WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-changelog

[Xen-changelog] This patch:

# HG changeset patch
# User kaf24@xxxxxxxxxxxxxxxxxxxx
# Node ID 513acbeac4205209ce48dd39ec6ca06121156be8
# Parent  1895942150a57e2abaa07effcce870fed8186fb7
This patch:

* adds a C-based security policy translation tool to Xen (secpol_xml2bin) 
and removes the current Java 
security policy translator (Java dependencies).  The C-based tool 
integrates into the Xen source tree build 
and install (using gnome libxml2 for XML parsing). See install.txt.

* introduces security labels and related tools. Users can now use 
semantic-rich label names to put security-tags 
on domains. See example.txt, policy.txt.

* moves the security configuration (currently ACM_USE_SECURITY_POLICY) 
from xen/Rules.mk 
into a separate top-level Security.mk file  (it is needed by the 
tools/security and xen/acm).

Both xen/acm and tools/security are built during the Xen build process 
only if ACM_USE_SECURITY_POLICY 
is not ACM_NULL_POLICY (which is the default setting).

Signed-off-by Reiner Sailer <sailer@xxxxxxxxxx>
Signed-off by Stefan Berger <stefanb@xxxxxxxxxx>
Signed-off by Ray Valdez <rvaldez@xxxxxxxxxx>

diff -r 1895942150a5 -r 513acbeac420 Config.mk
--- a/Config.mk Fri Aug 19 08:55:03 2005
+++ b/Config.mk Fri Aug 19 09:03:17 2005
@@ -35,3 +35,11 @@
 
 # Choose the best mirror to download linux kernel
 KERNEL_REPO = http://www.kernel.org
+
+# ACM_USE_SECURITY_POLICY is set to security policy of Xen
+# Supported models are:
+#      ACM_NULL_POLICY (ACM will not be built with this policy)
+#      ACM_CHINESE_WALL_POLICY
+#      ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY
+#      ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY
+ACM_USE_SECURITY_POLICY ?= ACM_NULL_POLICY
diff -r 1895942150a5 -r 513acbeac420 tools/security/Makefile
--- a/tools/security/Makefile   Fri Aug 19 08:55:03 2005
+++ b/tools/security/Makefile   Fri Aug 19 09:03:17 2005
@@ -2,27 +2,71 @@
 include $(XEN_ROOT)/tools/Rules.mk
 
 SRCS     = secpol_tool.c
-CFLAGS   += -static
 CFLAGS   += -Wall
 CFLAGS   += -Werror
 CFLAGS   += -O3
 CFLAGS   += -fno-strict-aliasing
-CFLAGS   += -I.
+CFLAGS   += -I. -I/usr/include/libxml2
+CFLAGS_XML2BIN += $(shell xml2-config --cflags --libs )
+#if above does not work, try  -L/usr/lib -lxml2 -lz -lpthread -lm
+XML2VERSION = $(shell xml2-config --version )
+VALIDATE_SCHEMA=$(shell if [[ $(XML2VERSION) < 2.6.20 ]]; then echo ""; else 
echo "-DVALIDATE_SCHEMA"; fi; )
 
+ifeq ($(ACM_USE_SECURITY_POLICY),ACM_NULL_POLICY)
+POLICY=null
+endif
+ifeq ($(ACM_USE_SECURITY_POLICY),ACM_CHINESE_WALL_POLICY)
+POLICY=chwall
+endif
+ifeq ($(ACM_USE_SECURITY_POLICY),ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY)
+POLICY=ste
+endif
+ifeq 
($(ACM_USE_SECURITY_POLICY),ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY)
+POLICY=chwall_ste
+endif
+POLICYFILE=./policies/$(POLICY)/$(POLICY).bin
+
+ifneq ($(ACM_USE_SECURITY_POLICY), ACM_NULL_POLICY)
 all: build
+
+install:all
+
+default:all
+else
+all:
+
+install:
+
+default:
+endif
+
 build: mk-symlinks
        $(MAKE) secpol_tool
+       $(MAKE) secpol_xml2bin
+       chmod 700 ./setlabel.sh
+       chmod 700 ./updategrub.sh
 
-default: all
-
-install: all
-
-secpol_tool : secpol_tool.c
+secpol_tool : secpol_tool.c secpol_compat.h
        $(CC) $(CPPFLAGS) $(CFLAGS) -o $@ $<
 
+secpol_xml2bin : secpol_xml2bin.c secpol_xml2bin.h secpol_compat.h
+       $(CC) $(CPPFLAGS) $(CFLAGS) $(CFLAGS_XML2BIN) $(VALIDATE_SCHEMA) -o $@ 
$<
+
 clean:
-       rm -rf secpol_tool xen
+       rm -rf secpol_tool secpol_xml2bin xen
 
+policy_clean:
+       rm -rf policies/*/*.bin policies/*/*.map
+
+mrproper: clean policy_clean
+
+
+$(POLICYFILE) : build
+       @./secpol_xml2bin $(POLICY) > /dev/null
+
+boot_install: $(POLICYFILE)
+       @cp $(POLICYFILE) /boot
+       @./updategrub.sh $(POLICY) $(PWD)/$(XEN_ROOT)
 
 LINUX_ROOT := $(XEN_ROOT)/linux-2.6-xen-sparse
 mk-symlinks:
diff -r 1895942150a5 -r 513acbeac420 tools/security/secpol_tool.c
--- a/tools/security/secpol_tool.c      Fri Aug 19 08:55:03 2005
+++ b/tools/security/secpol_tool.c      Fri Aug 19 09:03:17 2005
@@ -31,18 +31,8 @@
 #include <stdlib.h>
 #include <sys/ioctl.h>
 #include <string.h>
-#include <stdint.h>
 #include <netinet/in.h>
-
-typedef uint8_t u8;
-typedef uint16_t u16;
-typedef uint32_t u32;
-typedef uint64_t u64;
-typedef int8_t s8;
-typedef int16_t s16;
-typedef int32_t s32;
-typedef int64_t s64;
-
+#include "secpol_compat.h"
 #include <xen/acm.h>
 #include <xen/acm_ops.h>
 #include <xen/linux/privcmd.h>
@@ -270,171 +260,6 @@
     }
 }
 
-/*************************** set policy ****************************/
-
-int acm_domain_set_chwallpolicy(void *bufstart, int buflen)
-{
-#define CWALL_MAX_SSIDREFS             6
-#define CWALL_MAX_TYPES             10
-#define CWALL_MAX_CONFLICTSETS         2
-
-    struct acm_chwall_policy_buffer *chwall_bin_pol =
-        (struct acm_chwall_policy_buffer *) bufstart;
-    domaintype_t *ssidrefs, *conflicts;
-    int ret = 0;
-    int j;
-
-    chwall_bin_pol->chwall_max_types = htonl(CWALL_MAX_TYPES);
-    chwall_bin_pol->chwall_max_ssidrefs = htonl(CWALL_MAX_SSIDREFS);
-    chwall_bin_pol->policy_code = htonl(ACM_CHINESE_WALL_POLICY);
-    chwall_bin_pol->policy_version = htonl(ACM_CHWALL_VERSION);
-    chwall_bin_pol->chwall_ssid_offset =
-        htonl(sizeof(struct acm_chwall_policy_buffer));
-    chwall_bin_pol->chwall_max_conflictsets =
-        htonl(CWALL_MAX_CONFLICTSETS);
-    chwall_bin_pol->chwall_conflict_sets_offset =
-        htonl(ntohl(chwall_bin_pol->chwall_ssid_offset) +
-              sizeof(domaintype_t) * CWALL_MAX_SSIDREFS * CWALL_MAX_TYPES);
-    chwall_bin_pol->chwall_running_types_offset = 0;    /* not set */
-    chwall_bin_pol->chwall_conflict_aggregate_offset = 0;       /* not set */
-    ret += sizeof(struct acm_chwall_policy_buffer);
-    /* now push example ssids into the buffer (max_ssidrefs x max_types 
entries) */
-    /* check buffer size */
-    if ((buflen - ret) <
-        (CWALL_MAX_TYPES * CWALL_MAX_SSIDREFS * sizeof(domaintype_t)))
-        return -1;              /* not enough space */
-
-    ssidrefs = (domaintype_t *) (bufstart +
-                          ntohl(chwall_bin_pol->chwall_ssid_offset));
-    memset(ssidrefs, 0,
-           CWALL_MAX_TYPES * CWALL_MAX_SSIDREFS * sizeof(domaintype_t));
-
-    /* now set type j-1 for ssidref i+1 */
-    for (j = 0; j <= CWALL_MAX_SSIDREFS; j++)
-        if ((0 < j) && (j <= CWALL_MAX_TYPES))
-            ssidrefs[j * CWALL_MAX_TYPES + j - 1] = htons(1);
-
-    ret += CWALL_MAX_TYPES * CWALL_MAX_SSIDREFS * sizeof(domaintype_t);
-    if ((buflen - ret) <
-        (CWALL_MAX_CONFLICTSETS * CWALL_MAX_TYPES * sizeof(domaintype_t)))
-        return -1;              /* not enough space */
-
-    /* now the chinese wall policy conflict sets */
-    conflicts = (domaintype_t *) (bufstart +
-                                  ntohl(chwall_bin_pol->
-                                        chwall_conflict_sets_offset));
-    memset((void *) conflicts, 0,
-           CWALL_MAX_CONFLICTSETS * CWALL_MAX_TYPES *
-           sizeof(domaintype_t));
-    /* just 1 conflict set [0]={2,3}, [1]={1,5,6} */
-    if (CWALL_MAX_TYPES > 3)
-    {
-        conflicts[2] = htons(1);
-        conflicts[3] = htons(1);        /* {2,3} */
-        conflicts[CWALL_MAX_TYPES + 1] = htons(1);
-        conflicts[CWALL_MAX_TYPES + 5] = htons(1);
-        conflicts[CWALL_MAX_TYPES + 6] = htons(1);      /* {0,5,6} */
-    }
-    ret += sizeof(domaintype_t) * CWALL_MAX_CONFLICTSETS * CWALL_MAX_TYPES;
-    return ret;
-}
-
-int acm_domain_set_stepolicy(void *bufstart, int buflen)
-{
-#define STE_MAX_SSIDREFS        6
-#define STE_MAX_TYPES                  5
-
-    struct acm_ste_policy_buffer *ste_bin_pol =
-        (struct acm_ste_policy_buffer *) bufstart;
-    domaintype_t *ssidrefs;
-    int j, ret = 0;
-
-    ste_bin_pol->ste_max_types = htonl(STE_MAX_TYPES);
-    ste_bin_pol->ste_max_ssidrefs = htonl(STE_MAX_SSIDREFS);
-    ste_bin_pol->policy_code = htonl(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY);
-    ste_bin_pol->policy_version = htonl(ACM_STE_VERSION);
-    ste_bin_pol->ste_ssid_offset =
-        htonl(sizeof(struct acm_ste_policy_buffer));
-    ret += sizeof(struct acm_ste_policy_buffer);
-    /* check buffer size */
-    if ((buflen - ret) <
-        (STE_MAX_TYPES * STE_MAX_SSIDREFS * sizeof(domaintype_t)))
-        return -1;              /* not enough space */
-
-    ssidrefs =
-        (domaintype_t *) (bufstart + ntohl(ste_bin_pol->ste_ssid_offset));
-    memset(ssidrefs, 0,
-           STE_MAX_TYPES * STE_MAX_SSIDREFS * sizeof(domaintype_t));
-    /* all types 1 for ssidref 1 */
-    for (j = 0; j < STE_MAX_TYPES; j++)
-        ssidrefs[1 * STE_MAX_TYPES + j] = htons(1);
-    /* now set type j-1 for ssidref j */
-    for (j = 0; j < STE_MAX_SSIDREFS; j++)
-        if ((0 < j) && (j <= STE_MAX_TYPES))
-            ssidrefs[j * STE_MAX_TYPES + j - 1] = htons(1);
-    ret += STE_MAX_TYPES * STE_MAX_SSIDREFS * sizeof(domaintype_t);
-    return ret;
-}
-
-#define MAX_PUSH_BUFFER        16384
-u8 push_buffer[MAX_PUSH_BUFFER];
-
-int acm_domain_setpolicy(int xc_handle)
-{
-    int ret;
-    struct acm_policy_buffer *bin_pol;
-    acm_op_t op;
-
-    /* future: read policy from file and set it */
-    bin_pol = (struct acm_policy_buffer *) push_buffer;
-    bin_pol->policy_version = htonl(ACM_POLICY_VERSION);
-    bin_pol->magic = htonl(ACM_MAGIC);
-    bin_pol->primary_policy_code = htonl(ACM_CHINESE_WALL_POLICY);
-    bin_pol->secondary_policy_code =
-        htonl(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY);
-
-    bin_pol->len = htonl(sizeof(struct acm_policy_buffer));
-    bin_pol->primary_buffer_offset = htonl(ntohl(bin_pol->len));
-    ret =
-        acm_domain_set_chwallpolicy(push_buffer +
-                                    ntohl(bin_pol->primary_buffer_offset),
-                                    MAX_PUSH_BUFFER -
-                                    ntohl(bin_pol->primary_buffer_offset));
-    if (ret < 0)
-    {
-        printf("ERROR creating chwallpolicy buffer.\n");
-        return -1;
-    }
-    bin_pol->len = htonl(ntohl(bin_pol->len) + ret);
-    bin_pol->secondary_buffer_offset = htonl(ntohl(bin_pol->len));
-    ret = acm_domain_set_stepolicy(push_buffer +
-                                 ntohl(bin_pol->secondary_buffer_offset),
-                                 MAX_PUSH_BUFFER -
-                                 ntohl(bin_pol->secondary_buffer_offset));
-    if (ret < 0)
-    {
-        printf("ERROR creating chwallpolicy buffer.\n");
-        return -1;
-    }
-    bin_pol->len = htonl(ntohl(bin_pol->len) + ret);
-
-    /* dump it and then push it down into xen/acm */
-    acm_dump_policy_buffer(push_buffer, ntohl(bin_pol->len));
-
-    op.cmd = ACM_SETPOLICY;
-    op.interface_version = ACM_INTERFACE_VERSION;
-    op.u.setpolicy.pushcache = (void *) push_buffer;
-    op.u.setpolicy.pushcache_size = ntohl(bin_pol->len);
-    ret = do_acm_op(xc_handle, &op);
-
-    if (ret)
-        printf("ERROR setting policy. Use 'xm dmesg' to see details.\n");
-    else
-        printf("Successfully changed policy.\n");
-
-    return ret;
-}
-
 /******************************* get policy ******************************/
 
 #define PULL_CACHE_SIZE                8192
@@ -602,7 +427,6 @@
 void usage(char *progname)
 {
     printf("Use: %s \n"
-           "\t setpolicy\n"
            "\t getpolicy\n"
            "\t dumpstats\n"
            "\t loadpolicy <binary policy file>\n", progname);
@@ -623,12 +447,7 @@
         exit(-1);
     }
 
-    if (!strcmp(argv[1], "setpolicy"))
-    {
-        if (argc != 2)
-            usage(argv[0]);
-        ret = acm_domain_setpolicy(acm_cmd_fd);
-    } else if (!strcmp(argv[1], "getpolicy")) {
+    if (!strcmp(argv[1], "getpolicy")) {
         if (argc != 2)
             usage(argv[0]);
         ret = acm_domain_getpolicy(acm_cmd_fd);
diff -r 1895942150a5 -r 513acbeac420 xen/Rules.mk
--- a/xen/Rules.mk      Fri Aug 19 08:55:03 2005
+++ b/xen/Rules.mk      Fri Aug 19 09:03:17 2005
@@ -10,14 +10,6 @@
 optimize    ?= y
 domu_debug  ?= n
 crash_debug ?= n
-
-# ACM_USE_SECURITY_POLICY is set to security policy of Xen
-# Supported models are:
-#      ACM_NULL_POLICY (ACM will not be built with this policy)
-#      ACM_CHINESE_WALL_POLICY
-#      ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY
-#      ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY
-ACM_USE_SECURITY_POLICY ?= ACM_NULL_POLICY
 
 include $(BASEDIR)/../Config.mk
 
diff -r 1895942150a5 -r 513acbeac420 tools/security/example.txt
--- /dev/null   Fri Aug 19 08:55:03 2005
+++ b/tools/security/example.txt        Fri Aug 19 09:03:17 2005
@@ -0,0 +1,269 @@
+##
+# example.txt <description to the xen access control architecture>
+#
+# Author:
+# Reiner Sailer 08/15/2005 <sailer@xxxxxxxxxxxxxx>
+#
+#
+# This file introduces into the tools to manage policies
+# and to label domains and resources.
+##
+
+We will show how to install and use the chwall_ste policy.
+Other policies work similarly. Feedback welcome!
+
+
+
+1. Using secpol_xml2bin to translate the chwall_ste policy:
+===========================================================
+
+#tools/security/secpol_xml2bin chwall_ste
+
+Successful execution should print:
+
+    [root@laptopxn security]# ./secpol_xml2bin chwall_ste
+    Validating label file 
policies/chwall_ste/chwall_ste-security_label_template.xml...
+    XML Schema policies/security_policy.xsd valid.
+    Validating policy file 
policies/chwall_ste/chwall_ste-security_policy.xml...
+    XML Schema policies/security_policy.xsd valid.
+    Creating ssid mappings ...
+    Creating label mappings ...
+    Max chwall labels:  7
+    Max chwall-types:   4
+    Max chwall-ssids:   5
+    Max ste labels:     14
+    Max ste-types:      6
+    Max ste-ssids:      10
+
+The tool looks in directory policies/chwall_ste for
+the label and policy files.
+
+The default policy directory structure under tools/security looks like:
+
+policies
+|-- security_policy.xsd
+|-- chwall
+|   |-- chwall-security_label_template.xml
+|   `-- chwall-security_policy.xml
+|-- chwall_ste
+|   |-- chwall_ste-security_label_template.xml
+|   `-- chwall_ste-security_policy.xml
+|-- null
+|   |-- null-security_label_template.xml
+|   `-- null-security_policy.xml
+`-- ste
+    |-- ste-security_label_template.xml
+    `-- ste-security_policy.xml
+
+policies/security_policy.xsd contains the schema against which both the
+label-template and the policy files must validate during translation.
+
+policies/chwall_ste/chwall_ste-security_policy.xml defines the
+policies and the types known to the policies.
+
+policies/chwall_ste/chwall_ste-security_label_template.xml contains
+label definitions that group chwall and ste types together and make
+them easier to use for users
+
+After executing the above secpol_xml2bin command, you will find 2 new
+files in the policies/chwall_ste sub-directory:
+
+policies/chwall_ste/chwall_ste.map ... this file includes the mapping
+of names from the xml files into their binary code representation.
+
+policies/chwall_ste/chwall_ste.bin ... this is the binary policy file,
+the result of parsing the xml files and using the mapping to extract a
+binary version that can be loaded into the hypervisor.
+
+
+
+2. Loading and activating the policy:
+=====================================
+
+We assume that xen is already configured to use the chwall_ste policy;
+please refer to install.txt for instructions.
+
+To activate the policy from the command line (assuming that the
+currently established policy is the minimal boot-policy that is
+hard-coded into the hypervisor:
+
+# ./secpol_tool loadpolicy policies/chwall_ste/chwall_ste.bin
+
+To activate the policy at next reboot:
+
+# cp policies/chwall_ste/chwall_ste.bin /boot
+
+Add a module line to your /boot/grub/grub.conf Xen entry.
+My boot entry with chwall_ste enabled looks like this:
+
+    title Xen (2.6.12)
+        root (hd0,5)
+        kernel /boot/xen.gz dom0_mem=1200000 console=vga
+        module /boot/vmlinuz-2.6.12-xen0 ro root=/dev/hda6 rhgb
+        module /boot/initrd-2.6.12-xen0.img
+        module /boot/chwall_ste.bin
+
+This tells the grub boot-loader to load the binary policy, which
+the hypervisor will recognize. The hypervisor will then establish
+this binary policy during boot instead of the minimal policy that
+is hardcoded as default.
+
+If you have any trouble here, maks sure you have the access control
+framework enabled (see: install.txt).
+
+
+
+3. Labeling domains:
+====================
+
+a) Labeling Domain0:
+
+The chwall_ste-security_label_template.xml file includes an attribute
+"bootstrap", which is set to the label name that will be assigned to
+Dom0 (this label will be mapped to ssidref 1/1, the default for Dom0).
+
+b) Labeling User Domains:
+
+Use the script tools/security/setlabel.sh to choose a label and to
+assign labels to user domains.
+
+To show available labels for the chwall_ste policy:
+
+#tools/security/setlabel.sh -l
+
+lists all available labels. For the default chwall_ste it should print
+the following:
+
+    [root@laptopxn security]# ./setlabel.sh -l chwall_ste
+    The following labels are available:
+    dom_SystemManagement
+    dom_HomeBanking
+    dom_Fun
+    dom_BoincClient
+    dom_StorageDomain
+    dom_NetworkDomain
+
+You need to have compiled the policy beforehand so that a .map file
+exists. Setlabel.sh uses the mapping file created throughout the
+policy translation to translate a user-friendly label string into a
+ssidref-number that is eventually used by the Xen hypervisor.
+
+We distinguish two kinds of labels: a) VM labels (for domains) and RES
+Labels (for resources). We are currently working on support for
+resource labeling but will focus here on VM labels.
+
+Setlabel.sh only prints VM labels (which we have prefixed with "dom_")
+since only those are used at this time.
+
+If you would like to assign the dom_HomeBanking label to one of your
+user domains (which you hopefully keep clean), look at an example
+domain configuration homebanking.xm:
+
+    #------HOMEBANKING---------
+    kernel = "/boot/vmlinuz-2.6.12-xenU"
+    ramdisk="/boot/U1_ramdisk.img"
+    memory = 65
+    name = "test34"
+    cpu = -1   # leave to Xen to pick
+    # Number of network interfaces. Default is 1.
+    nics=1
+    dhcp="dhcp"
+    #-------------------------
+
+Now we label this domain
+
+[root@laptopxn security]# ./setlabel.sh homebanking.xm dom_HomeBanking 
chwall_ste
+Mapped label 'dom_HomeBanking' to ssidref '0x00020002'.
+
+The domain configuration my look now like:
+
+    [root@laptopxn security]# cat homebanking.xm
+    #------HOMEBANKING---------
+    kernel = "/boot/vmlinuz-2.6.12-xenU"
+    ramdisk="/boot/U1_ramdisk.img"
+    memory = 65
+    name = "test34"
+    cpu = -1   # leave to Xen to pick
+    # Number of network interfaces. Default is 1.
+    nics=1
+    dhcp="dhcp"
+    #-------------------------
+    #ACM_POLICY=chwall_ste-security_policy.xml
+    #ACM_LABEL=dom_HomeBanking
+    ssidref = 0x00020002
+
+You can see 3 new entries, two of which are comments.  The only value
+that the hypervisor cares about is the ssidref that will reference
+those types assigned to this label. You can look them up in the
+xml label-template file for the chwall_ste policy.
+
+This script will eventually move into the domain management and will
+be called when the domain is instantiated. For now, the setlabel
+script must be run on domains whenever the policy files change since
+the mapping between label names and ssidrefs can change in this case.
+
+
+4. Starting a labeled domain
+============================
+
+Now, start the domain:
+    #xm create -c homebanking.xm
+
+
+If you label another domain configuration as dom_Fun and try to start
+it afterwards, its start will fail. Why?
+
+Because the running homebanking domain has the chinese wall type
+"cw_Sensitive". The new domain dom_Fun has the chinese wall label
+"cw_Distrusted". This domain is not allowed to run simultaneously
+because of the defined conflict set
+
+                       <conflictset name="Protection1">
+                               <type>cw_Sensitive</type>
+                               <type>cw_Distrusted</type>
+                       </conflictset>
+
+(in policies/chwall_ste/chwall_ste-security_policy.xml), which says
+that only one of the types cw_sensitive and cw_Distrusted can run at a
+time.
+
+If you save or shutdown the HomeBanking domain, you will be able to
+start the "Fun" domain. You can look into the Xen log to see if a
+domain was denied to start because of the access control framework
+with the command 'xm dmesg'.
+
+It is important (and usually non-trivial) to define the labels in a
+way that the semantics of the labels are enforced and supported by the
+types and the conflict sets.
+
+Note: While the chinese wall policy enforcement is complete, the type
+enforcement is currently enforced in the Xen hypervisor
+only. Therefore, only point-to-point sharing with regard to the type
+enforcement is currently controlled. We are working on enhancements to
+Dom0 that enforce types also for network traffic that is routed
+through Dom0 and on the enforcement of resource labeling when binding
+resources to domains (e.g., enforcing types between domains and
+hardware resources, such as disk partitions).
+
+
+4. Adding your own policies
+===========================
+
+Writing your own policy (e.g. "mypolicy") requires the following:
+
+a) the policy definition (types etc.) file
+b) the label template definition (labels etc.) file
+
+If your policy name is "mypolicy", you need to create a
+subdirectory mypolicy in tools/security/policies.
+
+Then you create
+tools/security/policies/mypolicy/mypolicy-security_policy.xml and
+tools/security/policies/mypolicy/mypolicy-security_label_template.xml.
+
+You need to keep to the schema as defined in
+tools/security/security_policy.xsd since the translation tool
+secpol_xml2bin is written against this schema.
+
+If you keep to the security policy schema, then you can use all the
+tools described above. Refer to install.txt to install it.
diff -r 1895942150a5 -r 513acbeac420 tools/security/install.txt
--- /dev/null   Fri Aug 19 08:55:03 2005
+++ b/tools/security/install.txt        Fri Aug 19 09:03:17 2005
@@ -0,0 +1,67 @@
+##
+# install.txt <description to the xen access control architecture>
+#
+# Author:
+# Reiner Sailer 08/15/2005 <sailer@xxxxxxxxxxxxxx>
+#
+#
+# This file shows how to activate and install the access control
+# framework.
+##
+
+
+INSTALLING A SECURITY POLICY IN XEN
+===================================
+
+By default, the access control architecture is disabled in Xen. To
+enable the access control architecture in Xen follow the steps below.
+This description assumes that you want to install the Chinese Wall and
+Simple Type Enforcement policy. Some file names need to be replaced
+below to activate the Chinese Wall OR the Type Enforcement policy
+exclusively (chwall_ste --> {chwall, ste}).
+
+1. enable access control in Xen
+       # cd "xen_root"
+       # edit/xemacs/vi Config.mk
+
+       change the line:
+       ACM_USE_SECURITY_POLICY ?= ACM_NULL_POLICY
+
+       to:
+       ACM_USE_SECURITY_POLICY ?= 
ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY
+
+       # make all
+       # ./install.sh
+
+2. compile the policy from xml to a binary format that can be loaded
+   into the hypervisor for enforcement
+       # cd tools/security
+       # make
+
+       manual steps (alternative to make boot_install):
+       #./secpol_xml2bin chwall_ste
+       #cp policies/chwall_ste/chwall_ste.bin /boot
+       #edit /boot/grub/grub.conf
+        add the follwoing line to your xen boot entry:
+       "module chwall_ste.bin"
+
+       alternatively, you can try our automatic translation and
+       installation of the policy:
+       # make boot_install
+
+       [we try hard to do the right thing to the right boot entry but
+        please verify boot entry in /boot/grub/grub.conf afterwards;
+        your xen boot entry should have an additional module line
+        specifying a chwall_ste.bin file with the correct directory
+        (e.g. "/" or "/boot").]
+
+
+3. reboot into the newly compiled hypervisor
+
+        after boot
+       #xm dmesg should show an entry about the policy being loaded
+            during the boot process
+
+        #tools/security/secpol_tool getpolicy
+            should print the new chwall_ste binary policy representation
+
diff -r 1895942150a5 -r 513acbeac420 
tools/security/policies/chwall/chwall-security_label_template.xml
--- /dev/null   Fri Aug 19 08:55:03 2005
+++ b/tools/security/policies/chwall/chwall-security_label_template.xml Fri Aug 
19 09:03:17 2005
@@ -0,0 +1,76 @@
+<?xml version="1.0"?>
+<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com  -->
+<!--              This file defines the security labels, which can  -->
+<!--              be attached to Domains and resources. Based on    -->
+<!--              these labels, the access control module decides   -->
+<!--              about sharing between Domains and about access    -->
+<!--              of Domains to real resources.                     -->
+
+<SecurityLabelTemplate
+ xmlns="http://www.ibm.com";
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
+ xsi:schemaLocation="http://www.ibm.com security_policy.xsd">
+   <LabelHeader>
+      <Name>chwall-security_label_template</Name>
+      <Date>2005-08-10</Date>
+      <PolicyName>
+         <Url>chwall-security_policy.xml</Url>
+         <Reference>abcdef123456abcdef</Reference>
+      </PolicyName>
+   </LabelHeader>
+
+   <SubjectLabels bootstrap="dom_SystemManagement">
+      <!-- single ste typed domains            -->
+      <!-- ACM enforces that only domains with -->
+      <!-- the same type can share information -->
+      <!--                                     -->
+      <!-- Bootstrap label is assigned to Dom0 -->
+      <VirtualMachineLabel>
+       <Name>dom_HomeBanking</Name>
+         <ChineseWallTypes>
+            <Type>cw_Sensitive</Type>
+         </ChineseWallTypes>
+      </VirtualMachineLabel>
+
+      <VirtualMachineLabel>
+       <Name>dom_Fun</Name>
+         <ChineseWallTypes>
+            <Type>cw_Distrusted</Type>
+         </ChineseWallTypes>
+      </VirtualMachineLabel>
+
+      <VirtualMachineLabel>
+        <!-- donating some cycles to seti@home -->
+       <Name>dom_BoincClient</Name>
+         <ChineseWallTypes>
+            <Type>cw_Isolated</Type>
+         </ChineseWallTypes>
+      </VirtualMachineLabel>
+
+      <!-- Domains with multiple ste types services; such domains   -->
+      <!-- must keep the types inside their domain safely confined. -->
+      <VirtualMachineLabel>
+       <Name>dom_SystemManagement</Name>
+         <ChineseWallTypes>
+            <Type>cw_SystemManagement</Type>
+         </ChineseWallTypes>
+      </VirtualMachineLabel>
+
+      <VirtualMachineLabel>
+        <!-- serves persistent storage to other domains -->
+       <Name>dom_StorageDomain</Name>
+         <ChineseWallTypes>
+            <Type>cw_SystemManagement</Type>
+         </ChineseWallTypes>
+      </VirtualMachineLabel>
+
+      <VirtualMachineLabel>
+        <!-- serves network access to other domains -->
+       <Name>dom_NetworkDomain</Name>
+         <ChineseWallTypes>
+            <Type>cw_SystemManagement</Type>
+         </ChineseWallTypes>
+      </VirtualMachineLabel>
+   </SubjectLabels>
+</SecurityLabelTemplate>
+
diff -r 1895942150a5 -r 513acbeac420 
tools/security/policies/chwall/chwall-security_policy.xml
--- /dev/null   Fri Aug 19 08:55:03 2005
+++ b/tools/security/policies/chwall/chwall-security_policy.xml Fri Aug 19 
09:03:17 2005
@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com  -->
+<!--             This file defines the security policies, which     -->
+<!--             can be enforced by the Xen Access Control Module.  -->
+<!--             Currently: Chinese Wall and Simple Type Enforcement-->
+<SecurityPolicyDefinition xmlns="http://www.ibm.com";
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
+ xsi:schemaLocation="http://www.ibm.com security_policy.xsd">
+<PolicyHeader>
+               <Name>chwall-security_policy</Name>
+               <Date>2005-08-10</Date>
+</PolicyHeader>
+<!--                                             -->
+<!-- example of a chinese wall type definition   -->
+<!-- along with its conflict sets                -->
+<!-- (typse in a confict set are exclusive, i.e. -->
+<!--  once a Domain with one type of a set is    -->
+<!--  running, no other Domain with another type -->
+<!--  of the same conflict set can start.)       -->
+       <ChineseWall priority="PrimaryPolicyComponent">
+        <ChineseWallTypes>
+            <Type>cw_SystemManagement</Type>
+            <Type>cw_Sensitive</Type>
+            <Type>cw_Isolated</Type>
+            <Type>cw_Distrusted</Type>
+        </ChineseWallTypes>
+
+        <ConflictSets>
+        <Conflict name="Protection1">
+            <Type>cw_Sensitive</Type>
+            <Type>cw_Distrusted</Type>
+        </Conflict>
+        </ConflictSets>
+       </ChineseWall>
+</SecurityPolicyDefinition>
+
diff -r 1895942150a5 -r 513acbeac420 
tools/security/policies/chwall_ste/chwall_ste-security_label_template.xml
--- /dev/null   Fri Aug 19 08:55:03 2005
+++ b/tools/security/policies/chwall_ste/chwall_ste-security_label_template.xml 
Fri Aug 19 09:03:17 2005
@@ -0,0 +1,167 @@
+<?xml version="1.0"?>
+<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com  -->
+<!--              This file defines the security labels, which can  -->
+<!--              be attached to Domains and resources. Based on    -->
+<!--              these labels, the access control module decides   -->
+<!--              about sharing between Domains and about access    -->
+<!--              of Domains to real resources.                     -->
+
+<SecurityLabelTemplate
+ xmlns="http://www.ibm.com";
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
+ xsi:schemaLocation="http://www.ibm.com security_policy.xsd">
+   <LabelHeader>
+      <Name>chwall_ste-security_label_template</Name>
+      <Date>2005-08-10</Date>
+      <PolicyName>
+         <Url>chwall_ste-security_policy.xml</Url>
+         <Reference>abcdef123456abcdef</Reference>
+      </PolicyName>
+   </LabelHeader>
+
+   <SubjectLabels bootstrap="dom_SystemManagement">
+      <!-- single ste typed domains            -->
+      <!-- ACM enforces that only domains with -->
+      <!-- the same type can share information -->
+      <!--                                     -->
+      <!-- Bootstrap label is assigned to Dom0 -->
+      <VirtualMachineLabel>
+       <Name>dom_HomeBanking</Name>
+         <SimpleTypeEnforcementTypes>
+            <Type>ste_PersonalFinances</Type>
+         </SimpleTypeEnforcementTypes>
+
+         <ChineseWallTypes>
+            <Type>cw_Sensitive</Type>
+         </ChineseWallTypes>
+      </VirtualMachineLabel>
+
+      <VirtualMachineLabel>
+       <Name>dom_Fun</Name>
+         <SimpleTypeEnforcementTypes>
+            <Type>ste_InternetInsecure</Type>
+         </SimpleTypeEnforcementTypes>
+
+         <ChineseWallTypes>
+            <Type>cw_Distrusted</Type>
+         </ChineseWallTypes>
+      </VirtualMachineLabel>
+
+      <VirtualMachineLabel>
+        <!-- donating some cycles to seti@home -->
+       <Name>dom_BoincClient</Name>
+         <SimpleTypeEnforcementTypes>
+            <Type>ste_DonatedCycles</Type>
+         </SimpleTypeEnforcementTypes>
+
+         <ChineseWallTypes>
+            <Type>cw_Isolated</Type>
+         </ChineseWallTypes>
+      </VirtualMachineLabel>
+
+      <!-- Domains with multiple ste types services; such domains   -->
+      <!-- must keep the types inside their domain safely confined. -->
+      <VirtualMachineLabel>
+       <Name>dom_SystemManagement</Name>
+         <SimpleTypeEnforcementTypes>
+            <!-- since dom0 needs access to every domain and -->
+            <!-- resource right now ... -->
+            <Type>ste_SystemManagement</Type>
+            <Type>ste_PersonalFinances</Type>
+            <Type>ste_InternetInsecure</Type>
+            <Type>ste_DonatedCycles</Type>
+            <Type>ste_PersistentStorageA</Type>
+            <Type>ste_NetworkAdapter0</Type>
+         </SimpleTypeEnforcementTypes>
+
+         <ChineseWallTypes>
+            <Type>cw_SystemManagement</Type>
+         </ChineseWallTypes>
+      </VirtualMachineLabel>
+
+      <VirtualMachineLabel>
+        <!-- serves persistent storage to other domains -->
+       <Name>dom_StorageDomain</Name>
+         <SimpleTypeEnforcementTypes>
+            <!-- access right to the resource (hard drive a) -->
+            <Type>ste_PersistentStorageA</Type>
+            <!-- can serve following types -->
+            <Type>ste_PersonalFinances</Type>
+            <Type>ste_InternetInsecure</Type>
+         </SimpleTypeEnforcementTypes>
+
+         <ChineseWallTypes>
+            <Type>cw_SystemManagement</Type>
+         </ChineseWallTypes>
+      </VirtualMachineLabel>
+
+      <VirtualMachineLabel>
+        <!-- serves network access to other domains -->
+       <Name>dom_NetworkDomain</Name>
+         <SimpleTypeEnforcementTypes>
+            <!-- access right to the resource (ethernet card) -->
+            <Type>ste_NetworkAdapter0</Type>
+            <!-- can serve following types -->
+            <Type>ste_PersonalFinances</Type>
+            <Type>ste_InternetInsecure</Type>
+            <Type>ste_DonatedCycles</Type>
+         </SimpleTypeEnforcementTypes>
+
+         <ChineseWallTypes>
+            <Type>cw_SystemManagement</Type>
+         </ChineseWallTypes>
+      </VirtualMachineLabel>
+   </SubjectLabels>
+
+   <ObjectLabels>
+      <ResourceLabel>
+       <Name>res_ManagementResource</Name>
+         <SimpleTypeEnforcementTypes>
+            <Type>ste_SystemManagement</Type>
+         </SimpleTypeEnforcementTypes>
+      </ResourceLabel>
+
+      <ResourceLabel>
+       <Name>res_HardDrive (hda)</Name>
+         <SimpleTypeEnforcementTypes>
+            <Type>ste_PersistentStorageA</Type>
+         </SimpleTypeEnforcementTypes>
+      </ResourceLabel>
+
+      <ResourceLabel>
+       <Name>res_LogicalDiskPartition1 (hda1)</Name>
+         <SimpleTypeEnforcementTypes>
+            <Type>ste_PersonalFinances</Type>
+         </SimpleTypeEnforcementTypes>
+      </ResourceLabel>
+
+      <ResourceLabel>
+       <Name>res_LogicalDiskPartition2 (hda2)</Name>
+         <SimpleTypeEnforcementTypes>
+            <Type>ste_InternetInsecure</Type>
+         </SimpleTypeEnforcementTypes>
+      </ResourceLabel>
+
+      <ResourceLabel>
+       <Name>res_EthernetCard</Name>
+         <SimpleTypeEnforcementTypes>
+            <Type>ste_NetworkAdapter0</Type>
+         </SimpleTypeEnforcementTypes>
+      </ResourceLabel>
+
+      <ResourceLabel>
+       <Name>res_SecurityToken</Name>
+         <SimpleTypeEnforcementTypes>
+            <Type>ste_PersonalFinances</Type>
+         </SimpleTypeEnforcementTypes>
+      </ResourceLabel>
+
+      <ResourceLabel>
+       <Name>res_GraphicsAdapter</Name>
+         <SimpleTypeEnforcementTypes>
+            <Type>ste_SystemManagement</Type>
+         </SimpleTypeEnforcementTypes>
+      </ResourceLabel>
+   </ObjectLabels>
+</SecurityLabelTemplate>
+
diff -r 1895942150a5 -r 513acbeac420 
tools/security/policies/chwall_ste/chwall_ste-security_policy.xml
--- /dev/null   Fri Aug 19 08:55:03 2005
+++ b/tools/security/policies/chwall_ste/chwall_ste-security_policy.xml Fri Aug 
19 09:03:17 2005
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com  -->
+<!--             This file defines the security policies, which     -->
+<!--             can be enforced by the Xen Access Control Module.  -->
+<!--             Currently: Chinese Wall and Simple Type Enforcement-->
+<SecurityPolicyDefinition xmlns="http://www.ibm.com";
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
+ xsi:schemaLocation="http://www.ibm.com security_policy.xsd">
+<PolicyHeader>
+               <Name>chwall_ste-security_policy</Name>
+               <Date>2005-08-10</Date>
+</PolicyHeader>
+<!--                                                        -->
+<!-- example of a simple type enforcement policy definition -->
+<!--                                                        -->
+       <SimpleTypeEnforcement>
+        <SimpleTypeEnforcementTypes>
+            <Type>ste_SystemManagement</Type>   <!-- machine/security 
management -->
+            <Type>ste_PersonalFinances</Type>   <!-- personal finances -->
+            <Type>ste_InternetInsecure</Type>   <!-- games, active X, etc. -->
+            <Type>ste_DonatedCycles</Type>      <!-- donation to 
BOINC/seti@home -->
+            <Type>ste_PersistentStorageA</Type> <!-- domain managing the 
harddrive A-->
+            <Type>ste_NetworkAdapter0</Type>    <!-- type of the domain 
managing ethernet adapter 0-->
+        </SimpleTypeEnforcementTypes>
+       </SimpleTypeEnforcement>
+<!--                                             -->
+<!-- example of a chinese wall type definition   -->
+<!-- along with its conflict sets                -->
+<!-- (typse in a confict set are exclusive, i.e. -->
+<!--  once a Domain with one type of a set is    -->
+<!--  running, no other Domain with another type -->
+<!--  of the same conflict set can start.)       -->
+       <ChineseWall priority="PrimaryPolicyComponent">
+        <ChineseWallTypes>
+            <Type>cw_SystemManagement</Type>
+            <Type>cw_Sensitive</Type>
+            <Type>cw_Isolated</Type>
+            <Type>cw_Distrusted</Type>
+        </ChineseWallTypes>
+
+        <ConflictSets>
+        <Conflict name="Protection1">
+            <Type>cw_Sensitive</Type>
+            <Type>cw_Distrusted</Type>
+        </Conflict>
+        </ConflictSets>
+       </ChineseWall>
+</SecurityPolicyDefinition>
+
diff -r 1895942150a5 -r 513acbeac420 
tools/security/policies/null/null-security_label_template.xml
--- /dev/null   Fri Aug 19 08:55:03 2005
+++ b/tools/security/policies/null/null-security_label_template.xml     Fri Aug 
19 09:03:17 2005
@@ -0,0 +1,24 @@
+<?xml version="1.0"?>
+<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com  -->
+<!--              This file defines the security labels, which can  -->
+<!--              be attached to Domains and resources. Based on    -->
+<!--              these labels, the access control module decides   -->
+<!--              about sharing between Domains and about access    -->
+<!--              of Domains to real resources.                     -->
+
+<SecurityLabelTemplate
+ xmlns="http://www.ibm.com";
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
+ xsi:schemaLocation="http://www.ibm.com security_policy.xsd">
+   <LabelHeader>
+      <Name>null-security_label_template</Name>
+
+      <Date>2005-08-10</Date>
+      <PolicyName>
+         <Url>null-security_policy.xml</Url>
+
+         <Reference>abcdef123456abcdef</Reference>
+      </PolicyName>
+   </LabelHeader>
+</SecurityLabelTemplate>
+
diff -r 1895942150a5 -r 513acbeac420 
tools/security/policies/null/null-security_policy.xml
--- /dev/null   Fri Aug 19 08:55:03 2005
+++ b/tools/security/policies/null/null-security_policy.xml     Fri Aug 19 
09:03:17 2005
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com  -->
+<!--             This file defines the security policies, which     -->
+<!--             can be enforced by the Xen Access Control Module.  -->
+<!--             Currently: Chinese Wall and Simple Type Enforcement-->
+<SecurityPolicyDefinition xmlns="http://www.ibm.com";
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
+ xsi:schemaLocation="http://www.ibm.com security_policy.xsd">
+<PolicyHeader>
+               <Name>null-security_policy</Name>
+               <Date>2005-08-10</Date>
+</PolicyHeader>
+</SecurityPolicyDefinition>
+
diff -r 1895942150a5 -r 513acbeac420 tools/security/policies/security_policy.xsd
--- /dev/null   Fri Aug 19 08:55:03 2005
+++ b/tools/security/policies/security_policy.xsd       Fri Aug 19 09:03:17 2005
@@ -0,0 +1,138 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Author: Ray Valdez, Reiner Sailer {rvaldez,sailer}@us.ibm.com -->
+<!--         This file defines the schema, which is used to define -->
+<!--         the security policy and the security labels in Xe.    -->
+
+<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"; 
targetNamespace="http://www.ibm.com"; xmlns="http://www.ibm.com"; 
elementFormDefault="qualified">
+       <xsd:element name="SecurityPolicyDefinition">
+               <xsd:complexType>
+                       <xsd:sequence>
+                               <xsd:element ref="PolicyHeader" minOccurs="0" 
maxOccurs="1"></xsd:element>
+                               <xsd:element ref="SimpleTypeEnforcement" 
minOccurs="0" maxOccurs="1"></xsd:element>
+                               <xsd:element ref="ChineseWall" minOccurs="0" 
maxOccurs="1"></xsd:element>
+                       </xsd:sequence>
+               </xsd:complexType>
+       </xsd:element>
+       <xsd:element name="SecurityLabelTemplate">
+               <xsd:complexType>
+                       <xsd:sequence>
+                               <xsd:element ref="LabelHeader" minOccurs="1" 
maxOccurs="1"></xsd:element>
+                               <xsd:element name="SubjectLabels" minOccurs="0" 
maxOccurs="1">
+                                       <xsd:complexType>
+                                               <xsd:sequence>
+                                                       <xsd:element 
ref="VirtualMachineLabel" minOccurs="1" maxOccurs="unbounded"></xsd:element>
+                                               </xsd:sequence>
+                                               <xsd:attribute name="bootstrap" 
type="xsd:string" use="required"></xsd:attribute>
+                                       </xsd:complexType>
+                               </xsd:element>
+                               <xsd:element name="ObjectLabels" minOccurs="0" 
maxOccurs="1">
+                                       <xsd:complexType>
+                                               <xsd:sequence>
+                                                       <xsd:element 
ref="ResourceLabel" minOccurs="1" maxOccurs="unbounded"></xsd:element>
+                                               </xsd:sequence>
+                                       </xsd:complexType>
+                               </xsd:element>
+                       </xsd:sequence>
+               </xsd:complexType>
+       </xsd:element>
+       <xsd:element name="PolicyHeader">
+               <xsd:complexType>
+                       <xsd:sequence>
+                               <xsd:element ref="Name" minOccurs="1" 
maxOccurs="1" />
+                               <xsd:element ref="Date" minOccurs="1" 
maxOccurs="1" />
+                       </xsd:sequence>
+               </xsd:complexType>
+       </xsd:element>
+       <xsd:element name="LabelHeader">
+               <xsd:complexType>
+                       <xsd:sequence>
+                               <xsd:element ref="Name"></xsd:element>
+                               <xsd:element ref="Date" minOccurs="1" 
maxOccurs="1"></xsd:element>
+                               <xsd:element ref="PolicyName" minOccurs="1" 
maxOccurs="1"></xsd:element>
+                       </xsd:sequence>
+               </xsd:complexType>
+       </xsd:element>
+       <xsd:element name="SimpleTypeEnforcement">
+               <xsd:complexType>
+                       <xsd:sequence>
+                               <xsd:element ref="SimpleTypeEnforcementTypes" />
+                       </xsd:sequence>
+                       <xsd:attribute name="priority" type="PolicyOrder" 
