dom0-updates: code style fixes

Marek Marczykowski-Górecki 2017-02-22 12:20:34 +01:00
parent 514c27d681
commit 452b6c4ae2
No known key found for this signature in database
GPG Key ID: 063938BA42CFA724


@ -18,14 +18,12 @@
# along with this program; if not, write to the Free Software # along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
# #
#
import os import os
import os.path import os.path
import re import re
import sys import sys
import subprocess import subprocess
import shutil import shutil
import glob
import grp import grp
import qubes import qubes
@ -48,6 +46,7 @@ package_regex = re.compile(r"^[A-Za-z0-9._+-]{1,128}.rpm$")
# .....rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#246110c1) # .....rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#246110c1)
gpg_ok_regex = re.compile(r": [a-z0-9() ]* (pgp|gpg) [a-z0-9 ]*OK$") gpg_ok_regex = re.compile(r": [a-z0-9() ]* (pgp|gpg) [a-z0-9 ]*OK$")
def dom0updates_fatal(pkg, msg): def dom0updates_fatal(pkg, msg):
global updates_error_file_handle global updates_error_file_handle
print(msg, file=sys.stderr) print(msg, file=sys.stderr)
@ -56,10 +55,11 @@ def dom0updates_fatal(pkg, msg):
updates_error_file_handle.write(msg + "\n") updates_error_file_handle.write(msg + "\n")
os.remove(pkg) os.remove(pkg)
def handle_dom0updates(updatevm): def handle_dom0updates(updatevm):
global updates_error_file_handle global updates_error_file_handle
source=os.getenv("QREXEC_REMOTE_DOMAIN") source = os.getenv("QREXEC_REMOTE_DOMAIN")
if source != updatevm.name: if source != updatevm.name:
print('Domain ' + str(source) + ' not allowed to send dom0 updates', print('Domain ' + str(source) + ' not allowed to send dom0 updates',
file=sys.stderr) file=sys.stderr)
@ -77,11 +77,13 @@ def handle_dom0updates(updatevm):
os.mkdir(updates_rpm_dir) os.mkdir(updates_rpm_dir)
os.chown(updates_rpm_dir, -1, qubes_gid) os.chown(updates_rpm_dir, -1, qubes_gid)
os.chmod(updates_rpm_dir, 0o0775) os.chmod(updates_rpm_dir, 0o0775)
subprocess.check_call(["/usr/libexec/qubes/qfile-dom0-unpacker", str(os.getuid()), updates_rpm_dir]) subprocess.check_call(["/usr/libexec/qubes/qfile-dom0-unpacker",
str(os.getuid()), updates_rpm_dir])
# Verify received files # Verify received files
for untrusted_f in os.listdir(updates_rpm_dir): for untrusted_f in os.listdir(updates_rpm_dir):
if not package_regex.match(untrusted_f): if not package_regex.match(untrusted_f):
dom0updates_fatal(updates_rpm_dir + '/' + untrusted_f, 'Domain ' + source + ' sent unexpected file: ' + untrusted_f) dom0updates_fatal(updates_rpm_dir + '/' + untrusted_f,
'Domain ' + source + ' sent unexpected file: ' + untrusted_f)
else: else:
f = untrusted_f f = untrusted_f
assert '/' not in f assert '/' not in f
@ -90,14 +92,17 @@ def handle_dom0updates(updatevm):
full_path = updates_rpm_dir + "/" + f full_path = updates_rpm_dir + "/" + f
if os.path.islink(full_path) or not os.path.isfile(full_path): if os.path.islink(full_path) or not os.path.isfile(full_path):
dom0updates_fatal(full_path, 'Domain ' + source + ' sent not regular file') dom0updates_fatal(
p = subprocess.Popen (["/bin/rpm", "-K", full_path], full_path, 'Domain ' + source + ' sent not regular file')
p = subprocess.Popen(["/bin/rpm", "-K", full_path],
stdout=subprocess.PIPE) stdout=subprocess.PIPE)
output = p.communicate()[0].decode('ascii') output = p.communicate()[0].decode('ascii')
if p.returncode != 0: if p.returncode != 0:
dom0updates_fatal(full_path, 'Error while verifing %s signature: %s' % (f, output)) dom0updates_fatal(full_path,
'Error while verifing %s signature: %s' % (f, output))
if not gpg_ok_regex.search(output.strip()): if not gpg_ok_regex.search(output.strip()):
dom0updates_fatal(full_path, 'Domain ' + source + ' sent not signed rpm: ' + f) dom0updates_fatal(full_path,
'Domain ' + source + ' sent not signed rpm: ' + f)
if updates_error_file_handle is not None: if updates_error_file_handle is not None:
updates_error_file_handle.close() updates_error_file_handle.close()
# After updates received - create repo metadata # After updates received - create repo metadata
@ -109,19 +114,21 @@ def handle_dom0updates(updatevm):
os.chown(updates_repodata_dir, -1, qubes_gid) os.chown(updates_repodata_dir, -1, qubes_gid)
os.chmod(updates_repodata_dir, 0o0775) os.chmod(updates_repodata_dir, 0o0775)
# Clean old cache # Clean old cache
subprocess.call(["sudo", "/usr/bin/yum", "-q", "clean", "all"], stdout=sys.stderr) subprocess.call(["sudo", "/usr/bin/yum", "-q", "clean", "all"],
# This will fail because of "smart" detection of no-network, but it will invalidate the cache stdout=sys.stderr)
# This will fail because of "smart" detection of no-network,
# but it will invalidate the cache
try: try:
null = open('/dev/null','w') null = open('/dev/null', 'w')
subprocess.call(["/usr/bin/pkcon", "refresh"], stdout=null) subprocess.call(["/usr/bin/pkcon", "refresh"], stdout=null)
null.close() null.close()
except: except subprocess.CalledProcessError:
pass pass
os.umask(old_umask) os.umask(old_umask)
exit(0) exit(0)
def main():
def main():
app = qubes.Qubes() app = qubes.Qubes()
updatevm = app.updatevm updatevm = app.updatevm