WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-changelog

[Xen-changelog] [xen-unstable] xend: Updated setpolicy to support loadin

To: xen-changelog@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-changelog] [xen-unstable] xend: Updated setpolicy to support loading of flask policy
From: Xen patchbot-unstable <patchbot-unstable@xxxxxxxxxxxxxxxxxxx>
Date: Tue, 06 Oct 2009 02:15:11 -0700
Delivery-date: Tue, 06 Oct 2009 02:15:27 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-changelog-request@lists.xensource.com?subject=help>
List-id: BK change log <xen-changelog.lists.xensource.com>
List-post: <mailto:xen-changelog@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=unsubscribe>
Reply-to: xen-devel@xxxxxxxxxxxxxxxxxxx
Sender: xen-changelog-bounces@xxxxxxxxxxxxxxxxxxx
# HG changeset patch
# User Keir Fraser <keir.fraser@xxxxxxxxxx>
# Date 1254820313 -3600
# Node ID 10cfcbef68ee8ff7747e0150d93220c2b832cd08
# Parent  e39acea851f48598114a3c8ab90afc5a97b33952
xend: Updated setpolicy to support loading of flask policy

Updated xm setpolicy command to support the loading of flask security
policies.

Signed-off-by : Machon Gregory <mbgrego@xxxxxxxxxxxxxx>
Signed-off-by : George S. Coker, II <gscoker@xxxxxxxxxxxxxx>
---
 tools/python/xen/lowlevel/flask/flask.c    |   36 +++++++++
 tools/python/xen/util/xsconstants.py       |    1 
 tools/python/xen/util/xsm/acm/acm.py       |    1 
 tools/python/xen/util/xsm/flask/flask.py   |   11 ++
 tools/python/xen/xend/XendXSPolicy.py      |   12 ++-
 tools/python/xen/xend/XendXSPolicyAdmin.py |    3 
 tools/python/xen/xm/setpolicy.py           |  111 +++++++++++++++--------------
 7 files changed, 120 insertions(+), 55 deletions(-)

diff -r e39acea851f4 -r 10cfcbef68ee tools/python/xen/lowlevel/flask/flask.c
--- a/tools/python/xen/lowlevel/flask/flask.c   Tue Oct 06 10:11:14 2009 +0100
+++ b/tools/python/xen/lowlevel/flask/flask.c   Tue Oct 06 10:11:53 2009 +0100
@@ -106,6 +106,35 @@ static PyObject *pyflask_sid_to_context(
     return Py_BuildValue("s", ctx, ctx_len);
 }
 
+static PyObject *pyflask_load(PyObject *self, PyObject *args, PyObject *kwds)
+{
+    int xc_handle;
+    char *policy;
+    uint32_t len;
+    int ret;
+
+    static char *kwd_list[] = { "policy", NULL };
+  
+    if( !PyArg_ParseTupleAndKeywords(args, kwds, "s#", kwd_list, &policy, 
&len) )
+        return NULL;
+
+    xc_handle = xc_interface_open();
+    if (xc_handle < 0) {
+        errno = xc_handle;
+        return PyErr_SetFromErrno(xc_error_obj);
+    }
+
+    ret = flask_load(xc_handle, policy, len);
+
+    xc_interface_close(xc_handle);
+
+    if ( ret != 0 ) {
+        errno = -ret;
+        return PyErr_SetFromErrno(xc_error_obj);
+    }
+
+    return Py_BuildValue("i", ret);
+}
 
 static PyMethodDef pyflask_methods[] = {
     { "flask_context_to_sid",
@@ -122,6 +151,13 @@ static PyMethodDef pyflask_methods[] = {
       " context [int]: SID to be converted\n"
       "Returns: [str]: Numeric SID on success; -1 on error.\n" },
 
+    { "flask_load",
+      (PyCFunction)pyflask_load,
+      METH_KEYWORDS, "\n"
+      "Loads a policy into the hypervisor.\n"
+      " policy [str]: policy to be load\n"
+      "Returns: [int]: 0 on success; -1 on failure.\n" }, 
+      
     { NULL, NULL, 0, NULL }
 };
 
diff -r e39acea851f4 -r 10cfcbef68ee tools/python/xen/util/xsconstants.py
--- a/tools/python/xen/util/xsconstants.py      Tue Oct 06 10:11:14 2009 +0100
+++ b/tools/python/xen/util/xsconstants.py      Tue Oct 06 10:11:53 2009 +0100
@@ -106,6 +106,7 @@ def xserr2string(err):
 
 # Policy identifiers used in labels
 ACM_POLICY_ID = 'ACM'
+FLASK_POLICY_ID = 'FLASK'
 
 INVALID_POLICY_PREFIX = 'INV_'
 
diff -r e39acea851f4 -r 10cfcbef68ee tools/python/xen/util/xsm/acm/acm.py
--- a/tools/python/xen/util/xsm/acm/acm.py      Tue Oct 06 10:11:14 2009 +0100
+++ b/tools/python/xen/util/xsm/acm/acm.py      Tue Oct 06 10:11:53 2009 +0100
@@ -82,6 +82,7 @@ log = logging.getLogger("xend.util.secur
 
 #Functions exported through XML-RPC
 xmlrpc_exports = [
+  'on',
   'set_resource_label',
   'get_resource_label',
   'list_labels',
diff -r e39acea851f4 -r 10cfcbef68ee tools/python/xen/util/xsm/flask/flask.py
--- a/tools/python/xen/util/xsm/flask/flask.py  Tue Oct 06 10:11:14 2009 +0100
+++ b/tools/python/xen/util/xsm/flask/flask.py  Tue Oct 06 10:11:53 2009 +0100
@@ -1,10 +1,15 @@ import sys
 import sys
+import base64
 from xen.lowlevel import flask
 from xen.util import xsconstants
 from xen.xend import sxp
 
 #Functions exported through XML-RPC
-xmlrpc_exports = [ ]
+xmlrpc_exports = [
+  'on',
+  'set_policy'
+]
+
 
 def err(msg):
     """Raise XSM-Flask exception.
@@ -47,3 +52,7 @@ def get_security_label(self, xspol=None)
 def get_security_label(self, xspol=None):
     label = self.info['security_label']
     return label
+
+def set_policy(xs_type, policy_b64, flags=None, overwrite=None):
+    policy = base64.b64decode(policy_b64);
+    return flask.flask_load(policy), ""
diff -r e39acea851f4 -r 10cfcbef68ee tools/python/xen/xend/XendXSPolicy.py
--- a/tools/python/xen/xend/XendXSPolicy.py     Tue Oct 06 10:11:14 2009 +0100
+++ b/tools/python/xen/xend/XendXSPolicy.py     Tue Oct 06 10:11:53 2009 +0100
@@ -73,7 +73,7 @@ class XendXSPolicy(XendBase):
     def get_xstype(self):
         return XSPolicyAdminInstance().isXSEnabled()
 
-    def set_xspolicy(self, xstype, xml, flags, overwrite):
+    def set_xspolicy(self, xstype, policy, flags, overwrite):
         ref = ""
         xstype = int(xstype)
         flags  = int(flags)
@@ -84,7 +84,7 @@ class XendXSPolicy(XendBase):
             poladmin = XSPolicyAdminInstance()
             try:
                 (xspol, rc, errors) = poladmin.add_acmpolicy_to_system(
-                                                                   xml, flags,
+                                                                   policy, 
flags,
                                                                    overwrite)
                 if rc != 0:
                     polstate.update( { 'xserr' : rc,
@@ -102,6 +102,14 @@ class XendXSPolicy(XendBase):
                     }
             except Exception, e:
                 raise
+        elif xstype == xsconstants.XS_POLICY_FLASK:
+            rc, errors = security.set_policy(xstype, policy);
+            if rc != 0:
+                polstate.update( { 'xserr' : 
-xsconstants.XSERR_POLICY_LOAD_FAILED,
+                                   'errors': errors } )
+            else:
+                polstate.update( { 'xserr' : xsconstants.XSERR_SUCCESS,
+                                   'errors': errors } )
         else:
             raise SecurityError(-xsconstants.XSERR_POLICY_TYPE_UNSUPPORTED)
         return polstate
diff -r e39acea851f4 -r 10cfcbef68ee tools/python/xen/xend/XendXSPolicyAdmin.py
--- a/tools/python/xen/xend/XendXSPolicyAdmin.py        Tue Oct 06 10:11:14 
2009 +0100
+++ b/tools/python/xen/xend/XendXSPolicyAdmin.py        Tue Oct 06 10:11:53 
2009 +0100
@@ -75,11 +75,12 @@ class XSPolicyAdmin:
 
     def isXSEnabled(self):
         """ Check whether 'security' is enabled on this system.
-            This currently only checks for ACM-enablement.
         """
         rc = 0
         if security.on() == xsconstants.XS_POLICY_ACM:
             rc |= xsconstants.XS_POLICY_ACM
+       else:
+            rc |= xsconstants.XS_POLICY_FLASK
         return rc
 
     def add_acmpolicy_to_system(self, xmltext, flags, overwrite):
diff -r e39acea851f4 -r 10cfcbef68ee tools/python/xen/xm/setpolicy.py
--- a/tools/python/xen/xm/setpolicy.py  Tue Oct 06 10:11:14 2009 +0100
+++ b/tools/python/xen/xm/setpolicy.py  Tue Oct 06 10:11:53 2009 +0100
@@ -43,8 +43,9 @@ def help():
 
     Set the policy managed by xend.
 
-    The only policytype that is currently supported is 'ACM'.
+    Only 'ACM' and 'FLASK' are supported as valid policytype parameters.
 
+    ACM:
     The filename of the policy is the policy name plus the suffic
     '-security_policy.xml'. The location of the policy file is either
     the the current directory or '/etc/xen/acm-security/policies'.
@@ -93,60 +94,68 @@ def setpolicy(policytype, policy_name, f
             if os.path.exists(policy_file):
                 break
 
-        try:
-            f = open(policy_file,"r")
-            xml = f.read()
-            f.close()
-        except:
-            raise OptionError("Could not read policy file from current"
-                              " directory or '%s'." %
-                              install_policy_dir_prefix)
+    elif policytype.upper() == xsconstants.FLASK_POLICY_ID:
+        xs_type = xsconstants.XS_POLICY_FLASK
+        policy_file = policy_name
 
-        if xm_main.serverType == xm_main.SERVER_XEN_API:
-            if xs_type != int(server.xenapi.XSPolicy.get_xstype()):
-                raise security.XSMError("ACM policy type not supported.")
-
-            try:
-                policystate = server.xenapi.XSPolicy.set_xspolicy(xs_type,
-                                                                  xml,
-                                                                  flags,
-                                                                  overwrite)
-            except Exception, e:
-                raise security.XSMError("An error occurred setting the "
-                                        "policy: %s" % str(e))
-            xserr = int(policystate['xserr'])
-            if xserr != xsconstants.XSERR_SUCCESS:
-                txt = "An error occurred trying to set the policy: %s." % \
-                      xsconstants.xserr2string(abs(xserr))
-                errors = policystate['errors']
-                if len(errors) > 0:
-                    txt += " " + 
build_hv_error_message(base64.b64decode(errors))
-                raise security.XSMError(txt)
-            else:
-                print "Successfully set the new policy."
-                getpolicy(False)
-        else:
-            # Non-Xen-API call.
-            if xs_type != server.xend.security.get_xstype():
-                raise security.XSMError("ACM policy type not supported.")
-
-            rc, errors = server.xend.security.set_policy(xs_type,
-                                                         xml,
-                                                         flags,
-                                                         overwrite)
-            if rc != xsconstants.XSERR_SUCCESS:
-                txt = "An error occurred trying to set the policy: %s." % \
-                      xsconstants.xserr2string(abs(rc))
-                if len(errors) > 0:
-                    txt += " " + build_hv_error_message(
-                                       base64.b64decode(errors))
-                raise security.XSMError(txt)
-            else:
-                print "Successfully set the new policy."
-                getpolicy(False)
     else:
         raise OptionError("Unsupported policytype '%s'." % policytype)
 
+    try:
+        f = open(policy_file,"r")
+        policy = f.read()
+        f.close()
+    except:
+        raise OptionError("Could not read policy file: %s" % policy_file)
+
+    
+    if xs_type == xsconstants.XS_POLICY_FLASK:
+        policy = base64.b64encode(policy)
+
+    if xm_main.serverType == xm_main.SERVER_XEN_API:
+        if xs_type != int(server.xenapi.XSPolicy.get_xstype()):
+            raise security.XSMError("Policy type not supported.")
+
+        try:
+            policystate = server.xenapi.XSPolicy.set_xspolicy(xs_type,
+                                                              policy,
+                                                              flags,
+                                                              overwrite)
+        except Exception, e:
+            raise security.XSMError("An error occurred setting the "
+                                    "policy: %s" % str(e))
+        xserr = int(policystate['xserr'])
+        if xserr != xsconstants.XSERR_SUCCESS:
+            txt = "An error occurred trying to set the policy: %s." % \
+                   xsconstants.xserr2string(abs(xserr))
+            errors = policystate['errors']
+            if len(errors) > 0:
+                txt += " " + build_hv_error_message(base64.b64decode(errors))
+            raise security.XSMError(txt)
+        else:
+            print "Successfully set the new policy."
+            if xs_type == xsconstants.XS_POLICY_ACM:
+                getpolicy(False)
+    else:
+        # Non-Xen-API call.
+        if xs_type != server.xend.security.on():
+            raise security.XSMError("Policy type not supported.")
+
+        rc, errors = server.xend.security.set_policy(xs_type,
+                                                     policy,
+                                                     flags,
+                                                     overwrite)
+        if rc != xsconstants.XSERR_SUCCESS:
+            txt = "An error occurred trying to set the policy: %s." % \
+                   xsconstants.xserr2string(abs(rc))
+            if len(errors) > 0:
+                txt += " " + build_hv_error_message(
+                       base64.b64decode(errors))
+            raise security.XSMError(txt)
+        else:
+            print "Successfully set the new policy."
+            if xs_type == xsconstants.XS_POLICY_ACM:
+                getpolicy(False)
 
 def main(argv):
     if len(argv) < 3:

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog

<Prev in Thread] Current Thread [Next in Thread>
  • [Xen-changelog] [xen-unstable] xend: Updated setpolicy to support loading of flask policy, Xen patchbot-unstable <=