[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen-unstable] Implement legacy XML-RPC interface for ACM commands.



# HG changeset patch
# User Keir Fraser <keir.fraser@xxxxxxxxxx>
# Date 1196847913 0
# Node ID 54482c56e4354969f32e4f0e23e29a69d96784c1
# Parent  5255eac35270c53ddd2172ec16bca261f1a2c237
Implement legacy XML-RPC interface for ACM commands.

This patch moves the directory of files where xend is writing policies
and resource labels into to /var/lib/xend/security/policies.

Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxx>
---
 tools/security/policies/default-security_policy.xml    |   30 ----
 tools/security/policies/default-ul-security_policy.xml |   41 ------
 tools/python/xen/util/acmpolicy.py                     |  111 +++++++++++++++--
 tools/python/xen/util/xsm/acm/acm.py                   |   11 -
 tools/python/xen/xend/XendOptions.py                   |    8 +
 tools/python/xen/xend/XendXSPolicyAdmin.py             |   38 +++--
 tools/python/xen/xm/setpolicy.py                       |   11 +
 tools/security/Makefile                                |    2 
 tools/security/policies/DEFAULT-UL-security_policy.xml |   41 ++++++
 9 files changed, 188 insertions(+), 105 deletions(-)

diff -r 5255eac35270 -r 54482c56e435 tools/python/xen/util/acmpolicy.py
--- a/tools/python/xen/util/acmpolicy.py        Wed Dec 05 09:44:20 2007 +0000
+++ b/tools/python/xen/util/acmpolicy.py        Wed Dec 05 09:45:13 2007 +0000
@@ -1,4 +1,4 @@
- #============================================================================
+#============================================================================
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of version 2.1 of the GNU Lesser General Public
 # License as published by the Free Software Foundation.
@@ -17,10 +17,11 @@
 #============================================================================
 
 import os
-import commands
-import struct
 import stat
 import array
+import struct
+import shutil
+import commands
 from xml.dom import minidom, Node
 from xen.xend.XendLogging import log
 from xen.util import xsconstants, bootloader, mkdir
@@ -28,6 +29,7 @@ from xen.xend.XendError import SecurityE
 from xen.xend.XendError import SecurityError
 import xen.util.xsm.acm.acm as security
 from xen.util.xsm.xsm import XSMError
+from xen.xend import XendOptions
 
 ACM_POLICIES_DIR = security.policy_dir_prefix + "/"
 
@@ -62,6 +64,73 @@ ACM_DOMAIN_LOOKUP            = 0x102
 ACM_DOMAIN_LOOKUP            = 0x102
 ACM_CHWALL_CONFLICT          = 0x103
 ACM_SSIDREF_IN_USE           = 0x104
+
+
+DEFAULT_policy = \
+"<?xml version=\"1.0\" ?>\n" +\
+"<SecurityPolicyDefinition xmlns=\"http://www.ibm.com\"; 
xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"; 
xsi:schemaLocation=\"http://www.ibm.com ../../security_policy.xsd\">\n" +\
+"  <PolicyHeader>\n" +\
+"    <PolicyName>DEFAULT</PolicyName>\n" +\
+"    <Version>1.0</Version>\n" +\
+"  </PolicyHeader>\n" +\
+"  <SimpleTypeEnforcement>\n" +\
+"    <SimpleTypeEnforcementTypes>\n" +\
+"      <Type>SystemManagement</Type>\n" +\
+"    </SimpleTypeEnforcementTypes>\n" +\
+"  </SimpleTypeEnforcement>\n" +\
+"  <ChineseWall>\n" +\
+"    <ChineseWallTypes>\n" +\
+"      <Type>SystemManagement</Type>\n" +\
+"    </ChineseWallTypes>\n" +\
+"  </ChineseWall>\n" +\
+"  <SecurityLabelTemplate>\n" +\
+"    <SubjectLabels bootstrap=\"SystemManagement\">\n" +\
+"      <VirtualMachineLabel>\n" +\
+"        <Name>SystemManagement</Name>\n" +\
+"        <SimpleTypeEnforcementTypes>\n" +\
+"          <Type>SystemManagement</Type>\n" +\
+"        </SimpleTypeEnforcementTypes>\n" +\
+"        <ChineseWallTypes>\n" +\
+"          <Type/>\n" +\
+"        </ChineseWallTypes>\n" +\
+"      </VirtualMachineLabel>\n" +\
+"    </SubjectLabels>\n" +\
+"  </SecurityLabelTemplate>\n" +\
+"</SecurityPolicyDefinition>\n"
+
+
+def get_DEFAULT_policy():
+    return DEFAULT_policy
+
+def initialize():
+    xoptions = XendOptions.instance()
+    basedir = xoptions.get_xend_security_path()
+    policiesdir = basedir + "/policies"
+    mkdir.parents(policiesdir, stat.S_IRWXU)
+
+    instdir = security.install_policy_dir_prefix
+    DEF_policy_file = "DEFAULT-security_policy.xml"
+    xsd_file = "security_policy.xsd"
+
+    files = [ xsd_file ]
+
+    for file in files:
+        if not os.path.isfile(policiesdir + "/" + file ):
+            try:
+                shutil.copyfile(instdir + "/" + file,
+                                policiesdir + "/" + file)
+            except Exception, e:
+                log.info("could not copy '%s': %s" %
+                         (file, str(e)))
+    #Install default policy.
+    f = open(policiesdir + "/" + DEF_policy_file, 'w')
+    if f:
+        f.write(get_DEFAULT_policy())
+        f.close()
+    else:
+        log.error("Could not write the default policy's file.")
+    defpol = ACMPolicy(xml=get_DEFAULT_policy())
+    defpol.compile()
 
