binary_name_re = re.compile(".*[chwall|ste|chwall_ste].*\.bin", re.IGNORECASE)
policy_name_re = re.compile(".*[chwall|ste|chwall_ste].*", re.IGNORECASE)
-
+#other global variables
+NULL_SSIDREF = 0
log = logging.getLogger("xend.util.security")
#2. get labelnames for both ssidref parts
pri_ssid = ssidref & 0xffff
sec_ssid = ssidref >> 16
+ pri_null_ssid = NULL_SSIDREF & 0xffff
+ sec_null_ssid = NULL_SSIDREF >> 16
pri_labels = []
sec_labels = []
labels = []
f.close()
#3. get the label that is in both lists (combination must be a single label)
- if secondary == "NULL":
+ if (primary == "CHWALL") and (pri_ssid == pri_null_ssid) and (sec_ssid != sec_null_ssid):
+ labels = sec_labels
+ elif (secondary == "CHWALL") and (pri_ssid != pri_null_ssid) and (sec_ssid == sec_null_ssid):
+ labels = pri_labels
+ elif secondary == "NULL":
labels = pri_labels
else:
for i in pri_labels:
-def label2ssidref(labelname, policyname):
+def label2ssidref(labelname, policyname, type):
"""
returns ssidref corresponding to labelname;
maps current policy to default directory
if policyname in ['NULL', 'INACTIVE', 'DEFAULT']:
err("Cannot translate labels for \'" + policyname + "\' policy.")
+ allowed_types = ['ANY']
+ if type == 'dom':
+ allowed_types.append('VM')
+ elif type == 'res':
+ allowed_types.append('RES')
+ else:
+ err("Invalid type. Must specify 'dom' or 'res'.")
+
(primary, secondary, f, pol_exists) = getmapfile(policyname)
#2. get labelnames for ssidref parts and find a common label
l = line.split()
if (len(l) < 5) or (l[0] != "LABEL->SSID"):
continue
- if primary and (l[2] == primary) and (l[3] == labelname):
+ if primary and (l[1] in allowed_types) and (l[2] == primary) and (l[3] == labelname):
pri_ssid.append(int(l[4], 16))
- if secondary and (l[2] == secondary) and (l[3] == labelname):
+ if secondary and (l[1] in allowed_types) and (l[2] == secondary) and (l[3] == labelname):
sec_ssid.append(int(l[4], 16))
f.close()
+ if (type == 'res') and (primary == "CHWALL") and (len(pri_ssid) == 0):
+ pri_ssid.append(NULL_SSIDREF)
+ elif (type == 'res') and (secondary == "CHWALL") and (len(sec_ssid) == 0):
+ sec_ssid.append(NULL_SSIDREF)
#3. sanity check and composition of ssidref
if (len(pri_ssid) == 0) or ((len(sec_ssid) == 0) and (secondary != "NULL")):
err("Policy \'" + policyname + "\' in label does not match active policy \'"
+ active_policy +"\'!")
- new_ssidref = label2ssidref(labelname, policyname)
+ new_ssidref = label2ssidref(labelname, policyname, 'dom')
if not new_ssidref:
err("SSIDREF refresh failed!")
enables domains to retrieve access control decisions from
the hypervisor Access Control Module.
IN: args format = ['domid', id] or ['ssidref', ssidref]
- or ['access_control', ['policy', policy], ['label', label]]
+ or ['access_control', ['policy', policy], ['label', label], ['type', type]]
"""
if not on():
#translate labels before calling low-level function
if arg1[0] == 'access_control':
- if (arg1[1][0] != 'policy') or (arg1[2][0] != 'label') :
+ if (arg1[1][0] != 'policy') or (arg1[2][0] != 'label') or (arg1[3][0] != 'type'):
err("Argument type not supported.")
- ssidref = label2ssidref(arg1[2][1], arg1[1][1])
+ ssidref = label2ssidref(arg1[2][1], arg1[1][1], arg1[3][1])
arg1 = ['ssidref', str(ssidref)]
if arg2[0] == 'access_control':
- if (arg2[1][0] != 'policy') or (arg2[2][0] != 'label') :
+ if (arg2[1][0] != 'policy') or (arg2[2][0] != 'label') or (arg2[3][0] != 'type'):
err("Argument type not supported.")
- ssidref = label2ssidref(arg2[2][1], arg2[1][1])
+ ssidref = label2ssidref(arg2[2][1], arg2[1][1], arg2[3][1])
arg2 = ['ssidref', str(ssidref)]
# accept only int or string types for domid and ssidref
+++ /dev/null
-#!/usr/bin/env python
-# -*- mode: python; -*-
-import sys
-import traceback
-import getopt
-
-# add fallback path for non-native python path installs if needed
-sys.path.insert(-1, '/usr/lib/python')
-sys.path.insert(-1, '/usr/lib64/python')
-
-from xen.util.security import ACMError, err, get_decision, active_policy
-
-def usage():
- print "Usage: acm_getdecision -i domainid --label labelname"
- print " Test program illustrating the retrieval of"
- print " access control decisions from Xen. At this time,"
- print " only sharing (STE) policy decisions are supported."
- print " Arguments are two paramters in any combination:"
- print "\t -i domain_id or --domid domain_id"
- print "\t -l labelname or --label labelname"
- print " Return value:"
- print "\t PERMITTED if access is permitted"
- print "\t DENIED if access is denied"
- print "\t ACMError -- e.g., unknown label or domain id"
- err("Usage")
-
-try:
-
- if len(sys.argv) != 5:
- usage()
-
- decision_args = []
-
- for idx in range(1, len(sys.argv), 2):
- if sys.argv[idx] in ['-i', '--domid']:
- decision_args.append(['domid', sys.argv[idx+1]])
- elif sys.argv[idx] in ['-l', '--label']:
- decision_args.append(['access_control',
- ['policy', active_policy],
- ['label', sys.argv[idx+1]]
- ])
- else:
- print "unknown argument %s" % sys.argv[idx]
- usage()
-
- if len(decision_args) != 2:
- print "too many arguments"
- usage()
-
- print get_decision(decision_args[0], decision_args[1])
-
-except ACMError:
- pass
-except:
- traceback.print_exc(limit=1)
#define DEBUG 0
+#define NULL_LABEL_NAME "__NULL_LABEL__"
+
/* primary / secondary policy component setting */
enum policycomponent { CHWALL, STE, NULLPOLICY }
primary = NULLPOLICY, secondary = NULLPOLICY;
return -ENOMEM;
/* default chwall ssid */
- default_ssid_chwall->name = "DEFAULT";
+ default_ssid_chwall->name = NULL_LABEL_NAME;
default_ssid_chwall->num = max_chwall_ssids++;
default_ssid_chwall->is_ref = 0;
default_ssid_chwall->type = ANY;
max_chwall_labels++;
/* default ste ssid */
- default_ssid_ste->name = "DEFAULT";
+ default_ssid_ste->name = NULL_LABEL_NAME;
default_ssid_ste->num = max_ste_ssids++;
default_ssid_ste->is_ref = 0;
default_ssid_ste->type = ANY;
projects / xen.git / commitdiff