def isXSEnabled(self):
""" Check whether 'security' is enabled on this system.
This currently only checks for ACM-enablement.
"""
rc = 0
if security.on():
rc |= xsconstants.XS_POLICY_ACM
return rc
def isXSEnabled(self):
""" Check whether 'security' is enabled on this system.
This currently only checks for ACM-enablement.
"""
rc = 0
if security.on() == xsconstants.XS_POLICY_ACM:
rc |= xsconstants.XS_POLICY_ACM
return rc
def isXSEnabled(self):
""" Check whether 'security' is enabled on this system.
"""
rc = 0
if security.on() == xsconstants.XS_POLICY_ACM:
rc |= xsconstants.XS_POLICY_ACM
else:
rc |= xsconstants.XS_POLICY_FLASK
return rc
def __init__(self, maxpolicies):
""" Create a management class for managing the system's
policies.
@param maxpolicies: The max. number of policies allowed
on the system (currently '1')
"""
self.maxpolicies = maxpolicies
self.policies = {}
self.xsobjs = {}
bootloader.init()
if security.on() == xsconstants.XS_POLICY_ACM:
self.__acm_init()
def __init__(self, maxpolicies):
""" Create a management class for managing the system's
policies.
@param maxpolicies: The max. number of policies allowed
on the system (currently '1')
"""
self.maxpolicies = maxpolicies
self.policies = {}
self.xsobjs = {}
bootloader.init()
if security.on() == xsconstants.XS_POLICY_ACM:
self.__acm_init()
def __add_acmpolicy_to_system(self, xmltext, flags, overwrite):
errors = ""
if security.on() != xsconstants.XS_POLICY_ACM:
raise SecurityError(-xsconstants.XSERR_POLICY_TYPE_UNSUPPORTED)
loadedpol = self.get_loaded_policy()
if loadedpol:
# This is meant as an update to a currently loaded policy
if flags & xsconstants.XS_INST_LOAD == 0:
raise SecurityError(-xsconstants.XSERR_POLICY_LOADED)
# Remember old flags, so they can be restored if update fails
old_flags = self.get_policy_flags(loadedpol)
# Remove policy from bootloader in case of new name of policy
self.rm_bootpolicy()
rc, errors = loadedpol.update(xmltext)
if rc == 0:
irc = self.activate_xspolicy(loadedpol, flags)
# policy is loaded; if setting the boot flag fails it's ok.
else:
old_flags = old_flags & xsconstants.XS_INST_BOOT
log.info("OLD FLAGS TO RESTORE: %s" % str(old_flags))
if old_flags != 0:
self.activate_xspolicy(loadedpol, xsconstants.XS_INST_BOOT)
return (loadedpol, rc, errors)
try:
dom = minidom.parseString(xmltext.encode("utf-8"))
except:
raise SecurityError(-xsconstants.XSERR_BAD_XML)
ref = uuid.createString()
acmpol = ACMPolicy(dom=dom, ref=ref)
#First some basic tests that do not modify anything:
if flags & xsconstants.XS_INST_BOOT and not overwrite:
filename = acmpol.get_filename(".bin", "", dotted=True)
if bootloader.get_default_policy != None and \
not bootloader.loads_default_policy(filename):
raise SecurityError(-xsconstants.XSERR_BOOTPOLICY_INSTALLED)
if not overwrite and len(self.policies) >= self.maxpolicies:
raise SecurityError(-xsconstants.XSERR_BOOTPOLICY_INSTALLED)
if overwrite:
#This should only give one key since only one policy is
#allowed.
keys = self.policies.keys()
for k in keys:
self.rm_bootpolicy()
rc = self.rm_policy_from_system(k, force=overwrite)
if rc != xsconstants.XSERR_SUCCESS:
raise SecurityError(rc)
rc = acmpol.compile()
if rc != 0:
raise SecurityError(rc)
if flags & xsconstants.XS_INST_LOAD:
rc = acmpol.loadintohv()
if rc != 0:
raise SecurityError(rc)
if flags & xsconstants.XS_INST_BOOT:
rc = self.make_boot_policy(acmpol)
if rc != 0:
# If it cannot be installed due to unsupported
# bootloader, let it be ok.
pass
if dom:
new_entry = {
ref: tuple([acmpol.get_name(), xsconstants.ACM_POLICY_ID])
}
self.policies.update(new_entry)
self.xsobjs[ref] = acmpol
return (acmpol, xsconstants.XSERR_SUCCESS, errors)
def __add_acmpolicy_to_system(self, xmltext, flags, overwrite):
errors = ""
if security.on() != xsconstants.XS_POLICY_ACM:
raise SecurityError(-xsconstants.XSERR_POLICY_TYPE_UNSUPPORTED)
loadedpol = self.get_loaded_policy()
if loadedpol:
# This is meant as an update to a currently loaded policy
if flags & xsconstants.XS_INST_LOAD == 0:
raise SecurityError(-xsconstants.XSERR_POLICY_LOADED)
# Remember old flags, so they can be restored if update fails
old_flags = self.get_policy_flags(loadedpol)
# Remove policy from bootloader in case of new name of policy
self.rm_bootpolicy()
rc, errors = loadedpol.update(xmltext)
if rc == 0:
irc = self.activate_xspolicy(loadedpol, flags)
# policy is loaded; if setting the boot flag fails it's ok.
else:
old_flags = old_flags & xsconstants.XS_INST_BOOT
log.info("OLD FLAGS TO RESTORE: %s" % str(old_flags))
if old_flags != 0:
self.activate_xspolicy(loadedpol, xsconstants.XS_INST_BOOT)
return (loadedpol, rc, errors)
try:
dom = minidom.parseString(xmltext.encode("utf-8"))
except:
raise SecurityError(-xsconstants.XSERR_BAD_XML)
ref = uuid.createString()
acmpol = ACMPolicy(dom=dom, ref=ref)
#First some basic tests that do not modify anything:
if flags & xsconstants.XS_INST_BOOT and not overwrite:
filename = acmpol.get_filename(".bin","",dotted=True)
if bootloader.get_default_policy != None and \
not bootloader.loads_default_policy(filename):
raise SecurityError(-xsconstants.XSERR_BOOTPOLICY_INSTALLED)
if not overwrite and len(self.policies) >= self.maxpolicies:
raise SecurityError(-xsconstants.XSERR_BOOTPOLICY_INSTALLED)
if overwrite:
#This should only give one key since only one policy is
#allowed.
keys = self.policies.keys()
for k in keys:
self.rm_bootpolicy()
rc = self.rm_policy_from_system(k, force=overwrite)
if rc != xsconstants.XSERR_SUCCESS:
raise SecurityError(rc)
rc = acmpol.compile()
if rc != 0:
raise SecurityError(rc)
if flags & xsconstants.XS_INST_LOAD:
rc = acmpol.loadintohv()
if rc != 0:
raise SecurityError(rc)
if flags & xsconstants.XS_INST_BOOT:
rc = self.make_boot_policy(acmpol)
if rc != 0:
# If it cannot be installed due to unsupported
# bootloader, let it be ok.
pass
if dom:
new_entry = { ref : tuple([acmpol.get_name(),
xsconstants.ACM_POLICY_ID]) }
self.policies.update(new_entry)
self.xsobjs[ref] = acmpol
return (acmpol, xsconstants.XSERR_SUCCESS, errors)
