# HG changeset patch
# User Keir Fraser <keir.fraser@xxxxxxxxxx>
# Date 1210679205 -3600
# Node ID 65eec0554f39049eab354abe1ee4c305f6d1e0aa
# Parent 5e1a0dc74a3560376f45e54827fa0eb0f6747bfa
[Xend/security] Refactor the code that recalculates the label during a policy
update
Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxx>
---
tools/python/xen/util/xsm/acm/acm.py | 97 +++++++++++++++++++++++++++--------
1 files changed, 75 insertions(+), 22 deletions(-)
diff -r 5e1a0dc74a35 -r 65eec0554f39 tools/python/xen/util/xsm/acm/acm.py
--- a/tools/python/xen/util/xsm/acm/acm.py Tue May 13 12:43:24 2008 +0100
+++ b/tools/python/xen/util/xsm/acm/acm.py Tue May 13 12:46:45 2008 +0100
@@ -1363,6 +1363,45 @@ def relabel_domains(relabel_list):
return rc, errors
+def __update_label_policy_change(sec_lab,
+ cur_poltype,
+ cur_polname,
+ new_poltype,
+ new_polname,
+ polnew_labels,
+ label_map):
+ """
+ Determine a new resource label given the new policy's type
+ and name and the new policy's (resource/VM) labels and the
+ (resource/VM) label map that indicates renaming rules for
+ labels.
+ """
+ is_deleted = False
+ policytype, policy, label = sec_lab
+
+ if cur_poltype != policytype or \
+ cur_polname != policy:
+ return sec_lab, is_deleted
+
+ if policytype != xsconstants.ACM_POLICY_ID:
+ return sec_lab, is_deleted
+ elif label_map.has_key(label) and policy == cur_polname:
+ # renaming of an active label; policy may have been renamed
+ label = label_map[label]
+ polname = new_polname
+ elif label not in polnew_labels:
+ # label been removed
+ policytype = xsconstants.INVALID_POLICY_PREFIX + policytype
+ polname = policy
+ is_deleted = True
+ else:
+ # no change to label
+ policytype = xsconstants.ACM_POLICY_ID
+ polname = new_polname
+
+ return tuple( [ policytype, polname, label ] ), is_deleted
+
+
def change_acm_policy(bin_pol, del_array, chg_array,
vmlabel_map, reslabel_map, cur_acmpol, new_acmpol,
is_reset):
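Review bot: `new_poltype` is accepted by `__update_label_policy_change` but never read; the "no change to label" branch hard-codes `policytype = xsconstants.ACM_POLICY_ID`, which only coincides with the new policy's type because the guard above already returned for any other label type. Either drop the parameter or make the branch honour it, `policytype = new_poltype`, so the signature does not promise a generality the body does not deliver. The `policy == cur_polname` test on the renaming branch is likewise redundant, since the first guard already returned when `cur_polname != policy`. The docstring should also state the return contract, e.g. `Returns (new_label_tuple, is_deleted); a label that belongs to a policy other than the current one, or is not an ACM label, is returned untouched with is_deleted False.`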
@@ -1430,30 +1469,21 @@ def change_acm_policy(bin_pol, del_array
else:
return -xsconstants.XSERR_BAD_LABEL_FORMAT, ""
- if policytype != cur_policytype or \
- policy != cur_policyname:
- continue
-
- # label been renamed or deleted?
- if policytype != xsconstants.ACM_POLICY_ID:
- continue
- elif reslabel_map.has_key(label) and cur_policyname == policy:
- # renaming of an active label; policy may have been renamed
- label = reslabel_map[label]
- polname = new_policyname
- elif label not in polnew_reslabels:
- # label been removed
- policytype = xsconstants.INVALID_POLICY_PREFIX + policytype
+ new_sec_lab, is_deleted = \
+ __update_label_policy_change( tuple([policytype,
+ policy,
+ label]),
+ cur_policytype,
+ cur_policyname,
+ new_policytype,
+ new_policyname,
+ polnew_reslabels,
+ reslabel_map)
+
+ if is_deleted:
label_changes.append(key)
- polname = policy
- else:
- # no change to label
- policytype = xsconstants.ACM_POLICY_ID
- polname = new_policyname
-
# Update entry
- access_control[key] = \
- tuple([ policytype, polname, label ])
+ access_control[key] = new_sec_lab
# All resources have new labels in the access_control map
# There may still be labels in there that are invalid now.
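Review bot: The mismatched-policy and non-ACM cases are no longer skipped: the removed `continue` left `access_control[key]` untouched for those entries, whereas the new code always stores `new_sec_lab`, which for those cases is the freshly built `tuple([policytype, policy, label])`. That is only equivalent if the stored value was already a 3-tuple of exactly those parsed fields; if it is kept in another form (the parse that produces `policytype, policy, label` is outside the hunk) the map's representation changes silently. Either state in a comment that the unconditional store is meant to normalise entries, or skip it when the helper returned the input unchanged. `tuple([policytype, policy, label])` can simply be the literal `(policytype, policy, label)`. change_acm_policy starts and ends outside this hunk.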
@@ -1509,6 +1539,29 @@ def change_acm_policy(bin_pol, del_array
new_acmpol.policy_get_virtualmachinelabel_names())
if not compatible:
return (-xsconstants.XSERR_RESOURCE_ACCESS, "")
+
+ for dominfo in dominfos:
+ # relabel the VIF interfaces
+ changed = False
+ for vif_uuid in dominfo.get_vifs():
+ sec_lab = dominfo.info['devices'][vif_uuid][1]\
+ .get('security_label')
+ if sec_lab:
+ result, _ = \
+ __update_label_policy_change(tuple(sec_lab.split(':')),
+ cur_policytype,
+ cur_policyname,
+ new_policytype,
+ new_policyname,
+ polnew_reslabels,
+ reslabel_map)
+ new_sec_lab = ':'.join(list(result))
+ if new_sec_lab != sec_lab:
+ changed = True
+ dominfo.info['devices'][vif_uuid][1]\
+ ['security_label'] = new_sec_lab
+ if changed:
+ XendDomain.instance().managed_config_save(dominfo)
rc, errors = hv_chg_policy(bin_pol, del_array, chg_array)
if rc == 0:
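Review bot: The VIF relabel is persisted before the hypervisor has accepted the new policy: `managed_config_save(dominfo)` runs inside the loop and `hv_chg_policy` is only called afterwards, so if it fails the managed configs on disk and `dominfo.info` already carry labels of a policy that never became active, while the resource labels computed earlier appear to be committed only under `if rc == 0:` (that block is outside the hunk). Collect the domains instead, `changed_doms.append(dominfo)`, and save them in the success branch, `for d in changed_doms: XendDomain.instance().managed_config_save(d)`, or defer the in-memory update to that branch as well. `tuple(sec_lab.split(':'))` is also passed unchecked: a stored label with other than two colons makes the helper's three-way unpack raise ValueError part-way through the update, whereas the resource loop in this function returns `XSERR_BAD_LABEL_FORMAT` on a bad format; add `parts = sec_lab.split(':')` and `if len(parts) != 3: return -xsconstants.XSERR_BAD_LABEL_FORMAT, ""` before the call. Discarding `is_deleted` means VIF labels invalidated by the update are not recorded in `label_changes` the way resource labels are; confirm that is intended.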