[Xen-changelog] [xen-unstable] xend: Refactor security.on() call
# HG changeset patch # User Keir Fraser <keir.fraser@xxxxxxxxxx> # Date 1210064752 -3600 # Node ID 94c6501c4ffef716c4445ee2dd8074a497a9a3ce # Parent ccbbe6fe5827b3a262b24f6dd7140de8ae3ec456 xend: Refactor security.on() call I am refactoring the security.on() call to return the actual type of the security module that is found to be enabled rather than just returning True or False. Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxx> --- tools/python/xen/util/xsm/acm/acm.py | 4 +++- tools/python/xen/util/xsm/flask/flask.py | 2 +- tools/python/xen/xend/XendConfig.py | 2 +- tools/python/xen/xend/XendDomainInfo.py | 6 +++--- tools/python/xen/xend/XendXSPolicyAdmin.py | 8 +++++++- tools/python/xen/xend/server/blkif.py | 3 ++- tools/python/xen/xend/server/netif.py | 3 ++- tools/python/xen/xm/addlabel.py | 10 +++++----- tools/python/xen/xm/dry-run.py | 5 +++-- 9 files changed, 27 insertions(+), 16 deletions(-) diff -r ccbbe6fe5827 -r 94c6501c4ffe tools/python/xen/util/xsm/acm/acm.py --- a/tools/python/xen/util/xsm/acm/acm.py Mon May 05 10:16:58 2008 +0100 +++ b/tools/python/xen/util/xsm/acm/acm.py Tue May 06 10:05:52 2008 +0100 @@ -156,7 +156,9 @@ def on(): returns none if security policy is off (not compiled), any string otherwise, use it: if not security.on() ... """ - return (get_active_policy_name() not in ['INACTIVE', 'NULL']) + if get_active_policy_name() not in ['INACTIVE', 'NULL', '']: + return xsconstants.XS_POLICY_ACM + return 0 def calc_dom_ssidref_from_info(info): diff -r ccbbe6fe5827 -r 94c6501c4ffe tools/python/xen/util/xsm/flask/flask.py --- a/tools/python/xen/util/xsm/flask/flask.py Mon May 05 10:16:58 2008 +0100 +++ b/tools/python/xen/util/xsm/flask/flask.py Tue May 06 10:05:52 2008 +0100 @@ -12,7 +12,7 @@ def err(msg): raise XSMError(msg) def on(): - return 1 + return 0 #xsconstants.XS_POLICY_FLASK def ssidref2label(ssidref): try: diff -r ccbbe6fe5827 -r 94c6501c4ffe tools/python/xen/xend/XendConfig.py 
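Review bot: The docstring kept as context above the new body of `on()` in acm.py still says it returns none or "any string", while the new code returns `xsconstants.XS_POLICY_ACM` or `0`; it should be updated, for example to `Return xsconstants.XS_POLICY_ACM when an ACM policy is active, 0 otherwise.` The hunk also uses `xsconstants` without adding an import, and acm.py's import block is outside the hunk, so confirm the name is already in scope there; otherwise the first call raises NameError. The start of the docstring lies outside the hunk.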
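Review bot: `on()` in flask.py now returns `0` with the intended value left in a trailing comment, so a host running the Flask module reports security as off to any caller that still tests `security.on()` for truth. The callers changed in this commit compare against `xsconstants.XS_POLICY_ACM` (the `has_authorization` check in XendDomainInfo.py, the `do_access_control` calls in blkif.py and netif.py), so those checks are now skipped under any non-ACM module. That may be intended for ACM-specific code, but it is a behaviour change that the description presents as a refactor, and it should be stated there. Replace the commented-out code with an explanation, e.g. `return 0  # TODO: return xsconstants.XS_POLICY_FLASK once callers handle Flask`.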
--- a/tools/python/xen/xend/XendConfig.py Mon May 05 10:16:58 2008 +0100 +++ b/tools/python/xen/xend/XendConfig.py Tue May 06 10:05:52 2008 +0100 @@ -688,7 +688,7 @@ class XendConfig(dict): self.parse_cpuid(cfg, 'cpuid_check') import xen.util.xsm.xsm as security - if security.on(): + if security.on() == xsconstants.XS_POLICY_ACM: from xen.util.acmpolicy import ACM_LABEL_UNLABELED if not 'security' in cfg and sxp.child_value(sxp_cfg, 'security'): cfg['security'] = sxp.child_value(sxp_cfg, 'security') diff -r ccbbe6fe5827 -r 94c6501c4ffe tools/python/xen/xend/XendDomainInfo.py --- a/tools/python/xen/xend/XendDomainInfo.py Mon May 05 10:16:58 2008 +0100 +++ b/tools/python/xen/xend/XendDomainInfo.py Tue May 06 10:05:52 2008 +0100 @@ -37,6 +37,7 @@ from xen.util import asserts from xen.util import asserts from xen.util.blkif import blkdev_uname_to_file, blkdev_uname_to_taptype import xen.util.xsm.xsm as security +from xen.util import xsconstants from xen.xend import balloon, sxp, uuid, image, arch, osdep from xen.xend import XendOptions, XendNode, XendConfig @@ -1973,7 +1974,7 @@ class XendDomainInfo: balloon.free(2*1024) # 2MB should be plenty ssidref = 0 - if security.on(): + if security.on() == xsconstants.XS_POLICY_ACM: ssidref = security.calc_dom_ssidref_from_info(self.info) if security.has_authorization(ssidref) == False: raise VmError("VM is not authorized to run.") @@ -1987,7 +1988,7 @@ class XendDomainInfo: target = self.info.target()) except Exception, e: # may get here if due to ACM the operation is not permitted - if security.on(): + if security.on() == xsconstants.XS_POLICY_ACM: raise VmError('Domain in conflict set with running domain?') if self.domid < 0: 
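Review bot: The new condition `security.on() == xsconstants.XS_POLICY_ACM` in XendConfig.py references `xsconstants`, but this file's section adds no import for it (the diffstat shows a single changed line), unlike XendDomainInfo.py, blkif.py, netif.py and dry-run.py, which each gain `from xen.util import xsconstants`. Unless XendConfig.py already imports the name outside the hunk, this raises NameError while the configuration is parsed. Adding `from xen.util import xsconstants` next to the local `import xen.util.xsm.xsm as security` would make the hunk self-contained.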
@@ -2853,7 +2854,6 @@ class XendDomainInfo: is_policy_update = (xspol_old != None) from xen.xend.XendXSPolicyAdmin import XSPolicyAdminInstance - from xen.util import xsconstants state = self._stateGet() # Relabel only HALTED or RUNNING or PAUSED domains diff -r ccbbe6fe5827 -r 94c6501c4ffe tools/python/xen/xend/XendXSPolicyAdmin.py --- a/tools/python/xen/xend/XendXSPolicyAdmin.py Mon May 05 10:16:58 2008 +0100 +++ b/tools/python/xen/xend/XendXSPolicyAdmin.py Tue May 06 10:05:52 2008 +0100 @@ -48,6 +48,10 @@ class XSPolicyAdmin: self.xsobjs = {} bootloader.init() + if security.on() == xsconstants.XS_POLICY_ACM: + self.__acm_init() + + def __acm_init(self): act_pol_name = self.get_hv_loaded_policy_name() initialize() @@ -74,7 +78,7 @@ class XSPolicyAdmin: This currently only checks for ACM-enablement. """ rc = 0 - if security.on(): + if security.on() == xsconstants.XS_POLICY_ACM: rc |= xsconstants.XS_POLICY_ACM return rc @@ -104,6 +108,8 @@ class XSPolicyAdmin: def __add_acmpolicy_to_system(self, xmltext, flags, overwrite): errors = "" + if security.on() != xsconstants.XS_POLICY_ACM: + raise SecurityError(-xsconstants.XSERR_POLICY_TYPE_UNSUPPORTED) loadedpol = self.get_loaded_policy() if loadedpol: # This is meant as an update to a currently loaded policy diff -r ccbbe6fe5827 -r 94c6501c4ffe tools/python/xen/xend/server/blkif.py --- a/tools/python/xen/xend/server/blkif.py Mon May 05 10:16:58 2008 +0100 +++ b/tools/python/xen/xend/server/blkif.py Tue May 06 10:05:52 2008 +0100 @@ -23,6 +23,7 @@ import xen.util.xsm.xsm as security import xen.util.xsm.xsm as security from xen.xend.XendError import VmError from xen.xend.server.DevController import DevController +from xen.util import xsconstants class BlkifController(DevController): """Block device interface controller. Handles all block devices 
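Review bot: In XendXSPolicyAdmin.py the constructor now calls the new `__acm_init()` only when `security.on() == xsconstants.XS_POLICY_ACM`, so any instance state that method sets up is absent when ACM is off. `__add_acmpolicy_to_system` gains a guard in this commit, but other methods that may read that state are outside the hunks and should be checked for the same condition. `__acm_init` also has no docstring; something like `"""Initialise ACM-specific state; called from __init__ only when ACM is the active module."""` would record the precondition. The body of `__acm_init` continues outside the hunk.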
@@ -72,7 +73,7 @@ class BlkifController(DevController): if uuid: back['uuid'] = uuid - if security.on(): + if security.on() == xsconstants.XS_POLICY_ACM: self.do_access_control(config, uname) devid = blkif.blkdev_name_to_number(dev) diff -r ccbbe6fe5827 -r 94c6501c4ffe tools/python/xen/xend/server/netif.py --- a/tools/python/xen/xend/server/netif.py Mon May 05 10:16:58 2008 +0100 +++ b/tools/python/xen/xend/server/netif.py Tue May 06 10:05:52 2008 +0100 @@ -29,6 +29,7 @@ from xen.xend.XendError import VmError from xen.xend.XendError import VmError from xen.xend.XendXSPolicyAdmin import XSPolicyAdminInstance import xen.util.xsm.xsm as security +from xen.util import xsconstants from xen.xend.XendLogging import log @@ -155,7 +156,7 @@ class NetifController(DevController): front = { 'handle' : "%i" % devid, 'mac' : mac } - if security.on(): + if security.on() == xsconstants.XS_POLICY_ACM: self.do_access_control(config) return (devid, back, front) diff -r ccbbe6fe5827 -r 94c6501c4ffe tools/python/xen/xm/addlabel.py --- a/tools/python/xen/xm/addlabel.py Mon May 05 10:16:58 2008 +0100 +++ b/tools/python/xen/xm/addlabel.py Tue May 06 10:05:52 2008 +0100 @@ -205,17 +205,17 @@ def main(argv): policy_type = "" if len(argv) not in (4, 5): raise OptionError('Needs either 2 or 3 arguments') - + label = argv[1] - + if len(argv) == 5: policyref = argv[4] - elif security.on(): + elif security.on() == xsconstants.XS_POLICY_ACM: policyref = security.active_policy policy_type = xsconstants.ACM_POLICY_ID else: - raise OptionError("No active policy. Must specify policy on the " - "command line.") + raise OptionError("ACM security is not enabled. You must specify "\ + "the policy on the command line.") if argv[2].lower() == "dom": configfile = argv[3] diff -r ccbbe6fe5827 -r 94c6501c4ffe tools/python/xen/xm/dry-run.py --- a/tools/python/xen/xm/dry-run.py Mon May 05 10:16:58 2008 +0100 +++ b/tools/python/xen/xm/dry-run.py Tue May 06 10:05:52 2008 +0100 
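Review bot: The rewritten `OptionError` message in addlabel.py ends its first string literal with a trailing backslash (`"ACM security is not enabled. You must specify "\`), which is redundant because the call's open parenthesis already continues the line; drop the backslash and keep the two adjacent literals. The same hunk also rewrites two whitespace-only lines, which adds noise to a functional change. `main`'s body starts and ends outside the hunk.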
@@ -22,6 +22,7 @@ import xen.util.xsm.xsm as security import xen.util.xsm.xsm as security from xen.xm import create from xen.xend import sxp +from xen.util import xsconstants from xen.xm.opts import OptionError def help(): @@ -40,7 +41,7 @@ def check_domain_label(config, verbose): answer = 0 default_label = None secon = 0 - if security.on(): + if security.on() == xsconstants.XS_POLICY_ACM: default_label = security.ssidref2label(security.NULL_SSIDREF) secon = 1 @@ -90,7 +91,7 @@ def config_security_check(config, verbos domain_policy = sxp.child_value(sxp.name(sxp.child0(x)), 'policy') # if no domain label, use default - if not domain_label and security.on(): + if not domain_label and security.on() == xsconstants.XS_POLICY_ACM: try: domain_label = security.ssidref2label(security.NULL_SSIDREF) except: _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-changelog