[ACM-security] Some fixes to tools.

- Allow multiple ChineseWallTypes in a VM labels
- check for surfacing exceptions in the python code
- check for array sizes in the XML DOM in python
- properly display the labels when doing 'xm list --label' in xm's
non-Xen-API mode
- rely on the security checking hooks in xend to check access to the
block interface rather than doing this in xm.

Signed-off-by: Stefan Berger <stefanb@us.ibm.com>

diff --git a/tools/python/xen/util/acmpolicy.py b/tools/python/xen/util/acmpolicy.py
index f5fc292082bf5be74a5dbec6e9ee296fa286feb7..002ad9e932fc997b83071395631c9eb8dcde78e3 100644 (file)
--- a/tools/python/xen/util/acmpolicy.py
+++ b/tools/python/xen/util/acmpolicy.py
@@ -57,12 +57,20 @@ class ACMPolicy(XSPolicy):
     def __init__(self, name=None, dom=None, ref=None, xml=None):
         if name:
             self.name = name
-            self.dom = minidom.parse(self.path_from_policy_name(name))
+            try:
+                self.dom = minidom.parse(self.path_from_policy_name(name))
+            except Exception, e:
+                raise SecurityError(-xsconstants.XSERR_XML_PROCESSING,
+                                    str(e))
         elif dom:
             self.dom = dom
             self.name = self.get_name()
         elif xml:
-            self.dom = minidom.parseString(xml)
+            try:
+                self.dom = minidom.parseString(xml)
+            except Exception, e:
+                raise SecurityError(-xsconstants.XSERR_XML_PROCESSING,
+                                    str(e))
             self.name = self.get_name()
         rc = self.validate()
         if rc != xsconstants.XSERR_SUCCESS:
@@ -481,7 +489,8 @@ class ACMPolicy(XSPolicy):
         strings = []
         i = 0
         while i < len(node.childNodes):
-            if node.childNodes[i].nodeName == "Type":
+            if node.childNodes[i].nodeName == "Type" and \
+               len(node.childNodes[i].childNodes) > 0:
                 strings.append(node.childNodes[i].childNodes[0].nodeValue)
             i += 1
         return strings
@@ -564,7 +573,8 @@ class ACMPolicy(XSPolicy):
             while i < len(node.childNodes):
                 if node.childNodes[i].nodeName == "VirtualMachineLabel":
                     name = self.policy_dom_get(node.childNodes[i], "Name")
-                    strings.append(name.childNodes[0].nodeValue)
+                    if len(name.childNodes) > 0:
+                        strings.append(name.childNodes[0].nodeValue)
                 i += 1
         return strings
 
@@ -592,23 +602,24 @@ class ACMPolicy(XSPolicy):
             i = 0
             while i < len(node.childNodes):
                 if node.childNodes[i].nodeName == "VirtualMachineLabel":
-                    _res = {}
-                    _res['type'] = xsconstants.ACM_LABEL_VM
                     name = self.policy_dom_get(node.childNodes[i], "Name")
-                    _res['name'] = name.childNodes[0].nodeValue
-                    stes = self.policy_dom_get(node.childNodes[i],
-                                               "SimpleTypeEnforcementTypes")
-                    if stes:
-                        _res['stes'] = self.policy_get_types(stes)
-                    else:
-                        _res['stes'] = []
-                    chws = self.policy_dom_get(node.childNodes[i],
-                                               "ChineseWallTypes")
-                    if chws:
-                        _res['chws'] = self.policy_get_types(chws)
-                    else:
-                        _res['chws'] = []
-                    res.append(_res)
+                    if len(name.childNodes) > 0:
+                        _res = {}
+                        _res['type'] = xsconstants.ACM_LABEL_VM
+                        _res['name'] = name.childNodes[0].nodeValue
+                        stes = self.policy_dom_get(node.childNodes[i],
+                                                 "SimpleTypeEnforcementTypes")
+                        if stes:
+                           _res['stes'] = self.policy_get_types(stes)
+                        else:
+                            _res['stes'] = []
+                        chws = self.policy_dom_get(node.childNodes[i],
+                                                   "ChineseWallTypes")
+                        if chws:
+                            _res['chws'] = self.policy_get_types(chws)
+                        else:
+                            _res['chws'] = []
+                        res.append(_res)
                 i += 1
         return res
 
