* [PATCH][ACM] Add support for resource labeling
@ 2006-06-06 14:07 Bryan D. Payne
From: Bryan D. Payne @ 2006-06-06 14:07 UTC (permalink / raw)
  To: xen-devel; +Cc: Reiner Sailer, Bryan D. Payne

This patch provides the framework needed for resource labeling.  
Subsequent patches will follow in the coming weeks that will enable Xen 
ACM to control assignment of resources (e.g., block devices and 
networking) to virtual machines based on resource labels and the active 
security policy.

Signed-off-by: Bryan D. Payne <bdpayne@us.ibm.com>
Signed-off-by: Reiner Sailer <sailer@us.ibm.com>
---
tools/python/xen/util/security.py                   |   41 ++++++++++----
tools/python/xen/xm/addlabel.py                     |    2
tools/python/xen/xm/create.py                       |    2
tools/security/Makefile                             |    2
tools/security/python/xensec_gen/cgi-bin/policy.cgi |    2
tools/security/python/xensec_tools/acm_getdecision  |   55 
--------------------
tools/security/secpol_xml2bin.c                     |    6 +-
7 files changed, 38 insertions(+), 72 deletions(-)

Index: xen-unstable.hg-shype/tools/python/xen/util/security.py
===================================================================
--- xen-unstable.hg-shype.orig/tools/python/xen/util/security.py
+++ xen-unstable.hg-shype/tools/python/xen/util/security.py
@@ -52,7 +52,8 @@ empty_line_re = re.compile("^\s*$")
binary_name_re = re.compile(".*[chwall|ste|chwall_ste].*\.bin", 
re.IGNORECASE)
policy_name_re = re.compile(".*[chwall|ste|chwall_ste].*", re.IGNORECASE)

-
+#other global variables
+NULL_SSIDREF = 0

log = logging.getLogger("xend.util.security")

@@ -255,6 +256,8 @@ def ssidref2label(ssidref_var):
    #2. get labelnames for both ssidref parts
    pri_ssid = ssidref & 0xffff
    sec_ssid = ssidref >> 16
+    pri_null_ssid = NULL_SSIDREF & 0xffff
+    sec_null_ssid = NULL_SSIDREF >> 16
    pri_labels = []
    sec_labels = []
    labels = []
@@ -270,7 +273,11 @@ def ssidref2label(ssidref_var):
    f.close()

    #3. get the label that is in both lists (combination must be a 
single label)
-    if secondary == "NULL":
+    if (primary == "CHWALL") and (pri_ssid == pri_null_ssid) and 
(sec_ssid != sec_null_ssid):
+        labels = sec_labels
+    elif (secondary == "CHWALL") and (pri_ssid != pri_null_ssid) and 
(sec_ssid == sec_null_ssid):
+        labels = pri_labels
+    elif secondary == "NULL":
        labels = pri_labels
    else:
        for i in pri_labels:
@@ -285,7 +292,7 @@ def ssidref2label(ssidref_var):



-def label2ssidref(labelname, policyname):
+def label2ssidref(labelname, policyname, type):
    """
    returns ssidref corresponding to labelname;
    maps current policy to default directory
@@ -294,6 +301,14 @@ def label2ssidref(labelname, policyname)
    if policyname in ['NULL', 'INACTIVE', 'DEFAULT']:
        err("Cannot translate labels for \'" + policyname + "\' policy.")

+    allowed_types = ['ANY']
+    if type == 'dom':
+        allowed_types.append('VM')
+    elif type == 'res':
+        allowed_types.append('RES')
+    else:
+        err("Invalid type.  Must specify 'dom' or 'res'.")
+
    (primary, secondary, f, pol_exists) = getmapfile(policyname)

    #2. get labelnames for ssidref parts and find a common label
@@ -303,11 +318,15 @@ def label2ssidref(labelname, policyname)
        l = line.split()
        if (len(l) < 5) or (l[0] != "LABEL->SSID"):
            continue
-        if primary and (l[2] == primary) and (l[3] == labelname):
+        if primary and (l[1] in allowed_types) and (l[2] == primary) 
and (l[3] == labelname):
            pri_ssid.append(int(l[4], 16))
-        if secondary and (l[2] == secondary) and (l[3] == labelname):
+        if secondary and (l[1] in allowed_types) and (l[2] == 
secondary) and (l[3] == labelname):
            sec_ssid.append(int(l[4], 16))
    f.close()
+    if (type == 'res') and (primary == "CHWALL") and (len(pri_ssid) == 0):
+        pri_ssid.append(NULL_SSIDREF)
+    elif (type == 'res') and (secondary == "CHWALL") and (len(sec_ssid) 
== 0):
+        sec_ssid.append(NULL_SSIDREF)

    #3. sanity check and composition of ssidref
    if (len(pri_ssid) == 0) or ((len(sec_ssid) == 0) and (secondary != 
"NULL")):
@@ -360,7 +379,7 @@ def refresh_ssidref(config):
        err("Policy \'" + policyname + "\' in label does not match 
active policy \'"
            + active_policy +"\'!")

-    new_ssidref = label2ssidref(labelname, policyname)
+    new_ssidref = label2ssidref(labelname, policyname, 'dom')
    if not new_ssidref:
        err("SSIDREF refresh failed!")

@@ -409,7 +428,7 @@ def get_decision(arg1, arg2):
    enables domains to retrieve access control decisions from
    the hypervisor Access Control Module.
    IN: args format = ['domid', id] or ['ssidref', ssidref]
-    or ['access_control', ['policy', policy], ['label', label]]
+    or ['access_control', ['policy', policy], ['label', label], 
['type', type]]
    """

    if not on():
@@ -417,14 +436,14 @@ def get_decision(arg1, arg2):

    #translate labels before calling low-level function
    if arg1[0] == 'access_control':
-        if (arg1[1][0] != 'policy') or (arg1[2][0] != 'label') :
+        if (arg1[1][0] != 'policy') or (arg1[2][0] != 'label') or 
(arg1[3][0] != 'type'):
            err("Argument type not supported.")
-        ssidref = label2ssidref(arg1[2][1], arg1[1][1])
+        ssidref = label2ssidref(arg1[2][1], arg1[1][1], arg1[3][1])
        arg1 = ['ssidref', str(ssidref)]
    if arg2[0] == 'access_control':
-        if (arg2[1][0] != 'policy') or (arg2[2][0] != 'label') :
+        if (arg2[1][0] != 'policy') or (arg2[2][0] != 'label') or 
(arg2[3][0] != 'type'):
            err("Argument type not supported.")
-        ssidref = label2ssidref(arg2[2][1], arg2[1][1])
+        ssidref = label2ssidref(arg2[2][1], arg2[1][1], arg2[3][1])
        arg2 = ['ssidref', str(ssidref)]

    # accept only int or string types for domid and ssidref
Index: xen-unstable.hg-shype/tools/python/xen/xm/addlabel.py
===================================================================
--- xen-unstable.hg-shype.orig/tools/python/xen/xm/addlabel.py
+++ xen-unstable.hg-shype/tools/python/xen/xm/addlabel.py
@@ -50,7 +50,7 @@ def main(argv):
            err("No active policy. Policy must be specified in command 
line.")

        #sanity checks: make sure this label can be instantiated later on
-        ssidref = label2ssidref(label, policyref)
+        ssidref = label2ssidref(label, policyref, 'dom')

        new_label = "access_control = ['policy=%s,label=%s']\n" % 
(policyref, label)
        if not os.path.isfile(configfile):
Index: xen-unstable.hg-shype/tools/python/xen/xm/create.py
===================================================================
--- xen-unstable.hg-shype.orig/tools/python/xen/xm/create.py
+++ xen-unstable.hg-shype/tools/python/xen/xm/create.py
@@ -533,7 +533,7 @@ def configure_security(config, vals):
        if sxp.child_value(config, 'ssidref'):
            err("ERROR: SSIDREF and access_control are mutually 
exclusive but both specified!")
        #else calculate ssidre from label
-        ssidref = security.label2ssidref(label, policy)
+        ssidref = security.label2ssidref(label, policy, 'dom')
        if not ssidref :
            err("ERROR calculating ssidref from access_control.")
        security_label = ['security', [ config_access_control, 
['ssidref' , ssidref ] ] ]
Index: xen-unstable.hg-shype/tools/security/Makefile
===================================================================
--- xen-unstable.hg-shype.orig/tools/security/Makefile
+++ xen-unstable.hg-shype/tools/security/Makefile
@@ -33,7 +33,7 @@ OBJS_XML2BIN := $(patsubst %.c,%.o,$(fil

ACM_INST_TOOLS    = xensec_tool xensec_xml2bin xensec_gen
ACM_OBJS          = $(OBJS_TOOL) $(OBJS_XML2BIN) $(OBJS_GETD)
-ACM_SCRIPTS       = python/xensec_tools/acm_getlabel 
python/xensec_tools/acm_getdecision
+ACM_SCRIPTS       = python/xensec_tools/acm_getlabel

ACM_CONFIG_DIR    = /etc/xen/acm-security
ACM_POLICY_DIR    = $(ACM_CONFIG_DIR)/policies
Index: 
xen-unstable.hg-shype/tools/security/python/xensec_gen/cgi-bin/policy.cgi
===================================================================
--- 
xen-unstable.hg-shype.orig/tools/security/python/xensec_gen/cgi-bin/policy.cgi 

+++ 
xen-unstable.hg-shype/tools/security/python/xensec_gen/cgi-bin/policy.cgi
@@ -406,7 +406,7 @@ def parsePolicyXml( ):
                    msg = msg + 'Please validate the Policy file used.'
                    formatXmlError( msg )

-                    allCSMTypes[csName][1] = csMemberList
+                allCSMTypes[csName][1] = csMemberList

    if pOrder != '':
        formPolicyOrder[1] = pOrder
Index: 
xen-unstable.hg-shype/tools/security/python/xensec_tools/acm_getdecision
===================================================================
--- 
xen-unstable.hg-shype.orig/tools/security/python/xensec_tools/acm_getdecision 

+++ /dev/null
@@ -1,55 +0,0 @@
-#!/usr/bin/env python
-#  -*- mode: python; -*-
-import sys
-import traceback
-import getopt
-
-# add fallback path for non-native python path installs if needed
-sys.path.insert(-1, '/usr/lib/python')
-sys.path.insert(-1, '/usr/lib64/python')
-
-from xen.util.security import ACMError, err, get_decision, active_policy
-
-def usage():
-    print "Usage: acm_getdecision -i domainid --label labelname"
-    print "  Test program illustrating the retrieval of"
-    print "  access control decisions from Xen. At this time,"
-    print "  only sharing (STE) policy decisions are supported."
-    print "  Arguments are two paramters in any combination:"
-    print "\t -i domain_id or --domid domain_id"
-    print "\t -l labelname or --label labelname"
-    print "  Return value:"
-    print "\t PERMITTED if access is permitted"
-    print "\t DENIED if access is denied"
-    print "\t ACMError -- e.g., unknown label or domain id"
-    err("Usage")
-
-try:
-
-    if len(sys.argv) != 5:
-        usage()
-
-    decision_args = []
-
-    for idx in range(1, len(sys.argv), 2):
-        if sys.argv[idx] in ['-i', '--domid']:
-            decision_args.append(['domid', sys.argv[idx+1]])
-        elif sys.argv[idx] in ['-l', '--label']:
-            decision_args.append(['access_control',
-                                  ['policy', active_policy],
-                                  ['label', sys.argv[idx+1]]
-                                  ])
-        else:
-            print "unknown argument %s" % sys.argv[idx]
-            usage()
-
-    if len(decision_args) != 2:
-        print "too many arguments"
-        usage()
-
-    print get_decision(decision_args[0], decision_args[1])
-
-except ACMError:
-    pass
-except:
-    traceback.print_exc(limit=1)
Index: xen-unstable.hg-shype/tools/security/secpol_xml2bin.c
===================================================================
--- xen-unstable.hg-shype.orig/tools/security/secpol_xml2bin.c
+++ xen-unstable.hg-shype/tools/security/secpol_xml2bin.c
@@ -44,6 +44,8 @@

#define DEBUG    0

+#define NULL_LABEL_NAME "__NULL_LABEL__"
+
/* primary / secondary policy component setting */
enum policycomponent { CHWALL, STE, NULLPOLICY }
    primary = NULLPOLICY, secondary = NULLPOLICY;
@@ -467,7 +469,7 @@ int init_ssid_queues(void)
        return -ENOMEM;

    /* default chwall ssid */
-    default_ssid_chwall->name = "DEFAULT";
+    default_ssid_chwall->name = NULL_LABEL_NAME;
    default_ssid_chwall->num = max_chwall_ssids++;
    default_ssid_chwall->is_ref = 0;
    default_ssid_chwall->type = ANY;
@@ -484,7 +486,7 @@ int init_ssid_queues(void)
    max_chwall_labels++;

    /* default ste ssid */
-    default_ssid_ste->name = "DEFAULT";
+    default_ssid_ste->name = NULL_LABEL_NAME;
    default_ssid_ste->num = max_ste_ssids++;
    default_ssid_ste->is_ref = 0;
    default_ssid_ste->type = ANY;


* Re: [PATCH][ACM] Add support for resource labeling
@ 2006-06-07 13:09 ` Keir Fraser
From: Keir Fraser @ 2006-06-07 13:09 UTC (permalink / raw)
  To: Bryan D. Payne; +Cc: xen-devel, Reiner Sailer


On 6 Jun 2006, at 15:07, Bryan D. Payne wrote:

> This patch provides the framework needed for resource labeling.  
> Subsequent patches will follow in the coming weeks that will enable 
> Xen ACM to control assignment of resources (e.g., block devices and 
> networking) to virtual machines based on resource labels and the 
> active security policy.
>
> Signed-off-by: Bryan D. Payne <bdpayne@us.ibm.com>
> Signed-off-by: Reiner Sailer <sailer@us.ibm.com>

Patch was chewed by your mail client. Please resend as an attachment.

  -- Keir


* Re: [PATCH][ACM] Add support for resource labeling
@ 2006-06-07 13:32   ` Bryan D Payne
From: Bryan D Payne @ 2006-06-07 13:32 UTC (permalink / raw)
  To: Keir Fraser; +Cc: xen-devel, Reiner Sailer


Sorry about that.  Here it is again...
-bryan

(See attached file: shype-reslabel-4.diff)


Keir Fraser <Keir.Fraser@cl.cam.ac.uk> wrote on 06/07/2006 09:09:22 AM:

>
> On 6 Jun 2006, at 15:07, Bryan D. Payne wrote:
>
> > This patch provides the framework needed for resource labeling.
> > Subsequent patches will follow in the coming weeks that will enable
> > Xen ACM to control assignment of resources (e.g., block devices and
> > networking) to virtual machines based on resource labels and the
> > active security policy.
> >
> > Signed-off-by: Bryan D. Payne <bdpayne@us.ibm.com>
> > Signed-off-by: Reiner Sailer <sailer@us.ibm.com>
>
> Patch was chewed by your mail client. Please resend as an attachment.
>
>   -- Keir
>


---
 tools/python/xen/util/security.py                   |   41 ++++++++++----
 tools/python/xen/xm/addlabel.py                     |    2 
 tools/python/xen/xm/create.py                       |    2 
 tools/security/Makefile                             |    2 
 tools/security/python/xensec_gen/cgi-bin/policy.cgi |    2 
 tools/security/python/xensec_tools/acm_getdecision  |   55 --------------------
 tools/security/secpol_xml2bin.c                     |    6 +-
 7 files changed, 38 insertions(+), 72 deletions(-)

Index: xen-unstable.hg-shype/tools/python/xen/util/security.py
===================================================================
--- xen-unstable.hg-shype.orig/tools/python/xen/util/security.py
+++ xen-unstable.hg-shype/tools/python/xen/util/security.py
@@ -52,7 +52,8 @@ empty_line_re = re.compile("^\s*$")
 binary_name_re = re.compile(".*[chwall|ste|chwall_ste].*\.bin", re.IGNORECASE)
 policy_name_re = re.compile(".*[chwall|ste|chwall_ste].*", re.IGNORECASE)
 
-
+#other global variables
+NULL_SSIDREF = 0
 
 log = logging.getLogger("xend.util.security")
 
@@ -255,6 +256,8 @@ def ssidref2label(ssidref_var):
     #2. get labelnames for both ssidref parts
     pri_ssid = ssidref & 0xffff
     sec_ssid = ssidref >> 16
+    pri_null_ssid = NULL_SSIDREF & 0xffff
+    sec_null_ssid = NULL_SSIDREF >> 16
     pri_labels = []
     sec_labels = []
     labels = []
@@ -270,7 +273,11 @@ def ssidref2label(ssidref_var):
     f.close()
 
     #3. get the label that is in both lists (combination must be a single label)
-    if secondary == "NULL":
+    if (primary == "CHWALL") and (pri_ssid == pri_null_ssid) and (sec_ssid != sec_null_ssid):
+        labels = sec_labels
+    elif (secondary == "CHWALL") and (pri_ssid != pri_null_ssid) and (sec_ssid == sec_null_ssid):
+        labels = pri_labels
+    elif secondary == "NULL":
         labels = pri_labels
     else:
         for i in pri_labels:
@@ -285,7 +292,7 @@ def ssidref2label(ssidref_var):
 
 
 
-def label2ssidref(labelname, policyname):
+def label2ssidref(labelname, policyname, type):
     """
     returns ssidref corresponding to labelname;
     maps current policy to default directory
@@ -294,6 +301,14 @@ def label2ssidref(labelname, policyname)
     if policyname in ['NULL', 'INACTIVE', 'DEFAULT']:
         err("Cannot translate labels for \'" + policyname + "\' policy.")
 
+    allowed_types = ['ANY']
+    if type == 'dom':
+        allowed_types.append('VM')
+    elif type == 'res':
+        allowed_types.append('RES')
+    else:
+        err("Invalid type.  Must specify 'dom' or 'res'.")
+
     (primary, secondary, f, pol_exists) = getmapfile(policyname)
 
     #2. get labelnames for ssidref parts and find a common label
@@ -303,11 +318,15 @@ def label2ssidref(labelname, policyname)
         l = line.split()
         if (len(l) < 5) or (l[0] != "LABEL->SSID"):
             continue
-        if primary and (l[2] == primary) and (l[3] == labelname):
+        if primary and (l[1] in allowed_types) and (l[2] == primary) and (l[3] == labelname):
             pri_ssid.append(int(l[4], 16))
-        if secondary and (l[2] == secondary) and (l[3] == labelname):
+        if secondary and (l[1] in allowed_types) and (l[2] == secondary) and (l[3] == labelname):
             sec_ssid.append(int(l[4], 16))
     f.close()
+    if (type == 'res') and (primary == "CHWALL") and (len(pri_ssid) == 0):
+        pri_ssid.append(NULL_SSIDREF)
+    elif (type == 'res') and (secondary == "CHWALL") and (len(sec_ssid) == 0):
+        sec_ssid.append(NULL_SSIDREF)
 
     #3. sanity check and composition of ssidref
     if (len(pri_ssid) == 0) or ((len(sec_ssid) == 0) and (secondary != "NULL")):
@@ -360,7 +379,7 @@ def refresh_ssidref(config):
         err("Policy \'" + policyname + "\' in label does not match active policy \'"
             + active_policy +"\'!")
 
-    new_ssidref = label2ssidref(labelname, policyname)
+    new_ssidref = label2ssidref(labelname, policyname, 'dom')
     if not new_ssidref:
         err("SSIDREF refresh failed!")
 
@@ -409,7 +428,7 @@ def get_decision(arg1, arg2):
     enables domains to retrieve access control decisions from
     the hypervisor Access Control Module.
     IN: args format = ['domid', id] or ['ssidref', ssidref]
-    or ['access_control', ['policy', policy], ['label', label]]
+    or ['access_control', ['policy', policy], ['label', label], ['type', type]]
     """
 
     if not on():
@@ -417,14 +436,14 @@ def get_decision(arg1, arg2):
 
     #translate labels before calling low-level function
     if arg1[0] == 'access_control':
-        if (arg1[1][0] != 'policy') or (arg1[2][0] != 'label') :
+        if (arg1[1][0] != 'policy') or (arg1[2][0] != 'label') or (arg1[3][0] != 'type'):
             err("Argument type not supported.")
-        ssidref = label2ssidref(arg1[2][1], arg1[1][1])
+        ssidref = label2ssidref(arg1[2][1], arg1[1][1], arg1[3][1])
         arg1 = ['ssidref', str(ssidref)]
     if arg2[0] == 'access_control':
-        if (arg2[1][0] != 'policy') or (arg2[2][0] != 'label') :
+        if (arg2[1][0] != 'policy') or (arg2[2][0] != 'label') or (arg2[3][0] != 'type'):
             err("Argument type not supported.")
-        ssidref = label2ssidref(arg2[2][1], arg2[1][1])
+        ssidref = label2ssidref(arg2[2][1], arg2[1][1], arg2[3][1])
         arg2 = ['ssidref', str(ssidref)]
 
     # accept only int or string types for domid and ssidref
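Review bot: A caller that still passes the three-element form `['access_control', ['policy', p], ['label', l]]` now dies with an IndexError at `arg1[3][0]` instead of reaching the intended `err("Argument type not supported.")`, because the shape check indexes the fourth element before confirming it exists. Guard the length first, `if len(arg1) < 4 or (arg1[1][0] != 'policy') or (arg1[2][0] != 'label') or (arg1[3][0] != 'type'):`, and do the same for `arg2`. This matters because the only in-tree caller of the old form, acm_getdecision, is deleted by this same patch, so nothing left in the tree exercises either argument shape. get_decision starts before this hunk.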
Index: xen-unstable.hg-shype/tools/python/xen/xm/addlabel.py
===================================================================
--- xen-unstable.hg-shype.orig/tools/python/xen/xm/addlabel.py
+++ xen-unstable.hg-shype/tools/python/xen/xm/addlabel.py
@@ -50,7 +50,7 @@ def main(argv):
             err("No active policy. Policy must be specified in command line.")
 
         #sanity checks: make sure this label can be instantiated later on
-        ssidref = label2ssidref(label, policyref)
+        ssidref = label2ssidref(label, policyref, 'dom')
 
         new_label = "access_control = ['policy=%s,label=%s']\n" % (policyref, label)
         if not os.path.isfile(configfile):
Index: xen-unstable.hg-shype/tools/python/xen/xm/create.py
===================================================================
--- xen-unstable.hg-shype.orig/tools/python/xen/xm/create.py
+++ xen-unstable.hg-shype/tools/python/xen/xm/create.py
@@ -533,7 +533,7 @@ def configure_security(config, vals):
         if sxp.child_value(config, 'ssidref'):
             err("ERROR: SSIDREF and access_control are mutually exclusive but both specified!")
         #else calculate ssidre from label
-        ssidref = security.label2ssidref(label, policy)
+        ssidref = security.label2ssidref(label, policy, 'dom')
         if not ssidref :
             err("ERROR calculating ssidref from access_control.")
         security_label = ['security', [ config_access_control, ['ssidref' , ssidref ] ] ]
Index: xen-unstable.hg-shype/tools/security/Makefile
===================================================================
--- xen-unstable.hg-shype.orig/tools/security/Makefile
+++ xen-unstable.hg-shype/tools/security/Makefile
@@ -33,7 +33,7 @@ OBJS_XML2BIN := $(patsubst %.c,%.o,$(fil
 
 ACM_INST_TOOLS    = xensec_tool xensec_xml2bin xensec_gen
 ACM_OBJS          = $(OBJS_TOOL) $(OBJS_XML2BIN) $(OBJS_GETD)
-ACM_SCRIPTS       = python/xensec_tools/acm_getlabel python/xensec_tools/acm_getdecision
+ACM_SCRIPTS       = python/xensec_tools/acm_getlabel
 
 ACM_CONFIG_DIR    = /etc/xen/acm-security
 ACM_POLICY_DIR    = $(ACM_CONFIG_DIR)/policies
Index: xen-unstable.hg-shype/tools/security/python/xensec_gen/cgi-bin/policy.cgi
===================================================================
--- xen-unstable.hg-shype.orig/tools/security/python/xensec_gen/cgi-bin/policy.cgi
+++ xen-unstable.hg-shype/tools/security/python/xensec_gen/cgi-bin/policy.cgi
@@ -406,7 +406,7 @@ def parsePolicyXml( ):
 					msg = msg + 'Please validate the Policy file used.'
 					formatXmlError( msg )
 
-					allCSMTypes[csName][1] = csMemberList
+				allCSMTypes[csName][1] = csMemberList
 
 	if pOrder != '':
 		formPolicyOrder[1] = pOrder
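Review bot: Dedenting `allCSMTypes[csName][1] = csMemberList` moves it out of the branch that calls `formatXmlError( msg )`, so the assignment now runs on the normal path and, unless formatXmlError terminates the request (not visible here), also after a reported error; the commit message says nothing about this change to the policy generator. If it is an intentional bug fix it deserves a sentence in the description or a separate patch, and a comment such as `# record the member list for this class regardless of the validation outcome` would make the intent explicit to the next reader. parsePolicyXml and the loop enclosing this assignment both start before the hunk.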
Index: xen-unstable.hg-shype/tools/security/python/xensec_tools/acm_getdecision
===================================================================
--- xen-unstable.hg-shype.orig/tools/security/python/xensec_tools/acm_getdecision
+++ /dev/null
@@ -1,55 +0,0 @@
-#!/usr/bin/env python
-#  -*- mode: python; -*-
-import sys
-import traceback
-import getopt
-
-# add fallback path for non-native python path installs if needed
-sys.path.insert(-1, '/usr/lib/python')
-sys.path.insert(-1, '/usr/lib64/python')
-
-from xen.util.security import ACMError, err, get_decision, active_policy
-
-def usage():
-    print "Usage: acm_getdecision -i domainid --label labelname"
-    print "  Test program illustrating the retrieval of"
-    print "  access control decisions from Xen. At this time,"
-    print "  only sharing (STE) policy decisions are supported."
-    print "  Arguments are two paramters in any combination:"
-    print "\t -i domain_id or --domid domain_id"
-    print "\t -l labelname or --label labelname"
-    print "  Return value:"
-    print "\t PERMITTED if access is permitted"
-    print "\t DENIED if access is denied"
-    print "\t ACMError -- e.g., unknown label or domain id"
-    err("Usage")
-
-try:
-
-    if len(sys.argv) != 5:
-        usage()
-
-    decision_args = []
-
-    for idx in range(1, len(sys.argv), 2):
-        if sys.argv[idx] in ['-i', '--domid']:
-            decision_args.append(['domid', sys.argv[idx+1]])
-        elif sys.argv[idx] in ['-l', '--label']:
-            decision_args.append(['access_control',
-                                  ['policy', active_policy],
-                                  ['label', sys.argv[idx+1]]
-                                  ])
-        else:
-            print "unknown argument %s" % sys.argv[idx]
-            usage()
-
-    if len(decision_args) != 2:
-        print "too many arguments"
-        usage()
-
-    print get_decision(decision_args[0], decision_args[1])
-
-except ACMError:
-	pass
-except:
-    traceback.print_exc(limit=1)
Index: xen-unstable.hg-shype/tools/security/secpol_xml2bin.c
===================================================================
--- xen-unstable.hg-shype.orig/tools/security/secpol_xml2bin.c
+++ xen-unstable.hg-shype/tools/security/secpol_xml2bin.c
@@ -44,6 +44,8 @@
 
 #define DEBUG    0
 
+#define NULL_LABEL_NAME "__NULL_LABEL__"
+
 /* primary / secondary policy component setting */
 enum policycomponent { CHWALL, STE, NULLPOLICY }
     primary = NULLPOLICY, secondary = NULLPOLICY;
@@ -467,7 +469,7 @@ int init_ssid_queues(void)
         return -ENOMEM;
 
     /* default chwall ssid */
-    default_ssid_chwall->name = "DEFAULT";
+    default_ssid_chwall->name = NULL_LABEL_NAME;
     default_ssid_chwall->num = max_chwall_ssids++;
     default_ssid_chwall->is_ref = 0;
     default_ssid_chwall->type = ANY;
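Review bot: The default ssid entry is renamed to `__NULL_LABEL__` but keeps `type = ANY`, and on the Python side label2ssidref admits type ANY for both 'dom' and 'res'; if the generated map file carries this entry (map generation is outside this hunk), `xm addlabel __NULL_LABEL__` or a get_decision query would resolve a domain to the null ssid instead of being rejected. Consider rejecting the reserved name explicitly in label2ssidref, e.g. `if labelname == "__NULL_LABEL__": err("Reserved label name.")`, or emitting the default entries with a type that the 'dom' path excludes. The coupling between NULL_LABEL_NAME here and `NULL_SSIDREF = 0` in security.py is also undocumented and presumably relies on `max_chwall_ssids` starting at 0; a comment at the define, `/* must stay in sync with the null-label handling in tools/python/xen/util/security.py */`, would at least record it. init_ssid_queues continues outside the hunk.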
@@ -484,7 +486,7 @@ int init_ssid_queues(void)
     max_chwall_labels++;
 
     /* default ste ssid */
-    default_ssid_ste->name = "DEFAULT";
+    default_ssid_ste->name = NULL_LABEL_NAME;
     default_ssid_ste->num = max_ste_ssids++;
     default_ssid_ste->is_ref = 0;
     default_ssid_ste->type = ANY;

