ia64/xen-unstable

changeset 17578:94c6501c4ffe

xend: Refactor security.on() call

I am refactoring the security.on() call to return the actual type of
the security module that is found to be enabled rather than just
returning True or False.

Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
author Keir Fraser <keir.fraser@citrix.com>
date Tue May 06 10:05:52 2008 +0100 (2008-05-06)
parents ccbbe6fe5827
children d5589865bfce
files tools/python/xen/util/xsm/acm/acm.py tools/python/xen/util/xsm/flask/flask.py tools/python/xen/xend/XendConfig.py tools/python/xen/xend/XendDomainInfo.py tools/python/xen/xend/XendXSPolicyAdmin.py tools/python/xen/xend/server/blkif.py tools/python/xen/xend/server/netif.py tools/python/xen/xm/addlabel.py tools/python/xen/xm/dry-run.py
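--- a/tools/python/xen/util/xsm/acm/acm.py	Mon May 05 10:16:58 2008 +0100
+++ b/tools/python/xen/util/xsm/acm/acm.py	Tue May 06 10:05:52 2008 +0100
@@ -156,7 +156,9 @@ def on():
     returns none if security policy is off (not compiled),
     any string otherwise, use it: if not security.on() ...
     """
-    return (get_active_policy_name() not in ['INACTIVE', 'NULL'])
+    if get_active_policy_name() not in ['INACTIVE', 'NULL', '']:
+        return xsconstants.XS_POLICY_ACM
+    return 0
 
 
 def calc_dom_ssidref_from_info(info):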
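Review bot: The docstring just above the new return statements still says on() "returns none if security policy is off ... any string otherwise", but the function now returns `xsconstants.XS_POLICY_ACM` or `0`. I would reword it to `returns xsconstants.XS_POLICY_ACM if an ACM policy is active, 0 otherwise; compare the result against the constant`, and put a comment such as `# an empty policy name is treated like 'INACTIVE'/'NULL'` on the new list, since callers use this value to decide whether ACM checks run. The docstring starts outside the hunk, and no import of xsconstants is visible here, so confirm the module already has one.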
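--- a/tools/python/xen/util/xsm/flask/flask.py	Mon May 05 10:16:58 2008 +0100
+++ b/tools/python/xen/util/xsm/flask/flask.py	Tue May 06 10:05:52 2008 +0100
@@ -12,7 +12,7 @@ def err(msg):
     raise XSMError(msg)
 
 def on():
-    return 1
+    return 0 #xsconstants.XS_POLICY_FLASK
 
 def ssidref2label(ssidref):
     try: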
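Review bot: `return 0 #xsconstants.XS_POLICY_FLASK` makes the Flask module report itself as disabled where it used to return 1, while the commit message describes the change only as a refactoring. Any caller still written as `if security.on():` will now treat a Flask-enabled host as having no security module at all. If this is deliberate until the callers handle XS_POLICY_FLASK, say so in place of the commented-out expression, for example `# TODO: return xsconstants.XS_POLICY_FLASK once callers handle Flask; 0 only means "not ACM" here`.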
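--- a/tools/python/xen/xend/XendConfig.py	Mon May 05 10:16:58 2008 +0100
+++ b/tools/python/xen/xend/XendConfig.py	Tue May 06 10:05:52 2008 +0100
@@ -688,7 +688,7 @@ class XendConfig(dict):
             self.parse_cpuid(cfg, 'cpuid_check')
 
         import xen.util.xsm.xsm as security
-        if security.on():
+        if security.on() == xsconstants.XS_POLICY_ACM:
             from xen.util.acmpolicy import ACM_LABEL_UNLABELED
             if not 'security' in cfg and sxp.child_value(sxp_cfg, 'security'):
                 cfg['security'] = sxp.child_value(sxp_cfg, 'security')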
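Review bot: The new comparison `if security.on() == xsconstants.XS_POLICY_ACM:` needs `xsconstants` in scope, and unlike XendDomainInfo.py, blkif.py, netif.py and dry-run.py this file gets no `from xen.util import xsconstants` in the commit. If XendConfig.py does not already import it outside the hunk, the line raises NameError as soon as it runs. Worth checking, and if it is missing, adding the import next to the local `import xen.util.xsm.xsm as security`. The enclosing method starts and ends outside the hunk.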
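--- a/tools/python/xen/xend/XendDomainInfo.py	Mon May 05 10:16:58 2008 +0100
+++ b/tools/python/xen/xend/XendDomainInfo.py	Tue May 06 10:05:52 2008 +0100
@@ -37,6 +37,7 @@ import xen.lowlevel.xc
 from xen.util import asserts
 from xen.util.blkif import blkdev_uname_to_file, blkdev_uname_to_taptype
 import xen.util.xsm.xsm as security
+from xen.util import xsconstants
 
 from xen.xend import balloon, sxp, uuid, image, arch, osdep
 from xen.xend import XendOptions, XendNode, XendConfig
@@ -1973,7 +1974,7 @@ class XendDomainInfo:
         balloon.free(2*1024) # 2MB should be plenty
 
         ssidref = 0
-        if security.on():
+        if security.on() == xsconstants.XS_POLICY_ACM:
             ssidref = security.calc_dom_ssidref_from_info(self.info)
             if security.has_authorization(ssidref) == False:
                 raise VmError("VM is not authorized to run.")
@@ -1987,7 +1988,7 @@ class XendDomainInfo:
                 target = self.info.target())
         except Exception, e:
             # may get here if due to ACM the operation is not permitted
-            if security.on():
+            if security.on() == xsconstants.XS_POLICY_ACM:
                 raise VmError('Domain in conflict set with running domain?')
 
         if self.domid < 0:
@@ -2853,7 +2854,6 @@ class XendDomainInfo:
         is_policy_update = (xspol_old != None)
 
         from xen.xend.XendXSPolicyAdmin import XSPolicyAdminInstance
-        from xen.util import xsconstants
 
         state = self._stateGet()
         # Relabel only HALTED or RUNNING or PAUSED domains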
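Review bot: In the hunk at `@@ -1987,7 +1988,7 @@`, `except Exception, e:` now re-raises only when ACM is active, so in every other configuration the caught exception is dropped and `e` is never used; the only trace left is the `self.domid < 0` check that follows. Under ACM the original error is also replaced by the guess 'Domain in conflict set with running domain?'. I would record the exception before the ACM test, e.g. `log.error("domain create call failed: %s", e)` (assuming the module has a logger in scope), so that failures unrelated to ACM stay diagnosable. The try block begins outside the hunk.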
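--- a/tools/python/xen/xend/XendXSPolicyAdmin.py	Mon May 05 10:16:58 2008 +0100
+++ b/tools/python/xen/xend/XendXSPolicyAdmin.py	Tue May 06 10:05:52 2008 +0100
@@ -48,6 +48,10 @@ class XSPolicyAdmin:
         self.xsobjs = {}
         bootloader.init()
 
+        if security.on() == xsconstants.XS_POLICY_ACM:
+            self.__acm_init()
+
+    def __acm_init(self):
         act_pol_name = self.get_hv_loaded_policy_name()
         initialize()
 
@@ -74,7 +78,7 @@ class XSPolicyAdmin:
             This currently only checks for ACM-enablement.
         """
         rc = 0
-        if security.on():
+        if security.on() == xsconstants.XS_POLICY_ACM:
             rc |= xsconstants.XS_POLICY_ACM
         return rc
 
@@ -104,6 +108,8 @@ class XSPolicyAdmin:
 
     def __add_acmpolicy_to_system(self, xmltext, flags, overwrite):
         errors = ""
+        if security.on() != xsconstants.XS_POLICY_ACM:
+            raise SecurityError(-xsconstants.XSERR_POLICY_TYPE_UNSUPPORTED)
         loadedpol = self.get_loaded_policy()
         if loadedpol:
             # This is meant as an update to a currently loaded policy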
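Review bot: `__acm_init` is now skipped whenever on() does not return XS_POLICY_ACM, so anything the old constructor body set up after `initialize()` no longer exists on such hosts. The rest of that body is outside the hunk, so this is inferred: if it assigns attributes on `self`, methods other than `__add_acmpolicy_to_system` (the only one given a guard here) could fail with AttributeError instead of a clean SecurityError. I would give those attributes defaults in `__init__` before the check, and add a docstring to the new method, e.g. `"""ACM-specific initialisation; only called when security.on() reports XS_POLICY_ACM."""`.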
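--- a/tools/python/xen/xend/server/blkif.py	Mon May 05 10:16:58 2008 +0100
+++ b/tools/python/xen/xend/server/blkif.py	Tue May 06 10:05:52 2008 +0100
@@ -23,6 +23,7 @@ from xen.util import blkif
 import xen.util.xsm.xsm as security
 from xen.xend.XendError import VmError
 from xen.xend.server.DevController import DevController
+from xen.util import xsconstants
 
 class BlkifController(DevController):
     """Block device interface controller. Handles all block devices
@@ -72,7 +73,7 @@ class BlkifController(DevController):
         if uuid:
             back['uuid'] = uuid
 
-        if security.on():
+        if security.on() == xsconstants.XS_POLICY_ACM:
             self.do_access_control(config, uname)
 
         devid = blkif.blkdev_name_to_number(dev)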
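Review bot: `self.do_access_control(config, uname)` is now reached only when on() returns exactly XS_POLICY_ACM, so the access-control call for the block device is skipped without any trace for every other return value, including the `0` that flask.on() returns after this commit. If that is intended, a comment above the test such as `# access control is only enforced for ACM; other module types skip it` would make the fail-open behaviour explicit to the next reader. The same applies to the matching `do_access_control(config)` line in netif.py. The enclosing method lies outside the hunk.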
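--- a/tools/python/xen/xend/server/netif.py	Mon May 05 10:16:58 2008 +0100
+++ b/tools/python/xen/xend/server/netif.py	Tue May 06 10:05:52 2008 +0100
@@ -29,6 +29,7 @@ from xen.xend.server.DevController impor
 from xen.xend.XendError import VmError
 from xen.xend.XendXSPolicyAdmin import XSPolicyAdminInstance
 import xen.util.xsm.xsm as security
+from xen.util import xsconstants
 
 from xen.xend.XendLogging import log
 
@@ -155,7 +156,7 @@ class NetifController(DevController):
             front = { 'handle' : "%i" % devid,
                       'mac'    : mac }
 
-        if security.on():
+        if security.on() == xsconstants.XS_POLICY_ACM:
             self.do_access_control(config)
 
         return (devid, back, front)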
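--- a/tools/python/xen/xm/addlabel.py	Mon May 05 10:16:58 2008 +0100
+++ b/tools/python/xen/xm/addlabel.py	Tue May 06 10:05:52 2008 +0100
@@ -205,17 +205,17 @@ def main(argv):
     policy_type = ""
     if len(argv) not in (4, 5):
         raise OptionError('Needs either 2 or 3 arguments')
-    
+
     label = argv[1]
-    
+
     if len(argv) == 5:
         policyref = argv[4]
-    elif security.on():
+    elif security.on() == xsconstants.XS_POLICY_ACM:
         policyref = security.active_policy
         policy_type = xsconstants.ACM_POLICY_ID
     else:
-        raise OptionError("No active policy. Must specify policy on the "
-                          "command line.")
+        raise OptionError("ACM security is not enabled. You must specify "\
+                          "the policy on the command line.")
 
     if argv[2].lower() == "dom":
         configfile = argv[3]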
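Review bot: The backslash at the end of the new `raise OptionError("ACM security is not enabled. You must specify "\` line is redundant: the string continues inside the open parenthesis and adjacent literals are joined anyway, as the removed lines showed. I would drop it so the line ends `...You must specify "`. main() continues outside the hunk.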
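--- a/tools/python/xen/xm/dry-run.py	Mon May 05 10:16:58 2008 +0100
+++ b/tools/python/xen/xm/dry-run.py	Tue May 06 10:05:52 2008 +0100
@@ -22,6 +22,7 @@ import sys
 import xen.util.xsm.xsm as security
 from xen.xm import create
 from xen.xend import sxp
+from xen.util import xsconstants
 from xen.xm.opts import OptionError
 
 def help():
@@ -40,7 +41,7 @@ def check_domain_label(config, verbose):
     answer = 0
     default_label = None
     secon = 0
-    if security.on():
+    if security.on() == xsconstants.XS_POLICY_ACM:
         default_label = security.ssidref2label(security.NULL_SSIDREF)
         secon = 1
 
@@ -90,7 +91,7 @@ def config_security_check(config, verbos
             domain_policy = sxp.child_value(sxp.name(sxp.child0(x)), 'policy')
 
     # if no domain label, use default
-    if not domain_label and security.on():
+    if not domain_label and security.on() == xsconstants.XS_POLICY_ACM:
         try:
             domain_label = security.ssidref2label(security.NULL_SSIDREF)
         except: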