def rm_vif_label(vmname, idx):
if xm_main.serverType != xm_main.SERVER_XEN_API:
raise OptionError('Need to be configure for using xen-api.')
vm_refs = server.xenapi.VM.get_by_name_label(vmname)
if len(vm_refs) == 0:
raise OptionError('A VM with the name %s does not exist.' % vmname)
vif_refs = server.xenapi.VM.get_VIFs(vm_refs[0])
if len(vif_refs) <= idx:
raise OptionError("Bad VIF index.")
vif_ref = server.xenapi.VIF.get_by_uuid(vif_refs[idx])
if not vif_ref:
raise security.XSMError("A VIF with this UUID does not exist.")
try:
old_lab = server.xenapi.VIF.get_security_label(vif_ref)
if old_lab != "":
rc = server.xenapi.VIF.set_security_label(vif_ref, "", old_lab)
if int(rc) != 0:
raise security.XSMError("Could not remove the label from"
" the VIF.")
else:
print "Successfully removed the label from the VIF."
else:
raise security.XSMError("VIF is not labeled.")
except Exception, e:
raise security.XSMError("Could not remove the label from the VIF: %s" %
str(e))
def resetpolicy():
msg = None
xs_type = xsconstants.XS_POLICY_ACM
flags = xsconstants.XS_INST_LOAD
if xm_main.serverType == xm_main.SERVER_XEN_API:
if int(server.xenapi.XSPolicy.get_xstype()) & xs_type == 0:
raise security.XSMError("ACM policy type not supported.")
policystate = server.xenapi.XSPolicy.get_xspolicy()
acmpol = ACMPolicy(xml=policystate['repr'])
now_flags = int(policystate['flags'])
if now_flags & xsconstants.XS_INST_BOOT == 0 and \
not acmpol.is_default_policy():
msg = "Old policy not found in bootloader file."
try:
policystate = server.xenapi.XSPolicy.reset_xspolicy(xs_type)
except Exception, e:
raise security.XSMError("An error occurred resetting the "
"policy: %s" % str(e))
xserr = int(policystate['xserr'])
if xserr != xsconstants.XSERR_SUCCESS:
raise security.XSMError("Could not reset the system's policy. "
"Try to halt all guests.")
else:
print "Successfully reset the system's policy."
if msg:
print msg
def setpolicy(policytype, policy_name, flags, overwrite):
if policytype.upper() == xsconstants.ACM_POLICY_ID:
xs_type = xsconstants.XS_POLICY_ACM
for prefix in ['./', install_policy_dir_prefix + "/"]:
policy_file = prefix + "/".join(policy_name.split(".")) + \
"-security_policy.xml"
if os.path.exists(policy_file):
break
try:
f = open(policy_file, "r")
xml = f.read()
f.close()
except:
raise OptionError("Could not read policy file from current"
" directory or '%s'." %
install_policy_dir_prefix)
if xm_main.serverType == xm_main.SERVER_XEN_API:
if xs_type != int(server.xenapi.XSPolicy.get_xstype()):
raise security.XSMError("ACM policy type not supported.")
try:
policystate = server.xenapi.XSPolicy.set_xspolicy(
xs_type, xml, flags, overwrite)
except Exception, e:
raise security.XSMError("An error occurred setting the "
"policy: %s" % str(e))
xserr = int(policystate['xserr'])
if xserr != xsconstants.XSERR_SUCCESS:
txt = "An error occurred trying to set the policy: %s." % \
xsconstants.xserr2string(abs(xserr))
errors = policystate['errors']
if len(errors) > 0:
txt += " " + build_hv_error_message(
base64.b64decode(errors))
raise security.XSMError(txt)
else:
print "Successfully set the new policy."
getpolicy(False)
else:
# Non-Xen-API call.
if xs_type != server.xend.security.get_xstype():
raise security.XSMError("ACM policy type not supported.")
rc, errors = server.xend.security.set_policy(
xs_type, xml, flags, overwrite)
if rc != xsconstants.XSERR_SUCCESS:
txt = "An error occurred trying to set the policy: %s." % \
xsconstants.xserr2string(abs(rc))
if len(errors) > 0:
txt += " " + build_hv_error_message(
base64.b64decode(errors))
raise security.XSMError(txt)
else:
print "Successfully set the new policy."
getpolicy(False)
def get_resource_label(resource):
"""Gets the resource label
"""
if xm_main.serverType == xm_main.SERVER_XEN_API:
reslabel = server.xenapi.XSPolicy.get_resource_label(resource)
if reslabel == "":
raise security.XSMError("Resource not labeled")
print reslabel
else:
reslabel = server.xend.security.get_resource_label(resource)
if len(reslabel) == 0:
raise security.XSMError("Resource not labeled")
print ":".join(reslabel)
def rm_resource_label(resource):
"""Removes a resource label from the global resource label file.
