Address review comments

Hat tip to @emkll. Specifically: * Don't process binary files with grep in dom0 * Makes destroy-vm subprocess cmd more readable * Adds comments to use of "update.qubes-vm" SLS * Removes extraneous newlines from RPC policy cleanup
freedomofpress · Dec 2, 2019 · 1b7a901 · 1b7a901
1 parent 1fede0e
commit 1b7a901
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 4 deletions.
diff --git a/dom0/fpf-apt-test-repo.sls b/dom0/fpf-apt-test-repo.sls
@@ -1,6 +1,12 @@
 # -*- coding: utf-8 -*-
 # vim: set syntax=yaml ts=2 sw=2 sts=2 et :
 #
+
+# Import the Qubes-maintained Salt logic for upgrading VM packages.
+# Intelligently handles both Debian & Fedora VMs. For reference, see:
+#
+#   dom0:/srv/formulas/base/update-formula/update/qubes-vm.sls
+#
 include:
   - update.qubes-vm
 
@@ -11,7 +17,8 @@ install-python-apt-for-repo-config:
     - pkgs:
       - python-apt
     - require:
-      # Require that the Qubes update state has run first
+      # Require that the Qubes update state has run first. Doing so
+      # will ensure that apt is sufficiently patched prior to installing.
       - sls: update.qubes-vm
 
 configure-apt-test-apt-repo:

diff --git a/dom0/sd-clean-all.sls b/dom0/sd-clean-all.sls
@@ -31,12 +31,12 @@ sd-cleanup-rpc-mgmt-policy:
     - repl: ''
     - pattern: '^disp-mgmt-sd-\w+\s+sd-\w+\s+allow,user=root'
 
-{% set sdw_customized_rpc_files = salt['cmd.shell']('grep -rl "BEGIN securedrop-workstation" /etc/qubes-rpc/ | cat').splitlines() %}
+{% set sdw_customized_rpc_files = salt['cmd.shell']('grep -rIl "BEGIN securedrop-workstation" /etc/qubes-rpc/ | cat').splitlines() %}
 {% if sdw_customized_rpc_files|length > 0 %}
 sd-cleanup-rpc-policy-grants:
   file.replace:
     - names: {{ sdw_customized_rpc_files }}
-    - pattern: '### BEGIN securedrop-workstation ###.*### END securedrop-workstation ###'
+    - pattern: '### BEGIN securedrop-workstation ###.*### END securedrop-workstation ###\s*'
     - flags:
       - MULTILINE
       - DOTALL

diff --git a/scripts/destroy-vm b/scripts/destroy-vm
@@ -43,7 +43,7 @@ def destroy_vm(vm):
     if vm.is_running():
         vm.kill()
     print("Destroying VM '{}'... ".format(vm.name), end="")
-    subprocess.check_call("qvm-remove -f {}".format(vm.name).split())
+    subprocess.check_call(["qvm-remove", "-f", vm.name])
     print("OK")