use="optional"></xsd:attribute>
+               </xsd:complexType>
+       </xsd:element>
+       <xsd:element name="ChineseWall">
+               <xsd:complexType>
+                       <xsd:sequence>
+                               <xsd:element ref="ChineseWallTypes" />
+                               <xsd:element ref="ConflictSets" />
+                       </xsd:sequence>
+                       <xsd:attribute name="priority" type="PolicyOrder" 
use="optional"></xsd:attribute>
+               </xsd:complexType>
+       </xsd:element>
+       <xsd:element name="ChineseWallTypes">
+               <xsd:complexType>
+                       <xsd:sequence>
+                               <xsd:element maxOccurs="unbounded" 
minOccurs="1" ref="Type" />
+                       </xsd:sequence>
+               </xsd:complexType>
+       </xsd:element>
+       <xsd:element name="ConflictSets">
+               <xsd:complexType>
+                       <xsd:sequence>
+                               <xsd:element maxOccurs="unbounded" 
minOccurs="1" ref="Conflict" />
+                       </xsd:sequence>
+               </xsd:complexType>
+       </xsd:element>
+       <xsd:element name="SimpleTypeEnforcementTypes">
+               <xsd:complexType>
+                       <xsd:sequence>
+                               <xsd:element maxOccurs="unbounded" 
minOccurs="1" ref="Type" />
+                       </xsd:sequence>
+               </xsd:complexType>
+       </xsd:element>
+       <xsd:element name="Conflict">
+               <xsd:complexType>
+                       <xsd:sequence>
+                               <xsd:element maxOccurs="unbounded" 
minOccurs="1" ref="Type" />
+                       </xsd:sequence>
+                       <xsd:attribute name="name" type="xsd:string" 
use="optional"></xsd:attribute>
+               </xsd:complexType>
+       </xsd:element>
+       <xsd:element name="VirtualMachineLabel">
+               <xsd:complexType>
+                       <xsd:sequence>
+                               <xsd:element ref="Name"></xsd:element>
+                               <xsd:element ref="SimpleTypeEnforcementTypes" 
minOccurs="0" maxOccurs="unbounded" />
+                               <xsd:element ref="ChineseWallTypes" 
minOccurs="0" maxOccurs="unbounded" />
+                       </xsd:sequence>
+               </xsd:complexType>
+       </xsd:element>
+       <xsd:element name="ResourceLabel">
+               <xsd:complexType>
+                       <xsd:sequence>
+                               <xsd:element ref="Name"></xsd:element>
+                               <xsd:element ref="SimpleTypeEnforcementTypes" 
minOccurs="0" maxOccurs="unbounded" />
+                       </xsd:sequence>
+               </xsd:complexType>
+       </xsd:element>
+       <xsd:element name="PolicyName">
+               <xsd:complexType>
+                       <xsd:sequence>
+                               <xsd:element ref="Url" />
+                               <xsd:element ref="Reference" />
+                       </xsd:sequence>
+               </xsd:complexType>
+       </xsd:element>
+       <xsd:element name="Date" type="xsd:string" />
+       <xsd:element name="Name" type="xsd:string" />
+       <xsd:element name="Type" type="xsd:string" />
+       <xsd:element name="Reference" type="xsd:string" />
+       <xsd:element name="Url"></xsd:element>
+
+       <xsd:simpleType name="PolicyOrder">
+               <xsd:restriction base="xsd:string">
+                       <xsd:enumeration 
value="PrimaryPolicyComponent"></xsd:enumeration>
+               </xsd:restriction>
+       </xsd:simpleType>
+
+</xsd:schema>
diff -r 1895942150a5 -r 513acbeac420 
tools/security/policies/ste/ste-security_label_template.xml
--- /dev/null   Fri Aug 19 08:55:03 2005
+++ b/tools/security/policies/ste/ste-security_label_template.xml       Fri Aug 
19 09:03:17 2005
@@ -0,0 +1,143 @@
+<?xml version="1.0"?>
+<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com  -->
+<!--              This file defines the security labels, which can  -->
+<!--              be attached to Domains and resources. Based on    -->
+<!--              these labels, the access control module decides   -->
+<!--              about sharing between Domains and about access    -->
+<!--              of Domains to real resources.                     -->
+
+<SecurityLabelTemplate
+ xmlns="http://www.ibm.com";
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
+ xsi:schemaLocation="http://www.ibm.com security_policy.xsd">
+   <LabelHeader>
+      <Name>ste-security_label_template</Name>
+      <Date>2005-08-10</Date>
+      <PolicyName>
+         <Url>ste-security_policy.xml</Url>
+         <Reference>abcdef123456abcdef</Reference>
+      </PolicyName>
+   </LabelHeader>
+
+   <SubjectLabels bootstrap="dom_SystemManagement">
+      <!-- single ste typed domains            -->
+      <!-- ACM enforces that only domains with -->
+      <!-- the same type can share information -->
+      <!--                                     -->
+      <!-- Bootstrap label is assigned to Dom0 -->
+      <VirtualMachineLabel>
+       <Name>dom_HomeBanking</Name>
+         <SimpleTypeEnforcementTypes>
+            <Type>ste_PersonalFinances</Type>
+         </SimpleTypeEnforcementTypes>
+      </VirtualMachineLabel>
+
+      <VirtualMachineLabel>
+       <Name>dom_Fun</Name>
+         <SimpleTypeEnforcementTypes>
+            <Type>ste_InternetInsecure</Type>
+         </SimpleTypeEnforcementTypes>
+      </VirtualMachineLabel>
+
+      <VirtualMachineLabel>
+        <!-- donating some cycles to seti@home -->
+       <Name>dom_BoincClient</Name>
+         <SimpleTypeEnforcementTypes>
+            <Type>ste_DonatedCycles</Type>
+         </SimpleTypeEnforcementTypes>
+      </VirtualMachineLabel>
+
+      <!-- Domains with multiple ste types services; such domains   -->
+      <!-- must keep the types inside their domain safely confined. -->
+      <VirtualMachineLabel>
+       <Name>dom_SystemManagement</Name>
+         <SimpleTypeEnforcementTypes>
+            <!-- since dom0 needs access to every domain and -->
+            <!-- resource right now ... -->
+            <Type>ste_SystemManagement</Type>
+            <Type>ste_PersonalFinances</Type>
+            <Type>ste_InternetInsecure</Type>
+            <Type>ste_DonatedCycles</Type>
+            <Type>ste_PersistentStorageA</Type>
+            <Type>ste_NetworkAdapter0</Type>
+         </SimpleTypeEnforcementTypes>
+      </VirtualMachineLabel>
+
+      <VirtualMachineLabel>
+        <!-- serves persistent storage to other domains -->
+       <Name>dom_StorageDomain</Name>
+         <SimpleTypeEnforcementTypes>
+            <!-- access right to the resource (hard drive a) -->
+            <Type>ste_PersistentStorageA</Type>
+            <!-- can serve following types -->
+            <Type>ste_PersonalFinances</Type>
+            <Type>ste_InternetInsecure</Type>
+         </SimpleTypeEnforcementTypes>
+      </VirtualMachineLabel>
+
+      <VirtualMachineLabel>
+        <!-- serves network access to other domains -->
+       <Name>dom_NetworkDomain</Name>
+         <SimpleTypeEnforcementTypes>
+            <!-- access right to the resource (ethernet card) -->
+            <Type>ste_NetworkAdapter0</Type>
+            <!-- can serve following types -->
+            <Type>ste_PersonalFinances</Type>
+            <Type>ste_InternetInsecure</Type>
+            <Type>ste_DonatedCycles</Type>
+         </SimpleTypeEnforcementTypes>
+      </VirtualMachineLabel>
+   </SubjectLabels>
+
+   <ObjectLabels>
+      <ResourceLabel>
+       <Name>res_ManagementResource</Name>
+         <SimpleTypeEnforcementTypes>
+            <Type>ste_SystemManagement</Type>
+         </SimpleTypeEnforcementTypes>
+      </ResourceLabel>
+
+      <ResourceLabel>
+       <Name>res_HardDrive (hda)</Name>
+         <SimpleTypeEnforcementTypes>
+            <Type>ste_PersistentStorageA</Type>
+         </SimpleTypeEnforcementTypes>
+      </ResourceLabel>
+
+      <ResourceLabel>
+       <Name>res_LogicalDiskPartition1 (hda1)</Name>
+         <SimpleTypeEnforcementTypes>
+            <Type>ste_PersonalFinances</Type>
+         </SimpleTypeEnforcementTypes>
+      </ResourceLabel>
+
+      <ResourceLabel>
+       <Name>res_LogicalDiskPartition2 (hda2)</Name>
+         <SimpleTypeEnforcementTypes>
+            <Type>ste_InternetInsecure</Type>
+         </SimpleTypeEnforcementTypes>
+      </ResourceLabel>
+
+      <ResourceLabel>
+       <Name>res_EthernetCard</Name>
+         <SimpleTypeEnforcementTypes>
+            <Type>ste_NetworkAdapter0</Type>
+         </SimpleTypeEnforcementTypes>
+      </ResourceLabel>
+
+      <ResourceLabel>
+       <Name>res_SecurityToken</Name>
+         <SimpleTypeEnforcementTypes>
+            <Type>ste_PersonalFinances</Type>
+         </SimpleTypeEnforcementTypes>
+      </ResourceLabel>
+
+      <ResourceLabel>
+       <Name>res_GraphicsAdapter</Name>
+         <SimpleTypeEnforcementTypes>
+            <Type>ste_SystemManagement</Type>
+         </SimpleTypeEnforcementTypes>
+      </ResourceLabel>
+   </ObjectLabels>
+</SecurityLabelTemplate>
+
diff -r 1895942150a5 -r 513acbeac420 
tools/security/policies/ste/ste-security_policy.xml
--- /dev/null   Fri Aug 19 08:55:03 2005
+++ b/tools/security/policies/ste/ste-security_policy.xml       Fri Aug 19 
09:03:17 2005
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com  -->
+<!--             This file defines the security policies, which     -->
+<!--             can be enforced by the Xen Access Control Module.  -->
+<!--             Currently: Chinese Wall and Simple Type Enforcement-->
+<SecurityPolicyDefinition xmlns="http://www.ibm.com";
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
+ xsi:schemaLocation="http://www.ibm.com security_policy.xsd">
+<PolicyHeader>
+               <Name>ste-security_policy</Name>
+               <Date>2005-08-10</Date>
+</PolicyHeader>
+<!--                                                        -->
+<!-- example of a simple type enforcement policy definition -->
+<!--                                                        -->
+       <SimpleTypeEnforcement>
+        <SimpleTypeEnforcementTypes>
+            <Type>ste_SystemManagement</Type>   <!-- machine/security 
management -->
+            <Type>ste_PersonalFinances</Type>   <!-- personal finances -->
+            <Type>ste_InternetInsecure</Type>   <!-- games, active X, etc. -->
+            <Type>ste_DonatedCycles</Type>      <!-- donation to 
BOINC/seti@home -->
+            <Type>ste_PersistentStorageA</Type> <!-- domain managing the 
harddrive A-->
+            <Type>ste_NetworkAdapter0</Type>    <!-- type of the domain 
managing ethernet adapter 0-->
+        </SimpleTypeEnforcementTypes>
+       </SimpleTypeEnforcement>
+</SecurityPolicyDefinition>
+
diff -r 1895942150a5 -r 513acbeac420 tools/security/policy.txt
--- /dev/null   Fri Aug 19 08:55:03 2005
+++ b/tools/security/policy.txt Fri Aug 19 09:03:17 2005
@@ -0,0 +1,405 @@
+##
+# policy.txt <description to the Xen access control architecture>
+#
+# Author:
+# Reiner Sailer 08/15/2005 <sailer@xxxxxxxxxxxxxx>
+#
+#
+# This file gives an overview of the security policies currently
+# provided and also gives some reasoning about how to assign
+# labels to domains.
+##
+
+Xen access control policies
+
+
+General explanation of supported security policies:
+=====================================================
+
+We have implemented the mandatory access control architecture of our
+hypervisor security architecture (sHype) for the Xen hypervisor. It
+controls communication (in Xen: event channels, grant tables) between
+Virtual Machines (from here on called domains) and through this the
+virtual block devices, networking, and shared memory are implemented
+on top of these communication means. While we have implemented the
+described policies and access control architecture for other
+hypervisor systems, we will describe below specifically its
+implementation and use in the Xen hypervisor. The policy enforcement
+is called mandatory regarding user domains since the policy it is
+given by the security administration and enforced independently of the
+user domains by the Xen hypervisor in cooperation with the domain
+management.
+
+The access control architecture consists of three parts:
+
+i) The access control policy determines the "command set" of the ACM
+and the hooks with which they can be configured to constrain the
+sharing of virtual resources. The current access control architecture
+implemented for Xen supports two policies: Chinese Wall and Simple
+Type Enforcement, which we describe in turn below.
+
+
+ii) The actually enforced policy instantiation uses the policy
+language (i) to configure the Xen access control in a way that suits
+the specific application (home desktop environment, company desktop,
+Web server system, etc.). We have defined an exemplary policy
+instantiation for Chinese Wall (chwall policy) and Simple Type
+Enforcement (ste policy) for a desktop system. We offer these policies
+in combination since they are controlling orthogonal events.
+
+
+iii) The access control module (ACM) and related hooks are part of the
+core hypervisor and their controls cannot be bypassed by domains. The
+ACM and hooks are the active security components. We refer to
+publications that describe how access control is enforced in the Xen
+hypervisor using the ACM (access decision) and the hooks (decision
+enforcement) inserted into the setup of event channels and grant
+tables, and into domain operations (create, destroy, save, restore,
+migrate). These controls decide based on the active policy
+configuration (see i. and ii.) if the operation proceeds of if the
+operation is aborted (denied).
+
+
+In general, security policy instantiations in the Xen access control
+framework are defined by two files:
+
+a) a single "policy-name"-security_policy.xml file that defines the
+types known to the ACM and policy rules based on these types
+
+b) a single "policy-name"-security_label_template.xml file that
+defines labels based on known types
+
+Every security policy has its own sub-directory under
+"Xen-root"/tools/security/policies in order to simplify their
+management and the security policy tools. We will describe those files
+for our example policy (Chinese Wall and Simple Type Enforcement) in
+more detail as we go along. Eventually, we will move towards a system
+installation where the policies will reside under /etc.
+
+
+CHINESE WALL
+============
+
+The Chinese Wall policy enables the user to define "which workloads
+(domain payloads) cannot run on a single physical system at the same
+time". Why would we want to prevent workloads from running at the same
+time on the same system? This supports requirements that can (but
+don't have to) be rooted in the measure of trust into the isolation of
+different domains that share the same hardware. Since the access
+control architecture aims at high performance and non-intrusive
+implementation, it currently does not address covert (timing) channels
+and aims at medium assurance. Users can apply the Chinese Wall policy
+to guarantee an air-gap between very sensitive payloads both regarding
+covert information channels and regarding resource starvation.
+
+To enable the CW control, each domain is labeled with a set of Chinese
+Wall types and CW Conflict Sets are defined which include those CW
+types that cannot run simultaneously on the same hardware. This
+interpretation of conflict sets is the only policy rule for the Chines
+Wall policy.
+
+This is enforced by controlling the start of domains according to
+their assigned CW worload types. Domains with Chinese Wall types that
+appear in a common conflict set are running mutually exclusive on a
+platform, i.e., once a domain with one of the cw-types of a conflict
+set is running, no domain with another cw-type of the same conflict
+set can start until the first domain is destroyed, paused, or migrated
+away from the physical system (this assumes that such a partition can
