WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-changelog

[Xen-changelog] [xen-unstable] [Xm-Test] Additional tests for the xm-tes

To: xen-changelog@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-changelog] [xen-unstable] [Xm-Test] Additional tests for the xm-test suite
From: Xen patchbot-unstable <patchbot-unstable@xxxxxxxxxxxxxxxxxxx>
Date: Fri, 27 Jul 2007 03:09:15 -0700
Delivery-date: Fri, 27 Jul 2007 03:07:23 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-changelog-request@lists.xensource.com?subject=help>
List-id: BK change log <xen-changelog.lists.xensource.com>
List-post: <mailto:xen-changelog@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=unsubscribe>
Reply-to: xen-devel@xxxxxxxxxxxxxxxxxxx
Sender: xen-changelog-bounces@xxxxxxxxxxxxxxxxxxx
# HG changeset patch
# User kfraser@xxxxxxxxxxxxxxxxxxxxx
# Date 1184749717 -3600
# Node ID 7ef821ff6d89d43afcbaf7e60e42e9a14306bbc0
# Parent  4197a1aad70bc567278a80a2225c87950d910095
[Xm-Test] Additional tests for the xm-test suite

This adds a couple of test cases exercising the new policy management
functionality to the security tests.

Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxx>
---
 tools/xm-test/lib/XmTestLib/XenAPIDomain.py                      |    4 
 tools/xm-test/lib/XmTestLib/acm.py                               |   52 +
 tools/xm-test/tests/security-acm/01_security-acm_basic.py        |   24 
 tools/xm-test/tests/security-acm/07_security-acm_pol_update.py   |  303 +++++++
 tools/xm-test/tests/security-acm/08_security-acm_xapi.py         |  354 
++++++++
 tools/xm-test/tests/security-acm/09_security-acm_pol_update.py   |  427 
++++++++++
 tools/xm-test/tests/security-acm/Makefile.am                     |    5 
 tools/xm-test/tests/security-acm/xm-test-new-security_policy.xml |   97 ++
 8 files changed, 1247 insertions(+), 19 deletions(-)

diff -r 4197a1aad70b -r 7ef821ff6d89 tools/xm-test/lib/XmTestLib/XenAPIDomain.py
--- a/tools/xm-test/lib/XmTestLib/XenAPIDomain.py       Wed Jul 18 10:04:46 
2007 +0100
+++ b/tools/xm-test/lib/XmTestLib/XenAPIDomain.py       Wed Jul 18 10:08:37 
2007 +0100
@@ -23,6 +23,7 @@ import sys
 import sys
 from XmTestLib import *
 from types import DictType
+from acm import *
 
 
 class XenAPIConfig:
@@ -38,6 +39,9 @@ class XenAPIConfig:
                            'kernel' : 'PV_kernel',
                            'ramdisk': 'PV_ramdisk',
                            'root'   : 'PV_args'}
+        if isACMEnabled():
+            #A default so every VM can start with ACM enabled
+            self.opts["security_label"] = "ACM:xm-test:red"
 
     def setOpt(self, name, value):
         """Set an option in the config"""
diff -r 4197a1aad70b -r 7ef821ff6d89 tools/xm-test/lib/XmTestLib/acm.py
--- a/tools/xm-test/lib/XmTestLib/acm.py        Wed Jul 18 10:04:46 2007 +0100
+++ b/tools/xm-test/lib/XmTestLib/acm.py        Wed Jul 18 10:08:37 2007 +0100
@@ -19,6 +19,9 @@
 """
 from Test import *
 from xen.util import security
+from xen.xm.main import server
+from xen.util import xsconstants
+import re
 
 try:
     from acm_config import *
@@ -32,16 +35,47 @@ def isACMEnabled():
     return security.on()
 
 
+def getSystemPolicyName():
+    s,o = traceCommand("xm getpolicy")
+    m = re.compile("Policy name[\s]*: ([A-z\-]+)").search(o)
+    if m:
+        polname = m.group(1)
+        return polname
+    return ""
+
+
+def ACMLoadPolicy_XenAPI(policy='xm-test'):
+    polname = getSystemPolicyName()
+    if polname != policy:
+        # Try it, maybe it's not activated
+        traceCommand("xm setpolicy %s %s" %
+                     (xsconstants.XS_POLICY_ACM, policy))
+        polname = getSystemPolicyName()
+        if polname != policy:
+            FAIL("Need to have a system with no or policy '%s' active, "
+                 "not %s" % (policy,polname))
+        else:
+            s, o = traceCommand("xm activatepolicy --load")
+    else:
+        s, o = traceCommand("xm activatepolicy --load")
+        if not re.search("Successfully", o):
+            FAIL("Could not set the policy '%s'." % policy)
+
+
 def ACMLoadPolicy(policy='xm-test'):
-    s, o = traceCommand("xm makepolicy %s" % (policy))
-    if s != 0:
-        FAIL("Need to be able to do 'xm makepolicy %s' but could not" %
-             (policy))
-    s, o = traceCommand("xm loadpolicy %s" % (policy))
-    if s != 0:
-        FAIL("Could not load the required policy '%s'.\n"
-             "Start the system without any policy.\n%s" %
-             (policy, o))
+    from xen.xm import main
+    if main.serverType == main.SERVER_XEN_API:
+        ACMLoadPolicy_XenAPI()
+    else:
+        s, o = traceCommand("xm makepolicy %s" % (policy))
+        if s != 0:
+            FAIL("Need to be able to do 'xm makepolicy %s' but could not" %
+                 (policy))
+        s, o = traceCommand("xm loadpolicy %s" % (policy))
+        if s != 0:
+            FAIL("Could not load the required policy '%s'.\n"
+                 "Start the system without any policy.\n%s" %
+                 (policy, o))
 
 def ACMPrepareSystem(resources):
     if isACMEnabled():
diff -r 4197a1aad70b -r 7ef821ff6d89 
tools/xm-test/tests/security-acm/01_security-acm_basic.py
--- a/tools/xm-test/tests/security-acm/01_security-acm_basic.py Wed Jul 18 
10:04:46 2007 +0100
+++ b/tools/xm-test/tests/security-acm/01_security-acm_basic.py Wed Jul 18 
10:08:37 2007 +0100
@@ -15,6 +15,7 @@
 
 from XmTestLib import *
 from xen.util import security
+from xen.util import xsconstants
 import commands
 import os
 import re
@@ -28,7 +29,7 @@ if not isACMEnabled():
     SKIP("Not running this test since ACM not enabled.")
 
 status, output = traceCommand("xm makepolicy %s" % (testpolicy))
-if status != 0 or output != "":
+if status != 0:
     FAIL("'xm makepolicy' failed with status %d and output\n%s" %
          (status,output));
 
