Add handler for internal feature

[ben-grande]

For: QubesOS/qubes-issues#1512

---

I didn't run the tests but I manually tested on R4.3 bench.

One thing I encountered is that a newly created qube can appear on the list for some miliseconds before it's internal feature is added.

[codecov]

Codecov Report

Attention: Patch coverage is 87.61905% with 13 lines in your changes missing coverage. Please review.

Project coverage is 79.18%. Comparing base (9acc13c) to head (5d9c320).
Report is 10 commits behind head on main.

Files with missing lines	Patch %	Lines
qubes_menu/vm_manager.py	80.59%	13 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main      #55      +/-   ##
==========================================
- Coverage   81.44%   79.18%   -2.26%     
==========================================
  Files          22       23       +1     
  Lines        2387     2561     +174     
==========================================
+ Hits         1944     2028      +84     
- Misses        443      533      +90     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[marmarta]

I'm a bit confused here: is the goal to hide every VM based on a template that's internal? Or do I misunderstand something? (also very possible)

[ben-grande]

is the goal to hide every VM based on a template that's internal?

That is correct. If the qube is internal, hide it, but if it is not internal but it's template is, it also should be hidden.

[marmarta]

That is correct. If the qube is internal, hide it, but if it is not internal but it's template is, it also should be hidden.

Hm, I'm a bit worried that this could be confusing... Could we document this in user-facing documentation somewhere? Preferably somewhere where the internal feature is described...

[ben-grande]

https://github.com/QubesOS/qubes-core-admin-client/compare/4d020c4a8b82d036c785c55a068ef02a0f798ce2..366319448408bdeb9b133d8d4b953fc3482cc444

[marmarta]

I mean in the qubes-doc somewhere, too

[ben-grande]

I mean in the qubes-doc somewhere, too

I grepped for internal in the qubes-doc and the only mention in the same context is about default-mgmt-dvm:

https://github.com/QubesOS/qubes-doc/blob/690d2898862903c6151031d27ec135c77e2fb658/user/templates/templates.md?plain=1#L240

And it doesn't even mention that it is a feature, just an internal qube. I think it would be wrong to add it to qubes-doct as only people deploying configuration for others do need to know about this feature and not end users.

But if you are sure about this, please let me know in which page to add.

[marmarta]

Hmm, I see. But I keep thinking on it, and I think I figured out the problem case: if a system has been configured for end-user (like in SecureDrop case), you might get 'internal' templates managed by the system itself (auto-updated etc.) and qubes based on those templates that should very much be visible to the end-user. I think only qubes that are internal themselves should be hidden.

[ben-grande]

A disposable template with internal feature set to true does not appear on the menu. If a child of this template has set to false the feature, the qube will appear on the menu under another disposable template as if it was its child.

…

On Tue, May 6, 2025, 4:20 PM Marta Marczykowska-Górecka < ***@***.***> wrote: *marmarta* left a comment (QubesOS/qubes-desktop-linux-menu#55) <#55 (comment)> Hmm, I see. But I keep thinking on it, and I think I figured out the problem case: if a system has been configured for end-user (like in SecureDrop case), you might get 'internal' templates managed by the system itself (auto-updated etc.) and qubes based on those templates that should very much be visible to the end-user. I think only qubes that are internal themselves should be hidden. — Reply to this email directly, view it on GitHub <#55 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/BCE2O4IAJTYHDCRSAZJR7HD25DALXAVCNFSM6AAAAAB3KNEILWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDQNJUG42TSOJZGM> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[marmarta]

I'm confused. Currently yeah, I see that it is a problem, but I don't think a good solution is just not showing all qubes with template with internal (especially as I think this PR would also hide an AppVM whose template has 'internal' set to true - correct me if I'm wrong, if that's not true, then this reservation is partially withheld). I think this would have us think about how to show this case in the menu in a sensible way, not just hide it?

[ben-grande]

I think this would have us think about how to show this case in the menu in a sensible way, not just hide it?

A little bit of background. The preloaded disposables was setting the internal feature when preloading and emptying it when marking the preloaded as used. Now, if the disposable template has the internal feature set to true, it is not removing it anymore.

About a sensible way to show it, I don't know how.

[marmarta]

A little bit of background. The preloaded disposables was setting the internal feature when preloading and emptying it when marking the preloaded as used. Now, if the disposable template has the internal feature set to true, it is not removing it anymore.

Hmm, so the issue is basically that an in-use preloaded dispvm shows up in the menu with a fake parent? My proposal would be then:

• an initial bandaid: do not show only those VMs in the menu (pre-loaded ones)
• next step: make an issue to rework how parent VM is shown to account for VMs whose parent is internal (right now I'm torn between "show parent, just don't allow running stuff in it" and "completely change how parents are shown, aaaa"

[ben-grande]

That is not an issue anymore on the preloaded side as mentioned above. It has been fixed there by not deleting it if the disposable template has internal set to true. The preloaded qubes are not shown in the menu anymore because they also have internal set to true. This issue was in the beginning to account for the preloaded functionality, but now it is more general.

