[Xen-changelog] [xen-unstable] [Xend] More security-related fixes

To: xen-changelog@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-changelog] [xen-unstable] [Xend] More security-related fixes
From: Xen patchbot-unstable <patchbot-unstable@xxxxxxxxxxxxxxxxxxx>
Date: Fri, 27 Jul 2007 03:09:37 -0700
Delivery-date: Fri, 27 Jul 2007 03:07:40 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-changelog-request@lists.xensource.com?subject=help>
List-id: BK change log <xen-changelog.lists.xensource.com>
List-post: <mailto:xen-changelog@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=unsubscribe>
Reply-to: xen-devel@xxxxxxxxxxxxxxxxxxx
Sender: xen-changelog-bounces@xxxxxxxxxxxxxxxxxxx
# HG changeset patch
# User kfraser@xxxxxxxxxxxxxxxxxxxxx
# Date 1184749746 -3600
# Node ID 9c077fc8ccf132b5e0074e44edda83bf9152675f
# Parent  7ef821ff6d89d43afcbaf7e60e42e9a14306bbc0
[Xend] More security-related fixes

This patch provides some more fixes related to the recent
security-related extensions to xend.

Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxx>
---
 tools/python/xen/util/acmpolicy.py         |   17 ++++++++++-------
 tools/python/xen/util/security.py          |    7 ++++---
 tools/python/xen/xend/XendAPI.py           |    6 ++++--
 tools/python/xen/xend/XendVDI.py           |    1 +
 tools/python/xen/xend/XendXSPolicyAdmin.py |    9 ++++++++-
 tools/python/xen/xm/cfgbootpolicy.py       |    5 +++--
 6 files changed, 30 insertions(+), 15 deletions(-)

diff -r 7ef821ff6d89 -r 9c077fc8ccf1 tools/python/xen/util/acmpolicy.py
--- a/tools/python/xen/util/acmpolicy.py        Wed Jul 18 10:08:37 2007 +0100
+++ b/tools/python/xen/util/acmpolicy.py        Wed Jul 18 10:09:06 2007 +0100
@@ -122,7 +122,8 @@ class ACMPolicy(XSPolicy):
             rc = -xsconstants.XSERR_GENERAL_FAILURE
         if rc != xsconstants.XSERR_SUCCESS:
             log.warn("XML did not validate against schema")
-        rc = self.__validate_name_and_labels()
+        if rc == xsconstants.XSERR_SUCCESS:
+            rc = self.__validate_name_and_labels()
         return rc
 
     def __validate_name_and_labels(self):
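Review bot: The added guard changes which error the caller sees — a schema failure now short-circuits the name/label check instead of being overwritten by its result — but nothing in the code says so, and the warning `log.warn("XML did not validate against schema")` does not indicate that validation stops there. A one-line why-comment on the added `if` would make the intent explicit: `# keep the schema error; the name/label check only runs on a schema-valid document`. The enclosing method starts outside the hunk.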
@@ -626,14 +627,15 @@ class ACMPolicy(XSPolicy):
     def policy_get_stes_of_vmlabel(self, vmlabel):
         """ Get a list of all STEs of a given VMlabel """
         return self.__policy_get_stes_of_labeltype(vmlabel,
-                                                   "VirtualMachineLabel")
+                                        "/SubjectLabels", 
"VirtualMachineLabel")
 
     def policy_get_stes_of_resource(self, reslabel):
         """ Get a list of all resources of a given VMlabel """
-        return self.__policy_get_stes_of_labeltype(reslabel, "ResourceLabel")
-
-    def __policy_get_stes_of_labeltype(self, label, labeltype):
-        node = self.dom_get_node("SecurityLabelTemplate/SubjectLabels")
+        return self.__policy_get_stes_of_labeltype(reslabel,
+                                        "/ObjectLabels", "ResourceLabel")
+
+    def __policy_get_stes_of_labeltype(self, label, path, labeltype):
+        node = self.dom_get_node("SecurityLabelTemplate" + path)
         if node:
             i = 0
             while i < len(node.childNodes):
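Review bot: The docstring of `policy_get_stes_of_resource` is wrong and the commit leaves it as is: it reads `""" Get a list of all resources of a given VMlabel """` but the method returns the STEs of a resource label, so it should read `""" Get a list of all STEs of a given resource label """`. The new `path` argument is appended verbatim in `self.dom_get_node("SecurityLabelTemplate" + path)`, so the leading `/` the two callers pass is part of the contract; a short comment on the helper, `# path is appended as-is, so callers pass it with its leading '/'`, would save the next caller from omitting it. The body of `__policy_get_stes_of_labeltype` continues past the end of the hunk.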
@@ -661,7 +663,8 @@ class ACMPolicy(XSPolicy):
             return False
         for res in resources:
             res_stes = self.policy_get_stes_of_resource(res)
-            if len( set(res_stes).union( set(vm_stes) ) ) == 0:
+            if len(res_stes) == 0 or \
+               len( set(res_stes).intersection( set(vm_stes) ) ) == 0:
                 return False
         return True
 
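Review bot: The new `len(res_stes) == 0` test on the first added line is redundant: an empty `res_stes` already gives an empty intersection, so the second clause alone returns False; `if len( set(res_stes).intersection( set(vm_stes) ) ) == 0:` is sufficient. Either way the switch from union to intersection is the actual access decision and deserves a why-comment, e.g. `# a resource is usable by the VM only if the two labels share at least one STE`. With intersection an empty `vm_stes` now rejects every resource as well, which is the fail-closed outcome. The enclosing method starts outside the hunk.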
diff -r 7ef821ff6d89 -r 9c077fc8ccf1 tools/python/xen/util/security.py
--- a/tools/python/xen/util/security.py Wed Jul 18 10:08:37 2007 +0100
+++ b/tools/python/xen/util/security.py Wed Jul 18 10:09:06 2007 +0100
@@ -799,9 +799,10 @@ def is_resource_in_use(resource):
             lst.append(dominfo)
     return lst
 
-def devices_equal(res1, res2):
+def devices_equal(res1, res2, mustexist=True):
     """ Determine whether two devices are equal """
-    return (unify_resname(res1) == unify_resname(res2))
+    return (unify_resname(res1, mustexist) ==
+            unify_resname(res2, mustexist))
 
 def is_resource_in_use_by_dom(dominfo, resource):
     """ Determine whether a resources is in use by a given domain
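Review bot: `devices_equal` gains a `mustexist` parameter but its docstring still describes only the comparison; document the new argument, e.g. `""" Determine whether two devices are equal; mustexist is forwarded to unify_resname for both names """`. What `unify_resname` does with the flag is not visible here — the only hint is the next hunk, where `is_resource_in_use_by_dom` passes `mustexist=False`, presumably so that a device reference that does not exist on this host can still be compared — so the exact semantics are worth stating in `unify_resname`'s own docstring.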
@@ -817,7 +818,7 @@ def is_resource_in_use_by_dom(dominfo, r
         dev = devs[uuid]
         if len(dev) >= 2 and dev[1].has_key('uname'):
             # dev[0] is type, i.e. 'vbd'
-            if devices_equal(dev[1]['uname'], resource):
+            if devices_equal(dev[1]['uname'], resource, mustexist=False):
                 log.info("RESOURCE IN USE: Domain %d uses %s." %
                          (dominfo.domid, resource))
                 return True
diff -r 7ef821ff6d89 -r 9c077fc8ccf1 tools/python/xen/xend/XendAPI.py
--- a/tools/python/xen/xend/XendAPI.py  Wed Jul 18 10:08:37 2007 +0100
+++ b/tools/python/xen/xend/XendAPI.py  Wed Jul 18 10:09:06 2007 +0100
@@ -1620,7 +1620,8 @@ class XendAPI(object):
         (rc, errors, oldlabel, new_ssidref) = \
                                  dom.set_security_label(sec_label, old_label)
         if rc != xsconstants.XSERR_SUCCESS:
-            return xen_api_error(['SECURITY_ERROR', rc])
+            return xen_api_error(['SECURITY_ERROR', rc,
+                                 xsconstants.xserr2string(-rc)])
         if rc == 0:
             rc = new_ssidref
         return xen_api_success(rc)
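Review bot: The two hunks in this file test the return code differently — `rc != xsconstants.XSERR_SUCCESS` here and `rc < 0` in `VDI_set_security_label` below — yet both pass `-rc` to `xserr2string`, which only makes sense for a negative rc (acmpolicy.py in this same change stores errors as `-xsconstants.XSERR_GENERAL_FAILURE`). If `dom.set_security_label` can return a positive non-success value, `xserr2string(-rc)` would be handed a negative number here. Aligning both sites on `if rc < 0:`, or documenting that rc is never positive on error, would close the gap. Both enclosing methods start outside their hunks.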
@@ -2239,7 +2240,8 @@ class XendAPI(object):
         vdi = XendNode.instance().get_vdi_by_uuid(vdi_ref)
         rc = vdi.set_security_label(sec_lab, old_lab)
         if rc < 0:
-            return xen_api_error(['SECURITY_ERROR', rc])
+            return xen_api_error(['SECURITY_ERROR', rc,
+                                 xsconstants.xserr2string(-rc)])
         return xen_api_success(rc)
 
     def VDI_get_security_label(self, session, vdi_ref):
diff -r 7ef821ff6d89 -r 9c077fc8ccf1 tools/python/xen/xend/XendVDI.py
--- a/tools/python/xen/xend/XendVDI.py  Wed Jul 18 10:08:37 2007 +0100
+++ b/tools/python/xen/xend/XendVDI.py  Wed Jul 18 10:09:06 2007 +0100
@@ -24,6 +24,7 @@ from xen.util.xmlrpclib2 import stringif
 from xen.util.xmlrpclib2 import stringify
 from xmlrpclib import dumps, loads
 from xen.util import security, xsconstants
+from xen.xend.XendError import SecurityError
 
 KB = 1024
 MB = 1024 * 1024
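Review bot: The added `from xen.xend.XendError import SecurityError` has no visible use in this diff, and the diffstat lists this single insertion as the file's only change. Either the name was already referenced in XendVDI.py before this commit (in which case that reference would have raised NameError when reached), or the import is currently unused and should be dropped until the code that raises it lands; which of the two applies is not visible from the hunk.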
diff -r 7ef821ff6d89 -r 9c077fc8ccf1 tools/python/xen/xend/XendXSPolicyAdmin.py
--- a/tools/python/xen/xend/XendXSPolicyAdmin.py        Wed Jul 18 10:08:37 
2007 +0100
+++ b/tools/python/xen/xend/XendXSPolicyAdmin.py        Wed Jul 18 10:09:06 
2007 +0100
@@ -56,7 +56,10 @@ class XSPolicyAdmin:
             typ = data[1]
             try:
                 if typ == xsconstants.ACM_POLICY_ID:
-                    self.xsobjs[ref] = ACMPolicy(name=name, ref=ref)
+                    try:
+                        self.xsobjs[ref] = ACMPolicy(name=name, ref=ref)
+                    except Exception, e:
+                        del self.policies[ref]
                 else:
                     del self.policies[ref]
             except Exception, e:
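Review bot: The inner `except Exception, e:` on the added lines removes a policy from `self.policies` without recording why `ACMPolicy` construction failed, and `e` is bound but never used; for a security-policy loader a silent drop is hard to diagnose. Log the reason before deleting, e.g. `log.warn("Could not load ACM policy '%s': %s" % (name, e))` if this module has a logger (none is visible in the hunk). The body of the outer `except Exception, e:` on the last line and the enclosing method lie outside the hunk, so whether the outer handler would already have removed the entry cannot be confirmed here.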
@@ -271,6 +274,10 @@ class XSPolicyAdmin:
                 return pol
         return None
 
+    def get_hv_loaded_policy_name(self):
+        security.refresh_security_policy()
+        return security.active_policy
+
     def get_policy_by_name(self, name):
         for pol in self.xsobjs.values():
             if pol.get_name() == name:
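Review bot: The new `get_hv_loaded_policy_name` has no docstring, and its contract — call `security.refresh_security_policy()` first, then return `security.active_policy` — is exactly the kind of ordering a caller needs to know. Suggested: `""" Refresh the security module's view of the hypervisor's policy and return security.active_policy, the name of the currently loaded policy """`. That `active_policy` holds a name rests on the method's name; what `refresh_security_policy` updates is not visible in the hunk and should be confirmed against util/security.py.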
diff -r 7ef821ff6d89 -r 9c077fc8ccf1 tools/python/xen/xm/cfgbootpolicy.py
--- a/tools/python/xen/xm/cfgbootpolicy.py      Wed Jul 18 10:08:37 2007 +0100
+++ b/tools/python/xen/xm/cfgbootpolicy.py      Wed Jul 18 10:09:06 2007 +0100
@@ -170,8 +170,9 @@ def cfgbootpolicy_xapi(policy, user_titl
             OptionError("No policy installed on system?")
         acmpol = ACMPolicy(xml=xml)
         if acmpol.get_name() != policy:
-            OptionError("Policy installed on system '%s' does not match the "
-                        "request policy '%s'" % (acmpol.get_name(), policy))
+            raise OptionError("Policy installed on system '%s' does not "
+                              "match the requested policy '%s'" %
+                              (acmpol.get_name(), policy))
         flags = int(policystate['flags']) | xsconstants.XS_INST_BOOT
         rc = int(server.xenapi.XSPolicy.activate_xspolicy(xs_ref, flags))
         if rc == flags:
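Review bot: `OptionError("No policy installed on system?")` on the hunk's second context line has the same defect the commit fixes two lines below — the exception is constructed and discarded, so execution continues into `ACMPolicy(xml=xml)` with whatever `xml` holds. It should read `raise OptionError("No policy installed on system?")`. The enclosing function `cfgbootpolicy_xapi` starts outside the hunk.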
