Exemplo n.º 1
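def setpolicy(policytype, policy_name, flags, overwrite):
    """Read an ACM policy file and ask the server to install it.

    The dotted policy_name is converted to a relative path ending in
    "-security_policy.xml".  The current directory is tried first, then
    install_policy_dir_prefix.  A policytype other than the ACM id is
    ignored and the function returns without doing anything.

    flags and overwrite are handed to the server call unchanged.

    Raises:
        OptionError: the policy file could not be opened or read.
        security.XSMError: the server reports a different policy type,
            the Xen-API call raised, or the server returned an error code.
    """
    if policytype.upper() != xsconstants.ACM_POLICY_ID:
        return

    xs_type = xsconstants.XS_POLICY_ACM

    # NOTE(review): './' is searched before the install directory, so a
    # file with the same name in the working directory takes precedence
    # over the installed policy.
    # If neither candidate exists, policy_file keeps the last candidate and
    # the open() below reports the failure.
    for prefix in ['./', install_policy_dir_prefix + "/"]:
        policy_file = prefix + "/".join(policy_name.split(".")) + \
                      "-security_policy.xml"
        if os.path.exists(policy_file):
            break

    # Catch only I/O failures (a bare except would also turn
    # KeyboardInterrupt/SystemExit into OptionError) and always release
    # the file handle, even when read() fails.
    try:
        f = open(policy_file, "r")
        try:
            xml = f.read()
        finally:
            f.close()
    except (IOError, OSError):
        raise OptionError("Could not read policy file from current"
                          " directory or '%s'." %
                          install_policy_dir_prefix)

    if xm_main.serverType == xm_main.SERVER_XEN_API:
        # The server must be running the same policy type we want to set.
        if xs_type != int(server.xenapi.XSPolicy.get_xstype()):
            raise security.XSMError("ACM policy type not supported.")

        try:
            policystate = server.xenapi.XSPolicy.set_xspolicy(
                xs_type, xml, flags, overwrite)
        except Exception, e:
            raise security.XSMError("An error occurred setting the "
                                    "policy: %s" % str(e))
        xserr = int(policystate['xserr'])
        if xserr != xsconstants.XSERR_SUCCESS:
            txt = "An error occurred trying to set the policy: %s." % \
                  xsconstants.xserr2string(abs(xserr))
            # Extra error detail arrives base64-encoded.
            errors = policystate['errors']
            if len(errors) > 0:
                txt += " " + build_hv_error_message(
                    base64.b64decode(errors))
            raise security.XSMError(txt)
        else:
            print "Successfully set the new policy."
            getpolicy(False)
    else:
        # Non-Xen-API call.
        if xs_type != server.xend.security.get_xstype():
            raise security.XSMError("ACM policy type not supported.")

        rc, errors = server.xend.security.set_policy(
            xs_type, xml, flags, overwrite)
        if rc != xsconstants.XSERR_SUCCESS:
            txt = "An error occurred trying to set the policy: %s." % \
                  xsconstants.xserr2string(abs(rc))
            if len(errors) > 0:
                txt += " " + build_hv_error_message(
                    base64.b64decode(errors))
            raise security.XSMError(txt)
        else:
            print "Successfully set the new policy."
            getpolicy(False)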
Exemplo n.º 2
 def __init__(self, error, message=None):
     """Store an error code together with a human-readable message.

     When message is missing or empty, the text is looked up with
     xserr2string() using the negated error code.
     """
     XendAPIError.__init__(self)
     self.error = error
     # Fall back to the canned text for this code when no message is given.
     self.message = message or xserr2string(-error)
Exemplo n.º 3
 def __init__(self, error, message=None):
     """Keep the error code and the message that describes it.

     A missing or empty message is replaced by the string that
     xserr2string() returns for the negated error code.
     """
     XendAPIError.__init__(self)
     self.error = error
     text = message
     if not text:
         # No caller-supplied text: derive it from the error code.
         text = xserr2string(-error)
     self.message = text
Exemplo n.º 4
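def setpolicy(policytype, policy_name, flags, overwrite):
    """Read an ACM or Flask policy file and send it to the server.

    For ACM, the dotted policy_name is converted to a relative path ending
    in "-security_policy.xml"; the current directory is tried first, then
    install_policy_dir_prefix.  For Flask, policy_name is used as the file
    path as given.  Flask policy content is base64-encoded before sending.

    flags and overwrite are handed to the server call unchanged.  Only the
    Xen-API server type is handled in this listing.

    Raises:
        OptionError: the policytype is neither ACM nor Flask, or the
            policy file could not be opened or read.
        security.XSMError: the server reports a different policy type,
            the Xen-API call raised, or the server returned an error code.
    """
    if policytype.upper() == xsconstants.ACM_POLICY_ID:
        xs_type = xsconstants.XS_POLICY_ACM

        # NOTE(review): './' is searched before the install directory, so
        # a file with the same name in the working directory takes
        # precedence over the installed policy.
        # If neither candidate exists, policy_file keeps the last candidate
        # and the open() below reports the failure.
        for prefix in ['./', install_policy_dir_prefix + "/"]:
            policy_file = prefix + "/".join(policy_name.split(".")) + \
                          "-security_policy.xml"

            if os.path.exists(policy_file):
                break

    elif policytype.upper() == xsconstants.FLASK_POLICY_ID:
        xs_type = xsconstants.XS_POLICY_FLASK
        policy_file = policy_name

    else:
        raise OptionError("Unsupported policytype '%s'." % policytype)

    # Catch only I/O failures (a bare except would also turn
    # KeyboardInterrupt/SystemExit into OptionError) and always release
    # the file handle, even when read() fails.
    try:
        f = open(policy_file, "r")
        try:
            policy = f.read()
        finally:
            f.close()
    except (IOError, OSError):
        raise OptionError("Could not read policy file: %s" % policy_file)

    if xs_type == xsconstants.XS_POLICY_FLASK:
        policy = base64.b64encode(policy)

    if xm_main.serverType == xm_main.SERVER_XEN_API:
        # The server must be running the same policy type we want to set.
        if xs_type != int(server.xenapi.XSPolicy.get_xstype()):
            raise security.XSMError("Policy type not supported.")

        try:
            policystate = server.xenapi.XSPolicy.set_xspolicy(xs_type,
                                                              policy,
                                                              flags,
                                                              overwrite)
        except Exception, e:
            raise security.XSMError("An error occurred setting the "
                                    "policy: %s" % str(e))
        xserr = int(policystate['xserr'])
        if xserr != xsconstants.XSERR_SUCCESS:
            txt = "An error occurred trying to set the policy: %s." % \
                   xsconstants.xserr2string(abs(xserr))
            # Extra error detail arrives base64-encoded.
            errors = policystate['errors']
            if len(errors) > 0:
                txt += " " + build_hv_error_message(base64.b64decode(errors))
            raise security.XSMError(txt)
        else:
            print "Successfully set the new policy."
            # The active policy is shown afterwards only for ACM.
            if xs_type == xsconstants.XS_POLICY_ACM:
                getpolicy(False)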
Exemplo n.º 5
def add_domain_label_xapi(label, domainname, policyref, policy_type):
    """Relabel a domain through xend or the Xen-API, depending on server type.

    The new label is sent as "policy_type:policyref:label" together with
    the label the domain currently carries.  A success message is printed;
    an ssidref of 0 is reported as a dormant domain.

    Raises:
        OptionError: (Xen-API) no VM or several VMs match domainname, or
            the server returned a negative result.
        security.XSMError: xend returned an error code, or a Xen-API call
            raised.
    """
    new_label = "%s:%s:%s" % (policy_type, policyref, label)

    if xm_main.serverType == xm_main.SERVER_XEN_API:
        matches = server.xenapi.VM.get_by_name_label(domainname)
        if len(matches) == 0:
            raise OptionError('A VM with that name does not exist.')
        if len(matches) != 1:
            raise OptionError('There are multiple domains with the same name.')
        vm_uuid = matches[0]
        try:
            current = server.xenapi.VM.get_security_label(vm_uuid)
            rc = server.xenapi.VM.set_security_label(vm_uuid, new_label,
                                                     current)
        except Exception, e:
            raise security.XSMError("Could not label the domain: %s" % e)
        # A negative result is an error; otherwise it is the ssidref.
        if int(rc) < 0:
            raise OptionError('Could not label domain.')
        ssidref = int(rc)
    else:
        current = server.xend.security.get_domain_label(domainname)
        # Drop a single leading quote from the current label.
        # NOTE(review): indexing [0] assumes the label is non-empty - confirm.
        if current[0] == '\'':
            current = current[1:]
        rc, ssidref = server.xend.security.set_domain_label(domainname,
                                                            new_label,
                                                            current)
        if rc != xsconstants.XSERR_SUCCESS:
            msg = xsconstants.xserr2string(-rc)
            raise security.XSMError("An error occurred relabeling "
                                    "the domain: %s" % msg)

    # Both paths report success the same way.
    if ssidref != 0:
        print "Successfully set the label of domain '%s' to '%s'.\n" \
              % (domainname, label)
    else:
        print "Successfully set the label of the dormant domain " \
              "'%s' to '%s'." % (domainname, label)
Exemplo n.º 6
def add_resource_label(label, resource, policyref, policy_type):
    """Label a resource through xend unless it already carries a label.

    Nothing is done in this listing when the server type is the Xen-API.
    Failures are reported through security.err(); exceptions from the xend
    call propagate unchanged.
    """
    if xm_main.serverType != xm_main.SERVER_XEN_API:
        existing = server.xend.security.get_resource_label(resource)
        if len(existing) != 0:
            # Refuse to overwrite: report the label that is already there.
            shown = security.format_resource_label(existing)
            security.err("'%s' is already labeled with '%s'." % \
                         (resource, shown))
        else:
            rc = server.xend.security.set_resource_label(
                resource, policy_type, policyref, label)
            if rc != xsconstants.XSERR_SUCCESS:
                security.err("An error occurred labeling the resource: %s" % \
                             xsconstants.xserr2string(-rc))
Exemplo n.º 7
def add_domain_label_xapi(label, domainname, policyref, policy_type):
    """Set a domain's security label using xend or the Xen-API.

    The label sent to the server has the form
    "policy_type:policyref:label" and is accompanied by the domain's
    current label.  On success a message is printed; an ssidref of 0 is
    reported as a dormant domain.

    Raises:
        OptionError: (Xen-API) domainname matches no VM or more than one,
            or the server returned a negative result.
        security.XSMError: xend returned an error code, or a Xen-API call
            raised.
    """
    def report_success(ssidref):
        # Same wording for both server types.
        if ssidref != 0:
            print "Successfully set the label of domain '%s' to '%s'.\n" \
                  % (domainname, label)
        else:
            print "Successfully set the label of the dormant domain " \
                  "'%s' to '%s'." % (domainname, label)

    wanted = "%s:%s:%s" % (policy_type, policyref, label)

    if xm_main.serverType != xm_main.SERVER_XEN_API:
        previous = server.xend.security.get_domain_label(domainname)
        # Drop a single leading quote from the current label.
        # NOTE(review): indexing [0] assumes the label is non-empty - confirm.
        if previous[0] == '\'':
            previous = previous[1:]
        rc, ssidref = server.xend.security.set_domain_label(
            domainname, wanted, previous)
        if rc != xsconstants.XSERR_SUCCESS:
            msg = xsconstants.xserr2string(-rc)
            raise security.XSMError("An error occurred relabeling "
                                    "the domain: %s" % msg)
        report_success(ssidref)
        return

    candidates = server.xenapi.VM.get_by_name_label(domainname)
    if len(candidates) == 0:
        raise OptionError('A VM with that name does not exist.')
    if len(candidates) != 1:
        raise OptionError('There are multiple domains with the same name.')
    target = candidates[0]
    try:
        previous = server.xenapi.VM.get_security_label(target)
        rc = server.xenapi.VM.set_security_label(target, wanted, previous)
    except Exception, e:
        raise security.XSMError("Could not label the domain: %s" % e)
    # A negative result is an error; otherwise it is the ssidref.
    if int(rc) < 0:
        raise OptionError('Could not label domain.')
    report_success(int(rc))
Exemplo n.º 8
def add_resource_label(label, resource, policyref, policy_type):
    """Ask xend to label a resource that has no label yet.

    Nothing is done in this listing when the server type is the Xen-API.
    An existing label or an error code from xend is reported through
    security.err(); exceptions from the xend call propagate unchanged.
    """
    if xm_main.serverType != xm_main.SERVER_XEN_API:
        current = server.xend.security.get_resource_label(resource)
        already_labeled = len(current) != 0
        if already_labeled:
            # Refuse to overwrite: report the label that is already there.
            current = security.format_resource_label(current)
            security.err("'%s' is already labeled with '%s'." % \
                         (resource, current))
        else:
            rc = server.xend.security.set_resource_label(resource,
                                                         policy_type,
                                                         policyref,
                                                         label)
            if rc != xsconstants.XSERR_SUCCESS:
                reason = xsconstants.xserr2string(-rc)
                security.err("An error occurred labeling the resource: %s" % \
                             reason)
Exemplo n.º 9
    if xm_main.serverType == xm_main.SERVER_XEN_API:
        try:
            oldlabel = server.xenapi.XSPolicy.get_resource_label(resource)
            if oldlabel != "":
                server.xenapi.XSPolicy.set_resource_label(resource, "", oldlabel)
            else:
                raise security.XSMError("Resource not labeled")
        except Exception, e:
            raise security.XSMError("Could not remove label " "from resource: %s" % e)
        return
    else:
        oldlabel = server.xend.security.get_resource_label(resource)
        if len(oldlabel) != 0:
            rc = server.xend.security.set_resource_label(resource, "", "", "")
            if rc != xsconstants.XSERR_SUCCESS:
                raise security.XSMError("An error occurred removing the " "label: %s" % xsconstants.xserr2string(-rc))
        else:
            raise security.XSMError("Resource not labeled")


def rm_domain_label(configfile):
    # open the domain config file
    fd = None
    fil = None
    if configfile[0] == "/":
        fil = configfile
        fd = open(fil, "rb")
    else:
        for prefix in [".", "/etc/xen"]:
            fil = prefix + "/" + configfile
            if os.path.isfile(fil):
Exemplo n.º 10
                server.xenapi.XSPolicy.set_resource_label(
                    resource, "", oldlabel)
            else:
                raise security.XSMError("Resource not labeled")
        except Exception, e:
            raise security.XSMError("Could not remove label "
                                    "from resource: %s" % e)
        return
    else:
        oldlabel = server.xend.security.get_resource_label(resource)
        if len(oldlabel) != 0:
            rc = server.xend.security.set_resource_label(resource, "", "", "")
            if rc != xsconstants.XSERR_SUCCESS:
                raise security.XSMError("An error occurred removing the "
                                        "label: %s" % \
                                        xsconstants.xserr2string(-rc))
        else:
            raise security.XSMError("Resource not labeled")


def rm_domain_label(configfile):
    # open the domain config file
    fd = None
    fil = None
    if configfile[0] == '/':
        fil = configfile
        fd = open(fil, "rb")
    else:
        for prefix in [".", auxbin.xen_configdir()]:
            fil = prefix + "/" + configfile
            if os.path.isfile(fil):
Exemplo n.º 11
                raise security.XSMError("Resource not labeled")
        except Exception, e:
            raise security.XSMError("Could not remove label "
                                    "from resource: %s" % e)
        return
    else:
        oldlabel = server.xend.security.get_resource_label(resource)
        if len(oldlabel) != 0:
            rc = server.xend.security.set_resource_label(resource,
                                                         "",
                                                         "",
                                                         "")
            if rc != xsconstants.XSERR_SUCCESS:
                raise security.XSMError("An error occurred removing the "
                                        "label: %s" % \
                                        xsconstants.xserr2string(-rc))
        else:
            raise security.XSMError("Resource not labeled")

def rm_domain_label(configfile):
    # open the domain config file
    fd = None
    fil = None
    if configfile[0] == '/':
        fil = configfile
        fd = open(fil, "rb")
    else:
        for prefix in [".", auxbin.xen_configdir() ]:
            fil = prefix + "/" + configfile
            if os.path.isfile(fil):
                fd = open(fil, "rb")
Exemplo n.º 12
        else:
            print "Successfully set the new policy."
            if xs_type == xsconstants.XS_POLICY_ACM:
                getpolicy(False)
    else:
        # Non-Xen-API call.
        if xs_type != server.xend.security.on():
            raise security.XSMError("Policy type not supported.")

        rc, errors = server.xend.security.set_policy(xs_type,
                                                     policy,
                                                     flags,
                                                     overwrite)
        if rc != xsconstants.XSERR_SUCCESS:
            txt = "An error occurred trying to set the policy: %s." % \
                   xsconstants.xserr2string(abs(rc))
            if len(errors) > 0:
                txt += " " + build_hv_error_message(
                       base64.b64decode(errors))
            raise security.XSMError(txt)
        else:
            print "Successfully set the new policy."
            if xs_type == xsconstants.XS_POLICY_ACM:
                getpolicy(False)

def main(argv):
    if len(argv) < 3:
       raise OptionError("Need at least 3 arguments.")

    if "-?" in argv:
        help()
Exemplo n.º 13
                txt += " " + build_hv_error_message(base64.b64decode(errors))
            raise security.XSMError(txt)
        else:
            print "Successfully set the new policy."
            if xs_type == xsconstants.XS_POLICY_ACM:
                getpolicy(False)
    else:
        # Non-Xen-API call.
        if xs_type != server.xend.security.on():
            raise security.XSMError("Policy type not supported.")

        rc, errors = server.xend.security.set_policy(xs_type, policy, flags,
                                                     overwrite)
        if rc != xsconstants.XSERR_SUCCESS:
            txt = "An error occurred trying to set the policy: %s." % \
                   xsconstants.xserr2string(abs(rc))
            if len(errors) > 0:
                txt += " " + build_hv_error_message(base64.b64decode(errors))
            raise security.XSMError(txt)
        else:
            print "Successfully set the new policy."
            if xs_type == xsconstants.XS_POLICY_ACM:
                getpolicy(False)


def main(argv):
    if len(argv) < 3:
        raise OptionError("Need at least 3 arguments.")

    if "-?" in argv:
        help()