__init__.py 28 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759
  1. # coding=utf-8
  2. # The Qubes OS Project, https://www.qubes-os.org/
  3. #
  4. # Copyright (C) 2013-2015 Joanna Rutkowska <joanna@invisiblethingslab.com>
  5. # Copyright (C) 2013-2017 Marek Marczykowski-Górecki
  6. # <marmarek@invisiblethingslab.com>
  7. #
  8. # This library is free software; you can redistribute it and/or
  9. # modify it under the terms of the GNU Lesser General Public
  10. # License as published by the Free Software Foundation; either
  11. # version 2.1 of the License, or (at your option) any later version.
  12. #
  13. # This library is distributed in the hope that it will be useful,
  14. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  15. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  16. # Lesser General Public License for more details.
  17. #
  18. # You should have received a copy of the GNU Lesser General Public
  19. # License along with this library; if not, see <https://www.gnu.org/licenses/>.
  20. # pylint: disable=no-else-return,useless-object-inheritance,try-except-raise
  21. ''' Qrexec policy parser and evaluator '''
  22. import enum
  23. import itertools
  24. import json
  25. import os
  26. import os.path
  27. import socket
  28. import subprocess
  29. # don't import 'qubes.config' please, it takes 0.3s
  30. QREXEC_CLIENT = '/usr/lib/qubes/qrexec-client'
  31. POLICY_DIR = '/etc/qubes-rpc/policy'
  32. QUBESD_INTERNAL_SOCK = '/var/run/qubesd.internal.sock'
  33. QUBESD_SOCK = '/var/run/qubesd.sock'
  34. class AccessDenied(Exception):
  35. ''' Raised when qrexec policy denied access '''
  36. pass
  37. class PolicySyntaxError(AccessDenied):
  38. ''' Syntax error in qrexec policy, abort parsing '''
  39. def __init__(self, filename, lineno, msg):
  40. super(PolicySyntaxError, self).__init__(
  41. '{}:{}: {}'.format(filename, lineno, msg))
  42. class PolicyNotFound(AccessDenied):
  43. ''' Policy was not found for this service '''
  44. def __init__(self, service_name):
  45. super(PolicyNotFound, self).__init__(
  46. 'Policy not found for service {}'.format(service_name))
  47. class Action(enum.Enum):
  48. ''' Action as defined by policy '''
  49. allow = 1
  50. deny = 2
  51. ask = 3
  52. def is_special_value(value):
  53. '''Check if given source/target specification is special (keyword) value
  54. '''
  55. return value.startswith('@')
  56. def verify_target_value(system_info, value):
  57. ''' Check if given value names valid target
  58. This function check if given value is not only syntactically correct,
  59. but also if names valid service call target (existing domain,
  60. or valid @dispvm like keyword)
  61. :param system_info: information about the system
  62. :param value: value to be checked
  63. '''
  64. if value == '@dispvm':
  65. return True
  66. elif value == '@adminvm':
  67. return True
  68. elif value.startswith('@dispvm:'):
  69. dispvm_base = value.split(':', 1)[1]
  70. if dispvm_base not in system_info['domains']:
  71. return False
  72. dispvm_base_info = system_info['domains'][dispvm_base]
  73. return bool(dispvm_base_info['template_for_dispvms'])
  74. else:
  75. return value in system_info['domains']
  76. def verify_special_value(value, for_target=True, specific_target=False):
  77. '''
  78. Verify if given special VM-specifier ('@...') is valid
  79. :param value: value to verify
  80. :param for_target: should classify target-only values as valid (
  81. '@default', '@dispvm')
  82. :param specific_target: allow only values naming specific target
  83. (for use with target=, default= etc)
  84. :return: True or False
  85. '''
  86. # pylint: disable=too-many-return-statements
  87. # values used only for matching VMs, not naming specific one (for actual
  88. # call target)
  89. if not specific_target:
  90. if value.startswith('@tag:') and len(value) > len('@tag:'):
  91. return True
  92. if value.startswith('@type:') and len(value) > len('@type:'):
  93. return True
  94. if for_target and value.startswith('@dispvm:@tag:') and \
  95. len(value) > len('@dispvm:@tag:'):
  96. return True
  97. if value == '@anyvm':
  98. return True
  99. if for_target and value == '@default':
  100. return True
  101. # those can be used to name one specific call VM
  102. if value == '@adminvm':
  103. return True
  104. # allow only specific dispvm, not based on any @xxx keyword - don't name
  105. # @tag here specifically, to work also with any future keywords
  106. if for_target and value.startswith('@dispvm:') and \
  107. not value.startswith('@dispvm:@'):
  108. return True
  109. if for_target and value == '@dispvm':
  110. return True
  111. return False
  112. class PolicyRule(object):
  113. ''' A single line of policy file '''
  114. def __init__(self, line, filename=None, lineno=None):
  115. '''
