# HG changeset patch
# User kfraser@xxxxxxxxxxxxxxxxxxxxx
# Date 1184749746 -3600
# Node ID 9c077fc8ccf132b5e0074e44edda83bf9152675f
# Parent 7ef821ff6d89d43afcbaf7e60e42e9a14306bbc0
[Xend] More security-related fixes

This patch provides some more fixes related to the recent security-related extensions to xend.

Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxx>
---
 tools/python/xen/util/acmpolicy.py | 17 ++++++++++-------
 tools/python/xen/util/security.py | 7 ++++---
 tools/python/xen/xend/XendAPI.py | 6 ++++--
 tools/python/xen/xend/XendVDI.py | 1 +
 tools/python/xen/xend/XendXSPolicyAdmin.py | 9 ++++++++-
 tools/python/xen/xm/cfgbootpolicy.py | 5 +++--
 6 files changed, 30 insertions(+), 15 deletions(-)

diff -r 7ef821ff6d89 -r 9c077fc8ccf1 tools/python/xen/util/acmpolicy.py
--- a/tools/python/xen/util/acmpolicy.py Wed Jul 18 10:08:37 2007 +0100
+++ b/tools/python/xen/util/acmpolicy.py Wed Jul 18 10:09:06 2007 +0100
@@ -122,7 +122,8 @@ class ACMPolicy(XSPolicy):
 rc = -xsconstants.XSERR_GENERAL_FAILURE
 if rc != xsconstants.XSERR_SUCCESS:
 log.warn("XML did not validate against schema")
- rc = self.__validate_name_and_labels()
+ if rc == xsconstants.XSERR_SUCCESS:
+ rc = self.__validate_name_and_labels()
 return rc
 
 def __validate_name_and_labels(self):
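Review bot: The new `if rc == xsconstants.XSERR_SUCCESS:` guard immediately follows an `if rc != xsconstants.XSERR_SUCCESS:` test of the same value, so the two branches read as independent checks when they are really one decision. Turn the new line into an `else:` of the preceding `if`, i.e. `else:` / `rc = self.__validate_name_and_labels()`, which states the intent directly: name/label validation only runs when the schema check passed, and a schema failure code is never overwritten. The enclosing validation method starts before this hunk.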
@@ -626,14 +627,15 @@ class ACMPolicy(XSPolicy):
 def policy_get_stes_of_vmlabel(self, vmlabel):
 """ Get a list of all STEs of a given VMlabel """
 return self.__policy_get_stes_of_labeltype(vmlabel,
- "VirtualMachineLabel")
+ "/SubjectLabels", "VirtualMachineLabel")
 
 def policy_get_stes_of_resource(self, reslabel):
 """ Get a list of all resources of a given VMlabel """
- return self.__policy_get_stes_of_labeltype(reslabel, "ResourceLabel")
-
- def __policy_get_stes_of_labeltype(self, label, labeltype):
- node = self.dom_get_node("SecurityLabelTemplate/SubjectLabels")
+ return self.__policy_get_stes_of_labeltype(reslabel,
+ "/ObjectLabels", "ResourceLabel")
+
+ def __policy_get_stes_of_labeltype(self, label, path, labeltype):
+ node = self.dom_get_node("SecurityLabelTemplate" + path)
 if node:
 i = 0
 while i < len(node.childNodes):
@@ -661,7 +663,8 @@ class ACMPolicy(XSPolicy):
 return False
 for res in resources:
 res_stes = self.policy_get_stes_of_resource(res)
- if len( set(res_stes).union( set(vm_stes) ) ) == 0:
+ if len(res_stes) == 0 or \
+ len( set(res_stes).intersection( set(vm_stes) ) ) == 0:
 return False
 return True
 
diff -r 7ef821ff6d89 -r 9c077fc8ccf1 tools/python/xen/util/security.py
--- a/tools/python/xen/util/security.py Wed Jul 18 10:08:37 2007 +0100
+++ b/tools/python/xen/util/security.py Wed Jul 18 10:09:06 2007 +0100
@@ -799,9 +799,10 @@ def is_resource_in_use(resource):
 lst.append(dominfo)
 return lst
 
-def devices_equal(res1, res2):
+def devices_equal(res1, res2, mustexist=True):
 """ Determine whether two devices are equal """
- return (unify_resname(res1) == unify_resname(res2))
+ return (unify_resname(res1, mustexist) ==
+ unify_resname(res2, mustexist))
 
 def is_resource_in_use_by_dom(dominfo, resource):
 """ Determine whether a resources is in use by a given domain
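Review bot: The docstring of `policy_get_stes_of_resource` still says "Get a list of all resources of a given VMlabel", but the rewritten call passes `"/ObjectLabels", "ResourceLabel"` to the helper, so what it returns is the STEs of a resource label; change it to `""" Get a list of all STEs of a given ResourceLabel """`. The new `path` parameter of `__policy_get_stes_of_labeltype` is also undocumented; a one-line comment such as `# path is appended to "SecurityLabelTemplate", e.g. "/SubjectLabels" or "/ObjectLabels"` on the `node = ...` line would tell the next caller what to pass. The helper's loop body continues outside the hunk.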
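Review bot: In the second hunk (@@ -661) the new condition rebuilds `set(vm_stes)` on every iteration of `for res in resources`, and the `len(...) == 0` tests are the non-idiomatic spelling of emptiness. Hoist the VM side once before the loop, `vm_set = set(vm_stes)`, and write the test as `if not res_stes or not (set(res_stes) & vm_set):`; behaviour is unchanged, including returning True when `resources` is empty, which is decided before the hunk begins. The enclosing function starts outside the hunk, so whether an empty `resources` list is meant to pass cannot be judged here.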
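Review bot: The new `mustexist` parameter of `devices_equal` (@@ -799) is not described by the docstring, and its meaning is only implied by its name and by the `mustexist=False` call added in the `is_resource_in_use_by_dom` hunk (@@ -817) in the same file, so a caller cannot tell from the signature when False is appropriate. Extend the docstring, e.g. `""" Determine whether two devices are equal; mustexist is forwarded to unify_resname (presumably: when False, a resource that does not exist on this host is still normalised rather than rejected) """`, and confirm the presumption against `unify_resname`, which is outside this diff. The keyword form `mustexist=False` used at the call site is the right style for further callers.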
@@ -817,7 +818,7 @@ def is_resource_in_use_by_dom(dominfo, r
 dev = devs[uuid]
 if len(dev) >= 2 and dev[1].has_key('uname'):
 # dev[0] is type, i.e. 'vbd'
- if devices_equal(dev[1]['uname'], resource):
+ if devices_equal(dev[1]['uname'], resource, mustexist=False):
 log.info("RESOURCE IN USE: Domain %d uses %s." %
 (dominfo.domid, resource))
 return True
diff -r 7ef821ff6d89 -r 9c077fc8ccf1 tools/python/xen/xend/XendAPI.py
--- a/tools/python/xen/xend/XendAPI.py Wed Jul 18 10:08:37 2007 +0100
+++ b/tools/python/xen/xend/XendAPI.py Wed Jul 18 10:09:06 2007 +0100
@@ -1620,7 +1620,8 @@ class XendAPI(object):
 (rc, errors, oldlabel, new_ssidref) = \
 dom.set_security_label(sec_label, old_label)
 if rc != xsconstants.XSERR_SUCCESS:
- return xen_api_error(['SECURITY_ERROR', rc])
+ return xen_api_error(['SECURITY_ERROR', rc,
+ xsconstants.xserr2string(-rc)])
 if rc == 0:
 rc = new_ssidref
 return xen_api_success(rc)
@@ -2239,7 +2240,8 @@ class XendAPI(object):
 vdi = XendNode.instance().get_vdi_by_uuid(vdi_ref)
 rc = vdi.set_security_label(sec_lab, old_lab)
 if rc < 0:
- return xen_api_error(['SECURITY_ERROR', rc])
+ return xen_api_error(['SECURITY_ERROR', rc,
+ xsconstants.xserr2string(-rc)])
 return xen_api_success(rc)
 
 def VDI_get_security_label(self, session, vdi_ref):
diff -r 7ef821ff6d89 -r 9c077fc8ccf1 tools/python/xen/xend/XendVDI.py
--- a/tools/python/xen/xend/XendVDI.py Wed Jul 18 10:08:37 2007 +0100
+++ b/tools/python/xen/xend/XendVDI.py Wed Jul 18 10:09:06 2007 +0100
@@ -24,6 +24,7 @@ from xen.util.xmlrpclib2 import stringif
 from xen.util.xmlrpclib2 import stringify
 from xmlrpclib import dumps, loads
 from xen.util import security, xsconstants
+from xen.xend.XendError import SecurityError
 
 KB = 1024
 MB = 1024 * 1024
diff -r 7ef821ff6d89 -r 9c077fc8ccf1 tools/python/xen/xend/XendXSPolicyAdmin.py
--- a/tools/python/xen/xend/XendXSPolicyAdmin.py Wed Jul 18 10:08:37 2007 +0100
+++ b/tools/python/xen/xend/XendXSPolicyAdmin.py Wed Jul 18 10:09:06 2007 +0100
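Review bot: The two XendAPI.py hunks (@@ -1620 and @@ -2239) add the same three-element error `['SECURITY_ERROR', rc, xsconstants.xserr2string(-rc)]` behind different tests: the first guards on `rc != xsconstants.XSERR_SUCCESS`, the second on `rc < 0`, so in the first a positive non-success value (if `dom.set_security_label` can return one) would hand a negative code to `xserr2string`. Align the first site on `if rc < 0:` — assuming error codes are negative, as the `-rc` negation here and `rc = -xsconstants.XSERR_GENERAL_FAILURE` in the acmpolicy.py hunk suggest — and consider a one-line module helper `def security_error(rc): return xen_api_error(['SECURITY_ERROR', rc, xsconstants.xserr2string(-rc)])` so the list shape is written once. Both enclosing methods start before their hunks.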
@@ -56,7 +56,10 @@ class XSPolicyAdmin:
 typ = data[1]
 try:
 if typ == xsconstants.ACM_POLICY_ID:
- self.xsobjs[ref] = ACMPolicy(name=name, ref=ref)
+ try:
+ self.xsobjs[ref] = ACMPolicy(name=name, ref=ref)
+ except Exception, e:
+ del self.policies[ref]
 else:
 del self.policies[ref]
 except Exception, e:
@@ -271,6 +274,10 @@ class XSPolicyAdmin:
 return pol
 return None
 
+ def get_hv_loaded_policy_name(self):
+ security.refresh_security_policy()
+ return security.active_policy
+
 def get_policy_by_name(self, name):
 for pol in self.xsobjs.values():
 if pol.get_name() == name:
diff -r 7ef821ff6d89 -r 9c077fc8ccf1 tools/python/xen/xm/cfgbootpolicy.py
--- a/tools/python/xen/xm/cfgbootpolicy.py Wed Jul 18 10:08:37 2007 +0100
+++ b/tools/python/xen/xm/cfgbootpolicy.py Wed Jul 18 10:09:06 2007 +0100
@@ -170,8 +170,9 @@ def cfgbootpolicy_xapi(policy, user_titl
 OptionError("No policy installed on system?")
 acmpol = ACMPolicy(xml=xml)
 if acmpol.get_name() != policy:
- OptionError("Policy installed on system '%s' does not match the "
- "request policy '%s'" % (acmpol.get_name(), policy))
+ raise OptionError("Policy installed on system '%s' does not "
+ "match the requested policy '%s'" %
+ (acmpol.get_name(), policy))
 flags = int(policystate['flags']) | xsconstants.XS_INST_BOOT
 rc = int(server.xenapi.XSPolicy.activate_xspolicy(xs_ref, flags))
 if rc == flags:
_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
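Review bot: The new inner `except Exception, e:` around `ACMPolicy(name=name, ref=ref)` drops the entry from `self.policies` without recording why construction failed, and `e` is never used, so a security policy that silently vanishes from the admin's view is hard to diagnose. Log before the `del`, e.g. `log.warn("Could not load ACM policy %s: %s" % (ref, e))`, assuming this module has a `log` like the acmpolicy.py and security.py hunks do. The outer `except Exception, e:` one line below catches the same type; its body is outside the hunk, so whether the inner handler is needed at all cannot be judged here.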
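Review bot: `get_hv_loaded_policy_name` (@@ -271) has no docstring, and its result comes from module-level state, `security.active_policy`, that the preceding `security.refresh_security_policy()` call is presumably expected to update, which the three lines do not make obvious. Suggest `""" Return the name of the policy the hypervisor currently has loaded, re-reading it via security.refresh_security_policy() first """`; that refresh actually updates `active_policy` is inferred from the call order and should be confirmed against xen/util/security.py.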
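Review bot: The first context line of the cfgbootpolicy.py hunk (@@ -170), `OptionError("No policy installed on system?")`, has the same defect the commit fixes two lines below: the exception object is constructed but never raised, so execution continues into `ACMPolicy(xml=xml)` with whatever `xml` holds. Change it to `raise OptionError("No policy installed on system?")`. The condition governing that line and the rest of `cfgbootpolicy_xapi` are outside the hunk.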