debuggers.hg

view tools/python/xen/xm/rmlabel.py @ 16559:5255eac35270

Implement legacy XML-RPC interface for ACM commands.

This patch implements a (non Xen-API) legacy XML-RPC interface for the
ACM commands and funnels the calls into code introduced by the Xen-API
support for ACM security management. Since some of the functionality
has changed, the xm applications have changed as well. In particular, the
following old commands have been removed, along with some tools that
have become obsolete:

- loadpolicy (included in: setpolicy)
- makepolicy (included in: setpolicy)
- cfgbootpolicy (included in: setpolicy)

and the following commands have been introduced:

- setpolicy
- getpolicy
- resetpolicy

All tools have been adapted to work in Xen-API and legacy XML-RPC
mode. Both modes support the same functionality.

Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
author Keir Fraser <keir.fraser@citrix.com>
date Wed Dec 05 09:44:20 2007 +0000 (2007-12-05)
parents ceb195042ca7
children 23f9857f642f
1 #============================================================================
2 # This library is free software; you can redistribute it and/or
3 # modify it under the terms of version 2.1 of the GNU Lesser General Public
4 # License as published by the Free Software Foundation.
5 #
6 # This library is distributed in the hope that it will be useful,
7 # but WITHOUT ANY WARRANTY; without even the implied warranty of
8 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
9 # Lesser General Public License for more details.
10 #
11 # You should have received a copy of the GNU Lesser General Public
12 # License along with this library; if not, write to the Free Software
13 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
14 #============================================================================
15 # Copyright (C) 2006 International Business Machines Corp.
16 # Author: Bryan D. Payne <bdpayne@us.ibm.com>
17 #============================================================================
19 """Remove a label from a domain configuration file or a resource.
20 """
21 import os
22 import re
23 import sys
24 import xen.util.xsm.xsm as security
25 from xen.util import xsconstants
26 from xen.util.acmpolicy import ACM_LABEL_UNLABELED
27 from xen.xm.opts import OptionError
28 from xen.xm import main as xm_main
29 from xen.xm.main import server
def help():
    """Return the usage text for 'xm rmlabel'.

    The text lists one example invocation per target type (dom, res, mgt,
    vif-<idx>) followed by a short description of what the command does.
    """
    return """
    Example: xm rmlabel dom <configfile>
             xm rmlabel res <resource>
             xm rmlabel mgt <domain name>
             xm rmlabel vif-<idx> <domain name>

    This program removes an acm_label entry from the 'configfile'
    for a domain, the label from a Xend-managed domain or a resources
    or from the network interface of a Xend-managed domain (requires
    xm to be used in Xen-API mode). If the label does not exist for
    the given domain or resource, then rmlabel fails and reports an error.
    """
def rm_resource_label(resource):
    """Remove the security label from a resource.

    In Xen-API mode the current label is read with
    XSPolicy.get_resource_label and cleared with
    XSPolicy.set_resource_label, which is given the label that was just
    read as its third argument.  In legacy mode the xend security
    interface is used instead and the return code of set_resource_label
    is compared with xsconstants.XSERR_SUCCESS.

    Raises security.XSMError when the resource carries no label or the
    label cannot be removed.
    """
    if xm_main.serverType != xm_main.SERVER_XEN_API:
        # Legacy XML-RPC path.
        current = server.xend.security.get_resource_label(resource)
        if len(current) == 0:
            raise security.XSMError("Resource not labeled")
        rc = server.xend.security.set_resource_label(resource, "", "", "")
        if rc != xsconstants.XSERR_SUCCESS:
            # The error code is negated before it is turned into text.
            reason = xsconstants.xserr2string(-rc)
            raise security.XSMError("An error occurred removing the "
                                    "label: %s" % reason)
        return

    # Xen-API path.  Everything raised inside the try block, including the
    # "Resource not labeled" error below, is caught by the broad handler
    # and re-raised with the "Could not remove label" prefix.
    try:
        current = server.xenapi.XSPolicy.get_resource_label(resource)
        if current == "":
            raise security.XSMError("Resource not labeled")
        server.xenapi.XSPolicy.set_resource_label(resource, "", current)
    except Exception, e:
        raise security.XSMError("Could not remove label "
                                "from resource: %s" % e)
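def rm_domain_label(configfile):
    """Comment out the access_control entry of a domain configuration file.

    configfile is opened as given when it starts with '/'; otherwise it is
    looked up in the current directory and then in /etc/xen.  Every line
    from the one that starts with 'access_control =' (case-insensitive) up
    to and including the first line containing "']" is prefixed with '#',
    and the file is then rewritten in place.

    Raises OptionError when a relative name is found in neither directory
    and security.XSMError when the file has no access_control entry.  An
    absolute path that cannot be opened raises whatever open() raises.
    """
    fd = None
    fil = None
    # startswith() rather than configfile[0], so that an empty name is
    # reported as "not found" instead of failing with IndexError.
    if configfile.startswith('/'):
        fil = configfile
        fd = open(fil, "rb")
    else:
        # NOTE(review): relative names resolve against the current
        # directory before /etc/xen, so the file that gets edited depends
        # on where xm is run from.
        for prefix in [".", "/etc/xen"]:
            fil = prefix + "/" + configfile
            if os.path.isfile(fil):
                fd = open(fil, "rb")
                break
    if not fd:
        raise OptionError("Configuration file '%s' not found." % configfile)

    # Read the file, commenting out the access_control entry.
    ac_entry_re = re.compile(r"^access_control\s*=.*", re.IGNORECASE)
    ac_exit_re = re.compile(r".*'\].*")
    new_lines = []
    in_entry = False
    removed = False
    try:
        for line in fd.readlines():
            if ac_entry_re.match(line):
                in_entry = True
            if in_entry:
                removed = True
                line = "#" + line
                if ac_exit_re.match(line):
                    in_entry = False
            new_lines.append(line)
    finally:
        # Close the handle even when reading fails.
        fd.close()
    # NOTE(review): if no line containing "']" follows the entry (for
    # example a double-quoted value), in_entry is still set here and every
    # line after the entry has been commented out as well.

    # Report an error if there was nothing to remove.
    if not removed:
        raise security.XSMError('Domain not labeled')

    # Write the data back out.  "wb" truncates the file before the new
    # contents are written, so a failed write leaves a partial file.
    fd = open(fil, "wb")
    try:
        fd.write("".join(new_lines))
    finally:
        fd.close()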
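def rm_domain_label_xapi(domain):
    """Remove the security label from a Xend-managed domain.

    Legacy mode: the label is read with xend.security.get_domain_label.
    It is removed only when it is non-empty and its third colon-separated
    field (empty when the label does not have exactly three fields)
    differs from ACM_LABEL_UNLABELED; a success message is then printed.

    Xen-API mode: the name must resolve to exactly one VM.  Any non-empty
    label is removed; nothing is printed on success.

    Raises OptionError when the name matches no VM or more than one VM
    (Xen-API mode), and security.XSMError when the domain is not labeled
    or, in Xen-API mode, when any call inside the try block fails.
    """
    if xm_main.serverType != xm_main.SERVER_XEN_API:
        old_lab = server.xend.security.get_domain_label(domain)

        vmlabel = ""
        if old_lab != "":
            fields = old_lab.split(":")
            if len(fields) == 3:
                vmlabel = fields[2]

        if old_lab != "" and vmlabel != ACM_LABEL_UNLABELED:
            # NOTE(review): the result of set_domain_label is not checked
            # before success is reported - confirm how it signals failure.
            server.xend.security.set_domain_label(domain, "", old_lab)
            print "Successfully removed label from domain %s." % domain
        else:
            raise security.XSMError("Domain was not labeled.")
    else:
        uuids = server.xenapi.VM.get_by_name_label(domain)
        if len(uuids) == 0:
            raise OptionError('A VM with that name does not exist.')
        if len(uuids) != 1:
            raise OptionError('Too many domains with the same name.')
        uuid = uuids[0]
        try:
            old_lab = server.xenapi.VM.get_security_label(uuid)
            # The label used to be split into fields here as well, but the
            # result was never read, so that dead code has been dropped.
            # NOTE(review): unlike the legacy branch, a label whose third
            # field is ACM_LABEL_UNLABELED is not treated as "not labeled"
            # here, and the result of set_security_label is not checked
            # (rm_vif_label does check it) - confirm both are intended.
            if old_lab != "":
                server.xenapi.VM.set_security_label(uuid, "", old_lab)
            else:
                raise security.XSMError("Domain was not labeled.")
        except Exception, e:
            raise security.XSMError('Could not remove label from domain: %s' % e)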
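def rm_vif_label(vmname, idx):
    """Remove the security label from one network interface of a VM.

    Only available in Xen-API mode.  vmname must resolve to exactly one
    VM and idx must be a valid index into the list returned by
    VM.get_VIFs.  The current label is read and then cleared with
    VIF.set_security_label, whose integer result must be 0; a success
    message is then printed.

    Raises OptionError when xm is not in Xen-API mode, the VM name matches
    no VM or more than one VM, or the index is out of range.  Raises
    security.XSMError when the VIF cannot be looked up, is not labeled, or
    the label cannot be removed.
    """
    if xm_main.serverType != xm_main.SERVER_XEN_API:
        raise OptionError('Need to be configure for using xen-api.')
    vm_refs = server.xenapi.VM.get_by_name_label(vmname)
    if len(vm_refs) == 0:
        raise OptionError('A VM with the name %s does not exist.' %
                          vmname)
    # Refuse an ambiguous name instead of silently acting on the first
    # match; rm_domain_label_xapi rejects duplicate names the same way.
    if len(vm_refs) != 1:
        raise OptionError('Too many domains with the same name.')
    vif_refs = server.xenapi.VM.get_VIFs(vm_refs[0])
    # A negative index would pass the length check and select a VIF
    # counted from the end of the list, so reject it here as well.
    if idx < 0 or len(vif_refs) <= idx:
        raise OptionError("Bad VIF index.")
    vif_ref = server.xenapi.VIF.get_by_uuid(vif_refs[idx])
    if not vif_ref:
        raise security.XSMError("A VIF with this UUID does not exist.")
    # Every error raised inside the try block, including the two XSMErrors
    # below, is caught by the broad handler and re-raised with the
    # "Could not remove the label from the VIF: " prefix.
    try:
        old_lab = server.xenapi.VIF.get_security_label(vif_ref)
        if old_lab != "":
            rc = server.xenapi.VIF.set_security_label(vif_ref, "", old_lab)
            if int(rc) != 0:
                raise security.XSMError("Could not remove the label from"
                                        " the VIF.")
            else:
                print "Successfully removed the label from the VIF."
        else:
            raise security.XSMError("VIF is not labeled.")
    except Exception, e:
        raise security.XSMError("Could not remove the label from the VIF: %s" %
                                str(e))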
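def main(argv):
    """Dispatch 'xm rmlabel <type> <target>' to the matching handler.

    argv must hold exactly three items: the program name, the target type
    and the target.  The type is matched case-insensitively:

      dom        argv[2] is a domain configuration file
      mgt        argv[2] is the name of a Xend-managed domain
      vif-<idx>  argv[2] is a VM name, <idx> a non-negative VIF index
      res        argv[2] is a resource

    Raises OptionError for a wrong argument count, an unknown type or a
    VIF index that is not a non-negative integer; errors raised by the
    handlers propagate unchanged.
    """
    if len(argv) != 3:
        raise OptionError('Requires 2 arguments')

    kind = argv[1].lower()
    target = argv[2]

    if kind == "dom":
        rm_domain_label(target)
    elif kind == "mgt":
        rm_domain_label_xapi(target)
    elif kind.startswith("vif-"):
        # Catch only the conversion error.  The earlier bare 'raise' with
        # no active exception plus a bare 'except:' reached the same
        # OptionError by accident and also caught unrelated exceptions
        # such as KeyboardInterrupt.
        try:
            idx = int(argv[1][4:])
        except ValueError:
            raise OptionError("Bad VIF device index.")
        if idx < 0:
            raise OptionError("Bad VIF device index.")
        rm_vif_label(target, idx)
    elif kind == "res":
        rm_resource_label(target)
    else:
        raise OptionError('Unrecognised type argument: %s' % argv[1])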
if __name__ == '__main__':
    # Script entry point: run main() on the command line and turn any
    # exception into a one-line message on stderr and a failing exit.
    try:
        main(sys.argv)
    except Exception, e:
        message = 'Error: %s\n' % str(e)
        sys.stderr.write(message)
        sys.exit(-1)