[SCM] Samba Shared Repository - branch master updated

Jeremy Allison jra at samba.org
Wed Jun 9 17:45:01 UTC 2021


The branch, master has been updated
       via  694dc56faf8 gpo: Apply Group Policy GNOME Settings
       via  97593a49b0b gpo: Test Group Policy GNOME Setting
       via  1cd65280abb gpo: Add GNOME Settings ADMX templates
      from  14383909d22 lib:mscat: Don't use deprecated types

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 694dc56faf80263697a972a1e43ddb038942b272
Author: David Mulder <dmulder at samba.org>
Date:   Tue May 18 15:37:10 2021 +0000

    gpo: Apply Group Policy GNOME Settings
    
    Signed-off-by: David Mulder <dmulder at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Wed Jun  9 17:44:25 UTC 2021 on sn-devel-184

commit 97593a49b0b8a0dd693914fb141a27413f085e6b
Author: David Mulder <dmulder at samba.org>
Date:   Tue May 18 15:35:24 2021 +0000

    gpo: Test Group Policy GNOME Setting
    
    Signed-off-by: David Mulder <dmulder at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 1cd65280abbcbc02507459c6b6a4a0a859f694c7
Author: David Mulder <dmulder at suse.com>
Date:   Mon May 17 12:46:56 2021 -0600

    gpo: Add GNOME Settings ADMX templates
    
    Signed-off-by: David Mulder <dmulder at suse.com>
    Reviewed-by: Jeremy Allison <jra at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 libgpo/admx/GNOME Settings.admx       |  90 +++++++
 libgpo/admx/en-US/GNOME Settings.adml | 110 +++++++++
 python/samba/gp_gnome_settings_ext.py | 452 ++++++++++++++++++++++++++++++++++
 python/samba/tests/gpo.py             | 363 +++++++++++++++++++++++++++
 source4/scripting/bin/samba-gpupdate  |   2 +
 5 files changed, 1017 insertions(+)
 create mode 100644 libgpo/admx/GNOME Settings.admx
 create mode 100644 libgpo/admx/en-US/GNOME Settings.adml
 create mode 100644 python/samba/gp_gnome_settings_ext.py


Changeset truncated at 500 lines:

diff --git a/libgpo/admx/GNOME Settings.admx b/libgpo/admx/GNOME Settings.admx
new file mode 100644
index 00000000000..6e506b1377f
--- /dev/null
+++ b/libgpo/admx/GNOME Settings.admx	
@@ -0,0 +1,90 @@
+<policyDefinitions revision="1.0" schemaVersion="1.0">
+  <policyNamespaces>
+    <target prefix="system" namespace="Samba.Policies.System" />
+    <using prefix="windows" namespace="Microsoft.Policies.Windows" />
+  </policyNamespaces>
+  <resources minRequiredRevision="1.0" />
+  <supportedOn>
+    <definitions>
+      <definition name="SUPPORTED_SAMBA_4_15" displayName="$(string.SUPPORTED_SAMBA_4_15)"/>
+    </definitions>
+  </supportedOn>
+  <categories>
+    <category name="CAT_351B0FDF_55F3_4904_AC71_D3A6CF8DB323" displayName="$(string.CAT_351B0FDF_55F3_4904_AC71_D3A6CF8DB323)">
+      <parentCategory ref="windows:ControlPanel" />
+    </category>
+    <category name="CAT_7E067B4B_2FE1_4AAD_8D76_54209466A491" displayName="$(string.CAT_7E067B4B_2FE1_4AAD_8D76_54209466A491)">
+      <parentCategory ref="CAT_351B0FDF_55F3_4904_AC71_D3A6CF8DB323" />
+    </category>
+  </categories>
+  <policies>
+    <policy name="POL_B00E46C8_3837_4FE2_91EF_3C13D50B0BDC" class="Machine" displayName="$(string.POL_B00E46C8_3837_4FE2_91EF_3C13D50B0BDC)" explainText="$(string.POL_B00E46C8_3837_4FE2_91EF_3C13D50B0BDC_Help)" presentation="$(presentation.POL_B00E46C8_3837_4FE2_91EF_3C13D50B0BDC)" key="GNOME Settings\Lock Down Settings" valueName="Whitelisted Online Accounts">
+      <parentCategory ref="CAT_351B0FDF_55F3_4904_AC71_D3A6CF8DB323" />
+      <supportedOn ref="SUPPORTED_SAMBA_4_15" />
+      <elements>
+        <list id="LST_B2FA2836_7FE0_4C2D_9D40_073E4BBDF0F3" key="GNOME Settings\Lock Down Settings\Whitelisted Online Accounts" />
+      </elements>
+    </policy>
+    <policy name="POL_6307C5EA_766A_4D39_BBAE_B1F9A651F08C" class="Machine" displayName="$(string.POL_6307C5EA_766A_4D39_BBAE_B1F9A651F08C)" explainText="$(string.POL_6307C5EA_766A_4D39_BBAE_B1F9A651F08C_Help)" key="GNOME Settings\Lock Down Settings" valueName="Disable Command-Line Access">
+      <parentCategory ref="CAT_351B0FDF_55F3_4904_AC71_D3A6CF8DB323" />
+      <supportedOn ref="SUPPORTED_SAMBA_4_15" />
+    </policy>
+    <policy name="POL_373CCAD2_D0BC_49A3_A078_10CB073AA949" class="Machine" displayName="$(string.POL_373CCAD2_D0BC_49A3_A078_10CB073AA949)" explainText="$(string.POL_373CCAD2_D0BC_49A3_A078_10CB073AA949_Help)" key="GNOME Settings\Lock Down Settings" valueName="Disable File Saving">
+      <parentCategory ref="CAT_351B0FDF_55F3_4904_AC71_D3A6CF8DB323" />
+      <supportedOn ref="SUPPORTED_SAMBA_4_15" />
+    </policy>
+    <policy name="POL_2B71227C_C44B_4F77_B32A_FF92F312BCE2" class="Machine" displayName="$(string.POL_2B71227C_C44B_4F77_B32A_FF92F312BCE2)" explainText="$(string.POL_2B71227C_C44B_4F77_B32A_FF92F312BCE2_Help)" key="GNOME Settings\Lock Down Settings" valueName="Disable Printing">
+      <parentCategory ref="CAT_351B0FDF_55F3_4904_AC71_D3A6CF8DB323" />
+      <supportedOn ref="SUPPORTED_SAMBA_4_15" />
+    </policy>
+    <policy name="POL_F5785112_422C_4426_BF69_164FED2D6075" class="Machine" displayName="$(string.POL_F5785112_422C_4426_BF69_164FED2D6075)" explainText="$(string.POL_F5785112_422C_4426_BF69_164FED2D6075_Help)" key="GNOME Settings\Lock Down Settings" valueName="Disable Repartitioning">
+      <parentCategory ref="CAT_351B0FDF_55F3_4904_AC71_D3A6CF8DB323" />
+      <supportedOn ref="SUPPORTED_SAMBA_4_15" />
+    </policy>
+    <policy name="POL_DBD5262E_1014_4778_92C8_C3258C0D8EEE" class="Machine" displayName="$(string.POL_DBD5262E_1014_4778_92C8_C3258C0D8EEE)" explainText="$(string.POL_DBD5262E_1014_4778_92C8_C3258C0D8EEE_Help)" key="GNOME Settings\Lock Down Settings" valueName="Disable User Logout">
+      <parentCategory ref="CAT_351B0FDF_55F3_4904_AC71_D3A6CF8DB323" />
+      <supportedOn ref="SUPPORTED_SAMBA_4_15" />
+    </policy>
+    <policy name="POL_E5211A0E_F684_4E93_B62B_4F6B8BE5BBAD" class="Machine" displayName="$(string.POL_E5211A0E_F684_4E93_B62B_4F6B8BE5BBAD)" explainText="$(string.POL_E5211A0E_F684_4E93_B62B_4F6B8BE5BBAD_Help)" key="GNOME Settings\Lock Down Settings" valueName="Disable User Switching">
+      <parentCategory ref="CAT_351B0FDF_55F3_4904_AC71_D3A6CF8DB323" />
+      <supportedOn ref="SUPPORTED_SAMBA_4_15" />
+    </policy>
+    <policy name="POL_942D0D38_C946_4805_8339_92B661BE64E7" class="Machine" displayName="$(string.POL_942D0D38_C946_4805_8339_92B661BE64E7)" explainText="$(string.POL_942D0D38_C946_4805_8339_92B661BE64E7_Help)" key="GNOME Settings\Lock Down Settings" valueName="Disallow Login Using a Fingerprint">
+      <parentCategory ref="CAT_351B0FDF_55F3_4904_AC71_D3A6CF8DB323" />
+      <supportedOn ref="SUPPORTED_SAMBA_4_15" />
+    </policy>
+    <policy name="POL_0906773B_31CA_48E7_B173_A2A8435FA31C" class="Machine" displayName="$(string.POL_0906773B_31CA_48E7_B173_A2A8435FA31C)" explainText="$(string.POL_0906773B_31CA_48E7_B173_A2A8435FA31C_Help)" key="GNOME Settings\Lock Down Settings" valueName="Lock Down Enabled Extensions">
+      <parentCategory ref="CAT_351B0FDF_55F3_4904_AC71_D3A6CF8DB323" />
+      <supportedOn ref="SUPPORTED_SAMBA_4_15" />
+    </policy>
+    <policy name="POL_1DE280F7_3BE5_4DDD_BE10_5A31D6E7ED9B" class="Machine" displayName="$(string.POL_1DE280F7_3BE5_4DDD_BE10_5A31D6E7ED9B)" explainText="$(string.POL_1DE280F7_3BE5_4DDD_BE10_5A31D6E7ED9B_Help)" presentation="$(presentation.POL_1DE280F7_3BE5_4DDD_BE10_5A31D6E7ED9B)" key="GNOME Settings\Lock Down Settings" valueName="Lock Down Specific Settings">
+      <parentCategory ref="CAT_351B0FDF_55F3_4904_AC71_D3A6CF8DB323" />
+      <supportedOn ref="SUPPORTED_SAMBA_4_15" />
+      <elements>
+        <list id="LST_19198E2B_79A2_4263_B09E_CC40151A265B" key="GNOME Settings\Lock Down Settings\Lock Down Specific Settings" />
+      </elements>
+    </policy>
+    <policy name="POL_1F00D0C9_3190_42E1_870F_33A0E560E873" class="Machine" displayName="$(string.POL_1F00D0C9_3190_42E1_870F_33A0E560E873)" explainText="$(string.POL_1F00D0C9_3190_42E1_870F_33A0E560E873_Help)" presentation="$(presentation.POL_1F00D0C9_3190_42E1_870F_33A0E560E873)" key="GNOME Settings\Lock Down Settings" valueName="Dim Screen when User is Idle">
+      <parentCategory ref="CAT_7E067B4B_2FE1_4AAD_8D76_54209466A491" />
+      <supportedOn ref="SUPPORTED_SAMBA_4_15" />
+      <elements>
+        <decimal id="DXT_B46B9503_767D_43E6_8844_8852AC9211C9" key="GNOME Settings\Lock Down Settings\Dim Screen when User is Idle" valueName="Delay" />
+        <decimal id="DXT_C652079A_D03D_4DE0_A43A_F5AC3F416F4D" key="GNOME Settings\Lock Down Settings\Dim Screen when User is Idle" valueName="Dim Idle Brightness" />
+      </elements>
+    </policy>
+    <policy name="POL_05BFA99F_C8C1_4486_AA35_CFB72EF94CAE" class="Machine" displayName="$(string.POL_05BFA99F_C8C1_4486_AA35_CFB72EF94CAE)" presentation="$(presentation.POL_05BFA99F_C8C1_4486_AA35_CFB72EF94CAE)" key="GNOME Settings\Lock Down Settings" valueName="Compose Key">
+      <parentCategory ref="CAT_7E067B4B_2FE1_4AAD_8D76_54209466A491" />
+      <supportedOn ref="SUPPORTED_SAMBA_4_15" />
+      <elements>
+        <text id="CMB_F3CCB880_E12B_4068_8B8A_66DE04211F69" key="GNOME Settings\Lock Down Settings\Compose Key" valueName="Key Name" required="true" />
+      </elements>
+    </policy>
+    <policy name="POL_93280789_E7BA_4EB8_924B_61BA1EEB0437" class="Machine" displayName="$(string.POL_93280789_E7BA_4EB8_924B_61BA1EEB0437)" explainText="$(string.POL_93280789_E7BA_4EB8_924B_61BA1EEB0437_Help)" presentation="$(presentation.POL_93280789_E7BA_4EB8_924B_61BA1EEB0437)" key="GNOME Settings\Lock Down Settings" valueName="Enabled Extensions">
+      <parentCategory ref="CAT_351B0FDF_55F3_4904_AC71_D3A6CF8DB323" />
+      <supportedOn ref="SUPPORTED_SAMBA_4_15" />
+      <elements>
+        <list id="LST_FAD2DD29_CDD9_45BC_99CA_1C47084D09A8" key="GNOME Settings\Lock Down Settings\Enabled Extensions" />
+      </elements>
+    </policy>
+  </policies>
+</policyDefinitions>
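Review bot: The `Dim Idle Brightness` `<decimal>` element declares no `minValue`/`maxValue`, so the policy editor falls back to the schema's default range instead of the range the setting accepts. The extension added in this same commit writes the number into `idle-brightness` unchecked (`str(data['Dim Idle Brightness'])`). If the value is a percentage, as the ADML default of 30 suggests, bound it in the template by adding `minValue="0" maxValue="100"` to that element, and consider an explicit `maxValue` on `Delay` too. Separately, `Compose Key` is the only policy without an `explainText`. A short help string should tell administrators that the extension also writes a dconf lock for `xkb-options`, so users cannot change the value.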
diff --git a/libgpo/admx/en-US/GNOME Settings.adml b/libgpo/admx/en-US/GNOME Settings.adml
new file mode 100644
index 00000000000..5cc8534060c
--- /dev/null
+++ b/libgpo/admx/en-US/GNOME Settings.adml	
@@ -0,0 +1,110 @@
+<policyDefinitionResources revision="1.0" schemaVersion="1.0">
+  <displayName>
+  </displayName>
+  <description>
+  </description>
+  <resources>
+    <stringTable>
+      <string id="SUPPORTED_SAMBA_4_15">Samba 4.15</string>
+      <string id="CAT_351B0FDF_55F3_4904_AC71_D3A6CF8DB323">GNOME Settings</string>
+      <string id="POL_541A888A_A96D_4A21_9A8F_1021EF6D2F25">Allow Online Accounts</string>
+      <string id="POL_B00E46C8_3837_4FE2_91EF_3C13D50B0BDC">Whitelisted Online Accounts</string>
+      <string id="POL_B00E46C8_3837_4FE2_91EF_3C13D50B0BDC_Help">The GNOME Online Accounts (GOA) are used for integrating personal network accounts with the GNOME Desktop and applications. The user can add their online accounts, such as Google, Facebook, Flickr, ownCloud, and others using the Online Accounts application.
+As a system administrator, you can:
+selectively enable a few online accounts.</string>
+      <string id="POL_541A888A_A96D_4A21_9A8F_1021EF6D2F25_Help">The GNOME Online Accounts (GOA) are used for integrating personal network accounts with the GNOME Desktop and applications. The user can add their online accounts, such as Google, Facebook, Flickr, ownCloud, and others using the Online Accounts application.
+As a system administrator, you can:
+enable all online accounts;
+disable all online accounts.</string>
+      <string id="POL_6307C5EA_766A_4D39_BBAE_B1F9A651F08C">Disable Command-Line Access</string>
+      <string id="POL_6307C5EA_766A_4D39_BBAE_B1F9A651F08C_Help">To disable command-line access for your desktop user, you need to make configuration changes in a number of different contexts. Bear in mind that the following steps do not remove the desktop user's permissions to access a command line, but rather remove the ways that the desktop user could access the command line.
+
+Set the org.gnome.desktop.lockdown.disable-command-line GSettings key, which prevents the user from accessing the terminal or specifying a command line to be executed (the Alt+F2 command prompt).
+
+Prevent users from accessing the Alt+F2 command prompt.
+
+Disable switching to virtual terminals (VTs) with the Ctrl+Alt+function key shortcuts by modifying the X server configuration.
+
+Remove Terminal and all other terminal applications from the Activities overview in GNOME Shell. You will also need to prevent the user from installing a new terminal application.</string>
+      <string id="POL_373CCAD2_D0BC_49A3_A078_10CB073AA949">Disable File Saving</string>
+      <string id="POL_373CCAD2_D0BC_49A3_A078_10CB073AA949_Help">You can disable the Save and Save As dialogs. This can be useful if you are giving temporary access to a user or you do not want the user to save files to the computer.
+
+WARNING: This feature will only work in applications which support it! Not all GNOME and third party applications have this feature enabled. These changes will have no effect on applications which do not support this feature.</string>
+      <string id="POL_2B71227C_C44B_4F77_B32A_FF92F312BCE2">Disable Printing</string>
+      <string id="POL_2B71227C_C44B_4F77_B32A_FF92F312BCE2_Help">You can disable the print dialog from being shown to users. This can be useful if you are giving temporary access to a user or you do not want the user to print to network printers.
+
+WARNING: This feature will only work in applications which support it! Not all GNOME and third party applications have this feature enabled. These changes will have no effect on applications which do not support this feature.</string>
+      <string id="POL_F5785112_422C_4426_BF69_164FED2D6075">Disable Repartitioning</string>
+      <string id="POL_F5785112_422C_4426_BF69_164FED2D6075_Help">polkit enables you to set permissions for individual operations. For udisks2, the utility for disk management services, the configuration is located at /usr/share/polkit-1/actions/org.freedesktop.udisks2.policy. This file contains a set of actions and default values, which can be overridden by system administrator.
+
+TIP: The polkit configuration in /etc overrides that shipped by packages in /usr/share.</string>
+      <string id="POL_DBD5262E_1014_4778_92C8_C3258C0D8EEE">Disable User Logout</string>
+      <string id="POL_DBD5262E_1014_4778_92C8_C3258C0D8EEE_Help">Preventing the user from logging out is useful for special kind of GNOME deployments (unmanned kiosks, public internet access terminals, and so on).
+
+IMPORTANT: Users can evade the logout lockdown by switching to a different user. That is the reason why it is recommended to also disable user switching when configuring the system.</string>
+      <string id="POL_E5211A0E_F684_4E93_B62B_4F6B8BE5BBAD">Disable User Switching</string>
+      <string id="POL_E5211A0E_F684_4E93_B62B_4F6B8BE5BBAD_Help">Preventing the user from logging out is useful for special kind of GNOME deployments (unmanned kiosks, public internet access terminals, and so on).
+
+IMPORTANT: Users can evade the logout lockdown by switching to a different user. That is the reason why it is recommended to also disable user switching when configuring the system.</string>
+      <string id="POL_942D0D38_C946_4805_8339_92B661BE64E7">Disallow Login Using a Fingerprint</string>
+      <string id="POL_942D0D38_C946_4805_8339_92B661BE64E7_Help">Users with a fingerprint scanner can use their fingerprints instead of a password to log in. Fingerprint login needs to be set up by the user before it can be used.
+
+Fingerprint readers are not always reliable, so you may wish to disable login using the reader for security reasons.
+      </string>
+      <string id="POL_0906773B_31CA_48E7_B173_A2A8435FA31C">Lock Down Enabled Extensions</string>
+      <string id="POL_0906773B_31CA_48E7_B173_A2A8435FA31C_Help">In GNOME Shell, you can prevent the user from enabling or disabling extensions by locking down the org.gnome.shell.enabled-extensions and org.gnome.shell.development-tools keys. This allows you to provide a set of extensions that the user has to use.
+
+Locking down the org.gnome.shell.development-tools key ensures that the user cannot use GNOME Shell’s integrated debugger and inspector tool (Looking Glass) to disable any mandatory extensions.</string>
+      <string id="POL_1DE280F7_3BE5_4DDD_BE10_5A31D6E7ED9B">Lock Down Specific Settings</string>
+      <string id="POL_1DE280F7_3BE5_4DDD_BE10_5A31D6E7ED9B_Help">By using the lockdown mode in dconf, you can prevent users from changing specific settings. Without locking down the system settings, user settings take precedence over the system settings.
+
+To lock down a dconf key or subpath, you will need to create a locks subdirectory in the keyfile directory. The files inside this directory contain a list of keys or subpaths to lock. Just as with the keyfiles, you may add any number of files to this directory.</string>
+      <string id="CAT_7E067B4B_2FE1_4AAD_8D76_54209466A491">User Settings</string>
+      <string id="POL_1F00D0C9_3190_42E1_870F_33A0E560E873">Dim Screen when User is Idle</string>
+      <string id="POL_1F00D0C9_3190_42E1_870F_33A0E560E873_Help">You can make the computer screen dim after the computer has been idle (not used) for some period of time.</string>
+      <string id="POL_05BFA99F_C8C1_4486_AA35_CFB72EF94CAE">Compose Key</string>
+      <string id="POL_93280789_E7BA_4EB8_924B_61BA1EEB0437">Enabled Extensions</string>
+      <string id="POL_93280789_E7BA_4EB8_924B_61BA1EEB0437_Help">The enabled-extensions key specifies the enabled extensions using the extensions’ uuid.</string>
+    </stringTable>
+    <presentationTable>
+      <presentation id="POL_B00E46C8_3837_4FE2_91EF_3C13D50B0BDC">
+        <listBox refId="LST_B2FA2836_7FE0_4C2D_9D40_073E4BBDF0F3">
+        </listBox>
+      </presentation>
+      <presentation id="POL_1DE280F7_3BE5_4DDD_BE10_5A31D6E7ED9B">
+        <listBox refId="LST_19198E2B_79A2_4263_B09E_CC40151A265B">Settings</listBox>
+      </presentation>
+      <presentation id="POL_1F00D0C9_3190_42E1_870F_33A0E560E873">
+        <decimalTextBox refId="DXT_B46B9503_767D_43E6_8844_8852AC9211C9" defaultValue="300">Idle Delay</decimalTextBox>
+        <decimalTextBox refId="DXT_C652079A_D03D_4DE0_A43A_F5AC3F416F4D" defaultValue="30">Idle Brightness</decimalTextBox>
+      </presentation>
+      <presentation id="POL_05BFA99F_C8C1_4486_AA35_CFB72EF94CAE">
+        <comboBox refId="CMB_F3CCB880_E12B_4068_8B8A_66DE04211F69">
+          <label>Compose Key</label>
+          <default>Right Alt</default>
+          <suggestion>Right Alt</suggestion>
+          <suggestion>Left Win</suggestion>
+          <suggestion>3rd level of Left Win</suggestion>
+          <suggestion>Right Win</suggestion>
+          <suggestion>3rd level of Right Win</suggestion>
+          <suggestion>Menu</suggestion>
+          <suggestion>3rd level of Menu</suggestion>
+          <suggestion>Left Ctrl</suggestion>
+          <suggestion>3rd level of Left Ctrl</suggestion>
+          <suggestion>Right Ctrl</suggestion>
+          <suggestion>3rd level of Right Ctrl</suggestion>
+          <suggestion>Caps Lock</suggestion>
+          <suggestion>3rd level of Caps Lock</suggestion>
+          <suggestion>The "< >" key</suggestion>
+          <suggestion>3rd level of the "< >" key</suggestion>
+          <suggestion>Pause</suggestion>
+          <suggestion>PrtSc</suggestion>
+          <suggestion>Scroll Lock</suggestion>
+        </comboBox>
+      </presentation>
+      <presentation id="POL_93280789_E7BA_4EB8_924B_61BA1EEB0437">
+        <listBox refId="LST_FAD2DD29_CDD9_45BC_99CA_1C47084D09A8">Enabled Extensions</listBox>
+      </presentation>
+    </presentationTable>
+  </resources>
+</policyDefinitionResources>
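Review bot: The help string for Disable User Switching (`POL_E5211A0E_F684_4E93_B62B_4F6B8BE5BBAD_Help`) is a verbatim copy of the Disable User Logout text and never says what the switching policy itself does. It should open with its own sentence, something like `Prevents the user from switching to another account while a session is active.`, before the shared kiosk advice. The two `POL_541A888A_A96D_4A21_9A8F_1021EF6D2F25` strings ("Allow Online Accounts") have no matching `<policy>` in the ADMX added by this commit, so either they are dead entries or a policy is missing. If the two `<suggestion>` entries for the `"< >"` key really contain literal angle brackets as shown here, the element text is not well-formed XML and should be written as `&lt; &gt;`.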
diff --git a/python/samba/gp_gnome_settings_ext.py b/python/samba/gp_gnome_settings_ext.py
new file mode 100644
index 00000000000..27425029d05
--- /dev/null
+++ b/python/samba/gp_gnome_settings_ext.py
@@ -0,0 +1,452 @@
+# gp_gnome_settings_ext samba gpo policy
+# Copyright (C) David Mulder <dmulder at suse.com> 2020
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import os, re
+from samba.gpclass import gp_pol_ext
+from tempfile import NamedTemporaryFile
+import shutil
+from configparser import ConfigParser
+from subprocess import Popen, PIPE
+from samba.common import get_bytes, get_string
+from glob import glob
+import xml.etree.ElementTree as etree
+
+def dconf_update(log, test_dir):
+    if test_dir is not None:
+        return
+    dconf = shutil.which('dconf')
+    if dconf is None:
+        log.error('Failed to update dconf. Command not found')
+        return
+    p = Popen([dconf, 'update'], stdout=PIPE, stderr=PIPE)
+    out, err = p.communicate()
+    if p.returncode != 0:
+        log.error('Failed to update dconf: %s' % get_string(err))
+
+def create_locks_dir(test_dir):
+    locks_dir = '/etc/dconf/db/local.d/locks'
+    if test_dir is not None:
+        locks_dir = os.path.join(test_dir, locks_dir[1:])
+    os.makedirs(locks_dir, exist_ok=True)
+    return locks_dir
+
+def create_user_profile(test_dir):
+    user_profile = '/etc/dconf/profile/user'
+    if test_dir is not None:
+        user_profile = os.path.join(test_dir, user_profile[1:])
+    if os.path.exists(user_profile):
+        return
+    os.makedirs(os.path.dirname(user_profile), exist_ok=True)
+    with NamedTemporaryFile('w', dir=os.path.dirname(user_profile),
+                            delete=False) as w:
+        w.write('user-db:user\nsystem-db:local')
+        fname = w.name
+    shutil.move(fname, user_profile)
+
+def create_local_db(test_dir):
+    local_db = '/etc/dconf/db/local.d'
+    if test_dir is not None:
+        local_db = os.path.join(test_dir, local_db[1:])
+    os.makedirs(local_db, exist_ok=True)
+    return local_db
+
+def select_next_conf(directory, fname=''):
+    configs = [re.match(r'(\d+)%s' % fname, f) for f in os.listdir(directory)]
+    return max([int(m.group(1)) for m in configs if m]+[0])+1
+
+class gp_gnome_settings_ext(gp_pol_ext):
+    def __init__(self, *args):
+        super().__init__(*args)
+        self.keys = ['Compose Key',
+                     'Dim Screen when User is Idle',
+                     'Lock Down Specific Settings',
+                     'Whitelisted Online Accounts',
+                     'Enabled Extensions']
+        self.lock_down_settings = {}
+        self.test_dir = None
+
+    def __str__(self):
+        return 'GNOME Settings/Lock Down Settings'
+
+    def __add_lockdown_data(self, k, e):
+        if k not in self.lock_down_settings:
+            self.lock_down_settings[k] = {}
+        self.lock_down_settings[k][e.valuename] = e.data
+
+    def __enable_lockdown_data(self, e):
+        if e.valuename not in self.lock_down_settings:
+            self.lock_down_settings[e.valuename] = {}
+        self.lock_down_settings[e.valuename]['Enabled'] = e.data == 1
+
+    def __apply_compose_key(self, data):
+        attribute = self.keys[0]
+        old_val = self.gp_db.retrieve(str(self), attribute)
+        create_user_profile(self.test_dir)
+        local_db_dir = create_local_db(self.test_dir)
+
+        if old_val is not None:
+            # Overwrite the old policy if it exists
+            local_db, lock = old_val.split(';')
+        else:
+            conf_id = select_next_conf(local_db_dir, '-input-sources')
+            local_db = os.path.join(local_db_dir,
+                                    '%010d-input-sources' % conf_id)
+        data_map = { 'Right Alt': 'compose:ralt',
+                     'Left Win': 'compose:lwin',
+                     '3rd level of Left Win': 'compose:lwin-altgr',
+                     'Right Win': 'compose:rwin',
+                     '3rd level of Right Win': 'compose:rwin-altgr',
+                     'Menu': 'compose:menu',
+                     '3rd level of Menu': 'compose:menu-altgr',
+                     'Left Ctrl': 'compose:lctrl',
+                     '3rd level of Left Ctrl': 'compose:lctrl-altgr',
+                     'Right Ctrl': 'compose:rctrl',
+                     '3rd level of Right Ctrl': 'compose:rctrl-altgr',
+                     'Caps Lock': 'compose:caps',
+                     '3rd level of Caps Lock': 'compose:caps-altgr',
+                     'The "< >" key': 'compose:102',
+                     '3rd level of the "< >" key': 'compose:102-altgr',
+                     'Pause': 'compose:paus',
+                     'PrtSc': 'compose:prsc',
+                     'Scroll Lock': 'compose:sclk'
+                   }
+        if data['Key Name'] not in data_map.keys():
+            self.logger.error('Compose Key \'%s\' not recognized' % \
+                              data['Key Name'])
+            return
+        parser = ConfigParser()
+        section = 'org/gnome/desktop/input-sources'
+        parser.add_section(section)
+        parser.set(section, 'xkb-options',
+                   "['%s']" % data_map[data['Key Name']])
+        with open(local_db, 'w') as w:
+            parser.write(w)
+
+        # Lock xkb-options
+        locks_dir = create_locks_dir(self.test_dir)
+        if old_val is None:
+            conf_id = select_next_conf(locks_dir)
+            lock = os.path.join(locks_dir, '%010d-input-sources' % conf_id)
+        with open(lock, 'w') as w:
+            w.write('/org/gnome/desktop/input-sources/xkb-options')
+
+        dconf_update(self.logger, self.test_dir)
+        self.gp_db.store(str(self), attribute, ';'.join([local_db, lock]))
+
+    def __apply_dim_idle(self, data):
+        attribute = self.keys[1]
+        old_val = self.gp_db.retrieve(str(self), attribute)
+        create_user_profile(self.test_dir)
+        local_db_dir = create_local_db(self.test_dir)
+        if old_val is not None:
+            # Overwrite the old policy if it exists
+            local_power_db, local_session_db, lock = old_val.split(';')
+        else:
+            conf_id = select_next_conf(local_db_dir, '-power')
+            local_power_db = os.path.join(local_db_dir, '%010d-power' % conf_id)
+        parser = ConfigParser()
+        section = 'org/gnome/settings-daemon/plugins/power'
+        parser.add_section(section)
+        parser.set(section, 'idle-dim', 'true')
+        parser.set(section, 'idle-brightness', str(data['Dim Idle Brightness']))
+        with open(local_power_db, 'w') as w:
+            parser.write(w)
+        if old_val is None:
+            conf_id = select_next_conf(local_db_dir, '-session')
+            local_session_db = os.path.join(local_db_dir, '%010d-session' % conf_id)
+        parser = ConfigParser()
+        section = 'org/gnome/desktop/session'
+        parser.add_section(section)
+        parser.set(section, 'idle-delay', 'uint32 %d' % data['Delay'])
+        with open(local_session_db, 'w') as w:
+            parser.write(w)
+
+        # Lock power-saving
+        locks_dir = create_locks_dir(self.test_dir)
+        if old_val is None:
+            conf_id = select_next_conf(locks_dir)
+            lock = os.path.join(locks_dir, '%010d-power-saving' % conf_id)
+        with open(lock, 'w') as w:
+            w.write('/org/gnome/settings-daemon/plugins/power/idle-dim\n')
+            w.write('/org/gnome/settings-daemon/plugins/power/idle-brightness\n')
+            w.write('/org/gnome/desktop/session/idle-delay')
+
+        dconf_update(self.logger, self.test_dir)
+        self.gp_db.store(str(self), attribute, ';'.join([local_power_db,
+                                                         local_session_db,
+                                                         lock]))
+
+    def __apply_specific_settings(self, data):
+        attribute = self.keys[2]
+        old_val = self.gp_db.retrieve(str(self), attribute)
+        create_user_profile(self.test_dir)
+        locks_dir = create_locks_dir(self.test_dir)
+        if old_val is not None:
+            # Overwrite the old policy if it exists
+            policy_file = old_val
+        else:
+            conf_id = select_next_conf(locks_dir, '-group-policy')
+            policy_file = os.path.join(locks_dir, '%010d-group-policy' % conf_id)
+        with open(policy_file, 'w') as w:
+            for key in data.keys():
+                w.write('%s\n' % key)
+        dconf_update(self.logger, self.test_dir)
+        self.gp_db.store(str(self), attribute, policy_file)
+
+    def __apply_whitelisted_account(self, data):
+        attribute = self.keys[3]
+        old_val = self.gp_db.retrieve(str(self), attribute)
+        create_user_profile(self.test_dir)
+        local_db_dir = create_local_db(self.test_dir)
+        locks_dir = create_locks_dir(self.test_dir)
+        val = "['%s']" % "', '".join(data.keys())
+        policy_files = self.__lockdown(local_db_dir, locks_dir, 'goa',
+                                       'whitelisted-providers', val, old_val,
+                                       'org/gnome/online-accounts')
+        dconf_update(self.logger, self.test_dir)
+        self.gp_db.store(str(self), attribute, ';'.join(policy_files))
+
+    def __apply_enabled_extensions(self, data):
+        attribute = self.keys[4]
+        old_val = self.gp_db.retrieve(str(self), attribute)
+        create_user_profile(self.test_dir)
+        local_db_dir = create_local_db(self.test_dir)
+        if old_val is not None:
+            # Overwrite the old policy if it exists
+            policy_file = old_val
+        else:
+            conf_id = select_next_conf(local_db_dir)
+            policy_file = os.path.join(local_db_dir, '%010d-extensions' % conf_id)
+        parser = ConfigParser()
+        section = 'org/gnome/shell'
+        parser.add_section(section)
+        exts = data.keys()
+        parser.set(section, 'enabled-extensions', "['%s']" % "', '".join(exts))
+        parser.set(section, 'development-tools', 'false')
+        with open(policy_file, 'w') as w:
+            parser.write(w)
+        dconf_update(self.logger, self.test_dir)
+        self.gp_db.store(str(self), attribute, policy_file)
+
+    def __lockdown(self, local_db_dir, locks_dir, name, key, val,
+                   old_val, section='org/gnome/desktop/lockdown'):
+        if old_val is None:
+            policy_files = []
+            conf_id = select_next_conf(local_db_dir)
+            policy_file = os.path.join(local_db_dir,
+                                       '%010d-%s' % (conf_id, name))
+            policy_files.append(policy_file)
+            conf_id = select_next_conf(locks_dir)
+            lock = os.path.join(locks_dir, '%010d-%s' % (conf_id, name))
+            policy_files.append(lock)
+        else:
+            policy_files = old_val.split(';')
+            policy_file, lock = policy_files
+        parser = ConfigParser()
+        parser.add_section(section)
+        parser.set(section, key, val)
+        with open(policy_file, 'w') as w:
+            parser.write(w)
+        with open(lock, 'w') as w:
+            w.write('/%s/%s' % (section, key))
+        return policy_files
+
+    def __apply_enabled(self, k):
+        old_val = self.gp_db.retrieve(str(self), k)
+        if old_val is not None:
+            # Overwrite the old policy if it exists
+            policy_files = old_val.split(';')
+        else:
+            policy_files = []
+
+        create_user_profile(self.test_dir)
+        local_db_dir = create_local_db(self.test_dir)
+        locks_dir = create_locks_dir(self.test_dir)
+
+        if k == 'Lock Down Enabled Extensions':
+            if old_val is None:
+                conf_id = select_next_conf(locks_dir)
+                policy_file = os.path.join(locks_dir, '%010d-extensions' % conf_id)


-- 
Samba Shared Repository


