[Xen-changelog] [xen-unstable] xend: Check access to the privcmd interface before doing the call to
# HG changeset patch
# User Keir Fraser <keir@xxxxxxxxxxxxx>
# Date 1191416766 -3600
# Node ID aa8944bc4987ee181ca2539bb10112f6b6d1bccb
# Parent 2e5e948bf69d6e59751020bff44c63828862b532
xend: Check access to the privcmd interface before doing the call to
fetch the currently enforced policy. Assign 'INACCESSIBLE' to the policy if it cannot be retrieved due to the user not being privileged.
Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxx>
---
 tools/python/xen/util/xsm/acm/acm.py | 17 ++++++++++-------
 tools/python/xen/xm/labels.py | 6 ++++--
 2 files changed, 14 insertions(+), 9 deletions(-)
diff -r 2e5e948bf69d -r aa8944bc4987 tools/python/xen/util/xsm/acm/acm.py
--- a/tools/python/xen/util/xsm/acm/acm.py Wed Oct 03 14:04:51 2007 +0100
+++ b/tools/python/xen/util/xsm/acm/acm.py Wed Oct 03 14:06:06 2007 +0100
@@ -109,10 +109,12 @@ def refresh_security_policy():
 """
 global active_policy
- try:
- active_policy = acm.policy()
- except:
- active_policy = "INACTIVE"
+ active_policy = 'INACCESSIBLE'
+ if os.access("/proc/xen/privcmd", os.R_OK|os.W_OK):
+ try:
+ active_policy = acm.policy()
+ except:
+ active_policy = "INACTIVE"
 # now set active_policy
 refresh_security_policy()
@@ -295,7 +297,7 @@ def label2ssidref(labelname, policyname,
 maps current policy to default directory to find mapping file
 """
- if policyname in ['NULL', 'INACTIVE', 'DEFAULT']:
+ if policyname in ['NULL', 'INACTIVE', 'DEFAULT', 'INACCESSIBLE' ]:
 err("Cannot translate labels for \'" + policyname + "\' policy.")
 allowed_types = ['ANY']
@@ -557,7 +559,7 @@ def load_policy(policy_name):
 def dump_policy():
- if active_policy in ['NULL', 'INACTIVE']:
+ if active_policy in ['NULL', 'INACTIVE', 'INACCESSIBLE' ]:
 err("\'" + active_policy + "\' policy. Nothing to dump.")
 (ret, output) = commands.getstatusoutput(xensec_tool + " getpolicy")
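Review bot: The `os.access("/proc/xen/privcmd", os.R_OK|os.W_OK)` pre-check added to `refresh_security_policy` is only a hint: `os.access` tests the real uid/gid, not the effective one, and its answer can differ from what the later `acm.policy()` call actually meets. The bare `except:` kept underneath still turns every failure into "INACTIVE", so a permission failure that slips past the pre-check is reported as "no policy" rather than 'INACCESSIBLE'. Consider narrowing the handler to the exception `acm.policy()` really raises (not visible in this hunk) and adding a comment such as `# os.access() checks the real uid/gid and is advisory; acm.policy() may still fail`. The hunk also depends on `os` being imported in acm.py, which the patch does not show.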
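Review bot: 'INACCESSIBLE' is appended by hand to the literal list in `label2ssidref`, and again in `dump_policy`, `list_labels` and `labels()` in labels.py, and those lists already differ in membership. Any other consumer of `active_policy` that this patch does not touch would treat 'INACCESSIBLE' as a real policy name; whether such callers exist is not visible from these hunks. Naming the non-policy states once next to `active_policy`, for example `NO_POLICY_STATES = ('NULL', 'INACTIVE', 'DEFAULT', 'INACCESSIBLE')` (a suggested name, not one from the file), and testing against it would stop the checks from drifting. `dump_policy` appears to leave out 'DEFAULT' on purpose, so it would keep its own narrower tuple.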
@@ -580,7 +582,8 @@ def dump_policy_file(filename, ssidref=N
 def list_labels(policy_name, condition):
- if (not policy_name) and (active_policy) in ["NULL", "INACTIVE", "DEFAULT"]:
+ if (not policy_name) and active_policy in \
+ [ 'NULL', 'INACTIVE', 'DEFAULT', 'INACCESSIBLE' ]:
 err("Current policy \'" + active_policy + "\' has no labels defined.\n")
 (primary, secondary, f, pol_exists) = getmapfile(policy_name)
diff -r 2e5e948bf69d -r aa8944bc4987 tools/python/xen/xm/labels.py
--- a/tools/python/xen/xm/labels.py Wed Oct 03 14:04:51 2007 +0100
+++ b/tools/python/xen/xm/labels.py Wed Oct 03 14:06:06 2007 +0100
@@ -62,6 +62,8 @@ def labels(policy, ptype):
 policy = active_policy
 if active_policy in ['NULL', 'INACTIVE', 'DEFAULT']:
 raise OptionError('No policy active, you must specify a <policy>')
+ if active_policy in ['INACCESSIBLE']:
+ raise OptionError('Cannot access the policy. Try as root.')
 if not ptype or ptype == 'dom':
 condition = vm_label_re
@@ -104,9 +106,9 @@ def labels_xapi(policy, ptype):
 for n in names:
 print n
 elif int(policystate['type']) == 0:
- print "No policy installed on the system."
+ err("No policy installed on the system.")
 else:
- print "Unsupported type of policy installed on the system."
+ err("Unsupported type of policy installed on the system.")
 if __name__ == '__main__':
 main(sys.argv)
_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
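Review bot: In `labels()` the new test `if active_policy in ['INACCESSIBLE']:` is a membership check against a one-element list; `if active_policy == 'INACCESSIBLE':` says the same thing more directly. The acm.py hunk shows `active_policy` being set by a module-level `refresh_security_policy()` call, so if labels.py imports the name from there (the import is not shown), this branch sees a snapshot taken at import time. A short comment such as `# active_policy is computed once when acm.py is imported` would make that clear. The body of `labels()` starts and continues outside the hunk.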
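Review bot: The two branches in `labels_xapi` that used to `print` a message and fall through now call `err(...)`, which changes control flow if `err` raises or exits as its use in acm.py suggests; its definition is not visible here. Callers and scripts that treated "No policy installed on the system." as a normal, zero-status outcome will now see an error path, which deserves a line in the commit description. It is also worth confirming that `err` is in scope in labels.py, since no import change appears in this patch.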