
[Xen-changelog] [xen-unstable] xend: Check access to the privcmd interface before doing the call to



# HG changeset patch
# User Keir Fraser <keir@xxxxxxxxxxxxx>
# Date 1191416766 -3600
# Node ID aa8944bc4987ee181ca2539bb10112f6b6d1bccb
# Parent  2e5e948bf69d6e59751020bff44c63828862b532
xend: Check access to the privcmd interface before doing the call to
fetch the currently enforced policy. Assign 'INACCESSIBLE' to the
policy if it cannot be retrieved due to the user not being
privileged.

Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxx>
---
 tools/python/xen/util/xsm/acm/acm.py |   17 ++++++++++-------
 tools/python/xen/xm/labels.py        |    6 ++++--
 2 files changed, 14 insertions(+), 9 deletions(-)

diff -r 2e5e948bf69d -r aa8944bc4987 tools/python/xen/util/xsm/acm/acm.py
--- a/tools/python/xen/util/xsm/acm/acm.py      Wed Oct 03 14:04:51 2007 +0100
+++ b/tools/python/xen/util/xsm/acm/acm.py      Wed Oct 03 14:06:06 2007 +0100
@@ -109,10 +109,12 @@ def refresh_security_policy():
     """
     global active_policy
 
-    try:
-        active_policy = acm.policy()
-    except:
-        active_policy = "INACTIVE"
+    active_policy = 'INACCESSIBLE'
+    if os.access("/proc/xen/privcmd", os.R_OK|os.W_OK):
+        try:
+            active_policy = acm.policy()
+        except:
+            active_policy = "INACTIVE"
 
 # now set active_policy
 refresh_security_policy()
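Review bot: The bare `except:` kept around `acm.policy()` still turns every failure into `"INACTIVE"`, so a permission error from the privcmd call itself would be reported as an inactive policy even with the new guard. `os.access()` is only an advisory pre-check, made with the real uid/gid, and its answer can differ from what the later call is actually permitted to do. I would document this above the guard, for example `# os.access is a hint only: acm.policy() can still be refused, and any failure below is reported as INACTIVE`. The function's signature and docstring start outside the hunk.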
@@ -295,7 +297,7 @@ def label2ssidref(labelname, policyname,
     maps current policy to default directory
     to find mapping file    """
 
-    if policyname in ['NULL', 'INACTIVE', 'DEFAULT']:
+    if policyname in ['NULL', 'INACTIVE', 'DEFAULT', 'INACCESSIBLE' ]:
         err("Cannot translate labels for \'" + policyname + "\' policy.")
 
     allowed_types = ['ANY']
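Review bot: The list of policy states that cannot be used is spelled out separately here, in `dump_policy()`, in `list_labels()` and in `labels()` in xm/labels.py, and each copy had to be edited by hand to learn about `'INACCESSIBLE'`. A check that is missed would let the sentinel string pass on as if it were a real policy name; whether other callers compare against `active_policy` is not visible from this diff. A module-level constant such as `NO_POLICY_STATES = ('NULL', 'INACTIVE', 'DEFAULT', 'INACCESSIBLE')`, with a comment saying what each state means, would keep the checks in step. `dump_policy()` omits `'DEFAULT'`, which looks intentional and would need its own constant. The body of `label2ssidref` continues outside the hunk.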
@@ -557,7 +559,7 @@ def load_policy(policy_name):
 
 
 def dump_policy():
-    if active_policy in ['NULL', 'INACTIVE']:
+    if active_policy in ['NULL', 'INACTIVE', 'INACCESSIBLE' ]:
         err("\'" + active_policy + "\' policy. Nothing to dump.")
 
     (ret, output) = commands.getstatusoutput(xensec_tool + " getpolicy")
@@ -580,7 +582,8 @@ def dump_policy_file(filename, ssidref=N
 
 
 def list_labels(policy_name, condition):
-    if (not policy_name) and (active_policy) in ["NULL", "INACTIVE", 
"DEFAULT"]:
+    if (not policy_name) and active_policy in \
+              [ 'NULL', 'INACTIVE', 'DEFAULT', 'INACCESSIBLE' ]:
         err("Current policy \'" + active_policy + "\' has no labels 
defined.\n")
 
     (primary, secondary, f, pol_exists) = getmapfile(policy_name)
diff -r 2e5e948bf69d -r aa8944bc4987 tools/python/xen/xm/labels.py
--- a/tools/python/xen/xm/labels.py     Wed Oct 03 14:04:51 2007 +0100
+++ b/tools/python/xen/xm/labels.py     Wed Oct 03 14:06:06 2007 +0100
@@ -62,6 +62,8 @@ def labels(policy, ptype):
         policy = active_policy
         if active_policy in ['NULL', 'INACTIVE', 'DEFAULT']:
             raise OptionError('No policy active, you must specify a <policy>')
+        if active_policy in ['INACCESSIBLE']:
+            raise OptionError('Cannot access the policy. Try as root.')
 
     if not ptype or ptype == 'dom':
         condition = vm_label_re
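Review bot: The message `'Try as root.'` names a single cause, but `'INACCESSIBLE'` is assigned in acm.py whenever `os.access("/proc/xen/privcmd", ...)` returns false, and that also happens when the file does not exist at all (inferred from how `os.access` behaves, not from code shown here). A user who is already root on a host without that node would then be told to try as root. Wording such as `'Cannot access the policy (is /proc/xen/privcmd present, and are you root?).'` covers both cases, and the single-element membership test reads more plainly as `if active_policy == 'INACCESSIBLE':`. `labels()` starts and ends outside the hunk.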
@@ -104,9 +106,9 @@ def labels_xapi(policy, ptype):
         for n in names:
             print n
     elif int(policystate['type']) == 0:
-        print "No policy installed on the system."
+        err("No policy installed on the system.")
     else:
-        print "Unsupported type of policy installed on the system."
+        err("Unsupported type of policy installed on the system.")
 
 if __name__ == '__main__':
     main(sys.argv)



 

