Qubes/core-admin
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
60bf68a748
core-admin/qubes/firewall.py

618 lines
20 KiB
Python
Raw Normal View History

qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
# pylint: disable=too-few-public-methods
qubes: port core to python3 fixes QubesOS/qubes-issues#2074
2017-01-18 22:16:46 +01:00
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
#
# The Qubes OS Project, https://www.qubes-os.org/
#
# Copyright (C) 2016
# Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
#
Change license to LGPL v2.1+ See this thread for reasoning and acceptance from contributors: https://groups.google.com/d/topic/qubes-devel/G7KzrfU0lWY/discussion "Changing qubes-core-admin license to LGPL v2.1+"
2017-10-12 00:11:50 +02:00
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
#
Change license to LGPL v2.1+ See this thread for reasoning and acceptance from contributors: https://groups.google.com/d/topic/qubes-devel/G7KzrfU0lWY/discussion "Changing qubes-core-admin license to LGPL v2.1+"
2017-10-12 00:11:50 +02:00
# This library is distributed in the hope that it will be useful,
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
# but WITHOUT ANY WARRANTY; without even the implied warranty of
Change license to LGPL v2.1+ See this thread for reasoning and acceptance from contributors: https://groups.google.com/d/topic/qubes-devel/G7KzrfU0lWY/discussion "Changing qubes-core-admin license to LGPL v2.1+"
2017-10-12 00:11:50 +02:00
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
#
Change license to LGPL v2.1+ See this thread for reasoning and acceptance from contributors: https://groups.google.com/d/topic/qubes-devel/G7KzrfU0lWY/discussion "Changing qubes-core-admin license to LGPL v2.1+"
2017-10-12 00:11:50 +02:00
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, see <https://www.gnu.org/licenses/>.
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
#
qubes: port core to python3 fixes QubesOS/qubes-issues#2074
2017-01-18 22:16:46 +01:00
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
import datetime
api/admin: firewall-related methods In the end firewall is implemented as .Get and .Set rules, with policy statically set to 'drop'. This way allow atomic firewall updates. Since we already have appropriate firewall format handling in qubes.firewall module - reuse it from there, but adjust the code to be prepared for potentially malicious input. And also mark such variables with untrusted_ prefix. There is also third method: .Reload - which cause firewall reload without making any change. QubesOS/qubes-issues#2622 Fixes QubesOS/qubes-issues#2869
2017-06-26 12:58:14 +02:00
import string
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
qubes/vm: plug in new firewall code, create QubesDB entries QubesOS/qubes-issues#1815
2016-09-09 03:14:16 +02:00
import itertools
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
import os
import socket
firewall: use asyncio's call_later instead of systemd to reload rules When some expiring rules are present, it is necessary to reload firewall when those rules expire. Previously systemd timer was used to trigger this action, but since we have own daemon now, it isn't necessary anymore - use this daemon for that. Additionally automatically removing expired rules was completely broken in R4.0. Fixes QubesOS/qubes-issues#1173
2018-02-07 02:40:56 +01:00
import asyncio
Make pylint happy
2016-09-19 18:12:57 +02:00
import lxml.etree
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
import qubes
import qubes.vm.qubesvm
Fix issues found by pylint 2.0 Resolve: - no-else-return - useless-object-inheritance - useless-return - consider-using-set-comprehension - consider-using-in - logging-not-lazy Ignore: - not-an-iterable - false possitives for asyncio coroutines Ignore all the above in qubespolicy/__init__.py, as the file will be moved to separate repository (core-qrexec) - it already has a copy there, don't desynchronize them.
2018-07-15 23:08:23 +02:00
class RuleOption:
api/admin: firewall-related methods In the end firewall is implemented as .Get and .Set rules, with policy statically set to 'drop'. This way allow atomic firewall updates. Since we already have appropriate firewall format handling in qubes.firewall module - reuse it from there, but adjust the code to be prepared for potentially malicious input. And also mark such variables with untrusted_ prefix. There is also third method: .Reload - which cause firewall reload without making any change. QubesOS/qubes-issues#2622 Fixes QubesOS/qubes-issues#2869
2017-06-26 12:58:14 +02:00
def __init__(self, untrusted_value):
# subset of string.punctuation
safe_set = string.ascii_letters + string.digits + \
':;,./-_[]'
assert all(x in safe_set for x in str(untrusted_value))
value = str(untrusted_value)
self._value = value
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
@property
def rule(self):
raise NotImplementedError
api/admin: firewall-related methods In the end firewall is implemented as .Get and .Set rules, with policy statically set to 'drop'. This way allow atomic firewall updates. Since we already have appropriate firewall format handling in qubes.firewall module - reuse it from there, but adjust the code to be prepared for potentially malicious input. And also mark such variables with untrusted_ prefix. There is also third method: .Reload - which cause firewall reload without making any change. QubesOS/qubes-issues#2622 Fixes QubesOS/qubes-issues#2869
2017-06-26 12:58:14 +02:00
@property
def api_rule(self):
return self.rule
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
def __str__(self):
return self._value
def __eq__(self, other):
return str(self) == other
# noinspection PyAbstractClass
class RuleChoice(RuleOption):
# pylint: disable=abstract-method
api/admin: firewall-related methods In the end firewall is implemented as .Get and .Set rules, with policy statically set to 'drop'. This way allow atomic firewall updates. Since we already have appropriate firewall format handling in qubes.firewall module - reuse it from there, but adjust the code to be prepared for potentially malicious input. And also mark such variables with untrusted_ prefix. There is also third method: .Reload - which cause firewall reload without making any change. QubesOS/qubes-issues#2622 Fixes QubesOS/qubes-issues#2869
2017-06-26 12:58:14 +02:00
def __init__(self, untrusted_value):
# preliminary validation
super(RuleChoice, self).__init__(untrusted_value)
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
self.allowed_values = \
[v for k, v in self.__class__.__dict__.items()
qubes: port core to python3 fixes QubesOS/qubes-issues#2074
2017-01-18 22:16:46 +01:00
if not k.startswith('__') and isinstance(v, str) and
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
not v.startswith('__')]
api/admin: firewall-related methods In the end firewall is implemented as .Get and .Set rules, with policy statically set to 'drop'. This way allow atomic firewall updates. Since we already have appropriate firewall format handling in qubes.firewall module - reuse it from there, but adjust the code to be prepared for potentially malicious input. And also mark such variables with untrusted_ prefix. There is also third method: .Reload - which cause firewall reload without making any change. QubesOS/qubes-issues#2622 Fixes QubesOS/qubes-issues#2869
2017-06-26 12:58:14 +02:00
if untrusted_value not in self.allowed_values:
raise ValueError(untrusted_value)
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
class Action(RuleChoice):
accept = 'accept'
drop = 'drop'
@property
def rule(self):
return 'action=' + str(self)
class Proto(RuleChoice):
tcp = 'tcp'
udp = 'udp'
icmp = 'icmp'
@property
def rule(self):
return 'proto=' + str(self)
class DstHost(RuleOption):
'''Represent host/network address: either IPv4, IPv6, or DNS name'''
api/admin: firewall-related methods In the end firewall is implemented as .Get and .Set rules, with policy statically set to 'drop'. This way allow atomic firewall updates. Since we already have appropriate firewall format handling in qubes.firewall module - reuse it from there, but adjust the code to be prepared for potentially malicious input. And also mark such variables with untrusted_ prefix. There is also third method: .Reload - which cause firewall reload without making any change. QubesOS/qubes-issues#2622 Fixes QubesOS/qubes-issues#2869
2017-06-26 12:58:14 +02:00
def __init__(self, untrusted_value, prefixlen=None):
if untrusted_value.count('/') > 1:
raise ValueError('Too many /: ' + untrusted_value)
elif not untrusted_value.count('/'):
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
# add prefix length to bare IP addresses
try:
api/admin: firewall-related methods In the end firewall is implemented as .Get and .Set rules, with policy statically set to 'drop'. This way allow atomic firewall updates. Since we already have appropriate firewall format handling in qubes.firewall module - reuse it from there, but adjust the code to be prepared for potentially malicious input. And also mark such variables with untrusted_ prefix. There is also third method: .Reload - which cause firewall reload without making any change. QubesOS/qubes-issues#2622 Fixes QubesOS/qubes-issues#2869
2017-06-26 12:58:14 +02:00
socket.inet_pton(socket.AF_INET6, untrusted_value)
value = untrusted_value
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
self.prefixlen = prefixlen or 128
if self.prefixlen < 0 or self.prefixlen > 128:
raise ValueError(
'netmask for IPv6 must be between 0 and 128')
value += '/' + str(self.prefixlen)
self.type = 'dst6'
except socket.error:
try:
api/admin: firewall-related methods In the end firewall is implemented as .Get and .Set rules, with policy statically set to 'drop'. This way allow atomic firewall updates. Since we already have appropriate firewall format handling in qubes.firewall module - reuse it from there, but adjust the code to be prepared for potentially malicious input. And also mark such variables with untrusted_ prefix. There is also third method: .Reload - which cause firewall reload without making any change. QubesOS/qubes-issues#2622 Fixes QubesOS/qubes-issues#2869
2017-06-26 12:58:14 +02:00
socket.inet_pton(socket.AF_INET, untrusted_value)
if untrusted_value.count('.') != 3:
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
raise ValueError(
'Invalid number of dots in IPv4 address')
api/admin: firewall-related methods In the end firewall is implemented as .Get and .Set rules, with policy statically set to 'drop'. This way allow atomic firewall updates. Since we already have appropriate firewall format handling in qubes.firewall module - reuse it from there, but adjust the code to be prepared for potentially malicious input. And also mark such variables with untrusted_ prefix. There is also third method: .Reload - which cause firewall reload without making any change. QubesOS/qubes-issues#2622 Fixes QubesOS/qubes-issues#2869
2017-06-26 12:58:14 +02:00
value = untrusted_value
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
self.prefixlen = prefixlen or 32
if self.prefixlen < 0 or self.prefixlen > 32:
raise ValueError(
'netmask for IPv4 must be between 0 and 32')
value += '/' + str(self.prefixlen)
self.type = 'dst4'
except socket.error:
self.type = 'dsthost'
self.prefixlen = 0
api/admin: firewall-related methods In the end firewall is implemented as .Get and .Set rules, with policy statically set to 'drop'. This way allow atomic firewall updates. Since we already have appropriate firewall format handling in qubes.firewall module - reuse it from there, but adjust the code to be prepared for potentially malicious input. And also mark such variables with untrusted_ prefix. There is also third method: .Reload - which cause firewall reload without making any change. QubesOS/qubes-issues#2622 Fixes QubesOS/qubes-issues#2869
2017-06-26 12:58:14 +02:00
safe_set = string.ascii_lowercase + string.digits + '-._'
firewall: raise ValueError on invalid hostname in dsthost= ...instead of AssertionError
2017-07-25 14:19:29 +02:00
if not all(c in safe_set for c in untrusted_value):
raise ValueError('Invalid hostname')
api/admin: firewall-related methods In the end firewall is implemented as .Get and .Set rules, with policy statically set to 'drop'. This way allow atomic firewall updates. Since we already have appropriate firewall format handling in qubes.firewall module - reuse it from there, but adjust the code to be prepared for potentially malicious input. And also mark such variables with untrusted_ prefix. There is also third method: .Reload - which cause firewall reload without making any change. QubesOS/qubes-issues#2622 Fixes QubesOS/qubes-issues#2869
