1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
|
#!/usr/bin/env python3
#
# Copyright (C) 2012-2019 Red Hat, Inc.
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library. If not, see
# <http://www.gnu.org/licenses/>.
#
import re
import sys
objects = [
"CONNECT", "DOMAIN", "INTERFACE", "NETWORK_PORT",
"NETWORK", "NODE_DEVICE", "NWFILTER_BINDING",
"NWFILTER", "SECRET", "STORAGE_POOL", "STORAGE_VOL",
]
objectstr = "|".join(objects)
# Data we're going to be generating looks like this
#
# <policyconfig>
# <action id="org.libvirt.unix.monitor">
# <description>Monitor local virtualized systems</description>
# <message>System policy prevents monitoring of
# local virtualized systems</message>
# <defaults>
# <allow_any>yes</allow_any>
# <allow_inactive>yes</allow_inactive>
# <allow_active>yes</allow_active>
# </defaults>
# </action>
# ...more <action> rules...
# </policyconfig>
opts = {}
in_opts = False
perms = {}
aclfile = sys.argv[1]
with open(aclfile, "r") as fh:
for line in fh:
if in_opts:
if "*/" in line:
in_opts = False
else:
m = re.search(r'''\*\s*\@(\w+):\s*(.*?)\s*$''', line)
if m is not None:
opts[m.group(1)] = m.group(2)
elif "**" in line:
in_opts = True
else:
m = re.search(r'''VIR_ACCESS_PERM_(%s)_((?:\w|_)+),''' %
objectstr, line)
if m is not None:
obj = m.group(1).lower()
perm = m.group(2).lower()
if perm == "last":
continue
obj = obj.replace("_", "-")
perm = perm.replace("_", "-")
if obj not in perms:
perms[obj] = {}
perms[obj][perm] = {
"desc": opts.get("desc", None),
"message": opts.get("message", None),
"anonymous": opts.get("anonymous", None),
}
opts = {}
print('<?xml version="1.0" encoding="UTF-8"?>')
print('<!DOCTYPE policyconfig PUBLIC ' +
'"-//freedesktop//DTD polkit Policy Configuration 1.0//EN"')
print(' "http://www.freedesktop.org/software/polkit/policyconfig-1.dtd">')
print('<policyconfig>')
print(' <vendor>Libvirt Project</vendor>')
print(' <vendor_url>https://libvirt.org</vendor_url>')
for obj in sorted(perms.keys()):
for perm in sorted(perms[obj].keys()):
description = perms[obj][perm]["desc"]
message = perms[obj][perm]["message"]
anonymous = perms[obj][perm]["anonymous"]
if description is None:
raise Exception("missing description for %s.%s" % (obj, perm))
if message is None:
raise Exception("missing message for %s.%s" % (obj, perm))
allow_any = "no"
if anonymous:
allow_any = "yes"
allow_inactive = allow_any
allow_active = allow_any
print(' <action id="org.libvirt.api.%s.%s">' % (obj, perm))
print(' <description>%s</description>' % description)
print(' <message>%s</message>' % message)
print(' <defaults>')
print(' <allow_any>%s</allow_any>' % allow_any)
print(' <allow_inactive>%s</allow_inactive>' % allow_inactive)
print(' <allow_active>%s</allow_active>' % allow_active)
print(' </defaults>')
print(' </action>')
print('</policyconfig>')
|
