debuggers.hg
changeset 17609:94c6501c4ffe
xend: Refactor security.on() call
I am refactoring the security.on() call to return the actual type of
the security module that is found to be enabled rather than just
returning True or False.
Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
I am refactoring the security.on() call to return the actual type of
the security module that is found to be enabled rather than just
returning True or False.
Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
author | Keir Fraser <keir.fraser@citrix.com> |
---|---|
date | Tue May 06 10:05:52 2008 +0100 (2008-05-06) |
parents | ccbbe6fe5827 |
children | d5589865bfce |
files | tools/python/xen/util/xsm/acm/acm.py tools/python/xen/util/xsm/flask/flask.py tools/python/xen/xend/XendConfig.py tools/python/xen/xend/XendDomainInfo.py tools/python/xen/xend/XendXSPolicyAdmin.py tools/python/xen/xend/server/blkif.py tools/python/xen/xend/server/netif.py tools/python/xen/xm/addlabel.py tools/python/xen/xm/dry-run.py |
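--- a/tools/python/xen/util/xsm/acm/acm.py Mon May 05 10:16:58 2008 +0100
+++ b/tools/python/xen/util/xsm/acm/acm.py Tue May 06 10:05:52 2008 +0100
@@ -156,7 +156,9 @@ def on():
 returns none if security policy is off (not compiled),
 any string otherwise, use it: if not security.on() ...
 """
- return (get_active_policy_name() not in ['INACTIVE', 'NULL'])
+ if get_active_policy_name() not in ['INACTIVE', 'NULL', '']:
+ return xsconstants.XS_POLICY_ACM
+ return 0
 
 
 def calc_dom_ssidref_from_info(info):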
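Review bot: The docstring of on(), whose closing lines are this hunk's context, still says it "returns none if security policy is off (not compiled), any string otherwise", but the new body returns `xsconstants.XS_POLICY_ACM` or `0`. Callers throughout this changeset now compare the result with `==`, so the docstring should state that contract, for example `Returns xsconstants.XS_POLICY_ACM when an ACM policy is active, 0 otherwise; compare against the constant instead of testing truthiness.` The added `''` entry also makes an empty policy name count as "security off"; if an empty name can result from a failed lookup rather than a genuinely disabled module, that is a fail-open outcome and deserves a comment. The docstring begins outside the hunk.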
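--- a/tools/python/xen/util/xsm/flask/flask.py Mon May 05 10:16:58 2008 +0100
+++ b/tools/python/xen/util/xsm/flask/flask.py Tue May 06 10:05:52 2008 +0100
@@ -12,7 +12,7 @@ def err(msg):
 raise XSMError(msg)
 
 def on():
- return 1
+ return 0 #xsconstants.XS_POLICY_FLASK
 
 def ssidref2label(ssidref):
 try: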
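Review bot: `return 0 #xsconstants.XS_POLICY_FLASK` makes on() report "no security module" on a Flask build, where it previously returned 1, and the only hint of the intent is a commented-out constant. Callers that key enforcement or status reporting on on() can no longer tell Flask from a disabled module. If this is a deliberate interim state, say so above the return, e.g. `# TODO: return xsconstants.XS_POLICY_FLASK once xend callers handle the Flask type; until then xend treats a Flask build as security-off`. Whether flask.py imports xsconstants is not visible in the hunk and would need checking before the constant is enabled.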
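--- a/tools/python/xen/xend/XendConfig.py Mon May 05 10:16:58 2008 +0100
+++ b/tools/python/xen/xend/XendConfig.py Tue May 06 10:05:52 2008 +0100
@@ -688,7 +688,7 @@ class XendConfig(dict):
 self.parse_cpuid(cfg, 'cpuid_check')
 
 import xen.util.xsm.xsm as security
- if security.on():
+ if security.on() == xsconstants.XS_POLICY_ACM:
 from xen.util.acmpolicy import ACM_LABEL_UNLABELED
 if not 'security' in cfg and sxp.child_value(sxp_cfg, 'security'):
 cfg['security'] = sxp.child_value(sxp_cfg, 'security')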
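Review bot: The new condition uses `xsconstants`, but this section adds no import for it, unlike XendDomainInfo.py, blkif.py, netif.py and dry-run.py in the same changeset, which each add `from xen.util import xsconstants`. If XendConfig.py does not already import the module outside the hunk, this line raises NameError while a config is being parsed; the same question applies to the acm.py hunk. Adding `from xen.util import xsconstants` next to the local `import xen.util.xsm.xsm as security` would make the change self-contained. The enclosing method starts and ends outside the hunk.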
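--- a/tools/python/xen/xend/XendDomainInfo.py Mon May 05 10:16:58 2008 +0100
+++ b/tools/python/xen/xend/XendDomainInfo.py Tue May 06 10:05:52 2008 +0100
@@ -37,6 +37,7 @@ import xen.lowlevel.xc
 from xen.util import asserts
 from xen.util.blkif import blkdev_uname_to_file, blkdev_uname_to_taptype
 import xen.util.xsm.xsm as security
+from xen.util import xsconstants
 
 from xen.xend import balloon, sxp, uuid, image, arch, osdep
 from xen.xend import XendOptions, XendNode, XendConfig
@@ -1973,7 +1974,7 @@ class XendDomainInfo:
 balloon.free(2*1024) # 2MB should be plenty
 
 ssidref = 0
- if security.on():
+ if security.on() == xsconstants.XS_POLICY_ACM:
 ssidref = security.calc_dom_ssidref_from_info(self.info)
 if security.has_authorization(ssidref) == False:
 raise VmError("VM is not authorized to run.")
@@ -1987,7 +1988,7 @@ class XendDomainInfo:
 target = self.info.target())
 except Exception, e:
 # may get here if due to ACM the operation is not permitted
- if security.on():
+ if security.on() == xsconstants.XS_POLICY_ACM:
 raise VmError('Domain in conflict set with running domain?')
 
 if self.domid < 0:
@@ -2853,7 +2854,6 @@ class XendDomainInfo:
 is_policy_update = (xspol_old != None)
 
 from xen.xend.XendXSPolicyAdmin import XSPolicyAdminInstance
- from xen.util import xsconstants
 
 state = self._stateGet()
 # Relabel only HALTED or RUNNING or PAUSED domains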
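Review bot: In the hunk at -1973 the ssidref calculation and the `has_authorization(ssidref)` gate now run only when on() equals `xsconstants.XS_POLICY_ACM`, so for any other result the domain is built with `ssidref = 0` and no authorization check. Combined with flask.on() returning 0 in this changeset, a Flask build that previously went through `calc_dom_ssidref_from_info` would, as far as the visible lines show, now create domains unlabeled; this should be confirmed as intended and recorded in a comment above the condition. The same narrowing applies to the `do_access_control` calls in blkif.py and netif.py. In the next hunk the `except Exception, e:` handler discards `e` whenever ACM is not active, so logging the exception before falling through would keep the real cause visible. The enclosing methods extend outside the hunks.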
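--- a/tools/python/xen/xend/XendXSPolicyAdmin.py Mon May 05 10:16:58 2008 +0100
+++ b/tools/python/xen/xend/XendXSPolicyAdmin.py Tue May 06 10:05:52 2008 +0100
@@ -48,6 +48,10 @@ class XSPolicyAdmin:
 self.xsobjs = {}
 bootloader.init()
 
+ if security.on() == xsconstants.XS_POLICY_ACM:
+ self.__acm_init()
+
+ def __acm_init(self):
 act_pol_name = self.get_hv_loaded_policy_name()
 initialize()
 
@@ -74,7 +78,7 @@ class XSPolicyAdmin:
 This currently only checks for ACM-enablement.
 """
 rc = 0
- if security.on():
+ if security.on() == xsconstants.XS_POLICY_ACM:
 rc |= xsconstants.XS_POLICY_ACM
 return rc
 
@@ -104,6 +108,8 @@ class XSPolicyAdmin:
 
 def __add_acmpolicy_to_system(self, xmltext, flags, overwrite):
 errors = ""
+ if security.on() != xsconstants.XS_POLICY_ACM:
+ raise SecurityError(-xsconstants.XSERR_POLICY_TYPE_UNSUPPORTED)
 loadedpol = self.get_loaded_policy()
 if loadedpol:
 # This is meant as an update to a currently loaded policy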
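Review bot: `__acm_init()` is now called only if on() returns `xsconstants.XS_POLICY_ACM` when the object is constructed, so any state that method sets up (its body continues outside the hunk) is missing on a non-ACM host, and only `__add_acmpolicy_to_system` gains a guard. Other methods that read that state would need the same `if security.on() != xsconstants.XS_POLICY_ACM:` check, or safe defaults assigned in `__init__` before the branch; the visible lines do not show whether they have one. The decision is also taken once, so a policy type that changes after construction is not picked up. A docstring on the new method, such as `"""Load ACM policy state; called from __init__ only when ACM is the active module."""`, would record the precondition.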
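--- a/tools/python/xen/xend/server/blkif.py Mon May 05 10:16:58 2008 +0100
+++ b/tools/python/xen/xend/server/blkif.py Tue May 06 10:05:52 2008 +0100
@@ -23,6 +23,7 @@ from xen.util import blkif
 import xen.util.xsm.xsm as security
 from xen.xend.XendError import VmError
 from xen.xend.server.DevController import DevController
+from xen.util import xsconstants
 
 class BlkifController(DevController):
 """Block device interface controller. Handles all block devices
@@ -72,7 +73,7 @@ class BlkifController(DevController):
 if uuid:
 back['uuid'] = uuid
 
- if security.on():
+ if security.on() == xsconstants.XS_POLICY_ACM:
 self.do_access_control(config, uname)
 
 devid = blkif.blkdev_name_to_number(dev)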
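--- a/tools/python/xen/xend/server/netif.py Mon May 05 10:16:58 2008 +0100
+++ b/tools/python/xen/xend/server/netif.py Tue May 06 10:05:52 2008 +0100
@@ -29,6 +29,7 @@ from xen.xend.server.DevController impor
 from xen.xend.XendError import VmError
 from xen.xend.XendXSPolicyAdmin import XSPolicyAdminInstance
 import xen.util.xsm.xsm as security
+from xen.util import xsconstants
 
 from xen.xend.XendLogging import log
 
@@ -155,7 +156,7 @@ class NetifController(DevController):
 front = { 'handle' : "%i" % devid,
 'mac' : mac }
 
- if security.on():
+ if security.on() == xsconstants.XS_POLICY_ACM:
 self.do_access_control(config)
 
 return (devid, back, front)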
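--- a/tools/python/xen/xm/addlabel.py Mon May 05 10:16:58 2008 +0100
+++ b/tools/python/xen/xm/addlabel.py Tue May 06 10:05:52 2008 +0100
@@ -205,17 +205,17 @@ def main(argv):
 policy_type = ""
 if len(argv) not in (4, 5):
 raise OptionError('Needs either 2 or 3 arguments')
-
+
 label = argv[1]
-
+
 if len(argv) == 5:
 policyref = argv[4]
- elif security.on():
+ elif security.on() == xsconstants.XS_POLICY_ACM:
 policyref = security.active_policy
 policy_type = xsconstants.ACM_POLICY_ID
 else:
- raise OptionError("No active policy. Must specify policy on the "
- "command line.")
+ raise OptionError("ACM security is not enabled. You must specify "\
+ "the policy on the command line.")
 
 if argv[2].lower() == "dom":
 configfile = argv[3]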
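Review bot: The trailing backslash in `"ACM security is not enabled. You must specify "\` is redundant, because both string literals sit inside the parentheses of the OptionError call and are joined implicitly. Dropping it matches the form of the message this hunk replaces and avoids a continuation that breaks if trailing whitespace is ever added after it. The rest of main() lies outside the hunk.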
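--- a/tools/python/xen/xm/dry-run.py Mon May 05 10:16:58 2008 +0100
+++ b/tools/python/xen/xm/dry-run.py Tue May 06 10:05:52 2008 +0100
@@ -22,6 +22,7 @@ import sys
 import xen.util.xsm.xsm as security
 from xen.xm import create
 from xen.xend import sxp
+from xen.util import xsconstants
 from xen.xm.opts import OptionError
 
 def help():
@@ -40,7 +41,7 @@ def check_domain_label(config, verbose):
 answer = 0
 default_label = None
 secon = 0
- if security.on():
+ if security.on() == xsconstants.XS_POLICY_ACM:
 default_label = security.ssidref2label(security.NULL_SSIDREF)
 secon = 1
 
@@ -90,7 +91,7 @@ def config_security_check(config, verbos
 domain_policy = sxp.child_value(sxp.name(sxp.child0(x)), 'policy')
 
 # if no domain label, use default
- if not domain_label and security.on():
+ if not domain_label and security.on() == xsconstants.XS_POLICY_ACM:
 try:
 domain_label = security.ssidref2label(security.NULL_SSIDREF)
 except: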