direct-io.hg

view tools/security/xensec_ezpolicy @ 11330:3e54734e55f3

[IA64] Remove extraneous verbose output to clean up Fedora boot.

Signed-off-by: Aron Griffis <aron@hp.com>
author awilliam@xenbuild.aw
date Wed Aug 23 13:26:46 2006 -0600 (2006-08-23)
parents 947e09f90b3b
children 296d7aa451a3
line source
1 #!/usr/bin/env python
2 #===========================================================================
3 # This program is free software; you can redistribute it and/or
4 # modify it under the terms of version 2.1 of the GNU Lesser General Public
5 # License as published by the Free Software Foundation.
6 #
7 # This library is distributed in the hope that it will be useful,
8 # but WITHOUT ANY WARRANTY; without even the implied warranty of
9 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
10 # Lesser General Public License for more details.
11 #
12 # You should have received a copy of the GNU Lesser General Public
13 # License along with this library; if not, write to the Free Software
14 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
15 #============================================================================
16 # Copyright (C) 2006 International Business Machines Corp.
17 # Author: Reiner Sailer
18 #============================================================================
19 # use 'yum install wxPython' to get wx or download from www.wxpython.org
20 import sys, time, string
21 import wx
22 import wx.lib.buttons as buttons
23 """
24 This program creates a default policy based on names of organizations and departments.
25 The resulting policy can be refined using the policy generation tool (xensec_gen).
26 """
28 helpprovider = wx.SimpleHelpProvider()
29 wx.HelpProvider_Set(helpprovider)
31 ID_CS_START=1000
33 realm_bmp = None
34 workload_bmp = None
35 conflict_bmp = None
36 realm_icon = None
37 workload_icon = None
39 class orgTreeCtrl(wx.TreeCtrl):
41 event = None
43 def __init__(self, parent, id, pos, size, style, validator, name):
44 wx.TreeCtrl.__init__(self, parent, id, pos, size, style,
45 validator, name)
46 self.parent = parent
47 orgs_root = self.AddRoot(text="Organization / Department")
48 rootfont = wx.Font(pointSize=12, family=wx.FONTFAMILY_DEFAULT,
49 style=wx.FONTSTYLE_NORMAL, weight=wx.FONTWEIGHT_LIGHT)
50 self.SetItemFont(orgs_root, rootfont)
51 self.SetItemBackgroundColour(orgs_root, wx.LIGHT_GREY)
54 def LabelExists(self, label, item):
55 for i in iterchildren(self.GetItemParent(item)):
56 if (self.GetItemText(i) == label) and (i != item):
57 return True
58 return False
61 def _OrgEdt(self, event):
62 item = self.event.GetItem()
63 self.OrgEdt(item)
66 def OrgEdt(self, item):
67 oldlabel= self.GetItemText(item)
68 #get new name
69 dlg = wx.TextEntryDialog(self, "Please enter org/dept name:",
70 "Naming a Workload",
71 style=wx.CANCEL | wx.OK | wx.CENTRE | wx.TE_NOHIDESEL)
72 dlg.SetValue(oldlabel)
73 ret = dlg.ShowModal()
74 newlabel = dlg.GetValue()
75 dlg.Destroy()
76 if (ret == wx.ID_CANCEL) or (newlabel == ''):
77 return False
79 #now check if the new name is permissible
80 if self.LabelExists(newlabel, item):
81 dlg = wx.MessageDialog(self, 'Item with name ' + newlabel + ' already exists!',
82 'Rename', style=wx.OK)
83 dlg.ShowModal()
84 dlg.Destroy()
85 return False
87 #all checkspassed, change item and adapt runtime exclusion rules
88 self.SetItemText(item, newlabel)
89 app.win.LabelReplaceInConflictsets(item, oldlabel, newlabel)
90 return True
93 def _OrgRAdd(self, event):
94 self.OrgRAdd()
97 def OrgRAdd(self):
98 new = self.AppendItem(self.GetRootItem(), text="")
99 self.SetItemBold(new, True)
100 self.SetItemImage(new, realm_icon, wx.TreeItemIcon_Normal)
101 self.EnsureVisible(new)
102 if not self.OrgEdt(new):
103 self.Delete(new)
106 def _OrgWAdd(self, event):
107 item = self.event.GetItem()
108 self.OrgWAdd(item)
111 def OrgWAdd(self, item):
112 new = self.AppendItem(item, text="")
113 self.Expand(item)
114 self.SetItemImage(new, workload_icon, wx.TreeItemIcon_Normal)
115 self.EnsureVisible(new)
116 if not self.OrgEdt(new):
117 self.Delete(new)
120 class OrgsPanel(wx.Panel):
121 ID_CONSADDBTN = 145
122 ID_REALMADDBTN = 144
124 def __init__(self, parent, ID):
125 global realm_icon, workload_icon
127 wx.Panel.__init__(self, parent, -1)
129 #create image list
130 imagelist = wx.ImageList(16, 17, True)
131 #define generic function and use it for all input
132 realm_icon = imagelist.Add(realm_bmp)
133 workload_icon = imagelist.Add(workload_bmp)
135 #left tree control for organizations / workload definitions
136 orgshdrbox = wx.StaticBox(self, -1, "")
137 orgshdrboxsizer = wx.StaticBoxSizer(orgshdrbox, wx.HORIZONTAL)
138 orgshdr = wx.StaticText(self, -1, "Organization / Department Definition",
139 style=wx.ALIGN_CENTER)
140 orgshdr.SetHelpText(RealmWorkloadPanelHelp)
141 points = orgshdr.GetFont().GetPointSize() # get the current size
142 hdrfont = wx.Font(points + 2, family=wx.DEFAULT,
143 style=wx.FONTSTYLE_NORMAL, weight=wx.BOLD)
144 orgshdr.SetFont(hdrfont)
145 orgshdr.SetForegroundColour('MEDIUMBLUE')
146 orgshdr.SetBackgroundColour('SNOW')
147 orgshdrboxsizer.Add(orgshdr, proportion=1, flag=wx.EXPAND | wx.ALL | wx.ALIGN_LEFT, border=5)
148 addorgsbutton = wx.Button(self, self.ID_REALMADDBTN, "New Org", style=wx.BU_EXACTFIT)
149 addorgsbutton.SetToolTipString("Add A New Organization")
150 addorgsbutton.SetHelpText(NewRealmButtonHelp)
151 addorgsbutton.SetForegroundColour('MEDIUMBLUE')
152 addfont = wx.Font(points, family=wx.DEFAULT,
153 style=wx.FONTSTYLE_NORMAL, weight=wx.BOLD)
154 addorgsbutton.SetFont(addfont)
155 orgshdrboxsizer.Add(addorgsbutton, proportion=0, flag=wx.EXPAND | wx.ALL | wx.ALIGN_RIGHT, border=0)
157 self.orgs = orgTreeCtrl(self, -1,
158 pos=wx.DefaultPosition,
159 size=wx.DefaultSize,
160 style=wx.TR_HAS_BUTTONS | wx.TR_HIDE_ROOT | wx.TR_NO_LINES
161 | wx.TR_MULTIPLE,
162 validator=wx.DefaultValidator,
163 name="orgs")
164 self.orgs.AssignImageList(imagelist)
165 self.orgs.SetHelpText(RealmWorkloadPanelHelp)
167 self.addconsbutton = wx.Button(self, self.ID_CONSADDBTN,
168 "Create run-time exclusion rule from selection -->",
169 style=wx.BU_EXACTFIT)
170 self.addconsbutton.SetToolTipString("Create New Exclusion rule From Above Workload Selection")
171 self.addconsbutton.SetHelpText(CreateRunTimeButtonHelp)
172 self.addconsbutton.SetForegroundColour('MEDIUMBLUE')
173 addfont = wx.Font(points, family=wx.DEFAULT,
174 style=wx.FONTSTYLE_NORMAL, weight=wx.BOLD)
175 self.addconsbutton.SetFont(addfont)
176 self.addconsbutton.Bind(wx.EVT_BUTTON, self._AddConflict, id=self.ID_CONSADDBTN)
178 orgsvbox = wx.BoxSizer(wx.VERTICAL)
179 orgsvbox.Add(orgshdrboxsizer, proportion=0, flag=wx.EXPAND | wx.ALL, border=5)
180 orgsvbox.Add(self.orgs, proportion=1, flag=wx.EXPAND | wx.ALL, border=5)
181 orgsvbox.Add(self.addconsbutton, proportion=0, flag=wx.EXPAND | wx.ALL, border=5)
182 self.SetSizer(orgsvbox)
183 addorgsbutton.Bind(wx.EVT_BUTTON, self.orgs._OrgRAdd, id= self.ID_REALMADDBTN)
186 def _AddConflict(self, event):
187 app.win.conspanel._AddNewConflict(event)
190 class ConsPanel(wx.Panel):
191 ID_CONSSELECT = 151
192 ID_CONSADD = 152
193 ID_CONSRENAME = 153
194 ID_CONSDEL = 154
195 ID_CONSSELECTSUB= 155
197 conflictMAX = ID_CS_START
199 def __init__(self, parent, ID):
200 self.conflictsets = []
201 self.parent = parent
202 wx.Panel.__init__(self, parent, -1)
203 #header
204 conshdrbox = wx.StaticBox(self, -1, "")
205 conshdrboxsizer = wx.StaticBoxSizer(conshdrbox, wx.HORIZONTAL)
206 conshdr = wx.StaticText(self, -1, "Run-time Exclusion Rules", style=wx.ALIGN_CENTER)
207 conshdr.SetHelpText(RunTimeExclusionPanelHelp)
208 points = conshdr.GetFont().GetPointSize() # get the current size
209 hdrfont = wx.Font(points + 2, family=wx.DEFAULT,
210 style=wx.FONTSTYLE_NORMAL, weight=wx.BOLD)
211 conshdr.SetFont(hdrfont)
212 conshdr.SetForegroundColour('ORANGERED')
214 #context help button
215 ctxHelp = wx.ContextHelpButton(self)
216 ctxHelp.SetHelpText("Context Help Button.")
217 ctxHelp.SetToolTipString("Context Help: Press this button, then press any other button or panel to get help.")
