def runCmd(command, with_stdout = False, with_stderr = False, inputtext = None):
cmd = subprocess.Popen(command, bufsize = 1,
stdin = (inputtext and subprocess.PIPE or None),
stdout = subprocess.PIPE,
stderr = subprocess.PIPE,
shell = isinstance(command, str))
(out, err) = cmd.communicate(inputtext)
rv = cmd.returncode
l = "ran %s; rc %d" % (str(command), rv)
if inputtext:
l += " with input %s" % inputtext
if out != "":
l += "\nSTANDARD OUT:\n" + out
if err != "":
l += "\nSTANDARD ERROR:\n" + err
logger.debug(l)
if with_stdout and with_stderr:
return rv, out, err
elif with_stdout:
return rv, out
elif with_stderr:
return rv, err
return rv
def runCmd(command, with_stdout=False, with_stderr=False, inputtext=None):
cmd = subprocess.Popen(command,
bufsize=1,
stdin=(inputtext and subprocess.PIPE or None),
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
shell=isinstance(command, str))
(out, err) = cmd.communicate(inputtext)
rv = cmd.returncode
l = "ran %s; rc %d" % (str(command), rv)
if inputtext:
l += " with input %s" % inputtext
if out != "":
l += "\nSTANDARD OUT:\n" + out
if err != "":
l += "\nSTANDARD ERROR:\n" + err
for line in l.split('\n'):
logger.debug(line)
if with_stdout and with_stderr:
return rv, out, err
elif with_stdout:
return rv, out
elif with_stderr:
return rv, err
return rv
def inject_to_vifs(args):
log.debug('Entry point: Inject IGMP query per pif')
if args.no_check_snooping_toggle:
vifs = args.vifs
else:
vifs = [vif for vif in args.vifs if igmp_snooping_is_enabled_on_bridge_of_vif(vif)]
injector = IGMPQueryInjector(args.max_resp_time, vifs, args.vif_connected_timeout)
return injector.inject()
def inject_to_vifs(args):
log.debug('Entry point: Inject IGMP query per pif')
if args.no_check_snooping_toggle:
vifs = args.vifs
else:
vifs = [vif for vif in args.vifs if igmp_snooping_is_enabled_on_bridge_of_vif(vif)]
injector = IGMPQueryInjector(args.max_resp_time, vifs, args.vif_connected_timeout)
return injector.inject()
def fileContents(self, fn):
key = 'file:' + fn
if key not in self.cache:
logger.debug("Opening " + fn)
f = open(fn)
self.cache[key] = ''.join(f.readlines())
f.close()
return self.cache[key]
def fileContents(self, fn):
key = 'file:' + fn
if key not in self.cache:
logger.debug("Opening " + fn)
f = open(fn)
self.cache[key] = ''.join(f.readlines())
f.close()
return self.cache[key]
def del_interface(self, interface):
"""remove an interface from this device
:param interface:(UsbInterface) the UsbInterface to remove
:return: None
"""
if interface in self.interfaces:
log.debug("removing interface: " + interface)
self.interfaces.remove(interface)
def openAddress(self, address):
logger.debug("Opening "+address)
self._cleanup()
url = urllib.unquote(address)
self.ftp.voidcmd('TYPE I')
s = self.ftp.transfercmd('RETR ' + url).makefile('rb')
self.cleanup = True
return s
def openAddress(self, address):
logger.debug("Opening " + address)
self._cleanup()
url = urllib.unquote(address)
self.ftp.voidcmd('TYPE I')
s = self.ftp.transfercmd('RETR ' + url).makefile('rb')
self.cleanup = True
return s
def add_interface(self, interface):
""" add an interface to this device
:param interface:(UsbInterface) the UsbInterface to add
:return: None
"""
if interface in self.interfaces:
log.debug("overriding existing interface: " + interface)
self.interfaces.remove(interface)
self.interfaces.add(interface)
def check(self, device):
"""check if a usb device can be passed through
if one of device's interfaces is denied by rule, the device is denied.
Normally, there should be a catch all rule at last line of policy file:
ALLOW: # Otherwise allow everything else
If there isn't, and no matching rule is found, the interface will also
be denied.
Only if all interfaces are allowed, the device is allowed to passed
through.
Example of a device before checking
UsbDevice: (u'1-2', {'idVendor': '17ef', 'ID_VENDOR_FROM_DATABASE':
u'Lenovo', 'bConfigurationValue': '1', 'bDeviceClass': '00',
'ID_MODEL_FROM_DATABASE': '', 'version': ' 2.00', 'idProduct': '383c',
'bNumInterfaces': ' 1', 'serial': 'H8RU2TGE', 'bcdDevice': '0100'})
|__ UsbInterface: (u'1-2:1.0', {'bInterfaceNumber': '00',
'bInterfaceClass': '08', 'bInterfaceProtocol': '50',
'bInterfaceSubClass': '06'})
|__ Allow: False
UsbDevice: (u'4-1.2', {'idVendor': '2717', 'ID_VENDOR_FROM_DATABASE':
'' , 'bConfigurationValue': '1', 'bDeviceClass': '00',
'ID_MODEL_FROM_DATABASE': '', 'version': ' 2.00', 'idProduct': 'ff48',
'bNumInterfaces': ' 2', 'serial': '7b06864', 'bcdDevice': '0404'})
|__ UsbInterface: (u'4-1.2:1.0', {'bInterfaceNumber': '00',
'bInterfaceClass': 'ff', 'bInterfaceProtocol': '00',
'bInterfaceSubClass': 'ff'})
|__ UsbInterface: (u'4-1.2:1.1', {'bInterfaceNumber': '01',
'bInterfaceClass': 'ff', 'bInterfaceProtocol': '01',
'bInterfaceSubClass': '42'})
|__ Allow: False
:param device:(UsbDevice) the device to check
:return:(bool) if allow pass through
"""
log.debug("policy check: " + device.get_node())
for i in device.get_all_interfaces():
allow_interface = False
for r in self.rule_list:
if self.match_device_interface(r, device, i):
if r[self._ALLOW]:
log.debug("allow " + i.get_node())
allow_interface = True
break
else:
log.debug("deny " + i.get_node())
return False
if not allow_interface:
log.debug("deny " + i.get_node() + ", no matching rule")
return False
log.debug("allow " + device.get_node())
return True
def access(self, path):
try:
logger.debug("Testing "+path)
self._cleanup()
url = urllib.unquote(path)
lst = self.ftp.nlst(os.path.dirname(url))
return os.path.basename(url) in map(os.path.basename, lst)
except Exception, e:
logger.info(str(e))
return False
def access(self, path):
try:
logger.debug("Testing " + path)
self._cleanup()
url = urllib.unquote(path)
if self.ftp.size(url) is not None:
return True
lst = self.ftp.nlst(os.path.dirname(url))
return os.path.basename(url) in map(os.path.basename, lst)
except Exception, e:
logger.info(str(e))
return False
def get_usb_info():
context, devices, interfaces = pyudev.Context(), [], []
for d in context.list_devices(subsystem="usb", DEVTYPE="usb_device"):
device = UsbDevice(d.sys_name, d, d.attributes)
if device.is_initialized() and not device.is_class_hub():
devices.append(device)
else:
log.debug("ignore usb device:" + str(device))
for d in context.list_devices(subsystem="usb", DEVTYPE="usb_interface"):
interface = UsbInterface(d.sys_name, d.attributes)
if interface.is_initialized() and not interface.is_class_hub():
interfaces.append(interface)
else:
log.debug("ignore usb interface:" + str(interface))
return devices, interfaces
def __init__(self):
""" parse policy file, generate rule list
Note: hubs are never allowed to pass through
"""
self.rule_list = []
try:
with open(self._PATH, "r") as f:
log.debug("=== policy file begin")
for line in f:
log.debug(line[0:-1])
self.parse_line(line)
