Ejemplo n.º 1
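    def __add_acmpolicy_to_system(self, xmltext, flags, overwrite):
        """Install an ACM policy from XML, or update the one already loaded.

        When a policy is currently loaded, ``xmltext`` is applied to it as an
        update. Otherwise a new ACMPolicy is parsed and compiled, then loaded
        into the hypervisor and/or installed as boot policy as ``flags`` ask.

        Args:
            xmltext: Policy XML as text; it is encoded to UTF-8 before parsing.
            flags: Bitmask tested against xsconstants.XS_INST_LOAD and
                xsconstants.XS_INST_BOOT.
            overwrite: When true, every entry in self.policies is removed
                first and the bootloader and policy-count checks are skipped.

        Returns:
            A ``(policy, rc, errors)`` tuple. On the update path ``rc`` and
            ``errors`` come from the loaded policy's ``update()``; on the
            install path ``rc`` is XSERR_SUCCESS and ``errors`` is "".

        Raises:
            SecurityError: The update lacks XS_INST_LOAD, the XML cannot be
                parsed, a pre-check fails, removal of an old policy fails,
                or compiling / loading the new policy fails.
        """
        errors = ""
        loadedpol = self.get_loaded_policy()
        if loadedpol:
            # This is an update of the currently loaded policy, which is only
            # allowed when the caller asked for the policy to be loaded.
            if (flags & xsconstants.XS_INST_LOAD) == 0:
                raise SecurityError(-xsconstants.XSERR_POLICY_LOADED)

            # Remember old flags, so they can be restored if the update fails.
            old_flags = self.get_policy_flags(loadedpol)

            # Remove policy from bootloader in case the policy gets a new name.
            self.rm_bootpolicy()

            rc, errors = loadedpol.update(xmltext)
            if rc == 0:
                # Policy is loaded; if setting the boot flag fails it's ok,
                # so the result is deliberately not checked.
                self.activate_xspolicy(loadedpol, flags)
            else:
                # Roll back: only the boot flag is restored, because the
                # boot entry was removed above.
                old_flags = old_flags & xsconstants.XS_INST_BOOT
                log.info("OLD FLAGS TO RESTORE: %s" % str(old_flags))
                if old_flags != 0:
                    self.activate_xspolicy(loadedpol, xsconstants.XS_INST_BOOT)

            return (loadedpol, rc, errors)

        # NOTE(review): minidom does not limit entity expansion. If xmltext
        # can reach this method from a less-trusted caller, confirm that it is
        # validated or size-limited upstream.
        try:
            dom = minidom.parseString(xmltext.encode("utf-8"))
        except Exception:
            # Any parse or encode failure is reported as bad XML. Catching
            # Exception (not a bare except) lets KeyboardInterrupt and
            # SystemExit propagate instead of being masked as XSERR_BAD_XML.
            raise SecurityError(-xsconstants.XSERR_BAD_XML)

        ref = uuid.createString()

        acmpol = ACMPolicy(dom=dom, ref=ref)

        # First some basic tests that do not modify anything:

        if flags & xsconstants.XS_INST_BOOT and not overwrite:
            filename = acmpol.get_filename(".bin", "", dotted=True)
            # NOTE(review): this tests the attribute get_default_policy itself,
            # not the result of calling it, so the first operand is presumably
            # always true. Confirm whether a call was intended.
            if bootloader.get_default_policy is not None and \
               not bootloader.loads_default_policy(filename):
                raise SecurityError(-xsconstants.XSERR_BOOTPOLICY_INSTALLED)

        if not overwrite and len(self.policies) >= self.maxpolicies:
            # NOTE(review): the policy limit is reported with the same code as
            # the bootloader conflict above. Confirm this is intentional.
            raise SecurityError(-xsconstants.XSERR_BOOTPOLICY_INSTALLED)

        if overwrite:
            # NOTE(review): the old policy is removed before the new one has
            # compiled or loaded. If a later step raises, nothing visible here
            # restores it. Confirm callers accept that window.
            #
            # This should only give one key since only one policy is allowed.
            # Iterate over a snapshot, as removal may change self.policies.
            for k in list(self.policies.keys()):
                self.rm_bootpolicy()
                rc = self.rm_policy_from_system(k, force=overwrite)
                if rc != xsconstants.XSERR_SUCCESS:
                    raise SecurityError(rc)

        rc = acmpol.compile()
        if rc != 0:
            raise SecurityError(rc)

        if flags & xsconstants.XS_INST_LOAD:
            rc = acmpol.loadintohv()
            if rc != 0:
                raise SecurityError(rc)

        if flags & xsconstants.XS_INST_BOOT:
            # If it cannot be installed due to an unsupported bootloader,
            # let it be ok: the return code is intentionally ignored.
            self.make_boot_policy(acmpol)

        if dom:
            # Register the new policy under its freshly generated reference.
            new_entry = {
                ref: (acmpol.get_name(), xsconstants.ACM_POLICY_ID)
            }
            self.policies.update(new_entry)
            self.xsobjs[ref] = acmpol
        return (acmpol, xsconstants.XSERR_SUCCESS, errors)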
Ejemplo n.º 2
        xserr = int(policystate['xserr'])
        if xserr != xsconstants.XSERR_SUCCESS:
            raise security.XSMError("Could not reset the system's policy. "
                                    "Try to halt all guests.")
        else:
            print "Successfully reset the system's policy."
            if msg:
                print msg
    else:
        if server.xend.security.get_xstype() & xs_type == 0:
           raise security.XSMError("ACM policy type not supported.")

        xml, now_flags = server.xend.security.get_policy()

        acmpol = ACMPolicy(xml=xml)

        if int(now_flags) & xsconstants.XS_INST_BOOT == 0 and \
           not acmpol.is_default_policy():
            msg = "Old policy not found in bootloader file."

        rc, errors = server.xend.security.reset_policy()
        if rc != xsconstants.XSERR_SUCCESS:
            raise security.XSMError("Could not reset the system's policy. "
                                    "Try to halt all guests.")
        else:
            print "Successfully reset the system's policy."
            if msg:
                print msg

Ejemplo n.º 3
    if len(tmp) == 1:
        rev = 1
    else:
        rev = int(tmp[1]) + 1
    hdr['version'] = "%s.%s" % (tmp[0], rev)
    return hdr


# Open a Xen-API session (xapi is defined outside this excerpt).
session = xapi.connect()

# Fetch the current XSPolicy state; only its 'repr' entry is read below.
policystate = session.xenapi.XSPolicy.get_xspolicy()

if policystate['repr'] != "":
    # A policy representation was returned: print it, parse it, and derive
    # the version string for the next policy from the current one.
    print "%s" % policystate['repr']
    try:
        acmpol = ACMPolicy(xml=policystate['repr'])
    except Exception, e:
        # NOTE(review): acmpol stays unbound if FAIL() returns instead of
        # aborting; confirm FAIL terminates the test.
        FAIL("Failure from creating ACMPolicy object: %s" % str(e))
    oldname = acmpol.policy_dom_get_hdr_item("PolicyName")
    oldvers = acmpol.policy_dom_get_hdr_item("Version")
    # Bump the second dot-separated component of the version; a version
    # without a dot gets revision 1.
    tmp = oldvers.split(".")
    if len(tmp) == 1:
        rev = 1
    else:
        # int() raises ValueError for a non-numeric component; that case is
        # not handled here.
        rev = int(tmp[1]) + 1
    newvers = "%s.%s" % (tmp[0], str(rev))
    print "old name/version = %s/%s" % (oldname, oldvers)
else:
    # Empty 'repr': there is no previous name or version, so start at "1.0".
    oldname = None
    oldvers = None
    newvers = "1.0"