[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [xen-unstable] xend: Updated setpolicy to support loading of flask policy
# HG changeset patch # User Keir Fraser <keir.fraser@xxxxxxxxxx> # Date 1254820313 -3600 # Node ID 10cfcbef68ee8ff7747e0150d93220c2b832cd08 # Parent e39acea851f48598114a3c8ab90afc5a97b33952 xend: Updated setpolicy to support loading of flask policy Updated xm setpolicy command to support the loading of flask security policies. Signed-off-by : Machon Gregory <mbgrego@xxxxxxxxxxxxxx> Signed-off-by : George S. Coker, II <gscoker@xxxxxxxxxxxxxx> --- tools/python/xen/lowlevel/flask/flask.c | 36 +++++++++ tools/python/xen/util/xsconstants.py | 1 tools/python/xen/util/xsm/acm/acm.py | 1 tools/python/xen/util/xsm/flask/flask.py | 11 ++ tools/python/xen/xend/XendXSPolicy.py | 12 ++- tools/python/xen/xend/XendXSPolicyAdmin.py | 3 tools/python/xen/xm/setpolicy.py | 111 +++++++++++++++-------------- 7 files changed, 120 insertions(+), 55 deletions(-) diff -r e39acea851f4 -r 10cfcbef68ee tools/python/xen/lowlevel/flask/flask.c --- a/tools/python/xen/lowlevel/flask/flask.c Tue Oct 06 10:11:14 2009 +0100 +++ b/tools/python/xen/lowlevel/flask/flask.c Tue Oct 06 10:11:53 2009 +0100 @@ -106,6 +106,35 @@ static PyObject *pyflask_sid_to_context( return Py_BuildValue("s", ctx, ctx_len); } +static PyObject *pyflask_load(PyObject *self, PyObject *args, PyObject *kwds) +{ + int xc_handle; + char *policy; + uint32_t len; + int ret; + + static char *kwd_list[] = { "policy", NULL }; + + if( !PyArg_ParseTupleAndKeywords(args, kwds, "s#", kwd_list, &policy, &len) ) + return NULL; + + xc_handle = xc_interface_open(); + if (xc_handle < 0) { + errno = xc_handle; + return PyErr_SetFromErrno(xc_error_obj); + } + + ret = flask_load(xc_handle, policy, len); + + xc_interface_close(xc_handle); + + if ( ret != 0 ) { + errno = -ret; + return PyErr_SetFromErrno(xc_error_obj); + } + + return Py_BuildValue("i", ret); +} static PyMethodDef pyflask_methods[] = { { "flask_context_to_sid", @@ -122,6 +151,13 @@ static PyMethodDef pyflask_methods[] = { " context [int]: SID to be converted\n" "Returns: [str]: Numeric SID on success; -1 on error.\n" }, + { "flask_load", + (PyCFunction)pyflask_load, + METH_KEYWORDS, "\n" + "Loads a policy into the hypervisor.\n" + " policy [str]: policy to be load\n" + "Returns: [int]: 0 on success; -1 on failure.\n" }, + { NULL, NULL, 0, NULL } }; diff -r e39acea851f4 -r 10cfcbef68ee tools/python/xen/util/xsconstants.py --- a/tools/python/xen/util/xsconstants.py Tue Oct 06 10:11:14 2009 +0100 +++ b/tools/python/xen/util/xsconstants.py Tue Oct 06 10:11:53 2009 +0100 @@ -106,6 +106,7 @@ def xserr2string(err): # Policy identifiers used in labels ACM_POLICY_ID = 'ACM' +FLASK_POLICY_ID = 'FLASK' INVALID_POLICY_PREFIX = 'INV_' diff -r e39acea851f4 -r 10cfcbef68ee tools/python/xen/util/xsm/acm/acm.py --- a/tools/python/xen/util/xsm/acm/acm.py Tue Oct 06 10:11:14 2009 +0100 +++ b/tools/python/xen/util/xsm/acm/acm.py Tue Oct 06 10:11:53 2009 +0100 @@ -82,6 +82,7 @@ log = logging.getLogger("xend.util.secur #Functions exported through XML-RPC xmlrpc_exports = [ + 'on', 'set_resource_label', 'get_resource_label', 'list_labels', diff -r e39acea851f4 -r 10cfcbef68ee tools/python/xen/util/xsm/flask/flask.py --- a/tools/python/xen/util/xsm/flask/flask.py Tue Oct 06 10:11:14 2009 +0100 +++ b/tools/python/xen/util/xsm/flask/flask.py Tue Oct 06 10:11:53 2009 +0100 @@ -1,10 +1,15 @@ import sys import sys +import base64 from xen.lowlevel import flask from xen.util import xsconstants from xen.xend import sxp #Functions exported through XML-RPC -xmlrpc_exports = [ ] +xmlrpc_exports = [ + 'on', + 'set_policy' +] + def err(msg): """Raise XSM-Flask exception. @@ -47,3 +52,7 @@ def get_security_label(self, xspol=None) def get_security_label(self, xspol=None): label = self.info['security_label'] return label + +def set_policy(xs_type, policy_b64, flags=None, overwrite=None): + policy = base64.b64decode(policy_b64); + return flask.flask_load(policy), "" diff -r e39acea851f4 -r 10cfcbef68ee tools/python/xen/xend/XendXSPolicy.py --- a/tools/python/xen/xend/XendXSPolicy.py Tue Oct 06 10:11:14 2009 +0100 +++ b/tools/python/xen/xend/XendXSPolicy.py Tue Oct 06 10:11:53 2009 +0100 @@ -73,7 +73,7 @@ class XendXSPolicy(XendBase): def get_xstype(self): return XSPolicyAdminInstance().isXSEnabled() - def set_xspolicy(self, xstype, xml, flags, overwrite): + def set_xspolicy(self, xstype, policy, flags, overwrite): ref = "" xstype = int(xstype) flags = int(flags) @@ -84,7 +84,7 @@ class XendXSPolicy(XendBase): poladmin = XSPolicyAdminInstance() try: (xspol, rc, errors) = poladmin.add_acmpolicy_to_system( - xml, flags, + policy, flags, overwrite) if rc != 0: polstate.update( { 'xserr' : rc, @@ -102,6 +102,14 @@ class XendXSPolicy(XendBase): } except Exception, e: raise + elif xstype == xsconstants.XS_POLICY_FLASK: + rc, errors = security.set_policy(xstype, policy); + if rc != 0: + polstate.update( { 'xserr' : -xsconstants.XSERR_POLICY_LOAD_FAILED, + 'errors': errors } ) + else: + polstate.update( { 'xserr' : xsconstants.XSERR_SUCCESS, + 'errors': errors } ) else: raise SecurityError(-xsconstants.XSERR_POLICY_TYPE_UNSUPPORTED) return polstate diff -r e39acea851f4 -r 10cfcbef68ee tools/python/xen/xend/XendXSPolicyAdmin.py --- a/tools/python/xen/xend/XendXSPolicyAdmin.py Tue Oct 06 10:11:14 2009 +0100 +++ b/tools/python/xen/xend/XendXSPolicyAdmin.py Tue Oct 06 10:11:53 2009 +0100 @@ -75,11 +75,12 @@ class XSPolicyAdmin: def isXSEnabled(self): """ Check whether 'security' is enabled on this system. - This currently only checks for ACM-enablement. """ rc = 0 if security.on() == xsconstants.XS_POLICY_ACM: rc |= xsconstants.XS_POLICY_ACM + else: + rc |= xsconstants.XS_POLICY_FLASK return rc def add_acmpolicy_to_system(self, xmltext, flags, overwrite): diff -r e39acea851f4 -r 10cfcbef68ee tools/python/xen/xm/setpolicy.py --- a/tools/python/xen/xm/setpolicy.py Tue Oct 06 10:11:14 2009 +0100 +++ b/tools/python/xen/xm/setpolicy.py Tue Oct 06 10:11:53 2009 +0100 @@ -43,8 +43,9 @@ def help(): Set the policy managed by xend. - The only policytype that is currently supported is 'ACM'. + Only 'ACM' and 'FLASK' are supported as valid policytype parameters. + ACM: The filename of the policy is the policy name plus the suffic '-security_policy.xml'. The location of the policy file is either the the current directory or '/etc/xen/acm-security/policies'. @@ -93,60 +94,68 @@ def setpolicy(policytype, policy_name, f if os.path.exists(policy_file): break - try: - f = open(policy_file,"r") - xml = f.read() - f.close() - except: - raise OptionError("Could not read policy file from current" - " directory or '%s'." % - install_policy_dir_prefix) + elif policytype.upper() == xsconstants.FLASK_POLICY_ID: + xs_type = xsconstants.XS_POLICY_FLASK + policy_file = policy_name - if xm_main.serverType == xm_main.SERVER_XEN_API: - if xs_type != int(server.xenapi.XSPolicy.get_xstype()): - raise security.XSMError("ACM policy type not supported.") - - try: - policystate = server.xenapi.XSPolicy.set_xspolicy(xs_type, - xml, - flags, - overwrite) - except Exception, e: - raise security.XSMError("An error occurred setting the " - "policy: %s" % str(e)) - xserr = int(policystate['xserr']) - if xserr != xsconstants.XSERR_SUCCESS: - txt = "An error occurred trying to set the policy: %s." % \ - xsconstants.xserr2string(abs(xserr)) - errors = policystate['errors'] - if len(errors) > 0: - txt += " " + build_hv_error_message(base64.b64decode(errors)) - raise security.XSMError(txt) - else: - print "Successfully set the new policy." - getpolicy(False) - else: - # Non-Xen-API call. - if xs_type != server.xend.security.get_xstype(): - raise security.XSMError("ACM policy type not supported.") - - rc, errors = server.xend.security.set_policy(xs_type, - xml, - flags, - overwrite) - if rc != xsconstants.XSERR_SUCCESS: - txt = "An error occurred trying to set the policy: %s." % \ - xsconstants.xserr2string(abs(rc)) - if len(errors) > 0: - txt += " " + build_hv_error_message( - base64.b64decode(errors)) - raise security.XSMError(txt) - else: - print "Successfully set the new policy." - getpolicy(False) else: raise OptionError("Unsupported policytype '%s'." % policytype) + try: + f = open(policy_file,"r") + policy = f.read() + f.close() + except: + raise OptionError("Could not read policy file: %s" % policy_file) + + + if xs_type == xsconstants.XS_POLICY_FLASK: + policy = base64.b64encode(policy) + + if xm_main.serverType == xm_main.SERVER_XEN_API: + if xs_type != int(server.xenapi.XSPolicy.get_xstype()): + raise security.XSMError("Policy type not supported.") + + try: + policystate = server.xenapi.XSPolicy.set_xspolicy(xs_type, + policy, + flags, + overwrite) + except Exception, e: + raise security.XSMError("An error occurred setting the " + "policy: %s" % str(e)) + xserr = int(policystate['xserr']) + if xserr != xsconstants.XSERR_SUCCESS: + txt = "An error occurred trying to set the policy: %s." % \ + xsconstants.xserr2string(abs(xserr)) + errors = policystate['errors'] + if len(errors) > 0: + txt += " " + build_hv_error_message(base64.b64decode(errors)) + raise security.XSMError(txt) + else: + print "Successfully set the new policy." + if xs_type == xsconstants.XS_POLICY_ACM: + getpolicy(False) + else: + # Non-Xen-API call. + if xs_type != server.xend.security.on(): + raise security.XSMError("Policy type not supported.") + + rc, errors = server.xend.security.set_policy(xs_type, + policy, + flags, + overwrite) + if rc != xsconstants.XSERR_SUCCESS: + txt = "An error occurred trying to set the policy: %s." % \ + xsconstants.xserr2string(abs(rc)) + if len(errors) > 0: + txt += " " + build_hv_error_message( + base64.b64decode(errors)) + raise security.XSMError(txt) + else: + print "Successfully set the new policy." + if xs_type == xsconstants.XS_POLICY_ACM: + getpolicy(False) def main(argv): if len(argv) < 3: _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-changelog
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |