Current File : //kunden/usr/share/crypto-policies/python/__pycache__/update-crypto-policies.cpython-39.pyc
a

�
�g�7�@s*ddlZddlZddlZddlZddlZddlZddlZddlmZm	Z	ddl
Z
ddlZ
ddlZdd�e_
dZdZdZdZdadadadadadad	d
�Zd*dd�Zd
d�Zdd�Zdd�Zdd�Zdd�Zdd�Zdd�Z dd�Z!d+dd�Z"Gd d!�d!�Z#d"d#�Z$d,d%d&�Z%d'd(�Z&e'd)k�r&e&�dS)-�N)�mkdtemp�mkstempcOs2|j�dt|�dd���t|�dd��d�S)Nz: ��
)�__name__�str�upper)�msg�categoryZ	_unused_aZ_unused_kwa�r�;/usr/share/crypto-policies/python/update-crypto-policies.py�<lambda>sr
z/usr/share/crypto-policiesz/etc/crypto-policieszreload-cmds.shz/proc/sys/crypto/fips_enabledcOst|dtji|��dS)N�file)�print�sys�stderr)�args�kwargsrrr�eprint&srcCs�ztjdattj_Wnty,taYn0|dur<|an.ztjdattj_	Wntyht
aYn0tj�td�a
tj�td�atj�td�atj�tt�adS)N�profile_dir�base_dirzlocal.dz	back-ends�state)�os�environr�cryptopolicies�UnscopedCryptoPolicyZ	SHARE_DIR�KeyError�DEFAULT_PROFILE_DIRrZ
CONFIG_DIR�DEFAULT_BASE_DIR�path�join�	local_dir�backend_config_dir�	state_dir�RELOAD_CMD_NAME�reload_cmd_path��alt_baserrr�	dir_paths*s 	



r(cCs@t��}t�|�t�d�}dd�|D�}t|�}t�|�|S)N�.css&|]\}}}|t|�t|�fVqdS�N)�sorted)�.0�root�dirs�filesrrr�	<genexpr>P�zget_walk.<locals>.<genexpr>)r�getcwd�chdir�walkr+)rZold_cwdr4rrr�get_walkIs


r5cCs�tjdd�}|��}|jdddddd�|jd	d
dd�|jd
d
dd�|jdd
dd�|jdd
tjd�|jdd
dd�|��S)zParse the command lineF)�allow_abbrevz--set�?�ZPOLICYzset the policy POLICY)�nargs�default�metavar�helpz--show�
store_truez.show the current policy from the configuration)�actionr<z--is-appliedz+check whether the current policy is appliedz--checkzAcheck whether the generated policy files match the current policyz
--no-checkz--no-reloadz3do not run the reload scripts when setting a policy)�argparse�ArgumentParser�add_mutually_exclusive_group�add_argument�SUPPRESS�
parse_args)�parser�grouprrrrDVs*������rDcCs~z0t�tj�td��j}t�tj�td��j}WntyLt�	d�Yn0||krht
d�t�	d�t
d�t�	d�dS)N�current�config�Mz The configured policy is appliedrz$The configured policy is NOT appliedr)r�statrr r#�st_mtimer�OSErrorr�exitr)Ztime1Ztime2rrr�
is_appliedks
rNcCs�t}t}t}t}t�}t|d�tj|td�tjt	j
�|d�t	j
�td�d�t�t
�}t|ddd�t|�}tt�}t|�}tt�}	d}
||kr�d}
||	kr�d}
|t|f}|t|	f}||fD]�\}
}}|D]�\}}}|D]�}|
r�q�t	j
�|
||�}t	j
�|||�}t|d��r}t|d��F}|
�sX|�d�}|�d�}||k�rJd}
|�s"�qX�q"Wd�n1�sn0YWd�q�1�s�0Yq�q�q�t�|�|
�r�td	�t�d
�ntd�t�d�dS)
Nr&)�src�dstrHF)�
print_enabled�allow_symlinkingT�rbi z9The configured policy does NOT match the generated policyrz2The configured policy matches the generated policyr)rr!r"r#rr(�shutil�copytree�copyrrr �setup_directories�
parse_pconfig�apply_policyr5�open�read�rmtreerrrMr)Z
orig_base_dirZorig_local_dirZorig_backend_config_dirZorig_state_dirr'�pconfigZwalk_orig_backendZwalk_backendZwalk_orig_stateZ
walk_state�errZ_backend�_stateZorig_prefixZ
tmp_prefixr4�d�_Zfl�fZf_origZf_tmp�fp1�fp2�b1�b2rrr�checkysZ
�




N
rgcCs<z$tjtddd�tjtddd�Wnty6Yn0dS)Ni�T)�mode�exist_ok)r�makedirsr"r#rLrrrrrW�s
rWcCs\zBttdd��"}t|���dkWd�WS1s60YWntyVYdS0dS)N�ascii��encodingrF)rZ�FIPS_MODE_FLAG�intr[rL)rbrrr�	fips_mode�s
4rpc	Cs�t||d�\}}t�|t|d��t�|�t�|d�zRzt�|tj�||��Wn(t	y|t�
|�t�|��Yn0Wt�|�nt�|�0dS)N��prefix�dir�utf-8i�)rr�write�bytes�fsync�fchmod�renamerr rL�unlink�close)�	directory�filename�contents�fdrrrr�
safe_write�s



r�cCsnt||d�\}}t�|�t�|�t�||�zt�|tj�||��Wntyht�|��Yn0dS)Nrq)	rrr{rz�symlinkryrr rL)r|r}�targetrrrrr�safe_symlink�s


r�Fc
Cs�tj�||d�}tt�|��}	d}
|	D]}tj�|�r(d}
qBq(tj�|t|�|d�}t�|tj�}
|
s�|
r�|r�t	||d|�dS|
r�|j
s�|r�t|dd��}|��}Wd�n1s�0Yt
||d|�|
�r�tj�||d�}z�t|ddd���}|	D]�}z:t|dd��}|��}Wd�n1�s:0YWn(t�yntd	|���Y�qYn0z|�|�Wn(t�y�td
|�d|���Yn0�qWd�n1�s�0YWn$t�y�td|�d
��Yn0dS)Nz	-*.configFTz.txtz.configrtrl�azCannot read local policy file z$Error appending local configuration z to zError opening configuration z" for appending local configuration)rrr r+�glob�existsr�access�R_OKr��subpoliciesrZr[r�rLrru)r]ZcfgnameZcfgdataZcfgdirZlocaldirZ
profiledir�policy_was_emptyrRZlocal_cfg_pathZ
local_cfgsZlocal_cfg_presentZlcfgZprofilepathZprofilepath_existsZf_preZcfgfile�cfZlfZ
local_datarrr�save_config�sJ&,��6r�c@s>eZdZdd�Zddd�Zdd�Zdd	�Zd
d�Zdd
�ZdS)�
ProfileConfigcCsd|_g|_dS)Nr8)�policyr���selfrrr�__init__szProfileConfig.__init__Fcs^|���d���dr0|s0�d|_�dd���fdd��D��|rT|j���n�|_dS)N�:rrcsg|]}�r|�qSrr�r,�i��lrr�
<listcomp>r1z.ProfileConfig.parse_string.<locals>.<listcomp>)r�splitr�r��extend)r��s�	subpolicyrr�r�parse_strings
zProfileConfig.parse_stringcCsjd}t|dd��F}|D]0}|�dd�d}|��}|r|�||�d}qWd�n1s\0YdS)NFrtrl�#rrT)rZr��stripr�)r�r}r�rb�linerrr�
parse_file"szProfileConfig.parse_filecs(|���d���fdd�|jD�|_dS)Nr�csg|]}|�vr|�qSrrr�r�rrr�.r1z4ProfileConfig.remove_subpolicies.<locals>.<listcomp>)rr�r�)r�r�rr�r�remove_subpolicies,sz ProfileConfig.remove_subpoliciescCs&|j}d�|j�}|r"|d|}|S)Nr�)r�r r�)r�r�Zsubsrrr�__str__0s
zProfileConfig.__str__cCstt|��dSr*)rrr�rrr�show7szProfileConfig.showN)F)	r�
__module__�__qualname__r�r�r�r�r�r�rrrrr�s

r�cCsXt�}tj�td�}t�|tj�r.|�|�n&t�r@|�	d�n|�tj�t
d��|S)NrH�FIPSzdefault-config)r�rrr rr�r�r�rpr�r)r]Z
configfilerrrrX;srXTcCs�d}d}|r�|j}|�|�d}tj�d�}|j|kr�|r�|jdkrb|s�td�td�td�n&t�r�td	�td
�td�td�ttkr�t�	�dkr�td
�t
�d�ztj
|jg|j�R�}Wn|tjj�y}	zt|	�t
�d�WYd}	~	nJd}	~	0tjj�yD}	z$td|	���t
�d�WYd}	~	n
d}	~	00|�r\tdt|��dd�tt�D�}
|
D]�}tj|}|�}
z|
�|�|
j��}Wn.t�y�td|
j�td�d}Yn0z"t||
j|ttt|� �|d�Wn.t!�ytd|
j�td�d}Yn0�qr|�rbzt"tdt|�d�Wn t!�y`td�d}Yn0zt"t#dt|�d�Wn t!�y�td�d}Yn0zt"t#dt|��Wn t!�y�td�d}Yn0|�r�td �td!�td"�|S)#NrFTz/usr/bin/bootcr�zHWarning: Using 'update-crypto-policies --set FIPS' is not sufficient forz         FIPS compliance.z8         Use 'fips-mode-setup --enable' command instead.zOWarning: Using 'update-crypto-policies --set' in FIPS mode will make the systemz!         non-compliant with FIPS.z8         It can also break the ssh access to the system.zI         Use 'fips-mode-setup --disable' to disable the system FIPS mode.z/You must be root to run update-crypto-policies.rz%Errors found in policy, first one:  
zSetting system policy to cSsg|]}d|vr|�qS)�	Generatorr)r,�grrrr�wr1z apply_policy.<locals>.<listcomp>zError generating config for zKeeping original configuration)r�rRzError saving config for rHrz.Error setting the current policy configuration�rGz$Error updating current policy marker�zCURRENT.polz"Error updating current policy dumpzFNote: System-wide crypto policies are applied on application start-up.zBIt is recommended to restart the system for the change of policieszto fully take place.)$r�r�rrr�rrprr�geteuidrrMrrr�Z
validationZPolicyFileNotFoundErrorZPolicySyntaxErrorrrrs�policygenerators�__dict__Zgenerate_configZscopedZSCOPES�LookupErrorZCONFIG_NAMEr�r"r!rZis_emptyrLr�r#)r]�profilerQrRr^Z
set_configZ	oldpolicyZbootcZcp�ex�
generatorsr��cls�genrHrrrrYIs�




� 


�



rYcCs�t�t�}|jr"t�t�d�|jr8t�t�d�t�t�}|jr\|��t�d�|j	}t
||�}|js�t�
dtg�t�|�dS)z!The actual command implementationrz	/bin/bashN)r(rDrNrrMrgrWrXr��setrYZ	no_reload�
subprocess�callr%)Zcmdliner]r�r^rrr�main�s$



r��__main__)N)F)NTT)(r?r�rrTr�r�warningsZtempfilerrrZcryptopolicies.validationr��
formatwarningrrr$rnrrr!r"r#r%rr(r5rDrNrgrWrpr�r�r�r�rXrYr�rrrrr�<module>sR


:�
3)�
a!