a iÙf¹7ã@s*ddlZddlZddlZddlZddlZddlZddlZddlmZm Z ddl Z ddl Z ddl Z dd„e_ dZdZdZdZdadadadadadad d „Zd*d d „Zd d„Zdd„Zdd„Zdd„Zdd„Zdd„Zdd„Z dd„Z!d+dd„Z"Gd d!„d!ƒZ#d"d#„Z$d,d%d&„Z%d'd(„Z&e'd)kr&e&ƒdS)-éN)ÚmkdtempÚmkstempcOs2|j›dt|ƒdd… ¡t|ƒdd…›dS)Nz: éÚ )Ú__name__ÚstrÚupper)ÚmsgÚcategoryZ _unused_aZ _unused_kwa©r ú;/usr/share/crypto-policies/python/update-crypto-policies.pyÚsr z/usr/share/crypto-policiesz/etc/crypto-policieszreload-cmds.shz/proc/sys/crypto/fips_enabledcOst|dtji|¤ŽdS)NÚfile)ÚprintÚsysÚstderr)ÚargsÚkwargsr r r Úeprint&srcCs¦ztjdattj_Wnty,taYn0|dur<|an.ztjdattj_ Wntyht aYn0tj   td¡a tj   td¡atj   td¡atj   tt¡adS)NÚ profile_dirÚbase_dirzlocal.dz back-endsÚstate)ÚosÚenvironrÚcryptopoliciesÚUnscopedCryptoPolicyZ SHARE_DIRÚKeyErrorÚDEFAULT_PROFILE_DIRrZ CONFIG_DIRÚDEFAULT_BASE_DIRÚpathÚjoinÚ local_dirÚbackend_config_dirÚ state_dirÚRELOAD_CMD_NAMEÚreload_cmd_path©Úalt_baser r r Ú dir_paths*s         r(cCs@t ¡}t |¡t d¡}dd„|Dƒ}t|ƒ}t |¡|S)NÚ.css&|]\}}}|t|ƒt|ƒfVqdS©N)Úsorted)Ú.0ÚrootÚdirsÚfilesr r r Ú Pózget_walk..)rÚgetcwdÚchdirÚwalkr+)rZold_cwdr4r r r Úget_walkIs   r5cCs‚tjdd}| ¡}|jdddddd|jd d d d |jd d dd |jdd dd |jdd tjd |jdd dd | ¡S)zParse the command lineF)Ú allow_abbrevz--setú?ÚZPOLICYzset the policy POLICY)ÚnargsÚdefaultÚmetavarÚhelpz--showÚ store_truez.show the current policy from the configuration)Úactionr<z --is-appliedz+check whether the current policy is appliedz--checkzAcheck whether the generated policy files match the current policyz --no-checkz --no-reloadz3do not run the reload scripts when setting a policy)ÚargparseÚArgumentParserÚadd_mutually_exclusive_groupÚ add_argumentÚSUPPRESSÚ parse_args)ÚparserÚgroupr r r rDVs*  ÿÿÿÿÿÿrDcCs~z0t tj td¡¡j}t tj td¡¡j}WntyLt  d¡Yn0||krht dƒt  d¡t dƒt  d¡dS)NÚcurrentÚconfigéMz The configured policy is appliedrz$The configured policy is NOT appliedr) rÚstatrr r#Úst_mtimerÚOSErrorrÚexitr)Ztime1Ztime2r r r Ú is_appliedks  rNc CsØt}t}t}t}tƒ}t|dtj|tdtjt j   |d¡t j   td¡dt ƒt ƒ}t|dddt|ƒ}ttƒ}t|ƒ}ttƒ} d} ||kršd} || kr¦d} |t|f} |t| f} | | fD]Ú\} }}|D]Ê\}}}|D]º}| rêqÐt j   | ||¡}t j   |||¡}t|dƒr}t|dƒF}| sX| d¡}| d¡}||krJd} |s"qXq"Wdƒn1sn0YWdƒqÞ1sŽ0YqÞqÐqÂt |¡| rÂtd ƒt d ¡ntd ƒt d ¡dS) Nr&)ÚsrcÚdstrHF)Ú print_enabledÚallow_symlinkingTÚrbi z9The configured policy does NOT match the generated policyrz2The configured policy matches the generated policyr)rr!r"r#rr(ÚshutilÚcopytreeÚcopyrrr Úsetup_directoriesÚ parse_pconfigÚ apply_policyr5ÚopenÚreadÚrmtreerrrMr)Z orig_base_dirZorig_local_dirZorig_backend_config_dirZorig_state_dirr'ÚpconfigZwalk_orig_backendZ walk_backendZwalk_orig_stateZ walk_stateÚerrZ_backendÚ_stateZ orig_prefixZ tmp_prefixr4ÚdÚ_ZflÚfZf_origZf_tmpÚfp1Úfp2Úb1Úb2r r r ÚcheckysZ  ÿ     N  rgcCs<z$tjtdddtjtdddWnty6Yn0dS)NiíT)ÚmodeÚexist_ok)rÚmakedirsr"r#rLr r r r rW³s  rWcCs\zBttdd"}t| ¡ƒdkWdƒWS1s60YWntyVYdS0dS)NÚascii©ÚencodingrF)rZÚFIPS_MODE_FLAGÚintr[rL)rbr r r Ú fips_mode»s 4 rpc Csœt||d\}}t |t|dƒ¡t |¡t |d¡zRzt |tj ||¡¡Wn(t y|t  |¡t  |¡‚Yn0Wt  |¡n t  |¡0dS)N©ÚprefixÚdirúutf-8i¤) rrÚwriteÚbytesÚfsyncÚfchmodÚrenamerr rLÚunlinkÚclose)Ú directoryÚfilenameÚcontentsÚfdrr r r Ú safe_writeÃs      r€cCsnt||d\}}t |¡t |¡t ||¡zt |tj ||¡¡Wntyht |¡‚Yn0dS)Nrq) rrr{rzÚsymlinkryrr rL)r|r}Útargetrrr r r Ú safe_symlinkÒs     rƒFc Csøtj ||d¡}tt |¡ƒ} d} | D]} tj | ¡r(d} qBq(tj |t|ƒ|d¡} t | tj¡} | sˆ| rˆ|rˆt ||d| ƒdS| rÊ|j sÊ|rÊt | dd}|  ¡}Wdƒn1sÀ0Yt ||d|ƒ| rôtj ||d¡}zÜt |ddd¸}| D]¢} z:t | dd}|  ¡}Wdƒn1s:0YWn(tyntd | ›ƒYqYn0z| |¡Wn(ty¦td | ›d |›ƒYn0qWdƒn1sÂ0YWn$tyòtd |›d ƒYn0dS)Nz -*.configFTz.txtz.configrtrlÚazCannot read local policy file z$Error appending local configuration z to zError opening configuration z" for appending local configuration)rrr r+ÚglobÚexistsrÚaccessÚR_OKrƒÚ subpoliciesrZr[r€rLrru)r]ZcfgnameZcfgdataZcfgdirZlocaldirZ profiledirÚpolicy_was_emptyrRZlocal_cfg_pathZ local_cfgsZlocal_cfg_presentZlcfgZ profilepathZprofilepath_existsZf_preZcfgfileÚcfZlfZ local_datar r r Ú save_configßsJ  &, ÿÿ6rŒc@s>eZdZdd„Zddd„Zdd„Zdd „Zd d „Zd d „ZdS)Ú ProfileConfigcCsd|_g|_dS)Nr8)Úpolicyr‰©Úselfr r r Ú__init__szProfileConfig.__init__Fcs^| ¡ d¡‰ˆdr0|s0ˆd|_ˆdd…‰‡fdd„ˆDƒ‰|rT|j ˆ¡nˆ|_dS)Nú:rrcsg|] }ˆr|‘qSr r ©r,Úi©Úlr r Ú r1z.ProfileConfig.parse_string..)rÚsplitrŽr‰Úextend)rÚsÚ subpolicyr r•r Ú parse_strings   zProfileConfig.parse_stringcCsjd}t|ddF}|D]0}| dd¡d}| ¡}|r| ||¡d}qWdƒn1s\0YdS)NFrtrlú#rrT)rZr˜Ústriprœ)rr}r›rbÚliner r r Ú parse_file"s zProfileConfig.parse_filecs(| ¡ d¡‰‡fdd„|jDƒ|_dS)Nr’csg|]}|ˆvr|‘qSr r r“r•r r r—.r1z4ProfileConfig.remove_subpolicies..)rr˜r‰)rršr r•r Úremove_subpolicies,sz ProfileConfig.remove_subpoliciescCs&|j}d |j¡}|r"|d|}|S)Nr’)rŽr r‰)rršZsubsr r r Ú__str__0s   zProfileConfig.