author | Keir Fraser <keir.fraser@citrix.com> | 2008-09-04 11:23:08 +0100 |
---|---|---|
committer | Keir Fraser <keir.fraser@citrix.com> | 2008-09-04 11:23:08 +0100 |
commit | 06cfe5df7bdadd1972619d26127bd18a56a1db04 (patch) | |
tree | ccec33b0596f66e36e9fb824909438ba124b67cb | |
parent | e4e909d6e2ce5884133b3aaef13dc65fa9d244ba (diff) | |
xsm, python tools: remove autogenerated xsm.py
- The patch does away with the autogenerated xsm.py file and
introduces a config parameter in xend-config.sxp to determine the
security module. The parameter is (xsm_module_name {acm, dummy,
flask}). The default setting/option is dummy. .hgignore is also
updated to stop ignoring xsm.py on commits.
- The patch has created an xsconstant for XS_POLICY_FLASK and updated
the toolchain to check the instance of XS_POLICY_USE. XS_POLICY_USE
evaluates to XS_POLICY_FLASK or XS_POLICY_ACM or XS_POLICY_DUMMY
depending on configuration.
- Flask relies on the current value of ssidref returned by dominfo to
ensure that the label to sid mapping is consistent. ssidref had
been pop'ed from the dominfo object. The patch addresses this
issue.
- Flask python module style cleanups.
Signed-off-by: George Coker <gscoker@alpha.ncsc.mil>
-rw-r--r-- | .hgignore | 1 | ||||
-rw-r--r-- | tools/examples/xend-config.sxp | 4 | ||||
-rw-r--r-- | tools/python/Makefile | 26 | ||||
-rw-r--r-- | tools/python/xen/util/xsconstants.py | 4 | ||||
-rw-r--r-- | tools/python/xen/util/xsm/dummy/dummy.py | 2 | ||||
-rw-r--r-- | tools/python/xen/util/xsm/flask/flask.py | 8 | ||||
-rw-r--r-- | tools/python/xen/util/xsm/xsm.py | 19 | ||||
-rw-r--r-- | tools/python/xen/xend/XendConfig.py | 2 | ||||
-rw-r--r-- | tools/python/xen/xend/XendDomainInfo.py | 6 | ||||
-rw-r--r-- | tools/python/xen/xend/XendOptions.py | 8 | ||||
-rw-r--r-- | tools/python/xen/xend/server/blkif.py | 2 | ||||
-rw-r--r-- | tools/python/xen/xend/server/netif.py | 2 |
12 files changed, 47 insertions, 37 deletions
@@ -185,7 +185,6 @@
 ^tools/misc/xenperf$
 ^tools/pygrub/build/.*$
 ^tools/python/build/.*$
-^tools/python/xen/util/xsm/xsm\.py$
 ^tools/security/secpol_tool$
 ^tools/security/xen/.*$
 ^tools/security/xensec_tool$
diff --git a/tools/examples/xend-config.sxp b/tools/examples/xend-config.sxp
index 89f9fcae96..5465c39af3 100644
--- a/tools/examples/xend-config.sxp
+++ b/tools/examples/xend-config.sxp
@@ -14,6 +14,10 @@
 #(logfile /var/log/xen/xend.log)
 #(loglevel DEBUG)
+# Uncomment the line below. Set the value to flask, acm, or dummy to
+# select a security module.
+
+#(xsm_module_name dummy)
 # The Xen-API server configuration.
 #
diff --git a/tools/python/Makefile b/tools/python/Makefile
index 76603f4880..c2e5c9c318 100644
--- a/tools/python/Makefile
+++ b/tools/python/Makefile
@@ -1,14 +1,6 @@
 XEN_ROOT = ../..
 include $(XEN_ROOT)/tools/Rules.mk
-XEN_SECURITY_MODULE = dummy
-ifeq ($(FLASK_ENABLE),y)
-XEN_SECURITY_MODULE = flask
-endif
-ifeq ($(ACM_SECURITY),y)
-XEN_SECURITY_MODULE = acm
-endif
-
 .PHONY: all
 all: build
@@ -23,8 +15,8 @@ CATALOGS = $(patsubst %,xen/xm/messages/%.mo,$(LINGUAS))
 NLSDIR = /usr/share/locale
 .PHONY: build buildpy
-buildpy: xsm.py
- CC="$(CC)" CFLAGS="$(CFLAGS)" XEN_SECURITY_MODULE="$(XEN_SECURITY_MODULE)" python setup.py build
+buildpy:
+ CC="$(CC)" CFLAGS="$(CFLAGS)" python setup.py build
 build: buildpy refresh-pot refresh-po $(CATALOGS)
@@ -61,18 +53,6 @@ refresh-po: $(POTFILE)
 %.mo: %.po
 $(MSGFMT) -c -o $@ $<
-xsm.py:
- @(set -e; \
- echo "XEN_SECURITY_MODULE = \""$(XEN_SECURITY_MODULE)"\""; \
- echo "from xsm_core import *"; \
- echo ""; \
- echo "import xen.util.xsm."$(XEN_SECURITY_MODULE)"."$(XEN_SECURITY_MODULE)" as xsm_module"; \
- echo ""; \
- echo "xsm_init(xsm_module)"; \
- echo "from xen.util.xsm."$(XEN_SECURITY_MODULE)"."$(XEN_SECURITY_MODULE)" import *"; \
- echo "del xsm_module"; \
- echo "") >xen/util/xsm/$@
-
 .PHONY: install
 ifndef XEN_PYTHON_NATIVE_INSTALL
 install: LIBPATH=$(shell PYTHONPATH=xen/util python -c "import auxbin; print auxbin.libpath()")
@@ -104,4 +84,4 @@ test:
 .PHONY: clean
 clean:
- rm -rf build *.pyc *.pyo *.o *.a *~ $(CATALOGS) xen/util/xsm/xsm.py xen/util/auxbin.pyc
+ rm -rf build *.pyc *.pyo *.o *.a *~ $(CATALOGS) xen/util/auxbin.pyc
diff --git a/tools/python/xen/util/xsconstants.py b/tools/python/xen/util/xsconstants.py
index deea17194c..29540f0278 100644
--- a/tools/python/xen/util/xsconstants.py
+++ b/tools/python/xen/util/xsconstants.py
@@ -20,8 +20,10 @@ XS_INST_NONE = 0
 XS_INST_BOOT = (1 << 0)
 XS_INST_LOAD = (1 << 1)
-XS_POLICY_NONE = 0
+XS_POLICY_DUMMY = 0
 XS_POLICY_ACM = (1 << 0)
+XS_POLICY_FLASK = (1 << 1)
+XS_POLICY_USE = 0
 # Some internal variables used by the Xen-API
 ACM_LABEL_VM = (1 << 0)
diff --git a/tools/python/xen/util/xsm/dummy/dummy.py b/tools/python/xen/util/xsm/dummy/dummy.py
index b82e1b9ff5..5748699ee7 100644
--- a/tools/python/xen/util/xsm/dummy/dummy.py
+++ b/tools/python/xen/util/xsm/dummy/dummy.py
@@ -36,7 +36,7 @@ def err(msg):
 raise XSMError(msg)
 def on():
- return 0
+ return xsconstants.XS_POLICY_DUMMY
 def ssidref2label(ssidref):
 return 0
diff --git a/tools/python/xen/util/xsm/flask/flask.py b/tools/python/xen/util/xsm/flask/flask.py
index 61106349f2..fc168f8fde 100644
--- a/tools/python/xen/util/xsm/flask/flask.py
+++ b/tools/python/xen/util/xsm/flask/flask.py
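Review bot: `XS_POLICY_USE = 0` in xsconstants.py is a placeholder that xsm.py rewrites at import time, and the hunk carries no comment saying so. Until that import has run the value equals `XS_POLICY_DUMMY`, and a module that bound the name with `from xen.util.xsconstants import XS_POLICY_USE` would keep the old 0; whether any caller does that is not visible here. I would add `# Placeholder: xen.util.xsm.xsm sets this to the configured module's XS_POLICY_* value on import; always read it as xsconstants.XS_POLICY_USE` above the assignment. The hunk also renames `XS_POLICY_NONE`, so any remaining reference outside this diff would fail with AttributeError and is worth a grep.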
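Review bot: `on()` in dummy.py now returns `xsconstants.XS_POLICY_DUMMY`, but this hunk adds no import of `xsconstants`, whereas the flask.py change in the same commit had to add `from xen.util import xsconstants`. If dummy.py does not already import the module above line 36 (not visible in the hunk), the default security module raises NameError on the first `security.on()` call. Confirm the import exists or add the same line to dummy.py.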
@@ -1,5 +1,6 @@
 import sys
 from xen.lowlevel import flask
+from xen.util import xsconstants
 from xen.xend import sxp
 #Functions exported through XML-RPC
@@ -12,7 +13,7 @@ def err(msg):
 raise XSMError(msg)
 def on():
- return 0 #xsconstants.XS_POLICY_FLASK
+ return xsconstants.XS_POLICY_FLASK
 def ssidref2label(ssidref):
 try:
@@ -37,8 +38,9 @@ def set_security_label(policy, label):
 return label
 def ssidref2security_label(ssidref):
- return ssidref2label(ssidref)
+ label = ssidref2label(ssidref)
+ return label
 def get_security_label(self, xspol=None):
- label = self.info.get('security_label', '')
+ label = self.info['security_label']
 return label
diff --git a/tools/python/xen/util/xsm/xsm.py b/tools/python/xen/util/xsm/xsm.py
new file mode 100644
index 0000000000..e2639c0d66
--- /dev/null
+++ b/tools/python/xen/util/xsm/xsm.py
@@ -0,0 +1,19 @@
+import sys
+import string
+from xen.xend import XendOptions
+from xen.util import xsconstants
+from xsm_core import xsm_init
+
+xoptions = XendOptions.instance()
+xsm_module_name = xoptions.get_xsm_module_name()
+
+xsconstants.XS_POLICY_USE = eval("xsconstants.XS_POLICY_"+string.upper(xsm_module_name))
+
+xsm_module_path = "xen.util.xsm." + xsm_module_name + "." + xsm_module_name
+xsm_module = __import__(xsm_module_path, globals(), locals(), ['*'], -1)
+
+xsm_init(xsm_module)
+
+for op in dir(xsm_module):
+ if not hasattr(sys.modules[__name__], op):
+ setattr(sys.modules[__name__], op, getattr(xsm_module, op, None))
diff --git a/tools/python/xen/xend/XendConfig.py b/tools/python/xen/xend/XendConfig.py
index f14a94eecf..706d6e6e0b 100644
--- a/tools/python/xen/xend/XendConfig.py
+++ b/tools/python/xen/xend/XendConfig.py
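Review bot: `get_security_label` in flask.py now indexes `self.info['security_label']` where the old code used `.get('security_label', '')`, so a domain whose info has no label raises KeyError instead of yielding an empty label. The commit message does not mention this change, and the callers are outside the hunk, so it is unclear whether every caller guarantees the key. If failing on an unlabeled domain is intended, report it through the module's existing `err(msg)` with a descriptive message; otherwise keep the `.get` default.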
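Review bot: xsm.py passes the `xsm_module_name` string from xend-config.sxp straight into `eval(...)` and into the `__import__` path without checking that it is one of the three supported names. Xend is the privileged management daemon, so anything able to influence that config value gets an expression evaluated or an unintended `xen.util.xsm.<name>.<name>` module imported inside it, and a plain typo surfaces as an opaque NameError or ImportError at import time. Validate first, e.g. `if xsm_module_name not in ('acm', 'dummy', 'flask'): raise ValueError("unsupported xsm_module_name: %r" % xsm_module_name)`, and replace the eval with `xsconstants.XS_POLICY_USE = getattr(xsconstants, "XS_POLICY_" + xsm_module_name.upper())`. The final loop also copies every name in `dir(xsm_module)`, including that module's own imports, into this namespace; limiting it to the module's public functions would keep the exported surface explicit.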
@@ -729,7 +729,7 @@ class XendConfig(dict):
 self.parse_cpuid(cfg, 'cpuid_check')
 import xen.util.xsm.xsm as security
- if security.on() == xsconstants.XS_POLICY_ACM:
+ if security.on() == xsconstants.XS_POLICY_USE:
 from xen.util.acmpolicy import ACM_LABEL_UNLABELED
 if not 'security' in cfg and sxp.child_value(sxp_cfg, 'security'):
 cfg['security'] = sxp.child_value(sxp_cfg, 'security')
diff --git a/tools/python/xen/xend/XendDomainInfo.py b/tools/python/xen/xend/XendDomainInfo.py
index 271e8acc94..3cbdc03287 100644
--- a/tools/python/xen/xend/XendDomainInfo.py
+++ b/tools/python/xen/xend/XendDomainInfo.py
@@ -2069,7 +2069,7 @@ class XendDomainInfo:
 balloon.free(2*1024) # 2MB should be plenty
 ssidref = 0
- if security.on() == xsconstants.XS_POLICY_ACM:
+ if security.on() == xsconstants.XS_POLICY_USE:
 ssidref = security.calc_dom_ssidref_from_info(self.info)
 if security.has_authorization(ssidref) == False:
 raise VmError("VM is not authorized to run.")
@@ -2855,10 +2855,6 @@ class XendDomainInfo:
 info["maxmem_kb"] = XendNode.instance() \
 .physinfo_dict()['total_memory'] * 1024
- #ssidref field not used any longer
- if 'ssidref' in info:
- info.pop('ssidref')
-
 # make sure state is reset for info
 # TODO: we should eventually get rid of old_dom_states
diff --git a/tools/python/xen/xend/XendOptions.py b/tools/python/xen/xend/XendOptions.py
index 707892f90e..350f20736c 100644
--- a/tools/python/xen/xend/XendOptions.py
+++ b/tools/python/xen/xend/XendOptions.py
@@ -132,6 +132,9 @@ class XendOptions:
 """Default script to configure a backend network interface"""
 vif_script = osdep.vif_script
+ """Default Xen Security Module"""
+ xsm_module_default = 'dummy'
+
 """Default rotation count of qemu-dm log file."""
 qemu_dm_logrotate_count = 10
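Review bot: `security.on() == xsconstants.XS_POLICY_USE` in XendConfig.py is true by construction for dummy and flask, since each module's `on()` returns its own constant and xsm.py sets `XS_POLICY_USE` to that same constant; the identical test is repeated in XendDomainInfo.py, blkif.py and netif.py. With the default dummy module the branch here that imports `ACM_LABEL_UNLABELED` from acmpolicy now runs for every config, which the old `== XS_POLICY_ACM` test prevented. In the other three files the test guards `has_authorization` and `do_access_control`, and if the two values ever disagree (say `XS_POLICY_USE` is still at its initial 0) those checks are skipped silently. If the intent is that a real module is active, `if security.on() != xsconstants.XS_POLICY_DUMMY:` states it directly, while this XendConfig branch looks ACM-specific and may need to keep `== xsconstants.XS_POLICY_ACM`; the enclosing methods lie outside the hunks, so confirm against the full bodies.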
@@ -427,6 +430,11 @@ class XendOptionsFile(XendOptions):
 return self.get_config_value('xen-api-server',
 self.xen_api_server_default)
+ def get_xsm_module_name(self):
+ """Get the Xen Security Module name.
+ """
+ return self.get_config_string('xsm_module_name', self.xsm_module_default)
+
 if os.uname()[0] == 'SunOS':
 class XendOptionsSMF(XendOptions):
diff --git a/tools/python/xen/xend/server/blkif.py b/tools/python/xen/xend/server/blkif.py
index 87f03d1779..28ddf5f95d 100644
--- a/tools/python/xen/xend/server/blkif.py
+++ b/tools/python/xen/xend/server/blkif.py
@@ -78,7 +78,7 @@ class BlkifController(DevController):
 if uuid:
 back['uuid'] = uuid
- if security.on() == xsconstants.XS_POLICY_ACM:
+ if security.on() == xsconstants.XS_POLICY_USE:
 self.do_access_control(config, uname)
 (device_path, devid) = blkif.blkdev_name_to_number(dev)
diff --git a/tools/python/xen/xend/server/netif.py b/tools/python/xen/xend/server/netif.py
index 9aa7503aff..939f127c40 100644
--- a/tools/python/xen/xend/server/netif.py
+++ b/tools/python/xen/xend/server/netif.py
@@ -156,7 +156,7 @@ class NetifController(DevController):
 front = { 'handle' : "%i" % devid,
 'mac' : mac }
- if security.on() == xsconstants.XS_POLICY_ACM:
+ if security.on() == xsconstants.XS_POLICY_USE:
 self.do_access_control(config)
 return (devid, back, front) |
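Review bot: `get_xsm_module_name` is added on `XendOptionsFile` (the class named in the hunk header), while `XendOptionsSMF` is declared directly below it as a separate subclass of `XendOptions`. xsm.py calls the getter on `XendOptions.instance()` at import time, so if the SunOS instance is an `XendOptionsSMF` that neither inherits nor defines the method, importing `xen.util.xsm.xsm` would fail there with AttributeError; the rest of both classes is outside the hunk, so confirm. The docstring could also name the accepted values, e.g. `"""Get the Xen Security Module name: 'acm', 'dummy' or 'flask' (default 'dummy')."""`, since the returned string is used unvalidated to select the module.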