  116. Load a single line of qrexec policy and check its syntax.
  117. Do not verify existence of named objects.
  118. :raise PolicySyntaxError: when syntax error is found
  119. :param line: a single line of actual qrexec policy (not a comment,
  120. empty line or @include)
  121. :param filename: name of the file from which this line is loaded
  122. :param lineno: line number from which this line is loaded
  123. '''
  124. self.lineno = lineno
  125. self.filename = filename
  126. try:
  127. self.source, self.target, self.full_action = line.split(maxsplit=2)
  128. except ValueError:
  129. raise PolicySyntaxError(filename, lineno, 'wrong number of fields')
  130. (action, *params) = self.full_action.replace(',', ' ').split()
  131. try:
  132. self.action = Action[action]
  133. except KeyError:
  134. raise PolicySyntaxError(filename, lineno,
  135. 'invalid action: {}'.format(action))
  136. #: alternative target, used instead of the one specified by the caller
  137. self.override_target = None
  138. #: alternative user, used instead of vm.default_user
  139. self.override_user = None
  140. #: default target when asking the user for confirmation
  141. self.default_target = None
  142. for param in params:
  143. try:
  144. param_name, value = param.split('=')
  145. except ValueError:
  146. raise PolicySyntaxError(filename, lineno,
  147. 'invalid action parameter syntax: {}'.format(param))
  148. if param_name == 'target':
  149. if self.action == Action.deny:
  150. raise PolicySyntaxError(filename, lineno,
  151. 'target= option not allowed for deny action')
  152. self.override_target = value
  153. elif param_name == 'user':
  154. if self.action == Action.deny:
  155. raise PolicySyntaxError(filename, lineno,
  156. 'user= option not allowed for deny action')
  157. self.override_user = value
  158. elif param_name == 'default_target':
  159. if self.action != Action.ask:
  160. raise PolicySyntaxError(filename, lineno,
  161. 'default_target= option allowed only for ask action')
  162. self.default_target = value
  163. else:
  164. raise PolicySyntaxError(filename, lineno,
  165. 'invalid option {} for {} action'.format(param, action))
  166. # verify special values
  167. if is_special_value(self.source):
  168. if not verify_special_value(self.source, False, False):
  169. raise PolicySyntaxError(filename, lineno,
  170. 'invalid source specification: {}'.format(self.source))
  171. if is_special_value(self.target):
  172. if not verify_special_value(self.target, True, False):
  173. raise PolicySyntaxError(filename, lineno,
  174. 'invalid target specification: {}'.format(self.target))
  175. if self.target == '@default' \
  176. and self.action == Action.allow \
  177. and self.override_target is None:
  178. raise PolicySyntaxError(filename, lineno,
  179. 'allow action for @default rule must specify target= option')
  180. if self.override_target is not None:
  181. if is_special_value(self.override_target) and \
  182. not verify_special_value(self.override_target, True, True):
  183. raise PolicySyntaxError(filename, lineno,
  184. 'target= option needs to name specific target')
  185. if self.default_target is not None:
  186. if is_special_value(self.default_target) and \
  187. not verify_special_value(self.default_target, True, True):
  188. raise PolicySyntaxError(filename, lineno,
  189. 'target= option needs to name specific target')
  190. @staticmethod
  191. def is_match_single(system_info, policy_value, value):
  192. '''
  193. Evaluate if a single value (VM name or '@default') matches policy
  194. specification
  195. :param system_info: information about the system
  196. :param policy_value: value from qrexec policy (either self.source or
  197. self.target)
  198. :param value: value to be compared (source or target)
  199. :return: True or False
  200. '''
  201. # pylint: disable=too-many-return-statements
  202. # not specified target matches only with @default and @anyvm policy
  203. # entry
  204. if value == '@default':
  205. return policy_value in ('@default', '@anyvm')
  206. # if specific target used, check if it's valid
  207. # this function (is_match_single) is also used for checking call source
  208. # values, but this isn't a problem, because it will always be a
  209. # domain name (not @dispvm or such) - this is guaranteed by a nature
  210. # of qrexec call
  211. if not verify_target_value(system_info, value):
  212. return False
  213. # handle @adminvm keyword
