From c717c927efec3bc3deff3cbc0c00db450eccb327 Mon Sep 17 00:00:00 2001
From: Ben Grande <ben.grande.b@gmail.com>
Date: Thu, 24 Apr 2025 23:27:43 +0200
Subject: [PATCH] Remove internal qubes from being target of ask

For: https://github.com/QubesOS/qubes-issues/issues/1512
---
 qrexec/policy/parser.py       |  8 ++++++++
 qrexec/tests/policy_parser.py | 36 ++++++++++++++++++++++++++++++-----
 2 files changed, 39 insertions(+), 5 deletions(-)

diff --git a/qrexec/policy/parser.py b/qrexec/policy/parser.py
index 7709cd12..c8c9112b 100644
--- a/qrexec/policy/parser.py
+++ b/qrexec/policy/parser.py
@@ -1899,6 +1899,14 @@ def collect_targets_for_ask(self, request):
         if source_uuid in targets:
             targets.remove(source_uuid)
 
+        for unwanted_target in targets.copy():
+            if unwanted_target.startswith("@dispvm:"):
+                unwanted_target_name = unwanted_target[len("@dispvm:") :]
+            else:
+                unwanted_target_name = unwanted_target
+            if info[unwanted_target_name].get("internal", False):
+                targets.remove(unwanted_target)
+
         return targets
 
 
diff --git a/qrexec/tests/policy_parser.py b/qrexec/tests/policy_parser.py
index e8e4df57..a2d5a64d 100644
--- a/qrexec/tests/policy_parser.py
+++ b/qrexec/tests/policy_parser.py
@@ -87,6 +87,24 @@
             "power_state": "Halted",
             "uuid": "f3e538bd-4427-4697-bed7-45ef3270df21",
         },
+        "default-mgmt-dvm": {
+            "internal": True,
+            "tags": [],
+            "type": "AppVM",
+            "default_dispvm": "default-dvm",
+            "template_for_dispvms": True,
+            "power_state": "Halted",
+            "uuid": "f3e538bd-4427-4697-bed7-45ef3270df22",
+        },
+        "internal-vm": {
+            "internal": True,
+            "tags": [],
+            "type": "AppVM",
+            "default_dispvm": "default-dvm",
+            "template_for_dispvms": False,
+            "power_state": "Halted",
+            "uuid": "f3e538bd-4427-4697-bed7-45ef3270df23",
+        },
         "test-invalid-dvm": {
             "tags": ["tag1", "tag2"],
             "type": "AppVM",
@@ -328,9 +346,12 @@ def test_021_Target_expand(self):
             [
                 "@dispvm",
                 "@dispvm:default-dvm",
+                "@dispvm:default-mgmt-dvm",
                 "@dispvm:test-vm3",
                 "@dispvm:test-vm4",
                 "default-dvm",
+                "default-mgmt-dvm",
+                "internal-vm",
                 "test-invalid-dvm",
                 "test-no-dvm",
                 "test-relayvm1",
@@ -356,10 +377,13 @@ def test_021_Target_expand(self):
             [
                 "@dispvm",
                 "@dispvm:default-dvm",
+                "@dispvm:default-mgmt-dvm",
                 "@dispvm:test-vm3",
                 "@dispvm:test-vm4",
                 "default-dvm",
+                "default-mgmt-dvm",
                 "dom0",
+                "internal-vm",
                 "test-invalid-dvm",
                 "test-no-dvm",
                 "test-relayvm1",
@@ -383,17 +407,19 @@ def test_021_Target_expand(self):
         self.assertCountEqual(
             parser.Target("@type:AppVM").expand(system_info=self.system_info),
             [
+                "default-dvm",
+                "default-mgmt-dvm",
+                "internal-vm",
+                "test-invalid-dvm",
+                "test-no-dvm",
+                "test-relayvm1",
                 "test-vm1",
                 "test-vm2",
                 "test-vm3",
                 "test-vm4",
-                "default-dvm",
-                "test2-vm1",
                 "test2-relayvm1",
                 "test2-relayvm2",
-                "test-invalid-dvm",
-                "test-no-dvm",
-                "test-relayvm1",
+                "test2-vm1",
             ],
         )
         self.assertCountEqual(