Commit Graph

28 Commits

Author SHA1 Message Date
Marek Marczykowski-Górecki
971c7d4ac9
api/admin: add admin.vm.CreateDisposable in place of internal.vm.Create.DispVM
Add public Admin API call to create Disposable VM that would be
automatically destroyed after shutdown. Do not keep this functionality
for qrexec-policy tool only.
Also, use admin.vm.Start there, instead of internal.vm.Start and
admin.vm.Kill instead of internal.vm.CleanupDispVM (this is enough,
because DispVM now have auto_cleanup property).

QubesOS/qubes-issues#2974
2017-08-06 20:54:10 +02:00
Marek Marczykowski-Górecki
38bc751b97
qubespolicy: fix handling icons dictionary
Build icons dictionary from all provided icons, not only those allowed
as target. Specifically, source may not be allowed target (but the
window need its icon).
2017-07-30 14:48:21 +02:00
Marek Marczykowski-Górecki
d650a90289
qubespolicy: fix handling ask,default_target= 2017-07-30 14:48:06 +02:00
Bahtiar `kalkin-` Gadimov
a936b07d7b
Do not display gi Gtk warning when running tests
- Fix Gtk import
2017-07-14 14:15:46 +02:00
Wojtek Porczyk
55c9370454 qubespolicy: make commas exchangeable for spaces
Commas in policy action are optional, if used with spaces.
2017-07-04 12:49:26 +02:00
Marek Marczykowski-Górecki
e7f717ec3d
doc: fix formating of policy-related documentation
Fix Sphinx warnings and errors in both doc/ and docstrings.
2017-07-04 04:27:36 +02:00
Marek Marczykowski-Górecki
e8e30c8bdf
qubespolicy: fix handling allow rule to '$dispvm'
When rule does not specify forced target (`target=...`), generic
`$dispvm` wasn't resolved to specific Disposable VM (based on
`default_dispvm` property).
2017-07-04 04:27:36 +02:00
Marek Marczykowski-Górecki
a96a85bdc9
qubespolicy: add a tool to analyze policy in form of graph
Output possible connections between VMs in form of dot file.

Fixes QubesOS/qubes-issues#2873
2017-07-04 04:27:36 +02:00
Marek Marczykowski-Górecki
8afb425271
qubespolicy: allow non-default policy directory
This will allow to evaluate policy extracted from other system.
And also ease tests.

QubesOS/qubes-issues#2873
2017-07-04 04:27:35 +02:00
Marek Marczykowski-Górecki
26ea836f67
qubespolicy: add $adminvm keyword for specifying dom0 aka AdminVM
Fixes QubesOS/qubes-issues#2872
2017-07-04 04:27:35 +02:00
Marek Marczykowski-Górecki
a937bb173a
qubespolicy: allow spaces in action arguments
This is natural to write space after coma.
2017-07-04 04:27:34 +02:00
Wojtek Porczyk
00a81b75a3 qubespolicy: fix import order 2017-06-01 12:31:14 +02:00
Marek Marczykowski-Górecki
58e58e0ca7
qubespolicy: improve logging
Include actual target to which service was allowed (either overriden by
policy, or chosen by user).

QubesOS/qubes-issues#910
2017-05-17 14:25:54 +02:00
Marek Marczykowski-Górecki
258d268a3a
Rename MgmtAPI to AdminAPI - part 2: internal API
QubesOS/qubes-issues#853
2017-05-12 19:28:08 +02:00
Marek Marczykowski-Górecki
fa72679b47
Make pylint happy
New pylint throw some more warnings.
2017-04-21 16:57:35 +02:00
Marek Marczykowski-Górecki
e5ad26c090
qubespolicy: make pylint happy
This include refactoring out one-function-class GtkIconGetter.

QubesOS/qubes-issues#910
2017-04-07 17:07:30 +02:00
Marek Marczykowski-Górecki
a3da85bfda
qubespolicy: run GUI code inside user session and expose it as dbus object
This way it will work independently from where qrexec-policy tool will
be called (in most cases - from a system service, as root).
This is also very similar architecture to what we'll need when moving to
GUI domain - there GUI part will also be separated from policy
evaluation logic.

QubesOS/qubes-issues#910
2017-04-07 17:07:30 +02:00
Marek Marczykowski-Górecki
4d3f539f7f
qubespolicy: plug GUI code into qrexec-policy tool
Fixes QubesOS/qubes-issues#910
2017-04-07 17:07:30 +02:00
Marek Marczykowski-Górecki
6c3410377d
rpc-window: adjust for qubespolicy API
- drop qid usage - it isn't really needed, especially for to-be-created
  DispVMs
- use "domains_info" dict as input, instead of loading qubes.xml
  directly
- nicely format "Disposable VM" entries
- simplify whitelist/blacklist handling - since qrexecpolicy always
  provide a list of allowed choices, use just that

Important note: there are two names concepts:
1. Display name - name of VM, or in case of to-be-created DispVMs - a
string "Disposable VM (name-of-base-vm)"
2. API name - as in qrexec policy - $dispvm:name-of-base-vm for new
DispVMs

Externally at API level (allowed targets list, return value), API name
is used, but internally VMListModeler._entries is still indexed with
display names. This is done for more efficient (and readable) GUI
handling - because most of the time it's searched for what user have
entered.

QubesOS/qubes-issues#910
2017-04-07 17:07:29 +02:00
Marek Marczykowski-Górecki
b1dbc0647f
rpc-window: use pkg_resources for glade file
This is more canonical way for accessing data files.

QubesOS/qubes-issues#910
2017-04-07 17:07:29 +02:00
Marek Marczykowski-Górecki
067940f5aa
rpc-window: use 'edit-find' icon if no other is found
'gnome-foot' icon is not present in Adwaita theme.

QubesOS/qubes-issues#910
2017-04-07 17:07:29 +02:00
Marek Marczykowski-Górecki
20a1853f3f
rpc-window: adjust for python3
dict.keys() is not indexable.

QubesOS/qubes-issues#910
2017-04-07 17:07:28 +02:00
Marek Marczykowski-Górecki
ab1bd77b45
rpc-window: code style adjustments
QubesOS/qubes-issues#910
2017-04-07 17:07:28 +02:00
Marek Marczykowski-Górecki
b3ceb2d7fa
Import new rpc confirmation window code
Import unmodified implementation done by @boring-stuff.
Full history for reference is available in rpc-confirmation-window
branch.

QubesOS/qubes-issues#910
2017-04-07 17:07:28 +02:00
Marek Marczykowski-Górecki
83526a28d3
qubesd: add second socket for in-dom0 internal calls
This socket (and commands) are not exposed to untrusted input, so no
need to extensive sanitization. Also, there is no need to provide a
stable API here, as those methods are used internally only.

QubesOS/qubes-issues#853
2017-04-07 17:07:28 +02:00
Marek Marczykowski-Górecki
c9b5d0ab15
policy: qrexec-policy cli tool
This is the tool called by qrexec-daemon.
2017-04-06 15:43:17 +02:00
Marek Marczykowski-Górecki
564408eb3f
tests: qubespolicy tests
Fixes QubesOS/qubes-issues#2460
2017-04-06 15:43:17 +02:00
Marek Marczykowski-Górecki
e705a04cc5
qubespolicy: initial version for core3
This is rewritten version of core-admin-linux/qrexec/qrexec-policy.

It's placed outside of `qubes` module on purpose - to avoid imporing it,
which require a lot of time.

QubesOS/qubes-issues#865
QubesOS/qubes-issues#910
2017-04-06 15:43:17 +02:00