qubesadmin provides the system default disposable template on @dispvm rather than caller's default disposable template #10747

@ben-grande

Qubes OS release

Qubes OS 4.3

Brief summary

The explanation of how it reached this point is a bit weird. See discussion on QubesOS/qubes-core-admin-client#438 (comment).

In summary, a restrictive client doesn't necessarily have access to self.app.default_dispvm. It doesn't really need to know that and shouldn't really target it when making calls. What it should do instead is target dom0 and let the server decide on which disposable template to give; in this case, it would be the caller's default disposable template:

https://github.com/QubesOS/qubes-core-admin/blob/53ca30fc3257ac8174ae6a6d37dce70f72e788d5/qubes/api/admin.py#L1336

But the caller is being picky:

https://github.com/QubesOS/qubes-core-admin-client/blob/1a623d195e0f4b21f0bd18540a2e710888c141f3/qubesadmin/base.py#L83

In other words, the global default disposable template is something that should be linked to as a qube property, not for callers to try to generate disposables out of it, at least not directly.

Steps to reproduce

  1. Use qubesadmin to get a disposable without specifying the disposable template
  2. Note that the interaction requires more calls than necessary and may override what the server could do with a destination such as dom0

Expected behavior

No extra call.

Don't try to use the global default disposable template when, instead, @dispvm should be using the qube's default disposable template property, which, although not known by the qube, is known by dom0, and targeting dom0 has the same effect.

Actual behavior

Extra self.app.default_dispvm call.

Targets the global default disposable template, which might be different than the qube disposable template property. As this was an error on the client and not on the server, it would require specific allow rules in the policy.

Additional information

No response
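
Added example, not part of the original issue and not Qubes OS code: a simplified Python model of the two client strategies described above, showing how many calls each makes, which template each ends up with, and what a restrictive policy has to allow. The qube names, the policy tuples and the helper functions are assumptions made for illustration.

```python
# Simplified model, not Qubes OS code. Qube names and policy tuples are constructed.
GLOBAL_DEFAULT_DISPVM = "default-dvm"        # system-wide default_dispvm
QUBE_DEFAULT_DISPVM = {"work": "work-dvm"}   # per-qube default_dispvm property
# Restrictive policy: allowed (source, call, destination) tuples.
RESTRICTIVE_POLICY = {("work", "admin.vm.CreateDisposable", "dom0")}


class Denied(Exception):
    pass


def admin_call(policy, source, call, dest, log):
    """Model of dom0 checking policy, then serving one Admin API call."""
    log.append((call, dest))
    if (source, call, dest) not in policy:
        raise Denied(f"{source}: {call} -> {dest}")
    if call == "admin.property.Get":  # modelled as returning the global default_dispvm
        return GLOBAL_DEFAULT_DISPVM
    # admin.vm.CreateDisposable: dest dom0 lets the server use the caller's property
    template = QUBE_DEFAULT_DISPVM[source] if dest == "dom0" else dest
    return f"disp-from-{template}"


def client_resolves_global(policy, source, log):
    """Reported behaviour: read the global default, then target that template."""
    template = admin_call(policy, source, "admin.property.Get", "dom0", log)
    return admin_call(policy, source, "admin.vm.CreateDisposable", template, log)


def client_targets_dom0(policy, source, log):
    """Expected behaviour: one call, the server picks the template."""
    return admin_call(policy, source, "admin.vm.CreateDisposable", "dom0", log)


def compare(policy, source="work"):
    """Return {strategy: (outcome, calls made)} for both client strategies."""
    results = {}
    for strategy in (client_resolves_global, client_targets_dom0):
        log = []
        try:
            outcome = strategy(policy, source, log)
        except Denied as exc:
            outcome = f"denied: {exc}"
        results[strategy.__name__] = (outcome, log)
    return results


if __name__ == "__main__":
    for name, (outcome, calls) in compare(RESTRICTIVE_POLICY).items():
        print(name, outcome, calls)
```

Under the restrictive policy only the dom0-targeted strategy succeeds; widening the policy so the other strategy works yields a disposable from the global template instead of the caller's.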

Labels

  - C: core. This issue pertains to a Qubes core component.
  - P: default. Priority: default. Default priority for new issues, to be replaced given sufficient information.
  - affects-4.3. This issue affects Qubes OS 4.3.
  - diagnosed. Technical diagnosis of this issue has been performed.
  - pr submitted. A pull request has been submitted for this issue.