Index: root/xen-unstable.hg/tools/python/xen/xend/XendXSPolicyAdmin.py
===================================================================
--- root.orig/xen-unstable.hg/tools/python/xen/xend/XendXSPolicyAdmin.py
+++ root/xen-unstable.hg/tools/python/xen/xend/XendXSPolicyAdmin.py
@@ -48,6 +48,10 @@ class XSPolicyAdmin:
 self.xsobjs = {}
 bootloader.init()
+ if security.on() == xsconstants.XS_POLICY_ACM:
+ self.__acm_init()
+
+ def __acm_init(self):
 act_pol_name = self.get_hv_loaded_policy_name()
 initialize()
@@ -74,7 +78,7 @@ class XSPolicyAdmin:
 This currently only checks for ACM-enablement.
 """
 rc = 0
- if security.on():
+ if security.on() == xsconstants.XS_POLICY_ACM:
 rc |= xsconstants.XS_POLICY_ACM
 return rc
@@ -104,6 +108,8 @@ class XSPolicyAdmin:
 def __add_acmpolicy_to_system(self, xmltext, flags, overwrite):
 errors = ""
+ if security.on() != xsconstants.XS_POLICY_ACM:
+ raise SecurityError(-xsconstants.XSERR_POLICY_TYPE_UNSUPPORTED)
 loadedpol = self.get_loaded_policy()
 if loadedpol:
 # This is meant as an update to a currently loaded policy
Index: root/xen-unstable.hg/tools/python/xen/util/xsm/acm/acm.py
===================================================================
--- root.orig/xen-unstable.hg/tools/python/xen/util/xsm/acm/acm.py
+++ root/xen-unstable.hg/tools/python/xen/util/xsm/acm/acm.py
@@ -156,7 +156,9 @@ def on():
 returns none if security policy is off (not compiled), any string otherwise, use it: if not security.on() ...
 """
- return (get_active_policy_name() not in ['INACTIVE', 'NULL'])
+ if get_active_policy_name() not in ['INACTIVE', 'NULL', '']:
+ return xsconstants.XS_POLICY_ACM
+ return 0
 def calc_dom_ssidref_from_info(info):
Index: root/xen-unstable.hg/tools/python/xen/util/xsm/flask/flask.py
===================================================================
--- root.orig/xen-unstable.hg/tools/python/xen/util/xsm/flask/flask.py
+++ root/xen-unstable.hg/tools/python/xen/util/xsm/flask/flask.py
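Review bot: The new `__acm_init` method has no docstring, and the split moves the tail of `__init__` behind an ACM-only guard, so whatever state that tail used to set up will be absent on a xend where `security.on()` does not report `XS_POLICY_ACM`; I'd add `"""ACM-specific set-up split out of __init__; runs only when security.on() reports XS_POLICY_ACM."""` under the def and confirm that the accessors reading that state tolerate its absence. Only the first two statements of `__acm_init` are inside the hunk; the rest of its body lies outside it.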
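Review bot: The docstring of `on()` is now stale: it still promises "none" when the policy is off and "any string" otherwise, while the new body returns `xsconstants.XS_POLICY_ACM` or `0`, and every caller touched by this commit compares against `XS_POLICY_ACM`. I'd replace the two description lines with `returns xsconstants.XS_POLICY_ACM if an ACM policy other than INACTIVE/NULL is active, 0 otherwise; callers should compare against the XS_POLICY_* constants rather than test truthiness`. The `if not security.on()` usage hint should go with it, since the value is now meant as a policy-type tag rather than a boolean.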
@@ -12,7 +12,7 @@ def err(msg):
 raise XSMError(msg)
 def on():
- return 1
+ return 0 #xsconstants.XS_POLICY_FLASK
 def ssidref2label(ssidref):
 try:
Index: root/xen-unstable.hg/tools/python/xen/xend/server/blkif.py
===================================================================
--- root.orig/xen-unstable.hg/tools/python/xen/xend/server/blkif.py
+++ root/xen-unstable.hg/tools/python/xen/xend/server/blkif.py
@@ -23,6 +23,7 @@ from xen.util import blkif
 import xen.util.xsm.xsm as security
 from xen.xend.XendError import VmError
 from xen.xend.server.DevController import DevController
+from xen.util import xsconstants
 class BlkifController(DevController):
 """Block device interface controller. Handles all block devices
@@ -72,7 +73,7 @@ class BlkifController(DevController):
 if uuid:
 back['uuid'] = uuid
- if security.on():
+ if security.on() == xsconstants.XS_POLICY_ACM:
 self.do_access_control(config, uname)
 devid = blkif.blkdev_name_to_number(dev)
Index: root/xen-unstable.hg/tools/python/xen/xend/server/netif.py
===================================================================
--- root.orig/xen-unstable.hg/tools/python/xen/xend/server/netif.py
+++ root/xen-unstable.hg/tools/python/xen/xend/server/netif.py
@@ -29,6 +29,7 @@ from xen.xend.server.DevController impor
 from xen.xend.XendError import VmError
 from xen.xend.XendXSPolicyAdmin import XSPolicyAdminInstance
 import xen.util.xsm.xsm as security
+from xen.util import xsconstants
 from xen.xend.XendLogging import log
@@ -155,7 +156,7 @@ class NetifController(DevController):
 front = { 'handle' : "%i" % devid, 'mac' : mac }
- if security.on():
+ if security.on() == xsconstants.XS_POLICY_ACM:
 self.do_access_control(config)
 return (devid, back, front)
Index: root/xen-unstable.hg/tools/python/xen/xend/XendConfig.py
===================================================================
--- root.orig/xen-unstable.hg/tools/python/xen/xend/XendConfig.py
+++ root/xen-unstable.hg/tools/python/xen/xend/XendConfig.py
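Review bot: Returning `0` from the FLASK `on()` makes FLASK indistinguishable from "no XSM" for every `security.on() == xsconstants.XS_POLICY_ACM` caller in this commit and for any remaining truthiness caller, so as far as these hunks show xend performs no label handling at all under FLASK; the `#xsconstants.XS_POLICY_FLASK` trailer hints at the intent but does not record it. If skipping the xend-side checks under FLASK is deliberate, a comment such as `# no xend-side policy handling for FLASK yet; report "off" so ACM-only paths are skipped` should replace the commented-out constant. If `xsconstants.XS_POLICY_FLASK` exists, returning it would let callers tell FLASK apart from an absent policy, which the `== XS_POLICY_ACM` comparisons already accommodate.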
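Review bot: The `security.on() == xsconstants.XS_POLICY_ACM` test is now spelled out at each call site — here in blkif.py and again in netif.py, XendConfig.py, XendDomainInfo.py, addlabel.py and dry-run.py — and each file gains a `from xen.util import xsconstants` import solely for that constant. A single predicate in the xsm layer, e.g. a proposed `def acm_on(): return on() == xsconstants.XS_POLICY_ACM`, would keep the policy-type test in one place and make most of those imports unnecessary. In blkif.py and netif.py the new import is also appended after the `xen.xend` imports rather than next to `import xen.util.xsm.xsm as security`; grouping it with the other `xen.util` imports would read better.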
@@ -688,7 +688,7 @@ class XendConfig(dict):
 self.parse_cpuid(cfg, 'cpuid_check')
 import xen.util.xsm.xsm as security
- if security.on():
+ if security.on() == xsconstants.XS_POLICY_ACM:
 from xen.util.acmpolicy import ACM_LABEL_UNLABELED
 if not 'security' in cfg and sxp.child_value(sxp_cfg, 'security'):
 cfg['security'] = sxp.child_value(sxp_cfg, 'security')
Index: root/xen-unstable.hg/tools/python/xen/xend/XendDomainInfo.py
===================================================================
--- root.orig/xen-unstable.hg/tools/python/xen/xend/XendDomainInfo.py
+++ root/xen-unstable.hg/tools/python/xen/xend/XendDomainInfo.py
@@ -37,6 +37,7 @@ import xen.lowlevel.xc
 from xen.util import asserts
 from xen.util.blkif import blkdev_uname_to_file, blkdev_uname_to_taptype
 import xen.util.xsm.xsm as security
+from xen.util import xsconstants
 from xen.xend import balloon, sxp, uuid, image, arch, osdep
 from xen.xend import XendOptions, XendNode, XendConfig
@@ -1973,7 +1974,7 @@ class XendDomainInfo:
 balloon.free(2*1024) # 2MB should be plenty
 ssidref = 0
- if security.on():
+ if security.on() == xsconstants.XS_POLICY_ACM:
 ssidref = security.calc_dom_ssidref_from_info(self.info)
 if security.has_authorization(ssidref) == False:
 raise VmError("VM is not authorized to run.")
@@ -1987,7 +1988,7 @@ class XendDomainInfo:
 target = self.info.target())
 except Exception, e:
 # may get here if due to ACM the operation is not permitted
- if security.on():
+ if security.on() == xsconstants.XS_POLICY_ACM:
 raise VmError('Domain in conflict set with running domain?')
 if self.domid < 0:
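Review bot: The XendConfig.py hunk references `xsconstants.XS_POLICY_ACM` but, unlike the blkif.py, netif.py and XendDomainInfo.py hunks, adds no `from xen.util import xsconstants`; unless the module already imports it at file level (not visible here), this raises `NameError` the first time a config is parsed, i.e. on every domain creation. Since the neighbouring `import xen.util.xsm.xsm as security` is itself local to this method, the smallest fix is a matching local `from xen.util import xsconstants` beside it, or a module-level import as the other files do. The enclosing method starts and ends outside the hunk.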
@@ -2853,7 +2854,6 @@ class XendDomainInfo:
 is_policy_update = (xspol_old != None)
 from xen.xend.XendXSPolicyAdmin import XSPolicyAdminInstance
- from xen.util import xsconstants
 state = self._stateGet()
 # Relabel only HALTED or RUNNING or PAUSED domains
Index: root/xen-unstable.hg/tools/python/xen/xm/addlabel.py
===================================================================
--- root.orig/xen-unstable.hg/tools/python/xen/xm/addlabel.py
+++ root/xen-unstable.hg/tools/python/xen/xm/addlabel.py
@@ -205,17 +205,17 @@ def main(argv):
 policy_type = ""
 if len(argv) not in (4, 5):
 raise OptionError('Needs either 2 or 3 arguments')
-
+
 label = argv[1]
-
+
 if len(argv) == 5:
 policyref = argv[4]
- elif security.on():
+ elif security.on() == xsconstants.XS_POLICY_ACM:
 policyref = security.active_policy
 policy_type = xsconstants.ACM_POLICY_ID
 else:
- raise OptionError("No active policy. Must specify policy on the " "command line.")
+ raise OptionError("ACM security is not enabled. You must specify "\ "the policy on the command line.")
 if argv[2].lower() == "dom":
 configfile = argv[3]
Index: root/xen-unstable.hg/tools/python/xen/xm/dry-run.py
===================================================================
--- root.orig/xen-unstable.hg/tools/python/xen/xm/dry-run.py
+++ root/xen-unstable.hg/tools/python/xen/xm/dry-run.py
@@ -22,6 +22,7 @@ import sys
 import xen.util.xsm.xsm as security
 from xen.xm import create
 from xen.xend import sxp
+from xen.util import xsconstants
 from xen.xm.opts import OptionError
 def help():
@@ -40,7 +41,7 @@ def check_domain_label(config, verbose):
 answer = 0
 default_label = None
 secon = 0
- if security.on():
+ if security.on() == xsconstants.XS_POLICY_ACM:
 default_label = security.ssidref2label(security.NULL_SSIDREF)
 secon = 1
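Review bot: The new `OptionError` message in the addlabel.py hunk uses a backslash continuation inside the call parentheses, `"You must specify "\`; adjacent string literals are already joined across lines within the parentheses, so the backslash is redundant and departs from the style of the line it replaces. I'd drop it: `raise OptionError("ACM security is not enabled. You must specify "` followed by `"the policy on the command line.")`. The remaining added and removed lines in that hunk only strip trailing whitespace.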
@@ -90,7 +91,7 @@ def config_security_check(config, verbos
 domain_policy = sxp.child_value(sxp.name(sxp.child0(x)), 'policy')
 # if no domain label, use default
- if not domain_label and security.on():
+ if not domain_label and security.on() == xsconstants.XS_POLICY_ACM:
 try:
 domain_label = security.ssidref2label(security.NULL_SSIDREF)
 except:
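Review bot: The bare `except:` directly under the new condition swallows every error from `security.ssidref2label(security.NULL_SSIDREF)`, not just a missing default label, so a broken ACM setup silently reads as "no default label"; now that the branch only runs when ACM is reported active, such a failure is worth surfacing rather than hiding. Narrowing it to the exception `ssidref2label` actually raises — or at least `except Exception:` with the error reported when `verbose` is set — would keep the dry run honest. The handler body and the rest of `config_security_check` lie outside the hunk.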