#============================================================================# This library is free software; you can redistribute it and/or# modify it under the terms of version 2.1 of the GNU Lesser General Public# License as published by the Free Software Foundation.## This library is distributed in the hope that it will be useful,# but WITHOUT ANY WARRANTY; without even the implied warranty of# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU# Lesser General Public License for more details.## You should have received a copy of the GNU Lesser General Public# License along with this library; if not, write to the Free Software# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA#============================================================================# Copyright (C) 2006,2007 International Business Machines Corp.# Author: Stefan Berger <stefanb@us.ibm.com>#============================================================================import osimport shaimport statimport arrayimport structimport shutilimport commandsfrom xml.dom import minidom, Nodefrom xen.xend.XendLogging import logfrom xen.util import xsconstants, bootloader, mkdirfrom xen.util.xspolicy import XSPolicyfrom xen.xend.XendError import SecurityErrorimport xen.util.xsm.acm.acm as securityfrom xen.util.xsm.xsm import XSMErrorfrom xen.xend import XendOptionsACM_POLICIES_DIR = security.policy_dir_prefix + "/"# Constants needed for generating a binary policy from its XML# representationACM_POLICY_VERSION = 4 # Latest oneACM_CHWALL_VERSION = 1ACM_STE_VERSION = 1ACM_MAGIC = 0x001debc;ACM_NULL_POLICY = 0ACM_CHINESE_WALL_POLICY = 1ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY = 2ACM_POLICY_UNDEFINED = 15ACM_LABEL_UNLABELED = "__UNLABELED__"ACM_LABEL_UNLABELED_DISPLAY = "unlabeled"""" Error codes reported in when trying to test for a new policy These error codes are reported in an array of tuples where each error code is followed by a parameter describing the error more closely, such 
as a domain id."""ACM_EVTCHN_SHARING_VIOLATION = 0x100ACM_GNTTAB_SHARING_VIOLATION = 0x101ACM_DOMAIN_LOOKUP = 0x102ACM_CHWALL_CONFLICT = 0x103ACM_SSIDREF_IN_USE = 0x104DEFAULT_policy = \"<?xml version=\"1.0\" ?>\n" +\"<SecurityPolicyDefinition xmlns=\"http://www.ibm.com\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:schemaLocation=\"http://www.ibm.com ../../security_policy.xsd\">\n" +\" <PolicyHeader>\n" +\" <PolicyName>DEFAULT</PolicyName>\n" +\" <Version>1.0</Version>\n" +\" </PolicyHeader>\n" +\" <SimpleTypeEnforcement>\n" +\" <SimpleTypeEnforcementTypes>\n" +\" <Type>SystemManagement</Type>\n" +\" <Type>__UNLABELED__</Type>\n" +\" </SimpleTypeEnforcementTypes>\n" +\" </SimpleTypeEnforcement>\n" +\" <ChineseWall>\n" +\" <ChineseWallTypes>\n" +\" <Type>SystemManagement</Type>\n" +\" </ChineseWallTypes>\n" +\" </ChineseWall>\n" +\" <SecurityLabelTemplate>\n" +\" <SubjectLabels bootstrap=\"SystemManagement\">\n" +\" <VirtualMachineLabel>\n" +\" <Name%s>SystemManagement</Name>\n" +\" <SimpleTypeEnforcementTypes>\n" +\" <Type>SystemManagement</Type>\n" +\" <Type>__UNLABELED__</Type>\n" +\" </SimpleTypeEnforcementTypes>\n" +\" <ChineseWallTypes>\n" +\" <Type/>\n" +\" </ChineseWallTypes>\n" +\" </VirtualMachineLabel>\n" +\" <VirtualMachineLabel>\n" +\" <Name>__UNLABELED__</Name>\n" +\" <SimpleTypeEnforcementTypes>\n" +\" <Type>__UNLABELED__</Type>\n" +\" </SimpleTypeEnforcementTypes>\n" +\" <ChineseWallTypes>\n" +\" <Type/>\n" +\" </ChineseWallTypes>\n" +\" </VirtualMachineLabel>\n" +\" </SubjectLabels>\n" +\" <ObjectLabels>\n" +\" <ResourceLabel>\n" +\" <Name>__UNLABELED__</Name>\n" +\" <SimpleTypeEnforcementTypes>\n" +\" <Type>__UNLABELED__</Type>\n" +\" </SimpleTypeEnforcementTypes>\n" +\" </ResourceLabel>\n" +\" </ObjectLabels>\n" +\" </SecurityLabelTemplate>\n" +\"</SecurityPolicyDefinition>\n"ACM_SCHEMA="""<?xml version="1.0" encoding="UTF-8"?><!-- Author: Ray Valdez, Reiner Sailer {rvaldez,sailer}@us.ibm.com --><!-- This file defines the schema, 
which is used to define --><!-- the security policy and the security labels in Xen. --><xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" targetNamespace="http://www.ibm.com" xmlns="http://www.ibm.com" elementFormDefault="qualified"> <xsd:element name="SecurityPolicyDefinition"> <xsd:complexType> <xsd:sequence> <xsd:element ref="PolicyHeader" minOccurs="1" maxOccurs="1"></xsd:element> <xsd:element ref="SimpleTypeEnforcement" minOccurs="0" maxOccurs="1"></xsd:element> <xsd:element ref="ChineseWall" minOccurs="0" maxOccurs="1"></xsd:element> <xsd:element ref="SecurityLabelTemplate" minOccurs="1" maxOccurs="1"></xsd:element> </xsd:sequence> </xsd:complexType> </xsd:element> <xsd:element name="PolicyHeader"> <xsd:complexType> <xsd:sequence> <xsd:element name="PolicyName" minOccurs="1" maxOccurs="1" type="xsd:string"></xsd:element> <xsd:element name="PolicyUrl" minOccurs="0" maxOccurs="1" type="xsd:string"></xsd:element> <xsd:element name="Reference" type="xsd:string" minOccurs="0" maxOccurs="1" /> <xsd:element name="Date" minOccurs="0" maxOccurs="1" type="xsd:string"></xsd:element> <xsd:element name="NameSpaceUrl" minOccurs="0" maxOccurs="1" type="xsd:string"></xsd:element> <xsd:element name="Version" minOccurs="1" maxOccurs="1" type="VersionFormat"/> <xsd:element ref="FromPolicy" minOccurs="0" maxOccurs="1"/> </xsd:sequence> </xsd:complexType> </xsd:element> <xsd:element name="ChineseWall"> <xsd:complexType> <xsd:sequence> <xsd:element ref="ChineseWallTypes" minOccurs="1" maxOccurs="1" /> <xsd:element ref="ConflictSets" minOccurs="0" maxOccurs="1" /> </xsd:sequence> <xsd:attribute name="priority" type="PolicyOrder" use="optional"></xsd:attribute> </xsd:complexType> </xsd:element> <xsd:element name="SimpleTypeEnforcement"> <xsd:complexType> <xsd:sequence> <xsd:element ref="SimpleTypeEnforcementTypes" /> </xsd:sequence> <xsd:attribute name="priority" type="PolicyOrder" use="optional"></xsd:attribute> </xsd:complexType> </xsd:element> <xsd:element 
