def initialize():
    """Build the initial set of tracked security policies.

    Entries are written to ``storage.policies`` keyed by each policy's
    ``id``: the arkOS management port, uPnP (only when the
    ``general.enable_upnp`` setting is truthy), one entry per ``acme-*``
    site found under nginx's sites-enabled directory, and every item of the
    "custom" policy section.
    """
    logger.debug("TrSv", "Initializing security policy tracking")

    # arkOS management interface, on the TCP port configured for Genesis.
    # NOTE(review): the third argument to policies.get() looks like the
    # fallback level; if so, the management API defaults to 2, which
    # register()'s docstring describes as reachable from all networks —
    # confirm that default is intended.
    level = policies.get("arkos", "arkos", 2)
    genesis_ports = [("tcp", int(config.get("genesis", "port")))]
    entry = SecurityPolicy(
        "arkos", "arkos", "System Management (Genesis/APIs)", "server",
        genesis_ports, level,
    )
    storage.policies[entry.id] = entry

    # uPnP: the policy object is always built, but only tracked when the
    # feature is switched on in the config.
    level = policies.get("arkos", "upnp", 1)
    entry = SecurityPolicy(
        "arkos", "upnp", "uPnP Firewall Comms", "server",
        [("udp", 1900)], level,
    )
    if config.get("general", "enable_upnp"):
        storage.policies[entry.id] = entry

    # SSHd
    # NOTE(review): this entry is constructed but never written to
    # storage.policies, so tcp/22 is not tracked by this function. Confirm
    # whether that is deliberate or a missing assignment.
    level = policies.get("arkos", "sshd", 1)
    entry = SecurityPolicy(
        "arkos", "sshd", "SSH", "server", [("tcp", 22)], level)

    # ACME validation placeholders: one per matching nginx site file. The
    # name is whatever follows the "acme-" prefix in the path, and the level
    # is hard-coded to 2 rather than read from the stored policies.
    for site_path in glob.glob("/etc/nginx/sites-enabled/acme-*"):
        acme_name = site_path.split("/etc/nginx/sites-enabled/acme-")[1]
        entry = SecurityPolicy(
            "acme", acme_name, "{0} (ACME Validation)".format(acme_name),
            "globe", [('tcp', 80)], 2,
        )
        storage.policies[entry.id] = entry

    # User-defined policies are taken from the "custom" section as stored.
    for spec in policies.get_all("custom"):
        entry = SecurityPolicy(
            "custom", spec["id"], spec["name"], spec["icon"],
            spec["ports"], spec["policy"],
        )
        storage.policies[entry.id] = entry
def initialize():
    """Add the arkOS management policy and every custom policy to storage."""
    # Management interface on the TCP port configured for Genesis; 2 is the
    # value handed to policies.get() as its third argument.
    level = policies.get("arkos", "arkos", 2)
    management = SecurityPolicy(
        "arkos",
        "arkos",
        "System Management (Genesis/APIs)",
        "fa fa-desktop",
        [("tcp", int(config.get("genesis", "port")))],
        level,
    )
    storage.policies.add("policies", management)

    # Custom entries are rebuilt field by field from the stored records.
    for spec in policies.get_all("custom"):
        custom = SecurityPolicy(
            "custom", spec["id"], spec["name"], spec["icon"],
            spec["ports"], spec["policy"],
        )
        storage.policies.add("policies", custom)
def register(type, id, name, icon, ports, addr=None, policy=0,
             default_policy=2, fw=True):
    """Replace any tracked policy for (type, id) with a new one and save it.

    :param type: Policy type, also used to look up existing entries
    :param id: Identifier matched against existing entries' ``id``
    :param name: Passed through to ``SecurityPolicy``
    :param icon: Passed through to ``SecurityPolicy``
    :param ports: Passed through to ``SecurityPolicy``
    :param addr: Passed to ``SecurityPolicy`` as its last argument
    :param policy: Policy level; any falsy value triggers a lookup instead
    :param default_policy: Third argument to ``policies.get`` for the lookup
    :param fw: Forwarded to ``SecurityPolicy.save`` (presumably controls
        firewall regeneration — confirm against ``save``)
    """
    # NOTE(review): 0 is both the "not given" default and a falsy value, so
    # a caller passing policy=0 on purpose gets the stored/default level
    # instead. If 0 is the most restrictive level (as the documented variant
    # of this function states), an explicit deny request cannot be expressed
    # through this parameter — confirm callers do not rely on it.
    if not policy:
        policy = policies.get(type, id, default_policy)

    # Drop every already-tracked entry of this type carrying the same id.
    for existing in get(type=type) or ():
        if existing.id == id:
            storage.policies.remove("policies", existing)

    SecurityPolicy(type, id, name, icon, ports, policy, addr).save(fw)
def refresh_policies():
    """Rebuild ``policies.config`` from the tracked services and save it.

    The "custom" section is copied as returned by ``policies.get_all``. For
    every other section, only keys equal to the ``id`` of a tracked service
    of that ``type`` are carried over; everything else is left out of the
    new config.
    """
    tracked = get()
    rebuilt = {}
    for section in policies.get_all():
        if section == "custom":
            rebuilt["custom"] = policies.get_all("custom")
        for svc in tracked:
            if not section == svc.type:
                continue
            # First match for this section creates its bucket.
            rebuilt.setdefault(section, {})
            for key in policies.get_all(section):
                if key == svc.id:
                    rebuilt[section][key] = policies.get(section, key)
    # The stored config is replaced wholesale, then persisted.
    policies.config = rebuilt
    policies.save()
def refresh_policies():
    """Prune the stored policy config down to currently tracked services.

    Builds a fresh mapping, assigns it to ``policies.config`` and calls
    ``policies.save()``. The "custom" section is copied as-is; any other
    section keeps only the keys that match the ``id`` of a tracked service
    whose ``type`` equals the section name.
    """
    # NOTE(review): an entry whose service is not returned by get() at this
    # moment is dropped from the saved config. A later register() for that
    # service would presumably fall back to its default_policy rather than
    # the previously stored level — confirm this is acceptable for services
    # that are only temporarily untracked.
    tracked = get()
    rebuilt = {}
    for kind in policies.get_all():
        if kind == "custom":
            rebuilt["custom"] = policies.get_all("custom")
        for svc in (t for t in tracked if kind == t.type):
            bucket = rebuilt.setdefault(kind, {})
            for key in policies.get_all(kind):
                if key == svc.id:
                    bucket[key] = policies.get(kind, key)
    policies.config = rebuilt
    policies.save()
def register(type, id, name, icon, ports, domain=None, policy=0,
             default_policy=2, fw=True):
    """
    Create a security policy for a service and save it.

    ``ports`` is a list of (protocol, port) tuples, for example:

        ports = [('tcp', 8000), ('udp', 21500)]

    ``policy`` is an integer level:

        0 = Restrict access from all outside hosts. (excludes loopback)
        1 = Restrict access to local networks only.
        2 = Allow access to all networks and ultimately the whole Internet.

    A falsy ``policy`` (including the default 0) is not applied directly:
    the level is looked up via ``policies.get(type, id, default_policy)``
    instead.

    Websites should supply ``domain``, because several sites can share one
    port (SNI) as long as their addresses differ.

    :param str type: Policy type ('website', 'app', etc)
    :param str id: Website or app ID
    :param str name: Display name to use in Security settings pane
    :param str icon: FontAwesome icon class name
    :param list ports: List of port tuples to allow/restrict
    :param str domain: Address (for websites)
    :param int policy: Policy identifier
    :param int default_policy: Application default policy to use on first init
    :param bool fw: Regenerate the firewall after save?
    """
    # NOTE(review): because 0 doubles as the "not given" sentinel, passing
    # policy=0 to request the most restrictive level resolves to the stored
    # level or default_policy (2, all networks, unless overridden). Confirm
    # no caller expects an explicit 0 to be enforced.
    effective = policy or policies.get(type, id, default_policy)
    SecurityPolicy(type, id, name, icon, ports, effective, domain).save(fw)