* [PATCH 0/3] libflask merging in libxenctrl
@ 2010-06-22 9:26 Vincent Hanquez
2010-06-22 9:26 ` [PATCH 1/3] merge libflask into libxenctrl Vincent Hanquez
` (3 more replies)
0 siblings, 4 replies; 6+ messages in thread
From: Vincent Hanquez @ 2010-06-22 9:26 UTC (permalink / raw)
To: Xen Devel; +Cc: Vincent Hanquez
[-- Attachment #1: Type: text/plain, Size: 852 bytes --]
The following patch series fold libflask into libxenctrl.
The flask library is small, and putting everything in libxenctrl make
relying on flask functionalities in libxl easier.
libflask is left for compatibility purpose, but should be considered
deprecated, and remove in the near future. all flask_ symbols are now
xc_flask_ symbols in libxenctrl.
also remove some code duplication in the add_ and del_ calls.
Vincent Hanquez (3):
merge libflask into libxenctrl
remove some duplicated code by having helper add/del functions
add flask capabilities in python xc bindings
tools/libxc/xc_flask.c | 357 +++++++++++++++++++++++++++++++++++++
tools/libxc/xenctrl.h | 26 +++
tools/python/xen/lowlevel/xc/xc.c | 251 ++++++++++++++++++++++++++
3 files changed, 634 insertions(+), 0 deletions(-)
[-- Attachment #2: Type: text/plain, Size: 138 bytes --]
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH 1/3] merge libflask into libxenctrl
2010-06-22 9:26 [PATCH 0/3] libflask merging in libxenctrl Vincent Hanquez
@ 2010-06-22 9:26 ` Vincent Hanquez
2010-06-22 9:26 ` [PATCH 2/3] remove some duplicated code by having helper add/del functions Vincent Hanquez
` (2 subsequent siblings)
3 siblings, 0 replies; 6+ messages in thread
From: Vincent Hanquez @ 2010-06-22 9:26 UTC (permalink / raw)
To: Xen Devel; +Cc: Vincent Hanquez
[-- Attachment #1: Type: text/plain, Size: 243 bytes --]
Signed-off-by: Vincent Hanquez <vincent.hanquez@eu.citrix.com>
---
tools/libxc/xc_flask.c | 496 ++++++++++++++++++++++++++++++++++++++++++++++++
tools/libxc/xenctrl.h | 26 +++
2 files changed, 522 insertions(+), 0 deletions(-)
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-merge-libflask-into-libxenctrl.patch --]
[-- Type: text/x-patch; name="0001-merge-libflask-into-libxenctrl.patch", Size: 14026 bytes --]
diff --git a/tools/libxc/xc_flask.c b/tools/libxc/xc_flask.c
index 6982445..3b733e5 100644
--- a/tools/libxc/xc_flask.c
+++ b/tools/libxc/xc_flask.c
@@ -8,6 +8,24 @@
*/
#include "xc_private.h"
+#include <unistd.h>
+#include <stdio.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <sys/ioctl.h>
+#include <stdint.h>
+
+#define OCON_PIRQ_STR "pirq"
+#define OCON_IOPORT_STR "ioport"
+#define OCON_IOMEM_STR "iomem"
+#define OCON_DEVICE_STR "pcidevice"
+#define INITCONTEXTLEN 256
int xc_flask_op(xc_interface *xch, flask_op_t *op)
{
@@ -35,6 +53,484 @@ int xc_flask_op(xc_interface *xch, flask_op_t *op)
return ret;
}
+int xc_flask_load(xc_interface *xc_handle, char *buf, uint32_t size)
+{
+ int err;
+ flask_op_t op;
+
+ op.cmd = FLASK_LOAD;
+ op.buf = buf;
+ op.size = size;
+
+ if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+ return err;
+
+ return 0;
+}
+
+int xc_flask_context_to_sid(xc_interface *xc_handle, char *buf, uint32_t size, uint32_t *sid)
+{
+ int err;
+ flask_op_t op;
+
+ op.cmd = FLASK_CONTEXT_TO_SID;
+ op.buf = buf;
+ op.size = size;
+
+ if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+ return err;
+
+ sscanf(buf, "%u", sid);
+
+ return 0;
+}
+
+int xc_flask_sid_to_context(xc_interface *xc_handle, int sid, char *buf, uint32_t size)
+{
+ int err;
+ flask_op_t op;
+
+ op.cmd = FLASK_SID_TO_CONTEXT;
+ op.buf = buf;
+ op.size = size;
+
+ snprintf(buf, size, "%u", sid);
+
+ if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+ return err;
+
+ return 0;
+}
+
+int xc_flask_getenforce(xc_interface *xc_handle)
+{
+ int err;
+ flask_op_t op;
+ char buf[20];
+ int size = 20;
+ int mode;
+
+ op.cmd = FLASK_GETENFORCE;
+ op.buf = buf;
+ op.size = size;
+
+ if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+ return err;
+
+ sscanf(buf, "%i", &mode);
+
+ return mode;
+}
+
+int xc_flask_setenforce(xc_interface *xc_handle, int mode)
+{
+ int err;
+ flask_op_t op;
+ char buf[20];
+ int size = 20;
+