+no longer be observed). The idea is to assign cw-types according to
+the type of payload that a domain runs and to use the Chinese Wall
+policy to ensure that payload types can be differentiated by the
+hypervisor and can be prevented from being executed on the same system
+at the same time. Using the flexible CW policy maintains system
+consolidation and workload-balancing while introducing guaranteed
+constraints where necessary.
+
+
+Example of a Chinese Wall Policy Instantiation
+----------------------------------------------
+
+The file chwall-security_policy.xml defines the Chinese Wall types as
+well as the conflict sets for our example policy (you find it in the
+directory "xen_root"/tools/security/policies/chwall).
+
+It defines four Chinese Wall types (prefixed with cw_) with the
+following meaning:
+
+* cw_SystemsManagement is a type identifying workloads for systems
+management, e.g., domain management, device management, or hypervisor
+management.
+
+* cw_Sensitive is identifying workloads that are critical to the user
+for one reason or another.
+
+* cw_Distrusted is identifying workloads a user does not have much
+confidence in. E.g. a domain used for surfing in the internet without
+protection( i.e., active-X, java, java-script, executing web content)
+or for (Internet) Games should be typed this way.
+
+* cw_Isolated is identifying workloads that are supposedly isolated by
+use of the type enforcement policy (described below). For example, if
+a user wants to donate cycles to seti@home, she can setup a separate
+domain for a Boinc (http://boinc.ssl.berkeley.edu/) client, disable
+this domain from accessing the hard drive and from communicating to
+other local domains, and type it as cw_Isolated. We will look at a
+specific example later.
+
+The example policy uses the defined types to define one conflict set:
+Protection1 = {cw_Sensitive, cw_Distrusted}. This conflict set tells
+the hypervisor that once a domain typed as cw_Sensitive is running, a
+domain typed as cw_Distrusted cannot run concurrently (and the other
+way round). With this policy, a domain typed as cw_Isolated is allowed
+to run simultaneously with domains tagged as cw_Sensitive.
+
+Consequently, the access control module in the Xen hypervisor
+distinguishes in this example policy 4 different workload types in
+this example policy. It is the user's responsibility to type the
+domains in a way that reflects the workloads of these domains and, in
+the case of cw_Isolated, its properties, e.g. by configuring the
+sharing capabilities of the domain accordingly by using the simple
+type enforcement policy.
+
+Users can define their own or change the existing example policy
+according to their working environment and security requirements. To
+do so, replace the file chwall-security_policy.xml with the new
+policy.
+
+
+SIMPLE TYPE ENFORCEMENT
+=======================
+
+The file ste-security_policy.xml defines the simple type enforcement
+types for our example policy (you find it in the directory
+"xen_root"/tools/security/policies/ste). The Simple Type Enforcement
+policy defines which domains can share information with which other
+domains. To this end, it controls
+
+i) inter-domain communication channels (e.g., network traffic, events,
+and shared memory).
+
+ii) access of domains to physical resources (e.g., hard drive, network
+cards, graphics adapter, keyboard).
+
+In order to enable the hypervisor to distinguish different domains and
+the user to express access rules, the simple type enforcement defines
+a set of types (ste_types).
+
+The policy defines that communication between domains is allowed if
+the domains share a common STE type. As with the chwall types, STE
+types should enable the differentiation of workloads. The simple type
+enforcement access control implementation in the hypervisor enforces
+that domains can only communicate (setup event channels, grant tables)
+if they share a common type, i.e., both domains have assigned at least
+on type in common. A domain can access a resource, if the domain and
+the resource share a common type. Hence, assigning STE types to
+domains and resources allows users to define constraints on sharing
+between domains and to keep sensitive data confined from distrusted
+domains.
+
+Domain <--> Domain Sharing
+''''''''''''''''''''''''''
+(implemented but its effective use requires factorization of Dom0)
+
+a) Domains with a single STE type (general user domains): Sharing
+between such domains is enforced entirely by the hypervisor access
+control. It is independent of the domains and does not require their
+co-operation.
+
+b) Domains with multiple STE types: One example is a domain that
+virtualizes a physical resource (e.g., hard drive) and serves it as
+multiple virtual resources (virtual block drives) to other domains of
+different types. The idea is that only a specific device domain has
+assigned the type required to access the physical hard-drive. Logical
+drives are then assigned the types of domains that have access to this
+logical drive. Since the Xen hypervisor cannot distinguish between the
+logical drives, the access control (type enforcement) is delegated to
+the device domain, which has access to the types of domains requesting
+to mount a logical drive as well as the types assigned to the
+different available logical drives.
+
+Currently in Xen, Dom0 controls all hardware, needs to communicate
+with all domains during their setup, and intercepts all communication
+between domains. Consequently, Dom0 needs to be assigned all types
+used and must be completely trusted to maintain the separation of
+informatio ncoming from domains with different STE types. Thus a
+refactoring of Dom0 is recommended for stronger confinement
+guarantees.
+
+Domain --> RESOURCES Access
+'''''''''''''''''''''''''''
+(current work)
+
+We define for each resource that we want to distinguish a separate STE
+type. Each STE type is assigned to the respective resource and to
+those domains that are allowed to access this resource. Type
+enforcement will guarantee that other domains cannot access this
+resource since they don't share the resource's STE type.
+
+Since in the current implementation of Xen, Dom0 controls access to
+all hardware (e.g., disk drives, network), Domain-->Resource access
+control enforcement must be implemented in Dom0. This is possible
+since Dom0 has access to both the domain configuration (including the
+domain STE types) and the resource configuration (including the
+resource STE types).
+
+For purposes of gaining higher assurance in the resulting system, it
+may be desirable to reduce the size of dom0 by adding one or more
+"device domains" (DDs). These DDs, e.g. providing storage or network
+access, can support one or more physical devices, and manage
+enforcement of MAC policy relevant for said devices. Security benefits
+come from the smaller size of these DDs, as they can be more easily
+audited than monolithic device driver domains. DDs can help to obtain
+maximum security benefit from sHype.
+
+
+Example of a Simple Type Enforcement Policy Instantiation
+---------------------------------------------------------
+
+We define the following types:
+
+* ste_SystemManagement identifies workloads (and domains that runs
+them) that must share information to accomplish the management of the
+system
+
+* ste_PersonalFinances identifies workloads that are related to
+sensitive programs such as HomeBanking applications or safely
+configured web browsers for InternetBanking
+
+* ste_InternetInsecure identifies workloads that are very
+function-rich and unrestricted to offer for example an environment
+where internet games can run efficiently
+
+* ste_DonatedCycles identifies workloads that run on behalf of others,
+e.g. a Boinc client
+
+* ste_PersistentStorage identifies workloads that have direct access
+to persistent storage (e.g., hard drive)
+
+* ste_NetworkAccess identifies workload that have direct access to
+network cards and related networks
+
+
+
+SECURITY LABEL TEMPLATES
+========================
+
+We introduce security label templates because it is difficult for
+users to ensure tagging of domains consistently and since there are
+--as we have seen in the case of isolation-- useful dependencies
+between the policies. Security Label Templates define type sets that
+can be addressed by more user-friendly label names,
+e.g. dom_Homebanking describes a typical typeset tagged to domains
+used for sensitive Homebanking work-loads. Labels are defined in the
+file
+
+Using Security Label Templates has multiple advantages:
+a) easy reference of typical sets of type assignments
+b) consistent interpretation of type combinations
+c) meaningful application-level label names
+
+The definition of label templates depends on the combination of
+policies that are used. We will describe some of the labels defined
+for the Chinese Wall and Simple Type Enforcement combination.
+
+In the BoincClient example, the label_template file specifies that
+this Label is assigned the Chinese Wall type cw_Isolated. We do this
+assuming that this BoincClient is isolated against the rest of the
+system infrastructure (no persistent memory, no sharing with local
+domains). Since cw_Isolated is not included in any conflict set, it
+can run at any time concurrently with any other domain. The
+ste_DonatedCycles type assigned to the BoincClient reflect the
+isolation assumption: it is only assigned to the dom_NetworkDomain
+giving the BoincClient domain access to the network to communicate
+with its BoincServer.
+
+The strategy for combining types into Labels is the following: First
+we define a label for each type of general user domain
+(workload-oriented). Then we define a new label for each physical
+resource that shall be shared using a DD domain (e.g., disk) and for
+each logical resource offered through this physical resource (logical
+disk partition). We define then device domain labels (here:
+dom_SystemManagement, dom_StorageDomain, dom_NetworkDomain) which
+include the types of the physical resources (e.g. hda) their domains
+need to connect to. Such physical resources can only be accessed
+directly by device domains types with the respective device's STE
+type. Additionally we assign to such a device domain Label the STE
+types of those user domains that are allowed to access one of the
+logical resources (e.g., hda1, hda2) built on top of this physical
+resource through the device domain.
+
+
+Label Construction Example:
+---------------------------
+
+We define here a storage domain label for a domain that owns a real
+disk drive and creates the logical disk partitions hda1 and hda2 which
+it serves to domains labeled dom_HomeBanking and dom_Fun
+respectively. The labels we refer to are defined in the label template
+file policies/chwall_ste/chwall_ste-security-label-template.xml.
+
+step1: To distinguish different shared disk drives, we create a
+separate Label and STE type for each of them. Here: we create a type
+ste_PersistentStorageA for disk drive hda. If you have another disk
+drive, you may define another persistent storage type
+ste_PersistentStorageB in the chwall_ste-security_policy.xml.
+
+step2: To distinguish different domains, we create multiple domain
+labels including different types. Here: label dom_HomeBanking includes
+STE type ste_PersonalFinances, label dom_Fun includes STE type
+ste_InternetInsecure.
+
+step3: The storage domain in charge of the hard drive A needs access
+to this hard drive. Therefore the storage domain label
+dom_StorageDomain must include the type assigned to the hard drive
+(ste_PersistentStorageA).
+
+step4: In order to serve dom hda1 to domains labeled dom_HomeBanking
+and hda2 to domains labeled dom_Fun, the storage domain label must
+include the types of those domains as well (ste_PersonalFinance,
+ste_InternetInsecure).
+
+step5: In order to keep the data for different types safely apart, the
+different logical disk partitions must be assigned unique labels and
+types, which are used inside the storage domain to extend the ACM
+access enforcement to logical resources served from inside the storage
+domain. We define labels "res_LogicalDiskPartition1 (hda1)" and assign
+it to hda1 and "res_LogicalDiskPartition2 (hda2)" and assign it to
+hda2. These labels must include the STE types of those domains that
+are allowed to use them (e.g., ste_PersonalFinances for hda1).
+
+The overall mandatory access control is then enforced in 3 different
+Xen components and these components use a single consistent policy to
+co-operatively enforce the policy. In the storage domain example, we
+have three components that co-operate:
+
+1. The ACM module inside the hypervisor enforces: communication between
+user domains and the storage domain (only domains including types
+ste_PersonalFinances or ste_InternetInsecure can communicate with the
+storage domain and request access to logical resource). This confines
+the sharing to the types assigned to the storage domain.
+
+2. The domain management will enforce (work in progress): assignment of
+real resources (hda) to domains (storage domain) that share a
+type with the resource.
+
+3. If the storage domain serves multiple STE types (as in our example),
+it enforces (work in progress): that domains can access (mount)
+logical resources only if they share an STE type with the respective
+resource. In our example, domains with the STE type
+ste_PersonalFinances can request access (mount) to logical resource
+hda1 from the storage domain.
+
+If you look at the virtual machine label dom_StorageDomain, you will
+see the minimal set of types assigned to our domain manageing disk
+drive hda for serving logical disk partitions exclusively to
+dom_HomeBanking and dom_Fun.
+
+Similary, network domains can confine access to the network or
+network communication between user domains.
+
+As a result, device domains (e.g., storage domain, network domain)
+must be simple and small to ensure their correct co-operation in the
+type enforcement model. If such trust is not possible, then hardware
+should be assigned exclusively to a single type (or to a single
+partition) in which case the hypervisor ACM enforcement enforces the
+types independently.
diff -r 1895942150a5 -r 513acbeac420 tools/security/readme.txt
--- /dev/null   Fri Aug 19 08:55:03 2005
+++ b/tools/security/readme.txt Fri Aug 19 09:03:17 2005
@@ -0,0 +1,29 @@
+
+##
+# readme.txt <description to the xen access control architecture>
+#
+# Author:
+# Reiner Sailer 08/15/2005 <sailer@xxxxxxxxxxxxxx>
+#
+#
+# This file is a toc for information regarding
+# the access control policy and tools in Xen.
+##
+
+1. policy.txt:
+
+   describes the general reasoning and examples for access
+   control policies in Xen
+
+
+2. install.txt
+
+   describes the activation of the access control framework
+   in Xen
+
+3. example.txt
+
+   describes the available tools for managing security policies
+   in Xen and the tools to label domains
+
+
diff -r 1895942150a5 -r 513acbeac420 tools/security/secpol_compat.h
--- /dev/null   Fri Aug 19 08:55:03 2005
+++ b/tools/security/secpol_compat.h    Fri Aug 19 09:03:17 2005
@@ -0,0 +1,14 @@
+/* secpol_compat.h
+ *     'translates' data types necessary to
+ *     include <xen/acm.h>
+ */
+#include <stdint.h>
+
+typedef uint8_t  u8;
+typedef uint16_t u16;
+typedef uint32_t u32;
+typedef uint64_t u64;
+typedef int8_t   s8;
+typedef int16_t  s16;
+typedef int32_t  s32;
+typedef int64_t  s64;
diff -r 1895942150a5 -r 513acbeac420 tools/security/secpol_xml2bin.c
--- /dev/null   Fri Aug 19 08:55:03 2005
+++ b/tools/security/secpol_xml2bin.c   Fri Aug 19 09:03:17 2005
@@ -0,0 +1,1396 @@
+/****************************************************************
+ * secpol_xml2bin.c
+ *
+ * Copyright (C) 2005 IBM Corporation
+ *
+ * Author: Reiner Sailer <sailer@xxxxxxxxxx>
+ *
+ * Maintained:
+ * Reiner Sailer <sailer@xxxxxxxxxx>
+ * Ray Valdez <rvaldez@xxxxxxxxxx>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ *
+ * sHype policy translation tool. This tool takes an XML
+ * policy specification as input and produces a binary