  214. if policy_value == 'dom0':
  215. # TODO: log a warning in Qubes 4.1
  216. policy_value = '@adminvm'
  217. if value == 'dom0':
  218. value = '@adminvm'
  219. # allow any _valid_, non-dom0 target
  220. if policy_value == '@anyvm':
  221. return value != '@adminvm'
  222. # exact match, including @dispvm* and @adminvm
  223. if value == policy_value:
  224. return True
  225. # DispVM request, using tags to match
  226. if policy_value.startswith('@dispvm:@tag:') \
  227. and value.startswith('@dispvm:'):
  228. tag = policy_value.split(':', 2)[2]
  229. dispvm_base = value.split(':', 1)[1]
  230. # already checked for existence by verify_target_value call
  231. dispvm_base_info = system_info['domains'][dispvm_base]
  232. return tag in dispvm_base_info['tags']
  233. # if @dispvm* not matched above, reject it; default DispVM (bare
  234. # @dispvm) was resolved by the caller
  235. if value.startswith('@dispvm:'):
  236. return False
  237. # require @adminvm to be matched explicitly (not through @tag or @type)
  238. # - if not matched already, reject it
  239. if value == '@adminvm':
  240. return False
  241. # at this point, value name a specific target
  242. domain_info = system_info['domains'][value]
  243. if policy_value.startswith('@tag:'):
  244. tag = policy_value.split(':', 1)[1]
  245. return tag in domain_info['tags']
  246. if policy_value.startswith('@type:'):
  247. type_ = policy_value.split(':', 1)[1]
  248. return type_ == domain_info['type']
  249. return False
  250. def is_match(self, system_info, source, target):
  251. '''
  252. Check if given (source, target) matches this policy line.
  253. :param system_info: information about the system - available VMs,
  254. their types, labels, tags etc. as returned by
  255. :py:func:`app_to_system_info`
  256. :param source: name of the source VM
  257. :param target: name of the target VM, or None if not specified
  258. :return: True or False
  259. '''
  260. if not self.is_match_single(system_info, self.source, source):
  261. return False
  262. # @dispvm in policy matches _only_ @dispvm (but not @dispvm:some-vm,
  263. # even if that would be the default one)
  264. if self.target == '@dispvm' and target == '@dispvm':
  265. return True
  266. if target == '@dispvm':
  267. # resolve default DispVM, to check all kinds of @dispvm:*
  268. default_dispvm = system_info['domains'][source]['default_dispvm']
  269. if default_dispvm is None:
  270. # if this VM have no default DispVM, match only with @anyvm
  271. return self.target == '@anyvm'
  272. target = '@dispvm:' + default_dispvm
  273. if not self.is_match_single(system_info, self.target, target):
  274. return False
  275. return True
  276. def expand_target(self, system_info):
  277. '''
  278. Return domains matching target of this policy line
  279. :param system_info: information about the system
  280. :return: matching domains
  281. '''
  282. if self.target.startswith('@tag:'):
  283. tag = self.target.split(':', 1)[1]
  284. for name, domain in system_info['domains'].items():
  285. if tag in domain['tags']:
  286. yield name
  287. elif self.target.startswith('@type:'):
  288. type_ = self.target.split(':', 1)[1]
  289. for name, domain in system_info['domains'].items():
  290. if type_ == domain['type']:
  291. yield name
  292. elif self.target == '@anyvm':
  293. for name, domain in system_info['domains'].items():
  294. if name != 'dom0':
  295. yield name
  296. if domain['template_for_dispvms']:
  297. yield '@dispvm:' + name
  298. yield '@dispvm'
  299. elif self.target.startswith('@dispvm:@tag:'):
  300. tag = self.target.split(':', 2)[2]
  301. for name, domain in system_info['domains'].items():
  302. if tag in domain['tags']:
  303. if domain['template_for_dispvms']:
  304. yield '@dispvm:' + name
  305. elif self.target.startswith('@dispvm:'):
  306. dispvm_base = self.target.split(':', 1)[1]
  307. try:
  308. if system_info['domains'][dispvm_base]['template_for_dispvms']:
  309. yield self.target
  310. except KeyError:
  311. # TODO log a warning?
  312. pass
  313. elif self.target == '@adminvm':
  314. yield self.target
  315. elif self.target == '@dispvm':
  316. yield self.target
  317. else:
  318. if self.target in system_info['domains']:
  319. yield self.target
  320. def expand_override_target(self, system_info, source):
  321. '''
  322. Replace '@dispvm' with specific '@dispvm:...' value, based on qrexec
  323. call source.