+ op.cmd = FLASK_SETENFORCE;
+ op.buf = buf;
+ op.size = size;
+
+ snprintf(buf, size, "%i", mode);
+
+ if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+ return err;
+
+ return 0;
+}
+
+int xc_flask_add_pirq(xc_interface *xc_handle, unsigned int pirq, char *scontext)
+{
+ int err;
+ flask_op_t op;
+ char *buf;
+ char *pirq_s = OCON_PIRQ_STR;
+ int size = INITCONTEXTLEN + strlen(pirq_s) + (sizeof(unsigned int)) +
+ (sizeof(char) * 3);
+
+ if ( (buf = (char *) malloc(size)) == NULL )
+ return -ENOMEM;
+ memset(buf, 0, size);
+
+ op.cmd = FLASK_ADD_OCONTEXT;
+ snprintf(buf, size, "%s %255s %u", pirq_s, scontext, pirq);
+ op.buf = buf;
+ op.size = size;
+
+ if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+ {
+ free(buf);
+ return err;
+ }
+
+ free(buf);
+ return 0;
+
+}
+
+int xc_flask_add_ioport(xc_interface *xc_handle, unsigned long low, unsigned long high,
+ char *scontext)
+{
+ int err;
+ flask_op_t op;
+ char *buf;
+ char *ioport = OCON_IOPORT_STR;
+ int size = INITCONTEXTLEN + strlen(ioport) +
+ (sizeof(unsigned long) * 2) + (sizeof(char) * 4);
+
+ if ( (buf = (char *) malloc(size)) == NULL )
+ return -ENOMEM;
+ memset(buf, 0, size);
+
+ op.cmd = FLASK_ADD_OCONTEXT;
+ snprintf(buf, size, "%s %255s %lu %lu", ioport, scontext, low, high);
+ op.buf = buf;
+ op.size = size;
+
+ if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+ {
+ free(buf);
+ return err;
+ }
+
+ free(buf);
+ return 0;
+
+}
+
+int xc_flask_add_iomem(xc_interface *xc_handle, unsigned long low, unsigned long high,
+ char *scontext)
+{
+ int err;
+ flask_op_t op;
+ char *buf;
+ char *iomem = OCON_IOMEM_STR;
+ int size = INITCONTEXTLEN + strlen(iomem) +
+ (sizeof(unsigned long) * 2) + (sizeof(char) * 4);
+
+ if ( (buf = (char *) malloc(size)) == NULL )
+ return -ENOMEM;
+ memset(buf, 0, size);
+
+ op.cmd = FLASK_ADD_OCONTEXT;
+ snprintf(buf, size, "%s %255s %lu %lu", iomem, scontext, low, high);
+ op.buf = buf;
+ op.size = size;
+
+ if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+ {
+ free(buf);
+ return err;
+ }
+
+ free(buf);
+ return 0;
+
+}
+
+int xc_flask_add_device(xc_interface *xc_handle, unsigned long device, char *scontext)
+{
+ int err;
+ flask_op_t op;
+ char *buf;
+ char *dev = OCON_DEVICE_STR;
+ int size = INITCONTEXTLEN + strlen(dev) + (sizeof(unsigned long)) +
+ (sizeof(char) * 3);
+
+ if ( (buf = (char *) malloc(size)) == NULL )
+ return -ENOMEM;
+ memset(buf, 0, size);
+
+ op.cmd = FLASK_ADD_OCONTEXT;
+ snprintf(buf, size, "%s %255s %lu", dev, scontext, device);
+ op.buf = buf;
+ op.size = size;
+
+ if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+ {
+ free(buf);
+ return err;
+ }
+
+ free(buf);
+ return 0;
+
+}
+
+int xc_flask_del_pirq(xc_interface *xc_handle, unsigned int pirq)
+{
+ int err;
+ flask_op_t op;
+ char *buf;
+ char *pirq_s = OCON_PIRQ_STR;
+ int size = strlen(pirq_s) + (sizeof(unsigned int)) +
+ (sizeof(char) * 2);
+
+ if ( (buf = (char *) malloc(size)) == NULL )
+ return -ENOMEM;
+ memset(buf, 0, size);
+
+ op.cmd = FLASK_DEL_OCONTEXT;
+ snprintf(buf, size, "%s %u", pirq_s, pirq);
+ op.buf = buf;
+ op.size = size;
+
+ if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+ {
+ free(buf);
+ return err;
+ }
+
+ free(buf);
+ return 0;
+
+}
+
+int xc_flask_del_ioport(xc_interface *xc_handle, unsigned long low, unsigned long high)
+{
+ int err;
+ flask_op_t op;
+ char *buf;
+ char *ioport = OCON_IOPORT_STR;
+ int size = strlen(ioport) + (sizeof(unsigned long) * 2) +
+ (sizeof(char) * 3);
+
+ if ( (buf = (char *) malloc(size)) == NULL )
+ return -ENOMEM;
+ memset(buf, 0, size);
+
+ op.cmd = FLASK_DEL_OCONTEXT;
+ snprintf(buf, size, "%s %lu %lu", ioport, low, high);
+ op.buf = buf;
+ op.size = size;
+
+ if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+ {
+ free(buf);
+ return err;
+ }
+
+ free(buf);
+ return 0;
+
+}
+
+int xc_flask_del_iomem(xc_interface *xc_handle, unsigned long low, unsigned long high)
+{
+ int err;
+ flask_op_t op;
+ char *buf;
+ char *iomem = OCON_IOMEM_STR;
+ int size = strlen(iomem) + (sizeof(unsigned long) * 2) +
+ (sizeof(char) * 3);
+
+ if ( (buf = (char *) malloc(size)) == NULL )
+ return -ENOMEM;
