ia64/xen-unstable

changeset 10589:c77b066f864a

Replace changesets 10521, 10526, and 10527 with this new version that does not
use xml.marshal.

This patch adds new xm subcommands to support working with resource
labels. The new subcommands are 'xm resources', 'xm rmlabel', 'xm
getlabel' and 'xm dry-run'. In addition, the 'xm addlabel' subcommand
now uses an updated syntax to support labeling both domains and
resources. See the xm man page for details on each subcommand.

Beyond the new subcommands, this patch allows users to immediately see
when security checks will fail by pushing some basic security checking
into the beginning of 'xm create' and 'xm block-attach'. ACM security
attributes for block devices are added to XenStore in order to support
the final security enforcement, which will be performed in the kernel
and included in a separate patch.

Signed-off-by: Bryan D. Payne <bdpayne@us.ibm.com>
Signed-off-by: Reiner Sailer <sailer@us.ibm.com>
author emellor@leeni.uk.xensource.com
date Thu Jun 29 11:13:11 2006 +0100 (2006-06-29)
parents cb9443bfdff8
children 3d40e2f509fc
files tools/python/xen/util/dictio.py tools/python/xen/util/security.py tools/python/xen/xm/addlabel.py tools/python/xen/xm/getlabel.py tools/python/xen/xm/resources.py tools/python/xen/xm/rmlabel.py
     1.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     1.2 +++ b/tools/python/xen/util/dictio.py	Thu Jun 29 11:13:11 2006 +0100
     1.3 @@ -0,0 +1,50 @@
     1.4 +#===========================================================================
     1.5 +# This library is free software; you can redistribute it and/or
     1.6 +# modify it under the terms of version 2.1 of the GNU Lesser General Public
     1.7 +# License as published by the Free Software Foundation.
     1.8 +#
     1.9 +# This library is distributed in the hope that it will be useful,
    1.10 +# but WITHOUT ANY WARRANTY; without even the implied warranty of
    1.11 +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
    1.12 +# Lesser General Public License for more details.
    1.13 +#
    1.14 +# You should have received a copy of the GNU Lesser General Public
    1.15 +# License along with this library; if not, write to the Free Software
    1.16 +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
    1.17 +#============================================================================
    1.18 +# Copyright (C) 2006 International Business Machines Corp.
    1.19 +# Author: Bryan D. Payne <bdpayne@us.ibm.com>
    1.20 +#============================================================================
    1.21 +
    1.22 +
    1.23 +def dict_read(dictname, filename):
    1.24 +    """Loads <filename> and returns the dictionary named <dictname> from
    1.25 +       the file.
    1.26 +    """
    1.27 +    dict = {}
    1.28 +
    1.29 +    # read in the config file
    1.30 +    globs = {}
    1.31 +    locs = {}
    1.32 +    execfile(filename, globs, locs)
    1.33 +
    1.34 +    for (k, v) in locs.items():
    1.35 +        if k == dictname:
    1.36 +            dict = v
    1.37 +            break
    1.38 +
    1.39 +    return dict
    1.40 +
    1.41 +def dict_write(dict, dictname, filename):
    1.42 +    """Writes <dict> to <filename> using the name <dictname>.  If the file
    1.43 +       contains any other data, it will be overwritten.
    1.44 +    """
    1.45 +    prefix = dictname + " = {\n"
    1.46 +    suffix = "}\n"
    1.47 +    fd = open(filename, "wb")
    1.48 +    fd.write(prefix)
    1.49 +    for key in dict:
    1.50 +        line = "    '" + str(key) + "': " + str(dict[key]) + ",\n"
    1.51 +        fd.write(line)
    1.52 +    fd.write(suffix)
    1.53 +    fd.close()
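Review bot: dict_read at 1.32 loads the label file with execfile, so anyone who can write res_label_filename runs arbitrary Python in the xm process, and dict_write at 1.50 makes that reachable from the resource name itself: the key is emitted with str() inside hand-written single quotes, so a resource argument containing a quote or newline produces a broken or injected file (the value is str() of a tuple, which reprs its strings, so only the key is unescaped). Emit the key with repr() instead, `line = "    " + repr(key) + ": " + repr(dict[key]) + ",\n"`, and say in dict_read's docstring that the file is Python source executed on load and must be writable only by the administrator. Separately, dict_write opens the target with "wb" under the process umask and rewrites it in place, so a crash between 1.47 and 1.53 leaves a truncated file that every caller's bare except then reports as "not found"; writing to a temporary file in the same directory and os.rename-ing it over the target would make the update atomic. dict_read also returns an empty dictionary, not an error, when the file exists but defines no name matching dictname, which the docstring should state since callers treat an empty result as "no labels".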
     2.1 --- a/tools/python/xen/util/security.py	Thu Jun 29 10:48:07 2006 +0100
     2.2 +++ b/tools/python/xen/util/security.py	Thu Jun 29 11:13:11 2006 +0100
     2.3 @@ -22,10 +22,10 @@ import logging
     2.4  import sys, os, string, re
     2.5  import traceback
     2.6  import shutil
     2.7 -#from xml.marshal import generic
     2.8  from xen.lowlevel import acm
     2.9  from xen.xend import sxp
    2.10  from xen.xend.XendLogging import log
    2.11 +from xen.util import dictio
    2.12  
    2.13  #global directories and tools for security management
    2.14  policy_dir_prefix = "/etc/xen/acm-security/policies"
    2.15 @@ -551,20 +551,16 @@ def get_res_label(resource):
    2.16      (label, policy) = default_res_label()
    2.17  
    2.18      # load the resource label file
    2.19 -    configfile = res_label_filename
    2.20 -    if not os.path.isfile(configfile):
    2.21 +    res_label_cache = {}
    2.22 +    try:
    2.23 +        res_label_cache = dictio.dict_read("resources", res_label_filename)
    2.24 +    except:
    2.25          log.info("Resource label file not found.")
    2.26          return default_res_label()
    2.27 -#
    2.28 -# Commented out pending replacement for xml.marshal.generic
    2.29 -#
    2.30 -#     fd = open(configfile, "rb")
    2.31 -#     res_label_cache = generic.load(fd)
    2.32 -#     fd.close()
    2.33  
    2.34 -#     # find the resource information
    2.35 -#     if res_label_cache.has_key(resource):
    2.36 -#         (policy, label) = res_label_cache[resource]
    2.37 +    # find the resource information
    2.38 +    if res_label_cache.has_key(resource):
    2.39 +        (policy, label) = res_label_cache[resource]
    2.40  
    2.41      return (label, policy)
    2.42  
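Review bot: The bare except at 2.24 maps every failure of dict_read — a syntax error in a hand-edited label file, a permission error, a bad path — to the log message "Resource label file not found." and falls through to default_res_label(), so a corrupted or unreadable label database silently yields the default label instead of an error. Catch only the missing-file case with `except IOError:` and keep the current log-and-return there; for any other exception log the filename and the error at error level and re-raise, so the caller's security check fails loudly rather than proceeding on a label that was never read. Whether falling back to the default is fail-open depends on default_res_label(), which is outside the hunk, as is get_res_label's header.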
     3.1 --- a/tools/python/xen/xm/addlabel.py	Thu Jun 29 10:48:07 2006 +0100
     3.2 +++ b/tools/python/xen/xm/addlabel.py	Thu Jun 29 11:13:11 2006 +0100
     3.3 @@ -22,7 +22,7 @@
     3.4  import sys, os
     3.5  import string
     3.6  import traceback
     3.7 -#from xml.marshal import generic
     3.8 +from xen.util import dictio
     3.9  from xen.util import security
    3.10  
    3.11  def usage():
    3.12 @@ -79,17 +79,13 @@ def add_resource_label(label, resource, 
    3.13              return
    3.14  
    3.15          # see if this resource is already in the file
    3.16 +        access_control = {}
    3.17          file = security.res_label_filename
    3.18 -        if not os.path.isfile(file):
    3.19 +        try:
    3.20 +            access_control = dictio.dict_read("resources", file)
    3.21 +        except:
    3.22              print "Resource file not found, creating new file at:"
    3.23              print "%s" % (file)
    3.24 -            fd = open(file, "w")
    3.25 -            fd.close();
    3.26 -            access_control = {}
    3.27 -        else:
    3.28 -            fd = open(file, "rb")
    3.29 -#            access_control = generic.load(fd)
    3.30 -            fd.close()
    3.31  
    3.32          if access_control.has_key(resource):
    3.33              security.err("This resource is already labeled.")
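Review bot: The bare except at 3.21 turns any read failure into "Resource file not found, creating new file", and the code that follows in this function calls dict_write with an otherwise empty dictionary, so a transient permission error or a single malformed line in the existing label file makes xm addlabel overwrite the whole resource label database with one entry. Narrow the handler to the missing-file case, `except IOError, e:` followed by `if e.errno != errno.ENOENT: raise` (errno would need importing at the top of the file), and let every other exception propagate so the existing data is never clobbered. The enclosing try and add_resource_label's header begin before this hunk and the write happens after it.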
    3.34 @@ -97,9 +93,7 @@ def add_resource_label(label, resource, 
    3.35          # write the data to file
    3.36          new_entry = { resource : tuple([policyref, label]) }
    3.37          access_control.update(new_entry)
    3.38 -        fd = open(file, "wb")
    3.39 -#        generic.dump(access_control, fd)
    3.40 -        fd.close()
    3.41 +        dictio.dict_write(access_control, "resources", file)
    3.42  
    3.43      except security.ACMError:
    3.44          pass
     4.1 --- a/tools/python/xen/xm/getlabel.py	Thu Jun 29 10:48:07 2006 +0100
     4.2 +++ b/tools/python/xen/xm/getlabel.py	Thu Jun 29 11:13:11 2006 +0100
     4.3 @@ -21,7 +21,7 @@
     4.4  import sys, os, re
     4.5  import string
     4.6  import traceback
     4.7 -#from xml.marshal import generic
     4.8 +from xen.util import dictio
     4.9  from xen.util import security
    4.10  
    4.11  def usage():
    4.12 @@ -33,17 +33,15 @@ def usage():
    4.13  def get_resource_label(resource):
    4.14      """Gets the resource label
    4.15      """
    4.16 +    # read in the resource file
    4.17 +    file = security.res_label_filename
    4.18      try:
    4.19 -        # read in the resource file
    4.20 -        file = security.res_label_filename
    4.21 -        if os.path.isfile(file):
    4.22 -            fd = open(file, "rb")
    4.23 -#            access_control = generic.load(fd)
    4.24 -            fd.close()
    4.25 -        else:
    4.26 -            print "Resource label file not found"
    4.27 -            return
    4.28 +        access_control = dictio.dict_read("resources", file)
    4.29 +    except:
    4.30 +        print "Resource label file not found"
    4.31 +        return
    4.32  
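Review bot: The bare except at 4.29 prints "Resource label file not found" for a file that exists but is unreadable or malformed, which will send an administrator looking for a missing file rather than a broken one. Since this path only reads, the cheap fix is `except IOError:` for the not-found message and letting other exceptions reach the handler at the end of the function, which is outside this hunk along with get_resource_label's remaining body.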
    4.33 +    try:
    4.34          # get the entry and print label
    4.35          if access_control.has_key(resource):
    4.36              policy = access_control[resource][0]
    4.37 @@ -100,7 +98,6 @@ def get_domain_label(configfile):
    4.38          data = data.strip()
    4.39          data = data.lstrip("[\'")
    4.40          data = data.rstrip("\']")
    4.41 -        (p, l) = data.split(",")
    4.42          print data
    4.43  
    4.44      except security.ACMError:
     5.1 --- a/tools/python/xen/xm/resources.py	Thu Jun 29 10:48:07 2006 +0100
     5.2 +++ b/tools/python/xen/xm/resources.py	Thu Jun 29 11:13:11 2006 +0100
     5.3 @@ -21,7 +21,7 @@
     5.4  import sys, os
     5.5  import string
     5.6  import traceback
     5.7 -#from xml.marshal import generic
     5.8 +from xen.util import dictio
     5.9  from xen.util import security
    5.10  
    5.11  def usage():
    5.12 @@ -40,24 +40,15 @@ def print_resource_data(access_control):
    5.13          print "    label:  "+label
    5.14  
    5.15  
    5.16 -def get_resource_data():
    5.17 -    """Returns the resource dictionary.
    5.18 -    """
    5.19 -    file = security.res_label_filename
    5.20 -    if not os.path.isfile(file):
    5.21 +def main (argv):
    5.22 +    try:
    5.23 +        file = security.res_label_filename
    5.24 +        access_control = dictio.dict_read("resources", file)
    5.25 +    except:
    5.26          security.err("Resource file not found.")
    5.27  
    5.28 -    fd = open(file, "rb")
    5.29 -#    access_control = generic.load(fd)
    5.30 -    fd.close()
    5.31 -    return access_control
    5.32 -
    5.33 -
    5.34 -def main (argv):
    5.35      try:
    5.36 -        access_control = get_resource_data()
    5.37          print_resource_data(access_control)
    5.38 -
    5.39      except security.ACMError:
    5.40          pass
    5.41      except:
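Review bot: The handler at 5.25 calls security.err inside the first try's except clause, and if err raises ACMError — as the `except security.ACMError: pass` at 5.39 suggests it does — that exception is raised outside the second try and escapes main() uncaught, whereas the removed get_resource_data() was called inside the try that handled ACMError. Either move the dict_read call into the second try block so it stays under the ACMError handler, or narrow the first handler to `except IOError:` and return after err. The second try's closing handlers at 5.41 continue past the hunk.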
     6.1 --- a/tools/python/xen/xm/rmlabel.py	Thu Jun 29 10:48:07 2006 +0100
     6.2 +++ b/tools/python/xen/xm/rmlabel.py	Thu Jun 29 11:13:11 2006 +0100
     6.3 @@ -21,7 +21,7 @@
     6.4  import sys, os, re
     6.5  import string
     6.6  import traceback
     6.7 -#from xml.marshal import generic
     6.8 +from xen.util import dictio
     6.9  from xen.util import security
    6.10  
    6.11  def usage():
    6.12 @@ -36,22 +36,18 @@ def usage():
    6.13  def rm_resource_label(resource):
    6.14      """Removes a resource label from the global resource label file.
    6.15      """
    6.16 +    # read in the resource file
    6.17 +    file = security.res_label_filename
    6.18      try:
    6.19 -        # read in the resource file
    6.20 -        file = security.res_label_filename
    6.21 -        if os.path.isfile(file):
    6.22 -            fd = open(file, "rb")
    6.23 -#            access_control = generic.load(fd)
    6.24 -            fd.close()
    6.25 -        else:
    6.26 -            security.err("Resource file not found, cannot remove label!")
    6.27 +        access_control = dictio.dict_read("resources", file)
    6.28 +    except:
    6.29 +        security.err("Resource file not found, cannot remove label!")
    6.30  
    6.31 +    try:
    6.32          # remove the entry and update file
    6.33          if access_control.has_key(resource):
    6.34              del access_control[resource]
    6.35 -            fd = open(file, "wb")
    6.36 -#            generic.dump(access_control, fd)
    6.37 -            fd.close()
    6.38 +            dictio.dict_write(access_control, "resources", file)
    6.39          else:
    6.40              security.err("Label does not exist in resource label file.")
    6.41
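Review bot: The bare except at 6.28 reports an unreadable or malformed label file as "Resource file not found, cannot remove label!", and because security.err is called from the except clause any ACMError it raises leaves rm_resource_label through the first try, not the second one at 6.31 whose handlers are outside this hunk. Use `except IOError:` for the not-found case and let other errors propagate with their real message. The read at 6.27 and the rewrite at 6.38 are also not serialized against a concurrent xm addlabel on the same file, so two label edits racing can drop one update; a note in the docstring that the file is read-modify-written without locking would at least document the limitation.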