diff options
Diffstat (limited to 'tools')
-rw-r--r-- | tools/python/xen/util/acmpolicy.py | 32 | ||||
-rw-r--r-- | tools/python/xen/util/security.py | 8 | ||||
-rw-r--r-- | tools/python/xen/xend/XendDomainInfo.py | 2 | ||||
-rw-r--r-- | tools/python/xen/xend/server/blkif.py | 27 | ||||
-rw-r--r-- | tools/python/xen/xm/main.py | 3 | ||||
-rw-r--r-- | tools/security/xensec_ezpolicy | 7 |
6 files changed, 53 insertions, 26 deletions
diff --git a/tools/python/xen/util/acmpolicy.py b/tools/python/xen/util/acmpolicy.py index 277e6b49fa..5577193a76 100644 --- a/tools/python/xen/util/acmpolicy.py +++ b/tools/python/xen/util/acmpolicy.py @@ -47,6 +47,9 @@ ACM_POLICY_UNDEFINED = 15 ACM_SCHEMA_FILE = "/etc/xen/acm-security/policies/security_policy.xsd" +ACM_LABEL_UNLABELED = "__UNLABELED__" +ACM_LABEL_UNLABELED_DISPLAY = "unlabeled" + class ACMPolicy(XSPolicy): """ ACMPolicy class. Implements methods for getting information from @@ -925,11 +928,13 @@ class ACMPolicy(XSPolicy): return -xsconstants.XSERR_POLICY_INCONSISTENT, "", "" vms_with_chws = [] - chws_by_vm = {} + chws_by_vm = { ACM_LABEL_UNLABELED : [] } for v in vms: if v.has_key("chws"): vms_with_chws.append(v["name"]) chws_by_vm[v["name"]] = v["chws"] + + if bootstrap in vms_with_chws: vms_with_chws.remove(bootstrap) vms_with_chws.sort() @@ -937,12 +942,16 @@ class ACMPolicy(XSPolicy): else: vms_with_chws.sort() + if ACM_LABEL_UNLABELED in vms_with_chws: + vms_with_chws.remove(ACM_LABEL_UNLABELED) ; # @1 + vms_with_stes = [] - stes_by_vm = {} + stes_by_vm = { ACM_LABEL_UNLABELED : [] } for v in vms: if v.has_key("stes"): vms_with_stes.append(v["name"]) stes_by_vm[v["name"]] = v["stes"] + if bootstrap in vms_with_stes: vms_with_stes.remove(bootstrap) vms_with_stes.sort() @@ -950,6 +959,9 @@ class ACMPolicy(XSPolicy): else: vms_with_stes.sort() + if ACM_LABEL_UNLABELED in vms_with_stes: + vms_with_stes.remove(ACM_LABEL_UNLABELED) ; # @2 + resnames = self.policy_get_resourcelabel_names() resnames.sort() stes_by_res = {} @@ -958,6 +970,9 @@ class ACMPolicy(XSPolicy): if r.has_key("stes"): stes_by_res[r["name"]] = r["stes"] + if ACM_LABEL_UNLABELED in resnames: + resnames.remove(ACM_LABEL_UNLABELED) + max_chw_ssids = 1 + len(vms_with_chws) max_chw_types = 1 + len(vms_with_chws) max_ste_ssids = 1 + len(vms_with_stes) + len(resnames) @@ -1083,6 +1098,8 @@ class ACMPolicy(XSPolicy): pr_bin += "\x00" # Build chinese wall part + vms_with_chws.insert(0, ACM_LABEL_UNLABELED) + cfses_names = self.policy_get_chwall_cfses_names_sorted() cfses = self.policy_get_chwall_cfses() @@ -1105,9 +1122,7 @@ class ACMPolicy(XSPolicy): chw_running_types_offset, chw_conf_agg_offset) chw_bin_body = "" - # simulate __NULL_LABEL__ - for c in chws: - chw_bin_body += struct.pack("!h",0) + # VMs that are listed and their chinese walls for v in vms_with_chws: for c in chws: @@ -1143,6 +1158,8 @@ class ACMPolicy(XSPolicy): chw_bin += "\x00" # Build STE part + vms_with_stes.insert(0, ACM_LABEL_UNLABELED) # Took out in @2 + steformat="!iiiii" ste_bin = struct.pack(steformat, ACM_STE_VERSION, @@ -1152,10 +1169,7 @@ class ACMPolicy(XSPolicy): struct.calcsize(steformat)) ste_bin_body = "" if stes: - # Simulate __NULL_LABEL__ - for s in stes: - ste_bin_body += struct.pack("!h",0) - # VMs that are listed and their chinese walls + # VMs that are listed and their STE types for v in vms_with_stes: unknown_ste |= (set(stes_by_vm[v]) - set(stes)) for s in stes: diff --git a/tools/python/xen/util/security.py b/tools/python/xen/util/security.py index 47d51cb20a..9452687336 100644 --- a/tools/python/xen/util/security.py +++ b/tools/python/xen/util/security.py @@ -155,7 +155,7 @@ def calc_dom_ssidref_from_info(info): ssidref = label2ssidref(vmlabel, policyname, "dom") return ssidref else: - return 0 + return 0x0 raise VmError("security.calc_dom_ssidref_from_info: info of type '%s'" "not supported." % type(info)) @@ -232,6 +232,10 @@ def ssidref2label(ssidref_var): else: err("Instance type of ssidref not supported (must be of type 'str' or 'int')") + if ssidref == 0: + from xen.util.acmpolicy import ACM_LABEL_UNLABELED + return ACM_LABEL_UNLABELED + try: mapfile_lock() @@ -867,7 +871,7 @@ def get_domain_resources(dominfo): resources[typ].append("%s:%s:%s" % (xsconstants.ACM_POLICY_ID, active_policy, - "unlabeled")) + ACM_LABEL_UNLABELED)) return resources diff --git a/tools/python/xen/xend/XendDomainInfo.py b/tools/python/xen/xend/XendDomainInfo.py index 9d57d15b33..0d3a8ea055 100644 --- a/tools/python/xen/xend/XendDomainInfo.py +++ b/tools/python/xen/xend/XendDomainInfo.py @@ -1463,8 +1463,6 @@ class XendDomainInfo: ssidref = 0 if security.on(): ssidref = security.calc_dom_ssidref_from_info(self.info) - if ssidref == 0: - raise VmError('VM is not properly labeled.') if security.has_authorization(ssidref) == False: raise VmError("VM is not authorized to run.") diff --git a/tools/python/xen/xend/server/blkif.py b/tools/python/xen/xend/server/blkif.py index 31089b704c..62512a4cd9 100644 --- a/tools/python/xen/xend/server/blkif.py +++ b/tools/python/xen/xend/server/blkif.py @@ -73,17 +73,7 @@ class BlkifController(DevController): back['uuid'] = uuid if security.on(): - (label, ssidref, policy) = \ - security.get_res_security_details(uname) - domain_label = self.vm.get_security_label() - if domain_label: - rc = security.res_security_check_xapi(label, ssidref, policy, - domain_label) - if rc == 0: - raise VmError("VM's access to block device '%s' denied." % - uname) - else: - raise VmError("VM must have a security label.") + self.do_access_control(config, uname) devid = blkif.blkdev_name_to_number(dev) if devid is None: @@ -95,6 +85,21 @@ class BlkifController(DevController): return (devid, back, front) + def do_access_control(self, config, uname): + (label, ssidref, policy) = \ + security.get_res_security_details(uname) + domain_label = self.vm.get_security_label() + if domain_label: + rc = security.res_security_check_xapi(label, ssidref, policy, + domain_label) + if rc == 0: + raise VmError("VM's access to block device '%s' denied" % + uname) + else: + from xen.util.acmpolicy import ACM_LABEL_UNLABELED + if label != ACM_LABEL_UNLABELED: + raise VmError("VM must have a security label to access " + "block device '%s'" % uname) def reconfigureDevice(self, _, config): """@see DevController.reconfigureDevice""" diff --git a/tools/python/xen/xm/main.py b/tools/python/xen/xm/main.py index 9bd95605c7..59210dc526 100644 --- a/tools/python/xen/xm/main.py +++ b/tools/python/xen/xm/main.py @@ -51,6 +51,7 @@ from xen.xm.opts import OptionError, Opts, wrap, set_true from xen.xm import console from xen.util.xmlrpcclient import ServerProxy from xen.util.security import ACMError +from xen.util.acmpolicy import ACM_LABEL_UNLABELED_DISPLAY import XenAPI @@ -947,7 +948,7 @@ def xm_label_list(doms): d = parse_doms_info(dom) if security.active_policy not in ['INACTIVE', 'NULL', 'DEFAULT']: if not d['seclabel']: - d['seclabel'] = 'ERROR' + d['seclabel'] = ACM_LABEL_UNLABELED_DISPLAY elif security.active_policy in ['DEFAULT']: d['seclabel'] = 'DEFAULT' else: diff --git a/tools/security/xensec_ezpolicy b/tools/security/xensec_ezpolicy index 458ff556f2..550196f774 100644 --- a/tools/security/xensec_ezpolicy +++ b/tools/security/xensec_ezpolicy @@ -36,6 +36,8 @@ conflict_bmp = None realm_icon = None workload_icon = None +ACM_LABEL_UNLABELED = '__UNLABELED__' + class orgTreeCtrl(wx.TreeCtrl): event = None @@ -870,7 +872,8 @@ class ezFrame(wx.Frame): self.realm_menu.Enable(self.ID_ORGDEL, True) self.realm_menu.Enable(self.ID_ORGEDT, True) self.realm_menu.Enable(self.ID_ORGADD, True) - if len(self.orgs.GetSelections()) > 1: + if len(self.orgs.GetSelections()) > 1 or \ + ACM_LABEL_UNLABELED == self.orgs.GetItemText(item): self.realm_menu.Enable(self.ID_ORGEDT, False) self.realm_menu.Enable(self.ID_ORGADD, False) self.PopupMenu(self.realm_menu) @@ -1622,6 +1625,8 @@ def main(): app = ezApp(0) if len(sys.argv) in [2]: app.Load(sys.argv[1]) + else: + dict2org({'orgs' : [[ACM_LABEL_UNLABELED,[]]], 'cons': []}) app.MainLoop() print "Goodbye" |