Commit Graph

28 Commits

Author SHA1 Message Date
Marek Marczykowski-Górecki
eeec2e0ddd
qubespolicy: forbid qrexec loopback connections at policy level
libxenvchan currently can't handle loopback connections. Since error
reporting on vchan connection setup is far from perfect, try to avoid
making such connections at all.

QubesOS/qubes-issues#951
Fixes QubesOS/qubes-issues#4804
2019-02-27 06:03:57 +01:00
Marek Marczykowski-Górecki
91c9e49612
Drop unnecessary 'pass' to make pylint happy 2018-12-04 16:06:33 +01:00
Marek Marczykowski-Górecki
f621e8792c
Merge branch 'master' into devel-no-assert 2018-10-29 20:29:53 +01:00
Marek Marczykowski-Górecki
be2465c1f9
Fix issues found by pylint 2.0
Resolve:
 - no-else-return
 - useless-object-inheritance
 - useless-return
 - consider-using-set-comprehension
 - consider-using-in
 - logging-not-lazy

Ignore:
 - not-an-iterable - false possitives for asyncio coroutines

Ignore all the above in qubespolicy/__init__.py, as the file will be
moved to separate repository (core-qrexec) - it already has a copy
there, don't desynchronize them.
2018-07-15 23:51:15 +02:00
Wojtek Porczyk
4e49b951ce Do not use assert statement in security logic
This is because assert statement gets optimised out when Python is run
with -O flag. This was pointed out to me by audience at PyWaw 76.
2018-06-11 12:32:05 +02:00
Marek Marczykowski-Górecki
232a00a2b0
qubespolicy: translate '' target to '@default' earlier
Translate empty target to '@default' keyword earlier, so that
original_target will report '@default' instead of ''. The latter is
rejected by qubes-rpc-multiplexer when the call is directed to dom0,
because it expects to get non-empty arguments about original
target.
2018-03-03 03:50:59 +01:00
Marek Marczykowski-Górecki
68b6f1ec76
qubespolicy: use '@' instead of '$' for policy keywords
Using '$' is easy to misuse in shell scripts, shell commands etc. After
all this years, lets abandon this dangerous character and move to
something safer: '@'. The choice was made after reviewing specifications
of various shells on different operating systems and this is the
character that have no special meaning in none of them.

To preserve compatibility, automatically translate '$' to '@' when
loading policy files.
2018-02-19 03:33:40 +01:00
Marek Marczykowski-Górecki
c87fcd7e2e
qubespolicy: use separate arguments for original target type and value
Provide original target as two arguments: type, value
This will ease handling special keywords without risking hitting shell
special characters or other problems.
2018-02-19 03:32:44 +01:00
Marek Marczykowski-Górecki
7c50bd5104
qubespolicy: unify calling qrexec service
Rely on qrexec-client resolving QUBESRPC keyword, same as in case of VM
call. This will allow applying special treatment to such calls, like
calling qubes-rpc-multiplexer directly (avoiding shell), because we have
defined protocol what can be used here.
2018-02-16 04:30:32 +01:00
Marek Marczykowski-Górecki
d3cc2d50e3
qubespolicy: fix handling '$adminvm' target with ask action
All policy keywords needs to be expanded before sending it to
confirmation dialog. $dispvm was already handled, but $adminvm was
missing

Fixes QubesOS/qubes-issues#3283
2017-11-07 03:10:41 +01:00
Marek Marczykowski-Górecki
2164a8d7b8
Change license to LGPL v2.1+
See this thread for reasoning and acceptance from contributors:
https://groups.google.com/d/topic/qubes-devel/G7KzrfU0lWY/discussion
"Changing qubes-core-admin license to LGPL v2.1+"
2017-10-12 00:11:50 +02:00
Marek Marczykowski-Górecki
d4716832e2
qubespolicy: move all syntax-level validation to one place
This will make analyzing the policy code slightly easier. While it makes
verify_special_value function more complex, other places are much
simpler now.
2017-09-11 14:28:14 +02:00
Marek Marczykowski-Górecki
5e870e4b6a
qubespolicy: implement $dispvm:$tag: syntax
This allow to specify allowed/forbidden DispVM base using tags, not only
static name.

