From c50b989b44b97671e45129c008ec68573685f5fc Mon Sep 17 00:00:00 2001
From: Keir Fraser
Date: Wed, 26 Aug 2009 15:35:14 +0100
Subject: [PATCH] xend: Flask MLS security label handling

Changed the way security labels are handled to allow domains to be labeled with Flask MLS security labels. Changed the error message generated when an invalid context is submitted to be more useful.

Signed-off-by: Machon B. Gregory
Signed-off-by: George S. Coker, II
---
 tools/python/xen/util/xsm/flask/flask.py | 2 +-
 tools/python/xen/xend/XendConfig.py | 5 -----
 tools/python/xen/xm/create.py | 16 +++++-----------
 3 files changed, 6 insertions(+), 17 deletions(-)

diff --git a/tools/python/xen/util/xsm/flask/flask.py b/tools/python/xen/util/xsm/flask/flask.py
index 04dc3913c4..754961cede 100644
--- a/tools/python/xen/util/xsm/flask/flask.py
+++ b/tools/python/xen/util/xsm/flask/flask.py
@@ -25,7 +25,7 @@ def label2ssidref(label, policy, type):
 try:
 return flask.flask_context_to_sid(label)
 except:
- return ""
+ raise XSMError('Invalid context %s' % label)

 def parse_security_label(security_label):
 return security_label
diff --git a/tools/python/xen/xend/XendConfig.py b/tools/python/xen/xend/XendConfig.py
index 20ecca8b01..6f39e7ed1a 100644
--- a/tools/python/xen/xend/XendConfig.py
+++ b/tools/python/xen/xend/XendConfig.py
@@ -802,11 +802,6 @@ class XendConfig(dict):
 if not sxp.child_value(sxp_cfg, 'security_label'):
 del cfg['security']

- sec_lab = cfg['security_label'].split(":")
- if len(sec_lab) != 3:
- raise XendConfigError("Badly formatted security label: %s"
- % cfg['security_label'])
-
 old_state = sxp.child_value(sxp_cfg, 'state')
 if old_state:
 for i in range(len(CONFIG_OLD_DOM_STATES)):
diff --git a/tools/python/xen/xm/create.py b/tools/python/xen/xm/create.py
index d2ea7ecf35..92ab12b0fa 100644
--- a/tools/python/xen/xm/create.py
+++ b/tools/python/xen/xm/create.py
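Review bot: The bare `except:` left in place above the new `raise XSMError('Invalid context %s' % label)` reports every failure of `flask.flask_context_to_sid()` as an invalid context and discards the original error, so a failure unrelated to the label itself would be indistinguishable from a bad label. Because this commit also removes the three-field format check in XendConfig.py, this call looks like the only label validation left in the visible path, which makes an accurate error worth having: catch the specific exception the binding raises, or at minimum use `except Exception, e:` and append `e` to the message. The hunk does not show `XSMError` being imported into flask.py; if it is not already in scope the handler fails with NameError instead. Callers that relied on the old `""` return now have to catch XSMError, and formatting the user-supplied label with `%r` rather than `%s` would keep control characters out of logs; label2ssidref's definition line and its callers are outside the hunk.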
@@ -1163,17 +1163,11 @@ def preprocess_access_control(vals):
 num = len(vals.access_control)
 if num == 1:
 access_control = (vals.access_control)[0]
- d = {}
- a = access_control.split(',')
- if len(a) > 2:
- err('Too many elements in access_control specifier: ' + access_control)
- for b in a:
- (k, v) = b.strip().split('=', 1)
- k = k.strip()
- v = v.strip()
- if k not in ['policy','label']:
- err('Invalid access_control specifier: ' + access_control)
- d[k] = v
+ acc_re = 'policy=(?P.*),label=(?P