* [PATCH 1/3] merge libflask into libxenctrl
2010-06-22 9:26 [PATCH 0/3] libflask merging in libxenctrl Vincent Hanquez
@ 2010-06-22 9:26 ` Vincent Hanquez
2010-06-22 9:26 ` [PATCH 2/3] remove some duplicated code by having helper add/del functions Vincent Hanquez
` (2 subsequent siblings)
3 siblings, 0 replies; 6+ messages in thread
From: Vincent Hanquez @ 2010-06-22 9:26 UTC (permalink / raw)
To: Xen Devel; +Cc: Vincent Hanquez
[-- Attachment #1: Type: text/plain, Size: 243 bytes --]
Signed-off-by: Vincent Hanquez <vincent.hanquez@eu.citrix.com>
---
tools/libxc/xc_flask.c | 496 ++++++++++++++++++++++++++++++++++++++++++++++++
tools/libxc/xenctrl.h | 26 +++
2 files changed, 522 insertions(+), 0 deletions(-)
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-merge-libflask-into-libxenctrl.patch --]
[-- Type: text/x-patch; name="0001-merge-libflask-into-libxenctrl.patch", Size: 14026 bytes --]
diff --git a/tools/libxc/xc_flask.c b/tools/libxc/xc_flask.c
index 6982445..3b733e5 100644
--- a/tools/libxc/xc_flask.c
+++ b/tools/libxc/xc_flask.c
@@ -8,6 +8,24 @@
*/
#include "xc_private.h"
+#include <unistd.h>
+#include <stdio.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <sys/ioctl.h>
+#include <stdint.h>
+
+#define OCON_PIRQ_STR "pirq"
+#define OCON_IOPORT_STR "ioport"
+#define OCON_IOMEM_STR "iomem"
+#define OCON_DEVICE_STR "pcidevice"
+#define INITCONTEXTLEN 256
int xc_flask_op(xc_interface *xch, flask_op_t *op)
{
@@ -35,6 +53,484 @@ int xc_flask_op(xc_interface *xch, flask_op_t *op)
return ret;
}
+int xc_flask_load(xc_interface *xc_handle, char *buf, uint32_t size)
+{
+ int err;
+ flask_op_t op;
+
+ op.cmd = FLASK_LOAD;
+ op.buf = buf;
+ op.size = size;
+
+ if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+ return err;
+
+ return 0;
+}
+
+int xc_flask_context_to_sid(xc_interface *xc_handle, char *buf, uint32_t size, uint32_t *sid)
+{
+ int err;
+ flask_op_t op;
+
+ op.cmd = FLASK_CONTEXT_TO_SID;
+ op.buf = buf;
+ op.size = size;
+
+ if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+ return err;
+
+ sscanf(buf, "%u", sid);
+
+ return 0;
+}
+
+int xc_flask_sid_to_context(xc_interface *xc_handle, int sid, char *buf, uint32_t size)
+{
+ int err;
+ flask_op_t op;
+
+ op.cmd = FLASK_SID_TO_CONTEXT;
+ op.buf = buf;
+ op.size = size;
+
+ snprintf(buf, size, "%u", sid);
+
+ if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+ return err;
+
+ return 0;
+}
+
+int xc_flask_getenforce(xc_interface *xc_handle)
+{
+ int err;
+ flask_op_t op;
+ char buf[20];
+ int size = 20;
+ int mode;
+
+ op.cmd = FLASK_GETENFORCE;
+ op.buf = buf;
+ op.size = size;
+
+ if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+ return err;
+
+ sscanf(buf, "%i", &mode);
+
+ return mode;
+}
+
+int xc_flask_setenforce(xc_interface *xc_handle, int mode)
+{
+ int err;
+ flask_op_t op;
+ char buf[20];
+ int size = 20;
+
+ op.cmd = FLASK_SETENFORCE;
+ op.buf = buf;
+ op.size = size;
+
+ snprintf(buf, size, "%i", mode);
+
+ if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+ return err;
+
+ return 0;
+}
+
+int xc_flask_add_pirq(xc_interface *xc_handle, unsigned int pirq, char *scontext)
+{
+ int err;
+ flask_op_t op;
+ char *buf;
+ char *pirq_s = OCON_PIRQ_STR;
+ int size = INITCONTEXTLEN + strlen(pirq_s) + (sizeof(unsigned int)) +
+ (sizeof(char) * 3);
+
+ if ( (buf = (char *) malloc(size)) == NULL )
+ return -ENOMEM;
+ memset(buf, 0, size);
+
+ op.cmd = FLASK_ADD_OCONTEXT;
+ snprintf(buf, size, "%s %255s %u", pirq_s, scontext, pirq);
+ op.buf = buf;
+ op.size = size;
+
+ if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+ {
+ free(buf);
+ return err;
+ }
+
+ free(buf);
+ return 0;
+
+}
+
+int xc_flask_add_ioport(xc_interface *xc_handle, unsigned long low, unsigned long high,
+ char *scontext)
+{
+ int err;
+ flask_op_t op;
+ char *buf;
+ char *ioport = OCON_IOPORT_STR;
+ int size = INITCONTEXTLEN + strlen(ioport) +
+ (sizeof(unsigned long) * 2) + (sizeof(char) * 4);
+
+ if ( (buf = (char *) malloc(size)) == NULL )
+ return -ENOMEM;
+ memset(buf, 0, size);
+
+ op.cmd = FLASK_ADD_OCONTEXT;
+ snprintf(buf, size, "%s %255s %lu %lu", ioport, scontext, low, high);
+ op.buf = buf;
+ op.size = size;
+
+ if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+ {
+ free(buf);
+ return err;
+ }
+
+ free(buf);
+ return 0;
+
+}
+
+int xc_flask_add_iomem(xc_interface *xc_handle, unsigned long low, unsigned long high,
+ char *scontext)
+{
+ int err;
+ flask_op_t op;
+ char *buf;
+ char *iomem = OCON_IOMEM_STR;
+ int size = INITCONTEXTLEN + strlen(iomem) +
+ (sizeof(unsigned long) * 2) + (sizeof(char) * 4);
+
+ if ( (buf = (char *) malloc(size)) == NULL )
+ return -ENOMEM;
+ memset(buf, 0, size);
+
+ op.cmd = FLASK_ADD_OCONTEXT;
+ snprintf(buf, size, "%s %255s %lu %lu", iomem, scontext, low, high);
+ op.buf = buf;
+ op.size = size;
+
+ if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+ {
+ free(buf);
+ return err;
+ }
+
+ free(buf);
+ return 0;
+
+}
+
+int xc_flask_add_device(xc_interface *xc_handle, unsigned long device, char *scontext)
+{
+ int err;
+ flask_op_t op;
+ char *buf;
+ char *dev = OCON_DEVICE_STR;
+ int size = INITCONTEXTLEN + strlen(dev) + (sizeof(unsigned long)) +
+ (sizeof(char) * 3);
+
+ if ( (buf = (char *) malloc(size)) == NULL )
+ return -ENOMEM;
+ memset(buf, 0, size);
+
+ op.cmd = FLASK_ADD_OCONTEXT;
+ snprintf(buf, size, "%s %255s %lu", dev, scontext, device);
+ op.buf = buf;
+ op.size = size;
+
+ if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+ {
+ free(buf);
+ return err;
+ }
+
+ free(buf);
+ return 0;
+
+}
+
+int xc_flask_del_pirq(xc_interface *xc_handle, unsigned int pirq)
+{
+ int err;
+ flask_op_t op;
+ char *buf;
+ char *pirq_s = OCON_PIRQ_STR;
+ int size = strlen(pirq_s) + (sizeof(unsigned int)) +
+ (sizeof(char) * 2);
+
+ if ( (buf = (char *) malloc(size)) == NULL )
+ return -ENOMEM;
+ memset(buf, 0, size);
+
+ op.cmd = FLASK_DEL_OCONTEXT;
+ snprintf(buf, size, "%s %u", pirq_s, pirq);
+ op.buf = buf;
+ op.size = size;
+
+ if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+ {
+ free(buf);
+ return err;
+ }
+
+ free(buf);
+ return 0;
+
+}
+
+int xc_flask_del_ioport(xc_interface *xc_handle, unsigned long low, unsigned long high)
+{
+ int err;
+ flask_op_t op;
+ char *buf;
+ char *ioport = OCON_IOPORT_STR;
+ int size = strlen(ioport) + (sizeof(unsigned long) * 2) +
+ (sizeof(char) * 3);
+
+ if ( (buf = (char *) malloc(size)) == NULL )
+ return -ENOMEM;
+ memset(buf, 0, size);
+
+ op.cmd = FLASK_DEL_OCONTEXT;
+ snprintf(buf, size, "%s %lu %lu", ioport, low, high);
+ op.buf = buf;
+ op.size = size;
+
+ if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+ {
+ free(buf);
+ return err;
+ }
+
+ free(buf);
+ return 0;
+
+}
+
+int xc_flask_del_iomem(xc_interface *xc_handle, unsigned long low, unsigned long high)
+{
+ int err;
+ flask_op_t op;
+ char *buf;
+ char *iomem = OCON_IOMEM_STR;
+ int size = strlen(iomem) + (sizeof(unsigned long) * 2) +
+ (sizeof(char) * 3);
+
+ if ( (buf = (char *) malloc(size)) == NULL )
+ return -ENOMEM;
+ memset(buf, 0, size);
+
+ op.cmd = FLASK_DEL_OCONTEXT;
+ snprintf(buf, size, "%s %lu %lu", iomem, low, high);
+ op.buf = buf;
+ op.size = size;
+
+ if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+ {
+ free(buf);
+ return err;
+ }
+
+ free(buf);
+ return 0;
+
+}
+
+int xc_flask_del_device(xc_interface *xc_handle, unsigned long device)
+{
+ int err;
+ flask_op_t op;
+ char *buf;
+ char *dev = OCON_DEVICE_STR;
+ int size = strlen(dev) + (sizeof(unsigned long)) + (sizeof(char) * 2);
+
+ if ( (buf = (char *) malloc(size)) == NULL )
+ return -ENOMEM;
+ memset(buf, 0, size);
+
+ op.cmd = FLASK_DEL_OCONTEXT;
+ snprintf(buf, size, "%s %lu", dev, device);
+ op.buf = buf;
+ op.size = size;
+
+ if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+ {
+ free(buf);
+ return err;
+ }
+
+ free(buf);
+ return 0;
+
+}
+
+int xc_flask_access(xc_interface *xc_handle, const char *scon, const char *tcon,
