Merge remote-tracking branch 'woju/master'

2014-05-16 20:14:05 +02:00 · 2014-05-16 20:14:05 +02:00 · ad3b45b2fb
commit ad3b45b2fb
parent 2abe0649d4 04df26ab70
4 changed files with 27 additions and 50 deletions
--- a/qubes-rpc/qubes-notify-tools
+++ b/qubes-rpc/qubes-notify-tools
@ -60,8 +60,10 @@ def main():
        else:
            gui = int(untrusted_gui)

-        if untrusted_user is not None:
-            if re.match(r'^[a-zA-Z0-9-]+$', untrusted_user):
+        if untrusted_user is not None and re.match(r'^[a-zA-Z0-9-]{1,255}$', untrusted_user):
+            assert '@' not in untrusted_user
+            assert '/' not in untrusted_user
+
            user = untrusted_user
        else:
            user = None
@ -70,7 +72,7 @@ def main():
        source_vm.qrexec_installed = qrexec > 0
        source_vm.guiagent_installed = gui > 0

-        if user:
+        if user is not None:
            source_vm.default_user = user

        qvm_collection.save()
--- a/qvm-tools/qvm-firewall
+++ b/qvm-tools/qvm-firewall
@ -27,32 +27,7 @@ import subprocess
 import sys
 import re
 import os
-
-services = list()
-
-def load_services():
-    global services
-    services = list()
-    pattern = re.compile("(?P<name>[a-z][a-z0-9-]+)\s+(?P<port>[0-9]+)/(?P<protocol>[a-z]+)", re.IGNORECASE)
-    f = open('/etc/services', 'r')
-    for line in f:
-        match = pattern.match(line)
-        if match is not None:
-            service = match.groupdict()
-            services.append( (service["name"], int(service["port"]), service["protocol"]) )
-    f.close()
-
-def get_service_name(port):
-    for service in services:
-        if service[1] == port:
-            return service[0]
-    return str(port)
-
-def get_service_port(name):
-    for service in services:
-        if service[0] == name:
-            return int(service[1])
-    return None
+import socket

 def parse_rule(args):
    if len(args) < 2:
@ -109,13 +84,14 @@ def parse_rule(args):
            port = port_range[0]
            port_end = port_range[1]

-        if get_service_port(port):
-            port = get_service_port(port)
-        elif not port.isdigit():
+        if port.isdigit():
+            port = int(port)
+        else:
+            try:
+                port = socket.getservbyname(port)
+            except socket.error:
                print >>sys.stderr, "ERROR: Invalid port/service name '%s'" % port
                return None
-        else:
-            port = int(port)

        if port_end is not None and not port_end.isdigit():
            print >>sys.stderr, "ERROR: Invalid port '%s'" % port_end
@ -132,7 +108,7 @@ def parse_rule(args):
    rule['portEnd'] = port_end
    return rule

-def list_rules(rules):
+def list_rules(rules, numeric=False):
    fields = [ "num", "address", "proto", "port(s)" ]

    rules_to_display = list()
@ -147,8 +123,11 @@ def list_rules(rules):
        if rule['proto'] in ['tcp', 'udp']:
            parsed_rule['port(s)'] = str(rule['portBegin']) + \
                ('-' + str(rule['portEnd']) if rule['portEnd'] is not None else '')
-            if rule['portBegin'] is not None and rule['portEnd'] is None:
-                parsed_rule['port(s)'] = get_service_name(rule['portBegin'])
+            if not numeric and rule['portBegin'] is not None and rule['portEnd'] is None:
+                try:
+                    parsed_rule['port(s)'] = str(socket.getservbyport(rule['portBegin']))
+                except socket.error:
+                    pass

        if 'expire' in rule:
            parsed_rule['expire'] = str(datetime.datetime.fromtimestamp(rule[
@ -193,13 +172,13 @@ def list_rules(rules):
            s += " <-- expires at %s" % r['expire']
        print s

-def display_firewall(conf):
+def display_firewall(conf, numeric=False):
    print "Firewall policy: %s" % (
            "ALLOW all traffic except" if conf['allow'] else "DENY all traffic except")
    print "ICMP: %s" % ("ALLOW" if conf['allowIcmp'] else 'DENY')
    print "DNS: %s" % ("ALLOW" if conf['allowDns'] else 'DENY')
    print "Qubes yum proxy: %s" % ("ALLOW" if conf['allowYumProxy'] else 'DENY')
-    list_rules(conf['rules'])
+    list_rules(conf['rules'], numeric)

 def add_rule(conf, args):
    rule = parse_rule(args)
@ -318,17 +297,13 @@ def main():
        changed = True

    if options.do_add:
-        load_services()
        changed = add_rule(conf, args)
    elif options.do_del:
-        load_services()
        changed = del_rule(conf, args)
    elif options.do_list and not options.reload:
-        if not options.numeric:
-            load_services()
        if not vm.has_firewall():
            print "INFO: This VM has no firewall rules set, below defaults are listed"
-        display_firewall(conf)
+        display_firewall(conf, options.numeric)

    if changed:
        vm.write_firewall_conf(conf)
--- a/qvm-tools/qvm-prefs
+++ b/qvm-tools/qvm-prefs
@ -164,7 +164,7 @@ def set_mac(vms, vm, args):
        print >> sys.stderr, "Missing MAC argument!"
        return False

-    if not re.match("[0-9a-fA-F:]{17}|auto", args[0]):
+    if not re.match("[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}|auto", args[0]):
        print >> sys.stderr, "Invalid MAC argument!"
        print >> sys.stderr, "Possible values:"
        print >> sys.stderr, "1) auto"
--- a/qvm-tools/qvm-sync-clock
+++ b/qvm-tools/qvm-sync-clock
@ -72,10 +72,10 @@ def main():
        sys.exit(1)

    # Use the date format based on RFC2822 to avoid localisation issues
-    p = clock_vm.run('date -u -R', verbose=verbose, passio_popen=True, ignore_stderr=True)
+    p = clock_vm.run('date -u -Iseconds', verbose=verbose, passio_popen=True, ignore_stderr=True)
    date_out = p.stdout.read(100)
    date_out = date_out.strip()
-    if not re.match(r'^[A-Za-z]+[,] [0-9][0-9] [A-Za-z]+ [0-9][0-9][0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] [+]0000$', date_out):
+    if not re.match(r'^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\+0000$', date_out):
        print >> sys.stderr, 'Invalid date output, aborting!'
        sys.exit(1)

@ -83,7 +83,7 @@ def main():
    if verbose:
        print >> sys.stderr, '--> Syncing dom0 clock.'

-    subprocess.check_call(['sudo', 'date', '-u', '-R', '-s', date_out])
+    subprocess.check_call(['sudo', 'date', '-u', '-Iseconds', '-s', date_out])
    subprocess.check_call(['sudo', 'hwclock', '--systohc'])

    # Sync other VMs clock