+ * policy file that can be loaded into Xen through the
+ * ACM operations (secpol_tool loadpolicy) interface or at
+ * boot time (grub module parameter)
+ *
+ * indent -i4 -kr -nut
+ */
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <libgen.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/queue.h>
+#include <netinet/in.h>
+#include <libxml/xmlschemas.h>
+#include <libxml/parser.h>
+#include <libxml/tree.h>
+#include <libxml/xmlreader.h>
+#include "secpol_compat.h"
+#include <xen/acm.h>
+
+#include "secpol_xml2bin.h"
+
+#define DEBUG    0
+
+/* primary / secondary policy component setting */
+enum policycomponent { CHWALL, STE, NULLPOLICY }
+    primary = NULLPOLICY, secondary = NULLPOLICY;
+
+/* general list element for ste and chwall type queues */
+struct type_entry {
+    TAILQ_ENTRY(type_entry) entries;
+    char *name;                 /* name of type from xml file */
+    type_t mapping;             /* type mapping into 16bit */
+};
+
+TAILQ_HEAD(tailhead, type_entry) ste_head, chwall_head;
+
+/* general list element for all label queues */
+enum label_type { VM, RES, ANY };
+struct ssid_entry {
+    TAILQ_ENTRY(ssid_entry) entries;
+    char *name;                 /* label name */
+    enum label_type type;       /* type: VM / RESOURCE LABEL */
+    u_int32_t num;              /* ssid or referenced ssid */
+    int is_ref;                 /* if this entry references earlier ssid 
number */
+    unsigned char *row;         /* index of types (if not a reference) */
+};
+
+TAILQ_HEAD(tailhead_ssid, ssid_entry) ste_ssid_head, chwall_ssid_head,
+    conflictsets_head;
+struct ssid_entry *current_chwall_ssid_p = NULL;
+struct ssid_entry *current_ste_ssid_p = NULL;
+struct ssid_entry *current_conflictset_p = NULL;
+
+/* which label to assign to dom0 during boot */
+char *bootstrap_label;
+
+u_int32_t max_ste_ssids = 0;
+u_int32_t max_chwall_ssids = 0;
+u_int32_t max_chwall_labels = 0;
+u_int32_t max_ste_labels = 0;
+u_int32_t max_conflictsets = 0;
+
+char *current_ssid_name;        /* store name until structure is allocated */
+char *current_conflictset_name; /* store name until structure is allocated */
+
+/* dynamic list of type mappings for STE */
+u_int32_t max_ste_types = 0;
+
+/* dynamic list of type mappings for CHWALL */
+u_int32_t max_chwall_types = 0;
+
+/* dynamic list of conflict sets */
+int max_conflict_set = 0;
+
+/* which policies are defined */
+int have_ste = 0;
+int have_chwall = 0;
+
+/* input/output file names */
+char *policy_filename = NULL,
+    *label_filename = NULL,
+    *binary_filename = NULL, *mapping_filename = NULL;
+
+void usage(char *prg)
+{
+    printf("usage:\n%s policyname[-policy.xml/-security_label_template.xml]\n",
+         prg);
+    exit(EXIT_FAILURE);
+}
+
+
+/***************** policy-related parsing *********************/
+
+char *type_by_mapping(struct tailhead *head, u_int32_t mapping)
+{
+    struct type_entry *np;
+    for (np = head->tqh_first; np != NULL; np = np->entries.tqe_next)
+        if (np->mapping == mapping)
+            return np->name;
+    return NULL;
+}
+
+
+struct type_entry *lookup(struct tailhead *head, char *name)
+{
+    struct type_entry *np;
+    for (np = head->tqh_first; np != NULL; np = np->entries.tqe_next)
+        if (!(strcmp(np->name, name)))
+            return np;
+    return NULL;
+}
+
+/* enforces single-entry lists */
+int add_entry(struct tailhead *head, char *name, type_t mapping)
+{
+    struct type_entry *e;
+    if (lookup(head, name))
+    {
+        printf("Error: Type >%s< defined more than once.\n", name);
+        return -EFAULT;         /* already in the list */
+    }
+    if (!(e = malloc(sizeof(struct type_entry))))
+        return -ENOMEM;
+
+    e->name = name;
+    e->mapping = mapping;
+    TAILQ_INSERT_TAIL(head, e, entries);
+    return 0;
+}
+
+int totoken(char *tok)
+{
+    int i;
+    for (i = 0; token[i] != NULL; i++)
+        if (!strcmp(token[i], tok))
+            return i;
+    return -EFAULT;
+}
+
+/* conflictsets use the same data structure as ssids; since
+ * they are similar in structure (set of types)
+ */
+int init_next_conflictset(void)
+{
+    struct ssid_entry *conflictset = malloc(sizeof(struct ssid_entry));
+
+    if (!conflictset)
+        return -ENOMEM;
+
+    conflictset->name = current_conflictset_name;
+    conflictset->num = max_conflictsets++;
+    conflictset->is_ref = 0;    /* n/a for conflictsets */
+        /**
+         *  row: allocate one byte per type;
+         *  [i] != 0 --> mapped type >i< is part of the conflictset
+         */
+    conflictset->row = malloc(max_chwall_types);
+    if (!conflictset->row)
+        return -ENOMEM;
+
+    memset(conflictset->row, 0, max_chwall_types);
+    TAILQ_INSERT_TAIL(&conflictsets_head, conflictset, entries);
+    current_conflictset_p = conflictset;
+    return 0;
+}
+
+int register_type(xmlNode * cur_node, xmlDocPtr doc, unsigned long state)
+{
+    xmlChar *text;
+    struct type_entry *e;
+
+
+    text = xmlNodeListGetString(doc, cur_node->xmlChildrenNode, 1);
+    if (!text)
+    {
+        printf("Error reading type name!\n");
+        return -EFAULT;
+    }
+
+    switch (state) {
+    case XML2BIN_stetype_S:
+        if (add_entry(&ste_head, (char *) text, max_ste_types))
+        {
+            xmlFree(text);
+            return -EFAULT;
+        }
+        max_ste_types++;
+        break;
+
+    case XML2BIN_chwalltype_S:
+        if (add_entry(&chwall_head, (char *) text, max_chwall_types))
+        {
+            xmlFree(text);
+            return -EFAULT;
+        }
+        max_chwall_types++;
+        break;
+
+    case XML2BIN_conflictsettype_S:
+        /* a) search the type in the chwall_type list */
+        e = lookup(&chwall_head, (char *) text);
+        if (e == NULL)
+        {
+            printf("CS type >%s< not a CHWALL type.\n", text);
+            xmlFree(text);
+            return -EFAULT;
+        }
+        /* b) add type entry to the current cs set */
+        if (current_conflictset_p->row[e->mapping])
+        {
+            printf("ERROR: Double entry of type >%s< in conflict set %d.\n",
+                 text, current_conflictset_p->num);
+            xmlFree(text);
+            return -EFAULT;
+        }
+        current_conflictset_p->row[e->mapping] = 1;
+        break;
+
+    default:
+        printf("Incorrect type environment (state = %lx, text = %s).\n",
+               state, text);
+        xmlFree(text);
+        return -EFAULT;
+    }
+    return 0;
+}
+
+void set_component_type(xmlNode * cur_node, enum policycomponent pc)
+{
+    xmlChar *order;
+
+    if ((order = xmlGetProp(cur_node, (xmlChar *) 
PRIMARY_COMPONENT_ATTR_NAME))) {
+        if (strcmp((char *) order, PRIMARY_COMPONENT))
+        {
+            printf("ERROR: Illegal attribut value >order=%s<.\n",
+                   (char *) order);
+            xmlFree(order);
+            exit(EXIT_FAILURE);
+        }
+        if (primary != NULLPOLICY)
+        {
+            printf("ERROR: Primary Policy Component set twice!\n");
+            exit(EXIT_FAILURE);
+        }
+        primary = pc;
+        xmlFree(order);
+    }
+}
+
+void walk_policy(xmlNode * start, xmlDocPtr doc, unsigned long state)
+{
+    xmlNode *cur_node = NULL;
+    int code;
+
+    for (cur_node = start; cur_node; cur_node = cur_node->next)
+    {
+        if ((code = totoken((char *) cur_node->name)) < 0)
+        {
+            printf("Unknown token: >%s<. Aborting.\n", cur_node->name);
+            exit(EXIT_FAILURE);
+        }
+        switch (code) {         /* adjust state to new state */
+        case XML2BIN_SECPOL:
+        case XML2BIN_STETYPES:
+        case XML2BIN_CHWALLTYPES:
+        case XML2BIN_CONFLICTSETS:
+            walk_policy(cur_node->children, doc, state | (1 << code));
+            break;
+
+        case XML2BIN_STE:
+            if (WRITTEN_AGAINST_ACM_STE_VERSION != ACM_STE_VERSION)
+            {
+                printf("ERROR: This program was written against another STE 
version.\n");
+                exit(EXIT_FAILURE);
+            }
+            have_ste = 1;
+            set_component_type(cur_node, STE);
+            walk_policy(cur_node->children, doc, state | (1 << code));
+            break;
+
+        case XML2BIN_CHWALL:
+            if (WRITTEN_AGAINST_ACM_CHWALL_VERSION != ACM_CHWALL_VERSION)
+            {
+                printf("ERROR: This program was written against another CHWALL 
version.\n");
+                exit(EXIT_FAILURE);
+            }
+            have_chwall = 1;
+            set_component_type(cur_node, CHWALL);
+            walk_policy(cur_node->children, doc, state | (1 << code));
+            break;
+
+        case XML2BIN_CSTYPE:
+            current_conflictset_name =
+                (char *) xmlGetProp(cur_node, (xmlChar *) "name");
+            if (!current_conflictset_name)
+                current_conflictset_name = "";
+
+            if (init_next_conflictset())
+            {
+                printf
+                    ("ERROR: creating new conflictset structure failed.\n");
+                exit(EXIT_FAILURE);
+            }
+            walk_policy(cur_node->children, doc, state | (1 << code));
+            break;
+
+        case XML2BIN_TYPE:
+            if (register_type(cur_node, doc, state))
+                exit(EXIT_FAILURE);
+            /* type leaf */
+            break;
+
+        case XML2BIN_TEXT:
+        case XML2BIN_COMMENT:
+        case XML2BIN_POLICYHEADER:
+            /* leaf - nothing to do */
+            break;
+
+        default:
+            printf("Unkonwn token Error (%d)\n", code);
+            exit(EXIT_FAILURE);
+        }
+
+    }
+    return;
+}
+
+int create_type_mapping(xmlDocPtr doc)
+{
+    xmlNode *root_element = xmlDocGetRootElement(doc);
+    struct type_entry *te;
+    struct ssid_entry *se;
+    int i;
+
+    printf("Creating ssid mappings ...\n");
+
+    /* initialize the ste and chwall type lists */
+    TAILQ_INIT(&ste_head);
+    TAILQ_INIT(&chwall_head);
+    TAILQ_INIT(&conflictsets_head);
+
+    walk_policy(root_element, doc, XML2BIN_NULL);
+
+    /* determine primary/secondary policy component orders */
+    if ((primary == NULLPOLICY) && have_chwall)
+        primary = CHWALL;       /* default if not set */
+    else if ((primary == NULLPOLICY) && have_ste)
+        primary = STE;
+
+    switch (primary) {
+
+    case CHWALL:
+        if (have_ste)
+            secondary = STE;
+        /* else default = NULLPOLICY */
+        break;
+
+    case STE:
+        if (have_chwall)
+            secondary = CHWALL;
+        /* else default = NULLPOLICY */
+        break;
+
+    default:
+        /* NULL/NULL policy */
+        break;
+    }
+
+    if (!DEBUG)
+        return 0;
+
+    /* print queues */
+    if (have_ste)
+    {
+        printf("STE-Type queue (%s):\n",
+               (primary == STE) ? "PRIMARY" : "SECONDARY");
+        for (te = ste_head.tqh_first; te != NULL;
+             te = te->entries.tqe_next)
+            printf("name=%22s, map=%x\n", te->name, te->mapping);
+    }
+    if (have_chwall)
+    {
+        printf("CHWALL-Type queue (%s):\n",
+               (primary == CHWALL) ? "PRIMARY" : "SECONDARY");
+        for (te = chwall_head.tqh_first; te != NULL;
+             te = te->entries.tqe_next)
+            printf("name=%s, map=%x\n", te->name, te->mapping);
+
+        printf("Conflictset queue (max=%d):\n", max_conflictsets);
+        for (se = conflictsets_head.tqh_first; se != NULL;
+             se = se->entries.tqe_next)
+        {
+            printf("conflictset name >%s<\n",
+                   se->name ? se->name : "NONAME");
+            for (i = 0; i < max_chwall_types; i++)
+                if (se->row[i])
+                    printf("#%x ", i);
+            printf("\n");
+        }
+    }
+    return 0;
+}
+
+
+/***************** template-related parsing *********************/
+
+/* add default ssid at head of ssid queues */
+int init_ssid_queues(void)
+{
+    struct ssid_entry *default_ssid_chwall, *default_ssid_ste;
+
+    default_ssid_chwall = malloc(sizeof(struct ssid_entry));
+    default_ssid_ste = malloc(sizeof(struct ssid_entry));
+
+    if ((!default_ssid_chwall) || (!default_ssid_ste))
+        return -ENOMEM;
+
+    /* default chwall ssid */
+    default_ssid_chwall->name = "DEFAULT";
+    default_ssid_chwall->num = max_chwall_ssids++;
+    default_ssid_chwall->is_ref = 0;
+    default_ssid_chwall->type = ANY;
+
+    default_ssid_chwall->row = malloc(max_chwall_types);
+
+    if (!default_ssid_chwall->row)
+        return -ENOMEM;
+
+    memset(default_ssid_chwall->row, 0, max_chwall_types);
+
+    TAILQ_INSERT_TAIL(&chwall_ssid_head, default_ssid_chwall, entries);
+    current_chwall_ssid_p = default_ssid_chwall;
+    max_chwall_labels++;
+
+    /* default ste ssid */
+    default_ssid_ste->name = "DEFAULT";
+    default_ssid_ste->num = max_ste_ssids++;
+    default_ssid_ste->is_ref = 0;
+    default_ssid_ste->type = ANY;
+
+    default_ssid_ste->row = malloc(max_ste_types);
+
+    if (!default_ssid_ste->row)
+        return -ENOMEM;
+
+    memset(default_ssid_ste->row, 0, max_ste_types);
+
+    TAILQ_INSERT_TAIL(&ste_ssid_head, default_ssid_ste, entries);
+    current_ste_ssid_p = default_ssid_ste;
+    max_ste_labels++;
+    return 0;
+}
+
+int init_next_chwall_ssid(unsigned long state)
+{
+    struct ssid_entry *ssid = malloc(sizeof(struct ssid_entry));
+
+    if (!ssid)
+        return -ENOMEM;
+
+    ssid->name = current_ssid_name;
+    ssid->num = max_chwall_ssids++;
+    ssid->is_ref = 0;
+
+    if (state & (1 << XML2BIN_VM))
+        ssid->type = VM;
+    else
+        ssid->type = RES;
+        /**
+         *  row: allocate one byte per type;
+         *  [i] != 0 --> mapped type >i< is part of the ssid
+         */
+    ssid->row = malloc(max_chwall_types);
+    if (!ssid->row)
+        return -ENOMEM;
+
+    memset(ssid->row, 0, max_chwall_types);
+    TAILQ_INSERT_TAIL(&chwall_ssid_head, ssid, entries);
+    current_chwall_ssid_p = ssid;
+    max_chwall_labels++;
+    return 0;
+}
+
+int init_next_ste_ssid(unsigned long state)
+{
+    struct ssid_entry *ssid = malloc(sizeof(struct ssid_entry));
+
+    if (!ssid)
+        return -ENOMEM;
+
+    ssid->name = current_ssid_name;
+    ssid->num = max_ste_ssids++;
+    ssid->is_ref = 0;
+
+    if (state & (1 << XML2BIN_VM))
+        ssid->type = VM;
+    else
+        ssid->type = RES;
+
+        /**
+         *  row: allocate one byte per type;
+         *  [i] != 0 --> mapped type >i< is part of the ssid
+         */
+    ssid->row = malloc(max_ste_types);
+    if (!ssid->row)
+        return -ENOMEM;
+
+    memset(ssid->row, 0, max_ste_types);
+    TAILQ_INSERT_TAIL(&ste_ssid_head, ssid, entries);
+    current_ste_ssid_p = ssid;
+    max_ste_labels++;
+
+    return 0;
+}
+
+
+/* adds a type to the current ssid */
+int add_type(xmlNode * cur_node, xmlDocPtr doc, unsigned long state)
+{
+    xmlChar *text;
+    struct type_entry *e;
+
+    text = xmlNodeListGetString(doc, cur_node->xmlChildrenNode, 1);
+    if (!text)
+    {
+        printf("Error reading type name!\n");
+        return -EFAULT;
+    }
+    /* same for all: 1. lookup type mapping, 2. mark type in ssid */
+    switch (state) {
+    case XML2BIN_VM_STE_S:
+    case XML2BIN_RES_STE_S:
+        /* lookup the type mapping and include the type mapping into the array 
*/
+        if (!(e = lookup(&ste_head, (char *) text)))
+        {
+            printf("ERROR: unknown VM STE type >%s<.\n", text);
+            exit(EXIT_FAILURE);
+        }
+        if (current_ste_ssid_p->row[e->mapping])
+            printf("Warning: double entry of VM STE type >%s<.\n", text);
+
+        current_ste_ssid_p->row[e->mapping] = 1;
+        break;
+
+    case XML2BIN_VM_CHWALL_S:
+        /* lookup the type mapping and include the type mapping into the array 
*/
+        if (!(e = lookup(&chwall_head, (char *) text)))
+        {
+            printf("ERROR: unknown VM CHWALL type >%s<.\n", text);
+            exit(EXIT_FAILURE);
+        }
+        if (current_chwall_ssid_p->row[e->mapping])
+            printf("Warning: double entry of VM CHWALL type >%s<.\n",
