def do_api(self, msg, sender):
"""
API ENTRY
"""
try:
if not self.check_auth(sender):
raise Exception('no authority')
rules = self.GRAC.data_center.get_json_rules()
if not rules:
raise Exception('not ready yet')
letter = msg['letter']
fname = letter['func_name']
if not fname in self.api_list:
raise Exception('unknown function name')
getattr(self, fname)(msg)
except Exception as e:
self.logger.error(grac_format_exc())
self.make_response(msg, API_ERROR, str(e))
except:
e = grac_format_exc()
self.logger.error(e)
self.make_response(msg, API_ERROR, 'INTERNAL ERROR')
return json.dumps(msg)
def save_printers(self):
"""
사용하고 있는 프린터 정보를 저장.
"""
try:
printers = self._conn.getPrinters()
if len(printers) <= 0:
return
except:
self.logger.error(grac_format_exc())
return
backup_path = META_FILE_PRINTER_BACKUP_PATH
os.makedirs(backup_path, exist_ok=True)
with open(backup_path + '/' + META_FILE_PRINTER_LIST, 'w') as f:
for printer_name, v in printers.items():
try:
uri = v['device-uri']
ppd = self._conn.getPPD(printer_name)
with open(ppd) as f2:
with open(backup_path + '/' + printer_name, 'w') as f3:
f3.write(f2.read())
f.write('{}{}{}\n'.format(printer_name, GRAC_PRINTER_DELIM,
uri))
except:
self.logger.error(grac_format_exc())
def reload(self, args):
"""
reload
"""
try:
self.logger.info('GRAC RELOADING BY DBUS')
try:
self.check_cert()
except:
self.logger.error(grac_format_exc())
self.data_center.show()
#SOUND/MICROPHONE INOTIFY THREAD
try:
if not self.data_center.sound_mic_inotify:
self.data_center.sound_mic_inotify = \
SoundMicInotify(self.data_center)
self.data_center.sound_mic_inotify.WM = \
self.start_sound_mic_inotify(self.data_center)
else:
self.reload_snd_mic_dev(
self.data_center.sound_mic_inotify.WM)
except:
self.logger.error(grac_format_exc())
#CLIPBOARD
'''
try:
if not self.clipboard_init:
self.clipboard_init = True
self.start_clipboard_handler(self.data_center)
except:
self.logger.error(grac_format_exc())
'''
if self.udev_dispatcher:
self.udev_dispatcher.stop_monitor()
self.synchronize_json_rule_and_device()
self.udev_dispatcher.start_monitor()
if self.grac_printer:
self.grac_printer.reload()
if self.grac_network:
self.grac_network.reload()
self.logger.info('GRAC RELOADED BY DBUS')
except:
self.logger.error(grac_format_exc())
return GRAC_OK
def stop(self, args):
"""
dbus stop
"""
try:
self.logger.info('GRAC STOPPING BY DBUS')
if self.udev_dispatcher:
self.udev_dispatcher.stop_monitor()
if self.grac_printer:
self.grac_printer.teardown()
if self._loop and self._loop.is_running():
self._loop.quit()
self.logger.info('GRAC STOPPED BY DBUS')
except:
e = grac_format_exc()
self.logger.error(e)
return e
return GRAC_OK
def rescan_pci(self):
"""
rescan pci devices
"""
try:
if os.path.exists(META_FILE_PCI_RESCAN):
'''
with open(META_FILE_PCI_RESCAN, 'r') as f:
lines = f.read().split('\n')
for line in lines:
if not line:
continue
media, path = line.split('=>')
parent_path = '/'.join(path.split('/')[:-2])
if os.path.exists(parent_path+'/rescan'):
with open(parent_path+'/rescan', 'w') as f2:
f2.write('1')
self.logger.info(
'rescan media={}:parent_path={}'.format(
media,
parent_path))
'''
with open('/sys/bus/pci/rescan', 'w') as f:
f.write('1')
os.unlink(META_FILE_PCI_RESCAN)
self.logger.info('---rescan pci---')
except:
self.logger.error(grac_format_exc())
def do_task(param, data_center):
"""
do task
"""
logger = GracLog.get_logger()
try:
mode = param[0]
authorized_path = search_file_reversely('/sys/' + param[1],
'authorized',
REVERSE_LOOKUP_LIMIT)
with open(authorized_path, 'w') as f:
f.write('0')
logger.info('mode has changed to {}'.format(mode))
logger.debug('***** DVD MODULE disallow {}'.format(param[1]))
logmsg, notimsg, grmcode = \
make_media_msg(JSON_RULE_CD_DVD, mode)
red_alert2(logmsg, notimsg, JLEVEL_DEFAULT_NOTI, grmcode,
data_center)
write_event_log(
SOMANSA,
datetime.datetime.now().strftime('%Y%m%d %H:%M:%S'),
JSON_RULE_CD_DVD, SOMANSA_STATE_DISALLOW, 'null', 'null',
'null', 'null')
except:
e = grac_format_exc()
logger.error(e)
return GRAC_OK
def do_task(param, data_center):
"""
do task
"""
logger = GracLog.get_logger()
try:
mode = param[0]
#skeep 'event' of mouse events
#for processing task once
if 'event' in param[1].split('/')[-1]:
return GRAC_OK
bConfigurationValue_path = search_file_reversely(
'/sys/' + param[1], 'bConfigurationValue', REVERSE_LOOKUP_LIMIT)
with open(bConfigurationValue_path, 'w') as f:
f.write('0')
logger.info('mode has changed to {}'.format(mode))
logmsg, notimsg, grmcode = \
make_media_msg(JSON_RULE_MOUSE, mode)
red_alert2(logmsg, notimsg, JLEVEL_DEFAULT_NOTI, grmcode,
data_center)
except:
e = grac_format_exc()
logger.error(e)
return GRAC_OK
def _watch_printers(self):
"""
thread target
"""
while True:
if self._watchdog_dead:
break
if self._watchdog_bark_on:
try:
printers = self._conn.getPrinters()
for printer_name in printers:
self._conn.deletePrinter(printer_name)
self.logger.debug(
'(watch) delete printer({})'.format(printer_name))
logmsg, notimsg, grmcode = \
make_media_msg(JSON_RULE_PRINTER, JSON_RULE_DISALLOW)
red_alert2(logmsg, notimsg, JLEVEL_DEFAULT_NOTI,
grmcode, self.data_center)
except:
self.logger.error(grac_format_exc())
time.sleep(1)
def reload(self):
"""
grac reload
"""
self.logger.info('reloading')
try:
#printer state is allow or not
json_rules = self.data_center.get_json_rules()
v = json_rules[JSON_RULE_PRINTER]
state = None
if isinstance(v, str):
state = v
else:
state = v[JSON_RULE_STATE]
if state == JSON_RULE_ALLOW:
self.stop_watching()
self.load_and_add_printers()
self.start_cups_browsed()
else:
self.stop_cups_browsed()
self.save_printers()
self.delete_printers()
self.start_to_watch()
except:
self.logger.error(grac_format_exc())
self.logger.info('reloaded')
def get_usb_network_port_blacklist(self):
"""
get usb network whitelist regex
"""
usb_port_blacklist = '/usb[0-9]*/'
try:
block_usb_regex = re.compile('/usb[0-9]*/')
whitelist = self._usb_network_whitelist
ports = None
for k, v in whitelist.items():
if k.strip().lower() == 'usbbus':
ports = [int(n) for n in v.strip().split(',') if n]
break
if not ports:
return usb_port_blacklist
if ports:
black = ''
for n in range(10):
if n in ports:
continue
black += str(n)
if not black:
return None
return '/usb[{}]*/'.format(black)
except:
self.logger.error(grac_format_exc())
return usb_port_blacklist
def do_task(param, data_center):
"""
do task
