ia64/xen-unstable

changeset 17862:49c5d6723e35

[ACM] Enable labeling of resources as inaccessible

Enable the labeling of (disk-type) resources with the special label
__INACCESSIBLE__ to prevent unlabeled domains from accessing them.

Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
author Keir Fraser <keir.fraser@citrix.com>
date Fri Jun 13 13:55:19 2008 +0100 (2008-06-13)
parents 2363cf4ab4cb
children a41d14c3bf19
files tools/python/xen/util/xsconstants.py tools/python/xen/util/xsm/acm/acm.py
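--- a/tools/python/xen/util/xsconstants.py	Fri Jun 13 13:50:23 2008 +0100
+++ b/tools/python/xen/util/xsconstants.py	Fri Jun 13 13:55:19 2008 +0100
@@ -103,8 +103,10 @@ def xserr2string(err):
     return "Unknown XSERR code '%s'." % (hex(err))
 
 # Policy identifiers used in labels
-ACM_POLICY_ID = "ACM"
+ACM_POLICY_ID = 'ACM'
 
-INVALID_POLICY_PREFIX = "INV_"
+INVALID_POLICY_PREFIX = 'INV_'
 
 INVALID_SSIDREF = 0xFFFFFFFF
+
+XS_INACCESSIBLE_LABEL = '__INACCESSIBLE__'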
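--- a/tools/python/xen/util/xsm/acm/acm.py	Fri Jun 13 13:50:23 2008 +0100
+++ b/tools/python/xen/util/xsm/acm/acm.py	Fri Jun 13 13:55:19 2008 +0100
@@ -720,19 +720,24 @@ def list_labels(policy_name, ltype):
     else:
         err("Unknown label type \'" + ltype + "\'")
 
-    (primary, secondary, f, pol_exists) = getmapfile(policy_name)
-    if not f:
-        if pol_exists:
-            err("Cannot find mapfile for policy \'" + policy_name + "\'.\n")
-        else:
-            err("Unknown policy \'" + policy_name + "\'")
+    try:
+        mapfile_lock()
 
-    labels = []
-    for line in f:
-        if condition.match(line):
-            label = line.split()[3]
-            if label not in labels:
-                labels.append(label)
+        (primary, secondary, f, pol_exists) = getmapfile(policy_name)
+        if not f:
+            if pol_exists:
+                err("Cannot find mapfile for policy \'" + policy_name + "\'.\n")
+            else:
+                err("Unknown policy \'" + policy_name + "\'")
+
+        labels = []
+        for line in f:
+            if condition.match(line):
+                label = line.split()[3]
+                if label not in labels:
+                    labels.append(label)
+    finally:
+        mapfile_unlock()
 
     if '__NULL_LABEL__' in labels:
         labels.remove('__NULL_LABEL__')
@@ -778,8 +783,6 @@ def get_res_security_details(resource):
         policy = active_policy
         return (label, ssidref, policy)
 
-    (label, ssidref, policy) = default_security_details()
-
     # find the entry associated with this resource
     (policytype, label, policy) = get_res_label(resource)
     if policy == 'NULL':
@@ -793,6 +796,8 @@ def get_res_security_details(resource):
     # is this resource label for the running policy?
     if policy == active_policy:
         ssidref = label2ssidref(label, policy, 'res')
+    elif label == xsconstants.XS_INACCESSIBLE_LABEL:
+        ssidref = NULL_SSIDREF
     else:
         log.info("Resource label not for active policy, using DEFAULT.")
         return default_security_details()
@@ -916,6 +921,8 @@ def res_security_check_xapi(rlabel, rssi
     rtnval = 1
     # if security is on, ask the hypervisor for a decision
     if on():
+        if rlabel == xsconstants.XS_INACCESSIBLE_LABEL:
+            return 0
         typ, dpolicy, domain_label = xapi_dom_label.split(":")
         if not dpolicy or not domain_label:
             raise VmError("VM security label in wrong format.")
@@ -973,6 +980,8 @@ def validate_label(policytype, policyref
     if not policytype or not label:
         return -xsconstants.XSERR_BAD_LABEL_FORMAT
     rc = xsconstants.XSERR_SUCCESS
+    if label == xsconstants.XS_INACCESSIBLE_LABEL:
+        return rc
     from xen.xend.XendXSPolicyAdmin import XSPolicyAdminInstance
     curpol = XSPolicyAdminInstance().get_loaded_policy()
     if not curpol or curpol.get_name() != policyref:
@@ -1197,20 +1206,23 @@ def set_resource_label(resource, policyt
     @return Success (0) or failure value (< 0)
     """
 
-    if reslabel != "":
-        ssidref = label2ssidref(reslabel, policyref, 'res')
 
     try:
         resource = unify_resname(resource, mustexist=False)
     except Exception:
         return -xsconstants.XSERR_BAD_RESOURCE_FORMAT
 
-    domains = is_resource_in_use(resource)
-    if len(domains) > 0:
-        return -xsconstants.XSERR_RESOURCE_IN_USE
-
     try:
         resfile_lock()
+        mapfile_lock()
+
+        if reslabel not in [ '', xsconstants.XS_INACCESSIBLE_LABEL ]:
+            ssidref = label2ssidref(reslabel, policyref, 'res')
+
+        domains = is_resource_in_use(resource)
+        if len(domains) > 0:
+            return -xsconstants.XSERR_RESOURCE_IN_USE
+
         access_control = {}
         try:
              access_control = dictio.dict_read("resources", res_label_filename)
@@ -1229,6 +1241,11 @@ def set_resource_label(resource, policyt
                 if value == tuple([policytype, policyref, reslabel]) and \
                    key.startswith('vlan:'):
                     return -xsconstants.XSERR_BAD_LABEL
+
+        if reslabel == xsconstants.XS_INACCESSIBLE_LABEL:
+            policytype = xsconstants.ACM_POLICY_ID
+            policyref  = '*'
+
         if reslabel != "":
             new_entry = { resource : tuple([policytype, policyref, reslabel])}
             access_control.update(new_entry)
@@ -1243,6 +1260,7 @@ def set_resource_label(resource, policyt
         dictio.dict_write(access_control, "resources", res_label_filename)
     finally:
         resfile_unlock()
+        mapfile_unlock()
     return xsconstants.XSERR_SUCCESS
 
 def rm_resource_label(resource, oldlabel_xapi):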
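Review bot: In `set_resource_label` both `resfile_lock()` and `mapfile_lock()` are acquired inside the `try`, so if either acquisition raises, the `finally` still calls `resfile_unlock()` and `mapfile_unlock()` on a lock that was never taken. The `list_labels` hunk has the same shape, with `mapfile_lock()` as the first statement inside its `try`. The lock helpers are not shown on this page, so whether releasing an unheld lock raises and masks the original error, or silently releases another holder's lock on the resource-label store, needs checking against their definitions. Taking each lock immediately before its own `try:` and releasing in reverse order (`mapfile_unlock()` before `resfile_unlock()`) removes the spurious release. It also keeps the nesting order unambiguous for any other path that holds both locks.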