log.debug("=== policy file end")
except IOError as e:
# without policy file, no device will be allowed to passed through
log_exit("Caught error {}, policy file error".format(str(e)))
log.debug("=== rule list begin")
log_list(self.rule_list)
log.debug("=== rule list end")
def start(self):
if self.start_count == 0:
self.ftp = ftplib.FTP()
#self.ftp.set_debuglevel(1)
port = ftplib.FTP_PORT
if self.url_parts.port:
port = self.url_parts.port
self.ftp.connect(self.url_parts.hostname, port)
username = self.url_parts.username
password = self.url_parts.password
if username:
username = urllib.unquote(username)
if password:
password = urllib.unquote(password)
self.ftp.login(username, password)
directory = urllib.unquote(self.url_parts.path[1:])
if directory != '':
logger.debug("Changing to " + directory)
self.ftp.cwd(directory)
self.start_count += 1
def start(self):
if self.start_count == 0:
self.ftp = ftplib.FTP()
#self.ftp.set_debuglevel(1)
port = ftplib.FTP_PORT
if self.url_parts.port:
port = self.url_parts.port
self.ftp.connect(self.url_parts.hostname, port)
username = self.url_parts.username
password = self.url_parts.password
if username:
username = urllib.unquote(username)
if password:
password = urllib.unquote(password)
self.ftp.login(username, password)
directory = urllib.unquote(self.url_parts.path[1:])
if directory != '':
logger.debug("Changing to " + directory)
self.ftp.cwd(directory)
self.start_count += 1
def match_device_interface(self, rule, device, interface):
"""check if a rule can match a device and one of its interface
for device, check its vid, pid, rel
for interface, check its class, subclass, prot
:param rule: (dict) the rule to match
:param device:(UsbDevice) the device to check
:param interface:(UsbInterface) the interface to check
:return:(bool) if they match
"""
for k in [k for k in rule if k in self._KEY_MAP_DEVICE]:
log.debug("check {} props[{}] against {}".format(
interface.get_node(), k, str(rule)))
if not hex_equal(rule[k], device[self._KEY_MAP_DEVICE[k]]):
return False
for k in [k for k in rule if k in self._KEY_MAP_INTERFACE]:
log.debug("check {} props[{}] against {}".format(
interface.get_node(), k, str(rule)))
if not hex_equal(rule[k], interface[self._KEY_MAP_INTERFACE[k]]):
return False
log.debug("found matching rule: " + str(rule))
return True
def read_int(path):
with open(path) as f:
return int(f.readline())
def reset_device(bus, dev):
with open("/dev/bus/usb/{0:03d}/{1:03d}".format(bus, dev), "w") as f:
fcntl.ioctl(f.fileno(), USBDEVFS_RESET, 0)
if __name__ == "__main__":
log.logToSyslog(level=logging.DEBUG)
if len(sys.argv) != 2:
sys.exit("usage: {} device_node".format(sys.argv[0]))
device = sys.argv[1]
pattern = re.compile(r"^\d+-\d+(\.\d+)*$")
if pattern.match(device) is None:
log.debug("unexpected device node: {}".format(device))
exit(1)
try:
bus = read_int("/sys/bus/usb/devices/{}/busnum".format(device))
dev = read_int("/sys/bus/usb/devices/{}/devnum".format(device))
reset_device(bus, dev)
except (IOError, ValueError):
log.debug(traceback.format_exc())
exit(1)
def log_list(l):
for s in l:
log.debug(s)
(eth.get("Kernel name", "Unknown"), ))
try:
current_state.append(
MACPCI(eth["Assigned MAC"],
eth["Bus Info"],
kname=eth["Kernel name"],
order=int(eth["BIOS device"]["all_ethN"][3:]),
ppn=eth["BIOS device"]["physical"],
label=eth.get("SMBIOS Label", "")))
except Exception, e:
LOG.error("Can't generate current state for interface '%s' - "
"%s" % (eth, e))
current_state.sort()
LOG.debug("Current state = %s" % (niceformat(current_state), ))
static_rules.generate(current_state)
dynamic_rules.generate(current_state)
static_eths = [x.tname for x in static_rules.rules]
last_boot = [x for x in dynamic_rules.rules if x.tname not in static_eths]
LOG.debug("StaticRules Formulae = %s" %
(niceformat(static_rules.formulae), ))
LOG.debug("StaticRules Rules = %s" % (niceformat(static_rules.rules), ))
LOG.debug("DynamicRules Lastboot = %s" % (niceformat(last_boot), ))
# Invoke the renaming logic
try:
transactions = rename(static_rules=static_rules.rules,
def writeFile(self, in_fh, out_name):
self._cleanup()
fname = urllib.unquote(out_name)
logger.debug("Storing as " + fname)
self.ftp.storbinary('STOR ' + fname, in_fh)
def remap_netdevs(remap_list):
# # rename everything sideways to safe faffing with temp renanes
# for x in ( x for x in os.listdir("/sys/class/net/") if x[:3] == "eth" ):
# util.runCmd2(['ip', 'link', 'set', x, 'name', 'side-'+x])
for cmd in remap_list:
parse_arg(cmd)
# Grab the current state from biosdevname
current_eths = all_devices_all_names()
current_state = []
for nic in current_eths:
eth = current_eths[nic]
if not ("BIOS device" in eth and "Kernel name" in eth
and "Assigned MAC" in eth and "Bus Info" in eth and "all_ethN"
in eth["BIOS device"] and "physical" in eth["BIOS device"]):
LOG.error("Interface information for '%s' from biosdevname is "
"incomplete; Discarding." %
(eth.get("Kernel name", "Unknown"), ))
try:
current_state.append(
MACPCI(eth["Assigned MAC"],
eth["Bus Info"],
kname=eth["Kernel name"],
order=int(eth["BIOS device"]["all_ethN"][3:]),
ppn=eth["BIOS device"]["physical"],
label=eth.get("SMBIOS Label", "")))
except Exception as e:
LOG.error("Can't generate current state for interface '%s' - "
"%s" % (eth, e))
current_state.sort()
LOG.debug("Current state = %s" % (niceformat(current_state), ))
static_rules.generate(current_state)
dynamic_rules.generate(current_state)
static_eths = [x.tname for x in static_rules.rules]
last_boot = [x for x in dynamic_rules.rules if x.tname not in static_eths]
LOG.debug("StaticRules Formulae = %s" %
(niceformat(static_rules.formulae), ))
LOG.debug("StaticRules Rules = %s" % (niceformat(static_rules.rules), ))
LOG.debug("DynamicRules Lastboot = %s" % (niceformat(last_boot), ))
# Invoke the renaming logic
try:
transactions = rename(static_rules=static_rules.rules,
cur_state=current_state,
last_state=last_boot,
old_state=[])
except Exception as e:
LOG.critical("Problem from rename logic: %s. Giving up" % (e, ))
return
# Apply transactions, or explicitly state that there are none
if len(transactions):
for src, dst in transactions:
ip_link_set_name(src, dst)
else:
LOG.info("No transactions. No need to rename any nics")
# Regenerate dynamic configuration
def macpci_as_list(x):
return [str(x.mac), str(x.pci), x.tname]
new_lastboot = map(macpci_as_list, current_state)
dynamic_rules.lastboot = new_lastboot
LOG.info("All done ordering the network devices")
def writeFile(self, in_fh, out_name):
self._cleanup()
fname = urllib.unquote(out_name)
logger.debug("Storing as " + fname)
self.ftp.storbinary('STOR ' + fname, in_fh)
