diff --git a/qubes-rpc/qubes-notify-tools b/qubes-rpc/qubes-notify-tools
index 2869dc92..c91d8d09 100755
--- a/qubes-rpc/qubes-notify-tools
+++ b/qubes-rpc/qubes-notify-tools
@@ -60,9 +60,11 @@ def main():
 else:
 gui = int(untrusted_gui)

- if untrusted_user is not None:
- if re.match(r'^[a-zA-Z0-9-]+$', untrusted_user):
- user = untrusted_user
+ if untrusted_user is not None and re.match(r'^[a-zA-Z0-9-]{1,255}$', untrusted_user):
+ assert '@' not in untrusted_user
+ assert '/' not in untrusted_user
+
+ user = untrusted_user
 else:
 user = None

@@ -70,7 +72,7 @@ def main():
 source_vm.qrexec_installed = qrexec > 0
 source_vm.guiagent_installed = gui > 0

- if user:
+ if user is not None:
 source_vm.default_user = user

 qvm_collection.save()
diff --git a/qvm-tools/qvm-firewall b/qvm-tools/qvm-firewall
index 3ff07711..12577b1e 100755
--- a/qvm-tools/qvm-firewall
+++ b/qvm-tools/qvm-firewall
@@ -27,32 +27,7 @@ import subprocess
 import sys
 import re
 import os
-
-services = list()
-
-def load_services():
- global services
- services = list()
- pattern = re.compile("(?P[a-z][a-z0-9-]+)\s+(?P[0-9]+)/(?P[a-z]+)", re.IGNORECASE)
- f = open('/etc/services', 'r')
- for line in f:
- match = pattern.match(line)
- if match is not None:
- service = match.groupdict()
- services.append( (service["name"], int(service["port"]), service["protocol"]) )
- f.close()
-
-def get_service_name(port):
- for service in services:
- if service[1] == port:
- return service[0]
- return str(port)
-
-def get_service_port(name):
- for service in services:
- if service[0] == name:
- return int(service[1])
- return None
+import socket

 def parse_rule(args):
 if len(args) < 2:
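Review bot: `re.match(r'^[a-zA-Z0-9-]{1,255}$', untrusted_user)` still accepts a value that ends in a newline, because `$` matches before a final `\n`, so `user` can become `alice\n` and that is what gets stored in `default_user`; anchor with `\Z` instead, `if untrusted_user is not None and re.match(r'^[a-zA-Z0-9-]{1,255}\Z', untrusted_user):`. The two `assert` lines are redundant with the character class and are stripped under `python -O`, so they record intent rather than enforce anything; a comment such as `# redundant with the regex above; asserts are not a security check` would keep a later reader from relying on them. The class also admits a leading `-`, which only matters if `default_user` is ever placed on a command line elsewhere, but is worth a note if so. main() continues outside the hunk.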
@@ -109,13 +84,14 @@ def parse_rule(args):
 port = port_range[0]
 port_end = port_range[1]

- if get_service_port(port):
- port = get_service_port(port)
- elif not port.isdigit():
- print >>sys.stderr, "ERROR: Invalid port/service name '%s'" % port
- return None
- else:
+ if port.isdigit():
 port = int(port)
+ else:
+ try:
+ port = socket.getservbyname(port)
+ except socket.error:
+ print >>sys.stderr, "ERROR: Invalid port/service name '%s'" % port
+ return None

 if port_end is not None and not port_end.isdigit():
 print >>sys.stderr, "ERROR: Invalid port '%s'" % port_end
@@ -132,7 +108,7 @@ def parse_rule(args):
 rule['portEnd'] = port_end
 return rule

-def list_rules(rules):
+def list_rules(rules, numeric=False):
 fields = [ "num", "address", "proto", "port(s)" ]

 rules_to_display = list()
@@ -147,8 +123,11 @@ def list_rules(rules):
 if rule['proto'] in ['tcp', 'udp']:
 parsed_rule['port(s)'] = str(rule['portBegin']) + \
 ('-' + str(rule['portEnd']) if rule['portEnd'] is not None else '')
- if rule['portBegin'] is not None and rule['portEnd'] is None:
- parsed_rule['port(s)'] = get_service_name(rule['portBegin'])
+ if not numeric and rule['portBegin'] is not None and rule['portEnd'] is None:
+ try:
+ parsed_rule['port(s)'] = str(socket.getservbyport(rule['portBegin']))
+ except socket.error:
+ pass
 if 'expire' in rule:
 parsed_rule['expire'] = str(datetime.datetime.fromtimestamp(rule[
@@ -193,13 +172,13 @@ def list_rules(rules):
 s += " <-- expires at %s" % r['expire']
 print s

-def display_firewall(conf):
+def display_firewall(conf, numeric=False):
 print "Firewall policy: %s" % (
 "ALLOW all traffic except" if conf['allow'] else "DENY all traffic except")
 print "ICMP: %s" % ("ALLOW" if conf['allowIcmp'] else 'DENY')
 print "DNS: %s" % ("ALLOW" if conf['allowDns'] else 'DENY')
 print "Qubes yum proxy: %s" % ("ALLOW" if conf['allowYumProxy'] else 'DENY')
- list_rules(conf['rules'])
+ list_rules(conf['rules'], numeric)

 def add_rule(conf, args):
 rule = parse_rule(args)
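Review bot: `socket.getservbyname(port)` in parse_rule is called without a protocol, so a service that /etc/services defines only for udp resolves for a tcp rule and vice versa; the removed `get_service_port` had the same gap, but the lookup can now take the rule's protocol, `port = socket.getservbyname(port, proto)` (the protocol variable is set outside this hunk, so use whatever name it has there). The same point applies to the `list_rules` hunk further down, where `socket.getservbyport(rule['portBegin'])` should pass `rule['proto']` as its second argument, and where `except socket.error` does not cover the `OverflowError` getservbyport raises for a port outside 0–65535, should such a value ever reach it from the stored conf. In the digit branch, `port = int(port)` is not range-checked in the visible lines; if parse_rule does not bound it later, a value above 65535 is written into the rule as-is. parse_rule starts outside the hunk.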
@@ -318,17 +297,13 @@ def main():
 changed = True

 if options.do_add:
- load_services()
 changed = add_rule(conf, args)
 elif options.do_del:
- load_services()
 changed = del_rule(conf, args)
 elif options.do_list and not options.reload:
- if not options.numeric:
- load_services()
 if not vm.has_firewall():
 print "INFO: This VM has no firewall rules set, below defaults are listed"
- display_firewall(conf)
+ display_firewall(conf, options.numeric)

 if changed:
 vm.write_firewall_conf(conf)
diff --git a/qvm-tools/qvm-prefs b/qvm-tools/qvm-prefs
index c9e54455..992ab6bc 100755
--- a/qvm-tools/qvm-prefs
+++ b/qvm-tools/qvm-prefs
@@ -164,7 +164,7 @@ def set_mac(vms, vm, args):
 print >> sys.stderr, "Missing MAC argument!"
 return False

- if not re.match("[0-9a-fA-F:]{17}|auto", args[0]):
+ if not re.match("[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}|auto", args[0]):
 print >> sys.stderr, "Invalid MAC argument!"
 print >> sys.stderr, "Possible values:"
 print >> sys.stderr, "1) auto"
diff --git a/qvm-tools/qvm-sync-clock b/qvm-tools/qvm-sync-clock
index df2eddc2..62112754 100755
--- a/qvm-tools/qvm-sync-clock
+++ b/qvm-tools/qvm-sync-clock
@@ -72,10 +72,10 @@ def main():
 sys.exit(1)

 # Use the date format based on RFC2822 to avoid localisation issues
- p = clock_vm.run('date -u -R', verbose=verbose, passio_popen=True, ignore_stderr=True)
+ p = clock_vm.run('date -u -Iseconds', verbose=verbose, passio_popen=True, ignore_stderr=True)
 date_out = p.stdout.read(100)
 date_out = date_out.strip()
- if not re.match(r'^[A-Za-z]+[,] [0-9][0-9] [A-Za-z]+ [0-9][0-9][0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] [+]0000$', date_out):
+ if not re.match(r'^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\+0000$', date_out):
 print >> sys.stderr, 'Invalid date output, aborting!'
 sys.exit(1)

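Review bot: The tightened MAC pattern in `set_mac` is still anchored only at the start, so `re.match` accepts `00:11:22:33:44:55xyz` and `autopilot` as valid values, and the `|auto` alternative is not grouped with the address branch. Anchor the whole alternation and group it: `if not re.match(r"^(?:[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5}|auto)\Z", args[0]):`. set_mac continues outside the hunk.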
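Review bot: The new check `^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\+0000$` in qvm-sync-clock hard-codes the `+0000` offset form, but newer GNU coreutils print `date -Iseconds` with a colon in the offset (`+00:00`), so against such a clock VM the sync always aborts with 'Invalid date output'. Accepting both spellings, `r'^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\+00:?00\Z'`, keeps the whitelist tight (and `\Z` avoids `$` matching before a trailing newline) while both forms remain valid input for `date -s` in the following hunk. The unchanged comment above the call still says RFC2822, which no longer describes `-Iseconds`; change it to `# Use ISO 8601 (date -I) output to avoid localisation issues; date_out is passed to sudo date -s below, so keep the check strict`. main() continues outside the hunk.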
@@ -83,7 +83,7 @@ def main():
 if verbose:
 print >> sys.stderr, '--> Syncing dom0 clock.'

- subprocess.check_call(['sudo', 'date', '-u', '-R', '-s', date_out])
+ subprocess.check_call(['sudo', 'date', '-u', '-Iseconds', '-s', date_out])
 subprocess.check_call(['sudo', 'hwclock', '--systohc'])

 # Sync other VMs clock