ia64/xen-unstable

changeset 15592:23a171f65b15

[ACM-security] Some fixes to tools.

- Allow multiple ChineseWallTypes in a VM labels
- check for surfacing exceptions in the python code
- check for array sizes in the XML DOM in python
- properly display the labels when doing 'xm list --label' in xm's
non-Xen-API mode
- rely on the security checking hooks in xend to check access to the
block interface rather than doing this in xm.

Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
author kfraser@localhost.localdomain
date Thu Jul 12 16:07:28 2007 +0100 (2007-07-12)
parents 48c8244c47c7
children 049e4e61644d
files tools/python/xen/util/acmpolicy.py tools/python/xen/util/security.py tools/python/xen/xend/XendConfig.py tools/python/xen/xm/main.py tools/security/policies/security_policy.xsd
line diff
     1.1 --- a/tools/python/xen/util/acmpolicy.py	Thu Jul 12 16:03:41 2007 +0100
     1.2 +++ b/tools/python/xen/util/acmpolicy.py	Thu Jul 12 16:07:28 2007 +0100
     1.3 @@ -57,12 +57,20 @@ class ACMPolicy(XSPolicy):
     1.4      def __init__(self, name=None, dom=None, ref=None, xml=None):
     1.5          if name:
     1.6              self.name = name
     1.7 -            self.dom = minidom.parse(self.path_from_policy_name(name))
     1.8 +            try:
     1.9 +                self.dom = minidom.parse(self.path_from_policy_name(name))
    1.10 +            except Exception, e:
    1.11 +                raise SecurityError(-xsconstants.XSERR_XML_PROCESSING,
    1.12 +                                    str(e))
    1.13          elif dom:
    1.14              self.dom = dom
    1.15              self.name = self.get_name()
    1.16          elif xml:
    1.17 -            self.dom = minidom.parseString(xml)
    1.18 +            try:
    1.19 +                self.dom = minidom.parseString(xml)
    1.20 +            except Exception, e:
    1.21 +                raise SecurityError(-xsconstants.XSERR_XML_PROCESSING,
    1.22 +                                    str(e))
    1.23              self.name = self.get_name()
    1.24          rc = self.validate()
    1.25          if rc != xsconstants.XSERR_SUCCESS:
    1.26 @@ -481,7 +489,8 @@ class ACMPolicy(XSPolicy):
    1.27          strings = []
    1.28          i = 0
    1.29          while i < len(node.childNodes):
    1.30 -            if node.childNodes[i].nodeName == "Type":
    1.31 +            if node.childNodes[i].nodeName == "Type" and \
    1.32 +               len(node.childNodes[i].childNodes) > 0:
    1.33                  strings.append(node.childNodes[i].childNodes[0].nodeValue)
    1.34              i += 1
    1.35          return strings
    1.36 @@ -564,7 +573,8 @@ class ACMPolicy(XSPolicy):
    1.37              while i < len(node.childNodes):
    1.38                  if node.childNodes[i].nodeName == "VirtualMachineLabel":
    1.39                      name = self.policy_dom_get(node.childNodes[i], "Name")
    1.40 -                    strings.append(name.childNodes[0].nodeValue)
    1.41 +                    if len(name.childNodes) > 0:
    1.42 +                        strings.append(name.childNodes[0].nodeValue)
    1.43                  i += 1
    1.44          return strings
    1.45  
    1.46 @@ -592,23 +602,24 @@ class ACMPolicy(XSPolicy):
    1.47              i = 0
    1.48              while i < len(node.childNodes):
    1.49                  if node.childNodes[i].nodeName == "VirtualMachineLabel":
    1.50 -                    _res = {}
    1.51 -                    _res['type'] = xsconstants.ACM_LABEL_VM
    1.52                      name = self.policy_dom_get(node.childNodes[i], "Name")
    1.53 -                    _res['name'] = name.childNodes[0].nodeValue
    1.54 -                    stes = self.policy_dom_get(node.childNodes[i],
    1.55 -                                               "SimpleTypeEnforcementTypes")
    1.56 -                    if stes:
    1.57 -                        _res['stes'] = self.policy_get_types(stes)
    1.58 -                    else:
    1.59 -                        _res['stes'] = []
    1.60 -                    chws = self.policy_dom_get(node.childNodes[i],
    1.61 -                                               "ChineseWallTypes")
    1.62 -                    if chws:
    1.63 -                        _res['chws'] = self.policy_get_types(chws)
    1.64 -                    else:
    1.65 -                        _res['chws'] = []
    1.66 -                    res.append(_res)
    1.67 +                    if len(name.childNodes) > 0:
    1.68 +                        _res = {}
    1.69 +                        _res['type'] = xsconstants.ACM_LABEL_VM
    1.70 +                        _res['name'] = name.childNodes[0].nodeValue
    1.71 +                        stes = self.policy_dom_get(node.childNodes[i],
