ia64/xen-unstable

view tools/security/xensec_ezpolicy @ 13981:296d7aa451a3

[ACM] Update the xensec_ezpolicy ACM policy generation tool so
that it works with wxPython under Python 2.5.
Signed-off by: Reiner Sailer <sailer@us.ibm.com>
author kfraser@localhost.localdomain
date Thu Feb 15 14:20:05 2007 +0000 (2007-02-15)
parents 947e09f90b3b
children d5d6d2a8d10c
line source
1 #!/usr/bin/env python
2 #===========================================================================
3 # This program is free software; you can redistribute it and/or
4 # modify it under the terms of version 2.1 of the GNU Lesser General Public
5 # License as published by the Free Software Foundation.
6 #
7 # This library is distributed in the hope that it will be useful,
8 # but WITHOUT ANY WARRANTY; without even the implied warranty of
9 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
10 # Lesser General Public License for more details.
11 #
12 # You should have received a copy of the GNU Lesser General Public
13 # License along with this library; if not, write to the Free Software
14 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
15 #============================================================================
16 # Copyright (C) 2006 International Business Machines Corp.
17 # Author: Reiner Sailer
18 #============================================================================
19 # use 'yum install wxPython' to get wx or download from www.wxpython.org
20 import sys, time, string
21 import wx
22 import wx.lib.buttons as buttons
23 """
24 This program creates a default policy based on names of organizations and departments.
25 The resulting policy can be refined using the policy generation tool (xensec_gen).
26 """
28 helpprovider = wx.SimpleHelpProvider()
29 wx.HelpProvider_Set(helpprovider)
31 ID_CS_START=1000
33 realm_bmp = None
34 workload_bmp = None
35 conflict_bmp = None
36 realm_icon = None
37 workload_icon = None
39 class orgTreeCtrl(wx.TreeCtrl):
41 event = None
43 def __init__(self, parent, id, pos, size, style, validator, name):
44 wx.TreeCtrl.__init__(self, parent, id, pos, size, style,
45 validator, name)
46 self.parent = parent
47 orgs_root = self.AddRoot(text="Organization / Department")
48 self.SetItemBackgroundColour(orgs_root, wx.LIGHT_GREY)
51 def LabelExists(self, label, item):
52 for i in iterchildren(self.GetItemParent(item)):
53 if (self.GetItemText(i) == label) and (i != item):
54 return True
55 return False
58 def _OrgEdt(self, event):
59 item = self.event.GetItem()
60 self.OrgEdt(item)
63 def OrgEdt(self, item):
64 oldlabel= self.GetItemText(item)
65 #get new name
66 dlg = wx.TextEntryDialog(self, "Please enter org/dept name:",
67 "Naming a Workload",
68 style=wx.CANCEL | wx.OK | wx.CENTRE | wx.TE_NOHIDESEL)
69 dlg.SetValue(oldlabel)
70 ret = dlg.ShowModal()
71 newlabel = dlg.GetValue()
72 dlg.Destroy()
73 if (ret == wx.ID_CANCEL) or (newlabel == ''):
74 return False
76 #now check if the new name is permissible
77 if self.LabelExists(newlabel, item):
78 dlg = wx.MessageDialog(self, 'Item with name ' + newlabel + ' already exists!',
79 'Rename', style=wx.OK)
80 dlg.ShowModal()
81 dlg.Destroy()
82 return False
84 #all checkspassed, change item and adapt runtime exclusion rules
85 self.SetItemText(item, newlabel)
86 app.win.LabelReplaceInConflictsets(item, oldlabel, newlabel)
87 return True
90 def _OrgRAdd(self, event):
91 self.OrgRAdd()
94 def OrgRAdd(self):
95 new = self.AppendItem(self.GetRootItem(), text="")
96 self.SetItemBold(new, True)
97 self.SetItemImage(new, realm_icon, wx.TreeItemIcon_Normal)
98 self.EnsureVisible(new)
99 if not self.OrgEdt(new):
100 self.Delete(new)
103 def _OrgWAdd(self, event):
104 item = self.event.GetItem()
105 self.OrgWAdd(item)
108 def OrgWAdd(self, item):
109 new = self.AppendItem(item, text="")
110 self.Expand(item)
111 self.SetItemImage(new, workload_icon, wx.TreeItemIcon_Normal)
112 self.EnsureVisible(new)
113 if not self.OrgEdt(new):
114 self.Delete(new)
117 class OrgsPanel(wx.Panel):
118 ID_CONSADDBTN = 145
119 ID_REALMADDBTN = 144
121 def __init__(self, parent, ID):
122 global realm_icon, workload_icon
124 wx.Panel.__init__(self, parent, -1)
126 #create image list
127 imagelist = wx.ImageList(16, 17, True)
128 #define generic function and use it for all input
129 realm_icon = imagelist.Add(realm_bmp)
130 workload_icon = imagelist.Add(workload_bmp)
132 #left tree control for organizations / workload definitions
133 orgshdrbox = wx.StaticBox(self, -1, "")
134 orgshdrboxsizer = wx.StaticBoxSizer(orgshdrbox, wx.HORIZONTAL)
135 orgshdr = wx.StaticText(self, -1, "Organization / Department Definition",
136 style=wx.ALIGN_CENTER)
137 orgshdr.SetHelpText(RealmWorkloadPanelHelp)
138 points = orgshdr.GetFont().GetPointSize() # get the current size
139 hdrfont = wx.Font(points + 2, family=wx.DEFAULT,
140 style=wx.FONTSTYLE_NORMAL, weight=wx.BOLD)
141 orgshdr.SetFont(hdrfont)
142 orgshdr.SetForegroundColour('MEDIUMBLUE')
143 orgshdr.SetBackgroundColour('SNOW')
144 orgshdrboxsizer.Add(orgshdr, proportion=1, flag=wx.EXPAND | wx.ALL | wx.ALIGN_LEFT, border=5)
145 addorgsbutton = wx.Button(self, self.ID_REALMADDBTN, "New Org", style=wx.BU_EXACTFIT)
146 addorgsbutton.SetToolTipString("Add A New Organization")
147 addorgsbutton.SetHelpText(NewRealmButtonHelp)
148 addorgsbutton.SetForegroundColour('MEDIUMBLUE')
149 addfont = wx.Font(points, family=wx.DEFAULT,
150 style=wx.FONTSTYLE_NORMAL, weight=wx.BOLD)
151 addorgsbutton.SetFont(addfont)
152 orgshdrboxsizer.Add(addorgsbutton, proportion=0, flag=wx.EXPAND | wx.ALL | wx.ALIGN_RIGHT, border=0)
154 self.orgs = orgTreeCtrl(self, -1,
155 pos=wx.DefaultPosition,
156 size=wx.DefaultSize,
157 style=wx.TR_HAS_BUTTONS | wx.TR_HIDE_ROOT | wx.TR_NO_LINES
158 | wx.TR_MULTIPLE,
159 validator=wx.DefaultValidator,
160 name="orgs")
161 self.orgs.AssignImageList(imagelist)
162 self.orgs.SetHelpText(RealmWorkloadPanelHelp)
164 self.addconsbutton = wx.Button(self, self.ID_CONSADDBTN,
165 "Create run-time exclusion rule from selection -->",
166 style=wx.BU_EXACTFIT)
167 self.addconsbutton.SetToolTipString("Create New Exclusion rule From Above Workload Selection")
168 self.addconsbutton.SetHelpText(CreateRunTimeButtonHelp)
169 self.addconsbutton.SetForegroundColour('MEDIUMBLUE')
170 addfont = wx.Font(points, family=wx.DEFAULT,
171 style=wx.FONTSTYLE_NORMAL, weight=wx.BOLD)
172 self.addconsbutton.SetFont(addfont)
173 self.addconsbutton.Bind(wx.EVT_BUTTON, self._AddConflict, id=self.ID_CONSADDBTN)
175 orgsvbox = wx.BoxSizer(wx.VERTICAL)
176 orgsvbox.Add(orgshdrboxsizer, proportion=0, flag=wx.EXPAND | wx.ALL, border=5)
177 orgsvbox.Add(self.orgs, proportion=1, flag=wx.EXPAND | wx.ALL, border=5)
178 orgsvbox.Add(self.addconsbutton, proportion=0, flag=wx.EXPAND | wx.ALL, border=5)
179 self.SetSizer(orgsvbox)
180 addorgsbutton.Bind(wx.EVT_BUTTON, self.orgs._OrgRAdd, id= self.ID_REALMADDBTN)
183 def _AddConflict(self, event):
184 app.win.conspanel._AddNewConflict(event)
187 class ConsPanel(wx.Panel):
188 ID_CONSSELECT = 151
189 ID_CONSADD = 152
190 ID_CONSRENAME = 153
191 ID_CONSDEL = 154
192 ID_CONSSELECTSUB= 155
194 conflictMAX = ID_CS_START
196 def __init__(self, parent, ID):
197 self.conflictsets = []
198 self.parent = parent
199 wx.Panel.__init__(self, parent, -1)
200 #header
201 conshdrbox = wx.StaticBox(self, -1, "")
202 conshdrboxsizer = wx.StaticBoxSizer(conshdrbox, wx.HORIZONTAL)
203 conshdr = wx.StaticText(self, -1, "Run-time Exclusion Rules", style=wx.ALIGN_CENTER)
204 conshdr.SetHelpText(RunTimeExclusionPanelHelp)
205 points = conshdr.GetFont().GetPointSize() # get the current size
206 hdrfont = wx.Font(points + 2, family=wx.DEFAULT,
207 style=wx.FONTSTYLE_NORMAL, weight=wx.BOLD)
208 conshdr.SetFont(hdrfont)
209 conshdr.SetForegroundColour('ORANGERED')
211 #context help button
212 ctxHelp = wx.ContextHelpButton(self)
213 ctxHelp.SetHelpText("Context Help Button.")
214 ctxHelp.SetToolTipString("Context Help: Press this button, then press any other button or panel to get help.")
