Merge branch 'core3-firewall2'

QubesOS · Jul 4, 2017 · 3748eb3 · 3748eb3
2 parents f83c516 + 2abdbc4
commit 3748eb3
Show file tree

Hide file tree

Showing 6 changed files with 358 additions and 79 deletions.
diff --git a/qubes/__init__.py b/qubes/__init__.py
@@ -331,11 +331,12 @@ def sanitize(self, *, untrusted_newvalue):
         # do not treat type='str' as sufficient validation
         if self.type is not None and self.type is not str:
             # assume specific type will preform enough validation
+            try:
+                untrusted_newvalue = untrusted_newvalue.decode('ascii',
+                    errors='strict')
+            except UnicodeDecodeError:
+                raise qubes.exc.QubesValueError
             if self.type is bool:
-                try:
-                    untrusted_newvalue = untrusted_newvalue.decode('ascii')
-                except UnicodeDecodeError:
-                    raise qubes.exc.QubesValueError
                 return self.bool(None, None, untrusted_newvalue)
             else:
                 try:

diff --git a/qubes/api/admin.py b/qubes/api/admin.py
@@ -30,6 +30,7 @@
 
 import qubes.api
 import qubes.devices
+import qubes.firewall
 import qubes.storage
 import qubes.utils
 import qubes.vm
@@ -992,3 +993,38 @@ def vm_device_detach(self, endpoint):
             dev.backend_domain, dev.ident)
         self.dest.devices[devclass].detach(assignment)
         self.app.save()
+
+    @qubes.api.method('admin.vm.firewall.Get', no_payload=True)
+    @asyncio.coroutine
+    def vm_firewall_get(self):
+        assert not self.arg
+
+        self.fire_event_for_permission()
+
+        return ''.join('{}\n'.format(rule.api_rule)
+            for rule in self.dest.firewall.rules)
+
+    @qubes.api.method('admin.vm.firewall.Set')
+    @asyncio.coroutine
+    def vm_firewall_set(self, untrusted_payload):
+        assert not self.arg
+        rules = []
+        for untrusted_line in untrusted_payload.decode('ascii',
+                errors='strict').splitlines():
+            rule = qubes.firewall.Rule.from_api_string(
+                untrusted_rule=untrusted_line)
+            rules.append(rule)
+
+        self.fire_event_for_permission(rules=rules)
+
+        self.dest.firewall.rules = rules
+        self.dest.firewall.save()
+
+    @qubes.api.method('admin.vm.firewall.Reload', no_payload=True)
+    @asyncio.coroutine
+    def vm_firewall_reload(self):
+        assert not self.arg
+
+        self.fire_event_for_permission()
+
+        self.dest.fire_event('firewall-changed')