}
+State information about the policy. In case an error occurred, the 'xs\_err'
+field contains the error code. The 'errors' may contain further information
+about the error.
+ \vspace{0.3cm}
+\vspace{0.3cm}
+\vspace{0.3cm}
+\subsubsection{RPC name:~reset\_xspolicy}
+
+{\bf Overview:}
+Attempt to reset the system's policy by installing the default policy.
+Since this function is implemented as an update to the current policy, it
+underlies the same restrictions. This function may fail if for example
+other domains than Domain-0 are running and use a different label than
+Domain-0
+
+\noindent {\bf Signature:}
+\begin{verbatim} xs_policystate reset_xspolicy (session_id s, xs_type type)
+\end{verbatim}
+
+\noindent{\bf Arguments:}
+
+\vspace{0.3cm}
+
+\begin{tabular}{|c|c|p{7cm}|}
+ \hline
+{\bf type} & {\bf name} & {\bf description} \\ \hline
+{\tt xs\_type } & type & the type of policy \\ \hline
+
+\end{tabular}
+
+\vspace{0.3cm}
+
+
+ \noindent {\bf Return Type:}
+{\tt
+xs\_policystate
+}
+
+
State information about the policy. In case an error occurred, the 'xs\_err'
field contains the error code. The 'errors' may contain further information
about the error.
bool overwrite);
+
+/**
+ * Attempt to reset the system's policy to the DEFAULT policy for the
+ * respective policy type. This is done by updating the system and therefore
+ * underlies the same restrictions of a policy update. This operation may
+ * for example fail if other domains than Domain-0 are running and have
+ * different labels than Domain-0.
+ */
+bool
+xen_xspolicy_reset_xspolicy(xen_session *session, xen_xs_policystate **result,
+ xs_type type);
+
+
/**
* Remove any policy from having the system booted with.
*/
}
+bool
+xen_xspolicy_reset_xspolicy(xen_session *session, xen_xs_policystate **result,
+ xs_type type)
+{
+ abstract_value param_values[] =
+ {
+ { .type = &abstract_type_int,
+ .u.int_val = type },
+ };
+
+ abstract_type result_type = xen_xs_policystate_abstract_type_;
+
+ *result = NULL;
+ XEN_CALL_("XSPolicy.reset_xspolicy");
+ return session->ok;
+}
+
+
bool
xen_xspolicy_get_xspolicy(xen_session *session, xen_xs_policystate **result)
{
" <SecurityLabelTemplate>\n" +\
" <SubjectLabels bootstrap=\"SystemManagement\">\n" +\
" <VirtualMachineLabel>\n" +\
-" <Name>SystemManagement</Name>\n" +\
+" <Name%s>SystemManagement</Name>\n" +\
" <SimpleTypeEnforcementTypes>\n" +\
" <Type>SystemManagement</Type>\n" +\
" </SimpleTypeEnforcementTypes>\n" +\
"</SecurityPolicyDefinition>\n"
-def get_DEFAULT_policy():
- return DEFAULT_policy
+def get_DEFAULT_policy(dom0label=""):
+ fromnode = ""
+ if dom0label != "":
+ fromnode = " from=\"%s\"" % dom0label
+ return DEFAULT_policy % fromnode
def initialize():
xoptions = XendOptions.instance()
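Review bot: The `from` attribute in get_DEFAULT_policy is built by plain string interpolation (`" from=\"%s\"" % dom0label`), so a label value containing a double quote or `<`/`&` would produce malformed or attribute-breaking XML rather than a quoted value. Label names presumably pass the policy's own validation when a policy is loaded, but escaping at the point of emission is cheap: `fromnode = " from=%s" % saxutils.quoteattr(dom0label)` with `from xml.sax import saxutils` added at the top of the file. Note also that the template itself is now `%`-formatted, so any literal `%` elsewhere in DEFAULT_policy (whose start lies outside this hunk) would have to be doubled.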
force_default_policy = classmethod(force_default_policy)
+ def get_reset_policy_xml(klass):
+ dom0_label = security.get_ssid(0)[1]
+ return get_DEFAULT_policy(dom0_label)
+
+ get_reset_policy_xml = classmethod(get_reset_policy_xml)
+
def __do_update_version_check(self, acmpol_new):
acmpol_old = self
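Review bot: get_reset_policy_xml has no docstring, and its effect is not obvious from the two lines. I would add `"""Return the DEFAULT policy XML with Domain-0's current label name carried over as the 'from' attribute of the SystemManagement label."""`, which is what `security.get_ssid(0)[1]` feeding get_DEFAULT_policy amounts to. Whether `get_ssid(0)` can return a tuple without a usable label when no policy is active is not visible here; if it can, the index on `[1]` deserves a comment or a guard.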
'list_labels',
'get_labeled_resources',
'set_policy',
+ 'reset_policy',
'get_policy',
'activate_policy',
'rm_bootpolicy',
err(str(e))
+def reset_policy():
+ """
+ Xend exports this function via XML-RPC
+ """
+ from xen.xend import XendXSPolicyAdmin
+ xspoladmin = XendXSPolicyAdmin.XSPolicyAdminInstance()
+ try:
+ acmpol, rc, errors = \
+ xspoladmin.reset_acmpolicy()
+ return rc, base64.b64encode(errors)
+ except Exception, e:
+ err(str(e))
+
+
def get_policy():
"""
Xend exports this function via XML-RPC
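Review bot: In reset_policy the first element of the returned triple is bound to `acmpol` and never used; `_, rc, errors = xspoladmin.reset_acmpolicy()` says so explicitly and keeps the line on one row. The docstring only repeats the boilerplate of its siblings; a second sentence such as `Returns (rc, base64-encoded error text).` would tell an RPC client what to decode, since the base64 encoding is not visible from the other end.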
'list_labels',
'get_labeled_resources',
'set_policy',
+ 'reset_policy',
'get_policy',
'activate_policy',
'rm_bootpolicy',
def set_policy(xs_type, xml, flags, overwrite):
err("Command not supported under xsm 'dummy' module.")
+def reset_policy():
+ err("Command not supported under xsm 'dummy' module.")
+
def get_policy():
return "", 0
def getFuncs(self):
funcs = [ 'get_xstype',
'set_xspolicy',
+ 'reset_xspolicy',
'get_xspolicy',
'rm_xsbootpolicy',
'get_resource_label',
raise SecurityError(-xsconstants.XSERR_POLICY_TYPE_UNSUPPORTED)
return polstate
+
+ def reset_xspolicy(self, xstype):
+ xstype = int(xstype)
+ polstate = { 'xs_ref': "", 'repr' : "", 'type' : 0,
+ 'flags' : 0 , 'version': 0 , 'errors' : "", 'xserr' : 0 }
+ if xstype == xsconstants.XS_POLICY_ACM:
+ poladmin = XSPolicyAdminInstance()
+ try:
+ (xspol, rc, errors) = poladmin.reset_acmpolicy()
+ if rc != 0:
+ polstate.update( { 'xserr' : rc,
+ 'errors': base64.b64encode(errors) } )
+ else:
+ ref = xspol.get_ref()
+ polstate = {
+ 'xs_ref' : ref,
+ 'flags' : poladmin.get_policy_flags(xspol),
+ 'type' : xstype,
+ 'repr' : "",
+ 'version': xspol.get_version(),
+ 'errors' : base64.b64encode(errors),
+ 'xserr' : rc,
+ }
+ except Exception, e:
+ raise
+ else:
+ raise SecurityError(-xsconstants.XSERR_POLICY_TYPE_UNSUPPORTED)
+ return polstate
+
+
def activate_xspolicy(self, flags):
flags = int(flags)
rc = -xsconstants.XSERR_GENERAL_FAILURE
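Review bot: The `try:` / `except Exception, e: raise` around the ACM branch of reset_xspolicy is a no-op re-raise that only adds nesting; either drop the wrapper or turn it into the `raise SecurityError(...)` form the unsupported-type branch uses, so XenAPI callers see one exception type. Separately, the error path leaves `'type': 0` in the initial `polstate` while the success path reports `xstype`; initialising the dict with `'type' : xstype` lets a caller tell which policy type the `xserr` refers to. `int(xstype)` on a non-numeric argument raises ValueError before any of this runs, presumably matching set_xspolicy, whose body is outside the hunk.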
get_xstype = classmethod(get_xstype)
get_xspolicy = classmethod(get_xspolicy)
set_xspolicy = classmethod(set_xspolicy)
+ reset_xspolicy = classmethod(reset_xspolicy)
rm_xsbootpolicy = classmethod(rm_xsbootpolicy)
set_resource_label = classmethod(set_resource_label)
get_resource_label = classmethod(get_resource_label)
self.xsobjs[ref] = acmpol
return (acmpol, xsconstants.XSERR_SUCCESS, errors)
+
+ def reset_acmpolicy(self):
+ """
+ Attempt to reset the system's policy by udating it with
+ the DEFAULT policy.
+ """
+ from xen.xend import XendDomain
+ domains = XendDomain.instance()
+ try:
+ domains.domains_lock.acquire()
+ xml = ACMPolicy.get_reset_policy_xml()
+ flags = xsconstants.XS_INST_BOOT | xsconstants.XS_INST_LOAD
+ return self.__add_acmpolicy_to_system(xml, flags, True)
+ finally:
+ domains.domains_lock.release()
+
+
def make_boot_policy(self, acmpol):
if acmpol.is_default_policy():
return xsconstants.XSERR_SUCCESS
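Review bot: reset_acmpolicy acquires `domains_lock` inside the `try:`, so if `acquire()` ever raised, the `finally:` would call `release()` on a lock this thread does not hold. The conventional shape is `domains.domains_lock.acquire()` on its own line followed by `try:`; the body and `finally:` stay as they are. The docstring has a typo (`udating` → `updating`) and could state the return value, presumably the `(acmpol, rc, errors)` triple that `__add_acmpolicy_to_system` returns, as the context lines just above this hunk suggest.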
from xen.util import xsconstants
from xen.util.acmpolicy import ACMPolicy
-DOM0_UUID = "00000000-0000-0000-0000-000000000000"
-
-DEFAULT_policy_template = \
-"<?xml version=\"1.0\" ?>" +\
-"<SecurityPolicyDefinition xmlns=\"http://www.ibm.com\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:schemaLocation=\"http://www.ibm.com ../../security_policy.xsd\">" +\
-" <PolicyHeader>" +\
-" <PolicyName>DEFAULT</PolicyName>" +\
-" <Version>1.0</Version>" +\
-" </PolicyHeader>" +\
-" <SimpleTypeEnforcement>" +\
-" <SimpleTypeEnforcementTypes>" +\
-" <Type>SystemManagement</Type>" +\
-" </SimpleTypeEnforcementTypes>" +\
-" </SimpleTypeEnforcement>" +\
-" <ChineseWall>" +\
-" <ChineseWallTypes>" +\
-" <Type>SystemManagement</Type>" +\
-" </ChineseWallTypes>" +\
-" </ChineseWall>" +\
-" <SecurityLabelTemplate>" +\
-" <SubjectLabels bootstrap=\"SystemManagement\">" +\
-" <VirtualMachineLabel>" +\
-" <Name%s>SystemManagement</Name>" +\
-" <SimpleTypeEnforcementTypes>" +\
-" <Type>SystemManagement</Type>" +\
-" </SimpleTypeEnforcementTypes>" +\
-" <ChineseWallTypes>" +\
-" <Type/>" +\
-" </ChineseWallTypes>" +\
-" </VirtualMachineLabel>" +\
-" </SubjectLabels>" +\
-" </SecurityLabelTemplate>" +\
-"</SecurityPolicyDefinition>"
-
def help():
return """
since otherwise this operation will fail.
"""
-def get_reset_policy_xml(dom0_seclab):
- if dom0_seclab == "":
- return DEFAULT_policy_template % ""
- else:
- poltyp, policy, label = dom0_seclab.split(":")
- if label != "SystemManagement":
- return DEFAULT_policy_template % \
- (" from=\"%s\"" % label)
- else:
- return DEFAULT_policy_template % ""
def resetpolicy():
msg = None
not acmpol.is_default_policy():
msg = "Old policy not found in bootloader file."
- seclab = server.xenapi.VM.get_security_label(DOM0_UUID)
- xml = get_reset_policy_xml(seclab)
try:
- policystate = server.xenapi.XSPolicy.set_xspolicy(xs_type,
- xml,
- flags,
- True)
+ policystate = server.xenapi.XSPolicy.reset_xspolicy(xs_type)
except Exception, e:
raise security.XSMError("An error occurred resetting the "
"policy: %s" % str(e))
not acmpol.is_default_policy():
msg = "Old policy not found in bootloader file."
- seclab = server.xend.security.get_domain_label(0)
- if seclab[0] == '\'':
- seclab = seclab[1:]
- xml = get_reset_policy_xml(seclab)
- rc, errors = server.xend.security.set_policy(xs_type,
- xml,
- flags,
- True)
+ rc, errors = server.xend.security.reset_policy()
if rc != xsconstants.XSERR_SUCCESS:
raise security.XSMError("Could not reset the system's policy. "
"Try to halt all guests.")
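Review bot: The `errors` value returned by `server.xend.security.reset_policy()` is unpacked but not used in the failure message, so the server-side detail (base64-encoded on the xend side) is lost and the user only sees the generic "Try to halt all guests." hint. If `errors` is not consumed further down, include it: `"Could not reset the system's policy: %s. " "Try to halt all guests." % base64.b64decode(errors)` (with `base64` imported in this module). Under the xsm 'dummy' module reset_policy calls `err()` and returns nothing; that is only safe if `err()` always raises, which is not visible here.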