def __init__(self, maxpolicies):
    """Create the manager for the system's security policies.

    Registers the policy the hypervisor currently enforces in the
    bookkeeping dictionaries; if no XML representation of that policy
    can be found, the DEFAULT policy is forced and registered instead.

    @param maxpolicies: The max. number of policies allowed on the
                        system (currently '1')
    """
    self.maxpolicies = maxpolicies
    # ref -> (policy name, policy type id)
    self.policies = {}
    # ref -> ACMPolicy object
    self.xsobjs = {}

    loaded_name = self.get_hv_loaded_policy_name()
    initialize()
    ref = uuid.createString()
    try:
        loaded_pol = ACMPolicy(name=loaded_name, ref=ref)
        self.xsobjs[ref] = loaded_pol
        self.policies[ref] = (loaded_name, xsconstants.ACM_POLICY_ID)
    except Exception, err:
        log.error("Could not find XML representation of policy '%s': %s"
                  % (loaded_name, err))
        # Fall back to the DEFAULT policy so the manager still holds a
        # usable policy entry; if even that fails nothing is recorded.
        rc, _errors, default_pol = ACMPolicy.force_default_policy()
        if rc != xsconstants.XSERR_SUCCESS:
            return
        self.xsobjs[ref] = default_pol
        self.policies[ref] = (default_pol.get_name(),
                              xsconstants.ACM_POLICY_ID)
        log.info("Switched to DEFAULT policy.")
def resetpolicy():
    """Reset the system's security policy via the Xen-API server.

    Checks that the server supports ACM policies, remembers whether the
    policy being replaced was never installed in the bootloader (this
    is only reported after the reset, it does not stop it), then asks
    the server to reset the policy and reports the outcome.

    @raise security.XSMError: ACM unsupported, the reset call failed, or
           the server returned an error code
    """
    xs_type = xsconstants.XS_POLICY_ACM
    flags = xsconstants.XS_INST_LOAD
    msg = None

    if xm_main.serverType != xm_main.SERVER_XEN_API:
        return

    supported = int(server.xenapi.XSPolicy.get_xstype()) & xs_type
    if not supported:
        raise security.XSMError("ACM policy type not supported.")

    policystate = server.xenapi.XSPolicy.get_xspolicy()
    acmpol = ACMPolicy(xml=policystate['repr'])
    now_flags = int(policystate['flags'])
    if not (now_flags & xsconstants.XS_INST_BOOT) \
       and not acmpol.is_default_policy():
        msg = "Old policy not found in bootloader file."

    try:
        policystate = server.xenapi.XSPolicy.reset_xspolicy(xs_type)
    except Exception, err:
        raise security.XSMError("An error occurred resetting the "
                                "policy: %s" % str(err))

    if int(policystate['xserr']) != xsconstants.XSERR_SUCCESS:
        raise security.XSMError("Could not reset the system's policy. "
                                "Try to halt all guests.")
    print "Successfully reset the system's policy."
    if msg:
        print msg
def __init__(self, maxpolicies):
    """Create the manager for the system's security policies.

    Registers the policy the hypervisor currently enforces in the
    bookkeeping dictionaries; if no XML representation of that policy
    can be found, the DEFAULT policy is forced and registered instead.

    @param maxpolicies: The max. number of policies allowed on the
                        system (currently '1')
    """
    self.maxpolicies = maxpolicies
    # ref -> (policy name, policy type id)
    self.policies = {}
    # ref -> ACMPolicy object
    self.xsobjs = {}

    loaded_name = self.get_hv_loaded_policy_name()
    initialize()
    ref = uuid.createString()
    try:
        loaded_pol = ACMPolicy(name=loaded_name, ref=ref)
        self.xsobjs[ref] = loaded_pol
        self.policies[ref] = (loaded_name, xsconstants.ACM_POLICY_ID)
    except Exception, err:
        log.error("Could not find XML representation of policy '%s': %s"
                  % (loaded_name, err))
        # Fall back to the DEFAULT policy so the manager still holds a
        # usable policy entry; if even that fails nothing is recorded.
        rc, _errors, default_pol = ACMPolicy.force_default_policy()
        if rc != xsconstants.XSERR_SUCCESS:
            return
        self.xsobjs[ref] = default_pol
        self.policies[ref] = (default_pol.get_name(),
                              xsconstants.ACM_POLICY_ID)
        log.info("Switched to DEFAULT policy.")
def getpolicy(dumpxml):
    """Print the security subsystems and the installed policy (xm command).

