Qubes/core-admin
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
48ae89fe62
core-admin/qubes/api/internal.py

236 lines
8.1 KiB
Python
Raw Normal View History

Implement new admin.vm.ImportWithSize API call This should allow importing a volume and changing the size at the same time, without performing the resize operation on original volume first. The internal API has been renamed to internal.vm.volume.ImportBegin to avoid confusion, and for symmetry with ImportEnd. See QubesOS/qubes-issues#5239.
2020-01-16 14:41:00 +01:00
# -*- encoding: utf-8 -*-
qubesd: add second socket for in-dom0 internal calls This socket (and commands) are not exposed to untrusted input, so no need to extensive sanitization. Also, there is no need to provide a stable API here, as those methods are used internally only. QubesOS/qubes-issues#853
2017-03-21 11:48:20 +01:00
#
# The Qubes OS Project, http://www.qubes-os.org
#
# Copyright (C) 2017 Marek Marczykowski-Górecki
# <marmarek@invisiblethingslab.com>
#
Change license to LGPL v2.1+ See this thread for reasoning and acceptance from contributors: https://groups.google.com/d/topic/qubes-devel/G7KzrfU0lWY/discussion "Changing qubes-core-admin license to LGPL v2.1+"
2017-10-12 00:11:50 +02:00
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
qubesd: add second socket for in-dom0 internal calls This socket (and commands) are not exposed to untrusted input, so no need to extensive sanitization. Also, there is no need to provide a stable API here, as those methods are used internally only. QubesOS/qubes-issues#853
2017-03-21 11:48:20 +01:00
#
Change license to LGPL v2.1+ See this thread for reasoning and acceptance from contributors: https://groups.google.com/d/topic/qubes-devel/G7KzrfU0lWY/discussion "Changing qubes-core-admin license to LGPL v2.1+"
2017-10-12 00:11:50 +02:00
# This library is distributed in the hope that it will be useful,
qubesd: add second socket for in-dom0 internal calls This socket (and commands) are not exposed to untrusted input, so no need to extensive sanitization. Also, there is no need to provide a stable API here, as those methods are used internally only. QubesOS/qubes-issues#853
2017-03-21 11:48:20 +01:00
# but WITHOUT ANY WARRANTY; without even the implied warranty of
Change license to LGPL v2.1+ See this thread for reasoning and acceptance from contributors: https://groups.google.com/d/topic/qubes-devel/G7KzrfU0lWY/discussion "Changing qubes-core-admin license to LGPL v2.1+"
2017-10-12 00:11:50 +02:00
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
qubesd: add second socket for in-dom0 internal calls This socket (and commands) are not exposed to untrusted input, so no need to extensive sanitization. Also, there is no need to provide a stable API here, as those methods are used internally only. QubesOS/qubes-issues#853
2017-03-21 11:48:20 +01:00
#
Change license to LGPL v2.1+ See this thread for reasoning and acceptance from contributors: https://groups.google.com/d/topic/qubes-devel/G7KzrfU0lWY/discussion "Changing qubes-core-admin license to LGPL v2.1+"
2017-10-12 00:11:50 +02:00
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, see <https://www.gnu.org/licenses/>.
qubesd: add second socket for in-dom0 internal calls This socket (and commands) are not exposed to untrusted input, so no need to extensive sanitization. Also, there is no need to provide a stable API here, as those methods are used internally only. QubesOS/qubes-issues#853
2017-03-21 11:48:20 +01:00
''' Internal interface for dom0 components to communicate with qubesd. '''
import asyncio
import json
api/internal: add methods for handling host suspend
2017-06-02 20:34:53 +02:00
import subprocess
qubesd: add second socket for in-dom0 internal calls This socket (and commands) are not exposed to untrusted input, so no need to extensive sanitization. Also, there is no need to provide a stable API here, as those methods are used internally only. QubesOS/qubes-issues#853
2017-03-21 11:48:20 +01:00
Rename MgmtAPI to AdminAPI - part 1: classes QubesOS/qubes-issues#853
2017-05-12 19:07:41 +02:00
import qubes.api
import qubes.api.admin
api/internal: add methods for handling host suspend
2017-06-02 20:34:53 +02:00
import qubes.vm.adminvm
qubesd: add second socket for in-dom0 internal calls This socket (and commands) are not exposed to untrusted input, so no need to extensive sanitization. Also, there is no need to provide a stable API here, as those methods are used internally only. QubesOS/qubes-issues#853
2017-03-21 11:48:20 +01:00
import qubes.vm.dispvm
api/internal: extract get_system_info() function This will be useful in other places too. QubesOS/qubes-issues#5099
2020-02-20 05:38:50 +01:00
def get_system_info(app):
system_info = {'domains': {
domain.name: {
'tags': list(domain.tags),
'type': domain.__class__.__name__,
'template_for_dispvms':
getattr(domain, 'template_for_dispvms', False),
'default_dispvm': (domain.default_dispvm.name if
getattr(domain, 'default_dispvm', None) else None),
'icon': str(domain.label.icon),
'guivm': (domain.guivm.name if getattr(domain, 'guivm', None)
else None),
} for domain in app.domains
}}
return system_info
Rename MgmtAPI to AdminAPI - part 1: classes QubesOS/qubes-issues#853
2017-05-12 19:07:41 +02:00
class QubesInternalAPI(qubes.api.AbstractQubesAPI):
qubesd: add second socket for in-dom0 internal calls This socket (and commands) are not exposed to untrusted input, so no need to extensive sanitization. Also, there is no need to provide a stable API here, as those methods are used internally only. QubesOS/qubes-issues#853
2017-03-21 11:48:20 +01:00
''' Communication interface for dom0 components,
by design the input here is trusted.'''
qubes/api: refactor creating multiple qubesd sockets Now there is a single function to do this, shared with tests.
2017-06-06 15:49:19 +02:00
SOCKNAME = '/var/run/qubesd.internal.sock'
qubesd: add second socket for in-dom0 internal calls This socket (and commands) are not exposed to untrusted input, so no need to extensive sanitization. Also, there is no need to provide a stable API here, as those methods are used internally only. QubesOS/qubes-issues#853
2017-03-21 11:48:20 +01:00
Rename MgmtAPI to AdminAPI - part 2: internal API QubesOS/qubes-issues#853
2017-05-12 19:14:29 +02:00
@qubes.api.method('internal.GetSystemInfo', no_payload=True)
qubesd: add second socket for in-dom0 internal calls This socket (and commands) are not exposed to untrusted input, so no need to extensive sanitization. Also, there is no need to provide a stable API here, as those methods are used internally only. QubesOS/qubes-issues#853
2017-03-21 11:48:20 +01:00
@asyncio.coroutine
def getsysteminfo(self):
Do not use assert statement in security logic This is because assert statement gets optimised out when Python is run with -O flag. This was pointed out to me by audience at PyWaw 76.
2018-06-11 12:32:05 +02:00
self.enforce(self.dest.name == 'dom0')
self.enforce(not self.arg)
qubesd: add second socket for in-dom0 internal calls This socket (and commands) are not exposed to untrusted input, so no need to extensive sanitization. Also, there is no need to provide a stable API here, as those methods are used internally only. QubesOS/qubes-issues#853
2017-03-21 11:48:20 +01:00
api/internal: extract get_system_info() function This will be useful in other places too. QubesOS/qubes-issues#5099
2020-02-20 05:38:50 +01:00
system_info = get_system_info(self.app)
qubesd: add second socket for in-dom0 internal calls This socket (and commands) are not exposed to untrusted input, so no need to extensive sanitization. Also, there is no need to provide a stable API here, as those methods are used internally only. QubesOS/qubes-issues#853
2017-03-21 11:48:20 +01:00
return json.dumps(system_info)
Implement new admin.vm.ImportWithSize API call This should allow importing a volume and changing the size at the same time, without performing the resize operation on original volume first. The internal API has been renamed to internal.vm.volume.ImportBegin to avoid confusion, and for symmetry with ImportEnd. See QubesOS/qubes-issues#5239.