2017-06-26 12:58:14 +02:00
value = untrusted_value
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
else:
api/admin: firewall-related methods In the end firewall is implemented as .Get and .Set rules, with policy statically set to 'drop'. This way allow atomic firewall updates. Since we already have appropriate firewall format handling in qubes.firewall module - reuse it from there, but adjust the code to be prepared for potentially malicious input. And also mark such variables with untrusted_ prefix. There is also third method: .Reload - which cause firewall reload without making any change. QubesOS/qubes-issues#2622 Fixes QubesOS/qubes-issues#2869
2017-06-26 12:58:14 +02:00
untrusted_host, untrusted_prefixlen = untrusted_value.split('/', 1)
prefixlen = int(untrusted_prefixlen)
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
if prefixlen < 0:
raise ValueError('netmask must be non-negative')
self.prefixlen = prefixlen
try:
api/admin: firewall-related methods In the end firewall is implemented as .Get and .Set rules, with policy statically set to 'drop'. This way allow atomic firewall updates. Since we already have appropriate firewall format handling in qubes.firewall module - reuse it from there, but adjust the code to be prepared for potentially malicious input. And also mark such variables with untrusted_ prefix. There is also third method: .Reload - which cause firewall reload without making any change. QubesOS/qubes-issues#2622 Fixes QubesOS/qubes-issues#2869
2017-06-26 12:58:14 +02:00
socket.inet_pton(socket.AF_INET6, untrusted_host)
value = untrusted_value
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
if prefixlen > 128:
raise ValueError('netmask for IPv6 must be <= 128')
self.type = 'dst6'
except socket.error:
try:
api/admin: firewall-related methods In the end firewall is implemented as .Get and .Set rules, with policy statically set to 'drop'. This way allow atomic firewall updates. Since we already have appropriate firewall format handling in qubes.firewall module - reuse it from there, but adjust the code to be prepared for potentially malicious input. And also mark such variables with untrusted_ prefix. There is also third method: .Reload - which cause firewall reload without making any change. QubesOS/qubes-issues#2622 Fixes QubesOS/qubes-issues#2869
2017-06-26 12:58:14 +02:00
socket.inet_pton(socket.AF_INET, untrusted_host)
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
if prefixlen > 32:
raise ValueError('netmask for IPv4 must be <= 32')
self.type = 'dst4'
api/admin: firewall-related methods In the end firewall is implemented as .Get and .Set rules, with policy statically set to 'drop'. This way allow atomic firewall updates. Since we already have appropriate firewall format handling in qubes.firewall module - reuse it from there, but adjust the code to be prepared for potentially malicious input. And also mark such variables with untrusted_ prefix. There is also third method: .Reload - which cause firewall reload without making any change. QubesOS/qubes-issues#2622 Fixes QubesOS/qubes-issues#2869
2017-06-26 12:58:14 +02:00
if untrusted_host.count('.') != 3:
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
raise ValueError(
'Invalid number of dots in IPv4 address')
api/admin: firewall-related methods In the end firewall is implemented as .Get and .Set rules, with policy statically set to 'drop'. This way allow atomic firewall updates. Since we already have appropriate firewall format handling in qubes.firewall module - reuse it from there, but adjust the code to be prepared for potentially malicious input. And also mark such variables with untrusted_ prefix. There is also third method: .Reload - which cause firewall reload without making any change. QubesOS/qubes-issues#2622 Fixes QubesOS/qubes-issues#2869
2017-06-26 12:58:14 +02:00
value = untrusted_value
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
except socket.error:
api/admin: firewall-related methods In the end firewall is implemented as .Get and .Set rules, with policy statically set to 'drop'. This way allow atomic firewall updates. Since we already have appropriate firewall format handling in qubes.firewall module - reuse it from there, but adjust the code to be prepared for potentially malicious input. And also mark such variables with untrusted_ prefix. There is also third method: .Reload - which cause firewall reload without making any change. QubesOS/qubes-issues#2622 Fixes QubesOS/qubes-issues#2869
2017-06-26 12:58:14 +02:00
raise ValueError('Invalid IP address: ' + untrusted_host)
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
super(DstHost, self).__init__(value)
@property
def rule(self):
return self.type + '=' + str(self)
class DstPorts(RuleOption):
api/admin: firewall-related methods In the end firewall is implemented as .Get and .Set rules, with policy statically set to 'drop'. This way allow atomic firewall updates. Since we already have appropriate firewall format handling in qubes.firewall module - reuse it from there, but adjust the code to be prepared for potentially malicious input. And also mark such variables with untrusted_ prefix. There is also third method: .Reload - which cause firewall reload without making any change. QubesOS/qubes-issues#2622 Fixes QubesOS/qubes-issues#2869
2017-06-26 12:58:14 +02:00
def __init__(self, untrusted_value):
if isinstance(untrusted_value, int):
untrusted_value = str(untrusted_value)
if untrusted_value.count('-') == 1:
self.range = [int(x) for x in untrusted_value.split('-', 1)]
elif not untrusted_value.count('-'):
self.range = [int(untrusted_value), int(untrusted_value)]
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
else:
api/admin: firewall-related methods In the end firewall is implemented as .Get and .Set rules, with policy statically set to 'drop'. This way allow atomic firewall updates. Since we already have appropriate firewall format handling in qubes.firewall module - reuse it from there, but adjust the code to be prepared for potentially malicious input. And also mark such variables with untrusted_ prefix. There is also third method: .Reload - which cause firewall reload without making any change. QubesOS/qubes-issues#2622 Fixes QubesOS/qubes-issues#2869
2017-06-26 12:58:14 +02:00
raise ValueError(untrusted_value)
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
if any(port < 0 or port > 65536 for port in self.range):
raise ValueError('Ports out of range')
if self.range[0] > self.range[1]:
raise ValueError('Invalid port range')
super(DstPorts, self).__init__(
str(self.range[0]) if self.range[0] == self.range[1]
else '-'.join(map(str, self.range)))
@property
def rule(self):
return 'dstports=' + '{!s}-{!s}'.format(*self.range)
class IcmpType(RuleOption):
api/admin: firewall-related methods In the end firewall is implemented as .Get and .Set rules, with policy statically set to 'drop'. This way allow atomic firewall updates. Since we already have appropriate firewall format handling in qubes.firewall module - reuse it from there, but adjust the code to be prepared for potentially malicious input. And also mark such variables with untrusted_ prefix. There is also third method: .Reload - which cause firewall reload without making any change. QubesOS/qubes-issues#2622 Fixes QubesOS/qubes-issues#2869
2017-06-26 12:58:14 +02:00
def __init__(self, untrusted_value):
untrusted_value = int(untrusted_value)
if untrusted_value < 0 or untrusted_value > 255:
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
raise ValueError('ICMP type out of range')
api/admin: firewall-related methods In the end firewall is implemented as .Get and .Set rules, with policy statically set to 'drop'. This way allow atomic firewall updates. Since we already have appropriate firewall format handling in qubes.firewall module - reuse it from there, but adjust the code to be prepared for potentially malicious input. And also mark such variables with untrusted_ prefix. There is also third method: .Reload - which cause firewall reload without making any change. QubesOS/qubes-issues#2622 Fixes QubesOS/qubes-issues#2869
2017-06-26 12:58:14 +02:00
super(IcmpType, self).__init__(untrusted_value)
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
@property
def rule(self):
return 'icmptype=' + str(self)
class SpecialTarget(RuleChoice):
dns = 'dns'
@property
def rule(self):
return 'specialtarget=' + str(self)
class Expire(RuleOption):
api/admin: firewall-related methods In the end firewall is implemented as .Get and .Set rules, with policy statically set to 'drop'. This way allow atomic firewall updates. Since we already have appropriate firewall format handling in qubes.firewall module - reuse it from there, but adjust the code to be prepared for potentially malicious input. And also mark such variables with untrusted_ prefix. There is also third method: .Reload - which cause firewall reload without making any change. QubesOS/qubes-issues#2622 Fixes QubesOS/qubes-issues#2869
2017-06-26 12:58:14 +02:00
def __init__(self, untrusted_value):
super(Expire, self).__init__(untrusted_value)
Avoid UTC datetime utcfromtimestamp() does not seems reliable and qubes-manager uses local time
2018-03-07 22:40:07 +01:00
self.datetime = datetime.datetime.fromtimestamp(int(untrusted_value))
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
@property
def rule(self):
Fix issues found by pylint 2.0 Resolve: - no-else-return - useless-object-inheritance - useless-return - consider-using-set-comprehension - consider-using-in - logging-not-lazy Ignore: - not-an-iterable - false possitives for asyncio coroutines Ignore all the above in qubespolicy/__init__.py, as the file will be moved to separate repository (core-qrexec) - it already has a copy there, don't desynchronize them.
2018-07-15 23:08:23 +02:00
pass
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
api/admin: firewall-related methods In the end firewall is implemented as .Get and .Set rules, with policy statically set to 'drop'. This way allow atomic firewall updates. Since we already have appropriate firewall format handling in qubes.firewall module - reuse it from there, but adjust the code to be prepared for potentially malicious input. And also mark such variables with untrusted_ prefix. There is also third method: .Reload - which cause firewall reload without making any change. QubesOS/qubes-issues#2622 Fixes QubesOS/qubes-issues#2869
2017-06-26 12:58:14 +02:00
@property
def api_rule(self):
return 'expire=' + str(self)
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
@property
def expired(self):
Avoid UTC datetime utcfromtimestamp() does not seems reliable and qubes-manager uses local time
2018-03-07 22:40:07 +01:00
return self.datetime < datetime.datetime.now()
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
class Comment(RuleOption):
api/admin: firewall-related methods In the end firewall is implemented as .Get and .Set rules, with policy statically set to 'drop'. This way allow atomic firewall updates. Since we already have appropriate firewall format handling in qubes.firewall module - reuse it from there, but adjust the code to be prepared for potentially malicious input. And also mark such variables with untrusted_ prefix. There is also third method: .Reload - which cause firewall reload without making any change. QubesOS/qubes-issues#2622 Fixes QubesOS/qubes-issues#2869
2017-06-26 12:58:14 +02:00
# noinspection PyMissingConstructor
def __init__(self, untrusted_value):
# pylint: disable=super-init-not-called
# subset of string.punctuation
safe_set = string.ascii_letters + string.digits + \
':;,./-_[] '
assert all(x in safe_set for x in str(untrusted_value))
value = str(untrusted_value)
self._value = value
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
@property
def rule(self):
Fix issues found by pylint 2.0 Resolve: - no-else-return - useless-object-inheritance - useless-return - consider-using-set-comprehension - consider-using-in - logging-not-lazy Ignore: - not-an-iterable - false possitives for asyncio coroutines Ignore all the above in qubespolicy/__init__.py, as the file will be moved to separate repository (core-qrexec) - it already has a copy there, don't desynchronize them.
