Qubes/core-admin
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Generate policy for Admin API calls based on annotations on actual methods

Browse Source 
This ease Admin API administration, and also adds checking if qrexec
policy + scripts matches actual Admin API methods implementation.
The idea is to classify every Admin API method as either local
read-only, local read-write, global read-only or global read-write.
Where local/global means affecting a single VM, or the whole system.

See QubesOS/qubes-issues#2871 for details.

Fixes QubesOS/qubes-issues#2871
This commit is contained in:
Marek Marczykowski-Górecki 2017-06-27 01:55:17 +02:00
parent d0663940a7
commit 3d803acfde
No known key found for this signature in database
GPG Key ID: 063938BA42CFA724
8 changed files with 158 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
Makefile
View File

@ -8,7 +8,6 @@ OS ?= Linux
PYTHON ?= python3 PYTHON ?= python3
ADMIN_API_METHODS_SIMPLE = \ ADMIN_API_METHODS_SIMPLE = \
admin.vm.List \
admin.vmclass.List \ admin.vmclass.List \
admin.Events \ admin.Events \
admin.backup.Execute \ admin.backup.Execute \
@ -17,6 +16,7 @@ ADMIN_API_METHODS_SIMPLE = \
admin.label.Create \ admin.label.Create \
admin.label.Get \ admin.label.Get \
admin.label.List \ admin.label.List \
admin.label.Index \
admin.label.Remove \ admin.label.Remove \
admin.pool.Add \ admin.pool.Add \
admin.pool.Info \ admin.pool.Info \
@ -84,6 +84,7 @@ ADMIN_API_METHODS_SIMPLE = \
admin.vm.tag.List \ admin.vm.tag.List \
admin.vm.tag.Remove \ admin.vm.tag.Remove \
admin.vm.tag.Set \ admin.vm.tag.Set \
admin.vm.volume.Clone \
admin.vm.volume.Info \ admin.vm.volume.Info \
admin.vm.volume.List \ admin.vm.volume.List \
admin.vm.volume.ListSnapshots \ admin.vm.volume.ListSnapshots \
@ -91,10 +92,6 @@ ADMIN_API_METHODS_SIMPLE = \
admin.vm.volume.Revert \ admin.vm.volume.Revert \
$(null) $(null)
ADMIN_API_METHODS := $(ADMIN_API_METHODS_SIMPLE) \
admin.vm.volume.Import \
$(null)
ifeq ($(OS),Linux) ifeq ($(OS),Linux)
DATADIR ?= /var/lib/qubes DATADIR ?= /var/lib/qubes
STATEDIR ?= /var/run/qubes STATEDIR ?= /var/run/qubes
@ -173,15 +170,26 @@ endif
install qubes-rpc/qubesd-query-fast $(DESTDIR)/usr/libexec/qubes/ install qubes-rpc/qubesd-query-fast $(DESTDIR)/usr/libexec/qubes/
for method in $(ADMIN_API_METHODS_SIMPLE); do \ for method in $(ADMIN_API_METHODS_SIMPLE); do \
ln -s ../../usr/libexec/qubes/qubesd-query-fast \ ln -s ../../usr/libexec/qubes/qubesd-query-fast \
$(DESTDIR)/etc/qubes-rpc/$$method; \ $(DESTDIR)/etc/qubes-rpc/$$method || exit 1; \
done done
install qubes-rpc/admin.vm.volume.Import $(DESTDIR)/etc/qubes-rpc/ install qubes-rpc/admin.vm.volume.Import $(DESTDIR)/etc/qubes-rpc/
for method in $(ADMIN_API_METHODS); do \ PYTHONPATH=.:test-packages qubes-rpc-policy/generate-admin-policy \
install -m 0644 qubes-rpc-policy/admin-default \ --destdir=$(DESTDIR)/etc/qubes-rpc/policy \
$(DESTDIR)/etc/qubes-rpc/policy/$$method; \ --exclude admin.vm.Create.AdminVM \
admin.vm.CreateInPool.AdminVM \
admin.vm.device.testclass.Attach \
admin.vm.device.testclass.Detach \
admin.vm.device.testclass.List \
admin.vm.device.testclass.Available
# sanity check
for method in $(DESTDIR)/etc/qubes-rpc/policy/admin.*; do \
ls $(DESTDIR)/etc/qubes-rpc/$$(basename $$method) >/dev/null || exit 1; \
done done
install -d $(DESTDIR)/etc/qubes-rpc/policy/include install -d $(DESTDIR)/etc/qubes-rpc/policy/include
install -m 0644 qubes-rpc-policy/admin-all \ install -m 0644 qubes-rpc-policy/admin-local-ro \
qubes-rpc-policy/admin-local-rwx \
qubes-rpc-policy/admin-global-ro \
qubes-rpc-policy/admin-global-rwx \
$(DESTDIR)/etc/qubes-rpc/policy/include/ $(DESTDIR)/etc/qubes-rpc/policy/include/
mkdir -p "$(DESTDIR)$(FILESDIR)" mkdir -p "$(DESTDIR)$(FILESDIR)"

