core-admin/qubespolicy/agent.py

# -*- encoding: utf8 -*-
#
# The Qubes OS Project, http://www.qubes-os.org
#
# Copyright (C) 2017 Marek Marczykowski-Górecki
#                               <marmarek@invisiblethingslab.com>
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, see <https://www.gnu.org/licenses/>.


''' Agent running in user session, responsible for asking the user about policy
decisions.'''

import pydbus
# pylint: disable=import-error,wrong-import-position
import gi
gi.require_version('Gtk', '3.0')
from gi.repository import GLib
# pylint: enable=import-error

import qubespolicy.rpcconfirmation
import qubespolicy.policycreateconfirmation
# pylint: enable=wrong-import-position

class PolicyAgent(object):
    # pylint: disable=too-few-public-methods
    dbus = """
    <node>
      <interface name='org.qubesos.PolicyAgent'>
        <method name='Ask'>
          <arg type='s' name='source' direction='in'/>
          <arg type='s' name='service_name' direction='in'/>
          <arg type='as' name='targets' direction='in'/>
          <arg type='s' name='default_target' direction='in'/>
          <arg type='a{ss}' name='icons' direction='in'/>
          <arg type='s' name='response' direction='out'/>
        </method>
        <method name='ConfirmPolicyCreate'>
          <arg type='s' name='source' direction='in'/>
          <arg type='s' name='service_name' direction='in'/>
          <arg type='b' name='response' direction='out'/>
        </method>
      </interface>
    </node>
    """

    @staticmethod
    def Ask(source, service_name, targets, default_target,
            icons):
        # pylint: disable=invalid-name
        entries_info = {}
        for entry in icons:
            entries_info[entry] = {}
            entries_info[entry]['icon'] = icons.get(entry, None)

        response = qubespolicy.rpcconfirmation.confirm_rpc(
            entries_info, source, service_name,
            targets, default_target or None)
        return response or ''

    @staticmethod
    def ConfirmPolicyCreate(source, service_name):
        # pylint: disable=invalid-name

        response = qubespolicy.policycreateconfirmation.confirm(
            source, service_name)
        return response

def main():
    loop = GLib.MainLoop()
    bus = pydbus.SystemBus()
    obj = PolicyAgent()
    bus.publish('org.qubesos.PolicyAgent', obj)
    loop.run()


if __name__ == '__main__':
    main()
qubespolicy: run GUI code inside user session and expose it as dbus object This way it will work independently from where qrexec-policy tool will be called (in most cases - from a system service, as root). This is also very similar architecture to what we'll need when moving to GUI domain - there GUI part will also be separated from policy evaluation logic. QubesOS/qubes-issues#910 2017-04-06 15:39:31 +02:00			`# -- encoding: utf8 --`
			`#`
			`# The Qubes OS Project, http://www.qubes-os.org`
			`#`
			`# Copyright (C) 2017 Marek Marczykowski-Górecki`
			`# <marmarek@invisiblethingslab.com>`
			`#`
Change license to LGPL v2.1+ See this thread for reasoning and acceptance from contributors: https://groups.google.com/d/topic/qubes-devel/G7KzrfU0lWY/discussion "Changing qubes-core-admin license to LGPL v2.1+" 2017-10-12 00:11:50 +02:00			`# This library is free software; you can redistribute it and/or`
			`# modify it under the terms of the GNU Lesser General Public`
			`# License as published by the Free Software Foundation; either`
			`# version 2.1 of the License, or (at your option) any later version.`
qubespolicy: run GUI code inside user session and expose it as dbus object This way it will work independently from where qrexec-policy tool will be called (in most cases - from a system service, as root). This is also very similar architecture to what we'll need when moving to GUI domain - there GUI part will also be separated from policy evaluation logic. QubesOS/qubes-issues#910 2017-04-06 15:39:31 +02:00			`#`
Change license to LGPL v2.1+ See this thread for reasoning and acceptance from contributors: https://groups.google.com/d/topic/qubes-devel/G7KzrfU0lWY/discussion "Changing qubes-core-admin license to LGPL v2.1+" 2017-10-12 00:11:50 +02:00			`# This library is distributed in the hope that it will be useful,`
qubespolicy: run GUI code inside user session and expose it as dbus object This way it will work independently from where qrexec-policy tool will be called (in most cases - from a system service, as root). This is also very similar architecture to what we'll need when moving to GUI domain - there GUI part will also be separated from policy evaluation logic. QubesOS/qubes-issues#910 2017-04-06 15:39:31 +02:00			`# but WITHOUT ANY WARRANTY; without even the implied warranty of`
Change license to LGPL v2.1+ See this thread for reasoning and acceptance from contributors: https://groups.google.com/d/topic/qubes-devel/G7KzrfU0lWY/discussion "Changing qubes-core-admin license to LGPL v2.1+" 2017-10-12 00:11:50 +02:00			`# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU`
			`# Lesser General Public License for more details.`
qubespolicy: run GUI code inside user session and expose it as dbus object This way it will work independently from where qrexec-policy tool will be called (in most cases - from a system service, as root). This is also very similar architecture to what we'll need when moving to GUI domain - there GUI part will also be separated from policy evaluation logic. QubesOS/qubes-issues#910 2017-04-06 15:39:31 +02:00			`#`
Change license to LGPL v2.1+ See this thread for reasoning and acceptance from contributors: https://groups.google.com/d/topic/qubes-devel/G7KzrfU0lWY/discussion "Changing qubes-core-admin license to LGPL v2.1+" 2017-10-12 00:11:50 +02:00			`# You should have received a copy of the GNU Lesser General Public`
			`# License along with this library; if not, see <https://www.gnu.org/licenses/>.`
qubespolicy: run GUI code inside user session and expose it as dbus object This way it will work independently from where qrexec-policy tool will be called (in most cases - from a system service, as root). This is also very similar architecture to what we'll need when moving to GUI domain - there GUI part will also be separated from policy evaluation logic. QubesOS/qubes-issues#910 2017-04-06 15:39:31 +02:00

