Qubes/core-admin
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge remote-tracking branch 'origin/pr/303'

Browse Source 
* origin/pr/303:
  Update tests after adding /connected-ips
  Also reload /connected-ips on firewall change / domain spawn
  Also store /connected-ips6 for machines that have IPv6 addresses
  Don't try to write to qubesdb of an offline VM
  Maintain a list of connected machine IPs in qubesdb
This commit is contained in:
Marek Marczykowski-Górecki 2020-01-16 04:03:44 +01:00
commit 0c08305f1a
No known key found for this signature in database
GPG Key ID: 063938BA42CFA724
2 changed files with 36 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
qubes/tests/vm/qubesvm.py
View File

@ -1521,6 +1521,8 @@ class TC_90_QubesVM(QubesVMTestsMixin, qubes.tests.QubesTestCase):
'/qubes-iptables-header': iptables_header, '/qubes-iptables-header': iptables_header,
'/qubes-service/qubes-update-check': '0', '/qubes-service/qubes-update-check': '0',
'/qubes-service/meminfo-writer': '1', '/qubes-service/meminfo-writer': '1',
'/connected-ips': '',
'/connected-ips6': '',
}) })
@unittest.mock.patch('datetime.datetime') @unittest.mock.patch('datetime.datetime')
@ -1591,6 +1593,8 @@ class TC_90_QubesVM(QubesVMTestsMixin, qubes.tests.QubesTestCase):
'/qubes-gateway': '10.137.0.2', '/qubes-gateway': '10.137.0.2',
'/qubes-primary-dns': '10.139.1.1', '/qubes-primary-dns': '10.139.1.1',
'/qubes-secondary-dns': '10.139.1.2', '/qubes-secondary-dns': '10.139.1.2',
'/connected-ips': '',
'/connected-ips6': '',
} }
with self.subTest('ipv4'): with self.subTest('ipv4'):
@ -1645,6 +1649,7 @@ class TC_90_QubesVM(QubesVMTestsMixin, qubes.tests.QubesTestCase):
expected['/qubes-firewall/10.137.0.3'] = '' expected['/qubes-firewall/10.137.0.3'] = ''
expected['/qubes-firewall/10.137.0.3/0000'] = 'action=accept' expected['/qubes-firewall/10.137.0.3/0000'] = 'action=accept'
expected['/qubes-firewall/10.137.0.3/policy'] = 'drop' expected['/qubes-firewall/10.137.0.3/policy'] = 'drop'
expected['/connected-ips'] = '10.137.0.3'
with unittest.mock.patch('qubes.vm.qubesvm.QubesVM.is_running', with unittest.mock.patch('qubes.vm.qubesvm.QubesVM.is_running',
lambda _: True): lambda _: True):
@ -1660,6 +1665,8 @@ class TC_90_QubesVM(QubesVMTestsMixin, qubes.tests.QubesTestCase):
expected['/qubes-firewall/' + ip6] = '' expected['/qubes-firewall/' + ip6] = ''
expected['/qubes-firewall/' + ip6 + '/0000'] = 'action=accept' expected['/qubes-firewall/' + ip6 + '/0000'] = 'action=accept'
expected['/qubes-firewall/' + ip6 + '/policy'] = 'drop' expected['/qubes-firewall/' + ip6 + '/policy'] = 'drop'
expected['/connected-ips6'] = ip6
with unittest.mock.patch('qubes.vm.qubesvm.QubesVM.is_running', with unittest.mock.patch('qubes.vm.qubesvm.QubesVM.is_running',
lambda _: True): lambda _: True):
netvm.create_qdb_entries() netvm.create_qdb_entries()
@ -1708,6 +1715,8 @@ class TC_90_QubesVM(QubesVMTestsMixin, qubes.tests.QubesTestCase):
'/qubes-iptables-header': unittest.mock.ANY, '/qubes-iptables-header': unittest.mock.ANY,
'/qubes-service/qubes-update-check': '0', '/qubes-service/qubes-update-check': '0',
'/qubes-service/meminfo-writer': '1', '/qubes-service/meminfo-writer': '1',
'/connected-ips': '',
'/connected-ips6': '',
}) })

28
qubes/vm/mix/net.py
View File

@ -389,6 +389,23 @@ class NetVMMixin(qubes.events.Emitter):
else: else:
self.untrusted_qdb.rm(mapped_ip_base + '/visible-gateway') self.untrusted_qdb.rm(mapped_ip_base + '/visible-gateway')
def reload_connected_ips(self):
'''
Update list of IPs possibly connected to this machine.
This is used by qubes-firewall to implement anti-spoofing.
'''
connected_ips = [str(vm.visible_ip) for vm in self.connected_vms
if vm.visible_ip is not None]
connected_ips6 = [str(vm.visible_ip6) for vm in self.connected_vms
if vm.visible_ip6 is not None]
self.untrusted_qdb.write(
'/connected-ips',
' '.join(connected_ips))
self.untrusted_qdb.write(
'/connected-ips6',
' '.join(connected_ips6))
@qubes.events.handler('property-pre-del:netvm') @qubes.events.handler('property-pre-del:netvm')
def on_property_pre_del_netvm(self, event, name, oldvalue=None): def on_property_pre_del_netvm(self, event, name, oldvalue=None):
''' Sets the the NetVM to default NetVM ''' ''' Sets the the NetVM to default NetVM '''
@ -436,9 +453,15 @@ class NetVMMixin(qubes.events.Emitter):
''' '''
# pylint: disable=unused-argument # pylint: disable=unused-argument
if oldvalue is not None and oldvalue.is_running():
oldvalue.reload_connected_ips()
if newvalue is None: if newvalue is None:
return return
if newvalue.is_running():
newvalue.reload_connected_ips()
if self.is_running(): if self.is_running():
# refresh IP, DNS etc # refresh IP, DNS etc
self.create_qdb_entries() self.create_qdb_entries()
@ -456,9 +479,11 @@ class NetVMMixin(qubes.events.Emitter):
def on_domain_qdb_create(self, event): def on_domain_qdb_create(self, event):
''' Fills the QubesDB with firewall entries. ''' ''' Fills the QubesDB with firewall entries. '''
# pylint: disable=unused-argument # pylint: disable=unused-argument
# Keep the following in sync with on_firewall_changed.
self.reload_connected_ips()
for vm in self.connected_vms: for vm in self.connected_vms:
if vm.is_running(): if vm.is_running():
# keep in sync with on_firewall_changed
self.set_mapped_ip_info_for_vm(vm) self.set_mapped_ip_info_for_vm(vm)
self.reload_firewall_for_vm(vm) self.reload_firewall_for_vm(vm)
@ -467,6 +492,7 @@ class NetVMMixin(qubes.events.Emitter):
''' Reloads the firewall if vm is running and has a NetVM assigned ''' ''' Reloads the firewall if vm is running and has a NetVM assigned '''
# pylint: disable=unused-argument # pylint: disable=unused-argument
if self.is_running() and self.netvm: if self.is_running() and self.netvm:
self.netvm.reload_connected_ips()
self.netvm.set_mapped_ip_info_for_vm(self) self.netvm.set_mapped_ip_info_for_vm(self)
self.netvm.reload_firewall_for_vm(self) # pylint: disable=no-member self.netvm.reload_firewall_for_vm(self) # pylint: disable=no-member