
[Xen-changelog] [xen-unstable] xend: XSPolicy.can_run xend support



# HG changeset patch
# User Keir Fraser <keir.fraser@xxxxxxxxxx>
# Date 1207040883 -3600
# Node ID ff32e4cd61af0b14e402124ea1b2c26842c680b8
# Parent  6a7a61c26b14376820f4b8ec58bc7db37e0452dc
xend: XSPolicy.can_run xend support

Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxx>
---
 tools/python/xen/util/xsconstants.py  |    8 ++++--
 tools/python/xen/util/xsm/acm/acm.py  |   42 +++++++++++++++++++++++++++++++++-
 tools/python/xen/xend/XendXSPolicy.py |   10 +++++++-
 3 files changed, 56 insertions(+), 4 deletions(-)

diff -r 6a7a61c26b14 -r ff32e4cd61af tools/python/xen/util/xsconstants.py
--- a/tools/python/xen/util/xsconstants.py      Tue Apr 01 10:07:35 2008 +0100
+++ b/tools/python/xen/util/xsconstants.py      Tue Apr 01 10:08:03 2008 +0100
@@ -57,7 +57,9 @@ XSERR_RESOURCE_ACCESS          = 23 + XS
 XSERR_RESOURCE_ACCESS          = 23 + XSERR_BASE
 XSERR_HV_OP_FAILED             = 24 + XSERR_BASE
 XSERR_BOOTPOLICY_INSTALL_ERROR = 25 + XSERR_BASE
-XSERR_LAST                     = 25 + XSERR_BASE ## KEEP LAST
+XSERR_VM_NOT_AUTHORIZED        = 26 + XSERR_BASE
+XSERR_VM_IN_CONFLICT           = 27 + XSERR_BASE
+XSERR_LAST                     = 27 + XSERR_BASE ## KEEP LAST
 
 XSERR_MESSAGES = [
     '',
@@ -85,7 +87,9 @@ XSERR_MESSAGES = [
     'The policy is not loaded',
     'Error accessing resource',
     'Operation failed in hypervisor',
-    'Boot policy installation error'
+    'Boot policy installation error',
+    'VM is not authorized to run',
+    'VM label conflicts with another VM'
 ]
 
 def xserr2string(err):
diff -r 6a7a61c26b14 -r ff32e4cd61af tools/python/xen/util/xsm/acm/acm.py
--- a/tools/python/xen/util/xsm/acm/acm.py      Tue Apr 01 10:07:35 2008 +0100
+++ b/tools/python/xen/util/xsm/acm/acm.py      Tue Apr 01 10:08:03 2008 +0100
@@ -68,6 +68,7 @@ policy_name_re = re.compile(".*[chwall|s
 #decision hooks known to the hypervisor
 ACMHOOK_sharing = 1
 ACMHOOK_authorization = 2
+ACMHOOK_conflictset = 3
 
 #other global variables
 NULL_SSIDREF = 0
@@ -373,7 +374,7 @@ def label2ssidref(labelname, policyname,
         else:
             return (sec_ssid[0] << 16) | pri_ssid[0]
     finally:
-       mapfile_unlock()
+        mapfile_unlock()
 
 
 def refresh_ssidref(config):
@@ -550,6 +551,18 @@ def hv_get_policy():
     if len(bin_pol) == 0:
         bin_pol = None
     return rc, bin_pol
+
+
+def is_in_conflict(ssidref):
+    """ Check whether the given ssidref is in conflict with any running
+        domain.
+    """
+    decision = acm.getdecision('ssidref', str(ssidref),
+                               'ssidref', str(ssidref),
+                               ACMHOOK_conflictset)
+    if decision == "DENIED":
+        return True
+    return False
 
 
 def set_policy(xs_type, xml, flags, overwrite):
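Review bot: is_in_conflict fails open: only the exact string `"DENIED"` counts as a conflict, so any other value returned by `acm.getdecision` (an error string, an empty or unexpected result) is reported as "no conflict" and check_can_run goes on to return success. For an access decision the safer default is to treat everything that is not an explicit permit as a conflict, e.g. `return decision != "PERMITTED"`, assuming the binding reports a permit with that string; confirm against the acm module. The docstring could also state that the decision comes from the `ACMHOOK_conflictset` hook and that the same ssidref is passed as both arguments.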
@@ -1550,6 +1563,33 @@ def get_security_label(self, xspol=None)
     return label
 
 
+def check_can_run(sec_label):
+    """ Check whether a VM could run, given its vm label. A VM can run if
+       - it is authorized
+       - is not in conflict with any running domain
+    """
+    try:
+        mapfile_lock()
+
+        if sec_label == None or sec_label == "":
+            vm_label = ACM_LABEL_UNLABELED
+        else:
+            poltype, policy, vm_label = sec_label.split(':')
+            if policy != get_active_policy_name():
+                return -xsconstants.XSERR_BAD_POLICY_NAME
+        ssidref = label2ssidref(vm_label, policy, 'dom')
+        if ssidref != xsconstants.INVALID_SSIDREF:
+            if not has_authorization(ssidref):
+                return -xsconstants.XSERR_VM_NOT_AUTHORIZED
+            if is_in_conflict(ssidref):
+                return -xsconstants.XSERR_VM_IN_CONFLICT
+            return -xsconstants.XSERR_SUCCESS
+        else:
+            return -xsconstants.XSERR_BAD_LABEL
+    finally:
+        mapfile_unlock()
+
+
 __cond = threading.Condition()
 __script_runner = None
 __orders = []
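Review bot: In check_can_run the unlabeled branch (`sec_label == None or sec_label == ""`) sets only `vm_label`, so the following `label2ssidref(vm_label, policy, 'dom')` reads `policy` before it is bound and raises instead of returning an XSERR code. Binding it in that branch, `policy = get_active_policy_name()` right after `vm_label = ACM_LABEL_UNLABELED`, would fix this. The three-way unpack of `sec_label.split(':')` raises ValueError for a label that does not have exactly two colons; the can_run caller validates first, but other callers may not, so returning `-xsconstants.XSERR_BAD_LABEL` in that case would be more robust. `mapfile_lock()` also sits inside the `try`, so a failed acquire still reaches `mapfile_unlock()`, and label2ssidref appears to release the same lock in its own `finally`, so it is worth confirming the lock is re-entrant.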
diff -r 6a7a61c26b14 -r ff32e4cd61af tools/python/xen/xend/XendXSPolicy.py
--- a/tools/python/xen/xend/XendXSPolicy.py     Tue Apr 01 10:07:35 2008 +0100
+++ b/tools/python/xen/xend/XendXSPolicy.py     Tue Apr 01 10:08:03 2008 +0100
@@ -48,7 +48,8 @@ class XendXSPolicy(XendBase):
                   'rm_xsbootpolicy',
                   'get_resource_label',
                   'set_resource_label',
-                  'get_labeled_resources' ]
+                  'get_labeled_resources',
+                  'can_run' ]
         return XendBase.getFuncs() + funcs
 
     getClass    = classmethod(getClass)
@@ -190,6 +191,12 @@ class XendXSPolicy(XendBase):
         res = security.get_resource_label_xapi(resource)
         return res
 
+    def can_run(self, sec_label):
+        irc = security.validate_label_xapi(sec_label, 'dom')
+        if irc != xsconstants.XSERR_SUCCESS:
+            raise SecurityError(irc)
+        return security.check_can_run(sec_label)
+
     get_xstype      = classmethod(get_xstype)
     get_xspolicy    = classmethod(get_xspolicy)
     set_xspolicy    = classmethod(set_xspolicy)
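Review bot: can_run signals failure in two different ways and has no docstring saying so: a label that fails `validate_label_xapi` raises `SecurityError(irc)`, while an unauthorized or conflicting VM comes back as a negated `XSERR_*` integer from `check_can_run`. A caller that only handles the exception could read a denial as an ordinary result, so either raise for the non-success codes as well or document the contract, e.g. `"""Return the negated XSERR_* code from check_can_run (XSERR_SUCCESS if the VM may run); raise SecurityError if sec_label fails validation."""`. The rest of the class lies outside the hunk.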
@@ -198,6 +205,7 @@ class XendXSPolicy(XendBase):
     set_resource_label = classmethod(set_resource_label)
     get_resource_label = classmethod(get_resource_label)
     get_labeled_resources = classmethod(get_labeled_resources)
+    can_run = classmethod(can_run)
 
 
 class XendACMPolicy(XendXSPolicy):
