Updated xm setpolicy command to support the loading of flask security
policies.
Signed-off-by : Machon Gregory <mbgrego@xxxxxxxxxxxxxx>
Signed-off-by : George S. Coker, II <gscoker@xxxxxxxxxxxxxx>
---
tools/python/xen/lowlevel/flask/flask.c | 36 +++++++++
tools/python/xen/util/xsconstants.py | 1
tools/python/xen/util/xsm/acm/acm.py | 1
tools/python/xen/util/xsm/flask/flask.py | 11 ++
tools/python/xen/xend/XendXSPolicy.py | 12 ++-
tools/python/xen/xend/XendXSPolicyAdmin.py | 3
tools/python/xen/xm/setpolicy.py | 111
+++++++++++++++--------------
7 files changed, 120 insertions(+), 55 deletions(-)
--
Machon Gregory
National Information Assurance Research Lab (NIARL)
diff -r 6472342c8ab0 tools/python/xen/lowlevel/flask/flask.c
--- a/tools/python/xen/lowlevel/flask/flask.c
+++ b/tools/python/xen/lowlevel/flask/flask.c
@@ -106,6 +106,35 @@
return Py_BuildValue("s", ctx, ctx_len);
}
+static PyObject *pyflask_load(PyObject *self, PyObject *args, PyObject *kwds)
+{
+ int xc_handle;
+ char *policy;
+ uint32_t len;
+ int ret;
+
+ static char *kwd_list[] = { "policy", NULL };
+
+ if( !PyArg_ParseTupleAndKeywords(args, kwds, "s#", kwd_list, &policy,
&len) )
+ return NULL;
+
+ xc_handle = xc_interface_open();
+ if (xc_handle < 0) {
+ errno = xc_handle;
+ return PyErr_SetFromErrno(xc_error_obj);
+ }
+
+ ret = flask_load(xc_handle, policy, len);
+
+ xc_interface_close(xc_handle);
+
+ if ( ret != 0 ) {
+ errno = -ret;
+ return PyErr_SetFromErrno(xc_error_obj);
+ }
+
+ return Py_BuildValue("i", ret);
+}
static PyMethodDef pyflask_methods[] = {
{ "flask_context_to_sid",
@@ -122,6 +151,13 @@
" context [int]: SID to be converted\n"
"Returns: [str]: Numeric SID on success; -1 on error.\n" },
+ { "flask_load",
+ (PyCFunction)pyflask_load,
+ METH_KEYWORDS, "\n"
+ "Loads a policy into the hypervisor.\n"
+ " policy [str]: policy to be load\n"
+ "Returns: [int]: 0 on success; -1 on failure.\n" },
+
{ NULL, NULL, 0, NULL }
};
diff -r 6472342c8ab0 tools/python/xen/util/xsconstants.py
--- a/tools/python/xen/util/xsconstants.py
+++ b/tools/python/xen/util/xsconstants.py
@@ -106,6 +106,7 @@
# Policy identifiers used in labels
ACM_POLICY_ID = 'ACM'
+FLASK_POLICY_ID = 'FLASK'
INVALID_POLICY_PREFIX = 'INV_'
diff -r 6472342c8ab0 tools/python/xen/util/xsm/acm/acm.py
--- a/tools/python/xen/util/xsm/acm/acm.py
+++ b/tools/python/xen/util/xsm/acm/acm.py
@@ -82,6 +82,7 @@
#Functions exported through XML-RPC
xmlrpc_exports = [
+ 'on',
'set_resource_label',
'get_resource_label',
'list_labels',
diff -r 6472342c8ab0 tools/python/xen/util/xsm/flask/flask.py
--- a/tools/python/xen/util/xsm/flask/flask.py
+++ b/tools/python/xen/util/xsm/flask/flask.py
@@ -1,10 +1,15 @@
import sys
+import base64
from xen.lowlevel import flask
from xen.util import xsconstants
from xen.xend import sxp
#Functions exported through XML-RPC
-xmlrpc_exports = [ ]
+xmlrpc_exports = [
+ 'on',
+ 'set_policy'
+]
+
def err(msg):
"""Raise XSM-Flask exception.
@@ -47,3 +52,7 @@
def get_security_label(self, xspol=None):
label = self.info['security_label']
return label
+
+def set_policy(xs_type, policy_b64, flags=None, overwrite=None):
+ policy = base64.b64decode(policy_b64);
+ return flask.flask_load(policy), ""
diff -r 6472342c8ab0 tools/python/xen/xend/XendXSPolicy.py
--- a/tools/python/xen/xend/XendXSPolicy.py
+++ b/tools/python/xen/xend/XendXSPolicy.py
@@ -73,7 +73,7 @@
def get_xstype(self):
return XSPolicyAdminInstance().isXSEnabled()
- def set_xspolicy(self, xstype, xml, flags, overwrite):
+ def set_xspolicy(self, xstype, policy, flags, overwrite):
ref = ""
xstype = int(xstype)
flags = int(flags)
@@ -84,7 +84,7 @@
poladmin = XSPolicyAdminInstance()
try:
(xspol, rc, errors) = poladmin.add_acmpolicy_to_system(
- xml, flags,
+ policy,
flags,
overwrite)
if rc != 0:
polstate.update( { 'xserr' : rc,
@@ -102,6 +102,14 @@
}
except Exception, e:
raise
+ elif xstype == xsconstants.XS_POLICY_FLASK:
+ rc, errors = security.set_policy(xstype, policy);
+ if rc != 0:
+ polstate.update( { 'xserr' :
-xsconstants.XSERR_POLICY_LOAD_FAILED,
+ 'errors': errors } )
+ else:
+ polstate.update( { 'xserr' : xsconstants.XSERR_SUCCESS,
+ 'errors': errors } )
else:
raise SecurityError(-xsconstants.XSERR_POLICY_TYPE_UNSUPPORTED)
return polstate
diff -r 6472342c8ab0 tools/python/xen/xend/XendXSPolicyAdmin.py
--- a/tools/python/xen/xend/XendXSPolicyAdmin.py
+++ b/tools/python/xen/xend/XendXSPolicyAdmin.py
@@ -75,11 +75,12 @@
def isXSEnabled(self):
""" Check whether 'security' is enabled on this system.
