def set_xspolicy(self, xstype, xml, flags, overwrite):
    """Install an XS policy of the given type from its XML text.

    xstype and flags are coerced with int() before anything else runs.
    Only xsconstants.XS_POLICY_ACM is acted on: the XML is handed to
    XSPolicyAdminInstance().add_acmpolicy_to_system() and the outcome is
    collected in a state dictionary with the keys 'xs_ref', 'repr',
    'type', 'flags', 'version', 'errors' and 'xserr'.  The 'errors' text
    is stored base64-encoded; 'repr' is left empty.

    NOTE(review): the visible code builds the state dictionary but never
    returns it, and does nothing for other policy types -- this listing
    may be cut short; confirm against the full file.
    NOTE(review): xml reaches the policy admin unmodified; presumably
    add_acmpolicy_to_system() validates it -- verify, since this call
    installs a system-wide access control policy.
    """
    ref = ""
    xstype = int(xstype)
    flags = int(flags)
    # Empty state; only overwritten or updated on the ACM path below.
    polstate = {
        'xs_ref': "",
        'repr': "",
        'type': 0,
        'flags': 0,
        'version': 0,
        'errors': "",
        'xserr': 0,
    }
    if xstype == xsconstants.XS_POLICY_ACM:
        poladmin = XSPolicyAdminInstance()
        try:
            outcome = poladmin.add_acmpolicy_to_system(xml, flags, overwrite)
            (xspol, rc, errors) = outcome
            if rc == 0:
                # Success: describe the policy that was just installed.
                ref = xspol.get_ref()
                policy_flags = poladmin.get_policy_flags(xspol)
                policy_version = xspol.get_version()
                encoded_errors = base64.b64encode(errors)
                polstate = {
                    'xs_ref': ref,
                    'flags': policy_flags,
                    'type': xstype,
                    'repr': "",
                    'version': policy_version,
                    'errors': encoded_errors,
                    'xserr': rc,
                }
            else:
                # Failure: keep the empty state, record the error code
                # and the error text.
                polstate.update({
                    'xserr': rc,
                    'errors': base64.b64encode(errors),
                })
        except Exception:
            # Every failure is passed to the caller unchanged.
            raise
def activate_xspolicy(self, flags):
    """Ask the policy admin to activate self.xspol with the given flags.

    flags is coerced with int().  The result code starts out as the
    negated xsconstants.XSERR_GENERAL_FAILURE and is replaced by whatever
    activate_xspolicy() on the policy admin returns.  An exception from
    that call is caught and written to the log at info level, which
    leaves the result code at its failure default.

    NOTE(review): nothing in the visible code returns or checks the
    result code, so a failed activation shows up only as an info-level
    log line -- this listing may be cut short; confirm that callers are
    told when activation of the security policy fails.
    """
    flags = int(flags)
    # Pessimistic default, kept if the activation call raises.
    rc = -xsconstants.XSERR_GENERAL_FAILURE
    admin = XSPolicyAdminInstance()
    try:
        rc = admin.activate_xspolicy(self.xspol, flags)
    except Exception, e:
        message = "Activate_policy: %s" % str(e)
        log.info(message)
def get_xspolicy(self):
    """Return a state dictionary for the policy known to the policy admin.

    The dictionary has the keys 'xs_ref', 'repr', 'type', 'flags',
    'version', 'errors' and 'xserr'.  When the admin reports no policy
    reference, or the first reference does not resolve to a policy, all
    fields keep their empty defaults.  Otherwise 'repr' carries the
    policy's XML from toxml(), and 'errors'/'xserr' are "" and 0.
    """
    empty_state = {
        'xs_ref': "",
        'repr': "",
        'type': 0,
        'flags': 0,
        'version': "",
        'errors': "",
        'xserr': 0,
    }
    poladmin = XSPolicyAdminInstance()
    refs = poladmin.get_policies_refs()
    # Will return one or no policy
    if not refs or not len(refs) > 0:
        return empty_state

    ref = refs[0]
    xspol = XSPolicyAdminInstance().policy_from_ref(ref)
    if not xspol:
        return empty_state

    xml_repr = xspol.toxml()
    policy_type = xspol.get_type()
    policy_flags = poladmin.get_policy_flags(xspol)
    policy_version = xspol.get_version()
    return {
        'xs_ref': ref,
        'repr': xml_repr,
        'type': policy_type,
        'flags': policy_flags,
        'version': policy_version,
        'errors': "",
        'xserr': 0,
    }
def get_record(self):
    """Return a dictionary describing self.xspol.

    Keys: 'uuid' (from self.get_uuid()), 'flags' (from the policy
    admin's get_policy_flags()), 'repr' (the policy's XML from toxml())
    and 'type' (from get_type()).
    """
    uuid = self.get_uuid()
    flags = XSPolicyAdminInstance().get_policy_flags(self.xspol)
    xml_repr = self.xspol.toxml()
    policy_type = self.xspol.get_type()
    return {
        'uuid': uuid,
        'flags': flags,
        'repr': xml_repr,
        'type': policy_type,
    }
def do_access_control(self, config):
    """Check whether the VM may use the device described by config.

    Raises VmError when access is denied.  The check compares the VM's
    security label with the 'security_label' entry of config:

    - No check is made when the device carries no label and the VM
      label maps to at most one STE.  This is the only path on which an
      unlabeled device is accepted.
    - A VM label with more than one STE requires a labeled device.
    - A labeled device requires a labeled VM.
    - With both labels present, security.res_security_check_xapi()
      decides; a result of 0 means denied.

    NOTE(review): only rc == 0 is treated as a denial.  If
    res_security_check_xapi() can also return a negative error code,
    that value would be accepted as "allowed" -- confirm its return
    contract.
    """
    domain_label = self.vm.get_security_label()
    stes = XSPolicyAdminInstance().get_stes_of_vmlabel(domain_label)
    res_label = config.get('security_label')

    # Nothing to enforce: unlabeled device and a VM with at most one STE.
    if len(stes) <= 1 and not res_label:
        return

    if not res_label:
        raise VmError("'VIF' must be labeled")

    details = security.security_label_to_details(res_label)
    (label, ssidref, policy) = details

    if not domain_label:
        raise VmError("VM must have a security label to access "
                      "network device")

    rc = security.res_security_check_xapi(label, ssidref, policy,
                                          domain_label)
    if rc == 0:
        raise VmError("VM's access to network device denied. "
                      "Check labeling")
def get_xstype(self):
    """Return what the policy admin's isXSEnabled() reports.

    NOTE(review): the method name suggests a policy type while the call
    is named like an enabled check -- presumably the value encodes the
    enabled policy type; verify against XSPolicyAdminInstance.
    """
    admin = XSPolicyAdminInstance()
    return admin.isXSEnabled()
def get_enforced_binary(self):
    """Return the enforced ACM policy binary, base64-encoded.

    The binary is fetched from the policy admin for
    xsconstants.XS_POLICY_ACM.  Returns None when the admin hands back
    nothing (or an empty value).
    """
    admin = XSPolicyAdminInstance()
    polbin = admin.get_enforced_binary(xsconstants.XS_POLICY_ACM)
    if not polbin:
        return None
    return base64.b64encode(polbin)
def rm_xsbootpolicy(self):
    """Remove the boot policy through the policy admin.

    Raises SecurityError carrying the admin's result code when that
    code is anything other than xsconstants.XSERR_SUCCESS, so a failed
    removal is never silently ignored.
    """
    rc = XSPolicyAdminInstance().rm_bootpolicy()
    if rc == xsconstants.XSERR_SUCCESS:
        return
    raise SecurityError(rc)