
annotate tools/python/xen/xm/rmlabel.py @ 10720:8922c1fbe684

[XM][ACM] Add xm subcommands to work with security resource labels.

This patch adds new xm subcommands to support working with resource
labels. The new subcommands are 'xm resources', 'xm rmlabel', 'xm
getlabel' and 'xm dry-run'. In addition, the 'xm addlabel' subcommand
now uses an updated syntax to support labeling both domains and
resources. See the xm man page for details on each subcommand.

Beyond the new subcommands, this patch allows users to immediately see
when security checks will fail by pushing some basic security checking
into the beginning of 'xm create' and 'xm block-attach'. ACM security
attributes for block devices are added to XenStore in order to support
the final security enforcement, which will be performed in the kernel
and included in a separate patch.

Signed-off-by: Bryan D. Payne <bdpayne@us.ibm.com>
Signed-off-by: Reiner Sailer <sailer@us.ibm.com>
author kfraser@localhost.localdomain
date Mon Jul 10 17:18:07 2006 +0100 (2006-07-10)
parents
children 956e9aaf88c9
kfraser@10720 1 #============================================================================
kfraser@10720 2 # This library is free software; you can redistribute it and/or
kfraser@10720 3 # modify it under the terms of version 2.1 of the GNU Lesser General Public
kfraser@10720 4 # License as published by the Free Software Foundation.
kfraser@10720 5 #
kfraser@10720 6 # This library is distributed in the hope that it will be useful,
kfraser@10720 7 # but WITHOUT ANY WARRANTY; without even the implied warranty of
kfraser@10720 8 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
kfraser@10720 9 # Lesser General Public License for more details.
kfraser@10720 10 #
kfraser@10720 11 # You should have received a copy of the GNU Lesser General Public
kfraser@10720 12 # License along with this library; if not, write to the Free Software
kfraser@10720 13 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
kfraser@10720 14 #============================================================================
kfraser@10720 15 # Copyright (C) 2006 International Business Machines Corp.
kfraser@10720 16 # Author: Bryan D. Payne <bdpayne@us.ibm.com>
kfraser@10720 17 #============================================================================
kfraser@10720 18
"""Remove a label from a domain configuration file or a resource.
"""
kfraser@10720 21 import sys, os, re
kfraser@10720 22 import string
kfraser@10720 23 import traceback
kfraser@10720 24 from xen.util import dictio
kfraser@10720 25 from xen.util import security
kfraser@10720 26
def usage():
    """Write the rmlabel synopsis and a short description to stdout.

    Output is byte-for-byte what the original print statements produced;
    the leading spacing of the continuation lines is reproduced as it
    appears in this listing.
    """
    synopsis = (
        "\nUsage: xm rmlabel dom <configfile>\n"
        " xm rmlabel res <resource>\n\n"
    )
    description = (
        " This program removes an acm_label entry from the 'configfile'\n"
        " for a domain or from the global resource label file for a\n"
        " resource. If the label does not exist for the given domain or\n"
        " resource, then rmlabel fails.\n\n"
    )
    sys.stdout.write(synopsis + description)
kfraser@10720 34
kfraser@10720 35
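def rm_resource_label(resource):
    """Remove *resource*'s entry from the global resource label file.

    The file named by security.res_label_filename is read with
    dictio.dict_read as the "resources" dictionary, the entry keyed by
    *resource* is deleted, and the dictionary is written back with
    dictio.dict_write.  Both failure paths are reported through
    security.err: the label file cannot be read, or *resource* has no
    entry in it.

    Args:
        resource: key of the resource whose label is to be removed; it
            must match the key used when the label was added.
    """
    label_file = security.res_label_filename
    try:
        access_control = dictio.dict_read("resources", label_file)
    except Exception:
        # Narrowed from a bare "except:" so KeyboardInterrupt/SystemExit
        # are no longer swallowed.  Any read or parse failure keeps the
        # original message.  security.err is expected to raise (main()
        # catches security.ACMError) -- the return guards against a
        # NameError on access_control if it ever does not.
        security.err("Resource file not found, cannot remove label!")
        return

    # Remove the entry and rewrite the file; a missing key is reported as
    # an error rather than treated as a no-op.
    if resource in access_control:
        del access_control[resource]
        dictio.dict_write(access_control, "resources", label_file)
    else:
        security.err("Label does not exist in resource label file.")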
kfraser@10720 52
kfraser@10720 53
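def rm_domain_label(configfile):
    """Comment out the access_control entry of a domain configuration file.

    The label text is not deleted: every line from the one beginning with
    ``access_control`` (case-insensitive) up to and including the first
    line containing ``']`` is prefixed with ``#``, and the file is written
    back in place.  Problems are reported through security.err.

    Args:
        configfile: an absolute path, or a file name that is looked up
            first in the current directory and then in /etc/xen.

    Fixes: an absolute *configfile* used to leave the write-back path
    unset, so the rewrite failed with a TypeError after the read had
    succeeded; an empty string no longer raises IndexError on
    ``configfile[0]``; and a missing absolute path is now reported the
    same way as a missing relative one instead of as a raw IOError.
    """
    # Locate the file: an absolute path is used as given, anything else is
    # searched for in "." and then "/etc/xen".
    path = None
    if configfile.startswith("/"):
        if os.path.isfile(configfile):
            path = configfile
    else:
        for prefix in [".", "/etc/xen"]:
            candidate = prefix + "/" + configfile
            if os.path.isfile(candidate):
                path = candidate
                break
    if path is None:
        security.err("Configuration file '" + configfile + "' not found.")
        return  # security.err is expected to raise; guard against fall-through

    # Raw strings so "\s" and "\]" are regex escapes rather than
    # (deprecated) string escapes; the patterns are unchanged.
    ac_entry_re = re.compile(r"^access_control\s*=.*", re.IGNORECASE)
    ac_exit_re = re.compile(r".*'\].*")
    # NOTE(review): the exit pattern only recognises a single-quoted list
    # terminator; an entry written with double quotes would leave every
    # following line commented out.  Kept as-is -- confirm against the
    # config syntax accepted by 'xm create'.
    lines = []
    commenting = 0
    removed = 0
    # Text mode reads the same bytes as the former "rb" on POSIX and keeps
    # the "#" prefix a plain str.
    fd = open(path, "r")
    try:
        for line in fd:
            if ac_entry_re.match(line):
                commenting = 1
            if commenting:
                removed = 1
                line = "#" + line
                # The terminator test runs on the already-prefixed line,
                # exactly as before.
                if ac_exit_re.match(line):
                    commenting = 0
            lines.append(line)
    finally:
        fd.close()

    # Nothing was commented out: the file carries no label.
    if not removed:
        security.err("Label does not exist in domain configuration file.")
        return

    # Write back in place.  open(..., "w") truncates first, so a failure
    # mid-write leaves a partial file; a temp-file + rename would be
    # atomic but would replace a symlinked config instead of writing
    # through it, so the in-place behaviour is kept.
    fd = open(path, "w")
    try:
        fd.write("".join(lines))
    finally:
        fd.close()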
kfraser@10720 94
kfraser@10720 95
def main(argv):
    """Dispatch ``xm rmlabel dom|res <target>``.

    argv is the full argument vector (argv[0] being the program name);
    exactly two further arguments are required and the first is matched
    case-insensitively, otherwise the usage text is printed.  A
    security.ACMError raised by either worker is reported as a one-frame
    traceback.
    """
    handlers = {
        "dom": rm_domain_label,
        "res": rm_resource_label,
    }
    try:
        if len(argv) != 3:
            usage()
            return
        handler = handlers.get(argv[1].lower())
        if handler is None:
            usage()
        else:
            handler(argv[2])
    except security.ACMError:
        traceback.print_exc(limit=1)
kfraser@10720 113
kfraser@10720 114
if __name__ == "__main__":
    # Script entry point: main() receives the complete argument vector.
    main(sys.argv)