"""
logger = GracLog.get_logger()
try:
mode = param[0]
bConfigurationValue_path = search_file_reversely(
'/sys/' + param[1], 'bConfigurationValue', REVERSE_LOOKUP_LIMIT)
with open(bConfigurationValue_path, 'w') as f:
f.write('0')
with open('{}/{}.bcvp'.format(META_ROOT, JSON_RULE_CAMERA),
'w') as f2:
f2.write(bConfigurationValue_path)
logger.info('mode has changed to {}'.format(mode))
logmsg, notimsg, grmcode = \
make_media_msg(JSON_RULE_CAMERA, mode)
red_alert2(logmsg, notimsg, JLEVEL_DEFAULT_NOTI, grmcode,
data_center)
except:
e = grac_format_exc()
logger.error(e)
return GRAC_OK
def load_and_add_printers(self):
"""
저장되어 있는 프린터정보를 이용해서 프린터 추가
"""
backup_path = META_FILE_PRINTER_BACKUP_PATH
if not os.path.exists(backup_path):
return
printer_list = backup_path + '/' + META_FILE_PRINTER_LIST
if not os.path.exists(printer_list):
return
with open(printer_list) as f:
try:
for print_info in f.readlines():
print_name, uri = print_info.split(GRAC_PRINTER_DELIM)
ppd = cups.PPD(backup_path + '/' + print_name)
self._conn.addPrinter(print_name, device=uri, ppd=ppd)
self._conn.enablePrinter(print_name)
self._conn.acceptJobs(print_name)
except:
self.logger.error(grac_format_exc())
shutil.rmtree(backup_path)
def dns_resolver(self, domain):
"""
dns resolver
"""
try:
import DNS
req = DNS.DnsRequest(domain, qtype='A').req().answers
return [r['data'] for r in req if r['typename'] == 'A']
except:
self.logger.error(grac_format_exc())
return []
def stop_cups_browsed(self):
"""
stop cups-browsed.service
"""
try:
bus = dbus.SystemBus()
systemd1 = bus.get_object(SD_BUS_NAME, SD_BUS_OBJ)
manager = dbus.Interface(systemd1, dbus_interface=SD_BUS_IFACE)
manager.StopUnit('cups-browsed.service', "fail")
except:
self.logger.error(grac_format_exc())
def delete_printers(self):
"""
사용하고 있는 프린터를 삭제
"""
try:
printers = self._conn.getPrinters()
if len(printers) <= 0:
return
except:
self.logger.error(grac_format_exc())
return
for printer_name in printers:
try:
self._conn.deletePrinter(printer_name)
self.logger.debug('delete printer({})'.format(printer_name))
logmsg, notimsg, grmcode = \
make_media_msg(JSON_RULE_PRINTER, JSON_RULE_DISALLOW)
red_alert2(logmsg, notimsg, JLEVEL_DEFAULT_NOTI, grmcode,
self.data_center)
except:
self.logger.error(grac_format_exc())
def do_api(self, args, sender=None):
"""
media api method
"""
try:
msg = json.loads(args)
api = GracApi(self)
return api.do_api(msg, sender)
except:
e = grac_format_exc()
self.logger.error(e)
return args
def get_login_username(self):
"""
get login username
"""
try:
login_id, _ = catch_user_id()
if login_id and login_id[0] == '-':
login_id = None
except:
login_id = None
self.logger.error(grac_format_exc())
return login_id
def ip_type(self, ip):
"""
check ipv4 | ipv6 | domain
"""
try:
ip = ip.split('/')[0]
it = ipaddress.ip_address(ip)
if isinstance(it, ipaddress.IPv4Address):
return 'v4'
return 'v6'
except:
#not checking value
self.logger.info(grac_format_exc())
return 'domain'
def get_username_with_uid(self, pid):
"""
get username with uid of the process that have called api
"""
try:
with open('/proc/{}/status'.format(pid)) as f:
for l in f.readlines():
if l.startswith('Uid:'):
uid = int(l.split()[1])