+                   text);
+
+        current_chwall_ssid_p->row[e->mapping] = 1;
+        break;
+
+    default:
+        printf("Incorrect type environment (state = %lx, text = %s).\n",
+               state, text);
+        xmlFree(text);
+        return -EFAULT;
+    }
+    return 0;
+}
+
+void set_bootstrap_label(xmlNode * cur_node)
+{
+    xmlChar *order;
+
+    if ((order = xmlGetProp(cur_node, (xmlChar *) BOOTSTRAP_LABEL_ATTR_NAME)))
+        bootstrap_label = (char *)order;
+    else {
+        printf("ERROR: No bootstrap label defined!\n");
+        exit(EXIT_FAILURE);
+    }
+}
+
+void walk_labels(xmlNode * start, xmlDocPtr doc, unsigned long state)
+{
+    xmlNode *cur_node = NULL;
+    int code;
+
+    for (cur_node = start; cur_node; cur_node = cur_node->next)
+    {
+        if ((code = totoken((char *) cur_node->name)) < 0)
+        {
+            printf("Unkonwn token: >%s<. Aborting.\n", cur_node->name);
+            exit(EXIT_FAILURE);
+        }
+        switch (code) {         /* adjust state to new state */
+
+        case XML2BIN_SUBJECTS:
+            set_bootstrap_label(cur_node);
+            /* fall through */
+        case XML2BIN_VM:
+        case XML2BIN_RES:
+        case XML2BIN_SECTEMPLATE:
+        case XML2BIN_OBJECTS:
+            walk_labels(cur_node->children, doc, state | (1 << code));
+            break;
+
+        case XML2BIN_STETYPES:
+            /* create new ssid entry to use and point current to it */
+            if (init_next_ste_ssid(state))
+            {
+                printf("ERROR: creating new ste ssid structure failed.\n");
+                exit(EXIT_FAILURE);
+            }
+            walk_labels(cur_node->children, doc, state | (1 << code));
+
+            break;
+
+        case XML2BIN_CHWALLTYPES:
+            /* create new ssid entry to use and point current to it */
+            if (init_next_chwall_ssid(state))
+            {
+                printf("ERROR: creating new chwall ssid structure failed.\n");
+                exit(EXIT_FAILURE);
+            }
+            walk_labels(cur_node->children, doc, state | (1 << code));
+
+            break;
+
+        case XML2BIN_TYPE:
+            /* add type to current ssid */
+            if (add_type(cur_node, doc, state))
+                exit(EXIT_FAILURE);
+            break;
+
+        case XML2BIN_NAME:
+            if ((state != XML2BIN_VM_S) && (state != XML2BIN_RES_S))
+            {
+                printf("ERROR: >name< out of VM/RES context.\n");
+                exit(EXIT_FAILURE);
+            }
+            current_ssid_name = (char *)
+                xmlNodeListGetString(doc, cur_node->xmlChildrenNode, 1);
+
+            if (!current_ssid_name)
+            {
+                printf("ERROR: empty >name<!\n");
+                exit(EXIT_FAILURE);
+            }
+            break;
+
+        case XML2BIN_TEXT:
+        case XML2BIN_COMMENT:
+        case XML2BIN_LABELHEADER:
+            break;
+
+        default:
+            printf("Unkonwn token Error (%d)\n", code);
+            exit(EXIT_FAILURE);
+        }
+
+    }
+    return;
+}
+
+/* this function walks through a ssid queue
+ * and transforms double entries into references
+ * of the first definition (we need to keep the
+ * entry to map labels but we don't want double
+ * ssids in the binary policy
+ */
+void
+remove_doubles(struct tailhead_ssid *head,
+                        u_int32_t max_types, u_int32_t * max_ssids)
+{
+    struct ssid_entry *np, *ni;
+
+    /* walk once through the list */
+    for (np = head->tqh_first; np != NULL; np = np->entries.tqe_next)
+    {
+        /* now search from the start until np for the same entry */
+        for (ni = head->tqh_first; ni != np; ni = ni->entries.tqe_next)
+        {
+            if (ni->is_ref)
+                continue;
+            if (memcmp(np->row, ni->row, max_types))
+                continue;
+            /* found one, set np reference to ni */
+            np->is_ref = 1;
+            np->num = ni->num;
+            (*max_ssids)--;
+        }
+    }
+
+    /* now minimize the ssid numbers used (doubles introduce holes) */
+    (*max_ssids) = 0; /* reset */
+
+    for (np = head->tqh_first; np != NULL; np = np->entries.tqe_next)
+    {
+        if (np->is_ref)
+            continue;
+
+        if (np->num != (*max_ssids)) {
+                /* first reset all later references to the new max_ssid */
+                for (ni = np->entries.tqe_next; ni != NULL; ni = 
ni->entries.tqe_next)
+                {
+                    if (ni->num == np->num)
+                        ni->num = (*max_ssids);
+                }
+                /* now reset num */
+                np->num = (*max_ssids)++;
+        }
+        else
+            (*max_ssids)++;
+    }
+}
+
+/*
+ * will go away as soon as we have non-static bootstrap ssidref for dom0
+ */
+void fixup_bootstrap_label(struct tailhead_ssid *head,
+                         u_int32_t max_types, u_int32_t * max_ssids)
+{
+    struct ssid_entry *np;
+    int i;
+
+    /* should not happen if xml / xsd checks work */
+    if (!bootstrap_label)
+    {
+        printf("ERROR: No bootstrap label defined.\n");
+        exit(EXIT_FAILURE);
+    }
+
+    /* search bootstrap_label */
+    for (np = head->tqh_first; np != NULL; np = np->entries.tqe_next)
+    {
+        if (!strcmp(np->name, bootstrap_label))
+        {
+            break;
+        }
+    }
+
+    if (!np) {
+        /* bootstrap label not found */
+        printf("ERROR: Bootstrap label >%s< not found.\n", bootstrap_label);
+        exit(EXIT_FAILURE);
+    }
+
+    /* move this entry ahead in the list right after the default entry so it
+     * receives ssidref 1/1 */
+    TAILQ_REMOVE(head, np, entries);
+    TAILQ_INSERT_AFTER(head, head->tqh_first, np, entries);
+
+    /* renumber the ssids (we could also just switch places with 1st element) 
*/
+    for (np = head->tqh_first, i=0; np != NULL; np = np->entries.tqe_next, i++)
+        np->num   = i;
+
+}
+
+int create_ssid_mapping(xmlDocPtr doc)
+{
+    xmlNode *root_element = xmlDocGetRootElement(doc);
+    struct ssid_entry *np;
+    int i;
+
+    printf("Creating label mappings ...\n");
+    /* initialize the ste and chwall type lists */
+    TAILQ_INIT(&chwall_ssid_head);
+    TAILQ_INIT(&ste_ssid_head);
+
+    /* init with default ssids */
+    if (init_ssid_queues())
+    {
+        printf("ERROR adding default ssids.\n");
+        exit(EXIT_FAILURE);
+    }
+
+    /* now walk the template DOM tree and fill in ssids */
+    walk_labels(root_element, doc, XML2BIN_NULL);
+
+    /*
+     * now sort bootstrap label to the head of the list
+     * (for now), dom0 assumes its label in the first
+     * defined ssidref (1/1). 0/0 is the default non-Label
+     */
+    if (have_chwall)
+        fixup_bootstrap_label(&chwall_ssid_head, max_chwall_types,
+                                &max_chwall_ssids);
+    if (have_ste)
+        fixup_bootstrap_label(&ste_ssid_head, max_ste_types,
+                                &max_ste_ssids);
+
+    /* remove any double entries (insert reference instead) */
+    if (have_chwall)
+        remove_doubles(&chwall_ssid_head, max_chwall_types,
+                       &max_chwall_ssids);
+    if (have_ste)
+        remove_doubles(&ste_ssid_head, max_ste_types,
+                       &max_ste_ssids);
+
+    if (!DEBUG)
+        return 0;
+
+    /* print queues */
+    if (have_chwall)
+    {
+        printf("CHWALL SSID queue (max ssidrefs=%d):\n", max_chwall_ssids);
+        np = NULL;
+        for (np = chwall_ssid_head.tqh_first; np != NULL;
+             np = np->entries.tqe_next)
+        {
+            printf("SSID #%02u (Label=%s)\n", np->num, np->name);
+            if (np->is_ref)
+                printf("REFERENCE");
+            else
+                for (i = 0; i < max_chwall_types; i++)
+                    if (np->row[i])
+                        printf("#%02d ", i);
+            printf("\n\n");
+        }
+    }
+    if (have_ste)
+    {
+        printf("STE SSID queue (max ssidrefs=%d):\n", max_ste_ssids);
+        np = NULL;
+        for (np = ste_ssid_head.tqh_first; np != NULL;
+             np = np->entries.tqe_next)
+        {
+            printf("SSID #%02u (Label=%s)\n", np->num, np->name);
+            if (np->is_ref)
+                printf("REFERENCE");
+            else
+                for (i = 0; i < max_ste_types; i++)
+                    if (np->row[i])
+                        printf("#%02d ", i);
+            printf("\n\n");
+        }
+    }
+    return 0;
+}
+
+/***************** writing the binary policy *********************/
+
+/*
+ * the mapping file is ascii-based since it will likely be used from
+ * within scripts (using awk, grep, etc.);
+ *
+ * We print from high-level to low-level information so that with one
+ * pass, any symbol can be resolved (e.g. Label -> types)
+ */
+int write_mapping(char *filename)
+{
+
+    struct ssid_entry *e;
+    struct type_entry *t;
+    int i;
+    FILE *file;
+
+    if ((file = fopen(filename, "w")) == NULL)
+        return -EIO;
+
+    fprintf(file, "MAGIC                  %08x\n", ACM_MAGIC);
+    fprintf(file, "POLICY                 %s\n",
+            basename(policy_filename));
+    fprintf(file, "BINARY                 %s\n",
+            basename(binary_filename));
+    if (have_chwall)
+    {
+        fprintf(file, "MAX-CHWALL-TYPES       %08x\n", max_chwall_types);
+        fprintf(file, "MAX-CHWALL-SSIDS       %08x\n", max_chwall_ssids);
+        fprintf(file, "MAX-CHWALL-LABELS      %08x\n", max_chwall_labels);
+    }
+    if (have_ste)
+    {
+        fprintf(file, "MAX-STE-TYPES          %08x\n", max_ste_types);
+        fprintf(file, "MAX-STE-SSIDS          %08x\n", max_ste_ssids);
+        fprintf(file, "MAX-STE-LABELS         %08x\n", max_ste_labels);
+    }
+    fprintf(file, "\n");
+
+    /* primary / secondary order for combined ssid synthesis/analysis
+     * if no primary is named, then chwall is primary */
+    switch (primary) {
+    case CHWALL:
+        fprintf(file, "PRIMARY                CHWALL\n");
+        break;
+
+    case STE:
+        fprintf(file, "PRIMARY                STE\n");
+        break;
+
+    default:
+        fprintf(file, "PRIMARY                NULL\n");
+        break;
+    }
+
+    switch (secondary) {
+    case CHWALL:
+        fprintf(file, "SECONDARY              CHWALL\n");
+        break;
+
+    case STE:
+        fprintf(file, "SECONDARY              STE\n");
+        break;
+
+    default:
+        fprintf(file, "SECONDARY              NULL\n");
+        break;
+    }
+    fprintf(file, "\n");
+
+    /* first labels to ssid mappings */
+    if (have_chwall)
+    {
+        for (e = chwall_ssid_head.tqh_first; e != NULL;
+             e = e->entries.tqe_next)
+        {
+            fprintf(file, "LABEL->SSID %s CHWALL %-25s %8x\n",
+                    (e->type ==
+                     VM) ? "VM " : ((e->type == RES) ? "RES" : "ANY"),
+                    e->name, e->num);
+        }
+        fprintf(file, "\n");
+    }
+    if (have_ste)
+    {
+        for (e = ste_ssid_head.tqh_first; e != NULL;
+             e = e->entries.tqe_next)
+        {
+            fprintf(file, "LABEL->SSID %s STE    %-25s %8x\n",
+                    (e->type ==
+                     VM) ? "VM " : ((e->type == RES) ? "RES" : "ANY"),
+                    e->name, e->num);
+        }
+        fprintf(file, "\n");
+    }
+
+    /* second ssid to type mappings */
+    if (have_chwall)
+    {
+        for (e = chwall_ssid_head.tqh_first; e != NULL;
+             e = e->entries.tqe_next)
+        {
+            if (e->is_ref)
+                continue;
+
+            fprintf(file, "SSID->TYPE CHWALL      %08x", e->num);
+
+            for (i = 0; i < max_chwall_types; i++)
+                if (e->row[i])
+                    fprintf(file, " %s", type_by_mapping(&chwall_head, i));
+
+            fprintf(file, "\n");
+        }
+        fprintf(file, "\n");
+    }
+    if (have_ste) {
+        for (e = ste_ssid_head.tqh_first; e != NULL;
+             e = e->entries.tqe_next)
+        {
+            if (e->is_ref)
+                continue;
+
+            fprintf(file, "SSID->TYPE STE         %08x", e->num);
+
+            for (i = 0; i < max_ste_types; i++)
+                if (e->row[i])
+                    fprintf(file, " %s", type_by_mapping(&ste_head, i));
+
+            fprintf(file, "\n");
+        }
+        fprintf(file, "\n");
+    }
+    /* third type mappings */
+    if (have_chwall)
+    {
+        for (t = chwall_head.tqh_first; t != NULL; t = t->entries.tqe_next)
+        {
+            fprintf(file, "TYPE CHWALL            %-25s %8x\n",
+                    t->name, t->mapping);
+        }
+        fprintf(file, "\n");
+    }
+    if (have_ste) {
+        for (t = ste_head.tqh_first; t != NULL; t = t->entries.tqe_next)
+        {
+            fprintf(file, "TYPE STE               %-25s %8x\n",
+                    t->name, t->mapping);
+        }
+        fprintf(file, "\n");
+    }
+    fclose(file);
+    return 0;
+}
+
+unsigned char *write_chwall_binary(u_int32_t * len_chwall)
+{
+    unsigned char *buf, *ptr;
+    struct acm_chwall_policy_buffer *chwall_header;
+    u_int32_t len;
+    struct ssid_entry *e;
+    int i;
+
+    if (!have_chwall)
+        return NULL;
+
+    len = sizeof(struct acm_chwall_policy_buffer) +
+        sizeof(type_t) * max_chwall_types * max_chwall_ssids +
+        sizeof(type_t) * max_chwall_types * max_conflictsets;
+
+    buf = malloc(len);
+    ptr = buf;
+
+    if (!buf)
+    {
+        printf("ERROR: out of memory allocating chwall buffer.\n");
+        exit(EXIT_FAILURE);
+    }
+    /* chwall has 3 parts : header, types, conflictsets */
+
+    chwall_header = (struct acm_chwall_policy_buffer *) buf;
+    chwall_header->chwall_max_types = htonl(max_chwall_types);
+    chwall_header->chwall_max_ssidrefs = htonl(max_chwall_ssids);
+    chwall_header->policy_code = htonl(ACM_CHINESE_WALL_POLICY);
+    chwall_header->policy_version = htonl(ACM_CHWALL_VERSION);
+    chwall_header->chwall_ssid_offset =
+        htonl(sizeof(struct acm_chwall_policy_buffer));
+    chwall_header->chwall_max_conflictsets = htonl(max_conflictsets);
+    chwall_header->chwall_conflict_sets_offset =
+        htonl(ntohl(chwall_header->chwall_ssid_offset) +
+              sizeof(domaintype_t) * max_chwall_ssids * max_chwall_types);
+    chwall_header->chwall_running_types_offset = 0;     /* not set, only 
retrieved */
+    chwall_header->chwall_conflict_aggregate_offset = 0;        /* not set, 
only retrieved */
+    ptr += sizeof(struct acm_chwall_policy_buffer);
+
+    /* types */
+    for (e = chwall_ssid_head.tqh_first; e != NULL;
+         e = e->entries.tqe_next)
+    {
+        if (e->is_ref)
+            continue;
+
+        for (i = 0; i < max_chwall_types; i++)
+            ((type_t *) ptr)[i] = htons((type_t) e->row[i]);
+
+        ptr += sizeof(type_t) * max_chwall_types;
+    }
+
+    /* conflictsets */
+    for (e = conflictsets_head.tqh_first; e != NULL;
+         e = e->entries.tqe_next)
+    {
+        for (i = 0; i < max_chwall_types; i++)
+            ((type_t *) ptr)[i] = htons((type_t) e->row[i]);
+
+        ptr += sizeof(type_t) * max_chwall_types;
+    }
+
+    if ((ptr - buf) != len)
+    {
+        printf("ERROR: wrong lengths in %s.\n", __func__);
+        exit(EXIT_FAILURE);
+    }
+
+    (*len_chwall) = len;
+    return buf;
+}
+
+unsigned char *write_ste_binary(u_int32_t * len_ste)
+{
+    unsigned char *buf, *ptr;
+    struct acm_ste_policy_buffer *ste_header;
+    struct ssid_entry *e;
+    u_int32_t len;
+    int i;
+
+    if (!have_ste)
+        return NULL;
+
+    len = sizeof(struct acm_ste_policy_buffer) +
+        sizeof(type_t) * max_ste_types * max_ste_ssids;
+
+    buf = malloc(len);
+    ptr = buf;
+
+    if (!buf)
+    {
+        printf("ERROR: out of memory allocating chwall buffer.\n");
+        exit(EXIT_FAILURE);
+    }
+
+    /* fill buffer */
+    ste_header = (struct acm_ste_policy_buffer *) buf;
+    ste_header->policy_version = htonl(ACM_STE_VERSION);
