#============================================================================
# This library is free software; you can redistribute it and/or
# modify it under the terms of version 2.1 of the GNU Lesser General Public
# License as published by the Free Software Foundation.
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#============================================================================
# Copyright (c) 2007 IBM Corporation
# Copyright (c) 2006 Xensource
#============================================================================
from xen.xend import XendDomain
from xen.xend.XendBase import XendBase
from xen.xend.XendError import *
from xen.xend.XendAPIConstants import *
from xen.xend.XendXSPolicyAdmin import XSPolicyAdminInstance
from xen.util import xsconstants
import xen.util.xsm.xsm as security
log = logging.getLogger("xend.XendXSPolicy")
30
log.setLevel(logging.TRACE)
class XendXSPolicy(XendBase):
""" Administration class for an XSPolicy. """
methods = ['activate_xspolicy']
return XendBase.getMethods() + methods
funcs = [ 'get_xstype',
'get_labeled_resources',
return XendBase.getFuncs() + funcs
getClass = classmethod(getClass)
58
getMethods = classmethod(getMethods)
59
getFuncs = classmethod(getFuncs)
def __init__(self, xspol, record, uuid):
""" xspol = actual XSPolicy object """
XendBase.__init__(self, uuid, record)
'uuid' : self.get_uuid(),
'flags' : XSPolicyAdminInstance().get_policy_flags(self.xspol),
'repr' : self.xspol.toxml(),
'type' : self.xspol.get_type(),
return XSPolicyAdminInstance().isXSEnabled()
def set_xspolicy(self, xstype, policy, flags, overwrite):
polstate = { 'xs_ref': "", 'repr' : "", 'type' : 0,
'flags' : 0 , 'version': 0 , 'errors' : "", 'xserr' : 0 }
if xstype == xsconstants.XS_POLICY_ACM:
poladmin = XSPolicyAdminInstance()
(xspol, rc, errors) = poladmin.add_acmpolicy_to_system(
polstate.update( { 'xserr' : rc,
'errors': base64.b64encode(errors) } )
'flags' : poladmin.get_policy_flags(xspol),
'version': xspol.get_version(),
'errors' : base64.b64encode(errors),
elif xstype == xsconstants.XS_POLICY_FLASK:
rc, errors = security.set_policy(xstype, policy);
polstate.update( { 'xserr' : -xsconstants.XSERR_POLICY_LOAD_FAILED,
polstate.update( { 'xserr' : xsconstants.XSERR_SUCCESS,
raise SecurityError(-xsconstants.XSERR_POLICY_TYPE_UNSUPPORTED)
def reset_xspolicy(self, xstype):
polstate = { 'xs_ref': "", 'repr' : "", 'type' : 0,
'flags' : 0 , 'version': 0 , 'errors' : "", 'xserr' : 0 }
if xstype == xsconstants.XS_POLICY_ACM:
poladmin = XSPolicyAdminInstance()
(xspol, rc, errors) = poladmin.reset_acmpolicy()
polstate.update( { 'xserr' : rc,
'errors': base64.b64encode(errors) } )
ref = xspol.get_ref()
'flags' : poladmin.get_policy_flags(xspol),
'version': xspol.get_version(),
'errors' : base64.b64encode(errors),
raise SecurityError(-xsconstants.XSERR_POLICY_TYPE_UNSUPPORTED)
def activate_xspolicy(self, flags):
rc = -xsconstants.XSERR_GENERAL_FAILURE
poladmin = XSPolicyAdminInstance()
rc = poladmin.activate_xspolicy(self.xspol, flags)
log.info("Activate_policy: %s" % str(e))
raise SecurityError(rc)
def get_xspolicy(self):
polstate = { 'xs_ref' : "",
poladmin = XSPolicyAdminInstance()
refs = poladmin.get_policies_refs()
# Will return one or no policy
if refs and len(refs) > 0:
xspol = XSPolicyAdminInstance().policy_from_ref(ref)
'repr' : xspol.toxml(),
'type' : xspol.get_type(),
'flags' : poladmin.get_policy_flags(xspol),
'version': xspol.get_version(),
def rm_xsbootpolicy(self):
    """Ask the policy admin singleton to remove the boot-time policy.

    Rebound as a classmethod further down in the class body, so 'self'
    is the class object when called through the Xen-API dispatch.
    No authorization check is performed in this wrapper; it is
    presumably the job of the Xen-API layer that calls it -- confirm.

    Raises:
        SecurityError: carrying the backend return code whenever it is
            anything other than xsconstants.XSERR_SUCCESS.
    """
    status = XSPolicyAdminInstance().rm_bootpolicy()
    if status == xsconstants.XSERR_SUCCESS:
        return None
    raise SecurityError(status)
def get_labeled_resources(self):
    """Return the XSM backend's labeled-resource listing in Xen-API form.

    Pure pass-through to security.get_labeled_resources_xapi(); nothing
    is filtered, validated or access-checked here.
    """
    labeled = security.get_labeled_resources_xapi()
    return labeled
def set_resource_label(self, resource, sec_lab, old_lab):
    """Relabel a resource through the XSM backend.

    Args:
        resource: resource identifier, handed to the backend unchanged.
        sec_lab: the new security label.
        old_lab: the label the caller believes is current.  It is passed
            straight to the backend, which presumably uses it as a
            compare-and-swap guard against concurrent relabeling --
            confirm in security.set_resource_label_xapi.

    Raises:
        SecurityError: with the backend return code when it is not
            xsconstants.XSERR_SUCCESS.
    """
    status = security.set_resource_label_xapi(resource, sec_lab, old_lab)
    if status == xsconstants.XSERR_SUCCESS:
        return None
    raise SecurityError(status)
def get_resource_label(self, resource):
res = security.get_resource_label_xapi(resource)
def can_run(self, sec_label):
    """Report whether a domain carrying sec_label could run under the
    active policy.

    The label is validated for the 'dom' resource class first.  A label
    that fails validation raises instead of being treated as "cannot
    run", so malformed input stays distinguishable from a policy denial.

    Raises:
        SecurityError: with the validation return code when it is not
            xsconstants.XSERR_SUCCESS.

    Returns:
        Whatever security.check_can_run(sec_label) returns.
    """
    status = security.validate_label_xapi(sec_label, 'dom')
    if status == xsconstants.XSERR_SUCCESS:
        return security.check_can_run(sec_label)
    raise SecurityError(status)
def getenforce(self):
    """Return the XSM backend's current enforcement mode (pass-through)."""
    mode = security.getenforce()
    return mode
def setenforce(self, mode):
    """Switch the XSM backend's enforcement mode; return the backend's result.

    'mode' is forwarded without any validation, so range checking is
    entirely up to security.setenforce().  Flipping enforcement is a
    privileged operation; access to it is presumably restricted at the
    Xen-API dispatch layer, which is not visible here -- confirm.
    """
    result = security.setenforce(mode)
    return result
get_xstype = classmethod(get_xstype)
217
get_xspolicy = classmethod(get_xspolicy)
218
set_xspolicy = classmethod(set_xspolicy)
219
reset_xspolicy = classmethod(reset_xspolicy)
220
rm_xsbootpolicy = classmethod(rm_xsbootpolicy)
221
set_resource_label = classmethod(set_resource_label)
222
get_resource_label = classmethod(get_resource_label)
223
get_labeled_resources = classmethod(get_labeled_resources)
224
can_run = classmethod(can_run)
225
getenforce = classmethod(getenforce)
226
setenforce = classmethod(setenforce)
class XendACMPolicy(XendXSPolicy):
""" Administration class of an ACMPolicy """
return XendXSPolicy.getAttrRO() + attrRO
funcs = [ 'get_enforced_binary', 'get_VM_ssidref' ]
return XendBase.getFuncs() + funcs
getClass = classmethod(getClass)
247
getAttrRO = classmethod(getAttrRO)
248
getFuncs = classmethod(getFuncs)
def __init__(self, acmpol, record, uuid):
""" acmpol = actual ACMPolicy object """
XendXSPolicy.__init__(self, acmpol, record, uuid)
def get_record(self):
'uuid' : self.get_uuid(),
'flags' : XSPolicyAdminInstance().get_policy_flags(self.acmpol),
'repr' : self.acmpol.toxml(),
'type' : self.acmpol.get_type(),
def get_header(self):
'policyname' : "", 'policyurl' : "", 'reference' : "",
'date' : "", 'namespaceurl' : "", 'version' : "",
header = self.acmpol.get_header_fields_map()
return self.acmpol.toxml()
return self.acmpol.get_map()
def get_binary(self):
    """Return this ACM policy's compiled (binary) form, base64-encoded.

    The raw bytes come from self.acmpol.get_bin(); they are base64
    encoded presumably so the value survives the XML-RPC based Xen-API
    transport, and the caller is expected to decode them.
    """
    raw = self.acmpol.get_bin()
    encoded = base64.b64encode(raw)
    return encoded
def get_VM_ssidref(self, vm_ref):
dom = XendDomain.instance().get_vm_by_uuid(vm_ref)
raise InvalidHandleError("VM", vm_ref)
if dom._stateGet() not in [ XEN_API_VM_POWER_STATE_RUNNING, \
XEN_API_VM_POWER_STATE_PAUSED ]:
raise VMBadState("Domain is not running or paused.")
ssid = security.get_ssid(dom.getDomid())
raise SecurityError(-xsconstants.XSERR_GENERAL_FAILURE)
def get_enforced_binary(self):
polbin = XSPolicyAdminInstance(). \
get_enforced_binary(xsconstants.XS_POLICY_ACM)
return base64.b64encode(polbin)
get_enforced_binary = classmethod(get_enforced_binary)
305
get_VM_ssidref = classmethod(get_VM_ssidref)