[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [xen-unstable] Implement legacy XML-RPC interface for ACM commands.
# HG changeset patch # User Keir Fraser <keir.fraser@xxxxxxxxxx> # Date 1196847913 0 # Node ID 54482c56e4354969f32e4f0e23e29a69d96784c1 # Parent 5255eac35270c53ddd2172ec16bca261f1a2c237 Implement legacy XML-RPC interface for ACM commands. This patch moves the directory of files where xend is writing policies and resource labels into to /var/lib/xend/security/policies. Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxx> --- tools/security/policies/default-security_policy.xml | 30 ---- tools/security/policies/default-ul-security_policy.xml | 41 ------ tools/python/xen/util/acmpolicy.py | 111 +++++++++++++++-- tools/python/xen/util/xsm/acm/acm.py | 11 - tools/python/xen/xend/XendOptions.py | 8 + tools/python/xen/xend/XendXSPolicyAdmin.py | 38 +++-- tools/python/xen/xm/setpolicy.py | 11 + tools/security/Makefile | 2 tools/security/policies/DEFAULT-UL-security_policy.xml | 41 ++++++ 9 files changed, 188 insertions(+), 105 deletions(-) diff -r 5255eac35270 -r 54482c56e435 tools/python/xen/util/acmpolicy.py --- a/tools/python/xen/util/acmpolicy.py Wed Dec 05 09:44:20 2007 +0000 +++ b/tools/python/xen/util/acmpolicy.py Wed Dec 05 09:45:13 2007 +0000 @@ -1,4 +1,4 @@ - #============================================================================ +#============================================================================ # This library is free software; you can redistribute it and/or # modify it under the terms of version 2.1 of the GNU Lesser General Public # License as published by the Free Software Foundation. @@ -17,10 +17,11 @@ #============================================================================ import os -import commands -import struct import stat import array +import struct +import shutil +import commands from xml.dom import minidom, Node from xen.xend.XendLogging import log from xen.util import xsconstants, bootloader, mkdir @@ -28,6 +29,7 @@ from xen.xend.XendError import SecurityE from xen.xend.XendError import SecurityError import xen.util.xsm.acm.acm as security from xen.util.xsm.xsm import XSMError +from xen.xend import XendOptions ACM_POLICIES_DIR = security.policy_dir_prefix + "/" @@ -62,6 +64,73 @@ ACM_DOMAIN_LOOKUP = 0x102 ACM_DOMAIN_LOOKUP = 0x102 ACM_CHWALL_CONFLICT = 0x103 ACM_SSIDREF_IN_USE = 0x104 + + +DEFAULT_policy = \ +"<?xml version=\"1.0\" ?>\n" +\ +"<SecurityPolicyDefinition xmlns=\"http://www.ibm.com\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:schemaLocation=\"http://www.ibm.com ../../security_policy.xsd\">\n" +\ +" <PolicyHeader>\n" +\ +" <PolicyName>DEFAULT</PolicyName>\n" +\ +" <Version>1.0</Version>\n" +\ +" </PolicyHeader>\n" +\ +" <SimpleTypeEnforcement>\n" +\ +" <SimpleTypeEnforcementTypes>\n" +\ +" <Type>SystemManagement</Type>\n" +\ +" </SimpleTypeEnforcementTypes>\n" +\ +" </SimpleTypeEnforcement>\n" +\ +" <ChineseWall>\n" +\ +" <ChineseWallTypes>\n" +\ +" <Type>SystemManagement</Type>\n" +\ +" </ChineseWallTypes>\n" +\ +" </ChineseWall>\n" +\ +" <SecurityLabelTemplate>\n" +\ +" <SubjectLabels bootstrap=\"SystemManagement\">\n" +\ +" <VirtualMachineLabel>\n" +\ +" <Name>SystemManagement</Name>\n" +\ +" <SimpleTypeEnforcementTypes>\n" +\ +" <Type>SystemManagement</Type>\n" +\ +" </SimpleTypeEnforcementTypes>\n" +\ +" <ChineseWallTypes>\n" +\ +" <Type/>\n" +\ +" </ChineseWallTypes>\n" +\ +" </VirtualMachineLabel>\n" +\ +" </SubjectLabels>\n" +\ +" </SecurityLabelTemplate>\n" +\ +"</SecurityPolicyDefinition>\n" + + +def get_DEFAULT_policy(): + return DEFAULT_policy + +def initialize(): + xoptions = XendOptions.instance() + basedir = xoptions.get_xend_security_path() + policiesdir = basedir + "/policies" + mkdir.parents(policiesdir, stat.S_IRWXU) + + instdir = security.install_policy_dir_prefix + DEF_policy_file = "DEFAULT-security_policy.xml" + xsd_file = "security_policy.xsd" + + files = [ xsd_file ] + + for file in files: + if not os.path.isfile(policiesdir + "/" + file ): + try: + shutil.copyfile(instdir + "/" + file, + policiesdir + "/" + file) + except Exception, e: + log.info("could not copy '%s': %s" % + (file, str(e))) + #Install default policy. + f = open(policiesdir + "/" + DEF_policy_file, 'w') + if f: + f.write(get_DEFAULT_policy()) + f.close() + else: + log.error("Could not write the default policy's file.") + defpol = ACMPolicy(xml=get_DEFAULT_policy()) + defpol.compile() class ACMPolicy(XSPolicy): @@ -92,7 +161,6 @@ class ACMPolicy(XSPolicy): rc = self.validate() if rc != xsconstants.XSERR_SUCCESS: raise SecurityError(rc) - mkdir.parents(ACM_POLICIES_DIR, stat.S_IRWXU) if ref: from xen.xend.XendXSPolicy import XendACMPolicy self.xendacmpolicy = XendACMPolicy(self, {}, ref) @@ -341,8 +409,13 @@ class ACMPolicy(XSPolicy): minor = int(tmp[1]) return (major, minor) - - def policy_path(self, name, prefix = ACM_POLICIES_DIR ): + def get_policies_path(self): + xoptions = XendOptions.instance() + basedir = xoptions.get_xend_security_path() + return basedir + "/policies/" + + def policy_path(self, name): + prefix = self.get_policies_path() path = prefix + name.replace('.','/') _path = path.split("/") del _path[-1] @@ -394,12 +467,14 @@ class ACMPolicy(XSPolicy): # # Utility functions related to the policy's files # - def get_filename(self, postfix, prefix = ACM_POLICIES_DIR, dotted=False): + def get_filename(self, postfix, prefix=None, dotted=False): """ Create the filename for the policy. The prefix is prepended to the path. If dotted is True, then a policy name like 'a.b.c' will remain as is, otherwise it will become 'a/b/c' """ + if prefix == None: + prefix = self.get_policies_path() name = self.get_name() if name: p = name.split(".") @@ -431,6 +506,17 @@ class ACMPolicy(XSPolicy): def get_bin(self): return self.__readfile(".bin") + + def copy_policy_file(self, suffix, destdir): + spolfile = self.get_filename(suffix) + dpolfile = destdir + "/" + self.get_filename(suffix,"",dotted=True) + try: + shutil.copyfile(spolfile, dpolfile) + except Exception, e: + log.error("Could not copy policy file %s to %s: %s" % + (spolfile, dpolfile, str(e))) + return -xsconstants.XSERR_FILE_ERROR + return xsconstants.XSERR_SUCCESS # # DOM-related functions @@ -831,9 +917,14 @@ class ACMPolicy(XSPolicy): if path: f = open(path, 'w') if f: - f.write(self.toxml()) - f.close() - rc = 0 + try: + try: + f.write(self.toxml()) + rc = 0 + except: + pass + finally: + f.close() return rc def __write_to_file(self, suffix, data): diff -r 5255eac35270 -r 54482c56e435 tools/python/xen/util/xsm/acm/acm.py --- a/tools/python/xen/util/xsm/acm/acm.py Wed Dec 05 09:44:20 2007 +0000 +++ b/tools/python/xen/util/xsm/acm/acm.py Wed Dec 05 09:45:13 2007 +0000 @@ -35,7 +35,8 @@ from xen.xend.XendConstants import * from xen.xend.XendConstants import * #global directories and tools for security management -security_dir_prefix = "/etc/xen/acm-security" +install_policy_dir_prefix = "/etc/xen/acm-security/policies" +security_dir_prefix = XendOptions.instance().get_xend_security_path() policy_dir_prefix = security_dir_prefix + "/policies" res_label_filename = policy_dir_prefix + "/resource_labels" boot_filename = "/boot/grub/menu.lst" @@ -323,7 +324,7 @@ def label2ssidref(labelname, policyname, maps