"""
# Try Xen-API first if configured to use it
if xm_main.serverType == xm_main.SERVER_XEN_API:
try:
oldlabel = server.xenapi.XSPolicy.get_resource_label(resource)
if oldlabel != "":
server.xenapi.XSPolicy.set_resource_label(
resource, "", oldlabel)
else:
raise security.XSMError("Resource not labeled")
except Exception, e:
raise security.XSMError("Could not remove label "
"from resource: %s" % e)
return
def add_domain_label_xapi(label, domainname, policyref, policy_type):
sec_lab = "%s:%s:%s" % (policy_type, policyref, label)
if xm_main.serverType != xm_main.SERVER_XEN_API:
old_seclab = server.xend.security.get_domain_label(domainname)
if old_seclab[0] == '\'':
old_seclab = old_seclab[1:]
results = server.xend.security.set_domain_label(
domainname, sec_lab, old_seclab)
rc, ssidref = results
if rc == xsconstants.XSERR_SUCCESS:
if ssidref != 0:
print "Successfully set the label of domain '%s' to '%s'.\n" \
% (domainname,label)
else:
print "Successfully set the label of the dormant domain " \
"'%s' to '%s'." % (domainname,label)
else:
msg = xsconstants.xserr2string(-rc)
raise security.XSMError("An error occurred relabeling "
"the domain: %s" % msg)
else:
uuids = server.xenapi.VM.get_by_name_label(domainname)
if len(uuids) == 0:
raise OptionError('A VM with that name does not exist.')
if len(uuids) != 1:
raise OptionError('There are multiple domains with the same name.')
uuid = uuids[0]
try:
old_lab = server.xenapi.VM.get_security_label(uuid)
rc = server.xenapi.VM.set_security_label(uuid, sec_lab, old_lab)
except Exception, e:
raise security.XSMError("Could not label the domain: %s" % e)
if int(rc) < 0:
raise OptionError('Could not label domain.')
else:
ssidref = int(rc)
if ssidref != 0:
print "Successfully set the label of domain '%s' to '%s'.\n" \
% (domainname,label)
else:
print "Successfully set the label of the dormant domain " \
"'%s' to '%s'." % (domainname,label)
def rm_domain_label_xapi(domain):
if xm_main.serverType != xm_main.SERVER_XEN_API:
old_lab = server.xend.security.get_domain_label(domain)
vmlabel = ""
if old_lab != "":
tmp = old_lab.split(":")
if len(tmp) == 3:
vmlabel = tmp[2]
if old_lab != "" and vmlabel != ACM_LABEL_UNLABELED:
server.xend.security.set_domain_label(domain, "", old_lab)
print "Successfully removed label from domain %s." % domain
else:
raise security.XSMError("Domain was not labeled.")
else:
uuids = server.xenapi.VM.get_by_name_label(domain)
if len(uuids) == 0:
raise OptionError('A VM with that name does not exist.')
if len(uuids) != 1:
raise OptionError('Too many domains with the same name.')
uuid = uuids[0]
try:
old_lab = server.xenapi.VM.get_security_label(uuid)
vmlabel = ""
if old_lab != "":
tmp = old_lab.split(":")
if len(tmp) == 3:
vmlabel = tmp[2]
if old_lab != "":
server.xenapi.VM.set_security_label(uuid, "", old_lab)
else:
raise security.XSMError("Domain was not labeled.")
except Exception, e:
raise security.XSMError('Could not remove label from domain: %s' %
e)
def rm_domain_label(configfile):
# open the domain config file
fd = None
fil = None
if configfile[0] == '/':
fil = configfile
fd = open(fil, "rb")
else:
for prefix in [".", auxbin.xen_configdir()]:
fil = prefix + "/" + configfile
if os.path.isfile(fil):
fd = open(fil, "rb")
break
if not fd:
raise OptionError("Configuration file '%s' not found." % configfile)
# read in the domain config file, removing label
ac_entry_re = re.compile("^access_control\s*=.*", re.IGNORECASE)
ac_exit_re = re.compile(".*'\].*")
file_contents = ""
comment = 0
removed = 0
for line in fd.readlines():
if ac_entry_re.match(line):
comment = 1
if comment:
removed = 1
line = "#" + line
if comment and ac_exit_re.match(line):
comment = 0
file_contents = file_contents + line
fd.close()
# send error message if we didn't find anything to remove
if not removed:
raise security.XSMError('Domain not labeled')
# write the data back out to the file
fd = open(fil, "wb")
fd.writelines(file_contents)
fd.close()
def get_domain_label(configfile):
# open the domain config file
fd = None
if configfile[0] == '/':
fd = open(configfile, "rb")
else:
for prefix in [".", "/etc/xen"]:
abs_file = prefix + "/" + configfile
if os.path.isfile(abs_file):
fd = open(abs_file, "rb")
break
if not fd:
raise OptionError("Configuration file '%s' not found." % configfile)
# read in the domain config file, finding the label line
ac_entry_re = re.compile("^access_control\s*=.*", re.IGNORECASE)
ac_exit_re = re.compile(".*'\].*")
acline = ""
record = 0
for line in fd.readlines():
if ac_entry_re.match(line):
record = 1
if record:
acline = acline + line
if record and ac_exit_re.match(line):
record = 0
fd.close()
# send error message if we didn't find anything
if acline == "":
raise security.XSMError("Domain not labeled")
# print out the label
(title, data) = acline.split("=", 1)
data = data.strip()
data = data.lstrip("[\'")
data = data.rstrip("\']")
print "policytype=%s," % xsconstants.ACM_POLICY_ID + data
policystate = server.xenapi.XSPolicy.reset_xspolicy(xs_type)
except Exception, e:
raise security.XSMError("An error occurred resetting the "
"policy: %s" % str(e))
xserr = int(policystate['xserr'])
if xserr != xsconstants.XSERR_SUCCESS:
raise security.XSMError("Could not reset the system's policy. "
"Try to halt all guests.")
