From: Reiner Sailer <sailer@us.ibm.com>
To: xen-devel@lists.xensource.com
Cc: sailer@us.ibm.com
Subject: [Patch 3 / 8][ACM] - policy translation tools support
Date: Tue, 11 Apr 2006 22:27:46 -0400 [thread overview]
Message-ID: <443C65A2.3080502@us.ibm.com> (raw)
[-- Attachment #1: Type: text/plain, Size: 137 bytes --]
This patch adds support for the simplified policies to the policy
translation tools.
Signed-off by: Reiner Sailer <sailer@us.ibm.com>
[-- Attachment #2: patch3_secpol.diff --]
[-- Type: text/plain, Size: 65074 bytes --]
---
tools/security/Makefile | 24 -
tools/security/secpol_tool.c | 199 ++----------
tools/security/secpol_xml2bin.c | 624 +++++++++++++++++++---------------------
tools/security/secpol_xml2bin.h | 179 ++++++-----
4 files changed, 437 insertions(+), 589 deletions(-)
Index: xen-unstable.hg-shype/tools/security/Makefile
===================================================================
--- xen-unstable.hg-shype.orig/tools/security/Makefile
+++ xen-unstable.hg-shype/tools/security/Makefile
@@ -30,28 +30,23 @@ SRCS_TOOL = secpol_tool.c
OBJS_TOOL := $(patsubst %.c,%.o,$(filter %.c,$(SRCS_TOOL)))
SRCS_XML2BIN = secpol_xml2bin.c secpol_xml2bin.h
OBJS_XML2BIN := $(patsubst %.c,%.o,$(filter %.c,$(SRCS_XML2BIN)))
-SRCS_GETD = get_decision.c
-OBJS_GETD := $(patsubst %.c,%.o,$(filter %.c,$(SRCS_GETD)))
ACM_INST_TOOLS = xensec_tool xensec_xml2bin xensec_gen
-ACM_NOINST_TOOLS = get_decision
ACM_OBJS = $(OBJS_TOOL) $(OBJS_XML2BIN) $(OBJS_GETD)
-ACM_SCRIPTS = getlabel.sh setlabel.sh updategrub.sh labelfuncs.sh
+ACM_SCRIPTS = python/xensec_tools/acm_getlabel python/xensec_tools/acm_getdecision
ACM_CONFIG_DIR = /etc/xen/acm-security
ACM_POLICY_DIR = $(ACM_CONFIG_DIR)/policies
ACM_SCRIPT_DIR = $(ACM_CONFIG_DIR)/scripts
ACM_INST_HTML = python/xensec_gen/index.html
-ACM_INST_CGI = python/xensec_gen/cgi-bin/policy.cgi \
- python/xensec_gen/cgi-bin/policylabel.cgi
+ACM_INST_CGI = python/xensec_gen/cgi-bin/policy.cgi
ACM_SECGEN_HTMLDIR= /var/lib/xensec_gen
ACM_SECGEN_CGIDIR = $(ACM_SECGEN_HTMLDIR)/cgi-bin
ACM_SCHEMA = security_policy.xsd
-ACM_EXAMPLES = null chwall ste chwall_ste
+ACM_EXAMPLES = chwall ste chwall_ste
ACM_POLICY_SUFFIX = security_policy.xml
-ACM_LABEL_SUFFIX = security_label_template.xml
ifeq ($(ACM_SECURITY),y)
.PHONY: all
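Review bot: `ACM_OBJS = $(OBJS_TOOL) $(OBJS_XML2BIN) $(OBJS_GETD)` still references `$(OBJS_GETD)` although this hunk deletes both `SRCS_GETD` and `OBJS_GETD`; the reference now expands to nothing and would trigger a warning under `--warn-undefined-variables`. Change it to `ACM_OBJS = $(OBJS_TOOL) $(OBJS_XML2BIN)`. `ACM_NOINST_TOOLS` is removed here too, so if the `clean` rule (outside this hunk) still lists it, the same stale reference applies there.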
@@ -64,10 +59,10 @@ install: all $(ACM_CONFIG_FILE)
$(INSTALL_DIR) -p $(DESTDIR)$(ACM_CONFIG_DIR)
$(INSTALL_DIR) -p $(DESTDIR)$(ACM_POLICY_DIR)
$(INSTALL_DATA) -p policies/$(ACM_SCHEMA) $(DESTDIR)$(ACM_POLICY_DIR)
+ $(INSTALL_DIR) -p $(DESTDIR)$(ACM_POLICY_DIR)/example
for i in $(ACM_EXAMPLES); do \
- $(INSTALL_DIR) -p $(DESTDIR)$(ACM_POLICY_DIR)/$$i; \
- $(INSTALL_DATA) -p policies/$$i/$$i-$(ACM_POLICY_SUFFIX) $(DESTDIR)$(ACM_POLICY_DIR)/$$i; \
- $(INSTALL_DATA) -p policies/$$i/$$i-$(ACM_LABEL_SUFFIX) $(DESTDIR)$(ACM_POLICY_DIR)/$$i; \
+ $(INSTALL_DIR) -p $(DESTDIR)$(ACM_POLICY_DIR)/example/$$i; \
+ $(INSTALL_DATA) -p policies/example/$$i/client_v1-$(ACM_POLICY_SUFFIX) $(DESTDIR)$(ACM_POLICY_DIR)/example/$$i; \
done
$(INSTALL_DIR) -p $(DESTDIR)$(ACM_SCRIPT_DIR)
$(INSTALL_PROG) -p $(ACM_SCRIPTS) $(DESTDIR)$(ACM_SCRIPT_DIR)
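Review bot: The rewritten install loop still lets a failed `$(INSTALL_DATA)` go unnoticed, because a shell `for` loop's exit status is that of its last command; a missing `policies/example/$$i/client_v1-$(ACM_POLICY_SUFFIX)` for any example but the last does not fail `make install`. Append `|| exit 1` to both commands in the loop body, e.g. `$(INSTALL_DATA) -p policies/example/$$i/client_v1-$(ACM_POLICY_SUFFIX) $(DESTDIR)$(ACM_POLICY_DIR)/example/$$i || exit 1; \`. The `client_v1` prefix is now hard-coded where the old loop derived the file name from `$$i`; a one-line comment on `ACM_EXAMPLES` stating that every listed directory must contain a `client_v1-$(ACM_POLICY_SUFFIX)` file would document that convention. The `install` rule starts before this hunk.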
@@ -99,9 +94,6 @@ xensec_tool: $(OBJS_TOOL)
xensec_xml2bin: $(OBJS_XML2BIN)
$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^
-get_decision: $(OBJS_GETD)
- $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^
-
xensec_gen: xensec_gen.py
cp -f $^ $@
@@ -116,8 +108,4 @@ clean:
.PHONY: mrproper
mrproper: clean
-.PHONY: boot_install
-boot_install: install
- $(ACM_SCRIPT_DIR)/updategrub.sh $(POLICY) $(KERNEL_VERSION)
-
-include $(PROG_DEPS)
Index: xen-unstable.hg-shype/tools/security/secpol_tool.c
===================================================================
--- xen-unstable.hg-shype.orig/tools/security/secpol_tool.c
+++ xen-unstable.hg-shype/tools/security/secpol_tool.c
@@ -48,9 +48,7 @@ void usage(char *progname)
"ACTION is one of:\n"
"\t getpolicy\n"
"\t dumpstats\n"
- "\t loadpolicy <binary policy file>\n"
- "\t getssid -d <domainid> [-f]\n"
- "\t getssid -s <ssidref> [-f]\n", progname);
+ "\t loadpolicy <binary policy file>\n", progname);
exit(-1);
}
@@ -68,7 +66,7 @@ static inline int do_xen_hypercall(int x
(unsigned long) hypercall);
}
-static inline int do_acm_op(int xc_handle, struct acm_op * op)
+static inline int do_acm_op(int xc_handle, struct acm_op *op)
{
int ret = -1;
privcmd_hypercall_t hypercall;
@@ -78,15 +76,13 @@ static inline int do_acm_op(int xc_handl
hypercall.op = __HYPERVISOR_acm_op;
hypercall.arg[0] = (unsigned long) op;
- if (mlock(op, sizeof(*op)) != 0)
- {
+ if (mlock(op, sizeof(*op)) != 0) {
PERROR("Could not lock memory for Xen policy hypercall");
goto out1;
}
- if ((ret = do_xen_hypercall(xc_handle, &hypercall)) < 0)
- {
- printf( "ACM operation failed: errno=%d\n", errno );
+ if ((ret = do_xen_hypercall(xc_handle, &hypercall)) < 0) {
+ printf("ACM operation failed: errno=%d\n", errno);
if (errno == EACCES)
fprintf(stderr, "ACM operation failed -- need to"
" rebuild the user-space tool set?\n");
@@ -108,8 +104,7 @@ void acm_dump_chinesewall_buffer(void *b
int i, j;
- if (htonl(cwbuf->policy_code) != ACM_CHINESE_WALL_POLICY)
- {
+ if (htonl(cwbuf->policy_code) != ACM_CHINESE_WALL_POLICY) {
printf("CHINESE WALL POLICY CODE not found ERROR!!\n");
return;
}
@@ -129,8 +124,7 @@ void acm_dump_chinesewall_buffer(void *b
printf("\nSSID To CHWALL-Type matrix:\n");
ssids = (domaintype_t *) (buf + ntohl(cwbuf->chwall_ssid_offset));
- for (i = 0; i < ntohl(cwbuf->chwall_max_ssidrefs); i++)
- {
+ for (i = 0; i < ntohl(cwbuf->chwall_max_ssidrefs); i++) {
printf("\n ssidref%2x: ", i);
for (j = 0; j < ntohl(cwbuf->chwall_max_types); j++)
printf("%02x ",
@@ -139,8 +133,7 @@ void acm_dump_chinesewall_buffer(void *b
printf("\n\nConfict Sets:\n");
conflicts =
(domaintype_t *) (buf + ntohl(cwbuf->chwall_conflict_sets_offset));
- for (i = 0; i < ntohl(cwbuf->chwall_max_conflictsets); i++)
- {
+ for (i = 0; i < ntohl(cwbuf->chwall_max_conflictsets); i++) {
printf("\n c-set%2x: ", i);
for (j = 0; j < ntohl(cwbuf->chwall_max_types); j++)
printf("%02x ",
@@ -150,13 +143,11 @@ void acm_dump_chinesewall_buffer(void *b
printf("\n");
printf("\nRunning\nTypes: ");
- if (ntohl(cwbuf->chwall_running_types_offset))
- {
+ if (ntohl(cwbuf->chwall_running_types_offset)) {
running_types =
(domaintype_t *) (buf +
ntohl(cwbuf->chwall_running_types_offset));
- for (i = 0; i < ntohl(cwbuf->chwall_max_types); i++)
- {
+ for (i = 0; i < ntohl(cwbuf->chwall_max_types); i++) {
printf("%02x ", ntohs(running_types[i]));
}
printf("\n");
@@ -164,13 +155,12 @@ void acm_dump_chinesewall_buffer(void *b
printf("Not Reported!\n");
}
printf("\nConflict\nAggregate Set: ");
- if (ntohl(cwbuf->chwall_conflict_aggregate_offset))
- {
+ if (ntohl(cwbuf->chwall_conflict_aggregate_offset)) {
conflict_aggregate =
(domaintype_t *) (buf +
- ntohl(cwbuf->chwall_conflict_aggregate_offset));
- for (i = 0; i < ntohl(cwbuf->chwall_max_types); i++)
- {
+ ntohl(cwbuf->
+ chwall_conflict_aggregate_offset));
+ for (i = 0; i < ntohl(cwbuf->chwall_max_types); i++) {
printf("%02x ", ntohs(conflict_aggregate[i]));
}
printf("\n\n");
@@ -201,11 +191,11 @@ void acm_dump_ste_buffer(void *buf, int
printf("\nSSID To STE-Type matrix:\n");
ssids = (domaintype_t *) (buf + ntohl(stebuf->ste_ssid_offset));
- for (i = 0; i < ntohl(stebuf->ste_max_ssidrefs); i++)
- {
+ for (i = 0; i < ntohl(stebuf->ste_max_ssidrefs); i++) {
printf("\n ssidref%2x: ", i);
for (j = 0; j < ntohl(stebuf->ste_max_types); j++)
- printf("%02x ", ntohs(ssids[i * ntohl(stebuf->ste_max_types) + j]));
+ printf("%02x ",
+ ntohs(ssids[i * ntohl(stebuf->ste_max_types) + j]));
}
printf("\n\n");
}
@@ -213,9 +203,12 @@ void acm_dump_ste_buffer(void *buf, int
void acm_dump_policy_buffer(void *buf, int buflen)
{
struct acm_policy_buffer *pol = (struct acm_policy_buffer *) buf;
-
+ char *policy_reference_name =
+ (buf + ntohl(pol->policy_reference_offset) +
+ sizeof(struct acm_policy_reference_buffer));
printf("\nPolicy dump:\n");
printf("============\n");
+ printf("POLICY REFERENCE = %s.\n", policy_reference_name);
printf("PolicyVer = %x.\n", ntohl(pol->policy_version));
printf("Magic = %x.\n", ntohl(pol->magic));
printf("Len = %x.\n", ntohl(pol->len));
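Review bot: The new `policy_reference_name` pointer is built from `pol->policy_reference_offset`, a value read verbatim from the policy file, and is printed with `%s` without being checked against `buflen`; a truncated or malformed binary policy therefore makes `printf` read past the end of the buffer (this dump runs before the policy is handed to the hypervisor, see `acm_domain_loadpolicy`). Validate the offset first, e.g. `if (ntohl(pol->policy_reference_offset) + sizeof(struct acm_policy_reference_buffer) >= buflen) { printf("ERROR: policy reference offset out of bounds.\n"); return; }`, and print with a length bound (`%.*s` with the remaining byte count) so a missing NUL terminator cannot run off the end either. The rest of `acm_dump_policy_buffer` continues outside this hunk and appears not to use `buflen` in the visible lines; that is pre-existing, but the added line should not extend it.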
@@ -227,8 +220,7 @@ void acm_dump_policy_buffer(void *buf, i
ACM_POLICY_NAME(ntohl(pol->secondary_policy_code)),
ntohl(pol->secondary_policy_code),
ntohl(pol->secondary_buffer_offset));
- switch (ntohl(pol->primary_policy_code))
- {
+ switch (ntohl(pol->primary_policy_code)) {
case ACM_CHINESE_WALL_POLICY:
acm_dump_chinesewall_buffer(buf +
ntohl(pol->primary_buffer_offset),
@@ -250,8 +242,7 @@ void acm_dump_policy_buffer(void *buf, i
printf("UNKNOWN POLICY!\n");
}
- switch (ntohl(pol->secondary_policy_code))
- {
+ switch (ntohl(pol->secondary_policy_code)) {
case ACM_CHINESE_WALL_POLICY:
acm_dump_chinesewall_buffer(buf +
ntohl(pol->secondary_buffer_offset),
@@ -303,26 +294,22 @@ int acm_domain_loadpolicy(int xc_handle,
off_t len;
uint8_t *buffer;
- if ((ret = stat(filename, &mystat)))
- {
+ if ((ret = stat(filename, &mystat))) {
printf("File %s not found.\n", filename);
goto out;
}
len = mystat.st_size;
- if ((buffer = malloc(len)) == NULL)
- {
+ if ((buffer = malloc(len)) == NULL) {
ret = -ENOMEM;
goto out;
}
- if ((fd = open(filename, O_RDONLY)) <= 0)
- {
+ if ((fd = open(filename, O_RDONLY)) <= 0) {
ret = -ENOENT;
printf("File %s not found.\n", filename);
goto free_out;
}
- if (len == read(fd, buffer, len))
- {
+ if (len == read(fd, buffer, len)) {
struct acm_op op;
/* dump it and then push it down into xen/acm */
acm_dump_policy_buffer(buffer, len);
@@ -334,7 +321,7 @@ int acm_domain_loadpolicy(int xc_handle,
if (ret)
printf
- ("ERROR setting policy. Try 'xm dmesg' to see details.\n");
+ ("ERROR setting policy.\n");
else
printf("Successfully changed policy.\n");
@@ -382,9 +369,9 @@ int acm_domain_dumpstats(int xc_handle)
op.u.dumpstats.pullcache_size = sizeof(stats_buffer);
ret = do_acm_op(xc_handle, &op);
- if (ret < 0)
- {
- printf("ERROR dumping policy stats. Try 'xm dmesg' to see details.\n");
+ if (ret < 0) {
+ printf
+ ("ERROR dumping policy stats. Try 'xm dmesg' to see details.\n");
return ret;
}
stats = (struct acm_stats_buffer *) stats_buffer;
@@ -394,8 +381,7 @@ int acm_domain_dumpstats(int xc_handle)
printf("Magic = %x.\n", ntohl(stats->magic));
printf("Len = %x.\n", ntohl(stats->len));
- switch (ntohl(stats->primary_policy_code))
- {
+ switch (ntohl(stats->primary_policy_code)) {
case ACM_NULL_POLICY:
printf("NULL Policy: No statistics apply.\n");
break;
@@ -414,8 +400,7 @@ int acm_domain_dumpstats(int xc_handle)
printf("UNKNOWN PRIMARY POLICY ERROR!\n");
}
- switch (ntohl(stats->secondary_policy_code))
- {
+ switch (ntohl(stats->secondary_policy_code)) {
case ACM_NULL_POLICY:
printf("NULL Policy: No statistics apply.\n");
break;
@@ -435,119 +420,6 @@ int acm_domain_dumpstats(int xc_handle)
}
return ret;
}
-/************************ get ssidref & types ******************************/
-/*
- * the ssid (types) can be looked up either by domain id or by ssidref
- */
-int acm_domain_getssid(int xc_handle, int argc, char * const argv[])
-{
- /* this includes header and a set of types */
- #define MAX_SSIDBUFFER 2000
- int ret, i;
- struct acm_op op;
- struct acm_ssid_buffer *hdr;
- unsigned char *buf;
- int nice_print = 1;
-
- op.cmd = ACM_GETSSID;
- op.interface_version = ACM_INTERFACE_VERSION;
- op.u.getssid.get_ssid_by = UNSET;
- /* arguments
- -d ... domain id to look up
- -s ... ssidref number to look up
- -f ... formatted print (scripts depend on this format)
- */
- while (1)
- {
- int c = getopt(argc, argv, "d:s:f");
- if (c == -1)
- break;
- if (c == 'd')
- {
- if (op.u.getssid.get_ssid_by != UNSET)
- usage(argv[0]);
- op.u.getssid.get_ssid_by = DOMAINID;
- op.u.getssid.id.domainid = strtoul(optarg, NULL, 0);
- }
- else if (c== 's')
- {
- if (op.u.getssid.get_ssid_by != UNSET)
- usage(argv[0]);
- op.u.getssid.get_ssid_by = SSIDREF;
- op.u.getssid.id.ssidref = strtoul(optarg, NULL, 0);
- }
- else if (c== 'f')
- {
- nice_print = 0;
- }
- else
- usage(argv[0]);
- }
- if (op.u.getssid.get_ssid_by == UNSET)
- usage(argv[0]);
-
- buf = malloc(MAX_SSIDBUFFER);
- if (!buf)
- return -ENOMEM;
-
- /* dump it and then push it down into xen/acm */
- op.u.getssid.ssidbuf = buf; /* out */
- op.u.getssid.ssidbuf_size = MAX_SSIDBUFFER;
- ret = do_acm_op(xc_handle, &op);
-
- if (ret)
- {
- printf("ERROR getting ssidref. Try 'xm dmesg' to see details.\n");
- goto out;
- }
- hdr = (struct acm_ssid_buffer *)buf;
- if (hdr->len > MAX_SSIDBUFFER)
- {
- printf("ERROR: Buffer length inconsistent (ret=%d, hdr->len=%d)!\n",
- ret, hdr->len);
- return -EIO;
- }
- if (nice_print)
- {
- printf("SSID: ssidref = 0x%08x \n", hdr->ssidref);
- printf(" P: %s, max_types = %d\n",
- ACM_POLICY_NAME(hdr->primary_policy_code), hdr->primary_max_types);
- printf(" Types: ");
- for (i=0; i< hdr->primary_max_types; i++)
- if (buf[hdr->primary_types_offset + i])
- printf("%02x ", i);
- else
- printf("-- ");
- printf("\n");
-
- printf(" S: %s, max_types = %d\n",
- ACM_POLICY_NAME(hdr->secondary_policy_code), hdr->secondary_max_types);
- printf(" Types: ");
- for (i=0; i< hdr->secondary_max_types; i++)
- if (buf[hdr->secondary_types_offset + i])
- printf("%02x ", i);
- else
- printf("-- ");
- printf("\n");
- }
- else
- {
- /* formatted print for use with scripts (.sh)
- * update scripts when updating here (usually
- * used in combination with -d to determine a
- * running domain's label
- */
- printf("SSID: ssidref = 0x%08x \n", hdr->ssidref);
- }
-
- /* return ste ssidref */
- if (hdr->primary_policy_code == ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY)
- ret = (hdr->ssidref) & 0xffff;
- else if (hdr->secondary_policy_code == ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY)
- ret = (hdr->ssidref) >> 16;
- out:
- return ret;
-}
/***************************** main **************************************/
@@ -559,8 +431,7 @@ int main(int argc, char **argv)
if (argc < 2)
usage(argv[0]);
- if ((acm_cmd_fd = open("/proc/xen/privcmd", O_RDONLY)) <= 0)
- {
+ if ((acm_cmd_fd = open("/proc/xen/privcmd", O_RDONLY)) <= 0) {
printf("ERROR: Could not open xen privcmd device!\n");
exit(-1);
}
@@ -577,8 +448,6 @@ int main(int argc, char **argv)
if (argc != 2)
usage(argv[0]);
ret = acm_domain_dumpstats(acm_cmd_fd);
- } else if (!strcmp(argv[1], "getssid")) {
- ret = acm_domain_getssid(acm_cmd_fd, argc, argv);
} else
usage(argv[0]);
Index: xen-unstable.hg-shype/tools/security/secpol_xml2bin.c
===================================================================
--- xen-unstable.hg-shype.orig/tools/security/secpol_xml2bin.c
+++ xen-unstable.hg-shype/tools/security/secpol_xml2bin.c
@@ -101,22 +101,30 @@ int have_chwall = 0;
/* input/output file names */
char *policy_filename = NULL,
- *label_filename = NULL,
- *binary_filename = NULL, *mapping_filename = NULL,
- *schema_filename = NULL;
+ *binary_filename = NULL,
+ *mapping_filename = NULL, *schema_filename = NULL;
+
+char *policy_reference_name = NULL;
+
+void walk_labels(xmlNode * start, xmlDocPtr doc, unsigned long state);
void usage(char *prg)
{
printf("Usage: %s [OPTIONS] POLICYNAME\n", prg);
- printf("POLICYNAME is the directory name within the policy directory\n");
- printf("that contains the policy files. The default policy directory\n");
- printf("is '%s' (see the '-d' option below to change it)\n", POLICY_DIR);
- printf("The policy files contained in the POLICYNAME directory must be named:\n");
+ printf
+ ("POLICYNAME is the directory name within the policy directory\n");
+ printf
+ ("that contains the policy files. The default policy directory\n");
+ printf("is '%s' (see the '-d' option below to change it)\n",
+ POLICY_DIR);
+ printf
+ ("The policy files contained in the POLICYNAME directory must be named:\n");
printf("\tPOLICYNAME-security_policy.xml\n");
printf("\tPOLICYNAME-security_label_template.xml\n\n");
printf("OPTIONS:\n");
printf("\t-d POLICYDIR\n");
- printf("\t\tUse POLICYDIR as the policy directory. This directory must contain\n");
+ printf
+ ("\t\tUse POLICYDIR as the policy directory. This directory must contain\n");
printf("\t\tthe policy schema file 'security_policy.xsd'\n");
exit(EXIT_FAILURE);
}
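Review bot: The usage text still tells the user that the POLICYNAME directory must contain `POLICYNAME-security_label_template.xml`, yet this patch drops `label_filename` and reads the label template from the policy document itself (`XML2BIN_LABELTEMPLATE` in `walk_labels`). Reword that `printf` so the documentation matches the single-file input, e.g. `printf("\tPOLICYNAME-security_policy.xml (which includes the label template)\n\n");`. The new forward declaration `void walk_labels(...)` would also benefit from a one-line comment naming it as the second pass driven by `create_mappings`.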
@@ -147,8 +155,7 @@ struct type_entry *lookup(struct tailhea
int add_entry(struct tailhead *head, char *name, type_t mapping)
{
struct type_entry *e;
- if (lookup(head, name))
- {
+ if (lookup(head, name)) {
printf("Error: Type >%s< defined more than once.\n", name);
return -EFAULT; /* already in the list */
}
@@ -204,16 +211,14 @@ int register_type(xmlNode * cur_node, xm
text = xmlNodeListGetString(doc, cur_node->xmlChildrenNode, 1);
- if (!text)
- {
+ if (!text) {
printf("Error reading type name!\n");
return -EFAULT;
}
switch (state) {
case XML2BIN_stetype_S:
- if (add_entry(&ste_head, (char *) text, max_ste_types))
- {
+ if (add_entry(&ste_head, (char *) text, max_ste_types)) {
xmlFree(text);
return -EFAULT;
}
@@ -221,8 +226,7 @@ int register_type(xmlNode * cur_node, xm
break;
case XML2BIN_chwalltype_S:
- if (add_entry(&chwall_head, (char *) text, max_chwall_types))
- {
+ if (add_entry(&chwall_head, (char *) text, max_chwall_types)) {
xmlFree(text);
return -EFAULT;
}
@@ -232,16 +236,15 @@ int register_type(xmlNode * cur_node, xm
case XML2BIN_conflictsettype_S:
/* a) search the type in the chwall_type list */
e = lookup(&chwall_head, (char *) text);
- if (e == NULL)
- {
+ if (e == NULL) {
printf("CS type >%s< not a CHWALL type.\n", text);
xmlFree(text);
return -EFAULT;
}
/* b) add type entry to the current cs set */
- if (current_conflictset_p->row[e->mapping])
- {
- printf("ERROR: Double entry of type >%s< in conflict set %d.\n",
+ if (current_conflictset_p->row[e->mapping]) {
+ printf
+ ("ERROR: Double entry of type >%s< in conflict set %d.\n",
text, current_conflictset_p->num);
xmlFree(text);
return -EFAULT;
@@ -262,16 +265,15 @@ void set_component_type(xmlNode * cur_no
{
xmlChar *order;
- if ((order = xmlGetProp(cur_node, (xmlChar *) PRIMARY_COMPONENT_ATTR_NAME))) {
- if (strcmp((char *) order, PRIMARY_COMPONENT))
- {
+ if ((order =
+ xmlGetProp(cur_node, (xmlChar *) PRIMARY_COMPONENT_ATTR_NAME))) {
+ if (strcmp((char *) order, PRIMARY_COMPONENT)) {
printf("ERROR: Illegal attribut value >order=%s<.\n",
(char *) order);
xmlFree(order);
exit(EXIT_FAILURE);
}
- if (primary != NULLPOLICY)
- {
+ if (primary != NULLPOLICY) {
printf("ERROR: Primary Policy Component set twice!\n");
exit(EXIT_FAILURE);
}
@@ -285,10 +287,8 @@ void walk_policy(xmlNode * start, xmlDoc
xmlNode *cur_node = NULL;
int code;
- for (cur_node = start; cur_node; cur_node = cur_node->next)
- {
- if ((code = totoken((char *) cur_node->name)) < 0)
- {
+ for (cur_node = start; cur_node; cur_node = cur_node->next) {
+ if ((code = totoken((char *) cur_node->name)) < 0) {
printf("Unknown token: >%s<. Aborting.\n", cur_node->name);
exit(EXIT_FAILURE);
}
@@ -297,13 +297,32 @@ void walk_policy(xmlNode * start, xmlDoc
case XML2BIN_STETYPES:
case XML2BIN_CHWALLTYPES:
case XML2BIN_CONFLICTSETS:
+ case XML2BIN_POLICYHEADER:
walk_policy(cur_node->children, doc, state | (1 << code));
break;
+ case XML2BIN_POLICYNAME: /* get policy reference name .... */
+ if (state != XML2BIN_PN_S) {
+ printf("ERROR: >Url< >%s< out of context.\n",
+ (char *) xmlNodeListGetString(doc,
+ cur_node->
+ xmlChildrenNode, 1));
+ exit(EXIT_FAILURE);
+ }
+ policy_reference_name = (char *)
+ xmlNodeListGetString(doc, cur_node->xmlChildrenNode, 1);
+ if (!policy_reference_name) {
+ printf("ERROR: empty >policy reference name (Url)<!\n");
+ exit(EXIT_FAILURE);
+ } else
+ printf("Policy Reference name (Url): %s\n",
+ policy_reference_name);
+ break;
+
case XML2BIN_STE:
- if (WRITTEN_AGAINST_ACM_STE_VERSION != ACM_STE_VERSION)
- {
- printf("ERROR: This program was written against another STE version.\n");
+ if (WRITTEN_AGAINST_ACM_STE_VERSION != ACM_STE_VERSION) {
+ printf
+ ("ERROR: This program was written against another STE version.\n");
exit(EXIT_FAILURE);
}
have_ste = 1;
@@ -312,9 +331,9 @@ void walk_policy(xmlNode * start, xmlDoc
break;
case XML2BIN_CHWALL:
- if (WRITTEN_AGAINST_ACM_CHWALL_VERSION != ACM_CHWALL_VERSION)
- {
- printf("ERROR: This program was written against another CHWALL version.\n");
+ if (WRITTEN_AGAINST_ACM_CHWALL_VERSION != ACM_CHWALL_VERSION) {
+ printf
+ ("ERROR: This program was written against another CHWALL version.\n");
exit(EXIT_FAILURE);
}
have_chwall = 1;
@@ -328,8 +347,7 @@ void walk_policy(xmlNode * start, xmlDoc
if (!current_conflictset_name)
current_conflictset_name = "";
- if (init_next_conflictset())
- {
+ if (init_next_conflictset()) {
printf
("ERROR: creating new conflictset structure failed.\n");
exit(EXIT_FAILURE);
@@ -343,14 +361,18 @@ void walk_policy(xmlNode * start, xmlDoc
/* type leaf */
break;
+ case XML2BIN_LABELTEMPLATE: /* handle in second pass */
case XML2BIN_TEXT:
case XML2BIN_COMMENT:
- case XML2BIN_POLICYHEADER:
+ case XML2BIN_DATE:
+ case XML2BIN_REFERENCE:
+ case XML2BIN_NSURL: /* for future use: where to find global label / type name mappings */
+ case XML2BIN_URL: /* for future use: where to find policy */
/* leaf - nothing to do */
break;
default:
- printf("Unkonwn token Error (%d)\n", code);
+ printf("Unkonwn token Error (%d) in Policy\n", code);
exit(EXIT_FAILURE);
}
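Review bot: The new `XML2BIN_POLICYNAME` case passes the result of `xmlNodeListGetString` straight to `printf("%s")` in its out-of-context error path, which is undefined behaviour when the element is empty, and that message says `>Url<` although the token being rejected is the policy name. A second `PolicyName` element also silently overwrites `policy_reference_name` and leaks the first string; reject it instead with `if (policy_reference_name) { printf("ERROR: policy reference name defined twice.\n"); exit(EXIT_FAILURE); }` before the assignment. Nothing in the visible walk checks that a name was seen at all, so `write_mapping` (later hunk) can be reached with a NULL `policy_reference_name`; a check after the first pass in `create_mappings` would give a clear diagnostic. `walk_policy` starts before this hunk.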
@@ -358,21 +380,21 @@ void walk_policy(xmlNode * start, xmlDoc
return;
}
-int create_type_mapping(xmlDocPtr doc)
+void init_type_mapping(void)
{
- xmlNode *root_element = xmlDocGetRootElement(doc);
- struct type_entry *te;
- struct ssid_entry *se;
- int i;
-
printf("Creating ssid mappings ...\n");
/* initialize the ste and chwall type lists */
TAILQ_INIT(&ste_head);
TAILQ_INIT(&chwall_head);
TAILQ_INIT(&conflictsets_head);
+}
- walk_policy(root_element, doc, XML2BIN_NULL);
+void post_type_mapping(void)
+{
+ struct type_entry *te;
+ struct ssid_entry *se;
+ int i;
/* determine primary/secondary policy component orders */
if ((primary == NULLPOLICY) && have_chwall)
@@ -400,19 +422,17 @@ int create_type_mapping(xmlDocPtr doc)
}
if (!DEBUG)
- return 0;
+ return;
/* print queues */
- if (have_ste)
- {
+ if (have_ste) {
printf("STE-Type queue (%s):\n",
(primary == STE) ? "PRIMARY" : "SECONDARY");
for (te = ste_head.tqh_first; te != NULL;
te = te->entries.tqe_next)
printf("name=%22s, map=%x\n", te->name, te->mapping);
}
- if (have_chwall)
- {
+ if (have_chwall) {
printf("CHWALL-Type queue (%s):\n",
(primary == CHWALL) ? "PRIMARY" : "SECONDARY");
for (te = chwall_head.tqh_first; te != NULL;
@@ -421,8 +441,7 @@ int create_type_mapping(xmlDocPtr doc)
printf("Conflictset queue (max=%d):\n", max_conflictsets);
for (se = conflictsets_head.tqh_first; se != NULL;
- se = se->entries.tqe_next)
- {
+ se = se->entries.tqe_next) {
printf("conflictset name >%s<\n",
se->name ? se->name : "NONAME");
for (i = 0; i < max_chwall_types; i++)
@@ -431,7 +450,6 @@ int create_type_mapping(xmlDocPtr doc)
printf("\n");
}
}
- return 0;
}
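Review bot: `init_type_mapping` and `post_type_mapping` are the two halves of the former `create_type_mapping`, but neither documents that `walk_policy` must run between them or that `post_type_mapping` reads `primary`, `have_ste` and `have_chwall` as the walk left them. Add a header comment on each, e.g. `/* type pass, part 1: reset the type queues; walk_policy() must run before post_type_mapping() */` and `/* type pass, part 2: settle primary/secondary order and, if DEBUG, print the queues filled by walk_policy() */`. The "Creating ssid mappings ..." message now prints from `init_type_mapping` before any type has been seen, while ssid/label creation reports itself from `init_label_mapping`; renaming it to "Creating type mappings ..." keeps the two messages distinct.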
@@ -554,8 +572,7 @@ int add_type(xmlNode * cur_node, xmlDocP
struct type_entry *e;
text = xmlNodeListGetString(doc, cur_node->xmlChildrenNode, 1);
- if (!text)
- {
+ if (!text) {
printf("Error reading type name!\n");
return -EFAULT;
}
@@ -564,8 +581,7 @@ int add_type(xmlNode * cur_node, xmlDocP
case XML2BIN_VM_STE_S:
case XML2BIN_RES_STE_S:
/* lookup the type mapping and include the type mapping into the array */
- if (!(e = lookup(&ste_head, (char *) text)))
- {
+ if (!(e = lookup(&ste_head, (char *) text))) {
printf("ERROR: unknown VM STE type >%s<.\n", text);
exit(EXIT_FAILURE);
}
@@ -577,8 +593,7 @@ int add_type(xmlNode * cur_node, xmlDocP
case XML2BIN_VM_CHWALL_S:
/* lookup the type mapping and include the type mapping into the array */
- if (!(e = lookup(&chwall_head, (char *) text)))
- {
+ if (!(e = lookup(&chwall_head, (char *) text))) {
printf("ERROR: unknown VM CHWALL type >%s<.\n", text);
exit(EXIT_FAILURE);
}
@@ -602,8 +617,9 @@ void set_bootstrap_label(xmlNode * cur_n
{
xmlChar *order;
- if ((order = xmlGetProp(cur_node, (xmlChar *) BOOTSTRAP_LABEL_ATTR_NAME)))
- bootstrap_label = (char *)order;
+ if ((order =
+ xmlGetProp(cur_node, (xmlChar *) BOOTSTRAP_LABEL_ATTR_NAME)))
+ bootstrap_label = (char *) order;
else {
printf("ERROR: No bootstrap label defined!\n");
exit(EXIT_FAILURE);
@@ -615,45 +631,40 @@ void walk_labels(xmlNode * start, xmlDoc
xmlNode *cur_node = NULL;
int code;
- for (cur_node = start; cur_node; cur_node = cur_node->next)
- {
- if ((code = totoken((char *) cur_node->name)) < 0)
- {
+ for (cur_node = start; cur_node; cur_node = cur_node->next) {
+ if ((code = totoken((char *) cur_node->name)) < 0) {
printf("Unkonwn token: >%s<. Aborting.\n", cur_node->name);
exit(EXIT_FAILURE);
}
switch (code) { /* adjust state to new state */
-
case XML2BIN_SUBJECTS:
set_bootstrap_label(cur_node);
/* fall through */
+ case XML2BIN_SECPOL:
+ case XML2BIN_LABELTEMPLATE:
case XML2BIN_VM:
case XML2BIN_RES:
- case XML2BIN_SECTEMPLATE:
case XML2BIN_OBJECTS:
walk_labels(cur_node->children, doc, state | (1 << code));
break;
case XML2BIN_STETYPES:
/* create new ssid entry to use and point current to it */
- if (init_next_ste_ssid(state))
- {
+ if (init_next_ste_ssid(state)) {
printf("ERROR: creating new ste ssid structure failed.\n");
exit(EXIT_FAILURE);
}
walk_labels(cur_node->children, doc, state | (1 << code));
-
break;
case XML2BIN_CHWALLTYPES:
/* create new ssid entry to use and point current to it */
- if (init_next_chwall_ssid(state))
- {
- printf("ERROR: creating new chwall ssid structure failed.\n");
+ if (init_next_chwall_ssid(state)) {
+ printf
+ ("ERROR: creating new chwall ssid structure failed.\n");
exit(EXIT_FAILURE);
}
walk_labels(cur_node->children, doc, state | (1 << code));
-
break;
case XML2BIN_TYPE:
@@ -663,115 +674,66 @@ void walk_labels(xmlNode * start, xmlDoc
break;
case XML2BIN_NAME:
- if ((state != XML2BIN_VM_S) && (state != XML2BIN_RES_S))
- {
- printf("ERROR: >name< out of VM/RES context.\n");
- exit(EXIT_FAILURE);
- }
- current_ssid_name = (char *)
- xmlNodeListGetString(doc, cur_node->xmlChildrenNode, 1);
-
- if (!current_ssid_name)
- {
- printf("ERROR: empty >name<!\n");
+ if ((state == XML2BIN_VM_S) || (state == XML2BIN_RES_S)) {
+ current_ssid_name = (char *)
+ xmlNodeListGetString(doc, cur_node->xmlChildrenNode,
+ 1);
+ if (!current_ssid_name) {
+ printf("ERROR: empty >vm/res name<!\n");
+ exit(EXIT_FAILURE);
+ }
+ } else {
+ printf
+ ("ERROR: >name< >%s< out of context (state = 0x%lx.\n",
+ (char *) xmlNodeListGetString(doc,
+ cur_node->
+ xmlChildrenNode, 1),
+ state);
exit(EXIT_FAILURE);
}
break;
case XML2BIN_TEXT:
case XML2BIN_COMMENT:
- case XML2BIN_LABELHEADER:
+ case XML2BIN_POLICYHEADER:
+ case XML2BIN_STE:
+ case XML2BIN_CHWALL:
break;
default:
- printf("Unkonwn token Error (%d)\n", code);
+ printf("Unkonwn token Error (%d) in Label Template\n", code);
exit(EXIT_FAILURE);
}
-
}
return;
}
-/* this function walks through a ssid queue
- * and transforms double entries into references
- * of the first definition (we need to keep the
- * entry to map labels but we don't want double
- * ssids in the binary policy
- */
-void
-remove_doubles(struct tailhead_ssid *head,
- u_int32_t max_types, u_int32_t * max_ssids)
-{
- struct ssid_entry *np, *ni;
-
- /* walk once through the list */
- for (np = head->tqh_first; np != NULL; np = np->entries.tqe_next)
- {
- /* now search from the start until np for the same entry */
- for (ni = head->tqh_first; ni != np; ni = ni->entries.tqe_next)
- {
- if (ni->is_ref)
- continue;
- if (memcmp(np->row, ni->row, max_types))
- continue;
- /* found one, set np reference to ni */
- np->is_ref = 1;
- np->num = ni->num;
- (*max_ssids)--;
- }
- }
-
- /* now minimize the ssid numbers used (doubles introduce holes) */
- (*max_ssids) = 0; /* reset */
-
- for (np = head->tqh_first; np != NULL; np = np->entries.tqe_next)
- {
- if (np->is_ref)
- continue;
-
- if (np->num != (*max_ssids)) {
- /* first reset all later references to the new max_ssid */
- for (ni = np->entries.tqe_next; ni != NULL; ni = ni->entries.tqe_next)
- {
- if (ni->num == np->num)
- ni->num = (*max_ssids);
- }
- /* now reset num */
- np->num = (*max_ssids)++;
- }
- else
- (*max_ssids)++;
- }
-}
-
/*
* will go away as soon as we have non-static bootstrap ssidref for dom0
*/
void fixup_bootstrap_label(struct tailhead_ssid *head,
- u_int32_t max_types, u_int32_t * max_ssids)
+ u_int32_t max_types, u_int32_t * max_ssids)
{
struct ssid_entry *np;
int i;
/* should not happen if xml / xsd checks work */
- if (!bootstrap_label)
- {
+ if (!bootstrap_label) {
printf("ERROR: No bootstrap label defined.\n");
exit(EXIT_FAILURE);
}
/* search bootstrap_label */
- for (np = head->tqh_first; np != NULL; np = np->entries.tqe_next)
- {
- if (!strcmp(np->name, bootstrap_label))
- {
+ for (np = head->tqh_first; np != NULL; np = np->entries.tqe_next) {
+ if (!strcmp(np->name, bootstrap_label)) {
break;
}
}
if (!np) {
/* bootstrap label not found */
- printf("ERROR: Bootstrap label >%s< not found.\n", bootstrap_label);
+ printf("ERROR: Bootstrap label >%s< not found.\n",
+ bootstrap_label);
exit(EXIT_FAILURE);
}
@@ -781,16 +743,14 @@ void fixup_bootstrap_label(struct tailhe
TAILQ_INSERT_AFTER(head, head->tqh_first, np, entries);
/* renumber the ssids (we could also just switch places with 1st element) */
- for (np = head->tqh_first, i=0; np != NULL; np = np->entries.tqe_next, i++)
- np->num = i;
+ for (np = head->tqh_first, i = 0; np != NULL;
+ np = np->entries.tqe_next, i++)
+ np->num = i;
}
-int create_ssid_mapping(xmlDocPtr doc)
+void init_label_mapping(void)
{
- xmlNode *root_element = xmlDocGetRootElement(doc);
- struct ssid_entry *np;
- int i;
printf("Creating label mappings ...\n");
/* initialize the ste and chwall type lists */
@@ -798,14 +758,16 @@ int create_ssid_mapping(xmlDocPtr doc)
TAILQ_INIT(&ste_ssid_head);
/* init with default ssids */
- if (init_ssid_queues())
- {
+ if (init_ssid_queues()) {
printf("ERROR adding default ssids.\n");
exit(EXIT_FAILURE);
}
+}
- /* now walk the template DOM tree and fill in ssids */
- walk_labels(root_element, doc, XML2BIN_NULL);
+void post_label_mapping(void)
+{
+ struct ssid_entry *np;
+ int i;
/*
* now sort bootstrap label to the head of the list
@@ -814,30 +776,20 @@ int create_ssid_mapping(xmlDocPtr doc)
*/
if (have_chwall)
fixup_bootstrap_label(&chwall_ssid_head, max_chwall_types,
- &max_chwall_ssids);
+ &max_chwall_ssids);
if (have_ste)
fixup_bootstrap_label(&ste_ssid_head, max_ste_types,
- &max_ste_ssids);
-
- /* remove any double entries (insert reference instead) */
- if (have_chwall)
- remove_doubles(&chwall_ssid_head, max_chwall_types,
- &max_chwall_ssids);
- if (have_ste)
- remove_doubles(&ste_ssid_head, max_ste_types,
- &max_ste_ssids);
+ &max_ste_ssids);
if (!DEBUG)
- return 0;
+ return;
/* print queues */
- if (have_chwall)
- {
+ if (have_chwall) {
printf("CHWALL SSID queue (max ssidrefs=%d):\n", max_chwall_ssids);
np = NULL;
for (np = chwall_ssid_head.tqh_first; np != NULL;
- np = np->entries.tqe_next)
- {
+ np = np->entries.tqe_next) {
printf("SSID #%02u (Label=%s)\n", np->num, np->name);
if (np->is_ref)
printf("REFERENCE");
@@ -848,13 +800,11 @@ int create_ssid_mapping(xmlDocPtr doc)
printf("\n\n");
}
}
- if (have_ste)
- {
+ if (have_ste) {
printf("STE SSID queue (max ssidrefs=%d):\n", max_ste_ssids);
np = NULL;
for (np = ste_ssid_head.tqh_first; np != NULL;
- np = np->entries.tqe_next)
- {
+ np = np->entries.tqe_next) {
printf("SSID #%02u (Label=%s)\n", np->num, np->name);
if (np->is_ref)
printf("REFERENCE");
@@ -865,7 +815,19 @@ int create_ssid_mapping(xmlDocPtr doc)
printf("\n\n");
}
}
- return 0;
+}
+
+void create_mappings(xmlDocPtr doc)
+{
+ xmlNode *doc_root_node = xmlDocGetRootElement(doc);
+
+ /* walk the XML policy tree and fill in types and labels */
+ init_type_mapping();
+ walk_policy(doc_root_node, doc, XML2BIN_NULL); /* first pass: types */
+ post_type_mapping();
+ init_label_mapping();
+ walk_labels(doc_root_node, doc, XML2BIN_NULL); /* second pass: labels */
+ post_label_mapping();
}
/***************** writing the binary policy *********************/
@@ -888,19 +850,16 @@ int write_mapping(char *filename)
if ((file = fopen(filename, "w")) == NULL)
return -EIO;
+ fprintf(file, "POLICYREFERENCENAME %s\n", policy_reference_name);
fprintf(file, "MAGIC %08x\n", ACM_MAGIC);
- fprintf(file, "POLICY %s\n",
- basename(policy_filename));
- fprintf(file, "BINARY %s\n",
- basename(binary_filename));
- if (have_chwall)
- {
+ fprintf(file, "POLICY FILE %s\n", policy_filename);
+ fprintf(file, "BINARY FILE %s\n", binary_filename);
+ if (have_chwall) {
fprintf(file, "MAX-CHWALL-TYPES %08x\n", max_chwall_types);
fprintf(file, "MAX-CHWALL-SSIDS %08x\n", max_chwall_ssids);
fprintf(file, "MAX-CHWALL-LABELS %08x\n", max_chwall_labels);
}
- if (have_ste)
- {
+ if (have_ste) {
fprintf(file, "MAX-STE-TYPES %08x\n", max_ste_types);
fprintf(file, "MAX-STE-SSIDS %08x\n", max_ste_ssids);
fprintf(file, "MAX-STE-LABELS %08x\n", max_ste_labels);
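Review bot: `policy_reference_name` is printed with `%s` before anything has verified it is non-NULL; the only NULL check is in write_policy_reference_binary, but main calls write_mapping first, so a policy without a reference name reaches an undefined `fprintf(..., NULL)` and leaves a half-written mapping file. Add `if (policy_reference_name == NULL) {` / `fclose(file); return -EIO;` / `}` directly after the fopen. The mapping file is a whitespace-separated line format, so a reference name or path containing spaces or newlines would also make these records ambiguous for whatever parses them later; if the schema does not already constrain the name, validating it here is cheap. write_mapping's body continues outside the hunk.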
@@ -939,11 +898,9 @@ int write_mapping(char *filename)
fprintf(file, "\n");
/* first labels to ssid mappings */
- if (have_chwall)
- {
+ if (have_chwall) {
for (e = chwall_ssid_head.tqh_first; e != NULL;
- e = e->entries.tqe_next)
- {
+ e = e->entries.tqe_next) {
fprintf(file, "LABEL->SSID %s CHWALL %-25s %8x\n",
(e->type ==
VM) ? "VM " : ((e->type == RES) ? "RES" : "ANY"),
@@ -951,11 +908,9 @@ int write_mapping(char *filename)
}
fprintf(file, "\n");
}
- if (have_ste)
- {
+ if (have_ste) {
for (e = ste_ssid_head.tqh_first; e != NULL;
- e = e->entries.tqe_next)
- {
+ e = e->entries.tqe_next) {
fprintf(file, "LABEL->SSID %s STE %-25s %8x\n",
(e->type ==
VM) ? "VM " : ((e->type == RES) ? "RES" : "ANY"),
@@ -965,11 +920,9 @@ int write_mapping(char *filename)
}
/* second ssid to type mappings */
- if (have_chwall)
- {
+ if (have_chwall) {
for (e = chwall_ssid_head.tqh_first; e != NULL;
- e = e->entries.tqe_next)
- {
+ e = e->entries.tqe_next) {
if (e->is_ref)
continue;
@@ -985,8 +938,7 @@ int write_mapping(char *filename)
}
if (have_ste) {
for (e = ste_ssid_head.tqh_first; e != NULL;
- e = e->entries.tqe_next)
- {
+ e = e->entries.tqe_next) {
if (e->is_ref)
continue;
@@ -1001,18 +953,15 @@ int write_mapping(char *filename)
fprintf(file, "\n");
}
/* third type mappings */
- if (have_chwall)
- {
- for (t = chwall_head.tqh_first; t != NULL; t = t->entries.tqe_next)
- {
+ if (have_chwall) {
+ for (t = chwall_head.tqh_first; t != NULL; t = t->entries.tqe_next) {
fprintf(file, "TYPE CHWALL %-25s %8x\n",
t->name, t->mapping);
}
fprintf(file, "\n");
}
if (have_ste) {
- for (t = ste_head.tqh_first; t != NULL; t = t->entries.tqe_next)
- {
+ for (t = ste_head.tqh_first; t != NULL; t = t->entries.tqe_next) {
fprintf(file, "TYPE STE %-25s %8x\n",
t->name, t->mapping);
}
@@ -1022,6 +971,38 @@ int write_mapping(char *filename)
return 0;
}
+
+unsigned char *write_policy_reference_binary(u_int32_t * len_pr)
+{
+ unsigned char *buf, *ptr;
+ struct acm_policy_reference_buffer *pr_header;
+ u_int32_t len;
+
+ if (policy_reference_name == NULL) {
+ printf("ERROR: No policy reference name found.\n");
+ exit(EXIT_FAILURE);
+ }
+ len = (sizeof(struct acm_policy_reference_buffer) +
+ strlen(policy_reference_name) + 1);
+ buf = malloc(len);
+ ptr = buf;
+
+ if (!buf) {
+ printf
+ ("ERROR: out of memory allocating label reference buffer.\n");
+ exit(EXIT_FAILURE);
+ }
+ pr_header = (struct acm_policy_reference_buffer *) buf;
+ pr_header->len =
+ htonl(strlen(policy_reference_name) + 1 /* strend \'0' */ );
+ ptr += sizeof(struct acm_policy_reference_buffer);
+ strcpy((char *) ptr, policy_reference_name);
+
+ (*len_pr) = len;
+ return buf;
+}
+
+
unsigned char *write_chwall_binary(u_int32_t * len_chwall)
{
unsigned char *buf, *ptr;
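Review bot: `strlen(policy_reference_name)` is evaluated twice and the comment `/* strend \'0' */` has the escape backwards. Computing the length once, `size_t name_len = strlen(policy_reference_name) + 1; /* includes the terminating '\0' */`, then `len = sizeof(struct acm_policy_reference_buffer) + name_len;` and `pr_header->len = htonl(name_len);`, ties the allocation and the header field to the same value and makes it explicit that `pr_header->len` counts only the string, not the header. The name length goes into the binary unbounded; whoever consumes this buffer presumably checks `len` against the enclosing policy buffer, which cannot be confirmed from here.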
@@ -1040,8 +1021,7 @@ unsigned char *write_chwall_binary(u_int
buf = malloc(len);
ptr = buf;
- if (!buf)
- {
+ if (!buf) {
printf("ERROR: out of memory allocating chwall buffer.\n");
exit(EXIT_FAILURE);
}
@@ -1058,14 +1038,13 @@ unsigned char *write_chwall_binary(u_int
chwall_header->chwall_conflict_sets_offset =
htonl(ntohl(chwall_header->chwall_ssid_offset) +
sizeof(domaintype_t) * max_chwall_ssids * max_chwall_types);
- chwall_header->chwall_running_types_offset = 0; /* not set, only retrieved */
- chwall_header->chwall_conflict_aggregate_offset = 0; /* not set, only retrieved */
+ chwall_header->chwall_running_types_offset = 0;
+ chwall_header->chwall_conflict_aggregate_offset = 0;
ptr += sizeof(struct acm_chwall_policy_buffer);
/* types */
for (e = chwall_ssid_head.tqh_first; e != NULL;
- e = e->entries.tqe_next)
- {
+ e = e->entries.tqe_next) {
if (e->is_ref)
continue;
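Review bot: The two rewritten lines drop the `/* not set, only retrieved */` comments on `chwall_running_types_offset` and `chwall_conflict_aggregate_offset` while keeping the zero assignments, so a reader loses the only explanation for why these two offsets are zero in a header whose other offsets are computed. Keep the note on the new lines, e.g. `chwall_header->chwall_running_types_offset = 0; /* not set here, only retrieved */` and the same on the aggregate line. write_chwall_binary starts and ends outside this hunk.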
@@ -1077,16 +1056,14 @@ unsigned char *write_chwall_binary(u_int
/* conflictsets */
for (e = conflictsets_head.tqh_first; e != NULL;
- e = e->entries.tqe_next)
- {
+ e = e->entries.tqe_next) {
for (i = 0; i < max_chwall_types; i++)
((type_t *) ptr)[i] = htons((type_t) e->row[i]);
ptr += sizeof(type_t) * max_chwall_types;
}
- if ((ptr - buf) != len)
- {
+ if ((ptr - buf) != len) {
printf("ERROR: wrong lengths in %s.\n", __func__);
exit(EXIT_FAILURE);
}
@@ -1112,8 +1089,7 @@ unsigned char *write_ste_binary(u_int32_
buf = malloc(len);
ptr = buf;
- if (!buf)
- {
+ if (!buf) {
printf("ERROR: out of memory allocating chwall buffer.\n");
exit(EXIT_FAILURE);
}
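Review bot: The out-of-memory message in write_ste_binary still says `chwall buffer`, so a failure here would be reported against the wrong policy component; the line should read `printf("ERROR: out of memory allocating ste buffer.\n");`. The function's body starts and ends outside this hunk.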
@@ -1130,8 +1106,7 @@ unsigned char *write_ste_binary(u_int32_
ptr += sizeof(struct acm_ste_policy_buffer);
/* types */
- for (e = ste_ssid_head.tqh_first; e != NULL; e = e->entries.tqe_next)
- {
+ for (e = ste_ssid_head.tqh_first; e != NULL; e = e->entries.tqe_next) {
if (e->is_ref)
continue;
@@ -1141,8 +1116,7 @@ unsigned char *write_ste_binary(u_int32_
ptr += sizeof(type_t) * max_ste_types;
}
- if ((ptr - buf) != len)
- {
+ if ((ptr - buf) != len) {
printf("ERROR: wrong lengths in %s.\n", __func__);
exit(EXIT_FAILURE);
}
@@ -1153,16 +1127,21 @@ unsigned char *write_ste_binary(u_int32_
int write_binary(char *filename)
{
struct acm_policy_buffer header;
- unsigned char *ste_buffer = NULL, *chwall_buffer = NULL;
+ unsigned char *ste_buffer = NULL, *chwall_buffer =
+ NULL, *policy_reference_buffer = NULL;
u_int32_t len;
- int fd;
+ int fd, ret = 0;
- u_int32_t len_ste = 0, len_chwall = 0; /* length of policy components */
+ u_int32_t len_ste = 0, len_chwall = 0, len_pr = 0; /* length of policy components */
/* open binary file */
- if ((fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR)) <= 0)
- return -EIO;
-
+ if ((fd =
+ open(filename, O_WRONLY | O_CREAT | O_TRUNC,
+ S_IRUSR | S_IWUSR)) <= 0) {
+ ret = -EIO;
+ goto out1;
+ }
+ policy_reference_buffer = write_policy_reference_binary(&len_pr);
ste_buffer = write_ste_binary(&len_ste);
chwall_buffer = write_chwall_binary(&len_chwall);
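Review bot: The open() failure path now jumps to `out1`, whose cleanup ends in `close(fd)`, so on failure the function closes a descriptor of -1, or 0 if descriptor 0 happened to be free, which the `<= 0` test wrongly treats as an error; the old direct return never did that. No buffers exist at that point, so test `< 0` and return directly: `S_IRUSR | S_IWUSR)) < 0)` / `return -EIO;`. The three writer calls that follow can each `exit(EXIT_FAILURE)` after the file has already been opened with O_TRUNC, leaving an empty policy binary on disk; moving `write_policy_reference_binary`, `write_ste_binary` and `write_chwall_binary` above the open() avoids that. write_binary's body continues in the next two hunks.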
@@ -1175,24 +1154,26 @@ int write_binary(char *filename)
len += len_chwall;
if (have_ste)
len += len_ste;
+ len += len_pr; /* policy reference is mandatory */
header.len = htonl(len);
- header.primary_buffer_offset = htonl(sizeof(struct acm_policy_buffer));
- if (primary == CHWALL)
- {
+ header.policy_reference_offset =
+ htonl(sizeof(struct acm_policy_buffer));
+
+ header.primary_buffer_offset =
+ htonl(sizeof(struct acm_policy_buffer) + len_pr);
+ if (primary == CHWALL) {
header.primary_policy_code = htonl(ACM_CHINESE_WALL_POLICY);
header.secondary_buffer_offset =
- htonl((sizeof(struct acm_policy_buffer)) + len_chwall);
- }
- else if (primary == STE)
- {
+ htonl((sizeof(struct acm_policy_buffer)) + len_pr +
+ len_chwall);
+ } else if (primary == STE) {
header.primary_policy_code =
htonl(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY);
header.secondary_buffer_offset =
- htonl((sizeof(struct acm_policy_buffer)) + len_ste);
- }
- else
- {
+ htonl((sizeof(struct acm_policy_buffer)) + len_pr +
+ len_ste);
+ } else {
/* null policy */
header.primary_policy_code = htonl(ACM_NULL_POLICY);
header.secondary_buffer_offset =
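Review bot: The null-policy branch's `header.secondary_buffer_offset` assignment runs past the end of this hunk, so it is not visible whether it was updated to add `len_pr` the way the CHWALL and STE branches were; if it still uses `sizeof(struct acm_policy_buffer)` alone it would point into the policy reference block rather than past it. A comment next to `policy_reference_offset`, e.g. `/* the policy reference follows the header directly; every component offset below is shifted by len_pr */`, would make the layout rule explicit for the next reader. `len` is accumulated from a value initialised outside the hunk, so the `+= len_pr` line is assumed to be the only place the reference length is added.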
@@ -1208,36 +1189,52 @@ int write_binary(char *filename)
header.secondary_policy_code = htonl(ACM_NULL_POLICY);
if (write(fd, (void *) &header, sizeof(struct acm_policy_buffer))
- != sizeof(struct acm_policy_buffer))
- return -EIO;
+ != sizeof(struct acm_policy_buffer)) {
+ ret = -EIO;
+ goto out1;
+ }
+ /* write label reference name */
+ if (write(fd, policy_reference_buffer, len_pr) != len_pr) {
+ ret = -EIO;
+ goto out1;
+ }
/* write primary policy component */
- if (primary == CHWALL)
- {
- if (write(fd, chwall_buffer, len_chwall) != len_chwall)
- return -EIO;
- }
- else if (primary == STE)
- {
- if (write(fd, ste_buffer, len_ste) != len_ste)
- return -EIO;
- } else
- ; /* NULL POLICY has no policy data */
+ if (primary == CHWALL) {
+ if (write(fd, chwall_buffer, len_chwall) != len_chwall) {
+ ret = -EIO;
+ goto out1;
+ }
+ } else if (primary == STE) {
+ if (write(fd, ste_buffer, len_ste) != len_ste) {
+ ret = -EIO;
+ goto out1;
+ }
+ } else; /* NULL POLICY has no policy data */
/* write secondary policy component */
- if (secondary == CHWALL)
- {
- if (write(fd, chwall_buffer, len_chwall) != len_chwall)
- return -EIO;
- }
- else if (secondary == STE)
- {
- if (write(fd, ste_buffer, len_ste) != len_ste)
- return -EIO;
+ if (secondary == CHWALL) {
+ if (write(fd, chwall_buffer, len_chwall) != len_chwall) {
+ ret = -EIO;
+ goto out1;
+ }
+ } else if (secondary == STE) {
+ if (write(fd, ste_buffer, len_ste) != len_ste) {
+ ret = -EIO;
+ goto out1;
+ }
} else; /* NULL POLICY has no policy data */
+ out1:
+ /* cleanup */
+ if (policy_reference_buffer)
+ free(policy_reference_buffer);
+ if (chwall_buffer)
+ free(chwall_buffer);
+ if (ste_buffer)
+ free(ste_buffer);
close(fd);
- return 0;
+ return ret;
}
int is_valid(xmlDocPtr doc)
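Review bot: On any write failure the function returns -EIO but leaves the truncated or partially written binary at `filename`, and the caller's error message does not remove it either; adding `if (ret) unlink(filename);` after `close(fd)` keeps a failed run from leaving a file that looks like a valid policy binary. The `if (x) free(x)` guards are redundant since free(NULL) is a no-op, and the `} else; /* NULL POLICY has no policy data */` empty statements read more clearly as a comment inside an empty block or omitted. write_binary's body starts two hunks earlier.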
@@ -1253,18 +1250,15 @@ int is_valid(xmlDocPtr doc)
#ifdef VALIDATE_SCHEMA
/* only tested to be available from libxml2-2.6.20 upwards */
- if ((err = xmlSchemaIsValid(schemavalid_ctxt)) != 1)
- {
+ if ((err = xmlSchemaIsValid(schemavalid_ctxt)) != 1) {
printf("ERROR: Invalid schema file %s (err=%d)\n",
schema_filename, err);
err = -EIO;
goto out;
- }
- else
+ } else
printf("XML Schema %s valid.\n", schema_filename);
#endif
- if ((err = xmlSchemaValidateDoc(schemavalid_ctxt, doc)))
- {
+ if ((err = xmlSchemaValidateDoc(schemavalid_ctxt, doc))) {
err = -EIO;
goto out;
}
@@ -1277,10 +1271,9 @@ int is_valid(xmlDocPtr doc)
int main(int argc, char **argv)
{
- xmlDocPtr labeldoc = NULL;
xmlDocPtr policydoc = NULL;
- int err = EXIT_SUCCESS;
+ int err = EXIT_FAILURE;
char *file_prefix;
int prefix_len;
@@ -1288,16 +1281,18 @@ int main(int argc, char **argv)
int opt_char;
char *policy_dir = POLICY_DIR;
- if (ACM_POLICY_VERSION != WRITTEN_AGAINST_ACM_POLICY_VERSION)
- {
- printf("ERROR: This program was written against an older ACM version.\n");
+ if (ACM_POLICY_VERSION != WRITTEN_AGAINST_ACM_POLICY_VERSION) {
+ printf
+ ("ERROR: This program was written against an older ACM version.\n");
+ printf("ERROR: ACM_POLICY_VERSION=%d, WRITTEN AGAINST= %d.\n",
+ ACM_POLICY_VERSION, WRITTEN_AGAINST_ACM_POLICY_VERSION);
exit(EXIT_FAILURE);
}
while ((opt_char = getopt(argc, argv, "d:")) != -1) {
switch (opt_char) {
case 'd':
- policy_dir = malloc(strlen(optarg) + 2); // null terminator and possibly "/"
+ policy_dir = malloc(strlen(optarg) + 2); /* null terminator and possibly "/" */
if (!policy_dir) {
printf("ERROR allocating directory name memory.\n");
exit(EXIT_FAILURE);
@@ -1315,20 +1310,21 @@ int main(int argc, char **argv)
if ((argc - optind) != 1)
usage(basename(argv[0]));
- prefix_len = strlen(policy_dir) +
- strlen(argv[optind]) + 1 /* "/" */ +
- strlen(argv[optind]) + 1 /* null terminator */ ;
+ printf("arg=%s\n", argv[optind]);
+
+ prefix_len =
+ strlen(policy_dir) + strlen(argv[optind]) +
+ 1 /* null terminator */ ;
file_prefix = malloc(prefix_len);
policy_filename = malloc(prefix_len + strlen(POLICY_EXTENSION));
- label_filename = malloc(prefix_len + strlen(LABEL_EXTENSION));
binary_filename = malloc(prefix_len + strlen(BINARY_EXTENSION));
mapping_filename = malloc(prefix_len + strlen(MAPPING_EXTENSION));
- schema_filename = malloc(strlen(policy_dir) + strlen(SCHEMA_FILENAME) + 1);
+ schema_filename =
+ malloc(strlen(policy_dir) + strlen(SCHEMA_FILENAME) + 1);
- if (!file_prefix || !policy_filename || !label_filename ||
- !binary_filename || !mapping_filename || !schema_filename)
- {
+ if (!file_prefix || !policy_filename ||
+ !binary_filename || !mapping_filename || !schema_filename) {
printf("ERROR allocating file name memory.\n");
goto out2;
}
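Review bot: `printf("arg=%s\n", argv[optind]);` looks like a leftover debug trace in the new code and prints on every run; drop it or put it under `if (DEBUG)`. The command-line policy name is concatenated unchecked into paths under `policy_dir` and becomes the stem of the `.bin` and `.map` outputs, so a name containing `/` would read and write outside the policies directory; if a bare name is intended, reject `strchr(argv[optind], '/')` before building the prefix. main starts and ends outside this hunk.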
@@ -1336,85 +1332,56 @@ int main(int argc, char **argv)
/* create input/output filenames out of prefix */
strcpy(file_prefix, policy_dir);
strcat(file_prefix, argv[optind]);
- strcat(file_prefix, "/");
- strcat(file_prefix, argv[optind]);
strcpy(policy_filename, file_prefix);
- strcpy(label_filename, file_prefix);
strcpy(binary_filename, file_prefix);
strcpy(mapping_filename, file_prefix);
strcat(policy_filename, POLICY_EXTENSION);
- strcat(label_filename, LABEL_EXTENSION);
strcat(binary_filename, BINARY_EXTENSION);
strcat(mapping_filename, MAPPING_EXTENSION);
strcpy(schema_filename, policy_dir);
strcat(schema_filename, SCHEMA_FILENAME);
- labeldoc = xmlParseFile(label_filename);
-
- if (labeldoc == NULL)
- {
- printf("Error: could not parse file %s.\n", argv[optind]);
- goto out2;
- }
-
- printf("Validating label file %s...\n", label_filename);
- if (!is_valid(labeldoc))
- {
- printf("ERROR: Failed schema-validation for file %s (err=%d)\n",
- label_filename, err);
- goto out1;
- }
-
policydoc = xmlParseFile(policy_filename);
- if (policydoc == NULL)
- {
+ if (policydoc == NULL) {
printf("Error: could not parse file %s.\n", argv[optind]);
- goto out1;
+ goto out;
}
printf("Validating policy file %s...\n", policy_filename);
- if (!is_valid(policydoc))
- {
+ if (!is_valid(policydoc)) {
printf("ERROR: Failed schema-validation for file %s (err=%d)\n",
policy_filename, err);
goto out;
}
- /* Init queues and parse policy */
- create_type_mapping(policydoc);
-
- /* create ssids */
- create_ssid_mapping(labeldoc);
+ /* create mappings */
+ create_mappings(policydoc);
/* write label mapping file */
- if (write_mapping(mapping_filename))
- {
+ if (write_mapping(mapping_filename)) {
printf("ERROR: writing mapping file %s.\n", mapping_filename);
goto out;
}
/* write binary file */
- if (write_binary(binary_filename))
- {
+ if (write_binary(binary_filename)) {
printf("ERROR: writing binary file %s.\n", binary_filename);
goto out;
}
-
+ err = EXIT_SUCCESS;
/* write stats */
- if (have_chwall)
- {
+ if (have_chwall) {
printf("Max chwall labels: %u\n", max_chwall_labels);
printf("Max chwall-types: %u\n", max_chwall_types);
printf("Max chwall-ssids: %u\n", max_chwall_ssids);
}
- if (have_ste)
- {
+ if (have_ste) {
printf("Max ste labels: %u\n", max_ste_labels);
printf("Max ste-types: %u\n", max_ste_types);
printf("Max ste-ssids: %u\n", max_ste_ssids);
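Review bot: The schema-validation failure message prints `err`, which at that point still holds the initial `EXIT_FAILURE` and nothing returned by is_valid, so the `(err=%d)` suffix is misleading; `printf("ERROR: Failed schema-validation for file %s\n", policy_filename);` says what is actually known. The `Error: could not parse file` message names `argv[optind]` rather than `policy_filename`, which is the file that was opened. The mapping file is written before the binary, so a write_binary failure leaves a fresh `.map` beside a stale or empty `.bin`; writing the binary first, or removing the mapping when write_binary fails, keeps the pair consistent. main starts outside this hunk.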
@@ -1422,10 +1389,17 @@ int main(int argc, char **argv)
/* cleanup */
out:
xmlFreeDoc(policydoc);
- out1:
- xmlFreeDoc(labeldoc);
out2:
xmlCleanupParser();
return err;
}
+/*
+ * Local variables:
+ * mode: C
+ * c-set-style: "BSD"
+ * c-basic-offset: 4
+ * tab-width: 4
+ * indent-tabs-mode: nil
+ * End:
+ */
Index: xen-unstable.hg-shype/tools/security/secpol_xml2bin.h
===================================================================
--- xen-unstable.hg-shype.orig/tools/security/secpol_xml2bin.h
+++ xen-unstable.hg-shype/tools/security/secpol_xml2bin.h
@@ -12,37 +12,41 @@
* License.
*
*/
-#define POLICY_DIR "/etc/xen/acm-security/policies/"
-#define POLICY_EXTENSION "-security_policy.xml"
-#define LABEL_EXTENSION "-security_label_template.xml"
-#define BINARY_EXTENSION ".bin"
-#define MAPPING_EXTENSION ".map"
-#define PRIMARY_COMPONENT_ATTR_NAME "order"
-#define BOOTSTRAP_LABEL_ATTR_NAME "bootstrap"
-#define PRIMARY_COMPONENT "PrimaryPolicyComponent"
-#define SCHEMA_FILENAME "security_policy.xsd"
+#define POLICY_DIR "/etc/xen/acm-security/policies/"
+#define POLICY_EXTENSION "-security_policy.xml"
+#define BINARY_EXTENSION ".bin"
+#define MAPPING_EXTENSION ".map"
+#define PRIMARY_COMPONENT_ATTR_NAME "order"
+#define BOOTSTRAP_LABEL_ATTR_NAME "bootstrap"
+#define PRIMARY_COMPONENT "PrimaryPolicyComponent"
+#define SCHEMA_FILENAME "security_policy.xsd"
/* basic states (used as 1 << X) */
-#define XML2BIN_SECPOL 0 /* policy tokens */
-#define XML2BIN_STE 1
+#define ENDOFLIST_POS 22 /* ADAPT!! this position will be NULL; stay below 32 (bit) */
+#define XML2BIN_SECPOL 0 /* policy tokens */
+#define XML2BIN_STE 1
#define XML2BIN_CHWALL 2
-#define XML2BIN_CONFLICTSETS 3
-#define XML2BIN_CSTYPE 4
-
-#define XML2BIN_SECTEMPLATE 5 /* label tokens */
-#define XML2BIN_POLICYHEADER 6
-#define XML2BIN_LABELHEADER 7
-#define XML2BIN_SUBJECTS 8
-#define XML2BIN_OBJECTS 9
-#define XML2BIN_VM 10
-#define XML2BIN_RES 11
-
-#define XML2BIN_STETYPES 12 /* shared tokens */
-#define XML2BIN_CHWALLTYPES 13
-#define XML2BIN_TYPE 14
-#define XML2BIN_NAME 15
-#define XML2BIN_TEXT 16
-#define XML2BIN_COMMENT 17
+#define XML2BIN_CONFLICTSETS 3
+#define XML2BIN_CSTYPE 4
+#define XML2BIN_POLICYHEADER 5
+#define XML2BIN_NSURL 6
+#define XML2BIN_POLICYNAME 7
+#define XML2BIN_URL 8
+#define XML2BIN_REFERENCE 9
+#define XML2BIN_DATE 10
+
+#define XML2BIN_LABELTEMPLATE 11 /* label tokens */
+#define XML2BIN_SUBJECTS 12
+#define XML2BIN_OBJECTS 13
+#define XML2BIN_VM 14
+#define XML2BIN_RES 15
+#define XML2BIN_NAME 16
+
+#define XML2BIN_STETYPES 17 /* shared tokens */
+#define XML2BIN_CHWALLTYPES 18
+#define XML2BIN_TYPE 19
+#define XML2BIN_TEXT 20
+#define XML2BIN_COMMENT 21
/* type "data type" (currently 16bit) */
typedef u_int16_t type_t;
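Review bot: `ENDOFLIST_POS` has to be kept in step with the highest XML2BIN_* value by hand (`ADAPT!!`), and since every position becomes a bit in a 32-bit state word nothing stops a future entry from reaching 32 silently. A preprocessor guard next to the define, `#if ENDOFLIST_POS >= 32` / `#error "XML2BIN token positions must stay below 32"` / `#endif`, catches that; the sentinel in the token array in the next hunk is already tied to the same constant. Every value after XML2BIN_CSTYPE changed, so any code elsewhere that uses numeric positions instead of the macros would break silently, which cannot be checked from here.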
@@ -51,27 +55,34 @@ typedef u_int16_t type_t;
* state constants and token positions must be *
* in sync for correct state recognition */
-char *token[20] = /* parser triggers */
+char *token[32] = /* parser triggers */
{
- [0] = "SecurityPolicyDefinition", /* policy xml */
- [1] = "SimpleTypeEnforcement",
- [2] = "ChineseWall",
- [3] = "ConflictSets",
- [4] = "Conflict", /* label-template xml */
- [5] = "SecurityLabelTemplate",
- [6] = "PolicyHeader",
- [7] = "LabelHeader",
- [8] = "SubjectLabels",
- [9] = "ObjectLabels",
- [10] = "VirtualMachineLabel",
- [11] = "ResourceLabel",
- [12] = "SimpleTypeEnforcementTypes", /* common tags */
- [13] = "ChineseWallTypes",
- [14] = "Type",
- [15] = "Name",
- [16] = "text",
- [17] = "comment",
- [18] = NULL,
+ [XML2BIN_SECPOL] = "SecurityPolicyDefinition", /* policy xml */
+ [XML2BIN_STE] = "SimpleTypeEnforcement",
+ [XML2BIN_CHWALL] = "ChineseWall",
+ [XML2BIN_CONFLICTSETS] = "ConflictSets",
+ [XML2BIN_CSTYPE] = "Conflict",
+ [XML2BIN_POLICYHEADER] = "PolicyHeader",
+ [XML2BIN_NSURL] = "NameSpaceUrl",
+ [XML2BIN_POLICYNAME] = "PolicyName",
+ [XML2BIN_URL] = "PolicyUrl",
+ [XML2BIN_REFERENCE] = "Reference",
+ [XML2BIN_DATE] = "Date",
+
+ [XML2BIN_LABELTEMPLATE] = "SecurityLabelTemplate", /* label-template xml */
+ [XML2BIN_SUBJECTS] = "SubjectLabels",
+ [XML2BIN_OBJECTS] = "ObjectLabels",
+ [XML2BIN_VM] = "VirtualMachineLabel",
+ [XML2BIN_RES] = "ResourceLabel",
+ [XML2BIN_NAME] = "Name",
+
+ [XML2BIN_STETYPES] = "SimpleTypeEnforcementTypes", /* common tags */
+ [XML2BIN_CHWALLTYPES] = "ChineseWallTypes",
+ [XML2BIN_TYPE] = "Type",
+ [XML2BIN_TEXT] = "text",
+ [XML2BIN_COMMENT] = "comment",
+ [ENDOFLIST_POS] = NULL /* End of LIST, adapt ENDOFLIST_POS
+ when adding entries */
};
/* important combined states */
@@ -82,47 +93,53 @@ char *token[20] =
/* e.g., here we are in a <secpol,ste,stetypes> environment, *
* so when finding a type element, we know where to put it */
#define XML2BIN_stetype_S ((1 << XML2BIN_SECPOL) | \
- (1 << XML2BIN_STE) | \
- (1 << XML2BIN_STETYPES))
+ (1 << XML2BIN_STE) | \
+ (1 << XML2BIN_STETYPES))
#define XML2BIN_chwalltype_S ((1 << XML2BIN_SECPOL) | \
- (1 << XML2BIN_CHWALL) | \
- (1 << XML2BIN_CHWALLTYPES))
+ (1 << XML2BIN_CHWALL) | \
+ (1 << XML2BIN_CHWALLTYPES))
#define XML2BIN_conflictset_S ((1 << XML2BIN_SECPOL) | \
- (1 << XML2BIN_CHWALL) | \
- (1 << XML2BIN_CONFLICTSETS))
+ (1 << XML2BIN_CHWALL) | \
+ (1 << XML2BIN_CONFLICTSETS))
#define XML2BIN_conflictsettype_S ((1 << XML2BIN_SECPOL) | \
- (1 << XML2BIN_CHWALL) | \
- (1 << XML2BIN_CONFLICTSETS) | \
- (1 << XML2BIN_CSTYPE))
+ (1 << XML2BIN_CHWALL) | \
+ (1 << XML2BIN_CONFLICTSETS) | \
+ (1 << XML2BIN_CSTYPE))
+#define XML2BIN_PN_S ((1 << XML2BIN_SECPOL) | \
+ (1 << XML2BIN_POLICYHEADER))
/* label xml states */
-#define XML2BIN_VM_S ((1 << XML2BIN_SECTEMPLATE) | \
- (1 << XML2BIN_SUBJECTS) | \
- (1 << XML2BIN_VM))
-
-#define XML2BIN_RES_S ((1 << XML2BIN_SECTEMPLATE) | \
- (1 << XML2BIN_OBJECTS) | \
- (1 << XML2BIN_RES))
-
-#define XML2BIN_VM_STE_S ((1 << XML2BIN_SECTEMPLATE) | \
- (1 << XML2BIN_SUBJECTS) | \
- (1 << XML2BIN_VM) | \
- (1 << XML2BIN_STETYPES))
-
-#define XML2BIN_VM_CHWALL_S ((1 << XML2BIN_SECTEMPLATE) | \
- (1 << XML2BIN_SUBJECTS) | \
- (1 << XML2BIN_VM) | \
- (1 << XML2BIN_CHWALLTYPES))
-
-#define XML2BIN_RES_STE_S ((1 << XML2BIN_SECTEMPLATE) | \
- (1 << XML2BIN_OBJECTS) | \
- (1 << XML2BIN_RES) | \
- (1 << XML2BIN_STETYPES))
-
+#define XML2BIN_VM_S ((1 << XML2BIN_SECPOL) | \
+ (1 << XML2BIN_LABELTEMPLATE) | \
+ (1 << XML2BIN_SUBJECTS) | \
+ (1 << XML2BIN_VM))
+
+#define XML2BIN_RES_S ((1 << XML2BIN_SECPOL) | \
+ (1 << XML2BIN_LABELTEMPLATE) | \
+ (1 << XML2BIN_OBJECTS) | \
+ (1 << XML2BIN_RES))
+
+#define XML2BIN_VM_STE_S ((1 << XML2BIN_SECPOL) | \
+ (1 << XML2BIN_LABELTEMPLATE) | \
+ (1 << XML2BIN_SUBJECTS) | \
+ (1 << XML2BIN_VM) | \
+ (1 << XML2BIN_STETYPES))
+
+#define XML2BIN_VM_CHWALL_S ((1 << XML2BIN_SECPOL) | \
+ (1 << XML2BIN_LABELTEMPLATE) | \
+ (1 << XML2BIN_SUBJECTS) | \
+ (1 << XML2BIN_VM) | \
+ (1 << XML2BIN_CHWALLTYPES))
+
+#define XML2BIN_RES_STE_S ((1 << XML2BIN_SECPOL) | \
+ (1 << XML2BIN_LABELTEMPLATE) | \
+ (1 << XML2BIN_OBJECTS) | \
+ (1 << XML2BIN_RES) | \
+ (1 << XML2BIN_STETYPES))
/* check versions of headers against which the
@@ -130,7 +147,7 @@ char *token[20] =
*/
/* protects from unnoticed changes in struct acm_policy_buffer */
-#define WRITTEN_AGAINST_ACM_POLICY_VERSION 1
+#define WRITTEN_AGAINST_ACM_POLICY_VERSION 2
/* protects from unnoticed changes in struct acm_chwall_policy_buffer */
#define WRITTEN_AGAINST_ACM_CHWALL_VERSION 1