current policy to default directory to find mapping file """ - if policyname in ['NULL', 'INACTIVE', 'DEFAULT', 'INACCESSIBLE' ]: + if policyname in ['NULL', 'INACTIVE', 'INACCESSIBLE' ]: err("Cannot translate labels for \'" + policyname + "\' policy.") allowed_types = ['ANY'] @@ -447,10 +448,8 @@ def get_ssid(domain): except: err("Cannot determine security information.") - if active_policy in ["DEFAULT"]: - label = "DEFAULT" - else: - label = ssidref2label(ssid_info["ssidref"]) + label = ssidref2label(ssid_info["ssidref"]) + return(ssid_info["policyreference"], label, ssid_info["policytype"], diff -r 5255eac35270 -r 54482c56e435 tools/python/xen/xend/XendOptions.py --- a/tools/python/xen/xend/XendOptions.py Wed Dec 05 09:44:20 2007 +0000 +++ b/tools/python/xen/xend/XendOptions.py Wed Dec 05 09:45:13 2007 +0000 @@ -120,6 +120,9 @@ class XendOptions: """Default xend QCoW storage repository location.""" xend_storage_path_default = '/var/lib/xend/storage' + """Default xend security state storage path.""" + xend_security_path_default = '/var/lib/xend/security' + """Default script to configure a backend network interface""" vif_script = osdep.vif_script @@ -244,6 +247,11 @@ class XendOptions: """ Get the path for persistent domain configuration storage """ return self.get_config_string("xend-storage-path", self.xend_storage_path_default) + + def get_xend_security_path(self): + """ Get the path for security state + """ + return self.get_config_string("xend-security-path", self.xend_security_path_default) def get_network_script(self): """@return the script used to alter the network configuration when diff -r 5255eac35270 -r 54482c56e435 tools/python/xen/xend/XendXSPolicyAdmin.py --- a/tools/python/xen/xend/XendXSPolicyAdmin.py Wed Dec 05 09:44:20 2007 +0000 +++ b/tools/python/xen/xend/XendXSPolicyAdmin.py Wed Dec 05 09:45:13 2007 +0000 @@ -22,10 +22,10 @@ from xml.dom import minidom, Node from xen.xend.XendLogging import log from xen.xend import uuid -from xen.util import xsconstants, dictio, bootloader +from xen.util import xsconstants, bootloader import xen.util.xsm.acm.acm as security from xen.util.xspolicy import XSPolicy -from xen.util.acmpolicy import ACMPolicy +from xen.util.acmpolicy import ACMPolicy, initialize from xen.xend.XendError import SecurityError @@ -48,6 +48,7 @@ class XSPolicyAdmin: self.xsobjs = {} act_pol_name = self.get_hv_loaded_policy_name() + initialize() ref = uuid.createString() try: @@ -58,6 +59,7 @@ class XSPolicyAdmin: "%s" % (act_pol_name,e)) log.debug("XSPolicyAdmin: Known policies: %s" % self.policies) + def isXSEnabled(self): """ Check whether 'security' is enabled on this system. @@ -99,12 +101,23 @@ class XSPolicyAdmin: # This is meant as an update to a currently loaded policy if flags & xsconstants.XS_INST_LOAD == 0: raise SecurityError(-xsconstants.XSERR_POLICY_LOADED) - if flags & xsconstants.XS_INST_BOOT == 0: - self.rm_bootpolicy() + + # Remember old flags, so they can be restored if update fails + old_flags = self.get_policy_flags(loadedpol) + + # Remove policy from bootloader in case of new name of policy + self.rm_bootpolicy() + rc, errors = loadedpol.update(xmltext) if rc == 0: irc = self.activate_xspolicy(loadedpol, flags) # policy is loaded; if setting the boot flag fails it's ok. + else: + old_flags = old_flags & xsconstants.XS_INST_BOOT + log.info("OLD FLAGS TO RESTORE: %s" % str(old_flags)) + if old_flags != 0: + self.activate_xspolicy(loadedpol, xsconstants.XS_INST_BOOT) + return (loadedpol, rc, errors) try: @@ -161,15 +174,11 @@ class XSPolicyAdmin: return (acmpol, xsconstants.XSERR_SUCCESS, errors) def make_boot_policy(self, acmpol): - spolfile = acmpol.get_filename(".bin") - dpolfile = "/boot/" + acmpol.get_filename(".bin","",dotted=True) - if not os.path.isfile(spolfile): - log.error("binary policy file does not exist.") - return -xsconstants.XSERR_FILE_ERROR - try: - shutil.copyfile(spolfile, dpolfile) - except: - return -xsconstants.XSERR_FILE_ERROR + if acmpol.is_default_policy(): + return xsconstants.XSERR_SUCCESS + rc = acmpol.copy_policy_file(".bin","/boot") + if rc != xsconstants.XSERR_SUCCESS: + return rc try: filename = acmpol.get_filename(".bin","",dotted=True) @@ -231,7 +240,8 @@ class XSPolicyAdmin: flags = 0 filename = acmpol.get_filename(".bin","", dotted=True) - if bootloader.loads_default_policy(filename): + if bootloader.loads_default_policy(filename) or \ + acmpol.is_default_policy(): flags |= xsconstants.XS_INST_BOOT if acmpol.isloaded(): diff -r 5255eac35270 -r 54482c56e435 tools/python/xen/xm/setpolicy.py --- a/tools/python/xen/xm/setpolicy.py Wed Dec 05 09:44:20 2007 +0000 +++ b/tools/python/xen/xm/setpolicy.py Wed Dec 05 09:45:13 2007 +0000 @@ -25,6 +25,7 @@ import struct import struct import xen.util.xsm.xsm as security from xen.util import xsconstants +from xen.util.xsm.acm.acm import install_policy_dir_prefix from xen.util.acmpolicy import ACMPolicy, \ ACM_EVTCHN_SHARING_VIOLATION,\ ACM_GNTTAB_SHARING_VIOLATION, \ @@ -32,7 +33,6 @@ from xen.util.acmpolicy import ACMPolicy ACM_CHWALL_CONFLICT, \ ACM_SSIDREF_IN_USE from xen.xm.opts import OptionError -from xen.util.xsm.acm.acm import policy_dir_prefix from xen.xm import main as xm_main from xen.xm.getpolicy import getpolicy from xen.xm.main import server @@ -86,7 +86,7 @@ def setpolicy(policytype, policy_name, f if policytype.upper() == xsconstants.ACM_POLICY_ID: xs_type = xsconstants.XS_POLICY_ACM - for prefix in [ './', policy_dir_prefix+"/" ]: + for prefix in [ './', install_policy_dir_prefix+"/" ]: policy_file = prefix + "/".join(policy_name.split(".")) + \ "-security_policy.xml" @@ -99,9 +99,12 @@ def setpolicy(policytype, policy_name, f f.close() except: raise OptionError("Could not read policy file from current" - " directory or '%s'." % policy_dir_prefix) + " directory or '%s'." % + install_policy_dir_prefix) if xm_main.serverType == xm_main.SERVER_XEN_API: + if xs_type != int(server.xenapi.XSPolicy.get_xstype()): + raise security.XSMError("ACM policy type not supported.") try: policystate = server.xenapi.XSPolicy.set_xspolicy(xs_type, @@ -124,6 +127,8 @@ def setpolicy(policytype, policy_name, f getpolicy(False) else: # Non-Xen-API call. + if xs_type != server.xend.security.get_xstype(): + raise security.XSMError("ACM policy type not supported.") rc, errors = server.xend.security.set_policy(xs_type, xml, diff -r 5255eac35270 -r 54482c56e435 tools/security/Makefile --- a/tools/security/Makefile Wed Dec 05 09:44:20 2007 +0000 +++ b/tools/security/Makefile Wed Dec 05 09:45:13 2007 +0000 @@ -32,7 +32,7 @@ ACM_SECGEN_CGIDIR = $(ACM_SECGEN_HTMLDIR ACM_SCHEMA = security_policy.xsd ACM_EXAMPLES = client_v1 test -ACM_DEF_POLICIES = default default-ul +ACM_DEF_POLICIES = DEFAULT-UL ACM_POLICY_SUFFIX = security_policy.xml ifeq ($(ACM_SECURITY),y) diff -r 5255eac35270 -r 54482c56e435 tools/security/policies/DEFAULT-UL-security_policy.xml --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/tools/security/policies/DEFAULT-UL-security_policy.xml Wed Dec 05 09:45:13 2007 +0000 @@ -0,0 +1,41 @@ +<?xml version="1.0" ?> +<SecurityPolicyDefinition xmlns="http://www.ibm.