else:
print "Successfully reset the system's policy."
if msg:
print msg
else:
if server.xend.security.get_xstype() & xs_type == 0:
raise security.XSMError("ACM policy type not supported.")
xml, now_flags = server.xend.security.get_policy()
acmpol = ACMPolicy(xml=xml)
if int(now_flags) & xsconstants.XS_INST_BOOT == 0 and \
not acmpol.is_default_policy():
msg = "Old policy not found in bootloader file."
rc, errors = server.xend.security.reset_policy()
if rc != xsconstants.XSERR_SUCCESS:
raise security.XSMError("Could not reset the system's policy. "
"Try to halt all guests.")
else:
print "Successfully reset the system's policy."
security.err("An error occurred labeling the resource: %s" % \
xsconstants.xserr2string(-rc))
else:
old = security.format_resource_label(old)
security.err("'%s' is already labeled with '%s'." % \
(resource,old))
else:
res = [policy_type, policyref, label]
res_xapi = security.format_resource_label(res)
old = server.xenapi.XSPolicy.get_resource_label(resource)
if old == "":
try:
server.xenapi.XSPolicy.set_resource_label(
resource, res_xapi, "")
except Exception, e:
raise security.XSMError("Could not label this resource: %s" %
str(e))
else:
raise security.XSMError("'%s' is already labeled with '%s'" %
(resource, old))
def add_domain_label(label, configfile, policyref):
# sanity checks: make sure this label can be instantiated later on
ssidref = security.label2ssidref(label, policyref, 'dom')
new_label = "access_control = ['policy=%s,label=%s']\n" % \
(policyref, label)
if not os.path.isfile(configfile):
security.err("Configuration file \'" + configfile + "\' not found.")
config_fd = open(configfile, "ra+")
for line in config_fd:
if oldlabel != "":
server.xenapi.XSPolicy.set_resource_label(
resource, "", oldlabel)
else:
raise security.XSMError("Resource not labeled")
except Exception, e:
raise security.XSMError("Could not remove label "
"from resource: %s" % e)
return
else:
oldlabel = server.xend.security.get_resource_label(resource)
if len(oldlabel) != 0:
rc = server.xend.security.set_resource_label(resource, "", "", "")
if rc != xsconstants.XSERR_SUCCESS:
raise security.XSMError("An error occurred removing the "
"label: %s" % \
xsconstants.xserr2string(-rc))
else:
raise security.XSMError("Resource not labeled")
def rm_domain_label(configfile):
# open the domain config file
fd = None
fil = None
if configfile[0] == '/':
fil = configfile
fd = open(fil, "rb")
else:
for prefix in [".", auxbin.xen_configdir()]:
fil = prefix + "/" + configfile
xserr = int(policystate['xserr'])
if xserr != xsconstants.XSERR_SUCCESS:
txt = "An error occurred trying to set the policy: %s." % \
xsconstants.xserr2string(abs(xserr))
errors = policystate['errors']
if len(errors) > 0:
txt += " " + build_hv_error_message(base64.b64decode(errors))
raise security.XSMError(txt)
else:
print "Successfully set the new policy."
if xs_type == xsconstants.XS_POLICY_ACM:
getpolicy(False)
else:
# Non-Xen-API call.
if xs_type != server.xend.security.on():
raise security.XSMError("Policy type not supported.")
rc, errors = server.xend.security.set_policy(xs_type, policy, flags,
overwrite)
if rc != xsconstants.XSERR_SUCCESS:
txt = "An error occurred trying to set the policy: %s." % \
xsconstants.xserr2string(abs(rc))
if len(errors) > 0:
txt += " " + build_hv_error_message(base64.b64decode(errors))
raise security.XSMError(txt)
else:
print "Successfully set the new policy."
if xs_type == xsconstants.XS_POLICY_ACM:
getpolicy(False)
