changeset 15975:ad339d88639d
[Xend/ACM] Automatic loading of policy after xend has started.
On systems where the grub bootloader is not available or active the
to-be-activated policy is written to a simple text file. Once xend has
started the contents can be read. Using 'xm setpolicy' the policy can
be activated and the Domain-0 label set (using 'xm addlabel').
I fixed some bugs in the grub bootloader handler on the way and
removed some dead functions.
Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
On systems where the grub bootloader is not available or active the
to-be-activated policy is written a simple textfile. Once xend has
started the contents can be read. Using 'xm setpolicy' the policy can
be activated and the Domain-0 label set (using 'xm addlabel').
I fixed some bugs in the grub bootloader handler on the way and
removed some dead functions.
Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
author | Keir Fraser <keir@xensource.com> |
---|---|
date | Mon Sep 24 21:52:10 2007 +0100 (2007-09-24) |
parents | 66fa2bc70e2a |
children | 55c45361bbe3 |
files | tools/python/xen/util/bootloader.py tools/python/xen/util/xsm/acm/acm.py |
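--- a/tools/python/xen/util/bootloader.py
+++ b/tools/python/xen/util/bootloader.py
@@ -21,7 +21,9 @@ import os, stat
 import tempfile
 import shutil
 import threading
+
 from xen.xend.XendLogging import log
+from xen.util import mkdir, security
 
 __bootloader = None
 
@@ -70,8 +72,9 @@ def set_boot_policy(title_idx, filename)
 
 def loads_default_policy(filename):
     """ Determine whether the given policy is loaded by the default boot title """
-    polfile = get_default_policy()
-    if polfile != None:
+    policy = get_default_policy()
+    if policy:
+        polfile = policy + ".bin"
         if polfile == filename or \
            "/"+polfile == filename:
             return True
@@ -220,28 +223,6 @@ class Grub(Bootloader):
         return boot_file
 
 
-    def __get_titles(self):
-        """ Get the names of all boot titles in the grub config file
-        @rtype: list
-        @return: list of names of available boot titles
-        """
-        titles = []
-        try:
-            boot_file = self.__get_bootfile()
-        except:
-            return []
-        try:
-            self.__bootfile_lock.acquire()
-            grub_fd = open(boot_file)
-            for line in grub_fd:
-                if self.title_re.match(line):
-                    line = line.rstrip().lstrip()
-                    titles.append(line.lstrip('title').lstrip())
-        finally:
-            self.__bootfile_lock.release()
-        return titles
-
-
     def get_default_title(self):
         """ Get the index (starting with 0) of the default boot title
         This number is read from the grub configuration file.
@@ -261,8 +242,8 @@ class Grub(Bootloader):
             for line in grub_fd:
                 line = line.rstrip()
                 if def_re.match(line):
-                    line = line.rstrip()
-                    line = line.lstrip("default=")
+                    #remove 'default='
+                    line = line.lstrip()[8:]
                     default = int(line)
                     break
         finally:
@@ -295,11 +276,13 @@ class Grub(Bootloader):
                 if self.policy_re.match(line):
                     start = line.find("module")
                     pol = line[start+6:]
-                    pol = pol.lstrip().rstrip()
+                    pol = pol.strip()
                     if pol[0] == '/':
                         pol = pol[1:]
                     if pol[0:5] == "boot/":
                         pol = pol[5:]
+                    if pol.endswith(".bin"):
+                        pol = pol[:-4]
                     policies[idx] = pol
         finally:
             self.__bootfile_lock.release()
@@ -399,7 +382,7 @@ class Grub(Bootloader):
                 if self.policy_re.match(line):
                     start = line.find("module")
                     pol = line[start+6:len(line)]
-                    pol = pol.lstrip().rstrip()
+                    pol = pol.strip()
                     if pol in namelist:
                         omit_line = True
                         found = True
@@ -499,7 +482,7 @@ class Grub(Bootloader):
                     within_title = 0
                 ctr = ctr + 1
                 if within_title and self.kernel_re.match(line):
-                    line = line.rstrip().lstrip()
+                    line = line.strip()
                     items = line.split(" ")
                     i = 0
                     while i < len(items):
@@ -513,9 +496,123 @@ class Grub(Bootloader):
             self.__bootfile_lock.release()
         return None # Not found
 
+class LatePolicyLoader(Bootloader):
+    """ A fake bootloader file that holds the policy to load automatically
+        once xend has started up and the Domain-0 label to set. """
+    def __init__(self):
+        self.__bootfile_lock = threading.RLock()
+        self.PATH = security.security_dir_prefix
+        self.FILENAME = self.PATH + "/xen_boot_policy"
+        self.DEFAULT_TITLE = "ANY"
+        self.POLICY_ATTR = "POLICY"
+        Bootloader.__init__(self)
+
+    def probe(self):
+        _dir=os.path.dirname(self.FILENAME)
+        mkdir.parents(_dir, stat.S_IRWXU)
+        return True
+
+    def get_default_title(self):
+        return self.DEFAULT_TITLE
+
+    def get_boot_policies(self):
+        policies = {}
+        try:
+            self.__bootfile_lock.acquire()
+
+            res = self.__loadcontent()
+
+            pol = res.get( self.POLICY_ATTR )
+            if pol:
+                policies.update({ self.DEFAULT_TITLE : pol })
+
+        finally:
+            self.__bootfile_lock.release()
+
+        return policies
+
+    def add_boot_policy(self, index, binpolname):
+        try:
+            self.__bootfile_lock.acquire()
+
+            res = self.__loadcontent()
+            if binpolname.endswith(".bin"):
+                binpolname = binpolname[0:-4]
+            res[ self.POLICY_ATTR ] = binpolname
+            self.__writecontent(res)
+        finally:
+            self.__bootfile_lock.release()
+
+        return True
+
+    def rm_policy_from_boottitle(self, index, unamelist):
+        try:
+            self.__bootfile_lock.acquire()
+
+            res = self.__loadcontent()
+            if self.POLICY_ATTR in res:
+                del(res[self.POLICY_ATTR])
+            self.__writecontent(res)
+        finally:
+            self.__bootfile_lock.release()
+
+        return True
+
+    def set_kernel_attval(self, index, att, val):
+        try:
+            self.__bootfile_lock.acquire()
+
+            res = self.__loadcontent()
+            res[att] = val
+            self.__writecontent(res)
+        finally:
+            self.__bootfile_lock.release()
+
+        return True
+
+    def get_kernel_val(self, index, att):
+        try:
+            self.__bootfile_lock.acquire()
+
+            res = self.__loadcontent()
+            return res.get(att)
+        finally:
+            self.__bootfile_lock.release()
+
+    def __loadcontent(self):
+        res={}
+        try:
+            file = open(self.FILENAME)
+            for line in file:
+                tmp = line.split("=",1)
+                if len(tmp) == 2:
+                    res[tmp[0]] = tmp[1].strip()
+            file.close()
+        except:
+            pass
+
+        return res
+
+    def __writecontent(self, items):
+        rc = True
+        try:
+            file = open(self.FILENAME,"w")
+            if file:
+                for key, value in items.items():
+                    file.write("%s=%s\n" % (str(key),str(value)))
+            file.close()
+        except:
+            rc = False
+
+        return rc
+
 
 __bootloader = Bootloader()
 
 grub = Grub()
 if grub.probe() == True:
     __bootloader = grub
+else:
+    late = LatePolicyLoader()
+    if late.probe() == True:
+        __bootloader = late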
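Review bot: In the new LatePolicyLoader class (hunk @@ -513,9 +496,123 @@), `__writecontent` returns `rc = False` when the write fails, but `add_boot_policy`, `rm_policy_from_boottitle` and `set_kernel_attval` discard that result and `return True` unconditionally, so a policy or Domain-0 label that could not be persisted to `xen_boot_policy` is reported to the caller as set, and the bare `except:` in both `__loadcontent` and `__writecontent` hides the cause (for example a permission error on the directory that `probe` creates) and leaves the handle open if the loop raises. I would narrow the except to `IOError`, report it through the already-imported `log`, close the file in a `finally`, and have the three callers `return self.__writecontent(res)` instead of a literal `True`. A second, smaller point: `set_kernel_attval` stores `att` and `val` verbatim while `__loadcontent` splits each line on the first `=`, so a key containing `=` or a value containing a newline is written but read back as different entries; a guard such as `if "=" in str(att) or "\n" in str(val): raise ValueError("invalid attribute")` before the write keeps the file parseable.
```python
    def __writecontent(self, items):
        rc = True
        try:
            file = open(self.FILENAME,"w")
            try:
                for key, value in items.items():
                    file.write("%s=%s\n" % (str(key),str(value)))
            finally:
                file.close()
        except IOError:
            log.error("Could not write boot policy file %s" % self.FILENAME)
            rc = False

        return rc
```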
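--- a/tools/python/xen/util/xsm/acm/acm.py
+++ b/tools/python/xen/util/xsm/acm/acm.py
@@ -33,7 +33,8 @@ from xen.util import dictio, xsconstants
 from xen.xend.XendConstants import *
 
 #global directories and tools for security management
-policy_dir_prefix = "/etc/xen/acm-security/policies"
+security_dir_prefix = "/etc/xen/acm-security"
+policy_dir_prefix = security_dir_prefix + "/policies"
 res_label_filename = policy_dir_prefix + "/resource_labels"
 boot_filename = "/boot/grub/menu.lst"
 altboot_filename = "/boot/grub/grub.conf"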