Prevent backing up dom0 to itself (in home dir)

alimirjamali · alimirjamali · commit 0a9339830349 · 2025-09-19T10:49:01.000+03:30
resolves: QubesOS/qubes-issues#10127
diff --git a/qubes/backup.py b/qubes/backup.py
@@ -28,6 +28,7 @@
 import itertools
 import logging
 import os
+from pathlib import Path
 import pwd
 import shutil
 import stat
@@ -452,6 +453,15 @@ def get_files_to_backup(self):
         if 0 in [vm.qid for vm in self.vms_for_backup]:
             local_user = grp.getgrnam("qubes").gr_mem[0]
             home_dir = pwd.getpwnam(local_user).pw_dir
+
+            # Checking if target is not user home directory in dom0
+            if self.target_dir in ["", "~"] or Path(
+                    self.target_dir
+            ).is_relative_to(home_dir):
+                raise qubes.exc.QubesException(
+                    "Can not backup dom0 home directory to itself!"
+                )
+
             # Home dir should have only user-owned files, so fix it now
             # to prevent permissions problems - some root-owned files can
             # left after 'sudo bash' and similar commands
diff --git a/qubes/tests/api_admin.py b/qubes/tests/api_admin.py
@@ -3535,6 +3535,32 @@ def test_602_backup_info_profile_missing_destination_vm(self):
                         b"admin.backup.Info", b"dom0", b"testprofile"
                     )
 
+    def test_603_backup_info_dom0_to_dom0_home(self):
+        if self.local_name == "dom0":
+            # Test is performed at dom0. Use exact homedir location
+            home_dir = os.environ["HOME"]
+        else:
+            home_dir = "~"
+        backup_profile = (
+            "include:\n"
+            " - dom0\n"
+            "destination_vm: dom0\n"
+            "destination_path: " + home_dir +"\n"
+            "passphrase_text: test\n"
+        )
+        with tempfile.TemporaryDirectory() as profile_dir:
+            with open(
+                os.path.join(profile_dir, "testprofile.conf"), "w"
+            ) as profile_file:
+                profile_file.write(backup_profile)
+            with unittest.mock.patch(
+                "qubes.config.backup_profile_dir", profile_dir
+            ):
+                with self.assertRaises(qubes.exc.QubesException):
+                    self.call_mgmt_func(
+                        b"admin.backup.Info", b"dom0", b"testprofile"
+                    )
+
     def test_610_backup_cancel_not_running(self):
         with self.assertRaises(qubes.exc.QubesException):
             self.call_mgmt_func(b"admin.backup.Cancel", b"dom0", b"testprofile")
diff --git a/qubes/tests/integ/backup.py b/qubes/tests/integ/backup.py
@@ -198,7 +198,9 @@ def make_backup(self, vms, target=None, expect_failure=False, **kwargs):
         if target is None:
             target = self.backupdir
         try:
-            backup = qubes.backup.Backup(self.app, vms, **kwargs)
+            backup = qubes.backup.Backup(
+                self.app, vms, target_dir=target, **kwargs
+            )
         except qubes.exc.QubesException as e:
             if not expect_failure:
                 self.fail("QubesException during backup_prepare: %s" % str(e))
@@ -207,7 +209,6 @@ def make_backup(self, vms, target=None, expect_failure=False, **kwargs):
 
         if "passphrase" not in kwargs:
             backup.passphrase = "qubes"
-        backup.target_dir = target
 
         try:
             self.loop.run_until_complete(backup.backup_do())
