From cd0ce972887f0487f3279d7aa84a147ba4374b8d Mon Sep 17 00:00:00 2001
From: Keir Fraser
Date: Tue, 1 Apr 2008 10:08:03 +0100
Subject: [PATCH] xend: XSPolicy.can_run xend support
Signed-off-by: Stefan Berger
---
 tools/python/xen/util/xsconstants.py | 8 +++--
 tools/python/xen/util/xsm/acm/acm.py | 42 ++++++++++++++++++++++++++-
 tools/python/xen/xend/XendXSPolicy.py | 10 ++++++-
 3 files changed, 56 insertions(+), 4 deletions(-)
diff --git a/tools/python/xen/util/xsconstants.py b/tools/python/xen/util/xsconstants.py
index 856ef43aca..730d66fbf5 100644
--- a/tools/python/xen/util/xsconstants.py
+++ b/tools/python/xen/util/xsconstants.py
@@ -57,7 +57,9 @@ XSERR_POLICY_NOT_LOADED = 22 + XSERR_BASE
 XSERR_RESOURCE_ACCESS = 23 + XSERR_BASE
 XSERR_HV_OP_FAILED = 24 + XSERR_BASE
 XSERR_BOOTPOLICY_INSTALL_ERROR = 25 + XSERR_BASE
-XSERR_LAST = 25 + XSERR_BASE ## KEEP LAST
+XSERR_VM_NOT_AUTHORIZED = 26 + XSERR_BASE
+XSERR_VM_IN_CONFLICT = 27 + XSERR_BASE
+XSERR_LAST = 27 + XSERR_BASE ## KEEP LAST
 XSERR_MESSAGES = [
 '',
@@ -85,7 +87,9 @@ XSERR_MESSAGES = [
 'The policy is not loaded',
 'Error accessing resource',
 'Operation failed in hypervisor',
- 'Boot policy installation error'
+ 'Boot policy installation error',
+ 'VM is not authorized to run',
+ 'VM label conflicts with another VM'
 ]
 def xserr2string(err):
diff --git a/tools/python/xen/util/xsm/acm/acm.py b/tools/python/xen/util/xsm/acm/acm.py
index 98b6ec1312..e8de0fa60c 100644
--- a/tools/python/xen/util/xsm/acm/acm.py
+++ b/tools/python/xen/util/xsm/acm/acm.py
@@ -68,6 +68,7 @@ policy_name_re = re.compile(".*[chwall|ste|chwall_ste].*", re.IGNORECASE)
 #decision hooks known to the hypervisor
 ACMHOOK_sharing = 1
 ACMHOOK_authorization = 2
+ACMHOOK_conflictset = 3
 #other global variables
 NULL_SSIDREF = 0
@@ -373,7 +374,7 @@ def label2ssidref(labelname, policyname, typ):
 else:
 return (sec_ssid[0] << 16) | pri_ssid[0]
 finally:
- mapfile_unlock()
+ mapfile_unlock()
 def refresh_ssidref(config):
@@ -552,6 +553,18 @@ def hv_get_policy():
 return rc, bin_pol
+def is_in_conflict(ssidref):
+ """ Check whether the given ssidref is in conflict with any running
+ domain.
+ """
+ decision = acm.getdecision('ssidref', str(ssidref),
+ 'ssidref', str(ssidref),
+ ACMHOOK_conflictset)
+ if decision == "DENIED":
+ return True
+ return False
+
+
 def set_policy(xs_type, xml, flags, overwrite):
 """
 Xend exports this function via XML-RPC
@@ -1550,6 +1563,33 @@ def get_security_label(self, xspol=None):
 return label
+def check_can_run(sec_label):
+ """ Check whether a VM could run, given its vm label. A VM can run if
+ - it is authorized
+ - is not in conflict with any running domain
+ """
+ try:
+ mapfile_lock()
+
+ if sec_label == None or sec_label == "":
+ vm_label = ACM_LABEL_UNLABELED
+ else:
+ poltype, policy, vm_label = sec_label.split(':')
+ if policy != get_active_policy_name():
+ return -xsconstants.XSERR_BAD_POLICY_NAME
+ ssidref = label2ssidref(vm_label, policy, 'dom')
+ if ssidref != xsconstants.INVALID_SSIDREF:
+ if not has_authorization(ssidref):
+ return -xsconstants.XSERR_VM_NOT_AUTHORIZED
+ if is_in_conflict(ssidref):
+ return -xsconstants.XSERR_VM_IN_CONFLICT
+ return -xsconstants.XSERR_SUCCESS
+ else:
+ return -xsconstants.XSERR_BAD_LABEL
+ finally:
+ mapfile_unlock()
+
+
 __cond = threading.Condition()
 __script_runner = None
 __orders = []
diff --git a/tools/python/xen/xend/XendXSPolicy.py b/tools/python/xen/xend/XendXSPolicy.py
index dff029ddde..0b6d5bc388 100644
--- a/tools/python/xen/xend/XendXSPolicy.py
+++ b/tools/python/xen/xend/XendXSPolicy.py
@@ -48,7 +48,8 @@ class XendXSPolicy(XendBase):
 'rm_xsbootpolicy',
 'get_resource_label',
 'set_resource_label',
- 'get_labeled_resources' ]
+ 'get_labeled_resources',
+ 'can_run' ]
 return XendBase.getFuncs() + funcs
 getClass = classmethod(getClass)
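Review bot: `is_in_conflict` (hunk `@@ -552`) fails open: only the exact string "DENIED" counts as a conflict, so any other value coming back from `acm.getdecision` is reported as "no conflict". If the binding can return None, an empty string or anything else after a failed hypervisor call, a VM that should be blocked is let through. For an access decision the safer form treats everything except the permitting verdict as a conflict, e.g. `return decision != "PERMITTED"`, assuming that is the string the binding returns on permit (confirm against the acm module). The docstring could also say that the same ssidref is deliberately passed as both arguments of the conflict-set hook.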
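Review bot: In `check_can_run` (hunk `@@ -1550`) the unlabeled branch (`sec_label == None or sec_label == ""`) assigns only `vm_label`, yet `label2ssidref(vm_label, policy, 'dom')` also reads `policy`, which is bound only in the `else` branch. Indentation is lost on this page, but if the lookup sits after the if/else, an unlabeled VM raises UnboundLocalError instead of getting a verdict; binding it in that branch, e.g. `policy = get_active_policy_name()`, would give the case a defined result. `sec_label.split(':')` also assumes exactly three fields and raises ValueError otherwise, so the function relies on its caller having validated the label; returning `-xsconstants.XSERR_BAD_LABEL` for a malformed label would make it safe to call on its own. Separately, `label2ssidref` calls `mapfile_unlock()` in its own `finally` (visible in the `@@ -373` hunk), so unless the mapfile lock nests, the authorization and conflict checks here run after the lock has been dropped and the outer `finally` unlocks a second time; this is worth confirming.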
@@ -190,6 +191,12 @@ class XendXSPolicy(XendBase):
 res = security.get_resource_label_xapi(resource)
 return res
+ def can_run(self, sec_label):
+ irc = security.validate_label_xapi(sec_label, 'dom')
+ if irc != xsconstants.XSERR_SUCCESS:
+ raise SecurityError(irc)
+ return security.check_can_run(sec_label)
+
 get_xstype = classmethod(get_xstype)
 get_xspolicy = classmethod(get_xspolicy)
 set_xspolicy = classmethod(set_xspolicy)
@@ -198,6 +205,7 @@ class XendXSPolicy(XendBase):
 set_resource_label = classmethod(set_resource_label)
 get_resource_label = classmethod(get_resource_label)
 get_labeled_resources = classmethod(get_labeled_resources)
+ can_run = classmethod(can_run)
 class XendACMPolicy(XendXSPolicy):
--
2.30.2
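Review bot: `can_run` (hunk `@@ -190`) reports a denial through its return value rather than an exception: it passes back the code from `security.check_can_run`, which is `-xsconstants.XSERR_SUCCESS` (presumably 0) when the VM may run and a negated error code when it may not. A caller that tests the result for truth would therefore read a denial as permission. The method has no docstring; one stating the contract would help, e.g. `"""Return 0 if a VM labeled sec_label may run now, else a negated XSERR_* code; raise SecurityError if the label is invalid."""`, or the method could raise `SecurityError` on denial as it already does for an invalid label. The answer is also only a snapshot, since the set of running domains can change before the VM starts, so it should be documented as advisory and the check repeated at domain start. The class body continues outside the hunk.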