
view tools/python/xen/xm/resetpolicy.py @ 16559:5255eac35270

Implement legacy XML-RPC interface for ACM commands.

This patch implements a (non Xen-API) legacy XML-RPC interface for the
ACM commands and funnels the calls into code introduced by the Xen-API
support for ACM security management. Since some of the functionality
has changed, the xm applications have changed as well. In particular the
following old commands have been removed, along with some tools that
have now become obsolete:

- loadpolicy (included in: setpolicy)
- makepolicy (included in: setpolicy)
- cfgbootpolicy (included in: setpolicy)

and the following commands have been introduced:

- setpolicy
- getpolicy
- resetpolicy

All tools have been adapted to work in Xen-API and legacy XML-RPC
mode. Both modes support the same functionality.

Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
author Keir Fraser <keir.fraser@citrix.com>
date Wed Dec 05 09:44:20 2007 +0000 (2007-12-05)
parents
children 433f6a6a862a
1 #============================================================================
2 # This library is free software; you can redistribute it and/or
3 # modify it under the terms of version 2.1 of the GNU Lesser General Public
4 # License as published by the Free Software Foundation.
5 #
6 # This library is distributed in the hope that it will be useful,
7 # but WITHOUT ANY WARRANTY; without even the implied warranty of
8 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
9 # Lesser General Public License for more details.
10 #
11 # You should have received a copy of the GNU Lesser General Public
12 # License along with this library; if not, write to the Free Software
13 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
14 #============================================================================
15 # Copyright (C) 2007 International Business Machines Corp.
16 # Author: Stefan Berger <stefanb@us.ibm.com>
17 #============================================================================
18 """ Reset the system's current policy to the default state.
19 """
20 import sys
21 import xen.util.xsm.xsm as security
22 from xen.util.xsm.xsm import XSMError
23 from xen.xm.opts import OptionError
24 from xen.xm import main as xm_main
25 from xen.xm.main import server
26 from xen.util import xsconstants
27 from xen.util.acmpolicy import ACMPolicy
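# UUID under which dom0 is addressed through the Xen-API (VM.get_security_label).
DOM0_UUID = "00000000-0000-0000-0000-000000000000"

# The policy the system is reset to: a single SystemManagement type for both
# STE and Chinese Wall, with one bootstrap subject label of the same name.
# The only %s slot sits inside the <Name> element of that label;
# get_reset_policy_xml() fills it with "" or with a ' from="<old label>"'
# attribute (see there).
DEFAULT_policy_template = (
    '<?xml version="1.0" ?>'
    '<SecurityPolicyDefinition xmlns="http://www.ibm.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.ibm.com ../../security_policy.xsd">'
    ' <PolicyHeader>'
    ' <PolicyName>DEFAULT</PolicyName>'
    ' <Version>1.0</Version>'
    ' </PolicyHeader>'
    ' <SimpleTypeEnforcement>'
    ' <SimpleTypeEnforcementTypes>'
    ' <Type>SystemManagement</Type>'
    ' </SimpleTypeEnforcementTypes>'
    ' </SimpleTypeEnforcement>'
    ' <ChineseWall>'
    ' <ChineseWallTypes>'
    ' <Type>SystemManagement</Type>'
    ' </ChineseWallTypes>'
    ' </ChineseWall>'
    ' <SecurityLabelTemplate>'
    ' <SubjectLabels bootstrap="SystemManagement">'
    ' <VirtualMachineLabel>'
    ' <Name%s>SystemManagement</Name>'
    ' <SimpleTypeEnforcementTypes>'
    ' <Type>SystemManagement</Type>'
    ' </SimpleTypeEnforcementTypes>'
    ' <ChineseWallTypes>'
    ' <Type/>'
    ' </ChineseWallTypes>'
    ' </VirtualMachineLabel>'
    ' </SubjectLabels>'
    ' </SecurityLabelTemplate>'
    '</SecurityPolicyDefinition>'
)


def help():
    """Return the usage text for this command."""
    return """
Reset the system's policy to the default.

When the system's policy is reset, all guest VMs should be halted,
since otherwise this operation will fail.
"""


def get_reset_policy_xml(dom0_seclab):
    """Build the XML of the default policy the system is reset to.

    dom0_seclab is dom0's current security label: either "" (no label) or a
    string of the form "<policy type>:<policy name>:<label name>".

    If dom0 currently carries a label other than SystemManagement, the
    SystemManagement label of the generated policy gets a from="<label name>"
    attribute -- presumably so the policy engine can map dom0's old label onto
    the new one (confirm against the ACM policy schema).

    Raises ValueError if dom0_seclab is non-empty but does not have exactly
    three colon-separated parts (the original unpacking raised ValueError as
    well, just with a less helpful message).
    """
    from xml.sax.saxutils import quoteattr

    if dom0_seclab == "":
        return DEFAULT_policy_template % ""

    parts = dom0_seclab.split(":")
    if len(parts) != 3:
        raise ValueError("unexpected security label format: %r "
                         "(expected <type>:<policy>:<label>)" % (dom0_seclab,))
    label = parts[2]
    if label == "SystemManagement":
        return DEFAULT_policy_template % ""

    # The label name is copied from the running policy straight into an XML
    # attribute. quoteattr() supplies the surrounding quotes and escapes
    # &, <, > and quote characters, so a label containing any of them cannot
    # produce malformed (or differently structured) policy XML.
    return DEFAULT_policy_template % (" from=%s" % quoteattr(label))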
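def _stale_boot_policy_warning(now_flags, acmpol):
    """Return a warning if the policy being replaced is a non-default policy
    that is not installed in the bootloader, else None.

    now_flags are the XS_INST_* flags of the currently loaded policy, acmpol
    the ACMPolicy parsed from its XML.
    """
    # Parentheses are essential: `a & b == 0` parses as `a & (b == 0)`, which
    # is always 0, so without them this warning could never be produced.
    if (int(now_flags) & xsconstants.XS_INST_BOOT) == 0 and \
       not acmpol.is_default_policy():
        return "Old policy not found in bootloader file."
    return None


def _reset_policy_xenapi(xs_type, flags):
    """Reset the policy through the Xen-API.

    Returns the bootloader warning from _stale_boot_policy_warning() (or
    None). Raises security.XSMError if ACM is not a supported policy type,
    if set_xspolicy() raises, or if it reports an error status.
    """
    # Parenthesized on purpose -- see _stale_boot_policy_warning(); without
    # the parentheses this guard was dead code.
    if (int(server.xenapi.XSPolicy.get_xstype()) & xs_type) == 0:
        raise security.XSMError("ACM policy type not supported.")

    policystate = server.xenapi.XSPolicy.get_xspolicy()
    acmpol = ACMPolicy(xml=policystate['repr'])
    msg = _stale_boot_policy_warning(policystate['flags'], acmpol)

    seclab = server.xenapi.VM.get_security_label(DOM0_UUID)
    xml = get_reset_policy_xml(seclab)
    try:
        policystate = server.xenapi.XSPolicy.set_xspolicy(xs_type,
                                                          xml,
                                                          flags,
                                                          True)
    except Exception as e:
        raise security.XSMError("An error occurred resetting the "
                                "policy: %s" % str(e))

    if int(policystate['xserr']) != xsconstants.XSERR_SUCCESS:
        raise security.XSMError("Could not reset the system's policy. "
                                "Try to halt all guests.")
    return msg


def _reset_policy_legacy(xs_type, flags):
    """Reset the policy through the legacy (non Xen-API) XML-RPC interface.

    Returns the bootloader warning from _stale_boot_policy_warning() (or
    None). Raises security.XSMError if ACM is not a supported policy type
    or if set_policy() reports an error status.
    """
    # Parenthesized on purpose -- see _stale_boot_policy_warning(); without
    # the parentheses this guard was dead code.
    if (server.xend.security.get_xstype() & xs_type) == 0:
        raise security.XSMError("ACM policy type not supported.")

    xml, now_flags = server.xend.security.get_policy()
    acmpol = ACMPolicy(xml=xml)
    msg = _stale_boot_policy_warning(now_flags, acmpol)

    seclab = server.xend.security.get_domain_label(0)
    # The legacy interface may hand back the label with a leading quote
    # character; drop it. startswith() also copes with an empty label, where
    # indexing seclab[0] would raise IndexError.
    if seclab.startswith("'"):
        seclab = seclab[1:]
    xml = get_reset_policy_xml(seclab)
    rc, errors = server.xend.security.set_policy(xs_type, xml, flags, True)
    if rc != xsconstants.XSERR_SUCCESS:
        raise security.XSMError("Could not reset the system's policy. "
                                "Try to halt all guests.")
    return msg


def resetpolicy():
    """Reset the system's security policy to the default ACM policy.

    Dispatches on xm_main.serverType to the Xen-API or the legacy XML-RPC
    implementation; both load (XS_INST_LOAD) the policy built by
    get_reset_policy_xml() for dom0's current label. On success a message is
    printed, followed by a warning if the replaced policy was not installed
    in the bootloader. Raises security.XSMError when ACM is not supported or
    the reset fails (the error text suggests halting all guests first).
    """
    xs_type = xsconstants.XS_POLICY_ACM
    flags = xsconstants.XS_INST_LOAD

    if xm_main.serverType == xm_main.SERVER_XEN_API:
        msg = _reset_policy_xenapi(xs_type, flags)
    else:
        msg = _reset_policy_legacy(xs_type, flags)

    print("Successfully reset the system's policy.")
    if msg:
        print(msg)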
def main(argv):
    """Entry point for the resetpolicy command.

    argv is the full argument vector, argv[0] being the command itself; the
    command takes no further arguments, so any other length raises
    OptionError before the reset is attempted.
    """
    if len(argv) != 1:
        raise OptionError("No arguments expected.")

    resetpolicy()
if __name__ == '__main__':
    # Script entry: any failure is reported as a one-line message on stderr
    # and turned into a non-zero exit status.
    try:
        main(sys.argv)
    except Exception as err:
        sys.stderr.write('Error: %s\n' % str(err))
        sys.exit(-1)