authorkaf24@firebug.cl.cam.ac.uk <kaf24@firebug.cl.cam.ac.uk>2006-06-13 15:38:58 +0100
committerkaf24@firebug.cl.cam.ac.uk <kaf24@firebug.cl.cam.ac.uk>2006-06-13 15:38:58 +0100
commitdf70dfb525275e977eccecc4dcb83f862e62e371 (patch)
treee8cbf738dfb8ace8ceb2f67c154cba7af1311409 /tools/security
parent423ce9cf9ec308803807737cf104a3c0f17237f4 (diff)
[ACM] Provide the framework needed for resource labeling.
Subsequent patches will follow in the coming weeks that will enable Xen ACM to control assignment of resources (e.g., block devices and networking) to virtual machines based on resource labels and the active security policy. Signed-off-by: Bryan D. Payne <bdpayne@us.ibm.com> Signed-off-by: Reiner Sailer <sailer@us.ibm.com>
Diffstat (limited to 'tools/security')
-rw-r--r--tools/security/Makefile2
-rw-r--r--tools/security/python/xensec_gen/cgi-bin/policy.cgi2
-rw-r--r--tools/security/python/xensec_tools/acm_getdecision55
-rw-r--r--tools/security/secpol_xml2bin.c6
4 files changed, 6 insertions, 59 deletions
diff --git a/tools/security/Makefile b/tools/security/Makefile
index 7316599aa6..824135f5f7 100644
--- a/tools/security/Makefile
+++ b/tools/security/Makefile
@@ -33,7 +33,7 @@ OBJS_XML2BIN := $(patsubst %.c,%.o,$(filter %.c,$(SRCS_XML2BIN)))
ACM_INST_TOOLS = xensec_tool xensec_xml2bin xensec_gen
ACM_OBJS = $(OBJS_TOOL) $(OBJS_XML2BIN) $(OBJS_GETD)
-ACM_SCRIPTS = python/xensec_tools/acm_getlabel python/xensec_tools/acm_getdecision
+ACM_SCRIPTS = python/xensec_tools/acm_getlabel
ACM_CONFIG_DIR = /etc/xen/acm-security
ACM_POLICY_DIR = $(ACM_CONFIG_DIR)/policies
diff --git a/tools/security/python/xensec_gen/cgi-bin/policy.cgi b/tools/security/python/xensec_gen/cgi-bin/policy.cgi
index fa655c76c7..5916e35ac4 100644
--- a/tools/security/python/xensec_gen/cgi-bin/policy.cgi
+++ b/tools/security/python/xensec_gen/cgi-bin/policy.cgi
@@ -406,7 +406,7 @@ def parsePolicyXml( ):
msg = msg + 'Please validate the Policy file used.'
formatXmlError( msg )
- allCSMTypes[csName][1] = csMemberList
+ allCSMTypes[csName][1] = csMemberList
if pOrder != '':
formPolicyOrder[1] = pOrder
diff --git a/tools/security/python/xensec_tools/acm_getdecision b/tools/security/python/xensec_tools/acm_getdecision
deleted file mode 100644
index ec554405ab..0000000000
--- a/tools/security/python/xensec_tools/acm_getdecision
+++ /dev/null
@@ -1,55 +0,0 @@
-#!/usr/bin/env python
-# -*- mode: python; -*-
-import sys
-import traceback
-import getopt
-
-# add fallback path for non-native python path installs if needed
-sys.path.insert(-1, '/usr/lib/python')
-sys.path.insert(-1, '/usr/lib64/python')
-
-from xen.util.security import ACMError, err, get_decision, active_policy
-
-def usage():
- print "Usage: acm_getdecision -i domainid --label labelname"
- print " Test program illustrating the retrieval of"
- print " access control decisions from Xen. At this time,"
- print " only sharing (STE) policy decisions are supported."
- print " Arguments are two paramters in any combination:"
- print "\t -i domain_id or --domid domain_id"
- print "\t -l labelname or --label labelname"
- print " Return value:"
- print "\t PERMITTED if access is permitted"
- print "\t DENIED if access is denied"
- print "\t ACMError -- e.g., unknown label or domain id"
- err("Usage")
-
-try:
-
- if len(sys.argv) != 5:
- usage()
-
- decision_args = []
-
- for idx in range(1, len(sys.argv), 2):
- if sys.argv[idx] in ['-i', '--domid']:
- decision_args.append(['domid', sys.argv[idx+1]])
- elif sys.argv[idx] in ['-l', '--label']:
- decision_args.append(['access_control',
- ['policy', active_policy],
- ['label', sys.argv[idx+1]]
- ])
- else:
- print "unknown argument %s" % sys.argv[idx]
- usage()
-
- if len(decision_args) != 2:
- print "too many arguments"
- usage()
-
- print get_decision(decision_args[0], decision_args[1])
-
-except ACMError:
- pass
-except:
- traceback.print_exc(limit=1)
diff --git a/tools/security/secpol_xml2bin.c b/tools/security/secpol_xml2bin.c
index 61cb869359..477991f28c 100644
--- a/tools/security/secpol_xml2bin.c
+++ b/tools/security/secpol_xml2bin.c
@@ -44,6 +44,8 @@
#define DEBUG 0
+#define NULL_LABEL_NAME "__NULL_LABEL__"
+
/* primary / secondary policy component setting */
enum policycomponent { CHWALL, STE, NULLPOLICY }
primary = NULLPOLICY, secondary = NULLPOLICY;
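Review bot: The reserved label string introduced as `NULL_LABEL_NAME` here is assigned to both default SSIDs in the later hunks of this file, but nothing visible in this diff stops a policy XML from declaring a label literally named `__NULL_LABEL__`, which would give a user-defined label the same name as the implicit unlabeled SSID and make any name-based label lookup ambiguous. If the XML parser does not already reject that name, a check at the point where label names are read, along the lines of `if (!strcmp(label, NULL_LABEL_NAME)) { fprintf(stderr, "label name %s is reserved\n", label); return -EINVAL; }`, would close the gap; whether such a check exists cannot be told from this hunk. The define also deserves a comment documenting its contract: `/* Name of the implicit SSID given to unlabeled subjects/objects; must not appear as a label in the policy XML. */`. The `init_ssid_queues` body that uses the constant starts and ends outside the hunks shown.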
@@ -467,7 +469,7 @@ int init_ssid_queues(void)
return -ENOMEM;
/* default chwall ssid */
- default_ssid_chwall->name = "DEFAULT";
+ default_ssid_chwall->name = NULL_LABEL_NAME;
default_ssid_chwall->num = max_chwall_ssids++;
default_ssid_chwall->is_ref = 0;
default_ssid_chwall->type = ANY;
@@ -484,7 +486,7 @@ int init_ssid_queues(void)
max_chwall_labels++;
/* default ste ssid */
- default_ssid_ste->name = "DEFAULT";
+ default_ssid_ste->name = NULL_LABEL_NAME;
default_ssid_ste->num = max_ste_ssids++;
default_ssid_ste->is_ref = 0;
default_ssid_ste->type = ANY;