13
qubes-rpc-policy/admin-default
View File

@ -1,13 +0,0 @@
## Note that policy parsing stops at the first match,
## so adding anything below "$anyvm $anyvm action" line will have no effect
## Please use a single # to start your custom comments
## Add your entries here, make sure to append ",target=dom0" to all allow/ask actions
## Include a single file for all admin.* methods to ease setting up Management VM.
## To allow only specific actions, edit specific policy file, like this one. To
## allow all of them, edit /etc/qubes-rpc/include/admin-all.
$include:/etc/qubes-rpc/policy/include/admin-all
$anyvm $anyvm deny

13
qubes-rpc-policy/admin-global-ro Normal file
View File

@ -0,0 +1,13 @@
## This file is included from all global read-only admin.* policy files
## _in default configuration_. To allow only specific action,
## edit specific policy file.
## Note that policy parsing stops at the first match,
## Please use a single # to start your custom comments
## Include all already having write access
$include:include/admin-global-rwx
## Add your entries here, make sure to append ",target=dom0" to all allow/ask actions

11
qubes-rpc-policy/admin-global-rwx Normal file
View File

@ -0,0 +1,11 @@
## This file is included from all global read-write admin.* policy files
## _in default configuration_. To allow only specific action,
## edit specific policy file.
## Note that policy parsing stops at the first match,
## so adding anything below "$anyvm $anyvm action" line will have no effect
## Please use a single # to start your custom comments
## Add your entries here, make sure to append ",target=dom0" to all allow/ask actions

14
qubes-rpc-policy/admin-local-ro Normal file
View File

@ -0,0 +1,14 @@
## This file is included from all local read-only admin.* policy files
## _in default configuration_. To allow only specific action,
## edit specific policy file.
## Note that policy parsing stops at the first match,
## so adding anything below "$anyvm $anyvm action" line will have no effect
## Please use a single # to start your custom comments
## Include all already having write access
$include:include/admin-local-rwx
## Add your entries here, make sure to append ",target=dom0" to all allow/ask actions

6
qubes-rpc-policy/admin-all → qubes-rpc-policy/admin-local-rwx
View File

@ -1,5 +1,6 @@
## This file is included from all admin.* policy files _in default ## This file is included from all local read-write admin.* policy files
## configuration_. To allow only specific action, edit specific policy file. ## _in default configuration_. To allow only specific action,
## edit specific policy file.
## Note that policy parsing stops at the first match, ## Note that policy parsing stops at the first match,
## so adding anything below "$anyvm $anyvm action" line will have no effect ## so adding anything below "$anyvm $anyvm action" line will have no effect
@ -8,4 +9,3 @@
## Add your entries here, make sure to append ",target=dom0" to all allow/ask actions ## Add your entries here, make sure to append ",target=dom0" to all allow/ask actions
$anyvm $anyvm deny

95
qubes-rpc-policy/generate-admin-policy Executable file
View File

@ -0,0 +1,95 @@
#!/usr/bin/python3
# coding=utf-8
# The Qubes OS Project, https://www.qubes-os.org/
#
# Copyright (C) 2017 Marek Marczykowski-Górecki
# <marmarek@invisiblethingslab.com>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
import argparse
import os
import sys
import qubes.api.admin
parser = argparse.ArgumentParser(
description='Generate default Admin API policy')
parser.add_argument('--include-base', action='store',
default='/etc/qubes-rpc/policy/include',
help='Base path for included paths (default: %(default)s)')
parser.add_argument('--destdir', action='store',
default='/etc/qubes-rpc/policy',
help='Directory where write output files to (default: %(default)s)')
parser.add_argument('--verbose', action='store_true', default=False,
help='Be verbose')
parser.add_argument('--exclude', action='store', nargs='*',
help='Exclude service')
parser.add_argument('service', nargs='*', action='store',
help='Generate policy for those services (default: all)')
default_policy_header = '''\
## Note that policy parsing stops at the first match.
## Please use a single # to start your custom comments
## Add your entries here, make sure to append ",target=dom0" to all allow/ask actions
## Include a common file for all admin.* methods to ease setting up
## Management VM.
## To allow only specific actions, edit specific policy file, like this one. To
## allow all of them, edit appropriate /etc/qubes-rpc/include/admin-*.
'''
def write_default_policy(args, apiname, clasifiers):
''' Write single default policy for given API call '''
assert 'scope' in clasifiers, \
'Method {} lack scope classifier'.format(apiname)
assert any(attr in clasifiers for attr in ('read', 'write', 'execute')), \
'Method {} lack read/write/execute classifier'.format(apiname)
assert clasifiers['scope'] in ('local', 'global'), \
'Method {} have invalid scope: {}'.format(apiname, clasifiers['scope'])
file_to_include = 'admin-{scope}-{rwx}'.format(
scope=clasifiers['scope'],
rwx=('rwx' if clasifiers.get('write', False) or
clasifiers.get('execute', False)
else 'ro'))
if args.verbose:
print('Service {}: include {}'.format(apiname, file_to_include),
file=sys.stderr)
with open(os.path.join(args.destdir, apiname), 'w') as f:
f.write(default_policy_header)
f.write('$include:{}\n'.format(
os.path.join(args.include_base, file_to_include)))
def main(args=None):
''' Main function of default-admin-policy tool'''
args = parser.parse_args(args)
for func, apiname, _ in qubes.api.admin.QubesAdminAPI.list_methods():
if args.service and apiname not in args.service:
continue
if args.exclude and apiname in args.exclude:
continue
write_default_policy(args, apiname, func.classifiers)
if __name__ == '__main__':
sys.exit(main())

5
rpm_spec/core-dom0.spec
View File

@ -410,7 +410,10 @@ fi
/etc/xen/scripts/block-origin /etc/xen/scripts/block-origin
/etc/xen/scripts/vif-route-qubes /etc/xen/scripts/vif-route-qubes
%attr(0664,root,qubes) %config(noreplace) /etc/qubes-rpc/policy/admin.* %attr(0664,root,qubes) %config(noreplace) /etc/qubes-rpc/policy/admin.*
%attr(0664,root,qubes) %config(noreplace) /etc/qubes-rpc/policy/include/admin-all %attr(0664,root,qubes) %config(noreplace) /etc/qubes-rpc/policy/include/admin-local-ro
%attr(0664,root,qubes) %config(noreplace) /etc/qubes-rpc/policy/include/admin-local-rwx
%attr(0664,root,qubes) %config(noreplace) /etc/qubes-rpc/policy/include/admin-global-ro
%attr(0664,root,qubes) %config(noreplace) /etc/qubes-rpc/policy/include/admin-global-rwx
%attr(0664,root,qubes) %config(noreplace) /etc/qubes-rpc/policy/qubes.FeaturesRequest %attr(0664,root,qubes) %config(noreplace) /etc/qubes-rpc/policy/qubes.FeaturesRequest
%attr(0664,root,qubes) %config(noreplace) /etc/qubes-rpc/policy/qubes.Filecopy %attr(0664,root,qubes) %config(noreplace) /etc/qubes-rpc/policy/qubes.Filecopy
%attr(0664,root,qubes) %config(noreplace) /etc/qubes-rpc/policy/qubes.GetImageRGBA %attr(0664,root,qubes) %config(noreplace) /etc/qubes-rpc/policy/qubes.GetImageRGBA