    Works against either a Xen-API server or the legacy xend interface;
    in both cases the subsystems are displayed first and then the
    policy, or a message that none is installed.

    @param dumpxml: passed through to display_policy_info(); selects
                    whether the policy XML is printed as well
    """
    policy_id = xsconstants.ACM_POLICY_ID

    if xm_main.serverType == xm_main.SERVER_XEN_API:
        display_security_subsystems(int(server.xenapi.XSPolicy.get_xstype()))
        policystate = server.xenapi.XSPolicy.get_xspolicy()
        pol_type = int(policystate["type"])
        if pol_type == 0:
            print "No policy is installed."
        elif pol_type != xsconstants.XS_POLICY_ACM:
            print "Unknown policy type '%s'." % policystate["type"]
        else:
            xml = policystate["repr"]
            acmpol = None
            if xml:
                acmpol = ACMPolicy(xml=xml)
            display_policy_info(acmpol, policy_id,
                                policystate["xs_ref"],
                                policystate["version"],
                                int(policystate["flags"]),
                                dumpxml, xml)
        return

    # Legacy xend path.
    display_security_subsystems(server.xend.security.get_xstype())
    xml, flags = server.xend.security.get_policy()
    acmpol = None
    if xml != "":
        try:
            dom = minidom.parseString(xml)
            if dom:
                acmpol = ACMPolicy(dom=dom)
        except Exception, err:
            print "Error parsing the library: " + str(err)
    if not acmpol:
        print "No policy is installed."
        return
    display_policy_info(acmpol, policy_id, None, acmpol.get_version(),
                        flags, dumpxml, xml)
def __acm_init(self):
    """Register the policy the hypervisor currently enforces.

    Looks up the loaded policy's XML by name and then runs
    validate_enforced_policy_hash() on it (presumably comparing the XML
    against the enforced binary policy); if either step raises, the
    DEFAULT policy is forced under the same reference instead.
    """
    loaded_name = self.get_hv_loaded_policy_name()
    initialize()
    ref = uuid.createString()
    try:
        loaded_pol = ACMPolicy(name=loaded_name, ref=ref)
        self.xsobjs[ref] = loaded_pol
        self.policies[ref] = (loaded_name, xsconstants.ACM_POLICY_ID)
        # A mismatch here raises and triggers the fallback below.
        loaded_pol.validate_enforced_policy_hash()
    except Exception, err:
        log.error("Could not find XML representation of policy '%s': %s"
                  % (loaded_name, err))
        rc, _errors, default_pol = ACMPolicy.force_default_policy(ref)
        if rc != xsconstants.XSERR_SUCCESS:
            return
        self.xsobjs[ref] = default_pol
        self.policies[ref] = (default_pol.get_name(),
                              xsconstants.ACM_POLICY_ID)
        log.info("Switched to DEFAULT policy.")
def labels_xapi(policy, ptype):
    """List the label names of the loaded ACM policy (Xen-API path).

