rc = -xsconstants.XSERR_GENERAL_FAILURE
if rc != xsconstants.XSERR_SUCCESS:
log.warn("XML did not validate against schema")
- rc = self.__validate_name_and_labels()
+ if rc == xsconstants.XSERR_SUCCESS:
+ rc = self.__validate_name_and_labels()
return rc
def __validate_name_and_labels(self):
def policy_get_stes_of_vmlabel(self, vmlabel):
""" Get a list of all STEs of a given VMlabel """
return self.__policy_get_stes_of_labeltype(vmlabel,
- "VirtualMachineLabel")
+ "/SubjectLabels", "VirtualMachineLabel")
def policy_get_stes_of_resource(self, reslabel):
""" Get a list of all resources of a given VMlabel """
- return self.__policy_get_stes_of_labeltype(reslabel, "ResourceLabel")
+ return self.__policy_get_stes_of_labeltype(reslabel,
+ "/ObjectLabels", "ResourceLabel")
- def __policy_get_stes_of_labeltype(self, label, labeltype):
- node = self.dom_get_node("SecurityLabelTemplate/SubjectLabels")
+ def __policy_get_stes_of_labeltype(self, label, path, labeltype):
+ node = self.dom_get_node("SecurityLabelTemplate" + path)
if node:
i = 0
while i < len(node.childNodes):
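Review bot: The new `path` argument of `__policy_get_stes_of_labeltype` is concatenated unchecked into the node lookup (`"SecurityLabelTemplate" + path`) and is undocumented; both callers pass fixed literals, so a docstring naming the accepted values would keep a later caller from handing it an arbitrary fragment, e.g. `""" Return the STEs of label; path is "/SubjectLabels" or "/ObjectLabels", labeltype the element name to match """`. The docstring of `policy_get_stes_of_resource` still reads "Get a list of all resources of a given VMlabel" although the call now looks up a resource label under /ObjectLabels; `""" Get a list of all STEs of a given resource label """` would match the code. The body of `__policy_get_stes_of_labeltype` continues past the end of the hunk.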
return False
for res in resources:
res_stes = self.policy_get_stes_of_resource(res)
- if len( set(res_stes).union( set(vm_stes) ) ) == 0:
+ if len(res_stes) == 0 or \
+ len( set(res_stes).intersection( set(vm_stes) ) ) == 0:
return False
return True
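Review bot: The `len(res_stes) == 0` clause at the top of the new condition is redundant with the intersection test, since an empty `res_stes` already yields an empty intersection; if it is meant to guard against `policy_get_stes_of_resource` returning None, `len(None)` raises, so `if not res_stes or not set(res_stes) & vm_ste_set:` is both safer and shorter, with `vm_ste_set = set(vm_stes)` hoisted above the `for` loop so it is not rebuilt for every resource. The enclosing function starts before the hunk, so whether `vm_stes` is guaranteed non-None there cannot be seen from here.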
lst.append(dominfo)
return lst
-def devices_equal(res1, res2):
+def devices_equal(res1, res2, mustexist=True):
""" Determine whether two devices are equal """
- return (unify_resname(res1) == unify_resname(res2))
+ return (unify_resname(res1, mustexist) ==
+ unify_resname(res2, mustexist))
def is_resource_in_use_by_dom(dominfo, resource):
""" Determine whether a resources is in use by a given domain
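Review bot: `devices_equal` gains a `mustexist` parameter but its docstring still describes only the two-argument form; since the flag is forwarded verbatim to `unify_resname`, the docstring should say so, e.g. `""" Determine whether two devices are equal; mustexist is passed through to unify_resname() for both names """`. Passing it by keyword, `unify_resname(res1, mustexist=mustexist)`, would also make the call robust to a later change of unify_resname's positional signature, provided its parameter is named the same.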
dev = devs[uuid]
if len(dev) >= 2 and dev[1].has_key('uname'):
# dev[0] is type, i.e. 'vbd'
- if devices_equal(dev[1]['uname'], resource):
+ if devices_equal(dev[1]['uname'], resource, mustexist=False):
log.info("RESOURCE IN USE: Domain %d uses %s." %
(dominfo.domid, resource))
return True
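Review bot: The call now passes `mustexist=False` without a why-comment, and the default of `mustexist=True` suggests the name previously had to resolve, so the reason for relaxing that on this particular in-use check should be recorded on the line above, e.g. `# mustexist=False: a device the domain still references must count as in use even if its name cannot be resolved right now` — that reading is inferred from the names and should be confirmed by the author. `is_resource_in_use_by_dom` starts before the hunk, so the loop over `devs` is only partly visible here.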
(rc, errors, oldlabel, new_ssidref) = \
dom.set_security_label(sec_label, old_label)
if rc != xsconstants.XSERR_SUCCESS:
- return xen_api_error(['SECURITY_ERROR', rc])
+ return xen_api_error(['SECURITY_ERROR', rc,
+ xsconstants.xserr2string(-rc)])
if rc == 0:
rc = new_ssidref
return xen_api_success(rc)
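Review bot: The failure test here is `rc != xsconstants.XSERR_SUCCESS`, yet the added line converts the code with `xsconstants.xserr2string(-rc)`, which only makes sense if every non-success rc is negative; the parallel VDI hunk ending at the next `return xen_api_success(rc)` uses `rc < 0` for the same construction. If `dom.set_security_label` can return a positive non-success value, `xserr2string` would receive a negative argument, so either this check should read `if rc < 0:` as well, or a comment should state that failures are always negative (the first hunk's `rc = -xsconstants.XSERR_GENERAL_FAILURE` suggests that convention). The same note applies to the VDI hunk below.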
vdi = XendNode.instance().get_vdi_by_uuid(vdi_ref)
rc = vdi.set_security_label(sec_lab, old_lab)
if rc < 0:
- return xen_api_error(['SECURITY_ERROR', rc])
+ return xen_api_error(['SECURITY_ERROR', rc,
+ xsconstants.xserr2string(-rc)])
return xen_api_success(rc)
def VDI_get_security_label(self, session, vdi_ref):
from xen.util.xmlrpclib2 import stringify
from xmlrpclib import dumps, loads
from xen.util import security, xsconstants
+from xen.xend.XendError import SecurityError
KB = 1024
MB = 1024 * 1024
typ = data[1]
try:
if typ == xsconstants.ACM_POLICY_ID:
- self.xsobjs[ref] = ACMPolicy(name=name, ref=ref)
+ try:
+ self.xsobjs[ref] = ACMPolicy(name=name, ref=ref)
+ except Exception, e:
+ del self.policies[ref]
else:
del self.policies[ref]
except Exception, e:
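Review bot: The new inner `except Exception, e:` drops a policy that failed to construct (`del self.policies[ref]`) without recording the error, so a policy that cannot be loaded vanishes from the policy table with no trace, and the bound `e` is never used. Log it before deleting, e.g. `log.warn("Cannot load ACM policy '%s' (%s): %s" % (name, ref, e))`, using whatever logger this module has (the `log` seen in the first hunk may belong to a different module). Note also that `del self.policies[ref]` inside the handler raises KeyError if `ref` is already gone, which would then fall to the outer `except Exception, e:` on the last line, whose body is outside the hunk.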
return pol
return None
+ def get_hv_loaded_policy_name(self):
+ security.refresh_security_policy()
+ return security.active_policy
+
def get_policy_by_name(self, name):
for pol in self.xsobjs.values():
if pol.get_name() == name:
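Review bot: `get_hv_loaded_policy_name` has no docstring, and since it mutates module-level state (`security.refresh_security_policy()`) before reading `security.active_policy`, a short one would help callers understand the side effect, e.g. `""" Refresh the security policy state and return the name of the policy currently loaded in the hypervisor (security.active_policy) """`. Whether `security.active_policy` holds a name string cannot be confirmed from this hunk; the wording takes the method name at face value.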
OptionError("No policy installed on system?")
acmpol = ACMPolicy(xml=xml)
if acmpol.get_name() != policy:
- OptionError("Policy installed on system '%s' does not match the "
- "request policy '%s'" % (acmpol.get_name(), policy))
+ raise OptionError("Policy installed on system '%s' does not "
+ "match the requested policy '%s'" %
+ (acmpol.get_name(), policy))
flags = int(policystate['flags']) | xsconstants.XS_INST_BOOT
rc = int(server.xenapi.XSPolicy.activate_xspolicy(xs_ref, flags))
if rc == flags:
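Review bot: The `raise` added here fixes only one of two identical mistakes: two lines above the change, `OptionError("No policy installed on system?")` is still constructed and discarded rather than raised, unless it is the continuation of a `raise` on a line before the hunk. As written an empty `xml` would fall through to `ACMPolicy(xml=xml)` and on to the activate call below; the fix is `raise OptionError("No policy installed on system?")`. The enclosing function starts before the hunk.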