@@ -628,7 +639,8 @@ class ACMPolicy(XSPolicy):
             while i < len(node.childNodes):
                 if node.childNodes[i].nodeName == labeltype:
                     name = self.policy_dom_get(node.childNodes[i], "Name")
-                    if name.childNodes[0].nodeValue == label:
+                    if len(name.childNodes) > 0 and \
+                       name.childNodes[0].nodeValue == label:
                         stes = self.policy_dom_get(node.childNodes[i],
                                             "SimpleTypeEnforcementTypes")
                         if not stes:
@@ -662,7 +674,7 @@ class ACMPolicy(XSPolicy):
                 if node.childNodes[i].nodeName == labeltype:
                     name = self.policy_dom_get(node.childNodes[i], "Name")
                     from_name = name.getAttribute("from")
-                    if from_name:
+                    if from_name and len(name.childNodes) > 0:
                         res.update({from_name : name.childNodes[0].nodeValue})
                 i += 1
         return res
@@ -700,7 +712,7 @@ class ACMPolicy(XSPolicy):
                     name = self.policy_dom_get(node.childNodes[i], "Name")
                     stes = self.policy_dom_get(node.childNodes[i],
                                           "SimpleTypeEnforcementTypes")
-                    if stes:
+                    if stes and len(name.childNodes) > 0:
                         strings.append(name.childNodes[0].nodeValue)
                 i += 1
         return strings
@@ -715,18 +727,19 @@ class ACMPolicy(XSPolicy):
             i = 0
             while i < len(node.childNodes):
                 if node.childNodes[i].nodeName == "ResourceLabel":
-                    _res = {}
-                    _res['type'] = xsconstants.ACM_LABEL_RES
                     name = self.policy_dom_get(node.childNodes[i], "Name")
-                    _res['name'] = name.childNodes[0].nodeValue
-                    stes = self.policy_dom_get(node.childNodes[i],
-                                               "SimpleTypeEnforcementTypes")
-                    if stes:
-                        _res['stes'] = self.policy_get_types(stes)
-                    else:
-                        _res['stes'] = []
-                    _res['chws'] = []
-                    res.append(_res)
+                    if len(name.childNodes) > 0:
+                        _res = {}
+                        _res['type'] = xsconstants.ACM_LABEL_RES
+                        _res['name'] = name.childNodes[0].nodeValue
+                        stes = self.policy_dom_get(node.childNodes[i],
+                                                   "SimpleTypeEnforcementTypes")
+                        if stes:
+                            _res['stes'] = self.policy_get_types(stes)
+                        else:
+                            _res['stes'] = []
+                        _res['chws'] = []
+                        res.append(_res)
                 i += 1
         return res
 

diff --git a/tools/python/xen/util/security.py b/tools/python/xen/util/security.py
index 3cf58854ff6a264018b57c80f2b94d2cbe0b6c83..300133d68f7cb1e0cded0c6d2b5342663064e729 100644 (file)
--- a/tools/python/xen/util/security.py
+++ b/tools/python/xen/util/security.py
@@ -155,75 +155,6 @@ def calc_dom_ssidref_from_info(info):
     raise VmError("security.calc_dom_ssidref_from_info: info of type '%s'"
                   "not supported." % type(info))
 
-# Assumes a 'security' info  [security access_control ...] [ssidref ...]
-def get_security_info(info, field):
-    """retrieves security field from self.info['security'])
-    allowed search fields: ssidref, label, policy
-    """
-    if isinstance(info, dict):
-        security = info['security']
-    elif isinstance(info, list):
-        security = sxp.child_value(info, 'security')
-    if not security:
-        if field == 'ssidref':
-            #return default ssid
-            return 0
-        else:
-            err("Security information not found in info struct.")
-
-    if field == 'ssidref':
-        search = 'ssidref'
-    elif field in ['policy', 'label']:
-            search = 'access_control'
-    else:
-        err("Illegal field in get_security_info.")
-
-    for idx in range(0, len(security)):
-        if search != security[idx][0]:
-            continue
-        if search == 'ssidref':
-            return int(security[idx][1])
-        else:
-            for aidx in range(0, len(security[idx])):
-                if security[idx][aidx][0] == field:
-                    return str(security[idx][aidx][1])
-
-    if search == 'ssidref':
-        return 0
-    else:
-        return None
-
-
-def get_security_printlabel(info):
-    """retrieves printable security label from self.info['security']),
-    preferably the label name and otherwise (if label is not specified
-    in config and cannot be found in mapping file) a hex string of the
-    ssidref or none if both not available
-    """
-    try:
-        if not on():
-            return "INACTIVE"
-        if active_policy in ["DEFAULT"]:
-            return "DEFAULT"
-
-        printlabel = get_security_info(info, 'label')
-        if printlabel:
-            return printlabel
-        ssidref = get_security_info(info, 'ssidref')
-        if not ssidref:
-            return None
-        #try to translate ssidref to a label
-        result = ssidref2label(ssidref)
-        if not result:
-            printlabel = "0x%08x" % ssidref
-        else:
-            printlabel = result
-        return printlabel
-    except ACMError:
-        #don't throw an exception in xm list
-        return "ERROR"
-
-
 
 def getmapfile(policyname):
     """

diff --git a/tools/python/xen/xend/XendConfig.py b/tools/python/xen/xend/XendConfig.py
index c84f75df1ab6ddfd512ec784c3a058ded34e63c2..4dac85061b8568b9e9817f343859e735f32b4c45 100644 (file)
--- a/tools/python/xen/xend/XendConfig.py
+++ b/tools/python/xen/xend/XendConfig.py
@@ -636,6 +636,8 @@ class XendConfig(dict):
                 except ValueError, e:
                     raise XendConfigError('cpus = %s: %s' % (cfg['cpus'], e))
 
+        if not 'security' in cfg and sxp.child_value(sxp_cfg, 'security'):
+            cfg['security'] = sxp.child_value(sxp_cfg, 'security')
         if 'security' in cfg and not cfg.get('security_label'):
             secinfo = cfg['security']
             if isinstance(secinfo, list):

diff --git a/tools/python/xen/xm/main.py b/tools/python/xen/xm/main.py
index 59b5cd92b616bc7fc1c7b2c8635ed3bd582c98c3..4f2e08b01a3b75310db4dc12dcf2faa069934061 100644 (file)
--- a/tools/python/xen/xm/main.py
+++ b/tools/python/xen/xm/main.py
@@ -870,17 +870,13 @@ def parse_doms_info(info):
         'up_time'  : up_time
         }
 
-    if serverType != SERVER_XEN_API:
-        from xen.util import security
-        parsed_info['seclabel'] = security.get_security_printlabel(info)
+    security_label = get_info('security_label', str, '')
+    tmp = security_label.split(":")
+    if len(tmp) != 3:
+        seclabel = ""
     else:
-        label = get_info('security_label', unicode, '')
-        tmp = label.split(":")
-        if len(tmp) != 3:
-            label = ""
-        else:
-            label = tmp[2]
-        parsed_info['seclabel'] = label
+        seclabel = tmp[2]
+    parsed_info['seclabel'] = seclabel
 
     if serverType == SERVER_XEN_API:
         parsed_info['mem'] = get_info('memory_actual', int, 0) / 1024
@@ -2048,18 +2044,6 @@ def parse_block_configuration(args):
     if len(args) == 5:
         vbd.append(['backend', args[4]])
 
-    if serverType != SERVER_XEN_API:
-        # verify that policy permits attaching this resource
-        from xen.util import security
-    
-        if security.on():
-            dominfo = server.xend.domain(dom)
-            label = security.get_security_printlabel(dominfo)
-        else:
-            label = None
-
-        security.res_security_check(args[1], label)
-
     return (dom, vbd)
 
 

diff --git a/tools/security/policies/security_policy.xsd b/tools/security/policies/security_policy.xsd
index f797cdda7746141a6689d9de172458651f875885..4391a77253fa9efbdc11943cf574df384013e251 100644 (file)
--- a/tools/security/policies/security_policy.xsd
+++ b/tools/security/policies/security_policy.xsd
@@ -99,7 +99,7 @@
                        <xsd:sequence>
                                <xsd:element name="Name" type="NameWithFrom"></xsd:element>
                                <xsd:element ref="SimpleTypeEnforcementTypes" minOccurs="0" maxOccurs="unbounded" />
-                               <xsd:element name="ChineseWallTypes" type="SingleChineseWallType" />
+                               <xsd:element ref="ChineseWallTypes" minOccurs="0" maxOccurs="unbounded" />
                        </xsd:sequence>
                </xsd:complexType>
        </xsd:element>
@@ -143,9 +143,4 @@
                        <xsd:element maxOccurs="1" minOccurs="1" ref="Type" />
                </xsd:sequence>
        </xsd:complexType>
-       <xsd:complexType name="SingleChineseWallType">
-               <xsd:sequence>
-                       <xsd:element maxOccurs="1" minOccurs="1" ref="Type" />
-               </xsd:sequence>
-       </xsd:complexType>
 </xsd:schema>