    @param policy: name of the policy to list; if it differs from the
                   loaded policy a warning is printed and the request
                   is handed to labels()
    @param ptype: 'dom' for VM labels, 'res' for resource labels, 'any'
                  for both; an empty value behaves like 'dom'
    """
    policystate = server.xenapi.XSPolicy.get_xspolicy()
    pol_type = int(policystate['type'])
    if pol_type == 0:
        err("No policy installed on the system.")
        return
    if pol_type != xsconstants.XS_POLICY_ACM:
        err("Unsupported type of policy installed on the system.")
        return

    acmpol = ACMPolicy(xml=policystate['repr'])
    if policy and policy != acmpol.get_name():
        print "Warning: '%s' is not the currently loaded policy." % policy
        return labels(policy, ptype)

    vm_names = []
    res_names = []
    if not ptype or ptype in ('dom', 'any'):
        vm_names = acmpol.policy_get_virtualmachinelabel_names()
    if ptype in ('res', 'any'):
        res_names = acmpol.policy_get_resourcelabel_names()
    for name in sorted(set(vm_names).union(res_names)):
        print name
def getpolicy(dumpxml):
    """Print the security subsystems and the installed policy (xm command).

    Works against either a Xen-API server or the legacy xend interface;
    in both cases the subsystems are displayed first and then the
    policy, or a message that none is installed.

    @param dumpxml: passed through to display_policy_info(); selects
                    whether the policy XML is printed as well
    """
    policy_id = xsconstants.ACM_POLICY_ID

    if xm_main.serverType == xm_main.SERVER_XEN_API:
        display_security_subsystems(int(server.xenapi.XSPolicy.get_xstype()))
        policystate = server.xenapi.XSPolicy.get_xspolicy()
        pol_type = int(policystate['type'])
        if pol_type == 0:
            print "No policy is installed."
        elif pol_type != xsconstants.XS_POLICY_ACM:
            print "Unknown policy type '%s'." % policystate['type']
        else:
            xml = policystate['repr']
            acmpol = None
            if xml:
                acmpol = ACMPolicy(xml=xml)
            display_policy_info(acmpol, policy_id,
                                policystate['xs_ref'],
                                policystate['version'],
                                int(policystate['flags']),
                                dumpxml, xml)
        return

    # Legacy xend path.
    display_security_subsystems(server.xend.security.get_xstype())
    xml, flags = server.xend.security.get_policy()
    acmpol = None
    if xml != "":
        try:
            dom = minidom.parseString(xml)
            if dom:
                acmpol = ACMPolicy(dom=dom)
        except Exception, err:
            print "Error parsing the library: " + str(err)
    if not acmpol:
        print "No policy is installed."
        return
    display_policy_info(acmpol, policy_id, None, acmpol.get_version(),
                        flags, dumpxml, xml)
def reset_acmpolicy(self):
    """Reset the system's policy by installing the DEFAULT policy.

    The reset XML is installed with overwrite=True and both the BOOT
    and LOAD flags while XendDomain's domains_lock is held, presumably
    so domain state cannot change under the policy swap.

    @return: whatever __add_acmpolicy_to_system returns, i.e. a
             (policy, rc, errors) tuple
    """
    from xen.xend import XendDomain
    lock = XendDomain.instance().domains_lock
    try:
        lock.acquire()
        reset_xml = ACMPolicy.get_reset_policy_xml()
        inst_flags = xsconstants.XS_INST_BOOT | xsconstants.XS_INST_LOAD
        return self.__add_acmpolicy_to_system(reset_xml, inst_flags, True)
    finally:
        lock.release()
def __acm_init(self):
    """Register the policy the hypervisor currently enforces.

    Looks up the loaded policy's XML by name and then runs
    validate_enforced_policy_hash() on it (presumably comparing the XML
    against the enforced binary policy); if either step raises, the
    DEFAULT policy is forced under the same reference instead.
    """
    loaded_name = self.get_hv_loaded_policy_name()
    initialize()
    ref = uuid.createString()
    try:
        loaded_pol = ACMPolicy(name=loaded_name, ref=ref)
        self.xsobjs[ref] = loaded_pol
        self.policies[ref] = (loaded_name, xsconstants.ACM_POLICY_ID)
        # A mismatch here raises and triggers the fallback below.
        loaded_pol.validate_enforced_policy_hash()
    except Exception, err:
        log.error("Could not find XML representation of policy '%s': %s"
                  % (loaded_name, err))
        rc, _errors, default_pol = ACMPolicy.force_default_policy(ref)
        if rc != xsconstants.XSERR_SUCCESS:
            return
        self.xsobjs[ref] = default_pol
        self.policies[ref] = (default_pol.get_name(),
                              xsconstants.ACM_POLICY_ID)
        log.info("Switched to DEFAULT policy.")
def __add_acmpolicy_to_system(self, xmltext, flags, overwrite):
    """Install a new ACM policy, or update the loaded one, from XML text.

