QubesOS/qubes-core-admin-linux
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

qrexec: fix "yes to all" for qrexec calls with custom argument

Browse Source 
If argument-specific policy file do not exists, create one based on
generic one.

Fixes QubesOS/qubes-issues#2403
Reported by @Rudd-O
This commit is contained in:
Marek Marczykowski-Górecki 2016-10-28 13:28:04 +02:00
parent 2768b22494
commit 1dff6361b7
No known key found for this signature in database
GPG Key ID: 063938BA42CFA724
1 changed files with 7 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
qrexec/qrexec-policy
View File

@ -9,6 +9,7 @@ import qubes.guihelpers
import libvirt import libvirt
from optparse import OptionParser from optparse import OptionParser
import fcntl import fcntl
import shutil
POLICY_FILE_DIR="/etc/qubes-rpc/policy" POLICY_FILE_DIR="/etc/qubes-rpc/policy"
# XXX: Backward compatibility, to be removed soon # XXX: Backward compatibility, to be removed soon
@ -136,7 +137,12 @@ def confirm_execution(domain, target, service_name):
def add_always_allow(domain, target, service_name, options): def add_always_allow(domain, target, service_name, options):
policy_file=POLICY_FILE_DIR+"/"+service_name policy_file=POLICY_FILE_DIR+"/"+service_name
if not os.path.isfile(policy_file): if not os.path.isfile(policy_file):
# if we add "always allow" for specifc argument value, base the new
# file on the generic one
policy_file_source = os.path.join(POLICY_FILE_DIR, service_name.split("+")[0])
if not os.path.isfile(policy_file_source):
return None return None
shutil.copy2(policy_file_source, policy_file)
f = open(policy_file, 'r+') f = open(policy_file, 'r+')
fcntl.flock(f, fcntl.LOCK_EX) fcntl.flock(f, fcntl.LOCK_EX)
lines = [] lines = []