author | Keir Fraser <keir@xensource.com> | 2007-10-03 14:06:06 +0100 |
---|---|---|
committer | Keir Fraser <keir@xensource.com> | 2007-10-03 14:06:06 +0100 |
commit | 905654ba5499f21c698aff01d71ed98fa42c83f5 (patch) | |
tree | 3ea713014a559221ac99f4f73748c0e6c70990fb /tools | |
parent | 8950f5c6ba8e2349de4162af6f09f36c80670cf7 (diff) | |
xend: Check access to the privcmd interface before doing the call to
fetch the currently enforced policy. Assign 'INACCESSIBLE' to the
policy if it cannot be retrieved due to the user not being
privileged.
Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
Diffstat (limited to 'tools')
-rw-r--r-- | tools/python/xen/util/xsm/acm/acm.py | 17 | ||||
-rw-r--r-- | tools/python/xen/xm/labels.py | 6 |
2 files changed, 14 insertions, 9 deletions
diff --git a/tools/python/xen/util/xsm/acm/acm.py b/tools/python/xen/util/xsm/acm/acm.py
index 53081f0261..e76947f5dd 100644
--- a/tools/python/xen/util/xsm/acm/acm.py
+++ b/tools/python/xen/util/xsm/acm/acm.py
@@ -109,10 +109,12 @@ def refresh_security_policy():
 """
 global active_policy
- try:
- active_policy = acm.policy()
- except:
- active_policy = "INACTIVE"
+ active_policy = 'INACCESSIBLE'
+ if os.access("/proc/xen/privcmd", os.R_OK|os.W_OK):
+ try:
+ active_policy = acm.policy()
+ except:
+ active_policy = "INACTIVE"
 # now set active_policy refresh_security_policy()
@@ -295,7 +297,7 @@ def label2ssidref(labelname, policyname, typ):
 maps current policy to default directory to find mapping file """
- if policyname in ['NULL', 'INACTIVE', 'DEFAULT']:
+ if policyname in ['NULL', 'INACTIVE', 'DEFAULT', 'INACCESSIBLE' ]:
 err("Cannot translate labels for \'" + policyname + "\' policy.")
 allowed_types = ['ANY']
@@ -557,7 +559,7 @@ def load_policy(policy_name):
 def dump_policy():
- if active_policy in ['NULL', 'INACTIVE']:
+ if active_policy in ['NULL', 'INACTIVE', 'INACCESSIBLE' ]:
 err("\'" + active_policy + "\' policy. Nothing to dump.")
 (ret, output) = commands.getstatusoutput(xensec_tool + " getpolicy")
@@ -580,7 +582,8 @@ def dump_policy_file(filename, ssidref=None):
 def list_labels(policy_name, condition):
- if (not policy_name) and (active_policy) in ["NULL", "INACTIVE", "DEFAULT"]:
+ if (not policy_name) and active_policy in \
+ [ 'NULL', 'INACTIVE', 'DEFAULT', 'INACCESSIBLE' ]:
 err("Current policy \'" + active_policy + "\' has no labels defined.\n")
 (primary, secondary, f, pol_exists) = getmapfile(policy_name)
diff --git a/tools/python/xen/xm/labels.py b/tools/python/xen/xm/labels.py
index 447f85666c..bce0d22f7e 100644
--- a/tools/python/xen/xm/labels.py
+++ b/tools/python/xen/xm/labels.py
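Review bot: The new `os.access("/proc/xen/privcmd", os.R_OK|os.W_OK)` guard in refresh_security_policy() is a check-before-use, and `os.access` answers for the real UID/GID rather than the effective one, so its verdict can disagree with what `acm.policy()` then actually experiences. The bare `except:` underneath still turns every other failure into "INACTIVE", which a caller cannot tell apart from a system with no policy loaded. I would document the guard as advisory, e.g. `# os.access() tests the real UID and is only a hint; acm.policy() remains the authoritative check`, and narrow the handler to `except Exception:` so that an interrupt is not recorded as a policy state. No `import os` is visible in this hunk; presumably the module already imports it, but that is worth confirming because refresh_security_policy() appears to run at import time.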
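Review bot: The list of non-policy sentinel names is now written out separately in label2ssidref(), dump_policy() and list_labels() (and again in xen/xm/labels.py), so any comparison site this commit did not touch will treat 'INACCESSIBLE' as the name of a real policy and carry on. A single module-level constant would keep the sites in step, for example `NO_LABEL_POLICIES = ('NULL', 'INACTIVE', 'DEFAULT', 'INACCESSIBLE')` used as `if policyname in NO_LABEL_POLICIES:`; dump_policy() leaves out 'DEFAULT', which deserves a short comment saying whether that is intentional. The new literals also mix quote styles with the old ones and carry a stray space before `]`. All three functions continue outside their hunks.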
@@ -62,6 +62,8 @@ def labels(policy, ptype):
 policy = active_policy
 if active_policy in ['NULL', 'INACTIVE', 'DEFAULT']: raise OptionError('No policy active, you must specify a <policy>')
+ if active_policy in ['INACCESSIBLE']:
+ raise OptionError('Cannot access the policy. Try as root.')
 if not ptype or ptype == 'dom': condition = vm_label_re
@@ -104,9 +106,9 @@ def labels_xapi(policy, ptype):
 for n in names: print n
 elif int(policystate['type']) == 0:
- print "No policy installed on the system."
+ err("No policy installed on the system.")
 else:
- print "Unsupported type of policy installed on the system."
+ err("Unsupported type of policy installed on the system.")
 if __name__ == '__main__': main(sys.argv) |
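Review bot: `if active_policy in ['INACCESSIBLE']:` tests membership in a one-element list where a plain comparison reads more directly: `if active_policy == 'INACCESSIBLE':`. Judging from the acm.py part of this commit, active_policy is computed once when that module is loaded, so a short comment such as `# set by refresh_security_policy() when /proc/xen/privcmd is not accessible` would tell the reader where the value comes from. The start of labels() and the condition enclosing these lines are outside the hunk.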
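Review bot: Nothing in this hunk shows where labels.py gets `err` from, so please confirm the name is imported in this file. If it behaves like the helper of the same name called in acm.py, replacing `print` with `err(...)` in labels_xapi() changes the control flow as well as the output channel. A one-line comment stating what the caller should expect would help, e.g. `# err() does not return normally; the message is reported by the caller`, adjusted to whatever the helper really does. The body of labels_xapi() starts outside the hunk.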