예제 #1
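class FirewallPolicies:
    """Lockdown state of the firewall plus the whitelist used for access checks.

    The lockdown flag and the whitelist are kept independent: access_check()
    only consults the whitelist and never reads the flag, so the caller
    decides (via query_lockdown()) whether an access check applies at all.
    """

    def __init__(self, fw):
        # fw: the owning firewall object; stored but not used by this class.
        self._fw = fw
        self.__init_vars()

    def __init_vars(self):
        # Fresh state: lockdown off, whitelist built from LOCKDOWN_WHITELIST.
        self._lockdown = False
        self.lockdown_whitelist = LockdownWhitelist(LOCKDOWN_WHITELIST)

    def cleanup(self):
        """Reset to the initial state: lockdown off, whitelist re-created."""
        self.__init_vars()

    # lockdown

    # key -> (debug message for the request, name of the whitelist matcher)
    _ACCESS_CHECKS = {
        "context": ('Doing access check for context "%s"', "match_context"),
        "uid": ('Doing access check for uid %d', "match_uid"),
        "user": ('Doing access check for user "%s"', "match_user"),
        "command": ('Doing access check for command "%s"', "match_command"),
    }

    def access_check(self, key, value):
        """Return True if *value* is whitelisted for *key*, else False.

        key: one of "context", "uid", "user" or "command"; any other key
             returns False without consulting the whitelist (fail closed).
        value: the item to match.  For "uid" it must be an int: the debug
               message formats it with %d, so a non-int raises TypeError
               before the whitelist is consulted.
        """
        check = self._ACCESS_CHECKS.get(key)
        if check is None:
            return False
        message, matcher_name = check
        log.debug2(message % value)
        if getattr(self.lockdown_whitelist, matcher_name)(value):
            log.debug3('%s matches.' % key)
            return True
        return False

    def enable_lockdown(self):
        """Turn lockdown on; raises FirewallError(ALREADY_ENABLED) if it is on."""
        if self._lockdown:
            raise FirewallError(ALREADY_ENABLED)
        self._lockdown = True

    def disable_lockdown(self):
        """Turn lockdown off; raises FirewallError(NOT_ENABLED) if it is off."""
        if not self._lockdown:
            raise FirewallError(NOT_ENABLED)
        self._lockdown = False

    def query_lockdown(self):
        """Return whether lockdown is currently enabled."""
        # _lockdown is only ever assigned a bool, so no `== True` is needed.
        return self._lockdown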
예제 #2
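class FirewallPolicies:
    """Lockdown state of the firewall plus the whitelist used for access checks.

    The lockdown flag and the whitelist are kept independent: access_check()
    only consults the whitelist and never reads the flag, so the caller
    decides (via query_lockdown()) whether an access check applies at all.
    """

    def __init__(self, fw):
        # fw: the owning firewall object; stored but not used by this class.
        self._fw = fw
        self.__init_vars()

    def __init_vars(self):
        # Fresh state: lockdown off, whitelist built from LOCKDOWN_WHITELIST.
        self._lockdown = False
        self.lockdown_whitelist = LockdownWhitelist(LOCKDOWN_WHITELIST)

    def cleanup(self):
        """Reset to the initial state: lockdown off, whitelist re-created."""
        self.__init_vars()

    # lockdown

    # key -> (debug message for the request, name of the whitelist matcher)
    _ACCESS_CHECKS = {
        "context": ('Doing access check for context "%s"', "match_context"),
        "uid": ('Doing access check for uid %d', "match_uid"),
        "user": ('Doing access check for user "%s"', "match_user"),
        "command": ('Doing access check for command "%s"', "match_command"),
    }

    def access_check(self, key, value):
        """Return True if *value* is whitelisted for *key*, else False.

        key: one of "context", "uid", "user" or "command"; any other key
             returns False without consulting the whitelist (fail closed).
        value: the item to match.  For "uid" it must be an int: the debug
               message formats it with %d, so a non-int raises TypeError
               before the whitelist is consulted.
        """
        check = self._ACCESS_CHECKS.get(key)
        if check is None:
            return False
        message, matcher_name = check
        log.debug2(message % value)
        if getattr(self.lockdown_whitelist, matcher_name)(value):
            log.debug3('%s matches.' % key)
            return True
        return False

    def enable_lockdown(self):
        """Turn lockdown on; raises FirewallError(ALREADY_ENABLED) if it is on."""
        if self._lockdown:
            raise FirewallError(ALREADY_ENABLED)
        self._lockdown = True

    def disable_lockdown(self):
        """Turn lockdown off; raises FirewallError(NOT_ENABLED) if it is off."""
        if not self._lockdown:
            raise FirewallError(NOT_ENABLED)
        self._lockdown = False

    def query_lockdown(self):
        """Return whether lockdown is currently enabled."""
        # _lockdown is only ever assigned a bool, so no `== True` is needed.
        return self._lockdown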
예제 #3
class FirewallPolicies(object):
    """Holds the lockdown flag and the whitelist consulted by access_check().

    The flag and the whitelist are independent: access_check() never reads
    the flag, so a caller uses query_lockdown() to decide whether a check
    is required at all.
    """

    def __init__(self):
        # Lockdown starts disabled; the whitelist is built from the
        # configured whitelist file path.
        self._lockdown = False
        self.lockdown_whitelist = LockdownWhitelist(config.LOCKDOWN_WHITELIST)

    def __repr__(self):
        return "{0}({1!r}, {2!r})".format(
            self.__class__, self._lockdown, self.lockdown_whitelist)

    def cleanup(self):
        """Disable lockdown and let the whitelist drop its loaded content."""
        self._lockdown = False
        self.lockdown_whitelist.cleanup()

    # lockdown

    def access_check(self, key, value):
        """Return True when *value* is whitelisted under *key*, else False.

        Recognised keys are "context", "uid", "user" and "command"; any
        other key yields False without touching the whitelist.  The "uid"
        debug message uses %d, so a non-int uid raises TypeError.
        """
        # key -> (whitelist matcher name, debug message for the request)
        checks = {
            "context": ("match_context", 'Doing access check for context "%s"'),
            "uid": ("match_uid", 'Doing access check for uid %d'),
            "user": ("match_user", 'Doing access check for user "%s"'),
            "command": ("match_command", 'Doing access check for command "%s"'),
        }
        if key not in checks:
            return False
        matcher_name, message = checks[key]
        log.debug2(message % value)
        matcher = getattr(self.lockdown_whitelist, matcher_name)
        if not matcher(value):
            return False
        log.debug3('%s matches.' % key)
        return True

    def enable_lockdown(self):
        """Switch lockdown on; FirewallError(ALREADY_ENABLED) if already on."""
        if self._lockdown:
            raise FirewallError(errors.ALREADY_ENABLED, "enable_lockdown()")
        self._lockdown = True

    def disable_lockdown(self):
        """Switch lockdown off; FirewallError(NOT_ENABLED) if already off."""
        if not self._lockdown:
            raise FirewallError(errors.NOT_ENABLED, "disable_lockdown()")
        self._lockdown = False

    def query_lockdown(self):
        """Report whether lockdown is enabled."""
        return self._lockdown
예제 #4
class FirewallPolicies(object):
    """Holds the lockdown flag and the whitelist consulted by access_check().

    The flag and the whitelist are independent: access_check() never reads
    the flag, so a caller uses query_lockdown() to decide whether a check
    is required at all.
    """

    def __init__(self):
        # Lockdown starts disabled; the whitelist is built from the
        # configured whitelist file path.
        self._lockdown = False
        self.lockdown_whitelist = LockdownWhitelist(config.LOCKDOWN_WHITELIST)

    def __repr__(self):
        return "{0}({1!r}, {2!r})".format(
            self.__class__, self._lockdown, self.lockdown_whitelist)

    def cleanup(self):
        """Disable lockdown and let the whitelist drop its loaded content."""
        self._lockdown = False
        self.lockdown_whitelist.cleanup()

    # lockdown

    def access_check(self, key, value):
        """Return True when *value* is whitelisted under *key*, else False.

        Recognised keys are "context", "uid", "user" and "command"; any
        other key yields False without touching the whitelist.  The "uid"
        debug message uses %d, so a non-int uid raises TypeError.
        """
        # key -> (whitelist matcher name, debug message for the request)
        checks = {
            "context": ("match_context", 'Doing access check for context "%s"'),
            "uid": ("match_uid", 'Doing access check for uid %d'),
            "user": ("match_user", 'Doing access check for user "%s"'),
            "command": ("match_command", 'Doing access check for command "%s"'),
        }
        if key not in checks:
            return False
        matcher_name, message = checks[key]
        log.debug2(message % value)
        matcher = getattr(self.lockdown_whitelist, matcher_name)
        if not matcher(value):
            return False
        log.debug3('%s matches.' % key)
        return True

    def enable_lockdown(self):
        """Switch lockdown on; FirewallError(ALREADY_ENABLED) if already on."""
        if self._lockdown:
            raise FirewallError(errors.ALREADY_ENABLED, "enable_lockdown()")
        self._lockdown = True

    def disable_lockdown(self):
        """Switch lockdown off; FirewallError(NOT_ENABLED) if already off."""
        if not self._lockdown:
            raise FirewallError(errors.NOT_ENABLED, "disable_lockdown()")
        self._lockdown = False

    def query_lockdown(self):
        """Report whether lockdown is enabled."""
        return self._lockdown
예제 #5
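def _check_config_file(path, make_obj, check=True):
    """Read one stand-alone configuration file and optionally validate it.

    path: file to read; the call is a no-op when the file does not exist.
    make_obj: callable taking *path* and returning an object with read()
              and, when *check* is set, export_config()/check_config().
    check: whether to run obj.check_config(obj.export_config()) after
           reading.

    A FirewallError is re-raised with its code kept and the file name
    prepended to the message; any other exception is re-raised as a plain
    Exception naming the file (the original exception type is lost).
    """
    if not os.path.isfile(path):
        return
    try:
        obj = make_obj(path)
        obj.read()
        if check:
            obj.check_config(obj.export_config())
    except FirewallError as error:
        raise FirewallError(error.code, "'%s': %s" % (path, error.msg))
    except Exception as msg:
        raise Exception("'%s': %s" % (path, msg))


def check_config(fw):
    """Parse and validate every firewalld configuration file found on disk.

    fw: the firewall instance handed to FirewallConfig; parsed ipset,
        helper, icmptype, service, zone and policy objects are added to
        that FirewallConfig as they pass their checks.

    For each object type the two directories config.FIREWALLD_<TYPE> and
    config.ETC_FIREWALLD_<TYPE> are scanned (missing directories are
    skipped) and every file ending in ".xml", in sorted order, is parsed,
    checked and added.  Afterwards the direct-rules file and the lockdown
    whitelist are read and checked, and firewalld.conf is read.

    Raises FirewallError (original code, message prefixed with the file
    name) or Exception (file name plus the original message) at the first
    problem.  Returns nothing.
    """
    fw_config = FirewallConfig(fw)
    readers = {
        "ipset": {
            "reader": ipset_reader,
            "add": fw_config.add_ipset,
            "dirs": [config.FIREWALLD_IPSETS, config.ETC_FIREWALLD_IPSETS],
        },
        "helper": {
            "reader": helper_reader,
            "add": fw_config.add_helper,
            "dirs": [config.FIREWALLD_HELPERS, config.ETC_FIREWALLD_HELPERS],
        },
        "icmptype": {
            "reader": icmptype_reader,
            "add": fw_config.add_icmptype,
            "dirs": [config.FIREWALLD_ICMPTYPES, config.ETC_FIREWALLD_ICMPTYPES],
        },
        "service": {
            "reader": service_reader,
            "add": fw_config.add_service,
            "dirs": [config.FIREWALLD_SERVICES, config.ETC_FIREWALLD_SERVICES],
        },
        "zone": {
            "reader": zone_reader,
            "add": fw_config.add_zone,
            "dirs": [config.FIREWALLD_ZONES, config.ETC_FIREWALLD_ZONES],
        },
        "policy": {
            "reader": policy_reader,
            "add": fw_config.add_policy_object,
            "dirs": [config.FIREWALLD_POLICIES, config.ETC_FIREWALLD_POLICIES],
        },
    }
    for kind, spec in readers.items():
        read_file, add_obj = spec["reader"], spec["add"]
        for directory in spec["dirs"]:
            if not os.path.isdir(directory):
                continue
            for filename in sorted(os.listdir(directory)):
                if not filename.endswith(".xml"):
                    continue
                try:
                    obj = read_file(filename, directory)
                    if kind in ("zone", "policy"):
                        # zones and policies are handed the config collected
                        # so far -- presumably so their references to other
                        # objects can be checked; confirm in those readers
                        obj.fw_config = fw_config
                    obj.check_config(obj.export_config())
                    add_obj(obj)
                except FirewallError as error:
                    raise FirewallError(error.code,
                                        "'%s': %s" % (filename, error.msg))
                except Exception as msg:
                    raise Exception("'%s': %s" % (filename, msg))

    _check_config_file(config.FIREWALLD_DIRECT, Direct)
    _check_config_file(config.LOCKDOWN_WHITELIST, LockdownWhitelist)
    # firewalld.conf is only read here; it gets no export_config()/check_config() pass.
    _check_config_file(config.FIREWALLD_CONF, firewalld_conf, check=False)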
예제 #6
 def __init__(self):
     """Start with lockdown off and a whitelist built from the configured whitelist path."""
     self._lockdown = False
     whitelist = LockdownWhitelist(config.LOCKDOWN_WHITELIST)
     self.lockdown_whitelist = whitelist
예제 #7
 def __init_vars(self):
     """Reset state: lockdown off, whitelist rebuilt from LOCKDOWN_WHITELIST."""
     self._lockdown = False
     whitelist = LockdownWhitelist(LOCKDOWN_WHITELIST)
     self.lockdown_whitelist = whitelist
예제 #8
 def __init_vars(self):
     """Reset state: lockdown off, whitelist rebuilt from LOCKDOWN_WHITELIST."""
     self._lockdown = False
     whitelist = LockdownWhitelist(LOCKDOWN_WHITELIST)
     self.lockdown_whitelist = whitelist
예제 #9
 def __init__(self):
     """Start with lockdown off and a whitelist built from the configured whitelist path."""
     self._lockdown = False
     whitelist = LockdownWhitelist(config.LOCKDOWN_WHITELIST)
     self.lockdown_whitelist = whitelist
예제 #10
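def _check_config_file(path, make_obj, check=True):
    """Read one stand-alone configuration file and optionally validate it.

    path: file to read; the call is a no-op when the file does not exist.
    make_obj: callable taking *path* and returning an object with read()
              and, when *check* is set, export_config()/check_config().
    check: whether to run obj.check_config(obj.export_config()) after
           reading.

    A FirewallError is re-raised with its code kept and the file name
    prepended to the message; any other exception is re-raised as a plain
    Exception naming the file (the original exception type is lost).
    """
    if not os.path.isfile(path):
        return
    try:
        obj = make_obj(path)
        obj.read()
        if check:
            obj.check_config(obj.export_config())
    except FirewallError as error:
        raise FirewallError(error.code, "'%s': %s" % (path, error.msg))
    except Exception as msg:
        raise Exception("'%s': %s" % (path, msg))


def check_config(fw=None):
    """Parse and validate every firewalld configuration file found on disk.

    fw: optional firewall instance.  When given, each zone object is handed
        fw.config as its fw_config before being checked; nothing is added
        to it here.

    For each object type (ipset, helper, icmptype, service, zone) the two
    directories config.FIREWALLD_<TYPE> and config.ETC_FIREWALLD_<TYPE>
    are scanned (missing directories are skipped) and every file ending in
    ".xml", in sorted order, is parsed and checked.  Afterwards the
    direct-rules file and the lockdown whitelist are read and checked, and
    firewalld.conf is read.

    Raises FirewallError (original code, message prefixed with the file
    name) or Exception (file name plus the original message) at the first
    problem.  Returns nothing.
    """
    readers = {
        "ipset":
        (ipset_reader, [config.FIREWALLD_IPSETS, config.ETC_FIREWALLD_IPSETS]),
        "helper": (helper_reader,
                   [config.FIREWALLD_HELPERS, config.ETC_FIREWALLD_HELPERS]),
        "icmptype":
        (icmptype_reader,
         [config.FIREWALLD_ICMPTYPES, config.ETC_FIREWALLD_ICMPTYPES]),
        "service": (service_reader,
                    [config.FIREWALLD_SERVICES,
                     config.ETC_FIREWALLD_SERVICES]),
        "zone":
        (zone_reader, [config.FIREWALLD_ZONES, config.ETC_FIREWALLD_ZONES]),
    }
    for kind, (read_file, directories) in readers.items():
        for directory in directories:
            if not os.path.isdir(directory):
                continue
            for filename in sorted(os.listdir(directory)):
                if not filename.endswith(".xml"):
                    continue
                try:
                    obj = read_file(filename, directory)
                    if fw and kind == "zone":
                        # zones are handed the live config -- presumably so
                        # their references to other objects can be checked;
                        # confirm in the zone reader
                        obj.fw_config = fw.config
                    obj.check_config(obj.export_config())
                except FirewallError as error:
                    raise FirewallError(error.code,
                                        "'%s': %s" % (filename, error.msg))
                except Exception as msg:
                    raise Exception("'%s': %s" % (filename, msg))

    _check_config_file(config.FIREWALLD_DIRECT, Direct)
    _check_config_file(config.LOCKDOWN_WHITELIST, LockdownWhitelist)
    # firewalld.conf is only read here; it gets no export_config()/check_config() pass.
    _check_config_file(config.FIREWALLD_CONF, firewalld_conf, check=False)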