    If the hypervisor already has a policy loaded, *xmltext* is applied
    as an update to that policy (update path). Otherwise the XML is
    parsed, compiled, loaded into the hypervisor and/or installed as
    boot policy according to *flags*, and recorded in self.policies and
    self.xsobjs (new-policy path).

    @param xmltext: the policy as XML text; encoded as UTF-8 before
                    parsing on the new-policy path
    @param flags: bitmask of xsconstants.XS_INST_LOAD and
                  xsconstants.XS_INST_BOOT
    @param overwrite: if true, every policy known to this manager is
                      removed from the system first, and the bootloader
                      and maxpolicies checks are skipped
    @return: (policy, rc, errors) -- rc is xsconstants.XSERR_SUCCESS on
             the new-policy path or the return code of
             ACMPolicy.update() on the update path; errors is the text
             returned by update(), "" otherwise
    @raise SecurityError: policy type not ACM, update of a loaded
           policy without XS_INST_LOAD, unparsable XML, a conflicting
           boot policy or no free policy slot, or a failure to remove,
           compile or load a policy
    """
    errors = ""
    if security.on() != xsconstants.XS_POLICY_ACM:
        raise SecurityError(-xsconstants.XSERR_POLICY_TYPE_UNSUPPORTED)
    loadedpol = self.get_loaded_policy()
    if loadedpol:
        # This is meant as an update to a currently loaded policy
        if flags & xsconstants.XS_INST_LOAD == 0:
            raise SecurityError(-xsconstants.XSERR_POLICY_LOADED)

        # Remember old flags, so they can be restored if update fails
        old_flags = self.get_policy_flags(loadedpol)

        # Remove policy from bootloader in case of new name of policy
        self.rm_bootpolicy()

        rc, errors = loadedpol.update(xmltext)
        if rc == 0:
            # The activation result (irc) is deliberately not checked.
            irc = self.activate_xspolicy(loadedpol, flags)
            # policy is loaded; if setting the boot flag fails it's ok.
        else:
            # Update failed: the boot entry was removed above, so put it
            # back if the old policy had been installed for boot.
            old_flags = old_flags & xsconstants.XS_INST_BOOT
            log.info("OLD FLAGS TO RESTORE: %s" % str(old_flags))
            if old_flags != 0:
                self.activate_xspolicy(loadedpol, xsconstants.XS_INST_BOOT)

        return (loadedpol, rc, errors)

    # No policy loaded: install a new one.
    try:
        dom = minidom.parseString(xmltext.encode("utf-8"))
    except:
        # NOTE(review): a bare except also turns KeyboardInterrupt /
        # SystemExit into "bad XML"; `except Exception:` would be the
        # narrower choice.
        raise SecurityError(-xsconstants.XSERR_BAD_XML)

    ref = uuid.createString()
    acmpol = ACMPolicy(dom=dom, ref=ref)

    #First some basic tests that do not modify anything:

    if flags & xsconstants.XS_INST_BOOT and not overwrite:
        filename = acmpol.get_filename(".bin","",dotted=True)
        # NOTE(review): bootloader.get_default_policy is compared to
        # None without being called; if it is a function this operand
        # is always true and only loads_default_policy() decides --
        # confirm whether get_default_policy() was intended.
        if bootloader.get_default_policy != None and \
           not bootloader.loads_default_policy(filename):
            raise SecurityError(-xsconstants.XSERR_BOOTPOLICY_INSTALLED)

    # "No free policy slot" reuses the BOOTPOLICY_INSTALLED error code.
    if not overwrite and len(self.policies) >= self.maxpolicies:
        raise SecurityError(-xsconstants.XSERR_BOOTPOLICY_INSTALLED)

    if overwrite:
        #This should only give one key since only one policy is
        #allowed.
        # NOTE(review): nothing below rolls these removals back if
        # compile() or loadintohv() fails afterwards, and no lock is
        # taken here -- reset_acmpolicy() holds XendDomain's
        # domains_lock when it calls with overwrite=True.
        keys = self.policies.keys()
        for k in keys:
            self.rm_bootpolicy()
            rc = self.rm_policy_from_system(k, force=overwrite)
            if rc != xsconstants.XSERR_SUCCESS:
                # NOTE(review): rc is passed unchanged while the
                # constants above are negated -- confirm the sign
                # convention SecurityError expects.
                raise SecurityError(rc)

    rc = acmpol.compile()
    if rc != 0:
        raise SecurityError(rc)

    if flags & xsconstants.XS_INST_LOAD:
        rc = acmpol.loadintohv()
        if rc != 0:
            raise SecurityError(rc)

    if flags & xsconstants.XS_INST_BOOT:
        rc = self.make_boot_policy(acmpol)
        if rc != 0:
            # If it cannot be installed due to unsupported
            # bootloader, let it be ok.
            pass

    # A parse failure raised above, so dom is set on every path that
    # reaches here and the new policy is recorded.
    if dom:
        new_entry = { ref : tuple([acmpol.get_name(),
                                   xsconstants.ACM_POLICY_ID]) }
        self.policies.update(new_entry)
        self.xsobjs[ref] = acmpol
    return (acmpol, xsconstants.XSERR_SUCCESS, errors)
def get_enforced_binary(self, xstype):
    """Return the enforced binary policy for *xstype*.

    Only xsconstants.XS_POLICY_ACM is supported; any other type yields
    None.

    @param xstype: the policy type constant
    @return: the result of ACMPolicy.get_enforced_binary(), or None
    """
    if xstype != xsconstants.XS_POLICY_ACM:
        return None
    return ACMPolicy.get_enforced_binary()
def __add_acmpolicy_to_system(self, xmltext, flags, overwrite):
    """Install a new ACM policy, or update the loaded one, from XML text.

    If the hypervisor already has a policy loaded, *xmltext* is applied
    as an update to that policy (update path). Otherwise the XML is
    parsed, compiled, loaded into the hypervisor and/or installed as
    boot policy according to *flags*, and recorded in self.policies and
    self.xsobjs (new-policy path).

    @param xmltext: the policy as XML text; encoded as UTF-8 before
                    parsing on the new-policy path
    @param flags: bitmask of xsconstants.XS_INST_LOAD and
                  xsconstants.XS_INST_BOOT
    @param overwrite: if true, every policy known to this manager is
                      removed from the system first, and the bootloader
                      and maxpolicies checks are skipped
    @return: (policy, rc, errors) -- rc is xsconstants.XSERR_SUCCESS on
             the new-policy path or the return code of
             ACMPolicy.update() on the update path; errors is the text
             returned by update(), "" otherwise
    @raise SecurityError: policy type not ACM, update of a loaded
           policy without XS_INST_LOAD, unparsable XML, a conflicting
           boot policy or no free policy slot, or a failure to remove,
           compile or load a policy
    """
    errors = ""
    if security.on() != xsconstants.XS_POLICY_ACM:
        raise SecurityError(-xsconstants.XSERR_POLICY_TYPE_UNSUPPORTED)
    loadedpol = self.get_loaded_policy()
    if loadedpol:
        # This is meant as an update to a currently loaded policy
        if flags & xsconstants.XS_INST_LOAD == 0:
            raise SecurityError(-xsconstants.XSERR_POLICY_LOADED)

        # Remember old flags, so they can be restored if update fails
        old_flags = self.get_policy_flags(loadedpol)

        # Remove policy from bootloader in case of new name of policy
        self.rm_bootpolicy()

        rc, errors = loadedpol.update(xmltext)
        if rc == 0:
            # The activation result (irc) is deliberately not checked.
            irc = self.activate_xspolicy(loadedpol, flags)
            # policy is loaded; if setting the boot flag fails it's ok.
        else:
            # Update failed: the boot entry was removed above, so put it
            # back if the old policy had been installed for boot.
            old_flags = old_flags & xsconstants.XS_INST_BOOT
            log.info("OLD FLAGS TO RESTORE: %s" % str(old_flags))
            if old_flags != 0:
                self.activate_xspolicy(loadedpol, xsconstants.XS_INST_BOOT)

        return (loadedpol, rc, errors)

    # No policy loaded: install a new one.
    try:
        dom = minidom.parseString(xmltext.encode("utf-8"))
    except:
        # NOTE(review): a bare except also turns KeyboardInterrupt /
        # SystemExit into "bad XML"; `except Exception:` would be the
        # narrower choice.
        raise SecurityError(-xsconstants.XSERR_BAD_XML)

    ref = uuid.createString()
    acmpol = ACMPolicy(dom=dom, ref=ref)

    #First some basic tests that do not modify anything:

    if flags & xsconstants.XS_INST_BOOT and not overwrite:
        filename = acmpol.get_filename(".bin", "", dotted=True)
        # NOTE(review): bootloader.get_default_policy is compared to
        # None without being called; if it is a function this operand
        # is always true and only loads_default_policy() decides --
        # confirm whether get_default_policy() was intended.
        if bootloader.get_default_policy != None and \
           not bootloader.loads_default_policy(filename):
            raise SecurityError(-xsconstants.XSERR_BOOTPOLICY_INSTALLED)

    # "No free policy slot" reuses the BOOTPOLICY_INSTALLED error code.
    if not overwrite and len(self.policies) >= self.maxpolicies:
        raise SecurityError(-xsconstants.XSERR_BOOTPOLICY_INSTALLED)

    if overwrite:
        #This should only give one key since only one policy is
        #allowed.
        # NOTE(review): nothing below rolls these removals back if
        # compile() or loadintohv() fails afterwards, and no lock is
        # taken here -- reset_acmpolicy() holds XendDomain's
        # domains_lock when it calls with overwrite=True.
        keys = self.policies.keys()
        for k in keys:
            self.rm_bootpolicy()
            rc = self.rm_policy_from_system(k, force=overwrite)
            if rc != xsconstants.XSERR_SUCCESS:
                # NOTE(review): rc is passed unchanged while the
                # constants above are negated -- confirm the sign
                # convention SecurityError expects.
                raise SecurityError(rc)

    rc = acmpol.compile()
    if rc != 0:
        raise SecurityError(rc)

    if flags & xsconstants.XS_INST_LOAD:
        rc = acmpol.loadintohv()
        if rc != 0:
            raise SecurityError(rc)

    if flags & xsconstants.XS_INST_BOOT:
        rc = self.make_boot_policy(acmpol)
        if rc != 0:
            # If it cannot be installed due to unsupported
            # bootloader, let it be ok.
            pass

    # A parse failure raised above, so dom is set on every path that
    # reaches here and the new policy is recorded.
    if dom:
        new_entry = { ref: tuple([acmpol.get_name(),
                                  xsconstants.ACM_POLICY_ID]) }
        self.policies.update(new_entry)
        self.xsobjs[ref] = acmpol
    return (acmpol, xsconstants.XSERR_SUCCESS, errors)
tmp = vers.split('.') if len(tmp) == 1: rev = 1 else: rev = int(tmp[1]) + 1 hdr['version'] = "%s.%s" % (tmp[0],rev) return hdr session = xapi.connect() policystate = session.xenapi.XSPolicy.get_xspolicy() if policystate['repr'] != "": print "%s" % policystate['repr'] try: acmpol = ACMPolicy(xml=policystate['repr']) except Exception, e: FAIL("Failure from creating ACMPolicy object: %s" % str(e)) oldname = acmpol.policy_dom_get_hdr_item("PolicyName") oldvers = acmpol.policy_dom_get_hdr_item("Version") tmp = oldvers.split(".") if len(tmp) == 1: rev = 1 else: rev = int(tmp[1]) + 1 newvers = "%s.%s" % (tmp[0], str(rev)) print "old name/version = %s/%s" % (oldname, oldvers) else: oldname = None oldvers = None newvers = "1.0"
xserr = int(policystate['xserr']) if xserr != xsconstants.XSERR_SUCCESS: raise security.XSMError("Could not reset the system's policy. " "Try to halt all guests.") else: print "Successfully reset the system's policy." if msg: print msg else: if server.xend.security.get_xstype() & xs_type == 0: raise security.XSMError("ACM policy type not supported.") xml, now_flags = server.xend.security.get_policy() acmpol = ACMPolicy(xml=xml) if int(now_flags) & xsconstants.XS_INST_BOOT == 0 and \ not acmpol.is_default_policy(): msg = "Old policy not found in bootloader file." rc, errors = server.xend.security.reset_policy() if rc != xsconstants.XSERR_SUCCESS: raise security.XSMError("Could not reset the system's policy. " "Try to halt all guests.") else: print "Successfully reset the system's policy." if msg: print msg
FAIL("Flags (%x) are not indicating the correct state of the policy.", int(policystate['flags'])) policystate = session.xenapi.XSPolicy.get_xspolicy() xs_ref = policystate['xs_ref'] newpolicyxml = None f = open("xm-test-new-security_policy.xml", 'r') if f: newpolicyxml = f.read() f.close() else: FAIL("Could not read 'xm-test-new' policy") cur_acmpol = ACMPolicy(xml = policystate['repr']) new_acmpol = ACMPolicy(xml = newpolicyxml) new_acmpol.update_frompolicy(cur_acmpol) policystate = session.xenapi.XSPolicy.set_xspolicy(xsconstants.XS_POLICY_ACM, new_acmpol.toxml(), xsconstants.XS_INST_LOAD | xsconstants.XS_INST_BOOT, 1) f = open("xm-test-security_policy.xml", 'r') if f: newpolicyxml = f.read() f.close() else: FAIL("Could not read 'xm-test-new' policy")
xsconstants.XS_INST_LOAD: FAIL("Flags (%x) are not indicating the correct state of the policy.", int(policystate['flags'])) policystate = session.xenapi.XSPolicy.get_xspolicy() xs_ref = policystate['xs_ref'] newpolicyxml = None f = open("xm-test-new-security_policy.xml", 'r') if f: newpolicyxml = f.read() f.close() else: FAIL("Could not read 'xm-test-new' policy") cur_acmpol = ACMPolicy(xml=policystate['repr']) new_acmpol = ACMPolicy(xml=newpolicyxml) new_acmpol.update_frompolicy(cur_acmpol) policystate = session.xenapi.XSPolicy.set_xspolicy( xsconstants.XS_POLICY_ACM, new_acmpol.toxml(), xsconstants.XS_INST_LOAD | xsconstants.XS_INST_BOOT, 1) f = open("xm-test-security_policy.xml", 'r') if f: newpolicyxml = f.read() f.close() else: FAIL("Could not read 'xm-test-new' policy")
if len(tmp) == 1: rev = 1 else: rev = int(tmp[1]) + 1 hdr['version'] = "%s.%s" % (tmp[0], rev) return hdr session = xapi.connect() policystate = session.xenapi.XSPolicy.get_xspolicy() if policystate['repr'] != "": print "%s" % policystate['repr'] try: acmpol = ACMPolicy(xml=policystate['repr']) except Exception, e: FAIL("Failure from creating ACMPolicy object: %s" % str(e)) oldname = acmpol.policy_dom_get_hdr_item("PolicyName") oldvers = acmpol.policy_dom_get_hdr_item("Version") tmp = oldvers.split(".") if len(tmp) == 1: rev = 1 else: rev = int(tmp[1]) + 1 newvers = "%s.%s" % (tmp[0], str(rev)) print "old name/version = %s/%s" % (oldname, oldvers) else: oldname = None oldvers = None newvers = "1.0"