006QubesProxyVm.py 7.8 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201
  1. #!/usr/bin/python2
  2. #
  3. # The Qubes OS Project, http://www.qubes-os.org
  4. #
  5. # Copyright (C) 2010 Joanna Rutkowska <joanna@invisiblethingslab.com>
  6. # Copyright (C) 2013 Marek Marczykowski <marmarek@invisiblethingslab.com>
  7. #
  8. # This program is free software; you can redistribute it and/or
  9. # modify it under the terms of the GNU General Public License
  10. # as published by the Free Software Foundation; either version 2
  11. # of the License, or (at your option) any later version.
  12. #
  13. # This program is distributed in the hope that it will be useful,
  14. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  15. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  16. # GNU General Public License for more details.
  17. #
  18. # You should have received a copy of the GNU General Public License
  19. # along with this program; if not, write to the Free Software
  20. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
  21. #
  22. #
  23. from datetime import datetime
  24. from qubes.qubes import QubesNetVm,register_qubes_vm_class,xs,dry_run
  25. from qubes.qubes import QubesVmCollection,QubesException
  26. yum_proxy_ip = '10.137.255.254'
  27. yum_proxy_port = '8082'
  28. class QubesProxyVm(QubesNetVm):
  29. """
  30. A class that represents a ProxyVM, ex FirewallVM. A child of QubesNetVM.
  31. """
  32. def get_attrs_config(self):
  33. attrs_config = super(QubesProxyVm, self).get_attrs_config()
  34. attrs_config['uses_default_netvm']['eval'] = 'False'
  35. # Save netvm prop again
  36. attrs_config['netvm']['save'] = 'str(self.netvm.qid) if self.netvm is not None else "none"'
  37. return attrs_config
  38. def __init__(self, **kwargs):
  39. super(QubesProxyVm, self).__init__(**kwargs)
  40. self.rules_applied = None
  41. @property
  42. def type(self):
  43. return "ProxyVM"
  44. def is_proxyvm(self):
  45. return True
  46. def _set_netvm(self, new_netvm):
  47. old_netvm = self.netvm
  48. super(QubesProxyVm, self)._set_netvm(new_netvm)
  49. if self.netvm is not None:
  50. self.netvm.add_external_ip_permission(self.get_xid())
  51. self.write_netvm_domid_entry()
  52. if old_netvm is not None:
  53. old_netvm.remove_external_ip_permission(self.get_xid())
  54. def post_vm_net_attach(self, vm):
  55. """ Called after some VM net-attached to this ProxyVm """
  56. self.write_iptables_xenstore_entry()
  57. def post_vm_net_detach(self, vm):
  58. """ Called after some VM net-detached from this ProxyVm """
  59. self.write_iptables_xenstore_entry()
  60. def start(self, **kwargs):
  61. if dry_run:
  62. return
  63. retcode = super(QubesProxyVm, self).start(**kwargs)
  64. if self.netvm is not None:
  65. self.netvm.add_external_ip_permission(self.get_xid())
  66. self.write_netvm_domid_entry()
  67. return retcode
  68. def force_shutdown(self, **kwargs):
  69. if dry_run:
  70. return
  71. if self.netvm is not None:
  72. self.netvm.remove_external_ip_permission(kwargs['xid'] if 'xid' in kwargs else self.get_xid())
  73. super(QubesProxyVm, self).force_shutdown(**kwargs)
  74. def create_xenstore_entries(self, xid = None):
  75. if dry_run:
  76. return
  77. if xid is None:
  78. xid = self.xid
  79. super(QubesProxyVm, self).create_xenstore_entries(xid)
  80. xs.write('', "/local/domain/{0}/qubes-iptables-error".format(xid), '')
  81. xs.set_permissions('', "/local/domain/{0}/qubes-iptables-error".format(xid),
  82. [{ 'dom': xid, 'write': True }])
  83. self.write_iptables_xenstore_entry()
  84. def write_netvm_domid_entry(self, xid = -1):
  85. if not self.is_running():
  86. return
  87. if xid < 0:
  88. xid = self.get_xid()
  89. if self.netvm is None:
  90. xs.write('', "/local/domain/{0}/qubes-netvm-domid".format(xid), '')
  91. else:
  92. xs.write('', "/local/domain/{0}/qubes-netvm-domid".format(xid),
  93. "{0}".format(self.netvm.get_xid()))
  94. def write_iptables_xenstore_entry(self):
  95. xs.rm('', "/local/domain/{0}/qubes-iptables-domainrules".format(self.get_xid()))
  96. iptables = "# Generated by Qubes Core on {0}\n".format(datetime.now().ctime())
  97. iptables += "*filter\n"
  98. iptables += ":INPUT DROP [0:0]\n"
  99. iptables += ":FORWARD DROP [0:0]\n"
  100. iptables += ":OUTPUT ACCEPT [0:0]\n"
  101. # Strict INPUT rules
  102. iptables += "-A INPUT -i vif+ -p udp -m udp --dport 68 -j DROP\n"
  103. iptables += "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
  104. iptables += "-A INPUT -p icmp -j ACCEPT\n"
  105. iptables += "-A INPUT -i lo -j ACCEPT\n"
  106. iptables += "-A INPUT -j REJECT --reject-with icmp-host-prohibited\n"
  107. iptables += "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
  108. # Allow dom0 networking
  109. iptables += "-A FORWARD -i vif0.0 -j ACCEPT\n"
  110. # Deny inter-VMs networking
  111. iptables += "-A FORWARD -i vif+ -o vif+ -j DROP\n"
  112. iptables += "COMMIT\n"
  113. xs.write('', "/local/domain/{0}/qubes-iptables-header".format(self.get_xid()), iptables)
  114. vms = [vm for vm in self.connected_vms.values()]
  115. for vm in vms:
  116. iptables="*filter\n"
  117. conf = vm.get_firewall_conf()
  118. xid = vm.get_xid()
  119. if xid < 0: # VM not active ATM
  120. continue
  121. ip = vm.ip
  122. if ip is None:
  123. continue
  124. # Anti-spoof rules are added by vif-script (vif-route-qubes), here we trust IP address
  125. accept_action = "ACCEPT"
  126. reject_action = "REJECT --reject-with icmp-host-prohibited"
  127. if conf["allow"]:
  128. default_action = accept_action
  129. rules_action = reject_action
  130. else:
  131. default_action = reject_action
  132. rules_action = accept_action
  133. for rule in conf["rules"]:
  134. iptables += "-A FORWARD -s {0} -d {1}".format(ip, rule["address"])
  135. if rule["netmask"] != 32:
  136. iptables += "/{0}".format(rule["netmask"])
  137. if rule["proto"] is not None and rule["proto"] != "any":
  138. iptables += " -p {0}".format(rule["proto"])
  139. if rule["portBegin"] is not None and rule["portBegin"] > 0:
  140. iptables += " --dport {0}".format(rule["portBegin"])
  141. if rule["portEnd"] is not None and rule["portEnd"] > rule["portBegin"]:
  142. iptables += ":{0}".format(rule["portEnd"])
  143. iptables += " -j {0}\n".format(rules_action)
  144. if conf["allowDns"] and self.netvm is not None:
  145. # PREROUTING does DNAT to NetVM DNSes, so we need self.netvm. properties
  146. iptables += "-A FORWARD -s {0} -p udp -d {1} --dport 53 -j ACCEPT\n".format(ip,self.netvm.gateway)
  147. iptables += "-A FORWARD -s {0} -p udp -d {1} --dport 53 -j ACCEPT\n".format(ip,self.netvm.secondary_dns)
  148. if conf["allowIcmp"]:
  149. iptables += "-A FORWARD -s {0} -p icmp -j ACCEPT\n".format(ip)
  150. if conf["allowYumProxy"]:
  151. iptables += "-A FORWARD -s {0} -p tcp -d {1} --dport {2} -j ACCEPT\n".format(ip, yum_proxy_ip, yum_proxy_port)
  152. else:
  153. iptables += "-A FORWARD -s {0} -p tcp -d {1} --dport {2} -j DROP\n".format(ip, yum_proxy_ip, yum_proxy_port)
  154. iptables += "-A FORWARD -s {0} -j {1}\n".format(ip, default_action)
  155. iptables += "COMMIT\n"
  156. xs.write('', "/local/domain/"+str(self.get_xid())+"/qubes-iptables-domainrules/"+str(xid), iptables)
  157. # no need for ending -A FORWARD -j DROP, cause default action is DROP
  158. self.write_netvm_domid_entry()
  159. self.rules_applied = None
  160. xs.write('', "/local/domain/{0}/qubes-iptables".format(self.get_xid()), 'reload')
  161. register_qubes_vm_class(QubesProxyVm)