def isXSEnabled(self): """ Check whether 'security' is enabled on this system. This currently only checks for ACM-enablement. """ rc = 0 if security.on(): rc |= xsconstants.XS_POLICY_ACM return rc
def isXSEnabled(self): """ Check whether 'security' is enabled on this system. This currently only checks for ACM-enablement. """ rc = 0 if security.on() == xsconstants.XS_POLICY_ACM: rc |= xsconstants.XS_POLICY_ACM return rc
def isXSEnabled(self): """ Check whether 'security' is enabled on this system. """ rc = 0 if security.on() == xsconstants.XS_POLICY_ACM: rc |= xsconstants.XS_POLICY_ACM else: rc |= xsconstants.XS_POLICY_FLASK return rc
def __init__(self, maxpolicies): """ Create a management class for managing the system's policies. @param maxpolicies: The max. number of policies allowed on the system (currently '1') """ self.maxpolicies = maxpolicies self.policies = {} self.xsobjs = {} bootloader.init() if security.on() == xsconstants.XS_POLICY_ACM: self.__acm_init()
def __add_acmpolicy_to_system(self, xmltext, flags, overwrite): errors = "" if security.on() != xsconstants.XS_POLICY_ACM: raise SecurityError(-xsconstants.XSERR_POLICY_TYPE_UNSUPPORTED) loadedpol = self.get_loaded_policy() if loadedpol: # This is meant as an update to a currently loaded policy if flags & xsconstants.XS_INST_LOAD == 0: raise SecurityError(-xsconstants.XSERR_POLICY_LOADED) # Remember old flags, so they can be restored if update fails old_flags = self.get_policy_flags(loadedpol) # Remove policy from bootloader in case of new name of policy self.rm_bootpolicy() rc, errors = loadedpol.update(xmltext) if rc == 0: irc = self.activate_xspolicy(loadedpol, flags) # policy is loaded; if setting the boot flag fails it's ok. else: old_flags = old_flags & xsconstants.XS_INST_BOOT log.info("OLD FLAGS TO RESTORE: %s" % str(old_flags)) if old_flags != 0: self.activate_xspolicy(loadedpol, xsconstants.XS_INST_BOOT) return (loadedpol, rc, errors) try: dom = minidom.parseString(xmltext.encode("utf-8")) except: raise SecurityError(-xsconstants.XSERR_BAD_XML) ref = uuid.createString() acmpol = ACMPolicy(dom=dom, ref=ref) #First some basic tests that do not modify anything: if flags & xsconstants.XS_INST_BOOT and not overwrite: filename = acmpol.get_filename(".bin", "", dotted=True) if bootloader.get_default_policy != None and \ not bootloader.loads_default_policy(filename): raise SecurityError(-xsconstants.XSERR_BOOTPOLICY_INSTALLED) if not overwrite and len(self.policies) >= self.maxpolicies: raise SecurityError(-xsconstants.XSERR_BOOTPOLICY_INSTALLED) if overwrite: #This should only give one key since only one policy is #allowed. keys = self.policies.keys() for k in keys: self.rm_bootpolicy() rc = self.rm_policy_from_system(k, force=overwrite) if rc != xsconstants.XSERR_SUCCESS: raise SecurityError(rc) rc = acmpol.compile() if rc != 0: raise SecurityError(rc) if flags & xsconstants.XS_INST_LOAD: rc = acmpol.loadintohv() if rc != 0: raise SecurityError(rc) if flags & xsconstants.XS_INST_BOOT: rc = self.make_boot_policy(acmpol) if rc != 0: # If it cannot be installed due to unsupported # bootloader, let it be ok. pass if dom: new_entry = { ref: tuple([acmpol.get_name(), xsconstants.ACM_POLICY_ID]) } self.policies.update(new_entry) self.xsobjs[ref] = acmpol return (acmpol, xsconstants.XSERR_SUCCESS, errors)
def __add_acmpolicy_to_system(self, xmltext, flags, overwrite): errors = "" if security.on() != xsconstants.XS_POLICY_ACM: raise SecurityError(-xsconstants.XSERR_POLICY_TYPE_UNSUPPORTED) loadedpol = self.get_loaded_policy() if loadedpol: # This is meant as an update to a currently loaded policy if flags & xsconstants.XS_INST_LOAD == 0: raise SecurityError(-xsconstants.XSERR_POLICY_LOADED) # Remember old flags, so they can be restored if update fails old_flags = self.get_policy_flags(loadedpol) # Remove policy from bootloader in case of new name of policy self.rm_bootpolicy() rc, errors = loadedpol.update(xmltext) if rc == 0: irc = self.activate_xspolicy(loadedpol, flags) # policy is loaded; if setting the boot flag fails it's ok. else: old_flags = old_flags & xsconstants.XS_INST_BOOT log.info("OLD FLAGS TO RESTORE: %s" % str(old_flags)) if old_flags != 0: self.activate_xspolicy(loadedpol, xsconstants.XS_INST_BOOT) return (loadedpol, rc, errors) try: dom = minidom.parseString(xmltext.encode("utf-8")) except: raise SecurityError(-xsconstants.XSERR_BAD_XML) ref = uuid.createString() acmpol = ACMPolicy(dom=dom, ref=ref) #First some basic tests that do not modify anything: if flags & xsconstants.XS_INST_BOOT and not overwrite: filename = acmpol.get_filename(".bin","",dotted=True) if bootloader.get_default_policy != None and \ not bootloader.loads_default_policy(filename): raise SecurityError(-xsconstants.XSERR_BOOTPOLICY_INSTALLED) if not overwrite and len(self.policies) >= self.maxpolicies: raise SecurityError(-xsconstants.XSERR_BOOTPOLICY_INSTALLED) if overwrite: #This should only give one key since only one policy is #allowed. keys = self.policies.keys() for k in keys: self.rm_bootpolicy() rc = self.rm_policy_from_system(k, force=overwrite) if rc != xsconstants.XSERR_SUCCESS: raise SecurityError(rc) rc = acmpol.compile() if rc != 0: raise SecurityError(rc) if flags & xsconstants.XS_INST_LOAD: rc = acmpol.loadintohv() if rc != 0: raise SecurityError(rc) if flags & xsconstants.XS_INST_BOOT: rc = self.make_boot_policy(acmpol) if rc != 0: # If it cannot be installed due to unsupported # bootloader, let it be ok. pass if dom: new_entry = { ref : tuple([acmpol.get_name(), xsconstants.ACM_POLICY_ID]) } self.policies.update(new_entry) self.xsobjs[ref] = acmpol return (acmpol, xsconstants.XSERR_SUCCESS, errors)