+ uint16_t tclass, uint32_t req,
+ uint32_t *allowed, uint32_t *decided,
+ uint32_t *auditallow, uint32_t *auditdeny,
+ uint32_t *seqno)
+{
+/* maximum number of digits in a 16-bit decimal number: */
+#define MAX_SHORT_DEC_LEN 5
+
+ char *buf;
+ int bufLen;
+ int err;
+ flask_op_t op;
+ uint32_t dummy_allowed;
+ uint32_t dummy_decided;
+ uint32_t dummy_auditallow;
+ uint32_t dummy_auditdeny;
+ uint32_t dummy_seqno;
+
+ if (!allowed)
+ allowed = &dummy_allowed;
+ if (!decided)
+ decided = &dummy_decided;
+ if (!auditallow)
+ auditallow = &dummy_auditallow;
+ if (!auditdeny)
+ auditdeny = &dummy_auditdeny;
+ if (!seqno)
+ seqno = &dummy_seqno;
+
+ if (!scon)
+ return -EINVAL;
+ if (!tcon)
+ return -EINVAL;
+
+ bufLen = strlen(scon) + 1 + strlen(tcon) + 1 +
+ MAX_SHORT_DEC_LEN + 1 +
+ sizeof(req)*2 + 1;
+ buf = malloc(bufLen);
+ snprintf(buf, bufLen, "%s %s %hu %x", scon, tcon, tclass, req);
+
+ op.cmd = FLASK_ACCESS;
+ op.buf = buf;
+ op.size = strlen(buf)+1;
+
+ if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+ {
+ free(buf);
+ return err;
+ }
+
+ if (sscanf(op.buf, "%x %x %x %x %u",
+ allowed, decided,
+ auditallow, auditdeny,
+ seqno) != 5) {
+ err = -EILSEQ;
+ }
+
+ err = ((*allowed & req) == req)? 0 : -EPERM;
+
+ return err;
+
+}
+
+int xc_flask_avc_hashstats(xc_interface *xc_handle, char *buf, int size)
+{
+ int err;
+ flask_op_t op;
+
+ op.cmd = FLASK_AVC_HASHSTATS;
+ op.buf = buf;
+ op.size = size;
+
+ if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+ {
+ free(buf);
+ return err;
+ }
+
+ return 0;
+}
+
+int xc_flask_avc_cachestats(xc_interface *xc_handle, char *buf, int size)
+{
+ int err;
+ flask_op_t op;
+
+ op.cmd = FLASK_AVC_CACHESTATS;
+ op.buf = buf;
+ op.size = size;
+
+ if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+ {
+ free(buf);
+ return err;
+ }
+
+ return 0;
+}
+
+int xc_flask_policyvers(xc_interface *xc_handle, char *buf, int size)
+{
+ int err;
+ flask_op_t op;
+
+ op.cmd = FLASK_POLICYVERS;
+ op.buf = buf;
+ op.size = size;
+
+ if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+ {
+ free(buf);
+ return err;
+ }
+
+ return 0;
+}
+
+int xc_flask_getavc_threshold(xc_interface *xc_handle)
+{
+ int err;
+ flask_op_t op;
+ char buf[20];
+ int size = 20;
+ int threshold;
+
+ op.cmd = FLASK_GETAVC_THRESHOLD;
+ op.buf = buf;
+ op.size = size;
+
+ if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+ return err;
+
+ sscanf(buf, "%i", &threshold);
+
+ return threshold;
+}
+
+int xc_flask_setavc_threshold(xc_interface *xc_handle, int threshold)
+{
+ int err;
+ flask_op_t op;
+ char buf[20];
+ int size = 20;
+
+ op.cmd = FLASK_SETAVC_THRESHOLD;
+ op.buf = buf;
+ op.size = size;
+
+ snprintf(buf, size, "%i", threshold);
+
+ if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+ return err;
+
+ return 0;
+}
+
/*
* Local variables:
* mode: C
diff --git a/tools/libxc/xenctrl.h b/tools/libxc/xenctrl.h
index 705df1d..b6c0df3 100644
--- a/tools/libxc/xenctrl.h
+++ b/tools/libxc/xenctrl.h
@@ -1517,6 +1517,32 @@ int xc_memshr_debug_gref(xc_interface *xch,
uint32_t domid,
grant_ref_t gref);
+int xc_flask_load(xc_interface *xc_handle, char *buf, uint32_t size);
+int xc_flask_context_to_sid(xc_interface *xc_handle, char *buf, uint32_t size, uint32_t *sid);
+int xc_flask_sid_to_context(xc_interface *xc_handle, int sid, char *buf, uint32_t size);
+int xc_flask_getenforce(xc_interface *xc_handle);
+int xc_flask_setenforce(xc_interface *xc_handle, int mode);
+int xc_flask_add_pirq(xc_interface *xc_handle, unsigned int pirq, char *scontext);
+int xc_flask_add_ioport(xc_interface *xc_handle, unsigned long low, unsigned long high,
+ char *scontext);
+int xc_flask_add_iomem(xc_interface *xc_handle, unsigned long low, unsigned long high,
+ char *scontext);
+int xc_flask_add_device(xc_interface *xc_handle, unsigned long device, char *scontext);
+int xc_flask_del_pirq(xc_interface *xc_handle, unsigned int pirq);
