
+        del vm.features["boot-mode.default-user.testmode1"]
+        self.assertEqual(vm.get_default_user(), "user")
+        vm.features["boot-mode.default-user.testmode1"] = "altuser"
+        del vm.features["boot-mode.kernelopts.testmode1"]
+        self.assertEqual(vm.get_default_user(), "user")
+        del vm.features["boot-mode.default-user.testmode1"]
+        vm.template.features["boot-mode.kernelopts.testmode2"] = "ghi jkl"
+        vm.template.features["boot-mode.default-user.testmode2"] = "altuser2"
+        vm.features["boot-mode.active"] = "testmode2"
+        self.assertEqual(vm.get_default_user(), "altuser2")
+        del vm.features["boot-mode.active"]
+        self.assertEqual(vm.get_default_user(), "user")
diff --git a/qubes/vm/qubesvm.py b/qubes/vm/qubesvm.py
@@ -1807,7 +1807,7 @@ async def run_service(
         name = self.name + "-dm" if stubdom else self.name
 
         if user is None:
-            user = self.default_user
+            user = self.get_default_user()
 
         if self.is_paused():
             # XXX what about autostart?
@@ -1876,7 +1876,7 @@ async def run(self, command, user=None, **kwargs):
         """  # pylint: disable=redefined-builtin
 
         if user is None:
-            user = self.default_user
+            user = self.get_default_user()
 
         return await asyncio.create_subprocess_exec(
             qubes.config.system_path["qrexec_client_path"],
@@ -2106,7 +2106,7 @@ async def start_qrexec_daemon(self, stubdom=False):
                 "--",
                 str(self.xid),
                 self.name,
-                self.default_user,
+                self.get_default_user(),
             ]
 
         if not self.debug:
@@ -2274,6 +2274,21 @@ def libvirt_undefine(self):
 
     # state of the machine
 
+    def get_default_user(self):
+        """Return a user account name suitable for use as a default user.
+
+        Usually returns the value of the default_user property, but also
+        allows boot modes to override the default user.
+        """
+        if self.bootmode == "default":
+            return self.default_user
+        bootmode_default_user = self.features.check_with_template(
+            f"boot-mode.default-user.{self.bootmode}", None
+        )
+        if bootmode_default_user is None:
+            return self.default_user
+        return bootmode_default_user
+
     def get_power_state(self):
         """Return power state description string.
 
@@ -2726,7 +2741,7 @@ def create_qdb_entries(self):
 
         self.untrusted_qdb.write("/name", self.name)
         self.untrusted_qdb.write("/type", self.__class__.__name__)
-        self.untrusted_qdb.write("/default-user", self.default_user)
+        self.untrusted_qdb.write("/default-user", self.get_default_user())
         self.untrusted_qdb.write("/qubes-vm-updateable", str(self.updateable))
         self.untrusted_qdb.write(
             "/qubes-vm-persistence", "full" if self.updateable else "rw-only"
