ia64/xen-unstable

changeset 11876:4ecfbf08b449

[TPM] Add tests cases for the ACM security hooks and tools to
the xm test suite. The tests can be run with ACM turned off (not
compiled into Xen; see user doc for this), but most of them will be
skipped then. They can be run with a command like

make -C tests/security-acm check-TESTS

from the xm-test directory. They are also part of the default tests in
the tests suite and part of a new group test 'security'.
Since some of the tests require resources to be labeled, one must
explicitly enable the resources to be allowed to be labeled by the
test
suite by running

./configure --enable-full-labeling

once. To turn it off, the '--enable-full-labeling' parameter should be
omitted.

Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
author kfraser@localhost.localdomain
date Wed Oct 18 16:07:55 2006 +0100 (2006-10-18)
parents cbc181eb54fa
children 05bf8693c735
files tools/xm-test/README tools/xm-test/configure.ac tools/xm-test/grouptest/default tools/xm-test/grouptest/security tools/xm-test/lib/XmTestLib/XenDomain.py tools/xm-test/lib/XmTestLib/acm.py tools/xm-test/tests/Makefile.am tools/xm-test/tests/security-acm/01_security-acm_basic.py tools/xm-test/tests/security-acm/02_security-acm_dom_start.py tools/xm-test/tests/security-acm/03_security-acm_dom_conflict.py tools/xm-test/tests/security-acm/04_security-acm_dom_res.py tools/xm-test/tests/security-acm/05_security-acm_dom_res_conf.py tools/xm-test/tests/security-acm/06_security-acm_dom_block_attach.py tools/xm-test/tests/security-acm/Makefile.am tools/xm-test/tests/security-acm/acm_utils.py tools/xm-test/tests/security-acm/xm-test-security_policy.xml
line diff
     1.1 --- a/tools/xm-test/README	Wed Oct 18 15:26:08 2006 +0100
     1.2 +++ b/tools/xm-test/README	Wed Oct 18 16:07:55 2006 +0100
     1.3 @@ -112,6 +112,38 @@ Xm-test will look for disk.img in the ra
     1.4  default.
     1.5  
     1.6  
     1.7 +BUILDING for ACM Security Testing
     1.8 +=================================
     1.9 +
    1.10 +A number of tests have been added to test the access control module (ACM)
    1.11 +in the Xen hypervisor and the tools for supporting ACM. Those tests are
    1.12 +located in the security-acm directory. If ACM support is compiled into Xen
    1.13 +(see the user guide for how to do this) those tests can be run with the
    1.14 +following command from the xm-test directory
    1.15 +
    1.16 +./runtest.sh [...] -g security <report>
    1.17 +
    1.18 +Some of these tests will work even without support of ACM by Xen.
    1.19 +
    1.20 +Several of these tests require the privilege of being allowed to label
    1.21 +resources and will otherwise be skipped. By default the test suite
    1.22 +is not allowed to automatically label resources since this may affect
    1.23 +existing labels. To enable this, the test suite must be configured with
    1.24 +the following parameter passed to the configure scripts (in addition to
    1.25 +any other desired parameters)
    1.26 +
    1.27 +./configure --enable-full-labeling
    1.28 +
    1.29 +To revoke the privilege at a later time run the configure scripts without
    1.30 +this parameter:
    1.31 +
    1.32 +./configure
    1.33 +
    1.34 +If a 'make' has previously been run for building the test suite, it is not
    1.35 +necessary to run 'make' again just for enabling or disabling the automatic
    1.36 +labeling of resources.