    1.72 +                                                 "SimpleTypeEnforcementTypes")
    1.73 +                        if stes:
    1.74 +                           _res['stes'] = self.policy_get_types(stes)
    1.75 +                        else:
    1.76 +                            _res['stes'] = []
    1.77 +                        chws = self.policy_dom_get(node.childNodes[i],
    1.78 +                                                   "ChineseWallTypes")
    1.79 +                        if chws:
    1.80 +                            _res['chws'] = self.policy_get_types(chws)
    1.81 +                        else:
    1.82 +                            _res['chws'] = []
    1.83 +                        res.append(_res)
    1.84                  i += 1
    1.85          return res
    1.86  
    1.87 @@ -628,7 +639,8 @@ class ACMPolicy(XSPolicy):
    1.88              while i < len(node.childNodes):
    1.89                  if node.childNodes[i].nodeName == labeltype:
    1.90                      name = self.policy_dom_get(node.childNodes[i], "Name")
    1.91 -                    if name.childNodes[0].nodeValue == label:
    1.92 +                    if len(name.childNodes) > 0 and \
    1.93 +                       name.childNodes[0].nodeValue == label:
    1.94                          stes = self.policy_dom_get(node.childNodes[i],
    1.95                                              "SimpleTypeEnforcementTypes")
    1.96                          if not stes:
    1.97 @@ -662,7 +674,7 @@ class ACMPolicy(XSPolicy):
    1.98                  if node.childNodes[i].nodeName == labeltype:
    1.99                      name = self.policy_dom_get(node.childNodes[i], "Name")
   1.100                      from_name = name.getAttribute("from")
   1.101 -                    if from_name:
   1.102 +                    if from_name and len(name.childNodes) > 0:
   1.103                          res.update({from_name : name.childNodes[0].nodeValue})
   1.104                  i += 1
   1.105          return res
   1.106 @@ -700,7 +712,7 @@ class ACMPolicy(XSPolicy):
   1.107                      name = self.policy_dom_get(node.childNodes[i], "Name")
   1.108                      stes = self.policy_dom_get(node.childNodes[i],
   1.109                                            "SimpleTypeEnforcementTypes")
   1.110 -                    if stes:
   1.111 +                    if stes and len(name.childNodes) > 0:
   1.112                          strings.append(name.childNodes[0].nodeValue)
   1.113                  i += 1
   1.114          return strings
   1.115 @@ -715,18 +727,19 @@ class ACMPolicy(XSPolicy):
   1.116              i = 0
   1.117              while i < len(node.childNodes):
   1.118                  if node.childNodes[i].nodeName == "ResourceLabel":
   1.119 -                    _res = {}
   1.120 -                    _res['type'] = xsconstants.ACM_LABEL_RES
   1.121                      name = self.policy_dom_get(node.childNodes[i], "Name")
   1.122 -                    _res['name'] = name.childNodes[0].nodeValue
   1.123 -                    stes = self.policy_dom_get(node.childNodes[i],
   1.124 -                                               "SimpleTypeEnforcementTypes")
   1.125 -                    if stes:
   1.126 -                        _res['stes'] = self.policy_get_types(stes)
   1.127 -                    else:
   1.128 -                        _res['stes'] = []
   1.129 -                    _res['chws'] = []
   1.130 -                    res.append(_res)
   1.131 +                    if len(name.childNodes) > 0:
   1.132 +                        _res = {}
   1.133 +                        _res['type'] = xsconstants.ACM_LABEL_RES
   1.134 +                        _res['name'] = name.childNodes[0].nodeValue
   1.135 +                        stes = self.policy_dom_get(node.childNodes[i],
   1.136 +                                                   "SimpleTypeEnforcementTypes")
   1.137 +                        if stes:
   1.138 +                            _res['stes'] = self.policy_get_types(stes)
   1.139 +                        else:
   1.140 +                            _res['stes'] = []
   1.141 +                        _res['chws'] = []
   1.142 +                        res.append(_res)
   1.143                  i += 1
   1.144          return res
   1.145  
     2.1 --- a/tools/python/xen/util/security.py	Thu Jul 12 16:03:41 2007 +0100
     2.2 +++ b/tools/python/xen/util/security.py	Thu Jul 12 16:07:28 2007 +0100
     2.3 @@ -155,75 +155,6 @@ def calc_dom_ssidref_from_info(info):
     2.4      raise VmError("security.calc_dom_ssidref_from_info: info of type '%s'"
     2.5                    "not supported." % type(info))
     2.6  
     2.7 -# Assumes a 'security' info  [security access_control ...] [ssidref ...]
     2.8 -def get_security_info(info, field):
     2.9 -    """retrieves security field from self.info['security'])
    2.10 -    allowed search fields: ssidref, label, policy
    2.11 -    """
    2.12 -    if isinstance(info, dict):
    2.13 -        security = info['security']
    2.14 -    elif isinstance(info, list):
    2.15 -        security = sxp.child_value(info, 'security')
    2.16 -    if not security:
    2.17 -        if field == 'ssidref':
    2.18 -            #return default ssid
    2.19 -            return 0
    2.20 -        else:
    2.21 -            err("Security information not found in info struct.")
    2.22 -
    2.23 -    if field == 'ssidref':
    2.24 -        search = 'ssidref'
    2.25 -    elif field in ['policy', 'label']:
    2.26 -            search = 'access_control'
    2.27 -    else:
    2.28 -        err("Illegal field in get_security_info.")
    2.29 -
    2.30 -    for idx in range(0, len(security)):
    2.31 -        if search != security[idx][0]:
    2.32 -            continue
    2.33 -        if search == 'ssidref':
    2.34 -            return int(security[idx][1])
    2.35 -        else:
    2.36 -            for aidx in range(0, len(security[idx])):
    2.37 -                if security[idx][aidx][0] == field:
    2.38 -                    return str(security[idx][aidx][1])
    2.39 -
    2.40 -    if search == 'ssidref':
    2.41 -        return 0
    2.42 -    else:
    2.43 -        return None
    2.44 -
    2.45 -
    2.46 -def get_security_printlabel(info):
    2.47 -    """retrieves printable security label from self.info['security']),
    2.48 -    preferably the label name and otherwise (if label is not specified
    2.49 -    in config and cannot be found in mapping file) a hex string of the
    2.50 -    ssidref or none if both not available
    2.51 -    """
    2.52 -    try:
    2.53 -        if not on():
    2.54 -            return "INACTIVE"
    2.55 -        if active_policy in ["DEFAULT"]:
    2.56 -            return "DEFAULT"
    2.57 -
    2.58 -        printlabel = get_security_info(info, 'label')
    2.59 -        if printlabel:
    2.60 -            return printlabel
    2.61 -        ssidref = get_security_info(info, 'ssidref')
    2.62 -        if not ssidref:
    2.63 -            return None
    2.64 -        #try to translate ssidref to a label
    2.65 -        result = ssidref2label(ssidref)
    2.66 -        if not result:
    2.67 -            printlabel = "0x%08x" % ssidref
    2.68 -        else:
    2.69 -            printlabel = result
    2.70 -        return printlabel
    2.71 -    except ACMError:
    2.72 -        #don't throw an exception in xm list
    2.73 -        return "ERROR"
    2.74 -
    2.75 -
    2.76  
    2.77  def getmapfile(policyname):
    2.78      """
     3.1 --- a/tools/python/xen/xend/XendConfig.py	Thu Jul 12 16:03:41 2007 +0100
     3.2 +++ b/tools/python/xen/xend/XendConfig.py	Thu Jul 12 16:07:28 2007 +0100
     3.3 @@ -636,6 +636,8 @@ class XendConfig(dict):
     3.4                  except ValueError, e:
     3.5                      raise XendConfigError('cpus = %s: %s' % (cfg['cpus'], e))
     3.6  