@@ -47,7 +48,7 @@ status, output = traceCommand("xm addlab
 status, output = traceCommand("xm addlabel %s dom %s %s" %
                               (testlabel, vmconfigfile, testpolicy))
 if status != 0:
-    FAIL("'xm addlabel' failed with status %d.\n" % status)
+    FAIL("(1) 'xm addlabel' failed with status %d.\n" % status)
 
 status, output = traceCommand("xm getlabel dom %s" %
                               (vmconfigfile))
@@ -55,8 +56,9 @@ if status != 0:
 if status != 0:
     FAIL("'xm getlabel' failed with status %d, output:\n%s" %
          (status, output))
-if output != "policy=%s,label=%s" % (testpolicy,testlabel):
-    FAIL("Received unexpected output from 'xm getlabel': \n%s" %
+if output != "policytype=%s,policy=%s,label=%s" % \
+             (xsconstants.ACM_POLICY_ID, testpolicy, testlabel):
+    FAIL("(1) Received unexpected output from 'xm getlabel dom': \n%s" %
          (output))
 
 
@@ -74,30 +76,34 @@ status, output = traceCommand("xm getlab
                               (vmconfigfile))
 
 if output != "Error: 'Domain not labeled'":
-    FAIL("Received unexpected output from 'xm getlabel': \n%s" %
+    FAIL("(2) Received unexpected output from 'xm getlabel dom': \n%s" %
          (output))
 
 #Whatever label the resource might have, remove it
 status, output = traceCommand("xm rmlabel res %s" %
                               (testresource))
+if status != 0:
+    FAIL("'xm rmlabel' on resource failed with status %d.\n" % status)
 
 status, output = traceCommand("xm addlabel %s res %s %s" %
                               (testlabel, testresource, testpolicy))
 if status != 0:
-    FAIL("'xm addlabel' on resource failed with status %d.\n" % status)
+    FAIL("(2) 'xm addlabel' on resource failed with status %d.\n" % status)
 
 status, output = traceCommand("xm getlabel res %s" % (testresource))
 
 if status != 0:
     FAIL("'xm getlabel' on resource failed with status %d, output:\n%s" %
          (status, output))
-if output != "policy=%s,label=%s" % (testpolicy,testlabel):
-    FAIL("Received unexpected output from 'xm getlabel': \n%s" %
+if output != "%s:%s:%s" % (xsconstants.ACM_POLICY_ID,\
+                           testpolicy,testlabel):
+    FAIL("Received unexpected output from 'xm getlabel res': \n%s" %
          (output))
 
 status, output = traceCommand("xm resources")
 
 if status != 0:
+    print "status = %s" % str(status)
     FAIL("'xm resources' did not run properly")
 if not re.search(security.unify_resname(testresource), output):
     FAIL("'xm resources' did not show the tested resource '%s'." %
@@ -117,5 +123,5 @@ status, output = traceCommand("xm getlab
                               (testresource))
 
