# HG changeset patch
# User kaf24@xxxxxxxxxxxxxxxxxxxx
# Node ID 513acbeac4205209ce48dd39ec6ca06121156be8
# Parent 1895942150a57e2abaa07effcce870fed8186fb7
This patch:
* adds a C-based security policy translation tool to Xen (secpol_xml2bin)
and removes the current Java
security policy translator (Java dependencies). The C-based tool
integrates into the Xen source tree build
and install (using gnome libxml2 for XML parsing). See install.txt.
* introduces security labels and related tools. Users can now use
semantic-rich label names to put security-tags
on domains. See example.txt, policy.txt.
* moves the security configuration (currently ACM_USE_SECURITY_POLICY)
from xen/Rules.mk
into a separate top-level Security.mk file (it is needed by the
tools/security and xen/acm).
Both xen/acm and tools/security are built during the Xen build process
only if ACM_USE_SECURITY_POLICY
is not ACM_NULL_POLICY (which is the default setting).
Signed-off-by Reiner Sailer <sailer@xxxxxxxxxx>
Signed-off by Stefan Berger <stefanb@xxxxxxxxxx>
Signed-off by Ray Valdez <rvaldez@xxxxxxxxxx>
diff -r 1895942150a5 -r 513acbeac420 Config.mk
--- a/Config.mk Fri Aug 19 08:55:03 2005
+++ b/Config.mk Fri Aug 19 09:03:17 2005
@@ -35,3 +35,11 @@
# Choose the best mirror to download linux kernel
KERNEL_REPO = http://www.kernel.org
+
+# ACM_USE_SECURITY_POLICY is set to security policy of Xen
+# Supported models are:
+# ACM_NULL_POLICY (ACM will not be built with this policy)
+# ACM_CHINESE_WALL_POLICY
+# ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY
+# ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY
+ACM_USE_SECURITY_POLICY ?= ACM_NULL_POLICY
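Review bot: The `ACM_USE_SECURITY_POLICY` block is added to Config.mk here, while the commit description says the setting moves into a separate top-level Security.mk; one of the two should be corrected before this lands so that the install instructions (install.txt tells the user to edit Config.mk) and the description agree. The comment could also name who consumes the value, e.g. `# Consumed by tools/security/Makefile and the xen/acm build (per the commit description); see tools/security/install.txt`, since a reader of Config.mk cannot otherwise tell why a non-null value pulls the libxml2-based translator into the tools build.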
diff -r 1895942150a5 -r 513acbeac420 tools/security/Makefile
--- a/tools/security/Makefile Fri Aug 19 08:55:03 2005
+++ b/tools/security/Makefile Fri Aug 19 09:03:17 2005
@@ -2,27 +2,71 @@
include $(XEN_ROOT)/tools/Rules.mk
SRCS = secpol_tool.c
-CFLAGS += -static
CFLAGS += -Wall
CFLAGS += -Werror
CFLAGS += -O3
CFLAGS += -fno-strict-aliasing
-CFLAGS += -I.
+CFLAGS += -I. -I/usr/include/libxml2
+CFLAGS_XML2BIN += $(shell xml2-config --cflags --libs )
+#if above does not work, try -L/usr/lib -lxml2 -lz -lpthread -lm
+XML2VERSION = $(shell xml2-config --version )
+VALIDATE_SCHEMA=$(shell if [[ $(XML2VERSION) < 2.6.20 ]]; then echo ""; else
echo "-DVALIDATE_SCHEMA"; fi; )
+ifeq ($(ACM_USE_SECURITY_POLICY),ACM_NULL_POLICY)
+POLICY=null
+endif
+ifeq ($(ACM_USE_SECURITY_POLICY),ACM_CHINESE_WALL_POLICY)
+POLICY=chwall
+endif
+ifeq ($(ACM_USE_SECURITY_POLICY),ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY)
+POLICY=ste
+endif
+ifeq
($(ACM_USE_SECURITY_POLICY),ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY)
+POLICY=chwall_ste
+endif
+POLICYFILE=./policies/$(POLICY)/$(POLICY).bin
+
+ifneq ($(ACM_USE_SECURITY_POLICY), ACM_NULL_POLICY)
all: build
+
+install:all
+
+default:all
+else
+all:
+
+install:
+
+default:
+endif
+
build: mk-symlinks
$(MAKE) secpol_tool
+ $(MAKE) secpol_xml2bin
+ chmod 700 ./setlabel.sh
+ chmod 700 ./updategrub.sh
-default: all
-
-install: all
-
-secpol_tool : secpol_tool.c
+secpol_tool : secpol_tool.c secpol_compat.h
$(CC) $(CPPFLAGS) $(CFLAGS) -o $@ $<
+secpol_xml2bin : secpol_xml2bin.c secpol_xml2bin.h secpol_compat.h
+ $(CC) $(CPPFLAGS) $(CFLAGS) $(CFLAGS_XML2BIN) $(VALIDATE_SCHEMA) -o $@
$<
+
clean:
- rm -rf secpol_tool xen
+ rm -rf secpol_tool secpol_xml2bin xen
+policy_clean:
+ rm -rf policies/*/*.bin policies/*/*.map
+
+mrproper: clean policy_clean
+
+
+$(POLICYFILE) : build
+ @./secpol_xml2bin $(POLICY) > /dev/null
+
+boot_install: $(POLICYFILE)
+ @cp $(POLICYFILE) /boot
+ @./updategrub.sh $(POLICY) $(PWD)/$(XEN_ROOT)
LINUX_ROOT := $(XEN_ROOT)/linux-2.6-xen-sparse
mk-symlinks:
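Review bot: The `[[ $(XML2VERSION) < 2.6.20 ]]` test that decides whether `-DVALIDATE_SCHEMA` is passed to the secpol_xml2bin build compares version strings lexicographically, so 2.6.9 counts as newer than 2.6.20 and 2.10.x as older, which would silently compile the tool without schema validation of the policy XML on a newer libxml2; `[[` is also a bashism while `$(shell)` runs /bin/sh, and an empty XML2VERSION (xml2-config missing) turns the test into a shell syntax error. A numeric compare, with `:=` for the `$(shell)`-derived variables (`CFLAGS_XML2BIN`, `XML2VERSION`) so they are not re-executed on every expansion, is shown below. Separately, boot_install's `@cp $(POLICYFILE) /boot` and `@./updategrub.sh …` rewrite the bootloader configuration with the commands echo-suppressed and with `$(PWD)` taken from the environment; dropping the `@` and using `$(CURDIR)` leaves a visible record of what was written, and `all`, `build`, `install`, `clean`, `policy_clean`, `mrproper` and `boot_install` should be declared `.PHONY` so a stray file of that name cannot disable them. The mk-symlinks rule that starts on the last line continues outside the hunk.
```make
CFLAGS_XML2BIN := $(shell xml2-config --cflags --libs)
XML2VERSION := $(shell xml2-config --version)
# Numeric major.minor.micro compare: a lexicographic [[ a < b ]] misorders
# e.g. 2.6.9 vs 2.6.20 and 2.10.x vs 2.6.x, and [[ ]] is not POSIX sh.
XML2_HAS_SCHEMA := $(shell echo "$(XML2VERSION)" | awk -F. '{ if ($$1*10000 + $$2*100 + $$3 >= 20620) print "yes" }')
VALIDATE_SCHEMA := $(if $(XML2_HAS_SCHEMA),-DVALIDATE_SCHEMA,)
# … unchanged: POLICY selection, all/install/default, build, secpol_tool, secpol_xml2bin, clean …
.PHONY: all build install default clean policy_clean mrproper boot_install
boot_install: $(POLICYFILE)
	cp $(POLICYFILE) /boot
	./updategrub.sh $(POLICY) $(CURDIR)/$(XEN_ROOT)
```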
diff -r 1895942150a5 -r 513acbeac420 tools/security/secpol_tool.c
--- a/tools/security/secpol_tool.c Fri Aug 19 08:55:03 2005
+++ b/tools/security/secpol_tool.c Fri Aug 19 09:03:17 2005
@@ -31,18 +31,8 @@
#include <stdlib.h>
#include <sys/ioctl.h>
#include <string.h>
-#include <stdint.h>
#include <netinet/in.h>
-
-typedef uint8_t u8;
-typedef uint16_t u16;
-typedef uint32_t u32;
-typedef uint64_t u64;
-typedef int8_t s8;
-typedef int16_t s16;
-typedef int32_t s32;
-typedef int64_t s64;
-
+#include "secpol_compat.h"
#include <xen/acm.h>
#include <xen/acm_ops.h>
#include <xen/linux/privcmd.h>
@@ -270,171 +260,6 @@
}
}
-/*************************** set policy ****************************/
-
-int acm_domain_set_chwallpolicy(void *bufstart, int buflen)
-{
-#define CWALL_MAX_SSIDREFS 6
-#define CWALL_MAX_TYPES 10
-#define CWALL_MAX_CONFLICTSETS 2
-
- struct acm_chwall_policy_buffer *chwall_bin_pol =
- (struct acm_chwall_policy_buffer *) bufstart;
- domaintype_t *ssidrefs, *conflicts;
- int ret = 0;
- int j;
-
- chwall_bin_pol->chwall_max_types = htonl(CWALL_MAX_TYPES);
- chwall_bin_pol->chwall_max_ssidrefs = htonl(CWALL_MAX_SSIDREFS);
- chwall_bin_pol->policy_code = htonl(ACM_CHINESE_WALL_POLICY);
- chwall_bin_pol->policy_version = htonl(ACM_CHWALL_VERSION);
- chwall_bin_pol->chwall_ssid_offset =
- htonl(sizeof(struct acm_chwall_policy_buffer));
- chwall_bin_pol->chwall_max_conflictsets =
- htonl(CWALL_MAX_CONFLICTSETS);
- chwall_bin_pol->chwall_conflict_sets_offset =
- htonl(ntohl(chwall_bin_pol->chwall_ssid_offset) +
- sizeof(domaintype_t) * CWALL_MAX_SSIDREFS * CWALL_MAX_TYPES);
- chwall_bin_pol->chwall_running_types_offset = 0; /* not set */
- chwall_bin_pol->chwall_conflict_aggregate_offset = 0; /* not set */
- ret += sizeof(struct acm_chwall_policy_buffer);
- /* now push example ssids into the buffer (max_ssidrefs x max_types
entries) */
- /* check buffer size */
- if ((buflen - ret) <
- (CWALL_MAX_TYPES * CWALL_MAX_SSIDREFS * sizeof(domaintype_t)))
- return -1; /* not enough space */
-
- ssidrefs = (domaintype_t *) (bufstart +
- ntohl(chwall_bin_pol->chwall_ssid_offset));
- memset(ssidrefs, 0,
- CWALL_MAX_TYPES * CWALL_MAX_SSIDREFS * sizeof(domaintype_t));
-
- /* now set type j-1 for ssidref i+1 */
- for (j = 0; j <= CWALL_MAX_SSIDREFS; j++)
- if ((0 < j) && (j <= CWALL_MAX_TYPES))
- ssidrefs[j * CWALL_MAX_TYPES + j - 1] = htons(1);
-
- ret += CWALL_MAX_TYPES * CWALL_MAX_SSIDREFS * sizeof(domaintype_t);
- if ((buflen - ret) <
- (CWALL_MAX_CONFLICTSETS * CWALL_MAX_TYPES * sizeof(domaintype_t)))
- return -1; /* not enough space */
-
- /* now the chinese wall policy conflict sets */
- conflicts = (domaintype_t *) (bufstart +
- ntohl(chwall_bin_pol->
- chwall_conflict_sets_offset));
- memset((void *) conflicts, 0,
- CWALL_MAX_CONFLICTSETS * CWALL_MAX_TYPES *
- sizeof(domaintype_t));
- /* just 1 conflict set [0]={2,3}, [1]={1,5,6} */
- if (CWALL_MAX_TYPES > 3)
- {
- conflicts[2] = htons(1);
- conflicts[3] = htons(1); /* {2,3} */
- conflicts[CWALL_MAX_TYPES + 1] = htons(1);
- conflicts[CWALL_MAX_TYPES + 5] = htons(1);
- conflicts[CWALL_MAX_TYPES + 6] = htons(1); /* {0,5,6} */
- }
- ret += sizeof(domaintype_t) * CWALL_MAX_CONFLICTSETS * CWALL_MAX_TYPES;
- return ret;
-}
-
-int acm_domain_set_stepolicy(void *bufstart, int buflen)
-{
-#define STE_MAX_SSIDREFS 6
-#define STE_MAX_TYPES 5
-
- struct acm_ste_policy_buffer *ste_bin_pol =
- (struct acm_ste_policy_buffer *) bufstart;
- domaintype_t *ssidrefs;
- int j, ret = 0;
-
- ste_bin_pol->ste_max_types = htonl(STE_MAX_TYPES);
- ste_bin_pol->ste_max_ssidrefs = htonl(STE_MAX_SSIDREFS);
- ste_bin_pol->policy_code = htonl(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY);
- ste_bin_pol->policy_version = htonl(ACM_STE_VERSION);
- ste_bin_pol->ste_ssid_offset =
- htonl(sizeof(struct acm_ste_policy_buffer));
- ret += sizeof(struct acm_ste_policy_buffer);
- /* check buffer size */
- if ((buflen - ret) <
- (STE_MAX_TYPES * STE_MAX_SSIDREFS * sizeof(domaintype_t)))
- return -1; /* not enough space */
-
- ssidrefs =
- (domaintype_t *) (bufstart + ntohl(ste_bin_pol->ste_ssid_offset));
- memset(ssidrefs, 0,
- STE_MAX_TYPES * STE_MAX_SSIDREFS * sizeof(domaintype_t));
- /* all types 1 for ssidref 1 */
- for (j = 0; j < STE_MAX_TYPES; j++)
- ssidrefs[1 * STE_MAX_TYPES + j] = htons(1);
- /* now set type j-1 for ssidref j */
- for (j = 0; j < STE_MAX_SSIDREFS; j++)
- if ((0 < j) && (j <= STE_MAX_TYPES))
- ssidrefs[j * STE_MAX_TYPES + j - 1] = htons(1);
- ret += STE_MAX_TYPES * STE_MAX_SSIDREFS * sizeof(domaintype_t);
- return ret;
-}
-
-#define MAX_PUSH_BUFFER 16384
-u8 push_buffer[MAX_PUSH_BUFFER];
-
-int acm_domain_setpolicy(int xc_handle)
-{
- int ret;
- struct acm_policy_buffer *bin_pol;
- acm_op_t op;
-
- /* future: read policy from file and set it */
- bin_pol = (struct acm_policy_buffer *) push_buffer;
- bin_pol->policy_version = htonl(ACM_POLICY_VERSION);
- bin_pol->magic = htonl(ACM_MAGIC);
- bin_pol->primary_policy_code = htonl(ACM_CHINESE_WALL_POLICY);
- bin_pol->secondary_policy_code =
- htonl(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY);
-
- bin_pol->len = htonl(sizeof(struct acm_policy_buffer));
- bin_pol->primary_buffer_offset = htonl(ntohl(bin_pol->len));
- ret =
- acm_domain_set_chwallpolicy(push_buffer +
- ntohl(bin_pol->primary_buffer_offset),
- MAX_PUSH_BUFFER -
- ntohl(bin_pol->primary_buffer_offset));
- if (ret < 0)
- {
- printf("ERROR creating chwallpolicy buffer.\n");
- return -1;
- }
- bin_pol->len = htonl(ntohl(bin_pol->len) + ret);
- bin_pol->secondary_buffer_offset = htonl(ntohl(bin_pol->len));
- ret = acm_domain_set_stepolicy(push_buffer +
- ntohl(bin_pol->secondary_buffer_offset),
- MAX_PUSH_BUFFER -
- ntohl(bin_pol->secondary_buffer_offset));
- if (ret < 0)
- {
- printf("ERROR creating chwallpolicy buffer.\n");
- return -1;
- }
- bin_pol->len = htonl(ntohl(bin_pol->len) + ret);
-
- /* dump it and then push it down into xen/acm */
- acm_dump_policy_buffer(push_buffer, ntohl(bin_pol->len));
-
- op.cmd = ACM_SETPOLICY;
- op.interface_version = ACM_INTERFACE_VERSION;
- op.u.setpolicy.pushcache = (void *) push_buffer;
- op.u.setpolicy.pushcache_size = ntohl(bin_pol->len);
- ret = do_acm_op(xc_handle, &op);
-
- if (ret)
- printf("ERROR setting policy. Use 'xm dmesg' to see details.\n");
- else
- printf("Successfully changed policy.\n");
-
- return ret;
-}
-
/******************************* get policy ******************************/
#define PULL_CACHE_SIZE 8192
@@ -602,7 +427,6 @@
void usage(char *progname)
{
printf("Use: %s \n"
- "\t setpolicy\n"
"\t getpolicy\n"
"\t dumpstats\n"
"\t loadpolicy <binary policy file>\n", progname);
@@ -623,12 +447,7 @@
exit(-1);
}
- if (!strcmp(argv[1], "setpolicy"))
- {
- if (argc != 2)
- usage(argv[0]);
- ret = acm_domain_setpolicy(acm_cmd_fd);
- } else if (!strcmp(argv[1], "getpolicy")) {
+ if (!strcmp(argv[1], "getpolicy")) {
if (argc != 2)
usage(argv[0]);
ret = acm_domain_getpolicy(acm_cmd_fd);
diff -r 1895942150a5 -r 513acbeac420 xen/Rules.mk
--- a/xen/Rules.mk Fri Aug 19 08:55:03 2005
+++ b/xen/Rules.mk Fri Aug 19 09:03:17 2005
@@ -10,14 +10,6 @@
optimize ?= y
domu_debug ?= n
crash_debug ?= n
-
-# ACM_USE_SECURITY_POLICY is set to security policy of Xen
-# Supported models are:
-# ACM_NULL_POLICY (ACM will not be built with this policy)
-# ACM_CHINESE_WALL_POLICY
-# ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY
-# ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY
-ACM_USE_SECURITY_POLICY ?= ACM_NULL_POLICY
include $(BASEDIR)/../Config.mk
diff -r 1895942150a5 -r 513acbeac420 tools/security/example.txt
--- /dev/null Fri Aug 19 08:55:03 2005
+++ b/tools/security/example.txt Fri Aug 19 09:03:17 2005
@@ -0,0 +1,269 @@
+##
+# example.txt <description to the xen access control architecture>
+#
+# Author:
+# Reiner Sailer 08/15/2005 <sailer@xxxxxxxxxxxxxx>
+#
+#
+# This file introduces into the tools to manage policies
+# and to label domains and resources.
+##
+
+We will show how to install and use the chwall_ste policy.
+Other policies work similarly. Feedback welcome!
+
+
+
+1. Using secpol_xml2bin to translate the chwall_ste policy:
+===========================================================
+
+#tools/security/secpol_xml2bin chwall_ste
+
+Successful execution should print:
+
+ [root@laptopxn security]# ./secpol_xml2bin chwall_ste
+ Validating label file
policies/chwall_ste/chwall_ste-security_label_template.xml...
+ XML Schema policies/security_policy.xsd valid.
+ Validating policy file
policies/chwall_ste/chwall_ste-security_policy.xml...
+ XML Schema policies/security_policy.xsd valid.
+ Creating ssid mappings ...
+ Creating label mappings ...
+ Max chwall labels: 7
+ Max chwall-types: 4
+ Max chwall-ssids: 5
+ Max ste labels: 14
+ Max ste-types: 6
+ Max ste-ssids: 10
+
+The tool looks in directory policies/chwall_ste for
+the label and policy files.
+
+The default policy directory structure under tools/security looks like:
+
+policies
+|-- security_policy.xsd
+|-- chwall
+| |-- chwall-security_label_template.xml
+| `-- chwall-security_policy.xml
+|-- chwall_ste
+| |-- chwall_ste-security_label_template.xml
+| `-- chwall_ste-security_policy.xml
+|-- null
+| |-- null-security_label_template.xml
+| `-- null-security_policy.xml
+`-- ste
+ |-- ste-security_label_template.xml
+ `-- ste-security_policy.xml
+
+policies/security_policy.xsd contains the schema against which both the
+label-template and the policy files must validate during translation.
+
+policies/chwall_ste/chwall_ste-security_policy.xml defines the
+policies and the types known to the policies.
+
+policies/chwall_ste/chwall_ste-security_label_template.xml contains
+label definitions that group chwall and ste types together and make
+them easier to use for users
+
+After executing the above secpol_xml2bin command, you will find 2 new
+files in the policies/chwall_ste sub-directory:
+
+policies/chwall_ste/chwall_ste.map ... this file includes the mapping
+of names from the xml files into their binary code representation.
+
+policies/chwall_ste/chwall_ste.bin ... this is the binary policy file,
+the result of parsing the xml files and using the mapping to extract a
+binary version that can be loaded into the hypervisor.
+
+
+
+2. Loading and activating the policy:
+=====================================
+
+We assume that xen is already configured to use the chwall_ste policy;
+please refer to install.txt for instructions.
+
+To activate the policy from the command line (assuming that the
+currently established policy is the minimal boot-policy that is
+hard-coded into the hypervisor:
+
+# ./secpol_tool loadpolicy policies/chwall_ste/chwall_ste.bin
+
+To activate the policy at next reboot:
+
+# cp policies/chwall_ste/chwall_ste.bin /boot
+
+Add a module line to your /boot/grub/grub.conf Xen entry.
+My boot entry with chwall_ste enabled looks like this:
+
+ title Xen (2.6.12)
+ root (hd0,5)
+ kernel /boot/xen.gz dom0_mem=1200000 console=vga
+ module /boot/vmlinuz-2.6.12-xen0 ro root=/dev/hda6 rhgb
+ module /boot/initrd-2.6.12-xen0.img
+ module /boot/chwall_ste.bin
+
+This tells the grub boot-loader to load the binary policy, which
+the hypervisor will recognize. The hypervisor will then establish
+this binary policy during boot instead of the minimal policy that
+is hardcoded as default.
+
+If you have any trouble here, maks sure you have the access control
+framework enabled (see: install.txt).
+
+
+
+3. Labeling domains:
+====================
+
+a) Labeling Domain0:
+
+The chwall_ste-security_label_template.xml file includes an attribute
+"bootstrap", which is set to the label name that will be assigned to
+Dom0 (this label will be mapped to ssidref 1/1, the default for Dom0).
+
+b) Labeling User Domains:
+
+Use the script tools/security/setlabel.sh to choose a label and to
+assign labels to user domains.
+
+To show available labels for the chwall_ste policy:
+
+#tools/security/setlabel.sh -l
+
+lists all available labels. For the default chwall_ste it should print
+the following:
+
+ [root@laptopxn security]# ./setlabel.sh -l chwall_ste
+ The following labels are available:
+ dom_SystemManagement
+ dom_HomeBanking
+ dom_Fun
+ dom_BoincClient
+ dom_StorageDomain
+ dom_NetworkDomain
+
+You need to have compiled the policy beforehand so that a .map file
+exists. Setlabel.sh uses the mapping file created throughout the
+policy translation to translate a user-friendly label string into a
+ssidref-number that is eventually used by the Xen hypervisor.
+
+We distinguish two kinds of labels: a) VM labels (for domains) and RES
+Labels (for resources). We are currently working on support for
+resource labeling but will focus here on VM labels.
+
+Setlabel.sh only prints VM labels (which we have prefixed with "dom_")
+since only those are used at this time.
+
+If you would like to assign the dom_HomeBanking label to one of your
+user domains (which you hopefully keep clean), look at an example
+domain configuration homebanking.xm:
+
+ #------HOMEBANKING---------
+ kernel = "/boot/vmlinuz-2.6.12-xenU"
+ ramdisk="/boot/U1_ramdisk.img"
+ memory = 65
+ name = "test34"
+ cpu = -1 # leave to Xen to pick
+ # Number of network interfaces. Default is 1.
+ nics=1
+ dhcp="dhcp"
+ #-------------------------
+
+Now we label this domain
+
+[root@laptopxn security]# ./setlabel.sh homebanking.xm dom_HomeBanking
chwall_ste
+Mapped label 'dom_HomeBanking' to ssidref '0x00020002'.
+
+The domain configuration my look now like:
+
+ [root@laptopxn security]# cat homebanking.xm
+ #------HOMEBANKING---------
+ kernel = "/boot/vmlinuz-2.6.12-xenU"
+ ramdisk="/boot/U1_ramdisk.img"
+ memory = 65
+ name = "test34"
+ cpu = -1 # leave to Xen to pick
+ # Number of network interfaces. Default is 1.
+ nics=1
+ dhcp="dhcp"
+ #-------------------------
+ #ACM_POLICY=chwall_ste-security_policy.xml
+ #ACM_LABEL=dom_HomeBanking
+ ssidref = 0x00020002
+
+You can see 3 new entries, two of which are comments. The only value
+that the hypervisor cares about is the ssidref that will reference
+those types assigned to this label. You can look them up in the
+xml label-template file for the chwall_ste policy.
+
+This script will eventually move into the domain management and will
+be called when the domain is instantiated. For now, the setlabel
+script must be run on domains whenever the policy files change since
+the mapping between label names and ssidrefs can change in this case.
+
+
+4. Starting a labeled domain
+============================
+
+Now, start the domain:
+ #xm create -c homebanking.xm
+
+
+If you label another domain configuration as dom_Fun and try to start
+it afterwards, its start will fail. Why?
+
+Because the running homebanking domain has the chinese wall type
+"cw_Sensitive". The new domain dom_Fun has the chinese wall label
+"cw_Distrusted". This domain is not allowed to run simultaneously
+because of the defined conflict set
+
+ <conflictset name="Protection1">
+ <type>cw_Sensitive</type>
+ <type>cw_Distrusted</type>
+ </conflictset>
+
+(in policies/chwall_ste/chwall_ste-security_policy.xml), which says
+that only one of the types cw_sensitive and cw_Distrusted can run at a
+time.
+
+If you save or shutdown the HomeBanking domain, you will be able to
+start the "Fun" domain. You can look into the Xen log to see if a
+domain was denied to start because of the access control framework
+with the command 'xm dmesg'.
+
+It is important (and usually non-trivial) to define the labels in a
+way that the semantics of the labels are enforced and supported by the
+types and the conflict sets.
+
+Note: While the chinese wall policy enforcement is complete, the type
+enforcement is currently enforced in the Xen hypervisor
+only. Therefore, only point-to-point sharing with regard to the type
+enforcement is currently controlled. We are working on enhancements to
+Dom0 that enforce types also for network traffic that is routed
+through Dom0 and on the enforcement of resource labeling when binding
+resources to domains (e.g., enforcing types between domains and
+hardware resources, such as disk partitions).
+
+
+4. Adding your own policies
+===========================
+
+Writing your own policy (e.g. "mypolicy") requires the following:
+
+a) the policy definition (types etc.) file
+b) the label template definition (labels etc.) file
+
+If your policy name is "mypolicy", you need to create a
+subdirectory mypolicy in tools/security/policies.
+
+Then you create
+tools/security/policies/mypolicy/mypolicy-security_policy.xml and
+tools/security/policies/mypolicy/mypolicy-security_label_template.xml.
+
+You need to keep to the schema as defined in
+tools/security/security_policy.xsd since the translation tool
+secpol_xml2bin is written against this schema.
+
+If you keep to the security policy schema, then you can use all the
+tools described above. Refer to install.txt to install it.
diff -r 1895942150a5 -r 513acbeac420 tools/security/install.txt
--- /dev/null Fri Aug 19 08:55:03 2005
+++ b/tools/security/install.txt Fri Aug 19 09:03:17 2005
@@ -0,0 +1,67 @@
+##
+# install.txt <description to the xen access control architecture>
+#
+# Author:
+# Reiner Sailer 08/15/2005 <sailer@xxxxxxxxxxxxxx>
+#
+#
+# This file shows how to activate and install the access control
+# framework.
+##
+
+
+INSTALLING A SECURITY POLICY IN XEN
+===================================
+
+By default, the access control architecture is disabled in Xen. To
+enable the access control architecture in Xen follow the steps below.
+This description assumes that you want to install the Chinese Wall and
+Simple Type Enforcement policy. Some file names need to be replaced
+below to activate the Chinese Wall OR the Type Enforcement policy
+exclusively (chwall_ste --> {chwall, ste}).
+
+1. enable access control in Xen
+ # cd "xen_root"
+ # edit/xemacs/vi Config.mk
+
+ change the line:
+ ACM_USE_SECURITY_POLICY ?= ACM_NULL_POLICY
+
+ to:
+ ACM_USE_SECURITY_POLICY ?=
ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY
+
+ # make all
+ # ./install.sh
+
+2. compile the policy from xml to a binary format that can be loaded
+ into the hypervisor for enforcement
+ # cd tools/security
+ # make
+
+ manual steps (alternative to make boot_install):
+ #./secpol_xml2bin chwall_ste
+ #cp policies/chwall_ste/chwall_ste.bin /boot
+ #edit /boot/grub/grub.conf
+ add the follwoing line to your xen boot entry:
+ "module chwall_ste.bin"
+
+ alternatively, you can try our automatic translation and
+ installation of the policy:
+ # make boot_install
+
+ [we try hard to do the right thing to the right boot entry but
+ please verify boot entry in /boot/grub/grub.conf afterwards;
+ your xen boot entry should have an additional module line
+ specifying a chwall_ste.bin file with the correct directory
+ (e.g. "/" or "/boot").]
+
+
+3. reboot into the newly compiled hypervisor
+
+ after boot
+ #xm dmesg should show an entry about the policy being loaded
+ during the boot process
+
+ #tools/security/secpol_tool getpolicy
+ should print the new chwall_ste binary policy representation
+
diff -r 1895942150a5 -r 513acbeac420
tools/security/policies/chwall/chwall-security_label_template.xml
--- /dev/null Fri Aug 19 08:55:03 2005
+++ b/tools/security/policies/chwall/chwall-security_label_template.xml Fri Aug
19 09:03:17 2005
@@ -0,0 +1,76 @@
+<?xml version="1.0"?>
+<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com -->
+<!-- This file defines the security labels, which can -->
+<!-- be attached to Domains and resources. Based on -->
+<!-- these labels, the access control module decides -->
+<!-- about sharing between Domains and about access -->
+<!-- of Domains to real resources. -->
+
+<SecurityLabelTemplate
+ xmlns="http://www.ibm.com"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.ibm.com security_policy.xsd">
+ <LabelHeader>
+ <Name>chwall-security_label_template</Name>
+ <Date>2005-08-10</Date>
+ <PolicyName>
+ <Url>chwall-security_policy.xml</Url>
+ <Reference>abcdef123456abcdef</Reference>
+ </PolicyName>
+ </LabelHeader>
+
+ <SubjectLabels bootstrap="dom_SystemManagement">
+ <!-- single ste typed domains -->
+ <!-- ACM enforces that only domains with -->
+ <!-- the same type can share information -->
+ <!-- -->
+ <!-- Bootstrap label is assigned to Dom0 -->
+ <VirtualMachineLabel>
+ <Name>dom_HomeBanking</Name>
+ <ChineseWallTypes>
+ <Type>cw_Sensitive</Type>
+ </ChineseWallTypes>
+ </VirtualMachineLabel>
+
+ <VirtualMachineLabel>
+ <Name>dom_Fun</Name>
+ <ChineseWallTypes>
+ <Type>cw_Distrusted</Type>
+ </ChineseWallTypes>
+ </VirtualMachineLabel>
+
+ <VirtualMachineLabel>
+ <!-- donating some cycles to seti@home -->
+ <Name>dom_BoincClient</Name>
+ <ChineseWallTypes>
+ <Type>cw_Isolated</Type>
+ </ChineseWallTypes>
+ </VirtualMachineLabel>
+
+ <!-- Domains with multiple ste types services; such domains -->
+ <!-- must keep the types inside their domain safely confined. -->
+ <VirtualMachineLabel>
+ <Name>dom_SystemManagement</Name>
+ <ChineseWallTypes>
+ <Type>cw_SystemManagement</Type>
+ </ChineseWallTypes>
+ </VirtualMachineLabel>
+
+ <VirtualMachineLabel>
+ <!-- serves persistent storage to other domains -->
+ <Name>dom_StorageDomain</Name>
+ <ChineseWallTypes>
+ <Type>cw_SystemManagement</Type>
+ </ChineseWallTypes>
+ </VirtualMachineLabel>
+
+ <VirtualMachineLabel>
+ <!-- serves network access to other domains -->
+ <Name>dom_NetworkDomain</Name>
+ <ChineseWallTypes>
+ <Type>cw_SystemManagement</Type>
+ </ChineseWallTypes>
+ </VirtualMachineLabel>
+ </SubjectLabels>
+</SecurityLabelTemplate>
+
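Review bot: `<Reference>abcdef123456abcdef</Reference>` inside `<PolicyName>` reads as a placeholder rather than a real reference to chwall-security_policy.xml; if the Reference is meant to bind a label template to a specific policy (the schema is not in this patch, so this is inferred), a dummy value means a label template and a mismatched policy could be translated together without complaint, and the value should either be generated by secpol_xml2bin or documented as unused. The same placeholder appears in chwall_ste-security_label_template.xml. The comment `<!-- single ste typed domains -->` above the SubjectLabels is carried over from the chwall_ste template; this file defines only Chinese Wall types, so `<!-- single chinese-wall typed domains -->` would fit.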
diff -r 1895942150a5 -r 513acbeac420
tools/security/policies/chwall/chwall-security_policy.xml
--- /dev/null Fri Aug 19 08:55:03 2005
+++ b/tools/security/policies/chwall/chwall-security_policy.xml Fri Aug 19
09:03:17 2005
@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com -->
+<!-- This file defines the security policies, which -->
+<!-- can be enforced by the Xen Access Control Module. -->
+<!-- Currently: Chinese Wall and Simple Type Enforcement-->
+<SecurityPolicyDefinition xmlns="http://www.ibm.com"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.ibm.com security_policy.xsd">
+<PolicyHeader>
+ <Name>chwall-security_policy</Name>
+ <Date>2005-08-10</Date>
+</PolicyHeader>
+<!-- -->
+<!-- example of a chinese wall type definition -->
+<!-- along with its conflict sets -->
+<!-- (typse in a confict set are exclusive, i.e. -->
+<!-- once a Domain with one type of a set is -->
+<!-- running, no other Domain with another type -->
+<!-- of the same conflict set can start.) -->
+ <ChineseWall priority="PrimaryPolicyComponent">
+ <ChineseWallTypes>
+ <Type>cw_SystemManagement</Type>
+ <Type>cw_Sensitive</Type>
+ <Type>cw_Isolated</Type>
+ <Type>cw_Distrusted</Type>
+ </ChineseWallTypes>
+
+ <ConflictSets>
+ <Conflict name="Protection1">
+ <Type>cw_Sensitive</Type>
+ <Type>cw_Distrusted</Type>
+ </Conflict>
+ </ConflictSets>
+ </ChineseWall>
+</SecurityPolicyDefinition>
+
diff -r 1895942150a5 -r 513acbeac420
tools/security/policies/chwall_ste/chwall_ste-security_label_template.xml
--- /dev/null Fri Aug 19 08:55:03 2005
+++ b/tools/security/policies/chwall_ste/chwall_ste-security_label_template.xml
Fri Aug 19 09:03:17 2005
@@ -0,0 +1,167 @@
+<?xml version="1.0"?>
+<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com -->
+<!-- This file defines the security labels, which can -->
+<!-- be attached to Domains and resources. Based on -->
+<!-- these labels, the access control module decides -->
+<!-- about sharing between Domains and about access -->
+<!-- of Domains to real resources. -->
+
+<SecurityLabelTemplate
+ xmlns="http://www.ibm.com"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.ibm.com security_policy.xsd">
+ <LabelHeader>
+ <Name>chwall_ste-security_label_template</Name>
+ <Date>2005-08-10</Date>
+ <PolicyName>
+ <Url>chwall_ste-security_policy.xml</Url>
+ <Reference>abcdef123456abcdef</Reference>
+ </PolicyName>
+ </LabelHeader>
+
+ <SubjectLabels bootstrap="dom_SystemManagement">
+ <!-- single ste typed domains -->
+ <!-- ACM enforces that only domains with -->
+ <!-- the same type can share information -->
+ <!-- -->
+ <!-- Bootstrap label is assigned to Dom0 -->
+ <VirtualMachineLabel>
+ <Name>dom_HomeBanking</Name>
+ <SimpleTypeEnforcementTypes>
+ <Type>ste_PersonalFinances</Type>
+ </SimpleTypeEnforcementTypes>
+
+ <ChineseWallTypes>
+ <Type>cw_Sensitive</Type>
+ </ChineseWallTypes>
+ </VirtualMachineLabel>
+
+ <VirtualMachineLabel>
+ <Name>dom_Fun</Name>
+ <SimpleTypeEnforcementTypes>
+ <Type>ste_InternetInsecure</Type>
+ </SimpleTypeEnforcementTypes>
+
+ <ChineseWallTypes>
+ <Type>cw_Distrusted</Type>
+ </ChineseWallTypes>
+ </VirtualMachineLabel>
+
+ <VirtualMachineLabel>
+ <!-- donating some cycles to seti@home -->
+ <Name>dom_BoincClient</Name>
+ <SimpleTypeEnforcementTypes>
+ <Type>ste_DonatedCycles</Type>
+ </SimpleTypeEnforcementTypes>
+
+ <ChineseWallTypes>
+ <Type>cw_Isolated</Type>
+ </ChineseWallTypes>
+ </VirtualMachineLabel>
+
+ <!-- Domains with multiple ste types services; such domains -->
+ <!-- must keep the types inside their domain safely confined. -->
+ <VirtualMachineLabel>
+ <Name>dom_SystemManagement</Name>
+ <SimpleTypeEnforcementTypes>
+ <!-- since dom0 needs access to every domain and -->
+ <!-- resource right now ... -->
+ <Type>ste_SystemManagement</Type>
+ <Type>ste_PersonalFinances</Type>
+ <Type>ste_InternetInsecure</Type>
+ <Type>ste_DonatedCycles</Type>
+ <Type>ste_PersistentStorageA</Type>
+ <Type>ste_NetworkAdapter0</Type>
+ </SimpleTypeEnforcementTypes>
+
+ <ChineseWallTypes>
+ <Type>cw_SystemManagement</Type>
+ </ChineseWallTypes>
+ </VirtualMachineLabel>
+
+ <VirtualMachineLabel>
+ <!-- serves persistent storage to other domains -->
+ <Name>dom_StorageDomain</Name>
+ <SimpleTypeEnforcementTypes>
+ <!-- access right to the resource (hard drive a) -->
+ <Type>ste_PersistentStorageA</Type>
+ <!-- can serve following types -->
+ <Type>ste_PersonalFinances</Type>
+ <Type>ste_InternetInsecure</Type>
+ </SimpleTypeEnforcementTypes>
+
+ <ChineseWallTypes>
+ <Type>cw_SystemManagement</Type>
+ </ChineseWallTypes>
+ </VirtualMachineLabel>
+
+ <VirtualMachineLabel>
+ <!-- serves network access to other domains -->
+ <Name>dom_NetworkDomain</Name>
+ <SimpleTypeEnforcementTypes>
+ <!-- access right to the resource (ethernet card) -->
+ <Type>ste_NetworkAdapter0</Type>
+ <!-- can serve following types -->
+ <Type>ste_PersonalFinances</Type>
+ <Type>ste_InternetInsecure</Type>
+ <Type>ste_DonatedCycles</Type>
+ </SimpleTypeEnforcementTypes>
+
+ <ChineseWallTypes>
+ <Type>cw_SystemManagement</Type>
+ </ChineseWallTypes>
+ </VirtualMachineLabel>
+ </SubjectLabels>
+
+ <ObjectLabels>
+ <ResourceLabel>
+ <Name>res_ManagementResource</Name>
+ <SimpleTypeEnforcementTypes>
+ <Type>ste_SystemManagement</Type>
+ </SimpleTypeEnforcementTypes>
+ </ResourceLabel>
+
+ <ResourceLabel>
+ <Name>res_HardDrive (hda)</Name>
+ <SimpleTypeEnforcementTypes>
+ <Type>ste_PersistentStorageA</Type>
+ </SimpleTypeEnforcementTypes>
+ </ResourceLabel>
+
+ <ResourceLabel>
+ <Name>res_LogicalDiskPartition1 (hda1)</Name>
+ <SimpleTypeEnforcementTypes>
+ <Type>ste_PersonalFinances</Type>
+ </SimpleTypeEnforcementTypes>
+ </ResourceLabel>
+
+ <ResourceLabel>
+ <Name>res_LogicalDiskPartition2 (hda2)</Name>
+ <SimpleTypeEnforcementTypes>
+ <Type>ste_InternetInsecure</Type>
+ </SimpleTypeEnforcementTypes>
+ </ResourceLabel>
+
+ <ResourceLabel>
+ <Name>res_EthernetCard</Name>
+ <SimpleTypeEnforcementTypes>
+ <Type>ste_NetworkAdapter0</Type>
+ </SimpleTypeEnforcementTypes>
+ </ResourceLabel>
+
+ <ResourceLabel>
+ <Name>res_SecurityToken</Name>
+ <SimpleTypeEnforcementTypes>
+ <Type>ste_PersonalFinances</Type>
+ </SimpleTypeEnforcementTypes>
+ </ResourceLabel>
+
+ <ResourceLabel>
+ <Name>res_GraphicsAdapter</Name>
+ <SimpleTypeEnforcementTypes>
+ <Type>ste_SystemManagement</Type>
+ </SimpleTypeEnforcementTypes>
+ </ResourceLabel>
+ </ObjectLabels>
+</SecurityLabelTemplate>
+
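Review bot: The ResourceLabel names `res_HardDrive (hda)`, `res_LogicalDiskPartition1 (hda1)` and `res_LogicalDiskPartition2 (hda2)` contain spaces and parentheses, unlike every other label name in this patch; if the generated .map file or setlabel.sh tokenises label names on whitespace (example.txt describes the map as the name-to-ssidref lookup, but the tool source is not in this hunk), these three would be the first to break. Renaming them to `res_HardDrive_hda` etc., or a comment such as `<!-- label names must not contain whitespace -->`, settles the question for whoever adds resource labeling support later.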
diff -r 1895942150a5 -r 513acbeac420
tools/security/policies/chwall_ste/chwall_ste-security_policy.xml
--- /dev/null Fri Aug 19 08:55:03 2005
+++ b/tools/security/policies/chwall_ste/chwall_ste-security_policy.xml Fri Aug
19 09:03:17 2005
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com -->
+<!-- This file defines the security policies, which -->
+<!-- can be enforced by the Xen Access Control Module. -->
+<!-- Currently: Chinese Wall and Simple Type Enforcement-->
+<SecurityPolicyDefinition xmlns="http://www.ibm.com"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.ibm.com security_policy.xsd">
+<PolicyHeader>
+ <Name>chwall_ste-security_policy</Name>
+ <Date>2005-08-10</Date>
+</PolicyHeader>
+<!-- -->
+<!-- example of a simple type enforcement policy definition -->
+<!-- -->
+ <SimpleTypeEnforcement>
+ <SimpleTypeEnforcementTypes>
+ <Type>ste_SystemManagement</Type> <!-- machine/security
management -->
+ <Type>ste_PersonalFinances</Type> <!-- personal finances -->
+ <Type>ste_InternetInsecure</Type> <!-- games, active X, etc. -->
+ <Type>ste_DonatedCycles</Type> <!-- donation to
BOINC/seti@home -->
+ <Type>ste_PersistentStorageA</Type> <!-- domain managing the
harddrive A-->
+ <Type>ste_NetworkAdapter0</Type> <!-- type of the domain
managing ethernet adapter 0-->
+ </SimpleTypeEnforcementTypes>
+ </SimpleTypeEnforcement>
+<!-- -->
+<!-- example of a chinese wall type definition -->
+<!-- along with its conflict sets -->
+<!-- (typse in a confict set are exclusive, i.e. -->
+<!-- once a Domain with one type of a set is -->
+<!-- running, no other Domain with another type -->
+<!-- of the same conflict set can start.) -->
+ <ChineseWall priority="PrimaryPolicyComponent">
+ <ChineseWallTypes>
+ <Type>cw_SystemManagement</Type>
+ <Type>cw_Sensitive</Type>
+ <Type>cw_Isolated</Type>
+ <Type>cw_Distrusted</Type>
+ </ChineseWallTypes>
+
+ <ConflictSets>
+ <Conflict name="Protection1">
+ <Type>cw_Sensitive</Type>
+ <Type>cw_Distrusted</Type>
+ </Conflict>
+ </ConflictSets>
+ </ChineseWall>
+</SecurityPolicyDefinition>
+
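Review bot: The explanatory comment block at L1032 reads "typse in a confict set", which will be copied into every policy derived from this example; it should read `<!-- (types in a conflict set are exclusive, i.e. -->`. The same block is the only in-file statement of what a ConflictSet means, so it is worth getting right, and the STE type list above it (L1017-L1026) would also benefit from a one-line note that these names must match exactly the `<Type>` names used in the label template.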
diff -r 1895942150a5 -r 513acbeac420
tools/security/policies/null/null-security_label_template.xml
--- /dev/null Fri Aug 19 08:55:03 2005
+++ b/tools/security/policies/null/null-security_label_template.xml Fri Aug
19 09:03:17 2005
@@ -0,0 +1,24 @@
+<?xml version="1.0"?>
+<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com -->
+<!-- This file defines the security labels, which can -->
+<!-- be attached to Domains and resources. Based on -->
+<!-- these labels, the access control module decides -->
+<!-- about sharing between Domains and about access -->
+<!-- of Domains to real resources. -->
+
+<SecurityLabelTemplate
+ xmlns="http://www.ibm.com"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.ibm.com security_policy.xsd">
+ <LabelHeader>
+ <Name>null-security_label_template</Name>
+
+ <Date>2005-08-10</Date>
+ <PolicyName>
+ <Url>null-security_policy.xml</Url>
+
+ <Reference>abcdef123456abcdef</Reference>
+ </PolicyName>
+ </LabelHeader>
+</SecurityLabelTemplate>
+
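Review bot: `<Reference>abcdef123456abcdef</Reference>` on L1078 is an obvious placeholder, and the identical value is shipped in the ste template (L1294); the schema only requires Reference to be a string, so nothing in these files ties a label template to the policy named in `<Url>`. If Reference is meant to be a digest of the referenced policy, the translator should compute and compare it and reject a mismatch, since otherwise a template could be translated against a policy whose type set differs from the one it was written for; if it is not, a comment saying what the field is for would help. At minimum mark the shipped value, e.g. `<!-- Reference: placeholder, not yet checked against the policy file -->`.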
diff -r 1895942150a5 -r 513acbeac420
tools/security/policies/null/null-security_policy.xml
--- /dev/null Fri Aug 19 08:55:03 2005
+++ b/tools/security/policies/null/null-security_policy.xml Fri Aug 19
09:03:17 2005
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com -->
+<!-- This file defines the security policies, which -->
+<!-- can be enforced by the Xen Access Control Module. -->
+<!-- Currently: Chinese Wall and Simple Type Enforcement-->
+<SecurityPolicyDefinition xmlns="http://www.ibm.com"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.ibm.com security_policy.xsd">
+<PolicyHeader>
+ <Name>null-security_policy</Name>
+ <Date>2005-08-10</Date>
+</PolicyHeader>
+</SecurityPolicyDefinition>
+
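Review bot: The header comment on L1091-L1093 says this file defines Chinese Wall and Simple Type Enforcement policies, but the null policy contains only a PolicyHeader and no policy component; the same boilerplate appears in ste-security_policy.xml (L1428-L1430), which defines STE only. Replace it per file with a comment that states what the file actually contains, e.g. `<!-- Null policy: defines no policy components (no types, no rules) -->` here.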
diff -r 1895942150a5 -r 513acbeac420 tools/security/policies/security_policy.xsd
--- /dev/null Fri Aug 19 08:55:03 2005
+++ b/tools/security/policies/security_policy.xsd Fri Aug 19 09:03:17 2005
@@ -0,0 +1,138 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Author: Ray Valdez, Reiner Sailer {rvaldez,sailer}@us.ibm.com -->
+<!-- This file defines the schema, which is used to define -->
+<!-- the security policy and the security labels in Xe. -->
+
+<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
targetNamespace="http://www.ibm.com" xmlns="http://www.ibm.com"
elementFormDefault="qualified">
+ <xsd:element name="SecurityPolicyDefinition">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element ref="PolicyHeader" minOccurs="0"
maxOccurs="1"></xsd:element>
+ <xsd:element ref="SimpleTypeEnforcement"
minOccurs="0" maxOccurs="1"></xsd:element>
+ <xsd:element ref="ChineseWall" minOccurs="0"
maxOccurs="1"></xsd:element>
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+ <xsd:element name="SecurityLabelTemplate">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element ref="LabelHeader" minOccurs="1"
maxOccurs="1"></xsd:element>
+ <xsd:element name="SubjectLabels" minOccurs="0"
maxOccurs="1">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element
ref="VirtualMachineLabel" minOccurs="1" maxOccurs="unbounded"></xsd:element>
+ </xsd:sequence>
+ <xsd:attribute name="bootstrap"
type="xsd:string" use="required"></xsd:attribute>
+ </xsd:complexType>
+ </xsd:element>
+ <xsd:element name="ObjectLabels" minOccurs="0"
maxOccurs="1">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element
ref="ResourceLabel" minOccurs="1" maxOccurs="unbounded"></xsd:element>
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+ <xsd:element name="PolicyHeader">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element ref="Name" minOccurs="1"
maxOccurs="1" />
+ <xsd:element ref="Date" minOccurs="1"
maxOccurs="1" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+ <xsd:element name="LabelHeader">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element ref="Name"></xsd:element>
+ <xsd:element ref="Date" minOccurs="1"
maxOccurs="1"></xsd:element>
+ <xsd:element ref="PolicyName" minOccurs="1"
maxOccurs="1"></xsd:element>
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+ <xsd:element name="SimpleTypeEnforcement">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element ref="SimpleTypeEnforcementTypes" />
+ </xsd:sequence>
+ <xsd:attribute name="priority" type="PolicyOrder"
use="optional"></xsd:attribute>
+ </xsd:complexType>
+ </xsd:element>
+ <xsd:element name="ChineseWall">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element ref="ChineseWallTypes" />
+ <xsd:element ref="ConflictSets" />
+ </xsd:sequence>
+ <xsd:attribute name="priority" type="PolicyOrder"
use="optional"></xsd:attribute>
+ </xsd:complexType>
+ </xsd:element>
+ <xsd:element name="ChineseWallTypes">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element maxOccurs="unbounded"
minOccurs="1" ref="Type" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+ <xsd:element name="ConflictSets">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element maxOccurs="unbounded"
minOccurs="1" ref="Conflict" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+ <xsd:element name="SimpleTypeEnforcementTypes">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element maxOccurs="unbounded"
minOccurs="1" ref="Type" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+ <xsd:element name="Conflict">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element maxOccurs="unbounded"
minOccurs="1" ref="Type" />
+ </xsd:sequence>
+ <xsd:attribute name="name" type="xsd:string"
use="optional"></xsd:attribute>
+ </xsd:complexType>
+ </xsd:element>
+ <xsd:element name="VirtualMachineLabel">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element ref="Name"></xsd:element>
+ <xsd:element ref="SimpleTypeEnforcementTypes"
minOccurs="0" maxOccurs="unbounded" />
+ <xsd:element ref="ChineseWallTypes"
minOccurs="0" maxOccurs="unbounded" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+ <xsd:element name="ResourceLabel">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element ref="Name"></xsd:element>
+ <xsd:element ref="SimpleTypeEnforcementTypes"
minOccurs="0" maxOccurs="unbounded" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+ <xsd:element name="PolicyName">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element ref="Url" />
+ <xsd:element ref="Reference" />
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+ <xsd:element name="Date" type="xsd:string" />
+ <xsd:element name="Name" type="xsd:string" />
+ <xsd:element name="Type" type="xsd:string" />
+ <xsd:element name="Reference" type="xsd:string" />
+ <xsd:element name="Url"></xsd:element>
+
+ <xsd:simpleType name="PolicyOrder">
+ <xsd:restriction base="xsd:string">
+ <xsd:enumeration
value="PrimaryPolicyComponent"></xsd:enumeration>
+ </xsd:restriction>
+ </xsd:simpleType>
+
+</xsd:schema>
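Review bot: Every identifier in the schema is a bare xsd:string (L1257-L1260; `Url` at L1261 has no type at all), so schema validation does not check that a `<Type>` named in a `<Conflict>`, `VirtualMachineLabel` or `ResourceLabel` is declared in the policy's type lists, nor that the required `bootstrap` attribute (L1139-L1140) names a defined VirtualMachineLabel. The translator therefore has to perform those cross-checks itself and fail on an unknown name rather than skip it, since a silently dropped type could give a label fewer (or, if mapped to a default, more) rights than its author intended. Within the policy document alone, `xsd:key`/`xsd:keyref` could express "conflict-set types must be declared ChineseWallTypes", but the label template is a separate document, so the label-to-policy binding check belongs in secpol_xml2bin. Typing `Date` as `xsd:date` instead of `xsd:string` would also reject malformed dates at validation time.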
diff -r 1895942150a5 -r 513acbeac420
tools/security/policies/ste/ste-security_label_template.xml
--- /dev/null Fri Aug 19 08:55:03 2005
+++ b/tools/security/policies/ste/ste-security_label_template.xml Fri Aug
19 09:03:17 2005
@@ -0,0 +1,143 @@
+<?xml version="1.0"?>
+<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com -->
+<!-- This file defines the security labels, which can -->
+<!-- be attached to Domains and resources. Based on -->
+<!-- these labels, the access control module decides -->
+<!-- about sharing between Domains and about access -->
+<!-- of Domains to real resources. -->
+
+<SecurityLabelTemplate
+ xmlns="http://www.ibm.com"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.ibm.com security_policy.xsd">
+ <LabelHeader>
+ <Name>ste-security_label_template</Name>
+ <Date>2005-08-10</Date>
+ <PolicyName>
+ <Url>ste-security_policy.xml</Url>
+ <Reference>abcdef123456abcdef</Reference>
+ </PolicyName>
+ </LabelHeader>
+
+ <SubjectLabels bootstrap="dom_SystemManagement">
+ <!-- single ste typed domains -->
+ <!-- ACM enforces that only domains with -->
+ <!-- the same type can share information -->
+ <!-- -->
+ <!-- Bootstrap label is assigned to Dom0 -->
+ <VirtualMachineLabel>
+ <Name>dom_HomeBanking</Name>
+ <SimpleTypeEnforcementTypes>
+ <Type>ste_PersonalFinances</Type>
+ </SimpleTypeEnforcementTypes>
+ </VirtualMachineLabel>
+
+ <VirtualMachineLabel>
+ <Name>dom_Fun</Name>
+ <SimpleTypeEnforcementTypes>
+ <Type>ste_InternetInsecure</Type>
+ </SimpleTypeEnforcementTypes>
+ </VirtualMachineLabel>
+
+ <VirtualMachineLabel>
+ <!-- donating some cycles to seti@home -->
+ <Name>dom_BoincClient</Name>
+ <SimpleTypeEnforcementTypes>
+ <Type>ste_DonatedCycles</Type>
+ </SimpleTypeEnforcementTypes>
+ </VirtualMachineLabel>
+
+ <!-- Domains with multiple ste types services; such domains -->
+ <!-- must keep the types inside their domain safely confined. -->
+ <VirtualMachineLabel>
+ <Name>dom_SystemManagement</Name>
+ <SimpleTypeEnforcementTypes>
+ <!-- since dom0 needs access to every domain and -->
+ <!-- resource right now ... -->
+ <Type>ste_SystemManagement</Type>
+ <Type>ste_PersonalFinances</Type>
+ <Type>ste_InternetInsecure</Type>
+ <Type>ste_DonatedCycles</Type>
+ <Type>ste_PersistentStorageA</Type>
+ <Type>ste_NetworkAdapter0</Type>
+ </SimpleTypeEnforcementTypes>
+ </VirtualMachineLabel>
+
+ <VirtualMachineLabel>
+ <!-- serves persistent storage to other domains -->
+ <Name>dom_StorageDomain</Name>
+ <SimpleTypeEnforcementTypes>
+ <!-- access right to the resource (hard drive a) -->
+ <Type>ste_PersistentStorageA</Type>
+ <!-- can serve following types -->
+ <Type>ste_PersonalFinances</Type>
+ <Type>ste_InternetInsecure</Type>
+ </SimpleTypeEnforcementTypes>
+ </VirtualMachineLabel>
+
+ <VirtualMachineLabel>
+ <!-- serves network access to other domains -->
+ <Name>dom_NetworkDomain</Name>
+ <SimpleTypeEnforcementTypes>
+ <!-- access right to the resource (ethernet card) -->
+ <Type>ste_NetworkAdapter0</Type>
+ <!-- can serve following types -->
+ <Type>ste_PersonalFinances</Type>
+ <Type>ste_InternetInsecure</Type>
+ <Type>ste_DonatedCycles</Type>
+ </SimpleTypeEnforcementTypes>
+ </VirtualMachineLabel>
+ </SubjectLabels>
+
+ <ObjectLabels>
+ <ResourceLabel>
+ <Name>res_ManagementResource</Name>
+ <SimpleTypeEnforcementTypes>
+ <Type>ste_SystemManagement</Type>
+ </SimpleTypeEnforcementTypes>
+ </ResourceLabel>
+
+ <ResourceLabel>
+ <Name>res_HardDrive (hda)</Name>
+ <SimpleTypeEnforcementTypes>
+ <Type>ste_PersistentStorageA</Type>
+ </SimpleTypeEnforcementTypes>
+ </ResourceLabel>
+
+ <ResourceLabel>
+ <Name>res_LogicalDiskPartition1 (hda1)</Name>
+ <SimpleTypeEnforcementTypes>
+ <Type>ste_PersonalFinances</Type>
+ </SimpleTypeEnforcementTypes>
+ </ResourceLabel>
+
+ <ResourceLabel>
+ <Name>res_LogicalDiskPartition2 (hda2)</Name>
+ <SimpleTypeEnforcementTypes>
+ <Type>ste_InternetInsecure</Type>
+ </SimpleTypeEnforcementTypes>
+ </ResourceLabel>
+
+ <ResourceLabel>
+ <Name>res_EthernetCard</Name>
+ <SimpleTypeEnforcementTypes>
+ <Type>ste_NetworkAdapter0</Type>
+ </SimpleTypeEnforcementTypes>
+ </ResourceLabel>
+
+ <ResourceLabel>
+ <Name>res_SecurityToken</Name>
+ <SimpleTypeEnforcementTypes>
+ <Type>ste_PersonalFinances</Type>
+ </SimpleTypeEnforcementTypes>
+ </ResourceLabel>
+
+ <ResourceLabel>
+ <Name>res_GraphicsAdapter</Name>
+ <SimpleTypeEnforcementTypes>
+ <Type>ste_SystemManagement</Type>
+ </SimpleTypeEnforcementTypes>
+ </ResourceLabel>
+ </ObjectLabels>
+</SecurityLabelTemplate>
+
diff -r 1895942150a5 -r 513acbeac420
tools/security/policies/ste/ste-security_policy.xml
--- /dev/null Fri Aug 19 08:55:03 2005
+++ b/tools/security/policies/ste/ste-security_policy.xml Fri Aug 19
09:03:17 2005
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com -->
+<!-- This file defines the security policies, which -->
+<!-- can be enforced by the Xen Access Control Module. -->
+<!-- Currently: Chinese Wall and Simple Type Enforcement-->
+<SecurityPolicyDefinition xmlns="http://www.ibm.com"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.ibm.com security_policy.xsd">
+<PolicyHeader>
+ <Name>ste-security_policy</Name>
+ <Date>2005-08-10</Date>
+</PolicyHeader>
+<!-- -->
+<!-- example of a simple type enforcement policy definition -->
+<!-- -->
+ <SimpleTypeEnforcement>
+ <SimpleTypeEnforcementTypes>
+ <Type>ste_SystemManagement</Type> <!-- machine/security
management -->
+ <Type>ste_PersonalFinances</Type> <!-- personal finances -->
+ <Type>ste_InternetInsecure</Type> <!-- games, active X, etc. -->
+ <Type>ste_DonatedCycles</Type> <!-- donation to
BOINC/seti@home -->
+ <Type>ste_PersistentStorageA</Type> <!-- domain managing the
harddrive A-->
+ <Type>ste_NetworkAdapter0</Type> <!-- type of the domain
managing ethernet adapter 0-->
+ </SimpleTypeEnforcementTypes>
+ </SimpleTypeEnforcement>
+</SecurityPolicyDefinition>
+
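Review bot: The STE type names defined here, `ste_PersistentStorageA` (L1449) and `ste_NetworkAdapter0` (L1451), do not match the names policy.txt documents for the same types, `ste_PersistentStorage` (L1735) and `ste_NetworkAccess` (L1738). Types are presumably matched to labels by exact name, so an administrator who follows the documentation and writes ste_PersistentStorage into a label template gets a type that does not exist in the policy; the documentation should use the exact names from this file (the chwall_ste policy at L1023-L1026 uses the same names as this one).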
diff -r 1895942150a5 -r 513acbeac420 tools/security/policy.txt
--- /dev/null Fri Aug 19 08:55:03 2005
+++ b/tools/security/policy.txt Fri Aug 19 09:03:17 2005
@@ -0,0 +1,405 @@
+##
+# policy.txt <description to the Xen access control architecture>
+#
+# Author:
+# Reiner Sailer 08/15/2005 <sailer@xxxxxxxxxxxxxx>
+#
+#
+# This file gives an overview of the security policies currently
+# provided and also gives some reasoning about how to assign
+# labels to domains.
+##
+
+Xen access control policies
+
+
+General explanation of supported security policies:
+=====================================================
+
+We have implemented the mandatory access control architecture of our
+hypervisor security architecture (sHype) for the Xen hypervisor. It
+controls communication (in Xen: event channels, grant tables) between
+Virtual Machines (from here on called domains) and through this the
+virtual block devices, networking, and shared memory are implemented
+on top of these communication means. While we have implemented the
+described policies and access control architecture for other
+hypervisor systems, we will describe below specifically its
+implementation and use in the Xen hypervisor. The policy enforcement
+is called mandatory regarding user domains since the policy it is
+given by the security administration and enforced independently of the
+user domains by the Xen hypervisor in cooperation with the domain
+management.
+
+The access control architecture consists of three parts:
+
+i) The access control policy determines the "command set" of the ACM
+and the hooks with which they can be configured to constrain the
+sharing of virtual resources. The current access control architecture
+implemented for Xen supports two policies: Chinese Wall and Simple
+Type Enforcement, which we describe in turn below.
+
+
+ii) The actually enforced policy instantiation uses the policy
+language (i) to configure the Xen access control in a way that suits
+the specific application (home desktop environment, company desktop,
+Web server system, etc.). We have defined an exemplary policy
+instantiation for Chinese Wall (chwall policy) and Simple Type
+Enforcement (ste policy) for a desktop system. We offer these policies
+in combination since they are controlling orthogonal events.
+
+
+iii) The access control module (ACM) and related hooks are part of the
+core hypervisor and their controls cannot be bypassed by domains. The
+ACM and hooks are the active security components. We refer to
+publications that describe how access control is enforced in the Xen
+hypervisor using the ACM (access decision) and the hooks (decision
+enforcement) inserted into the setup of event channels and grant
+tables, and into domain operations (create, destroy, save, restore,
+migrate). These controls decide based on the active policy
+configuration (see i. and ii.) if the operation proceeds of if the
+operation is aborted (denied).
+
+
+In general, security policy instantiations in the Xen access control
+framework are defined by two files:
+
+a) a single "policy-name"-security_policy.xml file that defines the
+types known to the ACM and policy rules based on these types
+
+b) a single "policy-name"-security_label_template.xml file that
+defines labels based on known types
+
+Every security policy has its own sub-directory under
+"Xen-root"/tools/security/policies in order to simplify their
+management and the security policy tools. We will describe those files
+for our example policy (Chinese Wall and Simple Type Enforcement) in
+more detail as we go along. Eventually, we will move towards a system
+installation where the policies will reside under /etc.
+
+
+CHINESE WALL
+============
+
+The Chinese Wall policy enables the user to define "which workloads
+(domain payloads) cannot run on a single physical system at the same
+time". Why would we want to prevent workloads from running at the same
+time on the same system? This supports requirements that can (but
+don't have to) be rooted in the measure of trust into the isolation of
+different domains that share the same hardware. Since the access
+control architecture aims at high performance and non-intrusive
+implementation, it currently does not address covert (timing) channels
+and aims at medium assurance. Users can apply the Chinese Wall policy
+to guarantee an air-gap between very sensitive payloads both regarding
+covert information channels and regarding resource starvation.
+
+To enable the CW control, each domain is labeled with a set of Chinese
+Wall types and CW Conflict Sets are defined which include those CW
+types that cannot run simultaneously on the same hardware. This
+interpretation of conflict sets is the only policy rule for the Chines
+Wall policy.
+
+This is enforced by controlling the start of domains according to
+their assigned CW worload types. Domains with Chinese Wall types that
+appear in a common conflict set are running mutually exclusive on a
+platform, i.e., once a domain with one of the cw-types of a conflict
+set is running, no domain with another cw-type of the same conflict
+set can start until the first domain is destroyed, paused, or migrated
+away from the physical system (this assumes that such a partition can
+no longer be observed). The idea is to assign cw-types according to
+the type of payload that a domain runs and to use the Chinese Wall
+policy to ensure that payload types can be differentiated by the
+hypervisor and can be prevented from being executed on the same system
+at the same time. Using the flexible CW policy maintains system
+consolidation and workload-balancing while introducing guaranteed
+constraints where necessary.
+
+
+Example of a Chinese Wall Policy Instantiation
+----------------------------------------------
+
+The file chwall-security_policy.xml defines the Chinese Wall types as
+well as the conflict sets for our example policy (you find it in the
+directory "xen_root"/tools/security/policies/chwall).
+
+It defines four Chinese Wall types (prefixed with cw_) with the
+following meaning:
+
+* cw_SystemsManagement is a type identifying workloads for systems
+management, e.g., domain management, device management, or hypervisor
+management.
+
+* cw_Sensitive is identifying workloads that are critical to the user
+for one reason or another.
+
+* cw_Distrusted is identifying workloads a user does not have much
+confidence in. E.g. a domain used for surfing in the internet without
+protection( i.e., active-X, java, java-script, executing web content)
+or for (Internet) Games should be typed this way.
+
+* cw_Isolated is identifying workloads that are supposedly isolated by
+use of the type enforcement policy (described below). For example, if
+a user wants to donate cycles to seti@home, she can setup a separate
+domain for a Boinc (http://boinc.ssl.berkeley.edu/) client, disable
+this domain from accessing the hard drive and from communicating to
+other local domains, and type it as cw_Isolated. We will look at a
+specific example later.
+
+The example policy uses the defined types to define one conflict set:
+Protection1 = {cw_Sensitive, cw_Distrusted}. This conflict set tells
+the hypervisor that once a domain typed as cw_Sensitive is running, a
+domain typed as cw_Distrusted cannot run concurrently (and the other
+way round). With this policy, a domain typed as cw_Isolated is allowed
+to run simultaneously with domains tagged as cw_Sensitive.
+
+Consequently, the access control module in the Xen hypervisor
+distinguishes in this example policy 4 different workload types in
+this example policy. It is the user's responsibility to type the
+domains in a way that reflects the workloads of these domains and, in
+the case of cw_Isolated, its properties, e.g. by configuring the
+sharing capabilities of the domain accordingly by using the simple
+type enforcement policy.
+
+Users can define their own or change the existing example policy
+according to their working environment and security requirements. To
+do so, replace the file chwall-security_policy.xml with the new
+policy.
+
+
+SIMPLE TYPE ENFORCEMENT
+=======================
+
+The file ste-security_policy.xml defines the simple type enforcement
+types for our example policy (you find it in the directory
+"xen_root"/tools/security/policies/ste). The Simple Type Enforcement
+policy defines which domains can share information with which other
+domains. To this end, it controls
+
+i) inter-domain communication channels (e.g., network traffic, events,
+and shared memory).
+
+ii) access of domains to physical resources (e.g., hard drive, network
+cards, graphics adapter, keyboard).
+
+In order to enable the hypervisor to distinguish different domains and
+the user to express access rules, the simple type enforcement defines
+a set of types (ste_types).
+
+The policy defines that communication between domains is allowed if
+the domains share a common STE type. As with the chwall types, STE
+types should enable the differentiation of workloads. The simple type
+enforcement access control implementation in the hypervisor enforces
+that domains can only communicate (setup event channels, grant tables)
+if they share a common type, i.e., both domains have assigned at least
+on type in common. A domain can access a resource, if the domain and
+the resource share a common type. Hence, assigning STE types to
+domains and resources allows users to define constraints on sharing
+between domains and to keep sensitive data confined from distrusted
+domains.
+
+Domain <--> Domain Sharing
+''''''''''''''''''''''''''
+(implemented but its effective use requires factorization of Dom0)
+
+a) Domains with a single STE type (general user domains): Sharing
+between such domains is enforced entirely by the hypervisor access
+control. It is independent of the domains and does not require their
+co-operation.
+
+b) Domains with multiple STE types: One example is a domain that
+virtualizes a physical resource (e.g., hard drive) and serves it as
+multiple virtual resources (virtual block drives) to other domains of
+different types. The idea is that only a specific device domain has
+assigned the type required to access the physical hard-drive. Logical
+drives are then assigned the types of domains that have access to this
+logical drive. Since the Xen hypervisor cannot distinguish between the
+logical drives, the access control (type enforcement) is delegated to
+the device domain, which has access to the types of domains requesting
+to mount a logical drive as well as the types assigned to the
+different available logical drives.
+
+Currently in Xen, Dom0 controls all hardware, needs to communicate
+with all domains during their setup, and intercepts all communication
+between domains. Consequently, Dom0 needs to be assigned all types
+used and must be completely trusted to maintain the separation of
+informatio ncoming from domains with different STE types. Thus a
+refactoring of Dom0 is recommended for stronger confinement
+guarantees.
+
+Domain --> RESOURCES Access
+'''''''''''''''''''''''''''
+(current work)
+
+We define for each resource that we want to distinguish a separate STE
+type. Each STE type is assigned to the respective resource and to
+those domains that are allowed to access this resource. Type
+enforcement will guarantee that other domains cannot access this
+resource since they don't share the resource's STE type.
+
+Since in the current implementation of Xen, Dom0 controls access to
+all hardware (e.g., disk drives, network), Domain-->Resource access
+control enforcement must be implemented in Dom0. This is possible
+since Dom0 has access to both the domain configuration (including the
+domain STE types) and the resource configuration (including the
+resource STE types).
+
+For purposes of gaining higher assurance in the resulting system, it
+may be desirable to reduce the size of dom0 by adding one or more
+"device domains" (DDs). These DDs, e.g. providing storage or network
+access, can support one or more physical devices, and manage
+enforcement of MAC policy relevant for said devices. Security benefits
+come from the smaller size of these DDs, as they can be more easily
+audited than monolithic device driver domains. DDs can help to obtain
+maximum security benefit from sHype.
+
+
+Example of a Simple Type Enforcement Policy Instantiation
+---------------------------------------------------------
+
+We define the following types:
+
+* ste_SystemManagement identifies workloads (and domains that runs
+them) that must share information to accomplish the management of the
+system
+
+* ste_PersonalFinances identifies workloads that are related to
+sensitive programs such as HomeBanking applications or safely
+configured web browsers for InternetBanking
+
+* ste_InternetInsecure identifies workloads that are very
+function-rich and unrestricted to offer for example an environment
+where internet games can run efficiently
+
+* ste_DonatedCycles identifies workloads that run on behalf of others,
+e.g. a Boinc client
+
+* ste_PersistentStorage identifies workloads that have direct access
+to persistent storage (e.g., hard drive)
+
+* ste_NetworkAccess identifies workload that have direct access to
+network cards and related networks
+
+
+
+SECURITY LABEL TEMPLATES
+========================
+
+We introduce security label templates because it is difficult for
+users to ensure tagging of domains consistently and since there are
+--as we have seen in the case of isolation-- useful dependencies
+between the policies. Security Label Templates define type sets that
+can be addressed by more user-friendly label names,
+e.g. dom_Homebanking describes a typical typeset tagged to domains
+used for sensitive Homebanking work-loads. Labels are defined in the
+file
+
+Using Security Label Templates has multiple advantages:
+a) easy reference of typical sets of type assignments
+b) consistent interpretation of type combinations
+c) meaningful application-level label names
+
+The definition of label templates depends on the combination of
+policies that are used. We will describe some of the labels defined
+for the Chinese Wall and Simple Type Enforcement combination.
+
+In the BoincClient example, the label_template file specifies that
+this Label is assigned the Chinese Wall type cw_Isolated. We do this
+assuming that this BoincClient is isolated against the rest of the
+system infrastructure (no persistent memory, no sharing with local
+domains). Since cw_Isolated is not included in any conflict set, it
+can run at any time concurrently with any other domain. The
+ste_DonatedCycles type assigned to the BoincClient reflect the
+isolation assumption: it is only assigned to the dom_NetworkDomain
+giving the BoincClient domain access to the network to communicate
+with its BoincServer.
+
+The strategy for combining types into Labels is the following: First
+we define a label for each type of general user domain
+(workload-oriented). Then we define a new label for each physical
+resource that shall be shared using a DD domain (e.g., disk) and for
+each logical resource offered through this physical resource (logical
+disk partition). We define then device domain labels (here:
+dom_SystemManagement, dom_StorageDomain, dom_NetworkDomain) which
+include the types of the physical resources (e.g. hda) their domains
+need to connect to. Such physical resources can only be accessed
+directly by device domains types with the respective device's STE
+type. Additionally we assign to such a device domain Label the STE
+types of those user domains that are allowed to access one of the
+logical resources (e.g., hda1, hda2) built on top of this physical
+resource through the device domain.
+
+
+Label Construction Example:
+---------------------------
+
+We define here a storage domain label for a domain that owns a real
+disk drive and creates the logical disk partitions hda1 and hda2 which
+it serves to domains labeled dom_HomeBanking and dom_Fun
+respectively. The labels we refer to are defined in the label template
+file policies/chwall_ste/chwall_ste-security-label-template.xml.
+
+step1: To distinguish different shared disk drives, we create a
+separate Label and STE type for each of them. Here: we create a type
+ste_PersistentStorageA for disk drive hda. If you have another disk
+drive, you may define another persistent storage type
+ste_PersistentStorageB in the chwall_ste-security_policy.xml.
+
+step2: To distinguish different domains, we create multiple domain
+labels including different types. Here: label dom_HomeBanking includes
+STE type ste_PersonalFinances, label dom_Fun includes STE type
+ste_InternetInsecure.
+
+step3: The storage domain in charge of the hard drive A needs access
+to this hard drive. Therefore the storage domain label
+dom_StorageDomain must include the type assigned to the hard drive
+(ste_PersistentStorageA).
+
+step4: In order to serve dom hda1 to domains labeled dom_HomeBanking
+and hda2 to domains labeled dom_Fun, the storage domain label must
+include the types of those domains as well (ste_PersonalFinance,
+ste_InternetInsecure).
+
+step5: In order to keep the data for different types safely apart, the
+different logical disk partitions must be assigned unique labels and
+types, which are used inside the storage domain to extend the ACM
+access enforcement to logical resources served from inside the storage
+domain. We define labels "res_LogicalDiskPartition1 (hda1)" and assign
+it to hda1 and "res_LogicalDiskPartition2 (hda2)" and assign it to
+hda2. These labels must include the STE types of those domains that
+are allowed to use them (e.g., ste_PersonalFinances for hda1).
+
+The overall mandatory access control is then enforced in 3 different
+Xen components and these components use a single consistent policy to
+co-operatively enforce the policy. In the storage domain example, we
+have three components that co-operate:
+
+1. The ACM module inside the hypervisor enforces: communication between
+user domains and the storage domain (only domains including types
+ste_PersonalFinances or ste_InternetInsecure can communicate with the
+storage domain and request access to logical resource). This confines
+the sharing to the types assigned to the storage domain.
+
+2. The domain management will enforce (work in progress): assignment of
+real resources (hda) to domains (storage domain) that share a
+type with the resource.
+
+3. If the storage domain serves multiple STE types (as in our example),
+it enforces (work in progress): that domains can access (mount)
+logical resources only if they share an STE type with the respective
+resource. In our example, domains with the STE type
+ste_PersonalFinances can request access (mount) to logical resource
+hda1 from the storage domain.
+
+If you look at the virtual machine label dom_StorageDomain, you will
+see the minimal set of types assigned to our domain manageing disk
+drive hda for serving logical disk partitions exclusively to
+dom_HomeBanking and dom_Fun.
+
+Similary, network domains can confine access to the network or
+network communication between user domains.
+
+As a result, device domains (e.g., storage domain, network domain)
+must be simple and small to ensure their correct co-operation in the
+type enforcement model. If such trust is not possible, then hardware
+should be assigned exclusively to a single type (or to a single
+partition) in which case the hypervisor ACM enforcement enforces the
+types independently.
diff -r 1895942150a5 -r 513acbeac420 tools/security/readme.txt
--- /dev/null Fri Aug 19 08:55:03 2005
+++ b/tools/security/readme.txt Fri Aug 19 09:03:17 2005
@@ -0,0 +1,29 @@
+
+##
+# readme.txt <description to the xen access control architecture>
+#
+# Author:
+# Reiner Sailer 08/15/2005 <sailer@xxxxxxxxxxxxxx>
+#
+#
+# This file is a toc for information regarding
+# the access control policy and tools in Xen.
+##
+
+1. policy.txt:
+
+ describes the general reasoning and examples for access
+ control policies in Xen
+
+
+2. install.txt
+
+ describes the activation of the access control framework
+ in Xen
+
+3. example.txt
+
+ describes the available tools for managing security policies
+ in Xen and the tools to label domains
+
+
diff -r 1895942150a5 -r 513acbeac420 tools/security/secpol_compat.h
--- /dev/null Fri Aug 19 08:55:03 2005
+++ b/tools/security/secpol_compat.h Fri Aug 19 09:03:17 2005
@@ -0,0 +1,14 @@
+/* secpol_compat.h
+ * 'translates' data types necessary to
+ * include <xen/acm.h>
+ */
+#include <stdint.h>
+
+typedef uint8_t u8;
+typedef uint16_t u16;
+typedef uint32_t u32;
+typedef uint64_t u64;
+typedef int8_t s8;
+typedef int16_t s16;
+typedef int32_t s32;
+typedef int64_t s64;
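Review bot: secpol_compat.h carries no include guard, so including it twice in one translation unit (directly, or through another header that needs the u8/u16/u32/u64 and s8..s64 names) redefines the typedefs, which pre-C11 compilers reject. Wrap the file in `#ifndef SECPOL_COMPAT_H` / `#define SECPOL_COMPAT_H` ... `#endif`. The header comment could also state that these names exist only so that `<xen/acm.h>` compiles in userspace, and that they must match the kernel-side definitions.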
diff -r 1895942150a5 -r 513acbeac420 tools/security/secpol_xml2bin.c
--- /dev/null Fri Aug 19 08:55:03 2005
+++ b/tools/security/secpol_xml2bin.c Fri Aug 19 09:03:17 2005
@@ -0,0 +1,1396 @@
+/****************************************************************
+ * secpol_xml2bin.c
+ *
+ * Copyright (C) 2005 IBM Corporation
+ *
+ * Author: Reiner Sailer <sailer@xxxxxxxxxx>
+ *
+ * Maintained:
+ * Reiner Sailer <sailer@xxxxxxxxxx>
+ * Ray Valdez <rvaldez@xxxxxxxxxx>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ *
+ * sHype policy translation tool. This tool takes an XML
+ * policy specification as input and produces a binary
+ * policy file that can be loaded into Xen through the
+ * ACM operations (secpol_tool loadpolicy) interface or at
+ * boot time (grub module parameter)
+ *
+ * indent -i4 -kr -nut
+ */
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <libgen.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/queue.h>
+#include <netinet/in.h>
+#include <libxml/xmlschemas.h>
+#include <libxml/parser.h>
+#include <libxml/tree.h>
+#include <libxml/xmlreader.h>
+#include "secpol_compat.h"
+#include <xen/acm.h>
+
+#include "secpol_xml2bin.h"
+
+#define DEBUG 0
+
+/* primary / secondary policy component setting */
+enum policycomponent { CHWALL, STE, NULLPOLICY }
+ primary = NULLPOLICY, secondary = NULLPOLICY;
+
+/* general list element for ste and chwall type queues */
+struct type_entry {
+ TAILQ_ENTRY(type_entry) entries;
+ char *name; /* name of type from xml file */
+ type_t mapping; /* type mapping into 16bit */
+};
+
+TAILQ_HEAD(tailhead, type_entry) ste_head, chwall_head;
+
+/* general list element for all label queues */
+enum label_type { VM, RES, ANY };
+struct ssid_entry {
+ TAILQ_ENTRY(ssid_entry) entries;
+ char *name; /* label name */
+ enum label_type type; /* type: VM / RESOURCE LABEL */
+ u_int32_t num; /* ssid or referenced ssid */
+ int is_ref; /* if this entry references earlier ssid
number */
+ unsigned char *row; /* index of types (if not a reference) */
+};
+
+TAILQ_HEAD(tailhead_ssid, ssid_entry) ste_ssid_head, chwall_ssid_head,
+ conflictsets_head;
+struct ssid_entry *current_chwall_ssid_p = NULL;
+struct ssid_entry *current_ste_ssid_p = NULL;
+struct ssid_entry *current_conflictset_p = NULL;
+
+/* which label to assign to dom0 during boot */
+char *bootstrap_label;
+
+u_int32_t max_ste_ssids = 0;
+u_int32_t max_chwall_ssids = 0;
+u_int32_t max_chwall_labels = 0;
+u_int32_t max_ste_labels = 0;
+u_int32_t max_conflictsets = 0;
+
+char *current_ssid_name; /* store name until structure is allocated */
+char *current_conflictset_name; /* store name until structure is allocated */
+
+/* dynamic list of type mappings for STE */
+u_int32_t max_ste_types = 0;
+
+/* dynamic list of type mappings for CHWALL */
+u_int32_t max_chwall_types = 0;
+
+/* dynamic list of conflict sets */
+int max_conflict_set = 0;
+
+/* which policies are defined */
+int have_ste = 0;
+int have_chwall = 0;
+
+/* input/output file names */
+char *policy_filename = NULL,
+ *label_filename = NULL,
+ *binary_filename = NULL, *mapping_filename = NULL;
+
+void usage(char *prg)
+{
+ printf("usage:\n%s policyname[-policy.xml/-security_label_template.xml]\n",
+ prg);
+ exit(EXIT_FAILURE);
+}
+
+
+/***************** policy-related parsing *********************/
+
+char *type_by_mapping(struct tailhead *head, u_int32_t mapping)
+{
+ struct type_entry *np;
+ for (np = head->tqh_first; np != NULL; np = np->entries.tqe_next)
+ if (np->mapping == mapping)
+ return np->name;
+ return NULL;
+}
+
+
+struct type_entry *lookup(struct tailhead *head, char *name)
+{
+ struct type_entry *np;
+ for (np = head->tqh_first; np != NULL; np = np->entries.tqe_next)
+ if (!(strcmp(np->name, name)))
+ return np;
+ return NULL;
+}
+
+/* enforces single-entry lists */
+int add_entry(struct tailhead *head, char *name, type_t mapping)
+{
+ struct type_entry *e;
+ if (lookup(head, name))
+ {
+ printf("Error: Type >%s< defined more than once.\n", name);
+ return -EFAULT; /* already in the list */
+ }
+ if (!(e = malloc(sizeof(struct type_entry))))
+ return -ENOMEM;
+
+ e->name = name;
+ e->mapping = mapping;
+ TAILQ_INSERT_TAIL(head, e, entries);
+ return 0;
+}
+
+int totoken(char *tok)
+{
+ int i;
+ for (i = 0; token[i] != NULL; i++)
+ if (!strcmp(token[i], tok))
+ return i;
+ return -EFAULT;
+}
+
+/* conflictsets use the same data structure as ssids; since
+ * they are similar in structure (set of types)
+ */
+int init_next_conflictset(void)
+{
+ struct ssid_entry *conflictset = malloc(sizeof(struct ssid_entry));
+
+ if (!conflictset)
+ return -ENOMEM;
+
+ conflictset->name = current_conflictset_name;
+ conflictset->num = max_conflictsets++;
+ conflictset->is_ref = 0; /* n/a for conflictsets */
+ /**
+ * row: allocate one byte per type;
+ * [i] != 0 --> mapped type >i< is part of the conflictset
+ */
+ conflictset->row = malloc(max_chwall_types);
+ if (!conflictset->row)
+ return -ENOMEM;
+
+ memset(conflictset->row, 0, max_chwall_types);
+ TAILQ_INSERT_TAIL(&conflictsets_head, conflictset, entries);
+ current_conflictset_p = conflictset;
+ return 0;
+}
+
+int register_type(xmlNode * cur_node, xmlDocPtr doc, unsigned long state)
+{
+ xmlChar *text;
+ struct type_entry *e;
+
+
+ text = xmlNodeListGetString(doc, cur_node->xmlChildrenNode, 1);
+ if (!text)
+ {
+ printf("Error reading type name!\n");
+ return -EFAULT;
+ }
+
+ switch (state) {
+ case XML2BIN_stetype_S:
+ if (add_entry(&ste_head, (char *) text, max_ste_types))
+ {
+ xmlFree(text);
+ return -EFAULT;
+ }
+ max_ste_types++;
+ break;
+
+ case XML2BIN_chwalltype_S:
+ if (add_entry(&chwall_head, (char *) text, max_chwall_types))
+ {
+ xmlFree(text);
+ return -EFAULT;
+ }
+ max_chwall_types++;
+ break;
+
+ case XML2BIN_conflictsettype_S:
+ /* a) search the type in the chwall_type list */
+ e = lookup(&chwall_head, (char *) text);
+ if (e == NULL)
+ {
+ printf("CS type >%s< not a CHWALL type.\n", text);
+ xmlFree(text);
+ return -EFAULT;
+ }
+ /* b) add type entry to the current cs set */
+ if (current_conflictset_p->row[e->mapping])
+ {
+ printf("ERROR: Double entry of type >%s< in conflict set %d.\n",
+ text, current_conflictset_p->num);
+ xmlFree(text);
+ return -EFAULT;
+ }
+ current_conflictset_p->row[e->mapping] = 1;
+ break;
+
+ default:
+ printf("Incorrect type environment (state = %lx, text = %s).\n",
+ state, text);
+ xmlFree(text);
+ return -EFAULT;
+ }
+ return 0;
+}
+
+void set_component_type(xmlNode * cur_node, enum policycomponent pc)
+{
+ xmlChar *order;
+
+ if ((order = xmlGetProp(cur_node, (xmlChar *)
PRIMARY_COMPONENT_ATTR_NAME))) {
+ if (strcmp((char *) order, PRIMARY_COMPONENT))
+ {
+ printf("ERROR: Illegal attribut value >order=%s<.\n",
+ (char *) order);
+ xmlFree(order);
+ exit(EXIT_FAILURE);
+ }
+ if (primary != NULLPOLICY)
+ {
+ printf("ERROR: Primary Policy Component set twice!\n");
+ exit(EXIT_FAILURE);
+ }
+ primary = pc;
+ xmlFree(order);
+ }
+}
+
+void walk_policy(xmlNode * start, xmlDocPtr doc, unsigned long state)
+{
+ xmlNode *cur_node = NULL;
+ int code;
+
+ for (cur_node = start; cur_node; cur_node = cur_node->next)
+ {
+ if ((code = totoken((char *) cur_node->name)) < 0)
+ {
+ printf("Unknown token: >%s<. Aborting.\n", cur_node->name);
+ exit(EXIT_FAILURE);
+ }
+ switch (code) { /* adjust state to new state */
+ case XML2BIN_SECPOL:
+ case XML2BIN_STETYPES:
+ case XML2BIN_CHWALLTYPES:
+ case XML2BIN_CONFLICTSETS:
+ walk_policy(cur_node->children, doc, state | (1 << code));
+ break;
+
+ case XML2BIN_STE:
+ if (WRITTEN_AGAINST_ACM_STE_VERSION != ACM_STE_VERSION)
+ {
+ printf("ERROR: This program was written against another STE
version.\n");
+ exit(EXIT_FAILURE);
+ }
+ have_ste = 1;
+ set_component_type(cur_node, STE);
+ walk_policy(cur_node->children, doc, state | (1 << code));
+ break;
+
+ case XML2BIN_CHWALL:
+ if (WRITTEN_AGAINST_ACM_CHWALL_VERSION != ACM_CHWALL_VERSION)
+ {
+ printf("ERROR: This program was written against another CHWALL
version.\n");
+ exit(EXIT_FAILURE);
+ }
+ have_chwall = 1;
+ set_component_type(cur_node, CHWALL);
+ walk_policy(cur_node->children, doc, state | (1 << code));
+ break;
+
+ case XML2BIN_CSTYPE:
+ current_conflictset_name =
+ (char *) xmlGetProp(cur_node, (xmlChar *) "name");
+ if (!current_conflictset_name)
+ current_conflictset_name = "";
+
+ if (init_next_conflictset())
+ {
+ printf
+ ("ERROR: creating new conflictset structure failed.\n");
+ exit(EXIT_FAILURE);
+ }
+ walk_policy(cur_node->children, doc, state | (1 << code));
+ break;
+
+ case XML2BIN_TYPE:
+ if (register_type(cur_node, doc, state))
+ exit(EXIT_FAILURE);
+ /* type leaf */
+ break;
+
+ case XML2BIN_TEXT:
+ case XML2BIN_COMMENT:
+ case XML2BIN_POLICYHEADER:
+ /* leaf - nothing to do */
+ break;
+
+ default:
+ printf("Unkonwn token Error (%d)\n", code);
+ exit(EXIT_FAILURE);
+ }
+
+ }
+ return;
+}
+
+int create_type_mapping(xmlDocPtr doc)
+{
+ xmlNode *root_element = xmlDocGetRootElement(doc);
+ struct type_entry *te;
+ struct ssid_entry *se;
+ int i;
+
+ printf("Creating ssid mappings ...\n");
+
+ /* initialize the ste and chwall type lists */
+ TAILQ_INIT(&ste_head);
+ TAILQ_INIT(&chwall_head);
+ TAILQ_INIT(&conflictsets_head);
+
+ walk_policy(root_element, doc, XML2BIN_NULL);
+
+ /* determine primary/secondary policy component orders */
+ if ((primary == NULLPOLICY) && have_chwall)
+ primary = CHWALL; /* default if not set */
+ else if ((primary == NULLPOLICY) && have_ste)
+ primary = STE;
+
+ switch (primary) {
+
+ case CHWALL:
+ if (have_ste)
+ secondary = STE;
+ /* else default = NULLPOLICY */
+ break;
+
+ case STE:
+ if (have_chwall)
+ secondary = CHWALL;
+ /* else default = NULLPOLICY */
+ break;
+
+ default:
+ /* NULL/NULL policy */
+ break;
+ }
+
+ if (!DEBUG)
+ return 0;
+
+ /* print queues */
+ if (have_ste)
+ {
+ printf("STE-Type queue (%s):\n",
+ (primary == STE) ? "PRIMARY" : "SECONDARY");
+ for (te = ste_head.tqh_first; te != NULL;
+ te = te->entries.tqe_next)
+ printf("name=%22s, map=%x\n", te->name, te->mapping);
+ }
+ if (have_chwall)
+ {
+ printf("CHWALL-Type queue (%s):\n",
+ (primary == CHWALL) ? "PRIMARY" : "SECONDARY");
+ for (te = chwall_head.tqh_first; te != NULL;
+ te = te->entries.tqe_next)
+ printf("name=%s, map=%x\n", te->name, te->mapping);
+
+ printf("Conflictset queue (max=%d):\n", max_conflictsets);
+ for (se = conflictsets_head.tqh_first; se != NULL;
+ se = se->entries.tqe_next)
+ {
+ printf("conflictset name >%s<\n",
+ se->name ? se->name : "NONAME");
+ for (i = 0; i < max_chwall_types; i++)
+ if (se->row[i])
+ printf("#%x ", i);
+ printf("\n");
+ }
+ }
+ return 0;
+}
+
+
+/***************** template-related parsing *********************/
+
+/* add default ssid at head of ssid queues */
+int init_ssid_queues(void)
+{
+ struct ssid_entry *default_ssid_chwall, *default_ssid_ste;
+
+ default_ssid_chwall = malloc(sizeof(struct ssid_entry));
+ default_ssid_ste = malloc(sizeof(struct ssid_entry));
+
+ if ((!default_ssid_chwall) || (!default_ssid_ste))
+ return -ENOMEM;
+
+ /* default chwall ssid */
+ default_ssid_chwall->name = "DEFAULT";
+ default_ssid_chwall->num = max_chwall_ssids++;
+ default_ssid_chwall->is_ref = 0;
+ default_ssid_chwall->type = ANY;
+
+ default_ssid_chwall->row = malloc(max_chwall_types);
+
+ if (!default_ssid_chwall->row)
+ return -ENOMEM;
+
+ memset(default_ssid_chwall->row, 0, max_chwall_types);
+
+ TAILQ_INSERT_TAIL(&chwall_ssid_head, default_ssid_chwall, entries);
+ current_chwall_ssid_p = default_ssid_chwall;
+ max_chwall_labels++;
+
+ /* default ste ssid */
+ default_ssid_ste->name = "DEFAULT";
+ default_ssid_ste->num = max_ste_ssids++;
+ default_ssid_ste->is_ref = 0;
+ default_ssid_ste->type = ANY;
+
+ default_ssid_ste->row = malloc(max_ste_types);
+
+ if (!default_ssid_ste->row)
+ return -ENOMEM;
+
+ memset(default_ssid_ste->row, 0, max_ste_types);
+
+ TAILQ_INSERT_TAIL(&ste_ssid_head, default_ssid_ste, entries);
+ current_ste_ssid_p = default_ssid_ste;
+ max_ste_labels++;
+ return 0;
+}
+
+int init_next_chwall_ssid(unsigned long state)
+{
+ struct ssid_entry *ssid = malloc(sizeof(struct ssid_entry));
+
+ if (!ssid)
+ return -ENOMEM;
+
+ ssid->name = current_ssid_name;
+ ssid->num = max_chwall_ssids++;
+ ssid->is_ref = 0;
+
+ if (state & (1 << XML2BIN_VM))
+ ssid->type = VM;
+ else
+ ssid->type = RES;
+ /**
+ * row: allocate one byte per type;
+ * [i] != 0 --> mapped type >i< is part of the ssid
+ */
+ ssid->row = malloc(max_chwall_types);
+ if (!ssid->row)
+ return -ENOMEM;
+
+ memset(ssid->row, 0, max_chwall_types);
+ TAILQ_INSERT_TAIL(&chwall_ssid_head, ssid, entries);
+ current_chwall_ssid_p = ssid;
+ max_chwall_labels++;
+ return 0;
+}
+
+int init_next_ste_ssid(unsigned long state)
+{
+ struct ssid_entry *ssid = malloc(sizeof(struct ssid_entry));
+
+ if (!ssid)
+ return -ENOMEM;
+
+ ssid->name = current_ssid_name;
+ ssid->num = max_ste_ssids++;
+ ssid->is_ref = 0;
+
+ if (state & (1 << XML2BIN_VM))
+ ssid->type = VM;
+ else
+ ssid->type = RES;
+
+ /**
+ * row: allocate one byte per type;
+ * [i] != 0 --> mapped type >i< is part of the ssid
+ */
+ ssid->row = malloc(max_ste_types);
+ if (!ssid->row)
+ return -ENOMEM;
+
+ memset(ssid->row, 0, max_ste_types);
+ TAILQ_INSERT_TAIL(&ste_ssid_head, ssid, entries);
+ current_ste_ssid_p = ssid;
+ max_ste_labels++;
+
+ return 0;
+}
+
+
+/* adds a type to the current ssid */
+int add_type(xmlNode * cur_node, xmlDocPtr doc, unsigned long state)
+{
+ xmlChar *text;
+ struct type_entry *e;
+
+ text = xmlNodeListGetString(doc, cur_node->xmlChildrenNode, 1);
+ if (!text)
+ {
+ printf("Error reading type name!\n");
+ return -EFAULT;
+ }
+ /* same for all: 1. lookup type mapping, 2. mark type in ssid */
+ switch (state) {
+ case XML2BIN_VM_STE_S:
+ case XML2BIN_RES_STE_S:
+ /* lookup the type mapping and include the type mapping into the array
*/
+ if (!(e = lookup(&ste_head, (char *) text)))
+ {
+ printf("ERROR: unknown VM STE type >%s<.\n", text);
+ exit(EXIT_FAILURE);
+ }
+ if (current_ste_ssid_p->row[e->mapping])
+ printf("Warning: double entry of VM STE type >%s<.\n", text);
+
+ current_ste_ssid_p->row[e->mapping] = 1;
+ break;
+
+ case XML2BIN_VM_CHWALL_S:
+ /* lookup the type mapping and include the type mapping into the array
*/
+ if (!(e = lookup(&chwall_head, (char *) text)))
+ {
+ printf("ERROR: unknown VM CHWALL type >%s<.\n", text);
+ exit(EXIT_FAILURE);
+ }
+ if (current_chwall_ssid_p->row[e->mapping])
+ printf("Warning: double entry of VM CHWALL type >%s<.\n",
+ text);
+
+ current_chwall_ssid_p->row[e->mapping] = 1;
+ break;
+
+ default:
+ printf("Incorrect type environment (state = %lx, text = %s).\n",
+ state, text);
+ xmlFree(text);
+ return -EFAULT;
+ }
+ return 0;
+}
+
+void set_bootstrap_label(xmlNode * cur_node)
+{
+ xmlChar *order;
+
+ if ((order = xmlGetProp(cur_node, (xmlChar *) BOOTSTRAP_LABEL_ATTR_NAME)))
+ bootstrap_label = (char *)order;
+ else {
+ printf("ERROR: No bootstrap label defined!\n");
+ exit(EXIT_FAILURE);
+ }
+}
+
+void walk_labels(xmlNode * start, xmlDocPtr doc, unsigned long state)
+{
+ xmlNode *cur_node = NULL;
+ int code;
+
+ for (cur_node = start; cur_node; cur_node = cur_node->next)
+ {
+ if ((code = totoken((char *) cur_node->name)) < 0)
+ {
+ printf("Unkonwn token: >%s<. Aborting.\n", cur_node->name);
+ exit(EXIT_FAILURE);
+ }
+ switch (code) { /* adjust state to new state */
+
+ case XML2BIN_SUBJECTS:
+ set_bootstrap_label(cur_node);
+ /* fall through */
+ case XML2BIN_VM:
+ case XML2BIN_RES:
+ case XML2BIN_SECTEMPLATE:
+ case XML2BIN_OBJECTS:
+ walk_labels(cur_node->children, doc, state | (1 << code));
+ break;
+
+ case XML2BIN_STETYPES:
+ /* create new ssid entry to use and point current to it */
+ if (init_next_ste_ssid(state))
+ {
+ printf("ERROR: creating new ste ssid structure failed.\n");
+ exit(EXIT_FAILURE);
+ }
+ walk_labels(cur_node->children, doc, state | (1 << code));
+
+ break;
+
+ case XML2BIN_CHWALLTYPES:
+ /* create new ssid entry to use and point current to it */
+ if (init_next_chwall_ssid(state))
+ {
+ printf("ERROR: creating new chwall ssid structure failed.\n");
+ exit(EXIT_FAILURE);
+ }
+ walk_labels(cur_node->children, doc, state | (1 << code));
+
+ break;
+
+ case XML2BIN_TYPE:
+ /* add type to current ssid */
+ if (add_type(cur_node, doc, state))
+ exit(EXIT_FAILURE);
+ break;
+
+ case XML2BIN_NAME:
+ if ((state != XML2BIN_VM_S) && (state != XML2BIN_RES_S))
+ {
+ printf("ERROR: >name< out of VM/RES context.\n");
+ exit(EXIT_FAILURE);
+ }
+ current_ssid_name = (char *)
+ xmlNodeListGetString(doc, cur_node->xmlChildrenNode, 1);
+
+ if (!current_ssid_name)
+ {
+ printf("ERROR: empty >name<!\n");
+ exit(EXIT_FAILURE);
+ }
+ break;
+
+ case XML2BIN_TEXT:
+ case XML2BIN_COMMENT:
+ case XML2BIN_LABELHEADER:
+ break;
+
+ default:
+ printf("Unkonwn token Error (%d)\n", code);
+ exit(EXIT_FAILURE);
+ }
+
+ }
+ return;
+}
+
+/* this function walks through a ssid queue
+ * and transforms double entries into references
+ * of the first definition (we need to keep the
+ * entry to map labels but we don't want double
+ * ssids in the binary policy
+ */
+void
+remove_doubles(struct tailhead_ssid *head,
+ u_int32_t max_types, u_int32_t * max_ssids)
+{
+ struct ssid_entry *np, *ni;
+
+ /* walk once through the list */
+ for (np = head->tqh_first; np != NULL; np = np->entries.tqe_next)
+ {
+ /* now search from the start until np for the same entry */
+ for (ni = head->tqh_first; ni != np; ni = ni->entries.tqe_next)
+ {
+ if (ni->is_ref)
+ continue;
+ if (memcmp(np->row, ni->row, max_types))
+ continue;
+ /* found one, set np reference to ni */
+ np->is_ref = 1;
+ np->num = ni->num;
+ (*max_ssids)--;
+ }
+ }
+
+ /* now minimize the ssid numbers used (doubles introduce holes) */
+ (*max_ssids) = 0; /* reset */
+
+ for (np = head->tqh_first; np != NULL; np = np->entries.tqe_next)
+ {
+ if (np->is_ref)
+ continue;
+
+ if (np->num != (*max_ssids)) {
+ /* first reset all later references to the new max_ssid */
+ for (ni = np->entries.tqe_next; ni != NULL; ni =
ni->entries.tqe_next)
+ {
+ if (ni->num == np->num)
+ ni->num = (*max_ssids);
+ }
+ /* now reset num */
+ np->num = (*max_ssids)++;
+ }
+ else
+ (*max_ssids)++;
+ }
+}
+
+/*
+ * will go away as soon as we have non-static bootstrap ssidref for dom0
+ */
+void fixup_bootstrap_label(struct tailhead_ssid *head,
+ u_int32_t max_types, u_int32_t * max_ssids)
+{
+ struct ssid_entry *np;
+ int i;
+
+ /* should not happen if xml / xsd checks work */
+ if (!bootstrap_label)
+ {
+ printf("ERROR: No bootstrap label defined.\n");
+ exit(EXIT_FAILURE);
+ }
+
+ /* search bootstrap_label */
+ for (np = head->tqh_first; np != NULL; np = np->entries.tqe_next)
+ {
+ if (!strcmp(np->name, bootstrap_label))
+ {
+ break;
+ }
+ }
+
+ if (!np) {
+ /* bootstrap label not found */
+ printf("ERROR: Bootstrap label >%s< not found.\n", bootstrap_label);
+ exit(EXIT_FAILURE);
+ }
+
+ /* move this entry ahead in the list right after the default entry so it
+ * receives ssidref 1/1 */
+ TAILQ_REMOVE(head, np, entries);
+ TAILQ_INSERT_AFTER(head, head->tqh_first, np, entries);
+
+ /* renumber the ssids (we could also just switch places with 1st element)
*/
+ for (np = head->tqh_first, i=0; np != NULL; np = np->entries.tqe_next, i++)
+ np->num = i;
+
+}
+
+int create_ssid_mapping(xmlDocPtr doc)
+{
+ xmlNode *root_element = xmlDocGetRootElement(doc);
+ struct ssid_entry *np;
+ int i;
+
+ printf("Creating label mappings ...\n");
+ /* initialize the ste and chwall type lists */
+ TAILQ_INIT(&chwall_ssid_head);
+ TAILQ_INIT(&ste_ssid_head);
+
+ /* init with default ssids */
+ if (init_ssid_queues())
+ {
+ printf("ERROR adding default ssids.\n");
+ exit(EXIT_FAILURE);
+ }
+
+ /* now walk the template DOM tree and fill in ssids */
+ walk_labels(root_element, doc, XML2BIN_NULL);
+
+ /*
+ * now sort bootstrap label to the head of the list
+ * (for now), dom0 assumes its label in the first
+ * defined ssidref (1/1). 0/0 is the default non-Label
+ */
+ if (have_chwall)
+ fixup_bootstrap_label(&chwall_ssid_head, max_chwall_types,
+ &max_chwall_ssids);
+ if (have_ste)
+ fixup_bootstrap_label(&ste_ssid_head, max_ste_types,
+ &max_ste_ssids);
+
+ /* remove any double entries (insert reference instead) */
+ if (have_chwall)
+ remove_doubles(&chwall_ssid_head, max_chwall_types,
+ &max_chwall_ssids);
+ if (have_ste)
+ remove_doubles(&ste_ssid_head, max_ste_types,
+ &max_ste_ssids);
+
+ if (!DEBUG)
+ return 0;
+
+ /* print queues */
+ if (have_chwall)
+ {
+ printf("CHWALL SSID queue (max ssidrefs=%d):\n", max_chwall_ssids);
+ np = NULL;
+ for (np = chwall_ssid_head.tqh_first; np != NULL;
+ np = np->entries.tqe_next)
+ {
+ printf("SSID #%02u (Label=%s)\n", np->num, np->name);
+ if (np->is_ref)
+ printf("REFERENCE");
+ else
+ for (i = 0; i < max_chwall_types; i++)
+ if (np->row[i])
+ printf("#%02d ", i);
+ printf("\n\n");
+ }
+ }
+ if (have_ste)
+ {
+ printf("STE SSID queue (max ssidrefs=%d):\n", max_ste_ssids);
+ np = NULL;
+ for (np = ste_ssid_head.tqh_first; np != NULL;
+ np = np->entries.tqe_next)
+ {
+ printf("SSID #%02u (Label=%s)\n", np->num, np->name);
+ if (np->is_ref)
+ printf("REFERENCE");
+ else
+ for (i = 0; i < max_ste_types; i++)
+ if (np->row[i])
+ printf("#%02d ", i);
+ printf("\n\n");
+ }
+ }
+ return 0;
+}
+
+/***************** writing the binary policy *********************/
+
+/*
+ * the mapping file is ascii-based since it will likely be used from
+ * within scripts (using awk, grep, etc.);
+ *
+ * We print from high-level to low-level information so that with one
+ * pass, any symbol can be resolved (e.g. Label -> types)
+ */
+int write_mapping(char *filename)
+{
+
+ struct ssid_entry *e;
+ struct type_entry *t;
+ int i;
+ FILE *file;
+
+ if ((file = fopen(filename, "w")) == NULL)
+ return -EIO;
+
+ fprintf(file, "MAGIC %08x\n", ACM_MAGIC);
+ fprintf(file, "POLICY %s\n",
+ basename(policy_filename));
+ fprintf(file, "BINARY %s\n",
+ basename(binary_filename));
+ if (have_chwall)
+ {
+ fprintf(file, "MAX-CHWALL-TYPES %08x\n", max_chwall_types);
+ fprintf(file, "MAX-CHWALL-SSIDS %08x\n", max_chwall_ssids);
+ fprintf(file, "MAX-CHWALL-LABELS %08x\n", max_chwall_labels);
+ }
+ if (have_ste)
+ {
+ fprintf(file, "MAX-STE-TYPES %08x\n", max_ste_types);
+ fprintf(file, "MAX-STE-SSIDS %08x\n", max_ste_ssids);
+ fprintf(file, "MAX-STE-LABELS %08x\n", max_ste_labels);
+ }
+ fprintf(file, "\n");
+
+ /* primary / secondary order for combined ssid synthesis/analysis
+ * if no primary is named, then chwall is primary */
+ switch (primary) {
+ case CHWALL:
+ fprintf(file, "PRIMARY CHWALL\n");
+ break;
+
+ case STE:
+ fprintf(file, "PRIMARY STE\n");
+ break;
+
+ default:
+ fprintf(file, "PRIMARY NULL\n");
+ break;
+ }
+
+ switch (secondary) {
+ case CHWALL:
+ fprintf(file, "SECONDARY CHWALL\n");
+ break;
+
+ case STE:
+ fprintf(file, "SECONDARY STE\n");
+ break;
+
+ default:
+ fprintf(file, "SECONDARY NULL\n");
+ break;
+ }
+ fprintf(file, "\n");
+
+ /* first labels to ssid mappings */
+ if (have_chwall)
+ {
+ for (e = chwall_ssid_head.tqh_first; e != NULL;
+ e = e->entries.tqe_next)
+ {
+ fprintf(file, "LABEL->SSID %s CHWALL %-25s %8x\n",
+ (e->type ==
+ VM) ? "VM " : ((e->type == RES) ? "RES" : "ANY"),
+ e->name, e->num);
+ }
+ fprintf(file, "\n");
+ }
+ if (have_ste)
+ {
+ for (e = ste_ssid_head.tqh_first; e != NULL;
+ e = e->entries.tqe_next)
+ {
+ fprintf(file, "LABEL->SSID %s STE %-25s %8x\n",
+ (e->type ==
+ VM) ? "VM " : ((e->type == RES) ? "RES" : "ANY"),
+ e->name, e->num);
+ }
+ fprintf(file, "\n");
+ }
+
+ /* second ssid to type mappings */
+ if (have_chwall)
+ {
+ for (e = chwall_ssid_head.tqh_first; e != NULL;
+ e = e->entries.tqe_next)
+ {
+ if (e->is_ref)
+ continue;
+
+ fprintf(file, "SSID->TYPE CHWALL %08x", e->num);
+
+ for (i = 0; i < max_chwall_types; i++)
+ if (e->row[i])
+ fprintf(file, " %s", type_by_mapping(&chwall_head, i));
+
+ fprintf(file, "\n");
+ }
+ fprintf(file, "\n");
+ }
+ if (have_ste) {
+ for (e = ste_ssid_head.tqh_first; e != NULL;
+ e = e->entries.tqe_next)
+ {
+ if (e->is_ref)
+ continue;
+
+ fprintf(file, "SSID->TYPE STE %08x", e->num);
+
+ for (i = 0; i < max_ste_types; i++)
+ if (e->row[i])
+ fprintf(file, " %s", type_by_mapping(&ste_head, i));
+
+ fprintf(file, "\n");
+ }
+ fprintf(file, "\n");
+ }
+ /* third type mappings */
+ if (have_chwall)
+ {
+ for (t = chwall_head.tqh_first; t != NULL; t = t->entries.tqe_next)
+ {
+ fprintf(file, "TYPE CHWALL %-25s %8x\n",
+ t->name, t->mapping);
+ }
+ fprintf(file, "\n");
+ }
+ if (have_ste) {
+ for (t = ste_head.tqh_first; t != NULL; t = t->entries.tqe_next)
+ {
+ fprintf(file, "TYPE STE %-25s %8x\n",
+ t->name, t->mapping);
+ }
+ fprintf(file, "\n");
+ }
+ fclose(file);
+ return 0;
+}
+
+unsigned char *write_chwall_binary(u_int32_t * len_chwall)
+{
+ unsigned char *buf, *ptr;
+ struct acm_chwall_policy_buffer *chwall_header;
+ u_int32_t len;
+ struct ssid_entry *e;
+ int i;
+
+ if (!have_chwall)
+ return NULL;
+
+ len = sizeof(struct acm_chwall_policy_buffer) +
+ sizeof(type_t) * max_chwall_types * max_chwall_ssids +
+ sizeof(type_t) * max_chwall_types * max_conflictsets;
+
+ buf = malloc(len);
+ ptr = buf;
+
+ if (!buf)
+ {
+ printf("ERROR: out of memory allocating chwall buffer.\n");
+ exit(EXIT_FAILURE);
+ }
+ /* chwall has 3 parts : header, types, conflictsets */
+
+ chwall_header = (struct acm_chwall_policy_buffer *) buf;
+ chwall_header->chwall_max_types = htonl(max_chwall_types);
+ chwall_header->chwall_max_ssidrefs = htonl(max_chwall_ssids);
+ chwall_header->policy_code = htonl(ACM_CHINESE_WALL_POLICY);
+ chwall_header->policy_version = htonl(ACM_CHWALL_VERSION);
+ chwall_header->chwall_ssid_offset =
+ htonl(sizeof(struct acm_chwall_policy_buffer));
+ chwall_header->chwall_max_conflictsets = htonl(max_conflictsets);
+ chwall_header->chwall_conflict_sets_offset =
+ htonl(ntohl(chwall_header->chwall_ssid_offset) +
+ sizeof(domaintype_t) * max_chwall_ssids * max_chwall_types);
+ chwall_header->chwall_running_types_offset = 0; /* not set, only
retrieved */
+ chwall_header->chwall_conflict_aggregate_offset = 0; /* not set,
only retrieved */
+ ptr += sizeof(struct acm_chwall_policy_buffer);
+
+ /* types */
+ for (e = chwall_ssid_head.tqh_first; e != NULL;
+ e = e->entries.tqe_next)
+ {
+ if (e->is_ref)
+ continue;
+
+ for (i = 0; i < max_chwall_types; i++)
+ ((type_t *) ptr)[i] = htons((type_t) e->row[i]);
+
+ ptr += sizeof(type_t) * max_chwall_types;
+ }
+
+ /* conflictsets */
+ for (e = conflictsets_head.tqh_first; e != NULL;
+ e = e->entries.tqe_next)
+ {
+ for (i = 0; i < max_chwall_types; i++)
+ ((type_t *) ptr)[i] = htons((type_t) e->row[i]);
+
+ ptr += sizeof(type_t) * max_chwall_types;
+ }
+
+ if ((ptr - buf) != len)
+ {
+ printf("ERROR: wrong lengths in %s.\n", __func__);
+ exit(EXIT_FAILURE);
+ }
+
+ (*len_chwall) = len;
+ return buf;
+}
+
+unsigned char *write_ste_binary(u_int32_t * len_ste)
+{
+ unsigned char *buf, *ptr;
+ struct acm_ste_policy_buffer *ste_header;
+ struct ssid_entry *e;
+ u_int32_t len;
+ int i;
+
+ if (!have_ste)
+ return NULL;
+
+ len = sizeof(struct acm_ste_policy_buffer) +
+ sizeof(type_t) * max_ste_types * max_ste_ssids;
+
+ buf = malloc(len);
+ ptr = buf;
+
+ if (!buf)
+ {
+ printf("ERROR: out of memory allocating chwall buffer.\n");
+ exit(EXIT_FAILURE);
+ }
+
+ /* fill buffer */
+ ste_header = (struct acm_ste_policy_buffer *) buf;
+ ste_header->policy_version = htonl(ACM_STE_VERSION);
+ ste_header->policy_code = htonl(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY);
+ ste_header->ste_max_types = htonl(max_ste_types);
+ ste_header->ste_max_ssidrefs = htonl(max_ste_ssids);
+ ste_header->ste_ssid_offset =
+ htonl(sizeof(struct acm_ste_policy_buffer));
+
+ ptr += sizeof(struct acm_ste_policy_buffer);
+
+ /* types */
+ for (e = ste_ssid_head.tqh_first; e != NULL; e = e->entries.tqe_next)
+ {
+ if (e->is_ref)
+ continue;
+
+ for (i = 0; i < max_ste_types; i++)
+ ((type_t *) ptr)[i] = htons((type_t) e->row[i]);
+
+ ptr += sizeof(type_t) * max_ste_types;
+ }
+
+ if ((ptr - buf) != len)
+ {
+ printf("ERROR: wrong lengths in %s.\n", __func__);
+ exit(EXIT_FAILURE);
+ }
+ (*len_ste) = len;
+ return buf; /* for now */
+}
+
+int write_binary(char *filename)
+{
+ struct acm_policy_buffer header;
+ unsigned char *ste_buffer = NULL, *chwall_buffer = NULL;
+ u_int32_t len;
+ int fd;
+
+ u_int32_t len_ste = 0, len_chwall = 0; /* length of policy components
*/
+
+ /* open binary file */
+ if ((fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR))
<= 0)
+ return -EIO;
+
+ ste_buffer = write_ste_binary(&len_ste);
+ chwall_buffer = write_chwall_binary(&len_chwall);
+
+ /* determine primary component (default chwall) */
+ header.policy_version = htonl(ACM_POLICY_VERSION);
+ header.magic = htonl(ACM_MAGIC);
+
+ len = sizeof(struct acm_policy_buffer);
+ if (have_chwall)
+ len += len_chwall;
+ if (have_ste)
+ len += len_ste;
+ header.len = htonl(len);
+
+ header.primary_buffer_offset = htonl(sizeof(struct acm_policy_buffer));
+ if (primary == CHWALL)
+ {
+ header.primary_policy_code = htonl(ACM_CHINESE_WALL_POLICY);
+ header.secondary_buffer_offset =
+ htonl((sizeof(struct acm_policy_buffer)) + len_chwall);
+ }
+ else if (primary == STE)
+ {
+ header.primary_policy_code =
+ htonl(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY);
+ header.secondary_buffer_offset =
+ htonl((sizeof(struct acm_policy_buffer)) + len_ste);
+ }
+ else
+ {
+ /* null policy */
+ header.primary_policy_code = htonl(ACM_NULL_POLICY);
+ header.secondary_buffer_offset =
+ htonl(header.primary_buffer_offset);
+ }
+
+ if (secondary == CHWALL)
+ header.secondary_policy_code = htonl(ACM_CHINESE_WALL_POLICY);
+ else if (secondary == STE)
+ header.secondary_policy_code =
+ htonl(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY);
+ else
+ header.secondary_policy_code = htonl(ACM_NULL_POLICY);
+
+ if (write(fd, (void *) &header, sizeof(struct acm_policy_buffer))
+ != sizeof(struct acm_policy_buffer))
+ return -EIO;
+
+ /* write primary policy component */
+ if (primary == CHWALL)
+ {
+ if (write(fd, chwall_buffer, len_chwall) != len_chwall)
+ return -EIO;
+ }
+ else if (primary == STE)
+ {
+ if (write(fd, ste_buffer, len_ste) != len_ste)
+ return -EIO;
+ } else
+ ; /* NULL POLICY has no policy data */
+
+ /* write secondary policy component */
+ if (secondary == CHWALL)
+ {
+ if (write(fd, chwall_buffer, len_chwall) != len_chwall)
+ return -EIO;
+ }
+ else if (secondary == STE)
+ {
+ if (write(fd, ste_buffer, len_ste) != len_ste)
+ return -EIO;
+ } else; /* NULL POLICY has no policy data */
+
+ close(fd);
+ return 0;
+}
+
+int is_valid(xmlDocPtr doc)
+{
+ int err = 0;
+ xmlSchemaPtr schema_ctxt = NULL;
+ xmlSchemaParserCtxtPtr schemaparser_ctxt = NULL;
+ xmlSchemaValidCtxtPtr schemavalid_ctxt = NULL;
+
+ schemaparser_ctxt = xmlSchemaNewParserCtxt(SCHEMA_FILENAME);
+ schema_ctxt = xmlSchemaParse(schemaparser_ctxt);
+ schemavalid_ctxt = xmlSchemaNewValidCtxt(schema_ctxt);
+
+#ifdef VALIDATE_SCHEMA
+ /* only tested to be available from libxml2-2.6.20 upwards */
+ if ((err = xmlSchemaIsValid(schemavalid_ctxt)) != 1)
+ {
+ printf("ERROR: Invalid schema file %s (err=%d)\n",
+ SCHEMA_FILENAME, err);
+ err = -EIO;
+ goto out;
+ }
+ else
+ printf("XML Schema %s valid.\n", SCHEMA_FILENAME);
+#endif
+ if ((err = xmlSchemaValidateDoc(schemavalid_ctxt, doc)))
+ {
+ err = -EIO;
+ goto out;
+ }
+ out:
+ xmlSchemaFreeValidCtxt(schemavalid_ctxt);
+ xmlSchemaFreeParserCtxt(schemaparser_ctxt);
+ xmlSchemaFree(schema_ctxt);
+ return (err != 0) ? 0 : 1;
+}
+
+int main(int argc, char **argv)
+{
+ xmlDocPtr labeldoc = NULL;
+ xmlDocPtr policydoc = NULL;
+
+ int err = EXIT_SUCCESS;
+
+ char *file_prefix;
+ int prefix_len;
+
+ if (ACM_POLICY_VERSION != WRITTEN_AGAINST_ACM_POLICY_VERSION)
+ {
+ printf("ERROR: This program was written against an older ACM
version.\n");
+ exit(EXIT_FAILURE);
+ }
+
+ if (argc != 2)
+ usage(basename(argv[0]));
+
+ prefix_len = strlen(POLICY_SUBDIR) +
+ strlen(argv[1]) + 1 /* "/" */ +
+ strlen(argv[1]) + 1 /* "/" */ ;
+
+ file_prefix = malloc(prefix_len);
+ policy_filename = malloc(prefix_len + strlen(POLICY_EXTENSION));
+ label_filename = malloc(prefix_len + strlen(LABEL_EXTENSION));
+ binary_filename = malloc(prefix_len + strlen(BINARY_EXTENSION));
+ mapping_filename = malloc(prefix_len + strlen(MAPPING_EXTENSION));
+
+ if (!file_prefix || !policy_filename || !label_filename ||
+ !binary_filename || !mapping_filename)
+ {
+ printf("ERROR allocating file name memory.\n");
+ goto out2;
+ }
+
+ /* create input/output filenames out of prefix */
+ strcat(file_prefix, POLICY_SUBDIR);
+ strcat(file_prefix, argv[1]);
+ strcat(file_prefix, "/");
+ strcat(file_prefix, argv[1]);
+
+ strcpy(policy_filename, file_prefix);
+ strcpy(label_filename, file_prefix);
+ strcpy(binary_filename, file_prefix);
+ strcpy(mapping_filename, file_prefix);
+
+ strcat(policy_filename, POLICY_EXTENSION);
+ strcat(label_filename, LABEL_EXTENSION);
+ strcat(binary_filename, BINARY_EXTENSION);
+ strcat(mapping_filename, MAPPING_EXTENSION);
+
+ labeldoc = xmlParseFile(label_filename);
+
+ if (labeldoc == NULL)
+ {
+ printf("Error: could not parse file %s.\n", argv[1]);
+ goto out2;
+ }
+
+ printf("Validating label file %s...\n", label_filename);
+ if (!is_valid(labeldoc))
+ {
+ printf("ERROR: Failed schema-validation for file %s (err=%d)\n",
+ label_filename, err);
+ goto out1;
+ }
+
+ policydoc = xmlParseFile(policy_filename);
+
+ if (policydoc == NULL)
+ {
+ printf("Error: could not parse file %s.\n", argv[1]);
+ goto out1;
+ }
+
+ printf("Validating policy file %s...\n", policy_filename);
+
+ if (!is_valid(policydoc))
+ {
+ printf("ERROR: Failed schema-validation for file %s (err=%d)\n",
+ policy_filename, err);
+ goto out;
+ }
+
+ /* Init queues and parse policy */
+ create_type_mapping(policydoc);
+
+ /* create ssids */
+ create_ssid_mapping(labeldoc);
+
+ /* write label mapping file */
+ if (write_mapping(mapping_filename))
+ {
+ printf("ERROR: writing mapping file %s.\n", mapping_filename);
+ goto out;
+ }
+
+ /* write binary file */
+ if (write_binary(binary_filename))
+ {
+ printf("ERROR: writing binary file %s.\n", binary_filename);
+ goto out;
+ }
+
+ /* write stats */
+ if (have_chwall)
+ {
+ printf("Max chwall labels: %u\n", max_chwall_labels);
+ printf("Max chwall-types: %u\n", max_chwall_types);
+ printf("Max chwall-ssids: %u\n", max_chwall_ssids);
+ }
+
+ if (have_ste)
+ {
+ printf("Max ste labels: %u\n", max_ste_labels);
+ printf("Max ste-types: %u\n", max_ste_types);
+ printf("Max ste-ssids: %u\n", max_ste_ssids);
+ }
+ /* cleanup */
+ out:
+ xmlFreeDoc(policydoc);
+ out1:
+ xmlFreeDoc(labeldoc);
+ out2:
+ xmlCleanupParser();
+ return err;
+}
+
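Review bot: main() never assigns EXIT_FAILURE to err, so every error path (`goto out`, `goto out1`, `goto out2`) still returns EXIT_SUCCESS, and the `err=%d` in the two schema-validation messages always prints 0; a build or install step that invokes the translator therefore cannot detect that no binary policy or mapping file was produced. Set `err = EXIT_FAILURE;` before each error goto (or at the labels) and print the actual return value of is_valid() rather than err. Separately, `file_prefix` is obtained from malloc() and first filled with `strcat(file_prefix, POLICY_SUBDIR)`, which searches uninitialised memory for a terminator; the first call should be `strcpy(file_prefix, POLICY_SUBDIR);`. In write_binary() the early `return -EIO` paths leave fd open and the two component buffers allocated, and `if ((fd = open(...)) <= 0)` rejects descriptor 0 as an error — presumably harmless for a one-shot tool, but worth tidying. In write_chwall_binary() the buffer length is computed with sizeof(type_t) while chwall_conflict_sets_offset uses sizeof(domaintype_t); if those two types ever differ, the header offset and the actual buffer layout disagree, so the same type should be used in both places.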
diff -r 1895942150a5 -r 513acbeac420 tools/security/secpol_xml2bin.h
--- /dev/null Fri Aug 19 08:55:03 2005
+++ b/tools/security/secpol_xml2bin.h Fri Aug 19 09:03:17 2005
@@ -0,0 +1,139 @@
+/****************************************************************
+ * secpol_xml2bin.h
+ *
+ * Copyright (C) 2005 IBM Corporation
+ *
+ * Authors:
+ * Reiner Sailer <sailer@xxxxxxxxxxxxxx>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ *
+ */
+#define POLICY_SUBDIR "policies/"
+#define POLICY_EXTENSION "-security_policy.xml"
+#define LABEL_EXTENSION "-security_label_template.xml"
+#define BINARY_EXTENSION ".bin"
+#define MAPPING_EXTENSION ".map"
+#define PRIMARY_COMPONENT_ATTR_NAME "order"
+#define BOOTSTRAP_LABEL_ATTR_NAME "bootstrap"
+#define PRIMARY_COMPONENT "PrimaryPolicyComponent"
+#define SCHEMA_FILENAME "policies/security_policy.xsd"
+
+/* basic states (used as 1 << X) */
+#define XML2BIN_SECPOL 0 /* policy tokens */
+#define XML2BIN_STE 1
+#define XML2BIN_CHWALL 2
+#define XML2BIN_CONFLICTSETS 3
+#define XML2BIN_CSTYPE 4
+
+#define XML2BIN_SECTEMPLATE 5 /* label tokens */
+#define XML2BIN_POLICYHEADER 6
+#define XML2BIN_LABELHEADER 7
+#define XML2BIN_SUBJECTS 8
+#define XML2BIN_OBJECTS 9
+#define XML2BIN_VM 10
+#define XML2BIN_RES 11
+
+#define XML2BIN_STETYPES 12 /* shared tokens */
+#define XML2BIN_CHWALLTYPES 13
+#define XML2BIN_TYPE 14
+#define XML2BIN_NAME 15
+#define XML2BIN_TEXT 16
+#define XML2BIN_COMMENT 17
+
+/* type "data type" (currently 16bit) */
+typedef u_int16_t type_t;
+
+/* list of known elements and token equivalent *
+ * state constants and token positions must be *
+ * in sync for correct state recognition */
+
+char *token[20] = /* parser triggers */
+{
+ [0] = "SecurityPolicyDefinition", /* policy xml */
+ [1] = "SimpleTypeEnforcement",
+ [2] = "ChineseWall",
+ [3] = "ConflictSets",
+ [4] = "Conflict", /* label-template xml */
+ [5] = "SecurityLabelTemplate",
+ [6] = "PolicyHeader",
+ [7] = "LabelHeader",
+ [8] = "SubjectLabels",
+ [9] = "ObjectLabels",
+ [10] = "VirtualMachineLabel",
+ [11] = "ResourceLabel",
+ [12] = "SimpleTypeEnforcementTypes", /* common tags */
+ [13] = "ChineseWallTypes",
+ [14] = "Type",
+ [15] = "Name",
+ [16] = "text",
+ [17] = "comment",
+ [18] = NULL,
+};
+
+/* important combined states */
+#define XML2BIN_NULL 0
+
+/* policy xml parsing states _S */
+
+/* e.g., here we are in a <secpol,ste,stetypes> environment, *
+ * so when finding a type element, we know where to put it */
+#define XML2BIN_stetype_S ((1 << XML2BIN_SECPOL) | \
+ (1 << XML2BIN_STE) | \
+ (1 << XML2BIN_STETYPES))
+
+#define XML2BIN_chwalltype_S ((1 << XML2BIN_SECPOL) | \
+ (1 << XML2BIN_CHWALL) | \
+ (1 << XML2BIN_CHWALLTYPES))
+
+#define XML2BIN_conflictset_S ((1 << XML2BIN_SECPOL) | \
+ (1 << XML2BIN_CHWALL) | \
+ (1 << XML2BIN_CONFLICTSETS))
+
+#define XML2BIN_conflictsettype_S ((1 << XML2BIN_SECPOL) | \
+ (1 << XML2BIN_CHWALL) | \
+ (1 << XML2BIN_CONFLICTSETS) | \
+ (1 << XML2BIN_CSTYPE))
+
+
+/* label xml states */
+#define XML2BIN_VM_S ((1 << XML2BIN_SECTEMPLATE) | \
+ (1 << XML2BIN_SUBJECTS) | \
+ (1 << XML2BIN_VM))
+
+#define XML2BIN_RES_S ((1 << XML2BIN_SECTEMPLATE) | \
+ (1 << XML2BIN_OBJECTS) | \
+ (1 << XML2BIN_RES))
+
+#define XML2BIN_VM_STE_S ((1 << XML2BIN_SECTEMPLATE) | \
+ (1 << XML2BIN_SUBJECTS) | \
+ (1 << XML2BIN_VM) | \
+ (1 << XML2BIN_STETYPES))
+
+#define XML2BIN_VM_CHWALL_S ((1 << XML2BIN_SECTEMPLATE) | \
+ (1 << XML2BIN_SUBJECTS) | \
+ (1 << XML2BIN_VM) | \
+ (1 << XML2BIN_CHWALLTYPES))
+
+#define XML2BIN_RES_STE_S ((1 << XML2BIN_SECTEMPLATE) | \
+ (1 << XML2BIN_OBJECTS) | \
+ (1 << XML2BIN_RES) | \
+ (1 << XML2BIN_STETYPES))
+
+
+
+/* check versions of headers against which the
+ * xml2bin translation tool was written
+ */
+
+/* protects from unnoticed changes in struct acm_policy_buffer */
+#define WRITTEN_AGAINST_ACM_POLICY_VERSION 1
+
+/* protects from unnoticed changes in struct acm_chwall_policy_buffer */
+#define WRITTEN_AGAINST_ACM_CHWALL_VERSION 1
+
+/* protects from unnoticed changes in struct acm_ste_policy_buffer */
+#define WRITTEN_AGAINST_ACM_STE_VERSION 1
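Review bot: The schema that policy and label files are validated against is a working-directory-relative name, `#define SCHEMA_FILENAME "policies/security_policy.xsd"`, so the validation step main() gates the binary-policy write on depends on where secpol_xml2bin is invoked from; if is_valid() opens this name directly (its body is outside this hunk), running the tool from another directory either fails to find the schema or picks up whatever `policies/security_policy.xsd` happens to exist there. Anchor the schema to the install location or an explicit option, and make the lookup fail closed when the file cannot be read. Separately, `char *token[20] = { ... }` is a non-static object definition placed in a header and the header has no include guard, so a second translation unit including secpol_xml2bin.h would get a duplicate-symbol link error; `static const char *const token[20] = {` under an `#ifndef SECPOL_XML2BIN_H` guard fixes both, and also stops the string literals being reachable through a writable pointer.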
diff -r 1895942150a5 -r 513acbeac420 tools/security/setlabel.sh
--- /dev/null Fri Aug 19 08:55:03 2005
+++ b/tools/security/setlabel.sh Fri Aug 19 09:03:17 2005
@@ -0,0 +1,345 @@
+#!/bin/sh
+# *
+# * setlabel
+# *
+# * Copyright (C) 2005 IBM Corporation
+# *
+# * Authors:
+# * Stefan Berger <stefanb@xxxxxxxxxx>
+# *
+# * This program is free software; you can redistribute it and/or
+# * modify it under the terms of the GNU General Public License as
+# * published by the Free Software Foundation, version 2 of the
+# * License.
+# *
+# * 'setlabel' labels virtual machine (domain) configuration files with
+# * security identifiers that can be enforced in Xen.
+# *
+# * 'setlabel -?' shows the usage of the program
+# *
+# * 'setlabel -l vmconfig-file' lists all available labels (only VM
+# * labels are used right now)
+# *
+# * 'setlabel vmconfig-file security-label map-file' inserts the 'ssidref'
+# * that corresponds to the security-label under the
+# * current policy (if policy changes, 'label'
+# * must be re-run over the configuration files;
+# * map-file is created during policy translation and
+# * is found in the policy's directory
+#
+
+if [ -z "$runbash" ]; then
+ runbash="1"
+ export runbash
+ exec sh -c "bash $0 $*"
+fi
+
+
+usage ()
+{
+ echo "Usage: $0 [Option] <vmfile> <label> <policy name> "
+ echo " or $0 -l <policy name>"
+ echo ""
+ echo "Valid Options are:"
+ echo "-r : to relabel a file without being prompted"
+ echo ""
+ echo "vmfile : XEN vm configuration file"
+ echo "label : the label to map"
+ echo "policy name : the name of the policy, i.e. 'chwall'"
+ echo ""
+ echo "-l <policy name> is used to show valid labels in the map file"
+ echo ""
+}
+
+
+findMapFile ()
+{
+ mapfile="./$1.map"
+ if [ -r "$mapfile" ]; then
+ return 1
+ fi
+
+ mapfile="./policies/$1/$1.map"
+ if [ -r "$mapfile" ]; then
+ return 1
+ fi
+
+ return 0
+}
+
+showLabels ()
+{
+ mapfile=$1
+ if [ ! -r "$mapfile" -o "$mapfile" == "" ]; then
+ echo "Cannot read from vm configuration file $vmfile."
+ return -1
+ fi
+
+ getPrimaryPolicy $mapfile
+ getSecondaryPolicy $mapfile
+
+ echo "The following labels are available:"
+ let line=1
+ while [ 1 ]; do
+ ITEM=`cat $mapfile | \
+ awk -vline=$line \
+ -vprimary=$primary \
+ '{ \
+ if ($1 == "LABEL->SSID" && \
+ $2 == "VM" && \
+ $3 == primary ) { \
+ ctr++; \
+ if (ctr == line) { \
+ print $4; \
+ } \
+ } \
+ } END { \
+ }'`
+
+ if [ "$ITEM" == "" ]; then
+ break
+ fi
+ if [ "$secondary" != "NULL" ]; then
+ LABEL=`cat $mapfile | \
+ awk -vitem=$ITEM \
+ '{
+ if ($1 == "LABEL->SSID" && \
+ $2 == "VM" && \
+ $3 == "CHWALL" && \
+ $4 == item ) { \
+ result = item; \
+ } \
+ } END { \
+ print result \
+ }'`
+ else
+ LABEL=$ITEM
+ fi
+
+ if [ "$LABEL" != "" ]; then
+ echo "$LABEL"
+ found=1
+ fi
+ let line=line+1
+ done
+ if [ "$found" != "1" ]; then
+ echo "No labels found."
+ fi
+}
+
+getPrimaryPolicy ()
+{
+ mapfile=$1
+ primary=`cat $mapfile | \
+ awk ' \
+ { \
+ if ( $1 == "PRIMARY" ) { \
+ res=$2; \
+ } \
+ } END { \
+ print res; \
+ } '`
+}
+
+getSecondaryPolicy ()
+{
+ mapfile=$1
+ secondary=`cat $mapfile | \
+ awk ' \
+ { \
+ if ( $1 == "SECONDARY" ) { \
+ res=$2; \
+ } \
+ } END { \
+ print res; \
+ } '`
+}
+
+
+getDefaultSsid ()
+{
+ mapfile=$1
+ pol=$2
+ RES=`cat $mapfile \
+ awk -vpol=$pol \
+ { \
+ if ($1 == "LABEL->SSID" && \
+ $2 == "ANY" && \
+ $3 == pol && \
+ $4 == "DEFAULT" ) {\
+ res=$5; \
+ } \
+ } END { \
+ printf "%04x", strtonum(res) \
+ }'`
+ echo "default NULL mapping is $RES"
+ defaultssid=$RES
+}
+
+relabel ()
+{
+ vmfile=$1
+ label=$2
+ mapfile=$3
+ mode=$4
+
+ if [ ! -r "$vmfile" ]; then
+ echo "Cannot read from vm configuration file $vmfile."
+ return -1
+ fi
+
+ if [ ! -w "$vmfile" ]; then
+ echo "Cannot write to vm configuration file $vmfile."
+ return -1
+ fi
+
+ if [ ! -r "$mapfile" ] ; then
+ echo "Cannot read mapping file $mapfile."
+ return -1
+ fi
+
+ # Determine which policy is primary, which sec.
+ getPrimaryPolicy $mapfile
+ getSecondaryPolicy $mapfile
+
+ # Calculate the primary policy's SSIDREF
+ if [ "$primary" == "NULL" ]; then
+ SSIDLO="0000"
+ else
+ SSIDLO=`cat $mapfile | \
+ awk -vlabel=$label \
+ -vprimary=$primary \
+ '{ \
+ if ( $1 == "LABEL->SSID" && \
+ $2 == "VM" && \
+ $3 == primary && \
+ $4 == label ) { \
+ result=$5 \
+ } \
+ } END { \
+ if (result != "" ) \
+ {printf "%04x", strtonum(result)}\
+ }'`
+ fi
+
+ # Calculate the secondary policy's SSIDREF
+ if [ "$secondary" == "NULL" ]; then
+ SSIDHI="0000"
+ else
+ SSIDHI=`cat $mapfile | \
+ awk -vlabel=$label \
+ -vsecondary=$secondary \
+ '{ \
+ if ( $1 == "LABEL->SSID" && \
+ $2 == "VM" && \
+ $3 == secondary && \
+ $4 == label ) { \
+ result=$5 \
+ } \
+ } END { \
+ if (result != "" ) \
+ {printf "%04x", strtonum(result)}\
+ }'`
+ fi
+
+ if [ "$SSIDLO" == "" -o \
+ "$SSIDHI" == "" ]; then
+ echo "Could not map the given label '$label'."
+ return -1
+ fi
+
+ ACM_POLICY=`cat $mapfile | \
+ awk ' { if ( $1 == "POLICY" ) { \
+ result=$2 \
+ } \
+ } \
+ END { \
+ if (result != "") { \
+ printf result \
+ } \
+ }'`
+
+ if [ "$ACM_POLICY" == "" ]; then
+ echo "Could not find 'POLICY' entry in map file."
+ return -1
+ fi
+
+ SSIDREF="0x$SSIDHI$SSIDLO"
+
+ if [ "$mode" != "relabel" ]; then
+ RES=`cat $vmfile | \
+ awk '{ \
+ if ( substr($1,0,7) == "ssidref" ) {\
+ print $0; \
+ } \
+ }'`
+ if [ "$RES" != "" ]; then
+ echo "Do you want to overwrite the existing mapping
($RES)? (y/N)"
+ read user
+ if [ "$user" != "y" -a "$user" != "Y" ]; then
+ echo "Aborted."
+ return 0
+ fi
+ fi
+ fi
+
+ #Write the output
+ vmtmp1="/tmp/__setlabel.tmp1"
+ vmtmp2="/tmp/__setlabel.tmp2"
+ touch $vmtmp1
+ touch $vmtmp2
+ if [ ! -w "$vmtmp1" -o ! -w "$vmtmp2" ]; then
+ echo "Cannot create temporary files. Aborting."
+ return -1
+ fi
+ RES=`sed -e '/^#ACM_POLICY/d' $vmfile > $vmtmp1`
+ RES=`sed -e '/^#ACM_LABEL/d' $vmtmp1 > $vmtmp2`
+ RES=`sed -e '/^ssidref/d' $vmtmp2 > $vmtmp1`
+ echo "#ACM_POLICY=$ACM_POLICY" >> $vmtmp1
+ echo "#ACM_LABEL=$label" >> $vmtmp1
+ echo "ssidref = $SSIDREF" >> $vmtmp1
+ mv -f $vmtmp1 $vmfile
+ rm -rf $vmtmp1 $vmtmp2
+ echo "Mapped label '$label' to ssidref '$SSIDREF'."
+}
+
+
+
+if [ "$1" == "-r" ]; then
+ mode="relabel"
+ shift
+elif [ "$1" == "-l" ]; then
+ mode="show"
+ shift
+elif [ "$1" == "-?" ]; then
+ mode="usage"
+fi
+
+if [ "$mode" == "show" ]; then
+ if [ "$1" == "" ]; then
+ usage
+ exit -1;
+ fi
+ findMapFile $1
+ res=$?
+ if [ "$res" != "0" ]; then
+ showLabels $mapfile
+ else
+ echo "Could not find map file for policy '$1'."
+ fi
+elif [ "$mode" == "usage" ]; then
+ usage
+else
+ if [ "$3" == "" ]; then
+ usage
+ exit -1;
+ fi
+ findMapFile $3
+ res=$?
+ if [ "$res" != "0" ]; then
+ relabel $1 $2 $mapfile $mode
+ else
+ echo "Could not find map file for policy '$3'."
+ fi
+
+fi
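Review bot: relabel() rewrites the VM configuration through the fixed names `/tmp/__setlabel.tmp1` and `/tmp/__setlabel.tmp2` in a world-writable directory, `touch`es them, and finally `mv -f`s the first over `$vmfile`; any local user can pre-create or symlink those names, and because the file being replaced carries the domain's `ssidref` (the label Xen enforces), the result can be a domain config with attacker-supplied content, which the `-w` test on the pre-existing temp file does not detect. Create the scratch file with mktemp next to the target and copy it back in place so the config keeps its owner and mode, as below; the same pass folds the three sed invocations into one and drops the second temp file. The `exec sh -c "bash $0 $*"` re-exec at the top splits and re-parses its arguments, so a vmfile path with spaces or shell metacharacters is mangled or executed; `exec bash "$0" "$@"` is the safe form. On POSIX/gawk semantics `substr($1,0,7)` in the overwrite check yields only six characters, so the "Do you want to overwrite" prompt is likely never shown; `substr($1,1,7)` is what was meant.
```shell
	#Write the output: a fresh mktemp file beside the config, never a fixed
	#name in /tmp that another local user could pre-create or symlink
	vmtmp1=`mktemp "$vmfile.XXXXXX"` || {
		echo "Cannot create temporary file. Aborting."
		return 1
	}
	if ! sed -e '/^#ACM_POLICY/d' -e '/^#ACM_LABEL/d' -e '/^ssidref/d' \
	     "$vmfile" > "$vmtmp1"; then
		rm -f "$vmtmp1"
		echo "Cannot rewrite $vmfile. Aborting."
		return 1
	fi
	echo "#ACM_POLICY=$ACM_POLICY" >> "$vmtmp1"
	echo "#ACM_LABEL=$label" >> "$vmtmp1"
	echo "ssidref = $SSIDREF" >> "$vmtmp1"
	# copy back in place so the config keeps its owner and mode
	cat "$vmtmp1" > "$vmfile" && rm -f "$vmtmp1"
	echo "Mapped label '$label' to ssidref '$SSIDREF'."
```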
diff -r 1895942150a5 -r 513acbeac420 tools/security/updategrub.sh
--- /dev/null Fri Aug 19 08:55:03 2005
+++ b/tools/security/updategrub.sh Fri Aug 19 09:03:17 2005
@@ -0,0 +1,171 @@
+#!/bin/sh
+# *
+# * updategrub
+# *
+# * Copyright (C) 2005 IBM Corporation
+# *
+# * Authors:
+# * Stefan Berger <stefanb@xxxxxxxxxx>
+# *
+# * This program is free software; you can redistribute it and/or
+# * modify it under the terms of the GNU General Public License as
+# * published by the Free Software Foundation, version 2 of the
+# * License.
+# *
+# *
+#
+
+if [ -z "$runbash" ]; then
+ runbash="1"
+ export runbash
+ exec sh -c "bash $0 $*"
+ exit
+fi
+
+
+# Show usage of this program
+usage ()
+{
+ echo "Usage: $0 <policy name> <root of xen repository>"
+ echo ""
+ echo "<policy name> : The name of the policy, i.e. xen_null"
+ echo "<root of xen repository> : The root of the XEN repositrory."
+ echo ""
+}
+
+# This function sets the global variable 'linux'
+# to the name of the linux kernel that was compiled
+# For now a pattern should do the trick
+getLinuxVersion ()
+{
+ path=$1
+ linux=""
+ for f in $path/linux-*-xen0 ; do
+ versionfile=$f/include/linux/version.h
+ if [ -r $versionfile ]; then
+ lnx=`cat $versionfile | \
+ grep UTS_RELEASE | \
+ awk '{ \
+ len=length($3); \
+ print substr($3,2,len-2) }'`
+ fi
+ if [ "$lnx" != "" ]; then
+ linux="[./0-9a-zA-z]*$lnx"
+ return;
+ fi
+ done
+
+ #Last resort.
+ linux="vmlinuz-2.[45678].[0-9]*[.0-9]*-xen0$"
+}
+
+#Return where the grub.conf file is.
+#I only know of one place it can be.
+findGrubConf()
+{
+ grubconf="/boot/grub/grub.conf"
+ if [ -w $grubconf ]; then
+ return 1
+ fi
+ return 0
+}
+
+
+#Update the grub configuration file.
+#Search for existing entries and replace the current
+#policy entry with the policy passed to this script
+#
+#Arguments passed to this function
+# 1st : the grub configuration file
+# 2nd : the binary policy file name
+# 3rd : the name or pattern of the linux kernel name to match
+#
+# The algorithm here is based on pattern matching
+# and is working correctly if
+# - under a title a line beginning with 'kernel' is found
+# whose following item ends with "xen.gz"
+# Example: kernel /xen.gz dom0_mem=....
+# - a module line matching the 3rd parameter is found
+#
+updateGrub ()
+{
+ grubconf=$1
+ policyfile=$2
+ linux=$3
+
+ tmpfile="/tmp/new_grub.conf"
+
+ cat $grubconf | \
+ awk -vpolicy=$policyfile \
+ -vlinux=$linux '{ \
+ if ( $1 == "title" ) { \
+ kernelfound = 0; \
+ if ( policymaycome == 1 ){ \
+ printf ("\tmodule %s%s\n", path, policy); \
+ } \
+ policymaycome = 0; \
+ } \
+ else if ( $1 == "kernel" ) { \
+ if ( match($2,"xen.gz$") ) { \
+ path=substr($2,1,RSTART-1); \
+ kernelfound = 1; \
+ } \
+ } \
+ else if ( $1 == "module" && \
+ kernelfound == 1 && \
+ match($2,linux) ) { \
+ policymaycome = 1; \
+ } \
+ else if ( $1 == "module" && \
+ kernelfound == 1 && \
+ policymaycome == 1 && \
+ match($2,"[0-9a-zA-Z]*.bin$") ) { \
+ printf ("\tmodule %s%s\n", path, policy); \
+ policymaycome = 0; \
+ kernelfound = 0; \
+ dontprint = 1; \
+ } \
+ else if ( $1 == "" && \
+ kernelfound == 1 && \
+ policymaycome == 1) { \
+ dontprint = 1; \
+ } \
+ if (dontprint == 0) { \
+ printf ("%s\n", $0); \
+ } \
+ dontprint = 0; \
+ } END { \
+ if ( policymaycome == 1 ) { \
+ printf ("\tmodule %s%s\n", path, policy); \
+ } \
+ }' > $tmpfile
+ if [ ! -r $tmpfile ]; then
+ echo "Could not create temporary file! Aborting."
+ exit -1
+ fi
+ mv -f $tmpfile $grubconf
+}
+
+if [ "$1" == "" -o "$2" == "" ]; then
+ usage
+ exit -1
+fi
+
+if [ "$1" == "-?" ]; then
+ usage
+ exit 0
+fi
+
+policy=$1
+policyfile=$policy.bin
+
+getLinuxVersion $2
+
+findGrubConf
+ERR=$?
+if [ $ERR -eq 0 ]; then
+ echo "Could not find grub.conf. Aborting."
+ exit -1
+fi
+
+updateGrub $grubconf $policyfile $linux
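Review bot: updateGrub() writes the rewritten boot configuration to the fixed name `/tmp/new_grub.conf` and then `mv -f`s it over `/boot/grub/grub.conf`, running as root: a local user who pre-creates that name as a symlink gets the redirect to clobber an arbitrary file, or leaves grub.conf itself a symlink to content they control, and since this file decides which `module …bin` policy Xen boots with, that is a direct way to boot without the intended access-control policy. Create the temporary file with mktemp inside /boot/grub (root-only, same filesystem so the rename stays atomic), check awk's exit status rather than only the temp file's readability, and keep a backup before replacing, as sketched below. The `exec sh -c "bash $0 $*"` re-exec at the top has the usual word-splitting problem; `exec bash "$0" "$@"` avoids it. Nothing checks that `$policyfile` actually exists under the boot path before the module line is emitted, so a mistyped policy name produces a grub entry that will not boot.
```shell
	# fresh name beside grub.conf: a fixed /tmp name can be pre-created or
	# symlinked by any local user and would then be moved into place as the
	# boot configuration
	tmpfile=`mktemp "$grubconf.XXXXXX"` || {
		echo "Could not create temporary file! Aborting."
		exit 1
	}
	# … unchanged: cat $grubconf | awk -vpolicy=… -vlinux=… '{ … }' > $tmpfile …
	if [ $? -ne 0 ] || [ ! -s "$tmpfile" ]; then
		rm -f "$tmpfile"
		echo "Could not rewrite $grubconf! Aborting."
		exit 1
	fi
	cp -p "$grubconf" "$grubconf.bak" && mv -f "$tmpfile" "$grubconf"
```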
diff -r 1895942150a5 -r 513acbeac420 docs/misc/shype4xen_readme.txt
--- a/docs/misc/shype4xen_readme.txt Fri Aug 19 08:55:03 2005
+++ /dev/null Fri Aug 19 09:03:17 2005
@@ -1,588 +0,0 @@
-Copyright: IBM Corporation (C)
-20 June 2005
-Author: Reiner Sailer
-
-This document is a very short introduction into the sHype access control
-security architecture implementation and how it is perceived by users. It
-is a very preliminary draft for the courageous ones to get "their feet wet"
-and to be able to give feedback (via the xen-devel/xense-devel mailing lists).
-
-Install:
-
-cd into xeno-unstable.bk
-(use --dry-run option if you want to test the patch only)
-patch -p1 -g0 < *tools.diff
-patch -p1 -g0 < *xen.diff
-
-(no rejects, probably some line offsets)
-
-make uninstall; make mrproper; make; ./install.sh should install the default
-sHype into Xen (rebuild your initrd images if necessary). Reboot.
-
-Debug output: there are two triggers for debug output:
-a) General sHype debug:
- xeno-unstable.bk/xen/include/public/acm.h
- undefine ACM_DEBUG to switch this debug off
-
-b) sHype enforcement hook trace: This prints a small trace for each
enforcement
-hook that is executed. The trigger is in
- xeno-unstable.bk/xen/include/acm/acm_hooks.h
- undefine ACM_TRACE_MODE to switch this debug off
-
-1. The default NULL policy
-***************************
-When you apply the patches and startup xen, you should at first not notice any
-difference because the default policy is the "NULL" policy, which as the name
-implies does not enforce anything.
-
-To display the currently enforced policy, use the policy tool under xeno-
-unstable.bk/tools/policy: policy_tool getpolicy. You should see output like
the
-one below.
-
-[root@laptop policy]#./policy_tool getpolicy
-
-Policy dump:
-============
-Magic = 1debc.
-PolVer = aaaa0000.
-Len = 14.
-Primary = NULL policy (c=0, off=14).
-Secondary = NULL policy (c=0, off=14).
-No primary policy (NULL).
-No secondary policy (NULL).
-
-Policy dump End.
-
-Since this is a dump of a binary policy, it's not pretty. The important parts
-are the "Primary" and "Secondary" policy fields set to "NULL policy". sHype
-currently allows to set two independent policies; thus the two SSID-REF parts
-shown in 'xm list'. Right here: primary policy only means this policy is
-checked first, the secondary policy is checked if the primary results in
-"permitted access". The result of the combined policy is "permitted" if both
-policies return permitted (NULL policy always returns permitted). The result
is
-"denied" if at least one of the policies returns "denied". Look into xeno-
-unstable.bk/xen/include/acm/acm_hooks.h for the general hook structure
-integrating the policy decisions (if you like, you won't need it for the rest
-of the Readme file).
-
-2. Setting Chinese Wall and Simple Type Enforcement policies:
-*************************************************************
-
-We'll get fast to the point. However, in order to understand what we are
doing,
-we must at least understand the purpose of the policies that we are going to
-enforce. The two policies presented here are just examples and the
-implementation encourages adding new policies easily.
-
-2.1. Chinese Wall policy: "decides whether a domain can be started based on
-this domain's ssidref and the ssidrefs of the currently running domains".
-Generally, the Chinese wall policy allows specifying certain types (or classes
-or categories, whatever the preferred word) that conflict; we usually assign a
-type to a workload and the set of types of those workloads running in a domain
-make up the type set for this domain. Each domain is assigned a set of types
-through its SSID-REF (we register Chinese Wall as primary policy, so the
-ssidref used for determining the Chinese Wall types is the one annotated with
-"p:" in xm list) since each SSID-REF points at a set of types. We'll see how
-SSIDREFs are represented in Xen later when we will look at the policy. (A good
-read for Chinese Wall is: Brewer/Nash The Chinese Wall Security Policy 1989.)
-
-So let's assume the Chinese Wall policy we are running distinguishes 10 types:
-t0 ... t9. Let us assume further that each SSID-REF points to a set that
-includes exactly one type (attached to domains that run workloads of a single
-type). SSID-REF 0 points to {t0}, ssidref 1 points to {t1} ... 9 points to
-{t9}. [This is actually the example policy we are going to push into xen later]
-
-Now the Chinese Wall policy allows you to define "Conflict type sets" and it
-guarantees that of any conflict set at most one type is "running" at any time.
-As an example, we have defined 2 conflict set: {t2, t3} and {t0, t5, t6}.
-Specifying these conflict sets, sHype ensures that at most one type of each
set
-is running (either t2 or t3 but not both; either t0 or t5 or t6 but not
-multiple of them).
-
-The effect is that administrators can define which workload types cannot run
-simultaneously on a single Xen system. This is useful to limit the covert
-timing channels between such payloads or to ensure that payloads don't
-interfere with each other through existing resource dependencies.
-
-2.2. Simple Type Enforcement (ste) policy: "decides whether two domains can
-share data, e.g., setup event channels or grant tables to each other, based on
-the two domains' ssidref. This, as the name says, is a simple policy. Think of
-each type as of a single color. Each domain has one or more colors, i.e., the
-domains ssid for the ste policy points to a set that has set one or multiple
-types. Let us assume in our example policy we differentiate 5 colors (types)
-and define 5 different ssids referenced by ssidref=0..4. Each ssid shall have
-exactly one type set, i.e., describes a uni-color. Only ssid(0) has all types
-set, i.e., has all defined colors.
-
-Sharing is enforced by the ste policy by requiring that two domains that want
-to establish an event channel or grant pages to each other must have a common
-color. Currently all domains communicate through DOM0 by default; i.e.,
Domain0
-will necessarily have all colors to be able to create domains (thus, we will
-assign ssidref(0) to Domain0 in our example below.
-
-More complex mandatory access control policies governing sharing will follow;
-such policies are more sophisticated than the "color" scheme above by allowing
-more flexible (and complex :_) access control decisions than "share a color"
or
-"don't share a color" and will be able to express finer-grained policies.
-
-
-2.3 Binary Policy:
-In the future, we will have a policy tool that takes as input a more humane
-policy description, using types such as development, home-banking, donated-
-Grid, CorpA-Payload ... and translates the respective policy into what we see
-today as the binary policy using 1s and 0s and sets of them. For now, we must
-live with the binary policy when working with sHype.
-
-
-2.4 Exemplary use of a real sHype policy on Xen. To activate a real policy,
-edit the file (yes, this will soon be a compile option):
- xeno-unstable.bk/xen/include/public/acm.h
- Change: #define ACM_USE_SECURITY_POLICY ACM_NULL_POLICY
- To : #define ACM_USE_SECURITY_POLICY
ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY
- cd xeno-unstable.bk
- make mrproper
- make uninstall (manually remove /etc/xen.old if necessary)
- make
- ./install.sh (recreate your kernel initrd's if necessary)
- Reboot into new xen.gz
-
-After booting, check out 'xm dmesg'; should show somewhere in the middle:
-
-(XEN) acm_init: Enforcing Primary CHINESE WALL policy, Secondary SIMPLE TYPE
-ENFORCEMENT policy.
-
-Even though you can activate those policies in any combination and also
-independently, the policy tool currently only supports setting the policy for
-the above combination.
-
-Now look at the minimal startup policy with:
- xeno-unstable.bk/tools/policytool getpolicy
-
-You should see something like:
-
-[root@laptop policy]# ./policy_tool getpolicy
-
-Policy dump:
-============
-Magic = 1debc.
-PolVer = aaaa0000.
-Len = 36.
-Primary = CHINESE WALL policy (c=1, off=14).
-Secondary = SIMPLE TYPE ENFORCEMENT policy (c=2, off=2c).
-
-
-Chinese Wall policy:
-====================
-Max Types = 1.
-Max Ssidrefs = 1.
-Max ConfSets = 1.
-Ssidrefs Off = 10.
-Conflicts Off = 12.
-Runing T. Off = 14.
-C. Agg. Off = 16.
-
-SSID To CHWALL-Type matrix:
-
- ssidref 0: 00
-
-Confict Sets:
-
- c-set 0: 00
-
-Running
-Types: 00
-
-Conflict
-Aggregate Set: 00
-
-
-Simple Type Enforcement policy:
-===============================
-Max Types = 1.
-Max Ssidrefs = 1.
-Ssidrefs Off = 8.
-
-SSID To STE-Type matrix:
-
- ssidref 0: 01
-
-
-Policy dump End.
-
-This is a minimal policy (of little use), except it will disable starting any
-domain that does not have ssidref set to 0x0. The Chinese Wall policy has
-nothing to enforce and the ste policy only knows one type, which is set for
the
-only defined ssidref.
-
-The item that defines the ssidref in a domain configuration is:
-
-ssidref = 0x12345678
-
-Where ssidref is interpreted as a 32bit number, where the lower 16bits become
-the ssidref for the primary policy and the higher 16bits become the ssidref
for
-the secondary policy. sHype currently supports two policies but this is an
-implementation decision and can be extended if necessary.
-
-This reference defines the security information of a domain. The meaning of
the
-SSID-REF depends on the policy, so we explain it when we explain the real
-policies.
-
-
-Setting a new Security Policy:
-******************************
-The policy tool with all its current limitations has one usable example policy
-compiled-in. Please try at this time to use the setpolicy command:
- xeno-unstable.bk/tools/policy/policy_tool setpolicy
-
-You should see a dump of the policy you are setting. It should say at the very
-end:
-
-Policy successfully set.
-
-Now try to dump the currently enforced policy, which is the policy we have
just
-set and the dynamic security state information of this policy
-(<<< ... some additional explanations)
-
-[root@laptop policy]# ./policy_tool getpolicy
-
-Policy dump:
-============
-Magic = 1debc.
-PolVer = aaaa0000.
-Len = 112.
-Primary = CHINESE WALL policy (c=1, off=14).
-Secondary = SIMPLE TYPE ENFORCEMENT policy (c=2, off=d8).
-
-
-Chinese Wall policy:
-====================
-Max Types = a.
-Max Ssidrefs = 5.
-Max ConfSets = 2.
-Ssidrefs Off = 10.
-Conflicts Off = 74.
-Runing T. Off = 9c.
-C. Agg. Off = b0.
-
-SSID To CHWALL-Type matrix:
-
- ssidref 0: 01 00 00 00 00 00 00 00 00 00 <<< type0 is set for ssidref0
- ssidref 1: 00 01 00 00 00 00 00 00 00 00
- ssidref 2: 00 00 01 00 00 00 00 00 00 00
- ssidref 3: 00 00 00 01 00 00 00 00 00 00
- ssidref 4: 00 00 00 00 01 00 00 00 00 00 <<< type4 is set for ssidref4
- <<< types 5-9 are unused
-Confict Sets:
-
- c-set 0: 00 00 01 01 00 00 00 00 00 00 <<< type2 and type3 never run
together
- c-set 1: 01 00 00 00 00 01 01 00 00 00 <<< only one of types 0, 5 or 6
- <<< can run simultaneously
-Running
-Types: 01 00 00 00 00 00 00 00 00 00 <<< ref-count for types of
running domains
-
-Conflict
-Aggregate Set: 00 00 00 00 00 01 01 00 00 00 <<< aggregated set of types that
- <<< cannot run because they
- <<< are in conflict set 1 and
- <<< (domain 0 is running w t0)
-
-
-Simple Type Enforcement policy:
-===============================
-Max Types = 5.
-Max Ssidrefs = 5.
-Ssidrefs Off = 8.
-
-SSID To STE-Type matrix:
-
- ssidref 0: 01 01 01 01 01 <<< ssidref0 points to a set
that
- <<< has all types set (colors)
- ssidref 1: 00 01 00 00 00 <<< ssidref1 has color1 set
- ssidref 2: 00 00 01 00 00 <<< ...
- ssidref 3: 00 00 00 01 00
- ssidref 4: 00 00 00 00 01
-
-
-Policy dump End.
-
-
-This is a small example policy with which we will demonstrate the enforcement.
-
-Starting Domains with policy enforcement
-========================================
-Now let us play with this policy.
-
-Define 3 or 4 domain configurations. I use the following config using a
ramdisk
-only and about 8MBytes of memory for each DomU (test purposes):
-
-#-------configuration xmsec1-------------------------
-kernel = "/boot/vmlinuz-2.6.11-xenU"
-ramdisk="/boot/U1_ramdisk.img"
-#security reference identifier
-ssidref= 0x00010001
-memory = 10
-name = "xmsec1"
-cpu = -1 # leave to Xen to pick
-# Number of network interfaces. Default is 1.
-nics=1
-dhcp="dhcp"
-#-----------------------------------------------------
-
-xmsec2 and xmsec3 look the same except for the name and the ssidref line. Use
-your domain config file and add "ssidref = 0x00010001" to the first (xmsec1),
-"ssidref= 0x00020002" to the second (call it xmsec2), and "ssidref=0x00030003"
-to the third (we will call this one xmsec3).
-
-First start xmsec1: xm create -c xmsec1 (succeeds)
-
-Then
-[root@laptop policy]# xm list
-Name Id Mem(MB) CPU State Time(s) Console
-Domain-0 0 620 0 r---- 42.3 s:00/p:00
-xmnosec 1 9 0 -b--- 0.3 9601 s:00/p:05
-xmsec1 2 9 0 -b--- 0.2 9602 s:01/p:01
-
-Shows a new domain xmsec1 running with primary (here: chinese wall) ssidref 1
-and secondary (here: simple type enforcement) ssidref 1. The ssidrefs are
-independent and can differ for a domain.
-
-[root@laptop policy]# ./policy_tool getpolicy
-
-Policy dump:
-============
-Magic = 1debc.
-PolVer = aaaa0000.
-Len = 112.
-Primary = CHINESE WALL policy (c=1, off=14).
-Secondary = SIMPLE TYPE ENFORCEMENT policy (c=2, off=d8).
-
-
-Chinese Wall policy:
-====================
-Max Types = a.
-Max Ssidrefs = 5.
-Max ConfSets = 2.
-Ssidrefs Off = 10.
-Conflicts Off = 74.
-Runing T. Off = 9c.
-C. Agg. Off = b0.
-
-SSID To CHWALL-Type matrix:
-
- ssidref 0: 01 00 00 00 00 00 00 00 00 00
- ssidref 1: 00 01 00 00 00 00 00 00 00 00
- ssidref 2: 00 00 01 00 00 00 00 00 00 00
- ssidref 3: 00 00 00 01 00 00 00 00 00 00
- ssidref 4: 00 00 00 00 01 00 00 00 00 00
-
-Confict Sets:
-
- c-set 0: 00 00 01 01 00 00 00 00 00 00
- c-set 1: 01 00 00 00 00 01 01 00 00 00 <<< t1 is not part of any c-set
-
-Running
-Types: 01 01 00 00 00 00 00 00 00 00 <<< xmsec1 has ssidref 1->type1
- ^^ <<< ref-count at position 1 incr
-Conflict
-Aggregate Set: 00 00 00 00 00 01 01 00 00 00 <<< domain 1 was allowed to
- <<< start since type 1 was not
- <<< in conflict with running
- <<< types
-
-Simple Type Enforcement policy:
-===============================
-Max Types = 5.
-Max Ssidrefs = 5.
-Ssidrefs Off = 8.
-
-SSID To STE-Type matrix:
-
- ssidref 0: 01 01 01 01 01 <<< the ste policy does not maintain; we
- ssidref 1: 00 01 00 00 00 <-- <<< see that domain xmsec1 has ste
- ssidref 2: 00 00 01 00 00 <<< ssidref1->type1 and has this type in
- ssidref 3: 00 00 00 01 00 <<< common with dom0
- ssidref 4: 00 00 00 00 01
-
-
-Policy dump End.
-
-Look at sHype output in xen dmesg:
-
-[root@laptop xen]# xm dmesg
-.
-.
-[somewhere near the very end]
-(XEN) chwall_init_domain_ssid: determined chwall_ssidref to 1.
-(XEN) ste_init_domain_ssid.
-(XEN) ste_init_domain_ssid: determined ste_ssidref to 1.
-(XEN) acm_init_domain_ssid: Instantiated individual ssid for domain 0x01.
-(XEN) chwall_post_domain_create.
-(XEN) ste_pre_eventchannel_interdomain.
-(XEN) ste_pre_eventchannel_interdomain: (evtchn 0 --> 1) common type #01.
-(XEN) shype_authorize_domops.
-(XEN) ste_pre_eventchannel_interdomain.
-(XEN) ste_pre_eventchannel_interdomain: (evtchn 0 --> 1) common type #01.
-(XEN) ste_pre_eventchannel_interdomain.
-(XEN) ste_pre_eventchannel_interdomain: (evtchn 0 --> 1) common type #01.
-
-
-You can see that the chinese wall policy does not complain and that the ste
-policy makes three access control decisions for three event-channels setup
-between domain 0 and the new domain 1. Each time, the two domains share the
-type1 and setting up the eventchannel is permitted.
-
-
-Starting up a second domain xmsec2:
-
-[root@laptop xen]# xm create -c xmsec2
-Using config file "xmsec2".
-Started domain xmsec2, console on port 9602
-************ REMOTE CONSOLE: CTRL-] TO QUIT ********
-Linux version 2.6.11-xenU (root@xxxxxxxxxxxxxxx) (gcc version 3.4.2 20041017
-(Red Hat 3.4.2-6.fc3)) #1 Wed Mar 30 13:14:31 EST 2005
-.
-.
-.
-[root@laptop policy]# xm list
-Name Id Mem(MB) CPU State Time(s) Console
-Domain-0 0 620 0 r---- 71.7 s:00/p:00
-xmsec1 1 9 0 -b--- 0.3 9601 s:01/p:01
-xmsec2 2 7 0 -b--- 0.3 9602 s:02/p:02 <<
our domain runs both policies with ssidref 2
-
-
-[root@laptop policy]# ./policy_tool getpolicy
-
-Policy dump:
-============
-Magic = 1debc.
-PolVer = aaaa0000.
-Len = 112.
-Primary = CHINESE WALL policy (c=1, off=14).
-Secondary = SIMPLE TYPE ENFORCEMENT policy (c=2, off=d8).
-
-
-Chinese Wall policy:
-====================
-Max Types = a.
-Max Ssidrefs = 5.
-Max ConfSets = 2.
-Ssidrefs Off = 10.
-Conflicts Off = 74.
-Runing T. Off = 9c.
-C. Agg. Off = b0.
-
-SSID To CHWALL-Type matrix:
-
- ssidref 0: 01 00 00 00 00 00 00 00 00 00
- ssidref 1: 00 01 00 00 00 00 00 00 00 00
- ssidref 2: 00 00 01 00 00 00 00 00 00 00 <<< our domain has type 2 set
- ssidref 3: 00 00 00 01 00 00 00 00 00 00
- ssidref 4: 00 00 00 00 01 00 00 00 00 00
-
-Confict Sets:
-
- c-set 0: 00 00 01 01 00 00 00 00 00 00 <<< t2 is in c-set0 with type 3
- c-set 1: 01 00 00 00 00 01 01 00 00 00
-
-Running
-Types: 01 01 01 00 00 00 00 00 00 00 <<< t2 is running since the
- ^^ <<< current aggregate conflict
- <<< set (see above) does not
- <<< include type 2
-Conflict
-Aggregate Set: 00 00 00 01 00 01 01 00 00 00 <<< type 3 is added to the
- <<< conflict aggregate
-
-
-Simple Type Enforcement policy:
-===============================
-Max Types = 5.
-Max Ssidrefs = 5.
-Ssidrefs Off = 8.
-
-SSID To STE-Type matrix:
-
- ssidref 0: 01 01 01 01 01
- ssidref 1: 00 01 00 00 00
- ssidref 2: 00 00 01 00 00
- ssidref 3: 00 00 00 01 00
- ssidref 4: 00 00 00 00 01
-
-
-Policy dump End.
-
-
-The sHype xen dmesg output looks similar to the one above when starting the
-first domain.
-
-Now we start xmsec3 and it has ssidref3. Thus, it tries to run as type3 which
-conflicts with running type2 (from xmsec2). As expected, creating this domain
-fails for security policy enforcement reasons.
-
-[root@laptop xen]# xm create -c xmsec3
-Using config file "xmsec3".
-Error: Error creating domain: (22, 'Invalid argument')
-[root@laptop xen]#
-
-[root@laptop xen]# xm dmesg
-.
-.
-[somewhere near the very end]
-(XEN) chwall_pre_domain_create.
-(XEN) chwall_pre_domain_create: CHINESE WALL CONFLICT in type 03.
-
-xmsec3 ssidref3 points to type3, which is in the current conflict aggregate
-set. This domain cannot start until domain xmsec2 is destroyed, at which time
-the aggregate conflict set is reduced and type3 is excluded from it. Then,
-xmsec3 can start. Of course, afterwards, xmsec2 cannot be restarted. Try it.
-
-3. Policy tool
-**************
-toos/policy/policy_tool.c
-
-a) ./policy_tool getpolicy
- prints the currently enforced policy
- (see for example section 1.)
-
-b) ./policy_tool setpolicy
- sets a predefined and hardcoded security
- policy (the one described in section 2.)
-
-c) ./policy_tool dumpstats
- prints some status information about the caching
- of access control decisions (number of cache hits
- and number of policy evaluations for grant_table
- and event channels).
-
-d) ./policy_tool loadpolicy <binary_policy_file>
- sets the policy defined in the <binary_policy_file>
- please use the policy_processor that is posted to this
- mailing list to create such a binary policy from an XML
- policy description
-
-4. Policy interface:
-********************
-The Policy interface is working in "network-byte-order" (big endian). The
reason for this
-is that policy files/management should be portable and independent of the
platforms.
-
-Our policy interface enables managers to create a single binary policy file in
a trusted
-environment and distributed it to multiple systems for enforcement.
-
-5. Booting with a binary policy:
-********************************
-The grub configuration file can be adapted to boot the hypervisor with an
-already active policy. To do this, a binary policy file - this can be
-the same file as used by the policy_tool - should be placed into the boot
-partition. The following entry from the grub configuration file shows how
-a binary policy can be added to the system during boot time. Note that the
-binary policy must be of the same type that the hypervisor was compiled
-for. The policy module line should also only be added as the last module
-line if XEN was compiled with the access control module (ACM).
-
-title XEN0 3.0 Devel
- kernel /xen.gz dom0_mem=400000
- module /vmlinuz-2.6.12-xen0 root=/dev/hda2 ro console=tty0
- module /initrd-2.6.12-xen0.img
- module /xen_sample_policy.bin
-
-
-====================end-of file=======================================
diff -r 1895942150a5 -r 513acbeac420 tools/misc/policyprocessor/Makefile
--- a/tools/misc/policyprocessor/Makefile Fri Aug 19 08:55:03 2005
+++ /dev/null Fri Aug 19 09:03:17 2005
@@ -1,42 +0,0 @@
-XEN_ROOT = ../../..
-include $(XEN_ROOT)/tools/Rules.mk
-
-CFLAGS += -static
-CFLAGS += -Wall
-CFLAGS += -Werror
-CFLAGS += -O3
-CFLAGS += -fno-strict-aliasing
-CFLAGS += -I.
-
-all: build
-
-build: mk-symlinks
- $(MAKE) xml_to_bin
-
-default: all
-
-install: all
-
-xml_to_bin : make_include XmlToBin.java XmlToBinInterface.java SsidsEntry.java
SecurityLabel.java myHandler.java
- javac XmlToBin.java
-
-make_include : c2j_include
- ./c2j_include
-
-c2j_include: c2j_include.c
- $(CC) $(CPPFLAGS) $(CFLAGS) -o $@ $<
-
-clean:
- rm -rf *.class xen c2j_include policy_version.java *.bin
-
-
-LINUX_ROOT := $(XEN_ROOT)/linux-2.6-xen-sparse
-mk-symlinks:
- [ -e xen/linux ] || mkdir -p xen/linux
- [ -e xen/io ] || mkdir -p xen/io
- ( cd xen >/dev/null ; \
- ln -sf ../$(XEN_ROOT)/xen/include/public/*.h . )
- ( cd xen/io >/dev/null ; \
- ln -sf ../../$(XEN_ROOT)/xen/include/public/io/*.h . )
- ( cd xen/linux >/dev/null ; \
- ln -sf ../../$(LINUX_ROOT)/include/asm-xen/linux-public/*.h . )
diff -r 1895942150a5 -r 513acbeac420
tools/misc/policyprocessor/SecurityLabel.java
--- a/tools/misc/policyprocessor/SecurityLabel.java Fri Aug 19 08:55:03 2005
+++ /dev/null Fri Aug 19 09:03:17 2005
@@ -1,34 +0,0 @@
-/**
- * (C) Copyright IBM Corp. 2005
- *
- * $Id: SecurityLabel.java,v 1.2 2005/06/17 20:00:04 rvaldez Exp $
- *
- * Author: Ray Valdez
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License as
- * published by the Free Software Foundation, version 2 of the
- * License.
- *
- * SecurityLabel Class.
- *
- * <p>
- *
- * Keeps track of types.
- *
- * <p>
- *
- *
- */
-import java.util.*;
-public class SecurityLabel
-{
- Vector ids;
- Vector vlans;
- Vector slots;
- Vector steTypes;
- int steSsidPosition;
- Vector chwIDs;
- Vector chwTypes;
- int chwSsidPosition;
-}
diff -r 1895942150a5 -r 513acbeac420
tools/misc/policyprocessor/SecurityPolicySpec.xsd
--- a/tools/misc/policyprocessor/SecurityPolicySpec.xsd Fri Aug 19 08:55:03 2005
+++ /dev/null Fri Aug 19 09:03:17 2005
@@ -1,115 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Author: Ray Valdez, rvaldez@xxxxxxxxxx -->
-<!-- xml schema definition for xen xml policies -->
-<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
-targetNamespace="http://www.ibm.com"
-xmlns="http://www.ibm.com"
-elementFormDefault="qualified">
-
-<xsd:element name="TE" type="xsd:string" />
-<xsd:element name="ChWall" type="xsd:string" />
-
-<xsd:element name="Definition">
- <xsd:complexType>
- <xsd:sequence>
-
- <!-- simple type enforcement -->
- <xsd:element name="Types" minOccurs ="0" maxOccurs="1">
- <xsd:complexType>
- <xsd:sequence>
- <xsd:element ref="TE" minOccurs ="1" maxOccurs
="unbounded"/>
- </xsd:sequence>
- </xsd:complexType>
- </xsd:element>
-
- <!-- chinese wall -->
- <!-- type definition -->
- <xsd:element name="ChWallTypes" minOccurs ="0" maxOccurs="1">
- <xsd:complexType>
- <xsd:sequence>
- <xsd:element ref="ChWall" minOccurs ="1" maxOccurs
="unbounded"/>
-
- </xsd:sequence>
- </xsd:complexType>
- </xsd:element>
-
- <!-- conflict set -->
- <xsd:element name="ConflictSet" minOccurs ="0" maxOccurs="unbounded">
- <xsd:complexType>
- <xsd:sequence>
- <xsd:element ref="ChWall" minOccurs ="2" maxOccurs
="unbounded"/>
- </xsd:sequence>
- </xsd:complexType>
- </xsd:element>
-
- </xsd:sequence>
- </xsd:complexType>
-</xsd:element>
-
-<xsd:element name="Policy">
- <xsd:complexType>
- <xsd:sequence>
-
- <xsd:element name="PolicyHeader">
- <xsd:complexType>
- <xsd:all>
- <xsd:element name = "Name" type="xsd:string"/>
- <xsd:element name = "DateTime" type="xsd:dateTime"/>
- <xsd:element name = "Tag" minOccurs ="1" maxOccurs ="1"
type="xsd:string"/>
- <xsd:element name = "TypeDefinition">
- <xsd:complexType>
- <xsd:all>
- <xsd:element name = "url" type="xsd:string"/>
- <xsd:element name = "hash" minOccurs ="0" maxOccurs
="1" type="xsd:string"/>
- </xsd:all>
- </xsd:complexType>
- </xsd:element>
-
- </xsd:all>
- </xsd:complexType>
- </xsd:element>
-
- <xsd:element name="VM" minOccurs ="1" maxOccurs="unbounded">
- <xsd:complexType>
- <xsd:sequence>
- <xsd:element name="id" type="xsd:integer"/>
- <xsd:element ref="TE" minOccurs="0" maxOccurs="unbounded" />
- <xsd:element ref="ChWall" minOccurs ="0" maxOccurs="unbounded"/>
- </xsd:sequence>
- </xsd:complexType>
- </xsd:element>
-
- <xsd:element name="Vlan" minOccurs ="0" maxOccurs="unbounded">
- <xsd:complexType>
- <xsd:sequence>
- <xsd:element name="vid" type="xsd:integer"/>
- <xsd:element ref="TE" minOccurs="1" maxOccurs="unbounded" />
- </xsd:sequence>
- </xsd:complexType>
- </xsd:element>
-
- <xsd:element name="Slot" minOccurs ="0" maxOccurs="unbounded">
- <xsd:complexType>
- <xsd:sequence>
- <xsd:element name="bus" type="xsd:integer"/>
- <xsd:element name="slot" type="xsd:integer"/>
- <xsd:element ref="TE" minOccurs="1" maxOccurs="unbounded" />
- </xsd:sequence>
- </xsd:complexType>
- </xsd:element>
-
-
- </xsd:sequence>
- </xsd:complexType>
-</xsd:element>
-
-<!-- root element -->
-<xsd:element name="SecurityPolicySpec">
- <xsd:complexType>
- <xsd:choice>
- <xsd:element ref="Definition" minOccurs ="1"
maxOccurs="unbounded"/>
- <xsd:element ref="Policy" minOccurs ="1" maxOccurs="unbounded"/>
- </xsd:choice>
- </xsd:complexType>
-</xsd:element>
-</xsd:schema>
diff -r 1895942150a5 -r 513acbeac420 tools/misc/policyprocessor/SsidsEntry.java
--- a/tools/misc/policyprocessor/SsidsEntry.java Fri Aug 19 08:55:03 2005
+++ /dev/null Fri Aug 19 09:03:17 2005
@@ -1,29 +0,0 @@
-/**
- * (C) Copyright IBM Corp. 2005
- *
- * $Id: SsidsEntry.java,v 1.2 2005/06/17 20:02:40 rvaldez Exp $
- *
- * Author: Ray Valdez
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License as
- * published by the Free Software Foundation, version 2 of the
- * License.
- *
- * SsidsEntry Class.
- * <p>
- *
- * Holds ssid information.
- *
- * <p>
- *
- *
- */
-public class SsidsEntry
- {
- int id; /* used for partition and vlan */
- int bus; /* used for slots */
- int slot;
- int ste = 0xffffffff;
- int chw = 0xffffffff;
- }
diff -r 1895942150a5 -r 513acbeac420 tools/misc/policyprocessor/XmlToBin.java
--- a/tools/misc/policyprocessor/XmlToBin.java Fri Aug 19 08:55:03 2005
+++ /dev/null Fri Aug 19 09:03:17 2005
@@ -1,1570 +0,0 @@
-/**
- * (C) Copyright IBM Corp. 2005
- *
- * $Id: XmlToBin.java,v 1.3 2005/06/20 21:07:37 rvaldez Exp $
- *
- * Author: Ray Valdez
- *
- * Contributors:
- * Reiner Sailer - adjust type-lengths
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License as
- * published by the Free Software Foundation, version 2 of the
- * License.
- *
- * XmlToBin Class.
- * <p>
- *
- * Translates a xml representation of a SHYPE policy into a binary
- * format. The class processes an xml policy file based on elment tags
- * defined in a schema definition files: SecurityPolicySpec.xsd.
- *
- * XmlToBin Command line Options:
- *
- * -i inputFile: name of policyfile (.xml)
- * -o outputFile: name of binary policy file (Big Endian)
- * -xssid SsidFile: xen ssids to types text file
- * -xssidconf SsidConf: xen conflict ssids to types text file
- * -debug turn on debug messages
- * -help help. This printout
- *
- * <p>
- *
- *
- */
-import java.util.*;
-import java.io.*;
-import java.io.IOException;
-import java.io.FileNotFoundException;
-import org.w3c.dom.Document;
-import org.w3c.dom.Element;
-import org.w3c.dom.Node;
-import org.w3c.dom.Attr;
-import org.w3c.dom.NodeList;
-import org.w3c.dom.NamedNodeMap;
-import org.xml.sax.*;
-import javax.xml.parsers.*;
-import org.xml.sax.helpers.*;
-
-public class XmlToBin
- implements XmlToBinInterface
-{
- class SlotInfo {
- String bus;
- String slot;
- }
-
- boolean LittleEndian = false;
- boolean debug = false;
-
- static final String JAXP_SCHEMA_LANGUAGE =
"http://java.sun.com/xml/jaxp/properties/schemaLanguage";
-
- static final String W3C_XML_SCHEMA = "http://www.w3.org/2001/XMLSchema";
-
- public static void printUsage()
- {
- System.out.println("XmlToBin Command line Options: ");
- System.out.println("\t-i\t\tinputFile:\tname of policyfile (.xml)");
- System.out.println("\t-o\t\toutputFile:\tname of binary policy file (Big
Endian)");
- System.out.println("\t-xssid\t\tSsidFile:\tXen ssids to named types text
file");
- System.out.println("\t-xssidconf\tSsidConfFile:\tXen conflict ssids to named
types text file");
- System.out.println("\t-debug\t\t\t\tturn on debug messages");
- System.out.println("\t-help\t\t\t\thelp. This printout");
- return;
- }
-
- public void printDebug(String message)
- {
- if (debug)
- System.out.println(message);
- }
-
- public void writeBinPolicy(byte[] binPolicy, String outputFileName)
- throws Exception
- {
- if (debug)
- printHex(binPolicy,binPolicy.length);
-
- DataOutputStream writeObj = new DataOutputStream(
- new FileOutputStream(outputFileName));
-
- writeObj.write(binPolicy);
- writeObj.flush();
- writeObj.close();
- System.out.println(" wBP:: wrote outputfile: " + outputFileName);
-
- return;
- }
-
- public void writeXenTypeVectorFile(Vector list, String outputFileName)
- throws Exception
- {
- PrintWriter out;
-
- if (0 == list.size())
- {
- printDebug(" wSTF : size of input is zero when writing :" +
outputFileName);
- return;
- }
- out = new PrintWriter(
- new BufferedWriter(
- new FileWriter(outputFileName)));
-
-
- for (int i = 0; i < list.size(); i++)
- {
- Vector ee = (Vector) list.elementAt(i);
- out.println(i + " " +ee.toString());
- }
- out.close();
-
- return;
- }
-
- public void writeXenTypeFile(Vector list, String outputFileName, boolean
slabel)
- throws Exception
- {
- Vector entry;
- String strTypes = "";
- SecurityLabel ee;
- PrintWriter out;
-
- if (0 == list.size())
- {
- printDebug(" wSTF : size of input is zero when writing :" +
outputFileName);
- return;
- }
- out = new PrintWriter(
- new BufferedWriter(
- new FileWriter(outputFileName)));
-
- for (int i = 0; i < list.size(); i++)
- {
- ee = (SecurityLabel) list.elementAt(i);
-
- if (slabel)
- {
- entry = ee.steTypes;
- } else {
-
- entry = ee.chwTypes;
- }
- if (null == entry) continue;
-
- Enumeration e = entry.elements();
- while (e.hasMoreElements())
- {
- String typeName = (String) e.nextElement();
- strTypes = strTypes + " " + typeName;
- }
- printDebug(" WXTF:: ssid : "+i +" :"+strTypes);
- out.println(i +" "+strTypes);
- strTypes = "";
- }
- out.close();
-
- return;
- }
-
- public void setDebug(boolean value)
- {
- debug=value;
- }
-
- public void setEndian(boolean value)
- {
- LittleEndian = value;
- }
-
- public byte[] generateVlanSsids(Vector bagOfSsids)
- throws Exception
- {
- /**
- typedef struct {
- u16 vlan;
- u16 ssid_ste;
- } acm_vlan_entry_t;
- **/
-
- Hashtable vlanSsid = new Hashtable();
- printDebug(" gVS::Size of bagOfSsids: "+ bagOfSsids.size());
-
- /* Get the number of partitions */
- for (int i = 0; i < bagOfSsids.size(); i++)
- {
- SecurityLabel entry = (SecurityLabel) bagOfSsids.elementAt(i);
-
- if (null == entry.vlans)
- continue;
-
- Enumeration e = entry.vlans.elements();
- while (e.hasMoreElements())
- {
- String id = (String) e.nextElement();
- printDebug(" gVS:: vlan: " + id + "has ste ssid: " +
entry.steSsidPosition);
- if (-1 == entry.steSsidPosition)
- continue;
-
- /* Only use ste for vlan */
- SsidsEntry ssidsObj = new SsidsEntry();
-
- ssidsObj.id = Integer.parseInt(id);
- ssidsObj.ste = entry.steSsidPosition;
-
- if (vlanSsid.contains(id))
- printDebug(" gVS:: Error already in the Hash part:" +
ssidsObj.id);
- else
- vlanSsid.put(id, ssidsObj);
- printDebug(" gVS:: added part: " + id + "has ste ssid: " +
entry.steSsidPosition);
- }
- }
-
- /* allocate array */
- int numOfVlan = vlanSsid.size();
- int totalSize = (numOfVlan * vlanEntrySz);
-
- if (0 == numOfVlan)
- {
- printDebug(" gVS:: vlan: binary ==> zero");
- return new byte[0];
- }
-
- byte[] vlanArray = new byte[totalSize];
-
- int index = 0;
-
- Enumeration e = vlanSsid.elements();
- while (e.hasMoreElements())
- {
- SsidsEntry entry = (SsidsEntry) e.nextElement();
- printDebug(" gVS:: part: " + entry.id + " ste ssid: " + entry.ste);
-
- /* Write id */
- writeShortToStream(vlanArray,(short)entry.id,index);
- index = index + u16Size;
-
- /* write ste ssid */
- writeShortToStream(vlanArray,(short) entry.ste,index);
- index = index + u16Size;
- }
-
- printDebug(" gVS:: vlan: num of vlans " + numOfVlan);
- printDebug(" gVS:: vlan: binary ==> Length "+ vlanArray.length);
-
- if (debug)
- printHex(vlanArray,vlanArray.length);
- printDebug("\n");
-
- return vlanArray;
- }
-
- public byte[] generateSlotSsids(Vector bagOfSsids)
- throws Exception
- {
- /**
- typedef struct {
- u16 slot_max;
- u16 slot_offset;
- } acm_slot_buffer_t;
-
- typedef struct {
- u16 bus;
- u16 slot;
- u16 ssid_ste;
- } acm_slot_entry_t;
- **/
- Hashtable slotSsid = new Hashtable();
- printDebug(" gSS::Size of bagOfSsids: "+ bagOfSsids.size());
-
- /* Find the number of VMs */
- for (int i = 0; i < bagOfSsids.size(); i++)
- {
- SecurityLabel entry = (SecurityLabel) bagOfSsids.elementAt(i);
-
- if (null == entry.slots)
- continue;
-
- Enumeration e = entry.slots.elements();
- while (e.hasMoreElements())
- {
- SlotInfo item = (SlotInfo) e.nextElement();
- printDebug(" gSS:: bus slot: " + item.bus + " "+ item.slot + " " +
entry.steSsidPosition);
- if (-1 == entry.steSsidPosition)
- continue;
-
- SsidsEntry ssidsObj = new SsidsEntry();
-
- String id = item.bus +" "+item.slot;
- ssidsObj.bus = Integer.parseInt(item.bus);
- ssidsObj.slot = Integer.parseInt(item.slot);
- /* set ste ssid */
- ssidsObj.ste = entry.steSsidPosition;
-
- if (slotSsid.contains(id))
- printDebug(" gSS:: Error already in the Hash part:" + id);
- else
- slotSsid.put(id, ssidsObj);
-
- printDebug(" gSS:: added slot: " + id + "has ste ssid: " +
entry.steSsidPosition);
- }
- }
-
- /* allocate array */
- int numOfSlot = slotSsid.size();
-
- if (0 == numOfSlot)
- {
- printDebug(" gVS:: slot: binary ==> zero");
- return new byte[0];
- }
-
- int totalSize = (numOfSlot * slotEntrySz);
-
- byte[] slotArray = new byte[totalSize];
-
- int index = 0;
-
- Enumeration e = slotSsid.elements();
- while (e.hasMoreElements())
- {
- SsidsEntry entry = (SsidsEntry) e.nextElement();
- System.out.println(" gSS:: bus slot: " + entry.bus + " " + entry.slot +
" ste ssid: " + entry.ste);
-
- /* Write bus */
- writeShortToStream(slotArray,(short)entry.bus,index);
- index = index + u16Size;
-
- /* Write slot */
- writeShortToStream(slotArray,(short)entry.slot,index);
- index = index + u16Size;
-
- /* Write ste ssid */
- writeShortToStream(slotArray,(short) entry.ste,index);
- index = index + u16Size;
-
- }
-
- printDebug(" gSS:: slot: num of vlans " + numOfSlot);
- printDebug(" gSS:: slot: binary ==> Length "+ slotArray.length);
-
- if (debug)
- printHex(slotArray,slotArray.length);
- printDebug("\n");
-
- return slotArray;
-
- }
-
- public byte[] generatePartSsids(Vector bagOfSsids, Vector bagOfChwSsids)
- throws Exception
- {
- /**
- typedef struct {
- u16 id;
- u16 ssid_ste;
- u16 ssid_chwall;
- } acm_partition_entry_t;
-
- **/
- Hashtable partSsid = new Hashtable();
- printDebug(" gPS::Size of bagOfSsids: "+ bagOfSsids.size());
-
- /* Find the number of VMs */
- for (int i = 0; i < bagOfSsids.size(); i++)
- {
- SecurityLabel entry = (SecurityLabel) bagOfSsids.elementAt(i);
-
- if (null == entry.ids)
- continue;
-
- Enumeration e = entry.ids.elements();
- while (e.hasMoreElements())
- {
- String id = (String) e.nextElement();
- printDebug(" gPS:: part: " + id + "has ste ssid: " +
entry.steSsidPosition);
- if (-1 == entry.steSsidPosition)
- continue;
-
- SsidsEntry ssidsObj = new SsidsEntry();
-
- ssidsObj.id = Integer.parseInt(id);
- ssidsObj.ste = entry.steSsidPosition;
-
- if (partSsid.contains(id))
- printDebug(" gPS:: Error already in the Hash part:" +
ssidsObj.id);
- else
- partSsid.put(id, ssidsObj);
- printDebug(" gPS:: added part: " + id + "has ste ssid: " +
entry.steSsidPosition);
- }
-
- }
-
- for (int i = 0; i < bagOfChwSsids.size(); i++)
- {
- SecurityLabel entry = (SecurityLabel) bagOfChwSsids.elementAt(i);
-
- Enumeration e = entry.chwIDs.elements();
- while (e.hasMoreElements())
- {
- String id = (String) e.nextElement();
- printDebug(" gPS:: part: " + id + "has chw ssid: " +
entry.chwSsidPosition);
- if (partSsid.containsKey(id))
- {
- SsidsEntry item = (SsidsEntry) partSsid.get(id);
- item.chw = entry.chwSsidPosition;
- printDebug(" gPS:: added :" + item.id +" chw: " + item.chw);
- }
- else
- {
- printDebug(" gPS:: creating :" + id +" chw: " +
entry.chwSsidPosition);
- SsidsEntry ssidsObj = new SsidsEntry();
- ssidsObj.id = Integer.parseInt(id);
- ssidsObj.chw = entry.chwSsidPosition;
- partSsid.put(id, ssidsObj);
-
- }
- }
- }
-
- /* Allocate array */
- int numOfPar = partSsid.size();
- int totalSize = (numOfPar * partitionEntrySz);
-
- if (0 == numOfPar)
- {
- printDebug(" gPS:: part: binary ==> zero");
- return new byte[0];
- }
-
- byte[] partArray = new byte[totalSize];
-
- int index = 0;
-
- Enumeration e = partSsid.elements();
- while (e.hasMoreElements())
- {
- SsidsEntry entry = (SsidsEntry) e.nextElement();
- printDebug(" gPS:: part: " + entry.id + " ste ssid: " + entry.ste + "
chw ssid: "+ entry.chw);
-
- /* Write id */
- writeShortToStream(partArray,(short)entry.id,index);
- index = index + u16Size;
-
- /* Write ste ssid */
- writeShortToStream(partArray,(short) entry.ste,index);
- index = index + u16Size;
-
- /* Write chw ssid */
- writeShortToStream(partArray,(short) entry.chw,index);
- index = index + u16Size;
- }
-
- printDebug(" gPS:: part: num of partitions " + numOfPar);
- printDebug(" gPS:: part: binary ==> Length " + partArray.length);
-
- if (debug)
- printHex(partArray,partArray.length);
- printDebug("\n");
-
- return partArray;
- }
-
- public byte[] GenBinaryPolicyBuffer(byte[] chwPolicy, byte[] stePolicy, byte
[] partMap, byte[] vlanMap, byte[] slotMap)
- {
- byte[] binBuffer;
- short chwSize =0;
- short steSize =0;
- int index = 0;
-
- /* Builds data structure acm_policy_buffer_t */
- /* Get number of colorTypes */
- if (null != chwPolicy)
- chwSize = (short) chwPolicy.length;
-
- if (null != stePolicy)
- steSize = (short) stePolicy.length;
-
- int totalDataSize = chwSize + steSize + resourceOffsetSz + 3 *(2 * u16Size);
-
- /* Add vlan and slot */
- totalDataSize = totalDataSize +partMap.length + vlanMap.length +
slotMap.length;
- binBuffer = new byte[binaryBufferHeaderSz +totalDataSize];
-
-
- try {
- index = 0;
- /* fill in General Policy Version */
- writeIntToStream(binBuffer, ACM_POLICY_VERSION, index);
- index += u32Size;
-
- /* Write magic */
- writeIntToStream(binBuffer, ACM_MAGIC, index);
- index += u32Size;
-
- /* write len */
- writeIntToStream(binBuffer, binBuffer.length, index);
- index += u32Size;
-
- } catch (IOException ee) {
- System.out.println(" GBPB:: got exception : " + ee);
- return null;
- }
-
- int offset, address;
- address = index;
-
- if (null != partMap)
- offset = binaryBufferHeaderSz + resourceOffsetSz;
- else
- offset = binaryBufferHeaderSz;
-
- try {
- int skip = 0;
-
- /* init with NULL policy setting */
- writeIntToStream(binBuffer, ACM_NULL_POLICY, index);
- writeIntToStream(binBuffer, 0, index + u32Size);
- writeIntToStream(binBuffer, ACM_NULL_POLICY, index + 2*u32Size);
- writeIntToStream(binBuffer, 0, index + 3*u32Size);
-
- index = address;
- if (null != chwPolicy) {
-
- /* Write policy name */
- writeIntToStream(binBuffer, ACM_CHINESE_WALL_POLICY, index);
- index += u32Size;
-
- /* Write offset */
- writeIntToStream(binBuffer, offset, index);
- index += u32Size;
-
- /* Write payload. No need increment index */
- address = offset;
- System.arraycopy(chwPolicy, 0, binBuffer,address,
chwPolicy.length);
- address = address + chwPolicy.length;
- } else
- skip += 2*u32Size;
-
- if (null != stePolicy)
- {
- /* Write policy name */
- writeIntToStream(binBuffer, ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY,
index);
- index += u32Size;
-
- /* Write offset */
- writeIntToStream(binBuffer, address, index);
- index += u32Size;
-
- /* Copy array */
- System.arraycopy(stePolicy, 0, binBuffer,address,
stePolicy.length);
- /* Update address */
- address = address + stePolicy.length;
- } else
- skip += 2*u32Size;
-
- /* Skip writing policy name and offset for each null policy*/
- index += skip;
-
- int size;
- /* Assumes that you will always have a partition defined in policy */
- if ( 0 < partMap.length) {
- writeIntToStream(binBuffer, address, index);
- index = address;
-
- /* Compute num of VMs */
- size = partMap.length / (3 * u16Size);
-
- writeShortToStream(binBuffer, (short)size,index);
- index = index + u16Size;
-
- /* part, vlan and slot: each one consists of two entries */
- offset = 3 * (2 * u16Size);
- writeShortToStream(binBuffer, (short) offset,index);
-
- /* Write partition array at offset */
- System.arraycopy(partMap, 0, binBuffer,(offset + address),
partMap.length);
- index = index + u16Size;
- offset = offset + partMap.length;
- }
-
- if ( 0 < vlanMap.length) {
- size = vlanMap.length / (2 * u16Size);
- writeShortToStream(binBuffer, (short) size,index);
- index = index + u16Size;
-
- writeShortToStream(binBuffer, (short) offset,index);
- index = index + u16Size;
- System.arraycopy(vlanMap, 0, binBuffer,(offset + address),
vlanMap.length);
- } else {
- /* Write vlan max */
- writeShortToStream(binBuffer, (short) 0,index);
- index = index + u16Size;
-
- /* Write vlan offset */
- writeShortToStream(binBuffer, (short) 0,index);
- index = index + u16Size;
- }
-
- offset = offset + vlanMap.length;
- if ( 0 < slotMap.length) {
- size = slotMap.length / (3 * u16Size);
- writeShortToStream(binBuffer, (short) size,index);
- index = index + u16Size;
-
- writeShortToStream(binBuffer, (short) offset,index);
- index = index + u16Size;
- System.arraycopy(slotMap, 0, binBuffer,(offset + address),
slotMap.length);
- }
- } catch (IOException ee) {
- System.out.println(" GBPB:: got exception : " + ee);
- return null;
- }
-
- printDebug(" GBP:: Binary Policy ==> length " + binBuffer.length);
- if (debug)
- printHex(binBuffer,binBuffer.length);
-
- return binBuffer;
- }
-
- public byte[] generateChwBuffer(Vector Ssids, Vector ConflictSsids, Vector
ColorTypes)
- {
- byte[] chwBuffer;
- int index = 0;
- int position = 0;
-
- /* Get number of rTypes */
- int maxTypes = ColorTypes.size();
-
- /* Get number of SSids entry */
- int maxSsids = Ssids.size();
-
- /* Get number of conflict sets */
- int maxConflict = ConflictSsids.size();
-
-
- if (maxTypes * maxSsids == 0)
- return null;
- /*
- data structure acm_chwall_policy_buffer
- se XmlToBinInterface.java
- */
- int totalBytes = chwHeaderSize + u16Size *(maxTypes * (maxSsids +
maxConflict));
-
- chwBuffer = new byte[ totalBytes ];
- int address = chwHeaderSize + (u16Size * maxTypes * maxSsids );
-
- printDebug(" gCB:: chwall totalbytes : "+totalBytes);
-
- try {
- index = 0;
- /* fill in General Policy Version */
- writeIntToStream(chwBuffer, ACM_CHWALL_VERSION, index);
- index += u32Size;
-
- writeIntToStream(chwBuffer, ACM_CHINESE_WALL_POLICY, index);
- index += u32Size;
-
- writeIntToStream(chwBuffer, maxTypes, index);
- index += u32Size;
-
- writeIntToStream(chwBuffer, maxSsids, index);
- index += u32Size;
-
- writeIntToStream(chwBuffer, maxConflict, index);
- index += u32Size;
-
- /* Write chwall_ssid_offset */
- writeIntToStream(chwBuffer, chwHeaderSize, index);
- index += u32Size;
-
- /* Write chwall_conflict_sets_offset */
- writeIntToStream(chwBuffer, address, index);
- index += u32Size;
-
- /* Write chwall_running_types_offset */
- writeIntToStream(chwBuffer, 0, index);
- index += u32Size;
-
- /* Write chwall_conflict_aggregate_offset */
- writeIntToStream(chwBuffer, 0, index);
- index += u32Size;
-
- } catch (IOException ee) {
- System.out.println(" gCB:: got exception : " + ee);
- return null;
- }
- int markPos = 0;
-
- /* Create the SSids entry */
- for (int i = 0; i < maxSsids; i++)
- {
- SecurityLabel ssidEntry = (SecurityLabel) Ssids.elementAt(i);
- /* Get chwall types */
- ssidEntry.chwSsidPosition = i;
- Enumeration e = ssidEntry.chwTypes.elements();
- while (e.hasMoreElements())
- {
- String typeName = (String) e.nextElement();
- printDebug(" gCB:: Ssid "+ i+ ": has type : " + typeName);
- position = ColorTypes.indexOf(typeName);
-
- if (position < 0)
- {
- System.out.println (" gCB:: Error type : " + typeName + " not
found in ColorTypes");
- return null;
- }
- printDebug(" GCB:: type : " + typeName + " found in ColorTypes at
position: " + position);
- markPos = ((i * maxTypes + position) * u16Size) + index;
-
- try {
- writeShortToStream(chwBuffer,markSymbol,markPos);
- } catch (IOException ee) {
- System.out.println(" gCB:: got exception : ");
- return null;
- }
- }
- }
-
- if (debug)
- printHex(chwBuffer,chwBuffer.length);
-
- /* Add conflict set */
- index = address;
- for (int i = 0; i < maxConflict; i++)
- {
- /* Get ste types */
- Vector entry = (Vector) ConflictSsids.elementAt(i);
- Enumeration e = entry.elements();
- while (e.hasMoreElements())
- {
- String typeName = (String) e.nextElement();
- printDebug (" GCB:: conflict Ssid "+ i+ ": has type : " + typeName);
- position = ColorTypes.indexOf(typeName);
-
- if (position < 0)
- {
- System.out.println (" GCB:: Error type : " + typeName + " not
found in ColorTypes");
- return null;
- }
- printDebug(" GCB:: type : " + typeName + " found in ColorTypes at
position: " + position);
- markPos = ((i * maxTypes + position) * u16Size) + index;
-
- try {
- writeShortToStream(chwBuffer,markSymbol,markPos);
- } catch (IOException ee) {
- System.out.println(" GCB:: got exception : ");
- return null;
- }
- }
-
- }
- printDebug(" gSB:: chw binary ==> Length " + chwBuffer.length);
- if (debug)
- printHex(chwBuffer,chwBuffer.length);
- printDebug("\n");
-
- return chwBuffer;
- }
-
-/**********************************************************************
- Generate byte representation of policy using type information
- <p>
- @param Ssids Vector
- @param ColorTypes Vector
- <p>
- @return bytes represenation of simple type enforcement policy
-**********************************************************************/
- public byte[] generateSteBuffer(Vector Ssids, Vector ColorTypes)
- {
- byte[] steBuffer;
- int index = 0;
- int position = 0;
-
- /* Get number of colorTypes */
- int numColorTypes = ColorTypes.size();
-
- /* Get number of SSids entry */
- int numSsids = Ssids.size();
-
- if (numColorTypes * numSsids == 0)
- return null;
-
- /* data structure: acm_ste_policy_buffer
- * see XmlToBinInterface.java
- * total bytes: steHeaderSize * 2B + colorTypes(size) * Ssids(size)
- *
- */
- steBuffer = new byte[ steHeaderSize + (numColorTypes * numSsids) * 2];
-
- try {
-
- index = 0;
- writeIntToStream(steBuffer, ACM_STE_VERSION, index);
- index += u32Size;
-
- writeIntToStream(steBuffer, ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY,
index);
- index += u32Size;
-
- writeIntToStream(steBuffer, numColorTypes, index);
- index += u32Size;
-
- writeIntToStream(steBuffer, numSsids, index);
- index += u32Size;
-
- writeIntToStream(steBuffer, steHeaderSize, index);
- index += u32Size;
-
-
- } catch (IOException ee) {
- System.out.println(" gSB:: got exception : " + ee);
- return null;
- }
- int markPos = 0;
- for (int i = 0; i < numSsids; i++)
- {
-
- SecurityLabel ssidEntry = (SecurityLabel) Ssids.elementAt(i);
- ssidEntry.steSsidPosition = i;
- /* Get ste types */
- Enumeration e = ssidEntry.steTypes.elements();
- while (e.hasMoreElements())
- {
- String typeName = (String) e.nextElement();
- printDebug (" gSB:: Ssid "+ i+ ": has type : " + typeName);
- position = ColorTypes.indexOf(typeName);
-
- if (position < 0)
- {
- printDebug(" gSB:: Error type : " + typeName + " not found in
ColorTypes");
- return null;
- }
- printDebug(" gSB:: type : " + typeName + " found in ColorTypes at
position: " + position);
- markPos = ((i * numColorTypes + position) * u16Size) + index;
-
- try {
- writeShortToStream(steBuffer,markSymbol,markPos);
- } catch (IOException ee)
- {
- System.out.println(" gSB:: got exception : ");
- return null;
- }
- }
-
- }
-
- printDebug(" gSB:: ste binary ==> Length " + steBuffer.length);
- if (debug)
- printHex(steBuffer,steBuffer.length);
- printDebug("\n");
-
- return steBuffer;
- }
-
- public static void printHex(byte [] dataArray, int length)
- {
- char[] hexChars = {'0', '1', '2', '3', '4', '5', '6', '7',
- '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};
- int hexIndex;
- int value;
- int arraylength;
-
- arraylength = length;
-
- if (dataArray == null)
- {
- System.err.print("printHex: input byte array is null");
- }
-
- if (length > dataArray.length || length < 0)
- arraylength = dataArray.length;
-
- System.out.print("\n\t");
-
- int i;
- for(i = 0; i < arraylength; )
- {
- value = dataArray[i] & 0xFF;
- hexIndex = (value >>> 4);
- System.out.print(hexChars[hexIndex]);
- hexIndex = (value & 0x0F);
- System.out.print(hexChars[hexIndex]);
-
- i++;
- /* if done, print a final newline */
- if (i == arraylength) {
- if (arraylength < dataArray.length) {
- System.out.print("...");
- }
- System.out.println();
- }
- else if ((i % 24) == 0) {
- System.out.print("\n\t");
- }
- else if ((i % 4) == 0) {
- System.out.print(" ");
- }
- }
-
- return;
- }
-
-
- private void writeShortToStream(byte[] stream, short value, int index)
- throws IOException
- {
- int littleEndian = 0;
- int byteVal;
-
- if (index + 2 > stream.length)
- {
- throw new IOException("Writing beyond stream length: " +
- stream.length + " writing at locations from: " +
index + " to " + (index + 4));
- }
-
- if (!LittleEndian)
- {
-
- byteVal = value >> 8;
- stream[index ] = (byte) byteVal;
-
- byteVal = value;
- stream[index + 1] = (byte) byteVal;
- } else {
- stream[index] = (byte) ((value & 0x00ff) );
- stream[index + 1] = (byte) ((value & 0xff00) >> 8);
- }
- return;
- }
-
- private void writeIntToStream(byte[] stream, int value, int index)
- throws IOException
- {
- int littleEndian = 0;
- int byteVal;
-
- if (4 > stream.length)
- {
- throw new IOException("writeIntToStream: stream length less than 4 bytes
" +
- stream.length);
- }
-
- /* Do not Write beyond range */
- if (index + 4 > stream.length)
- {
- throw new IOException("writeIntToStream: writing beyond stream length: "
+
- stream.length + " writing at locations from: " +
index + " to " + (index + 4));
- }
- if (!LittleEndian)
- {
- byteVal = value >>> 24;
- stream[index] = (byte) byteVal;
-
- byteVal = value >> 16;
- stream[index + 1] = (byte) byteVal;
-
- byteVal = value >> 8;
- stream[index + 2] = (byte) byteVal;
-
- byteVal = value;
- stream[index + 3] = (byte) byteVal;
- } else {
- stream[index] = (byte) value;
- stream[index + 1] = (byte) ((value & 0x0000ff00) >> 8);
- stream[index + 2] = (byte) ((value & 0x00ff0000) >> 16);
- stream[index + 3] = (byte) ( value >>> 24);
- }
- return;
- }
-
- public Document getDomTree(String xmlFileName)
- throws Exception, SAXException, ParserConfigurationException
- {
- javax.xml.parsers.DocumentBuilderFactory dbf =
- javax.xml.parsers.DocumentBuilderFactory.newInstance();
-
- /* Turn on namespace aware and validation */
- dbf.setNamespaceAware(true);
- dbf.setValidating(true);
- dbf.setAttribute(JAXP_SCHEMA_LANGUAGE,W3C_XML_SCHEMA);
-
- /* Checks that the document is well-formed */
- javax.xml.parsers.DocumentBuilder db = dbf.newDocumentBuilder();
-
- myHandler errHandler= new myHandler();
- db.setErrorHandler(errHandler);
- Document doc = db.parse(xmlFileName);
-
- /* Checks for validation errors */
- if (errHandler.isValid)
- printDebug(" gDT:: Xml file: " + xmlFileName + " is valid");
- else
- throw new Exception("Xml file: " + xmlFileName + " is NOT valid");
-
- return doc;
- }
-
- public void processDomTree(
- Document doc,
- Vector bagOfSsids,
- Vector bagOfTypes,
- Vector bagOfChwSsids,
- Vector bagOfChwTypes,
- Vector bagOfConflictSsids)
- throws Exception, SAXException, ParserConfigurationException
- {
- boolean found;
-
- /* print the root Element */
- Element root = doc.getDocumentElement();
- printDebug ("\n pDT:: Document Element: Name = " + root.getNodeName() +
",Value = " + root.getNodeValue());
-
- /* Go through the list of the root Element's Attributes */
- NamedNodeMap nnm = root.getAttributes();
- printDebug (" pDT:: # of Attributes: " + nnm.getLength());
- for (int i = 0; i < nnm.getLength(); i++)
- {
- Node n = nnm.item (i);
- printDebug (" pDT:: Attribute: Name = " + n.getNodeName() + ", Value =
"
- + n.getNodeValue());
- }
-
- /* Retrieve the policy definition */
- NodeList elementList = root.getElementsByTagName ("url");
- String definitionFileName =
elementList.item(0).getFirstChild().getNodeValue();
-
- String definitionHash = null;
-
- /* Note that SecurityPolicySpec.xsd allows for 0 hash value! */
- elementList = root.getElementsByTagName ("hash");
- if (0 != elementList.getLength())
- definitionHash = elementList.item(0).getFirstChild().getNodeValue();
-
- Document definitionDoc =
pGetDomDefinition(definitionFileName,definitionHash);
- pGetTypes(definitionDoc,bagOfTypes, bagOfChwTypes, bagOfConflictSsids);
-
-
- /* Get VM security information */
- elementList = root.getElementsByTagName ("VM");
- printDebug ("\n pDT:: partition length of NodeList:" +
elementList.getLength());
- /* Add default Ssid to Ste and Chw bags */
- SecurityLabel defEntry = new SecurityLabel();
-
- defEntry.chwTypes = new Vector();
- defEntry.steTypes = new Vector();
- defEntry.chwIDs = new Vector();
- defEntry.ids = new Vector();
-
- defEntry.steSsidPosition =0;
- defEntry.chwSsidPosition =0;
- bagOfChwSsids.add(defEntry);
- bagOfSsids.add(defEntry);
-
- for (int x = 0; x < elementList.getLength(); x++)
- {
- found = false;
-
- Node node = elementList.item (x);
-
- if (node.getNodeType() == Node.ELEMENT_NODE)
- {
- printDebug (" pDT:: child: " + x + " is an element node" );
- Element e1 = (Element) node;
-
- /* Get id */
- NodeList elist = e1.getElementsByTagName ("id");
- String idStr = elist.item(0).getFirstChild().getNodeValue();
- printDebug (" pDT:: id:" + idStr);
-
- /* Get TE */
- Vector colorTypes = new Vector();
- pConflictEntries(e1, "TE", bagOfTypes, colorTypes);
-
- Enumeration e = bagOfSsids.elements();
- while (e.hasMoreElements())
- {
- SecurityLabel elem = (SecurityLabel) e.nextElement();
- if ( elem.steTypes.size() == colorTypes.size() &&
elem.steTypes.containsAll(colorTypes))
- {
- found = true;
- elem.ids.add(idStr);
- }
-
- }
- if (!found && (0 < colorTypes.size()))
- {
- SecurityLabel entry = new SecurityLabel();
- entry.steTypes = colorTypes;
- entry.ids = new Vector();
- entry.ids.add(idStr);
- bagOfSsids.add(entry);
- }
-
- /* Get Chinese wall type */
- Vector chwTypes = new Vector();
- pConflictEntries(e1, "ChWall", bagOfChwTypes, chwTypes);
-
- found = false;
- e = bagOfChwSsids.elements();
-
- while (e.hasMoreElements())
- {
- SecurityLabel elem = (SecurityLabel) e.nextElement();
- if ( elem.chwTypes.size() == chwTypes.size() &&
elem.chwTypes.containsAll(chwTypes))
- {
- found = true;
- elem.chwIDs.add(idStr);
- }
-
- }
-
- if (!found && (0 < chwTypes.size()))
- {
- SecurityLabel entry = new SecurityLabel();
- entry.chwTypes = chwTypes;
- entry.chwIDs = new Vector();
- entry.chwIDs.add(idStr);
- bagOfChwSsids.add(entry);
- }
- }
- }
- return;
- }
-
- public Document pGetDomDefinition(
- String definitionFileName,
- String definitionHash)
- throws Exception, SAXException, ParserConfigurationException
- {
- printDebug("\n pGDD:: definition file name: " + definitionFileName);
- printDebug("\n pGDD:: definition file hash: " + definitionHash);
-
- Document doc = getDomTree(definitionFileName);
- return doc;
- }
-
- public void pGetTypes(
- Document defDoc,
- Vector bagOfTypes,
- Vector bagOfChwTypes,
- Vector bagOfConflictSsids)
- throws Exception
- {
-
-
- if (null == defDoc)
- throw new Exception(" pGT:: definition file DOM is null ");
-
- Element root = defDoc.getDocumentElement();
-
- /* Get list of TE types */
- NodeList elementList = root.getElementsByTagName ("Types");
- printDebug ("\n pGT:: Types length of NodeList:" + elementList.getLength());
- Element e1 = (Element) elementList.item (0);
- pGetEntries(e1,"TE",bagOfTypes);
-
- /* Get list of Chinese types */
- elementList = root.getElementsByTagName ("ChWallTypes");
- printDebug ("\n pGT:: ChwTypes length of NodeList:" +
elementList.getLength());
- if (0 == elementList.getLength())
- {
- printDebug ("\n pGT:: ChWallTypes has zero length: :" +
elementList.getLength());
- } else {
- e1 = (Element) elementList.item (0);
- pGetEntries(e1,"ChWall",bagOfChwTypes);
- }
- printDebug (" pGT:: Total number of unique chw types: " +
bagOfChwTypes.size());
-
- /* Get Chinese type conflict sets */
- elementList = root.getElementsByTagName ("ConflictSet");
- printDebug ("\n pGT:: Conflict sets length of NodeList:" +
elementList.getLength());
- for (int x = 0; x < elementList.getLength(); x++)
- {
- Vector conflictEntry = new Vector();
- e1 = (Element) elementList.item (x);
- printDebug ("\n pGT:: Conflict sets : " + x);
-
- pConflictEntries(e1, "ChWall", bagOfChwTypes, conflictEntry);
-
- if (conflictEntry.size() > 0)
- {
- boolean found = false;
- Enumeration e = bagOfConflictSsids.elements();
-
- while (e.hasMoreElements())
- {
- Vector elem = (Vector) e.nextElement();
- if (elem.size() == conflictEntry.size() &&
elem.containsAll(conflictEntry))
- {
- found = true;
- }
-
- }
- if (!found)
- {
- bagOfConflictSsids.add(conflictEntry);
- }
- }
- }
-
- }
-
- public void pGetEntries(Element doc, String tag, Vector typeBag)
- throws Exception
- {
-
- if (null == doc)
- throw new Exception(" pGE:: Element doc is null");
-
- if (null == typeBag)
- throw new Exception(" pGE:: typeBag is null");
-
- NodeList elist = doc.getElementsByTagName (tag);
- for (int j = 0; j < elist.getLength(); j++)
- {
- Node knode = elist.item (j);
- Node childNode = knode.getFirstChild();
- String value = childNode.getNodeValue();
-
- printDebug (" pGT:: "+ tag +" type: " + value);
-
- /* Check if value is known */
- if (!typeBag.contains(value))
- typeBag.addElement(value);
- }
- }
-
- public void pConflictEntries(Element doc, String tag, Vector typeBag, Vector
conflictEntry)
- throws Exception
- {
-
- if (null == doc)
- throw new Exception(" pGE:: Element doc is null");
-
- if (null == typeBag)
- throw new Exception(" pGE:: typeBag is null");
-
- if (null == conflictEntry)
- throw new Exception(" pGE:: typeBag is null");
-
-
- NodeList elist = doc.getElementsByTagName (tag);
-
- for (int j = 0; j < elist.getLength(); j++)
- {
- Node knode = elist.item (j);
- Node childNode = knode.getFirstChild();
- String value = childNode.getNodeValue();
-
- printDebug (" pGE:: "+ tag +" type: " + value);
-
- /* Check if value is known */
- if (!typeBag.contains(value))
- throw new Exception(" pCE:: found undefined type set " + value);
-
- if (!conflictEntry.contains(value))
- conflictEntry.addElement(value);
-
- }
- }
-
- public void processDomTreeVlanSlot(
- Document doc,
- Vector bagOfSsids,
- Vector bagOfTypes)
- throws Exception
- {
- boolean found;
-
- printDebug(" pDTVS::Size of bagOfSsids: "+ bagOfSsids.size());
- Element root = doc.getDocumentElement();
-
- NodeList elementList = root.getElementsByTagName ("Vlan");
- printDebug("\n pDTVS:: Vlan length of NodeList:" + elementList.getLength());
-
- for (int x = 0; x < elementList.getLength(); x++)
- {
- found = false;
-
- Node node = elementList.item (x);
-
- if (node.getNodeType() == Node.ELEMENT_NODE)
- {
- printDebug(" pDTVS:: child: " + x + " is an element node" );
- Element e1 = (Element) node;
-
- /* Get vid */
- NodeList elist = e1.getElementsByTagName ("vid");
- String idStr = elist.item(0).getFirstChild().getNodeValue();
- printDebug (" pDTVS:: vid:" + idStr);
-
- /* Get TE */
- elist = e1.getElementsByTagName ("TE");
- printDebug (" pDTVS:: Total ste types: " + elist.getLength());
-
- Vector colorTypes = new Vector();
- for (int j = 0; j < elist.getLength(); j++)
- {
- Node knode = elist.item (j);
- Node childNode = knode.getFirstChild();
- String value = childNode.getNodeValue();
-
- printDebug (" pDT:: My color is: " + value);
- if (!bagOfTypes.contains(value))
- {
- throw new IOException("pDT:: Vlan: " + idStr+ " has unknown
type : "+ value);
- }
-
- if (!colorTypes.contains(value))
- colorTypes.addElement(value);
- }
- Enumeration e = bagOfSsids.elements();
- while (e.hasMoreElements())
- {
- SecurityLabel elem = (SecurityLabel) e.nextElement();
- if ( elem.steTypes.size() == colorTypes.size() &&
elem.steTypes.containsAll(colorTypes))
- {
- found = true;
- if (null == elem.vlans)
- elem.vlans = new Vector();
- elem.vlans.add(idStr);
- }
-
- }
- if (!found && (0 < colorTypes.size()))
- {
- SecurityLabel entry = new SecurityLabel();
- entry.steTypes = colorTypes;
- entry.vlans = new Vector();
- entry.vlans.add(idStr);
- bagOfSsids.add(entry);
- }
-
- }
- }
- printDebug(" pDTVS::After slot Size of bagOfSsids: "+ bagOfSsids.size());
-
- elementList = root.getElementsByTagName ("Slot");
- printDebug ("\n pDTVS:: Slot length of NodeList:" + elementList.getLength());
-
- for (int x = 0; x < elementList.getLength(); x++)
- {
- found = false;
-
- Node node = elementList.item (x);
-
- if (node.getNodeType() == Node.ELEMENT_NODE)
- {
- printDebug(" pDT:: child: " + x + " is an element node" );
- Element e1 = (Element) node;
-
-
- /* Get slot and bus */
- SlotInfo item = new SlotInfo();
-
- NodeList elist = e1.getElementsByTagName ("bus");
- item.bus = elist.item(0).getFirstChild().getNodeValue();
- elist = e1.getElementsByTagName ("slot");
- item.slot = elist.item(0).getFirstChild().getNodeValue();
- printDebug (" pDT:: bus and slot:" + item.bus + " "+ item.slot);
-
- /* Get TE */
- elist = e1.getElementsByTagName ("TE");
- printDebug (" pDT:: Total ste types: " + elist.getLength());
-
- Vector colorTypes = new Vector();
- for (int j = 0; j < elist.getLength(); j++)
- {
- Node knode = elist.item (j);
- Node childNode = knode.getFirstChild();
- String value = childNode.getNodeValue();
-
- printDebug (" pDT:: My color is: " + value);
- if (!bagOfTypes.contains(value))
- {
- throw new IOException("pDT:: bus: " + item.bus + " slot: "+
item.slot + " has unknown type : "+ value);
- }
-
- if (!colorTypes.contains(value))
- colorTypes.addElement(value);
- }
-
- Enumeration e = bagOfSsids.elements();
- while (e.hasMoreElements())
- {
- SecurityLabel elem = (SecurityLabel) e.nextElement();
- if ( elem.steTypes.size() == colorTypes.size() &&
elem.steTypes.containsAll(colorTypes))
- {
- found = true;
- if (null == elem.slots)
- elem.slots = new Vector();
- elem.slots.add(item);
-
- }
-
- }
-
- if (!found && (0 < colorTypes.size()))
- {
- SecurityLabel entry = new SecurityLabel();
- entry.steTypes = colorTypes;
- entry.slots = new Vector();
- entry.slots.add(item);
- bagOfSsids.add(entry);
- }
-
- }
- }
- return;
- }
-
- public static void main (String[] args)
- {
- String xmlFileName = null; /* policy file */
- String outputFileName = null; /* binary policy file */
- String xenSsidOutputFileName = null; /* outputfile ssid to named
types */
- /* outputfile conflicts ssid to named
types */
- String xenSsidConfOutputFileName = null;
-
- XmlToBin genObj = new XmlToBin();
-
- policy_version active_policy = new policy_version();
-
- if ((active_policy.ACM_POLICY_VERSION != ACM_POLICY_VERSION) ||
- (active_policy.ACM_CHWALL_VERSION != ACM_CHWALL_VERSION) ||
- (active_policy.ACM_STE_VERSION != ACM_STE_VERSION)) {
- System.out.println("ACM policy versions differ.");
- System.out.println("Please verify that data structures are correct");
- System.out.println("and then adjust the version numbers in
XmlToBinInterface.java.");
- return;
- }
-
-
- for (int i = 0 ; i < args.length ; i++) {
-
- if ( args[i].equals("-help")) {
- printUsage();
- System.exit(1);
-
- } else if ( args[i].equals("-i")) {
- i++;
- if (i < args.length) {
- xmlFileName = args[i];
- } else {
- System.out.println("-i argument needs parameter");
- System.exit(1);
- }
-
- } else if ( args[i].equals("-o")) {
- i++;
- if (i < args.length) {
- outputFileName = args[i];
- } else {
- System.out.println("-o argument needs parameter");
- System.exit(1);
- }
-
- } else if ( args[i].equals("-xssid")) {
- i++;
- if (i < args.length) {
- xenSsidOutputFileName = args[i];
- } else {
- System.out.println("-xssid argument needs parameter");
- System.exit(1);
- }
-
- } else if ( args[i].equals("-xssidconf")) {
- i++;
- if (i < args.length) {
- xenSsidConfOutputFileName = args[i];
- } else {
- System.out.println("-xssidconf argument needs parameter");
- System.exit(1);
- }
- } else if ( args[i].equals("-debug")) { /* turn on debug msg */
- genObj.setDebug(true);
- } else {
- System.out.println("bad command line argument: " + args[i]);
- printUsage();
- System.exit(1);
- }
-
- }
-
- if (xmlFileName == null)
- {
- System.out.println("Need to specify input file -i option");
- printUsage();
- System.exit(1);
- }
-
-
- try
- {
- /* Parse and validate */
- Document doc = genObj.getDomTree(xmlFileName);
-
- /* Vectors to hold sets of types */
- Vector bagOfSsids = new Vector();
- Vector bagOfTypes = new Vector();
- Vector bagOfChwSsids = new Vector();
- Vector bagOfChwTypes = new Vector();
- Vector bagOfConflictSsids = new Vector();
-
- Vector vlanMapSsids = new Vector();
- Vector slotMapSsids = new Vector();
-
- genObj.processDomTree(doc, bagOfSsids, bagOfTypes, bagOfChwSsids,
bagOfChwTypes, bagOfConflictSsids);
-
- genObj.processDomTreeVlanSlot(doc, bagOfSsids, bagOfTypes);
-
- /* Get binary representation of policies */
- byte[] stePolicy = genObj.generateSteBuffer(bagOfSsids, bagOfTypes);
- byte[] chwPolicy = genObj.generateChwBuffer(bagOfChwSsids,
bagOfConflictSsids,bagOfChwTypes);
-
- byte[] binPolicy = null;
- byte[] binaryPartionSsid = null;
- byte[] binaryVlanSsid = null;
- byte[] binarySlotSsid = null;
-
- /* Get binary representation of partition to ssid mapping */
- binaryPartionSsid = genObj.generatePartSsids(bagOfSsids,bagOfChwSsids);
-
- /* Get binary representation of vlan to ssid mapping */
- binaryVlanSsid = genObj.generateVlanSsids(bagOfSsids);
-
- /* Get binary representation of slot to ssid mapping */
- binarySlotSsid = genObj.generateSlotSsids(bagOfSsids);
-
- /* Generate binary representation: policy, partition, slot and vlan */
- binPolicy = genObj.GenBinaryPolicyBuffer(chwPolicy,stePolicy,
binaryPartionSsid, binaryVlanSsid, binarySlotSsid);
-
-
- /* Write binary policy into file */
- if (null != outputFileName)
- {
- genObj.writeBinPolicy(binPolicy, outputFileName);
- } else {
- System.out.println (" No binary policy generated,
outputFileName: " + outputFileName);
- }
-
- /* Print total number of types */
- System.out.println (" Total number of unique ste types: " +
bagOfTypes.size());
- System.out.println (" Total number of Ssids : " + bagOfSsids.size());
- System.out.println (" Total number of unique chw types: " +
bagOfChwTypes.size());
- System.out.println (" Total number of conflict ssids : " +
bagOfConflictSsids.size());
- System.out.println (" Total number of chw Ssids : " +
bagOfChwSsids.size());
-
- if (null != xenSsidOutputFileName)
- genObj.writeXenTypeFile(bagOfSsids, xenSsidOutputFileName,
true);
-
- if (null != xenSsidConfOutputFileName)
- genObj.writeXenTypeFile(bagOfChwSsids,
xenSsidConfOutputFileName, false);
- }
- catch (Exception e)
- {
- e.printStackTrace();
- }
- }
-}
diff -r 1895942150a5 -r 513acbeac420
tools/misc/policyprocessor/XmlToBinInterface.java
--- a/tools/misc/policyprocessor/XmlToBinInterface.java Fri Aug 19 08:55:03 2005
+++ /dev/null Fri Aug 19 09:03:17 2005
@@ -1,138 +0,0 @@
-/**
- * (C) Copyright IBM Corp. 2005
- *
- * $Id: XmlToBinInterface.java,v 1.3 2005/06/20 21:07:37 rvaldez Exp $
- *
- * Author: Ray Valdez
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License as
- * published by the Free Software Foundation, version 2 of the
- * License.
- *
- * XmlToBinInterface Class.
- * <p>
- *
- * Defines constants used by XmToBin.
- *
- * <p>
- *
- * policy binary structures
- *
- * struct acm_policy_buffer {
- * u32 policy_version; * ACM_POLICY_VERSION *
- * u32 magic;
- * u32 len;
- * u32 primary_policy_code;
- * u32 primary_buffer_offset;
- * u32 secondary_policy_code;
- * u32 secondary_buffer_offset;
- * +u32 resource offset (not used yet in Xen)
- * };
- *
- *
- * struct acm_ste_policy_buffer {
- * u32 policy_version; * ACM_STE_VERSION *
- * u32 policy_code;
- * u32 ste_max_types;
- * u32 ste_max_ssidrefs;
- * u32 ste_ssid_offset;
- * };
- *
- * struct acm_chwall_policy_buffer {
- * u32 policy_version; * ACM_CHWALL_VERSION *
- * u32 policy_code;
- * u32 chwall_max_types;
- * u32 chwall_max_ssidrefs;
- * u32 chwall_max_conflictsets;
- * u32 chwall_ssid_offset;
- * u32 chwall_conflict_sets_offset;
- * u32 chwall_running_types_offset;
- * u32 chwall_conflict_aggregate_offset;
- * };
- *
- * typedef struct {
- * u16 partition_max;
- * u16 partition_offset;
- * u16 vlan_max;
- * u16 vlan_offset;
- * u16 slot_max;
- * u16 slot_offset;
- * } acm_resource_buffer_t;
- *
- * typedef struct {
- * u16 id;
- * u16 ssid_ste;
- * u16 ssid_chwall;
- * } acm_partition_entry_t;
- *
- * typedef struct {
- * u16 vlan;
- * u16 ssid_ste;
- * } acm_vlan_entry_t;
- *
- * typedef struct {
- * u16 bus;
- * u16 slot;
- * u16 ssid_ste;
- * } acm_slot_entry_t;
- *
- *
- *
- */
-public interface XmlToBinInterface
-{
- /* policy code (uint16) */
- final int policyCodeSize = 2;
-
- /* max_types (uint16) */
- final int maxTypesSize = 2;
-
- /* max_ssidrefs (uint16) */
- final int maxSsidrefSize = 2;
-
- /* ssid_offset (uint32) */
- final int ssidOffsetSize = 2;
-
- final short markSymbol = 0x0001;
-
- final int u32Size = 4;
- final int u16Size = 2;
-
- /* num of bytes for acm_ste_policy_buffer_t */
- final int steHeaderSize = (5 * u32Size);
-
- /* byte for acm_chinese_wall_policy_buffer_t */
- final int chwHeaderSize = (9 * u32Size);
-
- final int primaryPolicyCodeSize = u32Size;
- final int primaryBufferOffsetSize = u32Size ;
-
- final int secondaryPolicyCodeSz = u32Size;
- final int secondaryBufferOffsetSz = u32Size;
- final int resourceOffsetSz = u32Size;
-
- final short partitionBufferSz = (2 * u16Size);
- final short partitionEntrySz = (3 * u16Size);
-
- final short slotBufferSz = (2 * u16Size);
- final short slotEntrySz = (3 * u16Size);
-
- final short vlanBufferSz = (2 * u16Size);
- final short vlanEntrySz = (2 * u16Size);
-
- final int binaryBufferHeaderSz = (8 * u32Size); /* 8th not used in Xen */
-
- /* copied directly from acm.h */
- final int ACM_MAGIC = 0x0001debc;
- final int ACM_NULL_POLICY = 0;
- final int ACM_CHINESE_WALL_POLICY = 1;
- final int ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY = 2;
- final int ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY = 3;
- final int ACM_EMPTY_POLICY = 4;
-
- /* version for compatibility check */
- final int ACM_POLICY_VERSION = 1;
- final int ACM_STE_VERSION = 1;
- final int ACM_CHWALL_VERSION = 1;
-}
diff -r 1895942150a5 -r 513acbeac420 tools/misc/policyprocessor/c2j_include.c
--- a/tools/misc/policyprocessor/c2j_include.c Fri Aug 19 08:55:03 2005
+++ /dev/null Fri Aug 19 09:03:17 2005
@@ -1,57 +0,0 @@
-/****************************************************************
- * c2j_include.c
- *
- * Copyright (C) 2005 IBM Corporation
- *
- * Authors:
- * Reiner Sailer <sailer@xxxxxxxxxxxxxx>
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License as
- * published by the Free Software Foundation, version 2 of the
- * License.
- *
- * This tool makes some constants from acm.h available to the
- * java policyprocessor for version checking.
- */
-#include <stdio.h>
-#include <errno.h>
-#include <stdlib.h>
-#include <stdint.h>
-
-typedef uint8_t u8;
-typedef uint16_t u16;
-typedef uint32_t u32;
-typedef uint64_t u64;
-typedef int8_t s8;
-typedef int16_t s16;
-typedef int32_t s32;
-typedef int64_t s64;
-
-#include <xen/acm.h>
-
-char *filename = "policy_version.java";
-
-int main(int argc, char **argv)
-{
-
- FILE *fd;
- if ((fd = fopen(filename, "w")) <= 0)
- {
- printf("File %s not found.\n", filename);
- exit(-ENOENT);
- }
-
- fprintf(fd, "/*\n * This file was automatically generated\n");
- fprintf(fd, " * Do not change it manually!\n */\n");
- fprintf(fd, "public class policy_version {\n");
- fprintf(fd, " final int ACM_POLICY_VERSION = %x;\n",
- ACM_POLICY_VERSION);
- fprintf(fd, " final int ACM_CHWALL_VERSION = %x;\n",
- ACM_CHWALL_VERSION);
- fprintf(fd, " final int ACM_STE_VERSION = %x;\n",
- ACM_STE_VERSION);
- fprintf(fd, "}\n");
- fclose(fd);
- return 0;
-}
diff -r 1895942150a5 -r 513acbeac420 tools/misc/policyprocessor/myHandler.java
--- a/tools/misc/policyprocessor/myHandler.java Fri Aug 19 08:55:03 2005
+++ /dev/null Fri Aug 19 09:03:17 2005
@@ -1,47 +0,0 @@
-/**
- * (C) Copyright IBM Corp. 2005
- *
- * $Id: myHandler.java,v 1.2 2005/06/17 20:00:04 rvaldez Exp $
- *
- * Author: Ray Valdez
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License as
- * published by the Free Software Foundation, version 2 of the
- * License.
- *
- * myHandler Class.
- *
- * <p>
- *
- * A dummy class used for detecting XML validating/parsing errors.
- *
- * <p>
- *
- *
- */
-import org.xml.sax.helpers.*;
-import org.xml.sax.SAXParseException;
-
-class myHandler extends DefaultHandler
-{
- public boolean isValid = true;
-
- /* Notification of a recoverable error. */
- public void error(SAXParseException se)
- {
- isValid = false;
- }
-
- /* Notification of a non-recoverable error. */
- public void fatalError(SAXParseException se)
- {
- isValid = false;
- }
-
- /* Notification of a warning. */
- public void warning(SAXParseException se)
- {
- isValid = false;
- }
-}
diff -r 1895942150a5 -r 513acbeac420 tools/misc/policyprocessor/readme.install
--- a/tools/misc/policyprocessor/readme.install Fri Aug 19 08:55:03 2005
+++ /dev/null Fri Aug 19 09:03:17 2005
@@ -1,33 +0,0 @@
-# Author: Ray Valdez, rvaldez@xxxxxxxxxx
-# Version: 1.0
-#
-# install readme
-#
-PREREQUISITES:
-
-Prior to installation of the policy processor tool (XmlToBin) you must have...
-
- 1. Java version 1.4.2
- 2. xmlParserAPIs.jar and xercesImpl.jar
-
-The above can be obtained from the Sun Developer Network web site at
-http://java.sun.com/j2se/1.4.2/download.html.
-
-XmlParserAPIs and xercesImpl jars can be obtained from
-http://www.apache.org/dist/xml/xerces-j (Xerces-J-bin.2.6.2.tar.gz,
-for example).
-
-The tool has been tested with J2SE v1.4.2_08 JRE on Linux (32-bit
-INTEL).
-
-INSTALLATION
-
-1. Set PATH to include $HOME_JAVA/bin and $HOME_JAVA/jre/bin
- where $HOME_JAVA is your java installation directory
-
-2. Compile XmlToBin:
- javac XmlToBin.java
-
-USAGE
-
- See readme.xen
diff -r 1895942150a5 -r 513acbeac420 tools/misc/policyprocessor/readme.xen
--- a/tools/misc/policyprocessor/readme.xen Fri Aug 19 08:55:03 2005
+++ /dev/null Fri Aug 19 09:03:17 2005
@@ -1,65 +0,0 @@
-# Author: Ray Valdez, rvaldez@xxxxxxxxxx
-# Version: 1.0
-#
-# This readme describes the policy processor tool for sHype.
-#
-
-Java program:
-
- java XmlToBin -i [file.xml] -o <file.bin> -xssid <SsidFile> -xssidconf
<SsidConf>
-
- Command line options:
-
- -i inputFile: name of policyfile (.xml)
- -o outputFile: name of binary policy file (Big Endian)
- -xssid SsidFile: xen ssids to named types text file
- -xssidconf SsidConf: xen conflict ssids to types text file
- -debug turn on debug messages
- -help help. This printout
-
-Where:
-
-file.xml is the (input) xml policy file to be parsed and validated.
-The syntax for file.xml is defined in the SecurityPolicySpec.xsd file.
-file.bin is the (output) binary policy file generated by XmlToBin.
-This binary policy can be activated in sHype. The binary policy file
-is laid out in network byte order (i.e., big endian). The SsidFile
-file contains the mapping of type enforcement (TE) ssids to the "named
-types". Similarly, the SsidConf file contains the mapping of Chinese
-Wall (ChWall) ssids to conflict named types. The ssidFile and SsidConf
-files are used by Xen.
-
-Xml Schema and policy:
-
-The SecurityPolicySpec.xsd defines the syntax of a policy file. It
-declares the tags that are used by XmlToBin to generate the binary
-policy file. The tags that XmlToBin keys on are TE, ChWall, id, vid,
-etc. The xml files that describe a policy are simple. Semantic
-checking of a policy is performed mostly by XmlToBin. A type, for
-example, is a string. No fixed values are defined for types in Xml.
-
-A policy consists of two Xml files: definition and policy. The
-definition Xml declares the types that are permitted in the policy
-Xml. The policy Xml contains the assignment of labels to
-subject/object (e.g., vm). This Xml file contains an explicit
-reference to the definition Xml (e.g., <url>xen_sample_def.xml</url>).
-The policy Xml is the one provided as a command line argument.
-
-
-Files:
-
-*.java - policy processor source
-xen_sample_policy.xml - sample xml policy file
-xen_sample_def.xml - sample user defined types
-SecurityPolicySpec.xsd - schema definition file
-
-
-To generate the sample binary policy:
-
-export CLASSPATH=$XERCES_HOME/xercesImpl.jar:$XERCES_HOME/xmlParserAPIs.jar:.
-
-java XmlToBin -i xen_sample_policy.xml -o xen_sample_policy.bin
-
-where $XERCES_HOME is the installation directory of the Apache Xerces-J
-
-
diff -r 1895942150a5 -r 513acbeac420
tools/misc/policyprocessor/xen_sample_def.xml
--- a/tools/misc/policyprocessor/xen_sample_def.xml Fri Aug 19 08:55:03 2005
+++ /dev/null Fri Aug 19 09:03:17 2005
@@ -1,46 +0,0 @@
-<?xml version="1.0"?>
-<!-- Author: Ray Valdez, rvaldez@xxxxxxxxxx -->
-<!-- example policy type definition -->
-<SecurityPolicySpec
-xmlns="http://www.ibm.com"
-xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-xsi:schemaLocation="http://www.ibm.com SecurityPolicySpec.xsd">
-
-<Definition>
-<!-- an example of a simple type enforcement type definition -->
- <Types>
- <TE>LOCAL-management</TE>
- <TE>R-Company-development</TE>
- <TE>S-Company-order</TE>
- <TE>T-Company-advertising</TE>
- <TE>U-Company-computing</TE>
- <!-- TE nondevelopment -->
- </Types>
-
-<!-- an example of a chinese wall type definition along with conflict sets-->
- <ChWallTypes>
- <ChWall>Q-Company</ChWall>
- <ChWall>R-Company</ChWall>
- <ChWall>S-Company</ChWall>
- <ChWall>T-Company</ChWall>
- <ChWall>U-Company</ChWall>
- <ChWall>V-Company</ChWall>
- <ChWall>W-Company</ChWall>
- <ChWall>X-Company</ChWall>
- <ChWall>Y-Company</ChWall>
- <ChWall>Z-Company</ChWall>
- </ChWallTypes>
-
- <ConflictSet>
- <ChWall>T-Company</ChWall>
- <ChWall>S-Company</ChWall>
- </ConflictSet>
-
- <ConflictSet>
- <ChWall>R-Company</ChWall>
- <ChWall>V-Company</ChWall>
- <ChWall>W-Company</ChWall>
- </ConflictSet>
-
-</Definition>
-</SecurityPolicySpec>
diff -r 1895942150a5 -r 513acbeac420
tools/misc/policyprocessor/xen_sample_policy.xml
--- a/tools/misc/policyprocessor/xen_sample_policy.xml Fri Aug 19 08:55:03 2005
+++ /dev/null Fri Aug 19 09:03:17 2005
@@ -1,58 +0,0 @@
-<?xml version="1.0"?>
-<!-- Author: Ray Valdez, rvaldez@xxxxxxxxxx -->
-<!-- example xen policy file -->
-
-<SecurityPolicySpec
-xmlns="http://www.ibm.com"
-xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-xsi:schemaLocation="http://www.ibm.com SecurityPolicySpec.xsd">
-<Policy>
- <PolicyHeader>
- <Name>xen sample policy</Name>
- <DateTime>2005-05-20T16:56:00</DateTime>
- <Tag>foobar</Tag>
- <TypeDefinition>
- <url>xen_sample_def.xml</url>
- <hash>abcdef123456abcdef</hash>
- </TypeDefinition>
- </PolicyHeader>
-
- <VM>
- <id> 0 </id>
- <TE>LOCAL-management</TE>
- <TE>R-Company-development</TE>
- <TE>S-Company-order</TE>
- <TE>T-Company-advertising</TE>
- <TE>U-Company-computing</TE>
- <ChWall>Q-Company</ChWall>
- </VM>
-
- <VM>
- <id> 1 </id>
- <TE>R-Company-development</TE>
- <ChWall>R-Company</ChWall>
- </VM>
-
- <VM>
- <id> 2 </id>
- <TE>S-Company-order</TE>
- <ChWall>S-Company</ChWall>
-
- </VM>
-
- <VM>
- <id> 3 </id>
- <TE>T-Company-advertising</TE>
- <ChWall>T-Company</ChWall>
- </VM>
-
-
- <VM>
- <id> 4 </id>
- <TE>U-Company-computing</TE>
- <ChWall>U-Company</ChWall>
- </VM>
-
-
-</Policy>
-</SecurityPolicySpec>