217 conshdrboxsizer.Add(conshdr, proportion=1, flag=wx.EXPAND | wx.ALL | wx.ALIGN_LEFT, border=5)
218 conshdrboxsizer.Add(ctxHelp, proportion=0, flag=wx.EXPAND | wx.ALL | wx.ALIGN_RIGHT, border=0)
219 #scrolledwindow for all the run-time exclusion rules
220 conflictspanel = wx.ScrolledWindow(self, -1, (0,0),
221 style = wx.FULL_REPAINT_ON_RESIZE |
222 wx.VSCROLL )
223 conflictspanel.SetVirtualSize((1000, 1000))
224 conflictspanel.SetScrollRate(5,5)
225 self.conflictsboxsizer = wx.BoxSizer(wx.VERTICAL)
227 #self.conflictsboxsizer.Fit(self)
228 conflictspanel.SetSizer(self.conflictsboxsizer)
229 consvbox = wx.BoxSizer(wx.VERTICAL)
230 consvbox.Add(conshdrboxsizer, proportion=0, flag=wx.EXPAND | wx.ALL, border=5)
231 consvbox.Add(conflictspanel, proportion=1, flag=wx.EXPAND | wx.ALL, border=5)
232 self.SetSizer(consvbox)
233 self.consvbox = consvbox
234 self.conflictspanel=conflictspanel
236 self.cmenu = wx.Menu()
237 self.cmenu.Append(self.ID_CONSRENAME, "Rename Run-time Exclusion Rule", "Rename Run-time Exclusion Rule")
238 self.cmenu.AppendSeparator()
239 self.cmenu.Append(self.ID_CONSDEL, "Delete Run-time Exclusion Rule", "Delete Run-time Exclusion Rule")
240 self.Bind(wx.EVT_MENU, self._CSRename, id=self.ID_CONSRENAME)
241 self.Bind(wx.EVT_MENU, self._CSDelete, id=self.ID_CONSDEL)
244 #Helper methods called from anywhere
245 def New(self):
246 #delete all run-time exclusion rules
247 for i in self.conflictsets:
248 i.Disable()
249 i.Destroy()
250 self.conflictsets = []
251 self.conflictsboxsizer.Layout()
252 size=self.GetSize()
253 self.Fit()
254 self.SetSize(size)
257 def DelCSById(self, delid):
258 #delete CS representation
259 delpos, item = self.GetCSBox(delid)
260 if item:
261 self.DelCSByItem(item)
264 def DelCSByItem(self, item):
265 #delete CS representation
266 self.conflictsets.remove(item)
267 exists = self.conflictsboxsizer.Detach(item)
268 if exists:
269 item.Destroy()
270 self.RefreshMe()
273 def RefreshMe(self):
274 size=self.parent.GetSize()
275 self.parent.Fit()
276 self.parent.SetSize(size + (1,1))
277 self.parent.SetSize(size)
280 def GetOrgSelection(self):
281 (tree, selection) = GetOrgsSelection()
282 if not len(selection):
283 dlg = wx.MessageDialog(self, 'You must select first at least one Organization/Department workload!',
284 'Creating A New Run-time Rule', wx.OK | wx.ICON_ERROR)
285 dlg.ShowModal()
286 dlg.Destroy()
287 return None,None
288 # now rewrite selection (realm.workload extension, check consistency)
289 alist = []
290 for i in selection:
291 if isRealm(i):
292 alist.append(tree.GetItemText(i))
293 else:
294 alist.append(tree.GetItemText(tree.GetItemParent(i))
295 + "." + tree.GetItemText(i))
297 if isRealm(i):
298 for j in selection:
299 if tree.GetItemParent(j) == i:
300 violation = ("[ " + tree.GetItemText(i) + ", " +
301 tree.GetItemText(i) + "." + tree.GetItemText(j) + " ]")
302 dlg = wx.MessageDialog(self,
303 'Invalid Selection ' + violation + '.\n\n' +
304 'You can only select EITHER an Organization OR specific Department!',
305 'Creating A New Run-time Exclusion Rule', wx.OK | wx.ICON_ERROR)
306 dlg.ShowModal()
307 dlg.Destroy()
308 return None,None
309 return (alist, selection)
312 def AddConflict(self, name, types):
313 csbox = myCSPanel(self, self.conflictMAX, name, types)
314 self.conflictsboxsizer.Add(csbox, proportion=0, flag=wx.EXPAND | wx.ALL, border=5)
315 self.conflictsets.append(csbox)
316 self.conflictMAX = self.conflictMAX+3
317 self.RefreshMe()
318 csbox.RefreshMe()
321 def GetCSBox(self, id):
322 pos = -1
323 i = 0
324 while self.conflictsboxsizer.GetItem(i):
325 item = self.conflictsboxsizer.GetItem(i).GetWindow()
326 if ((item.cbmp.GetId() == id) or
327 (item.add_selection.GetId() == id) or
328 (item.del_selection.GetId() == id)):
329 pos = i
330 box = item
331 break
332 i = i + 1
333 if pos < 0:
334 print "Run-time Exclusion Rule Not Found ERROR!"
335 return (None, None)
336 else:
337 return (pos, box)
340 #bind methods
341 def _AddNewConflict(self, event):
342 # first get the conflicting workload types with current selection
343 types, items = self.GetOrgSelection()
344 if not types:
345 return
346 #get name for conflict set
347 dlg = wx.TextEntryDialog(
348 self, 'Please enter a name for the Run-time Exclusion Rule:', 'Creating A New Run-time Exclusion Rule')
349 dlg.SetValue("")
350 ret = dlg.ShowModal()
351 name = dlg.GetValue()
352 dlg.Destroy()
353 if ret != wx.ID_OK:
354 return
355 self.AddConflict(name, types)
358 def _OnClick(self, event):
359 self.event = event
360 app.win.SetStatusText("")
361 self.PopupMenu(self.cmenu)
364 def _CSRename(self, event):
365 delpos, item = self.GetCSBox(self.event.GetId())
366 if not item:
367 return
368 #allow to name the conflict set
369 dlg = wx.TextEntryDialog(
370 self, 'Please enter a new name for the Conflict Set:', 'Renaming A Run-time Exclusion Rule')
371 dlg.SetValue(item.box.GetLabel())
372 ret = dlg.ShowModal()
373 name = dlg.GetValue()
374 dlg.Destroy()
375 if ret != wx.ID_OK:
376 return
377 item.box.SetLabel(name)
378 item.box.SetFont(wx.Font(item.GetFont().GetPointSize(), family=wx.DEFAULT,
379 style=wx.FONTSTYLE_NORMAL, weight=wx.BOLD))
382 def _CSDelete(self, event):
383 delid = self.event.GetId()
384 self.DelCSById(delid)
387 def _AddOrgSelection(self, event):
388 addid = event.GetId()
389 addpos, item = self.GetCSBox(addid)
390 alist, items = self.GetOrgSelection()
391 if not alist:
392 return
393 existing = []
394 for i in range(0, item.clb.GetCount()):
395 existing.append(item.clb.GetString(i))
397 #now make sure that we don't get realm + workload into the same CS
398 for i in items:
399 if isRealm(i):
400 #ensure no workload of this realm is already in CS
401 realm = app.win.orgs.GetItemText(i)
402 for j in iterchildren(i):
403 workload = app.win.orgs.GetItemText(j)
404 try:
405 idx = existing.index (realm + "." + workload)
406 except:
407 #ok, does not exist
408 continue
409 #nok, exists already
410 violation = ("[ " + realm + ", " +
411 realm + "." + workload + " ]")
412 dlg = wx.MessageDialog(self,
413 'Invalid Selection ' + violation + '.\n\n' +
414 'You can only have EITHER an Organization OR a specific Department workload\n' +
415 'in a single Run-time Exclusion Rule',
416 'Adding Orgs/Depts workloads to a Run-time Exclusion Rule',
417 wx.OK | wx.ICON_ERROR)
418 dlg.ShowModal()
419 dlg.Destroy()
420 return
422 else:
423 #ensure realm of this workload is not in CS
424 realm = app.win.orgs.GetItemText(app.win.orgs.GetItemParent(i))
425 try:
426 idx = existing.index(realm)
427 except:
428 #ok, does not exist
429 continue
430 #nok, exists already
431 violation = ("[ " + realm + "." + app.win.orgs.GetItemText(i) +
432 ", " + realm + " ]")
433 dlg = wx.MessageDialog(self,
434 'Invalid Selection ' + violation + '.\n\n' +
435 'You can only have EITHER an Organization OR a specific Department workload\n' +
436 'in a single Run-time Exclusion Rule',
437 'Adding Orgs/Depts workloads to a Run-time Exclusion Rule',
438 wx.OK | wx.ICON_ERROR)
439 dlg.ShowModal()
440 dlg.Destroy()
441 return
442 #check if any of the selections are already in the conflict set
443 overlap=[]
444 for l in alist:
445 for e in existing:
446 if l == e:
447 overlap.append(str(l))
448 if len(overlap):
449 if len(overlap) == 1:
450 message = "Selected item " + str(overlap) +\
451 " is already in the Run-time Exclusion rule and will be ignored.\n\n Continue?"
452 else:
453 message = "Selected items " + str(overlap) +\
454 " are already in the Run-time Exclusion rule and will be ignored.\n\n Continue?"
455 dlg = wx.MessageDialog(self,
456 message, 'Adding Orgs/Depts workloads to a Run-time Exclusion rule',
457 wx.YES | wx.NO | wx.ICON_EXCLAMATION)
458 ret = dlg.ShowModal()
459 dlg.Destroy()
460 if ret != wx.ID_YES:
461 return
463 for s in alist:
464 try:
465 existing.index(s)
466 except Exception:
467 # s not yet in list box, add it
468 item.AddTypes([s])
469 self.RefreshMe()
472 def _DelConSelection(self, event):
473 eventid = event.GetId()
474 pos, item = self.GetCSBox(eventid)
475 idtuple = item.clb.GetSelections()
476 idlist = []
477 for i in idtuple:
478 idlist.append(i)
479 #delete reverse, otherwise item mubers get messed up while deleting
480 idlist.reverse()
481 for i in idlist:
482 item.clb.Delete(i)
483 item.RefreshMe()
484 if item.clb.GetCount() < 2:
485 dlg = wx.MessageDialog(self,
486 """Run-time exclusion set has less than two types.\n\n
487 Do you want to delete this rule?""",
488 'Deleting Orgs/Depts workloads from a Run-time Exclusion rule',
489 wx.YES| wx.NO | wx.ICON_QUESTION)
490 ret = dlg.ShowModal()
491 dlg.Destroy()
492 if ret == wx.ID_YES:
493 self.DelCSById(eventid)
494 return
495 else:
496 for i in item.clb.GetSelections():
497 item.clb.Deselect(i)
498 self.RefreshMe()
501 class myCSPanel(wx.Panel):
502 def __init__(self, parent, ID, title, list=[]):
503 wx.Panel.__init__(self, parent.conflictspanel, -1)
504 self.parent = parent
505 cspansizer = wx.BoxSizer(wx.VERTICAL)
506 self.box = wx.StaticBox(self, -1, title)
507 csboxsizer = wx.StaticBoxSizer(self.box, wx.HORIZONTAL)
508 #left: type add/del
509 typesizer = wx.BoxSizer(wx.VERTICAL)
510 self.add_selection = wx.Button(self, ID+1, "--> Add", style=wx.BU_EXACTFIT)
511 self.add_selection.SetToolTipString("Add Workload Selection To Run-time Exclusion rule")
512 self.add_selection.SetHelpText(AddToExclusionButtonHelp)
513 self.add_selection.SetForegroundColour('MEDIUMBLUE')
514 points = self.add_selection.GetFont().GetPointSize()
515 addfont = wx.Font(points, family=wx.DEFAULT,
516 style=wx.FONTSTYLE_NORMAL, weight=wx.BOLD)
517 self.add_selection.SetFont(addfont)
518 self.box.SetFont(addfont)
519 typesizer.Add(self.add_selection, proportion = 0, flag = wx.EXPAND | wx.ALL,border=0)
520 typesizer.Add((5,5))
521 self.del_selection = wx.Button(self, ID+2, "<-- Del", style=wx.BU_EXACTFIT)
522 self.del_selection.SetToolTipString("Delete Workload Selection From Run-time Exclusion Rule")
523 self.del_selection.SetHelpText(DelFromExclusionButtonHelp)
524 self.del_selection.SetForegroundColour('ORANGERED')
525 self.del_selection.SetFont(addfont)
526 typesizer.Add(self.del_selection, proportion = 0, flag = wx.EXPAND | wx.ALL, border=0)
527 csboxsizer.Add(typesizer, proportion = 0, border=0)
528 csboxsizer.Add((5,5))
529 #middle: types
530 self.clb = wx.ListBox(self, id=-1, choices=list,
531 style= wx.LB_MULTIPLE | wx.LB_SORT )
532 self.clb.SetHelpText(ExclusionSetHelp)
533 csboxsizer.Add(self.clb, proportion=1, flag=wx.EXPAND | wx.ALL, border=0)
534 csboxsizer.Add((5,5))
535 #right: Conflictset-global ops button
536 bmpsizer = wx.BoxSizer(wx.VERTICAL)
537 self.cbmp = buttons.GenBitmapButton(self, ID, conflict_bmp, style=wx.BU_EXACTFIT)
538 self.cbmp.SetHelpText(ManageExclusionButtonHelp)
539 self.cbmp.SetToolTipString("Rename/Delete\nAssociated Run-time Exclusion Rule")
540 bmpsizer.Add(self.cbmp, proportion = 0, flag = wx.EXPAND | wx.ALL, border=0)
541 csboxsizer.Add(bmpsizer, proportion=0, border=5)
542 cspansizer.Add(csboxsizer, proportion=0, flag=wx.EXPAND | wx.ALL, border=0)
543 self.csboxsizer=csboxsizer
544 self.cspansizer=cspansizer
545 self.SetSizer(cspansizer)
546 self.cbmp.Bind(wx.EVT_LEFT_DOWN, parent._OnClick, id=ID)
547 self.add_selection.Bind(wx.EVT_BUTTON, parent._AddOrgSelection, id=ID + 1)
548 self.del_selection.Bind(wx.EVT_BUTTON, parent._DelConSelection, id=ID + 2)
550 # append and delete an item to get rid of
551 # the ugly vertical scroll bar on the Listbox on Linux
552 def RefreshMe(self):
553 x = self.clb.Append(" ")
554 app.win.conspanel.RefreshMe()
555 self.clb.Delete(x)
556 self.Layout()
557 app.win.conspanel.Layout()
560 def AddTypes(self, list):
561 for i in list:
562 self.clb.Append(i)
563 self.RefreshMe()
566 def GetTypes(self):
567 alist = []
568 for i in range(0, self.clb.GetCount()):
569 alist.append(self.clb.GetString(i))
570 return alist
573 def GetBoxName(self):
574 return self.box.GetLabel()
577 def Replace(self, oldlabel, newlabel):
578 index = self.clb.FindString(oldlabel)
579 if index != wx.NOT_FOUND:
580 self.clb.SetString(index, newlabel)
583 def Delete(self, label):
584 index = self.clb.FindString(label)
585 if index != wx.NOT_FOUND:
586 self.clb.Delete(index)
589 class myHelpPanel(wx.Panel):
590 def __init__(self, parent, ID):
591 wx.Panel.__init__(self, parent, -1)
594 class ezFrame(wx.Frame):
596 ID_ABOUT = 101
597 ID_NEW = 102
598 ID_OPEN = 103
599 ID_SAVE = 104
600 ID_SAVEAS = 105
601 ID_EXIT = 106
602 ID_HELP = 107
604 ID_ITRENAME = 111
605 ID_ITADD = 112
606 ID_ITDEL = 113
608 ID_COLLAPSEALL = 121
609 ID_EXPANDALL = 122
610 ID_SORTALL = 123
612 ID_TRANSLATE = 131
614 ID_ORGEDT = 141
615 ID_ORGADD = 142
616 ID_ORGDEL = 143
618 def __init__(self, parent, ID, title):
619 global realm_bmp, workload_bmp, conflict_bmp
621 wx.Frame.__init__(self, parent, ID, title,
622 wx.DefaultPosition,
623 wx.Size(700,450)
624 )
626 realm_bmp = GetIconBitmap('Organization')
627 workload_bmp = GetIconBitmap('Department')
628 conflict_bmp = GetIconBitmap('Conflict')
629 self.SetHelpText(GetHelp)
630 self.orgfilename = None
631 self.CreateStatusBar()
632 self.SetStatusText("")
633 self.bkg = wx.Panel(self)
635 self.orgswin = wx.SashLayoutWindow(
636 self.bkg, -1, wx.DefaultPosition, (300, 150),wx.SW_3DSASH | wx.SW_BORDER)
638 self.orgswin.SetDefaultSize((300,150))
639 self.orgswin.SetOrientation(wx.LAYOUT_VERTICAL)
640 self.orgswin.SetAlignment(wx.LAYOUT_LEFT)
641 self.orgspanel = OrgsPanel(self.orgswin, -1)
642 self.orgs = self.orgspanel.orgs
644 self.realm_menu = wx.Menu()
645 self.realm_menu.Append(self.ID_ORGADD, "Add Department\tctrl-a", "Add Department Workload")
646 self.realm_menu.AppendSeparator()
647 self.realm_menu.AppendSeparator()
648 self.realm_menu.Append(self.ID_ORGEDT, "Rename Organization\tctrl-r", "Rename Organization Workload")
649 self.realm_menu.Append(self.ID_ORGDEL, "Delete Organization\tctrl-d", "Delete Organization Workload")
650 self.realm_menu.Bind(wx.EVT_MENU, self.orgs._OrgEdt, id= self.ID_ORGEDT)
651 self.realm_menu.Bind(wx.EVT_MENU, self.orgs._OrgWAdd, id= self.ID_ORGADD)
652 self.realm_menu.Bind(wx.EVT_MENU, self._ItemDel, id=self.ID_ORGDEL)
654 self.workload_menu = wx.Menu()
655 self.workload_menu.Append(self.ID_ORGEDT, "Rename Department\tctrl-r", "Rename Department Workload")
656 self.workload_menu.Append(self.ID_ORGDEL, "Delete Department\tctrl-d", "Delete Department Workload")
657 self.workload_menu.Bind(wx.EVT_MENU, self.orgs._OrgEdt, id= self.ID_ORGEDT)
658 self.workload_menu.Bind(wx.EVT_MENU, self._ItemDel, id=self.ID_ORGDEL)
660 self.orgs.Bind(wx.EVT_TREE_ITEM_RIGHT_CLICK, self._OrgRightClick)
661 self.orgs.Bind(wx.EVT_TREE_SEL_CHANGED, self._OrgSelectionChanged)
663 self.conswin = wx.SashLayoutWindow(
664 self.bkg, -1, wx.DefaultPosition, (300, 150),
665 #wx.NO_BORDER | wx.SW_3D
666 wx.SW_3DSASH | wx.SW_BORDER
667 )
668 self.conswin.SetDefaultSize((300,150))
669 self.conswin.SetOrientation(wx.LAYOUT_VERTICAL)
670 self.conswin.SetAlignment(wx.LAYOUT_RIGHT)
671 self.conswin.SetSashVisible(wx.SASH_LEFT, True)
672 self.conswin.SetSashVisible(wx.SASH_RIGHT, False)
674 #right tree control for non-concurrent workload execution
675 self.conspanel = ConsPanel(self.conswin, -1)
676 self.conspanel.RefreshMe()
677 self.bkg.Bind(wx.EVT_SASH_DRAGGED_RANGE, self._OnSashDrag, id=self.conswin.GetId(),
678 id2=self.conswin.GetId())
679 self.bkg.Bind(wx.EVT_SIZE, self._OnSize)
681 # Main Menu
682 # -File
683 fmenu = wx.Menu()
684 fmenu.Append(self.ID_OPEN, "Open Workload Definition...\tctrl-o", "Open current workload definition")
685 fmenu.Append(self.ID_SAVE, "Save Workload Definition\tctrl-s", "Save workload defintion")
686 fmenu.Append(self.ID_SAVEAS, "Save Workload Defintion as...\talt-s", "Save into new file")
