firewall: drop GetPolicy/SetPolicy calls

Firewall policy is now hardcoded to 'drop'. Keep the property, so anyone
trying to assign it will get an exception

QubesOS/qubes-issues#2869
Marek Marczykowski-Górecki 2017-06-26 13:49:50 +02:00
parent ade5083e5e
commit 942e122d27
No known key found for this signature in database
GPG Key ID: 063938BA42CFA724
4 changed files with 4 additions and 41 deletions


@ -360,7 +360,6 @@ class QubesBase(qubesadmin.base.PropertyHolder):
raise
try:
dst_vm.firewall.policy = src_vm.firewall.policy
dst_vm.firewall.save_rules(src_vm.firewall.rules)
except qubesadmin.exc.QubesException as e:
self.log.error('Failed to set firewall: %s', e)


@ -432,13 +432,7 @@ class Firewall(object):
@property
def policy(self):
'''Default action to take if no rule matches'''
policy_str = self.vm.qubesd_call(None, 'admin.vm.firewall.GetPolicy')
return Action(policy_str.decode())
@policy.setter
def policy(self, value):
self.vm.qubesd_call(None, 'admin.vm.firewall.SetPolicy', payload=str(
value).encode('ascii'))
return Action('drop')
def reload(self):
'''Force reload the same firewall rules.
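Review bot: With the setter removed from `Firewall.policy`, an assignment raises a plain `AttributeError`, not a `qubesadmin.exc.QubesException`, so callers that guard firewall changes with `except qubesadmin.exc.QubesException` (the pattern `clone_vm` uses around `save_rules`) would not catch it. The getter also no longer asks qubesd, so the value is the client's fixed assumption rather than state read from the VM. A docstring such as `'''Default action if no rule matches; always 'drop', read-only and not queried from qubesd'''` would tell tools that display it what they are showing. The tests removed from `TC_11_Firewall` are not replaced by one that pins the new contract, for example `self.assertEqual(self.vm.firewall.policy, 'drop')` and `with self.assertRaises(AttributeError): self.vm.firewall.policy = 'accept'`. The `Firewall` class body starts and continues outside this hunk.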


@ -220,15 +220,9 @@ class TC_10_QubesBase(qubesadmin.tests.QubesTestCase):
b'action=drop dst4=192.168.0.0/24\n'
b'action=accept\n'
)
self.app.expected_calls[
(src, 'admin.vm.firewall.GetPolicy', None, None)] = \
b'0\x00accept'
self.app.expected_calls[
(src, 'admin.vm.firewall.Get', None, None)] = \
b'0\x00' + rules
self.app.expected_calls[
(dst, 'admin.vm.firewall.SetPolicy', None, b'accept')] = \
b'0\x00'
self.app.expected_calls[
(dst, 'admin.vm.firewall.Set', None, rules)] = \
b'0\x00'
@ -467,13 +461,9 @@ class TC_10_QubesBase(qubesadmin.tests.QubesTestCase):
self.app.expected_calls[('dom0', 'admin.vm.Create.AppVM',
'test-template', b'name=new-name label=red')] = b'0\x00'
self.app.expected_calls[
('new-name', 'admin.vm.firewall.SetPolicy', None, b'accept')] = \
b'2\0QubesException\0\0something happened\0'
del self.app.expected_calls[
('test-vm', 'admin.vm.firewall.Get', None, None)]
del self.app.expected_calls[
('new-name', 'admin.vm.firewall.Set', None,
b'action=drop dst4=192.168.0.0/24\naction=accept\n')]
b'action=drop dst4=192.168.0.0/24\naction=accept\n')] = \
b'2\0QubesException\0\0something happened\0'
new_vm = self.app.clone_vm('test-vm', 'new-name', ignore_errors=True)
self.assertEqual(new_vm.name, 'new-name')
self.assertAllCalled()
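Review bot: The `ignore_errors=True` case in the second hunk asserts only `new_vm.name` after `admin.vm.firewall.Set` fails, so nothing pins how the firewall copy failure is surfaced. In that path the clone presumably keeps the rules it was created with rather than the source's restrictions, which an operator should be able to notice. Consider asserting that the `Failed to set firewall` error is logged, or at least adding a comment like `# firewall copy failed: clone keeps its creation-time rules, not the source's`. The test method starts outside the hunk.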


@ -409,26 +409,6 @@ class TC_11_Firewall(qubesadmin.tests.QubesTestCase):
b'0\0test-vm class=AppVM state=Halted\n'
self.vm = self.app.domains['test-vm']
def test_000_policy_get(self):
self.app.expected_calls[('test-vm', 'admin.vm.firewall.GetPolicy',
None, None)] = b'0\0accept'
policy = self.vm.firewall.policy
self.assertEqual(policy, 'accept')
self.assertEqual(policy, qubesadmin.firewall.Action('accept'))
self.assertAllCalled()
def test_001_policy_set(self):
self.app.expected_calls[('test-vm', 'admin.vm.firewall.SetPolicy',
None, b'drop')] = b'0\0'
self.vm.firewall.policy = 'drop'
self.assertAllCalled()
def test_002_policy_set2(self):
self.app.expected_calls[('test-vm', 'admin.vm.firewall.SetPolicy',
None, b'drop')] = b'0\0'
self.vm.firewall.policy = qubesadmin.firewall.Action('drop')
self.assertAllCalled()
def test_010_load_rules(self):
self.app.expected_calls[('test-vm', 'admin.vm.firewall.Get',
None, None)] = \
@ -464,4 +444,4 @@ class TC_11_Firewall(qubesadmin.tests.QubesTestCase):
self.app.expected_calls[('test-vm', 'admin.vm.firewall.Set', None,
''.join(rule + '\n' for rule in rules_txt).encode('ascii'))] = b'0\0'
self.vm.firewall.rules = rules
self.assertAllCalled()
self.assertAllCalled()