WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-devel

[Xen-devel] [RESEND][BUGFIX][ACM][Resource Labels] This patch fixes prob

To: xen-devel@xxxxxxxxxxxxxxxxxxx, Reiner Sailer <sailer@xxxxxxxxxx>
Subject: [Xen-devel] [RESEND][BUGFIX][ACM][Resource Labels] This patch fixes problems with multiple representations of the same labeled resource
From: Reiner Sailer <sailer@xxxxxxxxxx>
Date: Tue, 10 Oct 2006 19:46:35 -0400
Delivery-date: Tue, 10 Oct 2006 16:47:06 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mozilla Thunderbird 1.0.7 (Windows/20050923)
This is a resend of the original patch. It fixes the resource representations in the resource_label file. Without this patch, multiple representations of the same resource can co-exist in the resource label file and lead to errors during operation.

This patch ensures that all resource file names are stored with absolute path name and are unique. Setting labels of phy-resources, relative paths will automatically be pre-pended with '/dev/'; labeling file-resources with relative paths will raise an error.

This patch is tested successfully both manually, with ACM=n and xm-test, and with ACM=y and xm-test (using our pending ACM extensions to xm-test).

Thanks
Reiner

Signed-off by: Reiner Sailer <sailer@xxxxxxxxxx>
---
 tools/python/xen/util/security.py |   22 ++++++++++++++++++++++
 tools/python/xen/xm/addlabel.py   |    9 ++-------
 tools/python/xen/xm/getlabel.py   |    3 +++
 tools/python/xen/xm/rmlabel.py    |    3 +++
 4 files changed, 30 insertions(+), 7 deletions(-)

Index: xen-unstable.hg-shype/tools/python/xen/util/security.py
===================================================================
--- xen-unstable.hg-shype.orig/tools/python/xen/util/security.py
+++ xen-unstable.hg-shype/tools/python/xen/util/security.py
@@ -596,12 +596,34 @@ def get_res_security_details(resource):
     return (label, ssidref, policy)
 
 
+def unify_resname(resource):
+    """Makes all resource locations absolute. In case of physical
+    resources, '/dev/' is added to local file names"""
+
+    # sanity check on resource name
+    (type, resfile) = resource.split(":")
+    if type == "phy":
+        if not resfile.startswith("/"):
+            resfile = "/dev/" + resfile
+
+    #file: resources must specified with absolute path
+    if (not resfile.startswith("/")) or (not os.path.exists(resfile)):
+        err("Invalid resource.")
+
+    # from here on absolute file names with resources
+    resource = type + ":" + resfile
+    return resource
+
+
 def res_security_check(resource, domain_label):
     """Checks if the given resource can be used by the given domain
        label.  Returns 1 if the resource can be used, otherwise 0.
     """
     rtnval = 1
 
+    #build canonical resource name
+    resource = unify_resname(resource)
+
     # if security is on, ask the hypervisor for a decision
     if on():
         (label, ssidref, policy) = get_res_security_details(resource)
Index: xen-unstable.hg-shype/tools/python/xen/xm/addlabel.py
===================================================================
--- xen-unstable.hg-shype.orig/tools/python/xen/xm/addlabel.py
+++ xen-unstable.hg-shype/tools/python/xen/xm/addlabel.py
@@ -72,13 +72,8 @@ def add_resource_label(label, resource, 
     # sanity check: make sure this label can be instantiated later on
     ssidref = security.label2ssidref(label, policyref, 'res')
 
-    # sanity check on resource name
-    (type, file) = resource.split(":")
-    if type == "phy":
-        file = "/dev/" + file
-    if not os.path.exists(file):
-        print "Invalid resource '"+resource+"'"
-        return
+    #build canonical resource name
+    resource = security.unify_resname(resource)
 
     # see if this resource is already in the file
     access_control = {}
Index: xen-unstable.hg-shype/tools/python/xen/xm/getlabel.py
===================================================================
--- xen-unstable.hg-shype.orig/tools/python/xen/xm/getlabel.py
+++ xen-unstable.hg-shype/tools/python/xen/xm/getlabel.py
@@ -33,6 +33,9 @@ def help():
 def get_resource_label(resource):
     """Gets the resource label
     """
+    #build canonical resource name
+    resource = security.unify_resname(resource)
+
     # read in the resource file
     file = security.res_label_filename
     try:
Index: xen-unstable.hg-shype/tools/python/xen/xm/rmlabel.py
===================================================================
--- xen-unstable.hg-shype.orig/tools/python/xen/xm/rmlabel.py
+++ xen-unstable.hg-shype/tools/python/xen/xm/rmlabel.py
@@ -37,6 +37,9 @@ def help():
 def rm_resource_label(resource):
     """Removes a resource label from the global resource label file.
     """
+    #build canonical resource name
+    resource = security.unify_resname(resource)
+
     # read in the resource file
     file = security.res_label_filename
     try:
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
<Prev in Thread] Current Thread [Next in Thread>
  • [Xen-devel] [RESEND][BUGFIX][ACM][Resource Labels] This patch fixes problems with multiple representations of the same labeled resource, Reiner Sailer <=