			`''' Agent running in user session, responsible for asking the user about policy`
			`decisions.'''`

			`import pydbus`
qubespolicy: make pylint happy This include refactoring out one-function-class GtkIconGetter. QubesOS/qubes-issues#910 2017-04-06 16:29:49 +02:00			`# pylint: disable=import-error,wrong-import-position`
qubespolicy: run GUI code inside user session and expose it as dbus object This way it will work independently from where qrexec-policy tool will be called (in most cases - from a system service, as root). This is also very similar architecture to what we'll need when moving to GUI domain - there GUI part will also be separated from policy evaluation logic. QubesOS/qubes-issues#910 2017-04-06 15:39:31 +02:00			`import gi`
			`gi.require_version('Gtk', '3.0')`
			`from gi.repository import GLib`
qubespolicy: make pylint happy This include refactoring out one-function-class GtkIconGetter. QubesOS/qubes-issues#910 2017-04-06 16:29:49 +02:00			`# pylint: enable=import-error`
qubespolicy: run GUI code inside user session and expose it as dbus object This way it will work independently from where qrexec-policy tool will be called (in most cases - from a system service, as root). This is also very similar architecture to what we'll need when moving to GUI domain - there GUI part will also be separated from policy evaluation logic. QubesOS/qubes-issues#910 2017-04-06 15:39:31 +02:00
			`import qubespolicy.rpcconfirmation`
qubespolicy: ask to create default policy if none is found Fixes QubesOS/qubes-issues#3005 2017-08-13 02:36:26 +02:00			`import qubespolicy.policycreateconfirmation`
qubespolicy: make pylint happy This include refactoring out one-function-class GtkIconGetter. QubesOS/qubes-issues#910 2017-04-06 16:29:49 +02:00			`# pylint: enable=wrong-import-position`
qubespolicy: run GUI code inside user session and expose it as dbus object This way it will work independently from where qrexec-policy tool will be called (in most cases - from a system service, as root). This is also very similar architecture to what we'll need when moving to GUI domain - there GUI part will also be separated from policy evaluation logic. QubesOS/qubes-issues#910 2017-04-06 15:39:31 +02:00
			`class PolicyAgent(object):`
qubespolicy: make pylint happy This include refactoring out one-function-class GtkIconGetter. QubesOS/qubes-issues#910 2017-04-06 16:29:49 +02:00			`# pylint: disable=too-few-public-methods`
qubespolicy: run GUI code inside user session and expose it as dbus object This way it will work independently from where qrexec-policy tool will be called (in most cases - from a system service, as root). This is also very similar architecture to what we'll need when moving to GUI domain - there GUI part will also be separated from policy evaluation logic. QubesOS/qubes-issues#910 2017-04-06 15:39:31 +02:00			`dbus = """`
			`<node>`
			`<interface name='org.qubesos.PolicyAgent'>`
			`<method name='Ask'>`
			`<arg type='s' name='source' direction='in'/>`
			`<arg type='s' name='service_name' direction='in'/>`
			`<arg type='as' name='targets' direction='in'/>`
			`<arg type='s' name='default_target' direction='in'/>`
			`<arg type='a{ss}' name='icons' direction='in'/>`
			`<arg type='s' name='response' direction='out'/>`
			`</method>`
qubespolicy: ask to create default policy if none is found Fixes QubesOS/qubes-issues#3005 2017-08-13 02:36:26 +02:00			`<method name='ConfirmPolicyCreate'>`
			`<arg type='s' name='source' direction='in'/>`
			`<arg type='s' name='service_name' direction='in'/>`
			`<arg type='b' name='response' direction='out'/>`
			`</method>`
qubespolicy: run GUI code inside user session and expose it as dbus object This way it will work independently from where qrexec-policy tool will be called (in most cases - from a system service, as root). This is also very similar architecture to what we'll need when moving to GUI domain - there GUI part will also be separated from policy evaluation logic. QubesOS/qubes-issues#910 2017-04-06 15:39:31 +02:00			`</interface>`
			`</node>`
			`"""`