+ memset(buf, 0, size);
+
+ op.cmd = FLASK_DEL_OCONTEXT;
+ snprintf(buf, size, "%s %lu %lu", iomem, low, high);
+ op.buf = buf;
+ op.size = size;
+
+ if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+ {
+ free(buf);
+ return err;
+ }
+
+ free(buf);
+ return 0;
+
+}
+
+int xc_flask_del_device(xc_interface *xc_handle, unsigned long device)
+{
+ int err;
+ flask_op_t op;
+ char *buf;
+ char *dev = OCON_DEVICE_STR;
+ int size = strlen(dev) + (sizeof(unsigned long)) + (sizeof(char) * 2);
+
+ if ( (buf = (char *) malloc(size)) == NULL )
+ return -ENOMEM;
+ memset(buf, 0, size);
+
+ op.cmd = FLASK_DEL_OCONTEXT;
+ snprintf(buf, size, "%s %lu", dev, device);
+ op.buf = buf;
+ op.size = size;
+
+ if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+ {
+ free(buf);
+ return err;
+ }
+
+ free(buf);
+ return 0;
+
+}
+
+int xc_flask_access(xc_interface *xc_handle, const char *scon, const char *tcon,
+ uint16_t tclass, uint32_t req,
+ uint32_t *allowed, uint32_t *decided,
+ uint32_t *auditallow, uint32_t *auditdeny,
+ uint32_t *seqno)
+{
+/* maximum number of digits in a 16-bit decimal number: */
+#define MAX_SHORT_DEC_LEN 5
+
+ char *buf;
+ int bufLen;
+ int err;
+ flask_op_t op;
+ uint32_t dummy_allowed;
+ uint32_t dummy_decided;
+ uint32_t dummy_auditallow;
+ uint32_t dummy_auditdeny;
+ uint32_t dummy_seqno;
+
+ if (!allowed)
+ allowed = &dummy_allowed;
+ if (!decided)
+ decided = &dummy_decided;
+ if (!auditallow)
+ auditallow = &dummy_auditallow;
+ if (!auditdeny)
+ auditdeny = &dummy_auditdeny;
+ if (!seqno)
+ seqno = &dummy_seqno;
+
+ if (!scon)
+ return -EINVAL;
+ if (!tcon)
+ return -EINVAL;
+
+ bufLen = strlen(scon) + 1 + strlen(tcon) + 1 +
+ MAX_SHORT_DEC_LEN + 1 +
+ sizeof(req)*2 + 1;
+ buf = malloc(bufLen);
+ snprintf(buf, bufLen, "%s %s %hu %x", scon, tcon, tclass, req);
+
+ op.cmd = FLASK_ACCESS;
+ op.buf = buf;
+ op.size = strlen(buf)+1;
+
+ if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+ {
+ free(buf);
+ return err;
+ }
+
+ if (sscanf(op.buf, "%x %x %x %x %u",
+ allowed, decided,
+ auditallow, auditdeny,
+ seqno) != 5) {
+ err = -EILSEQ;
+ }
+
+ err = ((*allowed & req) == req)? 0 : -EPERM;
+
+ return err;
+
+}
+
+int xc_flask_avc_hashstats(xc_interface *xc_handle, char *buf, int size)
+{
+ int err;
+ flask_op_t op;
+
+ op.cmd = FLASK_AVC_HASHSTATS;
+ op.buf = buf;
+ op.size = size;
+
+ if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+ {
+ free(buf);
+ return err;
+ }
+
+ return 0;
+}
+
+int xc_flask_avc_cachestats(xc_interface *xc_handle, char *buf, int size)
+{
+ int err;
+ flask_op_t op;
+
+ op.cmd = FLASK_AVC_CACHESTATS;
+ op.buf = buf;
+ op.size = size;
+
+ if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+ {
+ free(buf);
+ return err;
+ }
+
+ return 0;
+}
+
+int xc_flask_policyvers(xc_interface *xc_handle, char *buf, int size)
+{
+ int err;
+ flask_op_t op;
+
+ op.cmd = FLASK_POLICYVERS;
+ op.buf = buf;
+ op.size = size;
+
+ if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+ {
+ free(buf);
+ return err;
+ }
+
+ return 0;
+}
+
+int xc_flask_getavc_threshold(xc_interface *xc_handle)
+{
+ int err;
+ flask_op_t op;
+ char buf[20];
+ int size = 20;
+ int threshold;
+
+ op.cmd = FLASK_GETAVC_THRESHOLD;
+ op.buf = buf;
+ op.size = size;
+
+ if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+ return err;
+
+ sscanf(buf, "%i", &threshold);
+
+ return threshold;
+}
+
+int xc_flask_setavc_threshold(xc_interface *xc_handle, int threshold)
+{
+ int err;
+ flask_op_t op;
+ char buf[20];
+ int size = 20;
+
+ op.cmd = FLASK_SETAVC_THRESHOLD;
+ op.buf = buf;
+ op.size = size;
+
+ snprintf(buf, size, "%i", threshold);
+
+ if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+ return err;
+
+ return 0;
+}
+
/*
* Local variables:
* mode: C
diff --git a/tools/libxc/xenctrl.h b/tools/libxc/xenctrl.h
index 705df1d..b6c0df3 100644
--- a/tools/libxc/xenctrl.h
+++ b/tools/libxc/xenctrl.h
@@ -1517,6 +1517,32 @@ int xc_memshr_debug_gref(xc_interface *xch,
uint32_t domid,
grant_ref_t gref);
+int xc_flask_load(xc_interface *xc_handle, char *buf, uint32_t size);
+int xc_flask_context_to_sid(xc_interface *xc_handle, char *buf, uint32_t size, uint32_t *sid);
+int xc_flask_sid_to_context(xc_interface *xc_handle, int sid, char *buf, uint32_t size);
+int xc_flask_getenforce(xc_interface *xc_handle);
+int xc_flask_setenforce(xc_interface *xc_handle, int mode);
+int xc_flask_add_pirq(xc_interface *xc_handle, unsigned int pirq, char *scontext);
+int xc_flask_add_ioport(xc_interface *xc_handle, unsigned long low, unsigned long high,
+ char *scontext);
+int xc_flask_add_iomem(xc_interface *xc_handle, unsigned long low, unsigned long high,
+ char *scontext);
+int xc_flask_add_device(xc_interface *xc_handle, unsigned long device, char *scontext);
+int xc_flask_del_pirq(xc_interface *xc_handle, unsigned int pirq);
+int xc_flask_del_ioport(xc_interface *xc_handle, unsigned long low, unsigned long high);
+int xc_flask_del_iomem(xc_interface *xc_handle, unsigned long low, unsigned long high);
+int xc_flask_del_device(xc_interface *xc_handle, unsigned long device);
+int xc_flask_access(xc_interface *xc_handle, const char *scon, const char *tcon,
+ uint16_t tclass, uint32_t req,
+ uint32_t *allowed, uint32_t *decided,
+ uint32_t *auditallow, uint32_t *auditdeny,
+ uint32_t *seqno);
+int xc_flask_avc_cachestats(xc_interface *xc_handle, char *buf, int size);
+int xc_flask_policyvers(xc_interface *xc_handle, char *buf, int size);
+int xc_flask_avc_hashstats(xc_interface *xc_handle, char *buf, int size);
+int xc_flask_getavc_threshold(xc_interface *xc_handle);
+int xc_flask_setavc_threshold(xc_interface *xc_handle, int threshold);
+
struct elf_binary;
void xc_elf_set_logfile(struct xc_interface *xch, struct elf_binary *elf,
int verbose);
[-- Attachment #3: Type: text/plain, Size: 138 bytes --]
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH 2/3] remove some duplicated code by having helper add/del functions
2010-06-22 9:26 [PATCH 0/3] libflask merging in libxenctrl Vincent Hanquez
2010-06-22 9:26 ` [PATCH 1/3] merge libflask into libxenctrl Vincent Hanquez
@ 2010-06-22 9:26 ` Vincent Hanquez
2010-06-22 9:26 ` [PATCH 3/3] add flask capabilities in python xc bindings Vincent Hanquez
2010-06-22 9:50 ` [PATCH 0/3] libflask merging in libxenctrl Tim Deegan
3 siblings, 0 replies; 6+ messages in thread
From: Vincent Hanquez @ 2010-06-22 9:26 UTC (permalink / raw)
To: Xen Devel; +Cc: Vincent Hanquez
[-- Attachment #1: Type: text/plain, Size: 207 bytes --]
Signed-off-by: Vincent Hanquez <vincent.hanquez@eu.citrix.com>
---
tools/libxc/xc_flask.c | 227 +++++++++--------------------------------------
1 files changed, 44 insertions(+), 183 deletions(-)
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0002-remove-some-duplicated-code-by-having-helper-add-del.patch --]
[-- Type: text/x-patch; name="0002-remove-some-duplicated-code-by-having-helper-add-del.patch", Size: 7669 bytes --]
diff --git a/tools/libxc/xc_flask.c b/tools/libxc/xc_flask.c
index 3b733e5..12cb001 100644
--- a/tools/libxc/xc_flask.c
+++ b/tools/libxc/xc_flask.c
@@ -141,237 +141,98 @@ int xc_flask_setenforce(xc_interface *xc_handle, int mode)
return 0;
}
-int xc_flask_add_pirq(xc_interface *xc_handle, unsigned int pirq, char *scontext)
+static int xc_flask_add(xc_interface *xc_handle, char *cat, char *arg, char *scontext)
{
- int err;
+ char buf[512];
flask_op_t op;
- char *buf;
- char *pirq_s = OCON_PIRQ_STR;
- int size = INITCONTEXTLEN + strlen(pirq_s) + (sizeof(unsigned int)) +
- (sizeof(char) * 3);
-
- if ( (buf = (char *) malloc(size)) == NULL )
- return -ENOMEM;
- memset(buf, 0, size);
+ memset(buf, 0, 512);
+ snprintf(buf, 512, "%s %255s %s", cat, scontext, arg);
op.cmd = FLASK_ADD_OCONTEXT;
- snprintf(buf, size, "%s %255s %u", pirq_s, scontext, pirq);
op.buf = buf;
- op.size = size;
-
- if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
- {
- free(buf);
- return err;
- }
+ op.size = 512;
+
+ return xc_flask_op(xc_handle, &op);
+}
- free(buf);
- return 0;
+int xc_flask_add_pirq(xc_interface *xc_handle, unsigned int pirq, char *scontext)
+{
+ char arg[16];
+ snprintf(arg, 16, "%u", pirq);
+ return xc_flask_add(xc_handle, OCON_PIRQ_STR, arg, scontext);
}
int xc_flask_add_ioport(xc_interface *xc_handle, unsigned long low, unsigned long high,