     3.7 +        if not 'security' in cfg and sxp.child_value(sxp_cfg, 'security'):
     3.8 +            cfg['security'] = sxp.child_value(sxp_cfg, 'security')
     3.9          if 'security' in cfg and not cfg.get('security_label'):
    3.10              secinfo = cfg['security']
    3.11              if isinstance(secinfo, list):
     4.1 --- a/tools/python/xen/xm/main.py	Thu Jul 12 16:03:41 2007 +0100
     4.2 +++ b/tools/python/xen/xm/main.py	Thu Jul 12 16:07:28 2007 +0100
     4.3 @@ -870,17 +870,13 @@ def parse_doms_info(info):
     4.4          'up_time'  : up_time
     4.5          }
     4.6  
     4.7 -    if serverType != SERVER_XEN_API:
     4.8 -        from xen.util import security
     4.9 -        parsed_info['seclabel'] = security.get_security_printlabel(info)
    4.10 +    security_label = get_info('security_label', str, '')
    4.11 +    tmp = security_label.split(":")
    4.12 +    if len(tmp) != 3:
    4.13 +        seclabel = ""
    4.14      else:
    4.15 -        label = get_info('security_label', unicode, '')
    4.16 -        tmp = label.split(":")
    4.17 -        if len(tmp) != 3:
    4.18 -            label = ""
    4.19 -        else:
    4.20 -            label = tmp[2]
    4.21 -        parsed_info['seclabel'] = label
    4.22 +        seclabel = tmp[2]
    4.23 +    parsed_info['seclabel'] = seclabel
    4.24  
    4.25      if serverType == SERVER_XEN_API:
    4.26          parsed_info['mem'] = get_info('memory_actual', int, 0) / 1024
    4.27 @@ -2048,18 +2044,6 @@ def parse_block_configuration(args):
    4.28      if len(args) == 5:
    4.29          vbd.append(['backend', args[4]])
    4.30  
    4.31 -    if serverType != SERVER_XEN_API:
    4.32 -        # verify that policy permits attaching this resource
    4.33 -        from xen.util import security
    4.34 -    
    4.35 -        if security.on():
    4.36 -            dominfo = server.xend.domain(dom)
    4.37 -            label = security.get_security_printlabel(dominfo)
    4.38 -        else:
    4.39 -            label = None
    4.40 -
    4.41 -        security.res_security_check(args[1], label)
    4.42 -
    4.43      return (dom, vbd)
    4.44  
    4.45  
     5.1 --- a/tools/security/policies/security_policy.xsd	Thu Jul 12 16:03:41 2007 +0100
     5.2 +++ b/tools/security/policies/security_policy.xsd	Thu Jul 12 16:07:28 2007 +0100
     5.3 @@ -99,7 +99,7 @@
     5.4  			<xsd:sequence>
     5.5  				<xsd:element name="Name" type="NameWithFrom"></xsd:element>
     5.6  				<xsd:element ref="SimpleTypeEnforcementTypes" minOccurs="0" maxOccurs="unbounded" />
     5.7 -				<xsd:element name="ChineseWallTypes" type="SingleChineseWallType" />
     5.8 +				<xsd:element ref="ChineseWallTypes" minOccurs="0" maxOccurs="unbounded" />
     5.9  			</xsd:sequence>
    5.10  		</xsd:complexType>
    5.11  	</xsd:element>
    5.12 @@ -143,9 +143,4 @@
    5.13  			<xsd:element maxOccurs="1" minOccurs="1" ref="Type" />
    5.14  		</xsd:sequence>
    5.15  	</xsd:complexType>
    5.16 -	<xsd:complexType name="SingleChineseWallType">
    5.17 -		<xsd:sequence>
    5.18 -			<xsd:element maxOccurs="1" minOccurs="1" ref="Type" />
    5.19 -		</xsd:sequence>
    5.20 -	</xsd:complexType>
    5.21  </xsd:schema>