def do_access_control(self, config, uname):
    """Check that this VM may use the block device named by ``uname``.

    The resource's security details are looked up from ``uname`` and
    compared against the VM's own security label. ``config`` is accepted
    but not read by this check.

    Raises:
        VmError: if the policy check denies the labeled VM access, or if
            the VM has no security label and the resource carries any
            label other than ACM_LABEL_UNLABELED.
    """
    label, ssidref, policy = security.get_res_security_details(uname)
    vm_label = self.vm.get_security_label()

    if not vm_label:
        # An unlabeled VM may only touch resources that are themselves
        # unlabeled; the constant is imported lazily, on this path only.
        from xen.util.acmpolicy import ACM_LABEL_UNLABELED
        if label != ACM_LABEL_UNLABELED:
            raise VmError("VM must have a security label to access "
                          "block device '%s'" % uname)
        return

    verdict = security.res_security_check_xapi(label, ssidref, policy,
                                               vm_label)
    # NOTE(review): only an exact 0 is treated as "denied"; every other
    # return value lets the device through. Confirm that
    # res_security_check_xapi cannot signal failure with another value.
    if verdict == 0:
        raise VmError("VM's access to block device '%s' denied" % uname)
def do_access_control(self, config):
    """Check that this VM may use the network device described by ``config``.

    The check is enforced when the VIF carries a ``security_label`` or
    when the VM's label maps to more than one STE; in the latter case the
    VIF is required to be labeled.

    Raises:
        VmError: if a required VIF label is missing, if the VM itself has
            no security label, or if the policy check denies access.
    """
    vm_label = self.vm.get_security_label()
    vm_stes = XSPolicyAdminInstance().get_stes_of_vmlabel(vm_label)
    vif_label = config.get('security_label')

    # NOTE(review): an unlabeled VIF on a VM whose label has at most one
    # STE is admitted without any policy check - presumably intentional;
    # confirm against the policy model.
    if len(vm_stes) <= 1 and not vif_label:
        return

    if not vif_label:
        raise VmError("'VIF' must be labeled")

    # The label is resolved before the VM label is examined, so a label
    # that fails to resolve surfaces ahead of the "VM must have a
    # security label" error.
    label, ssidref, policy = security.security_label_to_details(vif_label)

    if not vm_label:
        raise VmError("VM must have a security label to access "
                      "network device")

    verdict = security.res_security_check_xapi(label, ssidref, policy,
                                               vm_label)
    # NOTE(review): only an exact 0 is treated as "denied"; confirm that
    # res_security_check_xapi has no other failure return value.
    if verdict == 0:
        raise VmError("VM's access to network device denied. "
                      "Check labeling")