 
 class ACMPolicy(XSPolicy):
@@ -92,7 +161,6 @@ class ACMPolicy(XSPolicy):
         rc = self.validate()
         if rc != xsconstants.XSERR_SUCCESS:
             raise SecurityError(rc)
-        mkdir.parents(ACM_POLICIES_DIR, stat.S_IRWXU)
         if ref:
             from xen.xend.XendXSPolicy import XendACMPolicy
             self.xendacmpolicy = XendACMPolicy(self, {}, ref)
@@ -341,8 +409,13 @@ class ACMPolicy(XSPolicy):
                 minor = int(tmp[1])
         return (major, minor)
 
-
-    def policy_path(self, name, prefix = ACM_POLICIES_DIR ):
+    def get_policies_path(self):
+        xoptions = XendOptions.instance()
+        basedir = xoptions.get_xend_security_path()
+        return basedir + "/policies/"
+
+    def policy_path(self, name):
+        prefix = self.get_policies_path()
         path = prefix + name.replace('.','/')
         _path = path.split("/")
         del _path[-1]
@@ -394,12 +467,14 @@ class ACMPolicy(XSPolicy):
     #
     # Utility functions related to the policy's files
     #
-    def get_filename(self, postfix, prefix = ACM_POLICIES_DIR, dotted=False):
+    def get_filename(self, postfix, prefix=None, dotted=False):
         """
            Create the filename for the policy. The prefix is prepended
            to the path. If dotted is True, then a policy name like
            'a.b.c' will remain as is, otherwise it will become 'a/b/c'
         """
+        if prefix == None:
+            prefix = self.get_policies_path()
         name = self.get_name()
         if name:
             p = name.split(".")
@@ -431,6 +506,17 @@ class ACMPolicy(XSPolicy):
 
     def get_bin(self):
         return self.__readfile(".bin")
+
+    def copy_policy_file(self, suffix, destdir):
+        spolfile = self.get_filename(suffix)
+        dpolfile = destdir + "/" + self.get_filename(suffix,"",dotted=True)
+        try:
+            shutil.copyfile(spolfile, dpolfile)
+        except Exception, e:
+            log.error("Could not copy policy file %s to %s: %s" %
+                      (spolfile, dpolfile, str(e)))
+            return -xsconstants.XSERR_FILE_ERROR
+        return xsconstants.XSERR_SUCCESS
 
     #
     # DOM-related functions
@@ -831,9 +917,14 @@ class ACMPolicy(XSPolicy):
             if path:
                 f = open(path, 'w')
                 if f:
-                    f.write(self.toxml())
-                    f.close()
-                    rc = 0
+                    try:
+                        try:
+                            f.write(self.toxml())
+                            rc = 0
+                        except:
+                            pass
+                    finally:
+                        f.close()
         return rc
 
     def __write_to_file(self, suffix, data):
diff -r 5255eac35270 -r 54482c56e435 tools/python/xen/util/xsm/acm/acm.py
--- a/tools/python/xen/util/xsm/acm/acm.py      Wed Dec 05 09:44:20 2007 +0000
+++ b/tools/python/xen/util/xsm/acm/acm.py      Wed Dec 05 09:45:13 2007 +0000
@@ -35,7 +35,8 @@ from xen.xend.XendConstants import *
 from xen.xend.XendConstants import *
 
 #global directories and tools for security management
-security_dir_prefix = "/etc/xen/acm-security"
+install_policy_dir_prefix = "/etc/xen/acm-security/policies"
+security_dir_prefix = XendOptions.instance().get_xend_security_path()
 policy_dir_prefix = security_dir_prefix + "/policies"
 res_label_filename = policy_dir_prefix + "/resource_labels"
 boot_filename = "/boot/grub/menu.lst"
@@ -323,7 +324,7 @@ def label2ssidref(labelname, policyname,
     maps current policy to default directory
     to find mapping file    """
 
-    if policyname in ['NULL', 'INACTIVE', 'DEFAULT', 'INACCESSIBLE' ]:
+    if policyname in ['NULL', 'INACTIVE', 'INACCESSIBLE' ]:
         err("Cannot translate labels for \'" + policyname + "\' policy.")
 
     allowed_types = ['ANY']
@@ -447,10 +448,8 @@ def get_ssid(domain):
     except:
         err("Cannot determine security information.")
 
-    if active_policy in ["DEFAULT"]:
-        label = "DEFAULT"
-    else:
-        label = ssidref2label(ssid_info["ssidref"])
+    label = ssidref2label(ssid_info["ssidref"])
+
     return(ssid_info["policyreference"],
            label,
            ssid_info["policytype"],
diff -r 5255eac35270 -r 54482c56e435 tools/python/xen/xend/XendOptions.py
--- a/tools/python/xen/xend/XendOptions.py      Wed Dec 05 09:44:20 2007 +0000
+++ b/tools/python/xen/xend/XendOptions.py      Wed Dec 05 09:45:13 2007 +0000
@@ -120,6 +120,9 @@ class XendOptions:
     """Default xend QCoW storage repository location."""
     xend_storage_path_default = '/var/lib/xend/storage'
 
+    """Default xend security state storage path."""
+    xend_security_path_default = '/var/lib/xend/security'
+
     """Default script to configure a backend network interface"""
     vif_script = osdep.vif_script
 
@@ -244,6 +247,11 @@ class XendOptions:
         """ Get the path for persistent domain configuration storage
         """
         return self.get_config_string("xend-storage-path", 
self.xend_storage_path_default)        
+
+    def get_xend_security_path(self):
+        """ Get the path for security state
+        """
+        return self.get_config_string("xend-security-path", 
self.xend_security_path_default)
 
     def get_network_script(self):
         """@return the script used to alter the network configuration when
diff -r 5255eac35270 -r 54482c56e435 tools/python/xen/xend/XendXSPolicyAdmin.py
--- a/tools/python/xen/xend/XendXSPolicyAdmin.py        Wed Dec 05 09:44:20 
2007 +0000
+++ b/tools/python/xen/xend/XendXSPolicyAdmin.py        Wed Dec 05 09:45:13 
2007 +0000
@@ -22,10 +22,10 @@ from xml.dom import minidom, Node
 
 from xen.xend.XendLogging import log
 from xen.xend import uuid
-from xen.util import xsconstants, dictio, bootloader
+from xen.util import xsconstants, bootloader
 import xen.util.xsm.acm.acm as security
 from xen.util.xspolicy import XSPolicy
-from xen.util.acmpolicy import ACMPolicy
+from xen.util.acmpolicy import ACMPolicy, initialize
 from xen.xend.XendError import SecurityError
 
 
@@ -48,6 +48,7 @@ class XSPolicyAdmin:
         self.xsobjs = {}
 
         act_pol_name = self.get_hv_loaded_policy_name()
+        initialize()
 
         ref = uuid.createString()
         try:
@@ -58,6 +59,7 @@ class XSPolicyAdmin:
                       "%s" % (act_pol_name,e))
 
         log.debug("XSPolicyAdmin: Known policies: %s" % self.policies)
+
 
     def isXSEnabled(self):
         """ Check whether 'security' is enabled on this system.
@@ -99,12 +101,23 @@ class XSPolicyAdmin:
             # This is meant as an update to a currently loaded policy
             if flags & xsconstants.XS_INST_LOAD == 0:
                 raise SecurityError(-xsconstants.XSERR_POLICY_LOADED)
-            if flags & xsconstants.XS_INST_BOOT == 0:
-                self.rm_bootpolicy()
+
+            # Remember old flags, so they can be restored if update fails
+            old_flags = self.get_policy_flags(loadedpol)
+
+            # Remove policy from bootloader in case of new name of policy
+            self.rm_bootpolicy()
+
             rc, errors = loadedpol.update(xmltext)
             if rc == 0:
                 irc = self.activate_xspolicy(loadedpol, flags)
                 # policy is loaded; if setting the boot flag fails it's ok.
+            else:
+                old_flags = old_flags & xsconstants.XS_INST_BOOT
+                log.info("OLD FLAGS TO RESTORE: %s" % str(old_flags))
+                if old_flags != 0:
+                    self.activate_xspolicy(loadedpol, xsconstants.XS_INST_BOOT)
+
             return (loadedpol, rc, errors)
 
         try:
@@ -161,15 +174,11 @@ class XSPolicyAdmin:
         return (acmpol, xsconstants.XSERR_SUCCESS, errors)
 
     def make_boot_policy(self, acmpol):
-        spolfile = acmpol.get_filename(".bin")
-        dpolfile = "/boot/" + acmpol.get_filename(".bin","",dotted=True)
-        if not os.path.isfile(spolfile):
-            log.error("binary policy file does not exist.")
-            return -xsconstants.XSERR_FILE_ERROR
-        try:
-            shutil.copyfile(spolfile, dpolfile)
-        except:
-            return -xsconstants.XSERR_FILE_ERROR
+        if acmpol.is_default_policy():
+            return xsconstants.XSERR_SUCCESS
+        rc = acmpol.copy_policy_file(".bin","/boot")
+        if rc != xsconstants.XSERR_SUCCESS:
+            return rc
 
         try:
             filename = acmpol.get_filename(".bin","",dotted=True)
@@ -231,7 +240,8 @@ class XSPolicyAdmin:
         flags = 0
 
         filename = acmpol.get_filename(".bin","", dotted=True)
-        if bootloader.loads_default_policy(filename):
+        if bootloader.loads_default_policy(filename) or \
+           acmpol.is_default_policy():
             flags |= xsconstants.XS_INST_BOOT
 
         if acmpol.isloaded():
diff -r 5255eac35270 -r 54482c56e435 tools/python/xen/xm/setpolicy.py
--- a/tools/python/xen/xm/setpolicy.py  Wed Dec 05 09:44:20 2007 +0000
+++ b/tools/python/xen/xm/setpolicy.py  Wed Dec 05 09:45:13 2007 +0000
@@ -25,6 +25,7 @@ import struct
 import struct
 import xen.util.xsm.xsm as security
 from xen.util import xsconstants
+from xen.util.xsm.acm.acm import install_policy_dir_prefix
 from xen.util.acmpolicy import ACMPolicy, \
    ACM_EVTCHN_SHARING_VIOLATION,\
    ACM_GNTTAB_SHARING_VIOLATION, \
@@ -32,7 +33,6 @@ from xen.util.acmpolicy import ACMPolicy
    ACM_CHWALL_CONFLICT, \
    ACM_SSIDREF_IN_USE
 from xen.xm.opts import OptionError
-from xen.util.xsm.acm.acm import policy_dir_prefix
 from xen.xm import main as xm_main
 from xen.xm.getpolicy import getpolicy
 from xen.xm.main import server
@@ -86,7 +86,7 @@ def setpolicy(policytype, policy_name, f
     if policytype.upper() == xsconstants.ACM_POLICY_ID:
         xs_type = xsconstants.XS_POLICY_ACM
 
-        for prefix in [ './', policy_dir_prefix+"/" ]:
+        for prefix in [ './', install_policy_dir_prefix+"/" ]:
             policy_file = prefix + "/".join(policy_name.split(".")) + \
                           "-security_policy.xml"
 
@@ -99,9 +99,12 @@ def setpolicy(policytype, policy_name, f
             f.close()
         except:
             raise OptionError("Could not read policy file from current"
-                              " directory or '%s'." % policy_dir_prefix)
+                              " directory or '%s'." %
+                              install_policy_dir_prefix)
 
         if xm_main.serverType == xm_main.SERVER_XEN_API:
+            if xs_type != int(server.xenapi.XSPolicy.get_xstype()):
+                raise security.XSMError("ACM policy type not supported.")
 
             try:
                 policystate = server.xenapi.XSPolicy.set_xspolicy(xs_type,
@@ -124,6 +127,8 @@ def setpolicy(policytype, policy_name, f
                 getpolicy(False)
         else:
             # Non-Xen-API call.
+            if xs_type != server.xend.security.get_xstype():
+                raise security.XSMError("ACM policy type not supported.")
 
             rc, errors = server.xend.security.set_policy(xs_type,
                                                          xml,
diff -r 5255eac35270 -r 54482c56e435 tools/security/Makefile
--- a/tools/security/Makefile   Wed Dec 05 09:44:20 2007 +0000
+++ b/tools/security/Makefile   Wed Dec 05 09:45:13 2007 +0000
@@ -32,7 +32,7 @@ ACM_SECGEN_CGIDIR = $(ACM_SECGEN_HTMLDIR
 
 ACM_SCHEMA        = security_policy.xsd
 ACM_EXAMPLES      = client_v1 test
-ACM_DEF_POLICIES  = default default-ul
+ACM_DEF_POLICIES  = DEFAULT-UL
 ACM_POLICY_SUFFIX = security_policy.xml
 
 ifeq ($(ACM_SECURITY),y)
diff -r 5255eac35270 -r 54482c56e435 
tools/security/policies/DEFAULT-UL-security_policy.xml
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/security/policies/DEFAULT-UL-security_policy.xml    Wed Dec 05 
09:45:13 2007 +0000
@@ -0,0 +1,41 @@
+<?xml version="1.0" ?>
+<SecurityPolicyDefinition xmlns="http://www.ibm.com"; 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
xsi:schemaLocation="http://www.ibm.com ../../security_policy.xsd">
+  <PolicyHeader>
+    <PolicyName>DEFAULT-UL</PolicyName>
+    <Version>1.0</Version>
+  </PolicyHeader>
+  <SimpleTypeEnforcement>
+    <SimpleTypeEnforcementTypes>
+      <Type>SystemManagement</Type>
+      <Type>__UNLABELED__</Type>
+    </SimpleTypeEnforcementTypes>
+  </SimpleTypeEnforcement>
+  <ChineseWall>
+    <ChineseWallTypes>
+      <Type>SystemManagement</Type>
+    </ChineseWallTypes>
+  </ChineseWall>
+  <SecurityLabelTemplate>
+    <SubjectLabels bootstrap="SystemManagement">
+      <VirtualMachineLabel>
+        <Name>SystemManagement</Name>
+        <SimpleTypeEnforcementTypes>
+          <Type>SystemManagement</Type>
+          <Type>__UNLABELED__</Type>
+        </SimpleTypeEnforcementTypes>
+        <ChineseWallTypes>
+          <Type/>
+        </ChineseWallTypes>
+      </VirtualMachineLabel>
+      <VirtualMachineLabel>
+        <Name>__UNLABELED__</Name>
+        <SimpleTypeEnforcementTypes>
+          <Type>__UNLABELED__</Type>
+        </SimpleTypeEnforcementTypes>
+        <ChineseWallTypes>
+          <Type/>
+        </ChineseWallTypes>
+      </VirtualMachineLabel>
+    </SubjectLabels>
+  </SecurityLabelTemplate>
+</SecurityPolicyDefinition>
diff -r 5255eac35270 -r 54482c56e435 
tools/security/policies/default-security_policy.xml
--- a/tools/security/policies/default-security_policy.xml       Wed Dec 05 
09:44:20 2007 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,30 +0,0 @@
-<?xml version="1.0" ?>
-<SecurityPolicyDefinition xmlns="http://www.ibm.com"; 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
xsi:schemaLocation="http://www.ibm.com ../../security_policy.xsd">
-  <PolicyHeader>
-    <PolicyName>DEFAULT</PolicyName>
-    <Version>1.0</Version>
-  </PolicyHeader>
-  <SimpleTypeEnforcement>
-    <SimpleTypeEnforcementTypes>
-      <Type>SystemManagement</Type>
-    </SimpleTypeEnforcementTypes>
-  </SimpleTypeEnforcement>
-  <ChineseWall>
-    <ChineseWallTypes>
-      <Type>SystemManagement</Type>
-    </ChineseWallTypes>
-  </ChineseWall>
-  <SecurityLabelTemplate>
-    <SubjectLabels bootstrap="SystemManagement">
-      <VirtualMachineLabel>
-        <Name>SystemManagement</Name>
-        <SimpleTypeEnforcementTypes>
-          <Type>SystemManagement</Type>
-        </SimpleTypeEnforcementTypes>
-        <ChineseWallTypes>
-          <Type/>
-        </ChineseWallTypes>
-      </VirtualMachineLabel>
-    </SubjectLabels>
-  </SecurityLabelTemplate>
-</SecurityPolicyDefinition>
diff -r 5255eac35270 -r 54482c56e435 
tools/security/policies/default-ul-security_policy.xml
--- a/tools/security/policies/default-ul-security_policy.xml    Wed Dec 05 
09:44:20 2007 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,41 +0,0 @@
-<?xml version="1.0" ?>
-<SecurityPolicyDefinition xmlns="http://www.ibm.com"; 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
xsi:schemaLocation="http://www.ibm.com ../../security_policy.xsd">
-  <PolicyHeader>
-    <PolicyName>DEFAULT-UL</PolicyName>
-    <Version>1.0</Version>
-  </PolicyHeader>
-  <SimpleTypeEnforcement>
-    <SimpleTypeEnforcementTypes>
-      <Type>SystemManagement</Type>
-      <Type>__UNLABELED__</Type>
-    </SimpleTypeEnforcementTypes>
-  </SimpleTypeEnforcement>
-  <ChineseWall>
-    <ChineseWallTypes>
-      <Type>SystemManagement</Type>
-    </ChineseWallTypes>
-  </ChineseWall>
-  <SecurityLabelTemplate>
-    <SubjectLabels bootstrap="SystemManagement">
-      <VirtualMachineLabel>
-        <Name>SystemManagement</Name>
-        <SimpleTypeEnforcementTypes>
-          <Type>SystemManagement</Type>
-          <Type>__UNLABELED__</Type>
-        </SimpleTypeEnforcementTypes>
-        <ChineseWallTypes>
-          <Type/>
-        </ChineseWallTypes>
-      </VirtualMachineLabel>
-      <VirtualMachineLabel>
-        <Name>__UNLABELED__</Name>
-        <SimpleTypeEnforcementTypes>
-          <Type>__UNLABELED__</Type>
-        </SimpleTypeEnforcementTypes>
-        <ChineseWallTypes>
-          <Type/>
-        </ChineseWallTypes>
-      </VirtualMachineLabel>
-    </SubjectLabels>
-  </SecurityLabelTemplate>
-</SecurityPolicyDefinition>

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.