2018-07-15 23:08:23 +02:00
pass
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
api/admin: firewall-related methods In the end firewall is implemented as .Get and .Set rules, with policy statically set to 'drop'. This way allow atomic firewall updates. Since we already have appropriate firewall format handling in qubes.firewall module - reuse it from there, but adjust the code to be prepared for potentially malicious input. And also mark such variables with untrusted_ prefix. There is also third method: .Reload - which cause firewall reload without making any change. QubesOS/qubes-issues#2622 Fixes QubesOS/qubes-issues#2869
2017-06-26 12:58:14 +02:00
@property
def api_rule(self):
return 'comment=' + str(self)
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
class Rule(qubes.PropertyHolder):
qubes/firewall: make xml parameter to Rule optional QubesOS/qubes-issues#1815
2016-09-19 17:47:42 +02:00
def __init__(self, xml=None, **kwargs):
'''Single firewall rule
:param xml: XML element describing rule, or None
:param kwargs: rule elements
'''
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
super(Rule, self).__init__(xml, **kwargs)
self.load_properties()
self.events_enabled = True
# validate dependencies
if self.dstports:
self.on_set_dstports('property-set:dstports', 'dstports',
self.dstports, None)
if self.icmptype:
self.on_set_icmptype('property-set:icmptype', 'icmptype',
self.icmptype, None)
self.property_require('action', False, True)
action = qubes.property('action',
type=Action,
order=0,
doc='rule action')
proto = qubes.property('proto',
type=Proto,
default=None,
order=1,
doc='protocol to match')
dsthost = qubes.property('dsthost',
type=DstHost,
default=None,
order=1,
doc='destination host/network')
dstports = qubes.property('dstports',
type=DstPorts,
default=None,
order=2,
doc='Destination port(s) (for \'tcp\' and \'udp\' protocol only)')
icmptype = qubes.property('icmptype',
type=IcmpType,
default=None,
order=2,
doc='ICMP packet type (for \'icmp\' protocol only)')
specialtarget = qubes.property('specialtarget',
type=SpecialTarget,
default=None,
order=1,
doc='Special target, for now only \'dns\' supported')
expire = qubes.property('expire',
type=Expire,
default=None,
doc='Timestamp (UNIX epoch) on which this rule expire')
comment = qubes.property('comment',
type=Comment,
default=None,
doc='User comment')
# noinspection PyUnusedLocal
@qubes.events.handler('property-pre-set:dstports')
qubes/events: they accept only keyword arguments Positional arguments are hereby deprecated, with immediate effect. QubesOS/qubes-issues#2622
2017-02-21 14:09:06 +01:00
def on_set_dstports(self, event, name, newvalue, oldvalue=None):
# pylint: disable=unused-argument
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
if self.proto not in ('tcp', 'udp'):
raise ValueError(
'dstports valid only for \'tcp\' and \'udp\' protocols')
# noinspection PyUnusedLocal
@qubes.events.handler('property-pre-set:icmptype')
qubes/events: they accept only keyword arguments Positional arguments are hereby deprecated, with immediate effect. QubesOS/qubes-issues#2622
2017-02-21 14:09:06 +01:00
def on_set_icmptype(self, event, name, newvalue, oldvalue=None):
# pylint: disable=unused-argument
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
if self.proto not in ('icmp',):
raise ValueError('icmptype valid only for \'icmp\' protocol')
# noinspection PyUnusedLocal
@qubes.events.handler('property-set:proto')
qubes/events: they accept only keyword arguments Positional arguments are hereby deprecated, with immediate effect. QubesOS/qubes-issues#2622
2017-02-21 14:09:06 +01:00
def on_set_proto(self, event, name, newvalue, oldvalue=None):
# pylint: disable=unused-argument
if newvalue not in ('tcp', 'udp'):
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
self.dstports = qubes.property.DEFAULT
qubes/events: they accept only keyword arguments Positional arguments are hereby deprecated, with immediate effect. QubesOS/qubes-issues#2622
2017-02-21 14:09:06 +01:00
if newvalue not in ('icmp',):
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
self.icmptype = qubes.property.DEFAULT
@qubes.events.handler('property-del:proto')
qubes/events: they accept only keyword arguments Positional arguments are hereby deprecated, with immediate effect. QubesOS/qubes-issues#2622
2017-02-21 14:09:06 +01:00
def on_del_proto(self, event, name, oldvalue):
# pylint: disable=unused-argument
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
self.dstports = qubes.property.DEFAULT
self.icmptype = qubes.property.DEFAULT
@property
def rule(self):
if self.expire and self.expire.expired:
return None
values = []
for prop in self.property_list():
value = getattr(self, prop.__name__)
if value is None:
continue
if value.rule is None:
continue
values.append(value.rule)
return ' '.join(values)
api/admin: firewall-related methods In the end firewall is implemented as .Get and .Set rules, with policy statically set to 'drop'. This way allow atomic firewall updates. Since we already have appropriate firewall format handling in qubes.firewall module - reuse it from there, but adjust the code to be prepared for potentially malicious input. And also mark such variables with untrusted_ prefix. There is also third method: .Reload - which cause firewall reload without making any change. QubesOS/qubes-issues#2622 Fixes QubesOS/qubes-issues#2869
2017-06-26 12:58:14 +02:00
@property
def api_rule(self):
values = []
firewall: skip expired rules Expired rules are skipped while loading the firewall. Do that also when such rules expired after loading the firewall. This applies to both Admin API and actually applying the rules (sending them to appropriate VM). Related QubesOS/qubes-issues#3020
2017-10-16 01:47:20 +02:00
if self.expire and self.expire.expired:
return None
api/admin: firewall-related methods In the end firewall is implemented as .Get and .Set rules, with policy statically set to 'drop'. This way allow atomic firewall updates. Since we already have appropriate firewall format handling in qubes.firewall module - reuse it from there, but adjust the code to be prepared for potentially malicious input. And also mark such variables with untrusted_ prefix. There is also third method: .Reload - which cause firewall reload without making any change. QubesOS/qubes-issues#2622 Fixes QubesOS/qubes-issues#2869
2017-06-26 12:58:14 +02:00
# put comment at the end
for prop in sorted(self.property_list(),
key=(lambda p: p.__name__ == 'comment')):
value = getattr(self, prop.__name__)
