--- tools/python/xen/util/security.py | 41 ++++++++++---- tools/python/xen/xm/addlabel.py | 2 tools/python/xen/xm/create.py | 2 tools/security/Makefile | 2 tools/security/python/xensec_gen/cgi-bin/policy.cgi | 2 tools/security/python/xensec_tools/acm_getdecision | 55 -------------------- tools/security/secpol_xml2bin.c | 6 +- 7 files changed, 38 insertions(+), 72 deletions(-) Index: xen-unstable.hg-shype/tools/python/xen/util/security.py =================================================================== --- xen-unstable.hg-shype.orig/tools/python/xen/util/security.py +++ xen-unstable.hg-shype/tools/python/xen/util/security.py @@ -52,7 +52,8 @@ empty_line_re = re.compile("^\s*$") binary_name_re = re.compile(".*[chwall|ste|chwall_ste].*\.bin", re.IGNORECASE) policy_name_re = re.compile(".*[chwall|ste|chwall_ste].*", re.IGNORECASE) - +#other global variables +NULL_SSIDREF = 0 log = logging.getLogger("xend.util.security") @@ -255,6 +256,8 @@ def ssidref2label(ssidref_var): #2. get labelnames for both ssidref parts pri_ssid = ssidref & 0xffff sec_ssid = ssidref >> 16 + pri_null_ssid = NULL_SSIDREF & 0xffff + sec_null_ssid = NULL_SSIDREF >> 16 pri_labels = [] sec_labels = [] labels = [] @@ -270,7 +273,11 @@ def ssidref2label(ssidref_var): f.close() #3. get the label that is in both lists (combination must be a single label) - if secondary == "NULL": + if (primary == "CHWALL") and (pri_ssid == pri_null_ssid) and (sec_ssid != sec_null_ssid): + labels = sec_labels + elif (secondary == "CHWALL") and (pri_ssid != pri_null_ssid) and (sec_ssid == sec_null_ssid): + labels = pri_labels + elif secondary == "NULL": labels = pri_labels else: for i in pri_labels: @@ -285,7 +292,7 @@ def ssidref2label(ssidref_var): -def label2ssidref(labelname, policyname): +def label2ssidref(labelname, policyname, type): """ returns ssidref corresponding to labelname; maps current policy to default directory @@ -294,6 +301,14 @@ def label2ssidref(labelname, policyname) if policyname in ['NULL', 'INACTIVE', 'DEFAULT']: err("Cannot translate labels for \'" + policyname + "\' policy.") + allowed_types = ['ANY'] + if type == 'dom': + allowed_types.append('VM') + elif type == 'res': + allowed_types.append('RES') + else: + err("Invalid type. Must specify 'dom' or 'res'.") + (primary, secondary, f, pol_exists) = getmapfile(policyname) #2. get labelnames for ssidref parts and find a common label @@ -303,11 +318,15 @@ def label2ssidref(labelname, policyname) l = line.split() if (len(l) < 5) or (l[0] != "LABEL->SSID"): continue - if primary and (l[2] == primary) and (l[3] == labelname): + if primary and (l[1] in allowed_types) and (l[2] == primary) and (l[3] == labelname): pri_ssid.append(int(l[4], 16)) - if secondary and (l[2] == secondary) and (l[3] == labelname): + if secondary and (l[1] in allowed_types) and (l[2] == secondary) and (l[3] == labelname): sec_ssid.append(int(l[4], 16)) f.close() + if (type == 'res') and (primary == "CHWALL") and (len(pri_ssid) == 0): + pri_ssid.append(NULL_SSIDREF) + elif (type == 'res') and (secondary == "CHWALL") and (len(sec_ssid) == 0): + sec_ssid.append(NULL_SSIDREF) #3. sanity check and composition of ssidref if (len(pri_ssid) == 0) or ((len(sec_ssid) == 0) and (secondary != "NULL")): @@ -360,7 +379,7 @@ def refresh_ssidref(config): err("Policy \'" + policyname + "\' in label does not match active policy \'" + active_policy +"\'!") - new_ssidref = label2ssidref(labelname, policyname) + new_ssidref = label2ssidref(labelname, policyname, 'dom') if not new_ssidref: err("SSIDREF refresh failed!") @@ -409,7 +428,7 @@ def get_decision(arg1, arg2): enables domains to retrieve access control decisions from the hypervisor Access Control Module. IN: args format = ['domid', id] or ['ssidref', ssidref] - or ['access_control', ['policy', policy], ['label', label]] + or ['access_control', ['policy', policy], ['label', label], ['type', type]] """ if not on(): @@ -417,14 +436,14 @@ def get_decision(arg1, arg2): #translate labels before calling low-level function if arg1[0] == 'access_control': - if (arg1[1][0] != 'policy') or (arg1[2][0] != 'label') : + if (arg1[1][0] != 'policy') or (arg1[2][0] != 'label') or (arg1[3][0] != 'type'): err("Argument type not supported.") - ssidref = label2ssidref(arg1[2][1], arg1[1][1]) + ssidref = label2ssidref(arg1[2][1], arg1[1][1], arg1[3][1]) arg1 = ['ssidref', str(ssidref)] if arg2[0] == 'access_control': - if (arg2[1][0] != 'policy') or (arg2[2][0] != 'label') : + if (arg2[1][0] != 'policy') or (arg2[2][0] != 'label') or (arg2[3][0] != 'type'): err("Argument type not supported.") - ssidref = label2ssidref(arg2[2][1], arg2[1][1]) + ssidref = label2ssidref(arg2[2][1], arg2[1][1], arg2[3][1]) arg2 = ['ssidref', str(ssidref)] # accept only int or string types for domid and ssidref Index: xen-unstable.hg-shype/tools/python/xen/xm/addlabel.py =================================================================== --- xen-unstable.hg-shype.orig/tools/python/xen/xm/addlabel.py +++ xen-unstable.hg-shype/tools/python/xen/xm/addlabel.py @@ -50,7 +50,7 @@ def main(argv): err("No active policy. Policy must be specified in command line.") #sanity checks: make sure this label can be instantiated later on - ssidref = label2ssidref(label, policyref) + ssidref = label2ssidref(label, policyref, 'dom') new_label = "access_control = ['policy=%s,label=%s']\n" % (policyref, label) if not os.path.isfile(configfile): Index: xen-unstable.hg-shype/tools/python/xen/xm/create.py =================================================================== --- xen-unstable.hg-shype.orig/tools/python/xen/xm/create.py +++ xen-unstable.hg-shype/tools/python/xen/xm/create.py @@ -533,7 +533,7 @@ def configure_security(config, vals): if sxp.child_value(config, 'ssidref'): err("ERROR: SSIDREF and access_control are mutually exclusive but both specified!") #else calculate ssidre from label - ssidref = security.label2ssidref(label, policy) + ssidref = security.label2ssidref(label, policy, 'dom') if not ssidref : err("ERROR calculating ssidref from access_control.") security_label = ['security', [ config_access_control, ['ssidref' , ssidref ] ] ] Index: xen-unstable.hg-shype/tools/security/Makefile =================================================================== --- xen-unstable.hg-shype.orig/tools/security/Makefile +++ xen-unstable.hg-shype/tools/security/Makefile @@ -33,7 +33,7 @@ OBJS_XML2BIN := $(patsubst %.c,%.o,$(fil ACM_INST_TOOLS = xensec_tool xensec_xml2bin xensec_gen ACM_OBJS = $(OBJS_TOOL) $(OBJS_XML2BIN) $(OBJS_GETD) -ACM_SCRIPTS = python/xensec_tools/acm_getlabel python/xensec_tools/acm_getdecision +ACM_SCRIPTS = python/xensec_tools/acm_getlabel ACM_CONFIG_DIR = /etc/xen/acm-security ACM_POLICY_DIR = $(ACM_CONFIG_DIR)/policies Index: xen-unstable.hg-shype/tools/security/python/xensec_gen/cgi-bin/policy.cgi =================================================================== --- xen-unstable.hg-shype.orig/tools/security/python/xensec_gen/cgi-bin/policy.cgi +++ xen-unstable.hg-shype/tools/security/python/xensec_gen/cgi-bin/policy.cgi @@ -406,7 +406,7 @@ def parsePolicyXml( ): msg = msg + 'Please validate the Policy file used.' formatXmlError( msg ) - allCSMTypes[csName][1] = csMemberList + allCSMTypes[csName][1] = csMemberList if pOrder != '': formPolicyOrder[1] = pOrder Index: xen-unstable.hg-shype/tools/security/python/xensec_tools/acm_getdecision =================================================================== --- xen-unstable.hg-shype.orig/tools/security/python/xensec_tools/acm_getdecision +++ /dev/null @@ -1,55 +0,0 @@ -#!/usr/bin/env python -# -*- mode: python; -*- -import sys -import traceback -import getopt - -# add fallback path for non-native python path installs if needed -sys.path.insert(-1, '/usr/lib/python') -sys.path.insert(-1, '/usr/lib64/python') - -from xen.util.security import ACMError, err, get_decision, active_policy - -def usage(): - print "Usage: acm_getdecision -i domainid --label labelname" - print " Test program illustrating the retrieval of" - print " access control decisions from Xen. At this time," - print " only sharing (STE) policy decisions are supported." - print " Arguments are two paramters in any combination:" - print "\t -i domain_id or --domid domain_id" - print "\t -l labelname or --label labelname" - print " Return value:" - print "\t PERMITTED if access is permitted" - print "\t DENIED if access is denied" - print "\t ACMError -- e.g., unknown label or domain id" - err("Usage") - -try: - - if len(sys.argv) != 5: - usage() - - decision_args = [] - - for idx in range(1, len(sys.argv), 2): - if sys.argv[idx] in ['-i', '--domid']: - decision_args.append(['domid', sys.argv[idx+1]]) - elif sys.argv[idx] in ['-l', '--label']: - decision_args.append(['access_control', - ['policy', active_policy], - ['label', sys.argv[idx+1]] - ]) - else: - print "unknown argument %s" % sys.argv[idx] - usage() - - if len(decision_args) != 2: - print "too many arguments" - usage() - - print get_decision(decision_args[0], decision_args[1]) - -except ACMError: - pass -except: - traceback.print_exc(limit=1) Index: xen-unstable.hg-shype/tools/security/secpol_xml2bin.c =================================================================== --- xen-unstable.hg-shype.orig/tools/security/secpol_xml2bin.c +++ xen-unstable.hg-shype/tools/security/secpol_xml2bin.c @@ -44,6 +44,8 @@ #define DEBUG 0 +#define NULL_LABEL_NAME "__NULL_LABEL__" + /* primary / secondary policy component setting */ enum policycomponent { CHWALL, STE, NULLPOLICY } primary = NULLPOLICY, secondary = NULLPOLICY; @@ -467,7 +469,7 @@ int init_ssid_queues(void) return -ENOMEM; /* default chwall ssid */ - default_ssid_chwall->name = "DEFAULT"; + default_ssid_chwall->name = NULL_LABEL_NAME; default_ssid_chwall->num = max_chwall_ssids++; default_ssid_chwall->is_ref = 0; default_ssid_chwall->type = ANY; @@ -484,7 +486,7 @@ int init_ssid_queues(void) max_chwall_labels++; /* default ste ssid */ - default_ssid_ste->name = "DEFAULT"; + default_ssid_ste->name = NULL_LABEL_NAME; default_ssid_ste->num = max_ste_ssids++; default_ssid_ste->is_ref = 0; default_ssid_ste->type = ANY;