687 fmenu.AppendSeparator()
688 fmenu.Append(self.ID_TRANSLATE, "Save as Xen ACM Security Policy ...\talt-t", "Create Xen ACM security policy")
689 fmenu.AppendSeparator()
690 fmenu.Append(self.ID_NEW, "New\tctrl-n", "Create a new oganization definition")
691 fmenu.AppendSeparator()
692 fmenu.Append(self.ID_EXIT, "Exit\tctrl-x", "Terminate the program")
693 self.fmenu = fmenu
695 # -Edit
696 emenu = wx.Menu()
697 emenu.Append(self.ID_ITRENAME, "Rename\tctrl-r", "Rename Selected Organization/Department")
698 emenu.Append(self.ID_ITADD, "Add\tctrl-a", "Add Child to Selected Organization/Department")
699 emenu.Append(self.ID_ITDEL, "Delete\tctrl-d", "Delete Selected Organization/Department")
700 self.emenu = emenu
701 # -Help
702 hmenu = wx.Menu()
703 hmenu.Append(self.ID_HELP, "Step-By-Step Help\tctrl-h", "More information about this program")
704 hmenu.Append(self.ID_ABOUT, "About", "More information about this program")
705 self.hmenu = hmenu
707 # -View
708 vmenu = wx.Menu()
709 vmenu.Append(self.ID_SORTALL, "Sort All", "Sort Entries In All Trees")
710 vmenu.Append(self.ID_COLLAPSEALL, "Collapse All\tctrl-c", "Collapse All Trees")
711 vmenu.Append(self.ID_EXPANDALL, "Expand All\tctrl-e", "Expand All Trees")
712 self.vmenu = vmenu
714 menuBar = wx.MenuBar()
715 menuBar.Append(fmenu, "&File");
716 menuBar.Append(emenu, "&Edit");
717 menuBar.Append(vmenu, "&View");
718 menuBar.Append(hmenu, "&Help");
720 self.SetMenuBar(menuBar)
722 self.Bind(wx.EVT_MENU, self._OpenSpec, id=self.ID_OPEN)
723 self.Bind(wx.EVT_MENU, self._SaveSpec, id=self.ID_SAVE)
724 self.Bind(wx.EVT_MENU, self._SaveAsSpec,id=self.ID_SAVEAS)
725 self.Bind(wx.EVT_MENU, self._NewSpec, id=self.ID_NEW)
726 self.Bind(wx.EVT_MENU, self._TimeToQuit,id=self.ID_EXIT)
727 self.Bind(wx.EVT_MENU, self._TranslateSpec, id=self.ID_TRANSLATE)
729 self.Bind(wx.EVT_MENU, self._ItemRename, id=self.ID_ITRENAME)
730 self.Bind(wx.EVT_MENU, self._ItemAdd, id=self.ID_ITADD)
731 self.Bind(wx.EVT_MENU, self._ItemDel, id=self.ID_ITDEL)
733 self.Bind(wx.EVT_MENU, self._SortAll, id=self.ID_SORTALL)
734 self.Bind(wx.EVT_MENU, self._CollapseAll,id=self.ID_COLLAPSEALL)
735 self.Bind(wx.EVT_MENU, self._ExpandAll, id=self.ID_EXPANDALL)
737 self.Bind(wx.EVT_MENU, self._Help, id=self.ID_HELP)
738 self.Bind(wx.EVT_MENU, self._OnAbout, id=self.ID_ABOUT)
739 self.Bind(wx.EVT_CLOSE, self._TimeToQuit)
742 def RefreshMe(self):
743 size=self.GetSize()
744 self.Fit()
745 self.SetSize(size)
747 #helper methods
748 def Load(self, file):
749 self.orgfilename = file
750 dictname = 'ezpolicy'
751 d = {}
752 # read in the config file
753 globs = {}
754 locs = {}
755 execfile(file, globs, locs)
756 for (k, v) in locs.items():
757 if k == dictname:
758 d = v
759 break
760 dict2org(d)
761 self.orgspanel.orgs.UnselectAll()
762 self.SetTitle("ezPolicy: " + self.orgfilename)
763 self._ExpandAll(None)
766 def Save(self, file):
767 dictname = 'ezpolicy'
768 d = org2dict()
769 fd = open(file, "w")
770 fd.write(dictname + " = ")
771 fd.write(str(d))
772 fd.close()
775 def New(self):
776 self.orgspanel.orgs.DeleteChildren(self.orgspanel.orgs.GetRootItem())
777 self.conspanel.New()
780 def LabelReplaceInConflictsets(self, item, oldlabel, newlabel):
781 if isRealm(item):
782 replace = [[ oldlabel, newlabel]]
783 for i in iterchildren(item):
784 replace.append([(oldlabel + "." + self.orgs.GetItemText(i)),
785 (newlabel + "." + self.orgs.GetItemText(i))])
786 else:
787 parent = self.orgs.GetItemParent(item)
788 replace = [
789 [(self.orgs.GetItemText(parent) + "." + oldlabel),
790 (self.orgs.GetItemText(parent) + "." + newlabel)]
791 ]
792 for r in replace:
793 for i in self.conspanel.conflictsets:
794 if r[0] in i.GetTypes():
795 i.Replace(r[0], r[1])
798 def OrgDelItem(self, item):
799 label = self.orgs.GetItemText(item)
800 if isRealm(item):
801 delset = [label]
802 for i in iterchildren(item):
803 delset.append(label + "." + self.orgs.GetItemText(i))
804 else:
805 parent = self.orgs.GetItemParent(item)
806 delset = [self.orgs.GetItemText(parent) + "." + label]
807 for i in self.conspanel.conflictsets:
808 for l in delset:
809 i.Delete(l)
810 #need to run in reverse order when deleting items
811 rev = []
812 for i in self.conspanel.conflictsets:
813 rev.append(i)
814 rev.reverse()
815 for i in rev:
816 if len(i.GetTypes()) < 1:
817 self.conspanel.DelCSByItem(i)
818 self.orgs.Delete(item)
821 def _OnSashDrag(self, event):
822 if event.GetDragStatus() == wx.SASH_STATUS_OUT_OF_RANGE:
823 return
824 w = event.GetEventObject()
825 if w is self.conswin:
826 self.conswin.SetDefaultSize((event.GetDragRect().width, 1000))
827 wx.LayoutAlgorithm().LayoutWindow(self.bkg, self.orgswin)
828 self.RefreshMe()
831 def _OnSize(self, event):
832 wx.LayoutAlgorithm().LayoutWindow(self.bkg, self.orgswin)
835 def _OrgSelectionChanged(self, event):
836 self.orgs.event = event
837 item = self.orgs.event.GetItem()
838 if not item.IsOk() or not self.orgs.IsSelected(item):
839 self.emenu.Enable(self.ID_ITRENAME, False)
840 self.emenu.Enable(self.ID_ITADD, False)
841 self.emenu.Enable(self.ID_ITDEL, False)
842 return
843 self.SetStatusText("")
844 #enable/disable edit menu functions
845 if isRealm(item):
846 self.emenu.Enable(self.ID_ITRENAME, True)
847 self.emenu.Enable(self.ID_ITADD, True)
848 self.emenu.Enable(self.ID_ITDEL, True)
849 elif isWorkload(item):
850 self.emenu.Enable(self.ID_ITRENAME, True)
851 self.emenu.Enable(self.ID_ITADD, False)
852 self.emenu.Enable(self.ID_ITDEL, True)
853 if len(self.orgs.GetSelections()) > 1:
854 self.emenu.Enable(self.ID_ITRENAME, False)
855 self.emenu.Enable(self.ID_ITADD, False)
858 def _OrgRightClick(self, event):
859 self.SetStatusText("")
860 self.orgs.event = event
861 item = self.orgs.event.GetItem()
862 #del not permitted on root items
863 if isWorkload(item):
864 self.workload_menu.Enable(self.ID_ORGDEL, True)
865 self.workload_menu.Enable(self.ID_ORGEDT, True)
866 if len(self.orgs.GetSelections()) > 1:
867 self.workload_menu.Enable(self.ID_ORGEDT, False)
868 self.PopupMenu(self.workload_menu)
869 else:
870 self.realm_menu.Enable(self.ID_ORGDEL, True)
871 self.realm_menu.Enable(self.ID_ORGEDT, True)
872 self.realm_menu.Enable(self.ID_ORGADD, True)
873 if len(self.orgs.GetSelections()) > 1:
874 self.realm_menu.Enable(self.ID_ORGEDT, False)
875 self.realm_menu.Enable(self.ID_ORGADD, False)
876 self.PopupMenu(self.realm_menu)
879 def _OpenSpec(self, event):
880 filediag = wx.FileDialog(self, defaultFile="myspec.wld",
881 wildcard="*.wld", style=wx.OPEN,
882 message="Select Workload Definition file name")
883 ret = filediag.ShowModal()
884 name = filediag.GetPath()
885 filediag.Destroy()
886 if ret not in [wx.ID_OK]:
887 return
888 self.orgfilename = name
889 self.Load(self.orgfilename)
890 self.SetTitle("ezPolicy: " + self.orgfilename)
893 def _SaveSpec(self, event):
894 if not self.orgfilename:
895 filediag = wx.FileDialog(self, defaultFile="myspec.wld",
896 wildcard="*.wld", style=wx.SAVE | wx.OVERWRITE_PROMPT,
897 message="Select Workload Definition file name")
898 ret = filediag.ShowModal()
899 name = filediag.GetPath()
900 filediag.Destroy()
901 if ret not in [wx.ID_OK]:
902 return
903 self.orgfilename = name
904 self.Save(self.orgfilename)
905 self.SetTitle("ezPolicy: " + self.orgfilename)
908 def _SaveAsSpec(self, event):
909 if not self.orgfilename:
910 self.orgfilename = "DEFAULT.wld"
911 filediag = wx.FileDialog(self, defaultFile=self.orgfilename,
912 wildcard="*.wld", style=wx.SAVE | wx.OVERWRITE_PROMPT,
913 message="Select Workload Definition file name")
914 ret = filediag.ShowModal()
915 name = filediag.GetPath()
916 filediag.Destroy()
917 if ret not in [wx.ID_OK]:
918 return
919 self.orgfilename = name
920 self.Save(self.orgfilename)
921 self.SetTitle("ezPolicy: " + self.orgfilename)
924 def _NewSpec(self, event):
925 self.orgfilename = None
926 #reset trees etc
927 self.New()
928 self.SetTitle("ezPolicy: *New File*")
931 def _TranslateSpec(self, event):
932 policyname = transInfo()
933 if not policyname:
934 return
935 path="/etc/xen/acm-security/policies/"
936 nameparts=string.split(policyname, ".")
937 if len(nameparts) > 1:
938 path = path + "/".join(nameparts[0:len(nameparts)-1])
939 deffile = nameparts[len(nameparts) - 1] + "-security_policy.xml"
940 filediag = wx.FileDialog(self, defaultDir=path, defaultFile=deffile,
941 wildcard="*.xml", message="Select Policy File Name",
942 style=wx.SAVE | wx.OVERWRITE_PROMPT)
943 ret = filediag.ShowModal()
944 filename = filediag.GetPath()
945 filediag.Destroy()
946 if ret not in [wx.ID_OK]:
947 return
948 #translate data into default policy
949 timestamp = time.asctime()
950 d = org2dict()
951 types = []
952 for i in d['orgs']:
953 types.append(str(i[0]))
954 for j in i[1]:
955 types.append(str(i[0]) + "." + str(j))
956 f = open(filename, "w")
957 printPolicyHeader (f, policyname, timestamp)
958 printPolicy(f, types, d['cons'])
959 printLabels(f, d, types)#, d['cons'])
960 printTrailer(f)
961 f.close()
964 def _ItemRename(self, event):
965 #ensure only 1 item is selected
966 sels = self.orgs.GetSelections()
967 if len(sels) != 1:
968 return
969 self.orgs.OrgEdt(sels[0])
972 def _ItemAdd(self, event):
973 #ensure only 1 item is selected + add figure
974 sels = self.orgs.GetSelections()
975 if len(sels) != 1:
976 return
977 self.orgs.OrgWAdd(sels[0])
980 def _ItemDel(self, event):
981 sels = self.orgs.GetSelections()
982 for i in sels:
983 self.OrgDelItem(i)
986 def _CollapseAll(self, event):
987 for i in iterchildren(self.orgs.GetRootItem()):
988 self.orgs.Collapse(i)
991 def _ExpandAll(self, event):
992 for i in iterchildren(self.orgs.GetRootItem()):
993 self.orgs.Expand(i)
996 def _SortAll(self, event):
997 #would be nice to also sort the organizations
998 for i in iterchildren(self.orgs.GetRootItem()):
999 if self.orgs.GetChildrenCount(i) > 0:
1000 self.orgs.SortChildren(i)
1003 def _OnAbout(self, event):
1004 dlg = wx.MessageDialog(self,
1005 "This program helps you to define the structure\n"
1006 "of organizations and their departments.\n\n"
1007 "It translates this \'Workload Definition\' into\n"
1008 "a simple workload protection policy for the\n"
1009 "Xen Access Control Module.\n\n\n"
1010 "Copyright (c) 2006: IBM Corporation\n"
1011 "Author:\nReiner Sailer <sailer@us.ibm.com>",
1012 "About Me", wx.OK | wx.ICON_INFORMATION)
1013 dlg.ShowModal()
1014 dlg.Destroy()
1017 def _Help(self, event):
1018 hpopup = wx.Frame(self,-1, "HELP: Creating a Xen Security Policy in 3 Steps" )
1019 HelpHtmlWindow(hpopup, -1)
1020 hpopup.SetSize((650,650))
1021 hpopup.Show(True)
1024 def _TimeToQuit(self, event):
1025 self.Bind(wx.EVT_CLOSE, None)
1026 self.orgs.Bind(wx.EVT_TREE_ITEM_RIGHT_CLICK, None)
1027 self.orgs.Bind(wx.EVT_TREE_SEL_CHANGED, None)
1028 self.Close(True)
1031 class ezApp(wx.App):
1033 def OnInit(self):
1034 self.win = ezFrame(None, -1, title="EZ Workload Protection Policy Tool")
1035 self.win.Show(True)
1036 self.SetTopWindow(self.win)
1037 return True
1040 def Load(self, file):
1041 self.win.Load(file)
1044 def New(self):
1045 self.win.New()
1048 def isRealm(it):
1049 if not it:
1050 return False
1051 return (app.win.orgspanel.orgs.GetItemParent(it) == app.win.orgspanel.orgs.GetRootItem())
1054 def isWorkload(it):
1055 if not it or not app.win.orgs.GetItemParent(it):
1056 return False
1057 return (app.win.orgspanel.orgs.GetItemParent(app.win.orgspanel.orgs.GetItemParent(it))
1058 == app.win.orgspanel.orgs.GetRootItem())
1061 def GetOrgsSelection():
1062 return (app.win.orgspanel.orgs, app.win.orgspanel.orgs.GetSelections())
1065 def transInfo():
1066 info = wx.TextEntryDialog(app.win, message="POLICYNAME",
1067 caption="Translate: Creating The Xen/ACM Policy")
1068 ret = info.ShowModal()
1069 name = info.GetValue()
1070 info.Destroy()
1071 if ret in [wx.ID_OK]:
1072 return name
1073 return None
1076 def iterchildren(node):
1077 cid, citem = app.win.orgspanel.orgs.GetFirstChild(node)
1078 while cid.IsOk():
1079 yield cid
1080 cid, citem = app.win.orgspanel.orgs.GetNextChild(node, citem)
1083 def dict2org(d):
1084 # release old structure
1085 app.New()
1086 # fill them with dict content
1087 for i in d['orgs']:
1088 orgnode = app.win.orgspanel.orgs.AppendItem(app.win.orgspanel.orgs.GetRootItem(), text=i[0])
1089 app.win.orgspanel.orgs.SetItemBold(orgnode, True)
1090 app.win.orgspanel.orgs.SetItemImage(orgnode, realm_icon, wx.TreeItemIcon_Normal)
1091 for j in i[1]:
1092 wlnode = app.win.orgspanel.orgs.AppendItem(orgnode, text=j)
1093 app.win.orgspanel.orgs.SetItemImage(wlnode, workload_icon, wx.TreeItemIcon_Normal)
1094 for i in d['cons']:
1095 app.win.conspanel.AddConflict(i[0], i[1])
1098 def org2dict():
1099 global app
1100 dic = {}
1101 o= []
1102 for i in iterchildren(app.win.orgs.GetRootItem()):
1103 d = []
1104 for j in iterchildren(i):
1105 d.append(str(app.win.orgspanel.orgs.GetItemText(j)))
1106 o.append([str(app.win.orgspanel.orgs.GetItemText(i)) , d])
1107 dic['orgs'] = o
1108 c=[]
1109 for i in app.win.conspanel.conflictsets:
1110 c.append([i.GetBoxName() , i.GetTypes()])
1111 dic['cons'] = c
1112 return dic
1115 def dict_read(dictname, filename):
1116 """Loads <filename> and returns the dictionary named <dictname> from
1117 the file.
1118 """
1119 dic = {}
1121 # read in the config file
1122 globs = {}
1123 locs = {}
1124 execfile(filename, globs, locs)
1126 for (k, v) in locs.items():
1127 if k == dictname:
1128 dic = v
1129 break
1130 return dic
1132 #==================== Policy Generation/Translation functions
1134 def printPolicyHeader (fd, policyname, timestamp):
1135 fd.write( """<?xml version=\"1.0\" encoding=\"UTF-8\"?>
1136 <!-- Auto-generated by ezPolicy -->
1137 <SecurityPolicyDefinition xmlns=\"http://www.ibm.com\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:schemaLocation=\"http://www.ibm.com ../../security_policy.xsd \">
1138 <PolicyHeader>
1139 <PolicyName>%s</PolicyName>
1140 <Date>%s</Date>
1141 </PolicyHeader>
1142 """ % (policyname, timestamp))
1146 def printPolicy(fd, types, cons):
1147 fd.write("""
1148 <SimpleTypeEnforcement>
1149 <SimpleTypeEnforcementTypes>
1150 <Type>SystemManagement</Type>\n""")
1152 # add dynamically created type definitions org.dept
1153 for i in types:
1154 fd.write(""" <Type>%s</Type>\n""" % i)
1156 fd.write(""" </SimpleTypeEnforcementTypes>
1157 </SimpleTypeEnforcement>
1159 <ChineseWall priority="PrimaryPolicyComponent">
1160 <ChineseWallTypes>
1161 <Type>SystemManagement</Type>\n""")
1163 #add dinamically created cw types
1164 for i in types:
1165 fd.write(""" <Type>%s</Type>\n""" % i)
1167 fd.write(""" </ChineseWallTypes>\n\n""")
1169 if len(cons):
1170 fd.write(""" <ConflictSets>\n""")
1171 for i in cons:
1172 if len(i[1]) < 2:
1173 print "Ignoring Run-time exclusion set %s (less than 2 types}" % i[0]
1174 continue
1175 #name is optional but must be set
1176 if i[0]:
1177 rer_name = str(i[0])
1178 else:
1179 rer_name = str("RER")
1180 fd.write(""" <Conflict name=\"%s\">\n""" % rer_name)
1181 for j in i[1]:
1182 fd.write(""" <Type>%s</Type>\n""" % str(j))
1183 fd.write(""" </Conflict>\n""")
1184 fd.write(""" </ConflictSets>\n""")
1186 fd.write(""" </ChineseWall>\n\n""")
1190 def printLabels(fd, d, types): #, cons):
1191 fd.write( """ <SecurityLabelTemplate>
1192 <SubjectLabels bootstrap=\"SystemManagement\">""")
1194 # create default boot label for dom0
1195 fd.write("""\n <VirtualMachineLabel>
1196 <Name>SystemManagement</Name>
1197 <SimpleTypeEnforcementTypes>
1198 <Type>SystemManagement</Type>\n""")
1199 # add dynamically created type definitions org.dept
1200 for i in types:
1201 fd.write(""" <Type>%s</Type>\n""" % i)
1203 fd.write(""" </SimpleTypeEnforcementTypes>
1204 <ChineseWallTypes>
1205 <Type>SystemManagement</Type>
1206 </ChineseWallTypes>
1207 </VirtualMachineLabel>\n""")
1209 # create one Udom label for each type ste type
1210 for i in d['orgs']:
1211 organization = i[0]
1212 fd.write("""\n <VirtualMachineLabel>
1213 <Name>%s</Name>
1214 <SimpleTypeEnforcementTypes>
1215 <Type>%s</Type>
1216 </SimpleTypeEnforcementTypes>
1217 <ChineseWallTypes>
1218 <Type>%s</Type>
1219 </ChineseWallTypes>
1220 </VirtualMachineLabel>\n""" % (organization, organization, organization))
1221 for j in i[1]:
1222 workload = organization + "." + j
1223 fd.write("""\n <VirtualMachineLabel>
1224 <Name>%s</Name>
1225 <SimpleTypeEnforcementTypes>
1226 <Type>%s</Type>
1227 </SimpleTypeEnforcementTypes>
1228 <ChineseWallTypes>
1229 <Type>%s</Type>
1230 <Type>%s</Type>
1231 </ChineseWallTypes>
1232 </VirtualMachineLabel>\n""" % (workload, workload, organization , workload))
1234 fd.write(""" </SubjectLabels>\n\n""")
1236 #create resource labels for each type
1237 fd.write(""" <ObjectLabels>""")
1238 for i in ['SystemManagement'] + types:
1239 fd.write("""\n <ResourceLabel>
1240 <Name>%s</Name>
1241 <SimpleTypeEnforcementTypes>
1242 <Type>%s</Type>
1243 </SimpleTypeEnforcementTypes>
1244 </ResourceLabel>\n""" % (i, i))
1245 fd.write(""" </ObjectLabels>
1246 </SecurityLabelTemplate>\n""")
1248 def printTrailer(fd):
1249 fd.write( """</SecurityPolicyDefinition>\n""")
1251 #============== the icons/bitmaps ======================================
1252 # to ensure the program runs anywhere, we include the buttons right here
1253 # while this makes the file even bigger, it also makes it easier to use
1254 import cStringIO
1256 def GetIconBitmap(name):
1257 return wx.BitmapFromImage(GetIconImage(name))
1259 def GetIconImage(name):
1260 if name == 'Organization':
1261 iostream = cStringIO.StringIO(GetOrganizationIconData())
1262 elif name == 'Department':
1263 iostream = cStringIO.StringIO(GetDepartmentIconData())
1264 elif name == 'Conflict':
1265 iostream = cStringIO.StringIO(GetConflictIconData())
1266 else:
1267 sys.exit("UNKNOWN ICON NAME")
1268 return wx.ImageFromStream(iostream)
1270 def GetOrganizationIconData():
1271 return \
1272 '\x89PNG\x0d\x0a\x1a\x0a\x00\x00\x00\x0d\x49\x48\x44\x52\
1273 \x00\x00\x00\x10\x00\x00\x00\x11\x08\x02\x00\x00\x00\x5b\xcd\xbb\
1274 \x93\x00\x00\x00\x03\x73\x42\x49\x54\x08\x08\x08\xdb\xe1\x4f\xe0\
1275 \x00\x00\x02\x7b\x49\x44\x41\x54\x28\x91\x5d\xd1\xcb\x4f\x13\x51\
1276 \x14\x06\xf0\x73\x1f\x74\x3a\x33\x9d\x96\x87\x0a\x14\x30\x3c\xd4\
1277 \x60\x34\xf1\xb1\x70\xa5\x26\x2e\xfc\x87\x4d\xdc\x18\x17\x26\x08\
1278 \x26\x44\x01\xc1\x07\x10\x52\x1e\x96\xb6\x94\x4a\x87\x0e\x33\x73\
1279 \xef\xdc\x7b\xcf\x71\x01\x31\x81\x6f\x73\x36\xe7\xb7\xf8\xf2\x31\
1280 \x22\x82\xab\x50\x51\x68\xa5\xd2\x6e\x77\xbf\xdd\xf8\x36\x52\x1b\
1281 \x5f\x78\xfc\xc6\x0f\x6b\x70\x3d\xf2\xea\x97\x28\x8e\xbb\xfd\x7e\
1282 \xd7\xb9\xb4\x3e\xe9\xe3\x99\x1d\x34\x3f\x34\xb9\xaa\x2f\xbe\x0d\
1283 \x2a\xa3\x8c\xb1\xff\x80\x5f\x1e\x63\x4c\x9a\x1e\x23\xaa\x24\xd1\
1284 \x8c\x91\xe0\xae\x04\xb1\xed\x7e\x6a\xff\x7e\x7f\x11\xb7\x01\xe8\
1285 \x26\x90\x52\x02\x98\x30\xac\xf8\x7e\x95\x88\x13\x5a\x0e\x4e\xe0\
1286 \xb9\xe9\x6f\xf5\xbb\x87\x5a\x17\x37\x01\xe7\x1c\x00\x38\x37\x9e\
1287 \x87\x9c\x91\xb3\xce\x21\x2f\xc8\x4b\xac\xec\xf5\xf6\x76\xd7\xdf\
1288 \xa9\x6c\x70\xad\x03\x00\x30\xc6\x6b\x35\x19\x86\x5c\x48\x42\x59\
1289 \x71\xd1\x3d\x88\x26\x82\x68\x8a\xf4\xa0\x68\x7f\x69\xed\xc0\x9d\
1290 \xb9\xd7\x41\xf5\xf6\x15\x50\x2a\x07\x60\xe5\xb2\x04\x00\x6b\x1d\
1291 \x56\x67\x71\x68\xbc\x67\x43\xe3\xa2\x49\x8c\xcb\x10\xe7\xad\xa5\
1292 \x53\x80\x5b\xb3\xaf\xa4\x52\x79\x9e\x0f\x8c\x4d\x01\xdc\x25\xb6\
1293 \x08\x27\x38\xaa\xb9\x3b\x4a\xb4\x13\x30\x02\x69\xc0\x1c\xc7\x9e\
1294 \xea\x2c\x1f\x1b\x23\x9b\xad\x46\xaa\xce\x53\x60\x7e\x09\xa7\x2e\
1295 \x81\xc3\xf6\x05\x58\xc7\x12\x2c\x45\x1e\x17\x45\xce\x19\x32\x42\
1296 \x61\xbb\x67\xad\x75\x79\xd0\x69\x9f\x23\x0e\xc0\x1f\x2e\xb3\x67\
1297 \x00\x00\x80\x04\x85\x25\x72\x56\x7a\xa1\xc7\x32\x61\x33\xb8\x1a\
1298 \x97\xca\xc1\xa8\x74\xa2\xd2\xd3\x8a\x0b\xc8\x0c\x68\xa5\x8c\xb1\
1299 \x8e\x0d\x21\x22\x3a\xc7\x3c\xe9\x51\x21\x51\x01\x21\x00\x38\xe4\
1300 \x95\xb1\xfb\x7c\xb8\x12\x0a\x00\xb2\x46\x19\x6c\xfd\x39\xdc\xda\
1301 \xda\x56\xca\x5c\x6e\x6f\xb4\x4e\xe2\x93\xbf\x49\xac\x8d\x23\x00\
1302 \xc7\x82\x70\x64\x5a\xd6\xc2\x00\x6d\x47\x08\x40\x12\x8d\x9d\x5f\
1303 \x5f\x77\xe2\xdb\x33\x73\x51\x89\x98\x60\x71\xaf\xf9\xf3\x70\xa5\
1304 \x99\x1c\x3c\x19\xe3\xf5\x9a\x57\x1d\x1e\xf5\x82\x31\x59\xe8\x84\
1305 \x9b\x6c\x38\x08\x98\xc7\xb2\x76\x7a\xd2\xcf\x38\xc0\xf3\x49\xe6\
1306 \x97\x82\xc1\xc9\xd2\x86\x5b\xdf\x3f\x75\x8d\x01\x3d\xb9\x55\x79\
1307 \x51\xf2\x26\x84\x2f\x3f\xaf\x7d\x0c\xfd\xe0\xe9\xdd\xa7\xbe\x70\
1308 \xdb\x1d\x1f\x31\x16\x9c\xcd\x4f\x8d\x29\xad\x3b\x71\x13\x88\x72\
1309 \x8d\x22\xa2\x8d\x63\xdd\xef\x37\xa2\xf9\x16\xdf\x6d\x6f\x4a\x91\
1310 \xf9\x43\xae\x1a\xf9\x82\x0b\x21\xf8\x45\x9a\x69\x5d\x74\xba\xa7\
1311 \x44\x90\xb7\x1c\x9d\x1b\x8c\x2d\xa5\xf4\xeb\xa8\xb9\x77\xb4\x2f\
1312 \x1f\xd5\x17\xbf\x6f\xad\x2d\xaf\xad\x3e\x9c\x78\x50\xaf\x08\xa5\
1313 \xcc\xee\xee\xfe\x4e\x63\x73\xe5\xc7\xea\x41\xe3\xf8\x0e\x8a\x97\
1314 \xf7\x66\x92\x3c\xa9\x4f\x4f\x64\xa5\xb9\x87\x0b\x8b\xff\x00\x63\
1315 \xce\x84\xe6\xf7\x5b\x7e\xce\x00\x00\x00\x00\x49\x45\x4e\x44\xae\
1316 \x42\x60\x82'
1318 def GetDepartmentIconData():
1319 return \
1320 '\x89PNG\x0d\x0a\x1a\x0a\x00\x00\x00\x0d\x49\x48\x44\x52\
1321 \x00\x00\x00\x10\x00\x00\x00\x11\x08\x06\x00\x00\x00\xd4\xaf\x2c\
1322 \xc4\x00\x00\x00\x04\x73\x42\x49\x54\x08\x08\x08\x08\x7c\x08\x64\
1323 \x88\x00\x00\x01\x52\x49\x44\x41\x54\x38\x8d\xd5\x92\x3d\x4b\x42\
1324 \x61\x18\x86\xaf\xf3\xfa\xfa\x81\xa9\x58\x48\x60\x08\x49\xd2\x26\
1325 \xb4\x37\x4a\x14\x6d\x6d\x42\x42\x7f\x20\x68\xae\x31\x28\xff\x85\
1326 \x83\xd0\x90\x05\x0d\x6d\x0d\xd2\x2a\x89\x24\x48\xb8\x85\x49\x1a\
1327 \x48\x87\xd4\xca\x93\xbe\xd4\x69\x38\x39\x1c\xa8\x34\x1a\xa2\x7b\
1328 \xbb\x79\xb8\xaf\x87\xe7\x43\x0b\x2f\x6c\xad\x05\x23\x4b\x39\x4d\
1329 \x38\x5d\xe6\xdb\x80\x9b\xab\xd3\x7a\xaf\x96\x99\x65\x4c\xc9\xfb\
1330 \x97\xd9\xdc\x43\xb3\xef\x82\x3e\xaf\xc6\x2d\x4a\x9b\x33\xc7\x0d\
1331 \x03\x48\x25\xa3\x4e\x25\x86\x0d\x0d\xbc\x8e\x8e\xff\x28\x95\x3a\
1332 \x70\x08\x21\x01\x0e\xcb\xe5\x5a\xb6\x52\xd9\xfe\x12\x60\x73\xa6\
1333 \x62\x7f\xae\x3a\x15\xf5\xf8\x52\x00\x8d\x6e\x97\xc5\x40\xe0\x32\
1334 \x0b\xdb\x00\x3e\x9f\xf0\xa4\xd3\x33\x9b\x5e\xaf\x70\x01\xe4\xf3\
1335 \x9d\xb6\x1d\xf0\xd6\x67\x3d\xe4\x60\xfa\xc3\xb6\x0d\x03\xb7\x10\
1336 \xc3\xaa\xd8\xd9\x99\x3c\x49\x24\x3c\xab\x00\xdd\xae\xc2\x30\x1e\
1337 \xaf\xed\x80\xef\xe5\x4e\x26\xf5\x95\x58\x4c\x07\xa0\x50\x80\x60\
1338 \x10\xc4\x88\xd0\x48\xfd\x1a\x30\x72\x84\x62\x24\x12\x9b\xdf\xdd\
1339 \x3d\x33\x95\x12\x26\x7b\xda\x8f\x00\xe7\x42\x70\x1c\x8f\x07\x34\
1340 \x29\x97\x91\x12\xd0\x00\xfb\x9b\x7c\x0b\xd0\xc3\x61\x5a\xa1\x90\
1341 \x65\x06\x03\xcc\x4f\x5e\xec\xef\x97\xf8\xcf\x01\x4f\x4f\xd4\x25\
1342 \xbd\xea\x05\x4a\xb7\xee\xdb\xab\x3e\x17\x5a\xad\x89\xa0\xdb\x0d\
1343 \x40\x43\x08\x0d\xbf\xdf\xda\xbd\x52\x14\x8b\x26\x77\x4d\x2b\x5c\
1344 \x2a\xa1\x67\x32\x6c\xbc\x03\x17\xdb\x6e\x97\x68\x69\xf7\x4f\x00\
1345 \x00\x00\x00\x49\x45\x4e\x44\xae\x42\x60\x82'
1347 def GetConflictIconData():
1348 return \
1349 '\x89PNG\x0d\x0a\x1a\x0a\x00\x00\x00\x0d\x49\x48\x44\x52\
1350 \x00\x00\x00\x10\x00\x00\x00\x10\x08\x02\x00\x00\x00\x90\x91\x68\
1351 \x36\x00\x00\x00\x03\x73\x42\x49\x54\x08\x08\x08\xdb\xe1\x4f\xe0\
1352 \x00\x00\x02\x45\x49\x44\x41\x54\x28\x91\x6d\x92\x4f\x48\x9a\x71\
1353 \x18\xc7\x7f\xbe\xef\xab\xcd\xed\x95\xcd\x8c\x25\x83\xc0\x24\xa9\
1354 \xc3\x4a\x17\xce\xea\x96\x3b\xe4\x0e\x5d\xba\xce\xa8\x88\xe8\x20\
1355 \x1a\x15\x1d\x3a\x78\x09\xf2\xed\xcf\xe8\x32\x68\x45\x56\x93\x66\
1356 \x94\x78\x99\x53\x68\x4e\x1b\xe1\x61\x30\xc2\x19\x5b\x16\xac\x9c\
1357 \x76\x19\x92\x2e\x35\xa6\x7b\xf7\xda\xfb\x3e\x3b\xd8\x9c\x9b\x7e\
1358 \x8e\xdf\xdf\xf3\x81\xdf\xf3\x87\x07\x00\xe8\x0f\x99\xb3\xb3\xd0\
1359 \xca\xca\x17\x97\x2b\x75\x7a\x8a\xf1\xf9\x77\xea\xeb\xe5\x3a\xdd\
1360 \x83\xe1\xe1\x6a\x85\xa2\x58\xc3\x2b\x08\x5c\x3e\x1f\x98\x9a\xfa\
1361 \xb0\xb0\x80\xf3\xf9\x72\x9d\xae\x56\xa5\xe2\x58\x36\x13\x8b\x9d\
1362 \xb8\xdd\x3f\x2f\x2e\x1e\x8e\x8c\x3c\x9a\x9d\xc5\xab\xaa\x10\x42\
1363 \x08\x00\x38\x96\x75\xf6\xf4\x58\x78\xbc\x37\x46\x23\x9d\x4e\x43\
1364 \x09\x57\x34\xfd\x7e\x6e\x6e\x4e\x28\xb4\x6b\xb5\x2c\xc3\x00\x00\
1365 \x02\x80\x77\x93\x93\xd3\x08\x51\x04\x71\xec\x74\x42\x25\xbe\xfa\
1366 \x7c\xf3\x24\xb9\x63\x30\x00\x00\x4a\x45\x22\x33\x02\x81\xd7\x64\
1367 \x5a\x69\x6e\x9e\xe1\xf3\x8f\x1c\x8e\x8a\xce\xc7\xe5\x65\x0b\x86\
1368 \x7d\xdb\xdf\x47\xfe\x89\x89\xa7\x22\xd1\xaf\xcb\xcb\x6c\x22\x61\
1369 \x55\x2a\x29\x82\x08\x6f\x6d\x95\x0b\x1c\xcb\x3e\x57\x28\x3c\x43\
1370 \x43\x68\x5d\xa3\x71\x74\x77\x17\xd2\x5c\x32\x69\x55\xa9\x28\x82\
1371 \x38\xdc\xdc\x2c\x77\xbc\x26\xd3\xb3\xba\x3a\xec\xfb\xf1\xb1\xb8\
1372 \xa1\xa1\x30\x32\xa1\x44\xa2\xdf\xdd\xbd\xdb\xd2\xf2\xba\xbf\xff\
1373 \xd0\x6e\x47\xff\x22\x69\x6a\xfa\x11\x8f\x63\x1c\xcb\xb2\x0c\x53\
1374 \x4c\x85\xd5\xd5\x7a\xbf\xbf\x56\xa9\x74\x0f\x0c\x7c\xde\xd8\x28\
1375 \x15\x80\xe3\x80\xe3\xb0\xdb\x32\x59\x26\x1a\x2d\x7d\xb8\x21\x16\
1376 \x3f\xf1\xf9\xa4\xad\xad\x9e\xc1\xc1\x4f\x36\x5b\x31\x4f\x47\xa3\
1377 \xa4\x54\x8a\x7c\xe3\xe3\xf3\x24\x99\x4b\x26\xff\xfb\x31\x9d\x4a\
1378 \xad\x6b\x34\x14\x8e\x1f\xac\xad\x15\x9a\x5e\x6a\x6c\x74\xf5\xf5\
1379 \xa1\x44\x38\x4c\xe1\xf8\xdb\xd1\xd1\xf2\x2e\xe9\x74\xfa\x45\x7b\
1380 \xbb\x05\xc3\x42\x56\x6b\x70\x69\xc9\xc2\xe3\x9d\x05\x02\x08\x00\
1381 \x76\x0c\x06\x8a\x20\xc2\xdb\xdb\x15\x9c\x4c\xc6\xd6\xd1\x61\xc1\
1382 \xb0\x79\x92\x7c\xa5\xd7\x5f\x6f\x9a\x65\x98\x97\x9d\x9d\x14\x8e\
1383 \xef\x99\xcd\x57\x34\x5d\x2a\xb0\x0c\xb3\x67\x36\x4f\x23\xb4\xae\
1384 \x56\xe7\x73\x39\x00\xb8\x3e\xbe\x7c\x2e\xe7\x1b\x1b\x3b\x58\x5d\
1385 \xbd\x59\x53\x23\xef\xea\x2a\x0c\x3a\x13\x8b\x45\xbc\xde\x6c\x3c\
1386 \x7e\xbf\xb7\xf7\xf1\xe2\xa2\x40\x24\xfa\x7b\xad\x05\xe2\xc1\x60\
1387 \xc8\x6a\x3d\xf1\x78\xb2\xe7\xe7\x88\xe3\x6e\x49\xa5\x32\xad\x56\
1388 \x6d\x34\xde\x6b\x6b\x2b\xd6\xfc\x06\xb3\xcb\xb3\xdb\x2f\x3f\x31\
1389 \xa9\x00\x00\x00\x00\x49\x45\x4e\x44\xae\x42\x60\x82'
1391 #=============== help texts
1393 NewRealmButtonHelp = \
1394 "Use this button to add a new top-level REALM type. \n\n\
1395 You can refine an existing realm by right-clicking it \
1396 and selecting \"Add workload\" from the pop-up menu.\n\n<Ctrl>-h for help"
1398 RealmWorkloadPanelHelp = \
1399 "\
1400 Use this panel to define names for types of workloads that \
1401 shall be confined against each other.\n\n<Ctrl>-h for help"
1403 RunTimeExclusionPanelHelp = \
1404 "\
1405 The run-time exclusion rules restrict which workload types \
1406 can run simultaneously on the same platform. At most one \
1407 type in an exclusion rule can run. If a domain starts, its \
1408 workload type is looked up and if it is in any exclusion rule \
1409 of which another type is already running, then it is denied \
1410 to start.\n\n<Ctrl>-h for help"
1412 CreateRunTimeButtonHelp = \
1413 "\
1414 This button creates a new run-time exclusion rule using the \
1415 selection from the left side workload definition panel.\n\n<Ctrl>-h for help"
1417 AddToExclusionButtonHelp = \
1418 "\
1419 This button adds the current selection in the left side \
1420 workload definition panel to the associated exclusion rule.\n\n<Ctrl>-h for help"
1422 DelFromExclusionButtonHelp = \
1423 "\
1424 This button deletes the current selection of the associated \
1425 exclusion rule from the associated exclusion rule.\n\n<Ctrl>-h for help"
1427 ManageExclusionButtonHelp = \
1428 "\
1429 This button allows to rename or delete the associated exclusion \
1430 rule. Left-click the button for the menu.\n\n<Ctrl>-h for help"
1432 ExclusionSetHelp = \
1433 "\
1434 Of the workload types specified in an exclusion rule, \
1435 only one can run at a time on the same platform.\n\n<Ctrl>-h for help"
1437 GetHelp = \
1438 "\
1439 Use <CTRL>-h to open the help window. Use the context help on buttons."
1441 #================ html help page =================
1442 # for ez use included in a single file, one could also
1443 # optionally try to fetch the page from a public location
1444 import wx.html as html
1446 class HelpHtmlWindow(html.HtmlWindow):
1447 def __init__(self, parent, id):
1448 html.HtmlWindow.__init__(self, parent, id, style=wx.NO_FULL_REPAINT_ON_RESIZE)
1449 if "gtk2" in wx.PlatformInfo:
1450 self.SetStandardFonts()
1451 self.SetPage(helptext)
1453 helptext = """
1454 <HTML>
1455 <HEAD>
1456 <META http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
1457 <META name="GENERATOR" content="IBM WebSphere Studio Homepage Builder V6.0.2 for Windows">
1458 <META http-equiv="Content-Style-Type" content="text/css">
1459 <TITLE>Overview</TITLE>
1460 </HEAD>
1461 <BODY bgcolor="#dfdfdf" text="#000000">
1462 <H3><FONT color="#000000" face="Palatino Linotype">Creating A Xen Workload-Protection Security Policy</FONT></H3>
1463 <FONT face="Palatino Linotype">The purpose of this tool is to create a Xen security policy that understands
1464 the workload types that you want to confine against each other. For this
1465 purpose you enter the names of workload types that you want to assign to
1466 domains and resources. You can also define groups of workload types that
1467 should not run on the same system simultaneously for any reason; such groups
1468 are called Runtime Exclusion Sets. Please refer to the Xen User Guide for
1469 more information.<BR>
1470 <BR>
1471 This tool will create a unique security label for each workload type. Every
1472 domain and resource must be labeled so that the hypervisor system can correctly
1473 identify the associated workload type and control the sharing among domains
1474 in a way that keeps different workload types confined from each other.
