
[Xen-changelog] [xen-unstable] xend: Refactor security.on() call

To: xen-changelog@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-changelog] [xen-unstable] xend: Refactor security.on() call
From: Xen patchbot-unstable <patchbot-unstable@xxxxxxxxxxxxxxxxxxx>
Date: Tue, 06 May 2008 06:00:07 -0700
Delivery-date: Tue, 06 May 2008 06:00:06 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-changelog-request@lists.xensource.com?subject=help>
List-id: BK change log <xen-changelog.lists.xensource.com>
List-post: <mailto:xen-changelog@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=unsubscribe>
Reply-to: xen-devel@xxxxxxxxxxxxxxxxxxx
Sender: xen-changelog-bounces@xxxxxxxxxxxxxxxxxxx
# HG changeset patch
# User Keir Fraser <keir.fraser@xxxxxxxxxx>
# Date 1210064752 -3600
# Node ID 94c6501c4ffef716c4445ee2dd8074a497a9a3ce
# Parent  ccbbe6fe5827b3a262b24f6dd7140de8ae3ec456
xend: Refactor security.on() call

I am refactoring the security.on() call to return the actual type of
the security module that is found to be enabled rather than just
returning True or False.

Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxx>
---
 tools/python/xen/util/xsm/acm/acm.py       |    4 +++-
 tools/python/xen/util/xsm/flask/flask.py   |    2 +-
 tools/python/xen/xend/XendConfig.py        |    2 +-
 tools/python/xen/xend/XendDomainInfo.py    |    6 +++---
 tools/python/xen/xend/XendXSPolicyAdmin.py |    8 +++++++-
 tools/python/xen/xend/server/blkif.py      |    3 ++-
 tools/python/xen/xend/server/netif.py      |    3 ++-
 tools/python/xen/xm/addlabel.py            |   10 +++++-----
 tools/python/xen/xm/dry-run.py             |    5 +++--
 9 files changed, 27 insertions(+), 16 deletions(-)

diff -r ccbbe6fe5827 -r 94c6501c4ffe tools/python/xen/util/xsm/acm/acm.py
--- a/tools/python/xen/util/xsm/acm/acm.py      Mon May 05 10:16:58 2008 +0100
+++ b/tools/python/xen/util/xsm/acm/acm.py      Tue May 06 10:05:52 2008 +0100
@@ -156,7 +156,9 @@ def on():
     returns none if security policy is off (not compiled),
     any string otherwise, use it: if not security.on() ...
     """
-    return (get_active_policy_name() not in ['INACTIVE', 'NULL'])
+    if get_active_policy_name() not in ['INACTIVE', 'NULL', '']:
+        return xsconstants.XS_POLICY_ACM
+    return 0
 
 
 def calc_dom_ssidref_from_info(info):
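Review bot: The docstring kept as context above the new return lines still says on() "returns none if security policy is off (not compiled), any string otherwise", which no longer matches the code: the function now returns `xsconstants.XS_POLICY_ACM` when a policy is active and `0` otherwise. I would replace that text with `Return xsconstants.XS_POLICY_ACM if an ACM policy is active, 0 otherwise.` and drop the "use it: if not security.on()" hint, since callers in this commit compare against the constant instead of testing truthiness. The docstring starts outside the hunk.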
diff -r ccbbe6fe5827 -r 94c6501c4ffe tools/python/xen/util/xsm/flask/flask.py
--- a/tools/python/xen/util/xsm/flask/flask.py  Mon May 05 10:16:58 2008 +0100
+++ b/tools/python/xen/util/xsm/flask/flask.py  Tue May 06 10:05:52 2008 +0100
@@ -12,7 +12,7 @@ def err(msg):
     raise XSMError(msg)
 
 def on():
-    return 1
+    return 0 #xsconstants.XS_POLICY_FLASK
 
 def ssidref2label(ssidref):
     try:
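Review bot: `return 0 #xsconstants.XS_POLICY_FLASK` makes the Flask module report security as off where it previously returned 1, and the commented-out constant gives no reason for it. The call sites changed in this commit compare against XS_POLICY_ACM, so on a Flask system they now skip `calc_dom_ssidref_from_info` and `do_access_control` (XendDomainInfo.py, blkif.py, netif.py), which ran before; whether that is intended should be stated. Any caller outside this diff that still tests `if security.on():` would also treat a Flask system as having no security module. I would either return the constant or add a comment such as `# TODO: return xsconstants.XS_POLICY_FLASK once callers handle Flask`.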
diff -r ccbbe6fe5827 -r 94c6501c4ffe tools/python/xen/xend/XendConfig.py
--- a/tools/python/xen/xend/XendConfig.py       Mon May 05 10:16:58 2008 +0100
+++ b/tools/python/xen/xend/XendConfig.py       Tue May 06 10:05:52 2008 +0100
@@ -688,7 +688,7 @@ class XendConfig(dict):
             self.parse_cpuid(cfg, 'cpuid_check')
 
         import xen.util.xsm.xsm as security
-        if security.on():
+        if security.on() == xsconstants.XS_POLICY_ACM:
             from xen.util.acmpolicy import ACM_LABEL_UNLABELED
             if not 'security' in cfg and sxp.child_value(sxp_cfg, 'security'):
                 cfg['security'] = sxp.child_value(sxp_cfg, 'security')
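Review bot: The new condition reads `xsconstants.XS_POLICY_ACM`, but no import of xsconstants is added to XendConfig.py: the diffstat shows only this one-line change for the file, whereas XendDomainInfo.py, blkif.py, netif.py and dry-run.py each gain `from xen.util import xsconstants`. Unless the module already imports it outside the visible lines, this raises NameError the first time the check is reached. I would add `from xen.util import xsconstants` next to the local `import xen.util.xsm.xsm as security`. The acm.py hunk for on() uses the same name without adding an import and needs the same check.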
diff -r ccbbe6fe5827 -r 94c6501c4ffe tools/python/xen/xend/XendDomainInfo.py
--- a/tools/python/xen/xend/XendDomainInfo.py   Mon May 05 10:16:58 2008 +0100
+++ b/tools/python/xen/xend/XendDomainInfo.py   Tue May 06 10:05:52 2008 +0100
@@ -37,6 +37,7 @@ from xen.util import asserts
 from xen.util import asserts
 from xen.util.blkif import blkdev_uname_to_file, blkdev_uname_to_taptype
 import xen.util.xsm.xsm as security
+from xen.util import xsconstants
 
 from xen.xend import balloon, sxp, uuid, image, arch, osdep
 from xen.xend import XendOptions, XendNode, XendConfig
@@ -1973,7 +1974,7 @@ class XendDomainInfo:
         balloon.free(2*1024) # 2MB should be plenty
 
         ssidref = 0
-        if security.on():
+        if security.on() == xsconstants.XS_POLICY_ACM:
             ssidref = security.calc_dom_ssidref_from_info(self.info)
             if security.has_authorization(ssidref) == False:
                 raise VmError("VM is not authorized to run.")
@@ -1987,7 +1988,7 @@ class XendDomainInfo:
                 target = self.info.target())
         except Exception, e:
             # may get here if due to ACM the operation is not permitted
-            if security.on():
+            if security.on() == xsconstants.XS_POLICY_ACM:
                 raise VmError('Domain in conflict set with running domain?')
 
         if self.domid < 0:
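Review bot: With the narrowed condition, the `except Exception, e:` handler now swallows the failure whenever ACM is not the active module: nothing is raised or logged, and execution falls through to the `self.domid < 0` check. `e` is never used, so the underlying cause is lost even when the VmError is raised. I would record it before the ACM test, e.g. `log.exception(e)` if the module's logger is in scope, and keep the ACM-specific message as it is. The try block starts outside the hunk, so I cannot see which call is being guarded.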
@@ -2853,7 +2854,6 @@ class XendDomainInfo:
         is_policy_update = (xspol_old != None)
 
         from xen.xend.XendXSPolicyAdmin import XSPolicyAdminInstance
-        from xen.util import xsconstants
 
         state = self._stateGet()
         # Relabel only HALTED or RUNNING or PAUSED domains
diff -r ccbbe6fe5827 -r 94c6501c4ffe tools/python/xen/xend/XendXSPolicyAdmin.py
--- a/tools/python/xen/xend/XendXSPolicyAdmin.py        Mon May 05 10:16:58 2008 +0100
+++ b/tools/python/xen/xend/XendXSPolicyAdmin.py        Tue May 06 10:05:52 2008 +0100
@@ -48,6 +48,10 @@ class XSPolicyAdmin:
         self.xsobjs = {}
         bootloader.init()
 
+        if security.on() == xsconstants.XS_POLICY_ACM:
+            self.__acm_init()
+
+    def __acm_init(self):
         act_pol_name = self.get_hv_loaded_policy_name()
         initialize()
 
@@ -74,7 +78,7 @@ class XSPolicyAdmin:
             This currently only checks for ACM-enablement.
         """
         rc = 0
-        if security.on():
+        if security.on() == xsconstants.XS_POLICY_ACM:
             rc |= xsconstants.XS_POLICY_ACM
         return rc
 
@@ -104,6 +108,8 @@ class XSPolicyAdmin:
 
     def __add_acmpolicy_to_system(self, xmltext, flags, overwrite):
         errors = ""
+        if security.on() != xsconstants.XS_POLICY_ACM:
+            raise SecurityError(-xsconstants.XSERR_POLICY_TYPE_UNSUPPORTED)
         loadedpol = self.get_loaded_policy()
         if loadedpol:
             # This is meant as an update to a currently loaded policy
diff -r ccbbe6fe5827 -r 94c6501c4ffe tools/python/xen/xend/server/blkif.py
--- a/tools/python/xen/xend/server/blkif.py     Mon May 05 10:16:58 2008 +0100
+++ b/tools/python/xen/xend/server/blkif.py     Tue May 06 10:05:52 2008 +0100
@@ -23,6 +23,7 @@ import xen.util.xsm.xsm as security
 import xen.util.xsm.xsm as security
 from xen.xend.XendError import VmError
 from xen.xend.server.DevController import DevController
+from xen.util import xsconstants
 
 class BlkifController(DevController):
     """Block device interface controller. Handles all block devices
@@ -72,7 +73,7 @@ class BlkifController(DevController):
         if uuid:
             back['uuid'] = uuid
 
-        if security.on():
+        if security.on() == xsconstants.XS_POLICY_ACM:
             self.do_access_control(config, uname)
 
         devid = blkif.blkdev_name_to_number(dev)
diff -r ccbbe6fe5827 -r 94c6501c4ffe tools/python/xen/xend/server/netif.py
--- a/tools/python/xen/xend/server/netif.py     Mon May 05 10:16:58 2008 +0100
+++ b/tools/python/xen/xend/server/netif.py     Tue May 06 10:05:52 2008 +0100
@@ -29,6 +29,7 @@ from xen.xend.XendError import VmError
 from xen.xend.XendError import VmError
 from xen.xend.XendXSPolicyAdmin import XSPolicyAdminInstance
 import xen.util.xsm.xsm as security
+from xen.util import xsconstants
 
 from xen.xend.XendLogging import log
 
@@ -155,7 +156,7 @@ class NetifController(DevController):
             front = { 'handle' : "%i" % devid,
                       'mac'    : mac }
 
-        if security.on():
+        if security.on() == xsconstants.XS_POLICY_ACM:
             self.do_access_control(config)
 
         return (devid, back, front)
diff -r ccbbe6fe5827 -r 94c6501c4ffe tools/python/xen/xm/addlabel.py
--- a/tools/python/xen/xm/addlabel.py   Mon May 05 10:16:58 2008 +0100
+++ b/tools/python/xen/xm/addlabel.py   Tue May 06 10:05:52 2008 +0100
@@ -205,17 +205,17 @@ def main(argv):
     policy_type = ""
     if len(argv) not in (4, 5):
         raise OptionError('Needs either 2 or 3 arguments')
-    
+
     label = argv[1]
-    
+
     if len(argv) == 5:
         policyref = argv[4]
-    elif security.on():
+    elif security.on() == xsconstants.XS_POLICY_ACM:
         policyref = security.active_policy
         policy_type = xsconstants.ACM_POLICY_ID
     else:
-        raise OptionError("No active policy. Must specify policy on the "
-                          "command line.")
+        raise OptionError("ACM security is not enabled. You must specify "\
+                          "the policy on the command line.")
 
     if argv[2].lower() == "dom":
         configfile = argv[3]
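Review bot: The trailing backslash after `"ACM security is not enabled. You must specify "` is redundant, because the two string literals sit inside the parentheses of the OptionError call and are joined without it. I would drop the `\` so the call matches the continuation style of the lines it replaces. main() continues outside the hunk.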
diff -r ccbbe6fe5827 -r 94c6501c4ffe tools/python/xen/xm/dry-run.py
--- a/tools/python/xen/xm/dry-run.py    Mon May 05 10:16:58 2008 +0100
+++ b/tools/python/xen/xm/dry-run.py    Tue May 06 10:05:52 2008 +0100
@@ -22,6 +22,7 @@ import xen.util.xsm.xsm as security
 import xen.util.xsm.xsm as security
 from xen.xm import create
 from xen.xend import sxp
+from xen.util import xsconstants
 from xen.xm.opts import OptionError
 
 def help():
@@ -40,7 +41,7 @@ def check_domain_label(config, verbose):
     answer = 0
     default_label = None
     secon = 0
-    if security.on():
+    if security.on() == xsconstants.XS_POLICY_ACM:
         default_label = security.ssidref2label(security.NULL_SSIDREF)
         secon = 1
 
@@ -90,7 +91,7 @@ def config_security_check(config, verbos
             domain_policy = sxp.child_value(sxp.name(sxp.child0(x)), 'policy')
 
     # if no domain label, use default
-    if not domain_label and security.on():
+    if not domain_label and security.on() == xsconstants.XS_POLICY_ACM:
         try:
             domain_label = security.ssidref2label(security.NULL_SSIDREF)
         except:
