generate-admin-policy 3.6 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596
  1. #!/usr/bin/python3
  2. # coding=utf-8
  3. # The Qubes OS Project, https://www.qubes-os.org/
  4. #
  5. # Copyright (C) 2017 Marek Marczykowski-Górecki
  6. # <marmarek@invisiblethingslab.com>
  7. #
  8. # This program is free software; you can redistribute it and/or modify
  9. # it under the terms of the GNU General Public License as published by
  10. # the Free Software Foundation; either version 2 of the License, or
  11. # (at your option) any later version.
  12. #
  13. # This program is distributed in the hope that it will be useful,
  14. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  15. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  16. # GNU General Public License for more details.
  17. #
  18. # You should have received a copy of the GNU General Public License along
  19. # with this program; if not, write to the Free Software Foundation, Inc.,
  20. # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  21. import argparse
  22. import os
  23. import sys
  24. import qubes.api.admin
  25. parser = argparse.ArgumentParser(
  26. description='Generate default Admin API policy')
  27. parser.add_argument('--include-base', action='store',
  28. default='include',
  29. help='Base path for included paths (default: %(default)s)')
  30. parser.add_argument('--destdir', action='store',
  31. default='/etc/qubes-rpc/policy',
  32. help='Directory where write output files to (default: %(default)s)')
  33. parser.add_argument('--verbose', action='store_true', default=False,
  34. help='Be verbose')
  35. parser.add_argument('--exclude', action='store', nargs='*',
  36. help='Exclude service')
  37. parser.add_argument('service', nargs='*', action='store',
  38. help='Generate policy for those services (default: all)')
  39. default_policy_header = '''\
  40. ## Note that policy parsing stops at the first match.
  41. ## Anything not specifically allowed here (or in included file) will be denied.
  42. ## Please use a single # to start your custom comments
  43. ## Add your entries here, make sure to append ",target=dom0" to all allow/ask actions
  44. ## Include a common file for all admin.* methods to ease setting up
  45. ## Management VM.
  46. ## To allow only specific actions, edit specific policy file, like this one. To
  47. ## allow all of them, edit appropriate /etc/qubes-rpc/include/admin-*.
  48. '''
  49. def write_default_policy(args, apiname, clasifiers):
  50. ''' Write single default policy for given API call '''
  51. assert 'scope' in clasifiers, \
  52. 'Method {} lack scope classifier'.format(apiname)
  53. assert any(attr in clasifiers for attr in ('read', 'write', 'execute')), \
  54. 'Method {} lack read/write/execute classifier'.format(apiname)
  55. assert clasifiers['scope'] in ('local', 'global'), \
  56. 'Method {} have invalid scope: {}'.format(apiname, clasifiers['scope'])
  57. file_to_include = 'admin-{scope}-{rwx}'.format(
  58. scope=clasifiers['scope'],
  59. rwx=('rwx' if clasifiers.get('write', False) or
  60. clasifiers.get('execute', False)
  61. else 'ro'))
  62. if args.verbose:
  63. print('Service {}: include {}'.format(apiname, file_to_include),
  64. file=sys.stderr)
  65. with open(os.path.join(args.destdir, apiname), 'w') as f:
  66. f.write(default_policy_header)
  67. f.write('$include:{}\n'.format(
  68. os.path.join(args.include_base, file_to_include)))
  69. def main(args=None):
  70. ''' Main function of default-admin-policy tool'''
  71. args = parser.parse_args(args)
  72. for func, apiname, _ in qubes.api.admin.QubesAdminAPI.list_methods():
  73. if args.service and apiname not in args.service:
  74. continue
  75. if args.exclude and apiname in args.exclude:
  76. continue
  77. write_default_policy(args, apiname, func.classifiers)
  78. if __name__ == '__main__':
  79. sys.exit(main())