
changeset 15615:9c077fc8ccf1

[Xend] More security-related fixes

This patch provides some more fixes related to the recent
security-related extensions to xend.

Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
author kfraser@localhost.localdomain
date Wed Jul 18 10:09:06 2007 +0100 (2007-07-18)
parents 7ef821ff6d89
children 2cbaa58b1311
files tools/python/xen/util/acmpolicy.py tools/python/xen/util/security.py tools/python/xen/xend/XendAPI.py tools/python/xen/xend/XendVDI.py tools/python/xen/xend/XendXSPolicyAdmin.py tools/python/xen/xm/cfgbootpolicy.py
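--- a/tools/python/xen/util/acmpolicy.py
+++ b/tools/python/xen/util/acmpolicy.py
@@ -122,7 +122,8 @@ class ACMPolicy(XSPolicy):
             rc = -xsconstants.XSERR_GENERAL_FAILURE
         if rc != xsconstants.XSERR_SUCCESS:
             log.warn("XML did not validate against schema")
-        rc = self.__validate_name_and_labels()
+        if rc == xsconstants.XSERR_SUCCESS:
+            rc = self.__validate_name_and_labels()
         return rc
 
     def __validate_name_and_labels(self):
@@ -626,14 +627,15 @@ class ACMPolicy(XSPolicy):
     def policy_get_stes_of_vmlabel(self, vmlabel):
         """ Get a list of all STEs of a given VMlabel """
         return self.__policy_get_stes_of_labeltype(vmlabel,
-                                                   "VirtualMachineLabel")
+                                        "/SubjectLabels", "VirtualMachineLabel")
 
     def policy_get_stes_of_resource(self, reslabel):
         """ Get a list of all resources of a given VMlabel """
-        return self.__policy_get_stes_of_labeltype(reslabel, "ResourceLabel")
+        return self.__policy_get_stes_of_labeltype(reslabel,
+                                        "/ObjectLabels", "ResourceLabel")
 
-    def __policy_get_stes_of_labeltype(self, label, labeltype):
-        node = self.dom_get_node("SecurityLabelTemplate/SubjectLabels")
+    def __policy_get_stes_of_labeltype(self, label, path, labeltype):
+        node = self.dom_get_node("SecurityLabelTemplate" + path)
         if node:
             i = 0
             while i < len(node.childNodes):
@@ -661,7 +663,8 @@ class ACMPolicy(XSPolicy):
             return False
         for res in resources:
             res_stes = self.policy_get_stes_of_resource(res)
-            if len( set(res_stes).union( set(vm_stes) ) ) == 0:
+            if len(res_stes) == 0 or \
+               len( set(res_stes).intersection( set(vm_stes) ) ) == 0:
                 return False
         return True
 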
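Review bot: The docstring of policy_get_stes_of_resource in the second hunk still reads `""" Get a list of all resources of a given VMlabel """` although the method returns the STEs of a resource label, now looked up under /ObjectLabels instead of /SubjectLabels; it should read `""" Get a list of all STEs of a given resource label """`, and `__policy_get_stes_of_labeltype` would benefit from a one-line docstring naming `path` as the SecurityLabelTemplate sub-path that is searched. In the third hunk the added `len(res_stes) == 0` guard is redundant, since an empty res_stes already gives an empty intersection, and `set(vm_stes)` is rebuilt on every loop iteration and could be computed once before the loop. The function enclosing that loop starts outside the hunk.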
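--- a/tools/python/xen/util/security.py
+++ b/tools/python/xen/util/security.py
@@ -799,9 +799,10 @@ def is_resource_in_use(resource):
             lst.append(dominfo)
     return lst
 
-def devices_equal(res1, res2):
+def devices_equal(res1, res2, mustexist=True):
     """ Determine whether two devices are equal """
-    return (unify_resname(res1) == unify_resname(res2))
+    return (unify_resname(res1, mustexist) ==
+            unify_resname(res2, mustexist))
 
 def is_resource_in_use_by_dom(dominfo, resource):
     """ Determine whether a resources is in use by a given domain
@@ -817,7 +818,7 @@ def is_resource_in_use_by_dom(dominfo, r
         dev = devs[uuid]
         if len(dev) >= 2 and dev[1].has_key('uname'):
             # dev[0] is type, i.e. 'vbd'
-            if devices_equal(dev[1]['uname'], resource):
+            if devices_equal(dev[1]['uname'], resource, mustexist=False):
                 log.info("RESOURCE IN USE: Domain %d uses %s." %
                          (dominfo.domid, resource))
                 return True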
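Review bot: The new `mustexist` parameter of devices_equal in the first hunk is not documented; the docstring should say what it controls, e.g. `""" Determine whether two devices are equal; with mustexist=False the names are unified without requiring the resources to exist """`, where the second half is an inference since unify_resname is outside the hunk and should be checked against it. Passing `mustexist` positionally ties this call to unify_resname's parameter order; if unify_resname's parameter carries the same name, `unify_resname(res1, mustexist=mustexist)` would make the intent explicit and survive a signature change. The second hunk's caller, is_resource_in_use_by_dom, starts outside the hunk, so whether the `mustexist=False` relaxation is safe for every path that reaches it cannot be judged from here.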
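--- a/tools/python/xen/xend/XendAPI.py
+++ b/tools/python/xen/xend/XendAPI.py
@@ -1620,7 +1620,8 @@ class XendAPI(object):
         (rc, errors, oldlabel, new_ssidref) = \
                                  dom.set_security_label(sec_label, old_label)
         if rc != xsconstants.XSERR_SUCCESS:
-            return xen_api_error(['SECURITY_ERROR', rc])
+            return xen_api_error(['SECURITY_ERROR', rc,
+                                 xsconstants.xserr2string(-rc)])
         if rc == 0:
             rc = new_ssidref
         return xen_api_success(rc)
@@ -2239,7 +2240,8 @@ class XendAPI(object):
         vdi = XendNode.instance().get_vdi_by_uuid(vdi_ref)
         rc = vdi.set_security_label(sec_lab, old_lab)
         if rc < 0:
-            return xen_api_error(['SECURITY_ERROR', rc])
+            return xen_api_error(['SECURITY_ERROR', rc,
+                                 xsconstants.xserr2string(-rc)])
         return xen_api_success(rc)
 
     def VDI_get_security_label(self, session, vdi_ref):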
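Review bot: The two hunks detect failure differently — `rc != xsconstants.XSERR_SUCCESS` in the first, `rc < 0` in the second — yet both pass `-rc` to xserr2string, which only makes sense when rc is a negated error code as the `-xsconstants.XSERR_GENERAL_FAILURE` convention elsewhere in this commit suggests. If dom.set_security_label can return a positive non-success value, the first branch would hand a negative number to xserr2string; using `if rc < 0:` there as well, or documenting that rc is never positive on failure, would keep the two call sites consistent. The `if rc == 0:` following the first early return is only reached when rc equals XSERR_SUCCESS, so it deserves a short comment if XSERR_SUCCESS is 0 (not visible here). Both enclosing methods start outside the hunks.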
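--- a/tools/python/xen/xend/XendVDI.py
+++ b/tools/python/xen/xend/XendVDI.py
@@ -24,6 +24,7 @@ import os
 from xen.util.xmlrpclib2 import stringify
 from xmlrpclib import dumps, loads
 from xen.util import security, xsconstants
+from xen.xend.XendError import SecurityError
 
 KB = 1024
 MB = 1024 * 1024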
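--- a/tools/python/xen/xend/XendXSPolicyAdmin.py
+++ b/tools/python/xen/xend/XendXSPolicyAdmin.py
@@ -56,7 +56,10 @@ class XSPolicyAdmin:
             typ = data[1]
             try:
                 if typ == xsconstants.ACM_POLICY_ID:
-                    self.xsobjs[ref] = ACMPolicy(name=name, ref=ref)
+                    try:
+                        self.xsobjs[ref] = ACMPolicy(name=name, ref=ref)
+                    except Exception, e:
+                        del self.policies[ref]
                 else:
                     del self.policies[ref]
             except Exception, e:
@@ -271,6 +274,10 @@ class XSPolicyAdmin:
                 return pol
         return None
 
+    def get_hv_loaded_policy_name(self):
+        security.refresh_security_policy()
+        return security.active_policy
+
     def get_policy_by_name(self, name):
         for pol in self.xsobjs.values():
             if pol.get_name() == name: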
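Review bot: The inner `except Exception, e:` added in the first hunk discards the exception it catches: the entry is dropped from self.policies but nothing records why ACMPolicy construction failed, and `e` is unused. Logging a warning with `ref`, `name` and `e` before the `del` (through whatever logger this module uses — none is visible in the hunk) would keep the silent drop from hiding a malformed policy file that an administrator should hear about. The new get_hv_loaded_policy_name in the second hunk has no docstring; `""" Refresh the security state and return the name of the policy the hypervisor currently has loaded """` describes the two lines, assuming security.active_policy holds that name. The loop enclosing the first hunk starts outside it.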
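--- a/tools/python/xen/xm/cfgbootpolicy.py
+++ b/tools/python/xen/xm/cfgbootpolicy.py
@@ -170,8 +170,9 @@ def cfgbootpolicy_xapi(policy, user_titl
             OptionError("No policy installed on system?")
         acmpol = ACMPolicy(xml=xml)
         if acmpol.get_name() != policy:
-            OptionError("Policy installed on system '%s' does not match the "
-                        "request policy '%s'" % (acmpol.get_name(), policy))
+            raise OptionError("Policy installed on system '%s' does not "
+                              "match the requested policy '%s'" %
+                              (acmpol.get_name(), policy))
         flags = int(policystate['flags']) | xsconstants.XS_INST_BOOT
         rc = int(server.xenapi.XSPolicy.activate_xspolicy(xs_ref, flags))
         if rc == flags: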