Home Explore Help
Sign In
Qubes
/
core-admin
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: b3c92c475a
Branches Tags
core-admin
/
qubespolicy
/
cli.py

cli.py 4.5 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112 
  1. # -*- encoding: utf8 -*-
    2. 

  2. #
    3. 

  3. # The Qubes OS Project, http://www.qubes-os.org
    4. 

  4. #
    5. 

  5. # Copyright (C) 2017 Marek Marczykowski-Górecki
    6. 

  6. #                               <marmarek@invisiblethingslab.com>
    7. 

  7. #
    8. 

  8. # This program is free software; you can redistribute it and/or modify
    9. 

  9. # it under the terms of the GNU General Public License as published by
    10. 

  10. # the Free Software Foundation; either version 2 of the License, or
    11. 

  11. # (at your option) any later version.
    12. 

  12. #
    13. 

  13. # This program is distributed in the hope that it will be useful,
    14. 

  14. # but WITHOUT ANY WARRANTY; without even the implied warranty of
    15. 

  15. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    16. 

  16. # GNU General Public License for more details.
    17. 

  17. #
    18. 

  18. # You should have received a copy of the GNU General Public License along
    19. 

  19. # with this program; if not, see <http://www.gnu.org/licenses/>.
    20. 

  20. import argparse
    21. 

  21. import logging
    22. 

  22. import logging.handlers
    23. 

  23. 

  24. import sys
    25. 

  25. 

  26. import qubespolicy
    27. 

  27. 

  28. parser = argparse.ArgumentParser(description="Evaluate qrexec policy")
    29. 

  29. 

  30. parser.add_argument("--assume-yes-for-ask", action="store_true",
    31. 

  31.     dest="assume_yes_for_ask", default=False,
    32. 

  32.     help="Allow run of service without confirmation if policy say 'ask'")
    33. 

  33. parser.add_argument("--just-evaluate", action="store_true",
    34. 

  34.     dest="just_evaluate", default=False,
    35. 

  35.     help="Do not run the service, only evaluate policy; "
    36. 

  36.          "retcode=0 means 'allow'")
    37. 

  37. parser.add_argument('domain_id', metavar='src-domain-id',
    38. 

  38.     help='Source domain ID (Xen ID or similar, not Qubes ID)')
    39. 

  39. parser.add_argument('domain', metavar='src-domain-name',
    40. 

  40.     help='Source domain name')
    41. 

  41. parser.add_argument('target', metavar='dst-domain-name',
    42. 

  42.     help='Target domain name')
    43. 

  43. parser.add_argument('service_name', metavar='service-name',
    44. 

  44.     help='Service name')
    45. 

  45. parser.add_argument('process_ident', metavar='process-ident',
    46. 

  46.     help='Qrexec process identifier - for connecting data channel')
    47. 

  47. 

  48. 

  49. def main(args=None):
    50. 

  50.     args = parser.parse_args(args)
    51. 

  51. 

  52.     # Add source domain information, required by qrexec-client for establishing
    53. 

  53.     # connection
    54. 

  54.     caller_ident = args.process_ident + "," + args.domain + "," + args.domain_id
    55. 

  55.     log = logging.getLogger('qubespolicy')
    56. 

  56.     log.setLevel(logging.INFO)
    57. 

  57.     handler = logging.handlers.SysLogHandler(address='/dev/log')
    58. 

  58.     log.addHandler(handler)
    59. 

  59.     log_prefix = 'qrexec: {}: {} -> {}: '.format(
    60. 

  60.         args.service_name, args.domain, args.target)
    61. 

  61.     try:
    62. 

  62.         system_info = qubespolicy.get_system_info()
    63. 

  63.     except qubespolicy.QubesMgmtException as e:
    64. 

  64.         log.error(log_prefix + 'error getting system info: ' + str(e))
    65. 

  65.         return 1
    66. 

  66.     try:
    67. 

  67.         policy = qubespolicy.Policy(args.service_name)
    68. 

  68.         action = policy.evaluate(system_info, args.domain, args.target)
    69. 

  69.         if args.assume_yes_for_ask and action.action == qubespolicy.Action.ask:
    70. 

  70.             action.action = qubespolicy.Action.allow
    71. 

  71.         if args.just_evaluate:
    72. 

  72.             return {
    73. 

  73.                 qubespolicy.Action.allow: 0,
    74. 

  74.                 qubespolicy.Action.deny: 1,
    75. 

  75.                 qubespolicy.Action.ask: 1,
    76. 

  76.             }[action.action]
    77. 

  77.         if action.action == qubespolicy.Action.ask:
    78. 

  78.             # late import to save on time for allow/deny actions
    79. 

  79.             import pydbus
    80. 

  80.             bus = pydbus.SystemBus()
    81. 

  81.             proxy = bus.get('org.qubesos.PolicyAgent',
    82. 

  82.                 '/org/qubesos/PolicyAgent')
    83. 

  83. 

  84.             icons = {name: system_info['domains'][name]['icon']
    85. 

  85.                 for name in system_info['domains'].keys()}
    86. 

  86.             for dispvm_base in system_info['domains']:
    87. 

  87.                 if not system_info['domains'][dispvm_base]['dispvm_allowed']:
    88. 

  88.                     continue
    89. 

  89.                 dispvm_api_name = '$dispvm:' + dispvm_base
    90. 

  90.                 icons[dispvm_api_name] = \
    91. 

  91.                     system_info['domains'][dispvm_base]['icon']
    92. 

  92.                 icons[dispvm_api_name] = \
    93. 

  93.                     icons[dispvm_api_name].replace('app', 'disp')
    94. 

  94. 

  95.             response = proxy.Ask(args.domain, args.service_name,
    96. 

  96.                 action.targets_for_ask, action.target or '', icons)
    97. 

  97.             if response:
    98. 

  98.                 action.handle_user_response(True, response)
    99. 

  99.             else:
    100. 

  100.                 action.handle_user_response(False)
    101. 

  101.         log.info(log_prefix + 'allowed to {}'.format(action.target))
    102. 

  102.         action.execute(caller_ident)
    103. 

  103.     except qubespolicy.PolicySyntaxError as e:
    104. 

  104.         log.error(log_prefix + 'error loading policy: ' + str(e))
    105. 

  105.         return 1
    106. 

  106.     except qubespolicy.AccessDenied as e:
    107. 

  107.         log.info(log_prefix + 'denied: ' + str(e))
    108. 

  108.         return 1
    109. 

  109.     return 0
    110. 

  110. 

  111. if __name__ == '__main__':
    112. 

  112.     sys.exit(main())
    113.