
diff tools/python/xen/xend/XendXSPolicyAdmin.py @ 16522:54482c56e435

Implement legacy XML-RPC interface for ACM commands.

This patch moves the directory of files where xend is writing policies
and resource labels to /var/lib/xend/security/policies.

Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
author Keir Fraser <keir.fraser@citrix.com>
date Wed Dec 05 09:45:13 2007 +0000 (2007-12-05)
parents 5255eac35270
children 3221dff4b460
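--- a/tools/python/xen/xend/XendXSPolicyAdmin.py
+++ b/tools/python/xen/xend/XendXSPolicyAdmin.py
@@ -22,10 +22,10 @@ from xml.dom import minidom, Node
 
 from xen.xend.XendLogging import log
 from xen.xend import uuid
-from xen.util import xsconstants, dictio, bootloader
+from xen.util import xsconstants, bootloader
 import xen.util.xsm.acm.acm as security
 from xen.util.xspolicy import XSPolicy
-from xen.util.acmpolicy import ACMPolicy
+from xen.util.acmpolicy import ACMPolicy, initialize
 from xen.xend.XendError import SecurityError
 
 
@@ -48,6 +48,7 @@ class XSPolicyAdmin:
         self.xsobjs = {}
 
         act_pol_name = self.get_hv_loaded_policy_name()
+        initialize()
 
         ref = uuid.createString()
         try:
@@ -59,6 +60,7 @@ class XSPolicyAdmin:
 
         log.debug("XSPolicyAdmin: Known policies: %s" % self.policies)
 
+
     def isXSEnabled(self):
         """ Check whether 'security' is enabled on this system.
             This currently only checks for ACM-enablement.
@@ -99,12 +101,23 @@ class XSPolicyAdmin:
             # This is meant as an update to a currently loaded policy
             if flags & xsconstants.XS_INST_LOAD == 0:
                 raise SecurityError(-xsconstants.XSERR_POLICY_LOADED)
-            if flags & xsconstants.XS_INST_BOOT == 0:
-                self.rm_bootpolicy()
+
+            # Remember old flags, so they can be restored if update fails
+            old_flags = self.get_policy_flags(loadedpol)
+
+            # Remove policy from bootloader in case of new name of policy
+            self.rm_bootpolicy()
+
             rc, errors = loadedpol.update(xmltext)
             if rc == 0:
                 irc = self.activate_xspolicy(loadedpol, flags)
                 # policy is loaded; if setting the boot flag fails it's ok.
+            else:
+                old_flags = old_flags & xsconstants.XS_INST_BOOT
+                log.info("OLD FLAGS TO RESTORE: %s" % str(old_flags))
+                if old_flags != 0:
+                    self.activate_xspolicy(loadedpol, xsconstants.XS_INST_BOOT)
+
             return (loadedpol, rc, errors)
 
         try:
@@ -161,15 +174,11 @@ class XSPolicyAdmin:
         return (acmpol, xsconstants.XSERR_SUCCESS, errors)
 
     def make_boot_policy(self, acmpol):
-        spolfile = acmpol.get_filename(".bin")
-        dpolfile = "/boot/" + acmpol.get_filename(".bin","",dotted=True)
-        if not os.path.isfile(spolfile):
-            log.error("binary policy file does not exist.")
-            return -xsconstants.XSERR_FILE_ERROR
-        try:
-            shutil.copyfile(spolfile, dpolfile)
-        except:
-            return -xsconstants.XSERR_FILE_ERROR
+        if acmpol.is_default_policy():
+            return xsconstants.XSERR_SUCCESS
+        rc = acmpol.copy_policy_file(".bin","/boot")
+        if rc != xsconstants.XSERR_SUCCESS:
+            return rc
 
         try:
             filename = acmpol.get_filename(".bin","",dotted=True)
@@ -231,7 +240,8 @@ class XSPolicyAdmin:
         flags = 0
 
         filename = acmpol.get_filename(".bin","", dotted=True)
-        if bootloader.loads_default_policy(filename):
+        if bootloader.loads_default_policy(filename) or \
+           acmpol.is_default_policy():
             flags |= xsconstants.XS_INST_BOOT
 
         if acmpol.isloaded():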
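Review bot: In the `@@ -99,12 +101,23 @@` hunk the failure branch ignores the return value of `self.activate_xspolicy(loadedpol, xsconstants.XS_INST_BOOT)`, so when `rm_bootpolicy()` has already removed the boot entry and the restore attempt also fails, the host is left without its boot policy and neither the caller nor the log learns of it. Capture the result and surface it, e.g. `irc = self.activate_xspolicy(loadedpol, xsconstants.XS_INST_BOOT)` followed by `if irc != xsconstants.XSERR_SUCCESS: log.error("could not restore boot policy: %s" % irc)` (assuming activate_xspolicy reports an XSERR code like make_boot_policy does, which the hunk does not show). The `log.info("OLD FLAGS TO RESTORE: ...")` line in the same branch reads like leftover debugging output and would be better as `log.debug` with a lower-case message. The enclosing method starts and ends outside the hunk.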