changeset 16619:433f6a6a862a
xend, acm: Extend Xen-API with function to reset the policy
This patch extends the Xen-API and the legacy XML-RPC interface with a
function to reset the policy on the system (through an update with the
default policy). I adapted the code in 'xm resetpolicy' to use this
now.
This patch also extends libxen and the documentation to reflect the
new function.
Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
This patch extends the Xen-API and the legacy XML-RPC interface with a
function to reset the policy on the system (through an update with the
default policy). I adapted the code in 'xm resetpolicy' to use this
now.
This patch also extends libxen and the documentation to reflect the
new function.
Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
author | Keir Fraser <keir.fraser@citrix.com> |
---|---|
date | Wed Dec 12 09:57:55 2007 +0000 (2007-12-12) |
parents | dad243d08849 |
children | 96cdf88ba9ff |
files | docs/xen-api/xenapi-datamodel.tex tools/libxen/include/xen/api/xen_xspolicy.h tools/libxen/src/xen_xspolicy.c tools/python/xen/util/acmpolicy.py tools/python/xen/util/xsm/acm/acm.py tools/python/xen/util/xsm/dummy/dummy.py tools/python/xen/xend/XendXSPolicy.py tools/python/xen/xend/XendXSPolicyAdmin.py tools/python/xen/xm/resetpolicy.py |
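--- a/docs/xen-api/xenapi-datamodel.tex
+++ b/docs/xen-api/xenapi-datamodel.tex
@@ -14735,6 +14735,45 @@ xs\_policystate
 State information about the policy. In case an error occurred, the 'xs\_err'
 field contains the error code. The 'errors' may contain further information
 about the error.
+ \vspace{0.3cm}
+\vspace{0.3cm}
+\vspace{0.3cm}
+\subsubsection{RPC name:~reset\_xspolicy}
+
+{\bf Overview:}
+Attempt to reset the system's policy by installing the default policy.
+Since this function is implemented as an update to the current policy, it
+underlies the same restrictions. This function may fail if for example
+other domains than Domain-0 are running and use a different label than
+Domain-0
+
+\noindent {\bf Signature:}
+\begin{verbatim} xs_policystate reset_xspolicy (session_id s, xs_type type)
+\end{verbatim}
+
+\noindent{\bf Arguments:}
+
+\vspace{0.3cm}
+
+\begin{tabular}{|c|c|p{7cm}|}
+ \hline
+{\bf type} & {\bf name} & {\bf description} \\ \hline
+{\tt xs\_type } & type & the type of policy \\ \hline
+
+\end{tabular}
+
+\vspace{0.3cm}
+
+
+ \noindent {\bf Return Type:}
+{\tt
+xs\_policystate
+}
+
+
+State information about the policy. In case an error occurred, the 'xs\_err'
+field contains the error code. The 'errors' may contain further information
+about the error.
 \vspace{0.3cm}
 \vspace{0.3cm}
 \vspace{0.3cm}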
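--- a/tools/libxen/include/xen/api/xen_xspolicy.h
+++ b/tools/libxen/include/xen/api/xen_xspolicy.h
@@ -240,6 +240,19 @@ xen_xspolicy_set_xspolicy(xen_session *s
                           bool overwrite);
 
 
+
+/**
+ * Attempt to reset the system's policy to the DEFAULT policy for the
+ * respective policy type. This is done by updating the system and therefore
+ * underlies the same restrictions of a policy update. This operation may
+ * for example fail if other domains than Domain-0 are running and have
+ * different labels than Domain-0.
+ */
+bool
+xen_xspolicy_reset_xspolicy(xen_session *session, xen_xs_policystate **result,
+                            xs_type type);
+
+
 /**
  * Remove any policy from having the system booted with.
  */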
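Review bot: The new comment on `xen_xspolicy_reset_xspolicy` explains the policy semantics but not the C call contract — nothing says what `*result` holds when the RPC fails or who owns it on success, even though the implementation in this same changeset does `*result = NULL;` before issuing the call. I would add to the comment `* On failure the session error state is set and *result is left NULL.` and `* On success *result points to a policystate allocated for the caller, who must free it.` — the second sentence is my reading of how libxen hands back result objects and should be checked against the free routine for xen_xs_policystate before it goes in.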
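--- a/tools/libxen/src/xen_xspolicy.c
+++ b/tools/libxen/src/xen_xspolicy.c
@@ -225,6 +225,24 @@ xen_xspolicy_set_xspolicy(xen_session *s
 
 
 bool
+xen_xspolicy_reset_xspolicy(xen_session *session, xen_xs_policystate **result,
+                            xs_type type)
+{
+    abstract_value param_values[] =
+        {
+            { .type = &abstract_type_int,
+              .u.int_val = type },
+        };
+
+    abstract_type result_type = xen_xs_policystate_abstract_type_;
+
+    *result = NULL;
+    XEN_CALL_("XSPolicy.reset_xspolicy");
+    return session->ok;
+}
+
+
+bool
 xen_xspolicy_get_xspolicy(xen_session *session, xen_xs_policystate **result)
 {
     abstract_value param_values[] =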
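--- a/tools/python/xen/util/acmpolicy.py
+++ b/tools/python/xen/util/acmpolicy.py
@@ -86,7 +86,7 @@ DEFAULT_policy = \
 " <SecurityLabelTemplate>\n" +\
 " <SubjectLabels bootstrap=\"SystemManagement\">\n" +\
 " <VirtualMachineLabel>\n" +\
-" <Name>SystemManagement</Name>\n" +\
+" <Name%s>SystemManagement</Name>\n" +\
 " <SimpleTypeEnforcementTypes>\n" +\
 " <Type>SystemManagement</Type>\n" +\
 " </SimpleTypeEnforcementTypes>\n" +\
@@ -99,8 +99,11 @@ DEFAULT_policy = \
 "</SecurityPolicyDefinition>\n"
 
 
-def get_DEFAULT_policy():
-    return DEFAULT_policy
+def get_DEFAULT_policy(dom0label=""):
+    fromnode = ""
+    if dom0label != "":
+        fromnode = " from=\"%s\"" % dom0label
+    return DEFAULT_policy % fromnode
 
 def initialize():
     xoptions = XendOptions.instance()
@@ -375,6 +378,12 @@ class ACMPolicy(XSPolicy):
 
     force_default_policy = classmethod(force_default_policy)
 
+    def get_reset_policy_xml(klass):
+        dom0_label = security.get_ssid(0)[1]
+        return get_DEFAULT_policy(dom0_label)
+
+    get_reset_policy_xml = classmethod(get_reset_policy_xml)
+
     def __do_update_version_check(self, acmpol_new):
         acmpol_old = self
 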
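Review bot: `get_DEFAULT_policy` splices `dom0label` into an XML attribute with plain `%` formatting and no escaping, so a label containing `"`, `&` or `<` yields a malformed policy document instead of a clean XSERR result; `from xml.sax.saxutils import quoteattr` and `fromnode = " from=%s" % quoteattr(dom0label)` is the two-line fix. Separately, `get_reset_policy_xml` now emits the `from=` rename whenever Dom0 carries any label, while the `xm`-side helper this changeset removes skipped it when the label was already `SystemManagement`; whether the update path accepts the self-rename `<Name from="SystemManagement">SystemManagement</Name>` I cannot tell from here, so either restore the skip (`if dom0label not in ("", "SystemManagement"):`) or note in a comment that a self-rename is tolerated. I am also assuming `security.get_ssid(0)[1]` returns the bare label name without the `type:policy:` prefix that the old `xm` code split off — a one-line comment confirming that would save the next reader the same question.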
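--- a/tools/python/xen/util/xsm/acm/acm.py
+++ b/tools/python/xen/util/xsm/acm/acm.py
@@ -86,6 +86,7 @@ xmlrpc_exports = [
     'list_labels',
     'get_labeled_resources',
     'set_policy',
+    'reset_policy',
     'get_policy',
     'activate_policy',
     'rm_bootpolicy',
@@ -567,6 +568,20 @@ def set_policy(xs_type, xml, flags, over
         err(str(e))
 
 
+def reset_policy():
+    """
+    Xend exports this function via XML-RPC
+    """
+    from xen.xend import XendXSPolicyAdmin
+    xspoladmin = XendXSPolicyAdmin.XSPolicyAdminInstance()
+    try:
+        acmpol, rc, errors = \
+            xspoladmin.reset_acmpolicy()
+        return rc, base64.b64encode(errors)
+    except Exception, e:
+        err(str(e))
+
+
 def get_policy():
     """
     Xend exports this function via XML-RPC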
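Review bot: In `reset_policy` the first element of the tuple from `reset_acmpolicy()` is bound to `acmpol` and never used, which reads as if something were forgotten; `_, rc, errors = xspoladmin.reset_acmpolicy()` makes it explicit that the XML-RPC caller only gets the return code and the base64-encoded error blob. The docstring is the same one-liner as `set_policy` and could say what the caller actually receives: `"""Xend exports this function via XML-RPC. Reset the ACM policy to DEFAULT; returns (rc, base64-encoded errors)."""`. Unlike `set_policy`, this entry point takes no type or flags, so it is worth stating there that both are fixed on the xend side.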
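--- a/tools/python/xen/util/xsm/dummy/dummy.py
+++ b/tools/python/xen/util/xsm/dummy/dummy.py
@@ -21,6 +21,7 @@ xmlrpc_exports = [
     'list_labels',
     'get_labeled_resources',
     'set_policy',
+    'reset_policy',
     'get_policy',
     'activate_policy',
     'rm_bootpolicy',
@@ -102,6 +103,9 @@ def get_labeled_resources():
 def set_policy(xs_type, xml, flags, overwrite):
     err("Command not supported under xsm 'dummy' module.")
 
+def reset_policy():
+    err("Command not supported under xsm 'dummy' module.")
+
 def get_policy():
     return "", 0
 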
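--- a/tools/python/xen/xend/XendXSPolicy.py
+++ b/tools/python/xen/xend/XendXSPolicy.py
@@ -43,6 +43,7 @@ class XendXSPolicy(XendBase):
     def getFuncs(self):
         funcs = [ 'get_xstype',
                   'set_xspolicy',
+                  'reset_xspolicy',
                   'get_xspolicy',
                   'rm_xsbootpolicy',
                   'get_resource_label',
@@ -104,6 +105,36 @@ class XendXSPolicy(XendBase):
             raise SecurityError(-xsconstants.XSERR_POLICY_TYPE_UNSUPPORTED)
         return polstate
 
+
+    def reset_xspolicy(self, xstype):
+        xstype = int(xstype)
+        polstate = { 'xs_ref': "", 'repr' : "", 'type' : 0,
+                     'flags' : 0 , 'version': 0 , 'errors' : "", 'xserr' : 0 }
+        if xstype == xsconstants.XS_POLICY_ACM:
+            poladmin = XSPolicyAdminInstance()
+            try:
+                (xspol, rc, errors) = poladmin.reset_acmpolicy()
+                if rc != 0:
+                    polstate.update( { 'xserr' : rc,
+                                       'errors': base64.b64encode(errors) } )
+                else:
+                    ref = xspol.get_ref()
+                    polstate = {
+                      'xs_ref' : ref,
+                      'flags'  : poladmin.get_policy_flags(xspol),
+                      'type'   : xstype,
+                      'repr'   : "",
+                      'version': xspol.get_version(),
+                      'errors' : base64.b64encode(errors),
+                      'xserr'  : rc,
+                    }
+            except Exception, e:
+                raise
+        else:
+            raise SecurityError(-xsconstants.XSERR_POLICY_TYPE_UNSUPPORTED)
+        return polstate
+
+
     def activate_xspolicy(self, flags):
         flags = int(flags)
         rc = -xsconstants.XSERR_GENERAL_FAILURE
@@ -162,6 +193,7 @@ class XendXSPolicy(XendBase):
     get_xstype = classmethod(get_xstype)
     get_xspolicy = classmethod(get_xspolicy)
     set_xspolicy = classmethod(set_xspolicy)
+    reset_xspolicy = classmethod(reset_xspolicy)
     rm_xsbootpolicy = classmethod(rm_xsbootpolicy)
     set_resource_label = classmethod(set_resource_label)
     get_resource_label = classmethod(get_resource_label)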
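Review bot: The `try:` / `except Exception, e: raise` around `poladmin.reset_acmpolicy()` in `reset_xspolicy` is a no-op — it re-raises the exception unchanged and `e` is never used — so the block should either lose the wrapper entirely or do something with the failure, such as folding it into the returned state (`polstate.update({'xserr': -xsconstants.XSERR_GENERAL_FAILURE, 'errors': base64.b64encode(str(e))})`) so Xen-API clients get a policystate rather than a transport-level fault. Also note `int(xstype)` runs before any check, so a non-numeric `xstype` surfaces as a bare `ValueError` instead of `XSERR_POLICY_TYPE_UNSUPPORTED`. The method has no docstring; `"""Reset the policy of type xstype to DEFAULT and return the resulting policystate dict (xserr != 0 on failure)."""` would match what the code does.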
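--- a/tools/python/xen/xend/XendXSPolicyAdmin.py
+++ b/tools/python/xen/xend/XendXSPolicyAdmin.py
@@ -179,6 +179,23 @@ class XSPolicyAdmin:
         self.xsobjs[ref] = acmpol
         return (acmpol, xsconstants.XSERR_SUCCESS, errors)
 
+
+    def reset_acmpolicy(self):
+        """
+        Attempt to reset the system's policy by udating it with
+        the DEFAULT policy.
+        """
+        from xen.xend import XendDomain
+        domains = XendDomain.instance()
+        try:
+            domains.domains_lock.acquire()
+            xml = ACMPolicy.get_reset_policy_xml()
+            flags = xsconstants.XS_INST_BOOT | xsconstants.XS_INST_LOAD
+            return self.__add_acmpolicy_to_system(xml, flags, True)
+        finally:
+            domains.domains_lock.release()
+
+
     def make_boot_policy(self, acmpol):
         if acmpol.is_default_policy():
             return xsconstants.XSERR_SUCCESS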
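Review bot: `reset_acmpolicy` calls `domains.domains_lock.acquire()` inside the `try`, so if the acquire ever raised, the `finally` would `release()` a lock this thread does not hold and mask the original error; the conventional shape is `domains.domains_lock.acquire()` on its own line followed by `try:` containing only the work. The hunk also hard-codes `XS_INST_BOOT | XS_INST_LOAD` and `overwrite=True`, whereas the `xm resetpolicy` code this changeset replaces passed its own `flags` to `set_xspolicy`; if that narrowing of choice is intended, the docstring should say so: `Installs the DEFAULT policy as both boot and loaded policy (XS_INST_BOOT|XS_INST_LOAD), overwriting the current one; callers cannot choose a subset.` While there, fix the typo `udating` → `updating`.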
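--- a/tools/python/xen/xm/resetpolicy.py
+++ b/tools/python/xen/xm/resetpolicy.py
@@ -26,40 +26,6 @@ from xen.xm.main import server
 from xen.util import xsconstants
 from xen.util.acmpolicy import ACMPolicy
 
-DOM0_UUID = "00000000-0000-0000-0000-000000000000"
-
-DEFAULT_policy_template = \
-"<?xml version=\"1.0\" ?>" +\
-"<SecurityPolicyDefinition xmlns=\"http://www.ibm.com\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:schemaLocation=\"http://www.ibm.com ../../security_policy.xsd\">" +\
-" <PolicyHeader>" +\
-" <PolicyName>DEFAULT</PolicyName>" +\
-" <Version>1.0</Version>" +\
-" </PolicyHeader>" +\
-" <SimpleTypeEnforcement>" +\
-" <SimpleTypeEnforcementTypes>" +\
-" <Type>SystemManagement</Type>" +\
-" </SimpleTypeEnforcementTypes>" +\
-" </SimpleTypeEnforcement>" +\
-" <ChineseWall>" +\
-" <ChineseWallTypes>" +\
-" <Type>SystemManagement</Type>" +\
-" </ChineseWallTypes>" +\
-" </ChineseWall>" +\
-" <SecurityLabelTemplate>" +\
-" <SubjectLabels bootstrap=\"SystemManagement\">" +\
-" <VirtualMachineLabel>" +\
-" <Name%s>SystemManagement</Name>" +\
-" <SimpleTypeEnforcementTypes>" +\
-" <Type>SystemManagement</Type>" +\
-" </SimpleTypeEnforcementTypes>" +\
-" <ChineseWallTypes>" +\
-" <Type/>" +\
-" </ChineseWallTypes>" +\
-" </VirtualMachineLabel>" +\
-" </SubjectLabels>" +\
-" </SecurityLabelTemplate>" +\
-"</SecurityPolicyDefinition>"
-
 
 def help():
     return """
@@ -69,16 +35,6 @@ def help():
            since otherwise this operation will fail.
     """
 
-def get_reset_policy_xml(dom0_seclab):
-    if dom0_seclab == "":
-        return DEFAULT_policy_template % ""
-    else:
-        poltyp, policy, label = dom0_seclab.split(":")
-        if label != "SystemManagement":
-            return DEFAULT_policy_template % \
-                   (" from=\"%s\"" % label)
-        else:
-            return DEFAULT_policy_template % ""
 
 def resetpolicy():
     msg = None
@@ -99,13 +55,8 @@ def resetpolicy():
            not acmpol.is_default_policy():
             msg = "Old policy not found in bootloader file."
 
-    seclab = server.xenapi.VM.get_security_label(DOM0_UUID)
-    xml = get_reset_policy_xml(seclab)
     try:
-        policystate = server.xenapi.XSPolicy.set_xspolicy(xs_type,
-                                                          xml,
-                                                          flags,
-                                                          True)
+        policystate = server.xenapi.XSPolicy.reset_xspolicy(xs_type)
     except Exception, e:
         raise security.XSMError("An error occurred resetting the "
                                 "policy: %s" % str(e))
@@ -130,14 +81,7 @@ def resetpolicy():
            not acmpol.is_default_policy():
             msg = "Old policy not found in bootloader file."
 
-    seclab = server.xend.security.get_domain_label(0)
-    if seclab[0] == '\'':
-        seclab = seclab[1:]
-    xml = get_reset_policy_xml(seclab)
-    rc, errors = server.xend.security.set_policy(xs_type,
-                                                 xml,
-                                                 flags,
-                                                 True)
+    rc, errors = server.xend.security.reset_policy()
     if rc != xsconstants.XSERR_SUCCESS:
         raise security.XSMError("Could not reset the system's policy. "
                                 "Try to halt all guests.")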
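Review bot: After this change neither branch of `resetpolicy()` passes the locally computed `flags` to the server — `reset_xspolicy(xs_type)` and `reset_policy()` take none — so whatever `flags` the function derives earlier (that computation, like the start and end of `resetpolicy()`, lies outside these hunks) is now dead on both paths unless it is used elsewhere in the function. Either drop that computation or put a comment next to the new calls, e.g. `# install flags are fixed server-side: reset always installs DEFAULT as boot+loaded policy`, so the next reader does not assume the bootloader rewrite can be skipped from the client. The "Old policy not found in bootloader file." message that still precedes both calls is consistent with that server behaviour, but only if the comment makes the coupling visible.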