[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen-unstable] xend: Updated setpolicy to support loading of flask policy



# HG changeset patch
# User Keir Fraser <keir.fraser@xxxxxxxxxx>
# Date 1254820313 -3600
# Node ID 10cfcbef68ee8ff7747e0150d93220c2b832cd08
# Parent  e39acea851f48598114a3c8ab90afc5a97b33952
xend: Updated setpolicy to support loading of flask policy

Updated xm setpolicy command to support the loading of flask security
policies.

Signed-off-by : Machon Gregory <mbgrego@xxxxxxxxxxxxxx>
Signed-off-by : George S. Coker, II <gscoker@xxxxxxxxxxxxxx>
---
 tools/python/xen/lowlevel/flask/flask.c    |   36 +++++++++
 tools/python/xen/util/xsconstants.py       |    1 
 tools/python/xen/util/xsm/acm/acm.py       |    1 
 tools/python/xen/util/xsm/flask/flask.py   |   11 ++
 tools/python/xen/xend/XendXSPolicy.py      |   12 ++-
 tools/python/xen/xend/XendXSPolicyAdmin.py |    3 
 tools/python/xen/xm/setpolicy.py           |  111 +++++++++++++++--------------
 7 files changed, 120 insertions(+), 55 deletions(-)

diff -r e39acea851f4 -r 10cfcbef68ee tools/python/xen/lowlevel/flask/flask.c
--- a/tools/python/xen/lowlevel/flask/flask.c   Tue Oct 06 10:11:14 2009 +0100
+++ b/tools/python/xen/lowlevel/flask/flask.c   Tue Oct 06 10:11:53 2009 +0100
@@ -106,6 +106,35 @@ static PyObject *pyflask_sid_to_context(
     return Py_BuildValue("s", ctx, ctx_len);
 }
 
+static PyObject *pyflask_load(PyObject *self, PyObject *args, PyObject *kwds)
+{
+    int xc_handle;
+    char *policy;
+    uint32_t len;
+    int ret;
+
+    static char *kwd_list[] = { "policy", NULL };
+  
+    if( !PyArg_ParseTupleAndKeywords(args, kwds, "s#", kwd_list, &policy, 
&len) )
+        return NULL;
+
+    xc_handle = xc_interface_open();
+    if (xc_handle < 0) {
+        errno = xc_handle;
+        return PyErr_SetFromErrno(xc_error_obj);
+    }
+
+    ret = flask_load(xc_handle, policy, len);
+
+    xc_interface_close(xc_handle);
+
+    if ( ret != 0 ) {
+        errno = -ret;
+        return PyErr_SetFromErrno(xc_error_obj);
+    }
+
+    return Py_BuildValue("i", ret);
+}
 
 static PyMethodDef pyflask_methods[] = {
     { "flask_context_to_sid",
@@ -122,6 +151,13 @@ static PyMethodDef pyflask_methods[] = {
       " context [int]: SID to be converted\n"
       "Returns: [str]: Numeric SID on success; -1 on error.\n" },
 
+    { "flask_load",
+      (PyCFunction)pyflask_load,
+      METH_KEYWORDS, "\n"
+      "Loads a policy into the hypervisor.\n"
+      " policy [str]: policy to be load\n"
+      "Returns: [int]: 0 on success; -1 on failure.\n" }, 
+      
     { NULL, NULL, 0, NULL }
 };
 
diff -r e39acea851f4 -r 10cfcbef68ee tools/python/xen/util/xsconstants.py
--- a/tools/python/xen/util/xsconstants.py      Tue Oct 06 10:11:14 2009 +0100
+++ b/tools/python/xen/util/xsconstants.py      Tue Oct 06 10:11:53 2009 +0100
@@ -106,6 +106,7 @@ def xserr2string(err):
 
 # Policy identifiers used in labels
 ACM_POLICY_ID = 'ACM'
+FLASK_POLICY_ID = 'FLASK'
 
 INVALID_POLICY_PREFIX = 'INV_'
 
diff -r e39acea851f4 -r 10cfcbef68ee tools/python/xen/util/xsm/acm/acm.py
--- a/tools/python/xen/util/xsm/acm/acm.py      Tue Oct 06 10:11:14 2009 +0100
+++ b/tools/python/xen/util/xsm/acm/acm.py      Tue Oct 06 10:11:53 2009 +0100
@@ -82,6 +82,7 @@ log = logging.getLogger("xend.util.secur
 
 #Functions exported through XML-RPC
 xmlrpc_exports = [
+  'on',
   'set_resource_label',
   'get_resource_label',
   'list_labels',
diff -r e39acea851f4 -r 10cfcbef68ee tools/python/xen/util/xsm/flask/flask.py
--- a/tools/python/xen/util/xsm/flask/flask.py  Tue Oct 06 10:11:14 2009 +0100
+++ b/tools/python/xen/util/xsm/flask/flask.py  Tue Oct 06 10:11:53 2009 +0100
@@ -1,10 +1,15 @@ import sys
 import sys
+import base64
 from xen.lowlevel import flask
 from xen.util import xsconstants
 from xen.xend import sxp
 
 #Functions exported through XML-RPC
-xmlrpc_exports = [ ]
+xmlrpc_exports = [
+  'on',
+  'set_policy'
+]
+
 
 def err(msg):
     """Raise XSM-Flask exception.
@@ -47,3 +52,7 @@ def get_security_label(self, xspol=None)
 def get_security_label(self, xspol=None):
     label = self.info['security_label']
     return label
+
+def set_policy(xs_type, policy_b64, flags=None, overwrite=None):
+    policy = base64.b64decode(policy_b64);
+    return flask.flask_load(policy), ""
diff -r e39acea851f4 -r 10cfcbef68ee tools/python/xen/xend/XendXSPolicy.py
--- a/tools/python/xen/xend/XendXSPolicy.py     Tue Oct 06 10:11:14 2009 +0100
+++ b/tools/python/xen/xend/XendXSPolicy.py     Tue Oct 06 10:11:53 2009 +0100
@@ -73,7 +73,7 @@ class XendXSPolicy(XendBase):
     def get_xstype(self):
         return XSPolicyAdminInstance().isXSEnabled()
 
-    def set_xspolicy(self, xstype, xml, flags, overwrite):
+    def set_xspolicy(self, xstype, policy, flags, overwrite):
         ref = ""
         xstype = int(xstype)
         flags  = int(flags)
@@ -84,7 +84,7 @@ class XendXSPolicy(XendBase):
             poladmin = XSPolicyAdminInstance()
             try:
                 (xspol, rc, errors) = poladmin.add_acmpolicy_to_system(
-                                                                   xml, flags,
+                                                                   policy, 
flags,
                                                                    overwrite)
                 if rc != 0:
                     polstate.update( { 'xserr' : rc,
@@ -102,6 +102,14 @@ class XendXSPolicy(XendBase):
                     }
             except Exception, e:
                 raise
+        elif xstype == xsconstants.XS_POLICY_FLASK:
+            rc, errors = security.set_policy(xstype, policy);
+            if rc != 0:
+                polstate.update( { 'xserr' : 
-xsconstants.XSERR_POLICY_LOAD_FAILED,
+                                   'errors': errors } )
+            else:
+                polstate.update( { 'xserr' : xsconstants.XSERR_SUCCESS,
+                                   'errors': errors } )
         else:
             raise SecurityError(-xsconstants.XSERR_POLICY_TYPE_UNSUPPORTED)
         return polstate
diff -r e39acea851f4 -r 10cfcbef68ee tools/python/xen/xend/XendXSPolicyAdmin.py
--- a/tools/python/xen/xend/XendXSPolicyAdmin.py        Tue Oct 06 10:11:14 
2009 +0100
+++ b/tools/python/xen/xend/XendXSPolicyAdmin.py        Tue Oct 06 10:11:53 
2009 +0100
@@ -75,11 +75,12 @@ class XSPolicyAdmin:
 
     def isXSEnabled(self):
         """ Check whether 'security' is enabled on this system.
-            This currently only checks for ACM-enablement.
         """
         rc = 0
         if security.on() == xsconstants.XS_POLICY_ACM:
             rc |= xsconstants.XS_POLICY_ACM
+       else:
+            rc |= xsconstants.XS_POLICY_FLASK
         return rc
 
     def add_acmpolicy_to_system(self, xmltext, flags, overwrite):
diff -r e39acea851f4 -r 10cfcbef68ee tools/python/xen/xm/setpolicy.py
--- a/tools/python/xen/xm/setpolicy.py  Tue Oct 06 10:11:14 2009 +0100
+++ b/tools/python/xen/xm/setpolicy.py  Tue Oct 06 10:11:53 2009 +0100
@@ -43,8 +43,9 @@ def help():
 
     Set the policy managed by xend.
 
-    The only policytype that is currently supported is 'ACM'.
+    Only 'ACM' and 'FLASK' are supported as valid policytype parameters.
 
