Post release corrections

DGAC · Nov 18, 2022 · df1f64c · df1f64c
1 parent 087cab7
commit df1f64c
Show file tree

Hide file tree

Showing 8 changed files with 31 additions and 14 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -0,0 +1,7 @@
+# Changelog
+
+## [1.0.1] - 2022-11-18
+
+### Fixed
+
+- minor items
diff --git a/components/inseca-live-server/README.md b/components/inseca-live-server/README.md
@@ -5,14 +5,13 @@ Main component to manage a running INSECA system without any UI (server OS).
 - **userdata-skey-pub-file**: public key used to verify the signature of USERDATA resources,
   relative to the build's config file
 - **allowed-virtualized**: list of virtual environments in which the devices is allowed to be used as a CSV or "", refer to systemd-detect-virt's man page
-- **disabled-net-services**: list of INSECA's network services to disable, as a CSV of:
+- **disable-inseca-services**: list of INSECA's network services to disable, as a CSV of:
   - `all`: disable all services
   - `updates`: disable the live Linux updates service
 - **data-mapping**: lists directories which will be mapped from the DATA partition in the system,
   as a CVS of `<directory to map>:<where to map it in the system>`
 - **post-unlock-script**: script to execute once the device has been unlocked (e.g. to start services)
-
-- NOT YET **network-connections-allowed**: boolean indicating if the network stack (managed by NetworkManager) is enabled
+- **allow-network-connections**: boolean indicating if the network stack (managed by NetworkManager) is enabled
   (which allows the user to connect to wired or wireless networks) or disabled
 - NOT YET **network-allow-list**: if defined, the network access is denied by default and restricted only to the
   provided list of system names and/or IP address ranges.

diff --git a/components/inseca-live-server/config.json b/components/inseca-live-server/config.json
@@ -13,7 +13,7 @@
             "descr": "CSV list of allowed virtualization execution environment, use 'all' to allow any",
             "type": "str"
         },
-        "disabled-net-services": {
+        "disable-inseca-services": {
             "descr": "List of INSECA's network services to disable",
             "type": "str"
         },

diff --git a/components/inseca-live-server/opt/inseca/manager b/components/inseca-live-server/opt/inseca/manager
@@ -151,7 +151,8 @@ def _term_signal_ignore(signum, frame):
 def _term_signal_handle(signum, frame):
     syslog.syslog(syslog.LOG_INFO, "Received TERM signal, preparing shutdown")
     bp=Live.BootProcessWKS.get_instance()
-    bp.prepare_shutdown()
+    if bp:
+        bp.prepare_shutdown()
     sys.exit(0)
 
 # define default TERM signal handler tu properly umount partitions
@@ -233,8 +234,8 @@ class Remote(dbus.service.Object):
         # disable some INSECA services if specificed
         dservs=[]
         servs=["update"] # services which can be disabled
-        if conf and "disabled-net-services" in conf:
-            data=conf["disabled-net-services"]
+        if conf and "disable-inseca-services" in conf:
+            data=conf["disable-inseca-services"]
             if data is not None:
                 dservs=data.split(",")
         if "all" in dservs:
@@ -246,6 +247,10 @@ class Remote(dbus.service.Object):
                 if serv=="update":
                     self._updates_enabled=False
 
+        # enable network after authentication?
+        if conf and "allow-network-connections" in conf and conf["allow-network-connections"]==False:
+            self._net.force_always_disabled()
+
         # start shutdown timer and disable networking
         self._start_killer_counter()
         if cm.disable_network_before_unlock:

diff --git a/components/inseca-live-server/prepare.py b/components/inseca-live-server/prepare.py
@@ -64,8 +64,9 @@
 # other config. elements
 protected_conf={
     "allowed-virtualized": conf.get("allowed-virtualized", ""),
-    "disabled-net-services": conf.get("disabled-net-services", "")
+    "disable-inseca-services": conf.get("disable-inseca-services", ""),
+    "allow-network-connections": conf.get("allow-network-connections", True)
 }
 util.write_data_to_file(json.dumps(protected_conf), "%s/etc/inseca-live.json"%os.environ["LIVE_DIR"])
 util.write_data_to_file("Allowed virtual environments: %s\n"%protected_conf["allowed-virtualized"], os.environ["BUILD_DATA_FILE"], append=True)
-util.write_data_to_file("Disabled net services: %s\n"%protected_conf["disabled-net-services"], os.environ["BUILD_DATA_FILE"], append=True)
+util.write_data_to_file("Disabled net services: %s\n"%protected_conf["disable-inseca-services"], os.environ["BUILD_DATA_FILE"], append=True)
diff --git a/components/inseca-live-wks/README.md b/components/inseca-live-wks/README.md
@@ -5,10 +5,10 @@ Main component to manage a running INSECA system with a GUI.
 - **userdata-skey-pub-file**: public key used to verify the signature of USERDATA resources,
   relative to the build's config file
 - **allowed-virtualized**: list of virtual environments in which the devices is allowed to be used as a CSV or "", refer to systemd-detect-virt's man page
-- **disabled-net-services**: list of INSECA's network services to disable, as a CSV of:
+- **disable-inseca-services**: list of INSECA's network services to disable, as a CSV of:
   - `all`: disable all services
   - `updates`: disable the live Linux updates service
-- NOT YET **network-connections-allowed**: boolean indicating if the network stack (managed by NetworkManager) is enabled
+- **allow-network-connections**: boolean indicating if the network stack (managed by NetworkManager) is enabled
   (which allows the user to connect to wired or wireless networks) or disabled
 - NOT YET **network-allow-list**: if defined, the network access is denied by default and restricted only to the
   provided list of system names and/or IP address ranges.

diff --git a/components/inseca-live-wks/config.json b/components/inseca-live-wks/config.json
@@ -16,7 +16,11 @@
             "descr": "CSV list of allowed virtualization execution environment",
             "type": "str"
         },
-        "disabled-net-services": {
+        "allow-network-connections": {
+            "descr": "True if the network stack (managed by NetworkManager) is enabled",
+            "type": "boolean"
+        },
+        "disable-inseca-services": {
             "descr": "List of INSECA's network services to disable",
             "type": "str"
         }

diff --git a/components/inseca-live-wks/prepare.py b/components/inseca-live-wks/prepare.py
@@ -45,8 +45,9 @@
 # other config. elements
 protected_conf={
     "allowed-virtualized": conf.get("allowed-virtualized", ""),
-    "disabled-net-services": conf.get("disabled-net-services", "")
+    "disable-inseca-services": conf.get("disable-inseca-services", ""),
+    "allow-network-connections": conf.get("allow-network-connections", True)
 }
 util.write_data_to_file(json.dumps(protected_conf), "%s/etc/inseca-live.json"%os.environ["LIVE_DIR"])
 util.write_data_to_file("Allowed virtual environments: %s\n"%protected_conf["allowed-virtualized"], os.environ["BUILD_DATA_FILE"], append=True)
-util.write_data_to_file("Disabled net services: %s\n"%protected_conf["disabled-net-services"], os.environ["BUILD_DATA_FILE"], append=True)
+util.write_data_to_file("Disabled net services: %s\n"%protected_conf["disable-inseca-services"], os.environ["BUILD_DATA_FILE"], append=True)