xen-changelog

[Xen-changelog] [xen-unstable] [ACM] Fix the resource representations in

To: xen-changelog@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-changelog] [xen-unstable] [ACM] Fix the resource representations in the resource_label
From: Xen patchbot-unstable <patchbot-unstable@xxxxxxxxxxxxxxxxxxx>
Date: Wed, 18 Oct 2006 19:20:17 +0000
Delivery-date: Wed, 18 Oct 2006 12:20:49 -0700
Reply-to: xen-devel@xxxxxxxxxxxxxxxxxxx
Sender: xen-changelog-bounces@xxxxxxxxxxxxxxxxxxx
# HG changeset patch
# User kfraser@xxxxxxxxxxxxxxxxxxxxx
# Node ID 58144f4b102c284324d55d82d1c1c4cefcf76f42
# Parent  bae52f5cc421496e7e293d3fa3f6165a7c7780a5
[ACM] Fix the resource representations in the resource_label
file. Without this patch, multiple representations of the same
resource can co-exist in the resource label file and lead to errors
during operation.

Ensures that all resource file names are stored with absolute
path names and are unique. When setting labels of phy-resources, relative
paths will automatically be prepended with '/dev/'; labeling
file-resources with relative paths will raise an error.

Signed-off by: Reiner Sailer <sailer@xxxxxxxxxx>
---
 tools/python/xen/util/security.py |   22 ++++++++++++++++++++++
 tools/python/xen/xm/addlabel.py   |    9 ++-------
 tools/python/xen/xm/getlabel.py   |    3 +++
 tools/python/xen/xm/rmlabel.py    |    3 +++
 4 files changed, 30 insertions(+), 7 deletions(-)

diff -r bae52f5cc421 -r 58144f4b102c tools/python/xen/util/security.py
--- a/tools/python/xen/util/security.py Wed Oct 18 17:54:06 2006 +0100
+++ b/tools/python/xen/util/security.py Wed Oct 18 17:54:58 2006 +0100
@@ -596,11 +596,33 @@ def get_res_security_details(resource):
     return (label, ssidref, policy)
 
 
+def unify_resname(resource):
+    """Makes all resource locations absolute. In case of physical
+    resources, '/dev/' is added to local file names"""
+
+    # sanity check on resource name
+    (type, resfile) = resource.split(":")
+    if type == "phy":
+        if not resfile.startswith("/"):
+            resfile = "/dev/" + resfile
+
+    #file: resources must specified with absolute path
+    if (not resfile.startswith("/")) or (not os.path.exists(resfile)):
+        err("Invalid resource.")
+
+    # from here on absolute file names with resources
+    resource = type + ":" + resfile
+    return resource
+
+
 def res_security_check(resource, domain_label):
     """Checks if the given resource can be used by the given domain
        label.  Returns 1 if the resource can be used, otherwise 0.
     """
     rtnval = 1
+
+    #build canonical resource name
+    resource = unify_resname(resource)
 
     # if security is on, ask the hypervisor for a decision
     if on():
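
Review bot: in unify_resname the name is made absolute but never normalized, so the uniqueness the commit message promises does not hold: `phy:/dev/sda1`, `phy:/dev//sda1`, `phy:/dev/./sda1` and a symlink to the same device all pass the `startswith("/")` and `os.path.exists` checks and remain distinct strings. res_security_check and the xm label commands all depend on this string matching, so consider passing `resfile` through `os.path.normpath` (or `os.path.realpath` if symlinks should collapse to one entry) before rebuilding `resource`. Separately, `(type, resfile) = resource.split(":")` raises ValueError for a name with no colon or more than one, `type` shadows the builtin, and any type other than "phy" is silently handled as a file resource; `split(":", 1)` plus an explicit check of the type would turn those cases into the same "Invalid resource" error. The comment "must specified" is missing "be".
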
diff -r bae52f5cc421 -r 58144f4b102c tools/python/xen/xm/addlabel.py
--- a/tools/python/xen/xm/addlabel.py   Wed Oct 18 17:54:06 2006 +0100
+++ b/tools/python/xen/xm/addlabel.py   Wed Oct 18 17:54:58 2006 +0100
@@ -72,13 +72,8 @@ def add_resource_label(label, resource, 
     # sanity check: make sure this label can be instantiated later on
     ssidref = security.label2ssidref(label, policyref, 'res')
 
-    # sanity check on resource name
-    (type, file) = resource.split(":")
-    if type == "phy":
-        file = "/dev/" + file
-    if not os.path.exists(file):
-        print "Invalid resource '"+resource+"'"
-        return
+    #build canonical resource name
+    resource = security.unify_resname(resource)
 
     # see if this resource is already in the file
     access_control = {}
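
Review bot: the removed check printed the offending name and returned, while the replacement call relies on err() inside unify_resname both to report and to stop, and its message ("Invalid resource.") no longer says which resource was rejected. Confirm that err() raises rather than returns (its definition is not in this diff), because otherwise unify_resname falls through and hands back a name for a non-existent file, and include the resource name in the message. If `os` was imported in addlabel.py only for the removed `os.path.exists` call, the import can be dropped.
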
diff -r bae52f5cc421 -r 58144f4b102c tools/python/xen/xm/getlabel.py
--- a/tools/python/xen/xm/getlabel.py   Wed Oct 18 17:54:06 2006 +0100
+++ b/tools/python/xen/xm/getlabel.py   Wed Oct 18 17:54:58 2006 +0100
@@ -33,6 +33,9 @@ def get_resource_label(resource):
 def get_resource_label(resource):
     """Gets the resource label
     """
+    #build canonical resource name
+    resource = security.unify_resname(resource)
+
     # read in the resource file
     file = security.res_label_filename
     try:
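
Review bot: canonicalizing the lookup key at the top of get_resource_label changes what matches entries already present in the resource label file. The old add_resource_label prefixed '/dev/' only on its local `file` variable for the existence check and left `resource` as typed, so a file written before this patch may hold keys (for example a relative phy name) that the canonical form will no longer find. A one-time migration or a fallback lookup on the original string, or at least a note in the commit message, would avoid existing labels appearing to be missing.
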
diff -r bae52f5cc421 -r 58144f4b102c tools/python/xen/xm/rmlabel.py
--- a/tools/python/xen/xm/rmlabel.py    Wed Oct 18 17:54:06 2006 +0100
+++ b/tools/python/xen/xm/rmlabel.py    Wed Oct 18 17:54:58 2006 +0100
@@ -37,6 +37,9 @@ def rm_resource_label(resource):
 def rm_resource_label(resource):
     """Removes a resource label from the global resource label file.
     """
+    #build canonical resource name
+    resource = security.unify_resname(resource)
+
     # read in the resource file
     file = security.res_label_filename
     try:
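
Review bot: unify_resname rejects any name whose file does not exist, so with this call at the top of rm_resource_label a label can no longer be removed once its backing file or device is gone, and the stale entry stays in the global resource label file. For removal, consider a form of the canonicalization that skips the `os.path.exists` test, for example an optional parameter on unify_resname.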
