
changeset 17537:931932f5fc6d

[Xend/ACM] Embed the policy schema in the python file

This patch embeds the ACM policy's schema in the python file where the
schema is accessed for verifying the policy XML. This way, programs that
cannot access the protected directory in which the schema may be located
can also use this class.

Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
author Keir Fraser <keir.fraser@citrix.com>
date Thu May 01 09:55:06 2008 +0100 (2008-05-01)
parents 2ab9f85f221f
children 2cf9a8736bab
files tools/python/xen/util/acmpolicy.py
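--- a/tools/python/xen/util/acmpolicy.py	Thu May 01 09:53:26 2008 +0100
+++ b/tools/python/xen/util/acmpolicy.py	Thu May 01 09:55:06 2008 +0100
@@ -49,8 +49,6 @@ ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY = 2
 ACM_POLICY_UNDEFINED = 15
 
 
-ACM_SCHEMA_FILE = ACM_POLICIES_DIR + "security_policy.xsd"
-
 ACM_LABEL_UNLABELED = "__UNLABELED__"
 ACM_LABEL_UNLABELED_DISPLAY = "unlabeled"
 
@@ -118,6 +116,153 @@ DEFAULT_policy = \
 "  </SecurityLabelTemplate>\n" +\
 "</SecurityPolicyDefinition>\n"
 
+ACM_SCHEMA="""<?xml version="1.0" encoding="UTF-8"?>
+<!-- Author: Ray Valdez, Reiner Sailer {rvaldez,sailer}@us.ibm.com -->
+<!--         This file defines the schema, which is used to define -->
+<!--         the security policy and the security labels in Xen.    -->
+
+<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" targetNamespace="http://www.ibm.com" xmlns="http://www.ibm.com" elementFormDefault="qualified">
+	<xsd:element name="SecurityPolicyDefinition">
+		<xsd:complexType>
+			<xsd:sequence>
+				<xsd:element ref="PolicyHeader" minOccurs="1" maxOccurs="1"></xsd:element>
+				<xsd:element ref="SimpleTypeEnforcement" minOccurs="0" maxOccurs="1"></xsd:element>
+				<xsd:element ref="ChineseWall" minOccurs="0" maxOccurs="1"></xsd:element>
+				<xsd:element ref="SecurityLabelTemplate" minOccurs="1" maxOccurs="1"></xsd:element>
+			</xsd:sequence>
+		</xsd:complexType>
+	</xsd:element>
+	<xsd:element name="PolicyHeader">
+		<xsd:complexType>
+			<xsd:sequence>
+				<xsd:element name="PolicyName" minOccurs="1" maxOccurs="1" type="xsd:string"></xsd:element>
+				<xsd:element name="PolicyUrl" minOccurs="0" maxOccurs="1" type="xsd:string"></xsd:element>
+				<xsd:element name="Reference" type="xsd:string" minOccurs="0" maxOccurs="1" />
+				<xsd:element name="Date" minOccurs="0" maxOccurs="1" type="xsd:string"></xsd:element>
+				<xsd:element name="NameSpaceUrl" minOccurs="0" maxOccurs="1" type="xsd:string"></xsd:element>
+				<xsd:element name="Version" minOccurs="1" maxOccurs="1" type="VersionFormat"/>
+				<xsd:element ref="FromPolicy" minOccurs="0" maxOccurs="1"/>
+			</xsd:sequence>
+		</xsd:complexType>
+	</xsd:element>
+	<xsd:element name="ChineseWall">
+		<xsd:complexType>
+			<xsd:sequence>
+				<xsd:element ref="ChineseWallTypes" minOccurs="1" maxOccurs="1" />
+				<xsd:element ref="ConflictSets" minOccurs="0" maxOccurs="1" />
+			</xsd:sequence>
+			<xsd:attribute name="priority" type="PolicyOrder" use="optional"></xsd:attribute>
+		</xsd:complexType>
+	</xsd:element>
+	<xsd:element name="SimpleTypeEnforcement">
+		<xsd:complexType>
+			<xsd:sequence>
+				<xsd:element ref="SimpleTypeEnforcementTypes" />
+			</xsd:sequence>
+			<xsd:attribute name="priority" type="PolicyOrder" use="optional"></xsd:attribute>
+		</xsd:complexType>
+	</xsd:element>
+	<xsd:element name="SecurityLabelTemplate">
+		<xsd:complexType>
+			<xsd:sequence>
+				<xsd:element name="SubjectLabels" minOccurs="0" maxOccurs="1">
+					<xsd:complexType>
+						<xsd:sequence>
+							<xsd:element ref="VirtualMachineLabel" minOccurs="1" maxOccurs="unbounded"></xsd:element>
+						</xsd:sequence>
+						<xsd:attribute name="bootstrap" type="xsd:string" use="required"></xsd:attribute>
+					</xsd:complexType>
+				</xsd:element>
+				<xsd:element name="ObjectLabels" minOccurs="0" maxOccurs="1">
+					<xsd:complexType>
+						<xsd:sequence>
+							<xsd:element ref="ResourceLabel" minOccurs="1" maxOccurs="unbounded"></xsd:element>
+						</xsd:sequence>
+					</xsd:complexType>
+				</xsd:element>
+			</xsd:sequence>
+		</xsd:complexType>
+	</xsd:element>
+	<xsd:element name="ChineseWallTypes">
+		<xsd:complexType>
+			<xsd:sequence>
+				<xsd:element maxOccurs="unbounded" minOccurs="1" ref="Type" />
+			</xsd:sequence>
+		</xsd:complexType>
+	</xsd:element>
+	<xsd:element name="ConflictSets">
+		<xsd:complexType>
+			<xsd:sequence>
+				<xsd:element maxOccurs="unbounded" minOccurs="1" ref="Conflict" />
+			</xsd:sequence>
+		</xsd:complexType>
+	</xsd:element>
+	<xsd:element name="SimpleTypeEnforcementTypes">
+		<xsd:complexType>
+			<xsd:sequence>
+				<xsd:element maxOccurs="unbounded" minOccurs="1" ref="Type" />
+			</xsd:sequence>
+		</xsd:complexType>
+	</xsd:element>
+	<xsd:element name="Conflict">
+		<xsd:complexType>
+			<xsd:sequence>
+				<xsd:element maxOccurs="unbounded" minOccurs="1" ref="Type" />
+			</xsd:sequence>
+			<xsd:attribute name="name" type="xsd:string" use="required"></xsd:attribute>
+		</xsd:complexType>
+	</xsd:element>
+	<xsd:element name="VirtualMachineLabel">
+		<xsd:complexType>
+			<xsd:sequence>
+				<xsd:element name="Name" type="NameWithFrom"></xsd:element>
+				<xsd:element ref="SimpleTypeEnforcementTypes" minOccurs="0" maxOccurs="unbounded" />
+				<xsd:element ref="ChineseWallTypes" minOccurs="0" maxOccurs="unbounded" />
+			</xsd:sequence>
+		</xsd:complexType>
+	</xsd:element>
+	<xsd:element name="ResourceLabel">
+		<xsd:complexType>
+			<xsd:sequence>
+				<xsd:element name="Name" type="NameWithFrom"></xsd:element>
+				<xsd:element name="SimpleTypeEnforcementTypes" type="SingleSimpleTypeEnforcementType" />
+			</xsd:sequence>
+		</xsd:complexType>
+	</xsd:element>
+	<xsd:element name="Name" type="xsd:string" />
+	<xsd:element name="Type" type="xsd:string" />
+	<xsd:simpleType name="PolicyOrder">
+		<xsd:restriction base="xsd:string">
+			<xsd:enumeration value="PrimaryPolicyComponent"></xsd:enumeration>
+		</xsd:restriction>
+	</xsd:simpleType>
+	<xsd:element name="FromPolicy">
+		<xsd:complexType>
+			<xsd:sequence>
+				<xsd:element name="PolicyName" minOccurs="1" maxOccurs="1" type="xsd:string"/>
+				<xsd:element name="Version" minOccurs="1" maxOccurs="1" type="VersionFormat"/>
+			</xsd:sequence>
+		</xsd:complexType>
+	</xsd:element>
+	<xsd:simpleType name="VersionFormat">
+		<xsd:restriction base="xsd:string">
+			<xsd:pattern value="[0-9]{1,8}.[0-9]{1,8}"></xsd:pattern>
+		</xsd:restriction>
+	</xsd:simpleType>
+	<xsd:complexType name="NameWithFrom">
+		<xsd:simpleContent>
+			<xsd:extension base="xsd:string">
+				<xsd:attribute name="from" type="xsd:string" use="optional"></xsd:attribute>
+			</xsd:extension>
+		</xsd:simpleContent>
+	</xsd:complexType>
+	<xsd:complexType name="SingleSimpleTypeEnforcementType">
+		<xsd:sequence>
+			<xsd:element maxOccurs="1" minOccurs="1" ref="Type" />
+		</xsd:sequence>
+	</xsd:complexType>
+</xsd:schema>"""
+
 
 def get_DEFAULT_policy(dom0label=""):
     fromnode = ""
@@ -133,18 +278,7 @@ def initialize():
 
     instdir = security.install_policy_dir_prefix
     DEF_policy_file = "DEFAULT-security_policy.xml"
-    xsd_file = "security_policy.xsd"
 
-    files = [ xsd_file ]
-
-    for file in files:
-        if not os.path.isfile(policiesdir + "/" + file ):
-            try:
-                shutil.copyfile(instdir + "/" + file,
-                                policiesdir + "/" + file)
-            except Exception, e:
-                log.info("could not copy '%s': %s" %
-                         (file, str(e)))
     #Install default policy.
     f = open(policiesdir + "/" + DEF_policy_file, 'w')
     if f:
@@ -219,7 +353,8 @@ class ACMPolicy(XSPolicy):
             log.warn("Libxml2 python-wrapper is not installed on the system.")
             return xsconstants.XSERR_SUCCESS
         try:
-            parserctxt = libxml2.schemaNewParserCtxt(ACM_SCHEMA_FILE)
+            parserctxt = libxml2.schemaNewMemParserCtxt(ACM_SCHEMA,
+                                                        len(ACM_SCHEMA))
             schemaparser = parserctxt.schemaParse()
             valid = schemaparser.schemaNewValidCtxt()
             doc = libxml2.parseDoc(self.toxml())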
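Review bot: The `VersionFormat` restriction now embedded in `ACM_SCHEMA`, `<xsd:pattern value="[0-9]{1,8}.[0-9]{1,8}">`, leaves the `.` unescaped, and in XSD regular expressions an unescaped `.` matches any single character except a line break, so a Version such as `1x2` (constructed example) passes schema validation although a dotted version is evidently intended; the tighter form is `[0-9]{1,8}\.[0-9]{1,8}`. The pattern appears to be carried over verbatim from the former on-disk schema, so this may be out of scope for the move itself, but now that the schema lives in the module it is the natural place to correct it, after checking what the code that parses the Version string accepts. Two smaller points: `ACM_SCHEMA="""` lacks the spaces around `=` that the neighbouring constants such as `ACM_LABEL_UNLABELED = ...` use, and with the copy loop dropped from `initialize()` the file's `shutil` import may be unused — check the rest of the file before removing it. Both `initialize()` and the `ACMPolicy` method in the last hunk continue outside the hunks shown.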