← Back to branch summary

~ubuntu-branches/ubuntu/utopic/xen/utopic

« back to all changes in this revision

Viewing changes to tools/xm-test/tests/security-acm/07_security-acm_pol_update.py

  • Committer: Bazaar Package Importer
  • Author(s): Bastian Blank
  • Date: 2010-05-06 15:47:38 UTC
  • mto: (1.3.1) (15.1.1 sid) (4.1.1 experimental)
  • mto: This revision was merged to the branch mainline in revision 3.
  • Revision ID: james.westby@ubuntu.com-20100506154738-agoz0rlafrh1fnq7
Tags: upstream-4.0.0
ImportĀ upstreamĀ versionĀ 4.0.0

Show diffs side-by-side

added added

removed removed

Lines of Context:
tools/xm-test/tests/security-acm/07_security-acm_pol_update.py
 
1
#!/usr/bin/python
 
2
 
 
3
# Copyright (C) International Business Machines Corp., 2006
 
4
# Author: Stefan Berger <stefanb@us.ibm.com>
 
5
 
 
6
# Test to exercise the xspolicy class
 
7
 
 
8
from XmTestLib import xapi
 
9
from XmTestLib.XenAPIDomain import XmTestAPIDomain
 
10
from XmTestLib import *
 
11
from xen.xend import XendAPIConstants
 
12
import xen.util.xsm.xsm as security
 
13
from xen.util import acmpolicy, xsconstants
 
14
from xen.util.acmpolicy import ACMPolicy
 
15
from xen.xend.XendDomain import DOM0_UUID
 
16
from XmTestLib.acm import *
 
17
 
 
18
import commands
 
19
import os
 
20
import base64
 
21
 
 
22
if not isACMEnabled():
 
23
    SKIP("Not running this test since ACM not enabled.")
 
24
 
 
25
try:
 
26
    session = xapi.connect()
 
27
except:
 
28
    SKIP("Skipping this test since xm is not using the Xen-API.")
 
29
 
 
30
xm_test = {}
 
31
xm_test['policyname'] = "xm-test"
 
32
xm_test['date'] = "Fri Sep 29 14:44:38 2006"
 
33
xm_test['url']  = None
 
34
 
 
35
vm_label_red   = "%s:xm-test:red" % xsconstants.ACM_POLICY_ID
 
36
vm_label_green = "%s:xm-test:green" % xsconstants.ACM_POLICY_ID
 
37
vm_label_blue  = "%s:xm-test:blue" % xsconstants.ACM_POLICY_ID
 
38
vm_label_sys   = "%s:xm-test:SystemManagement" % xsconstants.ACM_POLICY_ID
 
39
 
 
40
vm_label_black = "%s:xm-test:black"
 
41
 
 
42
session = xapi.connect()
 
43
 
 
44
oldlabel = session.xenapi.VM.get_security_label(DOM0_UUID)
 
45
 
 
46
ssidref = session.xenapi.VM.set_security_label(DOM0_UUID,
 
47
                                               vm_label_sys,
 
48
                                               oldlabel)
 
49
if int(ssidref) <= 0 or int(ssidref) != 0x00010001:
 
50
    FAIL("(0) Domain-0 label for '%s' has unexpected failure: %08x" %
 
51
         (vm_label_sys, int(ssidref)))
 
52
print "ssidref for '%s' is 0x%08x" % (vm_label_sys, int(ssidref))
 
53
 
 
54
 
 
55
xstype = session.xenapi.XSPolicy.get_xstype()
 
56
if int(xstype) & xsconstants.XS_POLICY_ACM == 0:
 
57
    SKIP("ACM not enabled/compiled in Xen")
 
58
 
 
59
policystate = session.xenapi.XSPolicy.get_xspolicy()
 
60
if not policystate.has_key('xs_ref'):
 
61
    FAIL("get_xspolicy must return member 'xs_ref'")
 
62
 
 
63
xs_ref = policystate['xs_ref']
 
64
if xs_ref != "":
 
65
    origpolicyxml = session.xenapi.ACMPolicy.get_xml(xs_ref)
 
66
else:
 
67
    origpolicyxml = ""
 
68
 
 
69
f = open("xm-test-security_policy.xml", 'r')
 
70
if f:
 
71
    newpolicyxml = f.read()
 
72
    f.close()
 
73
else:
 
74
    FAIL("Could not read 'xm-test' policy")
 
75
 
 
76
try:
 
77
    os.unlink("/boot/xm-test.bin")
 
78
except:
 
79
    pass
 
80
 
 
81
policystate = session.xenapi.XSPolicy.get_xspolicy()
 
82
 
 
83
if int(policystate['type']) == 0:
 
84
    policystate = session.xenapi.XSPolicy.set_xspolicy(
 
85
                          xsconstants.XS_POLICY_ACM,
 
86
                          newpolicyxml,
 
87
                          xsconstants.XS_INST_LOAD | xsconstants.XS_INST_BOOT,
 
88
                          1)
 
89
    if int(policystate['flags']) == -1:
 
90
        FAIL("Could not set the new policy.")
 
91
 
 
92
print "state of policy = %s " % policystate
 
93
 
 
94
rc = session.xenapi.XSPolicy.activate_xspolicy(
 
95
                          policystate['xs_ref'],
 
96
                          xsconstants.XS_INST_LOAD | xsconstants.XS_INST_BOOT)
 
97
if int(rc) != xsconstants.XS_INST_LOAD | xsconstants.XS_INST_BOOT:
 
98
    FAIL("Could not activate the current policy: rc = %08x" % int(rc))
 
99
 
 
100
if not os.path.exists("/boot/xm-test.bin"):
 
101
    FAIL("Binary policy was not installed. Check grub config file.")
 
102
 
 
103
policystate = session.xenapi.XSPolicy.get_xspolicy()
 
104
 
 
105
if int(policystate['flags']) != xsconstants.XS_INST_BOOT | \
 
106
                                xsconstants.XS_INST_LOAD:
 
107
    FAIL("Flags (%x) are not indicating the correct state of the policy.",
 
108
         int(policystate['flags']))
 
109
 
 
110
policystate = session.xenapi.XSPolicy.get_xspolicy()
 
111
xs_ref = policystate['xs_ref']
 
112
 
 
113
newpolicyxml = None
 
114
f = open("xm-test-new-security_policy.xml", 'r')
 
115
if f:
 
116
    newpolicyxml = f.read()
 
117
    f.close()
 
118
else:
 
119
    FAIL("Could not read 'xm-test-new' policy")
 
120
 
 
121
cur_acmpol = ACMPolicy(xml = policystate['repr'])
 
122
new_acmpol = ACMPolicy(xml = newpolicyxml)
 
123
 
 
124
new_acmpol.update_frompolicy(cur_acmpol)
 
125
 
 
126
policystate = session.xenapi.XSPolicy.set_xspolicy(xsconstants.XS_POLICY_ACM,
 
127
                          new_acmpol.toxml(),
 
128
                          xsconstants.XS_INST_LOAD | xsconstants.XS_INST_BOOT,
 
129
                          1)
 
130
 
 
131
f = open("xm-test-security_policy.xml", 'r')
 
132
if f:
 
133
    newpolicyxml = f.read()
 
134
    f.close()
 
135
else:
 
136
    FAIL("Could not read 'xm-test-new' policy")
 
137
 
 
138
cur_acmpol = new_acmpol
 
139
new_acmpol = ACMPolicy(xml = newpolicyxml)
 
140
 
 
141
new_acmpol.update_frompolicy(cur_acmpol)
 
142
 
 
143
policystate = session.xenapi.XSPolicy.set_xspolicy(xsconstants.XS_POLICY_ACM,
 
144
                          new_acmpol.toxml(),
 
145
                          xsconstants.XS_INST_LOAD | xsconstants.XS_INST_BOOT,
 
146
                          1)
 
147
 
 
148
dom0_lab = session.xenapi.VM.get_security_label(DOM0_UUID)
 
149
 
 
150
ssidref = session.xenapi.VM.set_security_label(DOM0_UUID,
 
151
                                               vm_label_sys, dom0_lab)
 