name="SecurityLabelTemplate"> <xsd:complexType> <xsd:sequence> <xsd:element name="SubjectLabels" minOccurs="0" maxOccurs="1"> <xsd:complexType> <xsd:sequence> <xsd:element ref="VirtualMachineLabel" minOccurs="1" maxOccurs="unbounded"></xsd:element> </xsd:sequence> <xsd:attribute name="bootstrap" type="xsd:string" use="required"></xsd:attribute> </xsd:complexType> </xsd:element> <xsd:element name="ObjectLabels" minOccurs="0" maxOccurs="1"> <xsd:complexType> <xsd:sequence> <xsd:element ref="ResourceLabel" minOccurs="1" maxOccurs="unbounded"></xsd:element> </xsd:sequence> </xsd:complexType> </xsd:element> </xsd:sequence> </xsd:complexType> </xsd:element> <xsd:element name="ChineseWallTypes"> <xsd:complexType> <xsd:sequence> <xsd:element maxOccurs="unbounded" minOccurs="1" ref="Type" /> </xsd:sequence> </xsd:complexType> </xsd:element> <xsd:element name="ConflictSets"> <xsd:complexType> <xsd:sequence> <xsd:element maxOccurs="unbounded" minOccurs="1" ref="Conflict" /> </xsd:sequence> </xsd:complexType> </xsd:element> <xsd:element name="SimpleTypeEnforcementTypes"> <xsd:complexType> <xsd:sequence> <xsd:element maxOccurs="unbounded" minOccurs="1" ref="Type" /> </xsd:sequence> </xsd:complexType> </xsd:element> <xsd:element name="Conflict"> <xsd:complexType> <xsd:sequence> <xsd:element maxOccurs="unbounded" minOccurs="1" ref="Type" /> </xsd:sequence> <xsd:attribute name="name" type="xsd:string" use="required"></xsd:attribute> </xsd:complexType> </xsd:element> <xsd:element name="VirtualMachineLabel"> <xsd:complexType> <xsd:sequence> <xsd:element name="Name" type="NameWithFrom"></xsd:element> <xsd:element ref="SimpleTypeEnforcementTypes" minOccurs="0" maxOccurs="unbounded" /> <xsd:element ref="ChineseWallTypes" minOccurs="0" maxOccurs="unbounded" /> </xsd:sequence> </xsd:complexType> </xsd:element> <xsd:element name="ResourceLabel"> <xsd:complexType> <xsd:sequence> <xsd:element name="Name" type="NameWithFrom"></xsd:element> <xsd:element name="SimpleTypeEnforcementTypes" 
type="SingleSimpleTypeEnforcementType" /> </xsd:sequence> </xsd:complexType> </xsd:element> <xsd:element name="Name" type="xsd:string" /> <xsd:element name="Type" type="xsd:string" /> <xsd:simpleType name="PolicyOrder"> <xsd:restriction base="xsd:string"> <xsd:enumeration value="PrimaryPolicyComponent"></xsd:enumeration> </xsd:restriction> </xsd:simpleType> <xsd:element name="FromPolicy"> <xsd:complexType> <xsd:sequence> <xsd:element name="PolicyName" minOccurs="1" maxOccurs="1" type="xsd:string"/> <xsd:element name="Version" minOccurs="1" maxOccurs="1" type="VersionFormat"/> </xsd:sequence> </xsd:complexType> </xsd:element> <xsd:simpleType name="VersionFormat"> <xsd:restriction base="xsd:string"> <xsd:pattern value="[0-9]{1,8}.[0-9]{1,8}"></xsd:pattern> </xsd:restriction> </xsd:simpleType> <xsd:complexType name="NameWithFrom"> <xsd:simpleContent> <xsd:extension base="xsd:string"> <xsd:attribute name="from" type="xsd:string" use="optional"></xsd:attribute> </xsd:extension> </xsd:simpleContent> </xsd:complexType> <xsd:complexType name="SingleSimpleTypeEnforcementType"> <xsd:sequence> <xsd:element maxOccurs="1" minOccurs="1" ref="Type" /> </xsd:sequence> </xsd:complexType></xsd:schema>"""


