Qubes/manager
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

firewall: add an option to temporary allow full network access (#760)

Browse Source 
Add rule "*" with expire time set.
This commit is contained in:
Marek Marczykowski-Górecki 2014-03-28 05:19:07 +01:00
parent 3b3846eeb5
commit 41bf7b448e
3 changed files with 76 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
qubesmanager/firewall.py
View File

@ -26,6 +26,7 @@ import xml.etree.ElementTree
from PyQt4.QtCore import * from PyQt4.QtCore import *
from PyQt4.QtGui import * from PyQt4.QtGui import *
import datetime
from qubes.qubes import QubesVmCollection from qubes.qubes import QubesVmCollection
from qubes.qubes import QubesException from qubes.qubes import QubesException
@ -200,17 +201,23 @@ class QubesFirewallRulesModel(QAbstractItemModel):
self.allowDns = conf["allowDns"] self.allowDns = conf["allowDns"]
self.allowIcmp = conf["allowIcmp"] self.allowIcmp = conf["allowIcmp"]
self.allowYumProxy = conf["allowYumProxy"] self.allowYumProxy = conf["allowYumProxy"]
self.tempFullAccessExpireTime = 0
for rule in conf["rules"]: for rule in conf["rules"]:
self.appendChild(rule) self.appendChild(rule)
if "expire" in rule and rule["address"] == "0.0.0.0":
self.tempFullAccessExpireTime = rule["expire"]
def get_vm_name(self): def get_vm_name(self):
return self.__vm.name return self.__vm.name
def apply_rules(self, allow, dns, icmp, yumproxy): def apply_rules(self, allow, dns, icmp, yumproxy, tempFullAccess=False,
tempFullAccessTime=None):
assert self.__vm is not None assert self.__vm is not None
if(self.allow != allow or self.allowDns != dns or self.allowIcmp != icmp or self.allowYumProxy != yumproxy): if self.allow != allow or self.allowDns != dns or \
self.allowIcmp != icmp or self.allowYumProxy != yumproxy or \
(self.tempFullAccessExpireTime != 0) != tempFullAccess:
self.fw_changed = True self.fw_changed = True
conf = { "allow": allow, conf = { "allow": allow,
@ -221,8 +228,25 @@ class QubesFirewallRulesModel(QAbstractItemModel):
} }
for rule in self.children: for rule in self.children:
if "expire" in rule and rule["address"] == "0.0.0.0" and \
rule["netmask"] == 0 and rule["proto"] == "any":
# rule already present, update its time
if tempFullAccess:
rule["expire"] = \
int(datetime.datetime.now().strftime("%s")) + \
tempFullAccessTime*60
tempFullAccess = False
conf["rules"].append(rule) conf["rules"].append(rule)
if tempFullAccess and not allow:
conf["rules"].append({"address": "0.0.0.0",
"netmask": 0,
"proto": "any",
"expire": int(
datetime.datetime.now().strftime("%s"))+\
tempFullAccessTime*60
})
if self.fw_changed: if self.fw_changed:
self.__vm.write_firewall_conf(conf) self.__vm.write_firewall_conf(conf)

15
qubesmanager/settings.py
View File

@ -102,6 +102,8 @@ class VMSettingsWindow(Ui_SettingsDialog, QDialog):
self.newRuleButton.clicked.connect(self.new_rule_button_pressed) self.newRuleButton.clicked.connect(self.new_rule_button_pressed)
self.editRuleButton.clicked.connect(self.edit_rule_button_pressed) self.editRuleButton.clicked.connect(self.edit_rule_button_pressed)
self.deleteRuleButton.clicked.connect(self.delete_rule_button_pressed) self.deleteRuleButton.clicked.connect(self.delete_rule_button_pressed)
self.policyDenyRadioButton.clicked.connect(self.policy_changed)
self.policyAllowRadioButton.clicked.connect(self.policy_changed)
####### devices tab ####### devices tab
self.__init_devices_tab__() self.__init_devices_tab__()
@ -179,7 +181,9 @@ class VMSettingsWindow(Ui_SettingsDialog, QDialog):
self.fw_model.apply_rules(self.policyAllowRadioButton.isChecked(), self.fw_model.apply_rules(self.policyAllowRadioButton.isChecked(),
self.dnsCheckBox.isChecked(), self.dnsCheckBox.isChecked(),
self.icmpCheckBox.isChecked(), self.icmpCheckBox.isChecked(),
self.yumproxyCheckBox.isChecked()) self.yumproxyCheckBox.isChecked(),
self.tempFullAccess.isChecked(),
self.tempFullAccessTime.value())
except Exception as ex: except Exception as ex:
ret += ["Firewall tab:", str(ex)] ret += ["Firewall tab:", str(ex)]
@ -782,10 +786,19 @@ class VMSettingsWindow(Ui_SettingsDialog, QDialog):
self.dnsCheckBox.setChecked(model.allowDns) self.dnsCheckBox.setChecked(model.allowDns)
self.icmpCheckBox.setChecked(model.allowIcmp) self.icmpCheckBox.setChecked(model.allowIcmp)
self.yumproxyCheckBox.setChecked(model.allowYumProxy) self.yumproxyCheckBox.setChecked(model.allowYumProxy)
if model.tempFullAccessExpireTime:
self.tempFullAccess.setChecked(True)
self.tempFullAccessTime.setValue(
(model.tempFullAccessExpireTime -
int(datetime.datetime.now().strftime("%s")))/60)
def set_allow(self, allow): def set_allow(self, allow):
self.policyAllowRadioButton.setChecked(allow) self.policyAllowRadioButton.setChecked(allow)
self.policyDenyRadioButton.setChecked(not allow) self.policyDenyRadioButton.setChecked(not allow)
self.policy_changed(allow)
def policy_changed(self, checked):
self.tempFullAccessWidget.setEnabled(self.policyDenyRadioButton.isChecked())
def new_rule_button_pressed(self): def new_rule_button_pressed(self):
dialog = NewFwRuleDlg() dialog = NewFwRuleDlg()

37
settingsdlg.ui
View File

@ -29,7 +29,7 @@
<locale language="English" country="UnitedStates"/> <locale language="English" country="UnitedStates"/>
</property> </property>
<property name="currentIndex"> <property name="currentIndex">
<number>0</number> <number>2</number>
</property> </property>
<widget class="QWidget" name="basic_tab"> <widget class="QWidget" name="basic_tab">
<property name="locale"> <property name="locale">
@ -922,6 +922,41 @@
</property> </property>
</widget> </widget>
</item> </item>
<item row="2" column="0">
<widget class="QWidget" name="tempFullAccessWidget" native="true">
<property name="enabled">
<bool>true</bool>
</property>
<layout class="QGridLayout" name="gridLayout_6">
<property name="leftMargin">
<number>0</number>
</property>
<property name="topMargin">
<number>0</number>
</property>
<property name="bottomMargin">
<number>0</number>
</property>
<item row="0" column="0">
<widget class="QCheckBox" name="tempFullAccess">
<property name="text">
<string>Allow full access for </string>
</property>
</widget>
</item>
<item row="0" column="1">
<widget class="QSpinBox" name="tempFullAccessTime">
<property name="suffix">
<string> min</string>
</property>
<property name="value">
<number>5</number>
</property>
</widget>
</item>
</layout>
</widget>
</item>
</layout> </layout>
</widget> </widget>
<widget class="QWidget" name="devices_tab"> <widget class="QWidget" name="devices_tab">