return Py_BuildValue("s", ctx, ctx_len);
}
+static PyObject *pyflask_load(PyObject *self, PyObject *args, PyObject *kwds)
+{
+ int xc_handle;
+ char *policy;
+ uint32_t len;
+ int ret;
+
+ static char *kwd_list[] = { "policy", NULL };
+
+ if( !PyArg_ParseTupleAndKeywords(args, kwds, "s#", kwd_list, &policy, &len) )
+ return NULL;
+
+ xc_handle = xc_interface_open();
+ if (xc_handle < 0) {
+ errno = xc_handle;
+ return PyErr_SetFromErrno(xc_error_obj);
+ }
+
+ ret = flask_load(xc_handle, policy, len);
+
+ xc_interface_close(xc_handle);
+
+ if ( ret != 0 ) {
+ errno = -ret;
+ return PyErr_SetFromErrno(xc_error_obj);
+ }
+
+ return Py_BuildValue("i", ret);
+}
static PyMethodDef pyflask_methods[] = {
{ "flask_context_to_sid",
" context [int]: SID to be converted\n"
"Returns: [str]: Numeric SID on success; -1 on error.\n" },
+ { "flask_load",
+ (PyCFunction)pyflask_load,
+ METH_KEYWORDS, "\n"
+ "Loads a policy into the hypervisor.\n"
+ " policy [str]: policy to be load\n"
+ "Returns: [int]: 0 on success; -1 on failure.\n" },
+
{ NULL, NULL, 0, NULL }
};
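Review bot: `uint32_t len` on line L7 does not match what the `s#` format on line L12 writes through `&len` — an `int`, or a `Py_ssize_t` when `PY_SSIZE_T_CLEAN` is defined before Python.h (not visible here) — so the width or signedness of the stored length can differ from the declared variable; declare `int len;` (or `Py_ssize_t len;` under PY_SSIZE_T_CLEAN) and pass it to flask_load with an explicit conversion. The method-table help text on lines L40–L41 is also inaccurate: the failure path on L25–L27 sets errno from `-ret` and raises via PyErr_SetFromErrno rather than returning -1, so it should read `" policy [str]: policy to be loaded\n"` and `"Returns: [int]: 0 on success; raises the module's xc error on failure.\n"`. Whether this unit begins at L1 cannot be told from the rendering, which shows no hunk header.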
def get_xstype(self):
return XSPolicyAdminInstance().isXSEnabled()
- def set_xspolicy(self, xstype, xml, flags, overwrite):
+ def set_xspolicy(self, xstype, policy, flags, overwrite):
ref = ""
xstype = int(xstype)
flags = int(flags)
poladmin = XSPolicyAdminInstance()
try:
(xspol, rc, errors) = poladmin.add_acmpolicy_to_system(
- xml, flags,
+ policy, flags,
overwrite)
if rc != 0:
polstate.update( { 'xserr' : rc,
}
except Exception, e:
raise
+ elif xstype == xsconstants.XS_POLICY_FLASK:
+ rc, errors = security.set_policy(xstype, policy);
+ if rc != 0:
+ polstate.update( { 'xserr' : -xsconstants.XSERR_POLICY_LOAD_FAILED,
+ 'errors': errors } )
+ else:
+ polstate.update( { 'xserr' : xsconstants.XSERR_SUCCESS,
+ 'errors': errors } )
else:
raise SecurityError(-xsconstants.XSERR_POLICY_TYPE_UNSUPPORTED)
return polstate
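Review bot: The FLASK branch on line L64–L66 discards the hypervisor's return code: `rc` is only tested for non-zero and `polstate['xserr']` is always set to `-xsconstants.XSERR_POLICY_LOAD_FAILED`, so a caller cannot tell a permission failure from a malformed policy; if `rc` is not itself an XSERR code, at least carry it into `errors` so it reaches the xm error message. The trailing `;` on `rc, errors = security.set_policy(xstype, policy);` is a style slip. The xm client decodes `errors` with `base64.b64decode` before printing, so `security.set_policy` must return it base64-encoded — that cannot be confirmed from this hunk, nor can the initialisation of `polstate`, since `set_xspolicy` begins before the visible lines and the ACM branch's `polstate.update` call is cut at L59–L60.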
Set the policy managed by xend.
- The only policytype that is currently supported is 'ACM'.
+ Only 'ACM' and 'FLASK' are supported as valid policytype parameters.
+ ACM:
The filename of the policy is the policy name plus the suffic
'-security_policy.xml'. The location of the policy file is either
the the current directory or '/etc/xen/acm-security/policies'.
if os.path.exists(policy_file):
break
+ elif policytype.upper() == xsconstants.FLASK_POLICY_ID:
+ xs_type = xsconstants.XS_POLICY_FLASK
+ policy_file = policy_name
+
+ else:
+ raise OptionError("Unsupported policytype '%s'." % policytype)
+
+ try:
+ f = open(policy_file,"r")
+ policy = f.read()
+ f.close()
+ except:
+ raise OptionError("Could not read policy file: %s" % policy_file)
+
+
+ if xs_type == xsconstants.XS_POLICY_FLASK:
+ policy = base64.b64encode(policy)
+
+ if xm_main.serverType == xm_main.SERVER_XEN_API:
+ if xs_type != int(server.xenapi.XSPolicy.get_xstype()):
+ raise security.XSMError("Policy type not supported.")
+
try:
- f = open(policy_file,"r")
- xml = f.read()
- f.close()
- except:
- raise OptionError("Could not read policy file from current"
- " directory or '%s'." %
- install_policy_dir_prefix)
-
- if xm_main.serverType == xm_main.SERVER_XEN_API:
- if xs_type != int(server.xenapi.XSPolicy.get_xstype()):
- raise security.XSMError("ACM policy type not supported.")
-
- try:
- policystate = server.xenapi.XSPolicy.set_xspolicy(xs_type,
- xml,
- flags,
- overwrite)
- except Exception, e:
- raise security.XSMError("An error occurred setting the "
- "policy: %s" % str(e))
- xserr = int(policystate['xserr'])
- if xserr != xsconstants.XSERR_SUCCESS:
- txt = "An error occurred trying to set the policy: %s." % \
- xsconstants.xserr2string(abs(xserr))
- errors = policystate['errors']
- if len(errors) > 0:
- txt += " " + build_hv_error_message(base64.b64decode(errors))
- raise security.XSMError(txt)
- else:
- print "Successfully set the new policy."
- getpolicy(False)
+ policystate = server.xenapi.XSPolicy.set_xspolicy(xs_type,
+ policy,
+ flags,
+ overwrite)
+ except Exception, e:
+ raise security.XSMError("An error occurred setting the "
+ "policy: %s" % str(e))
+ xserr = int(policystate['xserr'])
+ if xserr != xsconstants.XSERR_SUCCESS:
+ txt = "An error occurred trying to set the policy: %s." % \
+ xsconstants.xserr2string(abs(xserr))
+ errors = policystate['errors']
+ if len(errors) > 0:
+ txt += " " + build_hv_error_message(base64.b64decode(errors))
+ raise security.XSMError(txt)
else:
- # Non-Xen-API call.
- if xs_type != server.xend.security.get_xstype():
- raise security.XSMError("ACM policy type not supported.")
-
- rc, errors = server.xend.security.set_policy(xs_type,
- xml,
- flags,
- overwrite)
- if rc != xsconstants.XSERR_SUCCESS:
- txt = "An error occurred trying to set the policy: %s." % \
- xsconstants.xserr2string(abs(rc))
- if len(errors) > 0:
- txt += " " + build_hv_error_message(
- base64.b64decode(errors))
- raise security.XSMError(txt)
- else:
- print "Successfully set the new policy."
+ print "Successfully set the new policy."
+ if xs_type == xsconstants.XS_POLICY_ACM:
getpolicy(False)
else:
- raise OptionError("Unsupported policytype '%s'." % policytype)
-
+ # Non-Xen-API call.
+ if xs_type != server.xend.security.on():
+ raise security.XSMError("Policy type not supported.")
+
+ rc, errors = server.xend.security.set_policy(xs_type,
+ policy,
+ flags,
+ overwrite)
+ if rc != xsconstants.XSERR_SUCCESS:
+ txt = "An error occurred trying to set the policy: %s." % \
+ xsconstants.xserr2string(abs(rc))
+ if len(errors) > 0:
+ txt += " " + build_hv_error_message(
+ base64.b64decode(errors))
+ raise security.XSMError(txt)
+ else:
+ print "Successfully set the new policy."
+ if xs_type == xsconstants.XS_POLICY_ACM:
+ getpolicy(False)
def main(argv):
if len(argv) < 3:
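Review bot: The policy file is opened in text mode on line L91 (`f = open(policy_file,"r")`) even though the FLASK branch on L98–L99 then base64-encodes the contents as binary data; use `f = open(policy_file, "rb")` so a binary policy is read unchanged on every platform, and replace the bare `except:` on L94 with `except IOError, e:` so the message can include the underlying error (`"Could not read policy file %s: %s" % (policy_file, e)`). Line L177 swaps `server.xend.security.get_xstype()` for `server.xend.security.on()`; unless `on()` returns the same XS_POLICY_* constant that `xs_type` holds, the non-Xen-API path will always raise "Policy type not supported." — the definition of `on()` is not in this change, so this needs confirming. The docstring hunk at L76–L77 documents only the ACM filename convention while L85 sets `policy_file = policy_name` for FLASK; add a parallel entry such as `FLASK: the policy parameter is the path of the binary policy file to load.`.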