Qubes/core-admin
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

dom0/qrexec: implement standalone policy evaluation (#12 pro)

Browse Source 
This change will allow to use the same policy mechanism to control clipboard
copy between domains.
This commit is contained in:
Marek Marczykowski 2012-08-18 22:08:26 +02:00
parent 11e142adb3
commit 7c1dfe9266
1 changed files with 23 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
qrexec/qrexec_policy
View File

@ -5,6 +5,7 @@ import os.path
import subprocess import subprocess
import xen.lowlevel.xl import xen.lowlevel.xl
import qubes.guihelpers import qubes.guihelpers
from optparse import OptionParser
from qubes.qubes import QubesVmCollection from qubes.qubes import QubesVmCollection
import fcntl import fcntl
@ -127,10 +128,18 @@ def policy_editor(domain, target, exec_index):
subprocess.call(["/usr/bin/zenity", "--info", "--text", text]) subprocess.call(["/usr/bin/zenity", "--info", "--text", text])
def main(): def main():
domain=sys.argv[1] usage = "usage: %prog [options] <src-domain> <target-domain> <service> <process-ident>"
target=sys.argv[2] parser = OptionParser (usage)
exec_index=sys.argv[3] parser.add_option ("--assume-yes-for-ask", action="store_true", dest="assume_yes_for_ask", default=False,
process_ident=sys.argv[4] help="Allow run of service without confirmation if policy say 'ask'")
parser.add_option ("--just-evaluate", action="store_true", dest="just_evaluate", default=False,
help="Do not run the service, only evaluate policy; retcode=0 means 'allow'")
(options, args) = parser.parse_args ()
domain=args[0]
target=args[1]
exec_index=args[2]
process_ident=args[3]
policy_list=read_policy_file(exec_index) policy_list=read_policy_file(exec_index)
if policy_list==None: if policy_list==None:
@ -141,6 +150,9 @@ def main():
policy_dict=find_policy(policy_list, domain, target) policy_dict=find_policy(policy_list, domain, target)
if policy_dict["action"] == "ask" and options.assume_yes_for_ask:
policy_dict["action"] = "allow"
if policy_dict["action"] == "ask": if policy_dict["action"] == "ask":
user_choice = confirm_execution(domain, target, exec_index) user_choice = confirm_execution(domain, target, exec_index)
if user_choice == UserChoice.ALWAYS_ALLOW: if user_choice == UserChoice.ALWAYS_ALLOW:
@ -151,6 +163,12 @@ def main():
else: else:
policy_dict["action"] = "deny" policy_dict["action"] = "deny"
if options.just_evaluate:
if policy_dict["action"] == "allow":
exit(0)
else:
exit(1)
if policy_dict["action"] == "allow": if policy_dict["action"] == "allow":
if policy_dict.has_key("action.target"): if policy_dict.has_key("action.target"):
target=policy_dict["action.target"] target=policy_dict["action.target"]