+int xc_flask_del_ioport(xc_interface *xc_handle, unsigned long low, unsigned long high);
+int xc_flask_del_iomem(xc_interface *xc_handle, unsigned long low, unsigned long high);
+int xc_flask_del_device(xc_interface *xc_handle, unsigned long device);
+int xc_flask_access(xc_interface *xc_handle, const char *scon, const char *tcon,
+ uint16_t tclass, uint32_t req,
+ uint32_t *allowed, uint32_t *decided,
+ uint32_t *auditallow, uint32_t *auditdeny,
+ uint32_t *seqno);
+int xc_flask_avc_cachestats(xc_interface *xc_handle, char *buf, int size);
+int xc_flask_policyvers(xc_interface *xc_handle, char *buf, int size);
+int xc_flask_avc_hashstats(xc_interface *xc_handle, char *buf, int size);
+int xc_flask_getavc_threshold(xc_interface *xc_handle);
+int xc_flask_setavc_threshold(xc_interface *xc_handle, int threshold);
+
struct elf_binary;
void xc_elf_set_logfile(struct xc_interface *xch, struct elf_binary *elf,
int verbose);
[-- Attachment #3: Type: text/plain, Size: 138 bytes --]
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
^ permalink raw reply related [flat|nested] 6+ messages in thread* [PATCH 2/3] remove some duplicated code by having helper add/del functions
2010-06-22 9:26 [PATCH 0/3] libflask merging in libxenctrl Vincent Hanquez
2010-06-22 9:26 ` [PATCH 1/3] merge libflask into libxenctrl Vincent Hanquez
@ 2010-06-22 9:26 ` Vincent Hanquez
2010-06-22 9:26 ` [PATCH 3/3] add flask capabilities in python xc bindings Vincent Hanquez
2010-06-22 9:50 ` [PATCH 0/3] libflask merging in libxenctrl Tim Deegan
3 siblings, 0 replies; 6+ messages in thread
From: Vincent Hanquez @ 2010-06-22 9:26 UTC (permalink / raw)
To: Xen Devel; +Cc: Vincent Hanquez
[-- Attachment #1: Type: text/plain, Size: 207 bytes --]
Signed-off-by: Vincent Hanquez <vincent.hanquez@eu.citrix.com>
---
tools/libxc/xc_flask.c | 227 +++++++++--------------------------------------
1 files changed, 44 insertions(+), 183 deletions(-)
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0002-remove-some-duplicated-code-by-having-helper-add-del.patch --]
[-- Type: text/x-patch; name="0002-remove-some-duplicated-code-by-having-helper-add-del.patch", Size: 7669 bytes --]
diff --git a/tools/libxc/xc_flask.c b/tools/libxc/xc_flask.c
index 3b733e5..12cb001 100644
--- a/tools/libxc/xc_flask.c
+++ b/tools/libxc/xc_flask.c
@@ -141,237 +141,98 @@ int xc_flask_setenforce(xc_interface *xc_handle, int mode)
return 0;
}
-int xc_flask_add_pirq(xc_interface *xc_handle, unsigned int pirq, char *scontext)
+static int xc_flask_add(xc_interface *xc_handle, char *cat, char *arg, char *scontext)
{
- int err;
+ char buf[512];
flask_op_t op;
- char *buf;
- char *pirq_s = OCON_PIRQ_STR;
- int size = INITCONTEXTLEN + strlen(pirq_s) + (sizeof(unsigned int)) +
- (sizeof(char) * 3);
-
- if ( (buf = (char *) malloc(size)) == NULL )
- return -ENOMEM;
- memset(buf, 0, size);
+ memset(buf, 0, 512);
+ snprintf(buf, 512, "%s %255s %s", cat, scontext, arg);
op.cmd = FLASK_ADD_OCONTEXT;
- snprintf(buf, size, "%s %255s %u", pirq_s, scontext, pirq);
op.buf = buf;
- op.size = size;
-
- if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
- {
- free(buf);
- return err;
- }
+ op.size = 512;
+
+ return xc_flask_op(xc_handle, &op);
+}
- free(buf);
- return 0;
+int xc_flask_add_pirq(xc_interface *xc_handle, unsigned int pirq, char *scontext)
+{
+ char arg[16];
+ snprintf(arg, 16, "%u", pirq);
+ return xc_flask_add(xc_handle, OCON_PIRQ_STR, arg, scontext);
}
int xc_flask_add_ioport(xc_interface *xc_handle, unsigned long low, unsigned long high,
char *scontext)
{
- int err;
- flask_op_t op;
- char *buf;
- char *ioport = OCON_IOPORT_STR;
- int size = INITCONTEXTLEN + strlen(ioport) +
- (sizeof(unsigned long) * 2) + (sizeof(char) * 4);
-
- if ( (buf = (char *) malloc(size)) == NULL )
- return -ENOMEM;
- memset(buf, 0, size);
-
- op.cmd = FLASK_ADD_OCONTEXT;
- snprintf(buf, size, "%s %255s %lu %lu", ioport, scontext, low, high);