def get_DEFAULT_policy(dom0label=""):
    """
    Return the built-in DEFAULT policy as an XML string.

    dom0label, when non-empty, is written into the 'from' attribute of
    the SystemManagement VirtualMachineLabel's <Name> element (the only
    %s placeholder in DEFAULT_policy). The value is interpolated verbatim,
    without XML escaping, so it is expected to be a plain label name;
    quotes, '<' or '&' in it would produce malformed XML.
    """
    fromnode = ""
    if dom0label != "":
        fromnode = " from=\"%s\"" % dom0label
    return DEFAULT_policy % fromnode


def initialize():
    """
    Create the policies directory under xend's security path, write the
    DEFAULT policy's XML file into it and compile the DEFAULT policy.

    The directory is created owner-only (S_IRWXU); the policy file itself
    is opened with the process's default mode/umask.
    """
    xoptions = XendOptions.instance()
    basedir = xoptions.get_xend_security_path()
    policiesdir = basedir + "/policies"
    mkdir.parents(policiesdir, stat.S_IRWXU)
    # NOTE(review): instdir is assigned but never used in this function.
    instdir = security.install_policy_dir_prefix
    DEF_policy_file = "DEFAULT-security_policy.xml"
    #Install default policy.
    # NOTE(review): open() raises on failure instead of returning None, so
    # the else branch below is unreachable and the error is never logged;
    # a failed open propagates as an exception out of initialize().
    f = open(policiesdir + "/" + DEF_policy_file, 'w')
    if f:
        f.write(get_DEFAULT_policy())
        f.close()
    else:
        log.error("Could not write the default policy's file.")
    # Build the policy from the same XML that was just written (validated
    # in ACMPolicy.__init__) and compile it.
    defpol = ACMPolicy(xml=get_DEFAULT_policy())
    defpol.compile()


class ACMPolicy(XSPolicy):
    """
    ACM (sHype) security policy backed by an XML DOM.

    Implements accessors for information held in the XML representation
    of the policy, validation of that XML against ACM_SCHEMA, and the
    compilation and loading of a policy into the hypervisor.

    A policy is constructed from exactly one of: a policy name (loaded
    from its file), an already parsed minidom document, or an XML string.
    Construction validates the policy and raises SecurityError on failure.
    """
    def __init__(self, name=None, dom=None, ref=None, xml=None):
        """
        Build a policy from a name, a DOM or an XML string.

        name -- policy name; the XML is read from path_from_policy_name(name).
        dom  -- an already parsed minidom Document.
        xml  -- the policy XML as a string.
        ref  -- optional XenAPI reference; when given, a XendACMPolicy
                wrapper is created for this policy.

        Raises SecurityError with -XSERR_XML_PROCESSING when the XML cannot
        be parsed, or with the (negative) XSERR_* code returned by
        validate() when the document does not validate.
        """
        if name:
            self.name = name
            try:
                self.dom = minidom.parse(self.path_from_policy_name(name))
            except Exception, e:
                raise SecurityError(-xsconstants.XSERR_XML_PROCESSING, str(e))
        elif dom:
            self.dom = dom
            self.name = self.get_name()
        elif xml:
            try:
                self.dom = minidom.parseString(xml)
            except Exception, e:
                raise SecurityError(-xsconstants.XSERR_XML_PROCESSING, str(e))
            self.name = self.get_name()
        # NOTE(review): if none of name/dom/xml is given, self.dom is never
        # assigned and validate() below fails on the missing attribute rather
        # than with a SecurityError -- confirm all callers pass one of them.
        # Validation must succeed before the object is usable; validate()
        # returns negative XSERR_* codes, which are passed through as the
        # SecurityError code.
        rc = self.validate()
        if rc != xsconstants.XSERR_SUCCESS:
            raise SecurityError(rc)
        if ref:
            # Function-local import, presumably to avoid an import cycle
            # with xen.xend.XendXSPolicy -- confirm.
            from xen.xend.XendXSPolicy import XendACMPolicy
            self.xendacmpolicy = XendACMPolicy(self, {}, ref)
        else:
            self.xendacmpolicy = None
        XSPolicy.__init__(self, name=self.name, ref=ref)

    def get_dom(self):
        """ Return the minidom Document backing this policy. """
        return self.dom

    def get_name(self):
        """
        Return the policy name, read from the document's PolicyName
        header item via policy_dom_get_hdr_item (defined elsewhere).
        """
        return self.policy_dom_get_hdr_item("PolicyName")

    def get_type(self):
        """ Return the XS policy type constant for ACM policies. """
        return xsconstants.XS_POLICY_ACM

    def get_type_name(self):
        """ Return the ACM policy type identifier string constant. """
        return xsconstants.ACM_POLICY_ID

    def __str__(self):
        return self.get_name()

    def validate(self):
        """
        Validate the policy XML against ACM_SCHEMA, then check names.

