From: Reiner Sailer <sailer@us.ibm.com>
To: xen-devel@lists.xensource.com
Cc: Stefan Berger <stefanb@us.ibm.com>,
	"Bryan D. Payne" <bryan@thepaynes.cc>,
	Reiner Sailer <sailer@us.ibm.com>
Subject: [BUGFIX][ACM][Resource Labels] This patch fixes problems with multiple representations of the same labeled resource
Date: Wed, 04 Oct 2006 12:22:30 -0400
Message-ID: <4523DFC6.4000902@us.ibm.com>

[-- Attachment #1: Type: text/plain, Size: 708 bytes --]

This patch fixes problems with resource representations in the 
resource_label file. Without this patch, multiple representations of the 
same resource can co-exist in the resource label file and lead to errors 
during operation.

This patch ensures that all resource file names are stored with absolute
path names and are unique. When setting labels of phy-resources, relative
paths will automatically be prepended with '/dev/'; labeling
file-resources with relative paths will raise an error.

This patch is tested successfully both manually, with ACM=n and xm-test, 
and with ACM=y and xm-test (using our pending ACM extensions to xm-test).

Thanks
Reiner

Signed-off by: Reiner Sailer <sailer@us.ibm.com>


[-- Attachment #2: canonical_reslabels_fix.diff --]
[-- Type: text/plain, Size: 3608 bytes --]

---
 tools/python/xen/util/security.py |   22 ++++++++++++++++++++++
 tools/python/xen/xm/addlabel.py   |    9 ++-------
 tools/python/xen/xm/getlabel.py   |    3 +++
 tools/python/xen/xm/rmlabel.py    |    3 +++
 4 files changed, 30 insertions(+), 7 deletions(-)

Index: xen-unstable.hg-shype/tools/python/xen/util/security.py
===================================================================
--- xen-unstable.hg-shype.orig/tools/python/xen/util/security.py
+++ xen-unstable.hg-shype/tools/python/xen/util/security.py
@@ -596,12 +596,34 @@ def get_res_security_details(resource):
     return (label, ssidref, policy)
 
 
+def unify_resname(resource):
+    """Makes all resource locations absolute. In case of physical
+    resources, '/dev/' is added to local file names"""
+
+    # sanity check on resource name
+    (type, resfile) = resource.split(":")
+    if type == "phy":
+        if not resfile.startswith("/"):
+            resfile = "/dev/" + resfile
+
+    #file: resources must specified with absolute path
+    if (not resfile.startswith("/")) or (not os.path.exists(resfile)):
+        err("Invalid resource.")
+
+    # from here on absolute file names with resources
+    resource = type + ":" + resfile
+    return resource
+
+
 def res_security_check(resource, domain_label):
     """Checks if the given resource can be used by the given domain
        label.  Returns 1 if the resource can be used, otherwise 0.
     """
     rtnval = 1
 
+    #build canonical resource name
+    resource = unify_resname(resource)
+
     # if security is on, ask the hypervisor for a decision
     if on():
         (label, ssidref, policy) = get_res_security_details(resource)
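Review bot: unify_resname() only tests resfile.startswith("/") and never normalises the path, so "phy:/dev/hda1", "phy:/dev//hda1" and "phy:/dev/../dev/hda1" all pass the check and remain distinct keys, which is the multiple-representation problem the patch sets out to remove. Consider passing resfile through os.path.normpath() (or os.path.realpath() if symlinked names should collapse as well) before rebuilding the resource string. In the same function, (type, resfile) = resource.split(":") raises ValueError when the input has no colon or more than one; split(":", 1) with an explicit err() for the missing-colon case would keep malformed input on the same error path as the other checks. The "#file:" comment also reads as if the check were file-only, while it runs for phy resources too, and the local name type shadows the builtin.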
Index: xen-unstable.hg-shype/tools/python/xen/xm/addlabel.py
===================================================================
--- xen-unstable.hg-shype.orig/tools/python/xen/xm/addlabel.py
+++ xen-unstable.hg-shype/tools/python/xen/xm/addlabel.py
@@ -72,13 +72,8 @@ def add_resource_label(label, resource, 
     # sanity check: make sure this label can be instantiated later on
     ssidref = security.label2ssidref(label, policyref, 'res')
 
-    # sanity check on resource name
-    (type, file) = resource.split(":")
-    if type == "phy":
-        file = "/dev/" + file
-    if not os.path.exists(file):
-        print "Invalid resource '"+resource+"'"
-        return
+    #build canonical resource name
+    resource = security.unify_resname(resource)
 
     # see if this resource is already in the file
     access_control = {}
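Review bot: the "already in the file" lookup that follows now uses the canonical name, but the removed code only prefixed "/dev/" onto the local variable file and left resource as typed, so entries written before this change can still sit in the resource label file under a relative name and will no longer match. Consider canonicalising the keys when the file is loaded, or documenting that existing entries must be relabelled. The removed error message also named the offending resource ("Invalid resource '"+resource+"'"), while the replacement path reports only "Invalid resource."; including the resource string in the err() text would keep that diagnostic.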
Index: xen-unstable.hg-shype/tools/python/xen/xm/getlabel.py
===================================================================
--- xen-unstable.hg-shype.orig/tools/python/xen/xm/getlabel.py
+++ xen-unstable.hg-shype/tools/python/xen/xm/getlabel.py
@@ -33,6 +33,9 @@ def help():
 def get_resource_label(resource):
     """Gets the resource label
     """
+    #build canonical resource name
+    resource = security.unify_resname(resource)
+
     # read in the resource file
     file = security.res_label_filename
     try:
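Review bot: the unify_resname() call sits above the try block, so a failure inside it (the err() path, or an unpacking error from the split) is not covered by the handling that follows for reading the label file. Because unify_resname() also requires os.path.exists(), a read-only query for a labelled resource whose backing file is currently absent now ends in "Invalid resource." rather than returning the stored label; if that is intended, a short comment here would help, otherwise the existence check could be skipped for lookups.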
Index: xen-unstable.hg-shype/tools/python/xen/xm/rmlabel.py
===================================================================
--- xen-unstable.hg-shype.orig/tools/python/xen/xm/rmlabel.py
+++ xen-unstable.hg-shype/tools/python/xen/xm/rmlabel.py
@@ -37,6 +37,9 @@ def help():
 def rm_resource_label(resource):
     """Removes a resource label from the global resource label file.
     """
+    #build canonical resource name
+    resource = security.unify_resname(resource)
+
     # read in the resource file
     file = security.res_label_filename
     try:
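Review bot: with unify_resname() in front of the removal, a label can only be removed while the resource still exists, because the helper rejects any name for which os.path.exists() is false. An entry for a device or image file that has since been deleted can then never be removed through this command and stays in the resource label file. Consider splitting the helper so that rm_resource_label() applies only the name canonicalisation and leaves out the existence check.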
