firewall: add an option to temporary allow full network access (#760)
Add rule "*" with expire time set.
parent
3b3846eeb5
commit
41bf7b448e
@ -26,6 +26,7 @@ import xml.etree.ElementTree
|
||||
|
||||
from PyQt4.QtCore import *
|
||||
from PyQt4.QtGui import *
|
||||
import datetime
|
||||
|
||||
from qubes.qubes import QubesVmCollection
|
||||
from qubes.qubes import QubesException
|
||||
@ -200,17 +201,23 @@ class QubesFirewallRulesModel(QAbstractItemModel):
|
||||
self.allowDns = conf["allowDns"]
|
||||
self.allowIcmp = conf["allowIcmp"]
|
||||
self.allowYumProxy = conf["allowYumProxy"]
|
||||
self.tempFullAccessExpireTime = 0
|
||||
|
||||
for rule in conf["rules"]:
|
||||
self.appendChild(rule)
|
||||
if "expire" in rule and rule["address"] == "0.0.0.0":
|
||||
self.tempFullAccessExpireTime = rule["expire"]
|
||||
|
||||
def get_vm_name(self):
|
||||
return self.__vm.name
|
||||
|
||||
def apply_rules(self, allow, dns, icmp, yumproxy):
|
||||
def apply_rules(self, allow, dns, icmp, yumproxy, tempFullAccess=False,
|
||||
tempFullAccessTime=None):
|
||||
assert self.__vm is not None
|
||||
|
||||
if(self.allow != allow or self.allowDns != dns or self.allowIcmp != icmp or self.allowYumProxy != yumproxy):
|
||||
if self.allow != allow or self.allowDns != dns or \
|
||||
self.allowIcmp != icmp or self.allowYumProxy != yumproxy or \
|
||||
(self.tempFullAccessExpireTime != 0) != tempFullAccess:
|
||||
self.fw_changed = True
|
||||
|
||||
conf = { "allow": allow,
|
||||
@ -221,8 +228,25 @@ class QubesFirewallRulesModel(QAbstractItemModel):
|
||||
}
|
||||
|
||||
for rule in self.children:
|
||||
if "expire" in rule and rule["address"] == "0.0.0.0" and \
|
||||
rule["netmask"] == 0 and rule["proto"] == "any":
|
||||
# rule already present, update its time
|
||||
if tempFullAccess:
|
||||
rule["expire"] = \
|
||||
int(datetime.datetime.now().strftime("%s")) + \
|
||||
tempFullAccessTime*60
|
||||
tempFullAccess = False
|
||||
conf["rules"].append(rule)
|
||||
|
||||
if tempFullAccess and not allow:
|
||||
conf["rules"].append({"address": "0.0.0.0",
|
||||
"netmask": 0,
|
||||
"proto": "any",
|
||||
"expire": int(
|
||||
datetime.datetime.now().strftime("%s"))+\
|
||||
tempFullAccessTime*60
|
||||
})
|
||||
|
||||
if self.fw_changed:
|
||||
self.__vm.write_firewall_conf(conf)
|
||||
|
||||
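Review bot: Unticking the temporary-access box does not appear to revoke the rule. In the `for rule in self.children:` loop of `apply_rules`, a matching expiring `0.0.0.0` / netmask 0 / `any` rule only has its expiry refreshed when `tempFullAccess` is true, and, as far as the flattened indentation shows, it is still appended to `conf["rules"]` when the flag is false. The new `(self.tempFullAccessExpireTime != 0) != tempFullAccess` comparison then sets `fw_changed` and writes a config that still holds the allow-all rule, so the VM keeps full network access until the old expiry. Skipping the rule in that case, e.g. `if not tempFullAccess: continue` ahead of the expiry update, would make the checkbox fail closed. The load-side test in the previous hunk (`"expire" in rule and rule["address"] == "0.0.0.0"`) is also looser than this one and should check `netmask` and `proto` too; `apply_rules` begins and ends outside the hunks shown.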
|
@ -102,6 +102,8 @@ class VMSettingsWindow(Ui_SettingsDialog, QDialog):
|
||||
self.newRuleButton.clicked.connect(self.new_rule_button_pressed)
|
||||
self.editRuleButton.clicked.connect(self.edit_rule_button_pressed)
|
||||
self.deleteRuleButton.clicked.connect(self.delete_rule_button_pressed)
|
||||
self.policyDenyRadioButton.clicked.connect(self.policy_changed)
|
||||
self.policyAllowRadioButton.clicked.connect(self.policy_changed)
|
||||
|
||||
####### devices tab
|
||||
self.__init_devices_tab__()
|
||||
@ -179,7 +181,9 @@ class VMSettingsWindow(Ui_SettingsDialog, QDialog):
|
||||
self.fw_model.apply_rules(self.policyAllowRadioButton.isChecked(),
|
||||
self.dnsCheckBox.isChecked(),
|
||||
self.icmpCheckBox.isChecked(),
|
||||
self.yumproxyCheckBox.isChecked())
|
||||
self.yumproxyCheckBox.isChecked(),
|
||||
self.tempFullAccess.isChecked(),
|
||||
self.tempFullAccessTime.value())
|
||||
except Exception as ex:
|
||||
ret += ["Firewall tab:", str(ex)]
|
||||
|
||||
@ -782,10 +786,19 @@ class VMSettingsWindow(Ui_SettingsDialog, QDialog):
|
||||
self.dnsCheckBox.setChecked(model.allowDns)
|
||||
self.icmpCheckBox.setChecked(model.allowIcmp)
|
||||
self.yumproxyCheckBox.setChecked(model.allowYumProxy)
|
||||
if model.tempFullAccessExpireTime:
|
||||
self.tempFullAccess.setChecked(True)
|
||||
self.tempFullAccessTime.setValue(
|
||||
(model.tempFullAccessExpireTime -
|
||||
int(datetime.datetime.now().strftime("%s")))/60)
|
||||
|
||||
def set_allow(self, allow):
|
||||
self.policyAllowRadioButton.setChecked(allow)
|
||||
self.policyDenyRadioButton.setChecked(not allow)
|
||||
self.policy_changed(allow)
|
||||
|
||||
def policy_changed(self, checked):
|
||||
self.tempFullAccessWidget.setEnabled(self.policyDenyRadioButton.isChecked())
|
||||
|
||||
def new_rule_button_pressed(self):
|
||||
dialog = NewFwRuleDlg()
|
||||
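Review bot: An already-expired rule still ticks the box, because the `if model.tempFullAccessExpireTime:` block in the last hunk only tests that an expiry value exists. Once that time has passed the dialog shows temporary access as active and passes a negative minute count to `self.tempFullAccessTime.setValue(...)`. Compute the remainder first and only tick the box when it is positive, e.g. `remaining = model.tempFullAccessExpireTime - int(datetime.datetime.now().strftime("%s"))` followed by `if remaining > 0:`. No `import datetime` is added in this file's hunks, so confirm the name is already in scope here. The enclosing method starts outside the hunk.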
|
@ -29,7 +29,7 @@
|
||||
<locale language="English" country="UnitedStates"/>
|
||||
</property>
|
||||
<property name="currentIndex">
|
||||
<number>0</number>
|
||||
<number>2</number>
|
||||
</property>
|
||||
<widget class="QWidget" name="basic_tab">
|
||||
<property name="locale">
|
||||
@ -922,6 +922,41 @@
|
||||
</property>
|
||||
</widget>
|
||||
</item>
|
||||
<item row="2" column="0">
|
||||
<widget class="QWidget" name="tempFullAccessWidget" native="true">
|
||||
<property name="enabled">
|
||||
<bool>true</bool>
|
||||
</property>
|
||||
<layout class="QGridLayout" name="gridLayout_6">
|
||||
<property name="leftMargin">
|
||||
<number>0</number>
|
||||
</property>
|
||||
<property name="topMargin">
|
||||
<number>0</number>
|
||||
</property>
|
||||
<property name="bottomMargin">
|
||||
<number>0</number>
|
||||
</property>
|
||||
<item row="0" column="0">
|
||||
<widget class="QCheckBox" name="tempFullAccess">
|
||||
<property name="text">
|
||||
<string>Allow full access for </string>
|
||||
</property>
|
||||
</widget>
|
||||
</item>
|
||||
<item row="0" column="1">
|
||||
<widget class="QSpinBox" name="tempFullAccessTime">
|
||||
<property name="suffix">
|
||||
<string> min</string>
|
||||
</property>
|
||||
<property name="value">
|
||||
<number>5</number>
|
||||
</property>
|
||||
</widget>
|
||||
</item>
|
||||
</layout>
|
||||
</widget>
|
||||
</item>
|
||||
</layout>
|
||||
</widget>
|
||||
<widget class="QWidget" name="devices_tab">
|
||||
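Review bot: The `currentIndex` property in the first hunk appears to change from `<number>0</number>` to `<number>2</number>`, which looks like Qt Designer saving whichever tab was open rather than an intended change. Unless the dialog is meant to open on a different tab, it should stay at `0`. In the second hunk the `tempFullAccessTime` spin box sets only `suffix` and `value`, so it keeps the default QSpinBox range. Adding a `minimum` property of `1` would stop a 0 min selection from writing a rule that is expired as soon as it is saved.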
|