# Copyright (C) International Business Machines Corp., 2006
# Author: Stefan Berger <stefanb@us.ibm.com>
# Test to exercise the xspolicy class
from XmTestLib import xapi
from XmTestLib.XenAPIDomain import XmTestAPIDomain
from XmTestLib import *
from xen.xend import XendAPIConstants
import xen.util.xsm.xsm as security
from xen.util import acmpolicy, xsconstants
from xen.util.acmpolicy import ACMPolicy
from xen.xend.XendDomain import DOM0_UUID
from XmTestLib.acm import *
# Every step below exercises ACM policies and labels, so the run is reported
# as skipped when isACMEnabled() says ACM is unavailable.
acm_available = isACMEnabled()
if not acm_available:
    SKIP("Not running this test since ACM not enabled.")
session = xapi.connect()
SKIP("Skipping this test since xm is not using the Xen-API.")
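# Header values that are later compared with the header of the installed
# policy.
xm_test['policyname'] = "xm-test"
xm_test['date'] = "Fri Sep 29 14:44:38 2006"

# Labels used by the test, written as "<policy type>:<policy name>:<label>".
vm_label_red = "%s:xm-test:red" % xsconstants.ACM_POLICY_ID
vm_label_green = "%s:xm-test:green" % xsconstants.ACM_POLICY_ID
vm_label_blue = "%s:xm-test:blue" % xsconstants.ACM_POLICY_ID
vm_label_sys = "%s:xm-test:SystemManagement" % xsconstants.ACM_POLICY_ID

# 'black' is the label whose assignment is expected to be refused because it
# is "not in the policy" (wording of the failure message that uses it). It
# gets the same policy-type prefix as the other labels so that a refusal can
# be attributed to the missing label rather than to a literal, unformatted
# '%s' in the policy-type field.
# NOTE(review): presumably the server checks the type field before the label
# name - confirm against the xend implementation.
vm_label_black = "%s:xm-test:black" % xsconstants.ACM_POLICY_ID

session = xapi.connect()

# Domain-0's label before the test changes anything.
oldlabel = session.xenapi.VM.get_security_label(DOM0_UUID)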
ssidref = session.xenapi.VM.set_security_label(DOM0_UUID,
# The relabel call just before this check has to hand back exactly the
# ssidref 0x00010001; any other value is reported as a failure.
ssid = int(ssidref)
if ssid <= 0 or ssid != 0x00010001:
    FAIL("(0) Domain-0 label for '%s' has unexpected failure: %08x" %
         (vm_label_sys, ssid))
print "ssidref for '%s' is 0x%08x" % (vm_label_sys, ssid)

# Skip unless the ACM bit is set in the policy type reported over Xen-API.
xstype = session.xenapi.XSPolicy.get_xstype()
acm_bit = int(xstype) & xsconstants.XS_POLICY_ACM
if acm_bit == 0:
    SKIP("ACM not enabled/compiled in Xen")

# The policy state has to carry a reference ('xs_ref') to the policy object.
policystate = session.xenapi.XSPolicy.get_xspolicy()
if not policystate.has_key('xs_ref'):
    FAIL("get_xspolicy must return member 'xs_ref'")

xs_ref = policystate['xs_ref']

# XML of the policy referenced at this point, fetched before the test
# installs its own policies.
origpolicyxml = session.xenapi.ACMPolicy.get_xml(xs_ref)
f = open("xm-test-security_policy.xml", 'r')
newpolicyxml = f.read()
FAIL("Could not read 'xm-test' policy")
os.unlink("/boot/xm-test.bin")
policystate = session.xenapi.XSPolicy.get_xspolicy()
if int(policystate['type']) == 0:
policystate = session.xenapi.XSPolicy.set_xspolicy(
xsconstants.XS_POLICY_ACM,
xsconstants.XS_INST_LOAD | xsconstants.XS_INST_BOOT,
if int(policystate['flags']) == -1:
FAIL("Could not set the new policy.")
print "state of policy = %s " % policystate

# Activate the policy with the LOAD and BOOT instantiation flags; the call
# has to return exactly that flag combination.
load_and_boot = xsconstants.XS_INST_LOAD | xsconstants.XS_INST_BOOT
rc = session.xenapi.XSPolicy.activate_xspolicy(policystate['xs_ref'],
                                               load_and_boot)
if int(rc) != load_and_boot:
    FAIL("Could not activate the current policy: rc = %08x" % int(rc))

# After activation the binary policy is expected at this path under /boot.
boot_policy = "/boot/xm-test.bin"
if not os.path.exists(boot_policy):
    FAIL("Binary policy was not installed. Check grub config file.")
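policystate = session.xenapi.XSPolicy.get_xspolicy()

# The reported flags must be exactly the BOOT and LOAD instantiation flags.
expected_flags = xsconstants.XS_INST_BOOT | xsconstants.XS_INST_LOAD
if int(policystate['flags']) != expected_flags:
    # The flags value is formatted into the message with '%'. Passing it as a
    # second argument to FAIL would leave the '%x' placeholder unfilled, so
    # the report would not show which flags were actually returned.
    FAIL("Flags (%x) are not indicating the correct state of the policy." %
         int(policystate['flags']))

# Re-read the state and keep the reference of the now-active policy for the
# calls that follow.
policystate = session.xenapi.XSPolicy.get_xspolicy()
xs_ref = policystate['xs_ref']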
f = open("xm-test-new-security_policy.xml", 'r')
newpolicyxml = f.read()
FAIL("Could not read 'xm-test-new' policy")
# Build policy objects from the XML xend currently reports ('repr') and from
# the replacement XML read from the file just before.
current_xml = policystate['repr']
cur_acmpol = ACMPolicy(xml=current_xml)
new_acmpol = ACMPolicy(xml=newpolicyxml)

# NOTE(review): update_frompolicy() comes from xen.util.acmpolicy; what it
# records on new_acmpol is not visible in this file.
new_acmpol.update_frompolicy(cur_acmpol)
policystate = session.xenapi.XSPolicy.set_xspolicy(xsconstants.XS_POLICY_ACM,
xsconstants.XS_INST_LOAD | xsconstants.XS_INST_BOOT,
f = open("xm-test-security_policy.xml", 'r')
newpolicyxml = f.read()
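# This failure belongs to the read of "xm-test-security_policy.xml", i.e. the
# 'xm-test' policy, so the message names that policy instead of 'xm-test-new'.
# NOTE(review): the statement guarding this call is not part of this listing.
FAIL("Could not read 'xm-test' policy")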
# The policy installed in the previous step becomes the "current" one, and
# the XML read just before becomes the next replacement.
cur_acmpol, new_acmpol = new_acmpol, ACMPolicy(xml=newpolicyxml)

# NOTE(review): update_frompolicy() comes from xen.util.acmpolicy; what it
# records on new_acmpol is not visible in this file.
new_acmpol.update_frompolicy(cur_acmpol)
policystate = session.xenapi.XSPolicy.set_xspolicy(xsconstants.XS_POLICY_ACM,
xsconstants.XS_INST_LOAD | xsconstants.XS_INST_BOOT,
# Relabel Domain-0 to SystemManagement, passing its current label as the old
# label, and require the ssidref 0x00010001 in return.
vm_api = session.xenapi.VM
dom0_lab = vm_api.get_security_label(DOM0_UUID)
ssidref = vm_api.set_security_label(DOM0_UUID, vm_label_sys, dom0_lab)

ssid = int(ssidref)
if ssid <= 0 or ssid != 0x00010001:
    FAIL("(1) Domain-0 label for '%s' has unexpected failure: %08x" %
         (vm_label_sys, ssid))
print "ssidref for '%s' is 0x%08x" % (vm_label_sys, ssid)
ssidref = session.xenapi.VM.set_security_label(DOM0_UUID,
FAIL("Could set label '%s', although it's not in the policy. "
"ssidref=%s" % (vm_label_black, ssidref))
ssidref = session.xenapi.VM.set_security_label(DOM0_UUID,
# For the 'red' label any positive ssidref is accepted.
ssid = int(ssidref)
if ssid <= 0:
    FAIL("(2) Domain-0 label for '%s' has unexpected failure: %08x" %
         (vm_label_red, ssid))
print "ssidref for '%s' is 0x%08x" % (vm_label_red, ssid)

# Read the label back: Domain-0 has to report 'red' now.
label = session.xenapi.VM.get_security_label(DOM0_UUID)
if label != vm_label_red:
    FAIL("Dom0 label '%s' not as expected '%s'" % (label, vm_label_red))
ssidref = session.xenapi.VM.set_security_label(DOM0_UUID,
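# The relabel call just before this check has to return the ssidref
# 0x00010001 again.
ssid = int(ssidref)
if ssid <= 0 or ssid != 0x00010001:
    FAIL("(3) Domain-0 label for '%s' has unexpected failure: %08x" %
         (vm_label_sys, ssid))

label = session.xenapi.VM.get_security_label(DOM0_UUID)
if label != vm_label_sys:
    # Both values go into one tuple for '%', and the expected value is
    # vm_label_sys, the label compared against. Applying '%' to `label`
    # alone and passing `dom0_label` (a name not assigned anywhere in the
    # visible script) would raise an error on this path instead of
    # reporting the label mismatch.
    FAIL("Dom0 label '%s' not as expected '%s'" % (label, vm_label_sys))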
# Compare the header of the policy behind xs_ref with the values recorded in
# xm_test. Name and date are always checked; the URL only when the header
# carries one.
header = session.xenapi.ACMPolicy.get_header(xs_ref)

name_found, name_wanted = header['policyname'], xm_test['policyname']
if name_found != name_wanted:
    FAIL("Name in header is '%s', expected is '%s'." %
         (name_found, name_wanted))

date_found, date_wanted = header['date'], xm_test['date']
if date_found != date_wanted:
    FAIL("Date in header is '%s', expected is '%s'." %
         (date_found, date_wanted))

if header.has_key("url"):
    url_found, url_wanted = header['url'], xm_test['url']
    if url_found != url_wanted:
        FAIL("URL in header is '%s', expected is '%s'." %
             (url_found, url_wanted))
# Create another domain
# XmTestAPIDomain tries to establish a connection to XenD
domain = XmTestAPIDomain(extraConfig={ 'security_label' : vm_label_blue })
SKIP("Skipping test. Error: %s" % str(e))
# The guest was configured with the 'blue' label; the label reported for its
# UUID has to match before the domain is started.
vm_uuid = domain.get_uuid()

res = session.xenapi.VM.get_security_label(vm_uuid)
if res != vm_label_blue:
    found_and_wanted = (res, vm_label_blue)
    FAIL("VM has security label '%s', expected is '%s'" % found_and_wanted)
domain.start(noConsole=True)
FAIL("Could not create domain")
# Attempt to relabel the running domain
ssidref = session.xenapi.VM.set_security_label(vm_uuid,
# Relabelling the running guest must return a positive ssidref.
relabel_ok = int(ssidref) > 0
if not relabel_ok:
    FAIL("Could not relabel running domain to '%s'." % vm_label_red)
# user domain is 'red', dom0 is currently 'SystemManagement'.
# Try to move domain-0 to 'red' first, then to 'blue'.
# Moving domain-0 to 'red' should work
ssidref = session.xenapi.VM.set_security_label(DOM0_UUID,
# Moving Domain-0 to 'red' is expected to succeed, i.e. to return a positive
# ssidref.
dom0_relabel_ok = int(ssidref) > 0
if not dom0_relabel_ok:
    FAIL("Could not label domain-0 '%s'" % vm_label_red)
# Moving the guest domain to 'blue' should not work due to conflict set
ssidref = session.xenapi.VM.set_security_label(vm_uuid,
FAIL("Could label guest domain with '%s', although this is in a conflict "
"set. ssidref=%x" % (vm_label_blue,int(ssidref)))
# The attempt to move the guest to 'blue' has to leave both labels as they
# were: the guest and Domain-0 must each still report 'red'.
vm_api = session.xenapi.VM

label = vm_api.get_security_label(vm_uuid)
if label != vm_label_red:
    FAIL("User domain has wrong label '%s', expected '%s'." %
         (label, vm_label_red))

label = vm_api.get_security_label(DOM0_UUID)
if label != vm_label_red:
    FAIL("Domain-0 has wrong label '%s'; expected '%s'." %
         (label, vm_label_red))
ssidref = session.xenapi.VM.set_security_label(DOM0_UUID,
FAIL("Could not set the domain-0 security label to '%s'." %
# Pause the guest; the relabel itself follows this check.
session.xenapi.VM.pause(vm_uuid)

# Pausing alone must not alter the label: the guest still reports 'red'.
label = session.xenapi.VM.get_security_label(vm_uuid)
if label != vm_label_red:
    found_and_wanted = (label, vm_label_red)
    FAIL("User domain has wrong label '%s', expected '%s'." %
         found_and_wanted)
ssidref = session.xenapi.VM.set_security_label(vm_uuid,
# Relabelling the paused guest to 'blue' must return a positive ssidref.
ssid = int(ssidref)
print "guest domain new label '%s'; ssidref is 0x%08x" % (vm_label_blue, ssid)
if ssid <= 0:
    FAIL("Could not label guest domain with '%s'" % vm_label_blue)

# The new label has to be visible when read back.
label = session.xenapi.VM.get_security_label(vm_uuid)
if label != vm_label_blue:
    FAIL("User domain has wrong label '%s', expected '%s'." %
         (label, vm_label_blue))

# Let the guest run again, then suspend it for the next relabel step.
session.xenapi.VM.unpause(vm_uuid)

rc = session.xenapi.VM.suspend(vm_uuid)
ssidref = session.xenapi.VM.set_security_label(vm_uuid,
print "guest domain new label '%s'; ssidref is 0x%08x" % \
(vm_label_green, int(ssidref))
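# The suspended guest is being relabelled to 'green' (the print just before
# and the read-back check just after both use vm_label_green), so the failure
# message names that label instead of 'blue'.
# NOTE(review): the condition guarding this call is not part of this listing.
FAIL("Could not label suspended guest domain with '%s'" % (vm_label_green))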
# The 'green' label has to be reported for the guest both before and after
# the resume() call.
vm_api = session.xenapi.VM
wrong_label_msg = "User domain has wrong label '%s', expected '%s'."

label = vm_api.get_security_label(vm_uuid)
if label != vm_label_green:
    FAIL(wrong_label_msg % (label, vm_label_green))

rc = vm_api.resume(vm_uuid, False)

label = vm_api.get_security_label(vm_uuid)
if label != vm_label_green:
    FAIL(wrong_label_msg % (label, vm_label_green))