char *scontext)
{
- int err;
- flask_op_t op;
- char *buf;
- char *ioport = OCON_IOPORT_STR;
- int size = INITCONTEXTLEN + strlen(ioport) +
- (sizeof(unsigned long) * 2) + (sizeof(char) * 4);
-
- if ( (buf = (char *) malloc(size)) == NULL )
- return -ENOMEM;
- memset(buf, 0, size);
-
- op.cmd = FLASK_ADD_OCONTEXT;
- snprintf(buf, size, "%s %255s %lu %lu", ioport, scontext, low, high);
- op.buf = buf;
- op.size = size;
-
- if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
- {
- free(buf);
- return err;
- }
-
- free(buf);
- return 0;
+ char arg[64];
+ snprintf(arg, 64, "%lu %lu", low, high);
+ return xc_flask_add(xc_handle, OCON_IOPORT_STR, arg, scontext);
}
int xc_flask_add_iomem(xc_interface *xc_handle, unsigned long low, unsigned long high,
char *scontext)
{
- int err;
- flask_op_t op;
- char *buf;
- char *iomem = OCON_IOMEM_STR;
- int size = INITCONTEXTLEN + strlen(iomem) +
- (sizeof(unsigned long) * 2) + (sizeof(char) * 4);
-
- if ( (buf = (char *) malloc(size)) == NULL )
- return -ENOMEM;
- memset(buf, 0, size);
-
- op.cmd = FLASK_ADD_OCONTEXT;
- snprintf(buf, size, "%s %255s %lu %lu", iomem, scontext, low, high);
- op.buf = buf;
- op.size = size;
-
- if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
- {
- free(buf);
- return err;
- }
-
- free(buf);
- return 0;
+ char arg[64];
+ snprintf(arg, 64, "%lu %lu", low, high);
+ return xc_flask_add(xc_handle, OCON_IOMEM_STR, arg, scontext);
}
int xc_flask_add_device(xc_interface *xc_handle, unsigned long device, char *scontext)
{
- int err;
- flask_op_t op;
- char *buf;
- char *dev = OCON_DEVICE_STR;
- int size = INITCONTEXTLEN + strlen(dev) + (sizeof(unsigned long)) +
- (sizeof(char) * 3);
-
- if ( (buf = (char *) malloc(size)) == NULL )
- return -ENOMEM;
- memset(buf, 0, size);
-
- op.cmd = FLASK_ADD_OCONTEXT;
- snprintf(buf, size, "%s %255s %lu", dev, scontext, device);
- op.buf = buf;
- op.size = size;
-
- if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
- {
- free(buf);
- return err;
- }
-
- free(buf);
- return 0;
+ char arg[32];
+ snprintf(arg, 32, "%lu", device);
+ return xc_flask_add(xc_handle, OCON_DEVICE_STR, arg, scontext);
}
-int xc_flask_del_pirq(xc_interface *xc_handle, unsigned int pirq)
+static int xc_flask_del(xc_interface *xc_handle, char *cat, char *arg)
{
- int err;
+ char buf[256];
flask_op_t op;
- char *buf;
- char *pirq_s = OCON_PIRQ_STR;
- int size = strlen(pirq_s) + (sizeof(unsigned int)) +
- (sizeof(char) * 2);
-
- if ( (buf = (char *) malloc(size)) == NULL )
- return -ENOMEM;
- memset(buf, 0, size);
+ memset(buf, 0, 256);
+ snprintf(buf, 256, "%s %s", cat, arg);
op.cmd = FLASK_DEL_OCONTEXT;
- snprintf(buf, size, "%s %u", pirq_s, pirq);
op.buf = buf;
- op.size = size;
-
- if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
- {
- free(buf);
- return err;
- }
+ op.size = 256;
+
+ return xc_flask_op(xc_handle, &op);
+}
- free(buf);
- return 0;
+int xc_flask_del_pirq(xc_interface *xc_handle, unsigned int pirq)
+{
+ char arg[16];
+ snprintf(arg, 16, "%u", pirq);
+ return xc_flask_del(xc_handle, OCON_PIRQ_STR, arg);
}
int xc_flask_del_ioport(xc_interface *xc_handle, unsigned long low, unsigned long high)
{
- int err;
- flask_op_t op;
- char *buf;
- char *ioport = OCON_IOPORT_STR;
- int size = strlen(ioport) + (sizeof(unsigned long) * 2) +
- (sizeof(char) * 3);
-
- if ( (buf = (char *) malloc(size)) == NULL )
- return -ENOMEM;
- memset(buf, 0, size);
-
- op.cmd = FLASK_DEL_OCONTEXT;
- snprintf(buf, size, "%s %lu %lu", ioport, low, high);
- op.buf = buf;
- op.size = size;
-
- if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
- {
- free(buf);
- return err;
- }
-
- free(buf);
- return 0;
+ char arg[64];
+ snprintf(arg, 64, "%lu %lu", low, high);
+ return xc_flask_del(xc_handle, OCON_IOPORT_STR, arg);
}
int xc_flask_del_iomem(xc_interface *xc_handle, unsigned long low, unsigned long high)
{
- int err;
- flask_op_t op;
- char *buf;
- char *iomem = OCON_IOMEM_STR;
- int size = strlen(iomem) + (sizeof(unsigned long) * 2) +
- (sizeof(char) * 3);
-
- if ( (buf = (char *) malloc(size)) == NULL )
- return -ENOMEM;
- memset(buf, 0, size);
-
- op.cmd = FLASK_DEL_OCONTEXT;
- snprintf(buf, size, "%s %lu %lu", iomem, low, high);
- op.buf = buf;
- op.size = size;
-
- if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
- {
- free(buf);
- return err;
- }
-
- free(buf);
- return 0;
+ char arg[64];
+ snprintf(arg, 64, "%lu %lu", low, high);
+ return xc_flask_del(xc_handle, OCON_IOMEM_STR, arg);
}
int xc_flask_del_device(xc_interface *xc_handle, unsigned long device)
{
- int err;
- flask_op_t op;
- char *buf;
- char *dev = OCON_DEVICE_STR;
- int size = strlen(dev) + (sizeof(unsigned long)) + (sizeof(char) * 2);
-
- if ( (buf = (char *) malloc(size)) == NULL )
- return -ENOMEM;
- memset(buf, 0, size);
-
- op.cmd = FLASK_DEL_OCONTEXT;
- snprintf(buf, size, "%s %lu", dev, device);
- op.buf = buf;
- op.size = size;
-
- if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
- {
- free(buf);
- return err;
- }
-
- free(buf);
- return 0;
+ char arg[32];
+ snprintf(arg, 32, "%lu", device);
+ return xc_flask_del(xc_handle, OCON_DEVICE_STR, arg);
}
int xc_flask_access(xc_interface *xc_handle, const char *scon, const char *tcon,
[-- Attachment #3: Type: text/plain, Size: 138 bytes --]
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH 3/3] add flask capabilities in python xc bindings
2010-06-22 9:26 [PATCH 0/3] libflask merging in libxenctrl Vincent Hanquez
2010-06-22 9:26 ` [PATCH 1/3] merge libflask into libxenctrl Vincent Hanquez
2010-06-22 9:26 ` [PATCH 2/3] remove some duplicated code by having helper add/del functions Vincent Hanquez
@ 2010-06-22 9:26 ` Vincent Hanquez
2010-06-22 9:50 ` [PATCH 0/3] libflask merging in libxenctrl Tim Deegan
3 siblings, 0 replies; 6+ messages in thread
From: Vincent Hanquez @ 2010-06-22 9:26 UTC (permalink / raw)
To: Xen Devel; +Cc: Vincent Hanquez
[-- Attachment #1: Type: text/plain, Size: 207 bytes --]
Signed-off-by: Vincent Hanquez <vincent.hanquez@eu.citrix.com>
---
tools/python/xen/lowlevel/xc/xc.c | 251 +++++++++++++++++++++++++++++++++++++
1 files changed, 251 insertions(+), 0 deletions(-)
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0003-add-flask-capabilities-in-python-xc-bindings.patch --]
[-- Type: text/x-patch; name="0003-add-flask-capabilities-in-python-xc-bindings.patch", Size: 8350 bytes --]
diff --git a/tools/python/xen/lowlevel/xc/xc.c b/tools/python/xen/lowlevel/xc/xc.c
index a7286c4..66d247b 100644
--- a/tools/python/xen/lowlevel/xc/xc.c
+++ b/tools/python/xen/lowlevel/xc/xc.c
@@ -34,6 +34,8 @@
#define PKG "xen.lowlevel.xc"
#define CLS "xc"
+#define FLASK_CTX_LEN 1024
+
static PyObject *xc_error_obj, *zero;
typedef struct {
@@ -2077,6 +2079,202 @@ static PyObject *pyxc_cpupool_freeinfo(XcObject *self)
return cpumap_to_cpulist(cpumap);
}
+static PyObject *pyflask_context_to_sid(PyObject *self, PyObject *args,
+ PyObject *kwds)
+{
+ xc_interface *xc_handle;
+ char *ctx;
+ char *buf;
+ uint32_t len;
+ uint32_t sid;
+ int ret;
+
+ static char *kwd_list[] = { "context", NULL };
+
+ if ( !PyArg_ParseTupleAndKeywords(args, kwds, "s", kwd_list,
+ &ctx) )
+ return NULL;
+
+ len = strlen(ctx);
+
+ buf = malloc(len);
+ if (!buf) {
+ errno = -ENOMEM;
+ PyErr_SetFromErrno(xc_error_obj);
+ }
+
+ memcpy(buf, ctx, len);
+
+ xc_handle = xc_interface_open(0,0,0);
+ if (!xc_handle) {
+ free(buf);
+ return PyErr_SetFromErrno(xc_error_obj);
+ }
+
+ ret = xc_flask_context_to_sid(xc_handle, buf, len, &sid);
+
+ xc_interface_close(xc_handle);
+
+ free(buf);
+
+ if ( ret != 0 ) {
+ errno = -ret;
+ return PyErr_SetFromErrno(xc_error_obj);
+ }
+
+ return PyInt_FromLong(sid);
+}
+
+static PyObject *pyflask_sid_to_context(PyObject *self, PyObject *args,
+ PyObject *kwds)
+{
+ xc_interface *xc_handle;
+ uint32_t sid;
+ char ctx[FLASK_CTX_LEN];
+ uint32_t ctx_len = FLASK_CTX_LEN;
+ int ret;
+
+ static char *kwd_list[] = { "sid", NULL };
+
+ if ( !PyArg_ParseTupleAndKeywords(args, kwds, "i", kwd_list,
+ &sid) )
+ return NULL;
+
+ xc_handle = xc_interface_open(0,0,0);
+ if (!xc_handle) {
+ return PyErr_SetFromErrno(xc_error_obj);
+ }
+
+ ret = xc_flask_sid_to_context(xc_handle, sid, ctx, ctx_len);
+
+ xc_interface_close(xc_handle);
+
+ if ( ret != 0 ) {
+ errno = -ret;
