XSERR_RESOURCE_ACCESS = 23 + XSERR_BASE
XSERR_HV_OP_FAILED = 24 + XSERR_BASE
XSERR_BOOTPOLICY_INSTALL_ERROR = 25 + XSERR_BASE
-XSERR_LAST = 25 + XSERR_BASE ## KEEP LAST
+XSERR_VM_NOT_AUTHORIZED = 26 + XSERR_BASE
+XSERR_VM_IN_CONFLICT = 27 + XSERR_BASE
+XSERR_LAST = 27 + XSERR_BASE ## KEEP LAST
XSERR_MESSAGES = [
'',
'The policy is not loaded',
'Error accessing resource',
'Operation failed in hypervisor',
- 'Boot policy installation error'
+ 'Boot policy installation error',
+ 'VM is not authorized to run',
+ 'VM label conflicts with another VM'
]
def xserr2string(err):
#decision hooks known to the hypervisor
ACMHOOK_sharing = 1
ACMHOOK_authorization = 2
+ACMHOOK_conflictset = 3
#other global variables
NULL_SSIDREF = 0
else:
return (sec_ssid[0] << 16) | pri_ssid[0]
finally:
- mapfile_unlock()
+ mapfile_unlock()
def refresh_ssidref(config):
return rc, bin_pol
+def is_in_conflict(ssidref):
+ """ Check whether the given ssidref is in conflict with any running
+ domain.
+ """
+ decision = acm.getdecision('ssidref', str(ssidref),
+ 'ssidref', str(ssidref),
+ ACMHOOK_conflictset)
+ if decision == "DENIED":
+ return True
+ return False
+
+
def set_policy(xs_type, xml, flags, overwrite):
"""
Xend exports this function via XML-RPC
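Review bot: `is_in_conflict` fails open: only the exact string "DENIED" counts as a conflict, so any other value from `acm.getdecision` (an error string, an empty result, a future decision code) is reported as "no conflict". For a conflict-set check it is safer to invert the test and treat only the binding's explicit permit value as no conflict; that value is not visible in this hunk. The docstring should also say that the ssidref is passed as both subject and object, and that the hypervisor evaluates it against running domains through `ACMHOOK_conflictset`. As a style point, the `if ...: return True` / `return False` pair collapses to a single boolean return.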
return label
+def check_can_run(sec_label):
+ """ Check whether a VM could run, given its vm label. A VM can run if
+ - it is authorized
+ - is not in conflict with any running domain
+ """
+ try:
+ mapfile_lock()
+
+ if sec_label == None or sec_label == "":
+ vm_label = ACM_LABEL_UNLABELED
+ else:
+ poltype, policy, vm_label = sec_label.split(':')
+ if policy != get_active_policy_name():
+ return -xsconstants.XSERR_BAD_POLICY_NAME
+ ssidref = label2ssidref(vm_label, policy, 'dom')
+ if ssidref != xsconstants.INVALID_SSIDREF:
+ if not has_authorization(ssidref):
+ return -xsconstants.XSERR_VM_NOT_AUTHORIZED
+ if is_in_conflict(ssidref):
+ return -xsconstants.XSERR_VM_IN_CONFLICT
+ return -xsconstants.XSERR_SUCCESS
+ else:
+ return -xsconstants.XSERR_BAD_LABEL
+ finally:
+ mapfile_unlock()
+
+
__cond = threading.Condition()
__script_runner = None
__orders = []
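Review bot: In `check_can_run`, the unlabeled branch sets only `vm_label`, yet `label2ssidref(vm_label, policy, 'dom')` also needs `policy`. Indentation is lost on this page, but if that call sits after the if/else (the only reading that makes the unlabeled branch useful), an empty or None label raises an unbound-variable error instead of returning a decision. Binding the policy on that path would fix it, e.g. `policy = get_active_policy_name()`, assuming the active policy is what an unlabeled VM should be checked against. `sec_label.split(':')` raises ValueError for anything other than three fields, so either guard it and return `-xsconstants.XSERR_BAD_LABEL`, or document that callers must validate the label first. Finally, `mapfile_lock()` is inside the `try`, so a failed acquisition still reaches `mapfile_unlock()`; taking the lock before `try:` avoids releasing a lock that was never held.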
'rm_xsbootpolicy',
'get_resource_label',
'set_resource_label',
- 'get_labeled_resources' ]
+ 'get_labeled_resources',
+ 'can_run' ]
return XendBase.getFuncs() + funcs
getClass = classmethod(getClass)
res = security.get_resource_label_xapi(resource)
return res
+ def can_run(self, sec_label):
+ irc = security.validate_label_xapi(sec_label, 'dom')
+ if irc != xsconstants.XSERR_SUCCESS:
+ raise SecurityError(irc)
+ return security.check_can_run(sec_label)
+
get_xstype = classmethod(get_xstype)
get_xspolicy = classmethod(get_xspolicy)
set_xspolicy = classmethod(set_xspolicy)
set_resource_label = classmethod(set_resource_label)
get_resource_label = classmethod(get_resource_label)
get_labeled_resources = classmethod(get_labeled_resources)
+ can_run = classmethod(can_run)
class XendACMPolicy(XendXSPolicy):
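Review bot: `can_run` reports failure through two different channels and documents neither. A label that fails `validate_label_xapi` raises `SecurityError(irc)`, while "not authorized" and "in conflict" come back as negated XSERR_* return values from `security.check_can_run`. A client that treats "no exception" as permission would therefore start a VM that was denied. A docstring should state the contract, e.g. `"""Return XSERR_SUCCESS if a VM with sec_label may start, else a negated XSERR_* code; raises SecurityError for an invalid label."""`, or both cases should raise. As far as this hunk shows, the answer is also only a point-in-time hint, since the map-file lock is released before the caller acts on it, so the check should be documented as advisory and enforcement at domain creation must remain in place.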