From aec48f2d9d9087a49e9000e9f6541efa1069e9c3 Mon Sep 17 00:00:00 2001 From: "kfraser@localhost.localdomain" Date: Wed, 18 Oct 2006 17:54:58 +0100 Subject: [PATCH] [ACM] Fix the resource representations in the resource_label file. Without this patch, multiple representations of the same resource can co-exist in the resource label file and lead to errors during operation. Ensures that all resource file names are stored with absolute path name and are unique. Setting labels of phy-resources, relative paths will automatically be pre-pended with '/dev/'; labeling file-resources with relative paths will raise an error. Signed-off by: Reiner Sailer --- tools/python/xen/util/security.py | 22 ++++++++++++++++++++++ tools/python/xen/xm/addlabel.py | 9 ++------- tools/python/xen/xm/getlabel.py | 3 +++ tools/python/xen/xm/rmlabel.py | 3 +++ 4 files changed, 30 insertions(+), 7 deletions(-) diff --git a/tools/python/xen/util/security.py b/tools/python/xen/util/security.py index 015de985b1..0b23303e53 100644 --- a/tools/python/xen/util/security.py +++ b/tools/python/xen/util/security.py 
@@ -596,12 +596,34 @@ def get_res_security_details(resource): return (label, ssidref, policy) +def unify_resname(resource): + """Makes all resource locations absolute. In case of physical + resources, '/dev/' is added to local file names""" + + # sanity check on resource name + (type, resfile) = resource.split(":") + if type == "phy": + if not resfile.startswith("/"): + resfile = "/dev/" + resfile + + #file: resources must specified with absolute path + if (not resfile.startswith("/")) or (not os.path.exists(resfile)): + err("Invalid resource.") + + # from here on absolute file names with resources + resource = type + ":" + resfile + return resource + + def res_security_check(resource, domain_label): """Checks if the given resource can be used by the given domain label. Returns 1 if the resource can be used, otherwise 0. """ rtnval = 1 + #build canonical resource name + resource = unify_resname(resource) + # if security is on, ask the hypervisor for a decision if on(): (label, ssidref, policy) = get_res_security_details(resource) diff --git a/tools/python/xen/xm/addlabel.py b/tools/python/xen/xm/addlabel.py index 86e4ff7b74..af176da433 100644 --- a/tools/python/xen/xm/addlabel.py +++ b/tools/python/xen/xm/addlabel.py @@ -72,13 +72,8 @@ def add_resource_label(label, resource, policyref): # sanity check: make sure this label can be instantiated later on ssidref = security.label2ssidref(label, policyref, 'res') - # sanity check on resource name - (type, file) = resource.split(":") - if type == "phy": - file = "/dev/" + file - if not os.path.exists(file): - print "Invalid resource '"+resource+"'" - return + #build canonical resource name + resource = security.unify_resname(resource) # see if this resource is already in the file access_control = {} diff --git a/tools/python/xen/xm/getlabel.py b/tools/python/xen/xm/getlabel.py index f86b798771..3be98e82c3 100644 --- a/tools/python/xen/xm/getlabel.py +++ b/tools/python/xen/xm/getlabel.py 
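Review bot: unify_resname only tests that the path starts with "/", so `phy:/dev/sda1`, `phy:/dev//sda1`, `phy:/dev/../dev/sda1` and a symlink to the same node still produce distinct keys. The label file can therefore again hold several representations of one resource, and a lookup keyed on this string may miss the label through an alias. Collapsing the path before the check, e.g. `resfile = os.path.normpath(resfile)`, would remove most of these; `os.path.realpath` would also fold symlinked device nodes, which is a policy choice. It would also show that prefixing `/dev/` does not keep a relative phy name containing `..` inside /dev. Separately, `resource.split(":")` raises an unhandled ValueError for a name with no colon or more than one, so `(type, resfile) = resource.split(":", 1)` with the failure routed to `err(...)` would be safer; whether `err` raises and whether `os` is imported in security.py lie outside the hunk and should be confirmed.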
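Review bot: Entries written before this patch keep their old spelling: the removed lines in add_resource_label built `"/dev/" + file` only for the existence test and left `resource` as typed, so an existing label file may contain keys such as `phy:sda1`. Every lookup now uses the canonical form, including the duplicate check announced by `# see if this resource is already in the file` and the calls added in getlabel.py and rmlabel.py. Those older keys would probably never match again and could not be removed with rmlabel. Passing existing keys through `security.unify_resname` once when the file is loaded, or documenting a relabel step, would cover the upgrade. The removed message also named the offending resource, which `err("Invalid resource.")` no longer does; add_resource_label continues outside the hunk, so how the key is stored is inferred.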
@@ -33,6 +33,9 @@ def help(): def get_resource_label(resource): """Gets the resource label """ + #build canonical resource name + resource = security.unify_resname(resource) + # read in the resource file file = security.res_label_filename try: diff --git a/tools/python/xen/xm/rmlabel.py b/tools/python/xen/xm/rmlabel.py index 997a4f04f3..0869c6c874 100644 --- a/tools/python/xen/xm/rmlabel.py +++ b/tools/python/xen/xm/rmlabel.py @@ -37,6 +37,9 @@ def help(): def rm_resource_label(resource): """Removes a resource label from the global resource label file. """ + #build canonical resource name + resource = security.unify_resname(resource) + # read in the resource file file = security.res_label_filename try: -- 2.30.2
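Review bot: Because unify_resname also requires `os.path.exists(resfile)`, the call added here makes get_resource_label fail for a resource whose device node or image file has since been removed, and the same two lines in rm_resource_label (rmlabel.py hunk) do likewise. That leaves a stale label that can be neither inspected nor deleted. If the path is later recreated for different content, the old label would presumably still apply to it. Consider splitting the helper so that query and removal only canonicalise the name, keeping the existence test for add_resource_label and res_security_check; a comment such as `# canonicalise only: the resource may no longer exist` at these two call sites would record the intent. Both function bodies continue outside their hunks.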