Add script for removing SD tags from VMs

freedomofpress · Apr 17, 2020 · 3951038 · 3951038
1 parent 38dba62
commit 3951038
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 1 deletion.
diff --git a/Makefile b/Makefile
@@ -110,6 +110,7 @@ clean: assert-dom0 prep-salt ## Destroys all SD VMs
 	$(MAKE) destroy-all
 	sudo qubesctl --show-output --skip-dom0 --targets whonix-gw-15 state.sls sd-clean-whonix
 	sudo qubesctl --show-output state.sls sd-clean-all
+	./scripts/remove-tags
 	sudo dnf -y -q remove securedrop-workstation-dom0-config 2>/dev/null || true
 	$(MAKE) clean-salt
 

diff --git a/scripts/remove-tags b/scripts/remove-tags
@@ -0,0 +1,32 @@
+#!/usr/bin/env python3
+"""
+Removes tags used for exempting VMs from default SecureDrop Workstation
+RPC policies from all VMs (including non-SecureDrop ones).
+"""
+import qubesadmin
+
+q = qubesadmin.Qubes()
+
+TAGS_TO_REMOVE = ["sd-send-clipboard", "sd-receive-clipboard", "sd-receive-logs"]
+
+
+def main():
+    tags_removed = False
+    for vm in q.domains:
+        for tag in TAGS_TO_REMOVE:
+            if tag in q.domains[vm].tags:
+                print("Removing tag '{}' from VM '{}'.".format(tag, vm))
+                try:
+                    q.domains[vm].tags.remove(tag)
+                except Exception as error:
+                    print("Error removing tag: '{}'".format(error))
+                    print("Aborting.")
+                    exit(1)
+                tags_removed = True
+
+    if tags_removed is False:
+        print("Tags {} not set on any VMs, nothing removed.".format(TAGS_TO_REMOVE))
+
+
+if __name__ == "__main__":
+    main()
diff --git a/scripts/securedrop-admin.py b/scripts/securedrop-admin.py
@@ -106,6 +106,8 @@ def perform_uninstall():
         subprocess.check_call(
             ["sudo", "dnf", "-y", "-q", "remove", "qubes-template-securedrop-workstation-buster"]
         )
+        print("Removing SecureDrop tags from remaining VMs")
+        subprocess.check_call([os.path.join(SCRIPTS_PATH, "scripts/remove-tags")])
         print("Uninstalling dom0 config package")
         subprocess.check_call(
             ["sudo", "dnf", "-y", "-q", "remove", "securedrop-workstation-dom0-config"]
@@ -132,7 +134,8 @@ def main():
     elif args.uninstall:
         print(
             "Uninstalling will remove all packages and destroy all VMs associated\n"
-            "with SecureDrop Workstation."
+            "with SecureDrop Workstation. It will also remove all SecureDrop tags\n"
+            "from other VMs on the system."
         )
         response = input("Are you sure you want to uninstall (y/N)? ")
         if response.lower() != 'y':