forked from QubesOS/qubes-core-qrexec
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Also includes rudimentary protocol documentation. Contains only pure policy daemon that's not used by anything yet. references QubesOS/qubes-issues#5125
- Loading branch information
Showing
6 changed files
with
367 additions
and
13 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| Qubes Policy Request Daemon | ||
| =========================== | ||
|
|
||
| Protocol | ||
| ^^^^^^^^ | ||
|
|
||
| Request | ||
| ------- | ||
|
|
||
| Newline-separated: | ||
|
|
||
| - domain_id= | ||
| - source= | ||
| - intended_target= | ||
| - service_and_arg= | ||
| - process_ident= | ||
|
|
||
| Optional arguments: | ||
|
|
||
| - assume_yes_for_ask=yes | ||
| - just_evaluate=yes | ||
|
|
||
|
|
||
| Response | ||
| -------- | ||
|
|
||
| `result=allow/deny` | ||
|
|
||
| Any possible extensions may be placed on next lines. | ||
| All responses that do not start with `result=allow` or `result=deny` are | ||
| incorrect and will be rejected. | ||
|
|
||
| End of response and request is always an empty line. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,178 @@ | ||
| # | ||
| # The Qubes OS Project, http://www.qubes-os.org | ||
| # | ||
| # Copyright (C) 2019 Marta Marczykowska-Górecka | ||
| # <[email protected]> | ||
| # | ||
| # This library is free software; you can redistribute it and/or | ||
| # modify it under the terms of the GNU Lesser General Public | ||
| # License as published by the Free Software Foundation; either | ||
| # version 2.1 of the License, or (at your option) any later version. | ||
| # | ||
| # This library is distributed in the hope that it will be useful, | ||
| # but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
| # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | ||
| # Lesser General Public License for more details. | ||
| # | ||
| # You should have received a copy of the GNU Lesser General Public | ||
| # License along with this library; if not, see <https://www.gnu.org/licenses/>. | ||
| # | ||
|
|
||
| import asyncio | ||
| from contextlib import suppress | ||
|
|
||
| import pytest | ||
| from unittest.mock import Mock | ||
| import functools | ||
|
|
||
| import unittest | ||
| import unittest.mock | ||
|
|
||
| from ..tools import qrexec_policy_daemon | ||
|
|
||
| class TestPolicyDaemon: | ||
| @pytest.fixture | ||
| def mock_request(self, monkeypatch): | ||
| mock_request = Mock() | ||
| monkeypatch.setattr('qrexec.tools.qrexec_policy_daemon.handle_request', | ||
| mock_request) | ||
| return mock_request | ||
|
|
||
| @pytest.fixture | ||
| async def async_server(self, tmp_path, request): | ||
| log = unittest.mock.Mock() | ||
| server = await asyncio.start_unix_server( | ||
| functools.partial(qrexec_policy_daemon.handle_client_connection, | ||
| log, "path"), | ||
| path=str(tmp_path / "socket.d")) | ||
|
|
||
| yield server | ||
|
|
||
| server.close() | ||
|
|
||
| async def send_data(self, server, path, data): | ||
| reader, writer = await asyncio.open_unix_connection( | ||
| str(path / "socket.d")) | ||
| writer.write(data) | ||
| await writer.drain() | ||
|
|
||
| await reader.read() | ||
|
|
||
| writer.close() | ||
|
|
||
| server.close() | ||
|
|
||
| await server.wait_closed() | ||
|
|
||
|
|
||
| @pytest.mark.asyncio | ||
| async def test_simple_request(self, mock_request, async_server, tmp_path): | ||
|
|
||
| data = b'domain_id=a\n' \ | ||
| b'source=b\n' \ | ||
| b'intended_target=c\n' \ | ||
| b'service_and_arg=d\n' \ | ||
| b'process_ident=1 9\n\n' | ||
|
|
||
| await self.send_data(async_server, tmp_path, data) | ||
|
|
||
| mock_request.assert_called_once_with( | ||
| domain_id='a', source='b', intended_target='c', | ||
| service_and_arg='d', process_ident='1 9', log=unittest.mock.ANY, | ||
| path="path") | ||
|
|
||
| @pytest.mark.asyncio | ||
| async def test_complex_request(self, mock_request, async_server, tmp_path): | ||
|
|
||
| data = b'domain_id=a\n' \ | ||
| b'source=b\n' \ | ||
| b'intended_target=c\n' \ | ||
| b'service_and_arg=d\n' \ | ||
| b'process_ident=9\n' \ | ||
| b'assume_yes_for_ask=yes\n' \ | ||
| b'just_evaluate=yes\n\n' | ||
|
|
||
| await self.send_data(async_server, tmp_path, data) | ||
|
|
||
| mock_request.assert_called_once_with( | ||
| domain_id='a', source='b', intended_target='c', | ||
| service_and_arg='d', process_ident='9', log=unittest.mock.ANY, | ||
| assume_yes_for_ask=True, just_evaluate=True, path="path") | ||
|
|
||
| @pytest.mark.asyncio | ||
| async def test_complex_request2(self, mock_request, async_server, tmp_path): | ||
|
|
||
| data = b'domain_id=a\n' \ | ||
| b'source=b\n' \ | ||
| b'intended_target=c\n' \ | ||
| b'service_and_arg=d\n' \ | ||
| b'process_ident=9\n' \ | ||
| b'assume_yes_for_ask=no\n' \ | ||
| b'just_evaluate=no\n\n' | ||
|
|
||
| await self.send_data(async_server, tmp_path, data) | ||
|
|
||
| mock_request.assert_called_once_with( | ||
| domain_id='a', source='b', intended_target='c', | ||
| service_and_arg='d', process_ident='9', log=unittest.mock.ANY, | ||
| assume_yes_for_ask=False, just_evaluate=False, path="path") | ||
|
|
||
| @pytest.mark.asyncio | ||
| async def test_unfinished_request( | ||
| self, mock_request, async_server, tmp_path): | ||
|
|
||
| data = b'unfinished' | ||
|
|
||
| task = self.send_data(async_server, tmp_path, data) | ||
|
|
||
| with pytest.raises(asyncio.TimeoutError): | ||
| await asyncio.wait_for(task, timeout=2) | ||
|
|
||
| for task in asyncio.Task.all_tasks(): | ||
| task.cancel() | ||
|
|
||
| with suppress(asyncio.CancelledError): | ||
| await asyncio.sleep(1) | ||
|
|
||
| mock_request.assert_not_called() | ||
|
|
||
| @pytest.mark.asyncio | ||
| async def test_too_short_request( | ||
| self, mock_request, async_server, tmp_path): | ||
|
|
||
| data = b'domain_id=None\n\n' | ||
|
|
||
| await self.send_data(async_server, tmp_path, data) | ||
|
|
||
| mock_request.assert_not_called() | ||
|
|
||
| @pytest.mark.asyncio | ||
| async def test_duplicate_arg(self, mock_request, async_server, tmp_path): | ||
|
|
||
| data = b'domain_id=a\n' \ | ||
| b'source=b\n' \ | ||
| b'intended_target=c\n' \ | ||
| b'service_and_arg=d\n' \ | ||
| b'process_ident=9\n' \ | ||
| b'assume_yes_for_ask=no\n' \ | ||
| b'just_evaluate=no\n' \ | ||
| b'domain_id=a\n\n' | ||
|
|
||
| await self.send_data(async_server, tmp_path, data) | ||
|
|
||
| mock_request.assert_not_called() | ||
|
|
||
| @pytest.mark.asyncio | ||
| async def test_wrong_arg(self, mock_request, async_server, tmp_path): | ||
|
|
||
| data = b'domains_id=a\n' \ | ||
| b'source=b\n' \ | ||
| b'intended_target=c\n' \ | ||
| b'service_and_arg=d\n' \ | ||
| b'process_ident=9\n' \ | ||
| b'assume_yes_for_ask=no\n' \ | ||
| b'just_evaluate=no\n\n' | ||
|
|
||
| await self.send_data(async_server, tmp_path, data) | ||
|
|
||
| mock_request.assert_not_called() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,124 @@ | ||
| # | ||
| # The Qubes OS Project, http://www.qubes-os.org | ||
| # | ||
| # Copyright (C) 2019 Marta Marczykowska-Górecka | ||
| # <[email protected]> | ||
| # | ||
| # This library is free software; you can redistribute it and/or | ||
| # modify it under the terms of the GNU Lesser General Public | ||
| # License as published by the Free Software Foundation; either | ||
