From: Ewan Mellor <ewan@xensource.com>
Date: Tue, 2 Jan 2007 13:35:25 +0000 (+0000)
Subject: Don't canonicalise the resource inside res_security_check if security is off.
X-Git-Tag: archive/raspbian/4.8.0-1+rpi1~1^2~15422^2~108
X-Git-Url: https://dgit.raspbian.org/%22http:/www.example.com/cgi/%22https://%22%22/%22http:/www.example.com/cgi/%22https:/%22%22?a=commitdiff_plain;h=535e80fa87648fa5557676a2534134f13fb82960;p=xen.git

Don't canonicalise the resource inside res_security_check if security is off.
This had broken use of relative paths to refer to ISOs etc.

Signed-off-by: Ewan Mellor <ewan@xensource.com>
---

diff --git a/tools/python/xen/util/security.py b/tools/python/xen/util/security.py
index 0435608547..2702fd3dbb 100644
--- a/tools/python/xen/util/security.py
+++ b/tools/python/xen/util/security.py
@@ -637,11 +637,11 @@ def res_security_check(resource, domain_label):
     """
     rtnval = 1
 
-    #build canonical resource name
-    resource = unify_resname(resource)
-
     # if security is on, ask the hypervisor for a decision
     if on():
+        #build canonical resource name
+        resource = unify_resname(resource)
+
         (label, ssidref, policy) = get_res_security_details(resource)
         domac = ['access_control']
         domac.append(['policy', active_policy])
@@ -660,6 +660,8 @@ def res_security_check(resource, domain_label):
 
     # security is off, make sure resource isn't labeled
     else:
+        # Note, we can't canonicalise the resource here, because people using
+        # xm without ACM are free to use relative paths.
         (label, policy) = get_res_label(resource)
         if policy != 'NULL':
             raise ACMError("Security is off, but '"+resource+"' is labeled")