1
#============================================================================
2
# This library is free software; you can redistribute it and/or
3
# modify it under the terms of version 2.1 of the GNU Lesser General Public
4
# License as published by the Free Software Foundation.
6
# This library is distributed in the hope that it will be useful,
7
# but WITHOUT ANY WARRANTY; without even the implied warranty of
8
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
9
# Lesser General Public License for more details.
11
# You should have received a copy of the GNU Lesser General Public
12
# License along with this library; if not, write to the Free Software
13
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
14
#============================================================================
15
# Copyright (C) 2006 International Business Machines Corp.
16
# Author: Bryan D. Payne <bdpayne@us.ibm.com>
17
#============================================================================
19
"""Tests the security settings for a domain and its resources.
22
import xen.util.xsm.xsm as security
23
from xen.xm import create
24
from xen.xend import sxp
25
from xen.util import xsconstants
26
from xen.xm.opts import OptionError
30
This program checks each resource listed in the configfile
31
to see if the domain created by the configfile can access
32
the resources. The status of each resource is listed
33
individually along with the final security decision."""
36
def check_domain_label(config, verbose):
37
"""All that we need to check here is that the domain label exists and
38
is not null when security is on. Other error conditions are
39
handled when the config file is parsed.
44
if security.on() == xsconstants.XS_POLICY_ACM:
45
default_label = security.ssidref2label(security.NULL_SSIDREF)
48
# get the domain acm_label
51
for x in sxp.children(config):
52
if sxp.name(x) == 'security':
53
dom_label = sxp.child_value(sxp.name(sxp.child0(x)), 'label')
54
if sxp.name(x) == 'name':
55
dom_name = sxp.child0(x)
57
# sanity check on domain label
59
print "Checking domain:"
60
if (not secon) and (not dom_label):
63
print " %s: PERMITTED" % (dom_name)
64
elif (secon) and (dom_label) and (dom_label != default_label):
67
print " %s: PERMITTED" % (dom_name)
69
print " %s: DENIED" % (dom_name)
71
print " --> Security off, but domain labeled"
73
print " --> Domain not labeled"
78
def config_security_check(config, verbose):
79
"""Checks each resource listed in the config to see if the active
80
policy will permit creation of a new domain using the config.
81
Returns 1 if the config passes all tests, otherwise 0.
85
# get the domain acm_label
88
for x in sxp.children(config):
89
if sxp.name(x) == 'security':
90
domain_label = sxp.child_value(sxp.name(sxp.child0(x)), 'label')
91
domain_policy = sxp.child_value(sxp.name(sxp.child0(x)), 'policy')
93
# if no domain label, use default
94
if not domain_label and security.on() == xsconstants.XS_POLICY_ACM:
96
domain_label = security.ssidref2label(security.NULL_SSIDREF)
99
traceback.print_exc(limit=1)
101
domain_policy = 'NULL'
102
elif not domain_label:
104
domain_policy = 'NULL'
107
print "Checking resources:"
109
# build a list of all resources in the config file
111
for x in sxp.children(config):
112
if sxp.name(x) == 'device':
113
if sxp.name(sxp.child0(x)) == 'vbd':
114
resources.append(sxp.child_value(sxp.child0(x), 'uname'))
116
# perform a security check on each resource
117
for resource in resources:
119
security.res_security_check(resource, domain_label)
121
print " %s: PERMITTED" % (resource)
123
except security.XSMError:
124
print " %s: DENIED" % (resource)
125
(poltype, res_label, res_policy) = security.get_res_label(resource)
128
print " --> res: %s (%s:%s)" % (str(res_label),
129
str(poltype), str(res_policy))
130
print " --> dom: %s (%s:%s)" % (str(domain_label),
131
str(poltype), str(domain_policy))
140
raise OptionError('Invalid number of arguments')
143
(opts, config) = create.parseCommandLine(argv)
144
if check_domain_label(config, verbose=1):
145
if config_security_check(config, verbose=1):
148
print "Checking resources: (skipped)"
151
print "Dry Run: PASSED"
153
print "Dry Run: FAILED"
156
if __name__ == '__main__':
160
sys.stderr.write('Error: %s\n' % str(e))