| # version 2.1 of the License, or (at your option) any later version. | ||
| # | ||
| # This library is distributed in the hope that it will be useful, | ||
| # but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
| # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | ||
| # Lesser General Public License for more details. | ||
| # | ||
| # You should have received a copy of the GNU Lesser General Public | ||
| # License along with this library; if not, see <https://www.gnu.org/licenses/>. | ||
| # | ||
|
|
||
| import argparse | ||
| import functools | ||
| import pathlib | ||
| import asyncio | ||
| import logging | ||
|
|
||
| from .. import POLICYPATH, POLICYSOCKET | ||
|
|
||
| from .qrexec_policy_exec import handle_request | ||
|
|
||
| argparser = argparse.ArgumentParser(description='Evaluate qrexec policy daemon') | ||
|
|
||
| argparser.add_argument('--policy-path', | ||
| type=pathlib.Path, default=POLICYPATH, | ||
| help='Use alternative policy path') | ||
| argparser.add_argument('--socket-path', | ||
| type=pathlib.Path, default=POLICYSOCKET, | ||
| help='Use alternative policy socket path') | ||
|
|
||
| REQUIRED_REQUEST_ARGUMENTS = ('domain_id', 'source', 'intended_target', | ||
| 'service_and_arg', 'process_ident') | ||
|
|
||
| OPTIONAL_REQUEST_ARGUMENTS = ('assume_yes_for_ask', 'just_evaluate') | ||
|
|
||
| ALLOWED_REQUEST_ARGUMENTS = REQUIRED_REQUEST_ARGUMENTS + \ | ||
| OPTIONAL_REQUEST_ARGUMENTS | ||
|
|
||
|
|
||
| async def handle_client_connection(log, policy_path, reader, writer): | ||
|
|
||
| args = {} | ||
|
|
||
| try: | ||
| while True: | ||
| line = await reader.readline() | ||
| line = line.decode('ascii').rstrip('\n') | ||
|
|
||
| if not line: | ||
| break | ||
|
|
||
| argument, value = line.split('=', 1) | ||
| if argument in args: | ||
| log.error( | ||
| 'error parsing policy request: ' | ||
| 'duplicate argument {}'.format(argument)) | ||
| return | ||
| if argument not in ALLOWED_REQUEST_ARGUMENTS: | ||
| log.error( | ||
| 'error parsing policy request: unknown argument {}'.format( | ||
| argument)) | ||
| return | ||
|
|
||
| if argument in ('assume_yes_for_ask', 'just_evaluate'): | ||
| if value == 'yes': | ||
| value = True | ||
| elif value == 'no': | ||
| value = False | ||
| else: | ||
| log.error( | ||
| 'error parsing policy request: invalid bool value ' | ||
| '{} for argument {}'.format(value, argument)) | ||
| return | ||
|
|
||
| args[argument] = value | ||
|
|
||
| if not all(arg in args for arg in REQUIRED_REQUEST_ARGUMENTS): | ||
| log.error( | ||
| 'error parsing policy request: required argument missing') | ||
| return | ||
|
|
||
| result = handle_request(**args, log=log, path=policy_path) | ||
|
|
||
| writer.write(b"result=deny\n" if result else b"result=allow\n") | ||
|
|
||
| await writer.drain() | ||
|
|
||
| finally: | ||
| writer.close() | ||
|
|
||
|
|
||
| async def start_serving(args=None): | ||
| args = argparser.parse_args(args) | ||
|
|
||
| log = logging.getLogger('policy') | ||
| log.setLevel(logging.INFO) | ||
| if not log.handlers: | ||
| handler = logging.handlers.SysLogHandler(address='/dev/log') | ||
| log.addHandler(handler) | ||
|
|
||
| server = await asyncio.start_unix_server( | ||
| functools.partial(handle_client_connection, log, args.policy_path), | ||
| path=args.socket_path) | ||
|
|
||
| await server.serve_forever() | ||
|
|
||
|
|
||
| def main(args=None): | ||
| # pylint: disable=no-member | ||
| # due to travis' limitations we have to use python 3.5 in pylint | ||
| asyncio.run(start_serving(args)) | ||
|
|
||
|
|
||
| if __name__ == '__main__': | ||
| main() |
Oops, something went wrong.