xsm, python tools: remove autogenerated xsm.py
authorKeir Fraser <keir.fraser@citrix.com>
Thu, 4 Sep 2008 10:23:08 +0000 (11:23 +0100)
committerKeir Fraser <keir.fraser@citrix.com>
Thu, 4 Sep 2008 10:23:08 +0000 (11:23 +0100)
- The patch does away with the autogenerated xsm.py file and
introduces a config parameter in xend-config.sxp to determine the
security module. The parameter is (xsm_module_name {acm, dummy,
flask}).  The default setting/option is dummy.  .hgignore is also
updated to stop ignoring xsm.py on commits.

- The patch has created an xsconstant for XS_POLICY_FLASK and updated
  the toolchain to check the instance of XS_POLICY_USE.  XS_POLICY_USE
  evaluates to XS_POLICY_FLASK or XS_POLICY_ACM or XS_POLICY_DUMMY
  depending on configuration.

- Flask relies on the current value of ssidref returned by dominfo to
  ensure that the label to sid mapping is consistent.  ssidref had
  been pop'ed from the dominfo object.  The patch addresses this
  issue.

- Flask python module style cleanups.

Signed-off-by: George Coker <gscoker@alpha.ncsc.mil>
12 files changed:
.hgignore
tools/examples/xend-config.sxp
tools/python/Makefile
tools/python/xen/util/xsconstants.py
tools/python/xen/util/xsm/dummy/dummy.py
tools/python/xen/util/xsm/flask/flask.py
tools/python/xen/util/xsm/xsm.py [new file with mode: 0644]
tools/python/xen/xend/XendConfig.py
tools/python/xen/xend/XendDomainInfo.py
tools/python/xen/xend/XendOptions.py
tools/python/xen/xend/server/blkif.py
tools/python/xen/xend/server/netif.py

index 42d980bcb0c8fc62f0b59d199b0edc842ac98d92..13ced87e224f62a84549f324a8c0593b6c6bc3f0 100644 (file)
--- a/.hgignore
+++ b/.hgignore
 ^tools/misc/xenperf$
 ^tools/pygrub/build/.*$
 ^tools/python/build/.*$
-^tools/python/xen/util/xsm/xsm\.py$
 ^tools/security/secpol_tool$
 ^tools/security/xen/.*$
 ^tools/security/xensec_tool$
index 89f9fcae96205a15ed615c9ba6590d749438bbe6..5465c39af31da2f09f9b1cc0577c29c1b1327ef2 100644 (file)
 #(logfile /var/log/xen/xend.log)
 #(loglevel DEBUG)
 
+# Uncomment the line below.  Set the value to flask, acm, or dummy to 
+# select a security module.
+
+#(xsm_module_name dummy)
 
 # The Xen-API server configuration.
 #
index 76603f4880154f6e20676712b18c66a84ab60c79..c2e5c9c3189732259551b9ccb900a5cbaa629be3 100644 (file)
@@ -1,14 +1,6 @@
 XEN_ROOT = ../..
 include $(XEN_ROOT)/tools/Rules.mk
 
-XEN_SECURITY_MODULE = dummy
-ifeq ($(FLASK_ENABLE),y)
-XEN_SECURITY_MODULE = flask
-endif
-ifeq ($(ACM_SECURITY),y)
-XEN_SECURITY_MODULE = acm
-endif
-
 .PHONY: all
 all: build
 
@@ -23,8 +15,8 @@ CATALOGS = $(patsubst %,xen/xm/messages/%.mo,$(LINGUAS))
 NLSDIR = /usr/share/locale
 
 .PHONY: build buildpy
-buildpy: xsm.py
-       CC="$(CC)" CFLAGS="$(CFLAGS)" XEN_SECURITY_MODULE="$(XEN_SECURITY_MODULE)" python setup.py build
+buildpy: 
+       CC="$(CC)" CFLAGS="$(CFLAGS)" python setup.py build
 
 build: buildpy refresh-pot refresh-po $(CATALOGS)
 
@@ -61,18 +53,6 @@ refresh-po: $(POTFILE)
 %.mo: %.po
        $(MSGFMT) -c -o $@ $<
 
-xsm.py:
-       @(set -e; \
-         echo "XEN_SECURITY_MODULE = \""$(XEN_SECURITY_MODULE)"\""; \
-         echo "from xsm_core import *"; \
-         echo ""; \
-         echo "import xen.util.xsm."$(XEN_SECURITY_MODULE)"."$(XEN_SECURITY_MODULE)" as xsm_module"; \
-         echo ""; \
-         echo "xsm_init(xsm_module)"; \
-         echo "from xen.util.xsm."$(XEN_SECURITY_MODULE)"."$(XEN_SECURITY_MODULE)" import *"; \
-         echo "del xsm_module"; \
-         echo "") >xen/util/xsm/$@
-
 .PHONY: install
 ifndef XEN_PYTHON_NATIVE_INSTALL
 install: LIBPATH=$(shell PYTHONPATH=xen/util python -c "import auxbin; print auxbin.libpath()")
@@ -104,4 +84,4 @@ test:
 
 .PHONY: clean
 clean:
-       rm -rf build *.pyc *.pyo *.o *.a *~ $(CATALOGS) xen/util/xsm/xsm.py xen/util/auxbin.pyc
+       rm -rf build *.pyc *.pyo *.o *.a *~ $(CATALOGS) xen/util/auxbin.pyc
index deea17194cd55eb56cc79bb49803124e06e0233f..29540f0278ade255994472b90dca23b36a28a10a 100644 (file)
@@ -20,8 +20,10 @@ XS_INST_NONE = 0
 XS_INST_BOOT = (1 << 0)
 XS_INST_LOAD = (1 << 1)
 
-XS_POLICY_NONE  = 0
+XS_POLICY_DUMMY  = 0
 XS_POLICY_ACM = (1 << 0)
+XS_POLICY_FLASK = (1 << 1)
+XS_POLICY_USE = 0
 
 # Some internal variables used by the Xen-API
 ACM_LABEL_VM  = (1 << 0)
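Review bot: `XS_POLICY_USE = 0` is a placeholder that is indistinguishable from `XS_POLICY_DUMMY`, and nothing here says that it is reassigned at import time by xen/util/xsm/xsm.py. Any code that reads it before that module has been imported, or that binds it with `from xen.util.xsconstants import XS_POLICY_USE`, sees the dummy value regardless of the configured module. A comment such as `# Set by xen.util.xsm.xsm on import to the configured module's XS_POLICY_* value; always read as xsconstants.XS_POLICY_USE` would make that contract explicit. The rename also removes `XS_POLICY_NONE`; callers outside this page that still reference it would fail with AttributeError, so it may be worth keeping `XS_POLICY_NONE = XS_POLICY_DUMMY` as an alias.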
index b82e1b9ff5d1655de7f619c4aa45c95f02904992..5748699ee7455a8187be92bb644d1ff4c3bc676e 100644 (file)
@@ -36,7 +36,7 @@ def err(msg):
     raise XSMError(msg)
 
 def on():
-    return 0
+    return xsconstants.XS_POLICY_DUMMY
 
 def ssidref2label(ssidref):
     return 0
index 61106349f26a6aaf6262e7df57d5dbb9be45e346..fc168f8fdebd124fe6e842dee0e636cfb9281a6b 100644 (file)
@@ -1,5 +1,6 @@
 import sys
 from xen.lowlevel import flask
+from xen.util import xsconstants
 from xen.xend import sxp
 
 #Functions exported through XML-RPC
@@ -12,7 +13,7 @@ def err(msg):
     raise XSMError(msg)
 
 def on():
-    return 0 #xsconstants.XS_POLICY_FLASK
+    return xsconstants.XS_POLICY_FLASK
 
 def ssidref2label(ssidref):
     try:
@@ -37,8 +38,9 @@ def set_security_label(policy, label):
     return label
 
 def ssidref2security_label(ssidref):
-    return ssidref2label(ssidref)
+    label = ssidref2label(ssidref)
+    return label
 
 def get_security_label(self, xspol=None):
-    label = self.info.get('security_label', '')
+    label = self.info['security_label']
     return label
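Review bot: `get_security_label` now indexes `self.info['security_label']` directly, so a domain whose info has no `security_label` key raises KeyError where the old code returned `''`. If unlabeled domains are possible under flask, keep the tolerant lookup, `label = self.info.get('security_label', '')`, or raise the module's own error with a message that names the missing label. The function is a module-level `def` that takes `self`, so a short docstring stating what object callers must pass would also help.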
diff --git a/tools/python/xen/util/xsm/xsm.py b/tools/python/xen/util/xsm/xsm.py
new file mode 100644 (file)
index 0000000..e2639c0
--- /dev/null
@@ -0,0 +1,19 @@
+import sys
+import string
+from xen.xend import XendOptions
+from xen.util import xsconstants
+from xsm_core import xsm_init
+
+xoptions = XendOptions.instance()
+xsm_module_name = xoptions.get_xsm_module_name()
+
+xsconstants.XS_POLICY_USE = eval("xsconstants.XS_POLICY_"+string.upper(xsm_module_name))
+
+xsm_module_path = "xen.util.xsm." + xsm_module_name + "." + xsm_module_name
+xsm_module = __import__(xsm_module_path, globals(), locals(), ['*'], -1)
+
+xsm_init(xsm_module)
+
+for op in dir(xsm_module):
+    if not hasattr(sys.modules[__name__], op):
+        setattr(sys.modules[__name__], op, getattr(xsm_module, op, None))
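Review bot: The `eval(...)` that sets `xsconstants.XS_POLICY_USE` evaluates a string built from `xsm_module_name`, which is read from xend-config.sxp without validation, and the same value is concatenated into the `__import__` path. An unexpected value in the config therefore becomes expression evaluation or an import of an unintended module inside the xend process instead of a clear configuration error. Checking the name against the three documented modules and resolving the constant with `getattr` removes the `eval` and fails with an explicit message. The re-export loop also copies every name from `dir(xsm_module)`, underscore-prefixed ones included; a comment saying whether that is intended would help.

```python
xsm_module_name = xoptions.get_xsm_module_name()

# Only the modules documented in xend-config.sxp are accepted.
if xsm_module_name not in ('dummy', 'acm', 'flask'):
    raise ValueError("unsupported xsm_module_name: %r" % (xsm_module_name,))

xsconstants.XS_POLICY_USE = getattr(xsconstants,
                                    "XS_POLICY_" + xsm_module_name.upper())
# … unchanged: __import__ of the module, xsm_init, re-export loop …
```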
index f14a94eecfd737f936687b2365e7da004a765190..706d6e6e0b6eb4f327fd8a14ebe4ab87ab1ee413 100644 (file)
@@ -729,7 +729,7 @@ class XendConfig(dict):
             self.parse_cpuid(cfg, 'cpuid_check')
 
         import xen.util.xsm.xsm as security
-        if security.on() == xsconstants.XS_POLICY_ACM:
+        if security.on() == xsconstants.XS_POLICY_USE:
             from xen.util.acmpolicy import ACM_LABEL_UNLABELED
             if not 'security' in cfg and sxp.child_value(sxp_cfg, 'security'):
                 cfg['security'] = sxp.child_value(sxp_cfg, 'security')
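Review bot: The new guard `security.on() == xsconstants.XS_POLICY_USE` looks always true for the modules shown in this commit, because xsm.py sets XS_POLICY_USE to the configured module's constant and the `on()` of dummy and flask returns that same constant (for dummy both are 0). The ACM-specific branch that starts with `from xen.util.acmpolicy import ACM_LABEL_UNLABELED` therefore now runs under dummy and flask too, where it previously ran only for ACM. The same comparison is introduced in XendDomainInfo.py (before `calc_dom_ssidref_from_info` and `has_authorization`) and in blkif.py and netif.py (before `do_access_control`), so the authorization outcome under dummy depends on stubs not visible on this page. If the intent is "a real security module is active", `if security.on() != xsconstants.XS_POLICY_DUMMY:` states that directly; otherwise a comment explaining why the comparison is kept would help. The branch body continues outside the hunk.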
index 271e8acc948ef4ab930156457a3b15a27ec326e2..3cbdc032871c5b0776040c094d3cf297b0b69ad1 100644 (file)
@@ -2069,7 +2069,7 @@ class XendDomainInfo:
         balloon.free(2*1024) # 2MB should be plenty
 
         ssidref = 0
-        if security.on() == xsconstants.XS_POLICY_ACM:
+        if security.on() == xsconstants.XS_POLICY_USE:
             ssidref = security.calc_dom_ssidref_from_info(self.info)
             if security.has_authorization(ssidref) == False:
                 raise VmError("VM is not authorized to run.")
@@ -2855,10 +2855,6 @@ class XendDomainInfo:
             info["maxmem_kb"] = XendNode.instance() \
                                 .physinfo_dict()['total_memory'] * 1024
 
-        #ssidref field not used any longer
-        if 'ssidref' in info:
-            info.pop('ssidref')
-
         # make sure state is reset for info
         # TODO: we should eventually get rid of old_dom_states
 
index 707892f90e40217b112d6dc94704db9705a088d2..350f20736c878f50a982418143f738684061fdc6 100644 (file)
@@ -132,6 +132,9 @@ class XendOptions:
     """Default script to configure a backend network interface"""
     vif_script = osdep.vif_script
 
+    """Default Xen Security Module"""
+    xsm_module_default = 'dummy'
+
     """Default rotation count of qemu-dm log file."""
     qemu_dm_logrotate_count = 10
 
@@ -427,6 +430,11 @@ class XendOptionsFile(XendOptions):
         return self.get_config_value('xen-api-server',
                                      self.xen_api_server_default)
 
+    def get_xsm_module_name(self):
+        """Get the Xen Security Module name.
+        """
+        return self.get_config_string('xsm_module_name', self.xsm_module_default)
+
 if os.uname()[0] == 'SunOS':
     class XendOptionsSMF(XendOptions):
 
index 87f03d17796e83dc39a65aeb9b25135ec3eac4ed..28ddf5f95db85d120caa5699f93cbbadd4c69bd0 100644 (file)
@@ -78,7 +78,7 @@ class BlkifController(DevController):
         if uuid:
             back['uuid'] = uuid
 
-        if security.on() == xsconstants.XS_POLICY_ACM:
+        if security.on() == xsconstants.XS_POLICY_USE:
             self.do_access_control(config, uname)
 
         (device_path, devid) = blkif.blkdev_name_to_number(dev)
index 9aa7503aff03cc6b3ab0727d67a6061879e4d065..939f127c408c56b50ed79e262fd551791e064e8f 100644 (file)
@@ -156,7 +156,7 @@ class NetifController(DevController):
             front = { 'handle' : "%i" % devid,
                       'mac'    : mac }
 
-        if security.on() == xsconstants.XS_POLICY_ACM:
+        if security.on() == xsconstants.XS_POLICY_USE:
             self.do_access_control(config)
 
         return (devid, back, front)