From 2942f8bcacb927d508812e7a7046d1003662878c Mon Sep 17 00:00:00 2001
From: Wojtek Porczyk
Date: Wed, 14 Jun 2017 11:47:52 +0200
Subject: [PATCH 1/3] qubes: admin extension for managing tags
---
 qubes/ext/admin.py | 34 ++++++++++++++++++++++++++++++++++
 setup.py | 1 +
 2 files changed, 35 insertions(+)
 create mode 100644 qubes/ext/admin.py
diff --git a/qubes/ext/admin.py b/qubes/ext/admin.py
new file mode 100644
index 00000000..ecdadc5a
--- /dev/null
+++ b/qubes/ext/admin.py
@@ -0,0 +1,34 @@
+# -*- encoding: utf8 -*-
+#
+# The Qubes OS Project, http://www.qubes-os.org
+#
+# Copyright (C) 2017 Wojtek Porczyk
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, see .
+
+import qubes.api
+import qubes.ext
+
+class AdminExtension(qubes.ext.Extension):
+ # pylint: disable=too-few-public-methods
+ @qubes.ext.handler(
+ 'mgmt-permission:admin.vm.tag.Set',
+ 'mgmt-permission:admin.vm.tag.Remove')
+ def on_tag_set_or_remove(self, vm, event, arg, **kwargs):
+ '''Forbid changing specific tags'''
+ # pylint: disable=no-self-use,unused-argument
+ if arg.startswith('created-by-'):
+ raise qubes.api.PermissionDenied()
+
+ # TODO create that extension in the first place
diff --git a/setup.py b/setup.py
index 0bcd0714..d5d5262e 100644
--- a/setup.py
+++ b/setup.py
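Review bot: In `on_tag_set_or_remove` (PATCH 1/3, qubes/ext/admin.py) the protected prefix `'created-by-'` is an inline literal, and neither the class nor the one-line docstring says which tags are protected or why. The trailing TODO suggests nothing creates these tags yet; once that code exists it has to use exactly the same prefix or this permission check silently protects nothing, so I would name it once, `PROTECTED_TAG_PREFIX = 'created-by-'`, and write the docstring as `'''Deny admin.vm.tag.Set and admin.vm.tag.Remove for tags starting with created-by-'''`. The diffstat also shows no test; one asserting that both events raise `qubes.api.PermissionDenied` for a `created-by-` tag and return normally for any other tag would pin the rule.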
@@ -43,6 +43,7 @@ if __name__ == '__main__':
 'DispVM = qubes.vm.dispvm:DispVM',
 ],
 'qubes.ext': [
+ 'qubes.ext.admin = qubes.ext.admin:AdminExtension',
 'qubes.ext.core_features = qubes.ext.core_features:CoreFeatures',
 'qubes.ext.qubesmanager = qubes.ext.qubesmanager:QubesManager',
 'qubes.ext.gui = qubes.ext.gui:GUI',
From 8c9ce0587b36c25a1fb5dc66b6d7fbf1b1fd0e6e Mon Sep 17 00:00:00 2001
From: Wojtek Porczyk
Date: Thu, 22 Jun 2017 13:21:37 +0200
Subject: [PATCH 2/3] ext/admin: add explanation to PermissionDenied
---
 qubes/ext/admin.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/qubes/ext/admin.py b/qubes/ext/admin.py
index ecdadc5a..30feef7b 100644
--- a/qubes/ext/admin.py
+++ b/qubes/ext/admin.py
@@ -29,6 +29,8 @@ class AdminExtension(qubes.ext.Extension):
 '''Forbid changing specific tags'''
 # pylint: disable=no-self-use,unused-argument
 if arg.startswith('created-by-'):
- raise qubes.api.PermissionDenied()
+ raise qubes.api.PermissionDenied(
+ 'changing this tag is prohibited by {}.{}'.format(
+ __name__, type(self).__name__))

- # TODO create that extension in the first place
+ # TODO create that tag here (need to figure out how to pass mgmtvm name)
From 9f57db874983acb128c685a44f6e49d1a74ad7ea Mon Sep 17 00:00:00 2001
From: Wojtek Porczyk
Date: Fri, 23 Jun 2017 10:26:04 +0200
Subject: [PATCH 3/3] rpm_spec: fix
---
 rpm_spec/core-dom0.spec | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rpm_spec/core-dom0.spec b/rpm_spec/core-dom0.spec
index 729df0ef..78589264 100644
--- a/rpm_spec/core-dom0.spec
+++ b/rpm_spec/core-dom0.spec
@@ -285,6 +285,7 @@ fi
 %dir %{python3_sitelib}/qubes/ext/__pycache__
 %{python3_sitelib}/qubes/ext/__pycache__/*
 %{python3_sitelib}/qubes/ext/__init__.py
+%{python3_sitelib}/qubes/ext/admin.py
 %{python3_sitelib}/qubes/ext/block.py
 %{python3_sitelib}/qubes/ext/core_features.py
 %{python3_sitelib}/qubes/ext/gui.py
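Review bot: The `no-self-use` suppression on the context line above the `if` in `on_tag_set_or_remove` (PATCH 2/3, qubes/ext/admin.py) is stale now that the new message calls `type(self).__name__`; it can shrink to `# pylint: disable=unused-argument`. The message names the denying module and class but not the rejected tag, and whether this text is returned to the calling qube is not visible in the hunk; if it is, confirm that exposing the internal module path is intended. The method begins above this hunk.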