Fixes QubesOS/qubes-issues#3048
2017-09-05 02:07:27 +02:00
Marek Marczykowski-Górecki
99bd193688
Rename 'dispvm_allowed' to 'template_for_dispvms'
'dispvm_allowed' name was confusing, because it suggested being able to
spawn new DispVMs, not being a template for DispVM.

Fixes QubesOS/qubes-issues#3047
2017-09-05 02:07:26 +02:00
Marek Marczykowski-Górecki
12661dccf8
qubespolicy: ask to create default policy if none is found
Fixes QubesOS/qubes-issues#3005
2017-08-14 02:24:31 +02:00
Marek Marczykowski-Górecki
971c7d4ac9
api/admin: add admin.vm.CreateDisposable in place of internal.vm.Create.DispVM
Add public Admin API call to create Disposable VM that would be
automatically destroyed after shutdown. Do not keep this functionality
for qrexec-policy tool only.
Also, use admin.vm.Start there, instead of internal.vm.Start and
admin.vm.Kill instead of internal.vm.CleanupDispVM (this is enough,
because DispVM now have auto_cleanup property).

QubesOS/qubes-issues#2974
2017-08-06 20:54:10 +02:00
Marek Marczykowski-Górecki
d650a90289
qubespolicy: fix handling ask,default_target= 2017-07-30 14:48:06 +02:00
Wojtek Porczyk
55c9370454 qubespolicy: make commas exchangeable for spaces
Commas in policy action are optional, if used with spaces.
2017-07-04 12:49:26 +02:00
Marek Marczykowski-Górecki
e7f717ec3d
doc: fix formating of policy-related documentation
Fix Sphinx warnings and errors in both doc/ and docstrings.
2017-07-04 04:27:36 +02:00
Marek Marczykowski-Górecki
e8e30c8bdf
qubespolicy: fix handling allow rule to '$dispvm'
When rule does not specify forced target (`target=...`), generic
`$dispvm` wasn't resolved to specific Disposable VM (based on
`default_dispvm` property).
2017-07-04 04:27:36 +02:00
Marek Marczykowski-Górecki
8afb425271
qubespolicy: allow non-default policy directory
This will allow to evaluate policy extracted from other system.
And also ease tests.

QubesOS/qubes-issues#2873
2017-07-04 04:27:35 +02:00
Marek Marczykowski-Górecki
26ea836f67
qubespolicy: add $adminvm keyword for specifying dom0 aka AdminVM
Fixes QubesOS/qubes-issues#2872
2017-07-04 04:27:35 +02:00
Marek Marczykowski-Górecki
a937bb173a
qubespolicy: allow spaces in action arguments
This is natural to write space after coma.
2017-07-04 04:27:34 +02:00
Wojtek Porczyk
00a81b75a3 qubespolicy: fix import order 2017-06-01 12:31:14 +02:00
Marek Marczykowski-Górecki
258d268a3a
Rename MgmtAPI to AdminAPI - part 2: internal API
QubesOS/qubes-issues#853
2017-05-12 19:28:08 +02:00
Marek Marczykowski-Górecki
fa72679b47
Make pylint happy
New pylint throw some more warnings.
2017-04-21 16:57:35 +02:00
Marek Marczykowski-Górecki
83526a28d3
qubesd: add second socket for in-dom0 internal calls
This socket (and commands) are not exposed to untrusted input, so no
need to extensive sanitization. Also, there is no need to provide a
stable API here, as those methods are used internally only.

QubesOS/qubes-issues#853
2017-04-07 17:07:28 +02:00
Marek Marczykowski-Górecki
e705a04cc5
qubespolicy: initial version for core3
This is rewritten version of core-admin-linux/qrexec/qrexec-policy.

It's placed outside of `qubes` module on purpose - to avoid imporing it,
which require a lot of time.

QubesOS/qubes-issues#865
QubesOS/qubes-issues#910
2017-04-06 15:43:17 +02:00