author | kfraser@localhost.localdomain <kfraser@localhost.localdomain> | 2007-07-27 09:01:15 +0100 |
committer | kfraser@localhost.localdomain <kfraser@localhost.localdomain> | 2007-07-27 09:01:15 +0100 |
commit | bf9e4257b392c550afe1c34d1fe38b6a2659dd69 (patch) | |
tree | 2544a327b55a0a389c3d5a7169e7faf6e23458a0 /tools | |
parent | 2abe070373048a47d66851e76593c11f95683059 (diff) | |
[ACM] Check a domain's authorization to run.
A domain is only authorized to run if it has a superset of Simple Type
Enforcement Types in its VM label compared to that of Domain-0, which
itself may not have all STEs available in a policy. This patch adds a
check for this into Xend and the necessary code support into Xen.
Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
Diffstat (limited to 'tools')
-rw-r--r-- | tools/python/xen/lowlevel/acm/acm.c | 7 | ||||
-rw-r--r-- | tools/python/xen/util/security.py | 22 | ||||
-rw-r--r-- | tools/python/xen/xend/XendDomainInfo.py | 10 |
3 files changed, 32 insertions, 7 deletions
diff --git a/tools/python/xen/lowlevel/acm/acm.c b/tools/python/xen/lowlevel/acm/acm.c
index f8f024f66f..9b59ea48ed 100644
--- a/tools/python/xen/lowlevel/acm/acm.c
+++ b/tools/python/xen/lowlevel/acm/acm.c
@@ -148,9 +148,10 @@ static PyObject *getdecision(PyObject * self, PyObject * args)
     char *arg1_name, *arg1, *arg2_name, *arg2, *decision = NULL;
     struct acm_getdecision getdecision;
     int xc_handle, rc;
+    uint32_t hooktype;
-    if (!PyArg_ParseTuple(args, "ssss", &arg1_name,
-                          &arg1, &arg2_name, &arg2)) {
+    if (!PyArg_ParseTuple(args, "ssssi", &arg1_name,
+                          &arg1, &arg2_name, &arg2, &hooktype)) {
         return NULL;
     }
@@ -163,7 +164,7 @@ static PyObject *getdecision(PyObject * self, PyObject * args)
         (strcmp(arg2_name, "domid") && strcmp(arg2_name, "ssidref")))
         return NULL;
-    getdecision.hook = ACMHOOK_sharing;
+    getdecision.hook = hooktype;
     if (!strcmp(arg1_name, "domid")) {
         getdecision.get_decision_by1 = ACM_GETBY_domainid;
         getdecision.id1.domainid = atoi(arg1);
diff --git a/tools/python/xen/util/security.py b/tools/python/xen/util/security.py
index 5183ed2c98..47d51cb20a 100644
--- a/tools/python/xen/util/security.py
+++ b/tools/python/xen/util/security.py
@@ -62,6 +62,10 @@ empty_line_re = re.compile("^\s*$")
 binary_name_re = re.compile(".*[chwall|ste|chwall_ste].*\.bin", re.IGNORECASE)
 policy_name_re = re.compile(".*[chwall|ste|chwall_ste].*", re.IGNORECASE)
+#decision hooks known to the hypervisor
+ACMHOOK_sharing = 1
+ACMHOOK_authorization = 2
+
 #other global variables
 NULL_SSIDREF = 0
@@ -453,7 +457,8 @@ def get_decision(arg1, arg2):
         err("Invalid id or ssidref type, string or int required")
     try:
-        decision = acm.getdecision(arg1[0], arg1[1], arg2[0], arg2[1])
+        decision = acm.getdecision(arg1[0], arg1[1], arg2[0], arg2[1],
+                                   ACMHOOK_sharing)
     except:
         err("Cannot determine decision.")
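Review bot: `hooktype` is parsed with the `i` format into a `uint32_t` and, in the second hunk of this file, stored unchecked into `getdecision.hook`, so whatever integer the Python caller supplies reaches the hypervisor as the hook id. The format letter should match the variable's type (`I` for an unsigned int, or declare `hooktype` as `int`), and the value should be checked against the hook ids this module knows before the hypercall is issued, e.g. `if (hooktype != ACMHOOK_sharing && hooktype != <authorization hook constant>) return NULL;`. The C name of the authorization hook is not visible in this diff, so use whichever ACM header constant corresponds to the Python-side value 2. getdecision begins and ends outside the hunk.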
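Review bot: The hook ids `ACMHOOK_sharing = 1` and `ACMHOOK_authorization = 2` added at the top of security.py are a hand-copied mirror of the hypervisor's hook enumeration, and nothing ties them to it; if that enumeration is ever renumbered, both the sharing and the new authorization check silently query the wrong hook. I would at least record the coupling in the comment, `# decision hooks known to the hypervisor; values must match the ACMHOOK_* enumeration in the ACM header -- keep in sync`, and preferably export the values from the acm extension module so there is a single definition.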
@@ -463,6 +468,21 @@ def get_decision(arg1, arg2):
         err("Cannot determine decision (Invalid parameter).")
+def has_authorization(ssidref):
+    """ Check if the domain with the given ssidref has authorization to
+        run on this system. To have authoriztion dom0's STE types must
+        be a superset of that of the domain's given through its ssidref.
+    """
+    rc = True
+    dom0_ssidref = int(acm.getssid(0)['ssidref'])
+    decision = acm.getdecision('ssidref', str(dom0_ssidref),
+                               'ssidref', str(ssidref),
+                               ACMHOOK_authorization)
+    if decision == "DENIED":
+        rc = False
+    return rc
+
+
 def hv_chg_policy(bin_pol, del_array, chg_array):
     """ Change the binary policy in the hypervisor
diff --git a/tools/python/xen/xend/XendDomainInfo.py b/tools/python/xen/xend/XendDomainInfo.py
index 3ce18bc96f..0fe545aa31 100644
--- a/tools/python/xen/xend/XendDomainInfo.py
+++ b/tools/python/xen/xend/XendDomainInfo.py
@@ -1460,9 +1460,13 @@ class XendDomainInfo:
         # allocation of 1MB. We free up 2MB here to be on the safe side.
         balloon.free(2*1024) # 2MB should be plenty
-        ssidref = security.calc_dom_ssidref_from_info(self.info)
-        if ssidref == 0 and security.on():
-            raise VmError('VM is not properly labeled.')
+        ssidref = 0
+        if security.on():
+            ssidref = security.calc_dom_ssidref_from_info(self.info)
+            if ssidref == 0:
+                raise VmError('VM is not properly labeled.')
+            if security.has_authorization(ssidref) == False:
+                raise VmError("VM is not authorized to run.")
         try:
             self.domid = xc.domain_create(
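Review bot: has_authorization fails open: `rc` starts as `True` and only an exact `"DENIED"` string flips it, so any other value that comes back from acm.getdecision (an unexpected string, None) authorizes the domain. The check should start from denial and grant only on the explicit allow value acm.getdecision returns for a permitted decision; that value is not visible in this hunk, so take it from the extension's return convention rather than the negative case. The docstring also misspells "authorization" as "authoriztion" on its second line.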
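Review bot: `if security.has_authorization(ssidref) == False:` compares against a boolean literal; the idiomatic form is `if not security.has_authorization(ssidref):`, and it is also the safer one here, since a None return would pass the `== False` test and let the domain start while `not` would refuse it. Separately, the restructuring leaves `ssidref = 0` whenever `security.on()` is false, where the old code called calc_dom_ssidref_from_info unconditionally; if the xc.domain_create call that continues past the hunk passes ssidref through, confirm the old call already returned 0 in that case so the value handed to the hypervisor is unchanged. The enclosing method starts and ends outside the hunk.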