- #============================================================================
+#============================================================================
# This library is free software; you can redistribute it and/or
# modify it under the terms of version 2.1 of the GNU Lesser General Public
# License as published by the Free Software Foundation.
#============================================================================
import os
-import commands
-import struct
import stat
import array
+import struct
+import shutil
+import commands
from xml.dom import minidom, Node
from xen.xend.XendLogging import log
from xen.util import xsconstants, bootloader, mkdir
from xen.xend.XendError import SecurityError
import xen.util.xsm.acm.acm as security
from xen.util.xsm.xsm import XSMError
+from xen.xend import XendOptions
ACM_POLICIES_DIR = security.policy_dir_prefix + "/"
ACM_SSIDREF_IN_USE = 0x104
+DEFAULT_policy = \
+"<?xml version=\"1.0\" ?>\n" +\
+"<SecurityPolicyDefinition xmlns=\"http://www.ibm.com\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:schemaLocation=\"http://www.ibm.com ../../security_policy.xsd\">\n" +\
+" <PolicyHeader>\n" +\
+" <PolicyName>DEFAULT</PolicyName>\n" +\
+" <Version>1.0</Version>\n" +\
+" </PolicyHeader>\n" +\
+" <SimpleTypeEnforcement>\n" +\
+" <SimpleTypeEnforcementTypes>\n" +\
+" <Type>SystemManagement</Type>\n" +\
+" </SimpleTypeEnforcementTypes>\n" +\
+" </SimpleTypeEnforcement>\n" +\
+" <ChineseWall>\n" +\
+" <ChineseWallTypes>\n" +\
+" <Type>SystemManagement</Type>\n" +\
+" </ChineseWallTypes>\n" +\
+" </ChineseWall>\n" +\
+" <SecurityLabelTemplate>\n" +\
+" <SubjectLabels bootstrap=\"SystemManagement\">\n" +\
+" <VirtualMachineLabel>\n" +\
+" <Name>SystemManagement</Name>\n" +\
+" <SimpleTypeEnforcementTypes>\n" +\
+" <Type>SystemManagement</Type>\n" +\
+" </SimpleTypeEnforcementTypes>\n" +\
+" <ChineseWallTypes>\n" +\
+" <Type/>\n" +\
+" </ChineseWallTypes>\n" +\
+" </VirtualMachineLabel>\n" +\
+" </SubjectLabels>\n" +\
+" </SecurityLabelTemplate>\n" +\
+"</SecurityPolicyDefinition>\n"
+
+
+def get_DEFAULT_policy():
+ return DEFAULT_policy
+
+def initialize():
+ xoptions = XendOptions.instance()
+ basedir = xoptions.get_xend_security_path()
+ policiesdir = basedir + "/policies"
+ mkdir.parents(policiesdir, stat.S_IRWXU)
+
+ instdir = security.install_policy_dir_prefix
+ DEF_policy_file = "DEFAULT-security_policy.xml"
+ xsd_file = "security_policy.xsd"
+
+ files = [ xsd_file ]
+
+ for file in files:
+ if not os.path.isfile(policiesdir + "/" + file ):
+ try:
+ shutil.copyfile(instdir + "/" + file,
+ policiesdir + "/" + file)
+ except Exception, e:
+ log.info("could not copy '%s': %s" %
+ (file, str(e)))
+ #Install default policy.
+ f = open(policiesdir + "/" + DEF_policy_file, 'w')
+ if f:
+ f.write(get_DEFAULT_policy())
+ f.close()
+ else:
+ log.error("Could not write the default policy's file.")
+ defpol = ACMPolicy(xml=get_DEFAULT_policy())
+ defpol.compile()
+
+
class ACMPolicy(XSPolicy):
"""
ACMPolicy class. Implements methods for getting information from
rc = self.validate()
if rc != xsconstants.XSERR_SUCCESS:
raise SecurityError(rc)
- mkdir.parents(ACM_POLICIES_DIR, stat.S_IRWXU)
if ref:
from xen.xend.XendXSPolicy import XendACMPolicy
self.xendacmpolicy = XendACMPolicy(self, {}, ref)
minor = int(tmp[1])
return (major, minor)
+ def get_policies_path(self):
+ xoptions = XendOptions.instance()
+ basedir = xoptions.get_xend_security_path()
+ return basedir + "/policies/"
- def policy_path(self, name, prefix = ACM_POLICIES_DIR ):
+ def policy_path(self, name):
+ prefix = self.get_policies_path()
path = prefix + name.replace('.','/')
_path = path.split("/")
del _path[-1]
#
# Utility functions related to the policy's files
#
- def get_filename(self, postfix, prefix = ACM_POLICIES_DIR, dotted=False):
+ def get_filename(self, postfix, prefix=None, dotted=False):
"""
Create the filename for the policy. The prefix is prepended
to the path. If dotted is True, then a policy name like
'a.b.c' will remain as is, otherwise it will become 'a/b/c'
"""
+ if prefix == None:
+ prefix = self.get_policies_path()
name = self.get_name()
if name:
p = name.split(".")
def get_bin(self):
return self.__readfile(".bin")
+ def copy_policy_file(self, suffix, destdir):
+ spolfile = self.get_filename(suffix)
+ dpolfile = destdir + "/" + self.get_filename(suffix,"",dotted=True)
+ try:
+ shutil.copyfile(spolfile, dpolfile)
+ except Exception, e:
+ log.error("Could not copy policy file %s to %s: %s" %
+ (spolfile, dpolfile, str(e)))
+ return -xsconstants.XSERR_FILE_ERROR
+ return xsconstants.XSERR_SUCCESS
+
#
# DOM-related functions
#
if path:
f = open(path, 'w')
if f:
- f.write(self.toxml())
- f.close()
- rc = 0
+ try:
+ try:
+ f.write(self.toxml())
+ rc = 0
+ except:
+ pass
+ finally:
+ f.close()
return rc
def __write_to_file(self, suffix, data):
from xen.xend.XendConstants import *
#global directories and tools for security management
-security_dir_prefix = "/etc/xen/acm-security"
+install_policy_dir_prefix = "/etc/xen/acm-security/policies"
+security_dir_prefix = XendOptions.instance().get_xend_security_path()
policy_dir_prefix = security_dir_prefix + "/policies"
res_label_filename = policy_dir_prefix + "/resource_labels"
boot_filename = "/boot/grub/menu.lst"
maps current policy to default directory
to find mapping file """
- if policyname in ['NULL', 'INACTIVE', 'DEFAULT', 'INACCESSIBLE' ]:
+ if policyname in ['NULL', 'INACTIVE', 'INACCESSIBLE' ]:
err("Cannot translate labels for \'" + policyname + "\' policy.")
allowed_types = ['ANY']
except:
err("Cannot determine security information.")
- if active_policy in ["DEFAULT"]:
- label = "DEFAULT"
- else:
- label = ssidref2label(ssid_info["ssidref"])
+ label = ssidref2label(ssid_info["ssidref"])
+
return(ssid_info["policyreference"],
label,
ssid_info["policytype"],
"""Default xend QCoW storage repository location."""
xend_storage_path_default = '/var/lib/xend/storage'
+ """Default xend security state storage path."""
+ xend_security_path_default = '/var/lib/xend/security'
+
"""Default script to configure a backend network interface"""
vif_script = osdep.vif_script
"""
return self.get_config_string("xend-storage-path", self.xend_storage_path_default)
+ def get_xend_security_path(self):
+ """ Get the path for security state
+ """
+ return self.get_config_string("xend-security-path", self.xend_security_path_default)
+
def get_network_script(self):
"""@return the script used to alter the network configuration when
Xend starts and stops, or None if no such script is specified."""
from xen.xend.XendLogging import log
from xen.xend import uuid
-from xen.util import xsconstants, dictio, bootloader
+from xen.util import xsconstants, bootloader
import xen.util.xsm.acm.acm as security
from xen.util.xspolicy import XSPolicy
-from xen.util.acmpolicy import ACMPolicy
+from xen.util.acmpolicy import ACMPolicy, initialize
from xen.xend.XendError import SecurityError
self.xsobjs = {}
act_pol_name = self.get_hv_loaded_policy_name()
+ initialize()
ref = uuid.createString()
try:
log.debug("XSPolicyAdmin: Known policies: %s" % self.policies)
+
def isXSEnabled(self):
""" Check whether 'security' is enabled on this system.
This currently only checks for ACM-enablement.
# This is meant as an update to a currently loaded policy
if flags & xsconstants.XS_INST_LOAD == 0:
raise SecurityError(-xsconstants.XSERR_POLICY_LOADED)
- if flags & xsconstants.XS_INST_BOOT == 0:
- self.rm_bootpolicy()
+
+ # Remember old flags, so they can be restored if update fails
+ old_flags = self.get_policy_flags(loadedpol)
+
+ # Remove policy from bootloader in case of new name of policy
+ self.rm_bootpolicy()
+
rc, errors = loadedpol.update(xmltext)
if rc == 0:
irc = self.activate_xspolicy(loadedpol, flags)
# policy is loaded; if setting the boot flag fails it's ok.
+ else:
+ old_flags = old_flags & xsconstants.XS_INST_BOOT
+ log.info("OLD FLAGS TO RESTORE: %s" % str(old_flags))
+ if old_flags != 0:
+ self.activate_xspolicy(loadedpol, xsconstants.XS_INST_BOOT)
+
return (loadedpol, rc, errors)
try:
return (acmpol, xsconstants.XSERR_SUCCESS, errors)
def make_boot_policy(self, acmpol):
- spolfile = acmpol.get_filename(".bin")
- dpolfile = "/boot/" + acmpol.get_filename(".bin","",dotted=True)
- if not os.path.isfile(spolfile):
- log.error("binary policy file does not exist.")
- return -xsconstants.XSERR_FILE_ERROR
- try:
- shutil.copyfile(spolfile, dpolfile)
- except:
- return -xsconstants.XSERR_FILE_ERROR
+ if acmpol.is_default_policy():
+ return xsconstants.XSERR_SUCCESS
+ rc = acmpol.copy_policy_file(".bin","/boot")
+ if rc != xsconstants.XSERR_SUCCESS:
+ return rc
try:
filename = acmpol.get_filename(".bin","",dotted=True)
flags = 0
filename = acmpol.get_filename(".bin","", dotted=True)
- if bootloader.loads_default_policy(filename):
+ if bootloader.loads_default_policy(filename) or \
+ acmpol.is_default_policy():
flags |= xsconstants.XS_INST_BOOT
if acmpol.isloaded():
import struct
import xen.util.xsm.xsm as security
from xen.util import xsconstants
+from xen.util.xsm.acm.acm import install_policy_dir_prefix
from xen.util.acmpolicy import ACMPolicy, \
ACM_EVTCHN_SHARING_VIOLATION,\
ACM_GNTTAB_SHARING_VIOLATION, \
ACM_CHWALL_CONFLICT, \
ACM_SSIDREF_IN_USE
from xen.xm.opts import OptionError
-from xen.util.xsm.acm.acm import policy_dir_prefix
from xen.xm import main as xm_main
from xen.xm.getpolicy import getpolicy
from xen.xm.main import server
if policytype.upper() == xsconstants.ACM_POLICY_ID:
xs_type = xsconstants.XS_POLICY_ACM
- for prefix in [ './', policy_dir_prefix+"/" ]:
+ for prefix in [ './', install_policy_dir_prefix+"/" ]:
policy_file = prefix + "/".join(policy_name.split(".")) + \
"-security_policy.xml"
f.close()
except:
raise OptionError("Could not read policy file from current"
- " directory or '%s'." % policy_dir_prefix)
+ " directory or '%s'." %
+ install_policy_dir_prefix)
if xm_main.serverType == xm_main.SERVER_XEN_API:
+ if xs_type != int(server.xenapi.XSPolicy.get_xstype()):
+ raise security.XSMError("ACM policy type not supported.")
try:
policystate = server.xenapi.XSPolicy.set_xspolicy(xs_type,
getpolicy(False)
else:
# Non-Xen-API call.
+ if xs_type != server.xend.security.get_xstype():
+ raise security.XSMError("ACM policy type not supported.")
