debuggers.hg
changeset 17894:49c5d6723e35
[ACM] Enable labeling of resources as inaccessible
Enable the labeling of (disk-type) resources with the special label
__INACCESSIBLE__ to prevent unlabeled domains from accessing them.
Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
Enable the labeling of (disk-type) resources with the special label
__INACCESSIBLE__ to prevent unlabeled domains from accessing them.
Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
| author | Keir Fraser <keir.fraser@citrix.com> |
|---|---|
| date | Fri Jun 13 13:55:19 2008 +0100 (2008-06-13) |
| parents | 2363cf4ab4cb |
| children | a41d14c3bf19 |
| files | tools/python/xen/util/xsconstants.py tools/python/xen/util/xsm/acm/acm.py |
line diff
1.1 --- a/tools/python/xen/util/xsconstants.py Fri Jun 13 13:50:23 2008 +0100 1.2 +++ b/tools/python/xen/util/xsconstants.py Fri Jun 13 13:55:19 2008 +0100 1.3 @@ -103,8 +103,10 @@ def xserr2string(err): 1.4 return "Unknown XSERR code '%s'." % (hex(err)) 1.5 1.6 # Policy identifiers used in labels 1.7 -ACM_POLICY_ID = "ACM" 1.8 +ACM_POLICY_ID = 'ACM' 1.9 1.10 -INVALID_POLICY_PREFIX = "INV_" 1.11 +INVALID_POLICY_PREFIX = 'INV_' 1.12 1.13 INVALID_SSIDREF = 0xFFFFFFFF 1.14 + 1.15 +XS_INACCESSIBLE_LABEL = '__INACCESSIBLE__'
2.1 --- a/tools/python/xen/util/xsm/acm/acm.py Fri Jun 13 13:50:23 2008 +0100 2.2 +++ b/tools/python/xen/util/xsm/acm/acm.py Fri Jun 13 13:55:19 2008 +0100 2.3 @@ -720,19 +720,24 @@ def list_labels(policy_name, ltype): 2.4 else: 2.5 err("Unknown label type \'" + ltype + "\'") 2.6 2.7 - (primary, secondary, f, pol_exists) = getmapfile(policy_name) 2.8 - if not f: 2.9 - if pol_exists: 2.10 - err("Cannot find mapfile for policy \'" + policy_name + "\'.\n") 2.11 - else: 2.12 - err("Unknown policy \'" + policy_name + "\'") 2.13 + try: 2.14 + mapfile_lock() 2.15 2.16 - labels = [] 2.17 - for line in f: 2.18 - if condition.match(line): 2.19 - label = line.split()[3] 2.20 - if label not in labels: 2.21 - labels.append(label) 2.22 + (primary, secondary, f, pol_exists) = getmapfile(policy_name) 2.23 + if not f: 2.24 + if pol_exists: 2.25 + err("Cannot find mapfile for policy \'" + policy_name + "\'.\n") 2.26 + else: 2.27 + err("Unknown policy \'" + policy_name + "\'") 2.28 + 2.29 + labels = [] 2.30 + for line in f: 2.31 + if condition.match(line): 2.32 + label = line.split()[3] 2.33 + if label not in labels: 2.34 + labels.append(label) 2.35 + finally: 2.36 + mapfile_unlock() 2.37 2.38 if '__NULL_LABEL__' in labels: 2.39 labels.remove('__NULL_LABEL__') 2.40 @@ -778,8 +783,6 @@ def get_res_security_details(resource): 2.41 policy = active_policy 2.42 return (label, ssidref, policy) 2.43 2.44 - (label, ssidref, policy) = default_security_details() 2.45 - 2.46 # find the entry associated with this resource 2.47 (policytype, label, policy) = get_res_label(resource) 2.48 if policy == 'NULL': 2.49 @@ -793,6 +796,8 @@ def get_res_security_details(resource): 2.50 # is this resource label for the running policy? 2.51 if policy == active_policy: 2.52 ssidref = label2ssidref(label, policy, 'res') 2.53 + elif label == xsconstants.XS_INACCESSIBLE_LABEL: 2.54 + ssidref = NULL_SSIDREF 2.55 else: 2.56 log.info("Resource label not for active policy, using DEFAULT.") 2.57 return default_security_details() 2.58 @@ -916,6 +921,8 @@ def res_security_check_xapi(rlabel, rssi 2.59 rtnval = 1 2.60 # if security is on, ask the hypervisor for a decision 2.61 if on(): 2.62 + if rlabel == xsconstants.XS_INACCESSIBLE_LABEL: 2.63 + return 0 2.64 typ, dpolicy, domain_label = xapi_dom_label.split(":") 2.65 if not dpolicy or not domain_label: 2.66 raise VmError("VM security label in wrong format.") 2.67 @@ -973,6 +980,8 @@ def validate_label(policytype, policyref 2.68 if not policytype or not label: 2.69 return -xsconstants.XSERR_BAD_LABEL_FORMAT 2.70 rc = xsconstants.XSERR_SUCCESS 2.71 + if label == xsconstants.XS_INACCESSIBLE_LABEL: 2.72 + return rc 2.73 from xen.xend.XendXSPolicyAdmin import XSPolicyAdminInstance 2.74 curpol = XSPolicyAdminInstance().get_loaded_policy() 2.75 if not curpol or curpol.get_name() != policyref: 2.76 @@ -1197,20 +1206,23 @@ def set_resource_label(resource, policyt 2.77 @return Success (0) or failure value (< 0) 2.78 """ 2.79 2.80 - if reslabel != "": 2.81 - ssidref = label2ssidref(reslabel, policyref, 'res') 2.82 2.83 try: 2.84 resource = unify_resname(resource, mustexist=False) 2.85 except Exception: 2.86 return -xsconstants.XSERR_BAD_RESOURCE_FORMAT 2.87 2.88 - domains = is_resource_in_use(resource) 2.89 - if len(domains) > 0: 2.90 - return -xsconstants.XSERR_RESOURCE_IN_USE 2.91 - 2.92 try: 2.93 resfile_lock() 2.94 + mapfile_lock() 2.95 + 2.96 + if reslabel not in [ '', xsconstants.XS_INACCESSIBLE_LABEL ]: 2.97 + ssidref = label2ssidref(reslabel, policyref, 'res') 2.98 + 2.99 + domains = is_resource_in_use(resource) 2.100 + if len(domains) > 0: 2.101 + return -xsconstants.XSERR_RESOURCE_IN_USE 2.102 + 2.103 access_control = {} 2.104 try: 2.105 access_control = dictio.dict_read("resources", res_label_filename) 2.106 @@ -1229,6 +1241,11 @@ def set_resource_label(resource, policyt 2.107 if value == tuple([policytype, policyref, reslabel]) and \ 2.108 key.startswith('vlan:'): 2.109 return -xsconstants.XSERR_BAD_LABEL 2.110 + 2.111 + if reslabel == xsconstants.XS_INACCESSIBLE_LABEL: 2.112 + policytype = xsconstants.ACM_POLICY_ID 2.113 + policyref = '*' 2.114 + 2.115 if reslabel != "": 2.116 new_entry = { resource : tuple([policytype, policyref, reslabel])} 2.117 access_control.update(new_entry) 2.118 @@ -1243,6 +1260,7 @@ def set_resource_label(resource, policyt 2.119 dictio.dict_write(access_control, "resources", res_label_filename) 2.120 finally: 2.121 resfile_unlock() 2.122 + mapfile_unlock() 2.123 return xsconstants.XSERR_SUCCESS 2.124 2.125 def rm_resource_label(resource, oldlabel_xapi):