-rw-r--r--.hgignore1
-rw-r--r--tools/examples/xend-config.sxp4
-rw-r--r--tools/python/Makefile26
-rw-r--r--tools/python/xen/util/xsconstants.py4
-rw-r--r--tools/python/xen/util/xsm/dummy/dummy.py2
-rw-r--r--tools/python/xen/util/xsm/flask/flask.py8
-rw-r--r--tools/python/xen/util/xsm/xsm.py19
-rw-r--r--tools/python/xen/xend/XendConfig.py2
-rw-r--r--tools/python/xen/xend/XendDomainInfo.py6
-rw-r--r--tools/python/xen/xend/XendOptions.py8
-rw-r--r--tools/python/xen/xend/server/blkif.py2
-rw-r--r--tools/python/xen/xend/server/netif.py2
12 files changed, 47 insertions, 37 deletions
diff --git a/.hgignore b/.hgignore
index 42d980bcb0..13ced87e22 100644
--- a/.hgignore
+++ b/.hgignore
@@ -185,7 +185,6 @@
^tools/misc/xenperf$
^tools/pygrub/build/.*$
^tools/python/build/.*$
-^tools/python/xen/util/xsm/xsm\.py$
^tools/security/secpol_tool$
^tools/security/xen/.*$
^tools/security/xensec_tool$
diff --git a/tools/examples/xend-config.sxp b/tools/examples/xend-config.sxp
index 89f9fcae96..5465c39af3 100644
--- a/tools/examples/xend-config.sxp
+++ b/tools/examples/xend-config.sxp
@@ -14,6 +14,10 @@
#(logfile /var/log/xen/xend.log)
#(loglevel DEBUG)
+# Uncomment the line below. Set the value to flask, acm, or dummy to
+# select a security module.
+
+#(xsm_module_name dummy)
# The Xen-API server configuration.
#
diff --git a/tools/python/Makefile b/tools/python/Makefile
index 76603f4880..c2e5c9c318 100644
--- a/tools/python/Makefile
+++ b/tools/python/Makefile
@@ -1,14 +1,6 @@
XEN_ROOT = ../..
include $(XEN_ROOT)/tools/Rules.mk
-XEN_SECURITY_MODULE = dummy
-ifeq ($(FLASK_ENABLE),y)
-XEN_SECURITY_MODULE = flask
-endif
-ifeq ($(ACM_SECURITY),y)
-XEN_SECURITY_MODULE = acm
-endif
-
.PHONY: all
all: build
@@ -23,8 +15,8 @@ CATALOGS = $(patsubst %,xen/xm/messages/%.mo,$(LINGUAS))
NLSDIR = /usr/share/locale
.PHONY: build buildpy
-buildpy: xsm.py
- CC="$(CC)" CFLAGS="$(CFLAGS)" XEN_SECURITY_MODULE="$(XEN_SECURITY_MODULE)" python setup.py build
+buildpy:
+ CC="$(CC)" CFLAGS="$(CFLAGS)" python setup.py build
build: buildpy refresh-pot refresh-po $(CATALOGS)
@@ -61,18 +53,6 @@ refresh-po: $(POTFILE)
%.mo: %.po
$(MSGFMT) -c -o $@ $<
-xsm.py:
- @(set -e; \
- echo "XEN_SECURITY_MODULE = \""$(XEN_SECURITY_MODULE)"\""; \
- echo "from xsm_core import *"; \
- echo ""; \
- echo "import xen.util.xsm."$(XEN_SECURITY_MODULE)"."$(XEN_SECURITY_MODULE)" as xsm_module"; \
- echo ""; \
- echo "xsm_init(xsm_module)"; \
- echo "from xen.util.xsm."$(XEN_SECURITY_MODULE)"."$(XEN_SECURITY_MODULE)" import *"; \
- echo "del xsm_module"; \
- echo "") >xen/util/xsm/$@
-
.PHONY: install
ifndef XEN_PYTHON_NATIVE_INSTALL
install: LIBPATH=$(shell PYTHONPATH=xen/util python -c "import auxbin; print auxbin.libpath()")
@@ -104,4 +84,4 @@ test:
.PHONY: clean
clean:
- rm -rf build *.pyc *.pyo *.o *.a *~ $(CATALOGS) xen/util/xsm/xsm.py xen/util/auxbin.pyc
+ rm -rf build *.pyc *.pyo *.o *.a *~ $(CATALOGS) xen/util/auxbin.pyc
diff --git a/tools/python/xen/util/xsconstants.py b/tools/python/xen/util/xsconstants.py
index deea17194c..29540f0278 100644
--- a/tools/python/xen/util/xsconstants.py
+++ b/tools/python/xen/util/xsconstants.py
@@ -20,8 +20,10 @@ XS_INST_NONE = 0
XS_INST_BOOT = (1 << 0)
XS_INST_LOAD = (1 << 1)
-XS_POLICY_NONE = 0
+XS_POLICY_DUMMY = 0
XS_POLICY_ACM = (1 << 0)
+XS_POLICY_FLASK = (1 << 1)
+XS_POLICY_USE = 0
# Some internal variables used by the Xen-API
ACM_LABEL_VM = (1 << 0)
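Review bot: `XS_POLICY_USE` sits among the constants but is reassigned at import time by the new `xen/util/xsm/xsm.py`, and its initial value 0 is identical to `XS_POLICY_DUMMY`, so any code that reads it before that module has been imported sees "dummy" regardless of the configuration. A comment on the line would make this explicit, for example `# Overwritten by xen.util.xsm.xsm at import with the XS_POLICY_* value of the configured module; 0 (dummy) until then.` The rename of `XS_POLICY_NONE` also deserves a tree-wide search, since any reference outside this diff would now fail with AttributeError.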
diff --git a/tools/python/xen/util/xsm/dummy/dummy.py b/tools/python/xen/util/xsm/dummy/dummy.py
index b82e1b9ff5..5748699ee7 100644
--- a/tools/python/xen/util/xsm/dummy/dummy.py
+++ b/tools/python/xen/util/xsm/dummy/dummy.py
@@ -36,7 +36,7 @@ def err(msg):
raise XSMError(msg)
def on():
- return 0
+ return xsconstants.XS_POLICY_DUMMY
def ssidref2label(ssidref):
return 0
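Review bot: `on()` now references `xsconstants`, but this hunk adds no import for it, unlike the flask.py change in the same commit, which adds `from xen.util import xsconstants`. If dummy.py does not already import that module above the visible lines, every call to `on()` raises NameError, and dummy is the default module. Confirm the import exists or add `from xen.util import xsconstants` at the top of the file.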
diff --git a/tools/python/xen/util/xsm/flask/flask.py b/tools/python/xen/util/xsm/flask/flask.py
index 61106349f2..fc168f8fde 100644
--- a/tools/python/xen/util/xsm/flask/flask.py
+++ b/tools/python/xen/util/xsm/flask/flask.py
@@ -1,5 +1,6 @@
import sys
from xen.lowlevel import flask
+from xen.util import xsconstants
from xen.xend import sxp
#Functions exported through XML-RPC
@@ -12,7 +13,7 @@ def err(msg):
raise XSMError(msg)
def on():
- return 0 #xsconstants.XS_POLICY_FLASK
+ return xsconstants.XS_POLICY_FLASK
def ssidref2label(ssidref):
try:
@@ -37,8 +38,9 @@ def set_security_label(policy, label):
return label
def ssidref2security_label(ssidref):
- return ssidref2label(ssidref)
+ label = ssidref2label(ssidref)
+ return label
def get_security_label(self, xspol=None):
- label = self.info.get('security_label', '')
+ label = self.info['security_label']
return label
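Review bot: `get_security_label` now indexes `self.info['security_label']` directly, so a domain whose info has no such key raises KeyError where the old `.get('security_label', '')` returned an empty label. Unless every caller guarantees the key is present, keep the tolerant lookup, `label = self.info.get('security_label', '')`, or catch the KeyError and report it through `err()`. The change to `ssidref2security_label` only introduces a temporary and does not alter behaviour.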
diff --git a/tools/python/xen/util/xsm/xsm.py b/tools/python/xen/util/xsm/xsm.py
new file mode 100644
index 0000000000..e2639c0d66
--- /dev/null
+++ b/tools/python/xen/util/xsm/xsm.py
@@ -0,0 +1,19 @@
+import sys
+import string
+from xen.xend import XendOptions
+from xen.util import xsconstants
+from xsm_core import xsm_init
+
+xoptions = XendOptions.instance()
+xsm_module_name = xoptions.get_xsm_module_name()
+
+xsconstants.XS_POLICY_USE = eval("xsconstants.XS_POLICY_"+string.upper(xsm_module_name))
+
+xsm_module_path = "xen.util.xsm." + xsm_module_name + "." + xsm_module_name
+xsm_module = __import__(xsm_module_path, globals(), locals(), ['*'], -1)
+
+xsm_init(xsm_module)
+
+for op in dir(xsm_module):
+ if not hasattr(sys.modules[__name__], op):
+ setattr(sys.modules[__name__], op, getattr(xsm_module, op, None))
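Review bot: The configured `xsm_module_name` reaches `eval()` and the dotted path given to `__import__` without any validation, so the value from xend-config.sxp is interpreted as Python source and a typo surfaces only as an obscure error while this module is being imported. Check the name against the supported set (flask, acm and dummy, per the example config) and resolve the constant with `getattr` instead of `eval`, failing with a clear message so xend does not start with an unintended module. Separately, the closing loop re-exports every name in `dir(xsm_module)`, including that module's own imports; limiting it to an explicit list of policy functions would keep the namespace predictable.

```python
xsm_module_name = xoptions.get_xsm_module_name()

# Accept only the modules named in the example xend-config.sxp.
_SUPPORTED_XSM_MODULES = ('dummy', 'acm', 'flask')
if xsm_module_name not in _SUPPORTED_XSM_MODULES:
    raise ValueError("unsupported xsm_module_name %r in xend configuration"
                     % (xsm_module_name,))

xsconstants.XS_POLICY_USE = getattr(
    xsconstants, "XS_POLICY_" + xsm_module_name.upper())

# … unchanged: __import__ of the module, xsm_init() and attribute re-export …
```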
diff --git a/tools/python/xen/xend/XendConfig.py b/tools/python/xen/xend/XendConfig.py
index f14a94eecf..706d6e6e0b 100644
--- a/tools/python/xen/xend/XendConfig.py
+++ b/tools/python/xen/xend/XendConfig.py
@@ -729,7 +729,7 @@ class XendConfig(dict):
self.parse_cpuid(cfg, 'cpuid_check')
import xen.util.xsm.xsm as security
- if security.on() == xsconstants.XS_POLICY_ACM:
+ if security.on() == xsconstants.XS_POLICY_USE:
from xen.util.acmpolicy import ACM_LABEL_UNLABELED
if not 'security' in cfg and sxp.child_value(sxp_cfg, 'security'):
cfg['security'] = sxp.child_value(sxp_cfg, 'security')
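Review bot: Comparing `security.on()` with `XS_POLICY_USE` is always true for the dummy and flask modules as changed in this commit, because each `on()` returns its own `XS_POLICY_*` constant and xsm.py sets `XS_POLICY_USE` to that same constant. Here that means the ACM-specific block, which imports `ACM_LABEL_UNLABELED` from `xen.util.acmpolicy`, now also runs under dummy and flask; this branch should probably stay `if security.on() == xsconstants.XS_POLICY_ACM:`. The same comparison is introduced in XendDomainInfo.py, blkif.py and netif.py, where `if security.on() != xsconstants.XS_POLICY_DUMMY:` would state the intent directly if the goal is "any real module is active". The enclosing method starts and ends outside this hunk.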
diff --git a/tools/python/xen/xend/XendDomainInfo.py b/tools/python/xen/xend/XendDomainInfo.py
index 271e8acc94..3cbdc03287 100644
--- a/tools/python/xen/xend/XendDomainInfo.py
+++ b/tools/python/xen/xend/XendDomainInfo.py
@@ -2069,7 +2069,7 @@ class XendDomainInfo:
balloon.free(2*1024) # 2MB should be plenty
ssidref = 0
- if security.on() == xsconstants.XS_POLICY_ACM:
+ if security.on() == xsconstants.XS_POLICY_USE:
ssidref = security.calc_dom_ssidref_from_info(self.info)
if security.has_authorization(ssidref) == False:
raise VmError("VM is not authorized to run.")
@@ -2855,10 +2855,6 @@ class XendDomainInfo:
info["maxmem_kb"] = XendNode.instance() \
.physinfo_dict()['total_memory'] * 1024
- #ssidref field not used any longer
- if 'ssidref' in info:
- info.pop('ssidref')
-
# make sure state is reset for info
# TODO: we should eventually get rid of old_dom_states
diff --git a/tools/python/xen/xend/XendOptions.py b/tools/python/xen/xend/XendOptions.py
index 707892f90e..350f20736c 100644
--- a/tools/python/xen/xend/XendOptions.py
+++ b/tools/python/xen/xend/XendOptions.py
@@ -132,6 +132,9 @@ class XendOptions:
"""Default script to configure a backend network interface"""
vif_script = osdep.vif_script
+ """Default Xen Security Module"""
+ xsm_module_default = 'dummy'
+
"""Default rotation count of qemu-dm log file."""
qemu_dm_logrotate_count = 10
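Review bot: The default of `'dummy'` makes module selection fail open: before this commit the Makefile fixed flask or acm at build time through `FLASK_ENABLE`/`ACM_SECURITY`, whereas now a host whose xend-config.sxp lacks `xsm_module_name` loads dummy, presumably the no-op module, without any message. I would state this in the docstring, e.g. `"""Default Xen Security Module; hosts using flask or acm must set xsm_module_name in xend-config.sxp."""`. Logging the value returned by `get_xsm_module_name()` (added further down in this file) at startup would also make the active module visible to operators.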
@@ -427,6 +430,11 @@ class XendOptionsFile(XendOptions):
return self.get_config_value('xen-api-server',
self.xen_api_server_default)
+ def get_xsm_module_name(self):
+ """Get the Xen Security Module name.
+ """
+ return self.get_config_string('xsm_module_name', self.xsm_module_default)
+
if os.uname()[0] == 'SunOS':
class XendOptionsSMF(XendOptions):
diff --git a/tools/python/xen/xend/server/blkif.py b/tools/python/xen/xend/server/blkif.py
index 87f03d1779..28ddf5f95d 100644
--- a/tools/python/xen/xend/server/blkif.py
+++ b/tools/python/xen/xend/server/blkif.py
@@ -78,7 +78,7 @@ class BlkifController(DevController):
if uuid:
back['uuid'] = uuid
- if security.on() == xsconstants.XS_POLICY_ACM:
+ if security.on() == xsconstants.XS_POLICY_USE:
self.do_access_control(config, uname)
(device_path, devid) = blkif.blkdev_name_to_number(dev)
diff --git a/tools/python/xen/xend/server/netif.py b/tools/python/xen/xend/server/netif.py
index 9aa7503aff..939f127c40 100644
--- a/tools/python/xen/xend/server/netif.py
+++ b/tools/python/xen/xend/server/netif.py
@@ -156,7 +156,7 @@ class NetifController(DevController):
front = { 'handle' : "%i" % devid,
'mac' : mac }
- if security.on() == xsconstants.XS_POLICY_ACM:
+ if security.on() == xsconstants.XS_POLICY_USE:
self.do_access_control(config)
return (devid, back, front)