…

On Wed, May 7, 2025, 12:26 PM Marta Marczykowska-Górecka < ***@***.***> wrote: *marmarta* left a comment (QubesOS/qubes-desktop-linux-menu#55) <#55 (comment)> A little bit of background. The preloaded disposables <QubesOS/qubes-core-admin#660> was setting the internal feature when preloading and emptying it when marking the preloaded as used. Now, if the disposable template has the internal feature set to true, it is not removing it anymore. Hmm, so the issue is basically that an in-use preloaded dispvm shows up in the menu with a fake parent? My proposal would be then: - an initial bandaid: do not show only those VMs in the menu (pre-loaded ones) - next step: make an issue to rework how parent VM is shown to account for VMs whose parent is internal (right now I'm torn between "show parent, just don't allow running stuff in it" and "completely change how parents are shown, aaaa" — Reply to this email directly, view it on GitHub <#55 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/BCE2O4MR4RWBNOS754AQUMD25HNU3AVCNFSM6AAAAAB3KNEILWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDQNJYGAZDINRRGU> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[marmarta]

I think this looks fine on my side now, but codecov claims most of the actual internal-related lines are not covered by tests?

[ben-grande]

but codecov claims

From what I see, every failed check related to internal is a false positive.

---

The changes pushed are because I changed my mind on querying the template features, using check_with_template() now for uniformity with other Qubes components.

[marmarek]

This is not resilient against not having access to the feature:

Jun 10 00:54:26 sys-gui qubes-app-menu[1285]: Traceback (most recent call last):
Jun 10 00:54:26 sys-gui qubes-app-menu[1285]:   File "/usr/lib/python3.13/site-packages/qubes_menu/appmenu.py", line 281, in do_activate
Jun 10 00:54:26 sys-gui qubes-app-menu[1285]:     self.perform_setup()
Jun 10 00:54:26 sys-gui qubes-app-menu[1285]:     ~~~~~~~~~~~~~~~~~~^^
Jun 10 00:54:26 sys-gui qubes-app-menu[1285]:   File "/usr/lib/python3.13/site-packages/qubes_menu/appmenu.py", line 401, in perform_setup
Jun 10 00:54:26 sys-gui qubes-app-menu[1285]:     self.vm_manager = VMManager(self.qapp, self.dispatcher)
Jun 10 00:54:26 sys-gui qubes-app-menu[1285]:                       ~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Jun 10 00:54:26 sys-gui qubes-app-menu[1285]:   File "/usr/lib/python3.13/site-packages/qubes_menu/vm_manager.py", line 210, in __init__
Jun 10 00:54:26 sys-gui qubes-app-menu[1285]:     self.load_vm_from_name(vm.name)
Jun 10 00:54:26 sys-gui qubes-app-menu[1285]:     ~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^
Jun 10 00:54:26 sys-gui qubes-app-menu[1285]:   File "/usr/lib/python3.13/site-packages/qubes_menu/vm_manager.py", line 228, in load_vm_from_name
Jun 10 00:54:26 sys-gui qubes-app-menu[1285]:     if vm.features.check_with_template("internal", False):
Jun 10 00:54:26 sys-gui qubes-app-menu[1285]:        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^
Jun 10 00:54:26 sys-gui qubes-app-menu[1285]:   File "/usr/lib/python3.13/site-packages/qubesadmin/features.py", line 83, in check_with_template
Jun 10 00:54:26 sys-gui qubes-app-menu[1285]:     qubesd_response = self.vm.qubesd_call(
Jun 10 00:54:26 sys-gui qubes-app-menu[1285]:         self.vm.name, 'admin.vm.feature.CheckWithTemplate', feature)
Jun 10 00:54:26 sys-gui qubes-app-menu[1285]:   File "/usr/lib/python3.13/site-packages/qubesadmin/base.py", line 76, in qubesd_call
Jun 10 00:54:26 sys-gui qubes-app-menu[1285]:     return self.app.qubesd_call(dest, method, arg, payload,
Jun 10 00:54:26 sys-gui qubes-app-menu[1285]:            ~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Jun 10 00:54:26 sys-gui qubes-app-menu[1285]:         payload_stream)
Jun 10 00:54:26 sys-gui qubes-app-menu[1285]:         ^^^^^^^^^^^^^^^
Jun 10 00:54:26 sys-gui qubes-app-menu[1285]:   File "/usr/lib/python3.13/site-packages/qubesadmin/app.py", line 1021, in qubesd_call
Jun 10 00:54:26 sys-gui qubes-app-menu[1285]:     raise qubesadmin.exc.QubesDaemonAccessError(
Jun 10 00:54:26 sys-gui qubes-app-menu[1285]:         "Service call error: %s", stderr.decode()
Jun 10 00:54:26 sys-gui qubes-app-menu[1285]:     )
Jun 10 00:54:26 sys-gui qubes-app-menu[1285]: qubesadmin.exc.QubesDaemonAccessError: Service call error: Request refused
Jun 10 00:54:46 sys-gui qubes-app-menu[1285]: Traceback (most recent call last):
Jun 10 00:54:46 sys-gui qubes-app-menu[1285]:   File "/usr/lib/python3.13/site-packages/qubes_menu/appmenu.py", line 281, in do_activate
Jun 10 00:54:46 sys-gui qubes-app-menu[1285]:     self.perform_setup()
Jun 10 00:54:46 sys-gui qubes-app-menu[1285]:     ~~~~~~~~~~~~~~~~~~^^
Jun 10 00:54:46 sys-gui qubes-app-menu[1285]:   File "/usr/lib/python3.13/site-packages/qubes_menu/appmenu.py", line 401, in perform_setup
Jun 10 00:54:46 sys-gui qubes-app-menu[1285]:     self.vm_manager = VMManager(self.qapp, self.dispatcher)
Jun 10 00:54:46 sys-gui qubes-app-menu[1285]:                       ~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Jun 10 00:54:46 sys-gui qubes-app-menu[1285]:   File "/usr/lib/python3.13/site-packages/qubes_menu/vm_manager.py", line 210, in __init__
Jun 10 00:54:46 sys-gui qubes-app-menu[1285]:     self.load_vm_from_name(vm.name)
Jun 10 00:54:46 sys-gui qubes-app-menu[1285]:     ~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^
Jun 10 00:54:46 sys-gui qubes-app-menu[1285]:   File "/usr/lib/python3.13/site-packages/qubes_menu/vm_manager.py", line 228, in load_vm_from_name
Jun 10 00:54:46 sys-gui qubes-app-menu[1285]:     if vm.features.check_with_template("internal", False):
Jun 10 00:54:46 sys-gui qubes-app-menu[1285]:        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^
Jun 10 00:54:46 sys-gui qubes-app-menu[1285]:   File "/usr/lib/python3.13/site-packages/qubesadmin/features.py", line 83, in check_with_template
Jun 10 00:54:46 sys-gui qubes-app-menu[1285]:     qubesd_response = self.vm.qubesd_call(
Jun 10 00:54:46 sys-gui qubes-app-menu[1285]:         self.vm.name, 'admin.vm.feature.CheckWithTemplate', feature)
Jun 10 00:54:46 sys-gui qubes-app-menu[1285]:   File "/usr/lib/python3.13/site-packages/qubesadmin/base.py", line 76, in qubesd_call
Jun 10 00:54:46 sys-gui qubes-app-menu[1285]:     return self.app.qubesd_call(dest, method, arg, payload,
Jun 10 00:54:46 sys-gui qubes-app-menu[1285]:            ~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Jun 10 00:54:46 sys-gui qubes-app-menu[1285]:         payload_stream)
Jun 10 00:54:46 sys-gui qubes-app-menu[1285]:         ^^^^^^^^^^^^^^^
Jun 10 00:54:46 sys-gui qubes-app-menu[1285]:   File "/usr/lib/python3.13/site-packages/qubesadmin/app.py", line 1021, in qubesd_call
Jun 10 00:54:46 sys-gui qubes-app-menu[1285]:     raise qubesadmin.exc.QubesDaemonAccessError(
Jun 10 00:54:46 sys-gui qubes-app-menu[1285]:         "Service call error: %s", stderr.decode()
Jun 10 00:54:46 sys-gui qubes-app-menu[1285]:     )
Jun 10 00:54:46 sys-gui qubes-app-menu[1285]: qubesadmin.exc.QubesDaemonAccessError: Service call error: Request refused

It choked on dom0 specifically:

Jun 10 00:54:45.982922 dom0 qrexec-policy-daemon[1733]: qrexec: admin.vm.feature.CheckWithTemplate+internal: sys-gui -> dom0: denied: no matching rule found

I guess sys-gui should be able to get properties/features of dom0. But still, menu shouldn't explode if permissions are limited.

[ben-grande]

But still, menu shouldn't explode if permissions are limited.

Handling exception now.

[marmarek]

mypy complains, and looking at the message it's a valid complain

[marmarek]

Can you split formatting and functional changes into separate commits?

[marmarek]

PipelineRetry