return pwd.getpwuid(uid).pw_name
except:
self.logger.error(grac_format_exc())
return None
def do_task(param, data_center):
"""
do task
"""
logger = GracLog.get_logger()
try:
mode = param[0]
if mode == JSON_RULE_DISALLOW:
devpath = param[1]
#################### WHITE LIST ####################
usb_port_blacklist = \
data_center.get_usb_network_port_blacklist()
logger.debug(
'(UNW MOD) usb_port_blacklist={}'.format(usb_port_blacklist))
if not usb_port_blacklist:
logger.info('(UNW MOD) blacklist is empty')
return
block_usb_regex = re.compile(usb_port_blacklist)
if not block_usb_regex.search(devpath):
logger.info('(UNW MOD) path={} not in blacklist={}'.format(
devpath, usb_port_blacklist))
return
###################################################
authorized_path = search_file_reversely('/sys/' + devpath,
'authorized',
REVERSE_LOOKUP_LIMIT)
with open(authorized_path, 'w') as f:
f.write('0')
logger.info('mode has changed to {}'.format(mode))
logmsg, notimsg, grmcode = \
make_media_msg(JSON_RULE_USB_NETWORK, mode)
red_alert2(logmsg, notimsg, JLEVEL_DEFAULT_NOTI, grmcode,
data_center)
logger.debug('***** USB NETWORK MODULE disallow {}'.format(
param[1]))
except:
e = grac_format_exc()
GracLog.get_logger().error(e)
logger.error(e)
return GRAC_OK
def do_task(param, data_center):
"""
do task
"""
logger = GracLog.get_logger()
try:
mode = param[0]
remove_path = search_file_reversely('/sys/' + param[1], 'remove',
REVERSE_LOOKUP_LIMIT)
#v2.0
if not os.path.exists(remove_path):
logger.error('(wireless) REMOVE NOT FOUND')
return
with open(remove_path, 'w') as f:
f.write('1')
if os.path.exists(remove_path):
remove_second = '/'.join(remove_path.split('/')[:-2]) + '/remove'
if not os.path.exists(remove_second):
logger.error('(wireless) FAIL TO REMOVE 1')
return
else:
with open(remove_second, 'w') as sf:
sf.write('1')
if os.path.exists(remove_path):
logger.error('(wireless) FAIL TO REMOVE 2')
return
with open(META_FILE_PCI_RESCAN, 'a') as f2:
f2.write('wireless=>{}'.format(remove_path))
logger.info('mode has changed to {}'.format(mode))
logmsg, notimsg, grmcode = \
make_media_msg(JSON_RULE_WIRELESS, mode)
red_alert2(logmsg, notimsg, JLEVEL_DEFAULT_NOTI, grmcode, data_center)
write_event_log(SOMANSA,
datetime.datetime.now().strftime('%Y%m%d %H:%M:%S'),
JSON_RULE_WIRELESS, SOMANSA_STATE_DISALLOW, 'null',
'null', 'null', 'null')
except:
e = grac_format_exc()
logger.error(e)
return GRAC_OK
def clipboard_handler(self, *args):
"""
clipboard handler
"""
try:
#CHECK EXTENSION(screencapture/clipboard)
if os.path.exists(EXTENSION_FULLPATH):
return
data_center = args[2]
clipboard_rule = data_center.get_media_state(JSON_RULE_CLIPBOARD)
if clipboard_rule == JSON_RULE_ALLOW:
return
clip = args[0]
if clip.wait_is_text_available() and clip.wait_for_text():
Gtk.Clipboard.set_text(clip, "", 0)
Gtk.Clipboard.clear(clip)
GracLog.get_logger().info('clipboard text blocked')
logmsg, notimsg, grmcode = \
make_media_msg(JSON_RULE_CLIPBOARD, clipboard_rule)
red_alert2(logmsg, notimsg, JLEVEL_DEFAULT_NOTI, grmcode,
data_center) #, flag=RED_ALERT_ALERTONLY)
elif clip.wait_is_image_available() and clip.wait_for_image():
new_pb = gi.repository.GdkPixbuf.Pixbuf()