 if output != "Error: 'Resource not labeled'":
-    FAIL("Received unexpected output from 'xm getlabel': \n%s" %
+    FAIL("Received unexpected output from 'xm getlabel res': \n%s" %
          (output))
diff -r 4197a1aad70b -r 7ef821ff6d89 
tools/xm-test/tests/security-acm/07_security-acm_pol_update.py
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/xm-test/tests/security-acm/07_security-acm_pol_update.py    Wed Jul 
18 10:08:37 2007 +0100
@@ -0,0 +1,303 @@
+#!/usr/bin/python
+
+# Copyright (C) International Business Machines Corp., 2006
+# Author: Stefan Berger <stefanb@xxxxxxxxxx>
+
+# Test to exercise the xspolicy class
+
+from XmTestLib import xapi
+from XmTestLib.XenAPIDomain import XmTestAPIDomain
+from XmTestLib import *
+from xen.xend import XendAPIConstants
+from xen.util import acmpolicy, security, xsconstants
+from xen.util.acmpolicy import ACMPolicy
+from xen.xend.XendDomain import DOM0_UUID
+
+import commands
+import os
+import base64
+
+xm_test = {}
+xm_test['policyname'] = "xm-test"
+xm_test['date'] = "Fri Sep 29 14:44:38 2006"
+xm_test['url']  = None
+
+vm_label_red   = "%s:xm-test:red" % xsconstants.ACM_POLICY_ID
+vm_label_green = "%s:xm-test:green" % xsconstants.ACM_POLICY_ID
+vm_label_blue  = "%s:xm-test:blue" % xsconstants.ACM_POLICY_ID
+vm_label_sys   = "%s:xm-test:SystemManagement" % xsconstants.ACM_POLICY_ID
+
+vm_label_black = "%s:xm-test:black"
+
+session = xapi.connect()
+
+oldlabel = session.xenapi.VM.get_security_label(DOM0_UUID)
+
+ssidref = session.xenapi.VM.set_security_label(DOM0_UUID,
+                                               vm_label_sys,
+                                               oldlabel)
+if int(ssidref) <= 0 or int(ssidref) != 0x00010001:
+    FAIL("(0) Domain-0 label for '%s' has unexpected failure: %08x" %
+         (vm_label_sys, int(ssidref)))
+print "ssidref for '%s' is 0x%08x" % (vm_label_sys, int(ssidref))
+
+
+xstype = session.xenapi.XSPolicy.get_xstype()
+if int(xstype) & xsconstants.XS_POLICY_ACM == 0:
+    SKIP("ACM not enabled/compiled in Xen")
+
+policystate = session.xenapi.XSPolicy.get_xspolicy()
+if not policystate.has_key('xs_ref'):
+    FAIL("get_xspolicy must return member 'xs_ref'")
+
+xs_ref = policystate['xs_ref']
+if xs_ref != "":
+    origpolicyxml = session.xenapi.ACMPolicy.get_xml(xs_ref)
+else:
+    origpolicyxml = ""
+
+f = open("xm-test-security_policy.xml", 'r')
+if f:
+    newpolicyxml = f.read()
+    f.close()
+else:
+    FAIL("Could not read 'xm-test' policy")
+
+try:
+    os.unlink("/boot/xm-test.bin")
+except:
+    pass
+
+policystate = session.xenapi.XSPolicy.get_xspolicy()
+
+if int(policystate['type']) == 0:
+    policystate = session.xenapi.XSPolicy.set_xspolicy(
+                          xsconstants.XS_POLICY_ACM,
+                          newpolicyxml,
+                          xsconstants.XS_INST_LOAD | xsconstants.XS_INST_BOOT,
+                          1)
+    if int(policystate['flags']) == -1:
+        FAIL("Could not set the new policy.")
+
+print "state of policy = %s " % policystate
+
+rc = session.xenapi.XSPolicy.activate_xspolicy(
+                          policystate['xs_ref'],
+                          xsconstants.XS_INST_LOAD | xsconstants.XS_INST_BOOT)
+if int(rc) != xsconstants.XS_INST_LOAD | xsconstants.XS_INST_BOOT:
+    FAIL("Could not activate the current policy: rc = %08x" % int(rc))
+
+if not os.path.exists("/boot/xm-test.bin"):
+    FAIL("Binary policy was not installed. Check grub config file.")
+
+policystate = session.xenapi.XSPolicy.get_xspolicy()
+
+if int(policystate['flags']) != xsconstants.XS_INST_BOOT | \
+                                xsconstants.XS_INST_LOAD:
+    FAIL("Flags (%x) are not indicating the correct state of the policy.",
+         int(policystate['flags']))
+
+policystate = session.xenapi.XSPolicy.get_xspolicy()
+xs_ref = policystate['xs_ref']
+
+newpolicyxml = None
+f = open("xm-test-new-security_policy.xml", 'r')
+if f:
+    newpolicyxml = f.read()
+    f.close()
+else:
+    FAIL("Could not read 'xm-test-new' policy")
+
+cur_acmpol = ACMPolicy(xml = policystate['repr'])
+new_acmpol = ACMPolicy(xml = newpolicyxml)
+
+new_acmpol.update_frompolicy(cur_acmpol)
+
+policystate = session.xenapi.XSPolicy.set_xspolicy(xsconstants.XS_POLICY_ACM,
+                          new_acmpol.toxml(),
+                          xsconstants.XS_INST_LOAD | xsconstants.XS_INST_BOOT,
+                          1)
+
+f = open("xm-test-security_policy.xml", 'r')
+if f:
+    newpolicyxml = f.read()
+    f.close()
+else:
+    FAIL("Could not read 'xm-test-new' policy")
+
+cur_acmpol = new_acmpol
+new_acmpol = ACMPolicy(xml = newpolicyxml)
+
+new_acmpol.update_frompolicy(cur_acmpol)
+
+policystate = session.xenapi.XSPolicy.set_xspolicy(xsconstants.XS_POLICY_ACM,
+                          new_acmpol.toxml(),
+                          xsconstants.XS_INST_LOAD | xsconstants.XS_INST_BOOT,
+                          1)
+
+dom0_lab = session.xenapi.VM.get_security_label(DOM0_UUID)
+
+ssidref = session.xenapi.VM.set_security_label(DOM0_UUID,
+                                               vm_label_sys, dom0_lab)
+if int(ssidref) <= 0 or int(ssidref) != 0x00010001:
+    FAIL("(1) Domain-0 label for '%s' has unexpected failure: %08x" %
+         (vm_label_sys, int(ssidref)))
+print "ssidref for '%s' is 0x%08x" % (vm_label_sys, int(ssidref))
+
+try:
+    ssidref = session.xenapi.VM.set_security_label(DOM0_UUID,
+                                                   vm_label_black,
+                                                   vm_label_sys)
+    FAIL("Could set label '%s', although it's not in the policy. "
+         "ssidref=%s" % (vm_label_black, ssidref))
+except:
+    pass
+
+ssidref = session.xenapi.VM.set_security_label(DOM0_UUID,
+                                               vm_label_red,
+                                               vm_label_sys)
+if int(ssidref) <= 0:
+    FAIL("(2) Domain-0 label for '%s' has unexpected failure: %08x" %
+         (vm_label_red, int(ssidref)))
+print "ssidref for '%s' is 0x%08x" % (vm_label_red, int(ssidref))
+
+label = session.xenapi.VM.get_security_label(DOM0_UUID)
+
+if label != vm_label_red:
+    FAIL("Dom0 label '%s' not as expected '%s'" % (label, vm_label_red))
+
+
+ssidref = session.xenapi.VM.set_security_label(DOM0_UUID,
+                                               vm_label_sys,
+                                               vm_label_red)
+if int(ssidref) <= 0 or int(ssidref) != 0x00010001:
+    FAIL("(3) Domain-0 label for '%s' has unexpected failure: %08x" %
+         (vm_label_sys, int(ssidref)))
+
+label = session.xenapi.VM.get_security_label(DOM0_UUID)
+
+if label != vm_label_sys:
+    FAIL("Dom0 label '%s' not as expected '%s'" % label, dom0_label)
+
+header = session.xenapi.ACMPolicy.get_header(xs_ref)
+
+if header['policyname'] != xm_test['policyname']:
+    FAIL("Name in header is '%s', expected is '%s'." %
+         (header['policyname'],xm_test['policyname']))
+if header['date'] != xm_test['date']:
+    FAIL("Date in header is '%s', expected is '%s'." %
+         (header['date'],xm_test['date']))
+if header.has_key("url") and header['url' ] != xm_test['url' ]:
+    FAIL("URL  in header is '%s', expected is '%s'." %
+         (header['url' ],xm_test['url' ]))
+
+# Create another domain
+try:
+    # XmTestAPIDomain tries to establish a connection to XenD
+    domain = XmTestAPIDomain(extraConfig={ 'security_label' : vm_label_blue })
+except Exception, e:
+    SKIP("Skipping test. Error: %s" % str(e))
+
+
+vm_uuid = domain.get_uuid()
+
+res = session.xenapi.VM.get_security_label(vm_uuid)
+if res != vm_label_blue:
+    FAIL("VM has security label '%s', expected is '%s'" %
+         (res, vm_label_blue))
+
+try:
+    domain.start(noConsole=True)
+except:
+    FAIL("Could not create domain")
+
+
+# Attempt to relabel the running domain
+ssidref = session.xenapi.VM.set_security_label(vm_uuid,
+                                               vm_label_red,
+                                               vm_label_blue)
+if int(ssidref) <= 0:
+    FAIL("Could not relabel running domain to '%s'." % vm_label_red)
+
+# user domain is 'red', dom0 is current 'SystemManagement'.
+# Try to move domain-0 to 'red' first, then to 'blue'.
+
+# Moving domain-0 to 'red' should work
+ssidref = session.xenapi.VM.set_security_label(DOM0_UUID,
+                                               vm_label_red,
+                                               vm_label_sys)
+if int(ssidref) <= 0:
+    FAIL("Could not label domain-0 '%s'" % vm_label_red)
+
+# Moving the guest domain to 'blue' should not work due to conflict set
+try:
+    ssidref = session.xenapi.VM.set_security_label(vm_uuid,
+                                                   vm_label_blue,
+                                                   vm_label_red)
+    FAIL("Could label guest domain with '%s', although this is in a conflict "
+         "set. ssidref=%x" % (vm_label_blue,int(ssidref)))
+except:
+    pass
+
+label = session.xenapi.VM.get_security_label(vm_uuid)
+if label != vm_label_red:
+    FAIL("User domain has wrong label '%s', expected '%s'." %
+         (label, vm_label_red))
+
+label = session.xenapi.VM.get_security_label(DOM0_UUID)
+if label != vm_label_red:
+    FAIL("Domain-0 has wrong label '%s'; expected '%s'." %
+         (label, vm_label_red))
+
+ssidref = session.xenapi.VM.set_security_label(DOM0_UUID,
+                                               vm_label_sys,
+                                               vm_label_red)
+if int(ssidref) < 0:
+    FAIL("Could not set the domain-0 security label to '%s'." %
+         (vm_label_sys))
+
+# pause the domain and relabel it...
+session.xenapi.VM.pause(vm_uuid)
+
+label = session.xenapi.VM.get_security_label(vm_uuid)
+if label != vm_label_red:
+    FAIL("User domain has wrong label '%s', expected '%s'." %
+         (label, vm_label_red))
+
+ssidref = session.xenapi.VM.set_security_label(vm_uuid,
+                                               vm_label_blue,
+                                               vm_label_red)
+print "guest domain new label '%s'; ssidref is 0x%08x" % \
+      (vm_label_blue, int(ssidref))
+if int(ssidref) <= 0:
+    FAIL("Could not label guest domain with '%s'" % (vm_label_blue))
+
+label = session.xenapi.VM.get_security_label(vm_uuid)
+if label != vm_label_blue:
+    FAIL("User domain has wrong label '%s', expected '%s'." %
+         (label, vm_label_blue))
+
+session.xenapi.VM.unpause(vm_uuid)
+
+rc = session.xenapi.VM.suspend(vm_uuid)
+
+ssidref = session.xenapi.VM.set_security_label(vm_uuid,
+                                               vm_label_green,
+                                               vm_label_blue)
+print "guest domain new label '%s'; ssidref is 0x%08x" % \
+      (vm_label_green, int(ssidref))
+if int(ssidref) < 0:
+    FAIL("Could not label suspended guest domain with '%s'" % (vm_label_blue))
+
+label = session.xenapi.VM.get_security_label(vm_uuid)
+if label != vm_label_green:
+    FAIL("User domain has wrong label '%s', expected '%s'." %
+         (label, vm_label_green))
+
+
+rc = session.xenapi.VM.resume(vm_uuid, False)
+
+label = session.xenapi.VM.get_security_label(vm_uuid)
+if label != vm_label_green:
+    FAIL("User domain has wrong label '%s', expected '%s'." %
+         (label, vm_label_green))
diff -r 4197a1aad70b -r 7ef821ff6d89 
tools/xm-test/tests/security-acm/08_security-acm_xapi.py
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/xm-test/tests/security-acm/08_security-acm_xapi.py  Wed Jul 18 
10:08:37 2007 +0100
@@ -0,0 +1,354 @@
+#!/usr/bin/python
+
+# Copyright (C) International Business Machines Corp., 2007
+# Author: Stefan Berger <stefanb@xxxxxxxxxx>
+
+# VM creation test with labeled VM and labeled VDI
+
+from XmTestLib import xapi
+from XmTestLib.XenAPIDomain import XmTestAPIDomain
+from XmTestLib import *
+from xen.xend import XendAPIConstants
+from xen.util import acmpolicy, security, xsconstants
+import commands
+import os
+
+vm_label_red    = xsconstants.ACM_POLICY_ID + ":xm-test:red"
+vm_label_green  = xsconstants.ACM_POLICY_ID + ":xm-test:green"
+vdi_label_red   = xsconstants.ACM_POLICY_ID + ":xm-test:red"
+vdi_label_green = xsconstants.ACM_POLICY_ID + ":xm-test:green"
+
+vdi_file = "/dev/ram0"
+vdi_path = "phy:" + vdi_file
+
+#Note:
+# If during the suspend/resume operations 'red' instead of 'green' is
+# used, the Chinese Wall policy goes into effect and disallows the
+# suspended VM from being resumed...
+
+try:
+    # XmTestAPIDomain tries to establish a connection to XenD
+    domain = XmTestAPIDomain(extraConfig={ 'security_label' : vm_label_red })
+except Exception, e:
+    SKIP("Skipping test. Error: %s" % str(e))
+
+vm_uuid = domain.get_uuid()
+
+session = xapi.connect()
+xstype = session.xenapi.XSPolicy.get_xstype()
+if int(xstype) & xsconstants.XS_POLICY_ACM == 0:
+    SKIP("ACM not enabled/compiled in Xen")
+
+f = open("xm-test-security_policy.xml", 'r')
+if f:
+    newpolicyxml = f.read()
+    f.close()
+else:
+    FAIL("Could not read 'xm-test' policy")
+
+policystate = session.xenapi.XSPolicy.get_xspolicy()
+if int(policystate['type']) == 0:
+    policystate = session.xenapi.XSPolicy.set_xspolicy(
+                         xsconstants.XS_POLICY_ACM,
+                         newpolicyxml,
+                         xsconstants.XS_INST_BOOT | xsconstants.XS_INST_LOAD,
+                         True)
+    if int(policystate['flags']) == -1:
+        FAIL("Could not set the new policy.")
+
+policystate = session.xenapi.XSPolicy.get_xspolicy()
+print "policystate = %s" % policystate
+acm_ref = policystate['xs_ref']
+
+
+#
+# Some tests with labeling of resources
+#
+labels = session.xenapi.XSPolicy.get_labeled_resources()
+print "labeled resources are:\n%s" % labels
+
+oldlabel = session.xenapi.XSPolicy.get_resource_label("phy:/dev/ram0")
+
+rc  = session.xenapi.XSPolicy.set_resource_label("phy:/dev/ram0", "",
+                                                 oldlabel)
+
+rc  = session.xenapi.XSPolicy.set_resource_label("phy:/dev/ram0",
+                                                 vdi_label_green,
+                                                 "")
+
+res = session.xenapi.XSPolicy.get_resource_label("phy:/dev/ram0")
+if res != vdi_label_green:
+    FAIL("(1) get_resource_label returned unexpected result %s, wanted %s" %
+         (res, vdi_label_green))
+
+
+#
+# Some test with labeling of VMs
+#
+
+res = session.xenapi.VM.get_security_label(vm_uuid)
+
+if res != vm_label_red:
+    FAIL("VM.get_security_label returned wrong security label '%s'." % res)
+
+res = session.xenapi.VM.set_security_label(vm_uuid, vm_label_green,
+                                                    vm_label_red)
+
+res = session.xenapi.VM.get_security_label(vm_uuid)
+if res != vm_label_green:
+     FAIL("VM does not show expected label '%s' but '%s'." %
+          (vm_label_green, res))
+
+res = session.xenapi.VM.set_security_label(vm_uuid, "", vm_label_green)
+if int(res) != 0:
+    FAIL("Should be able to unlabel the domain while it's halted.")
+
+res = session.xenapi.VM.get_security_label(vm_uuid)
+if res != "":
+    FAIL("Unexpected VM security label after removal: %s" % res)
+
