def rm_vif_label(vmname, idx): if xm_main.serverType != xm_main.SERVER_XEN_API: raise OptionError('Need to be configure for using xen-api.') vm_refs = server.xenapi.VM.get_by_name_label(vmname) if len(vm_refs) == 0: raise OptionError('A VM with the name %s does not exist.' % vmname) vif_refs = server.xenapi.VM.get_VIFs(vm_refs[0]) if len(vif_refs) <= idx: raise OptionError("Bad VIF index.") vif_ref = server.xenapi.VIF.get_by_uuid(vif_refs[idx]) if not vif_ref: raise security.XSMError("A VIF with this UUID does not exist.") try: old_lab = server.xenapi.VIF.get_security_label(vif_ref) if old_lab != "": rc = server.xenapi.VIF.set_security_label(vif_ref, "", old_lab) if int(rc) != 0: raise security.XSMError("Could not remove the label from" " the VIF.") else: print "Successfully removed the label from the VIF." else: raise security.XSMError("VIF is not labeled.") except Exception, e: raise security.XSMError("Could not remove the label from the VIF: %s" % str(e))
def resetpolicy(): msg = None xs_type = xsconstants.XS_POLICY_ACM flags = xsconstants.XS_INST_LOAD if xm_main.serverType == xm_main.SERVER_XEN_API: if int(server.xenapi.XSPolicy.get_xstype()) & xs_type == 0: raise security.XSMError("ACM policy type not supported.") policystate = server.xenapi.XSPolicy.get_xspolicy() acmpol = ACMPolicy(xml=policystate['repr']) now_flags = int(policystate['flags']) if now_flags & xsconstants.XS_INST_BOOT == 0 and \ not acmpol.is_default_policy(): msg = "Old policy not found in bootloader file." try: policystate = server.xenapi.XSPolicy.reset_xspolicy(xs_type) except Exception, e: raise security.XSMError("An error occurred resetting the " "policy: %s" % str(e)) xserr = int(policystate['xserr']) if xserr != xsconstants.XSERR_SUCCESS: raise security.XSMError("Could not reset the system's policy. " "Try to halt all guests.") else: print "Successfully reset the system's policy." if msg: print msg
def setpolicy(policytype, policy_name, flags, overwrite): if policytype.upper() == xsconstants.ACM_POLICY_ID: xs_type = xsconstants.XS_POLICY_ACM for prefix in ['./', install_policy_dir_prefix + "/"]: policy_file = prefix + "/".join(policy_name.split(".")) + \ "-security_policy.xml" if os.path.exists(policy_file): break try: f = open(policy_file, "r") xml = f.read() f.close() except: raise OptionError("Could not read policy file from current" " directory or '%s'." % install_policy_dir_prefix) if xm_main.serverType == xm_main.SERVER_XEN_API: if xs_type != int(server.xenapi.XSPolicy.get_xstype()): raise security.XSMError("ACM policy type not supported.") try: policystate = server.xenapi.XSPolicy.set_xspolicy( xs_type, xml, flags, overwrite) except Exception, e: raise security.XSMError("An error occurred setting the " "policy: %s" % str(e)) xserr = int(policystate['xserr']) if xserr != xsconstants.XSERR_SUCCESS: txt = "An error occurred trying to set the policy: %s." % \ xsconstants.xserr2string(abs(xserr)) errors = policystate['errors'] if len(errors) > 0: txt += " " + build_hv_error_message( base64.b64decode(errors)) raise security.XSMError(txt) else: print "Successfully set the new policy." getpolicy(False) else: # Non-Xen-API call. if xs_type != server.xend.security.get_xstype(): raise security.XSMError("ACM policy type not supported.") rc, errors = server.xend.security.set_policy( xs_type, xml, flags, overwrite) if rc != xsconstants.XSERR_SUCCESS: txt = "An error occurred trying to set the policy: %s." % \ xsconstants.xserr2string(abs(rc)) if len(errors) > 0: txt += " " + build_hv_error_message( base64.b64decode(errors)) raise security.XSMError(txt) else: print "Successfully set the new policy." getpolicy(False)
def get_resource_label(resource): """Gets the resource label """ if xm_main.serverType == xm_main.SERVER_XEN_API: reslabel = server.xenapi.XSPolicy.get_resource_label(resource) if reslabel == "": raise security.XSMError("Resource not labeled") print reslabel else: reslabel = server.xend.security.get_resource_label(resource) if len(reslabel) == 0: raise security.XSMError("Resource not labeled") print ":".join(reslabel)
