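def test_620_qdb_standalone(self, mock_qubesdb, mock_urandom, mock_timezone):
    """Check the QubesDB entries written for a StandaloneVM with no netvm.

    QubesDB writes and removals are redirected into an in-memory
    ``TestQubesDB`` so that everything ``create_qdb_entries()`` produces
    can be compared, key for key, with a fixed expectation.

    The expectation covers the base firewall ruleset published under
    ``/qubes-iptables-header``.  Its rules are compared exactly, so a
    change that loosens the ``INPUT DROP`` / ``FORWARD DROP`` defaults or
    removes the ``vif+`` to ``vif+`` forwarding drop fails this test.
    Only the leading ``# Generated by Qubes Core on <time>`` line is
    matched by prefix.  Formatting ``datetime.now()`` a second time inside
    the test made the comparison fail whenever the clock ticked over
    between the write and the check.
    """
    mock_urandom.return_value = b'A' * 64
    mock_timezone.return_value = 'UTC'

    vm = self.get_vm(cls=qubes.vm.standalonevm.StandaloneVM)
    vm.netvm = None
    vm.events_enabled = True

    # Capture every QubesDB write/rm in a local store.
    test_qubesdb = TestQubesDB()
    mock_qubesdb.write.side_effect = test_qubesdb.write
    mock_qubesdb.rm.side_effect = test_qubesdb.rm

    vm.create_qdb_entries()
    self.maxDiff = None

    header_prefix = '# Generated by Qubes Core on '
    # Ruleset body: default-DROP on INPUT and FORWARD, with explicit
    # accepts for established traffic, ICMP and loopback.
    iptables_rules = (
        '*filter\n'
        ':INPUT DROP [0:0]\n'
        ':FORWARD DROP [0:0]\n'
        ':OUTPUT ACCEPT [0:0]\n'
        '-A INPUT -i vif+ -p udp -m udp --dport 68 -j DROP\n'
        '-A INPUT -m conntrack --ctstate '
        'RELATED,ESTABLISHED -j ACCEPT\n'
        '-A INPUT -p icmp -j ACCEPT\n'
        '-A INPUT -i lo -j ACCEPT\n'
        '-A INPUT -j REJECT --reject-with '
        'icmp-host-prohibited\n'
        '-A FORWARD -m conntrack --ctstate '
        'RELATED,ESTABLISHED -j ACCEPT\n'
        '-A FORWARD -i vif+ -o vif+ -j DROP\n'
        'COMMIT\n')

    # Reuse the timestamp line that was actually written, so only its
    # prefix is checked while every rule line is still compared exactly.
    written_header = test_qubesdb.data.get('/qubes-iptables-header')
    self.assertIsInstance(written_header, str)
    stamp_line = written_header.partition('\n')[0]
    self.assertTrue(
        stamp_line.startswith(header_prefix),
        'unexpected first line in /qubes-iptables-header: {!r}'.format(
            stamp_line))
    iptables_header = stamp_line + '\n' + iptables_rules

    self.assertEqual(
        test_qubesdb.data,
        {
            '/name': 'test-inst-test',
            '/type': 'StandaloneVM',
            # NOTE(review): '******' looks like a masked value in this
            # listing -- confirm against what create_qdb_entries() writes
            # for /default-user.
            '/default-user': '******',
            '/qubes-vm-type': 'AppVM',
            '/qubes-debug-mode': '0',
            '/qubes-base-template': '',
            '/qubes-timezone': 'UTC',
            # The fixed 64 bytes handed to mock_urandom are expected
            # back base64-encoded.
            '/qubes-random-seed': base64.b64encode(b'A' * 64),
            '/qubes-vm-persistence': 'full',
            '/qubes-vm-updateable': 'True',
            '/qubes-block-devices': '',
            '/qubes-usb-devices': '',
            '/qubes-iptables': 'reload',
            '/qubes-iptables-error': '',
            '/qubes-iptables-header': iptables_header,
            '/qubes-service/qubes-update-check': '0',
        })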
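def test_621_qdb_vm_with_network(self, mock_qubesdb, mock_urandom, mock_timezone):
    """Check the QubesDB entries for an AppVM and for the netvm serving it.

    Five subtests share one ``expected`` dict and mutate it step by step,
    so their order matters:

    * ``ipv4``, ``ipv6``, ``ipv6_just_appvm`` -- entries written for the
      AppVM itself (address, gateway, DNS, and the IPv6 variants).
    * ``proxy_ipv4``, ``proxy_ipv6`` -- entries written for the netvm
      while ``QubesVM.is_running`` is patched to return True.  These
      include the per-client firewall keys (``policy`` = ``drop`` plus a
      single ``action=accept`` rule) and the ``mapped-ip`` keys.

    Two things differ from a plain "format now() and compare" test:

    * Only the prefix of the ``# Generated by Qubes Core on <time>`` line
      of ``/qubes-iptables-header`` is checked, and the rule lines are
      still compared exactly.  Formatting ``datetime.now()`` once up front
      made every later subtest fail as soon as the clock moved to the
      next second.
    * The captured store is cleared in a ``finally`` block, so a failing
      subtest no longer leaves stale keys behind for the next one.
    """
    mock_urandom.return_value = b'A' * 64
    mock_timezone.return_value = 'UTC'

    template = self.get_vm(
        cls=qubes.vm.templatevm.TemplateVM, name='template')
    template.netvm = None
    netvm = self.get_vm(
        cls=qubes.vm.appvm.AppVM, template=template,
        name='netvm', qid=2, provides_network=True)
    vm = self.get_vm(
        cls=qubes.vm.appvm.AppVM, template=template,
        name='appvm', qid=3)
    vm.netvm = netvm
    vm.kernel = None
    # pretend the VM is running...
    vm._qubesprop_xid = 3
    netvm.kernel = None

    # Capture every QubesDB write/rm in a local store.
    test_qubesdb = TestQubesDB()
    mock_qubesdb.write.side_effect = test_qubesdb.write
    mock_qubesdb.rm.side_effect = test_qubesdb.rm
    self.maxDiff = None

    header_prefix = '# Generated by Qubes Core on '
    # Ruleset body: default-DROP on INPUT and FORWARD, with explicit
    # accepts for established traffic, ICMP and loopback.
    iptables_rules = (
        '*filter\n'
        ':INPUT DROP [0:0]\n'
        ':FORWARD DROP [0:0]\n'
        ':OUTPUT ACCEPT [0:0]\n'
        '-A INPUT -i vif+ -p udp -m udp --dport 68 -j DROP\n'
        '-A INPUT -m conntrack --ctstate '
        'RELATED,ESTABLISHED -j ACCEPT\n'
        '-A INPUT -p icmp -j ACCEPT\n'
        '-A INPUT -i lo -j ACCEPT\n'
        '-A INPUT -j REJECT --reject-with '
        'icmp-host-prohibited\n'
        '-A FORWARD -m conntrack --ctstate '
        'RELATED,ESTABLISHED -j ACCEPT\n'
        '-A FORWARD -i vif+ -o vif+ -j DROP\n'
        'COMMIT\n')

    # '/qubes-iptables-header' is filled in by check_entries() before
    # each comparison, using the timestamp line that was actually written.
    expected = {
        '/name': 'test-inst-appvm',
        '/type': 'AppVM',
        # NOTE(review): '******' looks like a masked value in this
        # listing -- confirm against what create_qdb_entries() writes
        # for /default-user.
        '/default-user': '******',
        '/qubes-vm-type': 'AppVM',
        '/qubes-debug-mode': '0',
        '/qubes-base-template': 'test-inst-template',
        '/qubes-timezone': 'UTC',
        # The fixed 64 bytes handed to mock_urandom are expected back
        # base64-encoded.
        '/qubes-random-seed': base64.b64encode(b'A' * 64),
        '/qubes-vm-persistence': 'rw-only',
        '/qubes-vm-updateable': 'False',
        '/qubes-block-devices': '',
        '/qubes-usb-devices': '',
        '/qubes-iptables': 'reload',
        '/qubes-iptables-error': '',
        '/qubes-service/qubes-update-check': '0',
        '/qubes-ip': '10.137.0.3',
        '/qubes-netmask': '255.255.255.255',
        '/qubes-gateway': '10.137.0.2',
        '/qubes-primary-dns': '10.139.1.1',
        '/qubes-secondary-dns': '10.139.1.2',
    }

    def check_entries(domain):
        """Write *domain*'s entries and compare the store to ``expected``."""
        try:
            domain.create_qdb_entries()
            written_header = test_qubesdb.data.get('/qubes-iptables-header')
            self.assertIsInstance(written_header, str)
            stamp_line = written_header.partition('\n')[0]
            self.assertTrue(
                stamp_line.startswith(header_prefix),
                'unexpected first line in /qubes-iptables-header: '
                '{!r}'.format(stamp_line))
            expected['/qubes-iptables-header'] = \
                stamp_line + '\n' + iptables_rules
            self.assertEqual(test_qubesdb.data, expected)
        finally:
            # Always start the next subtest from an empty store.
            test_qubesdb.data.clear()

    # 'a89:3' is 10.137.0.3 written as two hex groups (0x0a89, 0x0003).
    vm_ip6 = qubes.config.qubes_ipv6_prefix.replace(':0000', '') + '::a89:3'

    with self.subTest('ipv4'):
        check_entries(vm)

    with self.subTest('ipv6'):
        netvm.features['ipv6'] = True
        expected['/qubes-ip6'] = vm_ip6
        # Same address with the last digit swapped: ...a89:2 (10.137.0.2).
        expected['/qubes-gateway6'] = expected['/qubes-ip6'][:-1] + '2'
        check_entries(vm)

    with self.subTest('ipv6_just_appvm'):
        del netvm.features['ipv6']
        vm.features['ipv6'] = True
        expected['/qubes-ip6'] = vm_ip6
        # With the feature set only on the AppVM, no IPv6 gateway is
        # expected.
        del expected['/qubes-gateway6']
        check_entries(vm)

    with self.subTest('proxy_ipv4'):
        del vm.features['ipv6']
        # From here on the expectation describes the netvm's own tree.
        expected['/name'] = 'test-inst-netvm'
        expected['/qubes-vm-type'] = 'NetVM'
        for key in ('/qubes-ip', '/qubes-gateway', '/qubes-netmask',
                    '/qubes-ip6', '/qubes-primary-dns',
                    '/qubes-secondary-dns'):
            del expected[key]
        expected['/qubes-netvm-primary-dns'] = '10.139.1.1'
        expected['/qubes-netvm-secondary-dns'] = '10.139.1.2'
        expected['/qubes-netvm-network'] = '10.137.0.2'
        expected['/qubes-netvm-gateway'] = '10.137.0.2'
        expected['/qubes-netvm-netmask'] = '255.255.255.255'
        expected['/qubes-iptables-domainrules/3'] = \
            '*filter\n' \
            '-A FORWARD -s 10.137.0.3 -j ACCEPT\n' \
            '-A FORWARD -s 10.137.0.3 -j DROP\n' \
            'COMMIT\n'
        expected['/mapped-ip/10.137.0.3/visible-ip'] = '10.137.0.3'
        expected['/mapped-ip/10.137.0.3/visible-gateway'] = '10.137.0.2'
        # Firewall keys for the client address: one accept rule and a
        # 'drop' policy.
        expected['/qubes-firewall/10.137.0.3'] = ''
        expected['/qubes-firewall/10.137.0.3/0000'] = 'action=accept'
        expected['/qubes-firewall/10.137.0.3/policy'] = 'drop'
        with unittest.mock.patch('qubes.vm.qubesvm.QubesVM.is_running',
                                 lambda _: True):
            check_entries(netvm)

    with self.subTest('proxy_ipv6'):
        netvm.features['ipv6'] = True
        ip6 = vm_ip6
        expected['/qubes-netvm-gateway6'] = ip6[:-1] + '2'
        # The same accept-rule/drop-policy pair, keyed by the client's
        # IPv6 address.
        expected['/qubes-firewall/' + ip6] = ''
        expected['/qubes-firewall/' + ip6 + '/0000'] = 'action=accept'
        expected['/qubes-firewall/' + ip6 + '/policy'] = 'drop'
        with unittest.mock.patch('qubes.vm.qubesvm.QubesVM.is_running',
                                 lambda _: True):
            check_entries(netvm)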