220 conshdrboxsizer.Add(conshdr, proportion=1, flag=wx.EXPAND | wx.ALL | wx.ALIGN_LEFT, border=5)
221 conshdrboxsizer.Add(ctxHelp, proportion=0, flag=wx.EXPAND | wx.ALL | wx.ALIGN_RIGHT, border=0)
222 #scrolledwindow for all the run-time exclusion rules
223 conflictspanel = wx.ScrolledWindow(self, -1, (0,0),
224 style = wx.FULL_REPAINT_ON_RESIZE |
225 wx.VSCROLL )
226 conflictspanel.SetVirtualSize((1000, 1000))
227 conflictspanel.SetScrollRate(5,5)
228 self.conflictsboxsizer = wx.BoxSizer(wx.VERTICAL)
230 #self.conflictsboxsizer.Fit(self)
231 conflictspanel.SetSizer(self.conflictsboxsizer)
232 consvbox = wx.BoxSizer(wx.VERTICAL)
233 consvbox.Add(conshdrboxsizer, proportion=0, flag=wx.EXPAND | wx.ALL, border=5)
234 consvbox.Add(conflictspanel, proportion=1, flag=wx.EXPAND | wx.ALL, border=5)
235 self.SetSizer(consvbox)
236 self.consvbox = consvbox
237 self.conflictspanel=conflictspanel
239 self.cmenu = wx.Menu()
240 self.cmenu.Append(self.ID_CONSRENAME, "Rename Run-time Exclusion Rule", "Rename Run-time Exclusion Rule")
241 self.cmenu.AppendSeparator()
242 self.cmenu.Append(self.ID_CONSDEL, "Delete Run-time Exclusion Rule", "Delete Run-time Exclusion Rule")
243 self.Bind(wx.EVT_MENU, self._CSRename, id=self.ID_CONSRENAME)
244 self.Bind(wx.EVT_MENU, self._CSDelete, id=self.ID_CONSDEL)
247 #Helper methods called from anywhere
248 def New(self):
249 #delete all run-time exclusion rules
250 for i in self.conflictsets:
251 i.Disable()
252 i.Destroy()
253 self.conflictsets = []
254 self.conflictsboxsizer.Layout()
255 size=self.GetSize()
256 self.Fit()
257 self.SetSize(size)
260 def DelCSById(self, delid):
261 #delete CS representation
262 delpos, item = self.GetCSBox(delid)
263 if item:
264 self.DelCSByItem(item)
267 def DelCSByItem(self, item):
268 #delete CS representation
269 self.conflictsets.remove(item)
270 exists = self.conflictsboxsizer.Detach(item)
271 if exists:
272 item.Destroy()
273 self.RefreshMe()
276 def RefreshMe(self):
277 size=self.parent.GetSize()
278 self.parent.Fit()
279 self.parent.SetSize(size)
282 def GetOrgSelection(self):
283 (tree, selection) = GetOrgsSelection()
284 if not len(selection):
285 dlg = wx.MessageDialog(self, 'You must select first at least one Organization/Department workload!',
286 'Creating A New Run-time Rule', wx.OK | wx.ICON_ERROR)
287 dlg.ShowModal()
288 dlg.Destroy()
289 return None,None
290 # now rewrite selection (realm.workload extension, check consistency)
291 alist = []
292 for i in selection:
293 if isRealm(i):
294 alist.append(tree.GetItemText(i))
295 else:
296 alist.append(tree.GetItemText(tree.GetItemParent(i))
297 + "." + tree.GetItemText(i))
299 if isRealm(i):
300 for j in selection:
301 if tree.GetItemParent(j) == i:
302 violation = ("[ " + tree.GetItemText(i) + ", " +
303 tree.GetItemText(i) + "." + tree.GetItemText(j) + " ]")
304 dlg = wx.MessageDialog(self,
305 'Invalid Selection ' + violation + '.\n\n' +
306 'You can only select EITHER an Organization OR specific Department!',
307 'Creating A New Run-time Exclusion Rule', wx.OK | wx.ICON_ERROR)
308 dlg.ShowModal()
309 dlg.Destroy()
310 return None,None
311 return (alist, selection)
314 def AddConflict(self, name, types):
315 csbox = myCSPanel(self, self.conflictMAX, name, types)
316 self.conflictsboxsizer.Add(csbox, proportion=0, flag=wx.EXPAND | wx.ALL, border=5)
317 self.conflictsets.append(csbox)
318 self.conflictMAX = self.conflictMAX+3
319 self.RefreshMe()
320 csbox.RefreshMe()
323 def GetCSBox(self, id):
324 pos = -1
325 i = 0
326 while self.conflictsboxsizer.GetItem(i):
327 item = self.conflictsboxsizer.GetItem(i).GetWindow()
328 if ((item.cbmp.GetId() == id) or
329 (item.add_selection.GetId() == id) or
330 (item.del_selection.GetId() == id)):
331 pos = i
332 box = item
333 break
334 i = i + 1
335 if pos < 0:
336 print "Run-time Exclusion Rule Not Found ERROR!"
337 return (None, None)
338 else:
339 return (pos, box)
342 #bind methods
343 def _AddNewConflict(self, event):
344 # first get the conflicting workload types with current selection
345 types, items = self.GetOrgSelection()
346 if not types:
347 return
348 #get name for conflict set
349 dlg = wx.TextEntryDialog(
350 self, 'Please enter a name for the Run-time Exclusion Rule:', 'Creating A New Run-time Exclusion Rule')
351 dlg.SetValue("")
352 ret = dlg.ShowModal()
353 name = dlg.GetValue()
354 dlg.Destroy()
355 if ret != wx.ID_OK:
356 return
357 self.AddConflict(name, types)
360 def _OnClick(self, event):
361 self.event = event
362 app.win.SetStatusText("")
363 self.PopupMenu(self.cmenu)
366 def _CSRename(self, event):
367 delpos, item = self.GetCSBox(self.event.GetId())
368 if not item:
369 return
370 #allow to name the conflict set
371 dlg = wx.TextEntryDialog(
372 self, 'Please enter a new name for the Conflict Set:', 'Renaming A Run-time Exclusion Rule')
373 dlg.SetValue(item.box.GetLabel())
374 ret = dlg.ShowModal()
375 name = dlg.GetValue()
376 dlg.Destroy()
377 if ret != wx.ID_OK:
378 return
379 item.box.SetLabel(name)
380 item.box.SetFont(wx.Font(item.GetFont().GetPointSize(), family=wx.DEFAULT,
381 style=wx.FONTSTYLE_NORMAL, weight=wx.BOLD))
384 def _CSDelete(self, event):
385 delid = self.event.GetId()
386 self.DelCSById(delid)
389 def _AddOrgSelection(self, event):
390 addid = event.GetId()
391 addpos, item = self.GetCSBox(addid)
392 alist, items = self.GetOrgSelection()
393 if not alist:
394 return
395 existing = []
396 for i in range(0, item.clb.GetCount()):
397 existing.append(item.clb.GetString(i))
399 #now make sure that we don't get realm + workload into the same CS
400 for i in items:
401 if isRealm(i):
402 #ensure no workload of this realm is already in CS
403 realm = app.win.orgs.GetItemText(i)
404 for j in iterchildren(i):
405 workload = app.win.orgs.GetItemText(j)
406 try:
407 idx = existing.index (realm + "." + workload)
408 except:
409 #ok, does not exist
410 continue
411 #nok, exists already
412 violation = ("[ " + realm + ", " +
413 realm + "." + workload + " ]")
414 dlg = wx.MessageDialog(self,
415 'Invalid Selection ' + violation + '.\n\n' +
416 'You can only have EITHER an Organization OR a specific Department workload\n' +
417 'in a single Run-time Exclusion Rule',
418 'Adding Orgs/Depts workloads to a Run-time Exclusion Rule',
419 wx.OK | wx.ICON_ERROR)
420 dlg.ShowModal()
421 dlg.Destroy()
422 return
424 else:
425 #ensure realm of this workload is not in CS
426 realm = app.win.orgs.GetItemText(app.win.orgs.GetItemParent(i))
427 try:
428 idx = existing.index(realm)
429 except:
430 #ok, does not exist
431 continue
432 #nok, exists already
433 violation = ("[ " + realm + "." + app.win.orgs.GetItemText(i) +
434 ", " + realm + " ]")
435 dlg = wx.MessageDialog(self,
436 'Invalid Selection ' + violation + '.\n\n' +
437 'You can only have EITHER an Organization OR a specific Department workload\n' +
438 'in a single Run-time Exclusion Rule',
439 'Adding Orgs/Depts workloads to a Run-time Exclusion Rule',
440 wx.OK | wx.ICON_ERROR)
441 dlg.ShowModal()
442 dlg.Destroy()
443 return
444 #check if any of the selections are already in the conflict set
445 overlap=[]
446 for l in alist:
447 for e in existing:
448 if l == e:
449 overlap.append(str(l))
450 if len(overlap):
451 if len(overlap) == 1:
452 message = "Selected item " + str(overlap) +\
453 " is already in the Run-time Exclusion rule and will be ignored.\n\n Continue?"
454 else:
455 message = "Selected items " + str(overlap) +\
456 " are already in the Run-time Exclusion rule and will be ignored.\n\n Continue?"
457 dlg = wx.MessageDialog(self,
458 message, 'Adding Orgs/Depts workloads to a Run-time Exclusion rule',
459 wx.YES | wx.NO | wx.ICON_EXCLAMATION)
460 ret = dlg.ShowModal()
461 dlg.Destroy()
462 if ret != wx.ID_YES:
463 return
465 for s in alist:
466 try:
467 existing.index(s)
468 except Exception:
469 # s not yet in list box, add it
470 item.AddTypes([s])
471 self.RefreshMe()
474 def _DelConSelection(self, event):
475 eventid = event.GetId()
476 pos, item = self.GetCSBox(eventid)
477 idtuple = item.clb.GetSelections()
478 idlist = []
479 for i in idtuple:
480 idlist.append(i)
481 #delete reverse, otherwise item mubers get messed up while deleting
482 idlist.reverse()
483 for i in idlist:
484 item.clb.Delete(i)
485 item.RefreshMe()
486 if item.clb.GetCount() < 2:
487 dlg = wx.MessageDialog(self,
488 """Run-time exclusion set has less than two types.\n\n
489 Do you want to delete this rule?""",
490 'Deleting Orgs/Depts workloads from a Run-time Exclusion rule',
491 wx.YES| wx.NO | wx.ICON_QUESTION)
492 ret = dlg.ShowModal()
493 dlg.Destroy()
494 if ret == wx.ID_YES:
495 self.DelCSById(eventid)
496 return
497 else:
498 for i in item.clb.GetSelections():
499 item.clb.Deselect(i)
500 self.RefreshMe()
503 class myCSPanel(wx.Panel):
504 def __init__(self, parent, ID, title, list=[]):
505 wx.Panel.__init__(self, parent.conflictspanel, -1)
506 self.parent = parent
507 cspansizer = wx.BoxSizer(wx.VERTICAL)
508 self.box = wx.StaticBox(self, -1, title)
509 csboxsizer = wx.StaticBoxSizer(self.box, wx.HORIZONTAL)
510 #left: type add/del
511 typesizer = wx.BoxSizer(wx.VERTICAL)
512 self.add_selection = wx.Button(self, ID+1, "--> Add", style=wx.BU_EXACTFIT)
513 self.add_selection.SetToolTipString("Add Workload Selection To Run-time Exclusion rule")
514 self.add_selection.SetHelpText(AddToExclusionButtonHelp)
515 self.add_selection.SetForegroundColour('MEDIUMBLUE')
516 points = self.add_selection.GetFont().GetPointSize()
517 addfont = wx.Font(points, family=wx.DEFAULT,
518 style=wx.FONTSTYLE_NORMAL, weight=wx.BOLD)
519 self.add_selection.SetFont(addfont)
520 self.box.SetFont(addfont)
521 typesizer.Add(self.add_selection, proportion = 0, flag = wx.EXPAND | wx.ALL,border=0)
522 typesizer.Add((5,5))
523 self.del_selection = wx.Button(self, ID+2, "<-- Del", style=wx.BU_EXACTFIT)
524 self.del_selection.SetToolTipString("Delete Workload Selection From Run-time Exclusion Rule")
525 self.del_selection.SetHelpText(DelFromExclusionButtonHelp)
526 self.del_selection.SetForegroundColour('ORANGERED')
527 self.del_selection.SetFont(addfont)
528 typesizer.Add(self.del_selection, proportion = 0, flag = wx.EXPAND | wx.ALL, border=0)
529 csboxsizer.Add(typesizer, proportion = 0, border=0)
530 csboxsizer.Add((5,5))
531 #middle: types
532 self.clb = wx.ListBox(self, id=-1, choices=list,
533 style= wx.LB_MULTIPLE | wx.LB_SORT )
534 self.clb.SetHelpText(ExclusionSetHelp)
535 csboxsizer.Add(self.clb, proportion=1, flag=wx.EXPAND | wx.ALL, border=0)
536 csboxsizer.Add((5,5))
537 #right: Conflictset-global ops button
538 bmpsizer = wx.BoxSizer(wx.VERTICAL)
539 self.cbmp = buttons.GenBitmapButton(self, ID, conflict_bmp, style=wx.BU_EXACTFIT)
540 self.cbmp.SetHelpText(ManageExclusionButtonHelp)
541 self.cbmp.SetToolTipString("Rename/Delete\nAssociated Run-time Exclusion Rule")
542 bmpsizer.Add(self.cbmp, proportion = 0, flag = wx.EXPAND | wx.ALL, border=0)
543 csboxsizer.Add(bmpsizer, proportion=0, border=5)
544 cspansizer.Add(csboxsizer, proportion=0, flag=wx.EXPAND | wx.ALL, border=0)
545 self.csboxsizer=csboxsizer
546 self.cspansizer=cspansizer
547 self.SetSizer(cspansizer)
548 self.cbmp.Bind(wx.EVT_LEFT_DOWN, parent._OnClick, id=ID)
549 self.add_selection.Bind(wx.EVT_BUTTON, parent._AddOrgSelection, id=ID + 1)
550 self.del_selection.Bind(wx.EVT_BUTTON, parent._DelConSelection, id=ID + 2)
552 # append and delete an item to get rid of
553 # the ugly vertical scroll bar on the Listbox on Linux
554 def RefreshMe(self):
555 x = self.clb.Append(" ")
556 app.win.conspanel.RefreshMe()
557 self.clb.Delete(x)
558 self.Layout()
559 app.win.conspanel.Layout()
562 def AddTypes(self, list):
563 for i in list:
564 self.clb.Append(i)
565 self.RefreshMe()
568 def GetTypes(self):
569 alist = []
570 for i in range(0, self.clb.GetCount()):
571 alist.append(self.clb.GetString(i))
572 return alist
575 def GetBoxName(self):
576 return self.box.GetLabel()
579 def Replace(self, oldlabel, newlabel):
580 index = self.clb.FindString(oldlabel)
581 if index != wx.NOT_FOUND:
582 self.clb.SetString(index, newlabel)
585 def Delete(self, label):
586 index = self.clb.FindString(label)
587 if index != wx.NOT_FOUND:
588 self.clb.Delete(index)
591 class myHelpPanel(wx.Panel):
592 def __init__(self, parent, ID):
593 wx.Panel.__init__(self, parent, -1)
596 class ezFrame(wx.Frame):
598 ID_ABOUT = 101
599 ID_NEW = 102
600 ID_OPEN = 103
601 ID_SAVE = 104
602 ID_SAVEAS = 105
603 ID_EXIT = 106
604 ID_HELP = 107
606 ID_ITRENAME = 111
607 ID_ITADD = 112
608 ID_ITDEL = 113
610 ID_COLLAPSEALL = 121
611 ID_EXPANDALL = 122
612 ID_SORTALL = 123
614 ID_TRANSLATE = 131
616 ID_ORGEDT = 141
617 ID_ORGADD = 142
618 ID_ORGDEL = 143
620 def __init__(self, parent, ID, title):
621 global realm_bmp, workload_bmp, conflict_bmp
623 wx.Frame.__init__(self, parent, ID, title,
624 wx.DefaultPosition,
625 wx.Size(700,450)
626 )
628 realm_bmp = GetIconBitmap('Organization')
629 workload_bmp = GetIconBitmap('Department')
630 conflict_bmp = GetIconBitmap('Conflict')
631 self.SetHelpText(GetHelp)
632 self.orgfilename = None
633 self.CreateStatusBar()
634 self.SetStatusText("")
635 self.bkg = wx.Panel(self)
637 self.orgswin = wx.SashLayoutWindow(
638 self.bkg, -1, wx.DefaultPosition, (300, 150),wx.SW_3DSASH | wx.SW_BORDER)
640 self.orgswin.SetDefaultSize((300,150))
641 self.orgswin.SetOrientation(wx.LAYOUT_VERTICAL)
642 self.orgswin.SetAlignment(wx.LAYOUT_LEFT)
643 self.orgspanel = OrgsPanel(self.orgswin, -1)
644 self.orgs = self.orgspanel.orgs
646 self.realm_menu = wx.Menu()
647 self.realm_menu.Append(self.ID_ORGADD, "Add Department\tctrl-a", "Add Department Workload")
648 self.realm_menu.AppendSeparator()
649 self.realm_menu.AppendSeparator()
650 self.realm_menu.Append(self.ID_ORGEDT, "Rename Organization\tctrl-r", "Rename Organization Workload")
651 self.realm_menu.Append(self.ID_ORGDEL, "Delete Organization\tctrl-d", "Delete Organization Workload")
652 self.realm_menu.Bind(wx.EVT_MENU, self.orgs._OrgEdt, id= self.ID_ORGEDT)
653 self.realm_menu.Bind(wx.EVT_MENU, self.orgs._OrgWAdd, id= self.ID_ORGADD)
654 self.realm_menu.Bind(wx.EVT_MENU, self._ItemDel, id=self.ID_ORGDEL)
656 self.workload_menu = wx.Menu()
657 self.workload_menu.Append(self.ID_ORGEDT, "Rename Department\tctrl-r", "Rename Department Workload")
658 self.workload_menu.Append(self.ID_ORGDEL, "Delete Department\tctrl-d", "Delete Department Workload")
659 self.workload_menu.Bind(wx.EVT_MENU, self.orgs._OrgEdt, id= self.ID_ORGEDT)
660 self.workload_menu.Bind(wx.EVT_MENU, self._ItemDel, id=self.ID_ORGDEL)
662 self.orgs.Bind(wx.EVT_TREE_ITEM_RIGHT_CLICK, self._OrgRightClick)
663 self.orgs.Bind(wx.EVT_TREE_SEL_CHANGED, self._OrgSelectionChanged)
665 self.conswin = wx.SashLayoutWindow(
666 self.bkg, -1, wx.DefaultPosition, (300, 150),
667 #wx.NO_BORDER | wx.SW_3D
668 wx.SW_3DSASH | wx.SW_BORDER
669 )
670 self.conswin.SetDefaultSize((300,150))
671 self.conswin.SetOrientation(wx.LAYOUT_VERTICAL)
672 self.conswin.SetAlignment(wx.LAYOUT_RIGHT)
673 self.conswin.SetSashVisible(wx.SASH_LEFT, True)
674 self.conswin.SetSashVisible(wx.SASH_RIGHT, False)
676 #right tree control for non-concurrent workload execution
677 self.conspanel = ConsPanel(self.conswin, -1)
678 self.conspanel.RefreshMe()
679 self.bkg.Bind(wx.EVT_SASH_DRAGGED_RANGE, self._OnSashDrag, id=self.conswin.GetId(),
680 id2=self.conswin.GetId())
681 self.bkg.Bind(wx.EVT_SIZE, self._OnSize)
683 # Main Menu
684 # -File
685 fmenu = wx.Menu()
686 fmenu.Append(self.ID_OPEN, "Open Workload Definition...\tctrl-o", "Open current workload definition")
687 fmenu.Append(self.ID_SAVE, "Save Workload Definition\tctrl-s", "Save workload defintion")
688 fmenu.Append(self.ID_SAVEAS, "Save Workload Defintion as...\talt-s", "Save into new file")