if value is None:
continue
if value.api_rule is None:
continue
values.append(value.api_rule)
return ' '.join(values)
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
@classmethod
def from_xml_v1(cls, node, action):
netmask = node.get('netmask')
if netmask is None:
netmask = 32
else:
netmask = int(netmask)
address = node.get('address')
if address:
dsthost = DstHost(address, netmask)
else:
dsthost = None
proto = node.get('proto')
port = node.get('port')
toport = node.get('toport')
if port and toport:
dstports = port + '-' + toport
elif port:
dstports = port
else:
dstports = None
# backward compatibility: protocol defaults to TCP if port is specified
if dstports and not proto:
proto = 'tcp'
if proto == 'any':
proto = None
expire = node.get('expire')
kwargs = {
'action': action,
}
if dsthost:
kwargs['dsthost'] = dsthost
if dstports:
kwargs['dstports'] = dstports
if proto:
kwargs['proto'] = proto
if expire:
kwargs['expire'] = expire
qubes/firewall: make xml parameter to Rule optional QubesOS/qubes-issues#1815
2016-09-19 17:47:42 +02:00
return cls(**kwargs)
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
api/admin: firewall-related methods In the end firewall is implemented as .Get and .Set rules, with policy statically set to 'drop'. This way allow atomic firewall updates. Since we already have appropriate firewall format handling in qubes.firewall module - reuse it from there, but adjust the code to be prepared for potentially malicious input. And also mark such variables with untrusted_ prefix. There is also third method: .Reload - which cause firewall reload without making any change. QubesOS/qubes-issues#2622 Fixes QubesOS/qubes-issues#2869
2017-06-26 12:58:14 +02:00
@classmethod
def from_api_string(cls, untrusted_rule):
'''Parse a single line of firewall rule'''
# comment is allowed to have spaces
untrusted_options, _, untrusted_comment = untrusted_rule.partition(
'comment=')
# appropriate handlers in __init__ of individual options will perform
# option-specific validation
kwargs = {}
if untrusted_comment:
firewall: pass untrusted values as keyword arguments Use keyword arguments to pass untrusted arguments to make sure the function parameter also have `untrusted_` prefix. Suggested by @woju
2017-06-26 18:41:27 +02:00
kwargs['comment'] = Comment(untrusted_value=untrusted_comment)
api/admin: firewall-related methods In the end firewall is implemented as .Get and .Set rules, with policy statically set to 'drop'. This way allow atomic firewall updates. Since we already have appropriate firewall format handling in qubes.firewall module - reuse it from there, but adjust the code to be prepared for potentially malicious input. And also mark such variables with untrusted_ prefix. There is also third method: .Reload - which cause firewall reload without making any change. QubesOS/qubes-issues#2622 Fixes QubesOS/qubes-issues#2869
2017-06-26 12:58:14 +02:00
for untrusted_option in untrusted_options.strip().split(' '):
untrusted_key, untrusted_value = untrusted_option.split('=', 1)
if untrusted_key in kwargs:
raise ValueError('Option \'{}\' already set'.format(
untrusted_key))
if untrusted_key in [str(prop) for prop in cls.property_list()]:
firewall: pass untrusted values as keyword arguments Use keyword arguments to pass untrusted arguments to make sure the function parameter also have `untrusted_` prefix. Suggested by @woju
2017-06-26 18:41:27 +02:00
kwargs[untrusted_key] = cls.property_get_def(
untrusted_key).type(untrusted_value=untrusted_value)
api/admin: firewall-related methods In the end firewall is implemented as .Get and .Set rules, with policy statically set to 'drop'. This way allow atomic firewall updates. Since we already have appropriate firewall format handling in qubes.firewall module - reuse it from there, but adjust the code to be prepared for potentially malicious input. And also mark such variables with untrusted_ prefix. There is also third method: .Reload - which cause firewall reload without making any change. QubesOS/qubes-issues#2622 Fixes QubesOS/qubes-issues#2869
2017-06-26 12:58:14 +02:00
elif untrusted_key in ('dst4', 'dst6', 'dstname'):
firewall: pass untrusted values as keyword arguments Use keyword arguments to pass untrusted arguments to make sure the function parameter also have `untrusted_` prefix. Suggested by @woju
2017-06-26 18:41:27 +02:00
if 'dsthost' in kwargs:
raise ValueError('Option \'{}\' already set'.format(
'dsthost'))
kwargs['dsthost'] = DstHost(untrusted_value=untrusted_value)
api/admin: firewall-related methods In the end firewall is implemented as .Get and .Set rules, with policy statically set to 'drop'. This way allow atomic firewall updates. Since we already have appropriate firewall format handling in qubes.firewall module - reuse it from there, but adjust the code to be prepared for potentially malicious input. And also mark such variables with untrusted_ prefix. There is also third method: .Reload - which cause firewall reload without making any change. QubesOS/qubes-issues#2622 Fixes QubesOS/qubes-issues#2869
2017-06-26 12:58:14 +02:00
else:
raise ValueError('Unknown firewall option')
return cls(**kwargs)
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
def __eq__(self, other):
api/admin: firewall-related methods In the end firewall is implemented as .Get and .Set rules, with policy statically set to 'drop'. This way allow atomic firewall updates. Since we already have appropriate firewall format handling in qubes.firewall module - reuse it from there, but adjust the code to be prepared for potentially malicious input. And also mark such variables with untrusted_ prefix. There is also third method: .Reload - which cause firewall reload without making any change. QubesOS/qubes-issues#2622 Fixes QubesOS/qubes-issues#2869
2017-06-26 12:58:14 +02:00
if isinstance(other, Rule):
return self.api_rule == other.api_rule
return self.api_rule == str(other)
def __hash__(self):
return hash(self.api_rule)
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
firewall: add clone and comparing methods, missing docstrings
2017-05-15 13:04:59 +02:00
Fix issues found by pylint 2.0 Resolve: - no-else-return - useless-object-inheritance - useless-return - consider-using-set-comprehension - consider-using-in - logging-not-lazy Ignore: - not-an-iterable - false possitives for asyncio coroutines Ignore all the above in qubespolicy/__init__.py, as the file will be moved to separate repository (core-qrexec) - it already has a copy there, don't desynchronize them.
2018-07-15 23:08:23 +02:00
class Firewall:
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
def __init__(self, vm, load=True):
assert hasattr(vm, 'firewall_conf')
self.vm = vm
#: firewall rules
self.rules = []
if load:
self.load()
firewall: always use policy 'drop' There is a problem with having separate default action ("policy") and rules because it isn't possible to set both of them atomically at the same time. To solve this problem, always have policy 'drop' (as a safe default), but by default have a single rule with action 'accept' Fixes QubesOS/qubes-issues#2869
2017-06-26 05:11:24 +02:00
@property
def policy(self):
''' Default action - always 'drop' '''
return Action('drop')
firewall: add clone and comparing methods, missing docstrings
2017-05-15 13:04:59 +02:00
def __eq__(self, other):
if isinstance(other, Firewall):
firewall: always use policy 'drop' There is a problem with having separate default action ("policy") and rules because it isn't possible to set both of them atomically at the same time. To solve this problem, always have policy 'drop' (as a safe default), but by default have a single rule with action 'accept' Fixes QubesOS/qubes-issues#2869
2017-06-26 05:11:24 +02:00
return self.rules == other.rules
firewall: add clone and comparing methods, missing docstrings
2017-05-15 13:04:59 +02:00
return NotImplemented
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
def load_defaults(self):
firewall: add clone and comparing methods, missing docstrings
2017-05-15 13:04:59 +02:00
'''Load default firewall settings'''
firewall: always use policy 'drop' There is a problem with having separate default action ("policy") and rules because it isn't possible to set both of them atomically at the same time. To solve this problem, always have policy 'drop' (as a safe default), but by default have a single rule with action 'accept' Fixes QubesOS/qubes-issues#2869
2017-06-26 05:11:24 +02:00
self.rules = [Rule(None, action='accept')]
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
firewall: add clone and comparing methods, missing docstrings
2017-05-15 13:04:59 +02:00
def clone(self, other):
'''Clone firewall settings from other instance.
This method discards pre-existing firewall settings.
:param other: other :py:class:`Firewall` instance
'''
rules = []
for rule in other.rules:
firewall: fix Firewall.clone() New rule require action to be defined, even if will be overwritten a moment later.
2017-08-06 12:49:19 +02:00
# Rule constructor require some action, will be overwritten by
# clone_properties below
new_rule = Rule(action='drop')
firewall: add clone and comparing methods, missing docstrings
2017-05-15 13:04:59 +02:00
new_rule.clone_properties(rule)
rules.append(new_rule)
self.rules = rules
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
def load(self):
firewall: add clone and comparing methods, missing docstrings
2017-05-15 13:04:59 +02:00
'''Load firewall settings from a file'''
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
firewall_conf = os.path.join(self.vm.dir_path, self.vm.firewall_conf)
if os.path.exists(firewall_conf):
self.rules = []
tree = lxml.etree.parse(firewall_conf)
root = tree.getroot()
version = root.get('version', '1')
if version == '1':
self.load_v1(root)
elif version == '2':
self.load_v2(root)
else:
raise qubes.exc.QubesVMError(self.vm,
'Unsupported firewall.xml version: {}'.format(version))
else:
self.load_defaults()
def load_v1(self, xml_root):
firewall: add clone and comparing methods, missing docstrings
2017-05-15 13:04:59 +02:00
'''Load old (Qubes < 4.0) firewall XML format'''
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
policy_v1 = xml_root.get('policy')
assert policy_v1 in ('allow', 'deny')
firewall: minor simplification for old firewall.xml loading Have `default_policy_is_accept` variable of type bool, instead of `policy`, which is only compared to a constant value (`accept`). Suggested by @woju
2017-06-26 18:45:59 +02:00
default_policy_is_accept = (policy_v1 == 'allow')
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
def _translate_action(key):
if xml_root.get(key, policy_v1) == 'allow':
return Action.accept
Make pylint happy New pylint throw some more warnings.
2017-04-21 15:43:46 +02:00
return Action.drop
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
self.rules.append(Rule(None,
action=_translate_action('dns'),
specialtarget=SpecialTarget('dns')))
self.rules.append(Rule(None,
action=_translate_action('icmp'),
proto=Proto.icmp))
firewall: minor simplification for old firewall.xml loading Have `default_policy_is_accept` variable of type bool, instead of `policy`, which is only compared to a constant value (`accept`). Suggested by @woju
2017-06-26 18:45:59 +02:00
if default_policy_is_accept:
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
rule_action = Action.drop
else:
rule_action = Action.accept
for element in xml_root:
rule = Rule.from_xml_v1(element, rule_action)
self.rules.append(rule)
firewall: minor simplification for old firewall.xml loading Have `default_policy_is_accept` variable of type bool, instead of `policy`, which is only compared to a constant value (`accept`). Suggested by @woju
2017-06-26 18:45:59 +02:00
if default_policy_is_accept:
firewall: always use policy 'drop' There is a problem with having separate default action ("policy") and rules because it isn't possible to set both of them atomically at the same time. To solve this problem, always have policy 'drop' (as a safe default), but by default have a single rule with action 'accept' Fixes QubesOS/qubes-issues#2869
2017-06-26 05:11:24 +02:00
self.rules.append(Rule(None, action='accept'))
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
def load_v2(self, xml_root):
firewall: add clone and comparing methods, missing docstrings
2017-05-15 13:04:59 +02:00
'''Load new (Qubes >= 4.0) firewall XML format'''
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
xml_rules = xml_root.find('rules')
for xml_rule in xml_rules:
rule = Rule(xml_rule)
self.rules.append(rule)
firewall: use asyncio's call_later instead of systemd to reload rules When some expiring rules are present, it is necessary to reload firewall when those rules expire. Previously systemd timer was used to trigger this action, but since we have own daemon now, it isn't necessary anymore - use this daemon for that. Additionally automatically removing expired rules was completely broken in R4.0. Fixes QubesOS/qubes-issues#1173
2018-02-07 02:40:56 +01:00
def _expire_rules(self):
'''Function called to reload expired rules'''
self.load()
Removed self.rules != old_rules After lot of testing it does not work properly. Could do something more sophisticated but since calling save() is safe and probably lightweigth it is not worth probably.
