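def cleanup(names):
    """
    <function internal="yes">
      <summary>
        Release the external resources held by a Zorp instance.
      </summary>
      <description>
        Flushes the instance's kernel-level KZorp policy objects, but only when
        KZorp is enabled in the configuration and init() recorded that the
        kernel module answered its ping. A failed flush is logged together with
        its Python traceback and otherwise ignored, since this runs on the
        shutdown path.
      </description>
      <metainfo>
        <attributes>
          <attribute>
            <name>names</name>
            <type></type>
            <description>Instance names (instance name and also-as names); names[0] is the primary name passed to the KZorp flush.</description>
          </attribute>
        </attributes>
      </metainfo>
    </function>
    """
    import KZorp
    ## LOG ##
    # This message reports that the given instance is freeing its external
    # resources (for example its kernel-level policy objects).
    ##
    log(None, CORE_DEBUG, 6, "Cleaning up instance; name='%s'", (names,))

    # init() may have failed before it set the flag; a missing attribute must
    # not turn cleanup into a crash, so default to "KZorp did not answer".
    kzorp_responded = getattr(Globals, 'kzorp_responds_to_ping', False)
    if not (kzorp_responded and config.options.kzorp_enabled):
        return

    try:
        KZorp.flushKZorpConfig(names[0])
    except Exception:
        # Catch Exception instead of everything so KeyboardInterrupt and
        # SystemExit still propagate through the shutdown path. sys.exc_info()
        # replaces the deprecated, non-thread-safe sys.exc_value /
        # sys.exc_traceback globals.
        _exc_type, exc_value, exc_tb = sys.exc_info()
        ## LOG ##
        # This message indicates that flushing the instance-related information in the
        # kernel-level KZorp subsystem has failed.
        ##
        log(None, CORE_ERROR, 0, "Error flushing KZorp configuration; error='%s'", (exc_value,))
        # Exception and traceback text are passed as format arguments (as the
        # debug log above does) rather than pre-formatted into the message, so
        # a '%' inside them can never be taken for a format directive by log().
        for frame_text in traceback.format_tb(exc_tb):
            for line in frame_text.split("\n"):
                if line:
                    log(None, CORE_ERROR, 4, "Traceback: %s", (line,))
        # Drop the traceback reference to break the frame/traceback cycle.
        del exc_tb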
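def cleanup(names, virtual_name, is_master):
    """
    <function internal="yes">
      <summary>
        Release the external resources held by a Zorp instance.
      </summary>
      <description>
        Only the master process flushes the instance's kernel-level KZorp policy
        objects, and only when KZorp is enabled in the configuration and init()
        found it available. A failed flush is logged together with its Python
        traceback and otherwise ignored, since this runs on the shutdown path.
      </description>
      <metainfo>
        <attributes>
          <attribute>
            <name>names</name>
            <type></type>
            <description>Instance names (instance name and also-as names); names[0] is the primary name passed to the KZorp flush.</description>
          </attribute>
          <attribute>
            <name>virtual_name</name>
            <type>string</type>
            <description>Virtual instance name of this process; not used by cleanup.</description>
          </attribute>
          <attribute>
            <name>is_master</name>
            <type>int</type>
            <description>TRUE for the master process; slave processes never touch the kernel-side state.</description>
          </attribute>
        </attributes>
      </metainfo>
    </function>
    """
    import KZorp
    ## LOG ##
    # This message reports that the given instance is freeing its external
    # resources (for example its kernel-level policy objects).
    ##
    log(None, CORE_DEBUG, 6, "Cleaning up instance; name='%s'", (names,))

    # init() may have failed before it set the flag; a missing attribute must
    # not turn cleanup into a crash, so default to "KZorp unavailable".
    kzorp_available = getattr(Globals, 'kzorp_available', False)
    if not (is_master and kzorp_available and config.options.kzorp_enabled):
        return

    try:
        KZorp.flushKZorpConfig(names[0])
    except Exception:
        # Catch Exception instead of everything so KeyboardInterrupt and
        # SystemExit still propagate through the shutdown path. sys.exc_info()
        # replaces the deprecated, non-thread-safe sys.exc_value /
        # sys.exc_traceback globals.
        _exc_type, exc_value, exc_tb = sys.exc_info()
        ## LOG ##
        # This message indicates that flushing the instance-related information in the
        # kernel-level KZorp subsystem has failed.
        ##
        log(None, CORE_ERROR, 0, "Error flushing KZorp configuration; error='%s'", (exc_value,))
        # Exception and traceback text are passed as format arguments (as the
        # debug log above does) rather than pre-formatted into the message, so
        # a '%' inside them can never be taken for a format directive by log().
        for frame_text in traceback.format_tb(exc_tb):
            for line in frame_text.split("\n"):
                if line:
                    log(None, CORE_ERROR, 4, "Traceback: %s", (line,))
        # Drop the traceback reference to break the frame/traceback cycle.
        del exc_tb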
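def _read_audit_file(path):
    """
    <function internal="yes">
      <summary>
        Read a whole audit-related file (certificate or private key) and return its contents.
      </summary>
      <description>
        The file is closed explicitly instead of relying on garbage collection of
        a temporary file object. IOError from open()/read() propagates to the caller.
      </description>
    </function>
    """
    handle = open(path, 'r')
    try:
        return handle.read()
    finally:
        handle.close()


def _load_audit_material():
    """
    <function internal="yes">
      <summary>
        Load the audit-trail encryption certificates and the signing key/certificate into config.audit.
      </summary>
      <description>
        Each file named in config.audit is read into the matching *_file-less
        attribute. Unreadable files are logged at CORE_ERROR and skipped; the
        signing private key is kept in memory for the lifetime of the process.
      </description>
    </function>
    """
    if config.audit.encrypt_certificate_file:
        try:
            config.audit.encrypt_certificate = _read_audit_file(config.audit.encrypt_certificate_file)
        except IOError:
            log(None, CORE_ERROR, 1, "Error reading audit encryption certificate; file='%s'", (config.audit.encrypt_certificate_file,))

    if config.audit.encrypt_certificate_list_file:
        # A list of lists of file names. An unreadable file is logged and
        # skipped; a value of the wrong shape is logged and whatever was loaded
        # before the TypeError is kept.
        try:
            config.audit.encrypt_certificate_list = []
            for group in config.audit.encrypt_certificate_list_file:
                loaded = []
                for path in group:
                    try:
                        loaded.append(_read_audit_file(path))
                    except IOError:
                        log(None, CORE_ERROR, 1, "Error reading audit encryption certificate; file='%s'", (path,))
                config.audit.encrypt_certificate_list.append(loaded)
        except TypeError:
            log(None, CORE_ERROR, 1, "Error iterating encryption certificate file list;")

    # Fall back to the single certificate when no list was configured.
    if config.audit.encrypt_certificate_list is None and config.audit.encrypt_certificate:
        config.audit.encrypt_certificate_list = [[config.audit.encrypt_certificate]]

    if config.audit.sign_private_key_file:
        try:
            config.audit.sign_private_key = _read_audit_file(config.audit.sign_private_key_file)
        except IOError:
            log(None, CORE_ERROR, 1, "Error reading audit signature's private key; file='%s'", (config.audit.sign_private_key_file,))

    if config.audit.sign_certificate_file:
        try:
            config.audit.sign_certificate = _read_audit_file(config.audit.sign_certificate_file)
        except IOError:
            log(None, CORE_ERROR, 1, "Error reading audit signature's certificate; file='%s'", (config.audit.sign_certificate_file,))


def _log_traceback(exc_tb, verbosity):
    """
    <function internal="yes">
      <summary>
        Log every non-empty line of a traceback at CORE_ERROR with the given verbosity.
      </summary>
    </function>
    """
    for frame_text in traceback.format_tb(exc_tb):
        for line in frame_text.split("\n"):
            if line:
                # The line is a format argument, not the format string: traceback
                # text may contain '%' (source lines, exception messages).
                log(None, CORE_ERROR, verbosity, "Traceback: %s", (line,))


def init(names):
    """
    <function internal="yes">
      <summary>
        Default init() function provided by Zorp
      </summary>
      <description>
        This function is a default <function>init()</function> calling the init function
        identified by each entry of the <parameter>names</parameter> argument. This way several Zorp
        instances can use the same policy file.
        It first loads the audit-trail certificates and keys, pings the kernel-level
        KZorp subsystem when it is enabled, runs the policy's per-instance init
        functions and finally downloads the configuration into KZorp.
        Returns TRUE on success, FALSE when an instance's init function is missing
        from the policy or the KZorp configuration download fails.
      </description>
      <metainfo>
        <attributes>
          <attribute maturity="stable">
            <name>names</name>
            <type></type>
            <description>Names (instance name and also-as names) of this instance; names[0] is the primary name. Must not be empty.</description>
          </attribute>
        </attributes>
      </metainfo>
    </function>
    """
    import __main__
    import SockAddr, KZorp
    import kznf.nfnetlink
    import kznf.kznfnetlink
    import errno

    # miscellaneous initialization: audit-trail encryption / signing material
    _load_audit_material()

    Globals.kzorp_responds_to_ping = False
    if config.options.kzorp_enabled:
        # ping kzorp to see if it's there
        try:
            h = KZorp.openHandle()
            m = h.create_message(kznf.nfnetlink.NFNL_SUBSYS_KZORP, kznf.kznfnetlink.KZNL_MSG_GET_ZONE,
                                 kznf.nfnetlink.NLM_F_REQUEST | kznf.nfnetlink.NLM_F_DUMP)
            m.set_nfmessage(kznf.kznfnetlink.create_get_zone_msg(None))
            result = h.talk(m, (0, 0), KZorp.netlinkmsg_handler)
            if result < 0:
                log(None, CORE_ERROR, 0, "Error pinging KZorp, it is probably unavailable; result='%d'", (result,))
            else:
                Globals.kzorp_responds_to_ping = True
        except Exception:
            # sys.exc_info() replaces the deprecated, non-thread-safe sys.exc_value.
            exc_value = sys.exc_info()[1]
            log(None, CORE_ERROR, 0, "Error pinging KZorp, it is probably unavailable; exc_value='%s'", (exc_value,))

    # The policy file (__main__) is trusted configuration: each instance name
    # selects a function defined in it, which is then executed.
    Globals.instance_name = names[0]
    for instance in names:
        try:
            func = getattr(__main__, instance)
        except AttributeError:
            ## LOG ##
            # This message indicates that the initialization function of
            # the given instance was not found in the policy file.
            ##
            log(None, CORE_ERROR, 0, "Instance definition not found in policy; instance='%s'", (names,))
            return FALSE
        func()

    if config.options.kzorp_enabled:
        # ping kzorp again now that the policy has been initialised; a lookup
        # of a zone that cannot exist answers -ENOENT, which proves the kernel
        # module is there.
        try:
            h = KZorp.openHandle()
            m = h.create_message(kznf.nfnetlink.NFNL_SUBSYS_KZORP, kznf.kznfnetlink.KZNL_MSG_GET_ZONE,
                                 kznf.nfnetlink.NLM_F_REQUEST)
            m.set_nfmessage(kznf.kznfnetlink.create_get_zone_msg("__nonexistent_zone__"))
            result = h.talk(m, (0, 0), KZorp.netlinkmsg_handler)
            if result < 0 and result != -errno.ENOENT:
                log(None, CORE_ERROR, 0, "Error pinging KZorp, it is probably unavailable; result='%d'", (result,))
            else:
                Globals.kzorp_responds_to_ping = True
        except Exception:
            exc_value = sys.exc_info()[1]
            log(None, CORE_ERROR, 0, "Error pinging KZorp, it is probably unavailable; exc_value='%s'", (exc_value,))

        # NOTE(review): a failed second ping does not clear a flag set by the
        # first one, so the download below is still attempted in that case
        # (preserved from the original) -- confirm this is intended.
        if Globals.kzorp_responds_to_ping:
            try:
                KZorp.downloadKZorpConfig(names[0])
            except Exception:
                exc_value, exc_tb = sys.exc_info()[1:]
                ## LOG ##
                # This message indicates that downloading the necessary information to the
                # kernel-level KZorp subsystem has failed.
                ##
                log(None, CORE_ERROR, 0, "Error downloading KZorp configuration, Python traceback follows; error='%s'", (exc_value,))
                _log_traceback(exc_tb, 0)
                del exc_tb

                # if kzorp did respond to the ping, the configuration is erroneous -- we die here so the user finds out
                return FALSE

    return TRUE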
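def _read_audit_file(path):
    """
    <function internal="yes">
      <summary>
        Read a whole audit-related file (certificate or private key) and return its contents.
      </summary>
      <description>
        The file is closed explicitly instead of relying on garbage collection of
        a temporary file object. IOError from open()/read() propagates to the caller.
      </description>
    </function>
    """
    handle = open(path, 'r')
    try:
        return handle.read()
    finally:
        handle.close()


def _load_audit_material():
    """
    <function internal="yes">
      <summary>
        Load the audit-trail encryption certificates and the signing key/certificate into config.audit.
      </summary>
      <description>
        Each file named in config.audit is read into the matching *_file-less
        attribute. Unreadable files are logged at CORE_ERROR and skipped; the
        signing private key is kept in memory for the lifetime of the process.
      </description>
    </function>
    """
    if config.audit.encrypt_certificate_file:
        try:
            config.audit.encrypt_certificate = _read_audit_file(config.audit.encrypt_certificate_file)
        except IOError:
            log(None, CORE_ERROR, 1, "Error reading audit encryption certificate; file='%s'", (config.audit.encrypt_certificate_file,))

    if config.audit.encrypt_certificate_list_file:
        # A list of lists of file names. An unreadable file is logged and
        # skipped; a value of the wrong shape is logged and whatever was loaded
        # before the TypeError is kept.
        try:
            config.audit.encrypt_certificate_list = []
            for group in config.audit.encrypt_certificate_list_file:
                loaded = []
                for path in group:
                    try:
                        loaded.append(_read_audit_file(path))
                    except IOError:
                        log(None, CORE_ERROR, 1, "Error reading audit encryption certificate; file='%s'", (path,))
                config.audit.encrypt_certificate_list.append(loaded)
        except TypeError:
            log(None, CORE_ERROR, 1, "Error iterating encryption certificate file list;")

    # Fall back to the single certificate when no list was configured.
    if config.audit.encrypt_certificate_list is None and config.audit.encrypt_certificate:
        config.audit.encrypt_certificate_list = [[config.audit.encrypt_certificate]]

    if config.audit.sign_private_key_file:
        try:
            config.audit.sign_private_key = _read_audit_file(config.audit.sign_private_key_file)
        except IOError:
            log(None, CORE_ERROR, 1, "Error reading audit signature's private key; file='%s'", (config.audit.sign_private_key_file,))

    if config.audit.sign_certificate_file:
        try:
            config.audit.sign_certificate = _read_audit_file(config.audit.sign_certificate_file)
        except IOError:
            log(None, CORE_ERROR, 1, "Error reading audit signature's certificate; file='%s'", (config.audit.sign_certificate_file,))


def _log_traceback(exc_tb, verbosity):
    """
    <function internal="yes">
      <summary>
        Log every non-empty line of a traceback at CORE_ERROR with the given verbosity.
      </summary>
    </function>
    """
    for frame_text in traceback.format_tb(exc_tb):
        for line in frame_text.split("\n"):
            if line:
                # The line is a format argument, not the format string: traceback
                # text may contain '%' (source lines, exception messages).
                log(None, CORE_ERROR, verbosity, "Traceback: %s", (line,))


def init(names, virtual_name, is_master):
    """
    <function internal="yes">
      <summary>
        Default init() function provided by Zorp
      </summary>
      <description>
        This function is a default <function>init()</function> calling the init function
        identified by each entry of the <parameter>names</parameter> argument. This way several Zorp
        instances can use the same policy file.
        It first loads the audit-trail certificates and keys, probes the kernel-level
        KZorp subsystem when it is enabled, runs the policy's per-instance init
        functions, validates the matchers and finally downloads the configuration
        into KZorp. Returns TRUE on success, FALSE when an instance's init function
        is missing from the policy or the KZorp configuration download fails.
      </description>
      <metainfo>
        <attributes>
          <attribute maturity="stable">
            <name>names</name>
            <type></type>
            <description>Names (instance name and also-as names) of this instance; names[0] is the primary name. Must not be empty.</description>
          </attribute>
          <attribute maturity="stable">
            <name>virtual_name</name>
            <type>string</type>
            <description>
              Virtual instance name of this process. If a Zorp instance is backed by multiple
              Zorp processes using the same configuration each process has a unique virtual
              instance name that is used for SZIG communication, PID file creation, etc.
            </description>
          </attribute>
          <attribute>
            <name>is_master</name>
            <type>int</type>
            <description>
              TRUE if Zorp is running in master mode, FALSE for slave processes. Each Zorp instance
              should have exactly one master process and an arbitrary number of slaves.
              Passed through to the KZorp configuration download.
            </description>
          </attribute>
        </attributes>
      </metainfo>
    </function>
    """
    import __main__
    import SockAddr, Matcher, Rule

    Globals.virtual_instance_name = virtual_name

    # miscellaneous initialization: audit-trail encryption / signing material
    _load_audit_material()

    Globals.rules = Rule.RuleSet()

    # Always define the flag: it is read unconditionally further down, and with
    # KZorp disabled it must read False rather than a missing or stale attribute.
    Globals.kzorp_available = False
    if config.options.kzorp_enabled:
        import kzorp.communication
        # ping kzorp to see if it's there: constructing the handle is the probe
        try:
            h = kzorp.communication.Handle()
            Globals.kzorp_available = True
        except Exception:
            # sys.exc_info() replaces the deprecated, non-thread-safe sys.exc_value.
            exc_value = sys.exc_info()[1]
            log(None, CORE_ERROR, 0, "Error pinging KZorp, it is probably unavailable; exc_value='%s'", (exc_value,))

    # The policy file (__main__) is trusted configuration: each instance name
    # selects a function defined in it, which is then executed.
    Globals.instance_name = names[0]
    for instance in names:
        try:
            func = getattr(__main__, instance)
        except AttributeError:
            ## LOG ##
            # This message indicates that the initialization function of
            # the given instance was not found in the policy file.
            ##
            log(None, CORE_ERROR, 0, "Instance definition not found in policy; instance='%s'", (names,))
            return FALSE
        func()

    Matcher.validateMatchers()

    if Globals.kzorp_available:
        import KZorp
        try:
            KZorp.downloadKZorpConfig(names[0], is_master)
        except Exception:
            exc_value, exc_tb = sys.exc_info()[1:]
            ## LOG ##
            # This message indicates that downloading the necessary information to the
            # kernel-level KZorp subsystem has failed.
            ##
            log(None, CORE_ERROR, 0, "Error downloading KZorp configuration, Python traceback follows; error='%s'", (exc_value,))
            _log_traceback(exc_tb, 0)
            del exc_tb

            # if kzorp did respond to the ping, the configuration is erroneous -- we die here so the user finds out
            return FALSE

    return TRUE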
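def _read_audit_file(path):
    """
    <function internal="yes">
      <summary>
        Read a whole audit-related file (certificate or private key) and return its contents.
      </summary>
      <description>
        The file is closed explicitly instead of relying on garbage collection of
        a temporary file object. IOError from open()/read() propagates to the caller.
      </description>
    </function>
    """
    handle = open(path, 'r')
    try:
        return handle.read()
    finally:
        handle.close()


def _load_audit_material():
    """
    <function internal="yes">
      <summary>
        Load the audit-trail encryption certificates and the signing key/certificate into config.audit.
      </summary>
      <description>
        Each file named in config.audit is read into the matching *_file-less
        attribute. Unreadable files are logged at CORE_ERROR and skipped; the
        signing private key is kept in memory for the lifetime of the process.
      </description>
    </function>
    """
    if config.audit.encrypt_certificate_file:
        try:
            config.audit.encrypt_certificate = _read_audit_file(config.audit.encrypt_certificate_file)
        except IOError:
            log(None, CORE_ERROR, 1, "Error reading audit encryption certificate; file='%s'", (config.audit.encrypt_certificate_file,))

    if config.audit.encrypt_certificate_list_file:
        # A list of lists of file names. An unreadable file is logged and
        # skipped; a value of the wrong shape is logged and whatever was loaded
        # before the TypeError is kept.
        try:
            config.audit.encrypt_certificate_list = []
            for group in config.audit.encrypt_certificate_list_file:
                loaded = []
                for path in group:
                    try:
                        loaded.append(_read_audit_file(path))
                    except IOError:
                        log(None, CORE_ERROR, 1, "Error reading audit encryption certificate; file='%s'", (path,))
                config.audit.encrypt_certificate_list.append(loaded)
        except TypeError:
            log(None, CORE_ERROR, 1, "Error iterating encryption certificate file list;")

    # Fall back to the single certificate when no list was configured.
    if config.audit.encrypt_certificate_list is None and config.audit.encrypt_certificate:
        config.audit.encrypt_certificate_list = [[config.audit.encrypt_certificate]]

    if config.audit.sign_private_key_file:
        try:
            config.audit.sign_private_key = _read_audit_file(config.audit.sign_private_key_file)
        except IOError:
            log(None, CORE_ERROR, 1, "Error reading audit signature's private key; file='%s'", (config.audit.sign_private_key_file,))

    if config.audit.sign_certificate_file:
        try:
            config.audit.sign_certificate = _read_audit_file(config.audit.sign_certificate_file)
        except IOError:
            log(None, CORE_ERROR, 1, "Error reading audit signature's certificate; file='%s'", (config.audit.sign_certificate_file,))


def _log_traceback(exc_tb, verbosity):
    """
    <function internal="yes">
      <summary>
        Log every non-empty line of a traceback at CORE_ERROR with the given verbosity.
      </summary>
    </function>
    """
    for frame_text in traceback.format_tb(exc_tb):
        for line in frame_text.split("\n"):
            if line:
                # The line is a format argument, not the format string: traceback
                # text may contain '%' (source lines, exception messages).
                log(None, CORE_ERROR, verbosity, "Traceback: %s", (line,))


def init(names, virtual_name, is_master):
    """
    <function internal="yes">
      <summary>
        Default init() function provided by Zorp
      </summary>
      <description>
        This function is a default <function>init()</function> calling the init function
        identified by each entry of the <parameter>names</parameter> argument. This way several Zorp
        instances can use the same policy file.
        It first loads the audit-trail certificates and keys, probes the kernel-level
        KZorp subsystem when it is enabled, runs the policy's per-instance init
        functions, validates the matchers and finally downloads the configuration
        into KZorp. Returns TRUE on success, FALSE when an instance's init function
        is missing from the policy or the KZorp configuration download fails.
      </description>
      <metainfo>
        <attributes>
          <attribute maturity="stable">
            <name>names</name>
            <type></type>
            <description>Names (instance name and also-as names) of this instance; names[0] is the primary name. Must not be empty.</description>
          </attribute>
          <attribute maturity="stable">
            <name>virtual_name</name>
            <type>string</type>
            <description>
              Virtual instance name of this process. If a Zorp instance is backed by multiple
              Zorp processes using the same configuration each process has a unique virtual
              instance name that is used for SZIG communication, PID file creation, etc.
              Not stored by this variant of init().
            </description>
          </attribute>
          <attribute>
            <name>is_master</name>
            <type>int</type>
            <description>
              TRUE if Zorp is running in master mode, FALSE for slave processes. Each Zorp instance
              should have exactly one master process and an arbitrary number of slaves.
              Passed through to the KZorp configuration download.
            </description>
          </attribute>
        </attributes>
      </metainfo>
    </function>
    """
    import __main__
    import SockAddr, KZorp, Matcher, Rule
    import kzorp.netlink
    import kzorp.kzorp_netlink

    # miscellaneous initialization: audit-trail encryption / signing material
    _load_audit_material()

    Globals.rules = Rule.RuleSet()

    # Always define the flag: it is read unconditionally further down, and with
    # KZorp disabled it must read False rather than a missing or stale attribute.
    Globals.kzorp_available = False
    if config.options.kzorp_enabled:
        # ping kzorp to see if it's there: constructing the handle is the probe
        try:
            h = kzorp.kzorp_netlink.Handle()
            Globals.kzorp_available = True
        except Exception:
            # sys.exc_info() replaces the deprecated, non-thread-safe sys.exc_value.
            exc_value = sys.exc_info()[1]
            log(None, CORE_ERROR, 0, "Error pinging KZorp, it is probably unavailable; exc_value='%s'", (exc_value,))

    # The policy file (__main__) is trusted configuration: each instance name
    # selects a function defined in it, which is then executed.
    Globals.instance_name = names[0]
    for instance in names:
        try:
            func = getattr(__main__, instance)
        except AttributeError:
            ## LOG ##
            # This message indicates that the initialization function of
            # the given instance was not found in the policy file.
            ##
            log(None, CORE_ERROR, 0, "Instance definition not found in policy; instance='%s'", (names,))
            return FALSE
        func()

    Matcher.validateMatchers()

    if Globals.kzorp_available:
        try:
            KZorp.downloadKZorpConfig(names[0], is_master)
        except Exception:
            exc_value, exc_tb = sys.exc_info()[1:]
            ## LOG ##
            # This message indicates that downloading the necessary information to the
            # kernel-level KZorp subsystem has failed.
            ##
            log(None, CORE_ERROR, 0, "Error downloading KZorp configuration, Python traceback follows; error='%s'", (exc_value,))
            _log_traceback(exc_tb, 0)
            del exc_tb

            # if kzorp did respond to the ping, the configuration is erroneous -- we die here so the user finds out
            return FALSE

    return TRUE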
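def _read_audit_file(path):
    """
    <function internal="yes">
      <summary>
        Read a whole audit-related file (certificate or private key) and return its contents.
      </summary>
      <description>
        The file is closed explicitly instead of relying on garbage collection of
        a temporary file object. IOError from open()/read() propagates to the caller.
      </description>
    </function>
    """
    handle = open(path, 'r')
    try:
        return handle.read()
    finally:
        handle.close()


def _load_audit_material():
    """
    <function internal="yes">
      <summary>
        Load the audit-trail encryption certificates and the signing key/certificate into config.audit.
      </summary>
      <description>
        Each file named in config.audit is read into the matching *_file-less
        attribute. Unreadable files are logged at CORE_ERROR and skipped; the
        signing private key is kept in memory for the lifetime of the process.
      </description>
    </function>
    """
    if config.audit.encrypt_certificate_file:
        try:
            config.audit.encrypt_certificate = _read_audit_file(config.audit.encrypt_certificate_file)
        except IOError:
            log(None, CORE_ERROR, 1, "Error reading audit encryption certificate; file='%s'", (config.audit.encrypt_certificate_file,))

    if config.audit.encrypt_certificate_list_file:
        # A list of lists of file names. An unreadable file is logged and
        # skipped; a value of the wrong shape is logged and whatever was loaded
        # before the TypeError is kept.
        try:
            config.audit.encrypt_certificate_list = []
            for group in config.audit.encrypt_certificate_list_file:
                loaded = []
                for path in group:
                    try:
                        loaded.append(_read_audit_file(path))
                    except IOError:
                        log(None, CORE_ERROR, 1, "Error reading audit encryption certificate; file='%s'", (path,))
                config.audit.encrypt_certificate_list.append(loaded)
        except TypeError:
            log(None, CORE_ERROR, 1, "Error iterating encryption certificate file list;")

    # Fall back to the single certificate when no list was configured.
    if config.audit.encrypt_certificate_list is None and config.audit.encrypt_certificate:
        config.audit.encrypt_certificate_list = [[config.audit.encrypt_certificate]]

    if config.audit.sign_private_key_file:
        try:
            config.audit.sign_private_key = _read_audit_file(config.audit.sign_private_key_file)
        except IOError:
            log(None, CORE_ERROR, 1, "Error reading audit signature's private key; file='%s'", (config.audit.sign_private_key_file,))

    if config.audit.sign_certificate_file:
        try:
            config.audit.sign_certificate = _read_audit_file(config.audit.sign_certificate_file)
        except IOError:
            log(None, CORE_ERROR, 1, "Error reading audit signature's certificate; file='%s'", (config.audit.sign_certificate_file,))


def _log_traceback(exc_tb, verbosity):
    """
    <function internal="yes">
      <summary>
        Log every non-empty line of a traceback at CORE_ERROR with the given verbosity.
      </summary>
    </function>
    """
    for frame_text in traceback.format_tb(exc_tb):
        for line in frame_text.split("\n"):
            if line:
                # The line is a format argument, not the format string: traceback
                # text may contain '%' (source lines, exception messages).
                log(None, CORE_ERROR, verbosity, "Traceback: %s", (line,))


def init(names):
    """
    <function internal="yes">
      <summary>
        Default init() function provided by Zorp
      </summary>
      <description>
        This function is a default <function>init()</function> calling the init function
        identified by each entry of the <parameter>names</parameter> argument. This way several Zorp
        instances can use the same policy file.
        It first loads the audit-trail certificates and keys, pings the kernel-level
        KZorp subsystem when it is enabled, runs the policy's per-instance init
        functions and finally downloads the configuration into KZorp.
        Returns TRUE on success, FALSE when an instance's init function is missing
        from the policy or the KZorp configuration download fails.
      </description>
      <metainfo>
        <attributes>
          <attribute maturity="stable">
            <name>names</name>
            <type></type>
            <description>Names (instance name and also-as names) of this instance; names[0] is the primary name. Must not be empty.</description>
          </attribute>
        </attributes>
      </metainfo>
    </function>
    """
    import __main__
    import SockAddr, KZorp
    import kznf.nfnetlink
    import kznf.kznfnetlink

    # miscellaneous initialization: audit-trail encryption / signing material
    _load_audit_material()

    Globals.kzorp_responds_to_ping = False
    if config.options.kzorp_enabled:
        # ping kzorp to see if it's there
        try:
            h = KZorp.openHandle()
            m = h.create_message(kznf.nfnetlink.NFNL_SUBSYS_KZORP, kznf.kznfnetlink.KZNL_MSG_GET_ZONE,
                                 kznf.nfnetlink.NLM_F_REQUEST | kznf.nfnetlink.NLM_F_DUMP)
            m.set_nfmessage(kznf.kznfnetlink.create_get_zone_msg(None))
            result = h.talk(m, (0, 0), KZorp.netlinkmsg_handler)
            if result < 0:
                log(None, CORE_ERROR, 0, "Error pinging KZorp, it is probably unavailable; result='%d'", (result,))
            else:
                Globals.kzorp_responds_to_ping = True
        except Exception:
            # sys.exc_info() replaces the deprecated, non-thread-safe sys.exc_value.
            exc_value = sys.exc_info()[1]
            log(None, CORE_ERROR, 0, "Error pinging KZorp, it is probably unavailable; exc_value='%s'", (exc_value,))

    # The policy file (__main__) is trusted configuration: each instance name
    # selects a function defined in it, which is then executed.
    Globals.instance_name = names[0]
    for instance in names:
        try:
            func = getattr(__main__, instance)
        except AttributeError:
            ## LOG ##
            # This message indicates that the initialization function of
            # the given instance was not found in the policy file.
            ##
            log(None, CORE_ERROR, 0, "Instance definition not found in policy; instance='%s'", (names,))
            return FALSE
        func()

    if Globals.kzorp_responds_to_ping:
        try:
            KZorp.downloadKZorpConfig(names[0])
        except Exception:
            exc_value, exc_tb = sys.exc_info()[1:]
            ## LOG ##
            # This message indicates that downloading the necessary information to the
            # kernel-level KZorp subsystem has failed.
            ##
            log(None, CORE_ERROR, 0, "Error downloading KZorp configuration, Python traceback follows; error='%s'", (exc_value,))
            _log_traceback(exc_tb, 0)
            del exc_tb

            # if kzorp did respond to the ping, the configuration is erroneous -- we die here so the user finds out
            return FALSE

    return TRUE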