1475 This tool ensures two things:<BR>
1476 <BR>
1477 1. The created security policy includes a distinctive label for each workload
1478 type defined in step 1 below. These labels must later be assigned to Domains
1479 and Resources to enable Xen to enforce the confinement.<BR>
1480 <BR>
1481 2. The created security policy includes access control rules that are enforced
1482 by the Xen Hypervisor (independently of the guest Domains) and guarantee
1483 that:</FONT>
1484 <BLOCKQUOTE><FONT face="Palatino Linotype">(i) Domains that are assigned the same workload type label can
1485 share (communicate,
1486 use common resources) without restriction through the hypervisor. Their
1487 interoperation can still be constraint by the domains (domain-internal
1488 means).</FONT></BLOCKQUOTE>
1489 <BLOCKQUOTE><FONT face="Palatino Linotype">(ii) Domains that are assigned different workload type labels cannot share,
1490 i.e., cannot communicate or use common resources. Independently enforced
1491 by the hypervisor, the domains cannot overrule this decision.</FONT></BLOCKQUOTE>
1492 <BLOCKQUOTE><FONT face="Palatino Linotype">(iii) Once a Domain labeled with a workload type of a Runtime Exclusion
1493 Rule is running, no other domain labeled with another workload type of
1494 the same Runtime Exclusion Rule can start. This holds for all Runtime Exclusion
1495 Rules.</FONT></BLOCKQUOTE>
1496 <FONT face="Palatino Linotype">While all workloads share common hardware resources, the core hypervisor
1497 isolation and virtualization in combination with the Xen access control
1498 policy ensure that, e.g., viruses in one workload type cannot infect other
1499 workload types and that secrets used within one workload type cannot leak
1500 into another workload type. Currently the Xen access control enforcement
1501 covers domains, local storage resources, and the local virtual network
1502 interfaces. Protecting sharing through the open network is subject of ongoing
1503 work; such protection must currently be setup manually using IP filtering
1504 rules in Domain0.
1505 <BR>
1506 </FONT>
1507 <H2><FONT color="#000000" face="Palatino Linotype">Step 1</FONT></H2>
1508 <FONT face="Palatino Linotype">The first step of creating a workload protection policy is to determine
1509 names for the different workload types. The left panel offers the means
1510 to define and and manage workload type definitions.<BR>
1511 <BR>
1512 A workload can be an organization name (coarse-grained type), e.g. a corporate
1513 realm such as IBM or PepsiCo. An organization can be refined to describe
1514 independent functional groupings within the organization, such as IBM.Financing
1515 or Pepsi.Payroll. Use the<B><I> &lt;New Org&gt;</I></B> button on the left panel
1516 to create a new organization workload. To refine such a workload, right-click the
1517 organization and chose <B><I>&lt;Add Department&gt;</I></B>. You can add multiple
1518 departments to an organization but you do not have to add any.<BR>
1519 <BR>
1520 This tool will create a separate label name for each organization and for
1521 each department workload. The policy will be computed so that there is
1522 no sharing between organizations or departments by default. IBM, IBM.Financing,
1523 Pepsi, and Pepsi.Payroll will by default not be able to share in this simple
1524 policy example. You can introduce controlled sharing by refining the policy,
1525 which is beyond the scope of this help.<BR>
1526 <BR>
1527 As an example, define the four organizations PepsiCo, CocaCola, Avis, Hertz.
1528 Define department workloads Payroll, HumanResources and Financing for Avis
1529 and CocaCola, and PepsiCo.<BR>
1530 </FONT>
1531 <H2><FONT color="#000000" face="Palatino Linotype">Step 2</FONT></H2>
1532 <FONT face="Palatino Linotype">In this second step, we enter those workload types that should not run
1533 simultaneously on the same hardware platform. There might be multiple reasons
1534 for this, e.g., imperfect resource control.<BR>
1535 <BR>
1536 As an example, we will create a policy that guarantees that PepsiCo workloads
1537 and CocaCola workloads never run simultaneously on the same platform: <BR>
1538 <BR>
1539 1. Select the PepsiCo organization on the left panel by left-clicking it..<BR>
1540 <BR>
1541 2. Press the &lt;Ctrl&gt;-Key and then select CocaCola organization by
1542 left-clicking it while keeping the &lt;Ctrl&gt;-Key pressed..<BR>
1543 <BR>
1544 3. Click the <B><I>&lt;Create run-time exclusion rule from selection&gt;</I></B>
1545 button and enter a name for this Run-time Exclusion rule (e.g., RER1). The name is
1546 for your reference only. It has no impact on the policy. On the right panel, a run-time
1547 exclusion rule with the chosen name appears. <BR>
1548 <BR>
1549 The interpretation of the rule is as follows: If a domain labeled PepsiCo
1550 is running, then another domain labeled CocaCola cannot start on the same
1551 system and the other way round. This also holds for departments of PepsiCo
1552 and CocaCola (organizations dominate their departments). If PepsiCo or
1553 PepsiCo.Payroll etc. are running, then a domain with label CocaCola or
1554 CocaCola.Payroll etc. cannot start. If you want to restrict concurrency
1555 between specific subtypes, then you must create a Run-time Exclusion rule
1556 that specifies the department workload types. To exclude only CocaCola.Payroll
1557 and PepsiCo.Payroll from running simultaneously the Run-time Exclusion
1558 rule must be formed using Coca.Cola.Payroll and PepsiCo.Payroll, not their
1559 organizations. Consequently it does not make sense to add both an organization
1560 and any of its departments to the same Run-time Exclusion rule because
1561 any department is already covered by its organization (this tool will not
1562 allow it).<BR>
1563 <BR>
1564 You can create multiple Run-time Exclusion rules, all of which will be
1565 enforced simultaneously by the hypervisor. You do not need to define any
1566 Run-time Exclusion rule if you do not find it necessary. You can add or
1567 delete workload types from Run-time Exclusion rules using the <B><I>&lt;Add&gt;</I></B>
1568 and <I><B>&lt;Del&gt;</B></I> buttons associated with the rule. The <I><B>&lt;Add&gt;</B></I>
1569 button adds the workload types selected in the left panel to the Run-time
1570 Exclusion rule. The <I><B>&lt;Del&gt;</B></I> button deletes the workload types selected
1571 in the associated Run-time Exclusion rule from the rule. <BR>
1572 </FONT>
1573 <H2><FONT color="#000000" face="Palatino Linotype">Step 3</FONT></H2>
1574 <FONT face="Palatino Linotype">Now that we have defined the workloads and Run-time Exclusion rules, we
1575 can save the workload definition for later reference or refinement. Select
1576 the <I><B>File-&gt;Save Workload
1577 Definition as..</B></I> menu entry and choose a file name.<BR>
1578 <BR>
1579 Please use the <B><I>File-&gt;Save as Xen ACM Security Policy..</I></B> menu entry and choose a policy
1580 name to create a Xen Workload Protection
1581 security policy from the current workload definition. To simplify the succeeding
1582 steps, please use a name of the form &quot;example.chwall_ste.NAME&quot;
1583 where you merely replace &quot;NAME&quot; with a policy name of your choice.
1584 Save the policy under the name proposed by the tool in the proposed directory
1585 if you are using this tool in your Xen environment. Otherwise, you need
1586 to copy the resulting file into your Xen environment to the directory
1587 &quot;/etc/xen/acm-security/policies/example/chwall_ste/&quot;.<BR>
1588 <BR>
1589 This tool creates policies for the Xen Chinese Wall and Simple Type Enforcement
1590 policy. The Xen access control policy in general is more expressive and
1591 this tool only uses a small subset of the possible configurations. <B><BR>
1592 <BR>
1593 Where to go from here.</B> <BR>
1594 <BR>
1595 Before the new policy can be activated, we need to translate the policy into a representation that
1596 Xen and the Xen-tools can work with. To this end, in your Xen environment, please issue the command
1597 <B><I>xm makepolicy example.chwall_ste.NAME</I></B> where NAME must be replaced by the name you chose
1598 for your policy in step 3 above. Then, we need to make the policy available to the Xen hypervisor. In
1599 your Xen environment, please issue the command <B><I>xm cfgbootpolicy example.chwall_ste.NAME</I></B>
1600 to install the policy for the next reboot. If the command cannot find the correct boot title, then you
1601 can manually install it as described in the xm man page.<BR>
1602 <BR>
1603 Finally, reboot your security-enabled Xen environment. Please refer to the xm man page for how to enable
1604 Xen security. After reboot, you can use <I><B>xm labels type=any</B></I> to list all the created workload l
1605 abels. Use the <I><B>xm addlabel</B></I> command to assign workload type labels to the associated domains
1606 and resources.<BR>
1607 <BR>
1608 From here, please check the Xen user guide.<BR>
1609 </FONT></BODY>
1610 </HTML>
1611 """
1613 #=============== main =====
1615 def main():
1616 global app
1617 app = ezApp(0)
1618 if len(sys.argv) in [2]:
1619 app.Load(sys.argv[1])
1620 app.MainLoop()
1621 print "Goodbye"
1623 if __name__ == '__main__':
1624 main()
1626 #==== end of file