+    ACM:
     The filename of the policy is the policy name plus the suffic
     '-security_policy.xml'. The location of the policy file is either
     the the current directory or '/etc/xen/acm-security/policies'.
@@ -93,60 +94,68 @@ def setpolicy(policytype, policy_name, f
             if os.path.exists(policy_file):
                 break
 
-        try:
-            f = open(policy_file,"r")
-            xml = f.read()
-            f.close()
-        except:
-            raise OptionError("Could not read policy file from current"
-                              " directory or '%s'." %
-                              install_policy_dir_prefix)
+    elif policytype.upper() == xsconstants.FLASK_POLICY_ID:
+        xs_type = xsconstants.XS_POLICY_FLASK
+        policy_file = policy_name
 
-        if xm_main.serverType == xm_main.SERVER_XEN_API:
-            if xs_type != int(server.xenapi.XSPolicy.get_xstype()):
-                raise security.XSMError("ACM policy type not supported.")
-
-            try:
-                policystate = server.xenapi.XSPolicy.set_xspolicy(xs_type,
-                                                                  xml,
-                                                                  flags,
-                                                                  overwrite)
-            except Exception, e:
-                raise security.XSMError("An error occurred setting the "
-                                        "policy: %s" % str(e))
-            xserr = int(policystate['xserr'])
-            if xserr != xsconstants.XSERR_SUCCESS:
-                txt = "An error occurred trying to set the policy: %s." % \
-                      xsconstants.xserr2string(abs(xserr))
-                errors = policystate['errors']
-                if len(errors) > 0:
-                    txt += " " + 
build_hv_error_message(base64.b64decode(errors))
-                raise security.XSMError(txt)
-            else:
-                print "Successfully set the new policy."
-                getpolicy(False)
-        else:
-            # Non-Xen-API call.
-            if xs_type != server.xend.security.get_xstype():
-                raise security.XSMError("ACM policy type not supported.")
-
-            rc, errors = server.xend.security.set_policy(xs_type,
-                                                         xml,
-                                                         flags,
-                                                         overwrite)
-            if rc != xsconstants.XSERR_SUCCESS:
-                txt = "An error occurred trying to set the policy: %s." % \
-                      xsconstants.xserr2string(abs(rc))
-                if len(errors) > 0:
-                    txt += " " + build_hv_error_message(
-                                       base64.b64decode(errors))
-                raise security.XSMError(txt)
-            else:
-                print "Successfully set the new policy."
-                getpolicy(False)
     else:
         raise OptionError("Unsupported policytype '%s'." % policytype)
 
+    try:
+        f = open(policy_file,"r")
+        policy = f.read()
+        f.close()
+    except:
+        raise OptionError("Could not read policy file: %s" % policy_file)
+
+    
+    if xs_type == xsconstants.XS_POLICY_FLASK:
+        policy = base64.b64encode(policy)
+
+    if xm_main.serverType == xm_main.SERVER_XEN_API:
+        if xs_type != int(server.xenapi.XSPolicy.get_xstype()):
+            raise security.XSMError("Policy type not supported.")
+
+        try:
+            policystate = server.xenapi.XSPolicy.set_xspolicy(xs_type,
+                                                              policy,
+                                                              flags,
+                                                              overwrite)
+        except Exception, e:
+            raise security.XSMError("An error occurred setting the "
+                                    "policy: %s" % str(e))
+        xserr = int(policystate['xserr'])
+        if xserr != xsconstants.XSERR_SUCCESS:
+            txt = "An error occurred trying to set the policy: %s." % \
+                   xsconstants.xserr2string(abs(xserr))
+            errors = policystate['errors']
+            if len(errors) > 0:
+                txt += " " + build_hv_error_message(base64.b64decode(errors))
+            raise security.XSMError(txt)
+        else:
+            print "Successfully set the new policy."
+            if xs_type == xsconstants.XS_POLICY_ACM:
+                getpolicy(False)
+    else:
+        # Non-Xen-API call.
+        if xs_type != server.xend.security.on():
+            raise security.XSMError("Policy type not supported.")
+
+        rc, errors = server.xend.security.set_policy(xs_type,
+                                                     policy,
+                                                     flags,
+                                                     overwrite)
+        if rc != xsconstants.XSERR_SUCCESS:
+            txt = "An error occurred trying to set the policy: %s." % \
+                   xsconstants.xserr2string(abs(rc))
+            if len(errors) > 0:
+                txt += " " + build_hv_error_message(
+                       base64.b64decode(errors))
+            raise security.XSMError(txt)
+        else:
+            print "Successfully set the new policy."
+            if xs_type == xsconstants.XS_POLICY_ACM:
+                getpolicy(False)
 
 def main(argv):
     if len(argv) < 3:

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.