Esempio n. 1
    def set_xspolicy(self, xstype, xml, flags, overwrite):
        """Install an ACM policy through the policy admin and build its state record.

        ``xstype`` and ``flags`` are coerced to ``int`` before use. Only
        ``xsconstants.XS_POLICY_ACM`` is handled in the code visible here.
        ``xml``, ``flags`` and ``overwrite`` are handed unchanged to
        ``poladmin.add_acmpolicy_to_system``.

        NOTE(review): this excerpt ends inside the function. No ``return``
        and no branch for other ``xstype`` values are visible, so the final
        result handed to the caller cannot be confirmed from here.
        NOTE(review): nothing in this block validates ``xml`` or checks the
        caller's authorisation; presumably both happen in the policy admin
        or in the API layer above -- confirm before exposing this call.
        """
        ref = ""
        # int() raises on non-numeric input, so malformed values stop here.
        xstype = int(xstype)
        flags  = int(flags)

        # Default record, used as-is when the policy type is not ACM and
        # partially updated when the policy admin reports an error.
        polstate = { 'xs_ref': "", 'repr'   : "", 'type'   : 0,
                     'flags' : 0 , 'version': 0 , 'errors' : "", 'xserr' : 0 }
        if xstype == xsconstants.XS_POLICY_ACM:
            poladmin = XSPolicyAdminInstance()
            try:
                (xspol, rc, errors) = poladmin.add_acmpolicy_to_system(
                                                                   xml, flags,
                                                                   overwrite)
                if rc != 0:
                    # Failure: keep the empty record, but report the error
                    # code and the base64-encoded error text.
                    polstate.update( { 'xserr' : rc,
                                       'errors': base64.b64encode(errors) } )
                else:
                    # Success: describe the installed policy. 'repr' is left
                    # empty, so the policy XML is not echoed back here.
                    ref = xspol.get_ref()
                    polstate = {
                      'xs_ref' : ref,
                      'flags'  : poladmin.get_policy_flags(xspol),
                      'type'   : xstype,
                      'repr'   : "",
                      'version': xspol.get_version(),
                      'errors' : base64.b64encode(errors),
                      'xserr'  : rc,
                    }
            except Exception, e:
                # Re-raised unchanged; 'e' is unused, so this handler adds
                # nothing in the visible code.
                raise
Esempio n. 2
 def activate_xspolicy(self, flags):
     """Ask the policy admin to activate ``self.xspol`` with the given flags.

     ``flags`` is coerced to ``int``. ``rc`` starts as the negated general
     failure code, so it still signals failure if the activation call
     raises before assigning a result.

     NOTE(review): this excerpt ends after the exception handler. No
     ``return`` is visible; presumably ``rc`` is returned by the code that
     follows -- confirm.
     """
     flags = int(flags)
     # Pessimistic default: stays in place when the call below raises.
     rc = -xsconstants.XSERR_GENERAL_FAILURE
     poladmin = XSPolicyAdminInstance()
     try:
         rc = poladmin.activate_xspolicy(self.xspol, flags)
     except Exception, e:
         # The exception is swallowed and recorded only at info level.
         # NOTE(review): a failed security-policy activation may deserve a
         # higher log severity so it is not lost in routine output.
         log.info("Activate_policy: %s" % str(e))
Esempio n. 3
 def get_xspolicy(self):
     """Return a state record for the first policy the policy admin reports.

     The record is a dict with the keys ``xs_ref``, ``repr``, ``type``,
     ``flags``, ``version``, ``errors`` and ``xserr``. When no policy
     reference is available, or the reference cannot be resolved to a
     policy object, a record with empty/zero values is returned instead.
     On success ``repr`` carries the full policy XML from ``toxml()``.
     """
     empty_state = { 'xs_ref' : "",
                     'repr'   : "",
                     'type'   : 0,
                     'flags'  : 0,
                     'version': "",
                     'errors' : "",
                     'xserr'  : 0 }
     admin = XSPolicyAdminInstance()
     policy_refs = admin.get_policies_refs()
     # Only the first reference is used; later ones are ignored.
     if not policy_refs or len(policy_refs) == 0:
         return empty_state

     first_ref = policy_refs[0]
     policy = XSPolicyAdminInstance().policy_from_ref(first_ref)
     if not policy:
         return empty_state

     return {
       'xs_ref' : first_ref,
       'repr'   : policy.toxml(),
       'type'   : policy.get_type(),
       'flags'  : admin.get_policy_flags(policy),
       'version': policy.get_version(),
       'errors' : "",
       'xserr'  : 0,
     }
Esempio n. 4
 def get_record(self):
     """Return a dict describing this policy: uuid, flags, XML and type.

     ``repr`` holds the complete policy XML produced by
     ``self.xspol.toxml()``, so whoever receives the record can read the
     whole policy.
     """
     uuid = self.get_uuid()
     policy_flags = XSPolicyAdminInstance().get_policy_flags(self.xspol)
     policy_xml = self.xspol.toxml()
     policy_type = self.xspol.get_type()
     return {
       'uuid'   : uuid,
       'flags'  : policy_flags,
       'repr'   : policy_xml,
       'type'   : policy_type,
     }
Esempio n. 5
 def do_access_control(self, config):
     """Check whether the VM's security label permits use of this device.

     Raises ``VmError`` when:
       * the device has no ``security_label`` in ``config`` although the
         VM's label maps to more than one STE,
       * the device is labeled but the VM has no security label, or
       * the resource security check returns 0.

     When the device is unlabeled and the VM's label maps to at most one
     STE, no check is made and the method returns ``None``.
     """
     vm_label = self.vm.get_security_label()
     vm_stes = XSPolicyAdminInstance().get_stes_of_vmlabel(vm_label)
     res_label = config.get('security_label')

     # Unlabeled device and a VM with at most one STE: nothing to enforce.
     if len(vm_stes) <= 1 and not res_label:
         return

     if not res_label:
         raise VmError("'VIF' must be labeled")

     (label, ssidref, policy) = \
                       security.security_label_to_details(res_label)

     if not vm_label:
         raise VmError("VM must have a security label to access "
                       "network device")

     # NOTE(review): only a result of exactly 0 is treated as a denial.
     # Confirm the checker cannot report an internal error with any other
     # value, otherwise such an error would be read as "allowed".
     verdict = security.res_security_check_xapi(label, ssidref, policy,
                                                vm_label)
     if verdict == 0:
         raise VmError("VM's access to network device denied. "
                       "Check labeling")
Esempio n. 6
 def get_xstype(self):
     """Return the value reported by the policy admin's ``isXSEnabled()``.

     NOTE(review): the method name suggests a policy type while the call
     asks whether XS is enabled -- confirm what the result encodes.
     """
     admin = XSPolicyAdminInstance()
     return admin.isXSEnabled()
Esempio n. 7
 def get_enforced_binary(self):
     """Return the enforced ACM policy binary, base64-encoded, or ``None``.

     ``None`` is returned whenever the policy admin hands back a falsy
     value (for example no binary or an empty one).
     """
     admin = XSPolicyAdminInstance()
     raw_policy = admin.get_enforced_binary(xsconstants.XS_POLICY_ACM)
     if not raw_policy:
         return None
     # Base64 keeps the binary blob safe to carry in a text-based reply.
     return base64.b64encode(raw_policy)
Esempio n. 8
 def rm_xsbootpolicy(self):
     """Remove the boot policy via the policy admin.

     Raises ``SecurityError`` carrying the admin's return code whenever
     that code is anything other than ``xsconstants.XSERR_SUCCESS``.
     """
     status = XSPolicyAdminInstance().rm_bootpolicy()
     if status == xsconstants.XSERR_SUCCESS:
         return
     # Any non-success code surfaces as an exception instead of being dropped.
     raise SecurityError(status)