ia64/xen-unstable

changeset 18435:5b133625223a

xsm, python tools: remove autogenerated xsm.py

- The patch does away with the autogenerated xsm.py file and
introduces a config parameter in xend-config.sxp to determine the
security module. The parameter is (xsm_module_name {acm, dummy,
flask}). The default setting/option is dummy. .hgignore is also
updated to stop ignoring xsm.py on commits.

- The patch has created an xsconstant for XS_POLICY_FLASK and updated
the toolchain to check the instance of XS_POLICY_USE. XS_POLICY_USE
evaluates to XS_POLICY_FLASK or XS_POLICY_ACM or XS_POLICY_DUMMY
depending on configuration.

- Flask relies on the current value of ssidref returned by dominfo to
ensure that the label to sid mapping is consistent. ssidref had
been pop'ed from the dominfo object. The patch addresses this
issue.

- Flask python module style cleanups.

Signed-off-by: George Coker <gscoker@alpha.ncsc.mil>
author Keir Fraser <keir.fraser@citrix.com>
date Thu Sep 04 11:23:08 2008 +0100 (2008-09-04)
parents bed1b98b63cc
children 44f039c4aee4
files .hgignore tools/examples/xend-config.sxp tools/python/Makefile tools/python/xen/util/xsconstants.py tools/python/xen/util/xsm/dummy/dummy.py tools/python/xen/util/xsm/flask/flask.py tools/python/xen/util/xsm/xsm.py tools/python/xen/xend/XendConfig.py tools/python/xen/xend/XendDomainInfo.py tools/python/xen/xend/XendOptions.py tools/python/xen/xend/server/blkif.py tools/python/xen/xend/server/netif.py
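--- a/.hgignore	Thu Sep 04 11:19:17 2008 +0100
+++ b/.hgignore	Thu Sep 04 11:23:08 2008 +0100
@@ -185,7 +185,6 @@
 ^tools/misc/xenperf$
 ^tools/pygrub/build/.*$
 ^tools/python/build/.*$
-^tools/python/xen/util/xsm/xsm\.py$
 ^tools/security/secpol_tool$
 ^tools/security/xen/.*$
 ^tools/security/xensec_tool$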
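--- a/tools/examples/xend-config.sxp	Thu Sep 04 11:19:17 2008 +0100
+++ b/tools/examples/xend-config.sxp	Thu Sep 04 11:23:08 2008 +0100
@@ -14,6 +14,10 @@
 #(logfile /var/log/xen/xend.log)
 #(loglevel DEBUG)
 
+# Uncomment the line below.  Set the value to flask, acm, or dummy to 
+# select a security module.
+
+#(xsm_module_name dummy)
 
 # The Xen-API server configuration.
 #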
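--- a/tools/python/Makefile	Thu Sep 04 11:19:17 2008 +0100
+++ b/tools/python/Makefile	Thu Sep 04 11:23:08 2008 +0100
@@ -1,14 +1,6 @@
 XEN_ROOT = ../..
 include $(XEN_ROOT)/tools/Rules.mk
 
-XEN_SECURITY_MODULE = dummy
-ifeq ($(FLASK_ENABLE),y)
-XEN_SECURITY_MODULE = flask
-endif
-ifeq ($(ACM_SECURITY),y)
-XEN_SECURITY_MODULE = acm
-endif
-
 .PHONY: all
 all: build
 
@@ -23,8 +15,8 @@ CATALOGS = $(patsubst %,xen/xm/messages/
 NLSDIR = /usr/share/locale
 
 .PHONY: build buildpy
-buildpy: xsm.py
-	CC="$(CC)" CFLAGS="$(CFLAGS)" XEN_SECURITY_MODULE="$(XEN_SECURITY_MODULE)" python setup.py build
+buildpy: 
+	CC="$(CC)" CFLAGS="$(CFLAGS)" python setup.py build
 
 build: buildpy refresh-pot refresh-po $(CATALOGS)
 
@@ -61,18 +53,6 @@ refresh-po: $(POTFILE)
 %.mo: %.po
 	$(MSGFMT) -c -o $@ $<
 
-xsm.py:
-	@(set -e; \
-	  echo "XEN_SECURITY_MODULE = \""$(XEN_SECURITY_MODULE)"\""; \
-	  echo "from xsm_core import *"; \
-	  echo ""; \
-	  echo "import xen.util.xsm."$(XEN_SECURITY_MODULE)"."$(XEN_SECURITY_MODULE)" as xsm_module"; \
-	  echo ""; \
-	  echo "xsm_init(xsm_module)"; \
-	  echo "from xen.util.xsm."$(XEN_SECURITY_MODULE)"."$(XEN_SECURITY_MODULE)" import *"; \
-	  echo "del xsm_module"; \
-	  echo "") >xen/util/xsm/$@
-
 .PHONY: install
 ifndef XEN_PYTHON_NATIVE_INSTALL
 install: LIBPATH=$(shell PYTHONPATH=xen/util python -c "import auxbin; print auxbin.libpath()")
@@ -104,4 +84,4 @@ test:
 
 .PHONY: clean
 clean:
-	rm -rf build *.pyc *.pyo *.o *.a *~ $(CATALOGS) xen/util/xsm/xsm.py xen/util/auxbin.pyc
+	rm -rf build *.pyc *.pyo *.o *.a *~ $(CATALOGS) xen/util/auxbin.pyc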
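--- a/tools/python/xen/util/xsconstants.py	Thu Sep 04 11:19:17 2008 +0100
+++ b/tools/python/xen/util/xsconstants.py	Thu Sep 04 11:23:08 2008 +0100
@@ -20,8 +20,10 @@ XS_INST_NONE = 0
 XS_INST_BOOT = (1 << 0)
 XS_INST_LOAD = (1 << 1)
 
-XS_POLICY_NONE  = 0
+XS_POLICY_DUMMY  = 0
 XS_POLICY_ACM = (1 << 0)
+XS_POLICY_FLASK = (1 << 1)
+XS_POLICY_USE = 0
 
 # Some internal variables used by the Xen-API
 ACM_LABEL_VM  = (1 << 0)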
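Review bot: `XS_POLICY_USE` sits among the constants but is not one: xsm.py in this commit overwrites it when that module is imported, and until then it holds 0, which is also the value of `XS_POLICY_DUMMY`. A comment on the line would stop readers from treating it as fixed, for example `# Selected policy type; overwritten by xen.util.xsm.xsm at import from xsm_module_name. Equals XS_POLICY_DUMMY until then.` Renaming `XS_POLICY_NONE` also breaks any reference outside the files touched here; none are visible on this page, so a tree-wide search is worth doing.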
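--- a/tools/python/xen/util/xsm/dummy/dummy.py	Thu Sep 04 11:19:17 2008 +0100
+++ b/tools/python/xen/util/xsm/dummy/dummy.py	Thu Sep 04 11:23:08 2008 +0100
@@ -36,7 +36,7 @@ def err(msg):
     raise XSMError(msg)
 
 def on():
-    return 0
+    return xsconstants.XS_POLICY_DUMMY
 
 def ssidref2label(ssidref):
     return 0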
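Review bot: `on()` now references `xsconstants`, but this section adds no import for it, whereas the flask.py section of the same commit had to add `from xen.util import xsconstants`. The top of dummy.py is outside the hunk, so the name may already be in scope; if it is not, `on()` raises NameError the first time xend asks which policy is active, and dummy is the default module. Please confirm the import exists or add `from xen.util import xsconstants` at the top of the file.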
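--- a/tools/python/xen/util/xsm/flask/flask.py	Thu Sep 04 11:19:17 2008 +0100
+++ b/tools/python/xen/util/xsm/flask/flask.py	Thu Sep 04 11:23:08 2008 +0100
@@ -1,5 +1,6 @@
 import sys
 from xen.lowlevel import flask
+from xen.util import xsconstants
 from xen.xend import sxp
 
 #Functions exported through XML-RPC
@@ -12,7 +13,7 @@ def err(msg):
     raise XSMError(msg)
 
 def on():
-    return 0 #xsconstants.XS_POLICY_FLASK
+    return xsconstants.XS_POLICY_FLASK
 
 def ssidref2label(ssidref):
     try:
@@ -37,8 +38,9 @@ def set_security_label(policy, label):
     return label
 
 def ssidref2security_label(ssidref):
-    return ssidref2label(ssidref)
+    label = ssidref2label(ssidref)
+    return label
 
 def get_security_label(self, xspol=None):
-    label = self.info.get('security_label', '')
+    label = self.info['security_label']
     return label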
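Review bot: `get_security_label` now indexes `self.info['security_label']` directly, so a domain whose info carries no label raises a bare KeyError where the old `.get('security_label', '')` returned an empty string. If refusing an unlabeled domain is the intent, route it through the module's own error helper so callers see an XSMError: `if 'security_label' not in self.info: err("domain has no security_label")`. The `ssidref2security_label` change only introduces a temporary and could stay as the one-line return.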
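--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/python/xen/util/xsm/xsm.py	Thu Sep 04 11:23:08 2008 +0100
@@ -0,0 +1,19 @@
+import sys
+import string
+from xen.xend import XendOptions
+from xen.util import xsconstants
+from xsm_core import xsm_init
+
+xoptions = XendOptions.instance()
+xsm_module_name = xoptions.get_xsm_module_name()
+
+xsconstants.XS_POLICY_USE = eval("xsconstants.XS_POLICY_"+string.upper(xsm_module_name))
+
+xsm_module_path = "xen.util.xsm." + xsm_module_name + "." + xsm_module_name
+xsm_module = __import__(xsm_module_path, globals(), locals(), ['*'], -1)
+
+xsm_init(xsm_module)
+
+for op in dir(xsm_module):
+    if not hasattr(sys.modules[__name__], op):
+        setattr(sys.modules[__name__], op, getattr(xsm_module, op, None))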
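Review bot: The `eval(...)` that sets `xsconstants.XS_POLICY_USE` runs text built from `xsm_module_name`, a value read from xend-config.sxp, as a Python expression, and the same unvalidated string is then spliced into the `__import__` path. A config file is data, so a bad or tampered value should fail with a clear error rather than be evaluated or imported. Check the name against the supported set first, `if xsm_module_name not in ('dummy', 'acm', 'flask'): raise ValueError("unknown xsm_module_name: %r" % xsm_module_name)`, then look the constant up with `getattr(xsconstants, "XS_POLICY_" + xsm_module_name.upper())`. The closing loop also copies every name in `dir(xsm_module)`, underscore-prefixed ones included, which is wider than the `from ... import *` the generated file used; skipping names that start with `_` would keep the old surface.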
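--- a/tools/python/xen/xend/XendConfig.py	Thu Sep 04 11:19:17 2008 +0100
+++ b/tools/python/xen/xend/XendConfig.py	Thu Sep 04 11:23:08 2008 +0100
@@ -729,7 +729,7 @@ class XendConfig(dict):
             self.parse_cpuid(cfg, 'cpuid_check')
 
         import xen.util.xsm.xsm as security
-        if security.on() == xsconstants.XS_POLICY_ACM:
+        if security.on() == xsconstants.XS_POLICY_USE:
             from xen.util.acmpolicy import ACM_LABEL_UNLABELED
             if not 'security' in cfg and sxp.child_value(sxp_cfg, 'security'):
                 cfg['security'] = sxp.child_value(sxp_cfg, 'security')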
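Review bot: The guard `security.on() == xsconstants.XS_POLICY_USE` no longer means "ACM is enabled": with the default dummy module both sides are 0 (`dummy.on()` returns `XS_POLICY_DUMMY`, and xsm.py sets `XS_POLICY_USE` to the same constant), so the branch is now taken, and the first thing it does here is `from xen.util.acmpolicy import ACM_LABEL_UNLABELED`. The same substitution appears in XendDomainInfo.py (ahead of `calc_dom_ssidref_from_info` and `has_authorization`) and in blkif.py and netif.py (ahead of `do_access_control`), so those authorization paths now also run under dummy and flask. If that is intended, it is worth confirming that every module implements those calls and that the dummy versions neither raise nor deny; the ACM-specific label handling in this file should probably stay behind `xsconstants.XS_POLICY_USE == xsconstants.XS_POLICY_ACM`. The enclosing method continues past the hunk, so the rest of the branch is not visible here.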
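--- a/tools/python/xen/xend/XendDomainInfo.py	Thu Sep 04 11:19:17 2008 +0100
+++ b/tools/python/xen/xend/XendDomainInfo.py	Thu Sep 04 11:23:08 2008 +0100
@@ -2069,7 +2069,7 @@ class XendDomainInfo:
         balloon.free(2*1024) # 2MB should be plenty
 
         ssidref = 0
-        if security.on() == xsconstants.XS_POLICY_ACM:
+        if security.on() == xsconstants.XS_POLICY_USE:
             ssidref = security.calc_dom_ssidref_from_info(self.info)
             if security.has_authorization(ssidref) == False:
                 raise VmError("VM is not authorized to run.")
@@ -2855,10 +2855,6 @@ class XendDomainInfo:
             info["maxmem_kb"] = XendNode.instance() \
                                 .physinfo_dict()['total_memory'] * 1024
 
-        #ssidref field not used any longer
-        if 'ssidref' in info:
-            info.pop('ssidref')
-
         # make sure state is reset for info
         # TODO: we should eventually get rid of old_dom_states
 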
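--- a/tools/python/xen/xend/XendOptions.py	Thu Sep 04 11:19:17 2008 +0100
+++ b/tools/python/xen/xend/XendOptions.py	Thu Sep 04 11:23:08 2008 +0100
@@ -132,6 +132,9 @@ class XendOptions:
     """Default script to configure a backend network interface"""
     vif_script = osdep.vif_script
 
+    """Default Xen Security Module"""
+    xsm_module_default = 'dummy'
+
     """Default rotation count of qemu-dm log file."""
     qemu_dm_logrotate_count = 10
 
@@ -427,6 +430,11 @@ class XendOptionsFile(XendOptions):
         return self.get_config_value('xen-api-server',
                                      self.xen_api_server_default)
 
+    def get_xsm_module_name(self):
+        """Get the Xen Security Module name.
+        """
+        return self.get_config_string('xsm_module_name', self.xsm_module_default)
+
 if os.uname()[0] == 'SunOS':
     class XendOptionsSMF(XendOptions):
 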
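Review bot: `get_xsm_module_name` appears to be added only to `XendOptionsFile` (the hunk header names that class, and the SunOS-only `XendOptionsSMF` definition starts right after it), yet xsm.py calls it on whatever `XendOptions.instance()` returns. Unless `XendOptionsSMF` gets the same getter somewhere outside this hunk, importing `xen.util.xsm.xsm` on SunOS would fail with AttributeError. Defining the getter on the base `XendOptions` class next to `xsm_module_default` would cover both, assuming the base-class getters can already call `get_config_string`. The docstring could also name the accepted values (`dummy`, `acm`, `flask`) and the default.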
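--- a/tools/python/xen/xend/server/blkif.py	Thu Sep 04 11:19:17 2008 +0100
+++ b/tools/python/xen/xend/server/blkif.py	Thu Sep 04 11:23:08 2008 +0100
@@ -78,7 +78,7 @@ class BlkifController(DevController):
         if uuid:
             back['uuid'] = uuid
 
-        if security.on() == xsconstants.XS_POLICY_ACM:
+        if security.on() == xsconstants.XS_POLICY_USE:
             self.do_access_control(config, uname)
 
         (device_path, devid) = blkif.blkdev_name_to_number(dev)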
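--- a/tools/python/xen/xend/server/netif.py	Thu Sep 04 11:19:17 2008 +0100
+++ b/tools/python/xen/xend/server/netif.py	Thu Sep 04 11:23:08 2008 +0100
@@ -156,7 +156,7 @@ class NetifController(DevController):
             front = { 'handle' : "%i" % devid,
                       'mac'    : mac }
 
-        if security.on() == xsconstants.XS_POLICY_ACM:
+        if security.on() == xsconstants.XS_POLICY_USE:
             self.do_access_control(config)
 
         return (devid, back, front)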