1717# You should have received a copy of the GNU Lesser General Public
1818# License along with this library; if not, see <https://www.gnu.org/licenses/>.
1919import importlib
20+ import os
2021
2122import qubes .api
2223import qubes .api .internal
@@ -177,11 +178,35 @@ def on_device_attach(
177178
178179 # load device deny list
179180 deny = {}
181+ AdminExtension ._load_deny_list (deny , DEVICE_DENY_LIST )
182+
183+ # load drop ins
184+ drop_in_path = DEVICE_DENY_LIST + '.d'
185+ if os .path .isdir (drop_in_path ):
186+ for deny_list_name in os .listdir (drop_in_path ):
187+ deny_list_path = os .path .join (drop_in_path , deny_list_name )
188+
189+ if os .path .isfile (deny_list_path ):
190+ AdminExtension ._load_deny_list (deny , deny_list_path )
191+
192+ # check if any presented interface is on deny list
193+ for interface in deny .get (dest .name , set ()):
194+ pattern = DeviceInterface (interface )
195+ for devint in device .interfaces :
196+ if pattern .matches (devint ):
197+ raise qubes .exc .PermissionDenied ()
198+
199+ @staticmethod
200+ def _load_deny_list (deny : dict , path : str ) -> None :
180201 try :
181- with open (DEVICE_DENY_LIST , 'r' , encoding = "utf-8" ) as file :
202+ with open (path , 'r' , encoding = "utf-8" ) as file :
182203 for line in file :
183204 line = line .strip ()
184205
206+ # skip comments
207+ if line .startswith ('#' ):
208+ continue
209+
185210 if line :
186211 name , * values = line .split ()
187212
@@ -191,10 +216,3 @@ def on_device_attach(
191216 deny [name ] = deny .get (name , set ()).union (set (values ))
192217 except IOError :
193218 pass
194-
195- # check if any presented interface is on deny list
196- for interface in deny .get (dest .name , set ()):
197- pattern = DeviceInterface (interface )
198- for devint in device .interfaces :
199- if pattern .matches (devint ):
200- raise qubes .exc .PermissionDenied ()
0 commit comments