authorKeir Fraser <keir.fraser@citrix.com>2008-09-04 11:23:08 +0100
committerKeir Fraser <keir.fraser@citrix.com>2008-09-04 11:23:08 +0100
commit06cfe5df7bdadd1972619d26127bd18a56a1db04 (patch)
treeccec33b0596f66e36e9fb824909438ba124b67cb
parente4e909d6e2ce5884133b3aaef13dc65fa9d244ba (diff)
xsm, python tools: remove autogenerated xsm.py
- The patch does away with the autogenerated xsm.py file and introduces a config parameter in xend-config.sxp to determine the security module. The parameter is (xsm_module_name {acm, dummy, flask}). The default setting/option is dummy. .hgignore is also updated to stop ignoring xsm.py on commits. - The patch has created an xsconstant for XS_POLICY_FLASK and updated the toolchain to check the instance of XS_POLICY_USE. XS_POLICY_USE evaluates to XS_POLICY_FLASK or XS_POLICY_ACM or XS_POLICY_DUMMY depending on configuration. - Flask relies on the current value of ssidref returned by dominfo to ensure that the label to sid mapping is consistent. ssidref had been pop'ed from the dominfo object. The patch addresses this issue. - Flask python module style cleanups. Signed-off-by: George Coker <gscoker@alpha.ncsc.mil>
-rw-r--r--.hgignore1
-rw-r--r--tools/examples/xend-config.sxp4
-rw-r--r--tools/python/Makefile26
-rw-r--r--tools/python/xen/util/xsconstants.py4
-rw-r--r--tools/python/xen/util/xsm/dummy/dummy.py2
-rw-r--r--tools/python/xen/util/xsm/flask/flask.py8
-rw-r--r--tools/python/xen/util/xsm/xsm.py19
-rw-r--r--tools/python/xen/xend/XendConfig.py2
-rw-r--r--tools/python/xen/xend/XendDomainInfo.py6
-rw-r--r--tools/python/xen/xend/XendOptions.py8
-rw-r--r--tools/python/xen/xend/server/blkif.py2
-rw-r--r--tools/python/xen/xend/server/netif.py2
12 files changed, 47 insertions, 37 deletions
diff --git a/.hgignore b/.hgignore
index 42d980bcb0..13ced87e22 100644
--- a/.hgignore
+++ b/.hgignore
@@ -185,7 +185,6 @@
^tools/misc/xenperf$
^tools/pygrub/build/.*$
^tools/python/build/.*$
-^tools/python/xen/util/xsm/xsm\.py$
^tools/security/secpol_tool$
^tools/security/xen/.*$
^tools/security/xensec_tool$
diff --git a/tools/examples/xend-config.sxp b/tools/examples/xend-config.sxp
index 89f9fcae96..5465c39af3 100644
--- a/tools/examples/xend-config.sxp
+++ b/tools/examples/xend-config.sxp
@@ -14,6 +14,10 @@
#(logfile /var/log/xen/xend.log)
#(loglevel DEBUG)
+# Uncomment the line below. Set the value to flask, acm, or dummy to
+# select a security module.
+
+#(xsm_module_name dummy)
# The Xen-API server configuration.
#
diff --git a/tools/python/Makefile b/tools/python/Makefile
index 76603f4880..c2e5c9c318 100644
--- a/tools/python/Makefile
+++ b/tools/python/Makefile
@@ -1,14 +1,6 @@
XEN_ROOT = ../..
include $(XEN_ROOT)/tools/Rules.mk
-XEN_SECURITY_MODULE = dummy
-ifeq ($(FLASK_ENABLE),y)
-XEN_SECURITY_MODULE = flask
-endif
-ifeq ($(ACM_SECURITY),y)
-XEN_SECURITY_MODULE = acm
-endif
-
.PHONY: all
all: build
@@ -23,8 +15,8 @@ CATALOGS = $(patsubst %,xen/xm/messages/%.mo,$(LINGUAS))
NLSDIR = /usr/share/locale
.PHONY: build buildpy
-buildpy: xsm.py
- CC="$(CC)" CFLAGS="$(CFLAGS)" XEN_SECURITY_MODULE="$(XEN_SECURITY_MODULE)" python setup.py build
+buildpy:
+ CC="$(CC)" CFLAGS="$(CFLAGS)" python setup.py build
build: buildpy refresh-pot refresh-po $(CATALOGS)
@@ -61,18 +53,6 @@ refresh-po: $(POTFILE)
%.mo: %.po
$(MSGFMT) -c -o $@ $<
-xsm.py:
- @(set -e; \
- echo "XEN_SECURITY_MODULE = \""$(XEN_SECURITY_MODULE)"\""; \
- echo "from xsm_core import *"; \
- echo ""; \
- echo "import xen.util.xsm."$(XEN_SECURITY_MODULE)"."$(XEN_SECURITY_MODULE)" as xsm_module"; \
- echo ""; \
- echo "xsm_init(xsm_module)"; \
- echo "from xen.util.xsm."$(XEN_SECURITY_MODULE)"."$(XEN_SECURITY_MODULE)" import *"; \
- echo "del xsm_module"; \
- echo "") >xen/util/xsm/$@
-
.PHONY: install
ifndef XEN_PYTHON_NATIVE_INSTALL
install: LIBPATH=$(shell PYTHONPATH=xen/util python -c "import auxbin; print auxbin.libpath()")
@@ -104,4 +84,4 @@ test:
.PHONY: clean
clean:
- rm -rf build *.pyc *.pyo *.o *.a *~ $(CATALOGS) xen/util/xsm/xsm.py xen/util/auxbin.pyc
+ rm -rf build *.pyc *.pyo *.o *.a *~ $(CATALOGS) xen/util/auxbin.pyc
diff --git a/tools/python/xen/util/xsconstants.py b/tools/python/xen/util/xsconstants.py
index deea17194c..29540f0278 100644
--- a/tools/python/xen/util/xsconstants.py
+++ b/tools/python/xen/util/xsconstants.py
@@ -20,8 +20,10 @@ XS_INST_NONE = 0
XS_INST_BOOT = (1 << 0)
XS_INST_LOAD = (1 << 1)
-XS_POLICY_NONE = 0
+XS_POLICY_DUMMY = 0
XS_POLICY_ACM = (1 << 0)
+XS_POLICY_FLASK = (1 << 1)
+XS_POLICY_USE = 0
# Some internal variables used by the Xen-API
ACM_LABEL_VM = (1 << 0)
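Review bot: `XS_POLICY_USE = 0` is listed among the constants, but xen/util/xsm/xsm.py reassigns it at import time and nothing here says so. Until that module has been imported the value equals XS_POLICY_DUMMY, and any code that copies the name (`from xen.util.xsconstants import XS_POLICY_USE` or `import *`) keeps the stale 0. A comment such as `# Set by xen.util.xsm.xsm at import to the configured module's XS_POLICY_* value; always read it as xsconstants.XS_POLICY_USE` would document that. Renaming XS_POLICY_NONE to XS_POLICY_DUMMY also removes a name, so any remaining user outside this diff would fail with AttributeError.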
diff --git a/tools/python/xen/util/xsm/dummy/dummy.py b/tools/python/xen/util/xsm/dummy/dummy.py
index b82e1b9ff5..5748699ee7 100644
--- a/tools/python/xen/util/xsm/dummy/dummy.py
+++ b/tools/python/xen/util/xsm/dummy/dummy.py
@@ -36,7 +36,7 @@ def err(msg):
raise XSMError(msg)
def on():
- return 0
+ return xsconstants.XS_POLICY_DUMMY
def ssidref2label(ssidref):
return 0
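Review bot: `on()` now refers to `xsconstants`, but this hunk adds no import for it, whereas the flask.py change in the same commit adds `from xen.util import xsconstants`. The top of dummy.py is outside the hunk, so the import may already be present. If it is not, every call to on() raises NameError under the default module. Worth confirming, and adding `from xen.util import xsconstants` next to the existing imports if it is missing.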
diff --git a/tools/python/xen/util/xsm/flask/flask.py b/tools/python/xen/util/xsm/flask/flask.py
index 61106349f2..fc168f8fde 100644
--- a/tools/python/xen/util/xsm/flask/flask.py
+++ b/tools/python/xen/util/xsm/flask/flask.py
@@ -1,5 +1,6 @@
import sys
from xen.lowlevel import flask
+from xen.util import xsconstants
from xen.xend import sxp
#Functions exported through XML-RPC
@@ -12,7 +13,7 @@ def err(msg):
raise XSMError(msg)
def on():
- return 0 #xsconstants.XS_POLICY_FLASK
+ return xsconstants.XS_POLICY_FLASK
def ssidref2label(ssidref):
try:
@@ -37,8 +38,9 @@ def set_security_label(policy, label):
return label
def ssidref2security_label(ssidref):
- return ssidref2label(ssidref)
+ label = ssidref2label(ssidref)
+ return label
def get_security_label(self, xspol=None):
- label = self.info.get('security_label', '')
+ label = self.info['security_label']
return label
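Review bot: `self.info['security_label']` in get_security_label raises KeyError for a domain whose info has no security_label entry, where the removed `.get('security_label', '')` returned an empty string. If the key is guaranteed to be present by the time this is called, a one-line comment saying where it is set would make that explicit. Otherwise keep the default with `label = self.info.get('security_label', '')`. The temporary introduced in ssidref2security_label adds nothing over the previous direct return.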
diff --git a/tools/python/xen/util/xsm/xsm.py b/tools/python/xen/util/xsm/xsm.py
new file mode 100644
index 0000000000..e2639c0d66
--- /dev/null
+++ b/tools/python/xen/util/xsm/xsm.py
@@ -0,0 +1,19 @@
+import sys
+import string
+from xen.xend import XendOptions
+from xen.util import xsconstants
+from xsm_core import xsm_init
+
+xoptions = XendOptions.instance()
+xsm_module_name = xoptions.get_xsm_module_name()
+
+xsconstants.XS_POLICY_USE = eval("xsconstants.XS_POLICY_"+string.upper(xsm_module_name))
+
+xsm_module_path = "xen.util.xsm." + xsm_module_name + "." + xsm_module_name
+xsm_module = __import__(xsm_module_path, globals(), locals(), ['*'], -1)
+
+xsm_init(xsm_module)
+
+for op in dir(xsm_module):
+ if not hasattr(sys.modules[__name__], op):
+ setattr(sys.modules[__name__], op, getattr(xsm_module, op, None))
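Review bot: The value of `xsm_module_name` comes from xend-config.sxp and reaches both `eval()` and `__import__` unchecked, so whatever that setting contains is evaluated as Python inside xend, and a simple typo surfaces as an unhelpful AttributeError or ImportError. Check the name against the three modules the option documents and look the constant up with `getattr`, which removes the eval entirely; the same check could equally live in XendOptions.get_xsm_module_name. The copy loop at the end also re-exports every name from the selected module, including its own imports and underscore-prefixed names, so skipping names that start with an underscore would keep the namespace tidier.

```python
xsm_module_name = xoptions.get_xsm_module_name()

# Accept only the module names the xsm_module_name option documents.
if xsm_module_name not in ('dummy', 'acm', 'flask'):
    raise ValueError("unsupported xsm_module_name: %r" % (xsm_module_name,))

xsconstants.XS_POLICY_USE = getattr(xsconstants,
                                    "XS_POLICY_" + xsm_module_name.upper())
# … unchanged: __import__ of the module, xsm_init, attribute copy loop …
```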
diff --git a/tools/python/xen/xend/XendConfig.py b/tools/python/xen/xend/XendConfig.py
index f14a94eecf..706d6e6e0b 100644
--- a/tools/python/xen/xend/XendConfig.py
+++ b/tools/python/xen/xend/XendConfig.py
@@ -729,7 +729,7 @@ class XendConfig(dict):
self.parse_cpuid(cfg, 'cpuid_check')
import xen.util.xsm.xsm as security
- if security.on() == xsconstants.XS_POLICY_ACM:
+ if security.on() == xsconstants.XS_POLICY_USE:
from xen.util.acmpolicy import ACM_LABEL_UNLABELED
if not 'security' in cfg and sxp.child_value(sxp_cfg, 'security'):
cfg['security'] = sxp.child_value(sxp_cfg, 'security')
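Review bot: The rewritten guard `security.on() == xsconstants.XS_POLICY_USE` no longer selects ACM. xsm.py sets XS_POLICY_USE to the configured module's constant, and dummy.on() and flask.on() return that same constant, so the test is true for both, including the default dummy module where it is 0 == 0. The body here is still ACM-specific (`from xen.util.acmpolicy import ACM_LABEL_UNLABELED`), and the same guard now gates calc_dom_ssidref_from_info/has_authorization in XendDomainInfo.py and do_access_control in blkif.py and netif.py. If the intent is "a real policy module is active", `if security.on() != xsconstants.XS_POLICY_DUMMY:` says that directly, and branches that only make sense for ACM should keep comparing against XS_POLICY_ACM. The enclosing method continues outside the hunk, so whether the other modules provide the functions called further down cannot be confirmed from here.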
diff --git a/tools/python/xen/xend/XendDomainInfo.py b/tools/python/xen/xend/XendDomainInfo.py
index 271e8acc94..3cbdc03287 100644
--- a/tools/python/xen/xend/XendDomainInfo.py
+++ b/tools/python/xen/xend/XendDomainInfo.py
@@ -2069,7 +2069,7 @@ class XendDomainInfo:
balloon.free(2*1024) # 2MB should be plenty
ssidref = 0
- if security.on() == xsconstants.XS_POLICY_ACM:
+ if security.on() == xsconstants.XS_POLICY_USE:
ssidref = security.calc_dom_ssidref_from_info(self.info)
if security.has_authorization(ssidref) == False:
raise VmError("VM is not authorized to run.")
@@ -2855,10 +2855,6 @@ class XendDomainInfo:
info["maxmem_kb"] = XendNode.instance() \
.physinfo_dict()['total_memory'] * 1024
- #ssidref field not used any longer
- if 'ssidref' in info:
- info.pop('ssidref')
-
# make sure state is reset for info
# TODO: we should eventually get rid of old_dom_states
diff --git a/tools/python/xen/xend/XendOptions.py b/tools/python/xen/xend/XendOptions.py
index 707892f90e..350f20736c 100644
--- a/tools/python/xen/xend/XendOptions.py
+++ b/tools/python/xen/xend/XendOptions.py
@@ -132,6 +132,9 @@ class XendOptions:
"""Default script to configure a backend network interface"""
vif_script = osdep.vif_script
+ """Default Xen Security Module"""
+ xsm_module_default = 'dummy'
+
"""Default rotation count of qemu-dm log file."""
qemu_dm_logrotate_count = 10
@@ -427,6 +430,11 @@ class XendOptionsFile(XendOptions):
return self.get_config_value('xen-api-server',
self.xen_api_server_default)
+ def get_xsm_module_name(self):
+ """Get the Xen Security Module name.
+ """
+ return self.get_config_string('xsm_module_name', self.xsm_module_default)
+
if os.uname()[0] == 'SunOS':
class XendOptionsSMF(XendOptions):
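Review bot: `get_xsm_module_name` is added, going by the hunk header, to XendOptionsFile only, while xsm.py calls it at import time on whatever `XendOptions.instance()` returns. On SunOS that is presumably XendOptionsSMF, whose definition starts on the last lines of this hunk and derives from XendOptions rather than XendOptionsFile, so the call would fail with AttributeError unless that class gets the method too. Adding the getter to XendOptionsSMF as well, or defining it once on the XendOptions base class if `get_config_string` is available there, would cover both. The body of XendOptionsSMF is outside the hunk.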
diff --git a/tools/python/xen/xend/server/blkif.py b/tools/python/xen/xend/server/blkif.py
index 87f03d1779..28ddf5f95d 100644
--- a/tools/python/xen/xend/server/blkif.py
+++ b/tools/python/xen/xend/server/blkif.py
@@ -78,7 +78,7 @@ class BlkifController(DevController):
if uuid:
back['uuid'] = uuid
- if security.on() == xsconstants.XS_POLICY_ACM:
+ if security.on() == xsconstants.XS_POLICY_USE:
self.do_access_control(config, uname)
(device_path, devid) = blkif.blkdev_name_to_number(dev)
diff --git a/tools/python/xen/xend/server/netif.py b/tools/python/xen/xend/server/netif.py
index 9aa7503aff..939f127c40 100644
--- a/tools/python/xen/xend/server/netif.py
+++ b/tools/python/xen/xend/server/netif.py
@@ -156,7 +156,7 @@ class NetifController(DevController):
front = { 'handle' : "%i" % devid,
'mac' : mac }
- if security.on() == xsconstants.XS_POLICY_ACM:
+ if security.on() == xsconstants.XS_POLICY_USE:
self.do_access_control(config)
return (devid, back, front)