def rm_resource_label(resource): """Removes a resource label from the global resource label file. """ # Try Xen-API first if configured to use it if xm_main.serverType == xm_main.SERVER_XEN_API: try: oldlabel = server.xenapi.XSPolicy.get_resource_label(resource) if oldlabel != "": server.xenapi.XSPolicy.set_resource_label( resource, "", oldlabel) else: raise security.XSMError("Resource not labeled") except Exception, e: raise security.XSMError("Could not remove label " "from resource: %s" % e) return
def add_domain_label_xapi(label, domainname, policyref, policy_type): sec_lab = "%s:%s:%s" % (policy_type, policyref, label) if xm_main.serverType != xm_main.SERVER_XEN_API: old_seclab = server.xend.security.get_domain_label(domainname) if old_seclab[0] == '\'': old_seclab = old_seclab[1:] results = server.xend.security.set_domain_label( domainname, sec_lab, old_seclab) rc, ssidref = results if rc == xsconstants.XSERR_SUCCESS: if ssidref != 0: print "Successfully set the label of domain '%s' to '%s'.\n" \ % (domainname,label) else: print "Successfully set the label of the dormant domain " \ "'%s' to '%s'." % (domainname,label) else: msg = xsconstants.xserr2string(-rc) raise security.XSMError("An error occurred relabeling " "the domain: %s" % msg) else: uuids = server.xenapi.VM.get_by_name_label(domainname) if len(uuids) == 0: raise OptionError('A VM with that name does not exist.') if len(uuids) != 1: raise OptionError('There are multiple domains with the same name.') uuid = uuids[0] try: old_lab = server.xenapi.VM.get_security_label(uuid) rc = server.xenapi.VM.set_security_label(uuid, sec_lab, old_lab) except Exception, e: raise security.XSMError("Could not label the domain: %s" % e) if int(rc) < 0: raise OptionError('Could not label domain.') else: ssidref = int(rc) if ssidref != 0: print "Successfully set the label of domain '%s' to '%s'.\n" \ % (domainname,label) else: print "Successfully set the label of the dormant domain " \ "'%s' to '%s'." % (domainname,label)
def rm_domain_label_xapi(domain): if xm_main.serverType != xm_main.SERVER_XEN_API: old_lab = server.xend.security.get_domain_label(domain) vmlabel = "" if old_lab != "": tmp = old_lab.split(":") if len(tmp) == 3: vmlabel = tmp[2] if old_lab != "" and vmlabel != ACM_LABEL_UNLABELED: server.xend.security.set_domain_label(domain, "", old_lab) print "Successfully removed label from domain %s." % domain else: raise security.XSMError("Domain was not labeled.") else: uuids = server.xenapi.VM.get_by_name_label(domain) if len(uuids) == 0: raise OptionError('A VM with that name does not exist.') if len(uuids) != 1: raise OptionError('Too many domains with the same name.') uuid = uuids[0] try: old_lab = server.xenapi.VM.get_security_label(uuid) vmlabel = "" if old_lab != "": tmp = old_lab.split(":") if len(tmp) == 3: vmlabel = tmp[2] if old_lab != "": server.xenapi.VM.set_security_label(uuid, "", old_lab) else: raise security.XSMError("Domain was not labeled.") except Exception, e: raise security.XSMError('Could not remove label from domain: %s' % e)
def rm_domain_label(configfile): # open the domain config file fd = None fil = None if configfile[0] == '/': fil = configfile fd = open(fil, "rb") else: for prefix in [".", auxbin.xen_configdir()]: fil = prefix + "/" + configfile if os.path.isfile(fil): fd = open(fil, "rb") break if not fd: raise OptionError("Configuration file '%s' not found." % configfile) # read in the domain config file, removing label ac_entry_re = re.compile("^access_control\s*=.*", re.IGNORECASE) ac_exit_re = re.compile(".*'\].*") file_contents = "" comment = 0 removed = 0 for line in fd.readlines(): if ac_entry_re.match(line): comment = 1 if comment: removed = 1 line = "#" + line if comment and ac_exit_re.match(line): comment = 0 file_contents = file_contents + line fd.close() # send error message if we didn't find anything to remove if not removed: raise security.XSMError('Domain not labeled') # write the data back out to the file fd = open(fil, "wb") fd.writelines(file_contents) fd.close()
