Add a tool to convert legacy policy files to new format #123
Conversation
marmarta
force-pushed
the
policyconvert
branch
from
34d6af8
to
28211c1
Compare
Codecov Report
@@ Coverage Diff @@
## main #123 +/- ##
==========================================
+ Coverage 85.09% 86.66% +1.56%
==========================================
Files 31 33 +2
Lines 5174 5503 +329
==========================================
+ Hits 4403 4769 +366
+ Misses 771 734 -37
|
| rules_to_save[CONFIG_FILE].append(rule) | ||
| continue | ||
| rules_to_save[filename].append(rule) | ||
| rules_to_save[filename] = missing |
There was a problem hiding this comment.
This overrides what could be added above. I don't think this assignment is supposed to be here.
| print(line) | ||
| if input("Do you want to restore initial state? [Y/n] ").upper() != "N": | ||
| # rename all old | ||
| for file in OLD_POLICY_DIR.iterdir(): |
There was a problem hiding this comment.
Better store list of renamed files, there could be some rpmsave files before (not created by this tool).
| for filename in rules_to_save: | ||
| file = NEW_POLICY_DIR / (filename + ".policy") | ||
| if file.exists(): | ||
| file.unlink() | ||
|
|
||
| # revert all new | ||
| for file in NEW_POLICY_DIR.iterdir(): | ||
| if file.is_file() and file.name.endswith('.bak'): | ||
| file.rename(file.with_suffix('')) |
There was a problem hiding this comment.
Here too - you do use list of files you saved to remove new files, but you should use that for restoring from .bak too.
| def __str__(self): | ||
| return str(self.rule) | ||
|
|
||
| def main(_args=None): |
There was a problem hiding this comment.
This tool should handle some arguments, even if it's just help that no arguments are there. Otherwise running qrexec-legacy-convert --help will actually make the conversion, which isn't nice.
|
|
||
| def main(_args=None): | ||
| # get initial state | ||
| initial_state = set(subprocess.check_output( |
There was a problem hiding this comment.
This takes a bit of time, add some message before what is happening.
| if missing: | ||
| rules_to_save[CONFIG_FILE].extend(missing) | ||
|
|
||
| elif service in ('u2f.Authenticate', 'u2f.Register', |
There was a problem hiding this comment.
This is not specific enough - it puts rules for specific U2F keys in the policy file too, but they aren't currently handled correctly by the global config tool: QubesOS/qubes-issues#8525
There was a problem hiding this comment.
this probably means those rules with a specified argument should go into their appropriate file - 60-registered-arguments.policy
marmarta
force-pushed
the
policyconvert
branch
2 times, most recently
from
cbe7ef2
to
c3a82be
Compare
marmarta
force-pushed
the
policyconvert
branch
2 times, most recently
from
b3fb06a
to
8e96e9a
Compare
There was a problem hiding this comment.
I've found few more cases that are mishandled:
qubes.Gpgwith@anyvm @anyvm askat the end, but some other rules earlier. For example:
work1 keys1 allow
work2 keys2 allow
work2-bis keys2 allow
@anyvm keys1 deny
@anyvm keys2 deny
@anyvm keys3 deny
@anyvm @anyvm ask
This sets special handling for keys1/2/3 (and some qubes that use them), but otherwise allows user to choose. And more importantly, for interactive selection, those keys1/2/3 are not available (due to the deny rules). The conversion tool puts @anyvm @anyvm ask into 30-user.policy, and other rules to 50-config-splitgpg.policy. And then correctly detects it isn't the same semantics (because in this case order matters).
This case is important, because default qubes.Gpg policy used to have @anyvm @anyvm ask, so this case will trigger for many users. Maybe put this wildcard rule to 51-config-splitgpg-default.policy (if found in legacy policy) ? The removal of the wildcard rule in default config was intentional (since we have nice GUI for setting specific rules now), but I don't know how to nicely handle it during conversion, to not risk breaking existing setup (removing this rule might be okay in some cases, but not some others).
Or maybe, just put all qubes.Gpg rules into 30-user.policy (preserving their order), and let the user migrate this part manually (see 1a below)?
1a. The global config GUI complains it doesn't understand the "allow" rules for qubes.Gpg service from the point above. So, those shouldn't be added to 50-config-splitgpg.policy.
- Some updates proxy rules were put in 30-user.policy, instead of 50-config-updates.policy:
qubes.UpdatesProxy * fedora-39-mintest @default allow target=sys-net
qubes.UpdatesProxy * @type:TemplateVM @default allow target=sys-whonix
The first one is expected as custom rule I think, but the second one looks standard, no?
policy.RegisterArgument +u2f.Authenticateput into30-user.policyinstead of50-config-u2f.policy:
policy.RegisterArgument +u2f.Authenticate sys-usb vm1 allow target=@adminvm
policy.RegisterArgument +u2f.Authenticate sys-usb vm2 allow target=@adminvm
policy.RegisterArgument +u2f.Authenticate sys-usb vm3 allow target=@adminvm
policy.RegisterArgument +u2f.Authenticate sys-usb @anyvm ask default_target=@adminvm
Not sure about the last one, but others look standard. This one I found why - see below.
marmarta
force-pushed
the
policyconvert
branch
from
8e96e9a
to
bb40592
Compare
Enable outputting more information about permissions/actions Make output more flexible (can be provided as output parameter, not just sys.stdout)
marmarta
force-pushed
the
policyconvert
branch
from
bb40592
to
2849c90
Compare
fixes QubesOS/qubes-issues#8000