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.ibm.com ../../security_policy.xsd"> + <PolicyHeader> + <PolicyName>DEFAULT-UL</PolicyName> + <Version>1.0</Version> + </PolicyHeader> + <SimpleTypeEnforcement> + <SimpleTypeEnforcementTypes> + <Type>SystemManagement</Type> + <Type>__UNLABELED__</Type> + </SimpleTypeEnforcementTypes> + </SimpleTypeEnforcement> + <ChineseWall> + <ChineseWallTypes> + <Type>SystemManagement</Type> + </ChineseWallTypes> + </ChineseWall> + <SecurityLabelTemplate> + <SubjectLabels bootstrap="SystemManagement"> + <VirtualMachineLabel> + <Name>SystemManagement</Name> + <SimpleTypeEnforcementTypes> + <Type>SystemManagement</Type> + <Type>__UNLABELED__</Type> + </SimpleTypeEnforcementTypes> + <ChineseWallTypes> + <Type/> + </ChineseWallTypes> + </VirtualMachineLabel> + <VirtualMachineLabel> + <Name>__UNLABELED__</Name> + <SimpleTypeEnforcementTypes> + <Type>__UNLABELED__</Type> + </SimpleTypeEnforcementTypes> + <ChineseWallTypes> + <Type/> + </ChineseWallTypes> + </VirtualMachineLabel> + </SubjectLabels> + </SecurityLabelTemplate> +</SecurityPolicyDefinition> diff -r 5255eac35270 -r 54482c56e435 tools/security/policies/default-security_policy.xml --- a/tools/security/policies/default-security_policy.xml Wed Dec 05 09:44:20 2007 +0000 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,30 +0,0 @@ -<?xml version="1.0" ?> -<SecurityPolicyDefinition xmlns="http://www.ibm.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.ibm.com ../../security_policy.xsd"> - <PolicyHeader> - <PolicyName>DEFAULT</PolicyName> - <Version>1.0</Version> - </PolicyHeader> - <SimpleTypeEnforcement> - <SimpleTypeEnforcementTypes> - <Type>SystemManagement</Type> - </SimpleTypeEnforcementTypes> - </SimpleTypeEnforcement> - <ChineseWall> - <ChineseWallTypes> - <Type>SystemManagement</Type> - </ChineseWallTypes> - </ChineseWall> - <SecurityLabelTemplate> - <SubjectLabels bootstrap="SystemManagement"> - <VirtualMachineLabel> - <Name>SystemManagement</Name> - <SimpleTypeEnforcementTypes> - <Type>SystemManagement</Type> - </SimpleTypeEnforcementTypes> - <ChineseWallTypes> - <Type/> - </ChineseWallTypes> - </VirtualMachineLabel> - </SubjectLabels> - </SecurityLabelTemplate> -</SecurityPolicyDefinition> diff -r 5255eac35270 -r 54482c56e435 tools/security/policies/default-ul-security_policy.xml --- a/tools/security/policies/default-ul-security_policy.xml Wed Dec 05 09:44:20 2007 +0000 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,41 +0,0 @@ -<?xml version="1.0" ?> -<SecurityPolicyDefinition xmlns="http://www.ibm.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.ibm.com ../../security_policy.xsd"> - <PolicyHeader> - <PolicyName>DEFAULT-UL</PolicyName> - <Version>1.0</Version> - </PolicyHeader> - <SimpleTypeEnforcement> - <SimpleTypeEnforcementTypes> - <Type>SystemManagement</Type> - <Type>__UNLABELED__</Type> - </SimpleTypeEnforcementTypes> - </SimpleTypeEnforcement> - <ChineseWall> - <ChineseWallTypes> - <Type>SystemManagement</Type> - </ChineseWallTypes> - </ChineseWall> - <SecurityLabelTemplate> - <SubjectLabels bootstrap="SystemManagement"> - <VirtualMachineLabel> - <Name>SystemManagement</Name> - <SimpleTypeEnforcementTypes> - <Type>SystemManagement</Type> - <Type>__UNLABELED__</Type> - </SimpleTypeEnforcementTypes> - <ChineseWallTypes> - <Type/> - </ChineseWallTypes> - </VirtualMachineLabel> - <VirtualMachineLabel> - <Name>__UNLABELED__</Name> - <SimpleTypeEnforcementTypes> - <Type>__UNLABELED__</Type> - </SimpleTypeEnforcementTypes> - <ChineseWallTypes> - <Type/> - </ChineseWallTypes> - </VirtualMachineLabel> - </SubjectLabels> - </SecurityLabelTemplate> -</SecurityPolicyDefinition> _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-changelog
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |