Add user policy implementation for deny all removable storages

gpoa/frontend/appliers/polkit.py

@@ -28,11 +28,15 @@ class polkit:
     __template_loader = jinja2.FileSystemLoader(searchpath=__template_path)
     __template_environment = jinja2.Environment(loader=__template_loader)
 
-    def __init__(self, template_name, arglist):
+    def __init__(self, template_name, arglist, username=None):
         self.template_name = template_name
         self.args = arglist
+        self.username = username
         self.infilename = '{}.rules.j2'.format(self.template_name)
-        self.outfile = os.path.join(self.__policy_dir, '{}.rules'.format(self.template_name))
+        if self.username:
+            self.outfile = os.path.join(self.__policy_dir, '{}.{}.rules'.format(self.template_name, self.username))
+        else:
+            self.outfile = os.path.join(self.__policy_dir, '{}.rules'.format(self.template_name))
 
     def generate(self):
         try:

gpoa/frontend/frontend_manager.py

@@ -19,7 +19,10 @@
 from storage import registry_factory
 
 from .control_applier import control_applier
-from .polkit_applier import polkit_applier
+from .polkit_applier import (
+      polkit_applier
+    , polkit_applier_user
+)
 from .systemd_applier import systemd_applier
 from .firefox_applier import firefox_applier
 from .chromium_applier import chromium_applier
@@ -107,6 +110,7 @@ class frontend_manager:
             , 'gsettings': gsettings_applier_user(self.storage, self.sid, self.username)
             , 'cifs': cifs_applier_user(self.storage, self.sid, self.username)
             , 'package': package_applier_user(self.storage, self.sid, self.username)
+            , 'polkit': polkit_applier_user(self.storage, self.sid, self.username)
         })
 
     def machine_apply(self):
@@ -132,6 +136,7 @@ class frontend_manager:
             self.user_appliers['gsettings'].admin_context_apply()
             self.user_appliers['cifs'].admin_context_apply()
             self.user_appliers['package'].admin_context_apply()
+            self.user_appliers['polkit'].admin_context_apply()
 
             logging.debug(slogm('Running user appliers for user context'))
             with_privileges(self.username, self.user_appliers['shortcuts'].user_context_apply)

gpoa/frontend/polkit_applier.py

@@ -25,7 +25,7 @@ import logging
 class polkit_applier(applier_frontend):
     __deny_all = 'Software\\Policies\\Microsoft\\Windows\\RemovableStorageDevices\\Deny_All'
     __polkit_map = {
-        __deny_all: ['99-gpoa_disk_permissions', { 'Deny_All': 0 }]
+        __deny_all: ['49-gpoa_disk_permissions', { 'Deny_All': 0 }]
     }
 
     def __init__(self, storage):
@@ -49,3 +49,37 @@ class polkit_applier(applier_frontend):
         for policy in self.policies:
             policy.generate()
 
+class polkit_applier_user(applier_frontend):
+    __deny_all = 'Software\\Policies\\Microsoft\\Windows\\RemovableStorageDevices\\Deny_All'
+    __polkit_map = {
+            __deny_all: ['48-gpoa_disk_permissions_user', { 'Deny_All': 0, 'User': '' }]
+    }
+
+    def __init__(self, storage, sid, username):
+        self.storage = storage
+        self.sid = sid
+        self.username = username
+
+        deny_all = storage.filter_hkcu_entries(self.sid, self.__deny_all).first()
+        # Deny_All hook: initialize defaults
+        template_file = self.__polkit_map[self.__deny_all][0]
+        template_vars = self.__polkit_map[self.__deny_all][1]
+        if deny_all:
+            logging.debug(slogm('Deny_All setting for user {} found: {}'.format(self.username, deny_all.data)))
+            self.__polkit_map[self.__deny_all][1]['Deny_All'] = deny_all.data
+            self.__polkit_map[self.__deny_all][1]['User'] = self.username
+        else:
+            logging.debug(slogm('Deny_All setting not found'))
+        self.policies = []
+        self.policies.append(polkit(template_file, template_vars, self.username))
+
+    def user_context_apply(self):
+        pass
+
+    def admin_context_apply(self):
+        '''
+        Trigger control facility invocation.
+        '''
+        for policy in self.policies:
+            policy.generate()
+

gpoa/templates/48-gpoa_disk_permissions_user.rules.j2

@@ -0,0 +1,29 @@
+{#
+ # GPOA - GPO Applier for Linux
+ #
+ # Copyright (C) 2019-2020 BaseALT Ltd.
+ #
+ # This program is free software: you can redistribute it and/or modify
+ # it under the terms of the GNU General Public License as published by
+ # the Free Software Foundation, either version 3 of the License, or
+ # (at your option) any later version.
+ #
+ # This program is distributed in the hope that it will be useful,
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ # GNU General Public License for more details.
+ #
+ # You should have received a copy of the GNU General Public License
+ # along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ #}
+
+{% if Deny_All == '1' %}
+polkit.addRule(function (action, subject) {
+	if ((action.id == "org.freedesktop.udisks2.filesystem-mount" ||
+	    action.id == "org.freedesktop.udisks2.filesystem-mount-system" ||
+	    action.id == "org.freedesktop.udisks2.filesystem-mount-other-seat") &&
+	    subject.user == "{{User}}" ) {
+		return polkit.Result.NO;
+	}
+});
+{% endif %}