[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen-unstable] [ACM] Provide the framework needed for resource labeling.



# HG changeset patch
# User kaf24@xxxxxxxxxxxxxxxxxxxx
# Node ID 0de8a4a023d05f5468e7e2130d6b29ab5b99faa7
# Parent  88d867661599a0aa05ec81d75ac6954146d269a9
[ACM] Provide the framework needed for resource labeling. 

Subsequent patches will follow in the coming weeks that will enable 
Xen ACM to control assignment of resources (e.g., block devices and 
networking) to virtual machines based on resource labels and the 
active security policy.

Signed-off-by: Bryan D. Payne <bdpayne@xxxxxxxxxx>
Signed-off-by: Reiner Sailer <sailer@xxxxxxxxxx>
---
 tools/security/python/xensec_tools/acm_getdecision  |   55 --------------------
 tools/python/xen/util/security.py                   |   41 ++++++++++----
 tools/python/xen/xm/addlabel.py                     |    2 
 tools/python/xen/xm/create.py                       |    2 
 tools/security/Makefile                             |    2 
 tools/security/python/xensec_gen/cgi-bin/policy.cgi |    2 
 tools/security/secpol_xml2bin.c                     |    6 +-
 7 files changed, 38 insertions(+), 72 deletions(-)

diff -r 88d867661599 -r 0de8a4a023d0 tools/python/xen/util/security.py
--- a/tools/python/xen/util/security.py Tue Jun 13 15:33:10 2006 +0100
+++ b/tools/python/xen/util/security.py Tue Jun 13 15:38:58 2006 +0100
@@ -52,7 +52,8 @@ binary_name_re = re.compile(".*[chwall|s
 binary_name_re = re.compile(".*[chwall|ste|chwall_ste].*\.bin", re.IGNORECASE)
 policy_name_re = re.compile(".*[chwall|ste|chwall_ste].*", re.IGNORECASE)
 
-
+#other global variables
+NULL_SSIDREF = 0
 
 log = logging.getLogger("xend.util.security")
 
@@ -255,6 +256,8 @@ def ssidref2label(ssidref_var):
     #2. get labelnames for both ssidref parts
     pri_ssid = ssidref & 0xffff
     sec_ssid = ssidref >> 16
+    pri_null_ssid = NULL_SSIDREF & 0xffff
+    sec_null_ssid = NULL_SSIDREF >> 16
     pri_labels = []
     sec_labels = []
     labels = []
@@ -270,7 +273,11 @@ def ssidref2label(ssidref_var):
     f.close()
 
     #3. get the label that is in both lists (combination must be a single 
label)
-    if secondary == "NULL":
+    if (primary == "CHWALL") and (pri_ssid == pri_null_ssid) and (sec_ssid != 
sec_null_ssid):
+        labels = sec_labels
+    elif (secondary == "CHWALL") and (pri_ssid != pri_null_ssid) and (sec_ssid 
== sec_null_ssid):
+        labels = pri_labels
+    elif secondary == "NULL":
         labels = pri_labels
     else:
         for i in pri_labels:
@@ -285,7 +292,7 @@ def ssidref2label(ssidref_var):
 
 
 
-def label2ssidref(labelname, policyname):
+def label2ssidref(labelname, policyname, type):
     """
     returns ssidref corresponding to labelname;
     maps current policy to default directory
@@ -293,6 +300,14 @@ def label2ssidref(labelname, policyname)
 
     if policyname in ['NULL', 'INACTIVE', 'DEFAULT']:
         err("Cannot translate labels for \'" + policyname + "\' policy.")
+
+    allowed_types = ['ANY']
+    if type == 'dom':
+        allowed_types.append('VM')
+    elif type == 'res':
+        allowed_types.append('RES')
+    else:
+        err("Invalid type.  Must specify 'dom' or 'res'.")
 
     (primary, secondary, f, pol_exists) = getmapfile(policyname)
 
@@ -303,11 +318,15 @@ def label2ssidref(labelname, policyname)
         l = line.split()
         if (len(l) < 5) or (l[0] != "LABEL->SSID"):
             continue
-        if primary and (l[2] == primary) and (l[3] == labelname):
+        if primary and (l[1] in allowed_types) and (l[2] == primary) and (l[3] 
== labelname):
             pri_ssid.append(int(l[4], 16))
-        if secondary and (l[2] == secondary) and (l[3] == labelname):
+        if secondary and (l[1] in allowed_types) and (l[2] == secondary) and 
(l[3] == labelname):
             sec_ssid.append(int(l[4], 16))
     f.close()
+    if (type == 'res') and (primary == "CHWALL") and (len(pri_ssid) == 0):
+        pri_ssid.append(NULL_SSIDREF)
+    elif (type == 'res') and (secondary == "CHWALL") and (len(sec_ssid) == 0):
+        sec_ssid.append(NULL_SSIDREF)
 
     #3. sanity check and composition of ssidref
     if (len(pri_ssid) == 0) or ((len(sec_ssid) == 0) and (secondary != 
"NULL")):
@@ -360,7 +379,7 @@ def refresh_ssidref(config):
         err("Policy \'" + policyname + "\' in label does not match active 
policy \'"
             + active_policy +"\'!")
 
-    new_ssidref = label2ssidref(labelname, policyname)
+    new_ssidref = label2ssidref(labelname, policyname, 'dom')
     if not new_ssidref:
         err("SSIDREF refresh failed!")
 
@@ -409,7 +428,7 @@ def get_decision(arg1, arg2):
     enables domains to retrieve access control decisions from
     the hypervisor Access Control Module.
     IN: args format = ['domid', id] or ['ssidref', ssidref]
-    or ['access_control', ['policy', policy], ['label', label]]
+    or ['access_control', ['policy', policy], ['label', label], ['type', type]]
     """
 
     if not on():
@@ -417,14 +436,14 @@ def get_decision(arg1, arg2):
 
     #translate labels before calling low-level function
     if arg1[0] == 'access_control':
-        if (arg1[1][0] != 'policy') or (arg1[2][0] != 'label') :
+        if (arg1[1][0] != 'policy') or (arg1[2][0] != 'label') or (arg1[3][0] 
!= 'type'):
             err("Argument type not supported.")
-        ssidref = label2ssidref(arg1[2][1], arg1[1][1])
+        ssidref = label2ssidref(arg1[2][1], arg1[1][1], arg1[3][1])
         arg1 = ['ssidref', str(ssidref)]
     if arg2[0] == 'access_control':
-        if (arg2[1][0] != 'policy') or (arg2[2][0] != 'label') :
+        if (arg2[1][0] != 'policy') or (arg2[2][0] != 'label') or (arg2[3][0] 
!= 'type'):
             err("Argument type not supported.")
-        ssidref = label2ssidref(arg2[2][1], arg2[1][1])
+        ssidref = label2ssidref(arg2[2][1], arg2[1][1], arg2[3][1])
         arg2 = ['ssidref', str(ssidref)]
 
     # accept only int or string types for domid and ssidref
diff -r 88d867661599 -r 0de8a4a023d0 tools/python/xen/xm/addlabel.py
--- a/tools/python/xen/xm/addlabel.py   Tue Jun 13 15:33:10 2006 +0100
+++ b/tools/python/xen/xm/addlabel.py   Tue Jun 13 15:38:58 2006 +0100
@@ -50,7 +50,7 @@ def main(argv):
             err("No active policy. Policy must be specified in command line.")
 
         #sanity checks: make sure this label can be instantiated later on
-        ssidref = label2ssidref(label, policyref)
+        ssidref = label2ssidref(label, policyref, 'dom')
 
         new_label = "access_control = ['policy=%s,label=%s']\n" % (policyref, 
label)
         if not os.path.isfile(configfile):
diff -r 88d867661599 -r 0de8a4a023d0 tools/python/xen/xm/create.py
--- a/tools/python/xen/xm/create.py     Tue Jun 13 15:33:10 2006 +0100
+++ b/tools/python/xen/xm/create.py     Tue Jun 13 15:38:58 2006 +0100
@@ -541,7 +541,7 @@ def configure_security(config, vals):
         if sxp.child_value(config, 'ssidref'):
             err("ERROR: SSIDREF and access_control are mutually exclusive but 
both specified!")
         #else calculate ssidre from label
-        ssidref = security.label2ssidref(label, policy)
+        ssidref = security.label2ssidref(label, policy, 'dom')
         if not ssidref :
             err("ERROR calculating ssidref from access_control.")
         security_label = ['security', [ config_access_control, ['ssidref' , 
ssidref ] ] ]
diff -r 88d867661599 -r 0de8a4a023d0 tools/security/Makefile
--- a/tools/security/Makefile   Tue Jun 13 15:33:10 2006 +0100
+++ b/tools/security/Makefile   Tue Jun 13 15:38:58 2006 +0100
@@ -33,7 +33,7 @@ OBJS_XML2BIN := $(patsubst %.c,%.o,$(fil
 
 ACM_INST_TOOLS    = xensec_tool xensec_xml2bin xensec_gen
 ACM_OBJS          = $(OBJS_TOOL) $(OBJS_XML2BIN) $(OBJS_GETD)
-ACM_SCRIPTS       = python/xensec_tools/acm_getlabel 
python/xensec_tools/acm_getdecision
+ACM_SCRIPTS       = python/xensec_tools/acm_getlabel
 
 ACM_CONFIG_DIR    = /etc/xen/acm-security
 ACM_POLICY_DIR    = $(ACM_CONFIG_DIR)/policies
diff -r 88d867661599 -r 0de8a4a023d0 
tools/security/python/xensec_gen/cgi-bin/policy.cgi
--- a/tools/security/python/xensec_gen/cgi-bin/policy.cgi       Tue Jun 13 
15:33:10 2006 +0100
+++ b/tools/security/python/xensec_gen/cgi-bin/policy.cgi       Tue Jun 13 
15:38:58 2006 +0100
@@ -406,7 +406,7 @@ def parsePolicyXml( ):
                                        msg = msg + 'Please validate the Policy 
file used.'
                                        formatXmlError( msg )
 
-                                       allCSMTypes[csName][1] = csMemberList
+                               allCSMTypes[csName][1] = csMemberList
 
        if pOrder != '':
                formPolicyOrder[1] = pOrder
diff -r 88d867661599 -r 0de8a4a023d0 tools/security/secpol_xml2bin.c
--- a/tools/security/secpol_xml2bin.c   Tue Jun 13 15:33:10 2006 +0100
+++ b/tools/security/secpol_xml2bin.c   Tue Jun 13 15:38:58 2006 +0100
@@ -44,6 +44,8 @@
 
 #define DEBUG    0
 
+#define NULL_LABEL_NAME "__NULL_LABEL__"
+
 /* primary / secondary policy component setting */
 enum policycomponent { CHWALL, STE, NULLPOLICY }
     primary = NULLPOLICY, secondary = NULLPOLICY;
@@ -467,7 +469,7 @@ int init_ssid_queues(void)
         return -ENOMEM;
 
     /* default chwall ssid */
-    default_ssid_chwall->name = "DEFAULT";
+    default_ssid_chwall->name = NULL_LABEL_NAME;
     default_ssid_chwall->num = max_chwall_ssids++;
     default_ssid_chwall->is_ref = 0;
     default_ssid_chwall->type = ANY;
@@ -484,7 +486,7 @@ int init_ssid_queues(void)
     max_chwall_labels++;
 
     /* default ste ssid */
-    default_ssid_ste->name = "DEFAULT";
+    default_ssid_ste->name = NULL_LABEL_NAME;
     default_ssid_ste->num = max_ste_ssids++;
     default_ssid_ste->is_ref = 0;
     default_ssid_ste->type = ANY;
diff -r 88d867661599 -r 0de8a4a023d0 
tools/security/python/xensec_tools/acm_getdecision
--- a/tools/security/python/xensec_tools/acm_getdecision        Tue Jun 13 
15:33:10 2006 +0100
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,55 +0,0 @@
-#!/usr/bin/env python
-#  -*- mode: python; -*-
-import sys
-import traceback
-import getopt
-
-# add fallback path for non-native python path installs if needed
-sys.path.insert(-1, '/usr/lib/python')
-sys.path.insert(-1, '/usr/lib64/python')
-
-from xen.util.security import ACMError, err, get_decision, active_policy
-
-def usage():
-    print "Usage: acm_getdecision -i domainid --label labelname"
-    print "  Test program illustrating the retrieval of"
-    print "  access control decisions from Xen. At this time,"
-    print "  only sharing (STE) policy decisions are supported."
-    print "  Arguments are two paramters in any combination:"
-    print "\t -i domain_id or --domid domain_id"
-    print "\t -l labelname or --label labelname"
-    print "  Return value:"
-    print "\t PERMITTED if access is permitted"
-    print "\t DENIED if access is denied"
-    print "\t ACMError -- e.g., unknown label or domain id"
-    err("Usage")
-
-try:
-
-    if len(sys.argv) != 5:
-        usage()
-
-    decision_args = []
-
-    for idx in range(1, len(sys.argv), 2):
-        if sys.argv[idx] in ['-i', '--domid']:
-            decision_args.append(['domid', sys.argv[idx+1]])
-        elif sys.argv[idx] in ['-l', '--label']:
-            decision_args.append(['access_control',
-                                  ['policy', active_policy],
-                                  ['label', sys.argv[idx+1]]
-                                  ])
-        else:
-            print "unknown argument %s" % sys.argv[idx]
-            usage()
-
-    if len(decision_args) != 2:
-        print "too many arguments"
-        usage()
-
-    print get_decision(decision_args[0], decision_args[1])
-
-except ACMError:
-       pass
-except:
-    traceback.print_exc(limit=1)

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.