[ACM] Fix the resource representations in the resource_label

file. Without this patch, multiple representations of the same
resource can co-exist in the resource label file and lead to errors
during operation.

Ensures that all resource file names are stored with absolute
path name and are unique. Setting labels of phy-resources, relative
paths will automatically be pre-pended with '/dev/'; labeling
file-resources with relative paths will raise an error.

Signed-off by: Reiner Sailer <sailer@us.ibm.com>

diff --git a/tools/python/xen/util/security.py b/tools/python/xen/util/security.py
index 015de985b106c3ab49a07044b14c4002684267e9..0b23303e53a3be5cd2d8b86eec6e503f5be84945 100644 (file)
--- a/tools/python/xen/util/security.py
+++ b/tools/python/xen/util/security.py
@@ -596,12 +596,34 @@ def get_res_security_details(resource):
     return (label, ssidref, policy)
 
 
+def unify_resname(resource):
+    """Makes all resource locations absolute. In case of physical
+    resources, '/dev/' is added to local file names"""
+
+    # sanity check on resource name
+    (type, resfile) = resource.split(":")
+    if type == "phy":
+        if not resfile.startswith("/"):
+            resfile = "/dev/" + resfile
+
+    #file: resources must specified with absolute path
+    if (not resfile.startswith("/")) or (not os.path.exists(resfile)):
+        err("Invalid resource.")
+
+    # from here on absolute file names with resources
+    resource = type + ":" + resfile
+    return resource
+
+
 def res_security_check(resource, domain_label):
     """Checks if the given resource can be used by the given domain
        label.  Returns 1 if the resource can be used, otherwise 0.
     """
     rtnval = 1
 
+    #build canonical resource name
+    resource = unify_resname(resource)
+
     # if security is on, ask the hypervisor for a decision
     if on():
         (label, ssidref, policy) = get_res_security_details(resource)

diff --git a/tools/python/xen/xm/addlabel.py b/tools/python/xen/xm/addlabel.py
index 86e4ff7b74c7390a17b604045309ba6b47c2a404..af176da4331cc671321e52dbf98aabc78c925e26 100644 (file)
--- a/tools/python/xen/xm/addlabel.py
+++ b/tools/python/xen/xm/addlabel.py
@@ -72,13 +72,8 @@ def add_resource_label(label, resource, policyref):
     # sanity check: make sure this label can be instantiated later on
     ssidref = security.label2ssidref(label, policyref, 'res')
 
-    # sanity check on resource name
-    (type, file) = resource.split(":")
-    if type == "phy":
-        file = "/dev/" + file
-    if not os.path.exists(file):
-        print "Invalid resource '"+resource+"'"
-        return
+    #build canonical resource name
+    resource = security.unify_resname(resource)
 
     # see if this resource is already in the file
     access_control = {}

diff --git a/tools/python/xen/xm/getlabel.py b/tools/python/xen/xm/getlabel.py
index f86b798771aaa61e0a3ac3ea004ab78a8c96fc9e..3be98e82c3af832df3d4296408b781ea852f8884 100644 (file)
--- a/tools/python/xen/xm/getlabel.py
+++ b/tools/python/xen/xm/getlabel.py
@@ -33,6 +33,9 @@ def help():
 def get_resource_label(resource):
     """Gets the resource label
     """
+    #build canonical resource name
+    resource = security.unify_resname(resource)
+
     # read in the resource file
     file = security.res_label_filename
     try:

diff --git a/tools/python/xen/xm/rmlabel.py b/tools/python/xen/xm/rmlabel.py
index 997a4f04f3c8b95d6e5a13430f6d6570b12b9f1b..0869c6c874a0cf1e36e87e32188c307f6938e6fc 100644 (file)
--- a/tools/python/xen/xm/rmlabel.py
+++ b/tools/python/xen/xm/rmlabel.py
@@ -37,6 +37,9 @@ def help():
 def rm_resource_label(resource):
     """Removes a resource label from the global resource label file.
     """
+    #build canonical resource name
+    resource = security.unify_resname(resource)
+
     # read in the resource file
     file = security.res_label_filename
     try: