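def cleanup(names):
    """
    <function internal="yes">
    </function>
    """
    # Release the external resources of the instance called names[0].  The
    # only such resource handled here is the kernel-level KZorp policy that
    # init() downloaded; it is flushed only when KZorp answered the ping in
    # init() AND KZorp support is enabled in the configuration.
    #
    # Args:
    #   names: sequence of instance names; names[0] is the primary name the
    #          kernel objects were registered under.
    #
    # This runs on the shutdown path, so a failed flush is logged and
    # swallowed instead of raised.  Security note: after a failed flush the
    # kernel may keep enforcing the stale policy objects until they are
    # removed by other means, so the CORE_ERROR line below is worth alerting on.
    import KZorp

    ## LOG ##
    # This message reports that the given instance is freeing its external
    # resources (for example its kernel-level policy objects).
    ##
    log(None, CORE_DEBUG, 6, "Cleaning up instance; name='%s'", (names,))

    if not (Globals.kzorp_responds_to_ping and config.options.kzorp_enabled):
        return

    try:
        KZorp.flushKZorpConfig(names[0])
    except Exception:
        # `except Exception` rather than a bare `except:` so SystemExit and
        # KeyboardInterrupt still propagate through shutdown; sys.exc_info()
        # replaces the Python-2-only sys.exc_value / sys.exc_traceback.
        exc_value, exc_tb = sys.exc_info()[1:]
        ## LOG ##
        # This message indicates that flushing the instance-related information in the
        # kernel-level KZorp subsystem has failed.
        ##
        log(None, CORE_ERROR, 0, "Error flushing KZorp configuration; error='%s'" % (exc_value))
        for frame_text in traceback.format_tb(exc_tb):
            for tb_line in frame_text.split("\n"):
                if tb_line:
                    log(None, CORE_ERROR, 4, "Traceback: %s" % (tb_line))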
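def cleanup(names, virtual_name, is_master):
    """
    <function internal="yes">
    </function>
    """
    # Release the external resources of the instance called names[0].  The
    # only such resource handled here is the kernel-level KZorp policy that
    # init() downloaded.  Only the master process flushes it (the slaves of
    # an instance share that kernel configuration), and only when KZorp was
    # found available in init() and is enabled in the configuration.
    #
    # Args:
    #   names:        sequence of instance names; names[0] is the primary
    #                 name the kernel objects were registered under.
    #   virtual_name: virtual instance name of this process (unused here,
    #                 kept for signature compatibility with init()).
    #   is_master:    TRUE for the master process, FALSE for slaves.
    #
    # This runs on the shutdown path, so a failed flush is logged and
    # swallowed instead of raised.  Security note: after a failed flush the
    # kernel may keep enforcing the stale policy objects until they are
    # removed by other means, so the CORE_ERROR line below is worth alerting on.
    import KZorp

    ## LOG ##
    # This message reports that the given instance is freeing its external
    # resources (for example its kernel-level policy objects).
    ##
    log(None, CORE_DEBUG, 6, "Cleaning up instance; name='%s'", (names,))

    if not (is_master and Globals.kzorp_available and config.options.kzorp_enabled):
        return

    try:
        KZorp.flushKZorpConfig(names[0])
    except Exception:
        # `except Exception` rather than a bare `except:` so SystemExit and
        # KeyboardInterrupt still propagate through shutdown; sys.exc_info()
        # replaces the Python-2-only sys.exc_value / sys.exc_traceback.
        exc_value, exc_tb = sys.exc_info()[1:]
        ## LOG ##
        # This message indicates that flushing the instance-related information in the
        # kernel-level KZorp subsystem has failed.
        ##
        log(None, CORE_ERROR, 0, "Error flushing KZorp configuration; error='%s'" % (exc_value))
        for frame_text in traceback.format_tb(exc_tb):
            for tb_line in frame_text.split("\n"):
                if tb_line:
                    log(None, CORE_ERROR, 4, "Traceback: %s" % (tb_line))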
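def init(names):
    """
    <function internal="yes">
    <summary> Default init() function provided by Zorp </summary>
    <description>
      This function is a default <function>init()</function> calling the init function identified by the <parameter>name</parameter> argument. This way several Zorp instances can use the same policy file.
    </description>
    <metainfo>
      <attributes>
        <attribute maturity="stable">
          <name>name</name>
          <type></type>
          <description>Name of this instance.</description>
        </attribute>
      </attributes>
    </metainfo>
    </function>
    """
    # Default init() entry point: load the audit key material, probe the
    # kernel-level KZorp module, run the policy's per-instance init
    # function(s) and finally download the resulting policy into KZorp.
    #
    # Args:
    #   names: instance names; names[0] is the primary instance name and
    #          every name must be a callable in the policy module (__main__).
    #
    # Returns:
    #   TRUE on success; FALSE if an instance function is missing from the
    #   policy or downloading the configuration into KZorp failed.
    #
    # NOTE(review): an unavailable KZorp is logged but NOT treated as an
    # error -- init() still returns TRUE and the instance runs without the
    # kernel-level policy.  Likewise an unreadable audit signing key or
    # certificate only produces a CORE_ERROR line; presumably audit records
    # are then written unsigned/unencrypted -- confirm downstream, and
    # consider failing closed where the deployment relies on those properties.
    import __main__
    import SockAddr, KZorp
    import kznf.nfnetlink
    import kznf.kznfnetlink
    import errno

    def _read_audit_file(path, errmsg):
        # Read the whole file at `path`; on IOError log `errmsg` (a format
        # string taking the path) and return None.  `with` closes the
        # descriptor promptly -- open(...).read() left it to the GC.
        try:
            with open(path, 'r') as fp:
                return fp.read()
        except IOError:
            log(None, CORE_ERROR, 1, errmsg, (path))
            return None

    def _log_traceback(exc_tb, verbosity):
        # Emit a formatted traceback through log(), one line per call.
        for frame_text in traceback.format_tb(exc_tb):
            for tb_line in frame_text.split("\n"):
                if tb_line:
                    log(None, CORE_ERROR, verbosity, "Traceback: %s" % (tb_line))

    def _ping_kzorp(flags, zone_name, tolerated_results):
        # Probe the KZorp netlink subsystem with a GET_ZONE request.  Returns
        # True if the kernel answered (a negative result listed in
        # tolerated_results still counts as an answer), False after logging
        # otherwise.
        try:
            handle = KZorp.openHandle()
            msg = handle.create_message(kznf.nfnetlink.NFNL_SUBSYS_KZORP,
                                        kznf.kznfnetlink.KZNL_MSG_GET_ZONE,
                                        flags)
            msg.set_nfmessage(kznf.kznfnetlink.create_get_zone_msg(zone_name))
            result = handle.talk(msg, (0, 0), KZorp.netlinkmsg_handler)
        except Exception:
            # sys.exc_info() replaces the Python-2-only sys.exc_value.
            log(None, CORE_ERROR, 0, "Error pinging KZorp, it is probably unavailable; exc_value='%s'" % (sys.exc_info()[1]))
            return False
        if result < 0 and result not in tolerated_results:
            log(None, CORE_ERROR, 0, "Error pinging KZorp, it is probably unavailable; result='%d'" % (result))
            return False
        return True

    # Miscellaneous initialization: audit key material.  Values are only
    # assigned on a successful read, so a failed read leaves the previous
    # value of the config attribute untouched (as before).
    if config.audit.encrypt_certificate_file:
        content = _read_audit_file(config.audit.encrypt_certificate_file,
                                   "Error reading audit encryption certificate; file='%s'")
        if content is not None:
            config.audit.encrypt_certificate = content

    if config.audit.encrypt_certificate_list_file:
        try:
            config.audit.encrypt_certificate_list = [ ]
            for cert_files in config.audit.encrypt_certificate_list_file:
                cert_group = [ ]
                for cert_file in cert_files:
                    content = _read_audit_file(cert_file,
                                               "Error reading audit encryption certificate; file='%s'")
                    if content is not None:
                        cert_group.append(content)
                config.audit.encrypt_certificate_list.append(cert_group)
        except TypeError:
            log(None, CORE_ERROR, 1, "Error iterating encryption certificate file list;")

    if config.audit.encrypt_certificate_list is None and config.audit.encrypt_certificate:
        config.audit.encrypt_certificate_list = [ [ config.audit.encrypt_certificate ] ]

    if config.audit.sign_private_key_file:
        content = _read_audit_file(config.audit.sign_private_key_file,
                                   "Error reading audit signature's private key; file='%s'")
        if content is not None:
            config.audit.sign_private_key = content

    if config.audit.sign_certificate_file:
        content = _read_audit_file(config.audit.sign_certificate_file,
                                   "Error reading audit signature's certificate; file='%s'")
        if content is not None:
            config.audit.sign_certificate = content

    # First KZorp probe: a zone dump, where any negative result is a failure.
    Globals.kzorp_responds_to_ping = False
    if config.options.kzorp_enabled:
        if _ping_kzorp(kznf.nfnetlink.NLM_F_REQUEST | kznf.nfnetlink.NLM_F_DUMP, None, ()):
            Globals.kzorp_responds_to_ping = True

    # Run the per-instance init function(s) of the policy module.  The names
    # come from the instance configuration, so whoever controls it chooses
    # which module-level callables of __main__ are invoked here.
    Globals.instance_name = names[0]
    for instance_name in names:
        try:
            init_func = getattr(__main__, instance_name)
        except AttributeError:
            ## LOG ##
            # This message indicates that the initialization function of
            # the given instance was not found in the policy file.
            ##
            log(None, CORE_ERROR, 0, "Instance definition not found in policy; instance='%s'", (names,))
            return FALSE
        init_func()

    # Second KZorp probe after the policy ran: look up a zone that cannot
    # exist, so -ENOENT proves the module is present and answering.  A
    # positive answer only ever sets the flag; it never clears an earlier one.
    if config.options.kzorp_enabled:
        if _ping_kzorp(kznf.nfnetlink.NLM_F_REQUEST, "__nonexistent_zone__", (-errno.ENOENT,)):
            Globals.kzorp_responds_to_ping = True

    if Globals.kzorp_responds_to_ping:
        try:
            KZorp.downloadKZorpConfig(names[0])
        except Exception:
            # `except Exception` (not bare `except:`) so SystemExit and
            # KeyboardInterrupt are not turned into a FALSE return.
            exc_value, exc_tb = sys.exc_info()[1:]
            ## LOG ##
            # This message indicates that downloading the necessary information to the
            # kernel-level KZorp subsystem has failed.
            ##
            log(None, CORE_ERROR, 0, "Error downloading KZorp configuration, Python traceback follows; error='%s'" % (exc_value))
            _log_traceback(exc_tb, 0)
            # if kzorp did respond to the ping, the configuration is erroneous -- we die here so the user finds out
            return FALSE

    return TRUE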
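def init(names, virtual_name, is_master):
    """
    <function internal="yes">
    <summary> Default init() function provided by Zorp </summary>
    <description>
      This function is a default <function>init()</function> calling the init function identified by the <parameter>name</parameter> argument. This way several Zorp instances can use the same policy file.
    </description>
    <metainfo>
      <attributes>
        <attribute maturity="stable">
          <name>names</name>
          <type></type>
          <description>Names (instance name and also-as names) of this instance.</description>
        </attribute>
        <attribute maturity="stable">
          <name>virtual_name</name>
          <type>string</type>
          <description>
            Virtual instance name of this process. If a Zorp instance is backed by multiple Zorp processes using the same configuration each process has a unique virtual instance name that is used for SZIG communication, PID file creation, etc.
          </description>
        </attribute>
        <attribute>
          <name>is_master</name>
          <type>int</type>
          <description>
            TRUE if Zorp is running in master mode, FALSE for slave processes. Each Zorp instance should have exactly one master process and an arbitrary number of slaves.
          </description>
        </attribute>
      </attributes>
    </metainfo>
    </function>
    """
    # Default init() entry point: record the virtual instance name, load the
    # audit key material, create the rule set, probe KZorp, run the policy's
    # per-instance init function(s), validate the matchers and download the
    # resulting policy into KZorp.
    #
    # Returns:
    #   TRUE on success; FALSE if an instance function is missing from the
    #   policy or downloading the configuration into KZorp failed.
    #
    # NOTE(review): an unavailable KZorp is logged but NOT treated as an
    # error -- init() still returns TRUE and the instance runs without the
    # kernel-level policy.  Likewise an unreadable audit signing key or
    # certificate only produces a CORE_ERROR line; presumably audit records
    # are then written unsigned/unencrypted -- confirm downstream, and
    # consider failing closed where the deployment relies on those properties.
    import __main__
    import SockAddr, Matcher, Rule   # SockAddr is unused here; kept because importing it may have side effects on the policy namespace (confirm before removing)

    def _read_audit_file(path, errmsg):
        # Read the whole file at `path`; on IOError log `errmsg` (a format
        # string taking the path) and return None.  `with` closes the
        # descriptor promptly -- open(...).read() left it to the GC.
        try:
            with open(path, 'r') as fp:
                return fp.read()
        except IOError:
            log(None, CORE_ERROR, 1, errmsg, (path))
            return None

    Globals.virtual_instance_name = virtual_name

    # Miscellaneous initialization: audit key material.  Values are only
    # assigned on a successful read, so a failed read leaves the previous
    # value of the config attribute untouched (as before).
    if config.audit.encrypt_certificate_file:
        content = _read_audit_file(config.audit.encrypt_certificate_file,
                                   "Error reading audit encryption certificate; file='%s'")
        if content is not None:
            config.audit.encrypt_certificate = content

    if config.audit.encrypt_certificate_list_file:
        try:
            config.audit.encrypt_certificate_list = [ ]
            for cert_files in config.audit.encrypt_certificate_list_file:
                cert_group = [ ]
                for cert_file in cert_files:
                    content = _read_audit_file(cert_file,
                                               "Error reading audit encryption certificate; file='%s'")
                    if content is not None:
                        cert_group.append(content)
                config.audit.encrypt_certificate_list.append(cert_group)
        except TypeError:
            log(None, CORE_ERROR, 1, "Error iterating encryption certificate file list;")

    if config.audit.encrypt_certificate_list is None and config.audit.encrypt_certificate:
        config.audit.encrypt_certificate_list = [ [ config.audit.encrypt_certificate ] ]

    if config.audit.sign_private_key_file:
        content = _read_audit_file(config.audit.sign_private_key_file,
                                   "Error reading audit signature's private key; file='%s'")
        if content is not None:
            config.audit.sign_private_key = content

    if config.audit.sign_certificate_file:
        content = _read_audit_file(config.audit.sign_certificate_file,
                                   "Error reading audit signature's certificate; file='%s'")
        if content is not None:
            config.audit.sign_certificate = content

    Globals.rules = Rule.RuleSet()

    # Initialise the flag unconditionally: the download step below reads it
    # even when KZorp is disabled, and the original only assigned it inside
    # the `kzorp_enabled` branch.
    Globals.kzorp_available = False
    if config.options.kzorp_enabled:
        import kzorp.communication
        # "Ping" KZorp by opening a communication handle.  NOTE(review): this
        # only shows a handle could be created, not that the kernel module
        # answers requests; the handle is also dropped without an explicit
        # close -- confirm kzorp.communication.Handle releases its socket on
        # garbage collection.
        try:
            handle = kzorp.communication.Handle()
            Globals.kzorp_available = True
        except Exception:
            # sys.exc_info() replaces the Python-2-only sys.exc_value.
            log(None, CORE_ERROR, 0, "Error pinging KZorp, it is probably unavailable; exc_value='%s'" % (sys.exc_info()[1]))

    # Run the per-instance init function(s) of the policy module.  The names
    # come from the instance configuration, so whoever controls it chooses
    # which module-level callables of __main__ are invoked here.
    Globals.instance_name = names[0]
    for instance_name in names:
        try:
            init_func = getattr(__main__, instance_name)
        except AttributeError:
            ## LOG ##
            # This message indicates that the initialization function of
            # the given instance was not found in the policy file.
            ##
            log(None, CORE_ERROR, 0, "Instance definition not found in policy; instance='%s'", (names,))
            return FALSE
        init_func()

    Matcher.validateMatchers()

    if Globals.kzorp_available:
        import KZorp
        try:
            KZorp.downloadKZorpConfig(names[0], is_master)
        except Exception:
            # `except Exception` (not bare `except:`) so SystemExit and
            # KeyboardInterrupt are not turned into a FALSE return.
            exc_value, exc_tb = sys.exc_info()[1:]
            ## LOG ##
            # This message indicates that downloading the necessary information to the
            # kernel-level KZorp subsystem has failed.
            ##
            log(None, CORE_ERROR, 0, "Error downloading KZorp configuration, Python traceback follows; error='%s'" % (exc_value))
            for frame_text in traceback.format_tb(exc_tb):
                for tb_line in frame_text.split("\n"):
                    if tb_line:
                        log(None, CORE_ERROR, 0, "Traceback: %s" % (tb_line))
            # if kzorp did respond to the ping, the configuration is erroneous -- we die here so the user finds out
            return FALSE

    return TRUE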
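def init(names, virtual_name, is_master):
    """
    <function internal="yes">
    <summary> Default init() function provided by Zorp </summary>
    <description>
      This function is a default <function>init()</function> calling the init function identified by the <parameter>name</parameter> argument. This way several Zorp instances can use the same policy file.
    </description>
    <metainfo>
      <attributes>
        <attribute maturity="stable">
          <name>names</name>
          <type></type>
          <description>Names (instance name and also-as names) of this instance.</description>
        </attribute>
        <attribute maturity="stable">
          <name>virtual_name</name>
          <type>string</type>
          <description>
            Virtual instance name of this process. If a Zorp instance is backed by multiple Zorp processes using the same configuration each process has a unique virtual instance name that is used for SZIG communication, PID file creation, etc.
          </description>
        </attribute>
        <attribute>
          <name>is_master</name>
          <type>int</type>
          <description>
            TRUE if Zorp is running in master mode, FALSE for slave processes. Each Zorp instance should have exactly one master process and an arbitrary number of slaves.
          </description>
        </attribute>
      </attributes>
    </metainfo>
    </function>
    """
    # Default init() entry point: load the audit key material, create the
    # rule set, probe KZorp, run the policy's per-instance init function(s),
    # validate the matchers and download the resulting policy into KZorp.
    #
    # Returns:
    #   TRUE on success; FALSE if an instance function is missing from the
    #   policy or downloading the configuration into KZorp failed.
    #
    # NOTE(review): `virtual_name` is accepted but never stored here
    # (Globals.virtual_instance_name is not assigned) -- confirm it is set
    # elsewhere, otherwise SZIG/PID-file naming for slave processes cannot
    # use it.
    # NOTE(review): an unavailable KZorp is logged but NOT treated as an
    # error -- init() still returns TRUE and the instance runs without the
    # kernel-level policy.  Likewise an unreadable audit signing key or
    # certificate only produces a CORE_ERROR line; presumably audit records
    # are then written unsigned/unencrypted -- confirm downstream, and
    # consider failing closed where the deployment relies on those properties.
    import __main__
    import SockAddr, KZorp, Matcher, Rule   # SockAddr is unused here; kept because importing it may have side effects on the policy namespace (confirm before removing)
    import kzorp.netlink
    import kzorp.kzorp_netlink

    def _read_audit_file(path, errmsg):
        # Read the whole file at `path`; on IOError log `errmsg` (a format
        # string taking the path) and return None.  `with` closes the
        # descriptor promptly -- open(...).read() left it to the GC.
        try:
            with open(path, 'r') as fp:
                return fp.read()
        except IOError:
            log(None, CORE_ERROR, 1, errmsg, (path))
            return None

    # Miscellaneous initialization: audit key material.  Values are only
    # assigned on a successful read, so a failed read leaves the previous
    # value of the config attribute untouched (as before).
    if config.audit.encrypt_certificate_file:
        content = _read_audit_file(config.audit.encrypt_certificate_file,
                                   "Error reading audit encryption certificate; file='%s'")
        if content is not None:
            config.audit.encrypt_certificate = content

    if config.audit.encrypt_certificate_list_file:
        try:
            config.audit.encrypt_certificate_list = [ ]
            for cert_files in config.audit.encrypt_certificate_list_file:
                cert_group = [ ]
                for cert_file in cert_files:
                    content = _read_audit_file(cert_file,
                                               "Error reading audit encryption certificate; file='%s'")
                    if content is not None:
                        cert_group.append(content)
                config.audit.encrypt_certificate_list.append(cert_group)
        except TypeError:
            log(None, CORE_ERROR, 1, "Error iterating encryption certificate file list;")

    if config.audit.encrypt_certificate_list is None and config.audit.encrypt_certificate:
        config.audit.encrypt_certificate_list = [ [ config.audit.encrypt_certificate ] ]

    if config.audit.sign_private_key_file:
        content = _read_audit_file(config.audit.sign_private_key_file,
                                   "Error reading audit signature's private key; file='%s'")
        if content is not None:
            config.audit.sign_private_key = content

    if config.audit.sign_certificate_file:
        content = _read_audit_file(config.audit.sign_certificate_file,
                                   "Error reading audit signature's certificate; file='%s'")
        if content is not None:
            config.audit.sign_certificate = content

    Globals.rules = Rule.RuleSet()

    # Initialise the flag unconditionally: the download step below reads it
    # even when KZorp is disabled, and the original only assigned it inside
    # the `kzorp_enabled` branch.
    Globals.kzorp_available = False
    if config.options.kzorp_enabled:
        # "Ping" KZorp by opening a netlink handle.  NOTE(review): this only
        # shows a handle could be created, not that the kernel module answers
        # requests; the handle is also dropped without an explicit close --
        # confirm kzorp.kzorp_netlink.Handle releases its socket on garbage
        # collection.
        try:
            handle = kzorp.kzorp_netlink.Handle()
            Globals.kzorp_available = True
        except Exception:
            # sys.exc_info() replaces the Python-2-only sys.exc_value.
            log(None, CORE_ERROR, 0, "Error pinging KZorp, it is probably unavailable; exc_value='%s'" % (sys.exc_info()[1]))

    # Run the per-instance init function(s) of the policy module.  The names
    # come from the instance configuration, so whoever controls it chooses
    # which module-level callables of __main__ are invoked here.
    Globals.instance_name = names[0]
    for instance_name in names:
        try:
            init_func = getattr(__main__, instance_name)
        except AttributeError:
            ## LOG ##
            # This message indicates that the initialization function of
            # the given instance was not found in the policy file.
            ##
            log(None, CORE_ERROR, 0, "Instance definition not found in policy; instance='%s'", (names,))
            return FALSE
        init_func()

    Matcher.validateMatchers()

    if Globals.kzorp_available:
        try:
            KZorp.downloadKZorpConfig(names[0], is_master)
        except Exception:
            # `except Exception` (not bare `except:`) so SystemExit and
            # KeyboardInterrupt are not turned into a FALSE return.
            exc_value, exc_tb = sys.exc_info()[1:]
            ## LOG ##
            # This message indicates that downloading the necessary information to the
            # kernel-level KZorp subsystem has failed.
            ##
            log(None, CORE_ERROR, 0, "Error downloading KZorp configuration, Python traceback follows; error='%s'" % (exc_value))
            for frame_text in traceback.format_tb(exc_tb):
                for tb_line in frame_text.split("\n"):
                    if tb_line:
                        log(None, CORE_ERROR, 0, "Traceback: %s" % (tb_line))
            # if kzorp did respond to the ping, the configuration is erroneous -- we die here so the user finds out
            return FALSE

    return TRUE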
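def init(names):
    """
    <function internal="yes">
    <summary> Default init() function provided by Zorp </summary>
    <description>
      This function is a default <function>init()</function> calling the init function identified by the <parameter>name</parameter> argument. This way several Zorp instances can use the same policy file.
    </description>
    <metainfo>
      <attributes>
        <attribute maturity="stable">
          <name>name</name>
          <type></type>
          <description>Name of this instance.</description>
        </attribute>
      </attributes>
    </metainfo>
    </function>
    """
    # Default init() entry point: load the audit key material, probe the
    # kernel-level KZorp module, run the policy's per-instance init
    # function(s) and finally download the resulting policy into KZorp.
    #
    # Args:
    #   names: instance names; names[0] is the primary instance name and
    #          every name must be a callable in the policy module (__main__).
    #
    # Returns:
    #   TRUE on success; FALSE if an instance function is missing from the
    #   policy or downloading the configuration into KZorp failed.
    #
    # NOTE(review): an unavailable KZorp is logged but NOT treated as an
    # error -- init() still returns TRUE and the instance runs without the
    # kernel-level policy.  Likewise an unreadable audit signing key or
    # certificate only produces a CORE_ERROR line; presumably audit records
    # are then written unsigned/unencrypted -- confirm downstream, and
    # consider failing closed where the deployment relies on those properties.
    import __main__
    import SockAddr, KZorp
    import kznf.nfnetlink
    import kznf.kznfnetlink

    def _read_audit_file(path, errmsg):
        # Read the whole file at `path`; on IOError log `errmsg` (a format
        # string taking the path) and return None.  `with` closes the
        # descriptor promptly -- open(...).read() left it to the GC.
        try:
            with open(path, 'r') as fp:
                return fp.read()
        except IOError:
            log(None, CORE_ERROR, 1, errmsg, (path))
            return None

    # Miscellaneous initialization: audit key material.  Values are only
    # assigned on a successful read, so a failed read leaves the previous
    # value of the config attribute untouched (as before).
    if config.audit.encrypt_certificate_file:
        content = _read_audit_file(config.audit.encrypt_certificate_file,
                                   "Error reading audit encryption certificate; file='%s'")
        if content is not None:
            config.audit.encrypt_certificate = content

    if config.audit.encrypt_certificate_list_file:
        try:
            config.audit.encrypt_certificate_list = [ ]
            for cert_files in config.audit.encrypt_certificate_list_file:
                cert_group = [ ]
                for cert_file in cert_files:
                    content = _read_audit_file(cert_file,
                                               "Error reading audit encryption certificate; file='%s'")
                    if content is not None:
                        cert_group.append(content)
                config.audit.encrypt_certificate_list.append(cert_group)
        except TypeError:
            log(None, CORE_ERROR, 1, "Error iterating encryption certificate file list;")

    if config.audit.encrypt_certificate_list is None and config.audit.encrypt_certificate:
        config.audit.encrypt_certificate_list = [ [ config.audit.encrypt_certificate ] ]

    if config.audit.sign_private_key_file:
        content = _read_audit_file(config.audit.sign_private_key_file,
                                   "Error reading audit signature's private key; file='%s'")
        if content is not None:
            config.audit.sign_private_key = content

    if config.audit.sign_certificate_file:
        content = _read_audit_file(config.audit.sign_certificate_file,
                                   "Error reading audit signature's certificate; file='%s'")
        if content is not None:
            config.audit.sign_certificate = content

    # Probe KZorp with a zone dump; any negative result or exception means
    # the module is treated as unavailable.
    Globals.kzorp_responds_to_ping = False
    if config.options.kzorp_enabled:
        try:
            handle = KZorp.openHandle()
            msg = handle.create_message(kznf.nfnetlink.NFNL_SUBSYS_KZORP,
                                        kznf.kznfnetlink.KZNL_MSG_GET_ZONE,
                                        kznf.nfnetlink.NLM_F_REQUEST | kznf.nfnetlink.NLM_F_DUMP)
            msg.set_nfmessage(kznf.kznfnetlink.create_get_zone_msg(None))
            result = handle.talk(msg, (0, 0), KZorp.netlinkmsg_handler)
        except Exception:
            # sys.exc_info() replaces the Python-2-only sys.exc_value.
            log(None, CORE_ERROR, 0, "Error pinging KZorp, it is probably unavailable; exc_value='%s'" % (sys.exc_info()[1]))
        else:
            if result < 0:
                log(None, CORE_ERROR, 0, "Error pinging KZorp, it is probably unavailable; result='%d'" % (result))
            else:
                Globals.kzorp_responds_to_ping = True

    # Run the per-instance init function(s) of the policy module.  The names
    # come from the instance configuration, so whoever controls it chooses
    # which module-level callables of __main__ are invoked here.
    Globals.instance_name = names[0]
    for instance_name in names:
        try:
            init_func = getattr(__main__, instance_name)
        except AttributeError:
            ## LOG ##
            # This message indicates that the initialization function of
            # the given instance was not found in the policy file.
            ##
            log(None, CORE_ERROR, 0, "Instance definition not found in policy; instance='%s'", (names,))
            return FALSE
        init_func()

    if Globals.kzorp_responds_to_ping:
        try:
            KZorp.downloadKZorpConfig(names[0])
        except Exception:
            # `except Exception` (not bare `except:`) so SystemExit and
            # KeyboardInterrupt are not turned into a FALSE return.
            exc_value, exc_tb = sys.exc_info()[1:]
            ## LOG ##
            # This message indicates that downloading the necessary information to the
            # kernel-level KZorp subsystem has failed.
            ##
            log(None, CORE_ERROR, 0, "Error downloading KZorp configuration, Python traceback follows; error='%s'" % (exc_value))
            for frame_text in traceback.format_tb(exc_tb):
                for tb_line in frame_text.split("\n"):
                    if tb_line:
                        log(None, CORE_ERROR, 0, "Traceback: %s" % (tb_line))
            # if kzorp did respond to the ping, the configuration is erroneous -- we die here so the user finds out
            return FALSE

    return TRUE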