152
if int(ssidref) <= 0 or int(ssidref) != 0x00010001:
 
153
    FAIL("(1) Domain-0 label for '%s' has unexpected failure: %08x" %
 
154
         (vm_label_sys, int(ssidref)))
 
155
print "ssidref for '%s' is 0x%08x" % (vm_label_sys, int(ssidref))
 
156
 
 
157
try:
 
158
    ssidref = session.xenapi.VM.set_security_label(DOM0_UUID,
 
159
                                                   vm_label_black,
 
160
                                                   vm_label_sys)
 
161
    FAIL("Could set label '%s', although it's not in the policy. "
 
162
         "ssidref=%s" % (vm_label_black, ssidref))
 
163
except:
 
164
    pass
 
165
 
 
166
ssidref = session.xenapi.VM.set_security_label(DOM0_UUID,
 
167
                                               vm_label_red,
 
168
                                               vm_label_sys)
 
169
if int(ssidref) <= 0:
 
170
    FAIL("(2) Domain-0 label for '%s' has unexpected failure: %08x" %
 
171
         (vm_label_red, int(ssidref)))
 
172
print "ssidref for '%s' is 0x%08x" % (vm_label_red, int(ssidref))
 
173
 
 
174
label = session.xenapi.VM.get_security_label(DOM0_UUID)
 
175
 
 
176
if label != vm_label_red:
 
177
    FAIL("Dom0 label '%s' not as expected '%s'" % (label, vm_label_red))
 
178
 
 
179
 
 
180
ssidref = session.xenapi.VM.set_security_label(DOM0_UUID,
 
181
                                               vm_label_sys,
 
182
                                               vm_label_red)
 
183
if int(ssidref) <= 0 or int(ssidref) != 0x00010001:
 
184
    FAIL("(3) Domain-0 label for '%s' has unexpected failure: %08x" %
 
185
         (vm_label_sys, int(ssidref)))
 
186
 
 
187
label = session.xenapi.VM.get_security_label(DOM0_UUID)
 
188
 
 
189
if label != vm_label_sys:
 
190
    FAIL("Dom0 label '%s' not as expected '%s'" % label, dom0_label)
 
191
 
 
192
header = session.xenapi.ACMPolicy.get_header(xs_ref)
 
193
 
 
194
if header['policyname'] != xm_test['policyname']:
 
195
    FAIL("Name in header is '%s', expected is '%s'." %
 
196
         (header['policyname'],xm_test['policyname']))
 
197
if header['date'] != xm_test['date']:
 
198
    FAIL("Date in header is '%s', expected is '%s'." %
 
199
         (header['date'],xm_test['date']))
 
200
if header.has_key("url") and header['url' ] != xm_test['url' ]:
 
201
    FAIL("URL  in header is '%s', expected is '%s'." %
 
202
         (header['url' ],xm_test['url' ]))
 
203
 
 
204
# Create another domain
 
205
try:
 
206
    # XmTestAPIDomain tries to establish a connection to XenD
 
207
    domain = XmTestAPIDomain(extraConfig={ 'security_label' : vm_label_blue })
 
208
except Exception, e:
 
209
    SKIP("Skipping test. Error: %s" % str(e))
 
210
 
 
211
 
 
212
vm_uuid = domain.get_uuid()
 
213
 
 
214
res = session.xenapi.VM.get_security_label(vm_uuid)
 
215
if res != vm_label_blue:
 
216
    FAIL("VM has security label '%s', expected is '%s'" %
 
217
         (res, vm_label_blue))
 
218
 
 
219
try:
 
220
    domain.start(noConsole=True)
 
221
except:
 
222
    FAIL("Could not create domain")
 
223
 
 
224
 
 
225
# Attempt to relabel the running domain
 
226
ssidref = session.xenapi.VM.set_security_label(vm_uuid,
 
227
                                               vm_label_red,
 
228
                                               vm_label_blue)
 
229
if int(ssidref) <= 0:
 
230
    FAIL("Could not relabel running domain to '%s'." % vm_label_red)
 
231
 
 
232
# user domain is 'red', dom0 is current 'SystemManagement'.
 
233
# Try to move domain-0 to 'red' first, then to 'blue'.
 
234
 
 
235
# Moving domain-0 to 'red' should work
 
236
ssidref = session.xenapi.VM.set_security_label(DOM0_UUID,
 
237
                                               vm_label_red,
 
238
                                               vm_label_sys)
 
239
if int(ssidref) <= 0:
 
240
    FAIL("Could not label domain-0 '%s'" % vm_label_red)
 
241
 
 
242
# Moving the guest domain to 'blue' should not work due to conflict set
 
243
try:
 
244
    ssidref = session.xenapi.VM.set_security_label(vm_uuid,
 
245
                                                   vm_label_blue,
 
246
                                                   vm_label_red)
 
247
    FAIL("Could label guest domain with '%s', although this is in a conflict "
 
248
         "set. ssidref=%x" % (vm_label_blue,int(ssidref)))
 
249
except:
 
250
    pass
 
251
 
 
252
label = session.xenapi.VM.get_security_label(vm_uuid)
 
253
if label != vm_label_red:
 
254
    FAIL("User domain has wrong label '%s', expected '%s'." %
 
255
         (label, vm_label_red))
 
256
 
 
257
label = session.xenapi.VM.get_security_label(DOM0_UUID)
 
258
if label != vm_label_red:
 
259
    FAIL("Domain-0 has wrong label '%s'; expected '%s'." %
 
260
         (label, vm_label_red))
 
261
 
 
262
ssidref = session.xenapi.VM.set_security_label(DOM0_UUID,
 
263
                                               vm_label_sys,
 
264
                                               vm_label_red)
 
265
if int(ssidref) < 0:
 
266
    FAIL("Could not set the domain-0 security label to '%s'." %
 
267
         (vm_label_sys))
 
268
 
 
269
# pause the domain and relabel it...
 
270
session.xenapi.VM.pause(vm_uuid)
 
271
 
 
272
label = session.xenapi.VM.get_security_label(vm_uuid)
 
273
if label != vm_label_red:
 
274
    FAIL("User domain has wrong label '%s', expected '%s'." %
 
275
         (label, vm_label_red))
 
276
 
 
277
ssidref = session.xenapi.VM.set_security_label(vm_uuid,
 
278
                                               vm_label_blue,
 
279
                                               vm_label_red)
 
280
print "guest domain new label '%s'; ssidref is 0x%08x" % \
 
281
      (vm_label_blue, int(ssidref))
 
282
if int(ssidref) <= 0:
 
283
    FAIL("Could not label guest domain with '%s'" % (vm_label_blue))
 
284
 
 
285
label = session.xenapi.VM.get_security_label(vm_uuid)
 
286
if label != vm_label_blue:
 
287
    FAIL("User domain has wrong label '%s', expected '%s'." %
 
288
         (label, vm_label_blue))
 
289
 
 
290
session.xenapi.VM.unpause(vm_uuid)
 
291
 
 
292
rc = session.xenapi.VM.suspend(vm_uuid)
 
293
 
 
294
ssidref = session.xenapi.VM.set_security_label(vm_uuid,
 
295
                                               vm_label_green,
 
296
                                               vm_label_blue)
 
297
print "guest domain new label '%s'; ssidref is 0x%08x" % \
 
298
      (vm_label_green, int(ssidref))
 
299
if int(ssidref) < 0:
 
300
    FAIL("Could not label suspended guest domain with '%s'" % (vm_label_blue))
 
301
 
 
302
label = session.xenapi.VM.get_security_label(vm_uuid)
 
303
if label != vm_label_green:
 
304
    FAIL("User domain has wrong label '%s', expected '%s'." %
 
305
         (label, vm_label_green))
 
306
 
 
307
 
 
308
rc = session.xenapi.VM.resume(vm_uuid, False)
 
309
 
 
310
label = session.xenapi.VM.get_security_label(vm_uuid)
 
311
if label != vm_label_green:
 
312
    FAIL("User domain has wrong label '%s', expected '%s'." %
 
313
         (label, vm_label_green))