qvm-start-daemon: handle policy denials

Do not interrupt enumerating VMs if one gets policy deny. QubesOS/qubes-issues#1590
QubesOS · May 2, 2024 · 86d0312 · 86d0312
1 parent c779d0d
commit 86d0312
Showing 1 changed file with 24 additions and 20 deletions.
diff --git a/qubesadmin/tools/qvm_start_daemon.py b/qubesadmin/tools/qvm_start_daemon.py
@@ -694,28 +694,32 @@ def on_connection_established(self, _subject, _event, **_kwargs):
         monitor_layout = get_monitor_layout()
         self.app.domains.clear_cache()
         for vm in self.app.domains:
-            if vm.klass == 'AdminVM':
-                continue
+            try:
+                if vm.klass == 'AdminVM':
+                    continue
 
-            if not self.is_watched(vm):
-                continue
+                if not self.is_watched(vm):
+                    continue
 
-            power_state = vm.get_power_state()
-            if power_state == 'Running':
-                if "guivm" in self.enabled_services:
-                    asyncio.ensure_future(
-                        self.start_gui(vm, monitor_layout=monitor_layout)
-                    )
-                if "audiovm" in self.enabled_services:
-                    asyncio.ensure_future(self.start_audio(vm))
-                self.xid_cache[vm.name] = vm.xid, vm.stubdom_xid
-            elif power_state == 'Transient':
-                # it is still starting, we'll get 'domain-start'
-                # event when fully started
-                if "guivm" in self.enabled_services and vm.virt_mode == 'hvm':
-                    asyncio.ensure_future(
-                        self.start_gui_for_stubdomain(vm)
-                    )
+                power_state = vm.get_power_state()
+                if power_state == 'Running':
+                    if "guivm" in self.enabled_services:
+                        asyncio.ensure_future(
+                            self.start_gui(vm, monitor_layout=monitor_layout)
+                        )
+                    if "audiovm" in self.enabled_services:
+                        asyncio.ensure_future(self.start_audio(vm))
+                    self.xid_cache[vm.name] = vm.xid, vm.stubdom_xid
+                elif power_state == 'Transient':
+                    # it is still starting, we'll get 'domain-start'
+                    # event when fully started
+                    if "guivm" in self.enabled_services \
+                            and vm.virt_mode == 'hvm':
+                        asyncio.ensure_future(
+                            self.start_gui_for_stubdomain(vm)
+                        )
+            except qubesadmin.exc.QubesDaemonCommunicationError as e:
+                vm.log.warning("Failed to handle %s: %s", vm.name, str(e))
 
     def on_domain_stopped(self, vm, _event, **_kwargs):
         """Handler of 'domain-stopped' event, cleans up"""