core-admin/qubes-rpc-policy/generate-admin-policy

#!/usr/bin/python3
# coding=utf-8
# The Qubes OS Project, https://www.qubes-os.org/
#
# Copyright (C) 2017  Marek Marczykowski-Górecki
#                                   <marmarek@invisiblethingslab.com>
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, see <https://www.gnu.org/licenses/>.

import argparse
import os

import sys

import qubes.api.admin

parser = argparse.ArgumentParser(
    description='Generate default Admin API policy')
parser.add_argument('--include-base', action='store',
    default='include',
    help='Base path for included paths (default: %(default)s)')
parser.add_argument('--destdir', action='store',
    default='/etc/qubes-rpc/policy',
    help='Directory where write output files to (default: %(default)s)')
parser.add_argument('--verbose', action='store_true', default=False,
    help='Be verbose')
parser.add_argument('--exclude', action='store', nargs='*',
    help='Exclude service')
parser.add_argument('service', nargs='*', action='store',
    help='Generate policy for those services (default: all)')

default_policy_header = '''\
## Note that policy parsing stops at the first match.
## Anything not specifically allowed here (or in included file) will be denied.

## Please use a single # to start your custom comments

## Add your entries here, make sure to append ",target=dom0" to all allow/ask actions

## Include a common file for all admin.* methods to ease setting up
## Management VM.
## To allow only specific actions, edit specific policy file, like this one. To
## allow all of them, edit appropriate /etc/qubes-rpc/include/admin-*.

'''

def write_default_policy(args, apiname, clasifiers):
    ''' Write single default policy for given API call '''
    assert 'scope' in clasifiers, \
        'Method {} lack scope classifier'.format(apiname)
    assert any(attr in clasifiers for attr in ('read', 'write', 'execute')), \
        'Method {} lack read/write/execute classifier'.format(apiname)
    assert clasifiers['scope'] in ('local', 'global'), \
        'Method {} have invalid scope: {}'.format(apiname, clasifiers['scope'])

    file_to_include = 'admin-{scope}-{rwx}'.format(
        scope=clasifiers['scope'],
        rwx=('rwx' if clasifiers.get('write', False) or
                      clasifiers.get('execute', False)
        else 'ro'))

    if args.verbose:
        print('Service {}: include {}'.format(apiname, file_to_include),
            file=sys.stderr)
    with open(os.path.join(args.destdir, apiname), 'w') as f:
        f.write(default_policy_header)
        f.write('$include:{}\n'.format(
            os.path.join(args.include_base, file_to_include)))


def main(args=None):
    ''' Main function of default-admin-policy tool'''
    args = parser.parse_args(args)

    for func, apiname, _ in qubes.api.admin.QubesAdminAPI.list_methods():
        if args.service and apiname not in args.service:
            continue
        if args.exclude and apiname in args.exclude:
            continue
        write_default_policy(args, apiname, func.classifiers)


if __name__ == '__main__':
    sys.exit(main())
Generate policy for Admin API calls based on annotations on actual methods This ease Admin API administration, and also adds checking if qrexec policy + scripts matches actual Admin API methods implementation. The idea is to classify every Admin API method as either local read-only, local read-write, global read-only or global read-write. Where local/global means affecting a single VM, or the whole system. See QubesOS/qubes-issues#2871 for details. Fixes QubesOS/qubes-issues#2871 2017-06-27 01:55:17 +02:00			`#!/usr/bin/python3`
			`# coding=utf-8`
			`# The Qubes OS Project, https://www.qubes-os.org/`
			`#`
			`# Copyright (C) 2017 Marek Marczykowski-Górecki`
			`# <marmarek@invisiblethingslab.com>`
			`#`
Change license to LGPL v2.1+ See this thread for reasoning and acceptance from contributors: https://groups.google.com/d/topic/qubes-devel/G7KzrfU0lWY/discussion "Changing qubes-core-admin license to LGPL v2.1+" 2017-10-12 00:11:50 +02:00			`# This library is free software; you can redistribute it and/or`
			`# modify it under the terms of the GNU Lesser General Public`
			`# License as published by the Free Software Foundation; either`
			`# version 2.1 of the License, or (at your option) any later version.`
Generate policy for Admin API calls based on annotations on actual methods This ease Admin API administration, and also adds checking if qrexec policy + scripts matches actual Admin API methods implementation. The idea is to classify every Admin API method as either local read-only, local read-write, global read-only or global read-write. Where local/global means affecting a single VM, or the whole system. See QubesOS/qubes-issues#2871 for details. Fixes QubesOS/qubes-issues#2871 2017-06-27 01:55:17 +02:00			`#`
Change license to LGPL v2.1+ See this thread for reasoning and acceptance from contributors: https://groups.google.com/d/topic/qubes-devel/G7KzrfU0lWY/discussion "Changing qubes-core-admin license to LGPL v2.1+" 2017-10-12 00:11:50 +02:00			`# This library is distributed in the hope that it will be useful,`
Generate policy for Admin API calls based on annotations on actual methods This ease Admin API administration, and also adds checking if qrexec policy + scripts matches actual Admin API methods implementation. The idea is to classify every Admin API method as either local read-only, local read-write, global read-only or global read-write. Where local/global means affecting a single VM, or the whole system. See QubesOS/qubes-issues#2871 for details. Fixes QubesOS/qubes-issues#2871 2017-06-27 01:55:17 +02:00			`# but WITHOUT ANY WARRANTY; without even the implied warranty of`
Change license to LGPL v2.1+ See this thread for reasoning and acceptance from contributors: https://groups.google.com/d/topic/qubes-devel/G7KzrfU0lWY/discussion "Changing qubes-core-admin license to LGPL v2.1+" 2017-10-12 00:11:50 +02:00			`# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU`
			`# Lesser General Public License for more details.`
Generate policy for Admin API calls based on annotations on actual methods This ease Admin API administration, and also adds checking if qrexec policy + scripts matches actual Admin API methods implementation. The idea is to classify every Admin API method as either local read-only, local read-write, global read-only or global read-write. Where local/global means affecting a single VM, or the whole system. See QubesOS/qubes-issues#2871 for details. Fixes QubesOS/qubes-issues#2871 2017-06-27 01:55:17 +02:00			`#`
Change license to LGPL v2.1+ See this thread for reasoning and acceptance from contributors: https://groups.google.com/d/topic/qubes-devel/G7KzrfU0lWY/discussion "Changing qubes-core-admin license to LGPL v2.1+" 2017-10-12 00:11:50 +02:00			`# You should have received a copy of the GNU Lesser General Public`
			`# License along with this library; if not, see <https://www.gnu.org/licenses/>.`
Generate policy for Admin API calls based on annotations on actual methods This ease Admin API administration, and also adds checking if qrexec policy + scripts matches actual Admin API methods implementation. The idea is to classify every Admin API method as either local read-only, local read-write, global read-only or global read-write. Where local/global means affecting a single VM, or the whole system. See QubesOS/qubes-issues#2871 for details. Fixes QubesOS/qubes-issues#2871 2017-06-27 01:55:17 +02:00
			`import argparse`
			`import os`