        Returns XSERR_SUCCESS, or a negative XSERR_* code on failure:
          -XSERR_BAD_XML          the document does not match the schema
          -XSERR_GENERAL_FAILURE  libxml2 raised while validating
          -XSERR_BAD_POLICY_NAME / -XSERR_BAD_LABEL  from the name checks

        Schema validation is best-effort: if the libxml2 Python bindings
        cannot be imported, the schema step is skipped with a warning and
        treated as success, so only __validate_name_and_labels() is
        guaranteed to run.
        """
        rc = xsconstants.XSERR_SUCCESS
        try:
            import libxml2
        except Exception, e:
            # Missing bindings: skip the schema check rather than reject
            # the policy.
            log.warn("Libxml2 python-wrapper is not installed on the system.")
            return xsconstants.XSERR_SUCCESS
        try:
            parserctxt = libxml2.schemaNewMemParserCtxt(ACM_SCHEMA, len(ACM_SCHEMA))
            schemaparser = parserctxt.schemaParse()
            valid = schemaparser.schemaNewValidCtxt()
            doc = libxml2.parseDoc(self.toxml())
            if doc.schemaValidateDoc(valid) != 0:
                rc = -xsconstants.XSERR_BAD_XML
        except Exception, e:
            # Unlike the missing-import case above, an error inside libxml2
            # is treated as a validation failure (fail closed).
            log.warn("Problem with the schema: %s" % str(e))
            rc = -xsconstants.XSERR_GENERAL_FAILURE
        if rc != xsconstants.XSERR_SUCCESS:
            log.warn("XML did not validate against schema")
        # The ':' checks run only once the schema step passed or was skipped.
        if rc == xsconstants.XSERR_SUCCESS:
            rc = self.__validate_name_and_labels()
        return rc

    def __validate_name_and_labels(self):
        """
        Reject ':' in the policy name and in all label names.

        Returns -XSERR_BAD_POLICY_NAME if the policy name contains ':',
        -XSERR_BAD_LABEL if any resource or virtual-machine label does,
        XSERR_SUCCESS otherwise.
        """
        if ':' in self.get_name():
            return -xsconstants.XSERR_BAD_POLICY_NAME
        for s in self.policy_get_resourcelabel_names():
            if ':' in s:
                return -xsconstants.XSERR_BAD_LABEL
        for s in self.policy_get_virtualmachinelabel_names():
            if ':' in s:
                return -xsconstants.XSERR_BAD_LABEL
        return xsconstants.XSERR_SUCCESS

    def is_default_policy(self):
        """
        Determine whether this policy has exactly the content of the
        built-in DEFAULT policy (see get_DEFAULT_policy).

        Expected shape: VM labels SystemManagement and __UNLABELED__ with
        SystemManagement as bootstrap label, STE types SystemManagement and
        __UNLABELED__, the single resource label __UNLABELED__, the single
        Chinese-Wall type SystemManagement, and the name "DEFAULT".
        """
        default = ['SystemManagement', ACM_LABEL_UNLABELED ]
        # List comparisons are order-sensitive; this assumes the accessors
        # return names in document order -- confirm against their definitions.
        if self.policy_get_virtualmachinelabel_names() == default and \
           self.policy_get_bootstrap_vmlabel() == default[0] and \
           self.policy_get_stetypes_types() == default and \
           self.policy_get_stes_of_vmlabel(default[0]) == default and \
           self.policy_get_stes_of_vmlabel(default[1]) == [default[1]] and \
           self.policy_get_resourcelabel_names() == [default[1]] and \
           self.policy_get_chwall_types() == [ default[0] ] and \
           self.get_name() == "DEFAULT":
            return True
        return False

    def update(self, xml_new):
        """ Update the policy with the new XML. The hypervisor decides whether the new policy can be applied.