2020-01-16 14:41:00 +01:00
@qubes.api.method('internal.vm.volume.ImportBegin',
scope='local', write=True)
@asyncio.coroutine
def vm_volume_import(self, untrusted_payload):
"""Begin importing volume data. Payload is either size of new data
in bytes, or empty. If empty, the current volume's size will be used.
Returns size and path to where data should be written.
Triggered by scripts in /etc/qubes-rpc:
admin.vm.volume.Import, admin.vm.volume.ImportWithSize.
When the script finish importing, it will trigger
internal.vm.volume.ImportEnd (with either b'ok' or b'fail' as a
payload) and response from that call will be actually send to the
caller.
"""
self.enforce(self.arg in self.dest.volumes.keys())
if untrusted_payload:
original_method = 'admin.vm.volume.ImportWithSize'
else:
original_method = 'admin.vm.volume.Import'
self.src.fire_event(
'admin-permission:' + original_method,
pre_event=True, dest=self.dest, arg=self.arg)
if not self.dest.is_halted():
raise qubes.exc.QubesVMNotHaltedError(self.dest)
requested_size = None
if untrusted_payload:
try:
untrusted_value = int(untrusted_payload.decode('ascii'))
except (UnicodeDecodeError, ValueError):
raise qubes.api.ProtocolError('Invalid value')
self.enforce(untrusted_value > 0)
requested_size = untrusted_value
del untrusted_value
del untrusted_payload
path = yield from self.dest.storage.import_data(
self.arg, requested_size)
self.enforce(' ' not in path)
if requested_size is None:
size = self.dest.volumes[self.arg].size
else:
size = requested_size
# when we know the action is allowed, inform extensions that it will
# be performed
self.dest.fire_event(
'domain-volume-import-begin', volume=self.arg, size=size)
return '{} {}'.format(size, path)
admin: implement admin.vm.volume.Import Implement this in two parts: 1. Permissions checks, getting a path from appropriate storage pool 2. Actual data import The first part is done by qubesd in a standard way, but then, instead of accepting all the data (which may be several GB), return a path to which a shell script (in practice: `dd` command) will write the data. Then the script call back to qubesd again to report success/failure and qubesd response from that call is actually returned to the user. This way we do not pass all the data through qubesd, but still can control the process from there in a meaningful way. Note that the last part (second call to qubesd) may perform all kind of verification (like a signature check on the data, or so) and can also prevent VM from starting (hooking also domain-pre-start event) from not verified image. QubesOS/qubes-issues#2622
2017-05-23 15:38:28 +02:00
@qubes.api.method('internal.vm.volume.ImportEnd')
@asyncio.coroutine
def vm_volume_import_end(self, untrusted_payload):
'''
This is second half of admin.vm.volume.Import handling. It is called
when actual import is finished. Response from this method is sent do
the client (as a response for admin.vm.volume.Import call).
import: check exact size of copied data The import will error out if there is not enough data, or too much data provided.
2020-01-20 18:14:05 +01:00
The payload is either 'ok', or 'fail\n<error message>'.
admin: implement admin.vm.volume.Import Implement this in two parts: 1. Permissions checks, getting a path from appropriate storage pool 2. Actual data import The first part is done by qubesd in a standard way, but then, instead of accepting all the data (which may be several GB), return a path to which a shell script (in practice: `dd` command) will write the data. Then the script call back to qubesd again to report success/failure and qubesd response from that call is actually returned to the user. This way we do not pass all the data through qubesd, but still can control the process from there in a meaningful way. Note that the last part (second call to qubesd) may perform all kind of verification (like a signature check on the data, or so) and can also prevent VM from starting (hooking also domain-pre-start event) from not verified image. QubesOS/qubes-issues#2622
2017-05-23 15:38:28 +02:00
'''
Do not use assert statement in security logic This is because assert statement gets optimised out when Python is run with -O flag. This was pointed out to me by audience at PyWaw 76.