- op.buf = buf;
- op.size = size;
-
- if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
- {
- free(buf);
- return err;
- }
-
- free(buf);
- return 0;
+ char arg[64];
+ snprintf(arg, 64, "%lu %lu", low, high);
+ return xc_flask_add(xc_handle, OCON_IOPORT_STR, arg, scontext);
}
int xc_flask_add_iomem(xc_interface *xc_handle, unsigned long low, unsigned long high,
char *scontext)
{
- int err;
- flask_op_t op;
- char *buf;
- char *iomem = OCON_IOMEM_STR;
- int size = INITCONTEXTLEN + strlen(iomem) +
- (sizeof(unsigned long) * 2) + (sizeof(char) * 4);
-
- if ( (buf = (char *) malloc(size)) == NULL )
- return -ENOMEM;
- memset(buf, 0, size);
-
- op.cmd = FLASK_ADD_OCONTEXT;
- snprintf(buf, size, "%s %255s %lu %lu", iomem, scontext, low, high);
- op.buf = buf;
- op.size = size;
-
- if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
- {
- free(buf);
- return err;
- }
-
- free(buf);
- return 0;
+ char arg[64];
+ snprintf(arg, 64, "%lu %lu", low, high);
+ return xc_flask_add(xc_handle, OCON_IOMEM_STR, arg, scontext);
}
int xc_flask_add_device(xc_interface *xc_handle, unsigned long device, char *scontext)
{
- int err;
- flask_op_t op;
- char *buf;
- char *dev = OCON_DEVICE_STR;
- int size = INITCONTEXTLEN + strlen(dev) + (sizeof(unsigned long)) +
- (sizeof(char) * 3);
-
- if ( (buf = (char *) malloc(size)) == NULL )
- return -ENOMEM;
- memset(buf, 0, size);
-
- op.cmd = FLASK_ADD_OCONTEXT;
- snprintf(buf, size, "%s %255s %lu", dev, scontext, device);
- op.buf = buf;
- op.size = size;
-
- if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
- {
- free(buf);
- return err;
- }
-
- free(buf);
- return 0;
+ char arg[32];
+ snprintf(arg, 32, "%lu", device);
+ return xc_flask_add(xc_handle, OCON_DEVICE_STR, arg, scontext);
}
-int xc_flask_del_pirq(xc_interface *xc_handle, unsigned int pirq)
+static int xc_flask_del(xc_interface *xc_handle, char *cat, char *arg)
{
- int err;
+ char buf[256];
flask_op_t op;
- char *buf;
- char *pirq_s = OCON_PIRQ_STR;
- int size = strlen(pirq_s) + (sizeof(unsigned int)) +
- (sizeof(char) * 2);
-
- if ( (buf = (char *) malloc(size)) == NULL )
- return -ENOMEM;
- memset(buf, 0, size);
+ memset(buf, 0, 256);
+ snprintf(buf, 256, "%s %s", cat, arg);
op.cmd = FLASK_DEL_OCONTEXT;
- snprintf(buf, size, "%s %u", pirq_s, pirq);
op.buf = buf;
- op.size = size;
-
- if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
- {
- free(buf);
- return err;
- }
+ op.size = 256;
+
+ return xc_flask_op(xc_handle, &op);
+}
- free(buf);
- return 0;
+int xc_flask_del_pirq(xc_interface *xc_handle, unsigned int pirq)
+{
+ char arg[16];
+ snprintf(arg, 16, "%u", pirq);
+ return xc_flask_del(xc_handle, OCON_PIRQ_STR, arg);
}
int xc_flask_del_ioport(xc_interface *xc_handle, unsigned long low, unsigned long high)
{
- int err;
- flask_op_t op;
- char *buf;
- char *ioport = OCON_IOPORT_STR;
- int size = strlen(ioport) + (sizeof(unsigned long) * 2) +
- (sizeof(char) * 3);
-
- if ( (buf = (char *) malloc(size)) == NULL )
- return -ENOMEM;
- memset(buf, 0, size);
-
- op.cmd = FLASK_DEL_OCONTEXT;
- snprintf(buf, size, "%s %lu %lu", ioport, low, high);
- op.buf = buf;
- op.size = size;
-
- if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
- {
- free(buf);
- return err;
- }
-
- free(buf);
- return 0;
+ char arg[64];
+ snprintf(arg, 64, "%lu %lu", low, high);
+ return xc_flask_del(xc_handle, OCON_IOPORT_STR, arg);
}
int xc_flask_del_iomem(xc_interface *xc_handle, unsigned long low, unsigned long high)
{
- int err;
- flask_op_t op;
- char *buf;
- char *iomem = OCON_IOMEM_STR;
- int size = strlen(iomem) + (sizeof(unsigned long) * 2) +
- (sizeof(char) * 3);
-
- if ( (buf = (char *) malloc(size)) == NULL )
- return -ENOMEM;
- memset(buf, 0, size);
-
- op.cmd = FLASK_DEL_OCONTEXT;
- snprintf(buf, size, "%s %lu %lu", iomem, low, high);
- op.buf = buf;
- op.size = size;
-
- if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
- {
- free(buf);
- return err;
- }
-
- free(buf);
- return 0;
+ char arg[64];
+ snprintf(arg, 64, "%lu %lu", low, high);
+ return xc_flask_del(xc_handle, OCON_IOMEM_STR, arg);
}
int xc_flask_del_device(xc_interface *xc_handle, unsigned long device)
{
- int err;
- flask_op_t op;
- char *buf;
- char *dev = OCON_DEVICE_STR;
- int size = strlen(dev) + (sizeof(unsigned long)) + (sizeof(char) * 2);
-
- if ( (buf = (char *) malloc(size)) == NULL )
- return -ENOMEM;
- memset(buf, 0, size);
-
- op.cmd = FLASK_DEL_OCONTEXT;
- snprintf(buf, size, "%s %lu", dev, device);
- op.buf = buf;
- op.size = size;
-
- if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
- {
- free(buf);
- return err;
- }
-
- free(buf);
- return 0;
+ char arg[32];
+ snprintf(arg, 32, "%lu", device);
+ return xc_flask_del(xc_handle, OCON_DEVICE_STR, arg);
}
int xc_flask_access(xc_interface *xc_handle, const char *scon, const char *tcon,
[-- Attachment #3: Type: text/plain, Size: 138 bytes --]
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
^ permalink raw reply related [flat|nested] 6+ messages in thread* [PATCH 3/3] add flask capabilities in python xc bindings
2010-06-22 9:26 [PATCH 0/3] libflask merging in libxenctrl Vincent Hanquez
2010-06-22 9:26 ` [PATCH 1/3] merge libflask into libxenctrl Vincent Hanquez
2010-06-22 9:26 ` [PATCH 2/3] remove some duplicated code by having helper add/del functions Vincent Hanquez
@ 2010-06-22 9:26 ` Vincent Hanquez
2010-06-22 9:50 ` [PATCH 0/3] libflask merging in libxenctrl Tim Deegan
3 siblings, 0 replies; 6+ messages in thread
From: Vincent Hanquez @ 2010-06-22 9:26 UTC (permalink / raw)
To: Xen Devel; +Cc: Vincent Hanquez
[-- Attachment #1: Type: text/plain, Size: 207 bytes --]
Signed-off-by: Vincent Hanquez <vincent.hanquez@eu.citrix.com>
---
tools/python/xen/lowlevel/xc/xc.c | 251 +++++++++++++++++++++++++++++++++++++
1 files changed, 251 insertions(+), 0 deletions(-)
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0003-add-flask-capabilities-in-python-xc-bindings.patch --]
[-- Type: text/x-patch; name="0003-add-flask-capabilities-in-python-xc-bindings.patch", Size: 8350 bytes --]
diff --git a/tools/python/xen/lowlevel/xc/xc.c b/tools/python/xen/lowlevel/xc/xc.c
index a7286c4..66d247b 100644
--- a/tools/python/xen/lowlevel/xc/xc.c
+++ b/tools/python/xen/lowlevel/xc/xc.c
@@ -34,6 +34,8 @@
#define PKG "xen.lowlevel.xc"
#define CLS "xc"
+#define FLASK_CTX_LEN 1024
+
static PyObject *xc_error_obj, *zero;
typedef struct {
@@ -2077,6 +2079,202 @@ static PyObject *pyxc_cpupool_freeinfo(XcObject *self)
return cpumap_to_cpulist(cpumap);
}
+static PyObject *pyflask_context_to_sid(PyObject *self, PyObject *args,
+ PyObject *kwds)
+{
+ xc_interface *xc_handle;
+ char *ctx;
+ char *buf;
+ uint32_t len;
+ uint32_t sid;
+ int ret;
+
+ static char *kwd_list[] = { "context", NULL };
+
+ if ( !PyArg_ParseTupleAndKeywords(args, kwds, "s", kwd_list,
+ &ctx) )
+ return NULL;
+
+ len = strlen(ctx);
+
+ buf = malloc(len);
+ if (!buf) {
+ errno = -ENOMEM;
+ PyErr_SetFromErrno(xc_error_obj);
+ }
+
+ memcpy(buf, ctx, len);
+
+ xc_handle = xc_interface_open(0,0,0);
+ if (!xc_handle) {
+ free(buf);
+ return PyErr_SetFromErrno(xc_error_obj);
+ }
+
+ ret = xc_flask_context_to_sid(xc_handle, buf, len, &sid);
+
+ xc_interface_close(xc_handle);
+
+ free(buf);
+
+ if ( ret != 0 ) {
+ errno = -ret;
+ return PyErr_SetFromErrno(xc_error_obj);
+ }
+
+ return PyInt_FromLong(sid);
+}
+
+static PyObject *pyflask_sid_to_context(PyObject *self, PyObject *args,
+ PyObject *kwds)
+{
+ xc_interface *xc_handle;
+ uint32_t sid;
+ char ctx[FLASK_CTX_LEN];
+ uint32_t ctx_len = FLASK_CTX_LEN;
+ int ret;
+
+ static char *kwd_list[] = { "sid", NULL };
+
+ if ( !PyArg_ParseTupleAndKeywords(args, kwds, "i", kwd_list,
+ &sid) )
+ return NULL;
+
+ xc_handle = xc_interface_open(0,0,0);
+ if (!xc_handle) {
+ return PyErr_SetFromErrno(xc_error_obj);
+ }
+
+ ret = xc_flask_sid_to_context(xc_handle, sid, ctx, ctx_len);
+
+ xc_interface_close(xc_handle);
+
+ if ( ret != 0 ) {
+ errno = -ret;
+ return PyErr_SetFromErrno(xc_error_obj);
+ }
+
+ return Py_BuildValue("s", ctx, ctx_len);
+}
+
+static PyObject *pyflask_load(PyObject *self, PyObject *args, PyObject *kwds)
+{
+ xc_interface *xc_handle;
+ char *policy;
+ uint32_t len;
+ int ret;
+
+ static char *kwd_list[] = { "policy", NULL };
+
+ if( !PyArg_ParseTupleAndKeywords(args, kwds, "s#", kwd_list, &policy, &len) )
+ return NULL;
+
+ xc_handle = xc_interface_open(0,0,0);
+ if (!xc_handle) {
+ return PyErr_SetFromErrno(xc_error_obj);
+ }
+
+ ret = xc_flask_load(xc_handle, policy, len);
+
+ xc_interface_close(xc_handle);
+
+ if ( ret != 0 ) {
+ errno = -ret;
+ return PyErr_SetFromErrno(xc_error_obj);
+ }
+
+ return Py_BuildValue("i", ret);
+}
+
+static PyObject *pyflask_getenforce(PyObject *self)
+{
+ xc_interface *xc_handle;
+ int ret;
+
+ xc_handle = xc_interface_open(0,0,0);
+ if (!xc_handle) {
+ return PyErr_SetFromErrno(xc_error_obj);
+ }
+
+ ret = xc_flask_getenforce(xc_handle);
+
+ xc_interface_close(xc_handle);
+
+ if ( ret < 0 ) {
+ errno = -ret;
+ return PyErr_SetFromErrno(xc_error_obj);
+ }
+
+ return Py_BuildValue("i", ret);
+}
+
+static PyObject *pyflask_setenforce(PyObject *self, PyObject *args,
+ PyObject *kwds)
+{
+ xc_interface *xc_handle;
+ int mode;
+ int ret;
+
+ static char *kwd_list[] = { "mode", NULL };
+
+ if ( !PyArg_ParseTupleAndKeywords(args, kwds, "i", kwd_list,
+ &mode) )
+ return NULL;
+
+ xc_handle = xc_interface_open(0,0,0);
+ if (!xc_handle) {
+ return PyErr_SetFromErrno(xc_error_obj);
+ }
+
+ ret = xc_flask_setenforce(xc_handle, mode);
+
+ xc_interface_close(xc_handle);
+
+ if ( ret != 0 ) {
+ errno = -ret;
+ return PyErr_SetFromErrno(xc_error_obj);
+ }
+
+ return Py_BuildValue("i", ret);
+}
+
+static PyObject *pyflask_access(PyObject *self, PyObject *args,
+ PyObject *kwds)
+{
+ xc_interface *xc_handle;
+ char *tcon, *scon;
+ uint16_t tclass;
+ uint32_t req, allowed, decided, auditallow, auditdeny, seqno;
+ int ret;
+
+ static char *kwd_list[] = { "src_context", "tar_context",
+ "tar_class", "req_permissions",
+ "decided", "auditallow","auditdeny",
+ "seqno", NULL };
+
+ if ( !PyArg_ParseTupleAndKeywords(args, kwds, "ssil|llll", kwd_list,
+ &scon, &tcon, &tclass, &req, &decided,
+ &auditallow, &auditdeny, &seqno) )
+ return NULL;
+
+ xc_handle = xc_interface_open(0,0,0);
+ if (!xc_handle) {
+ return PyErr_SetFromErrno(xc_error_obj);
+ }
+
+ ret = xc_flask_access(xc_handle, scon, tcon, tclass, req, &allowed, &decided,
+ &auditallow, &auditdeny, &seqno);
+
+ xc_interface_close(xc_handle);
+
+ if ( ret != 0 ) {
+ errno = -ret;
+ return PyErr_SetFromErrno(xc_error_obj);
+ }
+
+ return Py_BuildValue("i",ret);
+}
+
static PyMethodDef pyxc_methods[] = {
{ "domain_create",
(PyCFunction)pyxc_domain_create,
@@ -2676,6 +2874,59 @@ static PyMethodDef pyxc_methods[] = {
"Get info about cpus not in any cpupool.\n"
"Returns: [list]: List of CPUs\n" },
+ { "flask_context_to_sid",
+ (PyCFunction)pyflask_context_to_sid,
+ METH_KEYWORDS, "\n"
+ "Convert a context string to a dynamic SID.\n"
+ " context [str]: String specifying context to be converted\n"
+ "Returns: [int]: Numeric SID on success; -1 on error.\n" },
+
+ { "flask_sid_to_context",
+ (PyCFunction)pyflask_sid_to_context,
+ METH_KEYWORDS, "\n"
+ "Convert a dynamic SID to context string.\n"
+ " context [int]: SID to be converted\n"
+ "Returns: [str]: Numeric SID on success; -1 on error.\n" },
+
+ { "flask_load",
+ (PyCFunction)pyflask_load,
+ METH_KEYWORDS, "\n"
+ "Loads a policy into the hypervisor.\n"
+ " policy [str]: policy to be load\n"
+ "Returns: [int]: 0 on success; -1 on failure.\n" },
+
+ { "flask_getenforce",
+ (PyCFunction)pyflask_getenforce,
+ METH_NOARGS, "\n"
+ "Returns the current mode of the Flask XSM module.\n"
+ "Returns: [int]: 0 for permissive; 1 for enforcing; -1 on failure.\n" },
+
+ { "flask_setenforce",
+ (PyCFunction)pyflask_setenforce,
+ METH_KEYWORDS, "\n"
+ "Modifies the current mode for the Flask XSM module.\n"
+ " mode [int]: mode to change to\n"
+ "Returns: [int]: 0 on success; -1 on failure.\n" },
+
+ { "flask_access",
+ (PyCFunction)pyflask_access,
+ METH_KEYWORDS, "\n"
+ "Returns whether a source context has access to target context based on \
+ class and permissions requested.\n"
+ " scon [str]: source context\n"
+ " tcon [str]: target context\n"
+ " tclass [int]: target security class\n"
+ " req [int] requested permissions\n"
+ " allowed [int] permissions allow for the target class between the source \
+ and target context\n"
+ " decided [int] the permissions that were returned in the allowed \
+ parameter\n"
+ " auditallow [int] permissions set to audit on allow\n"
+ " auditdeny [int] permissions set to audit on deny\n"
+ " seqno [int] not used\n"
+ "Returns: [int]: 0 on all permission granted; -1 if any permissions are \
+ denied\n" },
+
{ NULL, NULL, 0, NULL }
};
[-- Attachment #3: Type: text/plain, Size: 138 bytes --]
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
^ permalink raw reply related [flat|nested] 6+ messages in thread* Re: [PATCH 0/3] libflask merging in libxenctrl
2010-06-22 9:26 [PATCH 0/3] libflask merging in libxenctrl Vincent Hanquez
` (2 preceding siblings ...)
2010-06-22 9:26 ` [PATCH 3/3] add flask capabilities in python xc bindings Vincent Hanquez
@ 2010-06-22 9:50 ` Tim Deegan
2010-06-22 10:04 ` Tim Deegan
3 siblings, 1 reply; 6+ messages in thread
From: Tim Deegan @ 2010-06-22 9:50 UTC (permalink / raw)
To: Vincent Hanquez; +Cc: Xen Devel
At 10:26 +0100 on 22 Jun (1277202415), Vincent Hanquez wrote:
> The following patch series fold libflask into libxenctrl.
>
> The flask library is small, and putting everything in libxenctrl make
> relying on flask functionalities in libxl easier.
That doesn't sound like a good reason to duplicate a library to me.
If libxl needs flask functions it should link against them.
Are you volunteering to maintain a fork of a security library?
Tim.
> libflask is left for compatibility purpose, but should be considered
> deprecated, and remove in the near future. all flask_ symbols are now
> xc_flask_ symbols in libxenctrl.
>
> also remove some code duplication in the add_ and del_ calls.
>
> Vincent Hanquez (3):
> merge libflask into libxenctrl
> remove some duplicated code by having helper add/del functions
> add flask capabilities in python xc bindings
>
> tools/libxc/xc_flask.c | 357 +++++++++++++++++++++++++++++++++++++
> tools/libxc/xenctrl.h | 26 +++
> tools/python/xen/lowlevel/xc/xc.c | 251 ++++++++++++++++++++++++++
> 3 files changed, 634 insertions(+), 0 deletions(-)
>
Content-Description: ATT00001..txt
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xensource.com
> http://lists.xensource.com/xen-devel
--
Tim Deegan <Tim.Deegan@citrix.com>
Principal Software Engineer, XenServer Engineering
Citrix Systems UK Ltd. (Company #02937203, SL9 0BG)
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [PATCH 0/3] libflask merging in libxenctrl
2010-06-22 9:50 ` [PATCH 0/3] libflask merging in libxenctrl Tim Deegan
@ 2010-06-22 10:04 ` Tim Deegan
0 siblings, 0 replies; 6+ messages in thread
From: Tim Deegan @ 2010-06-22 10:04 UTC (permalink / raw)
To: Vincent Hanquez; +Cc: Xen Devel
At 10:50 +0100 on 22 Jun (1277203803), Tim Deegan wrote:
> At 10:26 +0100 on 22 Jun (1277202415), Vincent Hanquez wrote:
> > The following patch series fold libflask into libxenctrl.
> >
> > The flask library is small, and putting everything in libxenctrl make
> > relying on flask functionalities in libxl easier.
>
> That doesn't sound like a good reason to duplicate a library to me.
Oh, ignore that, I'm being an idiot. :)
Tim.
--
Tim Deegan <Tim.Deegan@citrix.com>
Principal Software Engineer, XenServer Engineering
Citrix Systems UK Ltd. (Company #02937203, SL9 0BG)
^ permalink raw reply [flat|nested] 6+ messages in thread