Пример #1
0
def config_security_check(config, verbose):
    """Checks each resource listed in the config to see if the active
       policy will permit creation of a new domain using the config.
       Returns 1 if the config passes all tests, otherwise 0.
    """
    answer = 1

    # get the domain acm_label
    domain_label = None
    domain_policy = None
    for x in sxp.children(config):
        if sxp.name(x) == 'security':
            domain_label = sxp.child_value(sxp.name(sxp.child0(x)), 'label')
            domain_policy = sxp.child_value(sxp.name(sxp.child0(x)), 'policy')

    # if no domain label, use default
    if not domain_label and security.on():
        try:
            domain_label = security.ssidref2label(security.NULL_SSIDREF)
        except:
            import traceback
            traceback.print_exc(limit=1)
            return 0
        domain_policy = 'NULL'
    elif not domain_label:
        domain_label = ""
        domain_policy = 'NULL'

    if verbose:
        print "Checking resources:"

    # build a list of all resources in the config file
    resources = []
    for x in sxp.children(config):
        if sxp.name(x) == 'device':
            if sxp.name(sxp.child0(x)) == 'vbd':
                resources.append(sxp.child_value(sxp.child0(x), 'uname'))

    # perform a security check on each resource
    for resource in resources:
        try:
            security.res_security_check(resource, domain_label)
            if verbose:
                print "   %s: PERMITTED" % (resource)

        except security.XSMError:
            print "   %s: DENIED" % (resource)
            (poltype, res_label, res_policy) = security.get_res_label(resource)
            if not res_label:
                res_label = ""
            print "   --> res: %s (%s:%s)" % (str(res_label),
                                           str(poltype), str(res_policy))
            print "   --> dom: %s (%s:%s)" % (str(domain_label),
                                           str(poltype), str(domain_policy))

            answer = 0

    return answer
Пример #2
0
def config_security_check(config, verbose):
    """Checks each resource listed in the config to see if the active
       policy will permit creation of a new domain using the config.
       Returns 1 if the config passes all tests, otherwise 0.
    """
    answer = 1

    # get the domain acm_label
    domain_label = None
    domain_policy = None
    for x in sxp.children(config):
        if sxp.name(x) == 'security':
            domain_label = sxp.child_value(sxp.name(sxp.child0(x)), 'label')
            domain_policy = sxp.child_value(sxp.name(sxp.child0(x)), 'policy')

    # if no domain label, use default
    if not domain_label and security.on():
        try:
            domain_label = security.ssidref2label(security.NULL_SSIDREF)
        except:
            import traceback
            traceback.print_exc(limit=1)
            return 0
        domain_policy = 'NULL'
    elif not domain_label:
        domain_label = ""
        domain_policy = 'NULL'

    if verbose:
        print "Checking resources:"

    # build a list of all resources in the config file
    resources = []
    for x in sxp.children(config):
        if sxp.name(x) == 'device':
            if sxp.name(sxp.child0(x)) == 'vbd':
                resources.append(sxp.child_value(sxp.child0(x), 'uname'))

    # perform a security check on each resource
    for resource in resources:
        try:
            security.res_security_check(resource, domain_label)
            if verbose:
                print "   %s: PERMITTED" % (resource)

        except security.XSMError:
            print "   %s: DENIED" % (resource)
            (poltype, res_label, res_policy) = security.get_res_label(resource)
            if not res_label:
                res_label = ""
            print "   --> res: %s (%s:%s)" % (str(res_label), str(poltype),
                                              str(res_policy))
            print "   --> dom: %s (%s:%s)" % (str(domain_label), str(poltype),
                                              str(domain_policy))

            answer = 0

    return answer
Пример #3
0
def check_domain_label(config, verbose):
    """All that we need to check here is that the domain label exists and
       is not null when security is on.  Other error conditions are
       handled when the config file is parsed.
    """
    answer = 0
    default_label = None
    secon = 0
    if security.on():
        default_label = security.ssidref2label(security.NULL_SSIDREF)
        secon = 1

    # get the domain acm_label
    dom_label = None
    dom_name = None
    for x in sxp.children(config):
        if sxp.name(x) == 'security':
            dom_label = sxp.child_value(sxp.name(sxp.child0(x)), 'label')
        if sxp.name(x) == 'name':
            dom_name = sxp.child0(x)

    # sanity check on domain label
    if verbose:
        print "Checking domain:"
    if (not secon) and (not dom_label):
        answer = 1
        if verbose:
            print "   %s: PERMITTED" % (dom_name)
    elif (secon) and (dom_label) and (dom_label != default_label):
        answer = 1
        if verbose:
            print "   %s: PERMITTED" % (dom_name)
    else:
        print "   %s: DENIED" % (dom_name)
        if not secon:
            print "   --> Security off, but domain labeled"
        else:
            print "   --> Domain not labeled"
        answer = 0

    return answer
Пример #4
0
def check_domain_label(config, verbose):
    """All that we need to check here is that the domain label exists and
       is not null when security is on.  Other error conditions are
       handled when the config file is parsed.
    """
    answer = 0
    default_label = None
    secon = 0
    if security.on():
        default_label = security.ssidref2label(security.NULL_SSIDREF)
        secon = 1

    # get the domain acm_label
    dom_label = None
    dom_name = None
    for x in sxp.children(config):
        if sxp.name(x) == 'security':
            dom_label = sxp.child_value(sxp.name(sxp.child0(x)), 'label')
        if sxp.name(x) == 'name':
            dom_name = sxp.child0(x)

    # sanity check on domain label
    if verbose:
        print "Checking domain:"
    if (not secon) and (not dom_label):
        answer = 1
        if verbose:
            print "   %s: PERMITTED" % (dom_name)
    elif (secon) and (dom_label) and (dom_label != default_label):
        answer = 1
        if verbose:
            print "   %s: PERMITTED" % (dom_name)
    else:
        print "   %s: DENIED" % (dom_name)
        if not secon:
            print "   --> Security off, but domain labeled"
        else:
            print "   --> Domain not labeled"
        answer = 0

    return answer
Пример #5
0
def findImageHandlerClass(image):
    """Find the image handler class for an image config.

    @param image config
    @return ImageHandler subclass or None
    """
    ty = sxp.name(image)
    if ty is None:
        raise VmError('missing image type')
    imageClass = imageHandlerClasses.get(ty)
    if imageClass is None:
        raise VmError('unknown image type: ' + ty)
    return imageClass
Пример #6
0
 def dispatch(self, req):
     op_name = sxp.name(req)
     op_method_name = self.opname(op_name)
     op_method = getattr(self, op_method_name, self.operror)
     return op_method(op_name, req)
Пример #7
0
 def dispatch(self, req):
     op_name = sxp.name(req)
     op_method_name = self.opname(op_name)
     op_method = getattr(self, op_method_name, self.operror)
     return op_method(op_name, req)
Пример #8
0
class XendClientProtocol:
    """Abstract class for xend clients.
    """
    def xendRequest(self, url, method, args=None):
        """Make a request to xend.
        Implement in a subclass.

        @param url:    xend request url
        @param method: http method: POST or GET
        @param args:   request arguments (dict)
        """
        raise NotImplementedError()

    def xendGet(self, url, args=None):
        """Make a xend request using HTTP GET.
        Requests using GET are usually 'safe' and may be repeated without
        nasty side-effects.

        @param url:    xend request url
        @param data:   request arguments (dict)
        """
        return self.xendRequest(url, "GET", args)

    def xendPost(self, url, args):
        """Make a xend request using HTTP POST.
        Requests using POST potentially cause side-effects, and should
        not be repeated unless you really want to repeat the side
        effect.

        @param url:    xend request url
        @param args:   request arguments (dict)
        """
        return self.xendRequest(url, "POST", args)

    def handleStatus(self, _, status, message):
        """Handle the status returned from the request.
        """
        status = int(status)
        if status in [HTTP_NO_CONTENT]:
            return None
        if status not in [HTTP_OK, HTTP_CREATED, HTTP_ACCEPTED]:
            return self.handleException(XendError(message))
        return 'ok'

    def handleResponse(self, data):
        """Handle the data returned in response to the request.
        """
        if data is None: return None
        typ = self.getHeader('Content-Type')
        if typ != sxp.mime_type:
            return data
        try:
            pin = sxp.Parser()
            pin.input(data)
            pin.input_eof()
            val = pin.get_val()
        except sxp.ParseError, err:
            return self.handleException(err)
        if isinstance(val, types.ListType) and sxp.name(val) == 'xend.err':
            err = XendError(val[1])
            return self.handleException(err)
        return val