+ return PyErr_SetFromErrno(xc_error_obj);
+ }
+
+ return Py_BuildValue("s", ctx, ctx_len);
+}
+
+static PyObject *pyflask_load(PyObject *self, PyObject *args, PyObject *kwds)
+{
+ xc_interface *xc_handle;
+ char *policy;
+ uint32_t len;
+ int ret;
+
+ static char *kwd_list[] = { "policy", NULL };
+
+ if( !PyArg_ParseTupleAndKeywords(args, kwds, "s#", kwd_list, &policy, &len) )
+ return NULL;
+
+ xc_handle = xc_interface_open(0,0,0);
+ if (!xc_handle) {
+ return PyErr_SetFromErrno(xc_error_obj);
+ }
+
+ ret = xc_flask_load(xc_handle, policy, len);
+
+ xc_interface_close(xc_handle);
+
+ if ( ret != 0 ) {
+ errno = -ret;
+ return PyErr_SetFromErrno(xc_error_obj);
+ }
+
+ return Py_BuildValue("i", ret);
+}
+
+static PyObject *pyflask_getenforce(PyObject *self)
+{
+ xc_interface *xc_handle;
+ int ret;
+
+ xc_handle = xc_interface_open(0,0,0);
+ if (!xc_handle) {
+ return PyErr_SetFromErrno(xc_error_obj);
+ }
+
+ ret = xc_flask_getenforce(xc_handle);
+
+ xc_interface_close(xc_handle);
+
+ if ( ret < 0 ) {
+ errno = -ret;
+ return PyErr_SetFromErrno(xc_error_obj);
+ }
+
+ return Py_BuildValue("i", ret);
+}
+
+static PyObject *pyflask_setenforce(PyObject *self, PyObject *args,
+ PyObject *kwds)
+{
+ xc_interface *xc_handle;
+ int mode;
+ int ret;
+
+ static char *kwd_list[] = { "mode", NULL };
+
+ if ( !PyArg_ParseTupleAndKeywords(args, kwds, "i", kwd_list,
+ &mode) )
+ return NULL;
+
+ xc_handle = xc_interface_open(0,0,0);
+ if (!xc_handle) {
+ return PyErr_SetFromErrno(xc_error_obj);
+ }
+
+ ret = xc_flask_setenforce(xc_handle, mode);
+
+ xc_interface_close(xc_handle);
+
+ if ( ret != 0 ) {
+ errno = -ret;
+ return PyErr_SetFromErrno(xc_error_obj);
+ }
+
+ return Py_BuildValue("i", ret);
+}
+
+static PyObject *pyflask_access(PyObject *self, PyObject *args,
+ PyObject *kwds)
+{
+ xc_interface *xc_handle;
+ char *tcon, *scon;
+ uint16_t tclass;
+ uint32_t req, allowed, decided, auditallow, auditdeny, seqno;
+ int ret;
+
+ static char *kwd_list[] = { "src_context", "tar_context",
+ "tar_class", "req_permissions",
+ "decided", "auditallow","auditdeny",
+ "seqno", NULL };
+
+ if ( !PyArg_ParseTupleAndKeywords(args, kwds, "ssil|llll", kwd_list,
+ &scon, &tcon, &tclass, &req, &decided,
+ &auditallow, &auditdeny, &seqno) )
+ return NULL;
+
+ xc_handle = xc_interface_open(0,0,0);
+ if (!xc_handle) {
+ return PyErr_SetFromErrno(xc_error_obj);
+ }
+
+ ret = xc_flask_access(xc_handle, scon, tcon, tclass, req, &allowed, &decided,
+ &auditallow, &auditdeny, &seqno);
+
+ xc_interface_close(xc_handle);
+
+ if ( ret != 0 ) {
+ errno = -ret;
+ return PyErr_SetFromErrno(xc_error_obj);
+ }
+
+ return Py_BuildValue("i",ret);
+}
+
static PyMethodDef pyxc_methods[] = {
{ "domain_create",
(PyCFunction)pyxc_domain_create,
@@ -2676,6 +2874,59 @@ static PyMethodDef pyxc_methods[] = {
"Get info about cpus not in any cpupool.\n"
"Returns: [list]: List of CPUs\n" },
+ { "flask_context_to_sid",
+ (PyCFunction)pyflask_context_to_sid,
+ METH_KEYWORDS, "\n"
+ "Convert a context string to a dynamic SID.\n"
+ " context [str]: String specifying context to be converted\n"
+ "Returns: [int]: Numeric SID on success; -1 on error.\n" },
+
+ { "flask_sid_to_context",
+ (PyCFunction)pyflask_sid_to_context,
+ METH_KEYWORDS, "\n"
+ "Convert a dynamic SID to context string.\n"
+ " context [int]: SID to be converted\n"
+ "Returns: [str]: Numeric SID on success; -1 on error.\n" },
+
+ { "flask_load",
+ (PyCFunction)pyflask_load,
+ METH_KEYWORDS, "\n"
+ "Loads a policy into the hypervisor.\n"
+ " policy [str]: policy to be load\n"
+ "Returns: [int]: 0 on success; -1 on failure.\n" },
+
+ { "flask_getenforce",
+ (PyCFunction)pyflask_getenforce,
+ METH_NOARGS, "\n"
+ "Returns the current mode of the Flask XSM module.\n"
+ "Returns: [int]: 0 for permissive; 1 for enforcing; -1 on failure.\n" },
+
+ { "flask_setenforce",
+ (PyCFunction)pyflask_setenforce,
+ METH_KEYWORDS, "\n"
+ "Modifies the current mode for the Flask XSM module.\n"
+ " mode [int]: mode to change to\n"
+ "Returns: [int]: 0 on success; -1 on failure.\n" },
+
+ { "flask_access",
+ (PyCFunction)pyflask_access,
+ METH_KEYWORDS, "\n"
+ "Returns whether a source context has access to target context based on \
+ class and permissions requested.\n"
+ " scon [str]: source context\n"
+ " tcon [str]: target context\n"
+ " tclass [int]: target security class\n"
+ " req [int] requested permissions\n"
+ " allowed [int] permissions allow for the target class between the source \
+ and target context\n"
+ " decided [int] the permissions that were returned in the allowed \
+ parameter\n"
+ " auditallow [int] permissions set to audit on allow\n"
+ " auditdeny [int] permissions set to audit on deny\n"
+ " seqno [int] not used\n"
+ "Returns: [int]: 0 on all permission granted; -1 if any permissions are \
+ denied\n" },
+
{ NULL, NULL, 0, NULL }
};
[-- Attachment #3: Type: text/plain, Size: 138 bytes --]
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH 0/3] libflask merging in libxenctrl
2010-06-22 9:26 [PATCH 0/3] libflask merging in libxenctrl Vincent Hanquez
` (2 preceding siblings ...)
2010-06-22 9:26 ` [PATCH 3/3] add flask capabilities in python xc bindings Vincent Hanquez
@ 2010-06-22 9:50 ` Tim Deegan
2010-06-22 10:04 ` Tim Deegan
3 siblings, 1 reply; 6+ messages in thread
From: Tim Deegan @ 2010-06-22 9:50 UTC (permalink / raw)
To: Vincent Hanquez; +Cc: Xen Devel
At 10:26 +0100 on 22 Jun (1277202415), Vincent Hanquez wrote:
> The following patch series fold libflask into libxenctrl.
>
> The flask library is small, and putting everything in libxenctrl make
> relying on flask functionalities in libxl easier.
That doesn't sound like a good reason to duplicate a library to me.
If libxl needs flask functions it should link against them.
Are you volunteering to maintain a fork of a security library?
Tim.
> libflask is left for compatibility purpose, but should be considered
> deprecated, and remove in the near future. all flask_ symbols are now
> xc_flask_ symbols in libxenctrl.
>
> also remove some code duplication in the add_ and del_ calls.
>
> Vincent Hanquez (3):
> merge libflask into libxenctrl
> remove some duplicated code by having helper add/del functions
> add flask capabilities in python xc bindings
>
> tools/libxc/xc_flask.c | 357 +++++++++++++++++++++++++++++++++++++
> tools/libxc/xenctrl.h | 26 +++
> tools/python/xen/lowlevel/xc/xc.c | 251 ++++++++++++++++++++++++++
> 3 files changed, 634 insertions(+), 0 deletions(-)
>
Content-Description: ATT00001..txt
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xensource.com
> http://lists.xensource.com/xen-devel
--
Tim Deegan <Tim.Deegan@citrix.com>
Principal Software Engineer, XenServer Engineering
Citrix Systems UK Ltd. (Company #02937203, SL9 0BG)
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH 0/3] libflask merging in libxenctrl
2010-06-22 9:50 ` [PATCH 0/3] libflask merging in libxenctrl Tim Deegan
@ 2010-06-22 10:04 ` Tim Deegan
0 siblings, 0 replies; 6+ messages in thread
From: Tim Deegan @ 2010-06-22 10:04 UTC (permalink / raw)
To: Vincent Hanquez; +Cc: Xen Devel
At 10:50 +0100 on 22 Jun (1277203803), Tim Deegan wrote:
> At 10:26 +0100 on 22 Jun (1277202415), Vincent Hanquez wrote:
> > The following patch series fold libflask into libxenctrl.
> >
> > The flask library is small, and putting everything in libxenctrl make
> > relying on flask functionalities in libxl easier.
>
> That doesn't sound like a good reason to duplicate a library to me.
Oh, ignore that, I'm being an idiot. :)
Tim.
--
Tim Deegan <Tim.Deegan@citrix.com>
Principal Software Engineer, XenServer Engineering
Citrix Systems UK Ltd. (Company #02937203, SL9 0BG)
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2010-06-22 10:04 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-06-22 9:26 [PATCH 0/3] libflask merging in libxenctrl Vincent Hanquez
2010-06-22 9:26 ` [PATCH 1/3] merge libflask into libxenctrl Vincent Hanquez
2010-06-22 9:26 ` [PATCH 2/3] remove some duplicated code by having helper add/del functions Vincent Hanquez
2010-06-22 9:26 ` [PATCH 3/3] add flask capabilities in python xc bindings Vincent Hanquez
2010-06-22 9:50 ` [PATCH 0/3] libflask merging in libxenctrl Tim Deegan
2010-06-22 10:04 ` Tim Deegan
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).