    1.37 +
    1.38 +
    1.39  Running
    1.40  =======
    1.41  
     2.1 --- a/tools/xm-test/configure.ac	Wed Oct 18 15:26:08 2006 +0100
     2.2 +++ b/tools/xm-test/configure.ac	Wed Oct 18 16:07:55 2006 +0100
     2.3 @@ -38,6 +38,20 @@ fi
     2.4  AM_CONDITIONAL(HVM, test x$ENABLE_HVM = xTrue)
     2.5  AC_SUBST(ENABLE_HVM)
     2.6  
     2.7 +AC_ARG_ENABLE(full-labeling,
     2.8 +	[[  --enable-full-labeling         allows the test suite to label all resources]],
     2.9 +	[
    2.10 +		ENABLE_LABELING=True
    2.11 +	],[
    2.12 +		ENABLE_LABELING=False
    2.13 +	])
    2.14 +
    2.15 +if test "x$ENABLE_LABELING" = "xTrue"; then
    2.16 +	echo "ACM_LABEL_RESOURCES = True" > lib/XmTestLib/acm_config.py
    2.17 +else
    2.18 +	rm -f lib/XmTestLib/acm_config.py*
    2.19 +fi
    2.20 +
    2.21  # Network needs to know ips to use: dhcp or a range of IPs in the form
    2.22  # of: 192.168.1.1-192.168.1.100
    2.23  # If not dhcp, a netmask and network address must be supplied. Defaults to
    2.24 @@ -127,6 +141,7 @@ AC_CONFIG_FILES([
    2.25      tests/restore/Makefile
    2.26      tests/save/Makefile
    2.27      tests/sched-credit/Makefile
    2.28 +    tests/security-acm/Makefile
    2.29      tests/sedf/Makefile
    2.30      tests/shutdown/Makefile
    2.31      tests/sysrq/Makefile
     3.1 --- a/tools/xm-test/grouptest/default	Wed Oct 18 15:26:08 2006 +0100
     3.2 +++ b/tools/xm-test/grouptest/default	Wed Oct 18 16:07:55 2006 +0100
     3.3 @@ -22,6 +22,7 @@ reboot
     3.4  restore
     3.5  save
     3.6  sched-credit
     3.7 +security-acm
     3.8  shutdown
     3.9  sysrq
    3.10  unpause
     4.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     4.2 +++ b/tools/xm-test/grouptest/security	Wed Oct 18 16:07:55 2006 +0100
     4.3 @@ -0,0 +1,1 @@
     4.4 +security-acm
     5.1 --- a/tools/xm-test/lib/XmTestLib/XenDomain.py	Wed Oct 18 15:26:08 2006 +0100
     5.2 +++ b/tools/xm-test/lib/XmTestLib/XenDomain.py	Wed Oct 18 16:07:55 2006 +0100
     5.3 @@ -102,6 +102,8 @@ class XenConfig:
     5.4          self.defaultOpts["disk"] = []
     5.5          self.defaultOpts["vif"]  = []
     5.6          self.defaultOpts["vtpm"] = []
     5.7 +        if isACMEnabled():
     5.8 +            self.defaultOpts["access_control"] = []
     5.9  
    5.10          self.opts = self.defaultOpts
    5.11  
     6.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     6.2 +++ b/tools/xm-test/lib/XmTestLib/acm.py	Wed Oct 18 16:07:55 2006 +0100
     6.3 @@ -0,0 +1,80 @@
     6.4 +#!/usr/bin/python
     6.5 +"""
     6.6 + Copyright (C) International Business Machines Corp., 2006
     6.7 + Author: Stefan Berger <stefanb@us.ibm.com>
     6.8 +
     6.9 + This program is free software; you can redistribute it and/or modify
    6.10 + it under the terms of the GNU General Public License as published by
    6.11 + the Free Software Foundation; under version 2 of the License.
    6.12 +
    6.13 + This program is distributed in the hope that it will be useful,
    6.14 + but WITHOUT ANY WARRANTY; without even the implied warranty of
    6.15 + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    6.16 + GNU General Public License for more details.
    6.17 +
    6.18 + You should have received a copy of the GNU General Public License
    6.19 + along with this program; if not, write to the Free Software
    6.20 + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
    6.21 +
    6.22 +"""
    6.23 +from Test import *
    6.24 +from xen.util import security
    6.25 +
    6.26 +try:
    6.27 +    from acm_config import *
    6.28 +except:
    6.29 +    ACM_LABEL_RESOURCES = False
    6.30 +
    6.31 +labeled_resources = {}
    6.32 +acm_verbose = False
    6.33 +
    6.34 +def isACMEnabled():
    6.35 +    return security.on()
    6.36 +
    6.37 +
    6.38 +def ACMLoadPolicy(policy='xm-test'):
    6.39 +    s, o = traceCommand("xm makepolicy %s" % (policy))
    6.40 +    if s != 0:
    6.41 +        FAIL("Need to be able to do 'xm makepolicy %s' but could not" %
    6.42 +             (policy))
    6.43 +    s, o = traceCommand("xm loadpolicy %s" % (policy))
    6.44 +    if s != 0:
    6.45 +        FAIL("Could not load the required policy '%s'.\n"
    6.46 +             "Start the system without any policy.\n%s" %
    6.47 +             (policy, o))
    6.48 +
    6.49 +
    6.50 +# Applications may label resources explicitly by calling this function
    6.51 +def ACMLabelResource(resource, label='red'):
    6.52 +    if acm_verbose:
    6.53 +        print "labeling resource %s with label %s" % (resource, label)
    6.54 +    if not ACM_LABEL_RESOURCES:
    6.55 +        SKIP("Skipping test since not allowed to label resources in "
    6.56 +             "test suite")
    6.57 +    if not isACMResourceLabeled(resource):
    6.58 +        ACMUnlabelResource(resource)
    6.59 +        s, o = traceCommand("xm addlabel %s res %s" % (label, resource))
    6.60 +        if s != 0:
    6.61 +            FAIL("Could not add label to resource")
    6.62 +        else:
    6.63 +            labeled_resources["%s" % resource] = 1
    6.64 +
    6.65 +
    6.66 +# Application may remove a label from a resource. It has to call this
    6.67 +# function and must do so once a resource for re-labeling a resource
    6.68 +def ACMUnlabelResource(resource):
    6.69 +    s, o = traceCommand("xm rmlabel res %s" % (resource))
    6.70 +    labeled_resources["%s" % resource] = 0
    6.71 +
    6.72 +
    6.73 +def isACMResourceLabeled(resource):
    6.74 +    """ Check whether a resource has been labeled using this API
    6.75 +        and while running the application """
    6.76 +    try:
    6.77 +        if labeled_resources["%s" % resource] == 1:
    6.78 +            if acm_verbose:
    6.79 +                print "resource %s already labeled!" % resource
    6.80 +            return True
    6.81 +    except:
    6.82 +        return False
    6.83 +    return False
     7.1 --- a/tools/xm-test/tests/Makefile.am	Wed Oct 18 15:26:08 2006 +0100
     7.2 +++ b/tools/xm-test/tests/Makefile.am	Wed Oct 18 16:07:55 2006 +0100
     7.3 @@ -19,6 +19,7 @@ SUBDIRS = 	               	\
     7.4  		pause		\
     7.5  		reboot 		\
     7.6  		sched-credit	\
     7.7 +		security-acm    \
     7.8  		sedf		\
     7.9  		shutdown	\
    7.10  		sysrq		\
     8.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     8.2 +++ b/tools/xm-test/tests/security-acm/01_security-acm_basic.py	Wed Oct 18 16:07:55 2006 +0100
     8.3 @@ -0,0 +1,118 @@
     8.4 +#!/usr/bin/python
     8.5 +
     8.6 +# Copyright (C) International Business Machines Corp., 2006
     8.7 +# Author: Stefan Berger <stefanb@us.ibm.com>
     8.8 +#
     8.9 +# A couple of simple tests that test ACM security extensions
    8.10 +# for the xm tool. The following xm subcommands are tested:
    8.11 +#
    8.12 +# - makepolicy
    8.13 +# - labels
    8.14 +# - rmlabel
    8.15 +# - addlabel
    8.16 +# - getlabel
    8.17 +# - resources
    8.18 +
    8.19 +from XmTestLib import *
    8.20 +from xen.util import security
    8.21 +import commands
    8.22 +import os
    8.23 +import re
    8.24 +
    8.25 +testpolicy = "xm-test"
    8.26 +testlabel = "blue"
    8.27 +vmconfigfile = "/tmp/xm-test.conf"
    8.28 +testresource = "phy:ram0"
    8.29 +
    8.30 +status, output = traceCommand("xm makepolicy %s" % (testpolicy))
    8.31 +if status != 0 or output != "":
    8.32 +    FAIL("'xm makepolicy' failed with status %d and output\n%s" %
    8.33 +         (status,output));
    8.34 +
    8.35 +status, output = traceCommand("xm labels %s" % (testpolicy))
    8.36 +if status != 0:
    8.37 +    FAIL("'xm labels' failed with status %d.\n" % status)
    8.38 +
    8.39 +#Need to get a vm config file - just have it written to a file
    8.40 +domain = XmTestDomain()
    8.41 +domain.config.write(vmconfigfile)
    8.42 +
    8.43 +#Whatever label it might have - remove it
    8.44 +status, output = traceCommand("xm rmlabel dom %s" %
    8.45 +                              (vmconfigfile))
    8.46 +
    8.47 +status, output = traceCommand("xm addlabel %s dom %s %s" %
    8.48 +                              (testlabel, vmconfigfile, testpolicy))
    8.49 +if status != 0:
    8.50 +    FAIL("'xm addlabel' failed with status %d.\n" % status)
    8.51 +
    8.52 +status, output = traceCommand("xm getlabel dom %s" %
    8.53 +                              (vmconfigfile))
    8.54 +
    8.55 +if status != 0:
    8.56 +    FAIL("'xm getlabel' failed with status %d, output:\n%s" %
    8.57 +         (status, output))
    8.58 +if output != "policy=%s,label=%s" % (testpolicy,testlabel):
    8.59 +    FAIL("Received unexpected output from 'xm getlabel': \n%s" %
    8.60 +         (output))
    8.61 +
    8.62 +
    8.63 +status, output = traceCommand("xm rmlabel dom %s" %
    8.64 +                              (vmconfigfile))
    8.65 +
    8.66 +if status != 0:
    8.67 +    FAIL("'xm rmlabel' failed with status %d, output: \n%s" %
    8.68 +         (status,output))
    8.69 +if output != "":
    8.70 +    FAIL("Received unexpected output from 'xm rmlabel': \n%s" %
    8.71 +         (output))
    8.72 +
    8.73 +status, output = traceCommand("xm getlabel dom %s" %
    8.74 +                              (vmconfigfile))
    8.75 +
    8.76 +if output != "Error: 'Domain not labeled'":
    8.77 +    FAIL("Received unexpected output from 'xm getlabel': \n%s" %
    8.78 +         (output))
    8.79 +
    8.80 +#Whatever label the resource might have, remove it
    8.81 +status, output = traceCommand("xm rmlabel res %s" %
    8.82 +                              (testresource))
    8.83 +
    8.84 +status, output = traceCommand("xm addlabel %s res %s %s" %
    8.85 +                              (testlabel, testresource, testpolicy))
    8.86 +if status != 0:
    8.87 +    FAIL("'xm addlabel' on resource failed with status %d.\n" % status)
    8.88 +
    8.89 +status, output = traceCommand("xm getlabel res %s" % (testresource))
    8.90 +
    8.91 +if status != 0:
    8.92 +    FAIL("'xm getlabel' on resource failed with status %d, output:\n%s" %
    8.93 +         (status, output))
    8.94 +if output != "policy=%s,label=%s" % (testpolicy,testlabel):
    8.95 +    FAIL("Received unexpected output from 'xm getlabel': \n%s" %
    8.96 +         (output))
    8.97 +
    8.98 +status, output = traceCommand("xm resources")
    8.99 +
   8.100 +if status != 0:
   8.101 +    FAIL("'xm resources' did not run properly")
   8.102 +if not re.search(security.unify_resname(testresource), output):
   8.103 +    FAIL("'xm resources' did not show the tested resource '%s'." %
   8.104 +         testresource)
   8.105 +
   8.106 +status, output = traceCommand("xm rmlabel res %s" %
   8.107 +                              (testresource))
   8.108 +
   8.109 +if status != 0:
   8.110 +    FAIL("'xm rmlabel' on resource failed with status %d, output: \n%s" %
   8.111 +         (status,output))
   8.112 +if output != "":
   8.113 +    FAIL("Received unexpected output from 'xm rmlabel': \n%s" %
   8.114 +         (output))
   8.115 +
   8.116 +status, output = traceCommand("xm getlabel res %s" %
   8.117 +                              (testresource))
   8.118 +
   8.119 +if output != "Error: 'Resource not labeled'":
   8.120 +    FAIL("Received unexpected output from 'xm getlabel': \n%s" %
   8.121 +         (output))
     9.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     9.2 +++ b/tools/xm-test/tests/security-acm/02_security-acm_dom_start.py	Wed Oct 18 16:07:55 2006 +0100
     9.3 @@ -0,0 +1,64 @@
     9.4 +#!/usr/bin/python
     9.5 +
     9.6 +# Copyright (C) International Business Machines Corp., 2006
     9.7 +# Author: Stefan Berger <stefanb@us.ibm.com>
     9.8 +#
     9.9 +# Simple test that starts two labeled domains; both domains should start
    9.10 +#
    9.11 +# The following xm subcommands are tested:
    9.12 +# - dumppolicy
    9.13 +# - labels
    9.14 +
    9.15 +from XmTestLib import *
    9.16 +from acm_utils import *
    9.17 +import commands
    9.18 +import os
    9.19 +
    9.20 +testlabel1 = "green"
    9.21 +testlabel2 = "red"
    9.22 +
    9.23 +status, output = traceCommand("xm labels")
    9.24 +
    9.25 +labels = ["SystemManagement", "blue", "red", "green"]
    9.26 +for l in labels:
    9.27 +    if not re.search(l, output):
    9.28 +        FAIL("Label '%s' not found in current policy!", l)
    9.29 +
    9.30 +status, output = traceCommand("xm dumppolicy")
    9.31 +if status != 0:
    9.32 +    FAIL("'xm dumppolicy' returned an error code.")
    9.33 +lines = ["ssidref 0:  00 00 00 00",
    9.34 +         "ssidref 1:  01 00 00 00",
    9.35 +         "ssidref 2:  00 01 00 00",
    9.36 +         "ssidref 3:  00 00 01 00",
    9.37 +         "ssidref 4:  00 00 00 01"]
    9.38 +for l in lines:
    9.39 +    if not re.search(l, output):
    9.40 +        FAIL("Could not find '%s' in output of 'xm dumppolicy'" % l)
    9.41 +
    9.42 +config = {"access_control":"policy=%s,label=%s" % (testpolicy,testlabel1)}
    9.43 +verbose = True
    9.44 +domain1 = XmTestDomain(name="domain-%s" % testlabel1,
    9.45 +                       extraConfig=config)
    9.46 +
    9.47 +try:
    9.48 +    domain1.start(noConsole=True)
    9.49 +except DomainError, e:
    9.50 +    if verbose:
    9.51 +        print e.extra
    9.52 +    FAIL("Unable to start 1st labeled test domain.")
    9.53 +
    9.54 +config = {"access_control":"policy=%s,label=%s" % (testpolicy,testlabel2)}
    9.55 +
    9.56 +domain2 = XmTestDomain(name="domain-%s" % testlabel2,
    9.57 +                       extraConfig=config)
    9.58 +
    9.59 +try:
    9.60 +    domain2.start(noConsole=True)
    9.61 +except DomainError, e:
    9.62 +    if verbose:
    9.63 +        print e.extra
    9.64 +    FAIL("Unable to start 2nd labeled test domain.")
    9.65 +
    9.66 +domain2.destroy()
    9.67 +domain1.destroy()
    10.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
    10.2 +++ b/tools/xm-test/tests/security-acm/03_security-acm_dom_conflict.py	Wed Oct 18 16:07:55 2006 +0100
    10.3 @@ -0,0 +1,60 @@
    10.4 +#!/usr/bin/python
    10.5 +
    10.6 +# Copyright (C) International Business Machines Corp., 2006
    10.7 +# Author: Stefan Berger <stefanb@us.ibm.com>
    10.8 +#
    10.9 +# A test that exercises the conflict set of the chinese wall policy.
   10.10 +# Start a first domain and then a second one. The second one is
   10.11 +# expected NOT to be starteable.
   10.12 +
   10.13 +from XmTestLib import *
   10.14 +from acm_utils import *
   10.15 +import commands
   10.16 +import os
   10.17 +
   10.18 +testlabel1 = "blue"
   10.19 +testlabel2 = "red"
   10.20 +
   10.21 +config = {"access_control":"policy=%s,label=%s" % (testpolicy,testlabel1)}
   10.22 +
   10.23 +domain1 = XmTestDomain(name="domain-%s" % testlabel1,
   10.24 +                       extraConfig=config)
   10.25 +
   10.26 +try:
   10.27 +    domain1.start(noConsole=True)
   10.28 +except DomainError, e:
   10.29 +    if verbose:
   10.30 +        print e.extra
   10.31 +    FAIL("Unable to start 1st labeled test domain")
   10.32 +
   10.33 +# Verify with xm dry-run
   10.34 +status, output = traceCommand("xm dry-run /tmp/xm-test.conf | "
   10.35 +                              "grep -v \"Dry Run\"")
   10.36 +if status != 0:
   10.37 +    FAIL("'xm dry-run' failed")
   10.38 +if not re.search("PERMITTED", output):
   10.39 +    FAIL("'xm dry-run' did not succeed.")
   10.40 +
   10.41 +config = {"access_control":"policy=%s,label=%s" % (testpolicy,testlabel2)}
   10.42 +
   10.43 +domain2 = XmTestDomain(name="domain-%s" % testlabel2,
   10.44 +                       extraConfig=config)
   10.45 +
   10.46 +try:
   10.47 +    domain2.start(noConsole=True)
   10.48 +    # Should never get here!
   10.49 +    FAIL("Could start a domain in a conflict set - "
   10.50 +         "this should not be possible")
   10.51 +except DomainError, e:
   10.52 +    #This is exactly what we want in this case
   10.53 +    status = 0
   10.54 +
   10.55 +# Verify with xm dry-run
   10.56 +status, output = traceCommand("xm dry-run /tmp/xm-test.conf | "
   10.57 +                              "grep -v \"Dry Run\"")
   10.58 +if status != 0:
   10.59 +    FAIL("'xm dry-run' failed.")
   10.60 +if not re.search("PERMITTED", output):
   10.61 +    FAIL("'xm dry-run' did not show that operation was permitted.")
   10.62 +
   10.63 +domain1.destroy()
    11.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
    11.2 +++ b/tools/xm-test/tests/security-acm/04_security-acm_dom_res.py	Wed Oct 18 16:07:55 2006 +0100
    11.3 @@ -0,0 +1,69 @@
    11.4 +#!/usr/bin/python
    11.5 +
    11.6 +# Copyright (C) International Business Machines Corp., 2006
    11.7 +# Author: Stefan Berger <stefanb@us.ibm.com>
    11.8 +#
    11.9 +# Simple test that starts two labeled domains using labeled resources each
   11.10 +#
   11.11 +
   11.12 +from XmTestLib import *
   11.13 +from acm_utils import *
   11.14 +import commands
   11.15 +import os
   11.16 +
   11.17 +testlabel1 = "green"
   11.18 +resource1  = "phy:ram0"
   11.19 +testlabel2 = "red"
   11.20 +resource2  = "phy:/dev/ram1"
   11.21 +
   11.22 +config = {"access_control":"policy=%s,label=%s" % (testpolicy,testlabel1),
   11.23 +          "disk"          :"%s,hda1,w" % (resource1)}
   11.24 +domain1 = XmTestDomain(name="domain-%s" % testlabel1,
   11.25 +                       extraConfig=config)
   11.26 +
   11.27 +# Explicity label the resource
   11.28 +ACMLabelResource(resource1, testlabel1)
   11.29 +
   11.30 +try:
   11.31 +    domain1.start(noConsole=True)
   11.32 +except DomainError, e:
   11.33 +    if verbose:
   11.34 +        print e.extra
   11.35 +    FAIL("Unable to start 1st labeled test domain.")
   11.36 +
   11.37 +# Verify with xm dry-run
   11.38 +status, output = traceCommand("xm dry-run /tmp/xm-test.conf | "
   11.39 +                              "grep -v \"Dry Run\"")
   11.40 +
   11.41 +if status != 0:
   11.42 +    FAIL("'xm dry-run' failed")
   11.43 +if not re.search("%s: PERMITTED" % resource1, output):
   11.44 +    FAIL("'xm dry-run' did not succeed.")
   11.45 +
   11.46 +config = {"access_control":"policy=%s,label=%s" % (testpolicy,testlabel2),
   11.47 +          "disk"          :"%s,hda1,w" % (resource2)}
   11.48 +
   11.49 +domain2 = XmTestDomain(name="domain-%s" % testlabel2,
   11.50 +                       extraConfig=config)
   11.51 +
   11.52 +# Explicity label the resource
   11.53 +ACMLabelResource(resource2, testlabel2)
   11.54 +
   11.55 +try:
   11.56 +    domain2.start(noConsole=True)
   11.57 +except DomainError, e:
   11.58 +    if verbose:
   11.59 +        print e.extra
   11.60 +    FAIL("Unable to start 2nd labeled test domain.")
   11.61 +
   11.62 +# Verify with xm dry-run
   11.63 +status, output = traceCommand("xm dry-run /tmp/xm-test.conf | "
   11.64 +                              "grep -v \"Dry Run\"")
   11.65 +
   11.66 +if status != 0:
   11.67 +    FAIL("'xm dry-run' failed")
   11.68 +if not re.search("%s: PERMITTED" % resource2, output):
   11.69 +    FAIL("'xm dry-run' did not succeed.")
   11.70 +
   11.71 +domain2.destroy()
   11.72 +domain1.destroy()
    12.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
    12.2 +++ b/tools/xm-test/tests/security-acm/05_security-acm_dom_res_conf.py	Wed Oct 18 16:07:55 2006 +0100
    12.3 @@ -0,0 +1,38 @@
    12.4 +#!/usr/bin/python
    12.5 +
    12.6 +# Copyright (C) International Business Machines Corp., 2006
    12.7 +# Author: Stefan Berger <stefanb@us.ibm.com>
    12.8 +#
    12.9 +# A test that tries to start a domain using a resource that it is
   12.10 +# not supposed to be able to use due to its labeling
   12.11 +
   12.12 +from XmTestLib import *
   12.13 +from acm_utils import *
   12.14 +import commands
   12.15 +import os
   12.16 +
   12.17 +testlabel1 = "blue"
   12.18 +resource1  = "phy:ram0"
   12.19 +
   12.20 +config = {"access_control":"policy=%s,label=%s" % (testpolicy,testlabel1),
   12.21 +          "disk"          :"%s,hda1,w" % (resource1)}
   12.22 +
   12.23 +domain1 = XmTestDomain(name="domain-%s" % testlabel1,
   12.24 +                       extraConfig=config)
   12.25 +
   12.26 +ACMLabelResource(resource1,"red")
   12.27 +
   12.28 +try:
   12.29 +    domain1.start(noConsole=True)
   12.30 +    # Should never get here
   12.31 +    FAIL("Could start domain with resource that it is not supposed to access.")
   12.32 +except DomainError, e:
   12.33 +    #That's exactly what we want to have in this case
   12.34 +    dummy = 0
   12.35 +
   12.36 +# Verify via dry-run
   12.37 +status, output = traceCommand("xm dry-run /tmp/xm-test.conf | "
   12.38 +                              "grep -v \"Dry Run\"")
   12.39 +if not re.search("%s: DENIED" %resource1, output):
   12.40 +    FAIL("'xm dry-run' did not show expected result that operation was NOT "
   12.41 +         "permitted: \n%s" % output)
    13.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
    13.2 +++ b/tools/xm-test/tests/security-acm/06_security-acm_dom_block_attach.py	Wed Oct 18 16:07:55 2006 +0100
    13.3 @@ -0,0 +1,82 @@
    13.4 +#!/usr/bin/python
    13.5 +
    13.6 +# Copyright (C) International Business Machines Corp., 2005
    13.7 +# Author: Stefan Berger <stefanb@us.ibm.com>
    13.8 +# Based on block-create/01_block_attach_device_pos.py
    13.9 +#
   13.10 +# Create a domain and attach 2 resources to it. The first resource
   13.11 +# should be attacheable, the 2nd one should not be due to the label it has.
