returns none if security policy is off (not compiled),
any string otherwise, use it: if not security.on() ...
"""
- return (get_active_policy_name() not in ['INACTIVE', 'NULL'])
+ if get_active_policy_name() not in ['INACTIVE', 'NULL', '']:
+ return xsconstants.XS_POLICY_ACM
+ return 0
def calc_dom_ssidref_from_info(info):
raise XSMError(msg)
def on():
- return 1
+ return 0 #xsconstants.XS_POLICY_FLASK
def ssidref2label(ssidref):
try:
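Review bot: The Flask module's `on()` now returns 0 with the intended value left in a trailing comment (`return 0 #xsconstants.XS_POLICY_FLASK`), so every caller sees Flask as "off" and nothing in the hunk says why. If that is deliberate until xend handles a Flask policy type, a docstring should say so, for example `"""Return the active policy type; 0 for now because xend only handles XS_POLICY_ACM."""`, so a later reader does not take the 0 to mean "no policy is enforced". Any caller that still tests `security.on()` for truthiness would skip its checks under Flask, whereas the callers visible in this commit compare against `xsconstants.XS_POLICY_ACM`. The rest of the module is outside the hunk.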
self.parse_cpuid(cfg, 'cpuid_check')
import xen.util.xsm.xsm as security
- if security.on():
+ if security.on() == xsconstants.XS_POLICY_ACM:
from xen.util.acmpolicy import ACM_LABEL_UNLABELED
if not 'security' in cfg and sxp.child_value(sxp_cfg, 'security'):
cfg['security'] = sxp.child_value(sxp_cfg, 'security')
from xen.util import asserts
from xen.util.blkif import blkdev_uname_to_file, blkdev_uname_to_taptype
import xen.util.xsm.xsm as security
+from xen.util import xsconstants
from xen.xend import balloon, sxp, uuid, image, arch, osdep
from xen.xend import XendOptions, XendNode, XendConfig
balloon.free(2*1024) # 2MB should be plenty
ssidref = 0
- if security.on():
+ if security.on() == xsconstants.XS_POLICY_ACM:
ssidref = security.calc_dom_ssidref_from_info(self.info)
if security.has_authorization(ssidref) == False:
raise VmError("VM is not authorized to run.")
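Review bot: With the test narrowed to `security.on() == xsconstants.XS_POLICY_ACM`, a host whose XSM module reports anything else leaves `ssidref` at 0 and, if the `has_authorization` call sits inside this branch as it appears to (indentation is lost on this page), builds the domain with no xend-side authorization check. The same gating is applied to `self.do_access_control(config, uname)` in the block-device controller hunk and to `self.do_access_control(config)` in the network controller hunk, so resource labels are not checked there either. That may be intended for non-ACM modules, but it fails open silently. I would state it at the branch, e.g. `# ACM-only: other XSM modules get ssidref 0 and no xend-side authorization check`, and consider logging once when the active module is not ACM. The enclosing function starts and ends outside the hunk.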
target = self.info.target())
except Exception, e:
# may get here if due to ACM the operation is not permitted
- if security.on():
+ if security.on() == xsconstants.XS_POLICY_ACM:
raise VmError('Domain in conflict set with running domain?')
if self.domid < 0:
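Review bot: The handler at `except Exception, e:` never uses `e`, and with the narrowed condition a failure on a host that is not running ACM is no longer re-raised here, so its cause is dropped before the `if self.domid < 0:` check. Even under ACM the message is a guess that hides the real error. I would carry the original text along, e.g. `raise VmError('Domain in conflict set with running domain? (%s)' % str(e))`, and record `e` on the non-ACM path as well. The `try` this handler belongs to starts outside the hunk.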
is_policy_update = (xspol_old != None)
from xen.xend.XendXSPolicyAdmin import XSPolicyAdminInstance
- from xen.util import xsconstants
state = self._stateGet()
# Relabel only HALTED or RUNNING or PAUSED domains
self.xsobjs = {}
bootloader.init()
+ if security.on() == xsconstants.XS_POLICY_ACM:
+ self.__acm_init()
+
+ def __acm_init(self):
act_pol_name = self.get_hv_loaded_policy_name()
initialize()
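Review bot: `__acm_init` is new and has no docstring, and nothing states that it runs only when `security.on()` reports `xsconstants.XS_POLICY_ACM`. I would add `"""Set up ACM policy state from the policy loaded in the hypervisor; called from __init__ only when ACM is active."""` under the `def`. Any attribute assigned only inside `__acm_init` will be missing on non-ACM hosts, so methods that read such attributes need the same guard or a default set before the `if`. Whether any exist cannot be seen here, because the method body continues outside the hunk.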
This currently only checks for ACM-enablement.
"""
rc = 0
- if security.on():
+ if security.on() == xsconstants.XS_POLICY_ACM:
rc |= xsconstants.XS_POLICY_ACM
return rc
def __add_acmpolicy_to_system(self, xmltext, flags, overwrite):
errors = ""
+ if security.on() != xsconstants.XS_POLICY_ACM:
+ raise SecurityError(-xsconstants.XSERR_POLICY_TYPE_UNSUPPORTED)
loadedpol = self.get_loaded_policy()
if loadedpol:
# This is meant as an update to a currently loaded policy
import xen.util.xsm.xsm as security
from xen.xend.XendError import VmError
from xen.xend.server.DevController import DevController
+from xen.util import xsconstants
class BlkifController(DevController):
"""Block device interface controller. Handles all block devices
if uuid:
back['uuid'] = uuid
- if security.on():
+ if security.on() == xsconstants.XS_POLICY_ACM:
self.do_access_control(config, uname)
devid = blkif.blkdev_name_to_number(dev)
from xen.xend.XendError import VmError
from xen.xend.XendXSPolicyAdmin import XSPolicyAdminInstance
import xen.util.xsm.xsm as security
+from xen.util import xsconstants
from xen.xend.XendLogging import log
front = { 'handle' : "%i" % devid,
'mac' : mac }
- if security.on():
+ if security.on() == xsconstants.XS_POLICY_ACM:
self.do_access_control(config)
return (devid, back, front)
policy_type = ""
if len(argv) not in (4, 5):
raise OptionError('Needs either 2 or 3 arguments')
-
+
label = argv[1]
-
+
if len(argv) == 5:
policyref = argv[4]
- elif security.on():
+ elif security.on() == xsconstants.XS_POLICY_ACM:
policyref = security.active_policy
policy_type = xsconstants.ACM_POLICY_ID
else:
- raise OptionError("No active policy. Must specify policy on the "
- "command line.")
+ raise OptionError("ACM security is not enabled. You must specify "\
+ "the policy on the command line.")
if argv[2].lower() == "dom":
configfile = argv[3]
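Review bot: The backslash ending `"ACM security is not enabled. You must specify "\` is redundant, because both string literals already sit inside the parentheses of the `OptionError(...)` call and are joined implicitly. I would drop it so the first line ends with `"ACM security is not enabled. You must specify "` and the second stays `"the policy on the command line.")`. The enclosing function starts and ends outside the hunk.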
import xen.util.xsm.xsm as security
from xen.xm import create
from xen.xend import sxp
+from xen.util import xsconstants
from xen.xm.opts import OptionError
def help():
answer = 0
default_label = None
secon = 0
- if security.on():
+ if security.on() == xsconstants.XS_POLICY_ACM:
default_label = security.ssidref2label(security.NULL_SSIDREF)
secon = 1
domain_policy = sxp.child_value(sxp.name(sxp.child0(x)), 'policy')
# if no domain label, use default
- if not domain_label and security.on():
+ if not domain_label and security.on() == xsconstants.XS_POLICY_ACM:
try:
domain_label = security.ssidref2label(security.NULL_SSIDREF)
except: