dbfdg 3 ."d$!@spddlZddlZddlZddlZddlmZddlZddlZddlZddl Zddl Z dde_ dZ dZ dZdZd d Zyejd Zeej_Wnek re ZYnXyejd Zeej_Wnek re ZYnXejjed ZejjedZejjedZejjeeZddZddZddZ ddZ!ddZ"ddZ#ddZ$GdddZ%d d!Z&e'd"krle&dS)#N)mkstempcOs|jdt|jdS)Nz:  )__name__str capitalize)msgcategoryaZkwar <./usr/share/crypto-policies/python/update-crypto-policies.pysr z/usr/share/crypto-policiesz/etc/crypto-policieszreload-cmds.shz/proc/sys/crypto/fips_enabledcOst|dtji|dS)Nfile)printsysstderr)argskwargsr r r eprint sr profile_dirbase_dirzlocal.dz back-endsstatecCsrtjdd}|j}|jdddddd|jd d d d |jd d dd |jdd tjd |jdd dd |jS)zParse the command lineF)Z allow_abbrevz--set?ZPOLICYzset the policy POLICY)nargsdefaultmetavarhelpz--show store_truez.show the current policy from the configuration)actionrz --is-appliedz+check whether the current policy is appliedz --no-checkz --no-reloadz3do not run the reload scripts when setting a policy)argparseArgumentParserZadd_mutually_exclusive_group add_argumentZSUPPRESS parse_args)parsergroupr r r r"8s   r"c Csy0tjtjjtdj}tjtjjtdj}Wntk rNtj dYnX||krjt dtj dt dtj ddS)NcurrentconfigMz The configured policy is appliedrz$The configured policy is NOT applied) osstatpathjoin state_dirst_mtimerOSErrorrexitr)Ztime1Ztime2r r r is_appliedIs r1c Cs2ytjttjtWntk r,YnXdS)N)r)makedirsbackend_config_dirr-r/r r r r setup_directoriesWs  r4cCs>y$tt}t|jdkSQRXWntk r8dSXdS)NrF)openFIPS_MODE_FLAGintreadr/)fr r r fips_mode_s  r:cCst||d\}}tj|t|dtj|tj|dzZytj|tjj||Wn:t k r}ztj |tj ||WYdd}~XnXWdtj |XdS)N)prefixdirzutf-8i) rr)writebytesfsyncfchmodrenamer+r,r/unlinkclose) directoryfilenamecontentsfdr+er r r safe_writegs    rIcCst||d\}}tj|tj|tj||ytj|tjj||Wn0tk rz}ztj||WYdd}~XnXdS)N)r;r<) rr)rCrBsymlinkrAr+r,r/)rDrEtargetrGr+rHr r r safe_symlinkvs    rLc$Cs|tjj||d}ttj|}d} x|D]} tjj| r*d} q*Wtjj|t||d} tj| tj} | r| rt ||d| dS| r|j r|rt | } | j }WdQRXt ||d|| rxtjj||d}x|D]} y"t | d}|j }WdQRXWn$tk r*td|wYnXy$t |d}|j|WdQRXWqtk rrtd |YqXqWdS) Nz -*.configFTz.txtz.configrzCannot read local policy file r z&Error applying local configuration to )r)r+r,sortedglobexistsraccessR_OKrL subpoliciesr5r8rIr/rr=)pconfigZcfgnameZcfgdataZcfgdirZlocaldirZ profiledirpolicy_was_emptyZlocal_cfg_pathZ local_cfgsZlocal_cfg_presentZlcfgZ profilepathZprofilepath_existsZf_preZcfgfileZlfZ local_dataZcfr r r save_configs:        rVc@s>eZdZddZdddZddZdd Zd d Zd d ZdS) ProfileConfigcCsd|_g|_dS)Nr)policyrS)selfr r r __init__szProfileConfig.__init__Fcs`|jjddr2| r2d|_ddfddD|rV|jjn|_dS)N:rr(csg|] }r|qSr r ).0i)lr r sz.ProfileConfig.parse_string..)uppersplitrXrSappend)rYs subpolicyr )r^r parse_strings  zProfileConfig.parse_stringc CsVd}t|@}x8|D]0}|jddd}|j}|r|j||d}qWWdQRXdS)NF#r(rT)r5rastripre)rYrErdr9liner r r parse_files   zProfileConfig.parse_filecs(|jjdfdd|jD|_dS)Nr[csg|]}|kr|qSr r )r\r])r^r r r_sz4ProfileConfig.remove_subpolicies..)r`rarS)rYrcr )r^r remove_subpoliciessz ProfileConfig.remove_subpoliciescCs&|j}dj|j}|r"|d|}|S)Nr[)rXr,rS)rYrcZsubsr r r __str__s   zProfileConfig.__str__cCstt|dS)N)rr)rYr r r showszProfileConfig.showN)F) r __module__ __qualname__rZrerirjrkrlr r r r rWs   rWc)Cst}|jrttjdd}tt}d}tjjt d}tj |tj rX|j |n&t rj|jdn|j tjjtd|jr|jtjd|j}|r|j}|j|d}|j|kr|jdkrtdtdtd n(t rtd td td td t tkr8tjdks8tdtjdytj|jf|j}Wnxtjjk r}zt|tjdWYdd}~Xn@tjjk r}ztd|tjdWYdd}~XnXtdt|ddttD} x| D]} tj | } | } y| j!|j"| j#} Wn0t$k rLtd| j%tdd}YnXy t&|| j%| t't(t|j)dWn0t*k rtd| j%tdd}YnXqW|ryt+t dt|dWn"t*k rtdd}YnXyt+t,dt|dWn"t*k r"tdd}YnXyt+t,dt|Wn"t*k rZtd d}YnXtd!td"td#|j-st.j/d$t0gtj|dS)%z!The actual command implementationrFr&ZFIPSzdefault-configTzHWarning: Using 'update-crypto-policies --set FIPS' is not sufficient forz FIPS compliance.z8 Use 'fips-mode-setup --enable' command instead.zOWarning: Using 'update-crypto-policies --set' in FIPS mode will make the systemz! non-compliant with FIPS.z8 It can also break the ssh access to the system.zI Use 'fips-mode-setup --disable' to disable the system FIPS mode.z/You must be root to run update-crypto-policies.r(Nz%Errors found in policy, first one: zSetting system policy to cSsg|]}d|kr|qS) Generatorr )r\gr r r r_szmain..zError generating config for zKeeping original configuration)rUzError saving config for rz.Error setting the current policy configurationr%z$Error updating current policy markerz CURRENT.polz"Error updating current policy dumpzFNote: System-wide crypto policies are applied on application start-up.zBIt is recommended to restart the system for the change of policieszto fully take place.z /bin/bash)1r"r1rr0r4rWr)r+r,rrQrRrir:rerrlsetrXrDEFAULT_BASE_DIRgeteuidcryptopoliciesUnscopedCryptoPolicyrSZ validationZPolicyFileNotFoundErrorZPolicySyntaxErrorrrr<policygenerators__dict__Zgenerate_configZscopedZSCOPES LookupErrorZ CONFIG_NAMErVr3 local_dirZis_emptyr/rIr-Z no_reload subprocessZcallreload_cmd_path)ZcmdlineerrrTZ set_configZ configfileZprofileZ oldpolicyZcpexZ generatorsrpclsgenr&r r r mains                  r__main__)(rrr)r|ZtempfilerrOwarningsrvZcryptopolicies.validationrx formatwarningZDEFAULT_PROFILE_DIRrtZRELOAD_CMD_NAMEr6renvironrrwZ SHARE_DIRKeyErrorrZ CONFIG_DIRr+r,r{r3r-r}r"r1r4r:rIrLrVrWrrr r r r sP         +)s