
xen-changelog

[Xen-changelog] [xen-unstable] xend, acm: Extend Xen-API with function t

To: xen-changelog@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-changelog] [xen-unstable] xend, acm: Extend Xen-API with function to reset the policy
From: Xen patchbot-unstable <patchbot-unstable@xxxxxxxxxxxxxxxxxxx>
Date: Wed, 12 Dec 2007 06:50:09 -0800
Delivery-date: Wed, 12 Dec 2007 06:50:20 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-changelog-request@lists.xensource.com?subject=help>
List-id: BK change log <xen-changelog.lists.xensource.com>
List-post: <mailto:xen-changelog@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=unsubscribe>
Reply-to: xen-devel@xxxxxxxxxxxxxxxxxxx
Sender: xen-changelog-bounces@xxxxxxxxxxxxxxxxxxx
# HG changeset patch
# User Keir Fraser <keir.fraser@xxxxxxxxxx>
# Date 1197453475 0
# Node ID 433f6a6a862a072d51ba952e77e21918ea7ac381
# Parent  dad243d08849279c26057d71fba3125bf2e15bde
xend, acm: Extend Xen-API with function to reset the policy
This patch extends the Xen-API and the legacy XML-RPC interface with a
function to reset the policy on the system (through an update with the
default policy). I adapted the code in 'xm resetpolicy' to use this
now.

This patch also extends libxen and the documentation to reflect the
new function.

Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxx>
---
 docs/xen-api/xenapi-datamodel.tex           |   39 ++++++++++++++++++
 tools/libxen/include/xen/api/xen_xspolicy.h |   13 ++++++
 tools/libxen/src/xen_xspolicy.c             |   18 ++++++++
 tools/python/xen/util/acmpolicy.py          |   15 +++++--
 tools/python/xen/util/xsm/acm/acm.py        |   15 +++++++
 tools/python/xen/util/xsm/dummy/dummy.py    |    4 +
 tools/python/xen/xend/XendXSPolicy.py       |   32 ++++++++++++++
 tools/python/xen/xend/XendXSPolicyAdmin.py  |   17 +++++++
 tools/python/xen/xm/resetpolicy.py          |   60 ----------------------------
 9 files changed, 152 insertions(+), 61 deletions(-)

diff -r dad243d08849 -r 433f6a6a862a docs/xen-api/xenapi-datamodel.tex
--- a/docs/xen-api/xenapi-datamodel.tex Wed Dec 12 09:54:21 2007 +0000
+++ b/docs/xen-api/xenapi-datamodel.tex Wed Dec 12 09:57:55 2007 +0000
@@ -14735,6 +14735,45 @@ State information about the policy. In c
 State information about the policy. In case an error occurred, the 'xs\_err'
 field contains the error code. The 'errors' may contain further information
 about the error.
+ \vspace{0.3cm}
+\vspace{0.3cm}
+\vspace{0.3cm}
+\subsubsection{RPC name:~reset\_xspolicy}
+
+{\bf Overview:}
+Attempt to reset the system's policy by installing the default policy.
+Since this function is implemented as an update to the current policy, it
+underlies the same restrictions. This function may fail if for example
+other domains than Domain-0 are running and use a different label than
+Domain-0
+
+\noindent {\bf Signature:}
+\begin{verbatim} xs_policystate reset_xspolicy (session_id s, xs_type type)
+\end{verbatim}
+
+\noindent{\bf Arguments:}
+
+\vspace{0.3cm}
+
+\begin{tabular}{|c|c|p{7cm}|}
+ \hline
+{\bf type} & {\bf name} & {\bf description} \\ \hline
+{\tt xs\_type } & type & the type of policy \\ \hline
+
+\end{tabular}
+
+\vspace{0.3cm}
+
+
+ \noindent {\bf Return Type:}
+{\tt
+xs\_policystate
+}
+
+
+State information about the policy. In case an error occurred, the 'xs\_err'
+field contains the error code. The 'errors' may contain further information
+about the error.
 \vspace{0.3cm}
 \vspace{0.3cm}
 \vspace{0.3cm}
diff -r dad243d08849 -r 433f6a6a862a tools/libxen/include/xen/api/xen_xspolicy.h
--- a/tools/libxen/include/xen/api/xen_xspolicy.h       Wed Dec 12 09:54:21 
2007 +0000
+++ b/tools/libxen/include/xen/api/xen_xspolicy.h       Wed Dec 12 09:57:55 
2007 +0000
@@ -240,6 +240,19 @@ xen_xspolicy_set_xspolicy(xen_session *s
                           bool overwrite);
 
 
+
+/**
+ * Attempt to reset the system's policy to the DEFAULT policy for the
+ * respective policy type. This is done by updating the system and therefore
+ * underlies the same restrictions of a policy update. This operation may
+ * for example fail if other domains than Domain-0 are running and have
+ * different labels than Domain-0.
+ */
+bool
+xen_xspolicy_reset_xspolicy(xen_session *session, xen_xs_policystate **result,
+                            xs_type type);
+
+
 /**
  * Remove any policy from having the system booted with.
  */
diff -r dad243d08849 -r 433f6a6a862a tools/libxen/src/xen_xspolicy.c
--- a/tools/libxen/src/xen_xspolicy.c   Wed Dec 12 09:54:21 2007 +0000
+++ b/tools/libxen/src/xen_xspolicy.c   Wed Dec 12 09:57:55 2007 +0000
@@ -225,6 +225,24 @@ xen_xspolicy_set_xspolicy(xen_session *s
 
 
 bool
+xen_xspolicy_reset_xspolicy(xen_session *session, xen_xs_policystate **result,
+                            xs_type type)
+{
+    abstract_value param_values[] =
+        {
+            { .type = &abstract_type_int,
+              .u.int_val = type },
+        };
+
+    abstract_type result_type = xen_xs_policystate_abstract_type_;
+
+    *result = NULL;
+    XEN_CALL_("XSPolicy.reset_xspolicy");
+    return session->ok;
+}
+
+
+bool
 xen_xspolicy_get_xspolicy(xen_session *session, xen_xs_policystate **result)
 {
     abstract_value param_values[] =
diff -r dad243d08849 -r 433f6a6a862a tools/python/xen/util/acmpolicy.py
--- a/tools/python/xen/util/acmpolicy.py        Wed Dec 12 09:54:21 2007 +0000
+++ b/tools/python/xen/util/acmpolicy.py        Wed Dec 12 09:57:55 2007 +0000
@@ -86,7 +86,7 @@ DEFAULT_policy = \
 "  <SecurityLabelTemplate>\n" +\
 "    <SubjectLabels bootstrap=\"SystemManagement\">\n" +\
 "      <VirtualMachineLabel>\n" +\
-"        <Name>SystemManagement</Name>\n" +\
+"        <Name%s>SystemManagement</Name>\n" +\
 "        <SimpleTypeEnforcementTypes>\n" +\
 "          <Type>SystemManagement</Type>\n" +\
 "        </SimpleTypeEnforcementTypes>\n" +\
@@ -99,8 +99,11 @@ DEFAULT_policy = \
 "</SecurityPolicyDefinition>\n"
 
 
-def get_DEFAULT_policy():
-    return DEFAULT_policy
+def get_DEFAULT_policy(dom0label=""):
+    fromnode = ""
+    if dom0label != "":
+        fromnode = " from=\"%s\"" % dom0label
+    return DEFAULT_policy % fromnode
 
 def initialize():
     xoptions = XendOptions.instance()
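Review bot: get_DEFAULT_policy() pastes `dom0label` into the `from="..."` attribute without XML-escaping, so a label containing `"`, `<` or `&` would produce a malformed or altered policy document. Building the attribute with `fromnode = " from=%s" % xml.sax.saxutils.quoteattr(dom0label)` keeps it well-formed; the import would have to be added if the file lacks it, which is not visible here. The removed xm helper in resetpolicy.py skipped the attribute when the label was already `SystemManagement`, but get_reset_policy_xml in the next hunk passes `security.get_ssid(0)[1]` straight through, so that case now emits `from="SystemManagement"`. It is worth confirming that the update path accepts this, or restoring the check. Since DEFAULT_policy now carries a `%s`, any code that reads the constant directly rather than through get_DEFAULT_policy() would see the raw placeholder.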
@@ -375,6 +378,12 @@ class ACMPolicy(XSPolicy):
 
     force_default_policy = classmethod(force_default_policy)
 
+    def get_reset_policy_xml(klass):
+        dom0_label = security.get_ssid(0)[1]
+        return get_DEFAULT_policy(dom0_label)
+
+    get_reset_policy_xml = classmethod(get_reset_policy_xml)
+
     def __do_update_version_check(self, acmpol_new):
         acmpol_old = self
 
diff -r dad243d08849 -r 433f6a6a862a tools/python/xen/util/xsm/acm/acm.py
--- a/tools/python/xen/util/xsm/acm/acm.py      Wed Dec 12 09:54:21 2007 +0000
+++ b/tools/python/xen/util/xsm/acm/acm.py      Wed Dec 12 09:57:55 2007 +0000
@@ -86,6 +86,7 @@ xmlrpc_exports = [
   'list_labels',
   'get_labeled_resources',
   'set_policy',
+  'reset_policy',
   'get_policy',
   'activate_policy',
   'rm_bootpolicy',
@@ -562,6 +563,20 @@ def set_policy(xs_type, xml, flags, over
              xspoladmin.add_acmpolicy_to_system(xml,
                                                 int(flags),
                                                 True)
+        return rc, base64.b64encode(errors)
+    except Exception, e:
+        err(str(e))
+
+
+def reset_policy():
+    """
+       Xend exports this function via XML-RPC
+    """
+    from xen.xend import XendXSPolicyAdmin
+    xspoladmin = XendXSPolicyAdmin.XSPolicyAdminInstance()
+    try:
+        acmpol, rc, errors = \
+             xspoladmin.reset_acmpolicy()
         return rc, base64.b64encode(errors)
     except Exception, e:
         err(str(e))
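Review bot: The docstring of reset_policy() says only that the function is exported, although it is a state-changing call on the security policy. It should say that the system policy is reset to the DEFAULT policy and that the result is `(rc, base64-encoded errors)`. `acmpol` is bound but never used, and `except Exception, e: err(str(e))` flattens every failure into a string, so a caller cannot tell a refused policy update from an internal fault. Presumably err() raises; if it does not, the function falls through and returns None instead of the documented pair.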
diff -r dad243d08849 -r 433f6a6a862a tools/python/xen/util/xsm/dummy/dummy.py
--- a/tools/python/xen/util/xsm/dummy/dummy.py  Wed Dec 12 09:54:21 2007 +0000
+++ b/tools/python/xen/util/xsm/dummy/dummy.py  Wed Dec 12 09:57:55 2007 +0000
@@ -21,6 +21,7 @@ xmlrpc_exports = [
   'list_labels',
   'get_labeled_resources',
   'set_policy',
+  'reset_policy',
   'get_policy',
   'activate_policy',
   'rm_bootpolicy',
@@ -102,6 +103,9 @@ def set_policy(xs_type, xml, flags, over
 def set_policy(xs_type, xml, flags, overwrite):
     err("Command not supported under xsm 'dummy' module.")
 
+def reset_policy():
+    err("Command not supported under xsm 'dummy' module.")
+
 def get_policy():
     return "", 0
 
diff -r dad243d08849 -r 433f6a6a862a tools/python/xen/xend/XendXSPolicy.py
--- a/tools/python/xen/xend/XendXSPolicy.py     Wed Dec 12 09:54:21 2007 +0000
+++ b/tools/python/xen/xend/XendXSPolicy.py     Wed Dec 12 09:57:55 2007 +0000
@@ -43,6 +43,7 @@ class XendXSPolicy(XendBase):
     def getFuncs(self):
         funcs = [ 'get_xstype',
                   'set_xspolicy',
+                  'reset_xspolicy',
                   'get_xspolicy',
                   'rm_xsbootpolicy',
                   'get_resource_label',
@@ -104,6 +105,36 @@ class XendXSPolicy(XendBase):
             raise SecurityError(-xsconstants.XSERR_POLICY_TYPE_UNSUPPORTED)
         return polstate
 
+
+    def reset_xspolicy(self, xstype):
+        xstype = int(xstype)
+        polstate = { 'xs_ref': "", 'repr'   : "", 'type'   : 0,
+                     'flags' : 0 , 'version': 0 , 'errors' : "", 'xserr' : 0 }
+        if xstype == xsconstants.XS_POLICY_ACM:
+            poladmin = XSPolicyAdminInstance()
+            try:
+                (xspol, rc, errors) = poladmin.reset_acmpolicy()
+                if rc != 0:
+                    polstate.update( { 'xserr' : rc,
+                                       'errors': base64.b64encode(errors) } )
+                else:
+                    ref = xspol.get_ref()
+                    polstate = {
+                      'xs_ref' : ref,
+                      'flags'  : poladmin.get_policy_flags(xspol),
+                      'type'   : xstype,
+                      'repr'   : "",
+                      'version': xspol.get_version(),
+                      'errors' : base64.b64encode(errors),
+                      'xserr'  : rc,
+                    }
+            except Exception, e:
+                raise
+        else:
+            raise SecurityError(-xsconstants.XSERR_POLICY_TYPE_UNSUPPORTED)
+        return polstate
+
+
     def activate_xspolicy(self, flags):
         flags = int(flags)
         rc = -xsconstants.XSERR_GENERAL_FAILURE
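Review bot: In reset_xspolicy the `try: ... except Exception, e: raise` wrapper has no effect, since it binds `e` and re-raises the same exception; the handler can be dropped and the body dedented. On the `rc != 0` path the returned dict still has `'type': 0` instead of the requested `xstype`, so a client that reads `type` on failure gets a value that does not match the request; adding `'type': xstype` to the `polstate.update(...)` call would fix this. The method has no docstring; one line saying that it installs the default policy and returns an xs_policystate map would match the text added to xenapi-datamodel.tex. The hunk ends inside activate_xspolicy, whose body is not visible here.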
@@ -162,6 +193,7 @@ class XendXSPolicy(XendBase):
     get_xstype      = classmethod(get_xstype)
     get_xspolicy    = classmethod(get_xspolicy)
     set_xspolicy    = classmethod(set_xspolicy)
+    reset_xspolicy  = classmethod(reset_xspolicy)
     rm_xsbootpolicy = classmethod(rm_xsbootpolicy)
     set_resource_label = classmethod(set_resource_label)
     get_resource_label = classmethod(get_resource_label)
diff -r dad243d08849 -r 433f6a6a862a tools/python/xen/xend/XendXSPolicyAdmin.py
--- a/tools/python/xen/xend/XendXSPolicyAdmin.py        Wed Dec 12 09:54:21 
2007 +0000
+++ b/tools/python/xen/xend/XendXSPolicyAdmin.py        Wed Dec 12 09:57:55 
2007 +0000
@@ -179,6 +179,23 @@ class XSPolicyAdmin:
             self.xsobjs[ref]  = acmpol
         return (acmpol, xsconstants.XSERR_SUCCESS, errors)
 
+
+    def reset_acmpolicy(self):
+        """
+           Attempt to reset the system's policy by udating it with
+           the DEFAULT policy.
+        """
+        from xen.xend import XendDomain
+        domains = XendDomain.instance()
+        try:
+            domains.domains_lock.acquire()
+            xml = ACMPolicy.get_reset_policy_xml()
+            flags = xsconstants.XS_INST_BOOT | xsconstants.XS_INST_LOAD
+            return self.__add_acmpolicy_to_system(xml, flags, True)
+        finally:
+            domains.domains_lock.release()
+
+
     def make_boot_policy(self, acmpol):
         if acmpol.is_default_policy():
             return xsconstants.XSERR_SUCCESS
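Review bot: In reset_acmpolicy `domains.domains_lock.acquire()` is placed inside the `try`, so if the acquire itself raises, the `finally` clause calls `release()` on a lock this thread does not hold. Moving `domains.domains_lock.acquire()` to the line before `try:` avoids that. The docstring has a typo (`udating` for `updating`). It could also say that the policy is installed with `XS_INST_BOOT | XS_INST_LOAD`, so both the running and the boot policy are replaced, and that the return value is the `(acmpol, rc, errors)` tuple from `__add_acmpolicy_to_system`. The hunk ends inside make_boot_policy, which continues outside the visible lines.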
diff -r dad243d08849 -r 433f6a6a862a tools/python/xen/xm/resetpolicy.py
--- a/tools/python/xen/xm/resetpolicy.py        Wed Dec 12 09:54:21 2007 +0000
+++ b/tools/python/xen/xm/resetpolicy.py        Wed Dec 12 09:57:55 2007 +0000
@@ -26,40 +26,6 @@ from xen.util import xsconstants
 from xen.util import xsconstants
 from xen.util.acmpolicy import ACMPolicy
 
-DOM0_UUID = "00000000-0000-0000-0000-000000000000"
-
-DEFAULT_policy_template = \
-"<?xml version=\"1.0\" ?>" +\
-"<SecurityPolicyDefinition xmlns=\"http://www.ibm.com\"; 
xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"; 
xsi:schemaLocation=\"http://www.ibm.com ../../security_policy.xsd\">" +\
-"  <PolicyHeader>" +\
-"    <PolicyName>DEFAULT</PolicyName>" +\
-"    <Version>1.0</Version>" +\
-"  </PolicyHeader>" +\
-"  <SimpleTypeEnforcement>" +\
-"    <SimpleTypeEnforcementTypes>" +\
-"      <Type>SystemManagement</Type>" +\
-"    </SimpleTypeEnforcementTypes>" +\
-"  </SimpleTypeEnforcement>" +\
-"  <ChineseWall>" +\
-"    <ChineseWallTypes>" +\
-"      <Type>SystemManagement</Type>" +\
-"    </ChineseWallTypes>" +\
-"  </ChineseWall>" +\
-"  <SecurityLabelTemplate>" +\
-"    <SubjectLabels bootstrap=\"SystemManagement\">" +\
-"      <VirtualMachineLabel>" +\
-"        <Name%s>SystemManagement</Name>" +\
-"        <SimpleTypeEnforcementTypes>" +\
-"          <Type>SystemManagement</Type>" +\
-"        </SimpleTypeEnforcementTypes>" +\
-"        <ChineseWallTypes>" +\
-"          <Type/>" +\
-"        </ChineseWallTypes>" +\
-"      </VirtualMachineLabel>" +\
-"    </SubjectLabels>" +\
-"  </SecurityLabelTemplate>" +\
-"</SecurityPolicyDefinition>"
-
 
 def help():
     return """
@@ -69,16 +35,6 @@ def help():
     since otherwise this operation will fail.
     """
 
-def get_reset_policy_xml(dom0_seclab):
-    if dom0_seclab == "":
-        return DEFAULT_policy_template % ""
-    else:
-        poltyp, policy, label = dom0_seclab.split(":")
-        if label != "SystemManagement":
-            return DEFAULT_policy_template % \
-                   (" from=\"%s\"" % label)
-        else:
-            return DEFAULT_policy_template % ""
 
 def resetpolicy():
     msg = None
@@ -99,13 +55,8 @@ def resetpolicy():
            not acmpol.is_default_policy():
             msg = "Old policy not found in bootloader file."
 
-        seclab = server.xenapi.VM.get_security_label(DOM0_UUID)
-        xml = get_reset_policy_xml(seclab)
         try:
-            policystate = server.xenapi.XSPolicy.set_xspolicy(xs_type,
-                                                              xml,
-                                                              flags,
-                                                              True)
+            policystate = server.xenapi.XSPolicy.reset_xspolicy(xs_type)
         except Exception, e:
             raise security.XSMError("An error occurred resetting the "
                                     "policy: %s" % str(e))
@@ -130,14 +81,7 @@ def resetpolicy():
            not acmpol.is_default_policy():
             msg = "Old policy not found in bootloader file."
 
-        seclab = server.xend.security.get_domain_label(0)
-        if seclab[0] == '\'':
-            seclab =  seclab[1:]
-        xml = get_reset_policy_xml(seclab)
-        rc, errors = server.xend.security.set_policy(xs_type,
-                                                     xml,
-                                                     flags,
-                                                     True)
+        rc, errors = server.xend.security.reset_policy()
         if rc != xsconstants.XSERR_SUCCESS:
             raise security.XSMError("Could not reset the system's policy. "
                                     "Try to halt all guests.")
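Review bot: The `errors` value returned by `server.xend.security.reset_policy()` is discarded on the failure path, so the user sees only the fixed hint "Try to halt all guests." whatever the actual cause was. The server side returns that field base64-encoded, so decoding it and appending it to the XSMError message when it is non-empty would make failures diagnosable, for example `base64.b64decode(errors)`. The surrounding resetpolicy() body starts outside this hunk, so whether `flags` is still used after this change cannot be confirmed from here.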

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
