[TPM] Allow all tests of the xm test suite to be run when ACM

security is turned on in hypervisor. This is done by implicitly
labeling VMs and resources if they have not been labeled through
explicit calls.
To allow the xm tests suite to label resources automatically, run

./configure --enable-full-labeling

once. To turn it off, the '--enable-full-labeling' parameter should be
omitted.

Signed-off-by: Stefan Berger <stefanb@us.ibm.com>

diff --git a/tools/xm-test/README b/tools/xm-test/README
index ba6b91e90b30fa1616d65b33ae11518561ac67f1..22a07c40126e8f91f6448b51f84b06c7167e7692 100644 (file)
--- a/tools/xm-test/README
+++ b/tools/xm-test/README
@@ -125,8 +125,8 @@ following command from the xm-test directory
 
 Some of these tests will work even without support of ACM by Xen.
 
-Several of these tests require the privilege of being allowed to label
-resources and will otherwise be skipped. By default the test suite
+The xm test suite has been extended to support labeling of resources
+as required by the existing tests. However, by default the test suite
 is not allowed to automatically label resources since this may affect
 existing labels. To enable this, the test suite must be configured with
 the following parameter passed to the configure scripts (in addition to

diff --git a/tools/xm-test/lib/XmTestLib/XenDomain.py b/tools/xm-test/lib/XmTestLib/XenDomain.py
index 2f57b10fcff521db747352f5cbc6d6d36f075774..e78fd7f6c4e42ad1fa1ef86235a894d4e45c8eb8 100644 (file)
--- a/tools/xm-test/lib/XmTestLib/XenDomain.py
+++ b/tools/xm-test/lib/XmTestLib/XenDomain.py
@@ -29,6 +29,7 @@ from Test import *
 from config import *
 from Console import *
 from XenDevice import *
+from acm import *
 
 BLOCK_ROOT_DEV = "hda"
 
@@ -103,7 +104,8 @@ class XenConfig:
         self.defaultOpts["vif"]  = []
         self.defaultOpts["vtpm"] = []
         if isACMEnabled():
-            self.defaultOpts["access_control"] = []
+            #A default so every VM can start with ACM enabled
+            self.defaultOpts["access_control"] = ['policy=xm-test,label=red']
 
         self.opts = self.defaultOpts
 
@@ -131,6 +133,7 @@ class XenConfig:
         output = file(filename, "w")
         output.write(self.toString())
         output.close()
+        ACMPrepareSystem(self.opts)
 
     def __str__(self):
         """When used as a string, we represent ourself by a config

diff --git a/tools/xm-test/lib/XmTestLib/acm.py b/tools/xm-test/lib/XmTestLib/acm.py
index 7a49fa3348d71a41c06db9b7750581b9fd111b31..dd1e67646d21a30ff267792d2bfa8df13c9cca82 100644 (file)
--- a/tools/xm-test/lib/XmTestLib/acm.py
+++ b/tools/xm-test/lib/XmTestLib/acm.py
@@ -26,7 +26,7 @@ except:
     ACM_LABEL_RESOURCES = False
 
 labeled_resources = {}
-acm_verbose = False
+acm_verbose = True
 
 def isACMEnabled():
     return security.on()
@@ -43,6 +43,17 @@ def ACMLoadPolicy(policy='xm-test'):
              "Start the system without any policy.\n%s" %
              (policy, o))
 
+def ACMPrepareSystem(resources):
+    if isACMEnabled():
+        ACMLoadPolicy()
+        ACMLabelResources(resources)
+
+def ACMLabelResources(resources):
+    for k, v in resources.items():
+        if k == "disk":
+            for vv in v:
+                res = vv.split(',')[0]
+                ACMLabelResource(res)
 
 # Applications may label resources explicitly by calling this function
 def ACMLabelResource(resource, label='red'):

diff --git a/tools/xm-test/lib/XmTestLib/block_utils.py b/tools/xm-test/lib/XmTestLib/block_utils.py
index 38c5d20d5fe28d4017da2b6c6169ae4f9ac690a6..c315c17bd16719f0da977afdee8be6acbb71bdb9 100644 (file)
--- a/tools/xm-test/lib/XmTestLib/block_utils.py
+++ b/tools/xm-test/lib/XmTestLib/block_utils.py
@@ -6,6 +6,7 @@
 import time
 
 from XmTestLib import *
+from acm import *
 
 import xen.util.blkif
 
@@ -26,6 +27,7 @@ def get_state(domain, devname):
 
 
 def block_attach(domain, phy, virt):
+    ACMLabelResource(phy)
     status, output = traceCommand("xm block-attach %s %s %s w" %
                                   (domain.getName(), phy, virt))
     if status != 0:

diff --git a/tools/xm-test/runtest.sh b/tools/xm-test/runtest.sh
index 9e11824b8073221fa0ad4867852df41bb5f9e223..2bcc46110fdc246e2e06f28cadfb1774fb31fb1d 100755 (executable)
--- a/tools/xm-test/runtest.sh
+++ b/tools/xm-test/runtest.sh
@@ -197,6 +197,8 @@ run=yes
 unsafe=no
 GROUPENTERED=default
 
+cp -f tests/security-acm/xm-test-security_policy.xml /etc/xen/acm-security/policies
+
 # Resolve options
 while [ $# -gt 0 ]
   do