ia64/xen-unstable

view tools/python/xen/xm/getlabel.py @ 10720:8922c1fbe684

[XM][ACM] Add xm subcommands to work with security resource labels.

This patch adds new xm subcommands to support working with resource
labels. The new subcommands are 'xm resources', 'xm rmlabel', 'xm
getlabel' and 'xm dry-run'. In addition, the 'xm addlabel' subcommand
now uses an updated syntax to support labeling both domains and
resources. See the xm man page for details on each subcommand.

Beyond the new subcommands, this patch allows users to immediately see
when security checks will fail by pushing some basic security checking
into the beginning of 'xm create' and 'xm block-attach'. ACM security
attributes for block devices are added to XenStore in order to support
the final security enforcement, which will be performed in the kernel
and included in a separate patch.

Signed-off-by: Bryan D. Payne <bdpayne@us.ibm.com>
Signed-off-by: Reiner Sailer <sailer@us.ibm.com>
author kfraser@localhost.localdomain
date Mon Jul 10 17:18:07 2006 +0100 (2006-07-10)
parents
children 956e9aaf88c9
1 #============================================================================
2 # This library is free software; you can redistribute it and/or
3 # modify it under the terms of version 2.1 of the GNU Lesser General Public
4 # License as published by the Free Software Foundation.
5 #
6 # This library is distributed in the hope that it will be useful,
7 # but WITHOUT ANY WARRANTY; without even the implied warranty of
8 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
9 # Lesser General Public License for more details.
10 #
11 # You should have received a copy of the GNU Lesser General Public
12 # License along with this library; if not, write to the Free Software
13 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
14 #============================================================================
15 # Copyright (C) 2006 International Business Machines Corp.
16 # Author: Bryan D. Payne <bdpayne@us.ibm.com>
17 #============================================================================
19 """Show the label for a domain or resource.
20 """
21 import sys, os, re
22 import string
23 import traceback
24 from xen.util import dictio
25 from xen.util import security
def usage():
    """Print the 'xm getlabel' synopsis and a one-line description to stdout."""
    help_lines = (
        "\nUsage: xm getlabel dom <configfile>",
        " xm getlabel res <resource>\n",
        " This program shows the label for a domain or resource.\n",
    )
    # Each entry is printed on its own, so print adds one newline after it.
    for text in help_lines:
        print(text)
def get_resource_label(resource):
    """Print the policy and label recorded for *resource*.

    The entries are loaded with dictio.dict_read("resources", ...) from the
    file named by security.res_label_filename.  For a known resource the
    first two elements of its entry are printed as "policy=...,label=...";
    otherwise "Resource not labeled" is printed.  Nothing is returned.
    """
    label_file = security.res_label_filename
    try:
        labels = dictio.dict_read("resources", label_file)
    except:
        # NOTE(review): the bare except reports every failure of dict_read
        # with this one message, so an unreadable or malformed label file
        # looks the same to the operator as an absent one.
        print("Resource label file not found")
        return

    # Guard clause: unlabeled resources are reported and nothing else is read.
    if not labels.has_key(resource):
        print("Resource not labeled")
        return

    entry = labels[resource]
    policy_name = entry[0]
    label_name = entry[1]
    print("policy=" + policy_name + ",label=" + label_name)
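def get_domain_label(configfile):
    """Print the access_control label text found in a domain config file.

    A name starting with "/" is used as given; any other name is looked up
    under "." and then "/etc/xen", and the first regular file found is read.
    Prints a "not found" message when no regular file is located (including
    for an empty name or a missing absolute path), a "does not exist" message
    when no access_control line is matched, and otherwise the text after the
    first "=" with leading "[" / "'" and trailing "'" / "]" characters
    stripped.  Nothing is returned.
    """
    # NOTE(review): a relative name resolves against the current directory
    # before /etc/xen, so the label shown is that of whichever file is found
    # first -- confirm it is the file the domain is actually created from.
    # configfile[:1] (not [0]) keeps an empty name from raising IndexError.
    if configfile[:1] == '/':
        candidates = [configfile]
    else:
        candidates = [prefix + "/" + configfile for prefix in [".", "/etc/xen"]]

    # Absolute and relative names share the same isfile() check, so a missing
    # absolute path yields the "not found" message instead of a traceback.
    fd = None
    for path in candidates:
        if os.path.isfile(path):
            fd = open(path, "rb")
            break
    if not fd:
        print("Configuration file '"+configfile+"' not found.")
        return

    # The label is located by text matching only; the config file is not
    # evaluated.  Recording starts at a line beginning with "access_control ="
    # and stops at the first recorded line containing "']".
    ac_entry_re = re.compile(r"^access_control\s*=.*", re.IGNORECASE)
    ac_exit_re = re.compile(r".*'\].*")
    acline = ""
    record = 0
    try:
        for line in fd.readlines():
            if ac_entry_re.match(line):
                record = 1
            if record:
                acline = acline + line
            if record and ac_exit_re.match(line):
                record = 0
    finally:
        # Close the descriptor even if reading or matching raises.
        fd.close()

    # send error message if we didn't find anything
    if acline == "":
        print("Label does not exist in domain configuration file.")
        return

    # Keep only the right-hand side of the assignment and trim the list and
    # quote characters from both ends before printing it.
    data = acline.split("=", 1)[1]
    data = data.strip()
    data = data.lstrip("[\'")
    data = data.rstrip("\']")
    print(data)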
def main(argv):
    """Dispatch 'xm getlabel' to the domain or resource handler.

    argv must hold exactly three items.  argv[1] selects the mode, compared
    case-insensitively: "dom" passes argv[2] to get_domain_label and "res"
    passes it to get_resource_label.  Any other argument count or mode
    prints the usage text instead.
    """
    if len(argv) == 3:
        handlers = {"dom": get_domain_label, "res": get_resource_label}
        handler = handlers.get(argv[1].lower())
        if handler is not None:
            handler(argv[2])
            return
    # Wrong argument count or unknown mode: fall back to the synopsis.
    usage()
# Script entry point: hand the process argument list to main() when this
# file is executed directly rather than imported.
if __name__ == "__main__":
    main(sys.argv)