rc, errors = server.xend.security.set_policy(xs_type,
xml,
ACM_SCHEMA = security_policy.xsd
ACM_EXAMPLES = client_v1 test
-ACM_DEF_POLICIES = default default-ul
+ACM_DEF_POLICIES = DEFAULT-UL
ACM_POLICY_SUFFIX = security_policy.xml
ifeq ($(ACM_SECURITY),y)
--- /dev/null
+<?xml version="1.0" ?>
+<SecurityPolicyDefinition xmlns="http://www.ibm.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.ibm.com ../../security_policy.xsd">
+ <PolicyHeader>
+ <PolicyName>DEFAULT-UL</PolicyName>
+ <Version>1.0</Version>
+ </PolicyHeader>
+ <SimpleTypeEnforcement>
+ <SimpleTypeEnforcementTypes>
+ <Type>SystemManagement</Type>
+ <Type>__UNLABELED__</Type>
+ </SimpleTypeEnforcementTypes>
+ </SimpleTypeEnforcement>
+ <ChineseWall>
+ <ChineseWallTypes>
+ <Type>SystemManagement</Type>
+ </ChineseWallTypes>
+ </ChineseWall>
+ <SecurityLabelTemplate>
+ <SubjectLabels bootstrap="SystemManagement">
+ <VirtualMachineLabel>
+ <Name>SystemManagement</Name>
+ <SimpleTypeEnforcementTypes>
+ <Type>SystemManagement</Type>
+ <Type>__UNLABELED__</Type>
+ </SimpleTypeEnforcementTypes>
+ <ChineseWallTypes>
+ <Type/>
+ </ChineseWallTypes>
+ </VirtualMachineLabel>
+ <VirtualMachineLabel>
+ <Name>__UNLABELED__</Name>
+ <SimpleTypeEnforcementTypes>
+ <Type>__UNLABELED__</Type>
+ </SimpleTypeEnforcementTypes>
+ <ChineseWallTypes>
+ <Type/>
+ </ChineseWallTypes>
+ </VirtualMachineLabel>
+ </SubjectLabels>
+ </SecurityLabelTemplate>
+</SecurityPolicyDefinition>
+++ /dev/null
-<?xml version="1.0" ?>
-<SecurityPolicyDefinition xmlns="http://www.ibm.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.ibm.com ../../security_policy.xsd">
- <PolicyHeader>
- <PolicyName>DEFAULT</PolicyName>
- <Version>1.0</Version>
- </PolicyHeader>
- <SimpleTypeEnforcement>
- <SimpleTypeEnforcementTypes>
- <Type>SystemManagement</Type>
- </SimpleTypeEnforcementTypes>
- </SimpleTypeEnforcement>
- <ChineseWall>
- <ChineseWallTypes>
- <Type>SystemManagement</Type>
- </ChineseWallTypes>
- </ChineseWall>
- <SecurityLabelTemplate>
- <SubjectLabels bootstrap="SystemManagement">
- <VirtualMachineLabel>
- <Name>SystemManagement</Name>
- <SimpleTypeEnforcementTypes>
- <Type>SystemManagement</Type>
- </SimpleTypeEnforcementTypes>
- <ChineseWallTypes>
- <Type/>
- </ChineseWallTypes>
- </VirtualMachineLabel>
- </SubjectLabels>
- </SecurityLabelTemplate>
-</SecurityPolicyDefinition>
+++ /dev/null
-<?xml version="1.0" ?>
-<SecurityPolicyDefinition xmlns="http://www.ibm.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.ibm.com ../../security_policy.xsd">
- <PolicyHeader>
- <PolicyName>DEFAULT-UL</PolicyName>
- <Version>1.0</Version>
- </PolicyHeader>
- <SimpleTypeEnforcement>
- <SimpleTypeEnforcementTypes>
- <Type>SystemManagement</Type>
- <Type>__UNLABELED__</Type>
- </SimpleTypeEnforcementTypes>
- </SimpleTypeEnforcement>
- <ChineseWall>
- <ChineseWallTypes>
- <Type>SystemManagement</Type>
- </ChineseWallTypes>
- </ChineseWall>
- <SecurityLabelTemplate>
- <SubjectLabels bootstrap="SystemManagement">
- <VirtualMachineLabel>
- <Name>SystemManagement</Name>
- <SimpleTypeEnforcementTypes>
- <Type>SystemManagement</Type>
- <Type>__UNLABELED__</Type>
- </SimpleTypeEnforcementTypes>
- <ChineseWallTypes>
- <Type/>
- </ChineseWallTypes>
- </VirtualMachineLabel>
- <VirtualMachineLabel>
- <Name>__UNLABELED__</Name>
- <SimpleTypeEnforcementTypes>
- <Type>__UNLABELED__</Type>
- </SimpleTypeEnforcementTypes>
- <ChineseWallTypes>
- <Type/>
- </ChineseWallTypes>
- </VirtualMachineLabel>
- </SubjectLabels>
- </SecurityLabelTemplate>
-</SecurityPolicyDefinition>
projects / xen.git / commitdiff