def get_policy_flags(self, acmpol): """ Get the currently active flags of a policy, i.e., whether the system is using this policy as its boot policy for the default boot title. """ flags = 0 filename = acmpol.get_filename(".bin", "", dotted=True) if bootloader.loads_default_policy(filename) or \ acmpol.is_default_policy(): flags |= xsconstants.XS_INST_BOOT if acmpol.isloaded(): flags |= xsconstants.XS_INST_LOAD return flags
def get_policy_flags(self, acmpol): """ Get the currently active flags of a policy, i.e., whether the system is using this policy as its boot policy for the default boot title. """ flags = 0 filename = acmpol.get_filename(".bin","", dotted=True) if bootloader.loads_default_policy(filename) or \ acmpol.is_default_policy(): flags |= xsconstants.XS_INST_BOOT if acmpol.isloaded(): flags |= xsconstants.XS_INST_LOAD return flags
def __add_acmpolicy_to_system(self, xmltext, flags, overwrite): errors = "" if security.on() != xsconstants.XS_POLICY_ACM: raise SecurityError(-xsconstants.XSERR_POLICY_TYPE_UNSUPPORTED) loadedpol = self.get_loaded_policy() if loadedpol: # This is meant as an update to a currently loaded policy if flags & xsconstants.XS_INST_LOAD == 0: raise SecurityError(-xsconstants.XSERR_POLICY_LOADED) # Remember old flags, so they can be restored if update fails old_flags = self.get_policy_flags(loadedpol) # Remove policy from bootloader in case of new name of policy self.rm_bootpolicy() rc, errors = loadedpol.update(xmltext) if rc == 0: irc = self.activate_xspolicy(loadedpol, flags) # policy is loaded; if setting the boot flag fails it's ok. else: old_flags = old_flags & xsconstants.XS_INST_BOOT log.info("OLD FLAGS TO RESTORE: %s" % str(old_flags)) if old_flags != 0: self.activate_xspolicy(loadedpol, xsconstants.XS_INST_BOOT) return (loadedpol, rc, errors) try: dom = minidom.parseString(xmltext.encode("utf-8")) except: raise SecurityError(-xsconstants.XSERR_BAD_XML) ref = uuid.createString() acmpol = ACMPolicy(dom=dom, ref=ref) #First some basic tests that do not modify anything: if flags & xsconstants.XS_INST_BOOT and not overwrite: filename = acmpol.get_filename(".bin", "", dotted=True) if bootloader.get_default_policy != None and \ not bootloader.loads_default_policy(filename): raise SecurityError(-xsconstants.XSERR_BOOTPOLICY_INSTALLED) if not overwrite and len(self.policies) >= self.maxpolicies: raise SecurityError(-xsconstants.XSERR_BOOTPOLICY_INSTALLED) if overwrite: #This should only give one key since only one policy is #allowed. keys = self.policies.keys() for k in keys: self.rm_bootpolicy() rc = self.rm_policy_from_system(k, force=overwrite) if rc != xsconstants.XSERR_SUCCESS: raise SecurityError(rc) rc = acmpol.compile() if rc != 0: raise SecurityError(rc) if flags & xsconstants.XS_INST_LOAD: rc = acmpol.loadintohv() if rc != 0: raise SecurityError(rc) if flags & xsconstants.XS_INST_BOOT: rc = self.make_boot_policy(acmpol) if rc != 0: # If it cannot be installed due to unsupported # bootloader, let it be ok. pass if dom: new_entry = { ref: tuple([acmpol.get_name(), xsconstants.ACM_POLICY_ID]) } self.policies.update(new_entry) self.xsobjs[ref] = acmpol return (acmpol, xsconstants.XSERR_SUCCESS, errors)
def __add_acmpolicy_to_system(self, xmltext, flags, overwrite): errors = "" if security.on() != xsconstants.XS_POLICY_ACM: raise SecurityError(-xsconstants.XSERR_POLICY_TYPE_UNSUPPORTED) loadedpol = self.get_loaded_policy() if loadedpol: # This is meant as an update to a currently loaded policy if flags & xsconstants.XS_INST_LOAD == 0: raise SecurityError(-xsconstants.XSERR_POLICY_LOADED) # Remember old flags, so they can be restored if update fails old_flags = self.get_policy_flags(loadedpol) # Remove policy from bootloader in case of new name of policy self.rm_bootpolicy() rc, errors = loadedpol.update(xmltext) if rc == 0: irc = self.activate_xspolicy(loadedpol, flags) # policy is loaded; if setting the boot flag fails it's ok. else: old_flags = old_flags & xsconstants.XS_INST_BOOT log.info("OLD FLAGS TO RESTORE: %s" % str(old_flags)) if old_flags != 0: self.activate_xspolicy(loadedpol, xsconstants.XS_INST_BOOT) return (loadedpol, rc, errors) try: dom = minidom.parseString(xmltext.encode("utf-8")) except: raise SecurityError(-xsconstants.XSERR_BAD_XML) ref = uuid.createString() acmpol = ACMPolicy(dom=dom, ref=ref) #First some basic tests that do not modify anything: if flags & xsconstants.XS_INST_BOOT and not overwrite: filename = acmpol.get_filename(".bin","",dotted=True) if bootloader.get_default_policy != None and \ not bootloader.loads_default_policy(filename): raise SecurityError(-xsconstants.XSERR_BOOTPOLICY_INSTALLED) if not overwrite and len(self.policies) >= self.maxpolicies: raise SecurityError(-xsconstants.XSERR_BOOTPOLICY_INSTALLED) if overwrite: #This should only give one key since only one policy is #allowed. keys = self.policies.keys() for k in keys: self.rm_bootpolicy() rc = self.rm_policy_from_system(k, force=overwrite) if rc != xsconstants.XSERR_SUCCESS: raise SecurityError(rc) rc = acmpol.compile() if rc != 0: raise SecurityError(rc) if flags & xsconstants.XS_INST_LOAD: rc = acmpol.loadintohv() if rc != 0: raise SecurityError(rc) if flags & xsconstants.XS_INST_BOOT: rc = self.make_boot_policy(acmpol) if rc != 0: # If it cannot be installed due to unsupported # bootloader, let it be ok. pass if dom: new_entry = { ref : tuple([acmpol.get_name(), xsconstants.ACM_POLICY_ID]) } self.policies.update(new_entry) self.xsobjs[ref] = acmpol return (acmpol, xsconstants.XSERR_SUCCESS, errors)