ia64/xen-unstable

view tools/python/xen/xm/setpolicy.py @ 16522:54482c56e435

Implement legacy XML-RPC interface for ACM commands.

This patch moves the directory where xend writes policies
and resource labels to /var/lib/xend/security/policies.

Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
author Keir Fraser <keir.fraser@citrix.com>
date Wed Dec 05 09:45:13 2007 +0000 (2007-12-05)
parents 5255eac35270
1 #============================================================================
2 # This library is free software; you can redistribute it and/or
3 # modify it under the terms of version 2.1 of the GNU Lesser General Public
4 # License as published by the Free Software Foundation.
5 #
6 # This library is distributed in the hope that it will be useful,
7 # but WITHOUT ANY WARRANTY; without even the implied warranty of
8 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
9 # Lesser General Public License for more details.
10 #
11 # You should have received a copy of the GNU Lesser General Public
12 # License along with this library; if not, write to the Free Software
13 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
14 #============================================================================
15 # Copyright (C) 2007 International Business Machines Corp.
16 # Author: Stefan Berger <stefanb@us.ibm.com>
17 #============================================================================
19 """Get the managed policy of the system.
20 """
22 import os
23 import sys
24 import base64
25 import struct
26 import xen.util.xsm.xsm as security
27 from xen.util import xsconstants
28 from xen.util.xsm.acm.acm import install_policy_dir_prefix
29 from xen.util.acmpolicy import ACMPolicy, \
30 ACM_EVTCHN_SHARING_VIOLATION,\
31 ACM_GNTTAB_SHARING_VIOLATION, \
32 ACM_DOMAIN_LOOKUP, \
33 ACM_CHWALL_CONFLICT, \
34 ACM_SSIDREF_IN_USE
35 from xen.xm.opts import OptionError
36 from xen.xm import main as xm_main
37 from xen.xm.getpolicy import getpolicy
38 from xen.xm.main import server
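def help():
    """
    Return the usage text for 'xm setpolicy'.

    The text is returned, not printed; the caller decides where it goes.
    """
    # NOTE(review): the directory quoted in the text is a fixed string, while
    # setpolicy() searches install_policy_dir_prefix -- confirm the two agree.
    return """
Usage: xm setpolicy <policytype> <policyname>

Set the policy managed by xend.

The only policytype that is currently supported is 'ACM'.

The filename of the policy is the policy name plus the suffix
'-security_policy.xml'. The location of the policy file is either
the current directory or '/etc/xen/acm-security/policies'.

"""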
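def build_hv_error_message(errors):
    """
    Build a message from the error codes returned by the hypervisor.

    errors -- packed byte string made of consecutive 8-byte records, each
              holding two network-order signed 32-bit integers
              (code, data).  Trailing bytes that do not fill a whole
              record are ignored.

    Returns a single string that starts with "Hypervisor reported errors:"
    followed by one entry per record.  A code missing from the table is
    reported by its number instead of raising KeyError, so that malformed
    or newer error data cannot hide the policy failure being reported.
    """
    # Message text and the number of values carried in 'data' for each code.
    # Built once per call rather than once per record.
    err_msgs = {
        ACM_EVTCHN_SHARING_VIOLATION:
            ("event channel sharing violation between domains", 2),
        ACM_GNTTAB_SHARING_VIOLATION:
            ("grant table sharing violation between domains", 2),
        ACM_DOMAIN_LOOKUP:
            ("domain lookup", 1),
        ACM_CHWALL_CONFLICT:
            ("Chinese Wall conflict between domains", 2),
        ACM_SSIDREF_IN_USE:
            ("A domain used SSIDREF", 1),
    }

    parts = []
    # Visit every offset that still has a complete 8-byte record after it.
    for i in range(0, len(errors) - 7, 8):
        code, data = struct.unpack("!ii", errors[i:i+8])
        if code not in err_msgs:
            parts.append("unknown error code %d (data %d)" % (code, data))
            continue
        msg, num = err_msgs[code]
        if num == 1:
            parts.append("%s %d" % (msg, data))
        else:
            # 'data' is unpacked as signed, so mask the upper half: a plain
            # right shift would turn a set top bit into a negative number.
            parts.append("%s %d and %d" % (msg,
                                           (data >> 16) & 0xffff,
                                           data & 0xffff))

    txt = "Hypervisor reported errors:"
    if parts:
        # Separate the header and the entries so they do not run together.
        txt += " " + "; ".join(parts)
    return txt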
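def _set_policy_failure_text(xserr, errors):
    """
    Format the message for a policy installation that xend rejected.

    xserr  -- numeric status returned by xend.
    errors -- base64-encoded hypervisor error records; may be empty.
    """
    txt = "An error occurred trying to set the policy: %s." % \
          xsconstants.xserr2string(abs(xserr))
    if len(errors) > 0:
        txt += " " + build_hv_error_message(base64.b64decode(errors))
    return txt


def setpolicy(policytype, policy_name, flags, overwrite):
    """
    Read a policy file and ask xend to install it as the managed policy.

    policytype  -- policy type name; only xsconstants.ACM_POLICY_ID is
                   accepted (compared case-insensitively).
    policy_name -- dotted policy name; each '.' becomes a path separator
                   and '-security_policy.xml' is appended.
    flags       -- installation flags, passed to xend unchanged.
    overwrite   -- passed to xend unchanged.

    Raises OptionError for an unsupported policy type or an unreadable
    policy file, and security.XSMError when xend reports a different
    policy type or the installation fails.
    """
    if policytype.upper() != xsconstants.ACM_POLICY_ID:
        raise OptionError("Unsupported policytype '%s'." % policytype)
    xs_type = xsconstants.XS_POLICY_ACM

    # NOTE: the current directory is searched before the installed policy
    # directory, so a file of the same name in the working directory takes
    # precedence.  Run the command from a directory whose contents are
    # trusted.
    relative_name = "/".join(policy_name.split(".")) + "-security_policy.xml"
    for prefix in ['./', install_policy_dir_prefix + "/"]:
        policy_file = prefix + relative_name
        if os.path.exists(policy_file):
            break

    # Only I/O failures are turned into the "could not read" message; the
    # inner try/finally closes the file even when read() fails.
    try:
        f = open(policy_file, "r")
        try:
            xml = f.read()
        finally:
            f.close()
    except (IOError, OSError):
        raise OptionError("Could not read policy file from current"
                          " directory or '%s'." %
                          install_policy_dir_prefix)

    if xm_main.serverType == xm_main.SERVER_XEN_API:
        if xs_type != int(server.xenapi.XSPolicy.get_xstype()):
            raise security.XSMError("ACM policy type not supported.")

        try:
            policystate = server.xenapi.XSPolicy.set_xspolicy(xs_type,
                                                              xml,
                                                              flags,
                                                              overwrite)
        except Exception:
            # sys.exc_info() gives the active exception without relying on
            # a particular 'except' binding syntax.
            e = sys.exc_info()[1]
            raise security.XSMError("An error occurred setting the "
                                    "policy: %s" % str(e))
        xserr = int(policystate['xserr'])
        if xserr != xsconstants.XSERR_SUCCESS:
            raise security.XSMError(
                _set_policy_failure_text(xserr, policystate['errors']))
    else:
        # Non-Xen-API call.
        if xs_type != server.xend.security.get_xstype():
            raise security.XSMError("ACM policy type not supported.")

        rc, errors = server.xend.security.set_policy(xs_type,
                                                     xml,
                                                     flags,
                                                     overwrite)
        if rc != xsconstants.XSERR_SUCCESS:
            raise security.XSMError(_set_policy_failure_text(rc, errors))

    print("Successfully set the new policy.")
    getpolicy(False)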
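def main(argv):
    """
    Command-line entry point for 'xm setpolicy'.

    argv -- argument list; argv[1] is the policy type and argv[2] the
            policy name.  Any further entries are ignored.

    Raises OptionError when fewer than three entries are given and the
    help flag is absent.
    """
    # Check the help flag before the argument count so that
    # 'xm setpolicy -?' works on its own, and write the text out:
    # help() only returns it.
    if "-?" in argv:
        sys.stdout.write(help())
        return

    if len(argv) < 3:
        raise OptionError("Need at least 3 arguments.")

    policytype = argv[1]
    policy_name = argv[2]

    # The install flags and overwrite=True are fixed here; the command line
    # offers no way to request anything else.
    # NOTE(review): presumably XS_INST_LOAD | XS_INST_BOOT means "load now
    # and at boot" -- confirm against xsconstants.
    flags = xsconstants.XS_INST_LOAD | xsconstants.XS_INST_BOOT
    overwrite = True

    setpolicy(policytype, policy_name, flags, overwrite)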
if __name__ == '__main__':
    # Script entry: report any failure on stderr and exit with status -1.
    try:
        main(sys.argv)
    except Exception:
        failure = sys.exc_info()[1]
        sys.stderr.write('Error: %s\n' % str(failure))
        sys.exit(-1)