- This currently only checks for ACM-enablement.
"""
rc = 0
if security.on() == xsconstants.XS_POLICY_ACM:
rc |= xsconstants.XS_POLICY_ACM
+ else:
+ rc |= xsconstants.XS_POLICY_FLASK
return rc
def add_acmpolicy_to_system(self, xmltext, flags, overwrite):
diff -r 6472342c8ab0 tools/python/xen/xm/setpolicy.py
--- a/tools/python/xen/xm/setpolicy.py
+++ b/tools/python/xen/xm/setpolicy.py
@@ -43,8 +43,9 @@
Set the policy managed by xend.
- The only policytype that is currently supported is 'ACM'.
+ Only 'ACM' and 'FLASK' are supported as valid policytype parameters.
+ ACM:
The filename of the policy is the policy name plus the suffic
'-security_policy.xml'. The location of the policy file is either
the the current directory or '/etc/xen/acm-security/policies'.
@@ -93,60 +94,68 @@
if os.path.exists(policy_file):
break
- try:
- f = open(policy_file,"r")
- xml = f.read()
- f.close()
- except:
- raise OptionError("Could not read policy file from current"
- " directory or '%s'." %
- install_policy_dir_prefix)
+ elif policytype.upper() == xsconstants.FLASK_POLICY_ID:
+ xs_type = xsconstants.XS_POLICY_FLASK
+ policy_file = policy_name
- if xm_main.serverType == xm_main.SERVER_XEN_API:
- if xs_type != int(server.xenapi.XSPolicy.get_xstype()):
- raise security.XSMError("ACM policy type not supported.")
-
- try:
- policystate = server.xenapi.XSPolicy.set_xspolicy(xs_type,
- xml,
- flags,
- overwrite)
- except Exception, e:
- raise security.XSMError("An error occurred setting the "
- "policy: %s" % str(e))
- xserr = int(policystate['xserr'])
- if xserr != xsconstants.XSERR_SUCCESS:
- txt = "An error occurred trying to set the policy: %s." % \
- xsconstants.xserr2string(abs(xserr))
- errors = policystate['errors']
- if len(errors) > 0:
- txt += " " +
build_hv_error_message(base64.b64decode(errors))
- raise security.XSMError(txt)
- else:
- print "Successfully set the new policy."
- getpolicy(False)
- else:
- # Non-Xen-API call.
- if xs_type != server.xend.security.get_xstype():
- raise security.XSMError("ACM policy type not supported.")
-
- rc, errors = server.xend.security.set_policy(xs_type,
- xml,
- flags,
- overwrite)
- if rc != xsconstants.XSERR_SUCCESS:
- txt = "An error occurred trying to set the policy: %s." % \
- xsconstants.xserr2string(abs(rc))
- if len(errors) > 0:
- txt += " " + build_hv_error_message(
- base64.b64decode(errors))
- raise security.XSMError(txt)
- else:
- print "Successfully set the new policy."
- getpolicy(False)
else:
raise OptionError("Unsupported policytype '%s'." % policytype)
+ try:
+ f = open(policy_file,"r")
+ policy = f.read()
+ f.close()
+ except:
+ raise OptionError("Could not read policy file: %s" % policy_file)
+
+
+ if xs_type == xsconstants.XS_POLICY_FLASK:
+ policy = base64.b64encode(policy)
+
+ if xm_main.serverType == xm_main.SERVER_XEN_API:
+ if xs_type != int(server.xenapi.XSPolicy.get_xstype()):
+ raise security.XSMError("Policy type not supported.")
+
+ try:
+ policystate = server.xenapi.XSPolicy.set_xspolicy(xs_type,
+ policy,
+ flags,
+ overwrite)
+ except Exception, e:
+ raise security.XSMError("An error occurred setting the "
+ "policy: %s" % str(e))
+ xserr = int(policystate['xserr'])
+ if xserr != xsconstants.XSERR_SUCCESS:
+ txt = "An error occurred trying to set the policy: %s." % \
+ xsconstants.xserr2string(abs(xserr))
+ errors = policystate['errors']
+ if len(errors) > 0:
+ txt += " " + build_hv_error_message(base64.b64decode(errors))
+ raise security.XSMError(txt)
+ else:
+ print "Successfully set the new policy."
+ if xs_type == xsconstants.XS_POLICY_ACM:
+ getpolicy(False)
+ else:
+ # Non-Xen-API call.
+ if xs_type != server.xend.security.on():
+ raise security.XSMError("Policy type not supported.")
+
+ rc, errors = server.xend.security.set_policy(xs_type,
+ policy,
+ flags,
+ overwrite)
+ if rc != xsconstants.XSERR_SUCCESS:
+ txt = "An error occurred trying to set the policy: %s." % \
+ xsconstants.xserr2string(abs(rc))
+ if len(errors) > 0:
+ txt += " " + build_hv_error_message(
+ base64.b64decode(errors))
+ raise security.XSMError(txt)
+ else:
+ print "Successfully set the new policy."
+ if xs_type == xsconstants.XS_POLICY_ACM:
+ getpolicy(False)
def main(argv):
if len(argv) < 3:
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
|
Home