[Xen-changelog] [xen-unstable] [ACM-security] Some fixes to tools.

To: xen-changelog@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-changelog] [xen-unstable] [ACM-security] Some fixes to tools.
From: Xen patchbot-unstable <patchbot-unstable@xxxxxxxxxxxxxxxxxxx>
Date: Fri, 27 Jul 2007 03:01:20 -0700
Delivery-date: Fri, 27 Jul 2007 02:59:25 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-changelog-request@lists.xensource.com?subject=help>
List-id: BK change log <xen-changelog.lists.xensource.com>
List-post: <mailto:xen-changelog@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=unsubscribe>
Reply-to: xen-devel@xxxxxxxxxxxxxxxxxxx
Sender: xen-changelog-bounces@xxxxxxxxxxxxxxxxxxx
# HG changeset patch
# User kfraser@xxxxxxxxxxxxxxxxxxxxx
# Date 1184252848 -3600
# Node ID 23a171f65b158eb54095808c935e6dad9e3cb290
# Parent  48c8244c47c7506f68b5fba02ca82bf3fbd35553
[ACM-security] Some fixes to tools.

- Allow multiple ChineseWallTypes in a VM label
- check for surfacing exceptions in the python code
- check for array sizes in the XML DOM in python
- properly display the labels when doing 'xm list --label' in xm's
non-Xen-API mode
- rely on the security checking hooks in xend to check access to the
block interface rather than doing this in xm.

Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxx>
---
 tools/python/xen/util/acmpolicy.py          |   81 ++++++++++++++++------------
 tools/python/xen/util/security.py           |   69 -----------------------
 tools/python/xen/xend/XendConfig.py         |    2 
 tools/python/xen/xm/main.py                 |   30 ++--------
 tools/security/policies/security_policy.xsd |    7 --
 5 files changed, 57 insertions(+), 132 deletions(-)

diff -r 48c8244c47c7 -r 23a171f65b15 tools/python/xen/util/acmpolicy.py
--- a/tools/python/xen/util/acmpolicy.py        Thu Jul 12 16:03:41 2007 +0100
+++ b/tools/python/xen/util/acmpolicy.py        Thu Jul 12 16:07:28 2007 +0100
@@ -57,12 +57,20 @@ class ACMPolicy(XSPolicy):
     def __init__(self, name=None, dom=None, ref=None, xml=None):
         if name:
             self.name = name
-            self.dom = minidom.parse(self.path_from_policy_name(name))
+            try:
+                self.dom = minidom.parse(self.path_from_policy_name(name))
+            except Exception, e:
+                raise SecurityError(-xsconstants.XSERR_XML_PROCESSING,
+                                    str(e))
         elif dom:
             self.dom = dom
             self.name = self.get_name()
         elif xml:
-            self.dom = minidom.parseString(xml)
+            try:
+                self.dom = minidom.parseString(xml)
+            except Exception, e:
+                raise SecurityError(-xsconstants.XSERR_XML_PROCESSING,
+                                    str(e))
             self.name = self.get_name()
         rc = self.validate()
         if rc != xsconstants.XSERR_SUCCESS:
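Review bot: The two new handlers (lines 63-67 and 73-77) catch `Exception`, so an unreadable or missing policy file (an IOError from the path returned by `path_from_policy_name(name)`) is reported with the same `XSERR_XML_PROCESSING` code as a malformed document, and `str(e)` — which for an IOError carries the on-disk path — becomes the message returned to the caller. Catching the parse failure specifically keeps the error code meaningful: `except xml.parsers.expat.ExpatError, e:` (ExpatError is what minidom raises; add `(IOError, ExpatError)` if the file case is meant to map here too), and the message could name the policy rather than echo the exception. The remainder of `__init__` after the `validate()` check lies outside the hunk, so I cannot see whether a missing file is already handled there.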
@@ -481,7 +489,8 @@ class ACMPolicy(XSPolicy):
         strings = []
         i = 0
         while i < len(node.childNodes):
-            if node.childNodes[i].nodeName == "Type":
+            if node.childNodes[i].nodeName == "Type" and \
+               len(node.childNodes[i].childNodes) > 0:
                 strings.append(node.childNodes[i].childNodes[0].nodeValue)
             i += 1
         return strings
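Review bot: The added `len(...) > 0` guard on lines 86-87 makes an empty `<Type/>` element silently disappear from the returned list instead of failing, so a label can end up with fewer types than the policy document declares; for a ChineseWallTypes list that means fewer conflict constraints, i.e. a more permissive result than the author wrote. If the schema is meant to exclude empty Type elements, raising here (`raise SecurityError(-xsconstants.XSERR_XML_PROCESSING, "empty Type element")`) is the safer behaviour; if skipping is deliberate, a comment should say so. The same silent-skip pattern is introduced by the hunks at lines 91, 101, 142, 152, 161 and 170. As a matter of style, the index loop `while i < len(node.childNodes)` could be `for child in node.childNodes:`, which also removes the repeated `node.childNodes[i]` indexing; the enclosing method's signature is outside the hunk.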
@@ -564,7 +573,8 @@ class ACMPolicy(XSPolicy):
             while i < len(node.childNodes):
                 if node.childNodes[i].nodeName == "VirtualMachineLabel":
                     name = self.policy_dom_get(node.childNodes[i], "Name")
-                    strings.append(name.childNodes[0].nodeValue)
+                    if len(name.childNodes) > 0:
+                        strings.append(name.childNodes[0].nodeValue)
                 i += 1
         return strings
 
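Review bot: The guard on line 96 dereferences `name.childNodes` without first checking `name` itself; the sibling `if stes:` / `if chws:` tests in the hunk at line 101 suggest `policy_dom_get` returns a false value when the child is absent, in which case a `VirtualMachineLabel` without a `<Name>` would now raise `AttributeError` rather than be skipped. `if name and len(name.childNodes) > 0:` covers both cases. The same dereference occurs on lines 122, 147, 166 and 186, and on line 155 the `getAttribute("from")` call dereferences `name` before the guard on line 157 is reached. The enclosing method starts outside the hunk.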
@@ -592,23 +602,24 @@ class ACMPolicy(XSPolicy):
             i = 0
             while i < len(node.childNodes):
                 if node.childNodes[i].nodeName == "VirtualMachineLabel":
-                    _res = {}
-                    _res['type'] = xsconstants.ACM_LABEL_VM
                     name = self.policy_dom_get(node.childNodes[i], "Name")
-                    _res['name'] = name.childNodes[0].nodeValue
-                    stes = self.policy_dom_get(node.childNodes[i],
-                                               "SimpleTypeEnforcementTypes")
-                    if stes:
-                        _res['stes'] = self.policy_get_types(stes)
-                    else:
-                        _res['stes'] = []
-                    chws = self.policy_dom_get(node.childNodes[i],
-                                               "ChineseWallTypes")
-                    if chws:
-                        _res['chws'] = self.policy_get_types(chws)
-                    else:
-                        _res['chws'] = []
-                    res.append(_res)
+                    if len(name.childNodes) > 0:
+                        _res = {}
+                        _res['type'] = xsconstants.ACM_LABEL_VM
+                        _res['name'] = name.childNodes[0].nodeValue
+                        stes = self.policy_dom_get(node.childNodes[i],
+                                                 "SimpleTypeEnforcementTypes")
+                        if stes:
+                           _res['stes'] = self.policy_get_types(stes)
+                        else:
+                            _res['stes'] = []
+                        chws = self.policy_dom_get(node.childNodes[i],
+                                                   "ChineseWallTypes")
+                        if chws:
+                            _res['chws'] = self.policy_get_types(chws)
+                        else:
+                            _res['chws'] = []
+                        res.append(_res)
                 i += 1
         return res
 
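Review bot: Line 129 indents the body of `if stes:` by three spaces (`_res['stes'] = self.policy_get_types(stes)`) while the `else:` body on line 131 uses four; Python accepts a single-statement block at any deeper indent, but mixed indentation inside one `if`/`else` is a maintenance hazard and should be normalised to four spaces. Beyond the re-indent under the new `len(name.childNodes) > 0` guard the loop body is unchanged, and the method's signature lies outside the hunk.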
@@ -628,7 +639,8 @@ class ACMPolicy(XSPolicy):
             while i < len(node.childNodes):
                 if node.childNodes[i].nodeName == labeltype:
                     name = self.policy_dom_get(node.childNodes[i], "Name")
-                    if name.childNodes[0].nodeValue == label:
+                    if len(name.childNodes) > 0 and \
+                       name.childNodes[0].nodeValue == label:
                         stes = self.policy_dom_get(node.childNodes[i],
                                             "SimpleTypeEnforcementTypes")
                         if not stes:
@@ -662,7 +674,7 @@ class ACMPolicy(XSPolicy):
                 if node.childNodes[i].nodeName == labeltype:
                     name = self.policy_dom_get(node.childNodes[i], "Name")
                     from_name = name.getAttribute("from")
-                    if from_name:
+                    if from_name and len(name.childNodes) > 0:
                         res.update({from_name : name.childNodes[0].nodeValue})
                 i += 1
         return res
@@ -700,7 +712,7 @@ class ACMPolicy(XSPolicy):
                     name = self.policy_dom_get(node.childNodes[i], "Name")
                     stes = self.policy_dom_get(node.childNodes[i],
                                           "SimpleTypeEnforcementTypes")
-                    if stes:
+                    if stes and len(name.childNodes) > 0:
                         strings.append(name.childNodes[0].nodeValue)
                 i += 1
         return strings
@@ -715,18 +727,19 @@ class ACMPolicy(XSPolicy):
             i = 0
             while i < len(node.childNodes):
                 if node.childNodes[i].nodeName == "ResourceLabel":
-                    _res = {}
-                    _res['type'] = xsconstants.ACM_LABEL_RES
                     name = self.policy_dom_get(node.childNodes[i], "Name")
-                    _res['name'] = name.childNodes[0].nodeValue
-                    stes = self.policy_dom_get(node.childNodes[i],
-                                               "SimpleTypeEnforcementTypes")
-                    if stes:
-                        _res['stes'] = self.policy_get_types(stes)
-                    else:
-                        _res['stes'] = []
-                    _res['chws'] = []
-                    res.append(_res)
+                    if len(name.childNodes) > 0:
+                        _res = {}
+                        _res['type'] = xsconstants.ACM_LABEL_RES
+                        _res['name'] = name.childNodes[0].nodeValue
+                        stes = self.policy_dom_get(node.childNodes[i],
+                                                   
"SimpleTypeEnforcementTypes")
+                        if stes:
+                            _res['stes'] = self.policy_get_types(stes)
+                        else:
+                            _res['stes'] = []
+                        _res['chws'] = []
+                        res.append(_res)
                 i += 1
         return res
 
diff -r 48c8244c47c7 -r 23a171f65b15 tools/python/xen/util/security.py
--- a/tools/python/xen/util/security.py Thu Jul 12 16:03:41 2007 +0100
+++ b/tools/python/xen/util/security.py Thu Jul 12 16:07:28 2007 +0100
@@ -154,75 +154,6 @@ def calc_dom_ssidref_from_info(info):
             return 0
     raise VmError("security.calc_dom_ssidref_from_info: info of type '%s'"
                   "not supported." % type(info))
-
-# Assumes a 'security' info  [security access_control ...] [ssidref ...]
-def get_security_info(info, field):
-    """retrieves security field from self.info['security'])
-    allowed search fields: ssidref, label, policy
-    """
-    if isinstance(info, dict):
-        security = info['security']
-    elif isinstance(info, list):
-        security = sxp.child_value(info, 'security')
-    if not security:
-        if field == 'ssidref':
-            #return default ssid
-            return 0
-        else:
-            err("Security information not found in info struct.")
-
-    if field == 'ssidref':
-        search = 'ssidref'
-    elif field in ['policy', 'label']:
-            search = 'access_control'
-    else:
-        err("Illegal field in get_security_info.")
-
-    for idx in range(0, len(security)):
-        if search != security[idx][0]:
-            continue
-        if search == 'ssidref':
-            return int(security[idx][1])
-        else:
-            for aidx in range(0, len(security[idx])):
-                if security[idx][aidx][0] == field:
-                    return str(security[idx][aidx][1])
-
-    if search == 'ssidref':
-        return 0
-    else:
-        return None
-
-
-def get_security_printlabel(info):
-    """retrieves printable security label from self.info['security']),
-    preferably the label name and otherwise (if label is not specified
-    in config and cannot be found in mapping file) a hex string of the
-    ssidref or none if both not available
-    """
-    try:
-        if not on():
-            return "INACTIVE"
-        if active_policy in ["DEFAULT"]:
-            return "DEFAULT"
-
-        printlabel = get_security_info(info, 'label')
-        if printlabel:
-            return printlabel
-        ssidref = get_security_info(info, 'ssidref')
-        if not ssidref:
-            return None
-        #try to translate ssidref to a label
-        result = ssidref2label(ssidref)
-        if not result:
-            printlabel = "0x%08x" % ssidref
-        else:
-            printlabel = result
-        return printlabel
-    except ACMError:
-        #don't throw an exception in xm list
-        return "ERROR"
-
 
 
 def getmapfile(policyname):
diff -r 48c8244c47c7 -r 23a171f65b15 tools/python/xen/xend/XendConfig.py
--- a/tools/python/xen/xend/XendConfig.py       Thu Jul 12 16:03:41 2007 +0100
+++ b/tools/python/xen/xend/XendConfig.py       Thu Jul 12 16:07:28 2007 +0100
@@ -636,6 +636,8 @@ class XendConfig(dict):
                 except ValueError, e:
                     raise XendConfigError('cpus = %s: %s' % (cfg['cpus'], e))
 
+        if not 'security' in cfg and sxp.child_value(sxp_cfg, 'security'):
+            cfg['security'] = sxp.child_value(sxp_cfg, 'security')
         if 'security' in cfg and not cfg.get('security_label'):
             secinfo = cfg['security']
             if isinstance(secinfo, list):
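Review bot: `if not 'security' in cfg and sxp.child_value(sxp_cfg, 'security'):` on line 288 evaluates `sxp.child_value` twice (once in the test, again on line 289) and uses the non-idiomatic `not ... in` form; `if 'security' not in cfg:` followed by a single `child_value` lookup bound to a local is clearer. A short why-comment would also help, since the purpose appears to be feeding the `security_label` derivation on line 290, e.g. `# SXP configs may carry 'security' without 'security_label'; copy it so the label can be derived below` — hedged, as only part of that branch is visible. The enclosing method starts and ends outside the hunk.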
diff -r 48c8244c47c7 -r 23a171f65b15 tools/python/xen/xm/main.py
--- a/tools/python/xen/xm/main.py       Thu Jul 12 16:03:41 2007 +0100
+++ b/tools/python/xen/xm/main.py       Thu Jul 12 16:07:28 2007 +0100
@@ -870,17 +870,13 @@ def parse_doms_info(info):
         'up_time'  : up_time
         }
 
-    if serverType != SERVER_XEN_API:
-        from xen.util import security
-        parsed_info['seclabel'] = security.get_security_printlabel(info)
-    else:
-        label = get_info('security_label', unicode, '')
-        tmp = label.split(":")
-        if len(tmp) != 3:
-            label = ""
-        else:
-            label = tmp[2]
-        parsed_info['seclabel'] = label
+    security_label = get_info('security_label', str, '')
+    tmp = security_label.split(":")
+    if len(tmp) != 3:
+        seclabel = ""
+    else:
+        seclabel = tmp[2]
+    parsed_info['seclabel'] = seclabel
 
     if serverType == SERVER_XEN_API:
         parsed_info['mem'] = get_info('memory_actual', int, 0) / 1024
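Review bot: Lines 311-317 now derive the label column from `security_label` for both server types and display an empty string whenever the value is absent or not of the form `a:b:c`; the removed branch distinguished "INACTIVE", "DEFAULT" and "ERROR" from a genuinely unlabelled domain, so an operator running `xm list --label` can no longer tell an unlabelled domain from a missing or malformed security value. If collapsing those cases is intended, a comment on line 311 should state the expected format, e.g. `# security_label is 'policytype:policy:label'; anything else is shown as unlabelled`. The switch of the conversion type from `unicode` to `str` is also worth a sentence in the description — hedged, since `get_info` is not visible here. `parse_doms_info` starts outside the hunk.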
@@ -2047,18 +2043,6 @@ def parse_block_configuration(args):
            ['mode',  args[3]]]
     if len(args) == 5:
         vbd.append(['backend', args[4]])
-
-    if serverType != SERVER_XEN_API:
-        # verify that policy permits attaching this resource
-        from xen.util import security
-    
-        if security.on():
-            dominfo = server.xend.domain(dom)
-            label = security.get_security_printlabel(dominfo)
-        else:
-            label = None
-
-        security.res_security_check(args[1], label)
 
     return (dom, vbd)
 
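Review bot: Lines 325-336 remove the only client-side check that the domain's label permits attaching the resource named by `args[1]`, and nothing in this patch adds a server-side equivalent; the commit message states that xend's security hooks already cover it, but that cannot be confirmed from this diff. Because a missing hook would mean block-device attachment is no longer checked against the policy at all, a one-line comment at the removal point recording where enforcement now lives would help the next reader, e.g. `# resource label access is enforced by xend's security hooks at attach time, not here`. `parse_block_configuration` starts outside the hunk.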
diff -r 48c8244c47c7 -r 23a171f65b15 tools/security/policies/security_policy.xsd
--- a/tools/security/policies/security_policy.xsd       Thu Jul 12 16:03:41 
2007 +0100
+++ b/tools/security/policies/security_policy.xsd       Thu Jul 12 16:07:28 
2007 +0100
@@ -99,7 +99,7 @@
                        <xsd:sequence>
                                <xsd:element name="Name" 
type="NameWithFrom"></xsd:element>
                                <xsd:element ref="SimpleTypeEnforcementTypes" 
minOccurs="0" maxOccurs="unbounded" />
-                               <xsd:element name="ChineseWallTypes" 
type="SingleChineseWallType" />
+                               <xsd:element ref="ChineseWallTypes" 
minOccurs="0" maxOccurs="unbounded" />
                        </xsd:sequence>
                </xsd:complexType>
        </xsd:element>
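Review bot: Lines 353-354 switch `ChineseWallTypes` to `ref=` with `minOccurs="0"`, which makes the element optional in a VirtualMachineLabel as well as repeatable, whereas the description only mentions allowing multiple; the Python side tolerates absence (`_res['chws'] = []` in the acmpolicy hunk at line 101), so the two agree, but if every VM label is expected to carry at least one ChineseWallTypes element the lower bound should stay at 1. `ref="ChineseWallTypes"` also requires a global element declaration of that name elsewhere in the schema, which this diff does not show — hedged, but worth confirming the schema still loads and that an existing policy with a single ChineseWallTypes element still validates.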
@@ -143,9 +143,4 @@
                        <xsd:element maxOccurs="1" minOccurs="1" ref="Type" />
                </xsd:sequence>
        </xsd:complexType>
-       <xsd:complexType name="SingleChineseWallType">
-               <xsd:sequence>
-                       <xsd:element maxOccurs="1" minOccurs="1" ref="Type" />
-               </xsd:sequence>
-       </xsd:complexType>
 </xsd:schema>