   13.12 +
   13.13 +import re
   13.14 +from XmTestLib import *
   13.15 +from XmTestLib import block_utils
   13.16 +from acm_utils import *
   13.17 +
   13.18 +testlabel1 = "blue"
   13.19 +resource1 = "phy:ram1"
   13.20 +resourcelabel1 = "blue"
   13.21 +resource2 = "phy:/dev/ram0"
   13.22 +resourcelabel2 = "red"
   13.23 +
   13.24 +if ENABLE_HVM_SUPPORT:
   13.25 +    SKIP("Block-attach not supported for HVM domains")
   13.26 +
   13.27 +# Create a domain (default XmTestDomain, with our ramdisk)
   13.28 +config = {"access_control":"policy=%s,label=%s" % (testpolicy,testlabel1)}
   13.29 +
   13.30 +domain = XmTestDomain(extraConfig=config)
   13.31 +
   13.32 +try:
   13.33 +    console = domain.start()
   13.34 +except DomainError, e:
   13.35 +    FAIL(str(e))
   13.36 +
   13.37 +# Attach a console to it
   13.38 +try:
   13.39 +    console.setHistorySaveCmds(value=True)
   13.40 +    # Run 'ls'
   13.41 +    run = console.runCmd("ls")
   13.42 +except ConsoleError, e:
   13.43 +    saveLog(console.getHistory())
   13.44 +    FAIL(str(e))
   13.45 +
   13.46 +
   13.47 +# Explicitly label the 1st resource
   13.48 +ACMLabelResource(resource1, resourcelabel1)
   13.49 +block_utils.block_attach(domain, resource1, "sdb1")
   13.50 +
   13.51 +try:
   13.52 +	run1 = console.runCmd("cat /proc/partitions")
   13.53 +except ConsoleError, e:
   13.54 +	FAIL(str(e))
   13.55 +
   13.56 +#Explicitly label the 2nd resource
   13.57 +ACMLabelResource(resource2, resourcelabel2)
   13.58 +#Cannot call block_attach here since we legally may fail the command
   13.59 +status, output = traceCommand("xm block-attach %s %s %s w" %
   13.60 +                               (domain.getName(), resource2, "sdb2" ))
   13.61 +
   13.62 +for i in range(10):
   13.63 +    if block_utils.get_state(domain, "sdb2") == 4:
   13.64 +        break
   13.65 +    time.sleep(1)
   13.66 +
   13.67 +try:
   13.68 +	run2 = console.runCmd("cat /proc/partitions")
   13.69 +except ConsoleError, e:
   13.70 +	FAIL(str(e))
   13.71 +
   13.72 +# Close the console
   13.73 +domain.closeConsole()
   13.74 +
   13.75 +# Stop the domain (nice shutdown)
   13.76 +domain.stop()
   13.77 +
   13.78 +if not re.search("sdb1",run1["output"]):
   13.79 +    FAIL("Labeled device 'sdb1' is not actually connected to the domU")
   13.80 +
   13.81 +if not re.search("sdb1",run2["output"]):
   13.82 +    FAIL("Labeled device 'sdb1' has disappeared?!")
   13.83 +
   13.84 +if re.search("sdb2",run2["output"]):
   13.85 +    FAIL("Labeled device 'sdb2' is connected to the domU but should not be")
    14.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
    14.2 +++ b/tools/xm-test/tests/security-acm/Makefile.am	Wed Oct 18 16:07:55 2006 +0100
    14.3 @@ -0,0 +1,25 @@
    14.4 +SUBDIRS =
    14.5 +
    14.6 +TESTS = 01_security-acm_basic.test \
    14.7 +        02_security-acm_dom_start.test \
    14.8 +        03_security-acm_dom_conflict.test \
    14.9 +        04_security-acm_dom_res.test \
   14.10 +        05_security-acm_dom_res_conf.test \
   14.11 +        06_security-acm_dom_block_attach.test
   14.12 +
   14.13 +XFAIL_TESTS =
   14.14 +
   14.15 +EXTRA_DIST = $(TESTS) $(XFAIL_TESTS) acm_utils.py
   14.16 +TESTS_ENVIRONMENT=@TENV@
   14.17 +
   14.18 +%.test: %.py
   14.19 +	cp $< $@
   14.20 +	chmod +x $@
   14.21 +	@cp -f xm-test-security_policy.xml /etc/xen/acm-security/policies
   14.22 +
   14.23 +clean-local: am_config_clean-local
   14.24 +
   14.25 +am_config_clean-local:
   14.26 +	rm -f *test
   14.27 +	rm -f *log
   14.28 +	rm -f *~
    15.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
    15.2 +++ b/tools/xm-test/tests/security-acm/acm_utils.py	Wed Oct 18 16:07:55 2006 +0100
    15.3 @@ -0,0 +1,15 @@
    15.4 +#!/usr/bin/python
    15.5 +
    15.6 +# Copyright (C) International Business Machines Corp., 2006
    15.7 +# Author: Stefan Berger <stefanb@us.ibm.com>
    15.8 +
    15.9 +from XmTestLib import *
   15.10 +from XmTestLib.acm import *
   15.11 +
   15.12 +testpolicy = "xm-test"
   15.13 +vmconfigfile = "/tmp/xm-test.conf"
   15.14 +
   15.15 +if not isACMEnabled():
   15.16 +    SKIP("Not running this test since ACM not enabled.")
   15.17 +
   15.18 +ACMLoadPolicy(testpolicy)
    16.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
    16.2 +++ b/tools/xm-test/tests/security-acm/xm-test-security_policy.xml	Wed Oct 18 16:07:55 2006 +0100
    16.3 @@ -0,0 +1,110 @@
    16.4 +<?xml version="1.0" encoding="UTF-8"?>
    16.5 +<!-- Auto-generated by ezPolicy        -->
    16.6 +<SecurityPolicyDefinition xmlns="http://www.ibm.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.ibm.com ../../security_policy.xsd ">
    16.7 +    <PolicyHeader>
    16.8 +        <PolicyName>xm-test</PolicyName>
    16.9 +        <Date>Fri Sep 29 14:44:38 2006</Date>
   16.10 +    </PolicyHeader>
   16.11 +
   16.12 +    <SimpleTypeEnforcement>
   16.13 +        <SimpleTypeEnforcementTypes>
   16.14 +            <Type>SystemManagement</Type>
   16.15 +            <Type>green</Type>
   16.16 +            <Type>red</Type>
   16.17 +            <Type>blue</Type>
   16.18 +        </SimpleTypeEnforcementTypes>
   16.19 +    </SimpleTypeEnforcement>
   16.20 +
   16.21 +    <ChineseWall priority="PrimaryPolicyComponent">
   16.22 +        <ChineseWallTypes>
   16.23 +            <Type>SystemManagement</Type>
   16.24 +            <Type>green</Type>
   16.25 +            <Type>red</Type>
   16.26 +            <Type>blue</Type>
   16.27 +        </ChineseWallTypes>
   16.28 +
   16.29 +        <ConflictSets>
   16.30 +            <Conflict name="RER">
   16.31 +                <Type>blue</Type>
   16.32 +                <Type>red</Type>
   16.33 +            </Conflict>
   16.34 +       </ConflictSets>
   16.35 +    </ChineseWall>
   16.36 +
   16.37 +    <SecurityLabelTemplate>
   16.38 +        <SubjectLabels bootstrap="SystemManagement">
   16.39 +            <VirtualMachineLabel>
   16.40 +                <Name>SystemManagement</Name>
   16.41 +                <SimpleTypeEnforcementTypes>
   16.42 +                    <Type>SystemManagement</Type>
   16.43 +                    <Type>green</Type>
   16.44 +                    <Type>red</Type>
   16.45 +                    <Type>blue</Type>
   16.46 +                </SimpleTypeEnforcementTypes>
   16.47 +                <ChineseWallTypes>
   16.48 +                    <Type>SystemManagement</Type>
   16.49 +                </ChineseWallTypes>
   16.50 +            </VirtualMachineLabel>
   16.51 +
   16.52 +            <VirtualMachineLabel>
   16.53 +                <Name>green</Name>
   16.54 +                <SimpleTypeEnforcementTypes>
   16.55 +                    <Type>green</Type>
   16.56 +                </SimpleTypeEnforcementTypes>
   16.57 +                <ChineseWallTypes>
   16.58 +                    <Type>green</Type>
   16.59 +                </ChineseWallTypes>
   16.60 +            </VirtualMachineLabel>
   16.61 +
   16.62 +            <VirtualMachineLabel>
   16.63 +                <Name>red</Name>
   16.64 +                <SimpleTypeEnforcementTypes>
   16.65 +                    <Type>red</Type>
   16.66 +                </SimpleTypeEnforcementTypes>
   16.67 +                <ChineseWallTypes>
   16.68 +                    <Type>red</Type>
   16.69 +                </ChineseWallTypes>
   16.70 +            </VirtualMachineLabel>
   16.71 +
   16.72 +            <VirtualMachineLabel>
   16.73 +                <Name>blue</Name>
   16.74 +                <SimpleTypeEnforcementTypes>
   16.75 +                    <Type>blue</Type>
   16.76 +                </SimpleTypeEnforcementTypes>
   16.77 +                <ChineseWallTypes>
   16.78 +                    <Type>blue</Type>
   16.79 +                </ChineseWallTypes>
   16.80 +            </VirtualMachineLabel>
   16.81 +        </SubjectLabels>
   16.82 +
   16.83 +        <ObjectLabels>
   16.84 +            <ResourceLabel>
   16.85 +                <Name>SystemManagement</Name>
   16.86 +                <SimpleTypeEnforcementTypes>
   16.87 +                    <Type>SystemManagement</Type>
   16.88 +                </SimpleTypeEnforcementTypes>
   16.89 +            </ResourceLabel>
   16.90 +
   16.91 +            <ResourceLabel>
   16.92 +                <Name>green</Name>
   16.93 +                <SimpleTypeEnforcementTypes>
   16.94 +                    <Type>green</Type>
   16.95 +                </SimpleTypeEnforcementTypes>
   16.96 +            </ResourceLabel>
   16.97 +
   16.98 +            <ResourceLabel>
   16.99 +                <Name>red</Name>
  16.100 +                <SimpleTypeEnforcementTypes>
  16.101 +                    <Type>red</Type>
  16.102 +                </SimpleTypeEnforcementTypes>
  16.103 +            </ResourceLabel>
  16.104 +
  16.105 +            <ResourceLabel>
  16.106 +                <Name>blue</Name>
  16.107 +                <SimpleTypeEnforcementTypes>
  16.108 +                    <Type>blue</Type>
  16.109 +                </SimpleTypeEnforcementTypes>
  16.110 +            </ResourceLabel>
  16.111 +        </ObjectLabels>
  16.112 +    </SecurityLabelTemplate>
  16.113 +</SecurityPolicyDefinition>