Merge remote-tracking branch 'woju/master'

This commit is contained in:
Marek Marczykowski-Górecki 2014-05-16 20:14:05 +02:00
commit ad3b45b2fb
4 changed files with 27 additions and 50 deletions


@ -60,9 +60,11 @@ def main():
else: else:
gui = int(untrusted_gui) gui = int(untrusted_gui)
if untrusted_user is not None: if untrusted_user is not None and re.match(r'^[a-zA-Z0-9-]{1,255}$', untrusted_user):
if re.match(r'^[a-zA-Z0-9-]+$', untrusted_user): assert '@' not in untrusted_user
user = untrusted_user assert '/' not in untrusted_user
user = untrusted_user
else: else:
user = None user = None
@ -70,7 +72,7 @@ def main():
source_vm.qrexec_installed = qrexec > 0 source_vm.qrexec_installed = qrexec > 0
source_vm.guiagent_installed = gui > 0 source_vm.guiagent_installed = gui > 0
if user: if user is not None:
source_vm.default_user = user source_vm.default_user = user
qvm_collection.save() qvm_collection.save()
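Review bot: The `$` anchor in the new pattern on the `if untrusted_user is not None and re.match(...)` line still matches just before a trailing newline, so a value such as `"user\n"` passes the check and is stored unchanged in `source_vm.default_user`; `\Z` closes that gap: `if untrusted_user is not None and re.match(r'^[a-zA-Z0-9-]{1,255}\Z', untrusted_user):`. The two `assert '@' not in ...` / `assert '/' not in ...` lines are already implied by the character class and are stripped under `python -O`, so they must not be relied on as a second line of defence; either drop them or make them a plain `if ...: raise`. Where `untrusted_user` is read from is outside this hunk, so whether a newline can actually arrive here is not visible from the page. `main()` starts and ends outside the hunk.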


@ -27,32 +27,7 @@ import subprocess
import sys import sys
import re import re
import os import os
import socket
services = list()
def load_services():
global services
services = list()
pattern = re.compile("(?P<name>[a-z][a-z0-9-]+)\s+(?P<port>[0-9]+)/(?P<protocol>[a-z]+)", re.IGNORECASE)
f = open('/etc/services', 'r')
for line in f:
match = pattern.match(line)
if match is not None:
service = match.groupdict()
services.append( (service["name"], int(service["port"]), service["protocol"]) )
f.close()
def get_service_name(port):
for service in services:
if service[1] == port:
return service[0]
return str(port)
def get_service_port(name):
for service in services:
if service[0] == name:
return int(service[1])
return None
def parse_rule(args): def parse_rule(args):
if len(args) < 2: if len(args) < 2:
@ -109,13 +84,14 @@ def parse_rule(args):
port = port_range[0] port = port_range[0]
port_end = port_range[1] port_end = port_range[1]
if get_service_port(port): if port.isdigit():
port = get_service_port(port)
elif not port.isdigit():
print >>sys.stderr, "ERROR: Invalid port/service name '%s'" % port
return None
else:
port = int(port) port = int(port)
else:
try:
port = socket.getservbyname(port)
except socket.error:
print >>sys.stderr, "ERROR: Invalid port/service name '%s'" % port
return None
if port_end is not None and not port_end.isdigit(): if port_end is not None and not port_end.isdigit():
print >>sys.stderr, "ERROR: Invalid port '%s'" % port_end print >>sys.stderr, "ERROR: Invalid port '%s'" % port_end
@ -132,7 +108,7 @@ def parse_rule(args):
rule['portEnd'] = port_end rule['portEnd'] = port_end
return rule return rule
def list_rules(rules): def list_rules(rules, numeric=False):
fields = [ "num", "address", "proto", "port(s)" ] fields = [ "num", "address", "proto", "port(s)" ]
rules_to_display = list() rules_to_display = list()
@ -147,8 +123,11 @@ def list_rules(rules):
if rule['proto'] in ['tcp', 'udp']: if rule['proto'] in ['tcp', 'udp']:
parsed_rule['port(s)'] = str(rule['portBegin']) + \ parsed_rule['port(s)'] = str(rule['portBegin']) + \
('-' + str(rule['portEnd']) if rule['portEnd'] is not None else '') ('-' + str(rule['portEnd']) if rule['portEnd'] is not None else '')
if rule['portBegin'] is not None and rule['portEnd'] is None: if not numeric and rule['portBegin'] is not None and rule['portEnd'] is None:
parsed_rule['port(s)'] = get_service_name(rule['portBegin']) try:
parsed_rule['port(s)'] = str(socket.getservbyport(rule['portBegin']))
except socket.error:
pass
if 'expire' in rule: if 'expire' in rule:
parsed_rule['expire'] = str(datetime.datetime.fromtimestamp(rule[ parsed_rule['expire'] = str(datetime.datetime.fromtimestamp(rule[
@ -193,13 +172,13 @@ def list_rules(rules):
s += " <-- expires at %s" % r['expire'] s += " <-- expires at %s" % r['expire']
print s print s
def display_firewall(conf): def display_firewall(conf, numeric=False):
print "Firewall policy: %s" % ( print "Firewall policy: %s" % (
"ALLOW all traffic except" if conf['allow'] else "DENY all traffic except") "ALLOW all traffic except" if conf['allow'] else "DENY all traffic except")
print "ICMP: %s" % ("ALLOW" if conf['allowIcmp'] else 'DENY') print "ICMP: %s" % ("ALLOW" if conf['allowIcmp'] else 'DENY')
print "DNS: %s" % ("ALLOW" if conf['allowDns'] else 'DENY') print "DNS: %s" % ("ALLOW" if conf['allowDns'] else 'DENY')
print "Qubes yum proxy: %s" % ("ALLOW" if conf['allowYumProxy'] else 'DENY') print "Qubes yum proxy: %s" % ("ALLOW" if conf['allowYumProxy'] else 'DENY')
list_rules(conf['rules']) list_rules(conf['rules'], numeric)
def add_rule(conf, args): def add_rule(conf, args):
rule = parse_rule(args) rule = parse_rule(args)
@ -318,17 +297,13 @@ def main():
changed = True changed = True
if options.do_add: if options.do_add:
load_services()
changed = add_rule(conf, args) changed = add_rule(conf, args)
elif options.do_del: elif options.do_del:
load_services()
changed = del_rule(conf, args) changed = del_rule(conf, args)
elif options.do_list and not options.reload: elif options.do_list and not options.reload:
if not options.numeric:
load_services()
if not vm.has_firewall(): if not vm.has_firewall():
print "INFO: This VM has no firewall rules set, below defaults are listed" print "INFO: This VM has no firewall rules set, below defaults are listed"
display_firewall(conf) display_firewall(conf, options.numeric)
if changed: if changed:
vm.write_firewall_conf(conf) vm.write_firewall_conf(conf)
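Review bot: `socket.getservbyport(rule['portBegin'])` in the new `list_rules` branch resolves the port without the rule's protocol, so a UDP rule can be labelled with the name registered for the same TCP port (or vice versa) when /etc/services lists them under different names; `rule['proto']` is already checked two lines above, so `parsed_rule['port(s)'] = socket.getservbyport(rule['portBegin'], rule['proto'])` keeps the label consistent with the rule (the surrounding `str()` is unnecessary, the call returns a string). The same applies to `socket.getservbyname(port)` in `parse_rule`, which should resolve the name against the protocol the rule is being created for; the protocol variable there is outside the hunk, so I cannot quote the exact line. Note that `getservbyport` raises `OverflowError`, not `socket.error`, for a value outside 0–65535, which the `except socket.error: pass` does not catch — presumably `portBegin` is range-checked when the rule is written, but worth confirming. Both `parse_rule` and `list_rules` continue outside the hunks.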


@ -164,7 +164,7 @@ def set_mac(vms, vm, args):
print >> sys.stderr, "Missing MAC argument!" print >> sys.stderr, "Missing MAC argument!"
return False return False
if not re.match("[0-9a-fA-F:]{17}|auto", args[0]): if not re.match("[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}|auto", args[0]):
print >> sys.stderr, "Invalid MAC argument!" print >> sys.stderr, "Invalid MAC argument!"
print >> sys.stderr, "Possible values:" print >> sys.stderr, "Possible values:"
print >> sys.stderr, "1) auto" print >> sys.stderr, "1) auto"
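Review bot: The new MAC pattern is still unanchored at the end and `re.match` only pins the start, so `00:11:22:33:44:55:66` or `auto-anything` still pass the `if not re.match(...)` check and the raw `args[0]` is accepted as given; grouping the alternation and anchoring it rejects them: `if not re.match(r"^([0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}|auto)\Z", args[0]):`. The parentheses matter because without them the end anchor would apply only to the `auto` branch. What the accepted value is then written to is outside this hunk, so how a trailing suffix would be interpreted downstream is not visible here. `set_mac` continues outside the hunk.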


@ -72,10 +72,10 @@ def main():
sys.exit(1) sys.exit(1)
# Use the date format based on RFC2822 to avoid localisation issues # Use the date format based on RFC2822 to avoid localisation issues
p = clock_vm.run('date -u -R', verbose=verbose, passio_popen=True, ignore_stderr=True) p = clock_vm.run('date -u -Iseconds', verbose=verbose, passio_popen=True, ignore_stderr=True)
date_out = p.stdout.read(100) date_out = p.stdout.read(100)
date_out = date_out.strip() date_out = date_out.strip()
if not re.match(r'^[A-Za-z]+[,] [0-9][0-9] [A-Za-z]+ [0-9][0-9][0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] [+]0000$', date_out): if not re.match(r'^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\+0000$', date_out):
print >> sys.stderr, 'Invalid date output, aborting!' print >> sys.stderr, 'Invalid date output, aborting!'
sys.exit(1) sys.exit(1)
@ -83,7 +83,7 @@ def main():
if verbose: if verbose:
print >> sys.stderr, '--> Syncing dom0 clock.' print >> sys.stderr, '--> Syncing dom0 clock.'
subprocess.check_call(['sudo', 'date', '-u', '-R', '-s', date_out]) subprocess.check_call(['sudo', 'date', '-u', '-Iseconds', '-s', date_out])
subprocess.check_call(['sudo', 'hwclock', '--systohc']) subprocess.check_call(['sudo', 'hwclock', '--systohc'])
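Review bot: The validation regex on the `if not re.match(r'^\d{4}-\d{2}-\d{2}T...` line hard-codes the UTC offset as `+0000`, but newer GNU coreutils print `date -Iseconds` offsets as `+00:00`, so depending on the clock VM's coreutils version every sync would abort with 'Invalid date output'; `\+00:?00$` accepts both spellings and `date -s` parses either: `if not re.match(r'^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\+00:?00$', date_out):`. The strict allow-list before the value reaches `sudo date -s` is the right shape given that the string comes from another VM, and the `date_out.strip()` above already removes the trailing newline that `$` alone would tolerate. The `-Iseconds` in the `sudo date ... -s` call only changes how the newly set time is echoed back, so it is harmless but unneeded. `main()` starts and ends outside the hunks.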
# Sync other VMs clock # Sync other VMs clock