2018-06-11 12:32:05 +02:00
self.enforce(self.arg in self.dest.volumes.keys())
admin: implement admin.vm.volume.Import Implement this in two parts: 1. Permissions checks, getting a path from appropriate storage pool 2. Actual data import The first part is done by qubesd in a standard way, but then, instead of accepting all the data (which may be several GB), return a path to which a shell script (in practice: `dd` command) will write the data. Then the script call back to qubesd again to report success/failure and qubesd response from that call is actually returned to the user. This way we do not pass all the data through qubesd, but still can control the process from there in a meaningful way. Note that the last part (second call to qubesd) may perform all kind of verification (like a signature check on the data, or so) and can also prevent VM from starting (hooking also domain-pre-start event) from not verified image. QubesOS/qubes-issues#2622
2017-05-23 15:38:28 +02:00
success = untrusted_payload == b'ok'
try:
storage: allow import_data and import_data_end be coroutines On some storage pools this operation can also be time consuming - for example require creating temporary volume, and volume.create() already can be a coroutine. This is also requirement for making common code used by start()/create() etc be a coroutine, otherwise neither of them can be and will block other operations. Related to QubesOS/qubes-issues#4283
2018-10-19 01:29:03 +02:00
yield from self.dest.storage.import_data_end(self.arg,
success=success)
admin: implement admin.vm.volume.Import Implement this in two parts: 1. Permissions checks, getting a path from appropriate storage pool 2. Actual data import The first part is done by qubesd in a standard way, but then, instead of accepting all the data (which may be several GB), return a path to which a shell script (in practice: `dd` command) will write the data. Then the script call back to qubesd again to report success/failure and qubesd response from that call is actually returned to the user. This way we do not pass all the data through qubesd, but still can control the process from there in a meaningful way. Note that the last part (second call to qubesd) may perform all kind of verification (like a signature check on the data, or so) and can also prevent VM from starting (hooking also domain-pre-start event) from not verified image. QubesOS/qubes-issues#2622
2017-05-23 15:38:28 +02:00
except:
self.dest.fire_event('domain-volume-import-end', volume=self.arg,
Fix typo in volume import end handler
2017-11-21 07:05:06 +01:00
success=False)
admin: implement admin.vm.volume.Import Implement this in two parts: 1. Permissions checks, getting a path from appropriate storage pool 2. Actual data import The first part is done by qubesd in a standard way, but then, instead of accepting all the data (which may be several GB), return a path to which a shell script (in practice: `dd` command) will write the data. Then the script call back to qubesd again to report success/failure and qubesd response from that call is actually returned to the user. This way we do not pass all the data through qubesd, but still can control the process from there in a meaningful way. Note that the last part (second call to qubesd) may perform all kind of verification (like a signature check on the data, or so) and can also prevent VM from starting (hooking also domain-pre-start event) from not verified image. QubesOS/qubes-issues#2622
2017-05-23 15:38:28 +02:00
raise
self.dest.fire_event('domain-volume-import-end', volume=self.arg,
Fix typo in volume import end handler
2017-11-21 07:05:06 +01:00
success=success)
admin: implement admin.vm.volume.Import Implement this in two parts: 1. Permissions checks, getting a path from appropriate storage pool 2. Actual data import The first part is done by qubesd in a standard way, but then, instead of accepting all the data (which may be several GB), return a path to which a shell script (in practice: `dd` command) will write the data. Then the script call back to qubesd again to report success/failure and qubesd response from that call is actually returned to the user. This way we do not pass all the data through qubesd, but still can control the process from there in a meaningful way. Note that the last part (second call to qubesd) may perform all kind of verification (like a signature check on the data, or so) and can also prevent VM from starting (hooking also domain-pre-start event) from not verified image. QubesOS/qubes-issues#2622
2017-05-23 15:38:28 +02:00
if not success:
import: check exact size of copied data The import will error out if there is not enough data, or too much data provided.
2020-01-20 18:14:05 +01:00
error = ''
parts = untrusted_payload.decode('ascii').split('\n', 1)
if len(parts) > 1:
error = parts[1]
raise qubes.exc.QubesException(
'Data import failed: {}'.format(error))
api/internal: add methods for handling host suspend
2017-06-02 20:34:53 +02:00
@qubes.api.method('internal.SuspendPre', no_payload=True)
@asyncio.coroutine
def suspend_pre(self):
'''
Method called before host system goes to sleep.
:return:
'''
# first notify all VMs
processes = []
for vm in self.app.domains:
if isinstance(vm, qubes.vm.adminvm.AdminVM):
continue
Do not abort suspend hooks if any qubes.Suspend* service fails to run First of all, do not try to call those services in VMs not having qrexec installed - for example Windows VMs without qubes tools. Then, even if service call fails for any other reason, only log it but do not prevent other services from being called. A single uncooperative VM should generally be able only to hurt itself, not break other VMs during suspend. Fixes QubesOS/qubes-issues#3489
2019-02-24 16:08:49 +01:00
if not vm.is_running():
continue
if not vm.features.check_with_template('qrexec', False):
continue
try:
api/internal: add methods for handling host suspend
2017-06-02 20:34:53 +02:00
proc = yield from vm.run_service(
'qubes.SuspendPreAll', user='root',
stdin=subprocess.DEVNULL,
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
processes.append(proc)
Do not abort suspend hooks if any qubes.Suspend* service fails to run First of all, do not try to call those services in VMs not having qrexec installed - for example Windows VMs without qubes tools. Then, even if service call fails for any other reason, only log it but do not prevent other services from being called. A single uncooperative VM should generally be able only to hurt itself, not break other VMs during suspend. Fixes QubesOS/qubes-issues#3489
2019-02-24 16:08:49 +01:00
except qubes.exc.QubesException as e:
vm.log.warning('Failed to run qubes.SuspendPreAll: %s', str(e))
api/internal: add methods for handling host suspend
2017-06-02 20:34:53 +02:00
# FIXME: some timeout?
if processes:
yield from asyncio.wait([p.wait() for p in processes])
coros = []
# then suspend/pause VMs
for vm in self.app.domains:
if isinstance(vm, qubes.vm.adminvm.AdminVM):
continue
if vm.is_running():
coros.append(vm.suspend())
if coros:
yield from asyncio.wait(coros)
@qubes.api.method('internal.SuspendPost', no_payload=True)
@asyncio.coroutine
def suspend_post(self):
'''
Method called after host system wake up from sleep.
:return:
'''
coros = []
# first resume/unpause VMs
for vm in self.app.domains:
if isinstance(vm, qubes.vm.adminvm.AdminVM):
continue
if vm.get_power_state() in ["Paused", "Suspended"]:
coros.append(vm.resume())
if coros:
yield from asyncio.wait(coros)
# then notify all VMs
processes = []
for vm in self.app.domains:
if isinstance(vm, qubes.vm.adminvm.AdminVM):
continue
Do not abort suspend hooks if any qubes.Suspend* service fails to run First of all, do not try to call those services in VMs not having qrexec installed - for example Windows VMs without qubes tools. Then, even if service call fails for any other reason, only log it but do not prevent other services from being called. A single uncooperative VM should generally be able only to hurt itself, not break other VMs during suspend. Fixes QubesOS/qubes-issues#3489
2019-02-24 16:08:49 +01:00
if not vm.is_running():
continue
if not vm.features.check_with_template('qrexec', False):
continue
try:
api/internal: add methods for handling host suspend
2017-06-02 20:34:53 +02:00
proc = yield from vm.run_service(
'qubes.SuspendPostAll', user='root',
stdin=subprocess.DEVNULL,
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
processes.append(proc)
Do not abort suspend hooks if any qubes.Suspend* service fails to run First of all, do not try to call those services in VMs not having qrexec installed - for example Windows VMs without qubes tools. Then, even if service call fails for any other reason, only log it but do not prevent other services from being called. A single uncooperative VM should generally be able only to hurt itself, not break other VMs during suspend. Fixes QubesOS/qubes-issues#3489
2019-02-24 16:08:49 +01:00
except qubes.exc.QubesException as e:
vm.log.warning('Failed to run qubes.SuspendPostAll: %s', str(e))
api/internal: add methods for handling host suspend
2017-06-02 20:34:53 +02:00
# FIXME: some timeout?
if processes:
yield from asyncio.wait([p.wait() for p in processes])
Reference in New Issue Copy Permalink