Merge remote-tracking branch 'origin/pr/303'

* origin/pr/303: Update tests after adding /connected-ips Also reload /connected-ips on firewall change / domain spawn Also store /connected-ips6 for machines that have IPv6 addresses Don't try to write to qubesdb of an offline VM Maintain a list of connected machine IPs in qubesdb
2020-01-16 04:03:44 +01:00 · 2020-01-16 04:03:44 +01:00 · 0c08305f1a
commit 0c08305f1a
parent e6aa35fcdf 70c862fe73
2 changed files with 36 additions and 1 deletions
--- a/qubes/tests/vm/qubesvm.py
+++ b/qubes/tests/vm/qubesvm.py
@ -1521,6 +1521,8 @@ class TC_90_QubesVM(QubesVMTestsMixin, qubes.tests.QubesTestCase):
            '/qubes-iptables-header': iptables_header,
            '/qubes-service/qubes-update-check': '0',
            '/qubes-service/meminfo-writer': '1',
+            '/connected-ips': '',
+            '/connected-ips6': '',
        })

    @unittest.mock.patch('datetime.datetime')
@ -1591,6 +1593,8 @@ class TC_90_QubesVM(QubesVMTestsMixin, qubes.tests.QubesTestCase):
            '/qubes-gateway': '10.137.0.2',
            '/qubes-primary-dns': '10.139.1.1',
            '/qubes-secondary-dns': '10.139.1.2',
+            '/connected-ips': '',
+            '/connected-ips6': '',
        }

        with self.subTest('ipv4'):
@ -1645,6 +1649,7 @@ class TC_90_QubesVM(QubesVMTestsMixin, qubes.tests.QubesTestCase):
            expected['/qubes-firewall/10.137.0.3'] = ''
            expected['/qubes-firewall/10.137.0.3/0000'] = 'action=accept'
            expected['/qubes-firewall/10.137.0.3/policy'] = 'drop'
+            expected['/connected-ips'] = '10.137.0.3'

            with unittest.mock.patch('qubes.vm.qubesvm.QubesVM.is_running',
                    lambda _: True):
@ -1660,6 +1665,8 @@ class TC_90_QubesVM(QubesVMTestsMixin, qubes.tests.QubesTestCase):
            expected['/qubes-firewall/' + ip6] = ''
            expected['/qubes-firewall/' + ip6 + '/0000'] = 'action=accept'
            expected['/qubes-firewall/' + ip6 + '/policy'] = 'drop'
+            expected['/connected-ips6'] = ip6
+
            with unittest.mock.patch('qubes.vm.qubesvm.QubesVM.is_running',
                    lambda _: True):
                netvm.create_qdb_entries()
@ -1708,6 +1715,8 @@ class TC_90_QubesVM(QubesVMTestsMixin, qubes.tests.QubesTestCase):
            '/qubes-iptables-header': unittest.mock.ANY,
            '/qubes-service/qubes-update-check': '0',
            '/qubes-service/meminfo-writer': '1',
+            '/connected-ips': '',
+            '/connected-ips6': '',
        })


--- a/qubes/vm/mix/net.py
+++ b/qubes/vm/mix/net.py
@ -389,6 +389,23 @@ class NetVMMixin(qubes.events.Emitter):
        else:
            self.untrusted_qdb.rm(mapped_ip_base + '/visible-gateway')

+    def reload_connected_ips(self):
+        '''
+        Update list of IPs possibly connected to this machine.
+        This is used by qubes-firewall to implement anti-spoofing.
+        '''
+        connected_ips = [str(vm.visible_ip) for vm in self.connected_vms
+                         if vm.visible_ip is not None]
+        connected_ips6 = [str(vm.visible_ip6) for vm in self.connected_vms
+                          if vm.visible_ip6 is not None]
+
+        self.untrusted_qdb.write(
+            '/connected-ips',
+            ' '.join(connected_ips))
+        self.untrusted_qdb.write(
+            '/connected-ips6',
+            ' '.join(connected_ips6))
+
    @qubes.events.handler('property-pre-del:netvm')
    def on_property_pre_del_netvm(self, event, name, oldvalue=None):
        ''' Sets the the NetVM to default NetVM '''
@ -436,9 +453,15 @@ class NetVMMixin(qubes.events.Emitter):
        '''
        # pylint: disable=unused-argument

+        if oldvalue is not None and oldvalue.is_running():
+            oldvalue.reload_connected_ips()
+
        if newvalue is None:
            return

+        if newvalue.is_running():
+            newvalue.reload_connected_ips()
+
        if self.is_running():
            # refresh IP, DNS etc
            self.create_qdb_entries()
@ -456,9 +479,11 @@ class NetVMMixin(qubes.events.Emitter):
    def on_domain_qdb_create(self, event):
        ''' Fills the QubesDB with firewall entries. '''
        # pylint: disable=unused-argument
+
+        # Keep the following in sync with on_firewall_changed.
+        self.reload_connected_ips()
        for vm in self.connected_vms:
            if vm.is_running():
-                # keep in sync with on_firewall_changed
                self.set_mapped_ip_info_for_vm(vm)
                self.reload_firewall_for_vm(vm)

@ -467,6 +492,7 @@ class NetVMMixin(qubes.events.Emitter):
        ''' Reloads the firewall if vm is running and has a NetVM assigned '''
        # pylint: disable=unused-argument
        if self.is_running() and self.netvm:
+            self.netvm.reload_connected_ips()
            self.netvm.set_mapped_ip_info_for_vm(self)
            self.netvm.reload_firewall_for_vm(self)  # pylint: disable=no-member