
changeset 16220:c8ef0ae53bba

xend, acm: Put the __UNLABELED__ label into the mapfile if policy specifies it

Put the __UNLABELED__ label into the mapfile if the policy specifies this
label, rather than keeping the NULL_LABEL there. Also lock the map file
while it is rewritten, and propagate the return code from compiling the
policy to callers.

Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
author Keir Fraser <keir@xensource.com>
date Thu Oct 25 09:24:28 2007 +0100 (2007-10-25)
parents a2222599b97b
children beb81ee16009
files tools/python/xen/util/acmpolicy.py
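--- a/tools/python/xen/util/acmpolicy.py
+++ b/tools/python/xen/util/acmpolicy.py
@@ -46,7 +46,7 @@ ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY = 2
 ACM_POLICY_UNDEFINED = 15
 
 
-ACM_SCHEMA_FILE = "/etc/xen/acm-security/policies/security_policy.xsd"
+ACM_SCHEMA_FILE = ACM_POLICIES_DIR + "security_policy.xsd"
 
 ACM_LABEL_UNLABELED = "__UNLABELED__"
 ACM_LABEL_UNLABELED_DISPLAY = "unlabeled"
@@ -263,7 +263,7 @@ class ACMPolicy(XSPolicy):
         else:
             #Not loaded in HV
             self.dom = acmpol_new.dom
-            self.compile()
+            rc = self.compile()
         return rc, errors
 
 
@@ -842,9 +842,15 @@ class ACMPolicy(XSPolicy):
             rc, mapfile, bin_pol = self.policy_create_map_and_bin()
 
             if rc == 0:
-                rc = self.__write_to_file(".map", mapfile)
-                if rc != 0:
-                    log.error("Error writing map file")
+                try:
+                    security.mapfile_lock()
+
+                    rc = self.__write_to_file(".map", mapfile)
+                    if rc != 0:
+                        log.error("Error writing map file")
+
+                finally:
+                    security.mapfile_unlock()
 
             if rc == 0:
                 rc = self.__write_to_file(".bin", bin_pol)
@@ -919,7 +925,7 @@ class ACMPolicy(XSPolicy):
     def policy_get_domain_label_formatted(self, domid):
         label = self.policy_get_domain_label(domid)
         if label == "":
-            return ""
+            label = ACM_LABEL_UNLABELED
         return "%s:%s:%s" % (xsconstants.ACM_POLICY_ID, self.get_name(), label)
 
     def policy_get_domain_label_by_ssidref_formatted(self, ssidref):
@@ -941,6 +947,8 @@ class ACMPolicy(XSPolicy):
         secpolcode  = ACM_POLICY_UNDEFINED
         unknown_ste = set()
         unknown_chw = set()
+        unlabeled_ste = "__NULL_LABEL__"
+        unlabeled_chw = "__NULL_LABEL__"
 
         rc = self.validate()
         if rc:
@@ -979,6 +987,7 @@ class ACMPolicy(XSPolicy):
             vms_with_chws.sort()
 
         if ACM_LABEL_UNLABELED in vms_with_chws:
+            unlabeled_chw = ACM_LABEL_UNLABELED
             vms_with_chws.remove(ACM_LABEL_UNLABELED) ; # @1
 
         vms_with_stes = []
@@ -996,6 +1005,7 @@ class ACMPolicy(XSPolicy):
             vms_with_stes.sort()
 
         if ACM_LABEL_UNLABELED in vms_with_stes:
+            unlabeled_ste = ACM_LABEL_UNLABELED
             vms_with_stes.remove(ACM_LABEL_UNLABELED) ; # @2
 
         resnames = self.policy_get_resourcelabel_names()
@@ -1050,7 +1060,8 @@ class ACMPolicy(XSPolicy):
 
         if len(vms_with_chws) > 0:
             mapfile += \
-                 "LABEL->SSID ANY CHWALL __NULL_LABEL__       %x\n" % 0
+                 "LABEL->SSID ANY CHWALL %-20s %x\n" % \
+                 (unlabeled_chw, 0)
             i = 0
             for v in vms_with_chws:
                 mapfile += \
@@ -1061,7 +1072,8 @@ class ACMPolicy(XSPolicy):
 
         if len(vms_with_stes) > 0 or len(resnames) > 0:
             mapfile += \
-                 "LABEL->SSID ANY STE    __NULL_LABEL__       %08x\n" % 0
+                 "LABEL->SSID ANY STE    %-20s %08x\n" % \
+                 (unlabeled_ste, 0)
             i = 0
             for v in vms_with_stes:
                 mapfile += \
@@ -1260,9 +1272,11 @@ class ACMPolicy(XSPolicy):
         if len(unknown_ste) > 0:
             log.info("The following STEs in VM/res labels were unknown:" \
                      " %s" % list(unknown_ste))
+            rc = -xsconstants.XSERR_BAD_LABEL
         if len(unknown_chw) > 0:
             log.info("The following Ch. Wall types in labels were unknown:" \
                      " %s" % list(unknown_chw))
+            rc = -xsconstants.XSERR_BAD_LABEL
         return rc, mapfile, all_bin.tostring()
 
     def get_enforced_binary(self):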
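Review bot: In the `@@ -842,9 +842,15 @@` hunk the lock is acquired inside the `try:` body, so if `security.mapfile_lock()` raises, the `finally:` still runs `security.mapfile_unlock()` on a lock this code never took; acquire it before the `try` so the block only guards the locked section: `security.mapfile_lock()` then `try:` then the existing `rc = self.__write_to_file(".map", mapfile)` / `log.error(...)` lines. The `.bin` write two lines below runs after the unlock, so a reader that takes the same lock could observe a freshly written map file paired with the old binary policy; whether that is acceptable depends on what `mapfile_lock` is meant to guard, which the hunk does not show. The enclosing method starts and ends outside this hunk. Separately, in the `@@ -941,6 +947,8 @@` hunk the map-file spelling `"__NULL_LABEL__"` is hard-coded in two new locals; a module-level constant next to `ACM_LABEL_UNLABELED` would keep that string in one place.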