
[Xen-changelog] [xen-unstable] xend: Refactor security.on() call



# HG changeset patch
# User Keir Fraser <keir.fraser@xxxxxxxxxx>
# Date 1210064752 -3600
# Node ID 94c6501c4ffef716c4445ee2dd8074a497a9a3ce
# Parent  ccbbe6fe5827b3a262b24f6dd7140de8ae3ec456
xend: Refactor security.on() call

I am refactoring the security.on() call to return the actual type of
the security module that is found to be enabled rather than just
returning True or False.

Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxx>
---
 tools/python/xen/util/xsm/acm/acm.py       |    4 +++-
 tools/python/xen/util/xsm/flask/flask.py   |    2 +-
 tools/python/xen/xend/XendConfig.py        |    2 +-
 tools/python/xen/xend/XendDomainInfo.py    |    6 +++---
 tools/python/xen/xend/XendXSPolicyAdmin.py |    8 +++++++-
 tools/python/xen/xend/server/blkif.py      |    3 ++-
 tools/python/xen/xend/server/netif.py      |    3 ++-
 tools/python/xen/xm/addlabel.py            |   10 +++++-----
 tools/python/xen/xm/dry-run.py             |    5 +++--
 9 files changed, 27 insertions(+), 16 deletions(-)

diff -r ccbbe6fe5827 -r 94c6501c4ffe tools/python/xen/util/xsm/acm/acm.py
--- a/tools/python/xen/util/xsm/acm/acm.py      Mon May 05 10:16:58 2008 +0100
+++ b/tools/python/xen/util/xsm/acm/acm.py      Tue May 06 10:05:52 2008 +0100
@@ -156,7 +156,9 @@ def on():
     returns none if security policy is off (not compiled),
     any string otherwise, use it: if not security.on() ...
     """
-    return (get_active_policy_name() not in ['INACTIVE', 'NULL'])
+    if get_active_policy_name() not in ['INACTIVE', 'NULL', '']:
+        return xsconstants.XS_POLICY_ACM
+    return 0
 
 
 def calc_dom_ssidref_from_info(info):
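Review bot: The docstring kept as context above the new return still says on() "returns none if security policy is off" and "any string otherwise", but the new code returns `0` or `xsconstants.XS_POLICY_ACM`. I would replace those two lines with something like `Returns xsconstants.XS_POLICY_ACM if an ACM policy is active, 0 otherwise; compare the result against the constant.` The hunk does not show an import of `xsconstants` in acm.py, so confirm the name is already in scope there. The start of on() lies outside the hunk.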
diff -r ccbbe6fe5827 -r 94c6501c4ffe tools/python/xen/util/xsm/flask/flask.py
--- a/tools/python/xen/util/xsm/flask/flask.py  Mon May 05 10:16:58 2008 +0100
+++ b/tools/python/xen/util/xsm/flask/flask.py  Tue May 06 10:05:52 2008 +0100
@@ -12,7 +12,7 @@ def err(msg):
     raise XSMError(msg)
 
 def on():
-    return 1
+    return 0 #xsconstants.XS_POLICY_FLASK
 
 def ssidref2label(ssidref):
     try:
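Review bot: Flask's on() now returns `0`, the same value acm.py uses for "no policy active", and the intended constant is left in a trailing comment (`return 0 #xsconstants.XS_POLICY_FLASK`). Any caller outside this patch that still tests `security.on()` for truthiness would then treat a Flask build as having no security module, which may skip checks it used to run. If the constant cannot be returned yet, say why in a real comment, for example `# TODO: return xsconstants.XS_POLICY_FLASK once all callers compare against the module type`, rather than leaving commented-out code.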
diff -r ccbbe6fe5827 -r 94c6501c4ffe tools/python/xen/xend/XendConfig.py
--- a/tools/python/xen/xend/XendConfig.py       Mon May 05 10:16:58 2008 +0100
+++ b/tools/python/xen/xend/XendConfig.py       Tue May 06 10:05:52 2008 +0100
@@ -688,7 +688,7 @@ class XendConfig(dict):
             self.parse_cpuid(cfg, 'cpuid_check')
 
         import xen.util.xsm.xsm as security
-        if security.on():
+        if security.on() == xsconstants.XS_POLICY_ACM:
             from xen.util.acmpolicy import ACM_LABEL_UNLABELED
             if not 'security' in cfg and sxp.child_value(sxp_cfg, 'security'):
                 cfg['security'] = sxp.child_value(sxp_cfg, 'security')
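Review bot: The new comparison uses `xsconstants.XS_POLICY_ACM`, but this hunk adds no import, and the diffstat shows only one line changed in XendConfig.py. XendDomainInfo.py, blkif.py, netif.py and dry-run.py each gain `from xen.util import xsconstants` in this same patch. If XendConfig.py does not already import the module outside the hunk, this line raises NameError while the config is being parsed. Adding `from xen.util import xsconstants` next to the local `import xen.util.xsm.xsm as security` would make the block self-contained.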
diff -r ccbbe6fe5827 -r 94c6501c4ffe tools/python/xen/xend/XendDomainInfo.py
--- a/tools/python/xen/xend/XendDomainInfo.py   Mon May 05 10:16:58 2008 +0100
+++ b/tools/python/xen/xend/XendDomainInfo.py   Tue May 06 10:05:52 2008 +0100
@@ -37,6 +37,7 @@ from xen.util import asserts
 from xen.util import asserts
 from xen.util.blkif import blkdev_uname_to_file, blkdev_uname_to_taptype
 import xen.util.xsm.xsm as security
+from xen.util import xsconstants
 
 from xen.xend import balloon, sxp, uuid, image, arch, osdep
 from xen.xend import XendOptions, XendNode, XendConfig
@@ -1973,7 +1974,7 @@ class XendDomainInfo:
         balloon.free(2*1024) # 2MB should be plenty
 
         ssidref = 0
-        if security.on():
+        if security.on() == xsconstants.XS_POLICY_ACM:
             ssidref = security.calc_dom_ssidref_from_info(self.info)
             if security.has_authorization(ssidref) == False:
                 raise VmError("VM is not authorized to run.")
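Review bot: The `has_authorization` check now runs only when on() returns `XS_POLICY_ACM`, so under any other module type the domain is created with `ssidref = 0` and this code makes no authorization decision. The same narrowing applies to the `do_access_control` calls in server/blkif.py and server/netif.py. That looks intentional, since flask.py's on() returns 0 in this commit. Each site would still benefit from a short comment saying the check is ACM-specific and where, if anywhere, the non-ACM case is enforced. Separately, `== False` reads better as `if not security.has_authorization(ssidref):`. The enclosing method starts and ends outside the hunk.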
@@ -1987,7 +1988,7 @@ class XendDomainInfo:
                 target = self.info.target())
         except Exception, e:
             # may get here if due to ACM the operation is not permitted
-            if security.on():
+            if security.on() == xsconstants.XS_POLICY_ACM:
                 raise VmError('Domain in conflict set with running domain?')
 
         if self.domid < 0:
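Review bot: The `except Exception, e:` handler discards `e`. With the narrowed condition, any failure on a non-ACM system now falls through without being logged or re-raised here. The ACM branch also replaces the real cause with a guessed message. Carrying the cause along, for example `raise VmError('Domain in conflict set with running domain? (%s)' % str(e))`, would keep the diagnostic. The `self.domid < 0` check that follows presumably catches the failure, but the original error text is lost by then. The try block starts outside the hunk.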
@@ -2853,7 +2854,6 @@ class XendDomainInfo:
         is_policy_update = (xspol_old != None)
 
         from xen.xend.XendXSPolicyAdmin import XSPolicyAdminInstance
-        from xen.util import xsconstants
 
         state = self._stateGet()
         # Relabel only HALTED or RUNNING or PAUSED domains
diff -r ccbbe6fe5827 -r 94c6501c4ffe tools/python/xen/xend/XendXSPolicyAdmin.py
--- a/tools/python/xen/xend/XendXSPolicyAdmin.py        Mon May 05 10:16:58 2008 +0100
+++ b/tools/python/xen/xend/XendXSPolicyAdmin.py        Tue May 06 10:05:52 2008 +0100
@@ -48,6 +48,10 @@ class XSPolicyAdmin:
         self.xsobjs = {}
         bootloader.init()
 
+        if security.on() == xsconstants.XS_POLICY_ACM:
+            self.__acm_init()
+
+    def __acm_init(self):
         act_pol_name = self.get_hv_loaded_policy_name()
         initialize()
 
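Review bot: The new `__acm_init` method has no docstring, and everything that used to run unconditionally in `__init__` after `bootloader.init()` is now skipped when ACM is not the active module. If the rest of that body (outside the hunk) assigns instance attributes that other methods read, those attributes will not exist on a non-ACM system. Either give them defaults in `__init__` before the `security.on()` test, or confirm that every reader is guarded the way `__add_acmpolicy_to_system` is later in this patch. A one-line docstring such as `"""Load and activate ACM policy state; called only when ACM is the active security module."""` would document the precondition.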
@@ -74,7 +78,7 @@ class XSPolicyAdmin:
             This currently only checks for ACM-enablement.
         """
         rc = 0
-        if security.on():
+        if security.on() == xsconstants.XS_POLICY_ACM:
             rc |= xsconstants.XS_POLICY_ACM
         return rc
 
@@ -104,6 +108,8 @@ class XSPolicyAdmin:
 
     def __add_acmpolicy_to_system(self, xmltext, flags, overwrite):
         errors = ""
+        if security.on() != xsconstants.XS_POLICY_ACM:
+            raise SecurityError(-xsconstants.XSERR_POLICY_TYPE_UNSUPPORTED)
         loadedpol = self.get_loaded_policy()
         if loadedpol:
             # This is meant as an update to a currently loaded policy
diff -r ccbbe6fe5827 -r 94c6501c4ffe tools/python/xen/xend/server/blkif.py
--- a/tools/python/xen/xend/server/blkif.py     Mon May 05 10:16:58 2008 +0100
+++ b/tools/python/xen/xend/server/blkif.py     Tue May 06 10:05:52 2008 +0100
@@ -23,6 +23,7 @@ import xen.util.xsm.xsm as security
 import xen.util.xsm.xsm as security
 from xen.xend.XendError import VmError
 from xen.xend.server.DevController import DevController
+from xen.util import xsconstants
 
 class BlkifController(DevController):
     """Block device interface controller. Handles all block devices
@@ -72,7 +73,7 @@ class BlkifController(DevController):
         if uuid:
             back['uuid'] = uuid
 
-        if security.on():
+        if security.on() == xsconstants.XS_POLICY_ACM:
             self.do_access_control(config, uname)
 
         devid = blkif.blkdev_name_to_number(dev)
diff -r ccbbe6fe5827 -r 94c6501c4ffe tools/python/xen/xend/server/netif.py
--- a/tools/python/xen/xend/server/netif.py     Mon May 05 10:16:58 2008 +0100
+++ b/tools/python/xen/xend/server/netif.py     Tue May 06 10:05:52 2008 +0100
@@ -29,6 +29,7 @@ from xen.xend.XendError import VmError
 from xen.xend.XendError import VmError
 from xen.xend.XendXSPolicyAdmin import XSPolicyAdminInstance
 import xen.util.xsm.xsm as security
+from xen.util import xsconstants
 
 from xen.xend.XendLogging import log
 
@@ -155,7 +156,7 @@ class NetifController(DevController):
             front = { 'handle' : "%i" % devid,
                       'mac'    : mac }
 
-        if security.on():
+        if security.on() == xsconstants.XS_POLICY_ACM:
             self.do_access_control(config)
 
         return (devid, back, front)
diff -r ccbbe6fe5827 -r 94c6501c4ffe tools/python/xen/xm/addlabel.py
--- a/tools/python/xen/xm/addlabel.py   Mon May 05 10:16:58 2008 +0100
+++ b/tools/python/xen/xm/addlabel.py   Tue May 06 10:05:52 2008 +0100
@@ -205,17 +205,17 @@ def main(argv):
     policy_type = ""
     if len(argv) not in (4, 5):
         raise OptionError('Needs either 2 or 3 arguments')
-    
+
     label = argv[1]
-    
+
     if len(argv) == 5:
         policyref = argv[4]
-    elif security.on():
+    elif security.on() == xsconstants.XS_POLICY_ACM:
         policyref = security.active_policy
         policy_type = xsconstants.ACM_POLICY_ID
     else:
-        raise OptionError("No active policy. Must specify policy on the "
-                          "command line.")
+        raise OptionError("ACM security is not enabled. You must specify "\
+                          "the policy on the command line.")
 
     if argv[2].lower() == "dom":
         configfile = argv[3]
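Review bot: The backslash after the first string literal in the new `OptionError` call is redundant, because the two literals sit inside the call's parentheses and are concatenated implicitly. The removed lines did without it, so `raise OptionError("ACM security is not enabled. You must specify "` followed by the second literal on the next line is enough. The hunk also mixes whitespace-only cleanups of two blank lines into a behavioural change, which makes the security-relevant edit harder to spot in review.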
diff -r ccbbe6fe5827 -r 94c6501c4ffe tools/python/xen/xm/dry-run.py
--- a/tools/python/xen/xm/dry-run.py    Mon May 05 10:16:58 2008 +0100
+++ b/tools/python/xen/xm/dry-run.py    Tue May 06 10:05:52 2008 +0100
@@ -22,6 +22,7 @@ import xen.util.xsm.xsm as security
 import xen.util.xsm.xsm as security
 from xen.xm import create
 from xen.xend import sxp
+from xen.util import xsconstants
 from xen.xm.opts import OptionError
 
 def help():
@@ -40,7 +41,7 @@ def check_domain_label(config, verbose):
     answer = 0
     default_label = None
     secon = 0
-    if security.on():
+    if security.on() == xsconstants.XS_POLICY_ACM:
         default_label = security.ssidref2label(security.NULL_SSIDREF)
         secon = 1
 
@@ -90,7 +91,7 @@ def config_security_check(config, verbos
             domain_policy = sxp.child_value(sxp.name(sxp.child0(x)), 'policy')
 
     # if no domain label, use default
-    if not domain_label and security.on():
+    if not domain_label and security.on() == xsconstants.XS_POLICY_ACM:
         try:
             domain_label = security.ssidref2label(security.NULL_SSIDREF)
         except:
