# HG changeset patch
# User Keir Fraser <keir.fraser@xxxxxxxxxx>
# Date 1220523788 -3600
# Node ID 5b133625223ad0d95b80467535ff1384d6317f16
# Parent bed1b98b63cc98364b2b5ad04bffc00d588c5ef4
xsm, python tools: remove autogenerated xsm.py
- The patch does away with the autogenerated xsm.py file and
introduces a config parameter in xend-config.sxp to determine the
security module. The parameter is (xsm_module_name {acm, dummy,
flask}). The default setting/option is dummy. .hgignore is also
updated to stop ignoring xsm.py on commits.
- The patch has created an xsconstant for XS_POLICY_FLASK and updated
the toolchain to check the instance of XS_POLICY_USE. XS_POLICY_USE
evaluates to XS_POLICY_FLASK or XS_POLICY_ACM or XS_POLICY_DUMMY
depending on configuration.
- Flask relies on the current value of ssidref returned by dominfo to
ensure that the label to sid mapping is consistent. ssidref had
been pop'ed from the dominfo object. The patch addresses this
issue.
- Flask python module style cleanups.
Signed-off-by: George Coker <gscoker@xxxxxxxxxxxxxx>
---
.hgignore | 1 -
tools/examples/xend-config.sxp | 4 ++++
tools/python/Makefile | 26 +++-----------------------
tools/python/xen/util/xsconstants.py | 4 +++-
tools/python/xen/util/xsm/dummy/dummy.py | 2 +-
tools/python/xen/util/xsm/flask/flask.py | 8 +++++---
tools/python/xen/util/xsm/xsm.py | 19 +++++++++++++++++++
tools/python/xen/xend/XendConfig.py | 2 +-
tools/python/xen/xend/XendDomainInfo.py | 6 +-----
tools/python/xen/xend/XendOptions.py | 8 ++++++++
tools/python/xen/xend/server/blkif.py | 2 +-
tools/python/xen/xend/server/netif.py | 2 +-
12 files changed, 47 insertions(+), 37 deletions(-)
diff -r bed1b98b63cc -r 5b133625223a .hgignore
--- a/.hgignore Thu Sep 04 11:19:17 2008 +0100
+++ b/.hgignore Thu Sep 04 11:23:08 2008 +0100
@@ -185,7 +185,6 @@
^tools/misc/xenperf$
^tools/pygrub/build/.*$
^tools/python/build/.*$
-^tools/python/xen/util/xsm/xsm\.py$
^tools/security/secpol_tool$
^tools/security/xen/.*$
^tools/security/xensec_tool$
diff -r bed1b98b63cc -r 5b133625223a tools/examples/xend-config.sxp
--- a/tools/examples/xend-config.sxp Thu Sep 04 11:19:17 2008 +0100
+++ b/tools/examples/xend-config.sxp Thu Sep 04 11:23:08 2008 +0100
@@ -14,6 +14,10 @@
#(logfile /var/log/xen/xend.log)
#(loglevel DEBUG)
+# Uncomment the line below. Set the value to flask, acm, or dummy to
+# select a security module.
+
+#(xsm_module_name dummy)
# The Xen-API server configuration.
#
diff -r bed1b98b63cc -r 5b133625223a tools/python/Makefile
--- a/tools/python/Makefile Thu Sep 04 11:19:17 2008 +0100
+++ b/tools/python/Makefile Thu Sep 04 11:23:08 2008 +0100
@@ -1,13 +1,5 @@ XEN_ROOT = ../..
XEN_ROOT = ../..
include $(XEN_ROOT)/tools/Rules.mk
-
-XEN_SECURITY_MODULE = dummy
-ifeq ($(FLASK_ENABLE),y)
-XEN_SECURITY_MODULE = flask
-endif
-ifeq ($(ACM_SECURITY),y)
-XEN_SECURITY_MODULE = acm
-endif
.PHONY: all
all: build
@@ -23,8 +15,8 @@ NLSDIR = /usr/share/locale
NLSDIR = /usr/share/locale
.PHONY: build buildpy
-buildpy: xsm.py
- CC="$(CC)" CFLAGS="$(CFLAGS)"
XEN_SECURITY_MODULE="$(XEN_SECURITY_MODULE)" python setup.py build
+buildpy:
+ CC="$(CC)" CFLAGS="$(CFLAGS)" python setup.py build
build: buildpy refresh-pot refresh-po $(CATALOGS)
@@ -61,18 +53,6 @@ refresh-po: $(POTFILE)
%.mo: %.po
$(MSGFMT) -c -o $@ $<
-xsm.py:
- @(set -e; \
- echo "XEN_SECURITY_MODULE = \""$(XEN_SECURITY_MODULE)"\""; \
- echo "from xsm_core import *"; \
- echo ""; \
- echo "import
xen.util.xsm."$(XEN_SECURITY_MODULE)"."$(XEN_SECURITY_MODULE)" as xsm_module"; \
- echo ""; \
- echo "xsm_init(xsm_module)"; \
- echo "from
xen.util.xsm."$(XEN_SECURITY_MODULE)"."$(XEN_SECURITY_MODULE)" import *"; \
- echo "del xsm_module"; \
- echo "") >xen/util/xsm/$@
-
.PHONY: install
ifndef XEN_PYTHON_NATIVE_INSTALL
install: LIBPATH=$(shell PYTHONPATH=xen/util python -c "import auxbin; print
auxbin.libpath()")
@@ -104,4 +84,4 @@ test:
.PHONY: clean
clean:
- rm -rf build *.pyc *.pyo *.o *.a *~ $(CATALOGS) xen/util/xsm/xsm.py
xen/util/auxbin.pyc
+ rm -rf build *.pyc *.pyo *.o *.a *~ $(CATALOGS) xen/util/auxbin.pyc
diff -r bed1b98b63cc -r 5b133625223a tools/python/xen/util/xsconstants.py
--- a/tools/python/xen/util/xsconstants.py Thu Sep 04 11:19:17 2008 +0100
+++ b/tools/python/xen/util/xsconstants.py Thu Sep 04 11:23:08 2008 +0100
@@ -20,8 +20,10 @@ XS_INST_BOOT = (1 << 0)
XS_INST_BOOT = (1 << 0)
XS_INST_LOAD = (1 << 1)
-XS_POLICY_NONE = 0
+XS_POLICY_DUMMY = 0
XS_POLICY_ACM = (1 << 0)
+XS_POLICY_FLASK = (1 << 1)
+XS_POLICY_USE = 0
# Some internal variables used by the Xen-API
ACM_LABEL_VM = (1 << 0)
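Review bot: `XS_POLICY_USE = 0` is only a placeholder, and because it equals `XS_POLICY_DUMMY`, any code that reads it before `xen.util.xsm.xsm` has been imported sees "dummy" regardless of the configured module. A comment on that line would make the contract explicit, for example `# Overwritten at import time by xen.util.xsm.xsm with the configured module's constant`. The rename of `XS_POLICY_NONE` to `XS_POLICY_DUMMY` also removes a public name. If callers outside this diff still reference `XS_POLICY_NONE`, keeping `XS_POLICY_NONE = XS_POLICY_DUMMY` as an alias would avoid an AttributeError.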
diff -r bed1b98b63cc -r 5b133625223a tools/python/xen/util/xsm/dummy/dummy.py
--- a/tools/python/xen/util/xsm/dummy/dummy.py Thu Sep 04 11:19:17 2008 +0100
+++ b/tools/python/xen/util/xsm/dummy/dummy.py Thu Sep 04 11:23:08 2008 +0100
@@ -36,7 +36,7 @@ def err(msg):
raise XSMError(msg)
def on():
- return 0
+ return xsconstants.XS_POLICY_DUMMY
def ssidref2label(ssidref):
return 0
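Review bot: `on()` now references `xsconstants`, but this hunk adds no import for it, whereas the flask.py hunk in the same changeset has to add `from xen.util import xsconstants`. If dummy.py does not already import the module above the visible lines, the first call to `on()` raises NameError. Since `dummy` is the default security module, that would hit every default install. Please confirm the import exists or add `from xen.util import xsconstants` at the top of the file.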
diff -r bed1b98b63cc -r 5b133625223a tools/python/xen/util/xsm/flask/flask.py
--- a/tools/python/xen/util/xsm/flask/flask.py Thu Sep 04 11:19:17 2008 +0100
+++ b/tools/python/xen/util/xsm/flask/flask.py Thu Sep 04 11:23:08 2008 +0100
@@ -1,5 +1,6 @@ import sys
import sys
from xen.lowlevel import flask
+from xen.util import xsconstants
from xen.xend import sxp
#Functions exported through XML-RPC
@@ -12,7 +13,7 @@ def err(msg):
raise XSMError(msg)
def on():
- return 0 #xsconstants.XS_POLICY_FLASK
+ return xsconstants.XS_POLICY_FLASK
def ssidref2label(ssidref):
try:
@@ -37,8 +38,9 @@ def set_security_label(policy, label):
return label
def ssidref2security_label(ssidref):
- return ssidref2label(ssidref)
+ label = ssidref2label(ssidref)
+ return label
def get_security_label(self, xspol=None):
- label = self.info.get('security_label', '')
+ label = self.info['security_label']
return label
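Review bot: `self.info['security_label']` in `get_security_label` raises KeyError for a domain that has no label, where the removed line returned an empty string. Whether every caller is prepared for that exception is not visible from this hunk. If a missing label is meant to be an error under flask, raise it explicitly through the module's own `err()` helper so it surfaces as an XSMError with a message. Otherwise keep `self.info.get('security_label', '')`.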
diff -r bed1b98b63cc -r 5b133625223a tools/python/xen/util/xsm/xsm.py
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/python/xen/util/xsm/xsm.py Thu Sep 04 11:23:08 2008 +0100
@@ -0,0 +1,19 @@
+import sys
+import string
+from xen.xend import XendOptions
+from xen.util import xsconstants
+from xsm_core import xsm_init
+
+xoptions = XendOptions.instance()
+xsm_module_name = xoptions.get_xsm_module_name()
+
+xsconstants.XS_POLICY_USE =
eval("xsconstants.XS_POLICY_"+string.upper(xsm_module_name))
+
+xsm_module_path = "xen.util.xsm." + xsm_module_name + "." + xsm_module_name
+xsm_module = __import__(xsm_module_path, globals(), locals(), ['*'], -1)
+
+xsm_init(xsm_module)
+
+for op in dir(xsm_module):
+ if not hasattr(sys.modules[__name__], op):
+ setattr(sys.modules[__name__], op, getattr(xsm_module, op, None))
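Review bot: The `xsm_module_name` value read from xend-config.sxp is passed unvalidated into `eval()` and then into `__import__`, so the configuration string is executed as Python and used as a module path. A typo gives an opaque AttributeError or ImportError while xend is loading, and any text in that setting is evaluated with the daemon's privileges. The commit message names three supported values, so look the constant up in a fixed table and reject everything else before importing. The re-export loop also copies every name from the module, including its own imports, into this namespace. Restricting it to a documented set of operations would be safer, but that is a separate change.

```python
_XSM_POLICIES = {
    'dummy': xsconstants.XS_POLICY_DUMMY,
    'acm': xsconstants.XS_POLICY_ACM,
    'flask': xsconstants.XS_POLICY_FLASK,
}

xsm_module_name = xoptions.get_xsm_module_name()
if xsm_module_name not in _XSM_POLICIES:
    raise ValueError("unsupported xsm_module_name %r in xend config"
                     % xsm_module_name)

xsconstants.XS_POLICY_USE = _XSM_POLICIES[xsm_module_name]

# ... unchanged: __import__ of xsm_module_path, xsm_init(xsm_module), re-export loop ...
```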
diff -r bed1b98b63cc -r 5b133625223a tools/python/xen/xend/XendConfig.py
--- a/tools/python/xen/xend/XendConfig.py Thu Sep 04 11:19:17 2008 +0100
+++ b/tools/python/xen/xend/XendConfig.py Thu Sep 04 11:23:08 2008 +0100
@@ -729,7 +729,7 @@ class XendConfig(dict):
self.parse_cpuid(cfg, 'cpuid_check')
import xen.util.xsm.xsm as security
- if security.on() == xsconstants.XS_POLICY_ACM:
+ if security.on() == xsconstants.XS_POLICY_USE:
from xen.util.acmpolicy import ACM_LABEL_UNLABELED
if not 'security' in cfg and sxp.child_value(sxp_cfg, 'security'):
cfg['security'] = sxp.child_value(sxp_cfg, 'security')
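Review bot: The new guard `security.on() == xsconstants.XS_POLICY_USE` is always true for the dummy and flask modules. Their `on()` returns the module's own constant, and xsm.py sets `XS_POLICY_USE` to that same constant. As a result this branch, which imports `ACM_LABEL_UNLABELED` from `xen.util.acmpolicy`, now runs even when ACM is not the selected module. The same condition is introduced in XendDomainInfo.py (the hunk at 2069), blkif.py and netif.py, so `calc_dom_ssidref_from_info`, `has_authorization` and `do_access_control` are now reached under dummy as well. Whether that grants or denies access depends on dummy-module code not shown here. If the intent is "any real policy is active", `if security.on() != xsconstants.XS_POLICY_DUMMY:` states it directly. ACM-specific code such as this import should keep the `== xsconstants.XS_POLICY_ACM` test.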
diff -r bed1b98b63cc -r 5b133625223a tools/python/xen/xend/XendDomainInfo.py
--- a/tools/python/xen/xend/XendDomainInfo.py Thu Sep 04 11:19:17 2008 +0100
+++ b/tools/python/xen/xend/XendDomainInfo.py Thu Sep 04 11:23:08 2008 +0100
@@ -2069,7 +2069,7 @@ class XendDomainInfo:
balloon.free(2*1024) # 2MB should be plenty
ssidref = 0
- if security.on() == xsconstants.XS_POLICY_ACM:
+ if security.on() == xsconstants.XS_POLICY_USE:
ssidref = security.calc_dom_ssidref_from_info(self.info)
if security.has_authorization(ssidref) == False:
raise VmError("VM is not authorized to run.")
@@ -2855,10 +2855,6 @@ class XendDomainInfo:
info["maxmem_kb"] = XendNode.instance() \
.physinfo_dict()['total_memory'] * 1024
- #ssidref field not used any longer
- if 'ssidref' in info:
- info.pop('ssidref')
-
# make sure state is reset for info
# TODO: we should eventually get rid of old_dom_states
diff -r bed1b98b63cc -r 5b133625223a tools/python/xen/xend/XendOptions.py
--- a/tools/python/xen/xend/XendOptions.py Thu Sep 04 11:19:17 2008 +0100
+++ b/tools/python/xen/xend/XendOptions.py Thu Sep 04 11:23:08 2008 +0100
@@ -131,6 +131,9 @@ class XendOptions:
"""Default script to configure a backend network interface"""
vif_script = osdep.vif_script
+
+ """Default Xen Security Module"""
+ xsm_module_default = 'dummy'
"""Default rotation count of qemu-dm log file."""
qemu_dm_logrotate_count = 10
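Review bot: The default `xsm_module_default = 'dummy'` moves module selection from build time to an optional config key. The Makefile logic removed in this changeset derived the module from `FLASK_ENABLE` and `ACM_SECURITY`. A host built with one of those options therefore falls back to the dummy module after upgrade unless the administrator adds `xsm_module_name` to xend-config.sxp, and nothing in the visible code reports that. Logging the selected module at startup would help. The attribute should also carry a comment such as `# Used when xsm_module_name is absent from the xend config; 'dummy' disables label handling in the toolstack` so the fallback is visible.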
@@ -427,6 +430,11 @@ class XendOptionsFile(XendOptions):
return self.get_config_value('xen-api-server',
self.xen_api_server_default)
+ def get_xsm_module_name(self):
+ """Get the Xen Security Module name.
+ """
+ return self.get_config_string('xsm_module_name',
self.xsm_module_default)
+
if os.uname()[0] == 'SunOS':
class XendOptionsSMF(XendOptions):
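Review bot: `get_xsm_module_name` is added to `XendOptionsFile` only, while the context lines show `XendOptionsSMF` deriving from `XendOptions` rather than from `XendOptionsFile`. The new xsm.py calls `XendOptions.instance().get_xsm_module_name()` unconditionally. If `instance()` returns the SMF variant on SunOS, importing xsm.py there would fail with AttributeError. The method only needs `get_config_string` and `xsm_module_default`, so defining it on the `XendOptions` base class should cover both backends, assuming both implement `get_config_string`. The docstring could also list the accepted values (flask, acm, dummy).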
diff -r bed1b98b63cc -r 5b133625223a tools/python/xen/xend/server/blkif.py
--- a/tools/python/xen/xend/server/blkif.py Thu Sep 04 11:19:17 2008 +0100
+++ b/tools/python/xen/xend/server/blkif.py Thu Sep 04 11:23:08 2008 +0100
@@ -78,7 +78,7 @@ class BlkifController(DevController):
if uuid:
back['uuid'] = uuid
- if security.on() == xsconstants.XS_POLICY_ACM:
+ if security.on() == xsconstants.XS_POLICY_USE:
self.do_access_control(config, uname)
(device_path, devid) = blkif.blkdev_name_to_number(dev)
diff -r bed1b98b63cc -r 5b133625223a tools/python/xen/xend/server/netif.py
--- a/tools/python/xen/xend/server/netif.py Thu Sep 04 11:19:17 2008 +0100
+++ b/tools/python/xen/xend/server/netif.py Thu Sep 04 11:23:08 2008 +0100
@@ -156,7 +156,7 @@ class NetifController(DevController):
front = { 'handle' : "%i" % devid,
'mac' : mac }
- if security.on() == xsconstants.XS_POLICY_ACM:
+ if security.on() == xsconstants.XS_POLICY_USE:
self.do_access_control(config)
return (devid, back, front)