+res = session.xenapi.VM.set_security_label(vm_uuid, vm_label_red, res)
+if int(res) != 0:
+    FAIL("Could not label the VM to '%s'" % vm_label_red)
+
+res = session.xenapi.VM.get_security_label(vm_uuid)
+if res != vm_label_red:
+    FAIL("VM has wrong label '%s', expected '%s'." % (res, vm_label_red))
+
+sr_uuid = session.xenapi.SR.get_by_name_label("Local")
+if len(sr_uuid) == 0:
+    FAIL("Could not get a handle on SR 'Local'")
+
+
+vdi_rec = { 'name_label'  : "My disk",
+            'SR'          : sr_uuid[0],
+            'virtual_size': 0,
+            'sector_size' : 512,
+            'parent'      : '',
+            'SR_name'     : 'Local',
+            'type'        : 'system',
+            'shareable'   : False,
+            'read-only'   : False,
+            'other_config': {'location': vdi_path}
+}
+
+vdi_ref = session.xenapi.VDI.create(vdi_rec)
+
+res = session.xenapi.VDI.get_name_label(vdi_ref)
+if res != vdi_rec['name_label']:
+    print "Destroying VDI now"
+    session.xenapi.VDI.destroy(vdi_ref)
+    FAIL("VDI_get_name_label return wrong information")
+
+res = session.xenapi.VDI.get_record(vdi_ref)
+print "vdi_record : %s" % res
+
+oldlabel = session.xenapi.XSPolicy.get_resource_label(vdi_path)
+
+#Remove label from VDI device
+rc  = session.xenapi.XSPolicy.set_resource_label(vdi_path,
+                                                 "",
+                                                 oldlabel)
+
+
+# Attach a VBD to the VM
+
+vbd_rec = { 'VM'      : vm_uuid,
+            'VDI'     : vdi_ref,
+            'device'  : "xvda1",
+            'mode'    : 1,
+            'bootable': 0,
+}
+
+vbd_ref = session.xenapi.VBD.create(vbd_rec)
+
+res = session.xenapi.VBD.get_record(vbd_ref)
+
+try:
+    domain.start(noConsole=True)
+    # Should not get here.
+    print "Destroying VDI now"
+    session.xenapi.VDI.destroy(vdi_ref)
+    FAIL("Could start VM with a VBD that it is not allowed to access.")
+except:
+    pass
+    print "Could not create domain -- that's good"
+
+
+#
+# Label the VDI now
+#
+
+rc    = session.xenapi.VDI.set_security_label(vdi_ref, vdi_label_red, "")
+if int(rc) != 0:
+    FAIL("Could not set the VDI label to '%s'" % vdi_label_red)
+
+label = session.xenapi.VDI.get_security_label(vdi_ref)
+if label != vdi_label_red:
+    session.xenapi.VDI.destroy(vdi_ref)
+    FAIL("Unexpected label '%s' on VDI, wanted '%s'" %
+         (label, vdi_label_red))
+
+rc    = session.xenapi.VDI.set_security_label(vdi_ref, "", label)
+if int(rc) != 0:
+    session.xenapi.VDI.destroy(vdi_ref)
+    FAIL("Should be able to unlabel VDI.")
+
+rc    = session.xenapi.VDI.set_security_label(vdi_ref, vdi_label_red, "")
+if int(rc) != 0:
+    session.xenapi.VDI.destroy(vdi_ref)
+    FAIL("Should be able to label VDI with label '%s'" % vid_label_red)
+
+res   = session.xenapi.XSPolicy.get_resource_label(vdi_path)
+if res != vdi_label_red:
+    session.xenapi.VDI.destroy(vdi_ref)
+    FAIL("(2) get_resource_label on %s returned unexpected result %s, wanted 
'%s'" %
+         (vdi_path, res, vdi_label_red))
+
+res = session.xenapi.VDI.get_security_label(vdi_ref)
+if res != vdi_label_red:
+    session.xenapi.VDI.destroy(vdi_ref)
+    FAIL("get_security_label returned unexpected result %s, wanted '%s'" %
+         (res, vdi_label_red))
+
+domain.start(noConsole=True)
+
+console = domain.getConsole()
+
+domName = domain.getName()
+
+try:
+    run = console.runCmd("cat /proc/interrupts")
+except ConsoleError, e:
+    saveLog(console.getHistory())
+    FAIL("Could not access proc-filesystem")
+
+# Try to relabel while VM is running
+try:
+    res = session.xenapi.VM.set_security_label(vm_uuid, vm_label_green,
+                                               vm_label_red)
+except:
+    pass
+
+lab = session.xenapi.VM.get_security_label(vm_uuid)
+if lab == vm_label_green:
+    FAIL("Should not be able to reset the security label while running."
+         "tried to set to %s, got %s, old: %s" %(vm_label_green, lab,
+         vm_label_red))
+
+
+#
+# Suspend the domain and relabel it
+#
+
+try:
+    status, output = traceCommand("xm suspend %s" % domName,
+                                  timeout=30)
+except TimeoutError, e:
+    session.xenapi.VDI.destroy(vdi_ref)
+    FAIL("Failure from suspending VM: %s." % str(e))
+
+# Try to relabel while VM is suspended -- this should work
+
+rc  = session.xenapi.VM.set_security_label(vm_uuid, vm_label_green,
+                                           vm_label_red)
+if int(rc) != 0:
+    FAIL("VM security label could not be set to %s" % vm_label_green)
+
+res = session.xenapi.VM.get_security_label(vm_uuid)
+if res != vm_label_green:
+    session.xenapi.VDI.destroy(vdi_ref)
+    FAIL("VM (suspended) has label '%s', expected '%s'." %
+         (res, vm_label_green))
+
+status, output = traceCommand("xm list")
+
+#Try to resume now -- should fail due to denied access to block device
+try:
+    status, output = traceCommand("xm resume %s" % domName,
+                                  timeout=30)
+    if status == 0:
+        session.xenapi.VDI.destroy(vdi_ref)
+        FAIL("Could resume re-labeled VM: %s" % output)
+except Exception, e:
+    session.xenapi.VDI.destroy(vdi_ref)
+    FAIL("1. Error resuming the VM: %s." % str(e))
+
+# Relabel VM so it would resume
+res = session.xenapi.VM.set_security_label(vm_uuid, vm_label_red,
+                                           vm_label_green)
+if int(res) != 0:
+    session.xenapi.VDI.destroy(vdi_ref)
+    FAIL("Could not relabel VM to have it resume.")
+
+res = session.xenapi.VM.get_security_label(vm_uuid)
+if res != vm_label_red:
+    session.xenapi.VDI.destroy(vdi_ref)
+    FAIL("VM (suspended) has label '%s', expected '%s'." %
+         (res, vm_label_red))
+
+
+# Relabel the resource so VM should not resume
+try:
+    session.xenapi.XSPolicy.set_resource_label(vdi_path,
+                                               vdi_label_green,
+                                               "")
+except Exception, e:
+    session.xenapi.VDI.destroy(vdi_ref)
+    FAIL("Could not label the VDI to '%s': %x" %
+         (vdi_label_green, int(rc)))
+
+#Try to resume now -- should fail due to denied access to block device
+try:
+    status, output = traceCommand("xm resume %s" % domName,
+                                  timeout=30)
+    if status == 0:
+        session.xenapi.VDI.destroy(vdi_ref)
+        FAIL("Could resume re-labeled VM: %s" % output)
+except Exception, e:
+    session.xenapi.VDI.destroy(vdi_ref)
+    FAIL("2. Error resuming the VM: %s." % str(e))
+
+
+status, output = traceCommand("xm list")
+
+# Relabel the resource so VM can resume
+try:
+    session.xenapi.XSPolicy.set_resource_label(vdi_path,
+                                               vdi_label_red,
+                                               vdi_label_green)
+except Exception, e:
+    session.xenapi.VDI.destroy(vdi_ref)
+    FAIL("Could not label the resource to '%s'" % vid_label_red)
+
+res = session.xenapi.XSPolicy.get_resource_label(vdi_path)
+if res != vdi_label_red:
+    session.xenapi.VDI.destroy(vdi_ref)
+    FAIL("'%s' has label '%s', expected '%s'." %
+         (vdi_path, res, vdi_label_red))
+
+#Try to resume now -- should work
+try:
+    status, output = traceCommand("xm resume %s" % domName,
+                                  timeout=30)
+    if status != 0:
+        session.xenapi.VDI.destroy(vdi_ref)
+        FAIL("Could not resume re-labeled VM: %s" % output)
+except Exception, e:
+    session.xenapi.VDI.destroy(vdi_ref)
+    FAIL("3. Error resuming the VM: %s." % str(e))
+
+
+status, output = traceCommand("xm list")
+
+console = domain.getConsole()
+