  324. :param system_info: System information
  325. :param source: Source domain name
  326. :return: :py:attr:`override_target` with '@dispvm' substituted
  327. '''
  328. if self.override_target == '@dispvm':
  329. if system_info['domains'][source]['default_dispvm'] is None:
  330. return None
  331. return '@dispvm:' + system_info['domains'][source]['default_dispvm']
  332. else:
  333. return self.override_target
  334. class PolicyAction(object):
  335. ''' Object representing positive policy evaluation result -
  336. either ask or allow action '''
  337. def __init__(self, service, source, target, rule, original_target,
  338. targets_for_ask=None):
  339. #: service name
  340. self.service = service
  341. #: calling domain
  342. self.source = source
  343. #: target domain the service should be connected to, None if
  344. # not chosen yet
  345. if targets_for_ask is None or target in targets_for_ask:
  346. self.target = target
  347. else:
  348. # TODO: log a warning?
  349. self.target = None
  350. #: original target specified by the caller
  351. self.original_target = original_target
  352. #: targets for the user to choose from
  353. self.targets_for_ask = targets_for_ask
  354. #: policy rule from which this action is derived
  355. self.rule = rule
  356. if rule.action == Action.deny:
  357. # this should be really rejected by Policy.eval()
  358. raise AccessDenied(
  359. 'denied by policy {}:{}'.format(rule.filename, rule.lineno))
  360. elif rule.action == Action.ask:
  361. if targets_for_ask is None:
  362. raise AccessDenied(
  363. 'invalid policy {}:{}'.format(rule.filename, rule.lineno))
  364. elif rule.action == Action.allow:
  365. if targets_for_ask is not None or target is None:
  366. raise AccessDenied(
  367. 'invalid policy {}:{}'.format(rule.filename, rule.lineno))
  368. self.action = rule.action
  369. def handle_user_response(self, response, target=None):
  370. '''
  371. Handle user response for the 'ask' action
  372. :param response: whether the call was allowed or denied (bool)
  373. :param target: target chosen by the user (if reponse==True)
  374. :return: None
  375. '''
  376. assert self.action == Action.ask
  377. if response:
  378. assert target in self.targets_for_ask
  379. self.target = target
  380. self.action = Action.allow
  381. else:
  382. self.action = Action.deny
  383. raise AccessDenied(
  384. 'denied by the user {}:{}'.format(self.rule.filename,
  385. self.rule.lineno))
  386. def execute(self, caller_ident):
  387. ''' Execute allowed service call
  388. :param caller_ident: Service caller ident
  389. (`process_ident,source_name, source_id`)
  390. '''
  391. assert self.action == Action.allow
  392. assert self.target is not None
  393. if self.target == '@adminvm':
  394. self.target = 'dom0'
  395. if self.target == 'dom0':
  396. original_target_type = \
  397. 'keyword' if is_special_value(self.original_target) else 'name'
  398. original_target = self.original_target.lstrip('@')
  399. cmd = \
  400. 'QUBESRPC {service} {source} {original_target_type} ' \
  401. '{original_target}'.format(
  402. service=self.service,
  403. source=self.source,
  404. original_target_type=original_target_type,
  405. original_target=original_target)
  406. else:
  407. cmd = '{user}:QUBESRPC {service} {source}'.format(
  408. user=(self.rule.override_user or 'DEFAULT'),
  409. service=self.service,
  410. source=self.source)
  411. if self.target.startswith('@dispvm:'):
  412. target = self.spawn_dispvm()
  413. dispvm = True
  414. else:
  415. target = self.target
  416. dispvm = False
  417. self.ensure_target_running()
  418. qrexec_opts = ['-d', target, '-c', caller_ident]
  419. if dispvm:
  420. qrexec_opts.append('-W')
  421. try:
  422. subprocess.call([QREXEC_CLIENT] + qrexec_opts + [cmd])
  423. finally:
  424. if dispvm:
  425. self.cleanup_dispvm(target)
  426. def spawn_dispvm(self):
  427. '''
  428. Create and start Disposable VM based on AppVM specified in
  429. :py:attr:`target`
  430. :return: name of new Disposable VM
  431. '''
  432. base_appvm = self.target.split(':', 1)[1]
  433. dispvm_name = qubesd_call(base_appvm, 'admin.vm.CreateDisposable')
  434. dispvm_name = dispvm_name.decode('ascii')
  435. qubesd_call(dispvm_name, 'admin.vm.Start')
  436. return dispvm_name
  437. def ensure_target_running(self):
  438. '''
  439. Start domain if not running already
  440. :return: None
  441. '''
  442. if self.target == 'dom0':
  443. return
  444. try:
  445. qubesd_call(self.target, 'admin.vm.Start')
  446. except QubesMgmtException as e:
  447. if e.exc_type == 'QubesVMNotHaltedError':
  448. pass
  449. else:
  450. raise
  451. @staticmethod
  452. def cleanup_dispvm(dispvm):
  453. '''
  454. Kill and remove Disposable VM
  455. :param dispvm: name of Disposable VM
  456. :return: None
  457. '''
  458. qubesd_call(dispvm, 'admin.vm.Kill')
  459. class Policy(object):
  460. ''' Full policy for a given service
  461. Usage:
  462. >>> system_info = get_system_info()
  463. >>> policy = Policy('some-service')
  464. >>> action = policy.evaluate(system_info, 'source-name', 'target-name')
  465. >>> if action.action == Action.ask:
  466. >>> # ... ask the user, see action.targets_for_ask ...
