I can also reproduce this.

Diagnosis: Redirect (target= parameter, but also default_target=) does not check against a list of targets that were not denied, instead it redirects to any target that is available in your system.

I think the error was introduced because the target= parameter is supposed to override the target disregarding the IntendedTarget value dest:

qubes.Filecopy * foo dest allow target=vault

That is why the above works.

But I don't think it is correct for the redirect target to dismiss previous deny rules.

The function collect_targets_for_ask() seems to build the correct list when the rule has no redirect. It could be useful to compare the set of available targets that are not denied by policy against the redirect target.

I tried to fix this issue but couldn't. Would appreciate guidance.

PR submitted :)

Diagnosis: Redirect (target= parameter, but also default_target=) does not check against a list of targets that were not denied, instead it redirects to any target that is available in your system.

This is intentional for target= - see https://www.qubes-os.org/doc/qrexec/#policy-files:

Note that if the request is redirected (target= parameter), policy action remains the same – even if there is another rule which would otherwise deny such request.

But default_target should not have this side effect, it's only about pre-selecting target from otherwise allowed ones.

This is intentional for target= - see https://www.qubes-os.org/doc/qrexec/#policy-files:

Note that if the request is redirected (target= parameter), policy action remains the same – even if there is another rule which would otherwise deny such request.

I understand it is intentional. It is okay to override the destination on the same line by using target=, but is it okay to ignore previous deny rules to that destination?

My PR aboves consider previous deny rules and if encounters none, uses the redirect target=.

Shouldn't this intentional behavior change? When using Admin Management VMs or qubes 90-*.policy, should their rule (later sourced/read) always override the user rule (previous sourced/read)?

Duplicate of #7723

This issue has been closed as a "duplicate." This means that another issue exists that is very similar to or subsumes this one. If any useful information on this issue is not already present on the other issue, please add it in a comment on the other issue. Here are some common cases of duplicate issues:

• The other issue is closed. The other issue being closed does not prevent this issue from duplicating it. We will examine the closed issue and, if appropriate, reopen it.
• The other issue is for a different Qubes release. We usually maintain only one issue for all affected Qubes releases.
• The other issue is very old. The mere age of an issue is not, by itself, a relevant factor when determining duplicates.

By default, the newer issue will be closed in favor of the older issue. However, we make exceptions when we determine that it would be significantly more useful to keep the newer issue open instead of the older one.

We respect the time and effort you have taken to file this issue, and we understand that this outcome may be unsatisfying. Please accept our sincere apologies and know that we greatly value your participation and membership in the Qubes community.

If anyone reading this believes that this issue was closed in error or that the resolution of "duplicate" is not accurate, please leave a comment below, and we will review this issue again. For more information, see How issues get closed.