689 fmenu.AppendSeparator()
690 fmenu.Append(self.ID_TRANSLATE, "Save as Xen ACM Security Policy ...\talt-t", "Create Xen ACM security policy")
691 fmenu.AppendSeparator()
692 fmenu.Append(self.ID_NEW, "New\tctrl-n", "Create a new oganization definition")
693 fmenu.AppendSeparator()
694 fmenu.Append(self.ID_EXIT, "Exit\tctrl-x", "Terminate the program")
695 self.fmenu = fmenu
697 # -Edit
698 emenu = wx.Menu()
699 emenu.Append(self.ID_ITRENAME, "Rename\tctrl-r", "Rename Selected Organization/Department")
700 emenu.Append(self.ID_ITADD, "Add\tctrl-a", "Add Child to Selected Organization/Department")
701 emenu.Append(self.ID_ITDEL, "Delete\tctrl-d", "Delete Selected Organization/Department")
702 self.emenu = emenu
703 # -Help
704 hmenu = wx.Menu()
705 hmenu.Append(self.ID_HELP, "Step-By-Step Help\tctrl-h", "More information about this program")
706 hmenu.Append(self.ID_ABOUT, "About", "More information about this program")
707 self.hmenu = hmenu
709 # -View
710 vmenu = wx.Menu()
711 vmenu.Append(self.ID_SORTALL, "Sort All", "Sort Entries In All Trees")
712 vmenu.Append(self.ID_COLLAPSEALL, "Collapse All\tctrl-c", "Collapse All Trees")
713 vmenu.Append(self.ID_EXPANDALL, "Expand All\tctrl-e", "Expand All Trees")
714 self.vmenu = vmenu
716 menuBar = wx.MenuBar()
717 menuBar.Append(fmenu, "&File");
718 menuBar.Append(emenu, "&Edit");
719 menuBar.Append(vmenu, "&View");
720 menuBar.Append(hmenu, "&Help");
722 self.SetMenuBar(menuBar)
724 self.Bind(wx.EVT_MENU, self._OpenSpec, id=self.ID_OPEN)
725 self.Bind(wx.EVT_MENU, self._SaveSpec, id=self.ID_SAVE)
726 self.Bind(wx.EVT_MENU, self._SaveAsSpec,id=self.ID_SAVEAS)
727 self.Bind(wx.EVT_MENU, self._NewSpec, id=self.ID_NEW)
728 self.Bind(wx.EVT_MENU, self._TimeToQuit,id=self.ID_EXIT)
729 self.Bind(wx.EVT_MENU, self._TranslateSpec, id=self.ID_TRANSLATE)
731 self.Bind(wx.EVT_MENU, self._ItemRename, id=self.ID_ITRENAME)
732 self.Bind(wx.EVT_MENU, self._ItemAdd, id=self.ID_ITADD)
733 self.Bind(wx.EVT_MENU, self._ItemDel, id=self.ID_ITDEL)
735 self.Bind(wx.EVT_MENU, self._SortAll, id=self.ID_SORTALL)
736 self.Bind(wx.EVT_MENU, self._CollapseAll,id=self.ID_COLLAPSEALL)
737 self.Bind(wx.EVT_MENU, self._ExpandAll, id=self.ID_EXPANDALL)
739 self.Bind(wx.EVT_MENU, self._Help, id=self.ID_HELP)
740 self.Bind(wx.EVT_MENU, self._OnAbout, id=self.ID_ABOUT)
741 self.Bind(wx.EVT_CLOSE, self._TimeToQuit)
744 def RefreshMe(self):
745 size=self.GetSize()
746 self.Fit()
747 self.SetSize(size)
749 #helper methods
750 def Load(self, file):
751 self.orgfilename = file
752 dictname = 'ezpolicy'
753 d = {}
754 # read in the config file
755 globs = {}
756 locs = {}
757 execfile(file, globs, locs)
758 for (k, v) in locs.items():
759 if k == dictname:
760 d = v
761 break
762 dict2org(d)
763 self.orgspanel.orgs.UnselectAll()
764 self.SetTitle("ezPolicy: " + self.orgfilename)
765 self._ExpandAll(None)
768 def Save(self, file):
769 dictname = 'ezpolicy'
770 d = org2dict()
771 fd = open(file, "w")
772 fd.write(dictname + " = ")
773 fd.write(str(d))
774 fd.close()
777 def New(self):
778 self.orgspanel.orgs.DeleteChildren(self.orgspanel.orgs.GetRootItem())
779 self.conspanel.New()
782 def LabelReplaceInConflictsets(self, item, oldlabel, newlabel):
783 if isRealm(item):
784 replace = [[ oldlabel, newlabel]]
785 for i in iterchildren(item):
786 replace.append([(oldlabel + "." + self.orgs.GetItemText(i)),
787 (newlabel + "." + self.orgs.GetItemText(i))])
788 else:
789 parent = self.orgs.GetItemParent(item)
790 replace = [
791 [(self.orgs.GetItemText(parent) + "." + oldlabel),
792 (self.orgs.GetItemText(parent) + "." + newlabel)]
793 ]
794 for r in replace:
795 for i in self.conspanel.conflictsets:
796 if r[0] in i.GetTypes():
797 i.Replace(r[0], r[1])
800 def OrgDelItem(self, item):
801 label = self.orgs.GetItemText(item)
802 if isRealm(item):
803 delset = [label]
804 for i in iterchildren(item):
805 delset.append(label + "." + self.orgs.GetItemText(i))
806 else:
807 parent = self.orgs.GetItemParent(item)
808 delset = [self.orgs.GetItemText(parent) + "." + label]
809 for i in self.conspanel.conflictsets:
810 for l in delset:
811 i.Delete(l)
812 #need to run in reverse order when deleting items
813 rev = []
814 for i in self.conspanel.conflictsets:
815 rev.append(i)
816 rev.reverse()
817 for i in rev:
818 if len(i.GetTypes()) < 1:
819 self.conspanel.DelCSByItem(i)
820 self.orgs.Delete(item)
823 def _OnSashDrag(self, event):
824 if event.GetDragStatus() == wx.SASH_STATUS_OUT_OF_RANGE:
825 return
826 w = event.GetEventObject()
827 if w is self.conswin:
828 self.conswin.SetDefaultSize((event.GetDragRect().width, 1000))
829 wx.LayoutAlgorithm().LayoutWindow(self.bkg, self.orgswin)
830 self.RefreshMe()
833 def _OnSize(self, event):
834 wx.LayoutAlgorithm().LayoutWindow(self.bkg, self.orgswin)
837 def _OrgSelectionChanged(self, event):
838 self.orgs.event = event
839 item = self.orgs.event.GetItem()
840 if not item.IsOk() or not self.orgs.IsSelected(item):
841 self.emenu.Enable(self.ID_ITRENAME, False)
842 self.emenu.Enable(self.ID_ITADD, False)
843 self.emenu.Enable(self.ID_ITDEL, False)
844 return
845 self.SetStatusText("")
846 #enable/disable edit menu functions
847 if isRealm(item):
848 self.emenu.Enable(self.ID_ITRENAME, True)
849 self.emenu.Enable(self.ID_ITADD, True)
850 self.emenu.Enable(self.ID_ITDEL, True)
851 elif isWorkload(item):
852 self.emenu.Enable(self.ID_ITRENAME, True)
853 self.emenu.Enable(self.ID_ITADD, False)
854 self.emenu.Enable(self.ID_ITDEL, True)
855 if len(self.orgs.GetSelections()) > 1:
856 self.emenu.Enable(self.ID_ITRENAME, False)
857 self.emenu.Enable(self.ID_ITADD, False)
860 def _OrgRightClick(self, event):
861 self.SetStatusText("")
862 self.orgs.event = event
863 item = self.orgs.event.GetItem()
864 #del not permitted on root items
865 if isWorkload(item):
866 self.workload_menu.Enable(self.ID_ORGDEL, True)
867 self.workload_menu.Enable(self.ID_ORGEDT, True)
868 if len(self.orgs.GetSelections()) > 1:
869 self.workload_menu.Enable(self.ID_ORGEDT, False)
870 self.PopupMenu(self.workload_menu)
871 else:
872 self.realm_menu.Enable(self.ID_ORGDEL, True)
873 self.realm_menu.Enable(self.ID_ORGEDT, True)
874 self.realm_menu.Enable(self.ID_ORGADD, True)
875 if len(self.orgs.GetSelections()) > 1:
876 self.realm_menu.Enable(self.ID_ORGEDT, False)
877 self.realm_menu.Enable(self.ID_ORGADD, False)
878 self.PopupMenu(self.realm_menu)
881 def _OpenSpec(self, event):
882 filediag = wx.FileDialog(self, defaultFile="myspec.wld",
883 wildcard="*.wld", style=wx.OPEN | wx.OVERWRITE_PROMPT,
884 message="Select Workload Definition file name")
885 ret = filediag.ShowModal()
886 name = filediag.GetPath()
887 filediag.Destroy()
888 if ret not in [wx.ID_OK]:
889 return
890 self.orgfilename = name
891 self.Load(self.orgfilename)
892 self.SetTitle("ezPolicy: " + self.orgfilename)
895 def _SaveSpec(self, event):
896 if not self.orgfilename:
897 filediag = wx.FileDialog(self, defaultFile="myspec.wld",
898 wildcard="*.wld", style=wx.SAVE | wx.OVERWRITE_PROMPT,
899 message="Select Workload Definition file name")
900 ret = filediag.ShowModal()
901 name = filediag.GetPath()
902 filediag.Destroy()
903 if ret not in [wx.ID_OK]:
904 return
905 self.orgfilename = name
906 self.Save(self.orgfilename)
907 self.SetTitle("ezPolicy: " + self.orgfilename)
910 def _SaveAsSpec(self, event):
911 if not self.orgfilename:
912 self.orgfilename = "DEFAULT.wld"
913 filediag = wx.FileDialog(self, defaultFile=self.orgfilename,
914 wildcard="*.wld", style=wx.SAVE | wx.OVERWRITE_PROMPT,
915 message="Select Workload Definition file name")
916 ret = filediag.ShowModal()
917 name = filediag.GetPath()
918 filediag.Destroy()
919 if ret not in [wx.ID_OK]:
920 return
921 self.orgfilename = name
922 self.Save(self.orgfilename)
923 self.SetTitle("ezPolicy: " + self.orgfilename)
926 def _NewSpec(self, event):
927 self.orgfilename = None
928 #reset trees etc
929 self.New()
930 self.SetTitle("ezPolicy: *New File*")
933 def _TranslateSpec(self, event):
934 policyname = transInfo()
935 if not policyname:
936 return
937 path="/etc/xen/acm-security/policies/"
938 nameparts=string.split(policyname, ".")
939 if len(nameparts) > 1:
940 path = path + "/".join(nameparts[0:len(nameparts)-1])
941 deffile = nameparts[len(nameparts) - 1] + "-security_policy.xml"
942 filediag = wx.FileDialog(self, defaultDir=path, defaultFile=deffile,
943 wildcard="*.xml", message="Select Policy File Name",
944 style=wx.SAVE | wx.OVERWRITE_PROMPT)
945 ret = filediag.ShowModal()
946 filename = filediag.GetPath()
947 filediag.Destroy()
948 if ret not in [wx.ID_OK]:
949 return
950 #translate data into default policy
951 timestamp = time.asctime()
952 d = org2dict()
953 types = []
954 for i in d['orgs']:
955 types.append(str(i[0]))
956 for j in i[1]:
957 types.append(str(i[0]) + "." + str(j))
958 f = open(filename, "w")
959 printPolicyHeader (f, policyname, timestamp)
960 printPolicy(f, types, d['cons'])
961 printLabels(f, d, types)#, d['cons'])
962 printTrailer(f)
963 f.close()
966 def _ItemRename(self, event):
967 #ensure only 1 item is selected
968 sels = self.orgs.GetSelections()
969 if len(sels) != 1:
970 return
971 self.orgs.OrgEdt(sels[0])
974 def _ItemAdd(self, event):
975 #ensure only 1 item is selected + add figure
976 sels = self.orgs.GetSelections()
977 if len(sels) != 1:
978 return
979 self.orgs.OrgWAdd(sels[0])
982 def _ItemDel(self, event):
983 sels = self.orgs.GetSelections()
984 for i in sels:
985 self.OrgDelItem(i)
988 def _CollapseAll(self, event):
989 for i in iterchildren(self.orgs.GetRootItem()):
990 self.orgs.Collapse(i)
993 def _ExpandAll(self, event):
994 for i in iterchildren(self.orgs.GetRootItem()):
995 self.orgs.Expand(i)
998 def _SortAll(self, event):
999 #would be nice to also sort the organizations
1000 for i in iterchildren(self.orgs.GetRootItem()):
1001 if self.orgs.GetChildrenCount(i) > 0:
1002 self.orgs.SortChildren(i)
1005 def _OnAbout(self, event):
1006 dlg = wx.MessageDialog(self,
1007 "This program helps you to define the structure\n"
1008 "of organizations and their departments.\n\n"
1009 "It translates this \'Workload Definition\' into\n"
1010 "a simple workload protection policy for the\n"
1011 "Xen Access Control Module.\n\n\n"
1012 "Copyright (c) 2006: IBM Corporation\n"
1013 "Author:\nReiner Sailer <sailer@us.ibm.com>",
1014 "About Me", wx.OK | wx.ICON_INFORMATION)
1015 dlg.ShowModal()
1016 dlg.Destroy()
1019 def _Help(self, event):
1020 hpopup = wx.Frame(self,-1, "HELP: Creating a Xen Security Policy in 3 Steps" )
1021 HelpHtmlWindow(hpopup, -1)
1022 hpopup.SetSize((650,650))
1023 hpopup.Show(True)
1026 def _TimeToQuit(self, event):
1027 self.Bind(wx.EVT_CLOSE, None)
1028 self.orgs.Bind(wx.EVT_TREE_ITEM_RIGHT_CLICK, None)
1029 self.orgs.Bind(wx.EVT_TREE_SEL_CHANGED, None)
1030 self.Close(True)
1033 class ezApp(wx.App):
1035 def OnInit(self):
1036 self.win = ezFrame(None, -1, title="EZ Workload Protection Policy Tool")
1037 self.win.Show(True)
1038 self.SetTopWindow(self.win)
1039 return True
1042 def Load(self, file):
1043 self.win.Load(file)
1046 def New(self):
1047 self.win.New()
1050 def isRealm(it):
1051 if not it:
1052 return False
1053 return (app.win.orgspanel.orgs.GetItemParent(it) == app.win.orgspanel.orgs.GetRootItem())
1056 def isWorkload(it):
1057 if not it or not app.win.orgs.GetItemParent(it):
1058 return False
1059 return (app.win.orgspanel.orgs.GetItemParent(app.win.orgspanel.orgs.GetItemParent(it))
1060 == app.win.orgspanel.orgs.GetRootItem())
1063 def GetOrgsSelection():
1064 return (app.win.orgspanel.orgs, app.win.orgspanel.orgs.GetSelections())
1067 def transInfo():
1068 info = wx.TextEntryDialog(app.win, message="POLICYNAME",
1069 caption="Translate: Creating The Xen/ACM Policy")
1070 ret = info.ShowModal()
1071 name = info.GetValue()
1072 info.Destroy()
1073 if ret in [wx.ID_OK]:
1074 return name
1075 return None
1078 def iterchildren(node):
1079 cid, citem = app.win.orgspanel.orgs.GetFirstChild(node)
1080 while cid.IsOk():
1081 yield cid
1082 cid, citem = app.win.orgspanel.orgs.GetNextChild(node, citem)
1085 def dict2org(d):
1086 # release old structure
1087 app.New()
1088 # fill them with dict content
1089 for i in d['orgs']:
1090 orgnode = app.win.orgspanel.orgs.AppendItem(app.win.orgspanel.orgs.GetRootItem(), text=i[0])
1091 app.win.orgspanel.orgs.SetItemBold(orgnode, True)
1092 app.win.orgspanel.orgs.SetItemImage(orgnode, realm_icon, wx.TreeItemIcon_Normal)
1093 for j in i[1]:
1094 wlnode = app.win.orgspanel.orgs.AppendItem(orgnode, text=j)
1095 app.win.orgspanel.orgs.SetItemImage(wlnode, workload_icon, wx.TreeItemIcon_Normal)
1096 for i in d['cons']:
1097 app.win.conspanel.AddConflict(i[0], i[1])
1100 def org2dict():
1101 global app
1102 dic = {}
1103 o= []
1104 for i in iterchildren(app.win.orgs.GetRootItem()):
1105 d = []
1106 for j in iterchildren(i):
1107 d.append(str(app.win.orgspanel.orgs.GetItemText(j)))
1108 o.append([str(app.win.orgspanel.orgs.GetItemText(i)) , d])
1109 dic['orgs'] = o
1110 c=[]
1111 for i in app.win.conspanel.conflictsets:
1112 c.append([i.GetBoxName() , i.GetTypes()])
1113 dic['cons'] = c
1114 return dic
1117 def dict_read(dictname, filename):
1118 """Loads <filename> and returns the dictionary named <dictname> from
1119 the file.
1120 """
1121 dic = {}
1123 # read in the config file
1124 globs = {}
1125 locs = {}
1126 execfile(filename, globs, locs)
1128 for (k, v) in locs.items():
1129 if k == dictname:
1130 dic = v
1131 break
1132 return dic
1134 #==================== Policy Generation/Translation functions
1136 def printPolicyHeader (fd, policyname, timestamp):
1137 fd.write( """<?xml version=\"1.0\" encoding=\"UTF-8\"?>
1138 <!-- Auto-generated by ezPolicy -->
1139 <SecurityPolicyDefinition xmlns=\"http://www.ibm.com\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:schemaLocation=\"http://www.ibm.com ../../security_policy.xsd \">
1140 <PolicyHeader>
1141 <PolicyName>%s</PolicyName>
1142 <Date>%s</Date>
1143 </PolicyHeader>
1144 """ % (policyname, timestamp))
1148 def printPolicy(fd, types, cons):
1149 fd.write("""
1150 <SimpleTypeEnforcement>
1151 <SimpleTypeEnforcementTypes>
1152 <Type>SystemManagement</Type>\n""")
1154 # add dynamically created type definitions org.dept
1155 for i in types:
1156 fd.write(""" <Type>%s</Type>\n""" % i)
1158 fd.write(""" </SimpleTypeEnforcementTypes>
1159 </SimpleTypeEnforcement>
1161 <ChineseWall priority="PrimaryPolicyComponent">
1162 <ChineseWallTypes>
1163 <Type>SystemManagement</Type>\n""")
1165 #add dinamically created cw types
1166 for i in types:
1167 fd.write(""" <Type>%s</Type>\n""" % i)
1169 fd.write(""" </ChineseWallTypes>\n\n""")
1171 if len(cons):
1172 fd.write(""" <ConflictSets>\n""")
1173 for i in cons:
1174 if len(i[1]) < 2:
1175 print "Ignoring Run-time exclusion set %s (less than 2 types}" % i[0]
1176 continue
1177 #name is optional but must be set
1178 if i[0]:
1179 rer_name = str(i[0])
1180 else:
1181 rer_name = str("RER")
1182 fd.write(""" <Conflict name=\"%s\">\n""" % rer_name)
1183 for j in i[1]:
1184 fd.write(""" <Type>%s</Type>\n""" % str(j))
1185 fd.write(""" </Conflict>\n""")
1186 fd.write(""" </ConflictSets>\n""")
1188 fd.write(""" </ChineseWall>\n\n""")
1192 def printLabels(fd, d, types): #, cons):
1193 fd.write( """ <SecurityLabelTemplate>
1194 <SubjectLabels bootstrap=\"SystemManagement\">""")
1196 # create default boot label for dom0
1197 fd.write("""\n <VirtualMachineLabel>
1198 <Name>SystemManagement</Name>
1199 <SimpleTypeEnforcementTypes>
1200 <Type>SystemManagement</Type>\n""")
1201 # add dynamically created type definitions org.dept
1202 for i in types:
1203 fd.write(""" <Type>%s</Type>\n""" % i)
1205 fd.write(""" </SimpleTypeEnforcementTypes>
1206 <ChineseWallTypes>
1207 <Type>SystemManagement</Type>
1208 </ChineseWallTypes>
1209 </VirtualMachineLabel>\n""")
1211 # create one Udom label for each type ste type
1212 for i in d['orgs']:
1213 organization = i[0]
1214 fd.write("""\n <VirtualMachineLabel>
1215 <Name>%s</Name>
1216 <SimpleTypeEnforcementTypes>
1217 <Type>%s</Type>
1218 </SimpleTypeEnforcementTypes>
1219 <ChineseWallTypes>
1220 <Type>%s</Type>
1221 </ChineseWallTypes>
1222 </VirtualMachineLabel>\n""" % (organization, organization, organization))
1223 for j in i[1]:
1224 workload = organization + "." + j
1225 fd.write("""\n <VirtualMachineLabel>
1226 <Name>%s</Name>
1227 <SimpleTypeEnforcementTypes>
1228 <Type>%s</Type>
1229 </SimpleTypeEnforcementTypes>
1230 <ChineseWallTypes>
1231 <Type>%s</Type>
1232 <Type>%s</Type>
1233 </ChineseWallTypes>
1234 </VirtualMachineLabel>\n""" % (workload, workload, organization , workload))
1236 fd.write(""" </SubjectLabels>\n\n""")
1238 #create resource labels for each type
1239 fd.write(""" <ObjectLabels>""")
1240 for i in ['SystemManagement'] + types:
1241 fd.write("""\n <ResourceLabel>
1242 <Name>%s</Name>
1243 <SimpleTypeEnforcementTypes>
1244 <Type>%s</Type>
1245 </SimpleTypeEnforcementTypes>
1246 </ResourceLabel>\n""" % (i, i))
1247 fd.write(""" </ObjectLabels>
1248 </SecurityLabelTemplate>\n""")
1250 def printTrailer(fd):
1251 fd.write( """</SecurityPolicyDefinition>\n""")
1253 #============== the icons/bitmaps ======================================
1254 # to ensure the program runs anywhere, we include the buttons right here
1255 # while this makes the file even bigger, it also makes it easier to use
1256 import cStringIO
1258 def GetIconBitmap(name):
1259 return wx.BitmapFromImage(GetIconImage(name))
1261 def GetIconImage(name):
1262 if name == 'Organization':
1263 iostream = cStringIO.StringIO(GetOrganizationIconData())
1264 elif name == 'Department':
1265 iostream = cStringIO.StringIO(GetDepartmentIconData())
1266 elif name == 'Conflict':
1267 iostream = cStringIO.StringIO(GetConflictIconData())
1268 else:
1269 sys.exit("UNKNOWN ICON NAME")
1270 return wx.ImageFromStream(iostream)
1272 def GetOrganizationIconData():
1273 return \
1274 '\x89PNG\x0d\x0a\x1a\x0a\x00\x00\x00\x0d\x49\x48\x44\x52\
1275 \x00\x00\x00\x10\x00\x00\x00\x11\x08\x02\x00\x00\x00\x5b\xcd\xbb\
1276 \x93\x00\x00\x00\x03\x73\x42\x49\x54\x08\x08\x08\xdb\xe1\x4f\xe0\
1277 \x00\x00\x02\x7b\x49\x44\x41\x54\x28\x91\x5d\xd1\xcb\x4f\x13\x51\
1278 \x14\x06\xf0\x73\x1f\x74\x3a\x33\x9d\x96\x87\x0a\x14\x30\x3c\xd4\
1279 \x60\x34\xf1\xb1\x70\xa5\x26\x2e\xfc\x87\x4d\xdc\x18\x17\x26\x08\
1280 \x26\x44\x01\xc1\x07\x10\x52\x1e\x96\xb6\x94\x4a\x87\x0e\x33\x73\
1281 \xef\xdc\x7b\xcf\x71\x01\x31\x81\x6f\x73\x36\xe7\xb7\xf8\xf2\x31\
1282 \x22\x82\xab\x50\x51\x68\xa5\xd2\x6e\x77\xbf\xdd\xf8\x36\x52\x1b\
1283 \x5f\x78\xfc\xc6\x0f\x6b\x70\x3d\xf2\xea\x97\x28\x8e\xbb\xfd\x7e\
1284 \xd7\xb9\xb4\x3e\xe9\xe3\x99\x1d\x34\x3f\x34\xb9\xaa\x2f\xbe\x0d\
1285 \x2a\xa3\x8c\xb1\xff\x80\x5f\x1e\x63\x4c\x9a\x1e\x23\xaa\x24\xd1\
1286 \x8c\x91\xe0\xae\x04\xb1\xed\x7e\x6a\xff\x7e\x7f\x11\xb7\x01\xe8\
1287 \x26\x90\x52\x02\x98\x30\xac\xf8\x7e\x95\x88\x13\x5a\x0e\x4e\xe0\
1288 \xb9\xe9\x6f\xf5\xbb\x87\x5a\x17\x37\x01\xe7\x1c\x00\x38\x37\x9e\
1289 \x87\x9c\x91\xb3\xce\x21\x2f\xc8\x4b\xac\xec\xf5\xf6\x76\xd7\xdf\
1290 \xa9\x6c\x70\xad\x03\x00\x30\xc6\x6b\x35\x19\x86\x5c\x48\x42\x59\
1291 \x71\xd1\x3d\x88\x26\x82\x68\x8a\xf4\xa0\x68\x7f\x69\xed\xc0\x9d\
1292 \xb9\xd7\x41\xf5\xf6\x15\x50\x2a\x07\x60\xe5\xb2\x04\x00\x6b\x1d\
1293 \x56\x67\x71\x68\xbc\x67\x43\xe3\xa2\x49\x8c\xcb\x10\xe7\xad\xa5\
1294 \x53\x80\x5b\xb3\xaf\xa4\x52\x79\x9e\x0f\x8c\x4d\x01\xdc\x25\xb6\
1295 \x08\x27\x38\xaa\xb9\x3b\x4a\xb4\x13\x30\x02\x69\xc0\x1c\xc7\x9e\
1296 \xea\x2c\x1f\x1b\x23\x9b\xad\x46\xaa\xce\x53\x60\x7e\x09\xa7\x2e\
1297 \x81\xc3\xf6\x05\x58\xc7\x12\x2c\x45\x1e\x17\x45\xce\x19\x32\x42\
1298 \x61\xbb\x67\xad\x75\x79\xd0\x69\x9f\x23\x0e\xc0\x1f\x2e\xb3\x67\
1299 \x00\x00\x80\x04\x85\x25\x72\x56\x7a\xa1\xc7\x32\x61\x33\xb8\x1a\
1300 \x97\xca\xc1\xa8\x74\xa2\xd2\xd3\x8a\x0b\xc8\x0c\x68\xa5\x8c\xb1\
1301 \x8e\x0d\x21\x22\x3a\xc7\x3c\xe9\x51\x21\x51\x01\x21\x00\x38\xe4\
1302 \x95\xb1\xfb\x7c\xb8\x12\x0a\x00\xb2\x46\x19\x6c\xfd\x39\xdc\xda\
1303 \xda\x56\xca\x5c\x6e\x6f\xb4\x4e\xe2\x93\xbf\x49\xac\x8d\x23\x00\
1304 \xc7\x82\x70\x64\x5a\xd6\xc2\x00\x6d\x47\x08\x40\x12\x8d\x9d\x5f\
1305 \x5f\x77\xe2\xdb\x33\x73\x51\x89\x98\x60\x71\xaf\xf9\xf3\x70\xa5\
1306 \x99\x1c\x3c\x19\xe3\xf5\x9a\x57\x1d\x1e\xf5\x82\x31\x59\xe8\x84\
1307 \x9b\x6c\x38\x08\x98\xc7\xb2\x76\x7a\xd2\xcf\x38\xc0\xf3\x49\xe6\
1308 \x97\x82\xc1\xc9\xd2\x86\x5b\xdf\x3f\x75\x8d\x01\x3d\xb9\x55\x79\
1309 \x51\xf2\x26\x84\x2f\x3f\xaf\x7d\x0c\xfd\xe0\xe9\xdd\xa7\xbe\x70\
1310 \xdb\x1d\x1f\x31\x16\x9c\xcd\x4f\x8d\x29\xad\x3b\x71\x13\x88\x72\
1311 \x8d\x22\xa2\x8d\x63\xdd\xef\x37\xa2\xf9\x16\xdf\x6d\x6f\x4a\x91\
1312 \xf9\x43\xae\x1a\xf9\x82\x0b\x21\xf8\x45\x9a\x69\x5d\x74\xba\xa7\
1313 \x44\x90\xb7\x1c\x9d\x1b\x8c\x2d\xa5\xf4\xeb\xa8\xb9\x77\xb4\x2f\
1314 \x1f\xd5\x17\xbf\x6f\xad\x2d\xaf\xad\x3e\x9c\x78\x50\xaf\x08\xa5\
1315 \xcc\xee\xee\xfe\x4e\x63\x73\xe5\xc7\xea\x41\xe3\xf8\x0e\x8a\x97\
1316 \xf7\x66\x92\x3c\xa9\x4f\x4f\x64\xa5\xb9\x87\x0b\x8b\xff\x00\x63\
1317 \xce\x84\xe6\xf7\x5b\x7e\xce\x00\x00\x00\x00\x49\x45\x4e\x44\xae\
1318 \x42\x60\x82'
1320 def GetDepartmentIconData():
1321 return \
1322 '\x89PNG\x0d\x0a\x1a\x0a\x00\x00\x00\x0d\x49\x48\x44\x52\
1323 \x00\x00\x00\x10\x00\x00\x00\x11\x08\x06\x00\x00\x00\xd4\xaf\x2c\
1324 \xc4\x00\x00\x00\x04\x73\x42\x49\x54\x08\x08\x08\x08\x7c\x08\x64\
1325 \x88\x00\x00\x01\x52\x49\x44\x41\x54\x38\x8d\xd5\x92\x3d\x4b\x42\
1326 \x61\x18\x86\xaf\xf3\xfa\xfa\x81\xa9\x58\x48\x60\x08\x49\xd2\x26\
1327 \xb4\x37\x4a\x14\x6d\x6d\x42\x42\x7f\x20\x68\xae\x31\x28\xff\x85\
1328 \x83\xd0\x90\x05\x0d\x6d\x0d\xd2\x2a\x89\x24\x48\xb8\x85\x49\x1a\
1329 \x48\x87\xd4\xca\x93\xbe\xd4\x69\x38\x39\x1c\xa8\x34\x1a\xa2\x7b\
1330 \xbb\x79\xb8\xaf\x87\xe7\x43\x0b\x2f\x6c\xad\x05\x23\x4b\x39\x4d\
1331 \x38\x5d\xe6\xdb\x80\x9b\xab\xd3\x7a\xaf\x96\x99\x65\x4c\xc9\xfb\
1332 \x97\xd9\xdc\x43\xb3\xef\x82\x3e\xaf\xc6\x2d\x4a\x9b\x33\xc7\x0d\
1333 \x03\x48\x25\xa3\x4e\x25\x86\x0d\x0d\xbc\x8e\x8e\xff\x28\x95\x3a\
1334 \x70\x08\x21\x01\x0e\xcb\xe5\x5a\xb6\x52\xd9\xfe\x12\x60\x73\xa6\
1335 \x62\x7f\xae\x3a\x15\xf5\xf8\x52\x00\x8d\x6e\x97\xc5\x40\xe0\x32\
1336 \x0b\xdb\x00\x3e\x9f\xf0\xa4\xd3\x33\x9b\x5e\xaf\x70\x01\xe4\xf3\
1337 \x9d\xb6\x1d\xf0\xd6\x67\x3d\xe4\x60\xfa\xc3\xb6\x0d\x03\xb7\x10\
1338 \xc3\xaa\xd8\xd9\x99\x3c\x49\x24\x3c\xab\x00\xdd\xae\xc2\x30\x1e\
1339 \xaf\xed\x80\xef\xe5\x4e\x26\xf5\x95\x58\x4c\x07\xa0\x50\x80\x60\
1340 \x10\xc4\x88\xd0\x48\xfd\x1a\x30\x72\x84\x62\x24\x12\x9b\xdf\xdd\
1341 \x3d\x33\x95\x12\x26\x7b\xda\x8f\x00\xe7\x42\x70\x1c\x8f\x07\x34\
1342 \x29\x97\x91\x12\xd0\x00\xfb\x9b\x7c\x0b\xd0\xc3\x61\x5a\xa1\x90\
1343 \x65\x06\x03\xcc\x4f\x5e\xec\xef\x97\xf8\xcf\x01\x4f\x4f\xd4\x25\
1344 \xbd\xea\x05\x4a\xb7\xee\xdb\xab\x3e\x17\x5a\xad\x89\xa0\xdb\x0d\
1345 \x40\x43\x08\x0d\xbf\xdf\xda\xbd\x52\x14\x8b\x26\x77\x4d\x2b\x5c\
1346 \x2a\xa1\x67\x32\x6c\xbc\x03\x17\xdb\x6e\x97\x68\x69\xf7\x4f\x00\
1347 \x00\x00\x00\x49\x45\x4e\x44\xae\x42\x60\x82'
1349 def GetConflictIconData():
1350 return \
1351 '\x89PNG\x0d\x0a\x1a\x0a\x00\x00\x00\x0d\x49\x48\x44\x52\
1352 \x00\x00\x00\x10\x00\x00\x00\x10\x08\x02\x00\x00\x00\x90\x91\x68\
1353 \x36\x00\x00\x00\x03\x73\x42\x49\x54\x08\x08\x08\xdb\xe1\x4f\xe0\
1354 \x00\x00\x02\x45\x49\x44\x41\x54\x28\x91\x6d\x92\x4f\x48\x9a\x71\
1355 \x18\xc7\x7f\xbe\xef\xab\xcd\xed\x95\xcd\x8c\x25\x83\xc0\x24\xa9\
1356 \xc3\x4a\x17\xce\xea\x96\x3b\xe4\x0e\x5d\xba\xce\xa8\x88\xe8\x20\
1357 \x1a\x15\x1d\x3a\x78\x09\xf2\xed\xcf\xe8\x32\x68\x45\x56\x93\x66\
1358 \x94\x78\x99\x53\x68\x4e\x1b\xe1\x61\x30\xc2\x19\x5b\x16\xac\x9c\
1359 \x76\x19\x92\x2e\x35\xa6\x7b\xf7\xda\xfb\x3e\x3b\xd8\x9c\x9b\x7e\
1360 \x8e\xdf\xdf\xf3\x81\xdf\xf3\x87\x07\x00\xe8\x0f\x99\xb3\xb3\xd0\
1361 \xca\xca\x17\x97\x2b\x75\x7a\x8a\xf1\xf9\x77\xea\xeb\xe5\x3a\xdd\
1362 \x83\xe1\xe1\x6a\x85\xa2\x58\xc3\x2b\x08\x5c\x3e\x1f\x98\x9a\xfa\
1363 \xb0\xb0\x80\xf3\xf9\x72\x9d\xae\x56\xa5\xe2\x58\x36\x13\x8b\x9d\
1364 \xb8\xdd\x3f\x2f\x2e\x1e\x8e\x8c\x3c\x9a\x9d\xc5\xab\xaa\x10\x42\
1365 \x08\x00\x38\x96\x75\xf6\xf4\x58\x78\xbc\x37\x46\x23\x9d\x4e\x43\
1366 \x09\x57\x34\xfd\x7e\x6e\x6e\x4e\x28\xb4\x6b\xb5\x2c\xc3\x00\x00\
1367 \x02\x80\x77\x93\x93\xd3\x08\x51\x04\x71\xec\x74\x42\x25\xbe\xfa\
1368 \x7c\xf3\x24\xb9\x63\x30\x00\x00\x4a\x45\x22\x33\x02\x81\xd7\x64\
1369 \x5a\x69\x6e\x9e\xe1\xf3\x8f\x1c\x8e\x8a\xce\xc7\xe5\x65\x0b\x86\
1370 \x7d\xdb\xdf\x47\xfe\x89\x89\xa7\x22\xd1\xaf\xcb\xcb\x6c\x22\x61\
1371 \x55\x2a\x29\x82\x08\x6f\x6d\x95\x0b\x1c\xcb\x3e\x57\x28\x3c\x43\
1372 \x43\x68\x5d\xa3\x71\x74\x77\x17\xd2\x5c\x32\x69\x55\xa9\x28\x82\
1373 \x38\xdc\xdc\x2c\x77\xbc\x26\xd3\xb3\xba\x3a\xec\xfb\xf1\xb1\xb8\
1374 \xa1\xa1\x30\x32\xa1\x44\xa2\xdf\xdd\xbd\xdb\xd2\xf2\xba\xbf\xff\
1375 \xd0\x6e\x47\xff\x22\x69\x6a\xfa\x11\x8f\x63\x1c\xcb\xb2\x0c\x53\
1376 \x4c\x85\xd5\xd5\x7a\xbf\xbf\x56\xa9\x74\x0f\x0c\x7c\xde\xd8\x28\
1377 \x15\x80\xe3\x80\xe3\xb0\xdb\x32\x59\x26\x1a\x2d\x7d\xb8\x21\x16\
1378 \x3f\xf1\xf9\xa4\xad\xad\x9e\xc1\xc1\x4f\x36\x5b\x31\x4f\x47\xa3\
1379 \xa4\x54\x8a\x7c\xe3\xe3\xf3\x24\x99\x4b\x26\xff\xfb\x31\x9d\x4a\
1380 \xad\x6b\x34\x14\x8e\x1f\xac\xad\x15\x9a\x5e\x6a\x6c\x74\xf5\xf5\
1381 \xa1\x44\x38\x4c\xe1\xf8\xdb\xd1\xd1\xf2\x2e\xe9\x74\xfa\x45\x7b\
1382 \xbb\x05\xc3\x42\x56\x6b\x70\x69\xc9\xc2\xe3\x9d\x05\x02\x08\x00\
1383 \x76\x0c\x06\x8a\x20\xc2\xdb\xdb\x15\x9c\x4c\xc6\xd6\xd1\x61\xc1\
1384 \xb0\x79\x92\x7c\xa5\xd7\x5f\x6f\x9a\x65\x98\x97\x9d\x9d\x14\x8e\
1385 \xef\x99\xcd\x57\x34\x5d\x2a\xb0\x0c\xb3\x67\x36\x4f\x23\xb4\xae\
1386 \x56\xe7\x73\x39\x00\xb8\x3e\xbe\x7c\x2e\xe7\x1b\x1b\x3b\x58\x5d\
1387 \xbd\x59\x53\x23\xef\xea\x2a\x0c\x3a\x13\x8b\x45\xbc\xde\x6c\x3c\
1388 \x7e\xbf\xb7\xf7\xf1\xe2\xa2\x40\x24\xfa\x7b\xad\x05\xe2\xc1\x60\
1389 \xc8\x6a\x3d\xf1\x78\xb2\xe7\xe7\x88\xe3\x6e\x49\xa5\x32\xad\x56\
1390 \x6d\x34\xde\x6b\x6b\x2b\xd6\xfc\x06\xb3\xcb\xb3\xdb\x2f\x3f\x31\
1391 \xa9\x00\x00\x00\x00\x49\x45\x4e\x44\xae\x42\x60\x82'
1393 #=============== help texts
1395 NewRealmButtonHelp = \
1396 "Use this button to add a new top-level REALM type. \n\n\
1397 You can refine an existing realm by right-clicking it \
1398 and selecting \"Add workload\" from the pop-up menu.\n\n<Ctrl>-h for help"
1400 RealmWorkloadPanelHelp = \
1401 "\
1402 Use this panel to define names for types of workloads that \
1403 shall be confined against each other.\n\n<Ctrl>-h for help"
1405 RunTimeExclusionPanelHelp = \
1406 "\
1407 The run-time exclusion rules restrict which workload types \
1408 can run simultaneously on the same platform. At most one \
1409 type in an exclusion rule can run. If a domain starts, its \
1410 workload type is looked up and if it is in any exclusion rule \
1411 of which another type is already running, then it is denied \
1412 to start.\n\n<Ctrl>-h for help"
1414 CreateRunTimeButtonHelp = \
1415 "\
1416 This button creates a new run-time exclusion rule using the \
1417 selection from the left side workload definition panel.\n\n<Ctrl>-h for help"
1419 AddToExclusionButtonHelp = \
1420 "\
1421 This button adds the current selection in the left side \
1422 workload definition panel to the associated exclusion rule.\n\n<Ctrl>-h for help"
1424 DelFromExclusionButtonHelp = \
1425 "\
1426 This button deletes the current selection of the associated \
1427 exclusion rule from the associated exclusion rule.\n\n<Ctrl>-h for help"
1429 ManageExclusionButtonHelp = \
1430 "\
1431 This button allows to rename or delete the associated exclusion \
1432 rule. Left-click the button for the menu.\n\n<Ctrl>-h for help"
1434 ExclusionSetHelp = \
1435 "\
1436 Of the workload types specified in an exclusion rule, \
1437 only one can run at a time on the same platform.\n\n<Ctrl>-h for help"
1439 GetHelp = \
1440 "\
1441 Use <CTRL>-h to open the help window. Use the context help on buttons."
1443 #================ html help page =================
1444 # for ez use included in a single file, one could also
1445 # optionally try to fetch the page from a public location
1446 import wx.html as html
1448 class HelpHtmlWindow(html.HtmlWindow):
1449 def __init__(self, parent, id):
1450 html.HtmlWindow.__init__(self, parent, id, style=wx.NO_FULL_REPAINT_ON_RESIZE)
1451 if "gtk2" in wx.PlatformInfo:
1452 self.SetStandardFonts()
1453 self.SetPage(helptext)
1455 helptext = """
1456 <HTML>
1457 <HEAD>
1458 <META http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
1459 <META name="GENERATOR" content="IBM WebSphere Studio Homepage Builder V6.0.2 for Windows">
1460 <META http-equiv="Content-Style-Type" content="text/css">
1461 <TITLE>Overview</TITLE>
1462 </HEAD>
1463 <BODY bgcolor="#dfdfdf" text="#000000">
1464 <H3><FONT color="#000000" face="Palatino Linotype">Creating A Xen Workload-Protection Security Policy</FONT></H3>
1465 <FONT face="Palatino Linotype">The purpose of this tool is to create a Xen security policy that understands
1466 the workload types that you want to confine against each other. For this
1467 purpose you enter the names of workload types that you want to assign to
1468 domains and resources. You can also define groups of workload types that
1469 should not run on the same system simultaneously for any reason; such groups
1470 are called Runtime Exclusion Sets. Please refer to the Xen User Guide for
1471 more information.<BR>
1472 <BR>
1473 This tool will create a unique security label for each workload type. Every
1474 domain and resource must be labeled so that the hypervisor system can correctly
1475 identify the associated workload type and control the sharing among domains
1476 in a way that keeps different workload types confined from each other.
1477 This tool ensures two things:<BR>
1478 <BR>
1479 1. The created security policy includes a distinctive label for each workload
1480 type defined in step 1 below. These labels must later be assigned to Domains
1481 and Resources to enable Xen to enforce the confinement.<BR>
1482 <BR>
1483 2. The created security policy includes access control rules that are enforced
1484 by the Xen Hypervisor (independently of the guest Domains) and guarantee
1485 that:</FONT>
1486 <BLOCKQUOTE><FONT face="Palatino Linotype">(i) Domains that are assigned the same workload type label can
1487 share (communicate,
1488 use common resources) without restriction through the hypervisor. Their
1489 interoperation can still be constraint by the domains (domain-internal
1490 means).</FONT></BLOCKQUOTE>
1491 <BLOCKQUOTE><FONT face="Palatino Linotype">(ii) Domains that are assigned different workload type labels cannot share,
1492 i.e., cannot communicate or use common resources. Independently enforced
1493 by the hypervisor, the domains cannot overrule this decision.</FONT></BLOCKQUOTE>
1494 <BLOCKQUOTE><FONT face="Palatino Linotype">(iii) Once a Domain labeled with a workload type of a Runtime Exclusion
1495 Rule is running, no other domain labeled with another workload type of
1496 the same Runtime Exclusion Rule can start. This holds for all Runtime Exclusion
1497 Rules.</FONT></BLOCKQUOTE>
1498 <FONT face="Palatino Linotype">While all workloads share common hardware resources, the core hypervisor
1499 isolation and virtualization in combination with the Xen access control
1500 policy ensure that, e.g., viruses in one workload type cannot infect other
1501 workload types and that secrets used within one workload type cannot leak
1502 into another workload type. Currently the Xen access control enforcement
1503 covers domains, local storage resources, and the local virtual network
1504 interfaces. Protecting sharing through the open network is subject of ongoing
1505 work; such protection must currently be setup manually using IP filtering
1506 rules in Domain0.
1507 <BR>
1508 </FONT>
1509 <H2><FONT color="#000000" face="Palatino Linotype">Step 1</FONT></H2>
1510 <FONT face="Palatino Linotype">The first step of creating a workload protection policy is to determine
1511 names for the different workload types. The left panel offers the means
1512 to define and and manage workload type definitions.<BR>
1513 <BR>
1514 A workload can be an organization name (coarse-grained type), e.g. a corporate
1515 realm such as IBM or PepsiCo. An organization can be refined to describe
1516 independent functional groupings within the organization, such as IBM.Financing
1517 or Pepsi.Payroll. Use the<B><I> &lt;New Org&gt;</I></B> button on the left panel
1518 to create a new organization workload. To refine such a workload, right-click the
1519 organization and chose <B><I>&lt;Add Department&gt;</I></B>. You can add multiple
1520 departments to an organization but you do not have to add any.<BR>
1521 <BR>
1522 This tool will create a separate label name for each organization and for
1523 each department workload. The policy will be computed so that there is
1524 no sharing between organizations or departments by default. IBM, IBM.Financing,
1525 Pepsi, and Pepsi.Payroll will by default not be able to share in this simple
1526 policy example. You can introduce controlled sharing by refining the policy,
1527 which is beyond the scope of this help.<BR>
1528 <BR>
1529 As an example, define the four organizations PepsiCo, CocaCola, Avis, Hertz.
1530 Define department workloads Payroll, HumanResources and Financing for Avis
1531 and CocaCola, and PepsiCo.<BR>
1532 </FONT>
1533 <H2><FONT color="#000000" face="Palatino Linotype">Step 2</FONT></H2>
1534 <FONT face="Palatino Linotype">In this second step, we enter those workload types that should not run
1535 simultaneously on the same hardware platform. There might be multiple reasons
1536 for this, e.g., imperfect resource control.<BR>
1537 <BR>
1538 As an example, we will create a policy that guarantees that PepsiCo workloads
1539 and CocaCola workloads never run simultaneously on the same platform: <BR>
1540 <BR>
1541 1. Select the PepsiCo organization on the left panel by left-clicking it..<BR>
1542 <BR>
1543 2. Press the &lt;Ctrl&gt;-Key and then select CocaCola organization by
1544 left-clicking it while keeping the &lt;Ctrl&gt;-Key pressed..<BR>
1545 <BR>
1546 3. Click the <B><I>&lt;Create run-time exclusion rule from selection&gt;</I></B>
1547 button and enter a name for this Run-time Exclusion rule (e.g., RER1). The name is
1548 for your reference only. It has no impact on the policy. On the right panel, a run-time
1549 exclusion rule with the chosen name appears. <BR>
1550 <BR>
1551 The interpretation of the rule is as follows: If a domain labeled PepsiCo
1552 is running, then another domain labeled CocaCola cannot start on the same
1553 system and the other way round. This also holds for departments of PepsiCo
1554 and CocaCola (organizations dominate their departments). If PepsiCo or
1555 PepsiCo.Payroll etc. are running, then a domain with label CocaCola or
1556 CocaCola.Payroll etc. cannot start. If you want to restrict concurrency
1557 between specific subtypes, then you must create a Run-time Exclusion rule
1558 that specifies the department workload types. To exclude only CocaCola.Payroll
1559 and PepsiCo.Payroll from running simultaneously the Run-time Exclusion
1560 rule must be formed using Coca.Cola.Payroll and PepsiCo.Payroll, not their
1561 organizations. Consequently it does not make sense to add both an organization
1562 and any of its departments to the same Run-time Exclusion rule because
1563 any department is already covered by its organization (this tool will not
1564 allow it).<BR>
1565 <BR>
1566 You can create multiple Run-time Exclusion rules, all of which will be
1567 enforced simultaneously by the hypervisor. You do not need to define any
1568 Run-time Exclusion rule if you do not find it necessary. You can add or
1569 delete workload types from Run-time Exclusion rules using the <B><I>&lt;Add&gt;</I></B>
1570 and <I><B>&lt;Del&gt;</B></I> buttons associated with the rule. The <I><B>&lt;Add&gt;</B></I>
1571 button adds the workload types selected in the left panel to the Run-time
1572 Exclusion rule. The <I><B>&lt;Del&gt;</B></I> button deletes the workload types selected
1573 in the associated Run-time Exclusion rule from the rule. <BR>
1574 </FONT>
1575 <H2><FONT color="#000000" face="Palatino Linotype">Step 3</FONT></H2>
1576 <FONT face="Palatino Linotype">Now that we have defined the workloads and Run-time Exclusion rules, we
1577 can save the workload definition for later reference or refinement. Select
1578 the <I><B>File-&gt;Save Workload
1579 Definition as..</B></I> menu entry and choose a file name.<BR>
1580 <BR>
1581 Please use the <B><I>File-&gt;Save as Xen ACM Security Policy..</I></B> menu entry and choose a policy
1582 name to create a Xen Workload Protection
1583 security policy from the current workload definition. To simplify the succeeding
1584 steps, please use a name of the form &quot;example.chwall_ste.NAME&quot;
1585 where you merely replace &quot;NAME&quot; with a policy name of your choice.
1586 Save the policy under the name proposed by the tool in the proposed directory
1587 if you are using this tool in your Xen environment. Otherwise, you need
1588 to copy the resulting file into your Xen environment to the directory
1589 &quot;/etc/xen/acm-security/policies/example/chwall_ste/&quot;.<BR>
1590 <BR>
1591 This tool creates policies for the Xen Chinese Wall and Simple Type Enforcement
1592 policy. The Xen access control policy in general is more expressive and
1593 this tool only uses a small subset of the possible configurations. <B><BR>
1594 <BR>
1595 Where to go from here.</B> <BR>
1596 <BR>
1597 Before the new policy can be activated, we need to translate the policy into a representation that
1598 Xen and the Xen-tools can work with. To this end, in your Xen environment, please issue the command
1599 <B><I>xm makepolicy example.chwall_ste.NAME</I></B> where NAME must be replaced by the name you chose
1600 for your policy in step 3 above. Then, we need to make the policy available to the Xen hypervisor. In
1601 your Xen environment, please issue the command <B><I>xm cfgbootpolicy example.chwall_ste.NAME</I></B>
1602 to install the policy for the next reboot. If the command cannot find the correct boot title, then you
1603 can manually install it as described in the xm man page.<BR>
1604 <BR>
1605 Finally, reboot your security-enabled Xen environment. Please refer to the xm man page for how to enable
1606 Xen security. After reboot, you can use <I><B>xm labels type=any</B></I> to list all the created workload l
1607 abels. Use the <I><B>xm addlabel</B></I> command to assign workload type labels to the associated domains
1608 and resources.<BR>
1609 <BR>
1610 From here, please check the Xen user guide.<BR>
1611 </FONT></BODY>
1612 </HTML>
1613 """
1615 #=============== main =====
1617 def main():
1618 global app
1619 app = ezApp(0)
1620 if len(sys.argv) in [2]:
1621 app.Load(sys.argv[1])
1622 app.MainLoop()
1623 print "Goodbye"
1625 if __name__ == '__main__':
1626 main()
1628 #==== end of file