__str__cCstt|ƒƒdSr*)rrrr r r Úshow7szProfileConfig.showN)F) rÚ __module__Ú __qualname__r‘rœr r¡r¢r£r r r r rs   rcCsXtƒ}tj td¡}t |tj¡r.| |¡n&tƒr@|  d¡n| tj t d¡¡|S)NrHÚFIPSzdefault-config) rrrr rr‡rˆr rprœr)r]Z configfiler r r rX;s  rXTc Csôd}d}|rˆ|j}| |¡d}tj d¡}|j|krˆ|rˆ|jdkrb|sˆtdƒtdƒtdƒn&tƒrˆtd ƒtd ƒtd ƒtd ƒttkr®t  ¡dkr®td ƒt   d¡zt j |jg|j¢RŽ}Wn|t jjy} zt| ƒt   d¡WYd} ~ nJd} ~ 0t jjyD} z$td| ›ƒt   d¡WYd} ~ n d} ~ 00|r\tdt|ƒƒdd„ttƒDƒ} | D]®} tj| } | ƒ} z|  | | j¡¡}Wn.tyÊtd| jƒtdƒd}Yn0z"t|| j|ttt|  ¡|dWn.t!ytd| jƒtdƒd}Yn0qr|rbzt"tdt|ƒdƒWn t!y`tdƒd}Yn0zt"t#dt|ƒdƒWn t!yštdƒd}Yn0zt"t#dt|ƒƒWn t!yÐtdƒd}Yn0|rðtd ƒtd!ƒtd"ƒ|S)#NrFTz/usr/bin/bootcr¦zHWarning: Using 'update-crypto-policies --set FIPS' is not sufficient forz FIPS compliance.z8 Use 'fips-mode-setup --enable' command instead.zOWarning: Using 'update-crypto-policies --set' in FIPS mode will make the systemz! non-compliant with FIPS.z8 It can also break the ssh access to the system.zI Use 'fips-mode-setup --disable' to disable the system FIPS mode.z/You must be root to run update-crypto-policies.rz%Errors found in policy, first one: zSetting system policy to cSsg|]}d|vr|‘qS)Ú Generatorr )r,Úgr r r r—wr1z apply_policy..zError generating config for zKeeping original configuration)rŠrRzError saving config for rHrz.Error setting the current policy configurationérGz$Error updating current policy markeréz CURRENT.polz"Error updating current policy dumpzFNote: System-wide crypto policies are applied on application start-up.zBIt is recommended to restart the system for the change of policieszto fully take place.)$rŽrœrrr†rrprrÚgeteuidrrMrrr‰Z validationZPolicyFileNotFoundErrorZPolicySyntaxErrorrrrsÚpolicygeneratorsÚ__dict__Zgenerate_configZscopedZSCOPESÚ LookupErrorZ CONFIG_NAMErŒr"r!rZis_emptyrLr€r#)r]ÚprofilerQrRr^Z set_configZ oldpolicyZbootcZcpÚexÚ generatorsr¨ÚclsÚgenrHr r r rYIs”      ÿ     ý    rYcCsŽtƒtƒ}|jr"tƒt d¡|jr8tƒt d¡tƒtƒ}|jr\| ¡t d¡|j }t ||ƒ}|j s€t   dtg¡t |¡dS)z!The actual command implementationrz /bin/bashN)r(rDrNrrMrgrWrXr£ÚsetrYZ no_reloadÚ subprocessÚcallr%)Zcmdliner]r¯r^r r r Úmainªs$    r·Ú__main__)N)F)NTT)(r?r…rrTrµrÚwarningsZtempfilerrrZcryptopolicies.validationr¬Ú formatwarningrrr$rnrrr!r"r#r%rr(r5rDrNrgrWrpr€rƒrŒrrXrYr·rr r r r ÚsR   :ÿ 3)ÿ a!