ia64/xen-unstable

changeset 17647:65eec0554f39

[Xend/security] Refactor the code that recalculates the label during a policy update
Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
author Keir Fraser <keir.fraser@citrix.com>
date Tue May 13 12:46:45 2008 +0100 (2008-05-13)
parents 5e1a0dc74a35
children 53195719f762
files tools/python/xen/util/xsm/acm/acm.py
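--- a/tools/python/xen/util/xsm/acm/acm.py
+++ b/tools/python/xen/util/xsm/acm/acm.py
@@ -1363,6 +1363,45 @@ def relabel_domains(relabel_list):
     return rc, errors
 
 
+def __update_label_policy_change(sec_lab,
+                                 cur_poltype,
+                                 cur_polname,
+                                 new_poltype,
+                                 new_polname,
+                                 polnew_labels,
+                                 label_map):
+    """
+    Determine a new resource label given the new policy's type
+    and name and the new policy's (resource/VM) labels and the
+    (resource/VM) label map that indicates renaming rules for
+    labels.
+    """
+    is_deleted = False
+    policytype, policy, label = sec_lab
+
+    if cur_poltype != policytype or \
+       cur_polname != policy:
+        return sec_lab, is_deleted
+
+    if policytype != xsconstants.ACM_POLICY_ID:
+        return sec_lab, is_deleted
+    elif label_map.has_key(label) and policy == cur_polname:
+        # renaming of an active label; policy may have been renamed
+        label = label_map[label]
+        polname = new_polname
+    elif label not in polnew_labels:
+        # label been removed
+        policytype = xsconstants.INVALID_POLICY_PREFIX + policytype
+        polname = policy
+        is_deleted = True
+    else:
+        # no change to label
+        policytype = xsconstants.ACM_POLICY_ID
+        polname = new_polname
+
+    return tuple( [ policytype, polname, label ] ), is_deleted
+
+
 def change_acm_policy(bin_pol, del_array, chg_array,
                       vmlabel_map, reslabel_map, cur_acmpol, new_acmpol,
                       is_reset):
@@ -1430,30 +1469,21 @@ def change_acm_policy(bin_pol, del_array
             else:
                 return -xsconstants.XSERR_BAD_LABEL_FORMAT, ""
 
-            if policytype != cur_policytype or \
-               policy     != cur_policyname:
-                continue
+            new_sec_lab, is_deleted = \
+                __update_label_policy_change( tuple([policytype,
+                                                     policy,
+                                                     label]),
+                                             cur_policytype,
+                                             cur_policyname,
+                                             new_policytype,
+                                             new_policyname,
+                                             polnew_reslabels,
+                                             reslabel_map)
 
-            # label been renamed or deleted?
-            if policytype != xsconstants.ACM_POLICY_ID:
-                continue
-            elif reslabel_map.has_key(label) and cur_policyname == policy:
-                # renaming of an active label; policy may have been renamed
-                label = reslabel_map[label]
-                polname = new_policyname
-            elif label not in polnew_reslabels:
-                # label been removed
-                policytype = xsconstants.INVALID_POLICY_PREFIX + policytype
+            if is_deleted:
                 label_changes.append(key)
-                polname = policy
-            else:
-                # no change to label
-                policytype = xsconstants.ACM_POLICY_ID
-                polname = new_policyname
-
             # Update entry
-            access_control[key] = \
-                   tuple([ policytype, polname, label ])
+            access_control[key] = new_sec_lab
 
         # All resources have new labels in the access_control map
         # There may still be labels in there that are invalid now.
@@ -1510,6 +1540,29 @@ def change_acm_policy(bin_pol, del_array
                 if not compatible:
                     return (-xsconstants.XSERR_RESOURCE_ACCESS, "")
 
+        for dominfo in dominfos:
+            # relabel the VIF interfaces
+            changed = False
+            for vif_uuid in dominfo.get_vifs():
+                sec_lab = dominfo.info['devices'][vif_uuid][1]\
+                                 .get('security_label')
+                if sec_lab:
+                    result, _ = \
+                        __update_label_policy_change(tuple(sec_lab.split(':')),
+                                                     cur_policytype,
+                                                     cur_policyname,
+                                                     new_policytype,
+                                                     new_policyname,
+                                                     polnew_reslabels,
+                                                     reslabel_map)
+                    new_sec_lab = ':'.join(list(result))
+                    if new_sec_lab != sec_lab:
+                        changed = True
+                        dominfo.info['devices'][vif_uuid][1]\
+                                    ['security_label'] = new_sec_lab
+            if changed:
+                XendDomain.instance().managed_config_save(dominfo)
+
         rc, errors = hv_chg_policy(bin_pol, del_array, chg_array)
         if rc == 0:
             for key in label_changes: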
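Review bot: The VIF relabel loop in the third hunk passes `tuple(sec_lab.split(':'))` straight into `__update_label_policy_change`, whose first statement unpacks exactly three fields, so a stored `security_label` that does not split into three parts raises ValueError out of change_acm_policy, whereas the resource-label path in the second hunk returns `-xsconstants.XSERR_BAD_LABEL_FORMAT` for a malformed label. A guard before the call, `parts = sec_lab.split(':')` followed by `if len(parts) != 3: return -xsconstants.XSERR_BAD_LABEL_FORMAT, ""`, keeps the two paths consistent. Note also that `managed_config_save` persists the rewritten VIF labels before `hv_chg_policy` runs and before the `rc == 0` check that gates the resource-label changes, so a rejected policy (or an exception on a later domain) leaves earlier domains' saved configs already referencing the new policy name; collecting the changed dominfos and saving them inside the `rc == 0` branch would avoid that, if the surrounding code permits. In the helper, the `policy == cur_polname` test in the `has_key` branch is always true after the early return on `cur_polname != policy` and can be dropped. change_acm_policy continues outside the hunk.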