			`import sys`

			`import qubes.api.admin`

			`parser = argparse.ArgumentParser(`
			`description='Generate default Admin API policy')`
			`parser.add_argument('--include-base', action='store',`
qubespolicy: add a tool to analyze policy in form of graph Output possible connections between VMs in form of dot file. Fixes QubesOS/qubes-issues#2873 2017-06-27 04:46:35 +02:00			`default='include',`
Generate policy for Admin API calls based on annotations on actual methods This ease Admin API administration, and also adds checking if qrexec policy + scripts matches actual Admin API methods implementation. The idea is to classify every Admin API method as either local read-only, local read-write, global read-only or global read-write. Where local/global means affecting a single VM, or the whole system. See QubesOS/qubes-issues#2871 for details. Fixes QubesOS/qubes-issues#2871 2017-06-27 01:55:17 +02:00			`help='Base path for included paths (default: %(default)s)')`
			`parser.add_argument('--destdir', action='store',`
			`default='/etc/qubes-rpc/policy',`
			`help='Directory where write output files to (default: %(default)s)')`
			`parser.add_argument('--verbose', action='store_true', default=False,`
			`help='Be verbose')`
			`parser.add_argument('--exclude', action='store', nargs='*',`
			`help='Exclude service')`
			`parser.add_argument('service', nargs='*', action='store',`
			`help='Generate policy for those services (default: all)')`

			`default_policy_header = '''\`
			`## Note that policy parsing stops at the first match.`
qubespolicy: add a commend about 'deny' being default action 2017-06-27 12:02:33 +02:00			`## Anything not specifically allowed here (or in included file) will be denied.`
Generate policy for Admin API calls based on annotations on actual methods This ease Admin API administration, and also adds checking if qrexec policy + scripts matches actual Admin API methods implementation. The idea is to classify every Admin API method as either local read-only, local read-write, global read-only or global read-write. Where local/global means affecting a single VM, or the whole system. See QubesOS/qubes-issues#2871 for details. Fixes QubesOS/qubes-issues#2871 2017-06-27 01:55:17 +02:00
			`## Please use a single # to start your custom comments`

			`## Add your entries here, make sure to append ",target=dom0" to all allow/ask actions`

			`## Include a common file for all admin.* methods to ease setting up`
			`## Management VM.`
			`## To allow only specific actions, edit specific policy file, like this one. To`
			`## allow all of them, edit appropriate /etc/qubes-rpc/include/admin-*.`

			`'''`

			`def write_default_policy(args, apiname, clasifiers):`
			`''' Write single default policy for given API call '''`
			`assert 'scope' in clasifiers, \`
			`'Method {} lack scope classifier'.format(apiname)`
			`assert any(attr in clasifiers for attr in ('read', 'write', 'execute')), \`
			`'Method {} lack read/write/execute classifier'.format(apiname)`
			`assert clasifiers['scope'] in ('local', 'global'), \`
			`'Method {} have invalid scope: {}'.format(apiname, clasifiers['scope'])`

			`file_to_include = 'admin-{scope}-{rwx}'.format(`
			`scope=clasifiers['scope'],`
			`rwx=('rwx' if clasifiers.get('write', False) or`
			`clasifiers.get('execute', False)`
			`else 'ro'))`

			`if args.verbose:`
			`print('Service {}: include {}'.format(apiname, file_to_include),`
			`file=sys.stderr)`
			`with open(os.path.join(args.destdir, apiname), 'w') as f:`
			`f.write(default_policy_header)`
			`f.write('$include:{}\n'.format(`
			`os.path.join(args.include_base, file_to_include)))`


			`def main(args=None):`
			`''' Main function of default-admin-policy tool'''`
			`args = parser.parse_args(args)`

			`for func, apiname, _ in qubes.api.admin.QubesAdminAPI.list_methods():`
			`if args.service and apiname not in args.service:`
			`continue`
			`if args.exclude and apiname in args.exclude:`
			`continue`
			`write_default_policy(args, apiname, func.classifiers)`


			`if __name__ == '__main__':`
			`sys.exit(main())`