+try:
+    run = console.runCmd("cat /proc/interrupts")
+except ConsoleError, e:
+    saveLog(console.getHistory())
+    session.xenapi.VDI.destroy(vdi_ref)
+    FAIL("Could not access proc-filesystem")
+
+domain.stop()
+domain.destroy()
diff -r 4197a1aad70b -r 7ef821ff6d89 
tools/xm-test/tests/security-acm/09_security-acm_pol_update.py
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/xm-test/tests/security-acm/09_security-acm_pol_update.py    Wed Jul 
18 10:08:37 2007 +0100
@@ -0,0 +1,427 @@
+#!/usr/bin/python
+
+# Copyright (C) International Business Machines Corp., 2007
+# Author: Stefan Berger <stefanb@xxxxxxxxxx>
+
+# Test to exercise the xspolicy and acmpolicy classes
+
+from XmTestLib import xapi
+from XmTestLib.XenAPIDomain import XmTestAPIDomain
+from XmTestLib import *
+from xen.xend import XendAPIConstants
+from xen.util import security, xsconstants
+from xen.util.acmpolicy import ACMPolicy
+from xen.xend.XendDomain import DOM0_UUID
+import base64
+import struct
+import time
+
+def typestoxml(types):
+    res = ""
+    for t in types:
+        res += "<Type>" + t + "</Type>\n"
+    return res
+
+def cfstoxml(cfss):
+    res = ""
+    for cfs in cfss:
+        res += "<Conflict name=\"" + cfs['name'] + "\">\n" + \
+               typestoxml(cfs['chws']) + \
+               "</Conflict>\n"
+    return res
+
+def vmlabelstoxml(vmlabels, vmfrommap):
+    res = ""
+    for vmlabel in vmlabels:
+        res += "<VirtualMachineLabel>\n"
+        if vmlabel['name'] in vmfrommap:
+            res += "<Name from=\""+ vmfrommap[vmlabel['name']] +"\">"
+        else:
+            res += "<Name>"
+        res += vmlabel['name'] + "</Name>\n"
+        res += "<SimpleTypeEnforcementTypes>\n" + \
+                  typestoxml(vmlabel['stes']) + \
+               "</SimpleTypeEnforcementTypes>\n"
+        if vmlabel.has_key('chws'):
+            res += "<ChineseWallTypes>\n" + \
+                     typestoxml(vmlabel['chws']) + \
+                   "</ChineseWallTypes>\n"
+        res += "</VirtualMachineLabel>\n"
+    return res
+
+
+def reslabelstoxml(reslabels, resfrommap):
+    res = ""
+    for reslabel in reslabels:
+        res += "<ResourceLabel>\n"
+        if resfrommap.has_key(reslabel['name']):
+            res += "<Name from=\""+ resfrommap[reslabel['name']] +"\">"
+        else:
+            res += "<Name>"
+        res += reslabel['name'] + "</Name>\n"
+        res += "<SimpleTypeEnforcementTypes>\n" + \
+                  typestoxml(reslabel['stes']) + \
+               "</SimpleTypeEnforcementTypes>\n"
+        res += "</ResourceLabel>\n"
+    return res
+
+def create_xml_policy(hdr, stes, chws,
+                      vmlabels, vmfrommap, bootstrap,
+                      reslabels, resfrommap,
+                      cfss):
+    hdr_xml ="<PolicyHeader>\n" + \
+             "  <PolicyName>" + hdr['name'] + "</PolicyName>\n" + \
+             "  <Version>"    + hdr['version'] + "</Version>\n" + \
+             "  <FromPolicy>\n" + \
+             "    <PolicyName>" + hdr['oldname'] + "</PolicyName>\n" + \
+             "    <Version>"    + hdr['oldversion'] + "</Version>\n" + \
+             "  </FromPolicy>\n" + \
+               "</PolicyHeader>\n"
+
+    stes_xml = "<SimpleTypeEnforcement>\n" + \
+               "  <SimpleTypeEnforcementTypes>\n" + \
+                typestoxml(stes) + \
+               "  </SimpleTypeEnforcementTypes>\n" + \
+               "</SimpleTypeEnforcement>\n"
+
+    chws_xml = "<ChineseWall>\n" + \
+               "  <ChineseWallTypes>\n" + \
+               typestoxml(chws) + \
+               "  </ChineseWallTypes>\n" + \
+               "  <ConflictSets>\n" + \
+               cfstoxml(cfss) + \
+               "  </ConflictSets>\n" + \
+               "</ChineseWall>\n"
+
+    subjlabel_xml = "<SubjectLabels bootstrap=\""+ bootstrap +"\">\n" + \
+                     vmlabelstoxml(vmlabels, vmfrommap) + \
+                    "</SubjectLabels>\n"
+    objlabel_xml  = "<ObjectLabels>\n" + \
+                      reslabelstoxml(reslabels, resfrommap) + \
+                    "</ObjectLabels>\n"
+
+    policyxml = "<?xml version=\"1.0\" ?>\n" + \
+                "<SecurityPolicyDefinition xmlns=\"http://www.ibm.com\"; 
xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"; 
xsi:schemaLocation=\"http://www.ibm.com ../../security_policy.xsd \">\n" + \
+                hdr_xml + \
+                stes_xml + \
+                chws_xml + \
+                "<SecurityLabelTemplate>\n" + \
+                  subjlabel_xml + \
+                  objlabel_xml + \
+                "</SecurityLabelTemplate>\n" + \
+                "</SecurityPolicyDefinition>\n"
+    return policyxml
+
+
+def update_hdr(hdr):
+    """ Update the version information in the header """
+    hdr['oldversion'] = hdr['version']
+    hdr['oldname']    = hdr['name']
+    vers = hdr['version']
+    tmp = vers.split('.')
+    if len(tmp) == 1:
+        rev = 1
+    else:
+        rev = int(tmp[1]) + 1
+    hdr['version'] = "%s.%s" % (tmp[0],rev)
+    return hdr
+
+session = xapi.connect()
+
+policystate = session.xenapi.XSPolicy.get_xspolicy()
+
+if policystate['repr'] != "":
+    print "%s" % policystate['repr']
+    try:
+        acmpol = ACMPolicy(xml=policystate['repr'])
+    except Exception, e:
+        FAIL("Failure from creating ACMPolicy object: %s" % str(e))
+    oldname = acmpol.policy_dom_get_hdr_item("PolicyName")
+    oldvers = acmpol.policy_dom_get_hdr_item("Version")
+    tmp = oldvers.split(".")
+    if len(tmp) == 1:
+        rev = 1
+    else:
+        rev = int(tmp[1]) + 1
+    newvers = "%s.%s" % (tmp[0], str(rev))
+    print "old name/version = %s/%s" % (oldname, oldvers)
+else:
+    oldname = None
+    oldvers = None
+    newvers = "1.0"
+
+# Initialize the header of the policy
+hdr = {}
+hdr['name'] = "xm-test"
+hdr['version'] = newvers
+
+if oldname:
+    hdr['oldname']    = oldname
+    if oldvers and oldvers != "":
+        hdr['oldversion'] = oldvers
+
+stes = [ "SystemManagement", "red", "green", "blue" ]
+
+chws = [ "SystemManagement", "red", "green", "blue" ]
+
+bootstrap = "SystemManagement"
+
+vm_sysmgt = { 'name' : bootstrap,
+              'stes' : stes,
+              'chws' : [ "SystemManagement" ] }
+
+vm_red   = { 'name' : "red" ,
+             'stes' : ["red"] ,
+             'chws' : ["red"] }
+
+vm_green = { 'name' : "green" ,
+             'stes' : ["green"] ,
+             'chws' : ["green"] }
+
+vm_blue  = { 'name' : "blue" ,
+             'stes' : ["blue"] ,
+             'chws' : ["blue"] }
+
+res_red   = { 'name' : "red" ,
+              'stes' : ["red"] }
+
+res_green = { 'name' : "green" ,
+              'stes' : ["green"] }
+
+res_blue  = { 'name' : "blue" ,
+              'stes' : ["blue"] }
+
+cfs_1 = { 'name' : "CFS1",
+          'chws' : [ "red" , "blue" ] }
+
+vmlabels = [ vm_sysmgt, vm_red, vm_green, vm_blue ]
+vmfrommap = {}
+reslabels = [ res_red, res_green, res_blue ]
+resfrommap = {}
+cfss = [ cfs_1 ]
+
+vm_label_red    = xsconstants.ACM_POLICY_ID + ":xm-test:red"
+vm_label_green  = xsconstants.ACM_POLICY_ID + ":xm-test:green"
+vm_label_blue   = xsconstants.ACM_POLICY_ID + ":xm-test:blue"
+
+xml = create_xml_policy(hdr, stes, chws,
+                        vmlabels, vmfrommap, bootstrap,
+                        reslabels, resfrommap,
+                        cfss)
+
+xml_good = xml
+
+policystate = session.xenapi.XSPolicy.set_xspolicy(xsconstants.XS_POLICY_ACM,
+                                                   xml,
+                                                   xsconstants.XS_INST_LOAD,
+                                                   True)
+
+print "\n\npolicystate = %s" % policystate
+
+policystate = session.xenapi.XSPolicy.get_xspolicy()
+
+#
+# Create two non-conflicting domains and start them
+#
+try:
+    # XmTestAPIDomain tries to establish a connection to XenD
+    domain1 = XmTestAPIDomain(extraConfig={ 'security_label' : vm_label_red })
+except Exception, e:
+    SKIP("Skipping test. Error: %s" % str(e))
+
+
+vm1_uuid = domain1.get_uuid()
+
+try:
+    domain1.start(noConsole=True)
+except:
+    FAIL("Could not start domain1")
+
+print "Domain 1 started"
+
+try:
+    # XmTestAPIDomain tries to establish a connection to XenD
+    domain2 = XmTestAPIDomain(extraConfig={'security_label': vm_label_green })
+except Exception, e:
+    SKIP("Skipping test. Error: %s" % str(e))
+
+vm2_uuid = domain2.get_uuid()
+
+try:
+    domain2.start(noConsole=True)
+except:
+    FAIL("Could not start domain1")
+
+
+print "Domain 2 started"
+
+# Try a policy that would put the two domains into conflict
+cfs_2 = { 'name' : "CFS1",
+          'chws' : [ "red" , "green" ] }
+cfss = [ cfs_2 ]
+
+hdr = update_hdr(hdr)
+xml = create_xml_policy(hdr, stes, chws,
+                        vmlabels, vmfrommap, bootstrap,
+                        reslabels, resfrommap,
+                        cfss)
+
+policystate = session.xenapi.XSPolicy.set_xspolicy(xsconstants.XS_POLICY_ACM,
+                                                   xml,
+                                                   xsconstants.XS_INST_LOAD,
+                                                   True)
+
+print "policystate %s" % policystate
+
+if int(policystate['xserr']) == 0:
+    FAIL("(1) Should not have been able to set this policy.")
+
+if len(policystate['errors']) == 0:
+    FAIL("Hypervisor should have reported errros.")
+
+errors = base64.b64decode(policystate['errors'])
+
+print "Length of errors: %d" % len(errors)
+a,b = struct.unpack("!ii",errors)
+
+print "%08x , %08x" % (a,b)
+
+#
+# Create a faulty policy with 'red' STE missing
+#
+
+cfss = [ cfs_1 ]
+stes = [ "SystemManagement", "green", "blue" ]
+
+xml = create_xml_policy(hdr, stes, chws,
+                        vmlabels, vmfrommap, bootstrap,
+                        reslabels, resfrommap,
+                        cfss)
+policystate = session.xenapi.XSPolicy.set_xspolicy(xsconstants.XS_POLICY_ACM,
+                                                   xml,
+                                                   xsconstants.XS_INST_LOAD,
+                                                   True)
+
+print "Result from setting faulty(!) policy with STE 'red' missing:"
+print "policystate %s" % policystate
+
+if int(policystate['xserr']) == 0:
+    FAIL("(2) Should not have been able to set this policy.")
+
+#
+# Create a policy with 'red' VMLabel missing -- should not work since it is
+# in use.
+#
+stes = [ "SystemManagement", "red", "green", "blue" ]
+
+vmlabels = [ vm_sysmgt, vm_green, vm_blue ]
+
+xml = create_xml_policy(hdr, stes, chws,
+                        vmlabels, vmfrommap, bootstrap,
+                        reslabels, resfrommap,
+                        cfss)
+policystate = session.xenapi.XSPolicy.set_xspolicy(xsconstants.XS_POLICY_ACM,
+                                                   xml,
+                                                   xsconstants.XS_INST_LOAD,
+                                                   True)
+print "Result from setting faulty(!) policy with VMlabel 'red' missing:"
+print "policystate %s" % policystate
+
+if int(policystate['xserr']) == 0:
+    FAIL("(3) Should not have been able to set this policy.")
+
+#
+# Create a policy with 'blue' VMLabel missing -- should work since it is NOT
+# in use.
+#
+vmlabels = [ vm_sysmgt, vm_red, vm_green ]
+
+xml = create_xml_policy(hdr, stes, chws,
+                        vmlabels, vmfrommap, bootstrap,
+                        reslabels, resfrommap,
+                        cfss)
+policystate = session.xenapi.XSPolicy.set_xspolicy(xsconstants.XS_POLICY_ACM,
+                                                   xml,
+                                                   xsconstants.XS_INST_LOAD,
+                                                   True)
+
+print "Result from setting (good) policy with VMlabel 'blue' missing:"
+print "policystate %s" % policystate
+
+if int(policystate['xserr']) != 0:
+    FAIL("(4) Should have been able to set this policy: %s" % xml)
+
+#
+# Move the green VMLabel towards blue which should put the running
+# domain with label blue into a conflict set
+#
+vmlabels = [ vm_sysmgt, vm_red, vm_blue ]
+
+vmfrommap = { "blue" : "green" }  #  new : old
+
+hdr = update_hdr(hdr)  #Needed, since last update was successful
+xml = create_xml_policy(hdr, stes, chws,
+                        vmlabels, vmfrommap, bootstrap,
+                        reslabels, resfrommap,
+                        cfss)
+
+policystate = session.xenapi.XSPolicy.set_xspolicy(xsconstants.XS_POLICY_ACM,
+                                                   xml,
+                                                   xsconstants.XS_INST_LOAD,
+                                                   True)
+
+print "policystate %s" % policystate
+
+if int(policystate['xserr']) == 0:
+    FAIL("(5) Should not have been able to set this policy.")
+
+#
+# Try to install a policy where a VM label has a faulty VM label name
+#
+vmfrommap = {}
+
+vm_blue_bad = { 'name' : "blue:x" ,   # ':' no allowed
+                'stes' : ["blue"],
+                'chws' : ["blue"] }
+
+vmlabels = [ vm_sysmgt, vm_red, vm_green, vm_blue_bad ]
+
+xml = create_xml_policy(hdr, stes, chws,
+                        vmlabels, vmfrommap, bootstrap,
+                        reslabels, resfrommap,
+                        cfss)
+
+policystate = session.xenapi.XSPolicy.set_xspolicy(xsconstants.XS_POLICY_ACM,
+                                                   xml,
+                                                   xsconstants.XS_INST_LOAD,
+                                                   True)
+
+print "policystate %s" % policystate
+
+if int(policystate['xserr']) == 0:
+    FAIL("(6) Should not have been able to set this policy.")
+
+#
+# End the test by installing the initial policy again
+#
+
+cur_version = hdr['version']
+(maj, min) = cur_version.split(".")
+cur_version = "%s.%s" % (maj, str(int(min)-1) )
+
+orig_acmpol = ACMPolicy(xml=xml_good)
+orig_acmpol.set_frompolicy_version(cur_version)
+orig_acmpol.set_policy_version(hdr['version'])
+
+policystate = session.xenapi.XSPolicy.set_xspolicy(xsconstants.XS_POLICY_ACM,
+                                                   orig_acmpol.toxml(),
+                                                   xsconstants.XS_INST_LOAD,
+                                                   True)
+
+if int(policystate['xserr']) != 0:
+    FAIL("(END) Should have been able to set this policy.")
+
+domain1.stop()
+domain2.stop()
+domain1.destroy()
+domain2.destroy()
diff -r 4197a1aad70b -r 7ef821ff6d89 
tools/xm-test/tests/security-acm/Makefile.am
--- a/tools/xm-test/tests/security-acm/Makefile.am      Wed Jul 18 10:04:46 
2007 +0100
+++ b/tools/xm-test/tests/security-acm/Makefile.am      Wed Jul 18 10:08:37 
2007 +0100
@@ -5,7 +5,10 @@ TESTS = 01_security-acm_basic.test \
         03_security-acm_dom_conflict.test \
         04_security-acm_dom_res.test \
         05_security-acm_dom_res_conf.test \
-        06_security-acm_dom_block_attach.test
+        06_security-acm_dom_block_attach.test \
+        07_security-acm_pol_update.test \
+        08_security-acm_xapi.test \
+        09_security-acm_pol_update.test
 
 XFAIL_TESTS =
 
diff -r 4197a1aad70b -r 7ef821ff6d89 
tools/xm-test/tests/security-acm/xm-test-new-security_policy.xml
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/xm-test/tests/security-acm/xm-test-new-security_policy.xml  Wed Jul 
18 10:08:37 2007 +0100
@@ -0,0 +1,97 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Auto-generated by ezPolicy        -->
+<SecurityPolicyDefinition xmlns="http://www.ibm.com"; 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
xsi:schemaLocation="http://www.ibm.com ../../security_policy.xsd ">
+    <PolicyHeader>
+        <PolicyName>xm-test</PolicyName>
+        <Date>Fri Sep 29 14:44:38 2006</Date>
+        <Version>1.1</Version>
+        <FromPolicy>
+            <PolicyName>xm-test</PolicyName>
+            <Version>1.0</Version>
+        </FromPolicy>
+    </PolicyHeader>
+
+    <SimpleTypeEnforcement>
+        <SimpleTypeEnforcementTypes>
+            <Type>SystemManagement</Type>
+            <Type>green</Type>
+            <Type>red</Type>
+        </SimpleTypeEnforcementTypes>
+    </SimpleTypeEnforcement>
+
+    <ChineseWall priority="PrimaryPolicyComponent">
+        <ChineseWallTypes>
+            <Type>SystemManagement</Type>
+            <Type>green</Type>
+            <Type>red</Type>
+        </ChineseWallTypes>
+
+        <ConflictSets>
+            <Conflict name="RER">
+                <Type>green</Type>
+                <Type>red</Type>
+            </Conflict>
+       </ConflictSets>
+    </ChineseWall>
+
+    <SecurityLabelTemplate>
+        <SubjectLabels bootstrap="SystemManagement">
+            <VirtualMachineLabel>
+                <Name>SystemManagement</Name>
+                <SimpleTypeEnforcementTypes>
+                    <Type>SystemManagement</Type>
+                    <Type>green</Type>
+                    <Type>red</Type>
+                </SimpleTypeEnforcementTypes>
+                <ChineseWallTypes>
+                    <Type>SystemManagement</Type>
+                </ChineseWallTypes>
+            </VirtualMachineLabel>
+
+            <VirtualMachineLabel>
+                <Name>green</Name>
+                <SimpleTypeEnforcementTypes>
+                    <Type>green</Type>
+                </SimpleTypeEnforcementTypes>
+                <ChineseWallTypes>
+                    <Type>green</Type>
+                </ChineseWallTypes>
+            </VirtualMachineLabel>
+
+            <VirtualMachineLabel>
+                <Name>red</Name>
+                <SimpleTypeEnforcementTypes>
+                    <Type>red</Type>
+                </SimpleTypeEnforcementTypes>
+                <ChineseWallTypes>
+                    <Type>red</Type>
+                </ChineseWallTypes>
+            </VirtualMachineLabel>
+
+        </SubjectLabels>
+
+        <ObjectLabels>
+            <ResourceLabel>
+                <Name>SystemManagement</Name>
+                <SimpleTypeEnforcementTypes>
+                    <Type>SystemManagement</Type>
+                </SimpleTypeEnforcementTypes>
+            </ResourceLabel>
+
+            <ResourceLabel>
+                <Name>green</Name>
+                <SimpleTypeEnforcementTypes>
+                    <Type>green</Type>
+                </SimpleTypeEnforcementTypes>
+            </ResourceLabel>
+
+            <ResourceLabel>
+                <Name>red</Name>
+                <SimpleTypeEnforcementTypes>
+                    <Type>red</Type>
+                </SimpleTypeEnforcementTypes>
+            </ResourceLabel>
+
+        </ObjectLabels>
+    </SecurityLabelTemplate>
+</SecurityPolicyDefinition>

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog

<Prev in Thread] Current Thread [Next in Thread>
  • [Xen-changelog] [xen-unstable] [Xm-Test] Additional tests for the xm-test suite, Xen patchbot-unstable <=