r3compatibility.py 6.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174
  1. #
  2. # The Qubes OS Project, https://www.qubes-os.org/
  3. #
  4. # Copyright (C) 2010 Joanna Rutkowska <joanna@invisiblethingslab.com>
  5. # Copyright (C) 2013-2016 Marek Marczykowski-Górecki
  6. # <marmarek@invisiblethingslab.com>
  7. #
  8. # This library is free software; you can redistribute it and/or
  9. # modify it under the terms of the GNU Lesser General Public
  10. # License as published by the Free Software Foundation; either
  11. # version 2.1 of the License, or (at your option) any later version.
  12. #
  13. # This library is distributed in the hope that it will be useful,
  14. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  15. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  16. # Lesser General Public License for more details.
  17. #
  18. # You should have received a copy of the GNU Lesser General Public
  19. # License along with this library; if not, see <https://www.gnu.org/licenses/>.
  20. #
  21. import datetime
  22. import qubes.ext
  23. import qubes.firewall
  24. import qubes.vm.qubesvm
  25. import qubes.vm.appvm
  26. import qubes.vm.templatevm
  27. import qubes.utils
  28. yum_proxy_ip = '10.137.255.254'
  29. yum_proxy_port = '8082'
  30. class R3Compatibility(qubes.ext.Extension):
  31. '''Maintain VM interface compatibility with R3.0 and R3.1.
  32. At least where possible.
  33. '''
  34. features_to_services = {
  35. 'service.ntpd': 'ntpd',
  36. 'check-updates': 'qubes-update-check',
  37. 'dvm': 'qubes-dvm',
  38. }
  39. # noinspection PyUnusedLocal
  40. @qubes.ext.handler('domain-qdb-create')
  41. def on_domain_qdb_create(self, vm, event):
  42. '''
  43. :param qubes.vm.qubesvm.QubesVM vm: \
  44. VM on which QubesDB entries were just created
  45. ''' # pylint: disable=unused-argument
  46. # /qubes-vm-type: AppVM, NetVM, ProxyVM, TemplateVM
  47. if isinstance(vm, qubes.vm.templatevm.TemplateVM):
  48. vmtype = 'TemplateVM'
  49. elif vm.netvm is not None and vm.provides_network:
  50. vmtype = 'ProxyVM'
  51. elif vm.netvm is None and vm.provides_network:
  52. vmtype = 'NetVM'
  53. else:
  54. vmtype = 'AppVM'
  55. vm.untrusted_qdb.write('/qubes-vm-type', vmtype)
  56. vm.untrusted_qdb.write("/qubes-iptables-error", '')
  57. self.write_iptables_qubesdb_entry(vm)
  58. self.write_services(vm)
  59. @qubes.ext.handler('domain-spawn')
  60. def on_domain_started(self, vm, event, **kwargs):
  61. # pylint: disable=unused-argument
  62. if vm.netvm:
  63. self.write_iptables_qubesdb_entry(vm.netvm)
  64. @qubes.ext.handler('firewall-changed')
  65. def on_firewall_changed(self, vm, event):
  66. # pylint: disable=unused-argument
  67. if vm.is_running() and vm.netvm:
  68. self.write_iptables_qubesdb_entry(vm.netvm)
  69. def write_iptables_qubesdb_entry(self, firewallvm):
  70. # pylint: disable=no-self-use
  71. firewallvm.untrusted_qdb.rm("/qubes-iptables-domainrules/")
  72. iptables = "# Generated by Qubes Core on {0}\n".format(
  73. datetime.datetime.now().ctime())
  74. iptables += "*filter\n"
  75. iptables += ":INPUT DROP [0:0]\n"
  76. iptables += ":FORWARD DROP [0:0]\n"
  77. iptables += ":OUTPUT ACCEPT [0:0]\n"
  78. # Strict INPUT rules
  79. iptables += "-A INPUT -i vif+ -p udp -m udp --dport 68 -j DROP\n"
  80. iptables += "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED " \
  81. "-j ACCEPT\n"
  82. iptables += "-A INPUT -p icmp -j ACCEPT\n"
  83. iptables += "-A INPUT -i lo -j ACCEPT\n"
  84. iptables += "-A INPUT -j REJECT --reject-with icmp-host-prohibited\n"
  85. iptables += "-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED " \
  86. "-j ACCEPT\n"
  87. # Deny inter-VMs networking
  88. iptables += "-A FORWARD -i vif+ -o vif+ -j DROP\n"
  89. iptables += "COMMIT\n"
  90. firewallvm.untrusted_qdb.write("/qubes-iptables-header", iptables)
  91. for vm in firewallvm.connected_vms:
  92. iptables = "*filter\n"
  93. conf = vm.firewall
  94. xid = vm.xid
  95. if xid < 0: # VM not active ATM
  96. continue
  97. ip = vm.ip
  98. if ip is None:
  99. continue
  100. # Anti-spoof rules are added by vif-script (vif-route-qubes),
  101. # here we trust IP address
  102. for rule in conf.rules:
  103. if rule.specialtarget == 'dns':
  104. if rule.dstports not in ('53', None):
  105. continue
  106. if rule.proto:
  107. protos = {'tcp', 'udp'}.intersection(str(rule.proto))
  108. else:
  109. protos = {'tcp', 'udp'}
  110. for proto in protos:
  111. if rule.dsthost:
  112. dsthosts = set(vm.dns).intersection(
  113. [str(rule.dsthost).replace('/24', '')])
  114. else:
  115. dsthosts = vm.dns
  116. for dsthost in dsthosts:
  117. iptables += '-A FORWARD -s {}'.format(ip)
  118. iptables += ' -d {!s}'.format(dsthost)
  119. iptables += ' -p {!s}'.format(proto)
  120. iptables += ' --dport 53'
  121. iptables += ' -j {}\n'.format(
  122. str(rule.action).upper())
  123. else:
  124. iptables += '-A FORWARD -s {}'.format(ip)
  125. if rule.dsthost:
  126. iptables += ' -d {!s}'.format(rule.dsthost)
  127. if rule.proto:
  128. iptables += ' -p {!s}'.format(rule.proto)
  129. if rule.dstports:
  130. iptables += ' --dport {}'.format(
  131. str(rule.dstports).replace('-', ':'))
  132. iptables += ' -j {0}\n'.format(str(rule.action).upper())
  133. iptables += '-A FORWARD -s {0} -j {1}\n'.format(ip,
  134. str(conf.policy).upper())
  135. iptables += 'COMMIT\n'
  136. firewallvm.untrusted_qdb.write(
  137. '/qubes-iptables-domainrules/' + str(xid),
  138. iptables)
  139. # no need for ending -A FORWARD -j DROP, cause default action is DROP
  140. firewallvm.untrusted_qdb.write('/qubes-iptables', 'reload')
  141. def write_services(self, vm):
  142. for feature, value in vm.features.items():
  143. service = self.features_to_services.get(feature, None)
  144. if service is None:
  145. continue
  146. # forcefully convert to '0' or '1'
  147. vm.untrusted_qdb.write('/qubes-service/{}'.format(service),
  148. str(int(bool(value))))
  149. if 'updates-proxy-setup' in vm.features.keys():
  150. vm.untrusted_qdb.write(
  151. '/qubes-service/{}'.format('yum-proxy-setup'),
  152. str(int(bool(vm.features['updates-proxy-setup']))))