QubesOS/qubes-core-admin-linux
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

qubespolicy: use '@' instead of '$' for policy keywords

Browse Source 
Using '$' is easy to misuse in shell scripts, shell commands etc. After
all this years, lets abandon this dangerous character and move to
something safer: '@'. The choice was made after reviewing specifications
of various shells on different operating systems and this is the
character that have no special meaning in none of them.

To preserve compatibility, automatically translate '$' to '@' when
loading policy files.
This commit is contained in:
Marek Marczykowski-Górecki 2018-02-19 02:26:02 +01:00
parent 6b0fef6dba
commit fe271c5672
No known key found for this signature in database
GPG Key ID: 063938BA42CFA724
1 changed files with 6 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
qrexec/qrexec-policy
View File

@ -63,6 +63,7 @@ def read_policy_file(service_name):
f = open(policy_file)
fcntl.flock(f, fcntl.LOCK_SH)
for iter in f.readlines():
iter = iter.replace('$', '@')
dict = line_to_dict(iter)
if dict is not None:
policy_list.append(dict)
@ -70,7 +71,7 @@ def read_policy_file(service_name):
return policy_list
def is_match(item, config_term):
return (item != "dom0" and config_term == "$anyvm") or item == config_term
return (item != "dom0" and config_term == "@anyvm") or item == config_term
def get_default_policy():
dict={}
@ -89,7 +90,7 @@ def find_policy(policy, domain, target):
def validate_target(target):
# special targets
if target in ['$dispvm']:
if target in ['@dispvm']:
return True
qc = QubesVmCollection()
@ -110,7 +111,7 @@ def spawn_target_if_necessary(vm):
null.close()
def do_execute(domain, target, user, service_name, process_ident, vm=None):
if target == "$dispvm":
if target == "@dispvm":
cmd = "/usr/lib/qubes/qfile-daemon-dvm " + service_name + " " + domain + " " +user
os.execl(QREXEC_CLIENT, "qrexec-client",
"-d", "dom0", "-c", process_ident, cmd)
@ -179,11 +180,11 @@ def create_policy(service_name):
policyFile = "/etc/qubes-rpc/policy/"+service_name
policy = open(policyFile, "w")
policy.write("## Note that policy parsing stops at the first match,\n")
policy.write("## so adding anything below \"$anyvm $anyvm action\" line will have no effect\n")
policy.write("## so adding anything below \"@anyvm @anyvm action\" line will have no effect\n")
policy.write("\n")
policy.write("## Please use a single # to start your custom comments\n")
policy.write("\n")
policy.write("$anyvm $anyvm ask\n")
policy.write("@anyvm @anyvm ask\n")
policy.close()
def main():