core-admin/qubes/ext/r3compatibility.py
Marek Marczykowski-Górecki aa0674e8bb
qubes/vm: make VM QubesDB interface as much compatible as possible
All the base keys can be kept easily the same, so do it.

QubesOS/qubes-issues#1812
2016-09-08 04:17:48 +02:00

187 lines
7.4 KiB
Python

#!/usr/bin/python2 -O
# vim: fileencoding=utf-8
#
# The Qubes OS Project, https://www.qubes-os.org/
#
# Copyright (C) 2010 Joanna Rutkowska <joanna@invisiblethingslab.com>
# Copyright (C) 2013-2016 Marek Marczykowski-Górecki
# <marmarek@invisiblethingslab.com>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
import datetime
import qubes.ext
import qubes.vm.qubesvm
import qubes.vm.appvm
import qubes.vm.templatevm
import qubes.utils
yum_proxy_ip = '10.137.255.254'
yum_proxy_port = '8082'
class R3Compatibility(qubes.ext.Extension):
'''Maintain VM interface compatibility with R3.0 and R3.1.
At lease where possible.
'''
features_to_services = {
'services/ntpd': 'ntpd',
'check-updates': 'qubes-update-check',
'dvm': 'qubes-dvm',
}
# noinspection PyUnusedLocal
@qubes.ext.handler('domain-qdb-create')
def on_domain_qdb_create(self, vm, event):
'''
:param qubes.vm.qubesvm.QubesVM vm: \
VM on which QubesDB entries were just created
''' # pylint: disable=unused-argument
# /qubes-vm-type: AppVM, NetVM, ProxyVM, TemplateVM
if isinstance(vm, qubes.vm.templatevm.TemplateVM):
vmtype = 'TemplateVM'
elif vm.netvm is not None and vm.provides_network:
vmtype = 'ProxyVM'
elif vm.netvm is None and vm.provides_network:
vmtype = 'NetVM'
else:
vmtype = 'AppVM'
vm.qdb.write('/qubes-vm-type', vmtype)
vm.qdb.write("/qubes-iptables-error", '')
self.write_iptables_qubesdb_entry(vm)
self.write_services(vm)
@qubes.ext.handler('domain-spawn')
def on_domain_started(self, vm, event, **kwargs):
# pylint: disable=unused-argument
if vm.netvm:
self.write_iptables_qubesdb_entry(vm.netvm)
@qubes.ext.handler('firewall-changed')
def on_firewall_changed(self, vm, event):
# pylint: disable=unused-argument
if vm.is_running() and vm.netvm:
self.write_iptables_qubesdb_entry(vm.netvm)
def write_iptables_qubesdb_entry(self, firewallvm):
# pylint: disable=no-self-use
firewallvm.qdb.rm("/qubes-iptables-domainrules/")
iptables = "# Generated by Qubes Core on {0}\n".format(
datetime.datetime.now().ctime())
iptables += "*filter\n"
iptables += ":INPUT DROP [0:0]\n"
iptables += ":FORWARD DROP [0:0]\n"
iptables += ":OUTPUT ACCEPT [0:0]\n"
# Strict INPUT rules
iptables += "-A INPUT -i vif+ -p udp -m udp --dport 68 -j DROP\n"
iptables += "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED " \
"-j ACCEPT\n"
iptables += "-A INPUT -p icmp -j ACCEPT\n"
iptables += "-A INPUT -i lo -j ACCEPT\n"
iptables += "-A INPUT -j REJECT --reject-with icmp-host-prohibited\n"
iptables += "-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED " \
"-j ACCEPT\n"
# Deny inter-VMs networking
iptables += "-A FORWARD -i vif+ -o vif+ -j DROP\n"
iptables += "COMMIT\n"
firewallvm.qdb.write("/qubes-iptables-header", iptables)
for vm in firewallvm.connected_vms:
iptables = "*filter\n"
conf = vm.get_firewall_conf()
xid = vm.xid
if xid < 0: # VM not active ATM
continue
ip = vm.ip
if ip is None:
continue
# Anti-spoof rules are added by vif-script (vif-route-qubes),
# here we trust IP address
accept_action = "ACCEPT"
reject_action = "REJECT --reject-with icmp-host-prohibited"
if conf["allow"]:
default_action = accept_action
rules_action = reject_action
else:
default_action = reject_action
rules_action = accept_action
for rule in conf["rules"]:
iptables += "-A FORWARD -s {0} -d {1}".format(
ip, rule["address"])
if rule["netmask"] != 32:
iptables += "/{0}".format(rule["netmask"])
if rule["proto"] is not None and rule["proto"] != "any":
iptables += " -p {0}".format(rule["proto"])
if rule["portBegin"] is not None and rule["portBegin"] > 0:
iptables += " --dport {0}".format(rule["portBegin"])
if rule["portEnd"] is not None and \
rule["portEnd"] > rule["portBegin"]:
iptables += ":{0}".format(rule["portEnd"])
iptables += " -j {0}\n".format(rules_action)
if conf["allowDns"] and firewallvm.netvm is not None:
# PREROUTING does DNAT to NetVM DNSes, so we need self.netvm.
# properties
iptables += "-A FORWARD -s {0} -p udp -d {1} --dport 53 -j " \
"ACCEPT\n".format(ip, vm.dns[0])
iptables += "-A FORWARD -s {0} -p udp -d {1} --dport 53 -j " \
"ACCEPT\n".format(ip, vm.dns[1])
iptables += "-A FORWARD -s {0} -p tcp -d {1} --dport 53 -j " \
"ACCEPT\n".format(ip, vm.dns[0])
iptables += "-A FORWARD -s {0} -p tcp -d {1} --dport 53 -j " \
"ACCEPT\n".format(ip, vm.dns[1])
if conf["allowIcmp"]:
iptables += "-A FORWARD -s {0} -p icmp -j ACCEPT\n".format(ip)
if conf["allowYumProxy"]:
iptables += \
"-A FORWARD -s {0} -p tcp -d {1} --dport {2} -j ACCEPT\n".\
format(ip, yum_proxy_ip, yum_proxy_port)
else:
iptables += \
"-A FORWARD -s {0} -p tcp -d {1} --dport {2} -j DROP\n".\
format(ip, yum_proxy_ip, yum_proxy_port)
iptables += "-A FORWARD -s {0} -j {1}\n".format(ip, default_action)
iptables += "COMMIT\n"
firewallvm.qdb.write("/qubes-iptables-domainrules/" + str(xid),
iptables)
# no need for ending -A FORWARD -j DROP, cause default action is DROP
firewallvm.qdb.write("/qubes-iptables", 'reload')
def write_services(self, vm):
for feature, value in vm.features.items():
service = self.features_to_services.get(feature, feature)
# forcefully convert to '0' or '1'
vm.qdb.write('/qubes-service/{}'.format(service),
str(int(bool(value))))
if 'updates-proxy-setup' in vm.features.keys():
vm.qdb.write('/qubes-service/{}'.format('yum-proxy-setup'),
str(int(bool(vm.features['updates-proxy-setup']))))