From 8917832a55d01ea649c7d6a0265ccb3177098280 Mon Sep 17 00:00:00 2001 From: "kfraser@localhost.localdomain" Date: Wed, 18 Oct 2006 16:08:58 +0100 Subject: [PATCH] [TPM] Allow all tests of the xm test suite to be run when ACM security is turned on in hypervisor. This is done by implicitly labeling VMs and resources if they have not been labeled through explicit calls. To allow the xm tests suite to label resources automatically, run ./configure --enable-full-labeling once. To turn it off, the '--enable-full-labeling' parameter should be omitted. Signed-off-by: Stefan Berger --- tools/xm-test/README | 4 ++-- tools/xm-test/lib/XmTestLib/XenDomain.py | 5 ++++- tools/xm-test/lib/XmTestLib/acm.py | 13 ++++++++++++- tools/xm-test/lib/XmTestLib/block_utils.py | 2 ++ tools/xm-test/runtest.sh | 2 ++ 5 files changed, 22 insertions(+), 4 deletions(-) diff --git a/tools/xm-test/README b/tools/xm-test/README index ba6b91e90b..22a07c4012 100644 --- a/tools/xm-test/README +++ b/tools/xm-test/README @@ -125,8 +125,8 @@ following command from the xm-test directory Some of these tests will work even without support of ACM by Xen. -Several of these tests require the privilege of being allowed to label -resources and will otherwise be skipped. By default the test suite +The xm test suite has been extended to support labeling of resources +as required by the existing tests. However, by default the test suite is not allowed to automatically label resources since this may affect existing labels. To enable this, the test suite must be configured with the following parameter passed to the configure scripts (in addition to diff --git a/tools/xm-test/lib/XmTestLib/XenDomain.py b/tools/xm-test/lib/XmTestLib/XenDomain.py index 2f57b10fcf..e78fd7f6c4 100644 --- a/tools/xm-test/lib/XmTestLib/XenDomain.py +++ b/tools/xm-test/lib/XmTestLib/XenDomain.py @@ -29,6 +29,7 @@ from Test import * from config import * from Console import * from XenDevice import * +from acm import * BLOCK_ROOT_DEV = "hda" 
@@ -103,7 +104,8 @@ class XenConfig: self.defaultOpts["vif"] = [] self.defaultOpts["vtpm"] = [] if isACMEnabled(): - self.defaultOpts["access_control"] = [] + #A default so every VM can start with ACM enabled + self.defaultOpts["access_control"] = ['policy=xm-test,label=red'] self.opts = self.defaultOpts @@ -131,6 +133,7 @@ class XenConfig: output = file(filename, "w") output.write(self.toString()) output.close() + ACMPrepareSystem(self.opts) def __str__(self): """When used as a string, we represent ourself by a config diff --git a/tools/xm-test/lib/XmTestLib/acm.py b/tools/xm-test/lib/XmTestLib/acm.py index 7a49fa3348..dd1e67646d 100644 --- a/tools/xm-test/lib/XmTestLib/acm.py +++ b/tools/xm-test/lib/XmTestLib/acm.py @@ -26,7 +26,7 @@ except: ACM_LABEL_RESOURCES = False labeled_resources = {} -acm_verbose = False +acm_verbose = True def isACMEnabled(): return security.on() @@ -43,6 +43,17 @@ def ACMLoadPolicy(policy='xm-test'): "Start the system without any policy.\n%s" % (policy, o)) +def ACMPrepareSystem(resources): + if isACMEnabled(): + ACMLoadPolicy() + ACMLabelResources(resources) + +def ACMLabelResources(resources): + for k, v in resources.items(): + if k == "disk": + for vv in v: + res = vv.split(',')[0] + ACMLabelResource(res) # Applications may label resources explicitly by calling this function def ACMLabelResource(resource, label='red'): diff --git a/tools/xm-test/lib/XmTestLib/block_utils.py b/tools/xm-test/lib/XmTestLib/block_utils.py index 38c5d20d5f..c315c17bd1 100644 --- a/tools/xm-test/lib/XmTestLib/block_utils.py +++ b/tools/xm-test/lib/XmTestLib/block_utils.py @@ -6,6 +6,7 @@ import time from XmTestLib import * +from acm import * import xen.util.blkif @@ -26,6 +27,7 @@ def get_state(domain, devname): def block_attach(domain, phy, virt): + ACMLabelResource(phy) status, output = traceCommand("xm block-attach %s %s %s w" % (domain.getName(), phy, virt)) if status != 0: 
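Review bot: The new default `['policy=xm-test,label=red']` repeats the policy name and label that acm.py already carries as the defaults of `ACMLoadPolicy(policy='xm-test')` and `ACMLabelResource(resource, label='red')`, so the VM label and the resource label only agree while three literals are kept in sync by hand. Defining both names once in acm.py (which XenDomain.py now imports) and building the string from them, e.g. `'policy=%s,label=%s' % (ACM_POLICY, ACM_LABEL)` with constant names chosen by the author, would remove that coupling. The comment would read better as `# Default label so that every VM can start when ACM is enabled`, and it should mention that a config created this way never starts an unlabeled domain. The enclosing method starts and ends outside the hunk.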
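Review bot: Writing a config file now has a system-wide side effect, because `ACMPrepareSystem(self.opts)` after `output.close()` loads a policy into the hypervisor and labels every disk named in the options. Nothing in the method says so, and its signature and docstring are outside the hunk. A comment such as `# With ACM enabled this also loads the xm-test policy and labels the disks in self.opts` directly above the call would make this visible to callers. Whether the labeling honours the `--enable-full-labeling` opt-in described in the README depends on the body of `ACMLabelResource`, which is not shown here, so that gate deserves a mention in the same comment.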
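Review bot: Flipping `acm_verbose` to `True` is not mentioned in the commit message and looks like a debugging leftover. If verbose output is intended for the suite from now on, a short comment on the line (`# print policy/label commands and their output while tests run`, wording to be confirmed against its users) would say why; otherwise it should stay `False`.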
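Review bot: `ACMLabelResources` walks every key of the options dict only to act on `"disk"`, and neither new function has a docstring. The loop can be written as `for spec in resources.get("disk", []):` followed by `ACMLabelResource(spec.split(',')[0])`. This also makes it plain that a `disk` value which is a single string rather than a list would be iterated character by character, and whether that can happen depends on how the options are set outside this hunk. `ACMPrepareSystem` calls `ACMLoadPolicy()` on every config write, so the docstring should say whether reloading an already loaded policy is harmless. A one-line docstring on each function stating that existing labels on the named resources may be replaced with the default label would match the warning in the README.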
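Review bot: `block_attach` now calls `ACMLabelResource(phy)` unconditionally, whereas the other new entry point, `ACMPrepareSystem`, only labels inside `if isACMEnabled():`. Unless `ACMLabelResource` itself returns early when ACM is off or labeling is not permitted (its body is outside the hunk), every block-attach test will try to label the device on systems without ACM. Guarding the call the same way, `if isACMEnabled(): ACMLabelResource(phy)`, keeps the two paths consistent. The rest of `block_attach` continues outside the hunk.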
diff --git a/tools/xm-test/runtest.sh b/tools/xm-test/runtest.sh index 9e11824b80..2bcc46110f 100755 --- a/tools/xm-test/runtest.sh +++ b/tools/xm-test/runtest.sh @@ -197,6 +197,8 @@ run=yes unsafe=no GROUPENTERED=default +cp -f tests/security-acm/xm-test-security_policy.xml /etc/xen/acm-security/policies + # Resolve options while [ $# -gt 0 ] do -- 2.30.2
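Review bot: The added `cp -f` runs on every invocation of runtest.sh, before the options are resolved, so it overwrites a file under /etc/xen/acm-security/policies regardless of whether ACM is enabled or the suite was configured with --enable-full-labeling. Its exit status is ignored, the source path only resolves when the script is started from the xm-test directory, and without a trailing slash on the destination a missing `policies` directory makes cp create a regular file of that name. Moving the copy after option parsing, so that it runs only when the ACM tests will run, would address the first point. Writing it as `cp -f tests/security-acm/xm-test-security_policy.xml /etc/xen/acm-security/policies/ || echo "cannot install xm-test ACM policy" >&2` would surface failures instead of letting later tests fail for an unrelated-looking reason.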