2019-12-04 00:29:12 +08:00
|
|
|
#!/usr/bin/env python3
|
2019-08-30 20:22:54 +08:00
|
|
|
#
|
|
|
|
# Copyright (C) 2012-2019 Red Hat, Inc.
|
|
|
|
#
|
|
|
|
# This library is free software; you can redistribute it and/or
|
|
|
|
# modify it under the terms of the GNU Lesser General Public
|
|
|
|
# License as published by the Free Software Foundation; either
|
|
|
|
# version 2.1 of the License, or (at your option) any later version.
|
|
|
|
#
|
|
|
|
# This library is distributed in the hope that it will be useful,
|
|
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
# Lesser General Public License for more details.
|
|
|
|
#
|
|
|
|
# You should have received a copy of the GNU Lesser General Public
|
|
|
|
# License along with this library. If not, see
|
|
|
|
# <http://www.gnu.org/licenses/>.
|
|
|
|
#
|
|
|
|
|
|
|
|
import re
|
|
|
|
import sys
|
|
|
|
|
|
|
|
objects = [
|
|
|
|
"CONNECT", "DOMAIN", "INTERFACE", "NETWORK_PORT",
|
|
|
|
"NETWORK", "NODE_DEVICE", "NWFILTER_BINDING",
|
|
|
|
"NWFILTER", "SECRET", "STORAGE_POOL", "STORAGE_VOL",
|
|
|
|
]
|
|
|
|
|
|
|
|
objectstr = "|".join(objects)
|
|
|
|
|
|
|
|
# Data we're going to be generating looks like this
|
|
|
|
#
|
|
|
|
# <policyconfig>
|
|
|
|
# <action id="org.libvirt.unix.monitor">
|
|
|
|
# <description>Monitor local virtualized systems</description>
|
|
|
|
# <message>System policy prevents monitoring of
|
|
|
|
# local virtualized systems</message>
|
|
|
|
# <defaults>
|
|
|
|
# <allow_any>yes</allow_any>
|
|
|
|
# <allow_inactive>yes</allow_inactive>
|
|
|
|
# <allow_active>yes</allow_active>
|
|
|
|
# </defaults>
|
|
|
|
# </action>
|
|
|
|
# ...more <action> rules...
|
|
|
|
# </policyconfig>
|
|
|
|
|
|
|
|
opts = {}
|
|
|
|
in_opts = False
|
|
|
|
|
|
|
|
perms = {}
|
|
|
|
|
|
|
|
aclfile = sys.argv[1]
|
|
|
|
with open(aclfile, "r") as fh:
|
|
|
|
for line in fh:
|
|
|
|
if in_opts:
|
2019-11-21 03:10:13 +08:00
|
|
|
if "*/" in line:
|
2019-08-30 20:22:54 +08:00
|
|
|
in_opts = False
|
|
|
|
else:
|
|
|
|
m = re.search(r'''\*\s*\@(\w+):\s*(.*?)\s*$''', line)
|
|
|
|
if m is not None:
|
|
|
|
opts[m.group(1)] = m.group(2)
|
2019-11-21 03:10:13 +08:00
|
|
|
elif "**" in line:
|
2019-08-30 20:22:54 +08:00
|
|
|
in_opts = True
|
|
|
|
else:
|
|
|
|
m = re.search(r'''VIR_ACCESS_PERM_(%s)_((?:\w|_)+),''' %
|
|
|
|
objectstr, line)
|
|
|
|
if m is not None:
|
|
|
|
obj = m.group(1).lower()
|
|
|
|
perm = m.group(2).lower()
|
|
|
|
if perm == "last":
|
|
|
|
continue
|
|
|
|
|
|
|
|
obj = obj.replace("_", "-")
|
|
|
|
perm = perm.replace("_", "-")
|
|
|
|
|
|
|
|
if obj not in perms:
|
|
|
|
perms[obj] = {}
|
|
|
|
perms[obj][perm] = {
|
|
|
|
"desc": opts.get("desc", None),
|
|
|
|
"message": opts.get("message", None),
|
|
|
|
"anonymous": opts.get("anonymous", None),
|
|
|
|
}
|
|
|
|
opts = {}
|
|
|
|
|
|
|
|
print('<?xml version="1.0" encoding="UTF-8"?>')
|
|
|
|
print('<!DOCTYPE policyconfig PUBLIC ' +
|
|
|
|
'"-//freedesktop//DTD polkit Policy Configuration 1.0//EN"')
|
|
|
|
print(' "http://www.freedesktop.org/software/polkit/policyconfig-1.dtd">')
|
|
|
|
print('<policyconfig>')
|
|
|
|
print(' <vendor>Libvirt Project</vendor>')
|
|
|
|
print(' <vendor_url>https://libvirt.org</vendor_url>')
|
|
|
|
|
|
|
|
for obj in sorted(perms.keys()):
|
|
|
|
for perm in sorted(perms[obj].keys()):
|
|
|
|
description = perms[obj][perm]["desc"]
|
|
|
|
message = perms[obj][perm]["message"]
|
|
|
|
anonymous = perms[obj][perm]["anonymous"]
|
|
|
|
|
|
|
|
if description is None:
|
|
|
|
raise Exception("missing description for %s.%s" % (obj, perm))
|
|
|
|
if message is None:
|
|
|
|
raise Exception("missing message for %s.%s" % (obj, perm))
|
|
|
|
|
|
|
|
allow_any = "no"
|
|
|
|
if anonymous:
|
|
|
|
allow_any = "yes"
|
|
|
|
allow_inactive = allow_any
|
|
|
|
allow_active = allow_any
|
|
|
|
|
|
|
|
print(' <action id="org.libvirt.api.%s.%s">' % (obj, perm))
|
|
|
|
print(' <description>%s</description>' % description)
|
|
|
|
print(' <message>%s</message>' % message)
|
|
|
|
print(' <defaults>')
|
|
|
|
print(' <allow_any>%s</allow_any>' % allow_any)
|
|
|
|
print(' <allow_inactive>%s</allow_inactive>' % allow_inactive)
|
|
|
|
print(' <allow_active>%s</allow_active>' % allow_active)
|
|
|
|
print(' </defaults>')
|
|
|
|
print(' </action>')
|
|
|
|
|
|
|
|
print('</policyconfig>')
|