[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [xen-unstable] xend, acm: Extend Xen-API with function to reset the policy
# HG changeset patch
# User Keir Fraser <keir.fraser@xxxxxxxxxx>
# Date 1197453475 0
# Node ID 433f6a6a862a072d51ba952e77e21918ea7ac381
# Parent dad243d08849279c26057d71fba3125bf2e15bde
xend, acm: Extend Xen-API with function to reset the policy
This patch extends the Xen-API and the legacy XML-RPC interface with a function to reset the policy on the system (through an update with the default policy). I adapted the code in 'xm resetpolicy' to use this now. This patch also extends libxen and the documentation to reflect the new function.
Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxx>
---
docs/xen-api/xenapi-datamodel.tex | 39 ++++++++++++++++++
tools/libxen/include/xen/api/xen_xspolicy.h | 13 ++++++
tools/libxen/src/xen_xspolicy.c | 18 ++++++++
tools/python/xen/util/acmpolicy.py | 15 +++++--
tools/python/xen/util/xsm/acm/acm.py | 15 +++++++
tools/python/xen/util/xsm/dummy/dummy.py | 4 +
tools/python/xen/xend/XendXSPolicy.py | 32 ++++++++++++++
tools/python/xen/xend/XendXSPolicyAdmin.py | 17 +++++++
tools/python/xen/xm/resetpolicy.py | 60 ----------------------------
9 files changed, 152 insertions(+), 61 deletions(-)
diff -r dad243d08849 -r 433f6a6a862a docs/xen-api/xenapi-datamodel.tex
--- a/docs/xen-api/xenapi-datamodel.tex Wed Dec 12 09:54:21 2007 +0000
+++ b/docs/xen-api/xenapi-datamodel.tex Wed Dec 12 09:57:55 2007 +0000
@@ -14735,6 +14735,45 @@ State information about the policy. In c State information about the policy. In case an error occurred, the 'xs\_err' field contains the error code. The 'errors' may contain further information about the error. + \vspace{0.3cm} +\vspace{0.3cm} +\vspace{0.3cm} +\subsubsection{RPC name:~reset\_xspolicy} + +{\bf Overview:} +Attempt to reset the system's policy by installing the default policy. +Since this function is implemented as an update to the current policy, it +underlies the same restrictions. This function may fail if for example +other domains than Domain-0 are running and use a different label than +Domain-0 + +\noindent {\bf Signature:} +\begin{verbatim} xs_policystate reset_xspolicy (session_id s, xs_type type) +\end{verbatim} + +\noindent{\bf Arguments:} + +\vspace{0.3cm} + +\begin{tabular}{|c|c|p{7cm}|} + \hline +{\bf type} & {\bf name} & {\bf description} \\ \hline +{\tt xs\_type } & type & the type of policy \\ \hline + +\end{tabular} + +\vspace{0.3cm} + + + \noindent {\bf Return Type:} +{\tt +xs\_policystate +} + + +State information about the policy. In case an error occurred, the 'xs\_err' +field contains the error code. The 'errors' may contain further information +about the error. \vspace{0.3cm} \vspace{0.3cm} \vspace{0.3cm} diff -r dad243d08849 -r 433f6a6a862a tools/libxen/include/xen/api/xen_xspolicy.h --- a/tools/libxen/include/xen/api/xen_xspolicy.h Wed Dec 12 09:54:21 2007 +0000 +++ b/tools/libxen/include/xen/api/xen_xspolicy.h Wed Dec 12 09:57:55 2007 +0000 
@@ -240,6 +240,19 @@ xen_xspolicy_set_xspolicy(xen_session *s
 bool overwrite);
+
+/**
+ * Attempt to reset the system's policy to the DEFAULT policy for the
+ * respective policy type. This is done by updating the system and therefore
+ * underlies the same restrictions of a policy update. This operation may
+ * for example fail if other domains than Domain-0 are running and have
+ * different labels than Domain-0.
+ */
+bool
+xen_xspolicy_reset_xspolicy(xen_session *session, xen_xs_policystate **result,
+ xs_type type);
+
+
 /**
 * Remove any policy from having the system booted with.
 */
diff -r dad243d08849 -r 433f6a6a862a tools/libxen/src/xen_xspolicy.c
--- a/tools/libxen/src/xen_xspolicy.c Wed Dec 12 09:54:21 2007 +0000
+++ b/tools/libxen/src/xen_xspolicy.c Wed Dec 12 09:57:55 2007 +0000
@@ -225,6 +225,24 @@ xen_xspolicy_set_xspolicy(xen_session *s
 bool
+xen_xspolicy_reset_xspolicy(xen_session *session, xen_xs_policystate **result,
+ xs_type type)
+{
+ abstract_value param_values[] =
+ {
+ { .type = &abstract_type_int,
+ .u.int_val = type },
+ };
+
+ abstract_type result_type = xen_xs_policystate_abstract_type_;
+
+ *result = NULL;
+ XEN_CALL_("XSPolicy.reset_xspolicy");
+ return session->ok;
+}
+
+
+bool
 xen_xspolicy_get_xspolicy(xen_session *session, xen_xs_policystate **result)
 {
 abstract_value param_values[] =
diff -r dad243d08849 -r 433f6a6a862a tools/python/xen/util/acmpolicy.py
--- a/tools/python/xen/util/acmpolicy.py Wed Dec 12 09:54:21 2007 +0000
+++ b/tools/python/xen/util/acmpolicy.py Wed Dec 12 09:57:55 2007 +0000
@@ -86,7 +86,7 @@ DEFAULT_policy = \
 " <SecurityLabelTemplate>\n" +\
 " <SubjectLabels bootstrap=\"SystemManagement\">\n" +\
 " <VirtualMachineLabel>\n" +\
-" <Name>SystemManagement</Name>\n" +\
+" <Name%s>SystemManagement</Name>\n" +\
 " <SimpleTypeEnforcementTypes>\n" +\
 " <Type>SystemManagement</Type>\n" +\
 " </SimpleTypeEnforcementTypes>\n" +\
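Review bot: Changing `<Name>` to `<Name%s>` turns the module-level `DEFAULT_policy` string into a %-format template, so any code that still reads `DEFAULT_policy` directly instead of calling `get_DEFAULT_policy()` would now emit a literal `<Name%s>` element, and any `%` added to the template text later would break formatting; I cannot see other readers from this hunk, so please check. The removed `xm resetpolicy` code kept a separate `DEFAULT_policy_template` name for the templated form. Either rename the constant accordingly and keep `DEFAULT_policy = DEFAULT_policy_template % ""` for existing readers, or add a comment above the assignment such as `# %-format template: the <Name> element takes an optional ' from="..."' attribute; always build it via get_DEFAULT_policy()`. The `DEFAULT_policy` assignment starts outside this hunk.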
@@ -99,8 +99,11 @@ DEFAULT_policy = \
 "</SecurityPolicyDefinition>\n"
-def get_DEFAULT_policy():
- return DEFAULT_policy
+def get_DEFAULT_policy(dom0label=""):
+ fromnode = ""
+ if dom0label != "":
+ fromnode = " from=\"%s\"" % dom0label
+ return DEFAULT_policy % fromnode
 def initialize():
 xoptions = XendOptions.instance()
@@ -375,6 +378,12 @@ class ACMPolicy(XSPolicy):
 force_default_policy = classmethod(force_default_policy)
+ def get_reset_policy_xml(klass):
+ dom0_label = security.get_ssid(0)[1]
+ return get_DEFAULT_policy(dom0_label)
+
+ get_reset_policy_xml = classmethod(get_reset_policy_xml)
+
 def __do_update_version_check(self, acmpol_new):
 acmpol_old = self
diff -r dad243d08849 -r 433f6a6a862a tools/python/xen/util/xsm/acm/acm.py
--- a/tools/python/xen/util/xsm/acm/acm.py Wed Dec 12 09:54:21 2007 +0000
+++ b/tools/python/xen/util/xsm/acm/acm.py Wed Dec 12 09:57:55 2007 +0000
@@ -86,6 +86,7 @@ xmlrpc_exports = [
 'list_labels',
 'get_labeled_resources',
 'set_policy',
+ 'reset_policy',
 'get_policy',
 'activate_policy',
 'rm_bootpolicy',
@@ -562,6 +563,20 @@ def set_policy(xs_type, xml, flags, over
 xspoladmin.add_acmpolicy_to_system(xml, int(flags), True)
+ return rc, base64.b64encode(errors)
+ except Exception, e:
+ err(str(e))
+
+
+def reset_policy():
+ """
+ Xend exports this function via XML-RPC
+ """
+ from xen.xend import XendXSPolicyAdmin
+ xspoladmin = XendXSPolicyAdmin.XSPolicyAdminInstance()
+ try:
+ acmpol, rc, errors = \
+ xspoladmin.reset_acmpolicy()
 return rc, base64.b64encode(errors)
 except Exception, e:
 err(str(e))
diff -r dad243d08849 -r 433f6a6a862a tools/python/xen/util/xsm/dummy/dummy.py
--- a/tools/python/xen/util/xsm/dummy/dummy.py Wed Dec 12 09:54:21 2007 +0000
+++ b/tools/python/xen/util/xsm/dummy/dummy.py Wed Dec 12 09:57:55 2007 +0000
@@ -21,6 +21,7 @@ xmlrpc_exports = [
 'list_labels',
 'get_labeled_resources',
 'set_policy',
+ 'reset_policy',
 'get_policy',
 'activate_policy',
 'rm_bootpolicy',
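Review bot: `get_DEFAULT_policy()` interpolates `dom0label` into an XML attribute with `" from=\"%s\"" % dom0label` and no escaping, so a label containing `"`, `&` or `<` yields malformed policy XML or an attribute value that differs from the label it was meant to carry. The value comes from `security.get_ssid(0)[1]` in the next hunk, i.e. from the currently loaded policy rather than from an RPC argument, but a label name is exactly the kind of string a policy author chooses freely. Build the attribute with the standard-library quoter instead: `fromnode = " from=%s" % quoteattr(dom0label)` with `from xml.sax.saxutils import quoteattr` (it supplies the surrounding quotes itself). Two smaller points: `if dom0label != "":` reads better as `if dom0label:`, and the removed `xm resetpolicy` code omitted the `from=` attribute when the label was already `SystemManagement`, which this version no longer does — worth confirming that `<Name from="SystemManagement">SystemManagement</Name>` is accepted by the update path.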
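Review bot: The new legacy XML-RPC `reset_policy()` takes no policy type, while `set_policy(xs_type, ...)` directly above it and the Xen-API `reset_xspolicy(xstype)` in XendXSPolicy.py both take one and the latter rejects anything but `XS_POLICY_ACM`; this entry point therefore silently assumes ACM. Consider `def reset_policy(xs_type):`, validating it the way the Xen-API variant does, and passing it from `xm resetpolicy`, which still has `xs_type` in scope at the call site changed in resetpolicy.py. Independently, `acmpol` in `acmpol, rc, errors = xspoladmin.reset_acmpolicy()` is unpacked but never used — `_, rc, errors = ...` makes that explicit — and the docstring should state the contract, e.g. `Reset the system's ACM policy to the DEFAULT policy; returns (rc, base64-encoded errors), routing exceptions through err().`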
@@ -102,6 +103,9 @@ def set_policy(xs_type, xml, flags, over
 def set_policy(xs_type, xml, flags, overwrite):
 err("Command not supported under xsm 'dummy' module.")
+def reset_policy():
+ err("Command not supported under xsm 'dummy' module.")
+
 def get_policy():
 return "", 0
diff -r dad243d08849 -r 433f6a6a862a tools/python/xen/xend/XendXSPolicy.py
--- a/tools/python/xen/xend/XendXSPolicy.py Wed Dec 12 09:54:21 2007 +0000
+++ b/tools/python/xen/xend/XendXSPolicy.py Wed Dec 12 09:57:55 2007 +0000
@@ -43,6 +43,7 @@ class XendXSPolicy(XendBase):
 def getFuncs(self):
 funcs = [ 'get_xstype',
 'set_xspolicy',
+ 'reset_xspolicy',
 'get_xspolicy',
 'rm_xsbootpolicy',
 'get_resource_label',
@@ -104,6 +105,36 @@ class XendXSPolicy(XendBase):
 raise SecurityError(-xsconstants.XSERR_POLICY_TYPE_UNSUPPORTED)
 return polstate
+
+ def reset_xspolicy(self, xstype):
+ xstype = int(xstype)
+ polstate = { 'xs_ref': "", 'repr' : "", 'type' : 0,
+ 'flags' : 0 , 'version': 0 , 'errors' : "", 'xserr' : 0 }
+ if xstype == xsconstants.XS_POLICY_ACM:
+ poladmin = XSPolicyAdminInstance()
+ try:
+ (xspol, rc, errors) = poladmin.reset_acmpolicy()
+ if rc != 0:
+ polstate.update( { 'xserr' : rc,
+ 'errors': base64.b64encode(errors) } )
+ else:
+ ref = xspol.get_ref()
+ polstate = {
+ 'xs_ref' : ref,
+ 'flags' : poladmin.get_policy_flags(xspol),
+ 'type' : xstype,
+ 'repr' : "",
+ 'version': xspol.get_version(),
+ 'errors' : base64.b64encode(errors),
+ 'xserr' : rc,
+ }
+ except Exception, e:
+ raise
+ else:
+ raise SecurityError(-xsconstants.XSERR_POLICY_TYPE_UNSUPPORTED)
+ return polstate
+
+
 def activate_xspolicy(self, flags):
 flags = int(flags)
 rc = -xsconstants.XSERR_GENERAL_FAILURE
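Review bot: In `reset_xspolicy` the `try: ... except Exception, e: raise` around `poladmin.reset_acmpolicy()` does nothing but bind and discard `e`; either drop the `try` altogether or turn the failure into the `SecurityError` a Xen-API caller expects, e.g. `except Exception, e: raise SecurityError(-xsconstants.XSERR_GENERAL_FAILURE)` — whether that matches what `set_xspolicy` does cannot be seen here, its body is outside the hunk. In the `rc != 0` branch the returned `polstate` also keeps `'type': 0` instead of the requested `xstype`, unlike the success branch; setting `polstate['type'] = xstype` right after the `int()` conversion makes both paths agree. A docstring listing the returned keys (`xs_ref`, `flags`, `type`, `repr`, `version`, `errors`, `xserr`), noting that `errors` is base64-encoded and that an unsupported type raises `SecurityError`, would help clients of the new RPC.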
@@ -162,6 +193,7 @@ class XendXSPolicy(XendBase):
 get_xstype = classmethod(get_xstype)
 get_xspolicy = classmethod(get_xspolicy)
 set_xspolicy = classmethod(set_xspolicy)
+ reset_xspolicy = classmethod(reset_xspolicy)
 rm_xsbootpolicy = classmethod(rm_xsbootpolicy)
 set_resource_label = classmethod(set_resource_label)
 get_resource_label = classmethod(get_resource_label)
diff -r dad243d08849 -r 433f6a6a862a tools/python/xen/xend/XendXSPolicyAdmin.py
--- a/tools/python/xen/xend/XendXSPolicyAdmin.py Wed Dec 12 09:54:21 2007 +0000
+++ b/tools/python/xen/xend/XendXSPolicyAdmin.py Wed Dec 12 09:57:55 2007 +0000
@@ -179,6 +179,23 @@ class XSPolicyAdmin:
 self.xsobjs[ref] = acmpol
 return (acmpol, xsconstants.XSERR_SUCCESS, errors)
+
+ def reset_acmpolicy(self):
+ """
+ Attempt to reset the system's policy by udating it with
+ the DEFAULT policy.
+ """
+ from xen.xend import XendDomain
+ domains = XendDomain.instance()
+ try:
+ domains.domains_lock.acquire()
+ xml = ACMPolicy.get_reset_policy_xml()
+ flags = xsconstants.XS_INST_BOOT | xsconstants.XS_INST_LOAD
+ return self.__add_acmpolicy_to_system(xml, flags, True)
+ finally:
+ domains.domains_lock.release()
+
+
 def make_boot_policy(self, acmpol):
 if acmpol.is_default_policy():
 return xsconstants.XSERR_SUCCESS
diff -r dad243d08849 -r 433f6a6a862a tools/python/xen/xm/resetpolicy.py
--- a/tools/python/xen/xm/resetpolicy.py Wed Dec 12 09:54:21 2007 +0000
+++ b/tools/python/xen/xm/resetpolicy.py Wed Dec 12 09:57:55 2007 +0000
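Review bot: `reset_acmpolicy` calls `domains.domains_lock.acquire()` inside the `try`, so if `acquire()` ever raised, the `finally` would `release()` a lock this thread does not hold; the conventional shape is `domains.domains_lock.acquire()` on the line before `try:`. The docstring has a typo (`udating` → `updating`) and should state what is returned — from the visible `return self.__add_acmpolicy_to_system(xml, flags, True)` and the `(acmpol, xsconstants.XSERR_SUCCESS, errors)` tuple just above it, presumably `(acmpol, rc, errors)`, but confirm against `__add_acmpolicy_to_system`, whose body is outside the hunk. The hard-coded `XS_INST_BOOT | XS_INST_LOAD` also deserves a one-line comment explaining why a reset always installs the DEFAULT policy as both the boot and the loaded policy, since the xm caller previously chose the flags itself.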
@@ -26,40 +26,6 @@ from xen.util import xsconstants
 from xen.util import xsconstants
 from xen.util.acmpolicy import ACMPolicy
-DOM0_UUID = "00000000-0000-0000-0000-000000000000"
-
-DEFAULT_policy_template = \
-"<?xml version=\"1.0\" ?>" +\
-"<SecurityPolicyDefinition xmlns=\"http://www.ibm.com\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:schemaLocation=\"http://www.ibm.com ../../security_policy.xsd\">" +\
-" <PolicyHeader>" +\
-" <PolicyName>DEFAULT</PolicyName>" +\
-" <Version>1.0</Version>" +\
-" </PolicyHeader>" +\
-" <SimpleTypeEnforcement>" +\
-" <SimpleTypeEnforcementTypes>" +\
-" <Type>SystemManagement</Type>" +\
-" </SimpleTypeEnforcementTypes>" +\
-" </SimpleTypeEnforcement>" +\
-" <ChineseWall>" +\
-" <ChineseWallTypes>" +\
-" <Type>SystemManagement</Type>" +\
-" </ChineseWallTypes>" +\
-" </ChineseWall>" +\
-" <SecurityLabelTemplate>" +\
-" <SubjectLabels bootstrap=\"SystemManagement\">" +\
-" <VirtualMachineLabel>" +\
-" <Name%s>SystemManagement</Name>" +\
-" <SimpleTypeEnforcementTypes>" +\
-" <Type>SystemManagement</Type>" +\
-" </SimpleTypeEnforcementTypes>" +\
-" <ChineseWallTypes>" +\
-" <Type/>" +\
-" </ChineseWallTypes>" +\
-" </VirtualMachineLabel>" +\
-" </SubjectLabels>" +\
-" </SecurityLabelTemplate>" +\
-"</SecurityPolicyDefinition>"
-
 def help():
 return """
@@ -69,16 +35,6 @@ def help():
 since otherwise this operation will fail.
 """
-def get_reset_policy_xml(dom0_seclab):
- if dom0_seclab == "":
- return DEFAULT_policy_template % ""
- else:
- poltyp, policy, label = dom0_seclab.split(":")
- if label != "SystemManagement":
- return DEFAULT_policy_template % \
- (" from=\"%s\"" % label)
- else:
- return DEFAULT_policy_template % ""
 def resetpolicy():
 msg = None
@@ -99,13 +55,8 @@ def resetpolicy():
 not acmpol.is_default_policy():
 msg = "Old policy not found in bootloader file."
- seclab = server.xenapi.VM.get_security_label(DOM0_UUID)
- xml = get_reset_policy_xml(seclab)
 try:
- policystate = server.xenapi.XSPolicy.set_xspolicy(xs_type,
- xml,
- flags,
- True)
+ policystate = server.xenapi.XSPolicy.reset_xspolicy(xs_type)
 except Exception, e:
 raise security.XSMError("An error occurred resetting the "
 "policy: %s" % str(e))
@@ -130,14 +81,7 @@ def resetpolicy():
 not acmpol.is_default_policy():
 msg = "Old policy not found in bootloader file."
- seclab = server.xend.security.get_domain_label(0)
- if seclab[0] == '\'':
- seclab = seclab[1:]
- xml = get_reset_policy_xml(seclab)
- rc, errors = server.xend.security.set_policy(xs_type,
- xml,
- flags,
- True)
+ rc, errors = server.xend.security.reset_policy()
 if rc != xsconstants.XSERR_SUCCESS:
 raise security.XSMError("Could not reset the system's policy. "
 "Try to halt all guests.")
_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
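Review bot: Both hunks stop passing `flags` when switching to `reset_xspolicy(xs_type)` and `reset_policy()`, while the server side now fixes the flags to `XS_INST_BOOT | XS_INST_LOAD` in `XSPolicyAdmin.reset_acmpolicy`; if `flags` is computed earlier in `resetpolicy()` (the function starts and ends outside these hunks) it is now dead, and any path on which xm deliberately left out `XS_INST_BOOT` — the "Old policy not found in bootloader file." message kept next to both call sites suggests such a path exists — no longer has that effect. Either remove the now-unused local or, if the boot flag still matters to the caller, carry it through the new RPCs (`reset_xspolicy(xs_type, flags)` on the Xen-API side). The legacy call `server.xend.security.reset_policy()` also drops `xs_type`, so the type check the Xen-API path performs is skipped on the legacy path; see the note on the acm.py hunk.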