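    def __init__(self, maxpolicies):
        """ Create a management class for managing the system's
            policies.

            On construction the policy currently loaded in the hypervisor
            is looked up by name and wrapped in an ACMPolicy object. If no
            XML representation of it can be built, the DEFAULT policy is
            forced instead; if even that fails, the manager starts with no
            policy registered and an error is logged.

            @param maxpolicies: The max. number of policies allowed
                                on the system (currently '1')
        """
        self.maxpolicies = maxpolicies
        # ref -> (policy name, policy type id)
        self.policies = {}
        # ref -> ACMPolicy object
        self.xsobjs = {}

        act_pol_name = self.get_hv_loaded_policy_name()
        initialize()

        ref = uuid.createString()
        try:
            # NOTE(review): nothing here verifies that the XML representation
            # matches the binary policy the hypervisor actually enforces;
            # consider validating the policy hash if ACMPolicy supports it.
            self.xsobjs[ref] = ACMPolicy(name=act_pol_name, ref=ref)
            self.policies[ref] = (act_pol_name, xsconstants.ACM_POLICY_ID)
        except Exception, e:
            log.error("Could not find XML representation of policy '%s': "
                      "%s" % (act_pol_name, e))
            # Fall back to the DEFAULT policy so the manager is not left
            # without any policy object.
            rc, errors, acmpol_def = ACMPolicy.force_default_policy()
            if rc == xsconstants.XSERR_SUCCESS:
                self.xsobjs[ref] = acmpol_def
                self.policies[ref] = (acmpol_def.get_name(),
                                      xsconstants.ACM_POLICY_ID)
                log.info("Switched to DEFAULT policy.")
            else:
                # Previously silent: the manager would come up with an
                # empty policy table and nothing in the log to explain it.
                log.error("Could not switch to DEFAULT policy (rc=%s): %s"
                          % (str(rc), str(errors)))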
def resetpolicy():
    """Reset the system's ACM policy to the DEFAULT policy.

    Only the Xen-API server branch is visible in this excerpt; the
    function continues with the xend-RPC branch elsewhere. Raises
    security.XSMError if the security subsystem does not support ACM,
    if the reset call itself fails, or if the server reports a non-success
    xserr code (the usual cause being guests still running).
    """
    msg = None
    xs_type = xsconstants.XS_POLICY_ACM
    # Not used in the visible part of the function.
    flags = xsconstants.XS_INST_LOAD

    if xm_main.serverType == xm_main.SERVER_XEN_API:
        # Python precedence: '&' binds tighter than '==', so this reads
        # (xstype & xs_type) == 0, i.e. "the ACM bit is not set".
        if int(server.xenapi.XSPolicy.get_xstype()) & xs_type == 0:
            raise security.XSMError("ACM policy type not supported.")

        policystate = server.xenapi.XSPolicy.get_xspolicy()

        acmpol = ACMPolicy(xml=policystate['repr'])

        now_flags = int(policystate['flags'])

        # Warn (after a successful reset) if the policy being replaced was
        # not the boot policy, since it then cannot be restored from the
        # bootloader configuration.
        if now_flags & xsconstants.XS_INST_BOOT == 0 and \
           not acmpol.is_default_policy():
            msg = "Old policy not found in bootloader file."

        try:
            policystate = server.xenapi.XSPolicy.reset_xspolicy(xs_type)
        except Exception, e:
            raise security.XSMError("An error occurred resetting the "
                                    "policy: %s" % str(e))

        xserr = int(policystate['xserr'])
        if xserr != xsconstants.XSERR_SUCCESS:
            raise security.XSMError("Could not reset the system's policy. "
                                    "Try to halt all guests.")
        else:
            print "Successfully reset the system's policy."
            if msg:
                print msg
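    def __init__(self, maxpolicies):
        """ Create a management class for managing the system's
            policies.

            The policy currently loaded in the hypervisor is looked up by
            name and registered under a fresh reference. When its XML
            representation cannot be built, the DEFAULT policy is forced
            instead; a failure of that fallback is now logged rather than
            passing silently.

            @param maxpolicies: The max. number of policies allowed
                                on the system (currently '1')
        """
        self.maxpolicies = maxpolicies
        # ref -> (policy name, policy type id)
        self.policies = {}
        # ref -> ACMPolicy object
        self.xsobjs = {}

        act_pol_name = self.get_hv_loaded_policy_name()
        initialize()

        ref = uuid.createString()
        try:
            # NOTE(review): the XML policy is not checked against the
            # binary the hypervisor enforces at this point.
            self.xsobjs[ref] = ACMPolicy(name=act_pol_name, ref=ref)
            self.policies[ref] = (act_pol_name, xsconstants.ACM_POLICY_ID)
        except Exception, e:
            log.error("Could not find XML representation of policy '%s': "
                      "%s" % (act_pol_name, e))
            rc, errors, acmpol_def = ACMPolicy.force_default_policy()
            if rc == xsconstants.XSERR_SUCCESS:
                self.xsobjs[ref] = acmpol_def
                self.policies[ref] = (acmpol_def.get_name(),
                                      xsconstants.ACM_POLICY_ID)
                log.info("Switched to DEFAULT policy.")
            else:
                # Make the "no policy registered at all" state visible.
                log.error("Could not switch to DEFAULT policy (rc=%s): %s"
                          % (str(rc), str(errors)))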
def getpolicy(dumpxml):
    """Print the security subsystem type and the currently installed policy.

    Depending on xm_main.serverType the information is fetched either via
    Xen-API or via the legacy xend interface, then handed to
    display_policy_info().

    @param dumpxml: forwarded to display_policy_info(); requests that the
                    policy XML be shown as well
    """
    use_xenapi = (xm_main.serverType == xm_main.SERVER_XEN_API)

    if use_xenapi:
        xstype = int(server.xenapi.XSPolicy.get_xstype())
        display_security_subsystems(xstype)

        policystate = server.xenapi.XSPolicy.get_xspolicy()
        installed_type = int(policystate["type"])
        if installed_type == 0:
            print("No policy is installed.")
            return
        if installed_type != xsconstants.XS_POLICY_ACM:
            print("Unknown policy type '%s'." % policystate["type"])
            return

        xml = policystate["repr"]
        acmpol = ACMPolicy(xml=xml) if xml else None
        display_policy_info(acmpol, xsconstants.ACM_POLICY_ID,
                            policystate["xs_ref"], policystate["version"],
                            int(policystate["flags"]), dumpxml, xml)
        return

    # Legacy xend interface.
    xstype = server.xend.security.get_xstype()
    display_security_subsystems(xstype)

    xml, flags = server.xend.security.get_policy()
    acmpol = None
    if xml != "":
        try:
            dom = minidom.parseString(xml)
            if dom:
                acmpol = ACMPolicy(dom=dom)
        except Exception, e:
            print("Error parsing the library: " + str(e))

    if not acmpol:
        print("No policy is installed.")
        return
    display_policy_info(acmpol, xsconstants.ACM_POLICY_ID, None,
                        acmpol.get_version(), flags, dumpxml, xml)
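    def __acm_init(self):
        """Register the policy currently loaded in the hypervisor.

        Builds an ACMPolicy for the loaded policy's name and runs
        validate_enforced_policy_hash() on it. Any exception on that path
        (no XML representation, or the hash check failing) is logged, the
        partially registered entry is dropped, and the DEFAULT policy is
        forced instead. A failing fallback is logged as well.
        """
        act_pol_name = self.get_hv_loaded_policy_name()
        initialize()

        ref = uuid.createString()
        try:
            self.xsobjs[ref] = ACMPolicy(name=act_pol_name, ref=ref)
            self.policies[ref] = (act_pol_name, xsconstants.ACM_POLICY_ID)
            # If the XML does not match what the hypervisor enforces this
            # is expected to raise and land us in the fallback below.
            self.xsobjs[ref].validate_enforced_policy_hash()
        except Exception, e:
            log.error("Could not find XML representation of policy '%s': "
                      "%s" % (act_pol_name, e))
            # Do not keep a policy object around whose hash check failed;
            # the fallback re-registers under the same ref on success.
            self.xsobjs.pop(ref, None)
            self.policies.pop(ref, None)
            rc, errors, acmpol_def = ACMPolicy.force_default_policy(ref)
            if rc == xsconstants.XSERR_SUCCESS:
                self.xsobjs[ref] = acmpol_def
                self.policies[ref] = (acmpol_def.get_name(),
                                      xsconstants.ACM_POLICY_ID)
                log.info("Switched to DEFAULT policy.")
            else:
                log.error("Could not switch to DEFAULT policy (rc=%s): %s"
                          % (str(rc), str(errors)))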
def labels_xapi(policy, ptype):
    """Print the label names of the policy loaded on the system (Xen-API).

    @param policy: name of the policy the caller has in mind; if it is not
                   the loaded policy a warning is printed and the request is
                   delegated to labels()
    @param ptype: 'dom', 'res' or 'any'; a false value behaves like 'dom'
    """
    policystate = server.xenapi.XSPolicy.get_xspolicy()
    installed_type = int(policystate['type'])

    if installed_type == 0:
        err("No policy installed on the system.")
        return
    if installed_type != xsconstants.XS_POLICY_ACM:
        err("Unsupported type of policy installed on the system.")
        return

    acmpol = ACMPolicy(xml=policystate['repr'])
    if policy and policy != acmpol.get_name():
        print("Warning: '%s' is not the currently loaded policy." % policy)
        return labels(policy, ptype)

    want_vm = not ptype or ptype in ('dom', 'any')
    want_res = ptype in ('res', 'any')
    vm_names = acmpol.policy_get_virtualmachinelabel_names() if want_vm else []
    res_names = acmpol.policy_get_resourcelabel_names() if want_res else []

    for name in sorted(set(vm_names).union(res_names)):
        print(name)
def labels_xapi(policy, ptype):
    """List, sorted and de-duplicated, the labels of the loaded ACM policy.

    Goes through Xen-API. When `policy` names a policy other than the one
    loaded, a warning is printed and labels() handles the request instead.

    @param policy: expected policy name (may be empty/None)
    @param ptype: 'dom' (default when empty), 'res' or 'any'
    """
    policystate = server.xenapi.XSPolicy.get_xspolicy()
    installed = int(policystate['type'])

    if installed == xsconstants.XS_POLICY_ACM:
        acmpol = ACMPolicy(xml=policystate['repr'])
        if policy and policy != acmpol.get_name():
            print("Warning: '%s' is not the currently loaded policy." % policy)
            return labels(policy, ptype)

        selected = set()
        if not ptype or ptype == 'dom' or ptype == 'any':
            selected.update(acmpol.policy_get_virtualmachinelabel_names())
        if ptype == 'res' or ptype == 'any':
            selected.update(acmpol.policy_get_resourcelabel_names())

        for name in sorted(selected):
            print(name)
    elif installed == 0:
        err("No policy installed on the system.")
    else:
        err("Unsupported type of policy installed on the system.")
def _getpolicy_xenapi(dumpxml):
    """Xen-API variant of getpolicy(): query and display the installed policy."""
    xstype = int(server.xenapi.XSPolicy.get_xstype())
    display_security_subsystems(xstype)

    policystate = server.xenapi.XSPolicy.get_xspolicy()
    installed = int(policystate['type'])
    if installed == 0:
        print("No policy is installed.")
        return
    if installed != xsconstants.XS_POLICY_ACM:
        print("Unknown policy type '%s'." % policystate['type'])
        return

    xml = policystate['repr']
    acmpol = None
    if xml:
        acmpol = ACMPolicy(xml=xml)
    display_policy_info(acmpol, xsconstants.ACM_POLICY_ID,
                        policystate['xs_ref'], policystate['version'],
                        int(policystate['flags']), dumpxml, xml)


def _getpolicy_xend(dumpxml):
    """Legacy-xend variant of getpolicy(): parse the policy XML locally."""
    xstype = server.xend.security.get_xstype()
    display_security_subsystems(xstype)

    xml, flags = server.xend.security.get_policy()
    acmpol = None
    if xml != "":
        try:
            dom = minidom.parseString(xml)
            if dom:
                acmpol = ACMPolicy(dom=dom)
        except Exception, e:
            print("Error parsing the library: " + str(e))

    if acmpol:
        display_policy_info(acmpol, xsconstants.ACM_POLICY_ID, None,
                            acmpol.get_version(), flags, dumpxml, xml)
    else:
        print("No policy is installed.")


def getpolicy(dumpxml):
    """Print the security subsystem type and the installed policy.

    Dispatches on xm_main.serverType to the Xen-API or legacy xend path.

    @param dumpxml: forwarded to display_policy_info() to also dump the XML
    """
    if xm_main.serverType == xm_main.SERVER_XEN_API:
        _getpolicy_xenapi(dumpxml)
    else:
        _getpolicy_xend(dumpxml)
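 def reset_acmpolicy(self):
     """
        Attempt to reset the system's policy by updating it with
        the DEFAULT policy.

        The reset policy is installed with XS_INST_BOOT | XS_INST_LOAD,
        i.e. loaded into the hypervisor and made the boot policy, with
        overwrite forced. The domains lock is held for the whole call.

        @return: the (policy, rc, errors) tuple from
                 __add_acmpolicy_to_system()
     """
     from xen.xend import XendDomain
     domains = XendDomain.instance()
     # Acquire outside the try: if acquire() raises we must not release
     # a lock we never obtained.
     domains.domains_lock.acquire()
     try:
         xml = ACMPolicy.get_reset_policy_xml()
         flags = xsconstants.XS_INST_BOOT | xsconstants.XS_INST_LOAD
         return self.__add_acmpolicy_to_system(xml, flags, True)
     finally:
         domains.domains_lock.release()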
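 def reset_acmpolicy(self):
     """
        Attempt to reset the system's policy by updating it with
        the DEFAULT policy.

        Installs ACMPolicy.get_reset_policy_xml() with both the LOAD and
        BOOT flags and overwrite=True, under the domains lock.

        @return: result of __add_acmpolicy_to_system(): (policy, rc, errors)
     """
     from xen.xend import XendDomain
     domains = XendDomain.instance()
     # Take the lock before entering the try block so that a failed
     # acquire() does not lead to releasing an unheld lock in 'finally'.
     domains.domains_lock.acquire()
     try:
         xml = ACMPolicy.get_reset_policy_xml()
         flags = xsconstants.XS_INST_BOOT | xsconstants.XS_INST_LOAD
         return self.__add_acmpolicy_to_system(xml, flags, True)
     finally:
         domains.domains_lock.release()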
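    def __acm_init(self):
        """Register the hypervisor's currently loaded policy with this manager.

        The policy is looked up by name, wrapped in an ACMPolicy and checked
        with validate_enforced_policy_hash(). On any exception the partial
        registration is removed, the error is logged and the DEFAULT policy
        is forced; if that also fails an error is logged instead of the
        previous silent empty state.
        """
        act_pol_name = self.get_hv_loaded_policy_name()
        initialize()

        ref = uuid.createString()
        try:
            self.xsobjs[ref] = ACMPolicy(name=act_pol_name, ref=ref)
            self.policies[ref] = (act_pol_name, xsconstants.ACM_POLICY_ID)
            # Hash check against the enforced policy; a failure is expected
            # to raise and take the fallback path below.
            self.xsobjs[ref].validate_enforced_policy_hash()
        except Exception, e:
            log.error("Could not find XML representation of policy '%s': "
                      "%s" % (act_pol_name, e))
            # Drop the entry registered above so a policy whose hash check
            # failed is never left in the tables.
            self.xsobjs.pop(ref, None)
            self.policies.pop(ref, None)
            rc, errors, acmpol_def = ACMPolicy.force_default_policy(ref)
            if rc == xsconstants.XSERR_SUCCESS:
                self.xsobjs[ref] = acmpol_def
                self.policies[ref] = (acmpol_def.get_name(),
                                      xsconstants.ACM_POLICY_ID)
                log.info("Switched to DEFAULT policy.")
            else:
                log.error("Could not switch to DEFAULT policy (rc=%s): %s"
                          % (str(rc), str(errors)))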
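    def __add_acmpolicy_to_system(self, xmltext, flags, overwrite):
        """Install a new ACM policy from XML text, or update the loaded one.

        If a policy is already loaded the text is applied as an update to it
        (XS_INST_LOAD must be set) and loadedpol.update()'s result is
        returned. Otherwise the XML is parsed, compiled, loaded into the
        hypervisor when XS_INST_LOAD is set, installed as boot policy when
        XS_INST_BOOT is set, and registered in self.policies / self.xsobjs.

        @param xmltext: policy as XML text
        @param flags: bitmask of xsconstants.XS_INST_LOAD / XS_INST_BOOT
        @param overwrite: remove any existing policy first and skip the
                          boot-policy and maxpolicies checks
        @return: (policy object, rc, errors)
        @raise SecurityError: negative XSERR_* code describing the failure
        """
        errors = ""
        if security.on() != xsconstants.XS_POLICY_ACM:
            raise SecurityError(-xsconstants.XSERR_POLICY_TYPE_UNSUPPORTED)
        loadedpol = self.get_loaded_policy()
        if loadedpol:
            # This is meant as an update to a currently loaded policy
            if flags & xsconstants.XS_INST_LOAD == 0:
                raise SecurityError(-xsconstants.XSERR_POLICY_LOADED)

            # Remember old flags, so they can be restored if update fails
            old_flags = self.get_policy_flags(loadedpol)

            # Remove policy from bootloader in case of new name of policy
            self.rm_bootpolicy()

            rc, errors = loadedpol.update(xmltext)
            if rc == 0:
                # policy is loaded; if setting the boot flag fails it's ok.
                self.activate_xspolicy(loadedpol, flags)
            else:
                # Update failed: restore the boot entry if there was one.
                old_flags = old_flags & xsconstants.XS_INST_BOOT
                log.info("OLD FLAGS TO RESTORE: %s" % str(old_flags))
                if old_flags != 0:
                    self.activate_xspolicy(loadedpol, xsconstants.XS_INST_BOOT)

            return (loadedpol, rc, errors)

        try:
            dom = minidom.parseString(xmltext.encode("utf-8"))
        except Exception:
            # Narrowed from a bare 'except:' so SystemExit/KeyboardInterrupt
            # are not reported as bad XML.
            raise SecurityError(-xsconstants.XSERR_BAD_XML)

        ref = uuid.createString()

        acmpol = ACMPolicy(dom=dom, ref=ref)

        #First some basic tests that do not modify anything:

        if flags & xsconstants.XS_INST_BOOT and not overwrite:
            filename = acmpol.get_filename(".bin", "", dotted=True)
            # NOTE(review): 'bootloader.get_default_policy != None' compares
            # the function object, not its result, so that half is always
            # true and the guard reduces to 'not loads_default_policy(...)'.
            # If the intent was "only check when a boot policy is
            # configured", it needs get_default_policy(); left unchanged
            # pending confirmation of bootloader's contract.
            if bootloader.get_default_policy != None and \
               not bootloader.loads_default_policy(filename):
                raise SecurityError(-xsconstants.XSERR_BOOTPOLICY_INSTALLED)

        if not overwrite and len(self.policies) >= self.maxpolicies:
            raise SecurityError(-xsconstants.XSERR_BOOTPOLICY_INSTALLED)

        if overwrite:
            #This should only give one key since only one policy is
            #allowed. Iterate over a copy: rm_policy_from_system() mutates
            #self.policies.
            keys = list(self.policies.keys())
            for k in keys:
                self.rm_bootpolicy()
                rc = self.rm_policy_from_system(k, force=overwrite)
                if rc != xsconstants.XSERR_SUCCESS:
                    raise SecurityError(rc)

        # NOTE(review): on the overwrite path the previous policy is already
        # removed here; a compile/load failure below raises and leaves no
        # policy registered in this manager.
        rc = acmpol.compile()
        if rc != 0:
            raise SecurityError(rc)

        if flags & xsconstants.XS_INST_LOAD:
            rc = acmpol.loadintohv()
            if rc != 0:
                raise SecurityError(rc)

        if flags & xsconstants.XS_INST_BOOT:
            rc = self.make_boot_policy(acmpol)
            if rc != 0:
                # If it cannot be installed due to unsupported
                # bootloader, let it be ok.
                pass

        if dom:
            new_entry = { ref : tuple([acmpol.get_name(),
                                       xsconstants.ACM_POLICY_ID]) }
            self.policies.update(new_entry)
            self.xsobjs[ref]  = acmpol
        return (acmpol, xsconstants.XSERR_SUCCESS, errors)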
 def get_enforced_binary(self, xstype):
     """Return the binary policy enforced by the hypervisor, or None.

     Only ACM (xsconstants.XS_POLICY_ACM) is supported; any other xstype
     yields None.
     """
     if xstype != xsconstants.XS_POLICY_ACM:
         return None
     return ACMPolicy.get_enforced_binary()
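    def __add_acmpolicy_to_system(self, xmltext, flags, overwrite):
        """Install an ACM policy from XML text or update the loaded policy.

        With a policy already loaded, the text is an update to it
        (XS_INST_LOAD required) and the result of loadedpol.update() is
        returned. Without one, the XML is parsed into a new ACMPolicy,
        compiled, loaded into the hypervisor (XS_INST_LOAD) and/or made the
        boot policy (XS_INST_BOOT), then registered in self.policies and
        self.xsobjs under a fresh ref.

        @param xmltext: the policy as XML text
        @param flags: bitmask of xsconstants.XS_INST_LOAD / XS_INST_BOOT
        @param overwrite: remove the existing policy first and bypass the
                          boot-policy / maxpolicies checks
        @return: (policy object, rc, errors)
        @raise SecurityError: negative XSERR_* code on failure
        """
        errors = ""
        if security.on() != xsconstants.XS_POLICY_ACM:
            raise SecurityError(-xsconstants.XSERR_POLICY_TYPE_UNSUPPORTED)
        loadedpol = self.get_loaded_policy()
        if loadedpol:
            # This is meant as an update to a currently loaded policy
            if flags & xsconstants.XS_INST_LOAD == 0:
                raise SecurityError(-xsconstants.XSERR_POLICY_LOADED)

            # Remember old flags, so they can be restored if update fails
            old_flags = self.get_policy_flags(loadedpol)

            # Remove policy from bootloader in case of new name of policy
            self.rm_bootpolicy()

            rc, errors = loadedpol.update(xmltext)
            if rc == 0:
                # policy is loaded; if setting the boot flag fails it's ok.
                self.activate_xspolicy(loadedpol, flags)
            else:
                # Restore the boot entry (only that bit) if the update failed.
                old_flags = old_flags & xsconstants.XS_INST_BOOT
                log.info("OLD FLAGS TO RESTORE: %s" % str(old_flags))
                if old_flags != 0:
                    self.activate_xspolicy(loadedpol, xsconstants.XS_INST_BOOT)

            return (loadedpol, rc, errors)

        try:
            dom = minidom.parseString(xmltext.encode("utf-8"))
        except Exception:
            # Previously a bare 'except:'; keep interpreter-control
            # exceptions (SystemExit, KeyboardInterrupt) out of BAD_XML.
            raise SecurityError(-xsconstants.XSERR_BAD_XML)

        ref = uuid.createString()

        acmpol = ACMPolicy(dom=dom, ref=ref)

        #First some basic tests that do not modify anything:

        if flags & xsconstants.XS_INST_BOOT and not overwrite:
            filename = acmpol.get_filename(".bin", "", dotted=True)
            # NOTE(review): this compares the function object
            # bootloader.get_default_policy with None (always true), so the
            # condition is effectively just 'not loads_default_policy(...)'.
            # Probably meant get_default_policy(); not changed here because
            # bootloader's return contract is not visible.
            if bootloader.get_default_policy != None and \
               not bootloader.loads_default_policy(filename):
                raise SecurityError(-xsconstants.XSERR_BOOTPOLICY_INSTALLED)

        if not overwrite and len(self.policies) >= self.maxpolicies:
            raise SecurityError(-xsconstants.XSERR_BOOTPOLICY_INSTALLED)

        if overwrite:
            #This should only give one key since only one policy is
            #allowed. Copy the keys: rm_policy_from_system() mutates
            #self.policies while we iterate.
            keys = list(self.policies.keys())
            for k in keys:
                self.rm_bootpolicy()
                rc = self.rm_policy_from_system(k, force=overwrite)
                if rc != xsconstants.XSERR_SUCCESS:
                    raise SecurityError(rc)

        # NOTE(review): when overwriting, the old policy is gone by now; if
        # compile()/loadintohv() fail below, the manager ends up with no
        # policy registered.
        rc = acmpol.compile()
        if rc != 0:
            raise SecurityError(rc)

        if flags & xsconstants.XS_INST_LOAD:
            rc = acmpol.loadintohv()
            if rc != 0:
                raise SecurityError(rc)

        if flags & xsconstants.XS_INST_BOOT:
            rc = self.make_boot_policy(acmpol)
            if rc != 0:
                # If it cannot be installed due to unsupported
                # bootloader, let it be ok.
                pass

        if dom:
            new_entry = {
                ref: tuple([acmpol.get_name(), xsconstants.ACM_POLICY_ID])
            }
            self.policies.update(new_entry)
            self.xsobjs[ref] = acmpol
        return (acmpol, xsconstants.XSERR_SUCCESS, errors)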
 def get_enforced_binary(self, xstype):
     """Return ACMPolicy.get_enforced_binary() for the ACM type, else None.

     @param xstype: security subsystem type; only
                    xsconstants.XS_POLICY_ACM is handled
     """
     supported = (xstype == xsconstants.XS_POLICY_ACM)
     return ACMPolicy.get_enforced_binary() if supported else None
    tmp = vers.split('.')
    if len(tmp) == 1:
        rev = 1
    else:
        rev = int(tmp[1]) + 1
    hdr['version'] = "%s.%s" % (tmp[0],rev)
    return hdr

session = xapi.connect()

policystate = session.xenapi.XSPolicy.get_xspolicy()

# Work out the name/version of the policy currently installed (if any) and
# the version the test will install next: bump the minor number, or start
# at <major>.1 when the installed version has no minor part.
installed_xml = policystate['repr']
if installed_xml == "":
    oldname = None
    oldvers = None
    newvers = "1.0"
else:
    print("%s" % installed_xml)
    try:
        acmpol = ACMPolicy(xml=installed_xml)
    except Exception, e:
        # FAIL() is presumably the harness abort; if it returned, the next
        # line would raise NameError on acmpol, exactly as before.
        FAIL("Failure from creating ACMPolicy object: %s" % str(e))
    oldname = acmpol.policy_dom_get_hdr_item("PolicyName")
    oldvers = acmpol.policy_dom_get_hdr_item("Version")
    parts = oldvers.split(".")
    rev = int(parts[1]) + 1 if len(parts) > 1 else 1
    newvers = "%s.%s" % (parts[0], str(rev))
    print("old name/version = %s/%s" % (oldname, oldvers))
        xserr = int(policystate['xserr'])
        if xserr != xsconstants.XSERR_SUCCESS:
            raise security.XSMError("Could not reset the system's policy. "
                                    "Try to halt all guests.")
        else:
            print "Successfully reset the system's policy."
            if msg:
                print msg
    else:
        if server.xend.security.get_xstype() & xs_type == 0:
           raise security.XSMError("ACM policy type not supported.")

        xml, now_flags = server.xend.security.get_policy()

        acmpol = ACMPolicy(xml=xml)

        if int(now_flags) & xsconstants.XS_INST_BOOT == 0 and \
           not acmpol.is_default_policy():
            msg = "Old policy not found in bootloader file."

        rc, errors = server.xend.security.reset_policy()
        if rc != xsconstants.XSERR_SUCCESS:
            raise security.XSMError("Could not reset the system's policy. "
                                    "Try to halt all guests.")
        else:
            print "Successfully reset the system's policy."
            if msg:
                print msg

    FAIL("Flags (%x) are not indicating the correct state of the policy.",
         int(policystate['flags']))

policystate = session.xenapi.XSPolicy.get_xspolicy()
xs_ref = policystate['xs_ref']

newpolicyxml = None
f = open("xm-test-new-security_policy.xml", 'r')
if f:
    newpolicyxml = f.read()
    f.close()
else:
    FAIL("Could not read 'xm-test-new' policy")

cur_acmpol = ACMPolicy(xml = policystate['repr'])
new_acmpol = ACMPolicy(xml = newpolicyxml)

new_acmpol.update_frompolicy(cur_acmpol)

policystate = session.xenapi.XSPolicy.set_xspolicy(xsconstants.XS_POLICY_ACM,
                          new_acmpol.toxml(),
                          xsconstants.XS_INST_LOAD | xsconstants.XS_INST_BOOT,
                          1)

f = open("xm-test-security_policy.xml", 'r')
if f:
    newpolicyxml = f.read()
    f.close()
else:
    FAIL("Could not read 'xm-test-new' policy")
                                xsconstants.XS_INST_LOAD:
    FAIL("Flags (%x) are not indicating the correct state of the policy.",
         int(policystate['flags']))

policystate = session.xenapi.XSPolicy.get_xspolicy()
xs_ref = policystate['xs_ref']

newpolicyxml = None
f = open("xm-test-new-security_policy.xml", 'r')
if f:
    newpolicyxml = f.read()
    f.close()
else:
    FAIL("Could not read 'xm-test-new' policy")

cur_acmpol = ACMPolicy(xml=policystate['repr'])
new_acmpol = ACMPolicy(xml=newpolicyxml)

new_acmpol.update_frompolicy(cur_acmpol)

policystate = session.xenapi.XSPolicy.set_xspolicy(
    xsconstants.XS_POLICY_ACM, new_acmpol.toxml(),
    xsconstants.XS_INST_LOAD | xsconstants.XS_INST_BOOT, 1)

f = open("xm-test-security_policy.xml", 'r')
if f:
    newpolicyxml = f.read()
    f.close()
else:
    FAIL("Could not read 'xm-test-new' policy")
    if len(tmp) == 1:
        rev = 1
    else:
        rev = int(tmp[1]) + 1
    hdr['version'] = "%s.%s" % (tmp[0], rev)
    return hdr


session = xapi.connect()

policystate = session.xenapi.XSPolicy.get_xspolicy()

# Determine old name/version of the installed policy and the version to use
# for the next install: increment the minor number, or <major>.1 if the
# installed version has no minor component.
if policystate['repr'] != "":
    print("%s" % policystate['repr'])
    try:
        acmpol = ACMPolicy(xml=policystate['repr'])
    except Exception, e:
        # FAIL() is presumably the harness abort; behaviour if it returns
        # (NameError on acmpol below) is unchanged.
        FAIL("Failure from creating ACMPolicy object: %s" % str(e))
    oldname = acmpol.policy_dom_get_hdr_item("PolicyName")
    oldvers = acmpol.policy_dom_get_hdr_item("Version")
    fields = oldvers.split(".")
    if len(fields) > 1:
        minor = int(fields[1]) + 1
    else:
        minor = 1
    newvers = "%s.%s" % (fields[0], str(minor))
    print("old name/version = %s/%s" % (oldname, oldvers))
else:
    oldname = None
    oldvers = None
    newvers = "1.0"