xend, xsm: Lock domain access while modifying policy.

Signed-off-by: Stefan Berger <stefanb@us.ibm.com>

diff --git a/tools/python/xen/util/xsm/acm/acm.py b/tools/python/xen/util/xsm/acm/acm.py
index e76947f5ddbcb908d7d48b243687d52d519e6a53..15026d347aae6c1969b9d4dd6972fa554b561474 100644 (file)
--- a/tools/python/xen/util/xsm/acm/acm.py
+++ b/tools/python/xen/util/xsm/acm/acm.py
@@ -103,6 +103,13 @@ def mapfile_unlock():
     __mapfile_lock.release()
 
 
+def resfile_lock():
+    __resfile_lock.acquire()
+
+def resfile_unlock():
+    __resfile_lock.release()
+
+
 def refresh_security_policy():
     """
     retrieves security policy
@@ -961,7 +968,7 @@ def resources_compatible_with_vmlabel(xspol, dominfo, vmlabel):
         return False
 
     try:
-        __resfile_lock.acquire()
+        resfile_lock()
         try:
             access_control = dictio.dict_read("resources",
                                               res_label_filename)
@@ -971,7 +978,7 @@ def resources_compatible_with_vmlabel(xspol, dominfo, vmlabel):
         return __resources_compatible_with_vmlabel(xspol, dominfo, vmlabel,
                                                    access_control)
     finally:
-        __resfile_lock.release()
+        resfile_unlock()
     return False
 
 
@@ -1053,7 +1060,7 @@ def set_resource_label(resource, policytype, policyref, reslabel, \
         return -xsconstants.XSERR_RESOURCE_IN_USE
 
     try:
-        __resfile_lock.acquire()
+        resfile_lock()
         access_control = {}
         try:
              access_control = dictio.dict_read("resources", res_label_filename)
@@ -1075,7 +1082,7 @@ def set_resource_label(resource, policytype, policyref, reslabel, \
                 del access_control[resource]
         dictio.dict_write(access_control, "resources", res_label_filename)
     finally:
-        __resfile_lock.release()
+        resfile_unlock()
     return xsconstants.XSERR_SUCCESS
 
 def rm_resource_label(resource, oldlabel_xapi):
@@ -1158,13 +1165,13 @@ def get_labeled_resources():
     @return list of labeled resources
     """
     try:
-        __resfile_lock.acquire()
+        resfile_lock()
         try:
             access_control = dictio.dict_read("resources", res_label_filename)
         except:
             return {}
     finally:
-        __resfile_lock.release()
+        resfile_unlock()
     return access_control
 
 
@@ -1213,6 +1220,9 @@ def change_acm_policy(bin_pol, del_array, chg_array,
         - Attempt changes in the hypervisor; if this step fails,
           roll back the relabeling of resources and VMs
         - Make the relabeling of resources and VMs permanent
+
+       This function should be called with the lock to the domains
+       held (XendDomain.instance().domains_lock)
     """
     rc = xsconstants.XSERR_SUCCESS
 
@@ -1225,7 +1235,7 @@ def change_acm_policy(bin_pol, del_array, chg_array,
     errors=""
 
     try:
-        __resfile_lock.acquire()
+        resfile_lock()
         mapfile_lock()
 
         # Get all domains' dominfo.
@@ -1240,6 +1250,7 @@ def change_acm_policy(bin_pol, del_array, chg_array,
             access_control = dictio.dict_read("resources", res_label_filename)
         except:
             pass
+
         for key, labeldata in access_control.items():
             if len(labeldata) == 2:
                 policy, label = labeldata
@@ -1328,7 +1339,7 @@ def change_acm_policy(bin_pol, del_array, chg_array,
     finally:
         log.info("----------------------------------------------")
         mapfile_unlock()
-        __resfile_lock.release()
+        resfile_unlock()
 
     return rc, errors
 

diff --git a/tools/python/xen/xend/XendXSPolicy.py b/tools/python/xen/xend/XendXSPolicy.py
index 11c1a1b63fd22bccded3da61ccb4b01bfae5f7d1..834857e40fa1a240e5d78ce0bd170d3c56ee3295 100644 (file)
--- a/tools/python/xen/xend/XendXSPolicy.py
+++ b/tools/python/xen/xend/XendXSPolicy.py
@@ -130,9 +130,7 @@ class XendXSPolicy(XendBase):
         if refs and len(refs) > 0:
             ref = refs[0]
             xspol = XSPolicyAdminInstance().policy_from_ref(ref)
-            try:
-                xspol.grab_lock()
-
+            if xspol:
                 polstate = {
                   'xs_ref' : ref,
                   'repr'   : xspol.toxml(),
@@ -142,9 +140,6 @@ class XendXSPolicy(XendBase):
                   'errors' : "",
                   'xserr'  : 0,
                 }
-            finally:
-                if xspol:
-                    xspol.unlock()
         return polstate
 
     def rm_xsbootpolicy(self):

diff --git a/tools/python/xen/xend/XendXSPolicyAdmin.py b/tools/python/xen/xend/XendXSPolicyAdmin.py
index c8f70b9242a3afb39ceb75b8aad9f2a4121fde81..fe0892a71eeadfa55976ff3aff58a193ad740bbe 100644 (file)
--- a/tools/python/xen/xend/XendXSPolicyAdmin.py
+++ b/tools/python/xen/xend/XendXSPolicyAdmin.py
@@ -94,6 +94,15 @@ class XSPolicyAdmin:
           If flags is True, then any existing policy will be removed from
           the system and the new one will be installed
         """
+        from xen.xend import XendDomain
+        domains = XendDomain.instance()
+        try:
+            domains.domains_lock.acquire()
+            return self.__add_acmpolicy_to_system(xmltext, flags, overwrite)
+        finally:
+            domains.domains_lock.release()
+
+    def __add_acmpolicy_to_system(self, xmltext, flags, overwrite):
         errors = ""
         loadedpol = self.get_loaded_policy()
         if loadedpol:
@@ -182,6 +191,15 @@ class XSPolicyAdmin:
         return xsconstants.XSERR_SUCCESS
 
     def activate_xspolicy(self, xspol, flags):
+        from xen.xend import XendDomain
+        domains = XendDomain.instance()
+        try:
+            domains.domains_lock.acquire()
+            return self.__activate_xspolicy(xspol, flags)
+        finally:
+            domains.domains_lock.release()
+
+    def __activate_xspolicy(self, xspol, flags):
         rc = xsconstants.XSERR_SUCCESS
         if flags & xsconstants.XS_INST_LOAD:
             rc = xspol.loadintohv()