2018-03-08 11:25:42 +01:00
# this will both save rules skipping those expired and trigger
# QubesDB update; and possibly schedule another timer
self.save()
firewall: use asyncio's call_later instead of systemd to reload rules When some expiring rules are present, it is necessary to reload firewall when those rules expire. Previously systemd timer was used to trigger this action, but since we have own daemon now, it isn't necessary anymore - use this daemon for that. Additionally automatically removing expired rules was completely broken in R4.0. Fixes QubesOS/qubes-issues#1173
2018-02-07 02:40:56 +01:00
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
def save(self):
firewall: add clone and comparing methods, missing docstrings
2017-05-15 13:04:59 +02:00
'''Save firewall rules to a file'''
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
firewall_conf = os.path.join(self.vm.dir_path, self.vm.firewall_conf)
Wrong init var to bool and missing call to total_seconds() fix https://github.com/QubesOS/qubes-issues/issues/3661
2018-03-07 22:37:44 +01:00
nearest_expire = None
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
xml_root = lxml.etree.Element('firewall', version=str(2))
xml_rules = lxml.etree.Element('rules')
for rule in self.rules:
if rule.expire:
if rule.expire and rule.expire.expired:
continue
else:
firewall: use asyncio's call_later instead of systemd to reload rules When some expiring rules are present, it is necessary to reload firewall when those rules expire. Previously systemd timer was used to trigger this action, but since we have own daemon now, it isn't necessary anymore - use this daemon for that. Additionally automatically removing expired rules was completely broken in R4.0. Fixes QubesOS/qubes-issues#1173
2018-02-07 02:40:56 +01:00
if nearest_expire is None or rule.expire.datetime < \
nearest_expire:
nearest_expire = rule.expire.datetime
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
xml_rule = lxml.etree.Element('rule')
xml_rule.append(rule.xml_properties())
xml_rules.append(xml_rule)
xml_root.append(xml_rules)
xml_tree = lxml.etree.ElementTree(xml_root)
try:
old_umask = os.umask(0o002)
qubes: port core to python3 fixes QubesOS/qubes-issues#2074
2017-01-18 22:16:46 +01:00
with open(firewall_conf, 'wb') as firewall_xml:
qubes/firewall: new firewall interface First part - handling firewall.xml and rules formatting. Specification on https://qubes-os.org/doc/vm-interface/ TODO (for dom0): - plug into QubesVM object - expose rules in QubesDB (including reloading) - drop old functions (vm.get_firewall_conf etc) QubesOS/qubes-issues#1815
2016-09-08 04:10:02 +02:00
xml_tree.write(firewall_xml, encoding="UTF-8",
pretty_print=True)
os.umask(old_umask)
except EnvironmentError as err:
self.vm.log.error("save error: {}".format(err))
raise qubes.exc.QubesException('save error: {}'.format(err))
qubes/vm: plug in new firewall code, create QubesDB entries QubesOS/qubes-issues#1815
2016-09-09 03:14:16 +02:00
self.vm.fire_event('firewall-changed')
firewall: use asyncio's call_later instead of systemd to reload rules When some expiring rules are present, it is necessary to reload firewall when those rules expire. Previously systemd timer was used to trigger this action, but since we have own daemon now, it isn't necessary anymore - use this daemon for that. Additionally automatically removing expired rules was completely broken in R4.0. Fixes QubesOS/qubes-issues#1173
2018-02-07 02:40:56 +01:00
if nearest_expire and not self.vm.app.vmm.offline_mode:
loop = asyncio.get_event_loop()
# by documentation call_at use loop.time() clock, which not
# necessary must be the same as time module; calculate delay and
# use call_later instead
expire_when = nearest_expire - datetime.datetime.now()
Wrong init var to bool and missing call to total_seconds() fix https://github.com/QubesOS/qubes-issues/issues/3661
2018-03-07 22:37:44 +01:00
loop.call_later(expire_when.total_seconds(), self._expire_rules)
qubes/vm: plug in new firewall code, create QubesDB entries QubesOS/qubes-issues#1815
2016-09-09 03:14:16 +02:00
qubes/firewall: allow listing only IPv4/IPv6 rules This will allow setting only IPv4-related rules to IPv4 address, and the same for IPv6 QubesOS/qubes-issues#1815
2016-09-12 06:02:07 +02:00
def qdb_entries(self, addr_family=None):
firewall: add clone and comparing methods, missing docstrings
2017-05-15 13:04:59 +02:00
'''Return firewall settings serialized for QubesDB entries
:param addr_family: include rules only for IPv4 (4) or IPv6 (6); if
None, include both
'''
qubes/vm: plug in new firewall code, create QubesDB entries QubesOS/qubes-issues#1815
2016-09-09 03:14:16 +02:00
entries = {
'policy': str(self.policy)
}
qubes/firewall: allow listing only IPv4/IPv6 rules This will allow setting only IPv4-related rules to IPv4 address, and the same for IPv6 QubesOS/qubes-issues#1815
2016-09-12 06:02:07 +02:00
exclude_dsttype = None
if addr_family is not None:
exclude_dsttype = 'dst4' if addr_family == 6 else 'dst6'
qubes/vm: plug in new firewall code, create QubesDB entries QubesOS/qubes-issues#1815
2016-09-09 03:14:16 +02:00
for ruleno, rule in zip(itertools.count(), self.rules):
firewall: skip expired rules Expired rules are skipped while loading the firewall. Do that also when such rules expired after loading the firewall. This applies to both Admin API and actually applying the rules (sending them to appropriate VM). Related QubesOS/qubes-issues#3020
2017-10-16 01:47:20 +02:00
if rule.expire and rule.expire.expired:
continue
qubes/firewall: allow listing only IPv4/IPv6 rules This will allow setting only IPv4-related rules to IPv4 address, and the same for IPv6 QubesOS/qubes-issues#1815
2016-09-12 06:02:07 +02:00
# exclude rules for another address family
if rule.dsthost and rule.dsthost.type == exclude_dsttype:
continue
qubes/vm: plug in new firewall code, create QubesDB entries QubesOS/qubes-issues#1815
2016-09-09 03:14:16 +02:00
entries['{:04}'.format(ruleno)] = rule.rule
return entries
Reference in New Issue Copy Permalink