ia64/xen-unstable

view tools/python/xen/xend/server/blkif.py @ 10720:8922c1fbe684

[XM][ACM] Add xm subcommands to work with security resource labels.

This patch adds new xm subcommands to support working with resource
labels. The new subcommands are 'xm resources', 'xm rmlabel', 'xm
getlabel' and 'xm dry-run'. In addition, the 'xm addlabel' subcommand
now uses an updated syntax to support labeling both domains and
resources. See the xm man page for details on each subcommand.

Beyond the new subcommands, this patch allows users to immediately see
when security checks will fail by pushing some basic security checking
into the beginning of 'xm create' and 'xm block-attach'. ACM security
attributes for block devices are added to XenStore in order to support
the final security enforcement, which will be performed in the kernel
and included in a separate patch.

Signed-off-by: Bryan D. Payne <bdpayne@us.ibm.com>
Signed-off-by: Reiner Sailer <sailer@us.ibm.com>
author kfraser@localhost.localdomain
date Mon Jul 10 17:18:07 2006 +0100 (2006-07-10)
parents 25c6ea6d4024
children 9dbcf482f600 4c2fab8f8c34
1 #============================================================================
2 # This library is free software; you can redistribute it and/or
3 # modify it under the terms of version 2.1 of the GNU Lesser General Public
4 # License as published by the Free Software Foundation.
5 #
6 # This library is distributed in the hope that it will be useful,
7 # but WITHOUT ANY WARRANTY; without even the implied warranty of
8 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
9 # Lesser General Public License for more details.
10 #
11 # You should have received a copy of the GNU Lesser General Public
12 # License along with this library; if not, write to the Free Software
13 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
14 #============================================================================
15 # Copyright (C) 2004, 2005 Mike Wray <mike.wray@hp.com>
16 # Copyright (C) 2005 XenSource Ltd
17 #============================================================================
20 import re
21 import string
23 from xen.util import blkif
24 from xen.util import security
25 from xen.xend import sxp
26 from xen.xend.XendError import VmError
28 from xen.xend.server.DevController import DevController
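class BlkifController(DevController):
    """Block device interface controller.  Handles all block devices
    for a domain.
    """

    def __init__(self, vm):
        """Create a block device controller.

        vm is handed unchanged to DevController.__init__.
        """
        DevController.__init__(self, vm)

    def getDeviceDetails(self, config):
        """Build the device ID and store entries for one block device.

        @see DevController.getDeviceDetails

        Reads 'uname' (expected form "<type>:<params>"), 'dev' and 'mode'
        from the sxp config.  Returns a tuple (devid, back, front) where
        back and front are dicts of backend and frontend entries.

        Raises VmError when 'uname' is missing or has no ':' separator, or
        when 'dev' is missing.  Without these checks the same inputs would
        surface as AttributeError / ValueError / TypeError from the string
        handling below instead of as a configuration error.
        """
        uname = sxp.child_value(config, 'uname')
        dev = sxp.child_value(config, 'dev')

        # Validate before any parsing or label lookup so that a malformed
        # config is rejected with the project's own error type.
        if uname is None or ':' not in uname:
            raise VmError("Block device uname %s is not of the form "
                          "<type>:<params>" % uname)
        if dev is None:
            raise VmError("Block device %s has no 'dev' entry" % uname)

        (typ, params) = uname.split(':', 1)
        back = {
            'dev': dev,
            'type': typ,
            'params': params,
            # 'r' is passed as the fallback, so a config with no explicit
            # mode is recorded as read-only rather than writable.
            'mode': sxp.child_value(config, 'mode', 'r'),
        }

        if security.on():
            # The ACM attributes are only recorded here.  The changeset
            # description states that final enforcement happens in the
            # kernel and arrives in a separate patch, so nothing in this
            # method grants or denies access by itself.
            # NOTE(review): the label is looked up by the uname string as
            # given; whether get_res_security_details treats two spellings
            # of the same backing resource alike is not visible here --
            # confirm before relying on these entries for enforcement.
            (label, ssidref, policy) = security.get_res_security_details(uname)
            back.update({
                'acm_label': label,
                'acm_ssidref': str(ssidref),
                'acm_policy': policy,
            })

        if 'ioemu:' in dev:
            # For an ioemu device the ID comes from the name after the
            # first ':', and no frontend entries are produced.
            (dummy, dev1) = dev.split(':', 1)
            devid = blkif.blkdev_name_to_number(dev1)
            front = {}
        else:
            devid = blkif.blkdev_name_to_number(dev)
            front = {'virtual-device': "%i" % devid}

        return (devid, back, front)

    def configuration(self, devid):
        """Return the configuration list for devid.

        @see DevController.configuration

        Starts from the superclass result and appends ['dev', ...],
        ['uname', "<type>:<params>"] and ['mode', ...] for each value that
        the backend read returns as non-empty.
        """
        result = DevController.configuration(self, devid)

        (dev, typ, params, mode) = self.readBackend(devid,
                                                    'dev', 'type', 'params',
                                                    'mode')

        if dev:
            result.append(['dev', dev])
        if typ and params:
            # Rebuild the uname in the form getDeviceDetails splits apart.
            result.append(['uname', typ + ":" + params])
        if mode:
            result.append(['mode', mode])

        return result

    def destroyDevice(self, devid):
        """Destroy the device named by devid.

        @see DevController.destroyDevice

        devid may be a device ID (anything int() accepts) or a device
        name.  A name is matched against each device's backend 'dev'
        entry, either in full or by its last '/'-separated component.

        Raises VmError when a name matches no connected device.
        """
        # Only the int() conversion is guarded.  Keeping the superclass
        # call outside the try means a ValueError raised while destroying
        # a numeric ID propagates, instead of being mistaken for "devid is
        # a name" and triggering a second, name-based lookup.
        try:
            numeric_id = int(devid)
        except ValueError:
            numeric_id = None

        if numeric_id is not None:
            DevController.destroyDevice(self, numeric_id)
            return

        # An empty last component (e.g. a trailing '/') is treated as
        # "no short name", so it can never match a backend entry.
        devid_end = None
        if isinstance(devid, str):
            devid_end = devid.split('/')[-1] or None

        for i in self.deviceIDs():
            d = self.readBackend(i, 'dev')
            if d == devid or (devid_end and d == devid_end):
                DevController.destroyDevice(self, i)
                return

        raise VmError("Device %s not connected" % devid)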