  467. >>> action.handle_user_response(response, target_chosen_by_user)
  468. >>> action.execute('process-ident')
  469. '''
  470. def __init__(self, service, policy_dir=POLICY_DIR):
  471. policy_file = os.path.join(policy_dir, service)
  472. if not os.path.exists(policy_file):
  473. # fallback to policy without specific argument set (if any)
  474. policy_file = os.path.join(policy_dir, service.split('+')[0])
  475. if not os.path.exists(policy_file):
  476. raise PolicyNotFound(service)
  477. #: policy storage directory
  478. self.policy_dir = policy_dir
  479. #: service name
  480. self.service = service
  481. #: list of PolicyLine objects
  482. self.policy_rules = []
  483. try:
  484. self.load_policy_file(policy_file)
  485. except OSError as e:
  486. raise AccessDenied(
  487. 'failed to load {} file: {!s}'.format(e.filename, e))
  488. def load_policy_file(self, path):
  489. ''' Load policy file and append rules to :py:attr:`policy_rules`
  490. :param path: file to load
  491. '''
  492. with open(path) as policy_file:
  493. for lineno, line in zip(itertools.count(start=1),
  494. policy_file.readlines()):
  495. line = line.strip()
  496. # compatibility with old keywords notation
  497. line = line.replace('$', '@')
  498. if not line:
  499. # skip empty lines
  500. continue
  501. if line[0] == '#':
  502. # skip comments
  503. continue
  504. if line.startswith('@include:'):
  505. include_path = line.split(':', 1)[1]
  506. # os.path.join will leave include_path unchanged if it's
  507. # already absolute
  508. include_path = os.path.join(self.policy_dir, include_path)
  509. self.load_policy_file(include_path)
  510. else:
  511. self.policy_rules.append(PolicyRule(line, path, lineno))
  512. def find_matching_rule(self, system_info, source, target):
  513. ''' Find the first rule matching given arguments '''
  514. for rule in self.policy_rules:
  515. if rule.is_match(system_info, source, target):
  516. return rule
  517. raise AccessDenied('no matching rule found')
  518. def collect_targets_for_ask(self, system_info, source):
  519. ''' Collect targets the user can choose from in 'ask' action
  520. Word 'targets' is used intentionally instead of 'domains', because it
  521. can also contains @dispvm like keywords.
  522. '''
  523. targets = set()
  524. # iterate over rules in reversed order to easier handle 'deny'
  525. # actions - simply remove matching domains from allowed set
  526. for rule in reversed(self.policy_rules):
  527. if rule.is_match_single(system_info, rule.source, source):
  528. if rule.action == Action.deny:
  529. targets -= set(rule.expand_target(system_info))
  530. else:
  531. if rule.override_target is not None:
  532. override_target = rule.expand_override_target(
  533. system_info, source)
  534. if verify_target_value(system_info, override_target):
  535. targets.add(rule.override_target)
  536. else:
  537. targets.update(rule.expand_target(system_info))
  538. # expand default DispVM
  539. if '@dispvm' in targets:
  540. targets.remove('@dispvm')
  541. if system_info['domains'][source]['default_dispvm'] is not None:
  542. dispvm = '@dispvm:' + \
  543. system_info['domains'][source]['default_dispvm']
  544. if verify_target_value(system_info, dispvm):
  545. targets.add(dispvm)
  546. # expand other keywords
  547. if '@adminvm' in targets:
  548. targets.remove('@adminvm')
  549. targets.add('dom0')
  550. return targets
  551. def evaluate(self, system_info, source, target):
  552. ''' Evaluate policy
  553. :raise AccessDenied: when action should be denied unconditionally
  554. :return tuple(rule, considered_targets) - where considered targets is a
  555. list of possible targets for 'ask' action (rule.action == Action.ask)
  556. '''
  557. if target == '':
  558. target = '@default'
  559. rule = self.find_matching_rule(system_info, source, target)
  560. if rule.action == Action.deny:
  561. raise AccessDenied(
  562. 'denied by policy {}:{}'.format(rule.filename, rule.lineno))
  563. if rule.override_target is not None:
  564. override_target = rule.expand_override_target(system_info, source)
  565. if not verify_target_value(system_info, override_target):
  566. raise AccessDenied('invalid target= value in {}:{}'.format(
  567. rule.filename, rule.lineno))
  568. actual_target = override_target
  569. else:
  570. actual_target = target
  571. if rule.action == Action.ask:
  572. if rule.override_target is not None:
  573. targets = [actual_target]
  574. else:
  575. targets = list(
  576. self.collect_targets_for_ask(system_info, source))
  577. if not targets:
  578. raise AccessDenied(
  579. 'policy define \'ask\' action at {}:{} but no target is '
  580. 'available to choose from'.format(
  581. rule.filename, rule.lineno))
  582. return PolicyAction(self.service, source, rule.default_target,
  583. rule, target, targets)
  584. elif rule.action == Action.allow:
  585. if actual_target == '@default':
  586. raise AccessDenied(
  587. 'policy define \'allow\' action at {}:{} but no target is '
  588. 'specified by caller or policy'.format(
  589. rule.filename, rule.lineno))
  590. if actual_target == '@dispvm':
  591. if system_info['domains'][source]['default_dispvm'] is None:
  592. raise AccessDenied(
  593. 'policy define \'allow\' action to @dispvm at {}:{} '
  594. 'but no DispVM base is set for this VM'.format(
  595. rule.filename, rule.lineno))
  596. actual_target = '@dispvm:' + \
  597. system_info['domains'][source]['default_dispvm']
  598. return PolicyAction(self.service, source,
  599. actual_target, rule, target)
  600. else:
  601. # should be unreachable
  602. raise AccessDenied(
  603. 'invalid action?! {}:{}'.format(rule.filename, rule.lineno))
  604. class QubesMgmtException(Exception):
  605. ''' Exception returned by qubesd '''
  606. def __init__(self, exc_type):
  607. super(QubesMgmtException, self).__init__()
  608. self.exc_type = exc_type
  609. def qubesd_call(dest, method, arg=None, payload=None):
  610. if method.startswith('internal.'):
  611. socket_path = QUBESD_INTERNAL_SOCK
  612. else:
  613. socket_path = QUBESD_SOCK
  614. try:
  615. client_socket = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
  616. client_socket.connect(socket_path)
  617. except IOError:
  618. # TODO:
  619. raise
  620. # src, method, dest, arg
  621. for call_arg in ('dom0', method, dest, arg):
  622. if call_arg is not None:
  623. client_socket.sendall(call_arg.encode('ascii'))
  624. client_socket.sendall(b'\0')
  625. if payload is not None:
  626. client_socket.sendall(payload)
  627. client_socket.shutdown(socket.SHUT_WR)
  628. return_data = client_socket.makefile('rb').read()
  629. if return_data.startswith(b'0\x00'):
  630. return return_data[2:]
  631. elif return_data.startswith(b'2\x00'):
  632. (_, exc_type, _traceback, _format_string, _args) = \
  633. return_data.split(b'\x00', 4)
  634. raise QubesMgmtException(exc_type.decode('ascii'))
  635. else:
  636. raise AssertionError(
  637. 'invalid qubesd response: {!r}'.format(return_data))
  638. def get_system_info():
  639. ''' Get system information
  640. This retrieve information necessary to process qrexec policy. Returned
  641. data is nested dict structure with this structure:
  642. - domains:
  643. - `<domain name>`:
  644. - tags: list of tags
  645. - type: domain type
  646. - template_for_dispvms: should DispVM based on this VM be allowed
  647. - default_dispvm: name of default AppVM for DispVMs started from here
  648. '''
  649. system_info = qubesd_call('dom0', 'internal.GetSystemInfo')
  650. return json.loads(system_info.decode('utf-8'))