def get_domain_label(configfile): # open the domain config file fd = None if configfile[0] == '/': fd = open(configfile, "rb") else: for prefix in [".", "/etc/xen"]: abs_file = prefix + "/" + configfile if os.path.isfile(abs_file): fd = open(abs_file, "rb") break if not fd: raise OptionError("Configuration file '%s' not found." % configfile) # read in the domain config file, finding the label line ac_entry_re = re.compile("^access_control\s*=.*", re.IGNORECASE) ac_exit_re = re.compile(".*'\].*") acline = "" record = 0 for line in fd.readlines(): if ac_entry_re.match(line): record = 1 if record: acline = acline + line if record and ac_exit_re.match(line): record = 0 fd.close() # send error message if we didn't find anything if acline == "": raise security.XSMError("Domain not labeled") # print out the label (title, data) = acline.split("=", 1) data = data.strip() data = data.lstrip("[\'") data = data.rstrip("\']") print "policytype=%s," % xsconstants.ACM_POLICY_ID + data
policystate = server.xenapi.XSPolicy.reset_xspolicy(xs_type) except Exception, e: raise security.XSMError("An error occurred resetting the " "policy: %s" % str(e)) xserr = int(policystate['xserr']) if xserr != xsconstants.XSERR_SUCCESS: raise security.XSMError("Could not reset the system's policy. " "Try to halt all guests.") else: print "Successfully reset the system's policy." if msg: print msg else: if server.xend.security.get_xstype() & xs_type == 0: raise security.XSMError("ACM policy type not supported.") xml, now_flags = server.xend.security.get_policy() acmpol = ACMPolicy(xml=xml) if int(now_flags) & xsconstants.XS_INST_BOOT == 0 and \ not acmpol.is_default_policy(): msg = "Old policy not found in bootloader file." rc, errors = server.xend.security.reset_policy() if rc != xsconstants.XSERR_SUCCESS: raise security.XSMError("Could not reset the system's policy. " "Try to halt all guests.") else: print "Successfully reset the system's policy."
security.err("An error occurred labeling the resource: %s" % \ xsconstants.xserr2string(-rc)) else: old = security.format_resource_label(old) security.err("'%s' is already labeled with '%s'." % \ (resource,old)) else: res = [policy_type, policyref, label] res_xapi = security.format_resource_label(res) old = server.xenapi.XSPolicy.get_resource_label(resource) if old == "": try: server.xenapi.XSPolicy.set_resource_label( resource, res_xapi, "") except Exception, e: raise security.XSMError("Could not label this resource: %s" % str(e)) else: raise security.XSMError("'%s' is already labeled with '%s'" % (resource, old)) def add_domain_label(label, configfile, policyref): # sanity checks: make sure this label can be instantiated later on ssidref = security.label2ssidref(label, policyref, 'dom') new_label = "access_control = ['policy=%s,label=%s']\n" % \ (policyref, label) if not os.path.isfile(configfile): security.err("Configuration file \'" + configfile + "\' not found.") config_fd = open(configfile, "ra+") for line in config_fd:
if oldlabel != "": server.xenapi.XSPolicy.set_resource_label( resource, "", oldlabel) else: raise security.XSMError("Resource not labeled") except Exception, e: raise security.XSMError("Could not remove label " "from resource: %s" % e) return else: oldlabel = server.xend.security.get_resource_label(resource) if len(oldlabel) != 0: rc = server.xend.security.set_resource_label(resource, "", "", "") if rc != xsconstants.XSERR_SUCCESS: raise security.XSMError("An error occurred removing the " "label: %s" % \ xsconstants.xserr2string(-rc)) else: raise security.XSMError("Resource not labeled") def rm_domain_label(configfile): # open the domain config file fd = None fil = None if configfile[0] == '/': fil = configfile fd = open(fil, "rb") else: for prefix in [".", auxbin.xen_configdir()]: fil = prefix + "/" + configfile
xserr = int(policystate['xserr']) if xserr != xsconstants.XSERR_SUCCESS: txt = "An error occurred trying to set the policy: %s." % \ xsconstants.xserr2string(abs(xserr)) errors = policystate['errors'] if len(errors) > 0: txt += " " + build_hv_error_message(base64.b64decode(errors)) raise security.XSMError(txt) else: print "Successfully set the new policy." if xs_type == xsconstants.XS_POLICY_ACM: getpolicy(False) else: # Non-Xen-API call. if xs_type != server.xend.security.on(): raise security.XSMError("Policy type not supported.") rc, errors = server.xend.security.set_policy(xs_type, policy, flags, overwrite) if rc != xsconstants.XSERR_SUCCESS: txt = "An error occurred trying to set the policy: %s." % \ xsconstants.xserr2string(abs(rc)) if len(errors) > 0: txt += " " + build_hv_error_message(base64.b64decode(errors)) raise security.XSMError(txt) else: print "Successfully set the new policy." if xs_type == xsconstants.XS_POLICY_ACM: getpolicy(False)