
diff tools/python/xen/xm/rmlabel.py @ 10720:8922c1fbe684

[XM][ACM] Add xm subcommands to work with security resource labels.

This patch adds new xm subcommands to support working with resource
labels. The new subcommands are 'xm resources', 'xm rmlabel', 'xm
getlabel' and 'xm dry-run'. In addition, the 'xm addlabel' subcommand
now uses an updated syntax to support labeling both domains and
resources. See the xm man page for details on each subcommand.

Beyond the new subcommands, this patch allows users to immediately see
when security checks will fail by pushing some basic security checking
into the beginning of 'xm create' and 'xm block-attach'. ACM security
attributes for block devices are added to XenStore in order to support
the final security enforcement, which will be performed in the kernel
and included in a separate patch.

Signed-off-by: Bryan D. Payne <bdpayne@us.ibm.com>
Signed-off-by: Reiner Sailer <sailer@us.ibm.com>
author kfraser@localhost.localdomain
date Mon Jul 10 17:18:07 2006 +0100 (2006-07-10)
parents
children 956e9aaf88c9
     1.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     1.2 +++ b/tools/python/xen/xm/rmlabel.py	Mon Jul 10 17:18:07 2006 +0100
     1.3 @@ -0,0 +1,118 @@
     1.4 +#============================================================================
     1.5 +# This library is free software; you can redistribute it and/or
     1.6 +# modify it under the terms of version 2.1 of the GNU Lesser General Public
     1.7 +# License as published by the Free Software Foundation.
     1.8 +#
     1.9 +# This library is distributed in the hope that it will be useful,
    1.10 +# but WITHOUT ANY WARRANTY; without even the implied warranty of
    1.11 +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
    1.12 +# Lesser General Public License for more details.
    1.13 +#
    1.14 +# You should have received a copy of the GNU Lesser General Public
    1.15 +# License along with this library; if not, write to the Free Software
    1.16 +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
    1.17 +#============================================================================
    1.18 +# Copyright (C) 2006 International Business Machines Corp.
    1.19 +# Author: Bryan D. Payne <bdpayne@us.ibm.com>
    1.20 +#============================================================================
    1.21 +
    1.22 +"""Remove a label from a domain configuration file or a resoruce.
    1.23 +"""
    1.24 +import sys, os, re
    1.25 +import string
    1.26 +import traceback
    1.27 +from xen.util import dictio
    1.28 +from xen.util import security
    1.29 +
    1.30 +def usage():
    1.31 +    print "\nUsage: xm rmlabel dom <configfile>"
    1.32 +    print "       xm rmlabel res <resource>\n"
    1.33 +    print "  This program removes an acm_label entry from the 'configfile'"
    1.34 +    print "  for a domain or from the global resource label file for a"
    1.35 +    print "  resource. If the label does not exist for the given domain or"
    1.36 +    print "  resource, then rmlabel fails.\n"
    1.37 +
    1.38 +
    1.39 +def rm_resource_label(resource):
    1.40 +    """Removes a resource label from the global resource label file.
    1.41 +    """
    1.42 +    # read in the resource file
    1.43 +    file = security.res_label_filename
    1.44 +    try:
    1.45 +        access_control = dictio.dict_read("resources", file)
    1.46 +    except:
    1.47 +        security.err("Resource file not found, cannot remove label!")
    1.48 +
    1.49 +    # remove the entry and update file
    1.50 +    if access_control.has_key(resource):
    1.51 +        del access_control[resource]
    1.52 +        dictio.dict_write(access_control, "resources", file)
    1.53 +    else:
    1.54 +        security.err("Label does not exist in resource label file.")
    1.55 +
    1.56 +
    1.57 +def rm_domain_label(configfile):
    1.58 +    # open the domain config file
    1.59 +    fd = None
    1.60 +    file = None
    1.61 +    if configfile[0] == '/':
    1.62 +        fd = open(configfile, "rb")
    1.63 +    else:
    1.64 +        for prefix in [".", "/etc/xen"]:
    1.65 +            file = prefix + "/" + configfile
    1.66 +            if os.path.isfile(file):
    1.67 +                fd = open(file, "rb")
    1.68 +                break
    1.69 +    if not fd:
    1.70 +        security.err("Configuration file '"+configfile+"' not found.")
    1.71 +
    1.72 +    # read in the domain config file, removing label
    1.73 +    ac_entry_re = re.compile("^access_control\s*=.*", re.IGNORECASE)
    1.74 +    ac_exit_re = re.compile(".*'\].*")
    1.75 +    file_contents = ""
    1.76 +    comment = 0
    1.77 +    removed = 0
    1.78 +    for line in fd.readlines():
    1.79 +        if ac_entry_re.match(line):
    1.80 +            comment = 1
    1.81 +        if comment:
    1.82 +            removed = 1
    1.83 +            line = "#"+line
    1.84 +        if comment and ac_exit_re.match(line):
    1.85 +            comment = 0
    1.86 +        file_contents = file_contents + line
    1.87 +    fd.close()
    1.88 +
    1.89 +    # send error message if we didn't find anything to remove
    1.90 +    if not removed:
    1.91 +        security.err("Label does not exist in domain configuration file.")
    1.92 +
    1.93 +    # write the data back out to the file
    1.94 +    fd = open(file, "wb")
    1.95 +    fd.writelines(file_contents)
    1.96 +    fd.close()
    1.97 +
    1.98 +
    1.99 +def main (argv):
   1.100 +    try:
   1.101 +        if len(argv) != 3:
   1.102 +            usage()
   1.103 +            return
   1.104 +
   1.105 +        if argv[1].lower() == "dom":
   1.106 +            configfile = argv[2]
   1.107 +            rm_domain_label(configfile)
   1.108 +        elif argv[1].lower() == "res":
   1.109 +            resource = argv[2]
   1.110 +            rm_resource_label(resource)
   1.111 +        else:
   1.112 +            usage()
   1.113 +
   1.114 +    except security.ACMError:
   1.115 +        traceback.print_exc(limit=1)
   1.116 +
   1.117 +
   1.118 +if __name__ == '__main__':
   1.119 +    main(sys.argv)
   1.120 +
   1.121 +
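Review bot: In rm_domain_label the absolute-path branch (`if configfile[0] == '/':`) assigns `fd` but leaves `file` as None, so after the config has been read the write-back `fd = open(file, "wb")` raises TypeError and the label is never removed for any `/...` path; add `file = configfile` in that branch. The write-back also truncates the domain config in place, so an interruption between `open(file, "wb")` and `writelines` leaves an empty config — writing to a sibling temporary file and `os.rename` onto `file` would make the update atomic, and the same read-modify-write of `security.res_label_filename` in rm_resource_label has no locking, so a concurrent addlabel/rmlabel can silently lose the other's update. Separately, `ac_exit_re = re.compile(".*'\].*")` only recognises a single-quote-terminated list, so if a config closes the access_control entry with `"]` every following line is commented out and written back; the exit pattern should presumably accept both quote styles, e.g. `ac_exit_re = re.compile(r".*['\"]\].*")`. The bare `except:` around `dictio.dict_read` also reports every failure (permissions, parse error, KeyboardInterrupt) as "Resource file not found"; catching `IOError`/`OSError` would keep the message honest.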