diff options
author | Alex Williamson <alex.williamson@hp.com> | 2007-09-06 12:05:15 -0600 |
---|---|---|
committer | Alex Williamson <alex.williamson@hp.com> | 2007-09-06 12:05:15 -0600 |
commit | 813d34b4d07947172c06ef333da6567ea00fc312 (patch) | |
tree | 6db5151588dd71c0b36e1618b2c8edac837b8752 /tools | |
parent | 0f227f8c82d1d7818f227724806bf5f309beb636 (diff) | |
parent | f0a09ab129e5f0a4e6de6610f77eea9005fa5eb2 (diff) | |
download | xen-813d34b4d07947172c06ef333da6567ea00fc312.tar.gz xen-813d34b4d07947172c06ef333da6567ea00fc312.tar.bz2 xen-813d34b4d07947172c06ef333da6567ea00fc312.zip |
merge with xen-unstable.hg (staging)
Diffstat (limited to 'tools')
77 files changed, 1276 insertions, 373 deletions
diff --git a/tools/Makefile b/tools/Makefile index 9d55900d2c..c150dbd984 100644 --- a/tools/Makefile +++ b/tools/Makefile @@ -3,6 +3,7 @@ include $(XEN_ROOT)/tools/Rules.mk SUBDIRS-y := SUBDIRS-y += libxc +SUBDIRS-y += flask SUBDIRS-y += xenstore SUBDIRS-y += misc SUBDIRS-y += examples diff --git a/tools/Rules.mk b/tools/Rules.mk index 4d0b193a53..aab715989b 100644 --- a/tools/Rules.mk +++ b/tools/Rules.mk @@ -49,6 +49,8 @@ mk-symlinks: ( cd xen/hvm && ln -sf ../../$(XEN_ROOT)/xen/include/public/hvm/*.h . ) mkdir -p xen/io ( cd xen/io && ln -sf ../../$(XEN_ROOT)/xen/include/public/io/*.h . ) + mkdir -p xen/xsm + ( cd xen/xsm && ln -sf ../../$(XEN_ROOT)/xen/include/public/xsm/*.h . ) mkdir -p xen/arch-x86 ( cd xen/arch-x86 && ln -sf ../../$(XEN_ROOT)/xen/include/public/arch-x86/*.h . ) mkdir -p xen/foreign diff --git a/tools/blktap/drivers/tapdisk.c b/tools/blktap/drivers/tapdisk.c index 94a4e48c30..ae1d7d6ccd 100644 --- a/tools/blktap/drivers/tapdisk.c +++ b/tools/blktap/drivers/tapdisk.c @@ -863,11 +863,7 @@ int main(int argc, char *argv[]) ptr = fd_start; while (ptr != NULL) { s = ptr->s; - unmap_disk(s); - free(s->blkif); - free(s->ring_info); - free(s); close(ptr->tap_fd); ptr = ptr->next; } diff --git a/tools/examples/blktap b/tools/examples/blktap index 5a7ee3236b..b3a0b63544 100644 --- a/tools/examples/blktap +++ b/tools/examples/blktap 
@@ -8,6 +8,57 @@ dir=$(dirname "$0") findCommand "$@" +## +# check_blktap_sharing file mode +# +# Perform the sharing check for the given blktap and mode. +# +check_blktap_sharing() +{ + local file="$1" + local mode="$2" + + local base_path="$XENBUS_BASE_PATH/$XENBUS_TYPE" + for dom in $(xenstore-list "$base_path") + do + for dev in $(xenstore-list "$base_path/$dom") + do + params=$(xenstore_read "$base_path/$dom/$dev/params" | cut -d: -f2) + if [ "$file" = "$params" ] + then + + if [ "$mode" = 'w' ] + then + if ! same_vm "$dom" + then + echo 'guest' + return + fi + else + local m=$(xenstore_read "$base_path/$dom/$dev/mode") + m=$(canonicalise_mode "$m") + + if [ "$m" = 'w' ] + then + if ! same_vm "$dom" + then + echo 'guest' + return + fi + fi + fi + fi + done + done + + echo 'ok' +} + +FRONTEND_ID=$(xenstore_read "$XENBUS_PATH/frontend-id") +FRONTEND_UUID=$(xenstore_read "/local/domain/$FRONTEND_ID/vm") +mode=$(xenstore_read "$XENBUS_PATH/mode") +mode=$(canonicalise_mode "$mode") + t=$(xenstore_read_default "$XENBUS_PATH/type" 'MISSING') if [ -n "$t" ] then @@ -18,7 +69,19 @@ then p=${p#*:} fi fi -file=$(readlink -f "$p") || ebusy "$p does not exist." +# some versions of readlink cannot be passed a regular file +if [ -L "$p" ]; then + file=$(readlink -f "$p") || ebusy "$p link does not exist." +else + [ -f "$p" ] || { ebusy "$p file does not exist." } + file="$p" +fi + +if [ "$mode" != '!' ] +then + result=$(check_blktap_sharing "$file" "$mode") + [ "$result" = 'ok' ] || ebusy "$file already in use by other domain" +fi if [ "$command" = 'add' ] then diff --git a/tools/examples/block b/tools/examples/block index 2b6b991125..1cf6fb8fc8 100644 --- a/tools/examples/block +++ b/tools/examples/block 
@@ -18,32 +18,6 @@ expand_dev() { ## -# canonicalise_mode mode -# -# Takes the given mode, which may be r, w, ro, rw, w!, or rw!, or variations -# thereof, and canonicalises them to one of -# -# 'r': perform checks for a new read-only mount; -# 'w': perform checks for a read-write mount; or -# '!': perform no checks at all. -# -canonicalise_mode() -{ - local mode="$1" - - if ! expr index "$mode" 'w' >/dev/null - then - echo 'r' - elif ! expr index "$mode" '!' >/dev/null - then - echo 'w' - else - echo '!' - fi -} - - -## # check_sharing device mode # # Check whether the device requested is already in use. To use the device in @@ -126,22 +100,6 @@ check_sharing() } -same_vm() -{ - local otherdom="$1" - # Note that othervm can be MISSING here, because Xend will be racing with - # the hotplug scripts -- the entries in /local/domain can be removed by - # Xend before the hotplug scripts have removed the entry in - # /local/domain/0/backend/. In this case, we want to pretend that the - # VM is the same as FRONTEND_UUID, because that way the 'sharing' will be - # allowed. - local othervm=$(xenstore_read_default "/local/domain/$otherdom/vm" \ - "$FRONTEND_UUID") - - [ "$FRONTEND_UUID" = "$othervm" ] -} - - ## # check_device_sharing dev mode # diff --git a/tools/examples/block-common.sh b/tools/examples/block-common.sh index 000b52724f..a0ebc9b12a 100644 --- a/tools/examples/block-common.sh +++ b/tools/examples/block-common.sh 
@@ -71,3 +71,46 @@ write_dev() { success } + + +## +# canonicalise_mode mode +# +# Takes the given mode, which may be r, w, ro, rw, w!, or rw!, or variations +# thereof, and canonicalises them to one of +# +# 'r': perform checks for a new read-only mount; +# 'w': perform checks for a read-write mount; or +# '!': perform no checks at all. +# +canonicalise_mode() +{ + local mode="$1" + + if ! expr index "$mode" 'w' >/dev/null + then + echo 'r' + elif ! expr index "$mode" '!' >/dev/null + then + echo 'w' + else + echo '!' + fi +} + + +same_vm() +{ + local otherdom="$1" + # Note that othervm can be MISSING here, because Xend will be racing with + # the hotplug scripts -- the entries in /local/domain can be removed by + # Xend before the hotplug scripts have removed the entry in + # /local/domain/0/backend/. In this case, we want to pretend that the + # VM is the same as FRONTEND_UUID, because that way the 'sharing' will be + # allowed. + local othervm=$(xenstore_read_default "/local/domain/$otherdom/vm" \ + "$FRONTEND_UUID") + + [ "$FRONTEND_UUID" = "$othervm" ] +} + diff --git a/tools/examples/network-bridge b/tools/examples/network-bridge index 6b528d8a48..b0b318b7fd 100755 --- a/tools/examples/network-bridge +++ b/tools/examples/network-bridge @@ -259,7 +259,8 @@ add_to_bridge2() { fi done - if [ ${i} -eq ${maxtries} ] ; then echo '(link isnt in running state)' ; fi + if [ ${i} -eq ${maxtries} ] ; then echo -n '(link isnt in running state)' ; fi + echo add_to_bridge ${bridge} ${dev} } diff --git a/tools/firmware/hvmloader/smbios.c b/tools/firmware/hvmloader/smbios.c index fed2df5bfc..07d9e7b848 100644 --- a/tools/firmware/hvmloader/smbios.c +++ b/tools/firmware/hvmloader/smbios.c 
@@ -159,8 +159,7 @@ get_memsize(void) int hvm_write_smbios_tables(void) { - uint8_t uuid[16]; /* ** This will break if xen_domain_handle_t is - not uint8_t[16]. ** */ + xen_domain_handle_t uuid; uint16_t xen_major_version, xen_minor_version; uint32_t xen_version; char xen_extra_version[XEN_EXTRAVERSION_LEN]; @@ -173,6 +172,7 @@ hvm_write_smbios_tables(void) unsigned tmp_len; /* length of next string to add */ hypercall_xen_version(XENVER_guest_handle, uuid); + BUILD_BUG_ON(sizeof(xen_domain_handle_t) != 16); /* xen_version major and minor */ xen_version = hypercall_xen_version(XENVER_version, NULL); diff --git a/tools/firmware/hvmloader/util.h b/tools/firmware/hvmloader/util.h index 42b20bdf09..6ce796b3cc 100644 --- a/tools/firmware/hvmloader/util.h +++ b/tools/firmware/hvmloader/util.h @@ -17,6 +17,7 @@ extern void __assert_failed(char *assertion, char *file, int line) extern void __bug(char *file, int line) __attribute__((noreturn)); #define BUG() __bug(__FILE__, __LINE__) #define BUG_ON(p) do { if (p) BUG(); } while (0) +#define BUILD_BUG_ON(p) ((void)sizeof(char[1 - 2 * !!(p)])) /* I/O output */ void outb(uint16_t addr, uint8_t val); diff --git a/tools/firmware/rombios/rombios.c b/tools/firmware/rombios/rombios.c index 9a411af09a..fcdf3fb7ff 100644 --- a/tools/firmware/rombios/rombios.c +++ b/tools/firmware/rombios/rombios.c @@ -1057,7 +1057,7 @@ static char CVSID[] = "$Id: rombios.c,v 1.138 2005/05/07 15:55:26 vruppert Exp $ #define UNSUPPORTED_FUNCTION 0x86 #define none 0 -#define MAX_SCAN_CODE 0x53 +#define MAX_SCAN_CODE 0x58 static struct { Bit16u normal; 
@@ -1149,7 +1149,12 @@ static struct { { 0x5000, 0x5032, none, none, 0x20 }, /* 2 Down */ { 0x5100, 0x5133, 0x7600, none, 0x20 }, /* 3 PgDn */ { 0x5200, 0x5230, none, none, 0x20 }, /* 0 Ins */ - { 0x5300, 0x532e, none, none, 0x20 } /* Del */ + { 0x5300, 0x532e, none, none, 0x20 }, /* Del */ + { none, none, none, none, none }, /* ??? */ + { none, none, none, none, none }, /* ??? */ + { none, none, none, none, none }, /* ??? */ + { 0x8500, 0x8700, 0x8900, 0x8b00, none }, /* F11 */ + { 0x8600, 0x8800, 0x8a00, 0x8c00, none }, /* F12 */ }; Bit8u @@ -4682,7 +4687,7 @@ int09_function(DI, SI, BP, SP, BX, DX, CX, AX) default: if (scancode & 0x80) return; /* toss key releases ... */ if (scancode > MAX_SCAN_CODE) { - BX_INFO("KBD: int09h_handler(): unknown scancode read!\n"); + BX_INFO("KBD: int09h_handler(): unknown scancode (%x) read!\n", scancode); return; } if (shift_flags & 0x08) { /* ALT */ diff --git a/tools/flask/Makefile b/tools/flask/Makefile new file mode 100644 index 0000000000..64fd0940ce --- /dev/null +++ b/tools/flask/Makefile @@ -0,0 +1,26 @@ +XEN_ROOT = ../.. +include $(XEN_ROOT)/tools/Rules.mk + +SUBDIRS := +SUBDIRS += libflask +SUBDIRS += loadpolicy + +.PHONY: all +all: + @set -e; for subdir in $(SUBDIRS); do \ + $(MAKE) -C $$subdir $@; \ + done + +.PHONY: install +install: + @set -e; for subdir in $(SUBDIRS); do \ + $(MAKE) -C $$subdir $@; \ + done + +.PHONY: clean +clean: + @set -e; for subdir in $(SUBDIRS); do \ + $(MAKE) -C $$subdir $@; \ + done + + diff --git a/tools/flask/libflask/Makefile b/tools/flask/libflask/Makefile new file mode 100644 index 0000000000..9c5cb770ff --- /dev/null +++ b/tools/flask/libflask/Makefile 
@@ -0,0 +1,65 @@ +MAJOR = 1.0 +MINOR = 0 + +XEN_ROOT = ../../.. +include $(XEN_ROOT)/tools/Rules.mk + +XEN_LIBXC = $(XEN_ROOT)/tools/libxc + +SRCS := +SRCS += flask_op.c + +CFLAGS += -Werror +CFLAGS += -fno-strict-aliasing +CFLAGS += $(INCLUDES) -I./include -I$(XEN_LIBXC) + +# Get gcc to generate the dependencies for us. +CFLAGS += -Wp,-MD,.$(@F).d +LDFLAGS += -L. +DEPS = .*.d + +LIB_OBJS := $(patsubst %.c,%.o,$(SRCS)) +PIC_OBJS := $(patsubst %.c,%.opic,$(SRCS)) + +LIB := libflask.a +LIB += libflask.so libflask.so.$(MAJOR) libflask.so.$(MAJOR).$(MINOR) + +.PHONY: all +all: build + +.PHONY: build +build: + $(MAKE) $(LIB) + +.PHONY: install +install: build + [ -d $(DESTDIR)/usr/$(LIBDIR) ] || $(INSTALL_DIR) $(DESTDIR)/usr/$(LIBDIR) + [ -d $(DESTDIR)/usr/include ] || $(INSTALL_DIR) $(DESTDIR)/usr/include + $(INSTALL_PROG) libflask.so.$(MAJOR).$(MINOR) $(DESTDIR)/usr/$(LIBDIR) + $(INSTALL_DATA) libflask.a $(DESTDIR)/usr/$(LIBDIR) + ln -sf libflask.so.$(MAJOR).$(MINOR) $(DESTDIR)/usr/$(LIBDIR)/libflask.so.$(MAJOR) + ln -sf libflask.so.$(MAJOR) $(DESTDIR)/usr/$(LIBDIR)/libflask.so + $(INSTALL_DATA) include/flask_op.h $(DESTDIR)/usr/include + +.PHONY: TAGS +TAGS: + etags -t *.c *.h + +.PHONY: clean +clean: + rm -rf *.a *.so* *.o *.opic *.rpm $(LIB) *~ $(DEPS) xen + +# libflask + +libflask.a: $(LIB_OBJS) + $(AR) rc $@ $^ + +libflask.so: libflask.so.$(MAJOR) + ln -sf $< $@ +libflask.so.$(MAJOR): libflask.so.$(MAJOR).$(MINOR) + ln -sf $< $@ + +libflask.so.$(MAJOR).$(MINOR): $(PIC_OBJS) + $(CC) $(CFLAGS) $(LDFLAGS) -Wl,-soname -Wl,libflask.so.$(MAJOR) -shared -o $@ $^ + +-include $(DEPS) diff --git a/tools/flask/libflask/flask_op.c b/tools/flask/libflask/flask_op.c new file mode 100644 index 0000000000..5ebadb51b7 --- /dev/null +++ b/tools/flask/libflask/flask_op.c 
@@ -0,0 +1,100 @@ +/* + * + * Authors: Michael LeMay, <mdlemay@epoch.ncsc.mil> + * George Coker, <gscoker@alpha.ncsc.mil> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2, + * as published by the Free Software Foundation. + */ + +#include <unistd.h> +#include <stdio.h> +#include <errno.h> +#include <fcntl.h> +#include <string.h> +#include <sys/mman.h> +#include <sys/types.h> +#include <sys/stat.h> +#include <stdlib.h> +#include <sys/ioctl.h> + +#include <xc_private.h> + +#include <flask_op.h> + +int flask_load(int xc_handle, char *buf, int size) +{ + int err; + flask_op_t op; + + op.cmd = FLASK_LOAD; + op.buf = buf; + op.size = size; + + if ( (err = do_flask_op(xc_handle, &op)) != 0 ) + return err; + + return 0; +} + +int flask_context_to_sid(int xc_handle, char *buf, int size, uint32_t *sid) +{ + int err; + flask_op_t op; + + op.cmd = FLASK_CONTEXT_TO_SID; + op.buf = buf; + op.size = size; + + if ( (err = do_flask_op(xc_handle, &op)) != 0 ) + return err; + + sscanf(buf, "%u", sid); + + return 0; +} + +int flask_sid_to_context(int xc_handle, int sid, char *buf, int size) +{ + int err; + flask_op_t op; + + op.cmd = FLASK_SID_TO_CONTEXT; + op.buf = buf; + op.size = size; + + snprintf(buf, size, "%u", sid); + + if ( (err = do_flask_op(xc_handle, &op)) != 0 ) + return err; + + return 0; +} + +int do_flask_op(int xc_handle, flask_op_t *op) +{ + int ret = -1; + DECLARE_HYPERCALL; + + hypercall.op = __HYPERVISOR_xsm_op; + hypercall.arg[0] = (unsigned long)op; + + if ( mlock(op, sizeof(*op)) != 0 ) + { + PERROR("Could not lock memory for Xen hypercall"); + goto out; + } + + if ( (ret = do_xen_hypercall(xc_handle, &hypercall)) < 0 ) + { + if ( errno == EACCES ) + fprintf(stderr, "XSM operation failed!\n"); + } + + safe_munlock(op, sizeof(*op)); + + out: + return ret; +} + 
diff --git a/tools/flask/libflask/include/flask_op.h b/tools/flask/libflask/include/flask_op.h new file mode 100644 index 0000000000..56cb213d67 --- /dev/null +++ b/tools/flask/libflask/include/flask_op.h @@ -0,0 +1,46 @@ +/* + * + * Authors: Michael LeMay, <mdlemay@epoch.ncsc.mil> + * George Coker, <gscoker@alpha.ncsc.mil> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2, + * as published by the Free Software Foundation. + */ + +#ifndef __FLASK_OP_H +#define __FLASK_OP_H + +#define FLASK_LOAD 1 +#define FLASK_GETENFORCE 2 +#define FLASK_SETENFORCE 3 +#define FLASK_CONTEXT_TO_SID 4 +#define FLASK_SID_TO_CONTEXT 5 +#define FLASK_ACCESS 6 +#define FLASK_CREATE 7 +#define FLASK_RELABEL 8 +#define FLASK_USER 9 +#define FLASK_POLICYVERS 10 +#define FLASK_GETBOOL 11 +#define FLASK_SETBOOL 12 +#define FLASK_COMMITBOOLS 13 +#define FLASK_MLS 14 +#define FLASK_DISABLE 15 +#define FLASK_GETAVC_THRESHOLD 16 +#define FLASK_SETAVC_THRESHOLD 17 +#define FLASK_AVC_HASHSTATS 18 +#define FLASK_AVC_CACHESTATS 19 +#define FLASK_MEMBER 20 + +typedef struct flask_op { + int cmd; + int size; + char *buf; +} flask_op_t; + +int flask_load(int xc_handle, char *buf, int size); +int flask_context_to_sid(int xc_handle, char *buf, int size, u_int32_t *sid); +int flask_sid_to_context(int xc_handle, int sid, char *buf, int size); +int do_flask_op(int xc_handle, flask_op_t *op); + +#endif diff --git a/tools/flask/loadpolicy/Makefile b/tools/flask/loadpolicy/Makefile new file mode 100644 index 0000000000..3cad9a4720 --- /dev/null +++ b/tools/flask/loadpolicy/Makefile 
@@ -0,0 +1,61 @@ +XEN_ROOT=../../.. +include $(XEN_ROOT)/tools/Rules.mk +XEN_LIBXC = $(XEN_ROOT)/tools/libxc + +INSTALL = install +INSTALL_DATA = $(INSTALL) -m0644 +INSTALL_PROG = $(INSTALL) -m0755 +INSTALL_DIR = $(INSTALL) -d -m0755 + +LIBXC_ROOT = $(XEN_ROOT)/tools/libxc +LIBFLASK_ROOT = $(XEN_ROOT)/tools/flask/libflask + +PROFILE=#-pg +BASECFLAGS=-Wall -g -Werror +# Make gcc generate dependencies. +BASECFLAGS += -Wp,-MD,.$(@F).d +PROG_DEP = .*.d +BASECFLAGS+= $(PROFILE) +#BASECFLAGS+= -I$(XEN_ROOT)/tools +BASECFLAGS+= -I$(LIBXC_ROOT) +BASECFLAGS+= -I$(LIBFLASK_ROOT)/include +BASECFLAGS+= -I. + +CFLAGS += $(BASECFLAGS) +LDFLAGS += $(PROFILE) -L$(XEN_LIBXC) -L$(LIBFLASK_ROOT) +TESTDIR = testsuite/tmp +TESTFLAGS= -DTESTING +TESTENV = XENSTORED_ROOTDIR=$(TESTDIR) XENSTORED_RUNDIR=$(TESTDIR) + +CLIENTS := flask-loadpolicy +CLIENTS_OBJS := $(patsubst flask-%,%.o,$(CLIENTS)) + +.PHONY: all +all: $(CLIENTS) + +$(CLIENTS): flask-%: %.o + $(LINK.o) $< $(LOADLIBES) $(LDLIBS) -L. -lflask -lxenctrl -o $@ + +.PHONY: clean +clean: + rm -f *.o *.opic *.so + rm -f $(CLIENTS) + $(RM) $(PROG_DEP) + +.PHONY: print-dir +print-dir: + @echo -n tools/flask/loadpolicy: + +.PHONY: print-end +print-end: + @echo + +.PHONY: install +install: all + $(INSTALL_DIR) -p $(DESTDIR)/usr/sbin + $(INSTALL_PROG) $(CLIENTS) $(DESTDIR)/usr/sbin + +-include $(PROG_DEP) + +# never delete any intermediate files. +.SECONDARY: diff --git a/tools/flask/loadpolicy/loadpolicy.c b/tools/flask/loadpolicy/loadpolicy.c new file mode 100644 index 0000000000..285aec4331 --- /dev/null +++ b/tools/flask/loadpolicy/loadpolicy.c 
@@ -0,0 +1,130 @@ +/* + * + * Authors: Michael LeMay, <mdlemay@epoch.ncsc.mil> + * George Coker, <gscoker@alpha.ncsc.mil> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2, + * as published by the Free Software Foundation. + */ + +#include <stdlib.h> +#include <errno.h> +#include <stdio.h> +#include <xenctrl.h> +#include <fcntl.h> +#include <sys/mman.h> +#include <sys/stat.h> +#include <string.h> +#include <unistd.h> + +#include <flask_op.h> + +#define USE_MMAP + +static void usage (int argCnt, const char *args[]) +{ + fprintf(stderr, "Usage: %s <policy.file>\n", args[0]); + exit(1); +} + +int main (int argCnt, const char *args[]) +{ + const char *polFName; + int polFd = 0; + void *polMem = NULL; + void *polMemCp = NULL; + struct stat info; + int ret; + int xch = 0; + + if (argCnt != 2) + usage(argCnt, args); + + polFName = args[1]; + polFd = open(polFName, O_RDONLY); + if ( polFd < 0 ) + { + fprintf(stderr, "Error occurred opening policy file '%s': %s\n", + polFName, strerror(errno)); + ret = -1; + goto cleanup; + } + + ret = stat(polFName, &info); + if ( ret < 0 ) + { + fprintf(stderr, "Error occurred retrieving information about" + "policy file '%s': %s\n", polFName, strerror(errno)); + goto cleanup; + } + + polMemCp = malloc(info.st_size); + +#ifdef USE_MMAP + polMem = mmap(NULL, info.st_size, PROT_READ, MAP_SHARED, polFd, 0); + if ( !polMem ) + { + fprintf(stderr, "Error occurred mapping policy file in memory: %s\n", + strerror(errno)); + ret = -1; + goto cleanup; + } + + xch = xc_interface_open(); + if ( xch < 0 ) + { + fprintf(stderr, "Unable to create interface to xenctrl: %s\n", + strerror(errno)); + ret = -1; + goto cleanup; + } + + memcpy(polMemCp, polMem, info.st_size); +#else + ret = read(polFd, polMemCp, info.st_size); + if ( ret < 0 ) + { + fprintf(stderr, "Unable to read new Flask policy file: %s\n", + strerror(errno)); + goto cleanup; + } + else + { + 
printf("Read %d bytes from policy file '%s'.\n", ret, polFName); + } +#endif + + ret = flask_load(xch, polMemCp, info.st_size); + if ( ret < 0 ) + { + errno = -ret; + fprintf(stderr, "Unable to load new Flask policy: %s\n", + strerror(errno)); + ret = -1; + goto cleanup; + } + else + { + printf("Successfully loaded policy.\n"); + } + +done: + if ( polMemCp ) + free(polMemCp); + if ( polMem ) + { + ret = munmap(polMem, info.st_size); + if ( ret < 0 ) + fprintf(stderr, "Unable to unmap policy memory: %s\n", strerror(errno)); + } + if ( polFd ) + close(polFd); + if ( xch ) + xc_interface_close(xch); + + return ret; + +cleanup: + goto done; +} diff --git a/tools/ioemu/Makefile.target b/tools/ioemu/Makefile.target index 6d11dea8e4..33773a4929 100644 --- a/tools/ioemu/Makefile.target +++ b/tools/ioemu/Makefile.target @@ -197,7 +197,6 @@ CPPFLAGS+=-D_GNU_SOURCE LIBS+=-lm LIBS+=-L../../libxc -lxenctrl -lxenguest LIBS+=-L../../xenstore -lxenstore -LIBS+=-lpthread ifndef CONFIG_USER_ONLY LIBS+=-lz endif diff --git a/tools/ioemu/hw/cirrus_vga.c b/tools/ioemu/hw/cirrus_vga.c index fb2f3ae556..cc73390716 100644 --- a/tools/ioemu/hw/cirrus_vga.c +++ b/tools/ioemu/hw/cirrus_vga.c @@ -2559,7 +2559,11 @@ static void *set_vram_mapping(unsigned long begin, unsigned long end) for (i = 0; i < nr_extents; i++) extent_start[i] = (begin + i * TARGET_PAGE_SIZE) >> TARGET_PAGE_BITS; - set_mm_mapping(xc_handle, domid, nr_extents, 0, extent_start); + if (set_mm_mapping(xc_handle, domid, nr_extents, 0, extent_start) < 0) { + fprintf(logfile, "Failed set_mm_mapping\n"); + free(extent_start); + return NULL; + } vram_pointer = xc_map_foreign_batch(xc_handle, domid, PROT_READ|PROT_WRITE, @@ -2567,6 +2571,7 @@ static void *set_vram_mapping(unsigned long begin, unsigned long end) if (vram_pointer == NULL) { fprintf(logfile, "xc_map_foreign_batch vgaram returned error %d\n", errno); + free(extent_start); return NULL; } 
diff --git a/tools/ioemu/hw/ide.c b/tools/ioemu/hw/ide.c index 3b138c76e4..f5e796171f 100644 --- a/tools/ioemu/hw/ide.c +++ b/tools/ioemu/hw/ide.c @@ -1876,6 +1876,9 @@ static void ide_ioport_write(void *opaque, uint32_t addr, uint32_t val) break; case 0xaa: /* read look-ahead enable */ case 0x55: /* read look-ahead disable */ + case 0x42: /* EN_AAM: enable Automatic Acoustic Mode */ + case 0xc2: /* DIS_AAM: disable Automatic Acoustic Mode */ + case 0x85: /* DIS_APM: disable APM */ s->status = READY_STAT | SEEK_STAT; ide_set_irq(s); break; @@ -1914,8 +1917,15 @@ static void ide_ioport_write(void *opaque, uint32_t addr, uint32_t val) s->status = READY_STAT; ide_set_irq(s); break; - case WIN_STANDBYNOW1: case WIN_IDLEIMMEDIATE: + case WIN_STANDBY: + case WIN_SETIDLE1: + case WIN_STANDBYNOW1: + case WIN_SLEEPNOW1: + case WIN_STANDBY2: + case WIN_SETIDLE2: + case WIN_STANDBYNOW2: + case WIN_SLEEPNOW2: s->status = READY_STAT; ide_set_irq(s); break; diff --git a/tools/ioemu/hw/tpm_tis.c b/tools/ioemu/hw/tpm_tis.c index 39309809ad..c40a33e677 100644 --- a/tools/ioemu/hw/tpm_tis.c +++ b/tools/ioemu/hw/tpm_tis.c @@ -154,16 +154,16 @@ static int has_channel_local_socket(tpmState *s); #define NUM_TRANSPORTS 1 struct vTPM_transmit { - int (*open) (tpmState *s, uint32_t vtpm_instance); - int (*write) (tpmState *s, const tpmBuffer *); - int (*read) (tpmState *s, tpmBuffer *); - int (*close) (tpmState *s, int); + int (*open_fn) (tpmState *s, uint32_t vtpm_instance); + int (*write_fn) (tpmState *s, const tpmBuffer *); + int (*read_fn) (tpmState *s, tpmBuffer *); + int (*close_fn) (tpmState *s, int); int (*has_channel) (tpmState *s); } vTPMTransmit[NUM_TRANSPORTS] = { - { .open = create_local_socket, - .write = write_local_socket, - .read = read_local_socket, - .close = close_local_socket, + { .open_fn = create_local_socket, + .write_fn = write_local_socket, + .read_fn = read_local_socket, + .close_fn = close_local_socket, .has_channel = has_channel_local_socket, } }; 
@@ -200,7 +200,7 @@ static void open_vtpm_channel(tpmState *s) int idx; /* search a usable transmit layer */ for (idx = 0; idx < NUM_TRANSPORTS; idx++) { - if (1 == vTPMTransmit[idx].open(s, s->vtpm_instance)) { + if (1 == vTPMTransmit[idx].open_fn(s, s->vtpm_instance)) { /* found one */ s->Transmitlayer = idx; break; @@ -213,7 +213,7 @@ static void open_vtpm_channel(tpmState *s) */ static inline void close_vtpm_channel(tpmState *s, int force) { - if (1 == vTPMTransmit[s->Transmitlayer].close(s, force)) { + if (1 == vTPMTransmit[s->Transmitlayer].close_fn(s, force)) { s->Transmitlayer = -1; } } @@ -974,7 +974,7 @@ static int TPM_Send(tpmState *s, tpmBuffer *buffer, uint8_t locty, char *msg) buffer->instance[0] &= 0x1f; buffer->instance[0] |= (locty << 5); - len = vTPMTransmit[s->Transmitlayer].write(s, buffer); + len = vTPMTransmit[s->Transmitlayer].write_fn(s, buffer); if (len < 0) { s->Transmitlayer = -1; } @@ -990,7 +990,7 @@ static int TPM_Receive(tpmState *s, tpmBuffer *buffer) { int off; - off = vTPMTransmit[s->Transmitlayer].read(s, buffer); + off = vTPMTransmit[s->Transmitlayer].read_fn(s, buffer); if (off < 0) { /* EAGAIN is set in errno due to non-blocking mode */ diff --git a/tools/ioemu/target-i386-dm/exec-dm.c b/tools/ioemu/target-i386-dm/exec-dm.c index 6a5eb5eaaa..b67c55414d 100644 --- a/tools/ioemu/target-i386-dm/exec-dm.c +++ b/tools/ioemu/target-i386-dm/exec-dm.c @@ -125,17 +125,10 @@ static int io_mem_nb = 1; FILE *logfile; int loglevel; -#ifdef MAPCACHE -pthread_mutex_t mapcache_mutex; -#endif - void cpu_exec_init(CPUState *env) { CPUState **penv; int cpu_index; -#ifdef MAPCACHE - pthread_mutexattr_t mxattr; -#endif env->next_cpu = NULL; penv = &first_cpu; 
@@ -149,14 +142,6 @@ void cpu_exec_init(CPUState *env) /* alloc dirty bits array */ phys_ram_dirty = qemu_malloc(phys_ram_size >> TARGET_PAGE_BITS); - -#ifdef MAPCACHE - /* setup memory access mutex to protect mapcache */ - pthread_mutexattr_init(&mxattr); - pthread_mutexattr_settype(&mxattr, PTHREAD_MUTEX_RECURSIVE); - pthread_mutex_init(&mapcache_mutex, &mxattr); - pthread_mutexattr_destroy(&mxattr); -#endif } /* enable or disable low levels log */ @@ -470,6 +455,12 @@ static void memcpy_words(void *dst, void *src, size_t n) #else static void memcpy_words(void *dst, void *src, size_t n) { + /* Some architectures do not like unaligned accesses. */ + if (((unsigned long)dst | (unsigned long)src) & 3) { + memcpy(dst, src, n); + return; + } + while (n >= sizeof(uint32_t)) { *((uint32_t *)dst) = *((uint32_t *)src); dst = ((uint32_t *)dst) + 1; diff --git a/tools/ioemu/vl.h b/tools/ioemu/vl.h index 80b88a50a4..dda595b480 100644 --- a/tools/ioemu/vl.h +++ b/tools/ioemu/vl.h @@ -160,26 +160,16 @@ extern FILE *logfile; #if defined(__i386__) || defined(__x86_64__) - #define MAPCACHE - uint8_t *qemu_map_cache(target_phys_addr_t phys_addr); void qemu_invalidate_map_cache(void); - -#include <pthread.h> -extern pthread_mutex_t mapcache_mutex; -#define mapcache_lock() pthread_mutex_lock(&mapcache_mutex) -#define mapcache_unlock() pthread_mutex_unlock(&mapcache_mutex) - #else - #define qemu_invalidate_map_cache() ((void)0) +#endif #define mapcache_lock() ((void)0) #define mapcache_unlock() ((void)0) -#endif - extern int xc_handle; extern int domid; diff --git a/tools/libxc/xc_acm.c b/tools/libxc/xc_acm.c index baa2002a19..b4d89d015f 100644 --- a/tools/libxc/xc_acm.c +++ b/tools/libxc/xc_acm.c 
@@ -81,7 +81,7 @@ int xc_acm_op(int xc_handle, int cmd, void *arg, unsigned long arg_size) acmctl.cmd = cmd; acmctl.interface_version = ACM_INTERFACE_VERSION; - hypercall.op = __HYPERVISOR_acm_op; + hypercall.op = __HYPERVISOR_xsm_op; hypercall.arg[0] = (unsigned long)&acmctl; if ( lock_pages(&acmctl, sizeof(acmctl)) != 0) { diff --git a/tools/libxc/xc_core.c b/tools/libxc/xc_core.c index 3c7afbe0ce..b404730800 100644 --- a/tools/libxc/xc_core.c +++ b/tools/libxc/xc_core.c @@ -17,8 +17,8 @@ * | .xen_prstatus | * | .xen_ia64_mmapped_regs if ia64 | * | .xen_shared_info if present | - * | .xen_p2m or .xen_pfn | * | .xen_pages | + * | .xen_p2m or .xen_pfn | * +--------------------------------------------------------+ * |.note.Xen:note section | * | "Xen" is used as note name, | @@ -37,13 +37,13 @@ * +--------------------------------------------------------+ * |.xen_shared_info if possible | * +--------------------------------------------------------+ + * |.xen_pages | + * | page * nr_pages | + * +--------------------------------------------------------+ * |.xen_p2m or .xen_pfn | * | .xen_p2m: struct xen_dumpcore_p2m[nr_pages] | * | .xen_pfn: uint64_t[nr_pages] | * +--------------------------------------------------------+ - * |.xen_pages | - * | page * nr_pages | - * +--------------------------------------------------------+ * |.shstrtab: section header string table | * +--------------------------------------------------------+ * @@ -58,21 +58,6 @@ /* number of pages to write at a time */ #define DUMP_INCREMENT (4 * 1024) -static int -copy_from_domain_page(int xc_handle, - uint32_t domid, - unsigned long mfn, - void *dst_page) -{ - void *vaddr = xc_map_foreign_range( - xc_handle, domid, PAGE_SIZE, PROT_READ, mfn); - if ( vaddr == NULL ) - return -1; - memcpy(dst_page, vaddr, PAGE_SIZE); - munmap(vaddr, PAGE_SIZE); - return 0; -} - /* string table */ struct xc_core_strtab { char *strings; 
@@ -231,6 +216,35 @@ xc_core_shdr_set(Elf64_Shdr *shdr, return 0; } +static void +xc_core_ehdr_init(Elf64_Ehdr *ehdr) +{ + memset(ehdr, 0, sizeof(*ehdr)); + ehdr->e_ident[EI_MAG0] = ELFMAG0; + ehdr->e_ident[EI_MAG1] = ELFMAG1; + ehdr->e_ident[EI_MAG2] = ELFMAG2; + ehdr->e_ident[EI_MAG3] = ELFMAG3; + ehdr->e_ident[EI_CLASS] = ELFCLASS64; + ehdr->e_ident[EI_DATA] = ELF_ARCH_DATA; + ehdr->e_ident[EI_VERSION] = EV_CURRENT; + ehdr->e_ident[EI_OSABI] = ELFOSABI_SYSV; + ehdr->e_ident[EI_ABIVERSION] = EV_CURRENT; + + ehdr->e_type = ET_CORE; + ehdr->e_machine = ELF_ARCH_MACHINE; + ehdr->e_version = EV_CURRENT; + ehdr->e_entry = 0; + ehdr->e_phoff = 0; + ehdr->e_shoff = sizeof(*ehdr); + ehdr->e_flags = ELF_CORE_EFLAGS; + ehdr->e_ehsize = sizeof(*ehdr); + ehdr->e_phentsize = sizeof(Elf64_Phdr); + ehdr->e_phnum = 0; + ehdr->e_shentsize = sizeof(Elf64_Shdr); + /* ehdr->e_shnum and ehdr->e_shstrndx aren't known here yet. + * fill it later */ +} + static int elfnote_fill_xen_version(int xc_handle, struct xen_dumpcore_elfnote_xen_version_desc 
@@ -277,12 +291,100 @@ elfnote_fill_xen_version(int xc_handle, return 0; } -static int +static void elfnote_fill_format_version(struct xen_dumpcore_elfnote_format_version_desc *format_version) { format_version->version = XEN_DUMPCORE_FORMAT_VERSION_CURRENT; - return 0; +} + +static void +elfnote_init(struct elfnote *elfnote) +{ + /* elf note section */ + memset(elfnote, 0, sizeof(*elfnote)); + elfnote->namesz = strlen(XEN_DUMPCORE_ELFNOTE_NAME) + 1; + strncpy(elfnote->name, XEN_DUMPCORE_ELFNOTE_NAME, sizeof(elfnote->name)); +} + +static int +elfnote_dump_none(void *args, dumpcore_rtn_t dump_rtn) +{ + int sts; + struct elfnote elfnote; + struct xen_dumpcore_elfnote_none_desc none; + + elfnote_init(&elfnote); + memset(&none, 0, sizeof(none)); + + elfnote.descsz = sizeof(none); + elfnote.type = XEN_ELFNOTE_DUMPCORE_NONE; + sts = dump_rtn(args, (char*)&elfnote, sizeof(elfnote)); + if ( sts != 0 ) + return sts; + return dump_rtn(args, (char*)&none, sizeof(none)); +} + +static int +elfnote_dump_core_header( + void *args, dumpcore_rtn_t dump_rtn, const xc_dominfo_t *info, + int nr_vcpus, unsigned long nr_pages) +{ + int sts; + struct elfnote elfnote; + struct xen_dumpcore_elfnote_header_desc header; + + elfnote_init(&elfnote); + memset(&header, 0, sizeof(header)); + + elfnote.descsz = sizeof(header); + elfnote.type = XEN_ELFNOTE_DUMPCORE_HEADER; + header.xch_magic = info->hvm ? 
XC_CORE_MAGIC_HVM : XC_CORE_MAGIC; + header.xch_nr_vcpus = nr_vcpus; + header.xch_nr_pages = nr_pages; + header.xch_page_size = PAGE_SIZE; + sts = dump_rtn(args, (char*)&elfnote, sizeof(elfnote)); + if ( sts != 0 ) + return sts; + return dump_rtn(args, (char*)&header, sizeof(header)); +} + +static int +elfnote_dump_xen_version(void *args, dumpcore_rtn_t dump_rtn, int xc_handle) +{ + int sts; + struct elfnote elfnote; + struct xen_dumpcore_elfnote_xen_version_desc xen_version; + + elfnote_init(&elfnote); + memset(&xen_version, 0, sizeof(xen_version)); + + elfnote.descsz = sizeof(xen_version); + elfnote.type = XEN_ELFNOTE_DUMPCORE_XEN_VERSION; + elfnote_fill_xen_version(xc_handle, &xen_version); + sts = dump_rtn(args, (char*)&elfnote, sizeof(elfnote)); + if ( sts != 0 ) + return sts; + return dump_rtn(args, (char*)&xen_version, sizeof(xen_version)); +} + +static int +elfnote_dump_format_version(void *args, dumpcore_rtn_t dump_rtn) +{ + int sts; + struct elfnote elfnote; + struct xen_dumpcore_elfnote_format_version_desc format_version; + + elfnote_init(&elfnote); + memset(&format_version, 0, sizeof(format_version)); + + elfnote.descsz = sizeof(format_version); + elfnote.type = XEN_ELFNOTE_DUMPCORE_FORMAT_VERSION; + elfnote_fill_format_version(&format_version); + sts = dump_rtn(args, (char*)&elfnote, sizeof(elfnote)); + if ( sts != 0 ) + return sts; + return dump_rtn(args, (char*)&format_version, sizeof(format_version)); } int @@ -327,13 +429,6 @@ xc_domain_dumpcore_via_callback(int xc_handle, struct xc_core_section_headers *sheaders = NULL; Elf64_Shdr *shdr; - /* elf notes */ - struct elfnote elfnote; - struct xen_dumpcore_elfnote_none_desc none; - struct xen_dumpcore_elfnote_header_desc header; - struct xen_dumpcore_elfnote_xen_version_desc xen_version; - struct xen_dumpcore_elfnote_format_version_desc format_version; - xc_core_arch_context_init(&arch_ctxt); if ( (dump_mem_start = malloc(DUMP_INCREMENT*PAGE_SIZE)) == NULL ) { 
@@ -379,8 +474,9 @@ xc_domain_dumpcore_via_callback(int xc_handle, } /* obtain memory map */ - sts = xc_core_arch_memory_map_get(xc_handle, &info, live_shinfo, - &memory_map, &nr_memory_map); + sts = xc_core_arch_memory_map_get(xc_handle, &arch_ctxt, &info, + live_shinfo, &memory_map, + &nr_memory_map); if ( sts != 0 ) goto out; 
@@ -410,70 +506,8 @@ xc_domain_dumpcore_via_callback(int xc_handle, } } - /* create .xen_p2m or .xen_pfn */ - j = 0; - for ( map_idx = 0; map_idx < nr_memory_map; map_idx++ ) - { - uint64_t pfn_start; - uint64_t pfn_end; - - pfn_start = memory_map[map_idx].addr >> PAGE_SHIFT; - pfn_end = pfn_start + (memory_map[map_idx].size >> PAGE_SHIFT); - for ( i = pfn_start; i < pfn_end; i++ ) - { - if ( !auto_translated_physmap ) - { - if ( p2m[i] == INVALID_P2M_ENTRY ) - continue; - p2m_array[j].pfn = i; - p2m_array[j].gmfn = p2m[i]; - } - else - { - /* try to map page to determin wheter it has underlying page */ - void *vaddr = xc_map_foreign_range(xc_handle, domid, - PAGE_SIZE, PROT_READ, i); - if ( vaddr == NULL ) - continue; - munmap(vaddr, PAGE_SIZE); - pfn_array[j] = i; - } - - j++; - } - } - if ( j != nr_pages ) - { - PERROR("j (%ld) != nr_pages (%ld)", j , nr_pages); - /* When live dump-mode (-L option) is specified, - * guest domain may change its mapping. - */ - nr_pages = j; - } - - memset(&ehdr, 0, sizeof(ehdr)); - ehdr.e_ident[EI_MAG0] = ELFMAG0; - ehdr.e_ident[EI_MAG1] = ELFMAG1; - ehdr.e_ident[EI_MAG2] = ELFMAG2; - ehdr.e_ident[EI_MAG3] = ELFMAG3; - ehdr.e_ident[EI_CLASS] = ELFCLASS64; - ehdr.e_ident[EI_DATA] = ELF_ARCH_DATA; - ehdr.e_ident[EI_VERSION] = EV_CURRENT; - ehdr.e_ident[EI_OSABI] = ELFOSABI_SYSV; - ehdr.e_ident[EI_ABIVERSION] = EV_CURRENT; - - ehdr.e_type = ET_CORE; - ehdr.e_machine = ELF_ARCH_MACHINE; - ehdr.e_version = EV_CURRENT; - ehdr.e_entry = 0; - ehdr.e_phoff = 0; - ehdr.e_shoff = sizeof(ehdr); - ehdr.e_flags = ELF_CORE_EFLAGS; - ehdr.e_ehsize = sizeof(ehdr); - ehdr.e_phentsize = sizeof(Elf64_Phdr); - ehdr.e_phnum = 0; - ehdr.e_shentsize = sizeof(Elf64_Shdr); /* ehdr.e_shnum and ehdr.e_shstrndx aren't known here yet. fill it later*/ + xc_core_ehdr_init(&ehdr); /* create section header */ strtab = xc_core_strtab_init(); 
@@ -549,7 +583,7 @@ xc_domain_dumpcore_via_callback(int xc_handle, /* arch context */ sts = xc_core_arch_context_get_shdr(&arch_ctxt, sheaders, strtab, &filesz, offset); - if ( sts != 0) + if ( sts != 0 ) goto out; offset += filesz; @@ -571,6 +605,33 @@ xc_domain_dumpcore_via_callback(int xc_handle, offset += filesz; } + /* + * pages and p2m/pfn are the last section to allocate section headers + * so that we know the number of section headers here. + * 2 = pages section and p2m/pfn table section + */ + fixup = (sheaders->num + 2) * sizeof(*shdr); + /* zeroth section should have zero offset */ + for ( i = 1; i < sheaders->num; i++ ) + sheaders->shdrs[i].sh_offset += fixup; + offset += fixup; + dummy_len = ROUNDUP(offset, PAGE_SHIFT) - offset; /* padding length */ + offset += dummy_len; + + /* pages */ + shdr = xc_core_shdr_get(sheaders); + if ( shdr == NULL ) + { + PERROR("could not get section headers for .xen_pages"); + goto out; + } + filesz = nr_pages * PAGE_SIZE; + sts = xc_core_shdr_set(shdr, strtab, XEN_DUMPCORE_SEC_PAGES, SHT_PROGBITS, + offset, filesz, PAGE_SIZE, PAGE_SIZE); + if ( sts != 0 ) + goto out; + offset += filesz; + /* p2m/pfn table */ shdr = xc_core_shdr_get(sheaders); if ( shdr == NULL ) @@ -585,8 +646,6 @@ xc_domain_dumpcore_via_callback(int xc_handle, SHT_PROGBITS, offset, filesz, __alignof__(p2m_array[0]), sizeof(p2m_array[0])); - if ( sts != 0 ) - goto out; } else { 
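Review bot: The `+ 2` in `fixup = (sheaders->num + 2) * sizeof(*shdr);` encodes that exactly two more section headers (.xen_pages and .xen_p2m/.xen_pfn) will be taken after this point; the comment explains it, but nothing checks it, so a later section added below silently shifts every `sh_offset` and produces a core whose sections point at the wrong bytes. Name the constant and verify it once the two `xc_core_shdr_get` calls are done, e.g. `#define XC_CORE_NR_TRAILING_SHDRS 2` for the fixup and `assert(sheaders->num == nr_shdrs_before + XC_CORE_NR_TRAILING_SHDRS);` (or an `if`/`goto out` with a `PERROR`) after the p2m/pfn header is allocated. The enclosing function continues outside the hunk.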
@@ -595,34 +654,7 @@ xc_domain_dumpcore_via_callback(int xc_handle, SHT_PROGBITS, offset, filesz, __alignof__(pfn_array[0]), sizeof(pfn_array[0])); - if ( sts != 0 ) - goto out; } - offset += filesz; - - /* pages */ - shdr = xc_core_shdr_get(sheaders); - if ( shdr == NULL ) - { - PERROR("could not get section headers for .xen_pages"); - goto out; - } - - /* - * pages are the last section to allocate section headers - * so that we know the number of section headers here. - */ - fixup = sheaders->num * sizeof(*shdr); - /* zeroth section should have zero offset */ - for ( i = 1; i < sheaders->num; i++ ) - sheaders->shdrs[i].sh_offset += fixup; - offset += fixup; - dummy_len = ROUNDUP(offset, PAGE_SHIFT) - offset; /* padding length */ - offset += dummy_len; - - filesz = nr_pages * PAGE_SIZE; - sts = xc_core_shdr_set(shdr, strtab, XEN_DUMPCORE_SEC_PAGES, SHT_PROGBITS, - offset, filesz, PAGE_SIZE, PAGE_SIZE); if ( sts != 0 ) goto out; offset += filesz; 
@@ -645,54 +677,23 @@ xc_domain_dumpcore_via_callback(int xc_handle, if ( sts != 0 ) goto out; - /* elf note section */ - memset(&elfnote, 0, sizeof(elfnote)); - elfnote.namesz = strlen(XEN_DUMPCORE_ELFNOTE_NAME) + 1; - strncpy(elfnote.name, XEN_DUMPCORE_ELFNOTE_NAME, sizeof(elfnote.name)); - - /* elf note section:xen core header */ - elfnote.descsz = sizeof(none); - elfnote.type = XEN_ELFNOTE_DUMPCORE_NONE; - sts = dump_rtn(args, (char*)&elfnote, sizeof(elfnote)); - if ( sts != 0 ) - goto out; - sts = dump_rtn(args, (char*)&none, sizeof(none)); + /* elf note section: xen core header */ + sts = elfnote_dump_none(args, dump_rtn); if ( sts != 0 ) goto out; - /* elf note section:xen core header */ - elfnote.descsz = sizeof(header); - elfnote.type = XEN_ELFNOTE_DUMPCORE_HEADER; - header.xch_magic = info.hvm ? XC_CORE_MAGIC_HVM : XC_CORE_MAGIC; - header.xch_nr_vcpus = nr_vcpus; - header.xch_nr_pages = nr_pages; - header.xch_page_size = PAGE_SIZE; - sts = dump_rtn(args, (char*)&elfnote, sizeof(elfnote)); - if ( sts != 0 ) - goto out; - sts = dump_rtn(args, (char*)&header, sizeof(header)); + /* elf note section: xen core header */ + sts = elfnote_dump_core_header(args, dump_rtn, &info, nr_vcpus, nr_pages); if ( sts != 0 ) goto out; /* elf note section: xen version */ - elfnote.descsz = sizeof(xen_version); - elfnote.type = XEN_ELFNOTE_DUMPCORE_XEN_VERSION; - elfnote_fill_xen_version(xc_handle, &xen_version); - sts = dump_rtn(args, (char*)&elfnote, sizeof(elfnote)); - if ( sts != 0 ) - goto out; - sts = dump_rtn(args, (char*)&xen_version, sizeof(xen_version)); + sts = elfnote_dump_xen_version(args, dump_rtn, xc_handle); if ( sts != 0 ) goto out; /* elf note section: format version */ - elfnote.descsz = sizeof(format_version); - elfnote.type = XEN_ELFNOTE_DUMPCORE_FORMAT_VERSION; - elfnote_fill_format_version(&format_version); - sts = dump_rtn(args, (char*)&elfnote, sizeof(elfnote)); - if ( sts != 0 ) - goto out; - sts = dump_rtn(args, (char*)&format_version, 
sizeof(format_version)); + sts = elfnote_dump_format_version(args, dump_rtn); if ( sts != 0 ) goto out; @@ -714,16 +715,6 @@ xc_domain_dumpcore_via_callback(int xc_handle, if ( sts != 0 ) goto out; - /* p2m/pfn table: .xen_p2m/.xen_pfn */ - if ( !auto_translated_physmap ) - sts = dump_rtn(args, (char *)p2m_array, - sizeof(p2m_array[0]) * nr_pages); - else - sts = dump_rtn(args, (char *)pfn_array, - sizeof(pfn_array[0]) * nr_pages); - if ( sts != 0 ) - goto out; - /* Pad the output data to page alignment. */ memset(dummy, 0, PAGE_SIZE); sts = dump_rtn(args, dummy, dummy_len); 
@@ -731,25 +722,103 @@ xc_domain_dumpcore_via_callback(int xc_handle, goto out; /* dump pages: .xen_pages */ - for ( dump_mem = dump_mem_start, i = 0; i < nr_pages; i++ ) + j = 0; + dump_mem = dump_mem_start; + for ( map_idx = 0; map_idx < nr_memory_map; map_idx++ ) { - uint64_t gmfn; - if ( !auto_translated_physmap ) - gmfn = p2m_array[i].gmfn; - else - gmfn = pfn_array[i]; - - copy_from_domain_page(xc_handle, domid, gmfn, dump_mem); - dump_mem += PAGE_SIZE; - if ( ((i + 1) % DUMP_INCREMENT == 0) || ((i + 1) == nr_pages) ) + uint64_t pfn_start; + uint64_t pfn_end; + + pfn_start = memory_map[map_idx].addr >> PAGE_SHIFT; + pfn_end = pfn_start + (memory_map[map_idx].size >> PAGE_SHIFT); + for ( i = pfn_start; i < pfn_end; i++ ) { - sts = dump_rtn(args, dump_mem_start, dump_mem - dump_mem_start); + uint64_t gmfn; + void *vaddr; + + if ( j >= nr_pages ) + { + /* + * When live dump-mode (-L option) is specified, + * guest domain may increase memory. + */ + IPRINTF("exceeded nr_pages (%ld) losing pages", nr_pages); + goto copy_done; + } + + if ( !auto_translated_physmap ) + { + gmfn = p2m[i]; + if ( gmfn == INVALID_P2M_ENTRY ) + continue; + + p2m_array[j].pfn = i; + p2m_array[j].gmfn = gmfn; + } + else + { + if ( !xc_core_arch_gpfn_may_present(&arch_ctxt, i) ) + continue; + + gmfn = i; + pfn_array[j] = i; + } + + vaddr = xc_map_foreign_range( + xc_handle, domid, PAGE_SIZE, PROT_READ, gmfn); + if ( vaddr == NULL ) + continue; + memcpy(dump_mem, vaddr, PAGE_SIZE); + munmap(vaddr, PAGE_SIZE); + dump_mem += PAGE_SIZE; + if ( (j + 1) % DUMP_INCREMENT == 0 ) + { + sts = dump_rtn( + args, dump_mem_start, dump_mem - dump_mem_start); + if ( sts != 0 ) + goto out; + dump_mem = dump_mem_start; + } + + j++; + } + } + +copy_done: + sts = dump_rtn(args, dump_mem_start, dump_mem - dump_mem_start); + if ( sts != 0 ) + goto out; + if ( j < nr_pages ) + { + /* When live dump-mode (-L option) is specified, + * guest domain may reduce memory. pad with zero pages. 
+ */ + IPRINTF("j (%ld) != nr_pages (%ld)", j , nr_pages); + memset(dump_mem_start, 0, PAGE_SIZE); + for (; j < nr_pages; j++) { + sts = dump_rtn(args, dump_mem_start, PAGE_SIZE); if ( sts != 0 ) goto out; - dump_mem = dump_mem_start; + if ( !auto_translated_physmap ) + { + p2m_array[j].pfn = XC_CORE_INVALID_PFN; + p2m_array[j].gmfn = XC_CORE_INVALID_GMFN; + } + else + pfn_array[j] = XC_CORE_INVALID_PFN; } } + /* p2m/pfn table: .xen_p2m/.xen_pfn */ + if ( !auto_translated_physmap ) + sts = dump_rtn( + args, (char *)p2m_array, sizeof(p2m_array[0]) * nr_pages); + else + sts = dump_rtn( + args, (char *)pfn_array, sizeof(pfn_array[0]) * nr_pages); + if ( sts != 0 ) + goto out; + /* elf section header string table: .shstrtab */ sts = dump_rtn(args, strtab->strings, strtab->current); if ( sts != 0 ) @@ -758,6 +827,8 @@ xc_domain_dumpcore_via_callback(int xc_handle, sts = 0; out: + if ( memory_map != NULL ) + free(memory_map); if ( p2m != NULL ) munmap(p2m, PAGE_SIZE * P2M_FL_ENTRIES); if ( p2m_array != NULL ) diff --git a/tools/libxc/xc_core.h b/tools/libxc/xc_core.h index 90d333a05a..c15729e5af 100644 --- a/tools/libxc/xc_core.h +++ b/tools/libxc/xc_core.h @@ -107,6 +107,8 @@ struct xen_dumpcore_elfnote_format_version { struct xen_dumpcore_elfnote_format_version_desc format_version; }; +#define XC_CORE_INVALID_PFN (~(uint64_t)0) +#define XC_CORE_INVALID_GMFN (~(uint64_t)0) struct xen_dumpcore_p2m { uint64_t pfn; uint64_t gmfn; 
@@ -131,8 +133,10 @@ struct xc_core_memory_map { }; typedef struct xc_core_memory_map xc_core_memory_map_t; int xc_core_arch_auto_translated_physmap(const xc_dominfo_t *info); -int xc_core_arch_memory_map_get(int xc_handle, xc_dominfo_t *info, - shared_info_t *live_shinfo, +struct xc_core_arch_context; +int xc_core_arch_memory_map_get(int xc_handle, + struct xc_core_arch_context *arch_ctxt, + xc_dominfo_t *info, shared_info_t *live_shinfo, xc_core_memory_map_t **mapp, unsigned int *nr_entries); int xc_core_arch_map_p2m(int xc_handle, xc_dominfo_t *info, diff --git a/tools/libxc/xc_core_ia64.c b/tools/libxc/xc_core_ia64.c index 89c1053886..e092d6f69f 100644 --- a/tools/libxc/xc_core_ia64.c +++ b/tools/libxc/xc_core_ia64.c @@ -158,8 +158,8 @@ memory_map_get_old(int xc_handle, xc_dominfo_t *info, } int -xc_core_arch_memory_map_get(int xc_handle, xc_dominfo_t *info, - shared_info_t *live_shinfo, +xc_core_arch_memory_map_get(int xc_handle, struct xc_core_arch_context *unused, + xc_dominfo_t *info, shared_info_t *live_shinfo, xc_core_memory_map_t **mapp, unsigned int *nr_entries) { diff --git a/tools/libxc/xc_core_ia64.h b/tools/libxc/xc_core_ia64.h index 6357dfa20e..03cd8e0182 100644 --- a/tools/libxc/xc_core_ia64.h +++ b/tools/libxc/xc_core_ia64.h @@ -46,6 +46,7 @@ xc_core_arch_context_get_shdr(struct xc_core_arch_context* arch_ctxt, int xc_core_arch_context_dump(struct xc_core_arch_context* arch_ctxt, void* args, dumpcore_rtn_t dump_rtn); +#define xc_core_arch_gpfn_may_present(arch_ctxt, i) (1) #endif /* XC_CORE_IA64_H */ diff --git a/tools/libxc/xc_core_powerpc.c b/tools/libxc/xc_core_powerpc.c index a29fdb83b3..dd8f26b371 100644 --- a/tools/libxc/xc_core_powerpc.c +++ b/tools/libxc/xc_core_powerpc.c 
@@ -43,8 +43,8 @@ xc_core_arch_map_p2m(int xc_handle, xc_dominfo_t *info, } int -xc_core_arch_memory_map_get(int xc_handle, xc_dominfo_t *info, - shared_info_t *live_shinfo, +xc_core_arch_memory_map_get(int xc_handle, struct xc_core_arch_context *unused, + xc_dominfo_t *info, shared_info_t *live_shinfo, xc_core_memory_map_t **mapp, unsigned int *nr_entries) { diff --git a/tools/libxc/xc_core_powerpc.h b/tools/libxc/xc_core_powerpc.h index ce8aaf17c5..2f39413c4d 100644 --- a/tools/libxc/xc_core_powerpc.h +++ b/tools/libxc/xc_core_powerpc.h @@ -33,6 +33,7 @@ struct xc_core_arch_context { #define xc_core_arch_context_get(arch_ctxt, ctxt, xc_handle, domid) \ (0) #define xc_core_arch_context_dump(arch_ctxt, args, dump_rtn) (0) +#define xc_core_arch_gpfn_may_present(arch_ctxt, i) (1) static inline int xc_core_arch_context_get_shdr(struct xc_core_arch_context *arch_ctxt, diff --git a/tools/libxc/xc_core_x86.c b/tools/libxc/xc_core_x86.c index 3932f8e96b..4aa825b87d 100644 --- a/tools/libxc/xc_core_x86.c +++ b/tools/libxc/xc_core_x86.c @@ -33,8 +33,8 @@ xc_core_arch_auto_translated_physmap(const xc_dominfo_t *info) } int -xc_core_arch_memory_map_get(int xc_handle, xc_dominfo_t *info, - shared_info_t *live_shinfo, +xc_core_arch_memory_map_get(int xc_handle, struct xc_core_arch_context *unused, + xc_dominfo_t *info, shared_info_t *live_shinfo, xc_core_memory_map_t **mapp, unsigned int *nr_entries) { diff --git a/tools/libxc/xc_core_x86.h b/tools/libxc/xc_core_x86.h index 53ca48493d..6e3490bb27 100644 --- a/tools/libxc/xc_core_x86.h +++ b/tools/libxc/xc_core_x86.h @@ -40,6 +40,7 @@ struct xc_core_arch_context { #define xc_core_arch_context_get(arch_ctxt, ctxt, xc_handle, domid) \ (0) #define xc_core_arch_context_dump(arch_ctxt, args, dump_rtn) (0) +#define xc_core_arch_gpfn_may_present(arch_ctxt, i) (1) static inline int xc_core_arch_context_get_shdr(struct xc_core_arch_context *arch_ctxt, 
diff --git a/tools/libxc/xc_domain.c b/tools/libxc/xc_domain.c
index 4c02079b6d..fdb87f0bd1 100644
--- a/tools/libxc/xc_domain.c
+++ b/tools/libxc/xc_domain.c
@@ -55,10 +55,14 @@ int xc_domain_unpause(int xc_handle,
int xc_domain_destroy(int xc_handle,
uint32_t domid)
{
+ int ret;
DECLARE_DOMCTL;
domctl.cmd = XEN_DOMCTL_destroydomain;
domctl.domain = (domid_t)domid;
- return do_domctl(xc_handle, &domctl);
+ do {
+ ret = do_domctl(xc_handle, &domctl);
+ } while ( ret && (errno == EAGAIN) );
+ return ret;
}
int xc_domain_shutdown(int xc_handle,
diff --git a/tools/libxc/xenctrl.h b/tools/libxc/xenctrl.h
index 73ff16c2cf..591e6c25a3 100644
--- a/tools/libxc/xenctrl.h
+++ b/tools/libxc/xenctrl.h
@@ -26,8 +26,8 @@
#include <xen/event_channel.h>
#include <xen/sched.h>
#include <xen/memory.h>
-#include <xen/acm.h>
-#include <xen/acm_ops.h>
+#include <xen/xsm/acm.h>
+#include <xen/xsm/acm_ops.h>
#ifdef __ia64__
#define XC_PAGE_SHIFT 14
diff --git a/tools/misc/xenperf.c b/tools/misc/xenperf.c
index d970204242..06a495181d 100644
--- a/tools/misc/xenperf.c
+++ b/tools/misc/xenperf.c
@@ -46,7 +46,7 @@ const char *hypercall_name_table[64] =
X(vcpu_op),
X(set_segment_base),
X(mmuext_op),
- X(acm_op),
+ X(xsm_op),
X(nmi_op),
X(sched_op),
X(callback_op),
diff --git a/tools/python/Makefile b/tools/python/Makefile
index c4eda62b42..880a19c9ff 100644
--- a/tools/python/Makefile
+++ b/tools/python/Makefile
@@ -1,6 +1,14 @@
XEN_ROOT = ../..
include $(XEN_ROOT)/tools/Rules.mk
+XEN_SECURITY_MODULE = dummy
+ifeq ($(FLASK_ENABLE),y)
+XEN_SECURITY_MODULE = flask
+endif
+ifeq ($(ACM_SECURITY),y)
+XEN_SECURITY_MODULE = acm
+endif
+
.PHONY: all
all: build
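Review bot: The new `do { ... } while ( ret && (errno == EAGAIN) );` in `xc_domain_destroy` retries with no bound and no pause, so a hypervisor that keeps answering EAGAIN (or a stale `errno` left by something `do_domctl` calls) pins the toolstack at 100% CPU in a loop no caller can interrupt. EAGAIN is presumably a continuation hint for a long teardown, so retrying is right, but cap it or back off: `} while ( ret && (errno == EAGAIN) && ++tries < DESTROY_MAX_TRIES );` with `int tries = 0;`, so a persistent failure surfaces to the caller as an error instead of a hang. A one-line comment above the loop explaining why EAGAIN is retried would spare the next reader the same question.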
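Review bot: With both `FLASK_ENABLE=y` and `ACM_SECURITY=y` set, the second `ifeq` silently wins and `XEN_SECURITY_MODULE` ends up as `acm`, so a tree configured for FLASK is built against a different access-control backend with no diagnostic at all. Make the conflict an error rather than an accident of ordering: `ifeq ($(FLASK_ENABLE)$(ACM_SECURITY),yy)` / `$(error FLASK_ENABLE and ACM_SECURITY are mutually exclusive)` / `endif` before the selection. A short comment that exactly one security module may be selected would document the contract these toggles now carry.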
@@ -15,8 +23,8 @@ CATALOGS = $(patsubst %,xen/xm/messages/%.mo,$(LINGUAS)) NLSDIR = /usr/share/locale .PHONY: build buildpy -buildpy: - CC="$(CC)" CFLAGS="$(CFLAGS)" python setup.py build +buildpy: xsm.py + CC="$(CC)" CFLAGS="$(CFLAGS)" XEN_SECURITY_MODULE="$(XEN_SECURITY_MODULE)" python setup.py build build: buildpy refresh-pot refresh-po $(CATALOGS) @@ -53,6 +61,18 @@ refresh-po: $(POTFILE) %.mo: %.po $(MSGFMT) -c -o $@ $< +xsm.py: + @(set -e; \ + echo "XEN_SECURITY_MODULE = \""$(XEN_SECURITY_MODULE)"\""; \ + echo "from xsm_core import *"; \ + echo ""; \ + echo "import xen.util.xsm."$(XEN_SECURITY_MODULE)"."$(XEN_SECURITY_MODULE)" as xsm_module"; \ + echo ""; \ + echo "xsm_init(xsm_module)"; \ + echo "from xen.util.xsm."$(XEN_SECURITY_MODULE)"."$(XEN_SECURITY_MODULE)" import *"; \ + echo "del xsm_module"; \ + echo "") >xen/util/xsm/$@ + .PHONY: install ifndef XEN_PYTHON_NATIVE_INSTALL install: LIBPATH=$(shell PYTHONPATH=xen/util python -c "import auxbin; print auxbin.libpath()") @@ -84,4 +104,4 @@ test: .PHONY: clean clean: - rm -rf build *.pyc *.pyo *.o *.a *~ $(CATALOGS) + rm -rf build *.pyc *.pyo *.o *.a *~ $(CATALOGS) xen/util/xsm/xsm.py diff --git a/tools/python/setup.py b/tools/python/setup.py index 11ef487203..25c87c3b91 100644 --- a/tools/python/setup.py +++ b/tools/python/setup.py @@ -44,6 +44,14 @@ acm = Extension("acm", libraries = libraries, sources = [ "xen/lowlevel/acm/acm.c" ]) +flask = Extension("flask", + extra_compile_args = extra_compile_args, + include_dirs = include_dirs + [ "xen/lowlevel/flask" ] + + [ "../flask/libflask/include" ], + library_dirs = library_dirs + [ "../flask/libflask" ], + libraries = libraries + [ "flask" ], + sources = [ "xen/lowlevel/flask/flask.c" ]) + ptsname = Extension("ptsname", extra_compile_args = extra_compile_args, include_dirs = include_dirs + [ "ptsname" ], 
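Review bot: The `xsm.py` rule writes its output to `xen/util/xsm/xsm.py` while its target is the bare name `xsm.py`, so make never finds the product and re-runs the recipe on every build; that is what keeps the generated module in step with `FLASK_ENABLE`/`ACM_SECURITY`, but only by accident, and a stray `tools/python/xsm.py` would freeze whichever security module was first selected. State the intent with `.PHONY: xsm.py` next to the rule (or name the real path as the target with `Makefile` as a prerequisite). The generated module also does `from xsm_core import *` and a second star import of the backend, so a backend that defines `xsm_init` would shadow the core one; a comment above the recipe describing the generated file's layout would help whoever next edits it.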
@@ -51,7 +59,7 @@ ptsname = Extension("ptsname", libraries = libraries, sources = [ "ptsname/ptsname.c" ]) -modules = [ xc, xs, acm, ptsname ] +modules = [ xc, xs, ptsname, acm, flask ] if os.uname()[0] == 'SunOS': modules.append(scf) @@ -61,6 +69,10 @@ setup(name = 'xen', packages = ['xen', 'xen.lowlevel', 'xen.util', + 'xen.util.xsm', + 'xen.util.xsm.dummy', + 'xen.util.xsm.flask', + 'xen.util.xsm.acm', 'xen.xend', 'xen.xend.server', 'xen.xend.xenstore', diff --git a/tools/python/xen/lowlevel/acm/acm.c b/tools/python/xen/lowlevel/acm/acm.c index 9b59ea48ed..0a37ba3d92 100644 --- a/tools/python/xen/lowlevel/acm/acm.c +++ b/tools/python/xen/lowlevel/acm/acm.c @@ -18,6 +18,7 @@ * * indent -i4 -kr -nut */ + #include <Python.h> #include <stdio.h> @@ -27,8 +28,8 @@ #include <stdlib.h> #include <sys/ioctl.h> #include <netinet/in.h> -#include <xen/acm.h> -#include <xen/acm_ops.h> +#include <xen/xsm/acm.h> +#include <xen/xsm/acm_ops.h> #include <xenctrl.h> diff --git a/tools/python/xen/lowlevel/flask/flask.c b/tools/python/xen/lowlevel/flask/flask.c new file mode 100644 index 0000000000..d07bc70908 --- /dev/null +++ b/tools/python/xen/lowlevel/flask/flask.c 
@@ -0,0 +1,139 @@
+/******************************************************************************
+ * flask.c
+ *
+ * Authors: George Coker, <gscoker@alpha.ncsc.mil>
+ * Michael LeMay, <mdlemay@epoch.ncsc.mil>
+ *
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2,
+ * as published by the Free Software Foundation.
+ */
+
+#include <Python.h>
+#include <xenctrl.h>
+
+#include <flask_op.h>
+
+#define PKG "xen.lowlevel.flask"
+#define CLS "flask"
+
+#define CTX_LEN 1024
+
+static PyObject *xc_error_obj;
+
+typedef struct {
+ PyObject_HEAD;
+ int xc_handle;
+} XcObject;
+
+static PyObject *pyflask_context_to_sid(PyObject *self, PyObject *args,
+ PyObject *kwds)
+{
+ int xc_handle;
+ char *ctx;
+ char *buf;
+ uint32_t len;
+ uint32_t sid;
+ int ret;
+
+ static char *kwd_list[] = { "context", NULL };
+
+ if ( !PyArg_ParseTupleAndKeywords(args, kwds, "s", kwd_list,
+ &ctx) )
+ return NULL;
+
+ len = strlen(ctx);
+
+ buf = malloc(len);
+ if (!buf) {
+ errno = -ENOMEM;
+ PyErr_SetFromErrno(xc_error_obj);
+ }
+
+ memcpy(buf, ctx, len);
+
+ xc_handle = xc_interface_open();
+ if (xc_handle < 0) {
+ errno = xc_handle;
+ return PyErr_SetFromErrno(xc_error_obj);
+ }
+
+ ret = flask_context_to_sid(xc_handle, buf, len, &sid);
+
+ xc_interface_close(xc_handle);
+
+ free(buf);
+
+ if ( ret != 0 ) {
+ errno = -ret;
+ return PyErr_SetFromErrno(xc_error_obj);
+ }
+
+ return PyInt_FromLong(sid);
+}
+
+static PyObject *pyflask_sid_to_context(PyObject *self, PyObject *args,
+ PyObject *kwds)
+{
+ int xc_handle;
+ uint32_t sid;
+ char ctx[CTX_LEN];
+ uint32_t ctx_len = CTX_LEN;
+ int ret;
+
+ static char *kwd_list[] = { "sid", NULL };
+
+ if ( !PyArg_ParseTupleAndKeywords(args, kwds, "i", kwd_list,
+ &sid) )
+ return NULL;
+
+ xc_handle = xc_interface_open();
+ if (xc_handle < 0) {
+ errno = xc_handle;
+ return PyErr_SetFromErrno(xc_error_obj);
+ }
+
+ ret = flask_sid_to_context(xc_handle, sid, 
ctx, ctx_len);
+
+ xc_interface_close(xc_handle);
+
+ if ( ret != 0 ) {
+ errno = -ret;
+ return PyErr_SetFromErrno(xc_error_obj);
+ }
+
+ return Py_BuildValue("s", ctx, ctx_len);
+}
+
+
+static PyMethodDef pyflask_methods[] = {
+ { "flask_context_to_sid",
+ (PyCFunction)pyflask_context_to_sid,
+ METH_KEYWORDS, "\n"
+ "Convert a context string to a dynamic SID.\n"
+ " context [str]: String specifying context to be converted\n"
+ "Returns: [int]: Numeric SID on success; -1 on error.\n" },
+
+ { "flask_sid_to_context",
+ (PyCFunction)pyflask_sid_to_context,
+ METH_KEYWORDS, "\n"
+ "Convert a dynamic SID to context string.\n"
+ " context [int]: SID to be converted\n"
+ "Returns: [str]: Numeric SID on success; -1 on error.\n" },
+
+ { NULL, NULL, 0, NULL }
+};
+
+PyMODINIT_FUNC initflask(void)
+{
+ Py_InitModule("flask", pyflask_methods);
+}
+
+
+/*
+ * Local variables:
+ * c-indent-level: 4
+ * c-basic-offset: 4
+ * End:
+ */
diff --git a/tools/python/xen/lowlevel/xc/xc.c b/tools/python/xen/lowlevel/xc/xc.c
index 021d7f2a7a..93402b1e5b 100644
--- a/tools/python/xen/lowlevel/xc/xc.c
+++ b/tools/python/xen/lowlevel/xc/xc.c
@@ -685,7 +685,7 @@ static PyObject *pyxc_physinfo(XcObject *self)
char cpu_cap[128], *p=cpu_cap, *q=cpu_cap;
int i, j, max_cpu_id;
PyObject *ret_obj, *node_to_cpu_obj;
- xc_cpu_to_node_t map[MAX_CPU_ID];
+ xc_cpu_to_node_t map[MAX_CPU_ID + 1];
set_xen_guest_handle(info.cpu_to_node, map);
info.max_cpu_id = MAX_CPU_ID;
diff --git a/tools/python/xen/util/acmpolicy.py b/tools/python/xen/util/acmpolicy.py
index 3ea1ac5272..36aa88cbd3 100644
--- a/tools/python/xen/util/acmpolicy.py
+++ b/tools/python/xen/util/acmpolicy.py
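Review bot: `pyflask_context_to_sid` has a NULL dereference on its allocation-failure path: when `malloc(len)` fails it sets an exception but does not `return`, so `memcpy(buf, ctx, len)` runs with `buf == NULL`; the buffer is also one byte short of holding the terminator (`len = strlen(ctx)`), so if `flask_context_to_sid` treats its argument as a C string it reads past the allocation, and `errno = -ENOMEM` / `errno = xc_handle` store negative values that `PyErr_SetFromErrno` cannot translate (just keep the errno `xc_interface_open()` left behind). Every error path hands `xc_error_obj` to `PyErr_SetFromErrno`, but `initflask` never creates it, so the first failure raises with a NULL exception type; the rewrite below creates and exports it. In `pyflask_sid_to_context`, `Py_BuildValue("s", ctx, ctx_len)` ignores the extra argument and relies on the library NUL-terminating a possibly full 1024-byte buffer, which this hunk cannot confirm; pass `sizeof(ctx) - 1` to `flask_sid_to_context`, then `ctx[sizeof(ctx) - 1] = '\0'; return Py_BuildValue("s", ctx);`. Both method docstrings say "-1 on error" while the code raises, and the second one is a copy-paste of the first (" context [int]", "Returns: [str]: Numeric SID"); `PKG`, `CLS` and `XcObject` are unused.
```c
static PyObject *pyflask_context_to_sid(PyObject *self, PyObject *args,
                                        PyObject *kwds)
{
    /* … unchanged: locals and PyArg_ParseTupleAndKeywords … */

    len = strlen(ctx);

    /* +1 so the copy stays a valid C string for the library */
    buf = malloc(len + 1);
    if ( !buf )
        return PyErr_NoMemory();
    memcpy(buf, ctx, len + 1);

    xc_handle = xc_interface_open();
    if ( xc_handle < 0 )
    {
        /* xc_interface_open() already left the cause in errno */
        free(buf);
        return PyErr_SetFromErrno(xc_error_obj);
    }

    ret = flask_context_to_sid(xc_handle, buf, len, &sid);

    /* … unchanged: xc_interface_close, free(buf), ret check, PyInt_FromLong … */
}

PyMODINIT_FUNC initflask(void)
{
    PyObject *m = Py_InitModule("flask", pyflask_methods);
    if ( m == NULL )
        return;
    /* every error path above passes this object to PyErr_SetFromErrno */
    xc_error_obj = PyErr_NewException(PKG ".Error", NULL, NULL);
    Py_INCREF(xc_error_obj);
    PyModule_AddObject(m, "Error", xc_error_obj);
}
```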
@@ -1,4 +1,4 @@ -#============================================================================ + #============================================================================ # This library is free software; you can redistribute it and/or # modify it under the terms of version 2.1 of the GNU Lesser General Public # License as published by the Free Software Foundation. @@ -23,10 +23,11 @@ import stat import array from xml.dom import minidom, Node from xen.xend.XendLogging import log -from xen.util import security, xsconstants, bootloader, mkdir +from xen.util import xsconstants, bootloader, mkdir from xen.util.xspolicy import XSPolicy -from xen.util.security import ACMError from xen.xend.XendError import SecurityError +import xen.util.xsm.acm.acm as security +from xen.util.xsm.xsm import XSMError ACM_POLICIES_DIR = security.policy_dir_prefix + "/" @@ -1240,8 +1241,8 @@ class ACMPolicy(XSPolicy): (major, minor) = self.getVersionTuple() hdr_bin = struct.pack(headerformat, - ACM_POLICY_VERSION, ACM_MAGIC, + ACM_POLICY_VERSION, totallen_bin, polref_offset, primpolcode, diff --git a/tools/python/xen/util/xsm/__init__.py b/tools/python/xen/util/xsm/__init__.py new file mode 100644 index 0000000000..139597f9cb --- /dev/null +++ b/tools/python/xen/util/xsm/__init__.py @@ -0,0 +1,2 @@ + + diff --git a/tools/python/xen/util/xsm/acm/__init__.py b/tools/python/xen/util/xsm/acm/__init__.py new file mode 100644 index 0000000000..8d1c8b69c3 --- /dev/null +++ b/tools/python/xen/util/xsm/acm/__init__.py @@ -0,0 +1 @@ + diff --git a/tools/python/xen/util/security.py b/tools/python/xen/util/xsm/acm/acm.py index 1deaf9d914..b2dff14edd 100644 --- a/tools/python/xen/util/security.py +++ b/tools/python/xen/util/xsm/acm/acm.py 
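Review bot: Swapping `ACM_POLICY_VERSION` and `ACM_MAGIC` in the `struct.pack(headerformat, ...)` call changes the byte layout of the binary policy header, so anything that still expects the version word first — an older xend, the hypervisor's policy loader, or binary policies already on disk — will misparse it; neither `headerformat` nor the consumer-side struct is in this hunk, so the new order can only be presumed to match them. Put the target layout next to the call so the next reader can check it without digging, e.g. `# field order must match the hypervisor's policy header: magic, version, ...` with the remaining fields listed. The enclosing method begins before this hunk.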
@@ -934,7 +934,8 @@ def resources_compatible_with_vmlabel(xspol, dominfo, vmlabel):
access_control = dictio.dict_read("resources", res_label_filename)
except:
- return False
+ # No labeled resources -> must be compatible
+ return True
return __resources_compatible_with_vmlabel(xspol, dominfo, vmlabel, access_control)
finally:
@@ -950,6 +951,7 @@ def __resources_compatible_with_vmlabel(xspol, dominfo, vmlabel,
given VM label. The access_control parameter provides a dictionary of the resource name to resource label mappings under which the evaluation should be done.
+ Call this only for a paused or running domain.
"""
def collect_labels(reslabels, s_label, polname):
if len(s_label) != 3 or polname != s_label[1]:
@@ -1204,7 +1206,7 @@ def change_acm_policy(bin_pol, del_array, chg_array,
access_control = {}
try:
access_control = dictio.dict_read("resources", res_label_filename)
- finally:
+ except:
pass
for key, labeldata in access_control.items():
if len(labeldata) == 2:
@@ -1297,3 +1299,21 @@ def change_acm_policy(bin_pol, del_array, chg_array,
__resfile_lock.release()
return rc, errors
+
+def parse_security_label(security_label):
+ tmp = security_label.split(":")
+ if len(tmp) != 3:
+ return ""
+ else:
+ return security_label
+
+def set_security_label(policy, label):
+ policytype = xsconstants.ACM_POLICY_ID
+ if label != "" and policy != "":
+ return "%s:%s:%s" % (policytype, policy, label)
+ else:
+ return ""
+
+def ssidref2security_label(ssidref):
+ from xen.xend.XendXSPolicyAdmin import XSPolicyAdminInstance
+ return XSPolicyAdminInstance().ssidref_to_vmlabel(ssidref)
diff --git a/tools/python/xen/util/xsm/dummy/__init__.py b/tools/python/xen/util/xsm/dummy/__init__.py
new file mode 100644
index 0000000000..8d1c8b69c3
--- /dev/null
+++ b/tools/python/xen/util/xsm/dummy/__init__.py
@@ -0,0 +1 @@
+
diff --git a/tools/python/xen/util/xsm/dummy/dummy.py b/tools/python/xen/util/xsm/dummy/dummy.py
new file mode 100644
index 0000000000..25e1ed989f
--- /dev/null
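Review bot: Turning `return False` into `return True` under a bare `except:` in `resources_compatible_with_vmlabel` makes every failure of `dictio.dict_read("resources", res_label_filename)` — permission denied, a corrupt or half-written label file, any OSError — report the resources as compatible, which fails open for an access-control decision. The comment describes only the "no labeled resources" case, so test that case explicitly and keep read errors fail-closed: `except IOError, e:` / `if e.errno == errno.ENOENT: return True` / `raise` (or log and `return False`). The `@@ -1204` hunk below has the same shape, where `finally: pass` became `except: pass` and the policy change then proceeds with an empty `access_control` dict. The enclosing function begins before this hunk.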
+++ b/tools/python/xen/util/xsm/dummy/dummy.py
@@ -0,0 +1,53 @@
+import sys
+
+class XSMError(Exception):
+ def __init__(self,value):
+ self.value = value
+ def __str__(self):
+ return repr(self.value)
+
+policy_dir_prefix = "";
+active_policy = "";
+NULL_SSIDREF = 0;
+
+def err(msg):
+ """Raise XSM-dummy exception.
+ """
+ sys.stderr.write("XSM-dummyError: " + msg + "\n")
+ raise XSMError(msg)
+
+def on():
+ return 0
+
+def ssidref2label(ssidref):
+ return 0
+
+def label2ssidref(label, policy, type):
+ return 0
+
+def res_security_check(resource, domain_label):
+ return 1
+
+def get_res_security_details(resource):
+ return ("","","")
+
+def get_res_label(resource):
+ return ("","")
+
+def res_security_check_xapi(rlabel, rssidref, rpolicy, xapi_dom_label):
+ return 1
+
+def parse_security_label(security_label):
+ return ""
+
+def calc_dom_ssidref_from_info(info):
+ return ""
+
+def set_security_label(policy, label):
+ return ""
+
+def ssidref2security_label(ssidref):
+ return ""
+
+def has_authorization(ssidref):
+ return True
diff --git a/tools/python/xen/util/xsm/flask/__init__.py b/tools/python/xen/util/xsm/flask/__init__.py
new file mode 100644
index 0000000000..8d1c8b69c3
--- /dev/null
+++ b/tools/python/xen/util/xsm/flask/__init__.py
@@ -0,0 +1 @@
+
diff --git a/tools/python/xen/util/xsm/flask/flask.py b/tools/python/xen/util/xsm/flask/flask.py
new file mode 100644
index 0000000000..1854cb46aa
--- /dev/null
+++ b/tools/python/xen/util/xsm/flask/flask.py
@@ -0,0 +1,37 @@
+import sys
+from xen.lowlevel import flask
+from xen.xend import sxp
+
+def err(msg):
+ """Raise XSM-Flask exception.
+ """
+ sys.stderr.write("XSM-FlaskError: " + msg + "\n")
+ raise XSMError(msg)
+
+def on():
+ return 1
+
+def ssidref2label(ssidref):
+ try:
+ return flask.flask_sid_to_context(ssidref)
+ except:
+ return ""
+
+def label2ssidref(label, policy, type):
+ try:
+ return flask.flask_context_to_sid(label)
+ except:
+ return ""
+
+def parse_security_label(security_label):
+ return security_label
+
+def calc_dom_ssidref_from_info(info):
+ ssidref = label2ssidref(info['security_label'], "", "")
+ return ssidref
+
+def set_security_label(policy, label):
+ return label
+
+def ssidref2security_label(ssidref):
+ return ssidref2label(ssidref)
diff --git a/tools/python/xen/util/xsm/xsm_core.py b/tools/python/xen/util/xsm/xsm_core.py
new file mode 100644
index 0000000000..f40af12edb
--- /dev/null
+++ b/tools/python/xen/util/xsm/xsm_core.py
@@ -0,0 +1,7 @@
+import sys
+import xen.util.xsm.dummy.dummy as dummy
+
+def xsm_init(self):
+ for op in dir(dummy):
+ if not hasattr(self, op):
+ setattr(self, op, getattr(dummy, op, None))
diff --git a/tools/python/xen/xend/XendCheckpoint.py b/tools/python/xen/xend/XendCheckpoint.py
index f88d8a8788..ac53e945b1 100644
--- a/tools/python/xen/xend/XendCheckpoint.py
+++ b/tools/python/xen/xend/XendCheckpoint.py
@@ -16,7 +16,7 @@ from xen.util.xpopen import xPopen3
import xen.util.auxbin
import xen.lowlevel.xc
-from xen.xend import balloon, sxp
+from xen.xend import balloon, sxp, image
from xen.xend.XendError import XendError, VmError
from xen.xend.XendLogging import log
from xen.xend.XendConfig import XendConfig
@@ -181,8 +181,6 @@ def restore(xd, fd, dominfo = None, paused = False):
assert store_port
assert console_port
- nr_pfns = (dominfo.getMemoryTarget() + 3) / 4
-
# if hvm, pass mem size to calculate the store_mfn
image_cfg = dominfo.info.get('image', {})
is_hvm = dominfo.info.is_hvm()
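Review bot: `ssidref2label` and `label2ssidref` wrap the `flask` calls in a bare `except:` that returns `""`, so an unknown or malformed security label silently becomes an empty SID and `calc_dom_ssidref_from_info` hands that back as if it were a resolved reference; under a mandatory access-control backend an unresolvable label should stop the operation rather than degrade to an empty value. Catch the extension's exception and report it through the module's own `err()`: `except Exception, e: err("cannot resolve label %s: %s" % (label, e))`, or at least `return None` so callers can tell failure from a real SID. `err()` itself raises `XSMError`, which this file neither defines nor imports; it only works because `xsm_init` later copies the name in from the dummy module, which deserves either an explicit `from xen.util.xsm.dummy.dummy import XSMError` or a comment saying so.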
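Review bot: `xsm_init` back-fills every name the selected backend lacks with the dummy implementation, and the dummy's answers are all permissive (`has_authorization` returns `True`, `res_security_check` and `res_security_check_xapi` return `1`), so a backend that forgets to implement a check becomes fail-open without anyone noticing — flask.py above defines none of those three, so with FLASK selected `has_authorization(ssidref)` is unconditionally `True`. Restrict the fallback to an explicit list of optional helpers, or at minimum make each substitution visible: `sys.stderr.write("xsm: %s has no %s, using dummy\n" % (self.__name__, op))` inside the `if`. A docstring on `xsm_init` stating that copied-in names are the dummy's no-ops, not real policy decisions, would make the contract clear to backend authors.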
@@ -196,18 +194,31 @@ def restore(xd, fd, dominfo = None, paused = False): pae = 0 try: - shadow = dominfo.info['shadow_memory'] + restore_image = image.create(dominfo, dominfo.info) + memory = restore_image.getRequiredAvailableMemory( + dominfo.info['memory_dynamic_max'] / 1024) + maxmem = restore_image.getRequiredAvailableMemory( + dominfo.info['memory_static_max'] / 1024) + shadow = restore_image.getRequiredShadowMemory( + dominfo.info['shadow_memory'] / 1024, + dominfo.info['memory_static_max'] / 1024) + log.debug("restore:shadow=0x%x, _static_max=0x%x, _static_min=0x%x, ", dominfo.info['shadow_memory'], dominfo.info['memory_static_max'], dominfo.info['memory_static_min']) - balloon.free(xc.pages_to_kib(nr_pfns) + shadow * 1024) + # Round shadow up to a multiple of a MiB, as shadow_mem_control + # takes MiB and we must not round down and end up under-providing. + shadow = ((shadow + 1023) / 1024) * 1024 - shadow_cur = xc.shadow_mem_control(dominfo.getDomid(), shadow) - dominfo.info['shadow_memory'] = shadow_cur + # set memory limit + xc.domain_setmaxmem(dominfo.getDomid(), maxmem) - xc.domain_setmaxmem(dominfo.getDomid(), dominfo.getMemoryMaximum()) + balloon.free(memory + shadow) + + shadow_cur = xc.shadow_mem_control(dominfo.getDomid(), shadow / 1024) + dominfo.info['shadow_memory'] = shadow_cur cmd = map(str, [xen.util.auxbin.pathTo(XC_RESTORE), fd, dominfo.getDomid(), @@ -219,7 +230,7 @@ def restore(xd, fd, dominfo = None, paused = False): forkHelper(cmd, fd, handler.handler, True) # We don't want to pass this fd to any other children -- we - # might need to recover ths disk space that backs it. + # might need to recover the disk space that backs it. try: flags = fcntl.fcntl(fd, fcntl.F_GETFD) flags |= fcntl.FD_CLOEXEC diff --git a/tools/python/xen/xend/XendConfig.py b/tools/python/xen/xend/XendConfig.py index ccc57dade9..6db58f52d9 100644 --- a/tools/python/xen/xend/XendConfig.py +++ b/tools/python/xen/xend/XendConfig.py 
@@ -28,9 +28,9 @@ from xen.xend.XendError import VmError from xen.xend.XendDevices import XendDevices from xen.xend.PrettyPrint import prettyprintstring from xen.xend.XendConstants import DOM_STATE_HALTED +from xen.xend.server.BlktapController import blktap_disk_types from xen.xend.server.netif import randomMAC from xen.util.blkif import blkdev_name_to_number -from xen.xend.XendXSPolicyAdmin import XSPolicyAdminInstance from xen.util import xsconstants log = logging.getLogger("xend.XendConfig") @@ -433,7 +433,8 @@ class XendConfig(dict): self['cpu_time'] = dominfo['cpu_time']/1e9 if dominfo.get('ssidref'): ssidref = int(dominfo.get('ssidref')) - self['security_label'] = XSPolicyAdminInstance().ssidref_to_vmlabel(ssidref) + import xen.util.xsm.xsm as security + self['security_label'] = security.ssidref2security_label(ssidref) self['shutdown_reason'] = dominfo['shutdown_reason'] @@ -651,7 +652,6 @@ class XendConfig(dict): # ['ssidref', 196611]] policy = "" label = "" - policytype = xsconstants.ACM_POLICY_ID for idx in range(0, len(secinfo)): if secinfo[idx][0] == "access_control": for aidx in range(1, len(secinfo[idx])): @@ -659,9 +659,10 @@ class XendConfig(dict): policy = secinfo[idx][aidx][1] if secinfo[idx][aidx][0] == "label": label = secinfo[idx][aidx][1] - if label != "" and policy != "": - cfg['security_label'] = "%s:%s:%s" % \ - (policytype, policy, label) + import xen.util.xsm.xsm as security + cfg['security_label'] = \ + security.set_security_label(policy, label) + if not sxp.child_value(sxp_cfg, 'security_label'): del cfg['security'] old_state = sxp.child_value(sxp_cfg, 'state') @@ -1084,6 +1085,11 @@ class XendConfig(dict): else: dev_info['driver'] = 'paravirtualised' + if dev_type == 'tap': + if dev_info['uname'].split(':')[1] not in blktap_disk_types: + raise XendConfigError("tap:%s not a valid disk type" % + dev_info['uname'].split(':')[1]) + if dev_type == 'vif': if not dev_info.get('mac'): dev_info['mac'] = randomMAC() 
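Review bot: The new tap check in the @@ -1084 hunk indexes `dev_info['uname'].split(':')[1]` without confirming a colon is present, so a malformed uname such as `tap` raises IndexError out of config parsing instead of the XendConfigError the check intends; split once and test the length: `parts = dev_info['uname'].split(':', 2)` / `if len(parts) < 2 or parts[1] not in blktap_disk_types:` / `raise XendConfigError("tap:%s not a valid disk type" % dev_info['uname'])`. In the @@ -659 hunk, `cfg['security_label']` is now assigned unconditionally where it was previously set only when both policy and label were non-empty; whether an empty label now ends up in the config depends on what each backend's set_security_label() does with empty inputs (the flask version in this commit returns `label` unchanged), so that path deserves a check or a comment.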
diff --git a/tools/python/xen/xend/XendDomainInfo.py b/tools/python/xen/xend/XendDomainInfo.py index 3ca3f506d0..39388f1b48 100644 --- a/tools/python/xen/xend/XendDomainInfo.py +++ b/tools/python/xen/xend/XendDomainInfo.py @@ -36,7 +36,7 @@ from types import StringTypes import xen.lowlevel.xc from xen.util import asserts from xen.util.blkif import blkdev_uname_to_file, blkdev_uname_to_taptype -from xen.util import security +import xen.util.xsm.xsm as security from xen.xend import balloon, sxp, uuid, image, arch, osdep from xen.xend import XendOptions, XendNode, XendConfig @@ -607,6 +607,9 @@ class XendDomainInfo: _, dev_info = sxprs[dev] else: # 'vbd' or 'tap' dev_info = self.getDeviceInfo_vbd(dev) + # To remove the UUID of the device from refs, + # deviceClass must be always 'vbd'. + deviceClass = 'vbd' if dev_info is None: return rc @@ -981,7 +984,7 @@ class XendDomainInfo: changed = True # Check if the rtc offset has changes - if vm_details.get("rtc/timeoffset", 0) != self.info["platform"].get("rtc_timeoffset", 0): + if vm_details.get("rtc/timeoffset", "0") != self.info["platform"].get("rtc_timeoffset", "0"): self.info["platform"]["rtc_timeoffset"] = vm_details.get("rtc/timeoffset", 0) changed = True @@ -1770,7 +1773,8 @@ class XendDomainInfo: self._cleanupVm() if self.dompath is not None: - xc.domain_destroy_hook(self.domid) + if self.domid is not None: + xc.domain_destroy_hook(self.domid) self.destroyDomain() self._cleanup_phantom_devs(paths) diff --git a/tools/python/xen/xend/XendVDI.py b/tools/python/xen/xend/XendVDI.py index 863a4e0e17..0ef432b303 100644 --- a/tools/python/xen/xend/XendVDI.py +++ b/tools/python/xen/xend/XendVDI.py @@ -23,7 +23,8 @@ import os from xen.util.xmlrpclib2 import stringify from xmlrpclib import dumps, loads -from xen.util import security, xsconstants +from xen.util import xsconstants +import xen.util.xsm.xsm as security from xen.xend.XendError import SecurityError KB = 1024 
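Review bot: The rtc offset comparison now defaults both sides to the string `"0"`, but the assignment on the following line still uses `vm_details.get("rtc/timeoffset", 0)`, so if the platform entry ever holds an integer 0 the test sees `"0" != 0`, reports a change on every pass and re-stores the integer; the default should match the comparison: `self.info["platform"]["rtc_timeoffset"] = vm_details.get("rtc/timeoffset", "0")`. The enclosing method begins and ends outside the hunk.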
diff --git a/tools/python/xen/xend/XendXSPolicy.py b/tools/python/xen/xend/XendXSPolicy.py index 493b68e199..de30fd7caa 100644 --- a/tools/python/xen/xend/XendXSPolicy.py +++ b/tools/python/xen/xend/XendXSPolicy.py @@ -20,7 +20,8 @@ import logging from xen.xend.XendBase import XendBase from xen.xend.XendError import * from xen.xend.XendXSPolicyAdmin import XSPolicyAdminInstance -from xen.util import xsconstants, security +from xen.util import xsconstants +import xen.util.xsm.xsm as security import base64 log = logging.getLogger("xend.XendXSPolicy") diff --git a/tools/python/xen/xend/XendXSPolicyAdmin.py b/tools/python/xen/xend/XendXSPolicyAdmin.py index b3d7c2a9f1..c97e085dd0 100644 --- a/tools/python/xen/xend/XendXSPolicyAdmin.py +++ b/tools/python/xen/xend/XendXSPolicyAdmin.py @@ -22,7 +22,8 @@ from xml.dom import minidom, Node from xen.xend.XendLogging import log from xen.xend import uuid -from xen.util import security, xsconstants, dictio, bootloader +from xen.util import xsconstants, dictio, bootloader +import xen.util.xsm.acm.acm as security from xen.util.xspolicy import XSPolicy from xen.util.acmpolicy import ACMPolicy from xen.xend.XendError import SecurityError diff --git a/tools/python/xen/xend/server/BlktapController.py b/tools/python/xen/xend/server/BlktapController.py index 420a4bdbe6..3226e81011 100644 --- a/tools/python/xen/xend/server/BlktapController.py +++ b/tools/python/xen/xend/server/BlktapController.py @@ -7,6 +7,14 @@ from xen.xend.XendLogging import log phantomDev = 0; phantomId = 0; +blktap_disk_types = [ + 'aio', + 'sync', + 'vmdk', + 'ram', + 'qcow' + ] + class BlktapController(BlkifController): def __init__(self, vm): BlkifController.__init__(self, vm) diff --git a/tools/python/xen/xend/server/blkif.py b/tools/python/xen/xend/server/blkif.py index 24879ab38a..5992d52b2f 100644 --- a/tools/python/xen/xend/server/blkif.py +++ b/tools/python/xen/xend/server/blkif.py 
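Review bot: The XendXSPolicyAdmin hunk binds `security` to `xen.util.xsm.acm.acm` directly, whereas every other module in this commit goes through the backend-neutral `xen.util.xsm.xsm`. If that is deliberate because policy administration is ACM-only, a comment on the import such as `# policy administration is ACM-specific; bypass xsm backend selection` would stop a later cleanup from "fixing" it; if it is not deliberate, it should use the same import as the rest.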
@@ -20,7 +20,7 @@ import re import string from xen.util import blkif -from xen.util import security +import xen.util.xsm.xsm as security from xen.xend.XendError import VmError from xen.xend.server.DevController import DevController diff --git a/tools/python/xen/xend/server/netif.py b/tools/python/xen/xend/server/netif.py index 3d4b598b91..fbf059b9fb 100644 --- a/tools/python/xen/xend/server/netif.py +++ b/tools/python/xen/xend/server/netif.py @@ -27,8 +27,8 @@ import re from xen.xend import XendOptions from xen.xend.server.DevController import DevController from xen.xend.XendError import VmError -from xen.util import security from xen.xend.XendXSPolicyAdmin import XSPolicyAdminInstance +import xen.util.xsm.xsm as security from xen.xend.XendLogging import log diff --git a/tools/python/xen/xm/addlabel.py b/tools/python/xen/xm/addlabel.py index bb27d30331..9af4f06754 100644 --- a/tools/python/xen/xm/addlabel.py +++ b/tools/python/xen/xm/addlabel.py @@ -23,7 +23,7 @@ import os import sys from xen.util import dictio -from xen.util import security +import xen.util.xsm.xsm as security from xen.xm.opts import OptionError from xen.util import xsconstants from xen.xm import main as xm_main diff --git a/tools/python/xen/xm/cfgbootpolicy.py b/tools/python/xen/xm/cfgbootpolicy.py index 7fd181e06d..2436f2501b 100644 --- a/tools/python/xen/xm/cfgbootpolicy.py +++ b/tools/python/xen/xm/cfgbootpolicy.py 
@@ -26,11 +26,11 @@ import os, stat import shutil import string import re -from xen.util.security import err -from xen.util.security import policy_dir_prefix, xen_title_re -from xen.util.security import boot_filename, altboot_filename -from xen.util.security import any_title_re, xen_kernel_re, any_module_re -from xen.util.security import empty_line_re, binary_name_re, policy_name_re +from xen.util.xsm.xsm import err +from xen.util.xsm.xsm import policy_dir_prefix, xen_title_re +from xen.util.xsm.xsm import boot_filename, altboot_filename +from xen.util.xsm.xsm import any_title_re, xen_kernel_re, any_module_re +from xen.util.xsm.xsm import empty_line_re, binary_name_re, policy_name_re from xen.util import xsconstants from xen.xm.opts import OptionError from xen.xm import main as xm_main diff --git a/tools/python/xen/xm/create.py b/tools/python/xen/xm/create.py index f4d056608b..a6d24b8b69 100644 --- a/tools/python/xen/xm/create.py +++ b/tools/python/xen/xm/create.py @@ -33,7 +33,7 @@ from xen.xend import osdep import xen.xend.XendClient from xen.xend.XendBootloader import bootloader from xen.util import blkif -from xen.util import security +import xen.util.xsm.xsm as security from xen.xm.main import serverType, SERVER_XEN_API, get_single_vm from xen.xm.opts import * @@ -725,7 +725,8 @@ def configure_hvm(config_image, vals): for a in args: if a in vals.__dict__ and vals.__dict__[a] is not None: config_image.append([a, vals.__dict__[a]]) - config_image.append(['vncpasswd', vals.vncpasswd]) + if vals.vncpasswd is not None: + config_image.append(['vncpasswd', vals.vncpasswd]) def make_config(vals): @@ -1220,7 +1221,7 @@ def config_security_check(config, verbose): if verbose: print " %s: PERMITTED" % (resource) - except security.ACMError: + except security.XSMError: print " %s: DENIED" % (resource) (poltype, res_label, res_policy) = security.get_res_label(resource) if not res_label: 
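Review bot: cfgbootpolicy now takes `policy_dir_prefix` and the other boot-policy constants from `xen.util.xsm.xsm`, while the setpolicy.py hunk in this same commit imports `policy_dir_prefix` from `xen.util.xsm.acm.acm`; only one of these can be the defining module, and if `xen.util.xsm.xsm` does not re-export the ACM constants this import fails when the command is loaded. Pick one source for the ACM constants and use it in both files.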
@@ -1242,7 +1243,7 @@ def create_security_check(config): passed = 1 else: print "Checking resources: (skipped)" - except security.ACMError: + except security.XSMError: sys.exit(-1) return passed @@ -1299,7 +1300,7 @@ def main(argv): map(lambda vm_ref: server.xenapi.VM.start(vm_ref, 0), vm_refs) elif not opts.is_xml: if not create_security_check(config): - raise security.ACMError( + raise security.XSMError( 'Security Configuration prevents domain from starting') dom = make_domain(opts, config) diff --git a/tools/python/xen/xm/dry-run.py b/tools/python/xen/xm/dry-run.py index 9aa56d2f94..a0b2c84c03 100644 --- a/tools/python/xen/xm/dry-run.py +++ b/tools/python/xen/xm/dry-run.py @@ -19,7 +19,7 @@ """Tests the security settings for a domain and its resources. """ import sys -from xen.util import security +import xen.util.xsm.xsm as security from xen.xm import create from xen.xend import sxp from xen.xm.opts import OptionError diff --git a/tools/python/xen/xm/dumppolicy.py b/tools/python/xen/xm/dumppolicy.py index c57e8e4ad5..77c4151beb 100644 --- a/tools/python/xen/xm/dumppolicy.py +++ b/tools/python/xen/xm/dumppolicy.py @@ -18,7 +18,7 @@ """Display currently enforced policy (low-level hypervisor representation). """ import sys -from xen.util.security import ACMError, err, dump_policy +from xen.util.xsm.xsm import XSMError, err, dump_policy from xen.xm.opts import OptionError def help(): diff --git a/tools/python/xen/xm/getlabel.py b/tools/python/xen/xm/getlabel.py index cf7033d7d4..d54e54f25b 100644 --- a/tools/python/xen/xm/getlabel.py +++ b/tools/python/xen/xm/getlabel.py @@ -20,7 +20,7 @@ """ import sys, os, re from xen.util import dictio -from xen.util import security +import xen.util.xsm.xsm as security from xen.util import xsconstants from xen.xm.opts import OptionError from xen.xm import main as xm_main 
@@ -62,7 +62,7 @@ def get_resource_label(resource): "Please relabel the resource.") print policytype+":"+policy+":"+label else: - raise security.ACMError("Resource not labeled") + raise security.XSMError("Resource not labeled") def get_domain_label(configfile): @@ -95,7 +95,7 @@ def get_domain_label(configfile): # send error message if we didn't find anything if acline == "": - raise security.ACMError("Domain not labeled") + raise security.XSMError("Domain not labeled") # print out the label (title, data) = acline.split("=", 1) diff --git a/tools/python/xen/xm/labels.py b/tools/python/xen/xm/labels.py index dbfe07db27..447f85666c 100644 --- a/tools/python/xen/xm/labels.py +++ b/tools/python/xen/xm/labels.py @@ -21,8 +21,8 @@ import sys import traceback import string -from xen.util.security import ACMError, err, list_labels, active_policy -from xen.util.security import vm_label_re, res_label_re, all_label_re +from xen.util.xsm.xsm import XSMError, err, list_labels, active_policy +from xen.util.xsm.xsm import vm_label_re, res_label_re, all_label_re from xen.xm.opts import OptionError from xen.util.acmpolicy import ACMPolicy from xen.util import xsconstants @@ -78,7 +78,7 @@ def labels(policy, ptype): for label in labels: print label - except ACMError: + except XSMError: sys.exit(-1) except: traceback.print_exc(limit = 1) diff --git a/tools/python/xen/xm/loadpolicy.py b/tools/python/xen/xm/loadpolicy.py index d17a0e7d70..4104a6eec5 100644 --- a/tools/python/xen/xm/loadpolicy.py +++ b/tools/python/xen/xm/loadpolicy.py @@ -20,7 +20,7 @@ """ import sys import traceback -from xen.util.security import ACMError, err, load_policy +from xen.util.xsm.xsm import XSMError, err, load_policy from xen.xm.opts import OptionError from xen.xm import main as xm_main from xen.util import xsconstants diff --git a/tools/python/xen/xm/main.py b/tools/python/xen/xm/main.py index 03a1f0820b..3f83e65d05 100644 --- a/tools/python/xen/xm/main.py +++ b/tools/python/xen/xm/main.py 
@@ -49,7 +49,8 @@ from xen.xend.XendConstants import * from xen.xm.opts import OptionError, Opts, wrap, set_true from xen.xm import console from xen.util.xmlrpcclient import ServerProxy -from xen.util.security import ACMError +import xen.util.xsm.xsm as security +from xen.util.xsm.xsm import XSMError from xen.util.acmpolicy import ACM_LABEL_UNLABELED_DISPLAY import XenAPI @@ -872,12 +873,7 @@ def parse_doms_info(info): } security_label = get_info('security_label', str, '') - tmp = security_label.split(":") - if len(tmp) != 3: - seclabel = "" - else: - seclabel = security_label - parsed_info['seclabel'] = seclabel + parsed_info['seclabel'] = security.parse_security_label(security_label) if serverType == SERVER_XEN_API: parsed_info['mem'] = get_info('memory_actual', int, 0) / 1024 @@ -935,14 +931,14 @@ def xm_brief_list(doms): print format % d def xm_label_list(doms): - print '%-32s %5s %5s %5s %10s %9s %-8s' % \ + print '%-40s %3s %5s %5s %10s %9s %-10s' % \ ('Name', 'ID', 'Mem', 'VCPUs', 'State', 'Time(s)', 'Label') - + output = [] - format = '%(name)-32s %(domid)5s %(mem)5d %(vcpus)5d %(state)10s ' \ - '%(cpu_time)8.1f %(seclabel)9s' + format = '%(name)-40s %(domid)3s %(mem)5d %(vcpus)5d %(state)10s ' \ + '%(cpu_time)8.1f %(seclabel)10s' - from xen.util import security + import xen.util.xsm.xsm as security for dom in doms: d = parse_doms_info(dom) @@ -2580,12 +2576,12 @@ def _run_cmd(cmd, cmd_name, args): print e.usage except XenAPIUnsupportedException, e: err(str(e)) - except ACMError, e: + except XSMError, e: err(str(e)) except Exception, e: if serverType != SERVER_XEN_API: - from xen.util import security - if isinstance(e, security.ACMError): + import xen.util.xsm.xsm as security + if isinstance(e, security.XSMError): err(str(e)) return False, 1 print "Unexpected error:", sys.exc_info()[0] diff --git a/tools/python/xen/xm/makepolicy.py b/tools/python/xen/xm/makepolicy.py index c2cac26bd4..2a208b0a68 100644 --- a/tools/python/xen/xm/makepolicy.py 
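Review bot: The first hunk adds a module-level `import xen.util.xsm.xsm as security`, yet xm_label_list() and _run_cmd() in the later hunks still do a local `import xen.util.xsm.xsm as security` that only shadows it; both local imports can be dropped now. In _run_cmd(), the `isinstance(e, security.XSMError)` test inside the `except Exception, e:` arm can no longer match, because the same class is already caught by the `except XSMError, e:` arm above it (both names resolve through `xen.util.xsm.xsm`), so that branch is dead unless the module rebinds XSMError after import.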
+++ b/tools/python/xen/xm/makepolicy.py @@ -19,7 +19,7 @@ """ import sys import traceback -from xen.util.security import ACMError, err, make_policy +from xen.util.xsm.xsm import ACMError, err, make_policy from xen.util import xsconstants from xen.xm.opts import OptionError from xen.xm import main as xm_main diff --git a/tools/python/xen/xm/resources.py b/tools/python/xen/xm/resources.py index a51df974e4..51e1c48858 100644 --- a/tools/python/xen/xm/resources.py +++ b/tools/python/xen/xm/resources.py @@ -20,7 +20,7 @@ """ import sys from xen.util import dictio -from xen.util import security +import xen.util.xsm.xsm as security from xen.util import xsconstants from xen.xm.opts import OptionError from xen.xm import main as xm_main diff --git a/tools/python/xen/xm/rmlabel.py b/tools/python/xen/xm/rmlabel.py index c3c488fc5b..c407a16076 100644 --- a/tools/python/xen/xm/rmlabel.py +++ b/tools/python/xen/xm/rmlabel.py @@ -20,7 +20,7 @@ """ import sys, os, re from xen.util import dictio -from xen.util import security +import xen.util.xsm.xsm as security from xen.xm.opts import OptionError from xen.xm import main as xm_main from xen.xm.main import server @@ -108,7 +108,7 @@ def rm_domain_label(configfile): # send error message if we didn't find anything to remove if not removed: - raise security.ACMError('Domain not labeled') + raise security.XSMError('Domain not labeled') # write the data back out to the file fd = open(fil, "wb") diff --git a/tools/python/xen/xm/setpolicy.py b/tools/python/xen/xm/setpolicy.py index b1c58d4ac0..6aa6996616 100644 --- a/tools/python/xen/xm/setpolicy.py +++ b/tools/python/xen/xm/setpolicy.py @@ -26,7 +26,7 @@ import string from xen.util import xsconstants from xen.util.acmpolicy import ACMPolicy from xen.xm.opts import OptionError -from xen.util.security import policy_dir_prefix +from xen.util.xsm.acm.acm import policy_dir_prefix from xen.xm import main as xm_main from xen.xm.main import server 
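Review bot: makepolicy.py still imports `ACMError` from `xen.util.xsm.xsm`, while dumppolicy.py, labels.py, loadpolicy.py and main.py in this commit import `XSMError` from that module and the create/getlabel/rmlabel hunks catch `security.XSMError`; if the new module only exports XSMError this line raises ImportError when xm loads the command, and even if both names exist the handler below (outside the hunk) catches a different class than the rest of the tools. Change it to `from xen.util.xsm.xsm import XSMError, err, make_policy` and update the corresponding except clause.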
diff --git a/tools/security/secpol_tool.c b/tools/security/secpol_tool.c index 9845ef6bb4..14b4bcc73d 100644 --- a/tools/security/secpol_tool.c +++ b/tools/security/secpol_tool.c @@ -34,8 +34,8 @@ #include <string.h> #include <netinet/in.h> #include <stdint.h> -#include <xen/acm.h> -#include <xen/acm_ops.h> +#include <xen/xsm/acm.h> +#include <xen/xsm/acm_ops.h> #include <xenctrl.h> diff --git a/tools/security/secpol_xml2bin.c b/tools/security/secpol_xml2bin.c index 98ef3e1af3..0fbe8efcbd 100644 --- a/tools/security/secpol_xml2bin.c +++ b/tools/security/secpol_xml2bin.c @@ -22,6 +22,7 @@ * * indent -i4 -kr -nut */ + #include <stdio.h> #include <stdlib.h> #include <string.h> @@ -38,7 +39,7 @@ #include <libxml/tree.h> #include <libxml/xmlreader.h> #include <stdint.h> -#include <xen/acm.h> +#include <xen/xsm/acm.h> #include "secpol_xml2bin.h" diff --git a/tools/xm-test/lib/XmTestLib/acm.py b/tools/xm-test/lib/XmTestLib/acm.py index 021aec048f..5456da6453 100644 --- a/tools/xm-test/lib/XmTestLib/acm.py +++ b/tools/xm-test/lib/XmTestLib/acm.py @@ -18,7 +18,7 @@ """ from Test import * -from xen.util import security +import xen.util.xsm.xsm as security from xen.xm.main import server from xen.util import xsconstants import re diff --git a/tools/xm-test/tests/security-acm/01_security-acm_basic.py b/tools/xm-test/tests/security-acm/01_security-acm_basic.py index a6af767faf..26666f1faa 100644 --- a/tools/xm-test/tests/security-acm/01_security-acm_basic.py +++ b/tools/xm-test/tests/security-acm/01_security-acm_basic.py @@ -14,7 +14,7 @@ # - resources from XmTestLib import * -from xen.util import security +import xen.util.xsm.xsm as security from xen.util import xsconstants import commands import os diff --git a/tools/xm-test/tests/security-acm/07_security-acm_pol_update.py b/tools/xm-test/tests/security-acm/07_security-acm_pol_update.py index d4d5eafdf7..a9e19a2153 100644 --- a/tools/xm-test/tests/security-acm/07_security-acm_pol_update.py 
+++ b/tools/xm-test/tests/security-acm/07_security-acm_pol_update.py @@ -9,7 +9,8 @@ from XmTestLib import xapi from XmTestLib.XenAPIDomain import XmTestAPIDomain from XmTestLib import * from xen.xend import XendAPIConstants -from xen.util import acmpolicy, security, xsconstants +import xen.util.xsm.xsm as security +from xen.util import acmpolicy, xsconstants from xen.util.acmpolicy import ACMPolicy from xen.xend.XendDomain import DOM0_UUID from XmTestLib.acm import * diff --git a/tools/xm-test/tests/security-acm/08_security-acm_xapi.py b/tools/xm-test/tests/security-acm/08_security-acm_xapi.py index 7eafc3607b..44e2fce008 100644 --- a/tools/xm-test/tests/security-acm/08_security-acm_xapi.py +++ b/tools/xm-test/tests/security-acm/08_security-acm_xapi.py @@ -9,7 +9,8 @@ from XmTestLib import xapi from XmTestLib.XenAPIDomain import XmTestAPIDomain from XmTestLib import * from xen.xend import XendAPIConstants -from xen.util import acmpolicy, security, xsconstants +import xen.util.xsm.xsm as security +from xen.util import acmpolicy, xsconstants import commands import os diff --git a/tools/xm-test/tests/security-acm/09_security-acm_pol_update.py b/tools/xm-test/tests/security-acm/09_security-acm_pol_update.py index fc3dab7664..cc53baf2b9 100644 --- a/tools/xm-test/tests/security-acm/09_security-acm_pol_update.py +++ b/tools/xm-test/tests/security-acm/09_security-acm_pol_update.py @@ -10,7 +10,8 @@ from XmTestLib.XenAPIDomain import XmTestAPIDomain from XmTestLib.acm import * from XmTestLib import * from xen.xend import XendAPIConstants -from xen.util import security, xsconstants +import xen.util.xsm.xsm as security +from xen.util import xsconstants from xen.util.acmpolicy import ACMPolicy from xen.xend.XendDomain import DOM0_UUID import base64 |