summaryrefslogtreecommitdiff
path: root/src/leap/bitmask/util
diff options
context:
space:
mode:
authorRuben Pollan <meskio@sindominio.net>2014-09-08 14:22:29 -0500
committerRuben Pollan <meskio@sindominio.net>2014-09-11 10:39:42 -0500
commit3d0708ad3e20aa8dddf6894b7536be3cd59cfbca (patch)
treeeac85deaef3b9e4aa1a8e1861c73d79b5c639c14 /src/leap/bitmask/util
parenta96c163b3ef6281eae1cf9c04fcbeb46b9fc43f4 (diff)
Add email firewall
Diffstat (limited to 'src/leap/bitmask/util')
-rw-r--r--src/leap/bitmask/util/privilege_policies.py98
1 files changed, 98 insertions, 0 deletions
diff --git a/src/leap/bitmask/util/privilege_policies.py b/src/leap/bitmask/util/privilege_policies.py
index f894d73b..2016e67b 100644
--- a/src/leap/bitmask/util/privilege_policies.py
+++ b/src/leap/bitmask/util/privilege_policies.py
@@ -18,17 +18,30 @@
Helpers to determine if the needed policies for privilege escalation
are operative under this client run.
"""
+import commands
import logging
import os
+import subprocess
import platform
+import time
from abc import ABCMeta, abstractmethod
from leap.bitmask.config import flags
+from leap.common.check import leap_assert
+from leap.common.files import which
logger = logging.getLogger(__name__)
+class NoPolkitAuthAgentAvailable(Exception):
+ pass
+
+
+class NoPkexecAvailable(Exception):
+ pass
+
+
def is_missing_policy_permissions():
"""
Returns True if we do not have implemented a policy checker for this
@@ -75,6 +88,7 @@ class LinuxPolicyChecker(PolicyChecker):
"se.leap.bitmask.policy")
LINUX_POLKIT_FILE_BUNDLE = ("/usr/share/polkit-1/actions/"
"se.leap.bitmask.bundle.policy")
+ PKEXEC_BIN = 'pkexec'
@classmethod
def get_polkit_path(self):
@@ -97,3 +111,87 @@ class LinuxPolicyChecker(PolicyChecker):
"""
path = self.get_polkit_path()
return not os.path.isfile(path)
+
+ @classmethod
+ def maybe_pkexec(self):
+ """
+ Checks whether pkexec is available in the system, and
+ returns the path if found.
+
+ Might raise:
+ NoPkexecAvailable,
+ NoPolkitAuthAgentAvailable.
+
+ :returns: a list of the paths where pkexec is to be found
+ :rtype: list
+ """
+ if self._is_pkexec_in_system():
+ if not self.is_up():
+ self.launch()
+ time.sleep(2)
+ if self.is_up():
+ pkexec_possibilities = which(self.PKEXEC_BIN)
+ leap_assert(len(pkexec_possibilities) > 0,
+ "We couldn't find pkexec")
+ return pkexec_possibilities
+ else:
+ logger.warning("No polkit auth agent found. pkexec " +
+ "will use its own auth agent.")
+ raise NoPolkitAuthAgentAvailable()
+ else:
+ logger.warning("System has no pkexec")
+ raise NoPkexecAvailable()
+
+ @classmethod
+ def launch(self):
+ """
+ Tries to launch policykit
+ """
+ env = None
+ if flags.STANDALONE:
+ env = {"PYTHONPATH": os.path.abspath('../../../../lib/')}
+ try:
+ # We need to quote the command because subprocess call
+ # will do "sh -c 'foo'", so if we do not quoute it we'll end
+ # up with a invocation to the python interpreter. And that
+ # is bad.
+ logger.debug("Trying to launch polkit agent")
+ subprocess.call(["python -m leap.bitmask.util.polkit_agent"],
+ shell=True, env=env)
+ except Exception as exc:
+ logger.exception(exc)
+
+ @classmethod
+ def is_up(self):
+ """
+ Checks if a polkit daemon is running.
+
+ :return: True if it's running, False if it's not.
+ :rtype: boolean
+ """
+ # Note that gnome-shell does not uses a separate process for the
+ # polkit-agent, it uses a polkit-agent within its own process so we
+ # can't ps-grep a polkit process, we can ps-grep gnome-shell itself.
+
+ # the [x] thing is to avoid grep match itself
+ polkit_options = [
+ 'ps aux | grep "polkit-[g]nome-authentication-agent-1"',
+ 'ps aux | grep "polkit-[k]de-authentication-agent-1"',
+ 'ps aux | grep "polkit-[m]ate-authentication-agent-1"',
+ 'ps aux | grep "[l]xpolkit"',
+ 'ps aux | grep "[g]nome-shell"',
+ 'ps aux | grep "[f]ingerprint-polkit-agent"',
+ ]
+ is_running = [commands.getoutput(cmd) for cmd in polkit_options]
+
+ return any(is_running)
+
+ @classmethod
+ def _is_pkexec_in_system(self):
+ """
+ Checks the existence of the pkexec binary in system.
+ """
+ pkexec_path = which('pkexec')
+ if len(pkexec_path) == 0:
+ return False
+ return True