qubespolicy: make pylint happy This include refactoring out one-function-class GtkIconGetter. QubesOS/qubes-issues#910 2017-04-06 16:29:49 +02:00			`@staticmethod`
			`def Ask(source, service_name, targets, default_target,`
qubespolicy: run GUI code inside user session and expose it as dbus object This way it will work independently from where qrexec-policy tool will be called (in most cases - from a system service, as root). This is also very similar architecture to what we'll need when moving to GUI domain - there GUI part will also be separated from policy evaluation logic. QubesOS/qubes-issues#910 2017-04-06 15:39:31 +02:00			`icons):`
qubespolicy: make pylint happy This include refactoring out one-function-class GtkIconGetter. QubesOS/qubes-issues#910 2017-04-06 16:29:49 +02:00			`# pylint: disable=invalid-name`
qubespolicy: run GUI code inside user session and expose it as dbus object This way it will work independently from where qrexec-policy tool will be called (in most cases - from a system service, as root). This is also very similar architecture to what we'll need when moving to GUI domain - there GUI part will also be separated from policy evaluation logic. QubesOS/qubes-issues#910 2017-04-06 15:39:31 +02:00			`entries_info = {}`
qubespolicy: fix handling icons dictionary Build icons dictionary from all provided icons, not only those allowed as target. Specifically, source may not be allowed target (but the window need its icon). 2017-07-30 14:48:21 +02:00			`for entry in icons:`
			`entries_info[entry] = {}`
			`entries_info[entry]['icon'] = icons.get(entry, None)`
qubespolicy: run GUI code inside user session and expose it as dbus object This way it will work independently from where qrexec-policy tool will be called (in most cases - from a system service, as root). This is also very similar architecture to what we'll need when moving to GUI domain - there GUI part will also be separated from policy evaluation logic. QubesOS/qubes-issues#910 2017-04-06 15:39:31 +02:00
			`response = qubespolicy.rpcconfirmation.confirm_rpc(`
			`entries_info, source, service_name,`
			`targets, default_target or None)`
			`return response or ''`

qubespolicy: ask to create default policy if none is found Fixes QubesOS/qubes-issues#3005 2017-08-13 02:36:26 +02:00			`@staticmethod`
			`def ConfirmPolicyCreate(source, service_name):`
			`# pylint: disable=invalid-name`

			`response = qubespolicy.policycreateconfirmation.confirm(`
			`source, service_name)`
			`return response`
qubespolicy: run GUI code inside user session and expose it as dbus object This way it will work independently from where qrexec-policy tool will be called (in most cases - from a system service, as root). This is also very similar architecture to what we'll need when moving to GUI domain - there GUI part will also be separated from policy evaluation logic. QubesOS/qubes-issues#910 2017-04-06 15:39:31 +02:00
			`def main():`
			`loop = GLib.MainLoop()`
			`bus = pydbus.SystemBus()`
			`obj = PolicyAgent()`
			`bus.publish('org.qubesos.PolicyAgent', obj)`
			`loop.run()`


			`if __name__ == '__main__':`
			`main()`