Gtk.Clipboard.set_image(clip, new_pb)
Gtk.Clipboard.clear(clip)
GracLog.get_logger().info('clipboard image blocked')
logmsg, notimsg, grmcode = \
make_media_msg(JSON_RULE_CLIPBOARD, clipboard_rule)
red_alert2(logmsg, notimsg, JLEVEL_DEFAULT_NOTI, grmcode,
data_center) #, flag=RED_ALERT_ALERTONLY)
elif clip.wait_is_rich_text_available(Gtk.TextBuffer()) \
and clip.wait_for_rich_text():
Gtk.Clipboard.clear(clip)
GracLog.get_logger().info('clipboard rich blocked')
elif clip.wait_is_uris_available() and clip.wait_for_uris():
Gtk.Clipboard.clear(clip)
GracLog.get_logger().info('clipboard uris blocked')
except:
GracLog.get_logger().error(grac_format_exc())
def synchronize_json_rule_and_device(self):
"""
json rule의 모드와 장치의 모드가 다를 경우 동기화
"""
self.rescan_pci()
json_rules = self.data_center.get_json_rules()
for k, v in json_rules.items():
try:
media_name = k
media_type = None
for sm in GracSynchronizer.supported_media:
if media_name == sm[0]:
media_type = sm[1]
break
else:
continue
if media_type == MC_TYPE_NOSYNC:
continue
state = v
if isinstance(state, dict):
state = state[JSON_RULE_STATE]
if media_type != MC_TYPE_ALLOWSYNC and state == JSON_RULE_ALLOW:
if media_type == MC_TYPE_BCONFIG:
GracSynchronizer.recover_bConfigurationValue(
media_name)
continue
self.logger.debug('evaluating sync_{}()'.format(media_name))
eval(
'GracSynchronizer.sync_{}(state, self.data_center)'.format(
media_name))
except:
self.logger.error(grac_format_exc())
def do_task(param, data_center):
"""
do task
"""
logger = GracLog.get_logger()
try:
if data_center.sound_mic_inotify:
wm = data_center.sound_mic_inotify.WM
dev_snd_path = "/dev/snd/"
file_list = os.listdir(dev_snd_path)
for control_file in file_list:
if control_file.find("control") is not -1:
idx = control_file.split("controlC")
wm.add_watch(dev_snd_path + control_file,
pyinotify.IN_ACCESS,
rec=True)
except:
logger.error(grac_format_exc())
return GRAC_OK
def load_json_rules(self):
"""
load user|default rules file
"""
default_json_rules_path = self.conf.get(
'MAIN', 'GRAC_DEFAULT_JSON_RULES_PATH')
user_json_rules_path = self.conf.get('MAIN',
'GRAC_USER_JSON_RULES_PATH')
json_rules_path = None
if os.path.exists(user_json_rules_path):
json_rules_path = user_json_rules_path
try:
verify_rule(json_rules_path)
m = 'The signature verification of the policy file was successful'
self.logger.info('{}: {}'.format(json_rules_path, m))
red_alert2(m,
'',
JLEVEL_DEFAULT_SHOW,
GRMCODE_SIGNATURE_SUCCESS,
self,
flag=RED_ALERT_JOURNALONLY)
except:
json_rules_path = default_json_rules_path
self.logger.error(grac_format_exc())
m = 'The signature verification of the policy file failed'
self.logger.info('{}: {}: opening default'.format(
json_rules_path, m))
red_alert2(m, '서명 검증 실패', JLEVEL_DEFAULT_NOTI,
GRMCODE_SIGNATURE_FAIL, self)
else:
json_rules_path = default_json_rules_path
with open(json_rules_path) as f:
json_rules = json.loads(f.read().strip('\n'))
return json_rules
def do_task(param, data_center):
"""
do task
"""
logger = GracLog.get_logger()
try:
mode = param[0]
authorized_path = search_file_reversely('/sys/' + param[1],
'authorized',
REVERSE_LOOKUP_LIMIT)
with open(authorized_path, 'w') as f:
f.write('0')
logger.info('mode has changed to {}'.format(mode))
logmsg, notimsg, grmcode = \
make_media_msg(JSON_RULE_PRINTER, mode)
red_alert2(logmsg, notimsg, JLEVEL_DEFAULT_NOTI, grmcode,
data_center)
logger.debug('***** PRINTER MODULE disallow {}'.format(param[1]))
except:
e = grac_format_exc()
logger.error(e)
return GRAC_OK
def do_task(param, data_center):
"""
do task
"""
logger = GracLog.get_logger()
if not bluetooth_exists():
logger.error('bluetooth controller not found')
return GRAC_OK
try:
mode = param[0]
unique = param[1].strip() if param[1] else param[1]
name = param[2].strip() if param[2] else param[2]
mac = ''
if unique:
mac = unique
elif name:
name = name.upper()
delim_cnt = 0
num_cnt = 0
for n in name:
if n == '.' or n == ':':
delim_cnt += 1
continue
if ord(n) >= ord('0') and ord(n) <= ord('9'):
num_cnt += 1
continue
if ord(n) >= ord('A') and ord(n) <= ord('F'):
num_cnt += 1
continue
break
else:
if (delim_cnt == 0 or delim_cnt == 5) and num_cnt == 12:
mac = name
if not mac:
raise Exception('!! bluetooth mac not found')
mac = mac.replace('.', ':').strip('\n').upper()
for m in data_center.get_bluetooth_whitelist():
if m.upper() == mac:
logger.info('mac({}) is in whitelist'.format(mac))
return GRAC_OK
p1 = subprocess.Popen(
['echo', '-e', 'disconnect {}\nquit'.format(mac)],
stdout=subprocess.PIPE)
p2 = subprocess.Popen(['bluetoothctl'],
stdin=p1.stdout,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
p1.stdout.close()
logger.info(p2.communicate()[0].decode('utf8'))
logmsg, notimsg, grmcode = \
make_media_msg(JSON_RULE_BLUETOOTH, mode)
red_alert2(logmsg, notimsg, JLEVEL_DEFAULT_NOTI, grmcode, data_center)
write_event_log(SOMANSA,
datetime.datetime.now().strftime('%Y%m%d %H:%M:%S'),
JSON_RULE_BLUETOOTH, SOMANSA_STATE_DISALLOW, 'null',
'null', 'null', 'null')
except:
e = grac_format_exc()
logger.error(e)
return GRAC_OK
def reload(self):
"""
reload
"""
try:
json_rules = self.data_center.get_json_rules()
network_json = json_rules[JSON_RULE_NETWORK]
#ADDING VERSION PROCESS
server_version = '1.0'
if isinstance(network_json, str):
policy_state = network_json
else:
policy_state = network_json[JSON_RULE_NETWORK_STATE]
if 'version' in network_json:
server_version = network_json[JSON_RULE_NETWORK_VERSION]
if server_version.startswith('2.'):
self.now_v2_x(policy_state, network_json)
return
#flush
self.flush_chain()
self.flush_chain()
#policy to accept
self.set_chain_policy(JSON_RULE_NETWORK_ACCEPT)
#rules
if isinstance(network_json, str) \
or not JSON_RULE_NETWORK_RULES in network_json:
self.set_chain_policy(policy_state)
return
rules_json = network_json[JSON_RULE_NETWORK_RULES]
rules_json.reverse()
for rule_json in rules_json:
ip = rule_json[JSON_RULE_NETWORK_IPADDRESS]
if ip:
ip = ip.strip()
direction_org = rule_json[JSON_RULE_NETWORK_DIRECTION].lower()
rule_state = rule_json[JSON_RULE_NETWORK_STATE].lower()
directions = None
if direction_org == JSON_RULE_NETWORK_ALLBOUND:
directions = (JSON_RULE_NETWORK_INBOUND,
JSON_RULE_NETWORK_OUTBOUND)
else:
directions = (direction_org, None)
for direction in directions:
if not direction:
continue
#SERVER VERSION 1.0
if server_version.startswith('1.0'):
if JSON_RULE_NETWORK_PORTS in rule_json:
ports_json = rule_json[JSON_RULE_NETWORK_PORTS]
else:
ports_json = []
#no ports
if len(ports_json) == 0:
rule = self.create_rule(rule_state, ip)
self.insert_rule(rule, direction, ip, None)
continue
#ports
for port_json in ports_json:
rule = self.create_rule(rule_state, ip)
protocol = port_json[JSON_RULE_NETWORK_PROTOCOL]
rule.protocol = protocol
if protocol != 'icmp':
src_ports = self.ranged_ports_to_string(
port_json[JSON_RULE_NETWORK_SRC_PORT])
dst_ports = self.ranged_ports_to_string(
port_json[JSON_RULE_NETWORK_DST_PORT])
if src_ports and len(src_ports) > 0 and src_ports[0]:
self.logger.debug('src ports={}'.format(src_ports))
sp_match = iptc.Match(rule, 'multiport')
sp_match.sports = src_ports
rule.add_match(sp_match)
if dst_ports and len(dst_ports) > 0 and dst_ports[0]:
self.logger.debug('dst prots={}'.format(dst_ports))
dp_match = iptc.Match(rule, 'multiport')
dp_match.dports = dst_ports
rule.add_match(dp_match)
self.insert_rule(rule, direction, ip, protocol)
#SERVER VERSION NOT 1.0
else:
protocol = rule_json[JSON_RULE_NETWORK_PROTOCOL].lower()
#ICMP HERE
if protocol == 'icmp':
rule = self.create_rule(rule_state, ip)
rule.protocol = protocol
self.insert_rule(rule, direction, ip, protocol)
continue
elif not protocol:
rule = self.create_rule(rule_state, ip)
self.insert_rule(rule, direction, ip, None)
continue
src_ports = rule_json[JSON_RULE_NETWORK_SRC_PORTS]
dst_ports = rule_json[JSON_RULE_NETWORK_DST_PORTS]
#no ports
if not src_ports and not dst_ports:
rule = self.create_rule(rule_state, ip)
rule.protocol = protocol
self.insert_rule(rule, direction, ip, None)
continue
#ports
rule = self.create_rule(rule_state, ip)
rule.protocol = protocol
if src_ports:
src_ports = \
self.ranged_ports_to_string(src_ports.split(','))
sp_match = iptc.Match(rule, 'multiport')
sp_match.sports = src_ports
rule.add_match(sp_match)
if dst_ports:
dst_ports = \
self.ranged_ports_to_string(dst_ports.split(','))
sp_match = iptc.Match(rule, 'multiport')
sp_match.dports = dst_ports
rule.add_match(sp_match)
self.insert_rule(rule, direction, ip, protocol)
self.set_chain_policy(policy_state)
except:
self.logger.error(grac_format_exc())
def now_v2_x(self, policy_state, network_json):
"""
processing more than v2.x with raw input
"""
if not isinstance(network_json, str) and JSON_RULE_NETWORK_RULES in network_json:
rules = network_json[JSON_RULE_NETWORK_RULES]
rules = [(int(rule['seq']), 'MENUAL', rule) for rule in rules]
else:
rules = []
if not isinstance(network_json, str) and JSON_RULE_NETWORK_RULES_RAW in network_json:
rules_law = network_json[JSON_RULE_NETWORK_RULES_RAW]
rules_law = [(int(rule_law['seq']), 'RAW', rule_law) for rule_law in rules_law]
else:
rules_law = []
rules_all = sorted(rules+rules_law, key=lambda i:i[0])
with open(GRAC_IPTABLES_SV_PATH, 'w') as f:
f.write('/usr/sbin/iptables-legacy -F\n')
f.write('/usr/sbin/iptables-legacy -P INPUT {}\n'.format(policy_state.upper()))
f.write('/usr/sbin/iptables-legacy -P OUTPUT {}\n'.format(policy_state.upper()))
f.write('/usr/sbin/iptables-legacy -P FORWARD {}\n'.format(policy_state.upper()))
for rule in rules_all:
try:
if rule[1] == 'MENUAL':
l = rule[2]
direction = l['direction']
protocol = l['protocol']
ipaddress = l['ipaddress']
src_ports = l['src_ports']
dst_ports = l['dst_ports']
state = l['state']
if direction.lower() == 'all':
directions = ('INPUT', 'OUTPUT')
else:
directions = (direction.upper(),)
for di in directions:
s = ''
s += '-A {}'.format(di)
s += ' -p {}'.format(protocol)
if ipaddress:
if di == 'INPUT':
s += ' -s {}'.format(ipaddress)
else:
s += ' -d {}'.format(ipaddress)
if src_ports and protocol != 'icmp':
if protocol.lower() != 'icmp':
s += ' -m multiport'
s += ' --sports {}'.format(src_ports)
if dst_ports and protocol != 'icmp':
if protocol.lower() != 'icmp':
s += ' -m multiport'
s += ' --dports {}'.format(dst_ports)
s += ' -j {}'.format(state.upper())
f.write('/usr/sbin/iptables-legacy ' +s+'\n')
else:
f.write('/usr/sbin/iptables-legacy ' + rule[2]['cmd']+'\n')
except:
self.logger.error(grac_format_exc())
p0 = subprocess.Popen(
['/bin/bash', GRAC_IPTABLES_SV_PATH],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
pp_out, pp_err = p0.communicate()
if pp_err:
self.logger.error(pp_err.decode('utf8'))
def do_task(param, data_center):
"""
do task
"""
logger = GracLog.get_logger()
try:
mode = param[0]
serial = param[2].strip() if param[2] else ''
#whitelist
if serial: #param[2]:
#serial = param[2].strip('\n')
for s in data_center.get_usb_memory_whitelist():
if s == serial:
logger.info('serial({}) is in whitelist'.format(serial))
#usb whitelist register signal
signal_msg = ['except', '103', 'already in whitelist']
data_center.GRAC.media_usb_info(','.join(signal_msg))
return GRAC_OK
#usb whitelist register signal
product = param[3].strip() if param[3] else ''
vendor = param[4].strip() if param[4] else ''
model = param[5].strip() if param[5] else ''
user_id, _ = catch_user_id()
if not user_id or user_id[0] == '-':
signal_msg = ['except', '101', 'not login']
if user_id[0] == '+':
signal_msg = ['except', '102', 'local user not supported']
else:
signal_msg = [
'normal', user_id, serial, '', product, '', vendor, model
]
data_center.GRAC.media_usb_info(','.join(signal_msg))
else:
signal_msg = ['except', '104', 'serial not found']
data_center.GRAC.media_usb_info(','.join(signal_msg))
if mode == JSON_RULE_DISALLOW:
devpath = param[1]
authorized_path = search_file_reversely('/sys/' + devpath,
'authorized',
REVERSE_LOOKUP_LIMIT)
with open(authorized_path, 'w') as f:
f.write('0')
logger.info('mode has changed to {}'.format(mode))
logmsg, notimsg, grmcode = \
make_media_msg(JSON_RULE_USB_MEMORY, mode)
red_alert2(logmsg, notimsg, JLEVEL_DEFAULT_NOTI, grmcode,
data_center)
write_event_log(
SOMANSA,
datetime.datetime.now().strftime('%Y%m%d %H:%M:%S'),
JSON_RULE_USB_MEMORY, SOMANSA_STATE_DISALLOW, 'null',
'null', 'null', 'null')
logger.debug('***** USB MODULE disallow {}'.format(param[1]))
elif mode == JSON_RULE_READONLY:
devnode = '/dev/' + param[1]
thr = threading.Thread(target=remount_thread,
args=(devnode, mode, data_center))
thr.daemon = True
thr.start()
logger.info('{} mode is changing to {}'.format(devnode, mode))
logger.debug('***** USB MODULE read_only {}'.format(param[1]))
except:
e = grac_format_exc()
GracLog.get_logger().error(e)
logger.error(e)
return GRAC_OK