+    ste_header->policy_code = htonl(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY);
+    ste_header->ste_max_types = htonl(max_ste_types);
+    ste_header->ste_max_ssidrefs = htonl(max_ste_ssids);
+    ste_header->ste_ssid_offset =
+        htonl(sizeof(struct acm_ste_policy_buffer));
+
+    ptr += sizeof(struct acm_ste_policy_buffer);
+
+    /* types */
+    for (e = ste_ssid_head.tqh_first; e != NULL; e = e->entries.tqe_next)
+    {
+        if (e->is_ref)
+            continue;
+
+        for (i = 0; i < max_ste_types; i++)
+            ((type_t *) ptr)[i] = htons((type_t) e->row[i]);
+
+        ptr += sizeof(type_t) * max_ste_types;
+    }
+
+    if ((ptr - buf) != len)
+    {
+        printf("ERROR: wrong lengths in %s.\n", __func__);
+        exit(EXIT_FAILURE);
+    }
+    (*len_ste) = len;
+    return buf;                 /* for now */
+}
+
+int write_binary(char *filename)
+{
+    struct acm_policy_buffer header;
+    unsigned char *ste_buffer = NULL, *chwall_buffer = NULL;
+    u_int32_t len;
+    int fd;
+
+    u_int32_t len_ste = 0, len_chwall = 0;      /* length of policy components 
*/
+
+    /* open binary file */
+    if ((fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR)) 
<= 0)
+        return -EIO;
+
+    ste_buffer = write_ste_binary(&len_ste);
+    chwall_buffer = write_chwall_binary(&len_chwall);
+
+    /* determine primary component (default chwall) */
+    header.policy_version = htonl(ACM_POLICY_VERSION);
+    header.magic = htonl(ACM_MAGIC);
+
+    len = sizeof(struct acm_policy_buffer);
+    if (have_chwall)
+        len += len_chwall;
+    if (have_ste)
+        len += len_ste;
+    header.len = htonl(len);
+
+    header.primary_buffer_offset = htonl(sizeof(struct acm_policy_buffer));
+    if (primary == CHWALL)
+    {
+        header.primary_policy_code = htonl(ACM_CHINESE_WALL_POLICY);
+        header.secondary_buffer_offset =
+            htonl((sizeof(struct acm_policy_buffer)) + len_chwall);
+    }
+    else if (primary == STE)
+    {
+        header.primary_policy_code =
+            htonl(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY);
+        header.secondary_buffer_offset =
+            htonl((sizeof(struct acm_policy_buffer)) + len_ste);
+    }
+    else
+    {
+        /* null policy */
+        header.primary_policy_code = htonl(ACM_NULL_POLICY);
+        header.secondary_buffer_offset =
+            htonl(header.primary_buffer_offset);
+    }
+
+    if (secondary == CHWALL)
+        header.secondary_policy_code = htonl(ACM_CHINESE_WALL_POLICY);
+    else if (secondary == STE)
+        header.secondary_policy_code =
+            htonl(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY);
+    else
+        header.secondary_policy_code = htonl(ACM_NULL_POLICY);
+
+    if (write(fd, (void *) &header, sizeof(struct acm_policy_buffer))
+        != sizeof(struct acm_policy_buffer))
+        return -EIO;
+
+    /* write primary policy component */
+    if (primary == CHWALL)
+    {
+        if (write(fd, chwall_buffer, len_chwall) != len_chwall)
+            return -EIO;
+    }
+    else if (primary == STE)
+    {
+        if (write(fd, ste_buffer, len_ste) != len_ste)
+            return -EIO;
+    } else
+        ;                     /* NULL POLICY has no policy data */
+
+    /* write secondary policy component */
+    if (secondary == CHWALL)
+    {
+        if (write(fd, chwall_buffer, len_chwall) != len_chwall)
+            return -EIO;
+    }
+    else if (secondary == STE)
+    {
+        if (write(fd, ste_buffer, len_ste) != len_ste)
+            return -EIO;
+    } else;                     /* NULL POLICY has no policy data */
+
+    close(fd);
+    return 0;
+}
+
+int is_valid(xmlDocPtr doc)
+{
+    int err = 0;
+    xmlSchemaPtr schema_ctxt = NULL;
+    xmlSchemaParserCtxtPtr schemaparser_ctxt = NULL;
+    xmlSchemaValidCtxtPtr schemavalid_ctxt = NULL;
+
+    schemaparser_ctxt = xmlSchemaNewParserCtxt(SCHEMA_FILENAME);
+    schema_ctxt = xmlSchemaParse(schemaparser_ctxt);
+    schemavalid_ctxt = xmlSchemaNewValidCtxt(schema_ctxt);
+
+#ifdef VALIDATE_SCHEMA
+    /* only tested to be available from libxml2-2.6.20 upwards */
+    if ((err = xmlSchemaIsValid(schemavalid_ctxt)) != 1)
+    {
+        printf("ERROR: Invalid schema file %s (err=%d)\n",
+               SCHEMA_FILENAME, err);
+        err = -EIO;
+        goto out;
+    }
+    else
+        printf("XML Schema %s valid.\n", SCHEMA_FILENAME);
+#endif
+    if ((err = xmlSchemaValidateDoc(schemavalid_ctxt, doc)))
+    {
+        err = -EIO;
+        goto out;
+    }
+  out:
+    xmlSchemaFreeValidCtxt(schemavalid_ctxt);
+    xmlSchemaFreeParserCtxt(schemaparser_ctxt);
+    xmlSchemaFree(schema_ctxt);
+    return (err != 0) ? 0 : 1;
+}
+
+int main(int argc, char **argv)
+{
+    xmlDocPtr labeldoc = NULL;
+    xmlDocPtr policydoc = NULL;
+
+    int err = EXIT_SUCCESS;
+
+    char *file_prefix;
+    int prefix_len;
+
+    if (ACM_POLICY_VERSION != WRITTEN_AGAINST_ACM_POLICY_VERSION)
+    {
+        printf("ERROR: This program was written against an older ACM 
version.\n");
+        exit(EXIT_FAILURE);
+    }
+
+    if (argc != 2)
+        usage(basename(argv[0]));
+
+    prefix_len = strlen(POLICY_SUBDIR) +
+        strlen(argv[1]) + 1 /* "/" */  +
+        strlen(argv[1]) + 1 /* "/" */ ;
+
+    file_prefix = malloc(prefix_len);
+    policy_filename = malloc(prefix_len + strlen(POLICY_EXTENSION));
+    label_filename = malloc(prefix_len + strlen(LABEL_EXTENSION));
+    binary_filename = malloc(prefix_len + strlen(BINARY_EXTENSION));
+    mapping_filename = malloc(prefix_len + strlen(MAPPING_EXTENSION));
+
+    if (!file_prefix || !policy_filename || !label_filename ||
+        !binary_filename || !mapping_filename)
+    {
+        printf("ERROR allocating file name memory.\n");
+        goto out2;
+    }
+
+    /* create input/output filenames out of prefix */
+    strcat(file_prefix, POLICY_SUBDIR);
+    strcat(file_prefix, argv[1]);
+    strcat(file_prefix, "/");
+    strcat(file_prefix, argv[1]);
+
+    strcpy(policy_filename, file_prefix);
+    strcpy(label_filename, file_prefix);
+    strcpy(binary_filename, file_prefix);
+    strcpy(mapping_filename, file_prefix);
+
+    strcat(policy_filename, POLICY_EXTENSION);
+    strcat(label_filename, LABEL_EXTENSION);
+    strcat(binary_filename, BINARY_EXTENSION);
+    strcat(mapping_filename, MAPPING_EXTENSION);
+
+    labeldoc = xmlParseFile(label_filename);
+
+    if (labeldoc == NULL)
+    {
+        printf("Error: could not parse file %s.\n", argv[1]);
+        goto out2;
+    }
+
+    printf("Validating label file %s...\n", label_filename);
+    if (!is_valid(labeldoc))
+    {
+        printf("ERROR: Failed schema-validation for file %s (err=%d)\n",
+               label_filename, err);
+        goto out1;
+    }
+
+    policydoc = xmlParseFile(policy_filename);
+
+    if (policydoc == NULL)
+    {
+        printf("Error: could not parse file %s.\n", argv[1]);
+        goto out1;
+    }
+
+    printf("Validating policy file %s...\n", policy_filename);
+
+    if (!is_valid(policydoc))
+    {
+        printf("ERROR: Failed schema-validation for file %s (err=%d)\n",
+               policy_filename, err);
+        goto out;
+    }
+
+    /* Init queues and parse policy */
+    create_type_mapping(policydoc);
+
+    /* create ssids */
+    create_ssid_mapping(labeldoc);
+
+    /* write label mapping file */
+    if (write_mapping(mapping_filename))
+    {
+        printf("ERROR: writing mapping file %s.\n", mapping_filename);
+        goto out;
+    }
+
+    /* write binary file */
+    if (write_binary(binary_filename))
+    {
+        printf("ERROR: writing binary file %s.\n", binary_filename);
+        goto out;
+    }
+
+    /* write stats */
+    if (have_chwall)
+    {
+        printf("Max chwall labels:  %u\n", max_chwall_labels);
+        printf("Max chwall-types:   %u\n", max_chwall_types);
+        printf("Max chwall-ssids:   %u\n", max_chwall_ssids);
+    }
+
+    if (have_ste)
+    {
+        printf("Max ste labels:     %u\n", max_ste_labels);
+        printf("Max ste-types:      %u\n", max_ste_types);
+        printf("Max ste-ssids:      %u\n", max_ste_ssids);
+    }
+    /* cleanup */
+  out:
+    xmlFreeDoc(policydoc);
+  out1:
+    xmlFreeDoc(labeldoc);
+  out2:
+    xmlCleanupParser();
+    return err;
+}
+
diff -r 1895942150a5 -r 513acbeac420 tools/security/secpol_xml2bin.h
--- /dev/null   Fri Aug 19 08:55:03 2005
+++ b/tools/security/secpol_xml2bin.h   Fri Aug 19 09:03:17 2005
@@ -0,0 +1,139 @@
+/****************************************************************
+ * secpol_xml2bin.h
+ *
+ * Copyright (C) 2005 IBM Corporation
+ *
+ * Authors:
+ * Reiner Sailer <sailer@xxxxxxxxxxxxxx>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ *
+ */
+#define POLICY_SUBDIR       "policies/"
+#define POLICY_EXTENSION    "-security_policy.xml"
+#define LABEL_EXTENSION     "-security_label_template.xml"
+#define BINARY_EXTENSION    ".bin"
+#define MAPPING_EXTENSION   ".map"
+#define PRIMARY_COMPONENT_ATTR_NAME "order"
+#define BOOTSTRAP_LABEL_ATTR_NAME   "bootstrap"
+#define PRIMARY_COMPONENT   "PrimaryPolicyComponent"
+#define SCHEMA_FILENAME     "policies/security_policy.xsd"
+
+/* basic states (used as 1 << X) */
+#define XML2BIN_SECPOL             0   /* policy tokens */
+#define XML2BIN_STE                    1
+#define XML2BIN_CHWALL          2
+#define XML2BIN_CONFLICTSETS           3
+#define XML2BIN_CSTYPE         4
+
+#define XML2BIN_SECTEMPLATE        5   /* label tokens */
+#define XML2BIN_POLICYHEADER           6
+#define XML2BIN_LABELHEADER     7
+#define XML2BIN_SUBJECTS        8
+#define XML2BIN_OBJECTS            9
+#define XML2BIN_VM                 10
+#define XML2BIN_RES            11
+
+#define XML2BIN_STETYPES           12  /* shared tokens */
+#define XML2BIN_CHWALLTYPES        13
+#define XML2BIN_TYPE               14
+#define XML2BIN_NAME            15
+#define XML2BIN_TEXT               16
+#define XML2BIN_COMMENT                17
+
+/* type "data type" (currently 16bit) */
+typedef u_int16_t type_t;
+
+/* list of known elements and token equivalent  *
+ * state constants and token positions must be  *
+ * in sync for correct state recognition        */
+
+char *token[20] =                       /* parser triggers */
+{
+    [0] = "SecurityPolicyDefinition",   /* policy xml */
+    [1] = "SimpleTypeEnforcement",
+    [2] = "ChineseWall",
+    [3] = "ConflictSets",
+    [4] = "Conflict",                   /* label-template xml */
+    [5] = "SecurityLabelTemplate",
+    [6] = "PolicyHeader",
+    [7] = "LabelHeader",
+    [8] = "SubjectLabels",
+    [9] = "ObjectLabels",
+    [10] = "VirtualMachineLabel",
+    [11] = "ResourceLabel",
+    [12] = "SimpleTypeEnforcementTypes",                  /* common tags */
+    [13] = "ChineseWallTypes",
+    [14] = "Type",
+    [15] = "Name",
+    [16] = "text",
+    [17] = "comment",
+    [18] = NULL,
+};
+
+/* important combined states */
+#define XML2BIN_NULL           0
+
+/* policy xml parsing states _S */
+
+/* e.g., here we are in a <secpol,ste,stetypes> environment,  *
+ * so when finding a type element, we know where to put it    */
+#define XML2BIN_stetype_S ((1 << XML2BIN_SECPOL) | \
+                                (1 << XML2BIN_STE) |    \
+                                (1 << XML2BIN_STETYPES))
+
+#define XML2BIN_chwalltype_S ((1 << XML2BIN_SECPOL) | \
+                                (1 << XML2BIN_CHWALL) | \
+                                (1 << XML2BIN_CHWALLTYPES))
+
+#define XML2BIN_conflictset_S ((1 << XML2BIN_SECPOL) | \
+                                (1 << XML2BIN_CHWALL) | \
+                                (1 << XML2BIN_CONFLICTSETS))
+
+#define XML2BIN_conflictsettype_S ((1 << XML2BIN_SECPOL) | \
+                                (1 << XML2BIN_CHWALL) | \
+                                (1 << XML2BIN_CONFLICTSETS) | \
+                                (1 << XML2BIN_CSTYPE))
+
+
+/* label xml states */
+#define XML2BIN_VM_S ((1 << XML2BIN_SECTEMPLATE) | \
+                      (1 << XML2BIN_SUBJECTS) |    \
+                      (1 << XML2BIN_VM))
+
+#define XML2BIN_RES_S ((1 << XML2BIN_SECTEMPLATE) | \
+                       (1 << XML2BIN_OBJECTS) |     \
+                       (1 << XML2BIN_RES))
+
+#define XML2BIN_VM_STE_S ((1 << XML2BIN_SECTEMPLATE) | \
+                        (1 << XML2BIN_SUBJECTS) | \
+                        (1 << XML2BIN_VM) | \
+                        (1 << XML2BIN_STETYPES))
+
+#define XML2BIN_VM_CHWALL_S ((1 << XML2BIN_SECTEMPLATE) | \
+                           (1 << XML2BIN_SUBJECTS) | \
+                           (1 << XML2BIN_VM) | \
+                           (1 << XML2BIN_CHWALLTYPES))
+
+#define XML2BIN_RES_STE_S ((1 << XML2BIN_SECTEMPLATE) | \
+                         (1 << XML2BIN_OBJECTS) | \
+                         (1 << XML2BIN_RES) | \
+                         (1 << XML2BIN_STETYPES))
+
+
+
+/* check versions of headers against which the
+ * xml2bin translation tool was written
+ */
+
+/* protects from unnoticed changes in struct acm_policy_buffer */
+#define WRITTEN_AGAINST_ACM_POLICY_VERSION  1
+
+/* protects from unnoticed changes in struct acm_chwall_policy_buffer */
+#define WRITTEN_AGAINST_ACM_CHWALL_VERSION  1
+
+/* protects from unnoticed changes in struct acm_ste_policy_buffer */
+#define WRITTEN_AGAINST_ACM_STE_VERSION     1
diff -r 1895942150a5 -r 513acbeac420 tools/security/setlabel.sh
--- /dev/null   Fri Aug 19 08:55:03 2005
+++ b/tools/security/setlabel.sh        Fri Aug 19 09:03:17 2005
@@ -0,0 +1,345 @@
+#!/bin/sh
+# *
+# * setlabel
+# *
+# * Copyright (C) 2005 IBM Corporation
+# *
+# * Authors:
+# * Stefan Berger <stefanb@xxxxxxxxxx>
+# *
+# * This program is free software; you can redistribute it and/or
+# * modify it under the terms of the GNU General Public License as
+# * published by the Free Software Foundation, version 2 of the
+# * License.
+# *
+# * 'setlabel' labels virtual machine (domain) configuration files with
+# * security identifiers that can be enforced in Xen.
+# *
+# * 'setlabel -?' shows the usage of the program
+# *
+# * 'setlabel -l vmconfig-file' lists all available labels (only VM
+# *            labels are used right now)
+# *
+# * 'setlabel vmconfig-file security-label map-file' inserts the 'ssidref'
+# *                       that corresponds to the security-label under the
+# *                       current policy (if policy changes, 'label'
+# *                       must be re-run over the configuration files;
+# *                       map-file is created during policy translation and
+# *                       is found in the policy's directory
+#
+
+if [ -z "$runbash" ]; then
+       runbash="1"
+       export runbash
+       exec sh -c "bash $0 $*"
+fi
+
+
+usage ()
+{
+       echo "Usage: $0 [Option] <vmfile> <label> <policy name> "
+       echo "    or $0 -l <policy name>"
+       echo ""
+       echo "Valid Options are:"
+       echo "-r          : to relabel a file without being prompted"
+       echo ""
+       echo "vmfile      : XEN vm configuration file"
+       echo "label       : the label to map"
+       echo "policy name : the name of the policy, i.e. 'chwall'"
+       echo ""
+       echo "-l <policy name> is used to show valid labels in the map file"
+       echo ""
+}
+
+
+findMapFile ()
+{
+       mapfile="./$1.map"
+       if [ -r "$mapfile" ]; then
+               return 1
+       fi
+
+       mapfile="./policies/$1/$1.map"
+       if [ -r "$mapfile" ]; then
+               return 1
+       fi
+
+       return 0
+}
+
+showLabels ()
+{
+       mapfile=$1
+       if [ ! -r "$mapfile" -o "$mapfile" == "" ]; then
+               echo "Cannot read from vm configuration file $vmfile."
+               return -1
+       fi
+
+       getPrimaryPolicy $mapfile
+       getSecondaryPolicy $mapfile
+
+       echo "The following labels are available:"
+       let line=1
+       while [ 1 ]; do
+               ITEM=`cat $mapfile |         \
+                     awk -vline=$line       \
+                         -vprimary=$primary \
+                     '{                     \
+                        if ($1 == "LABEL->SSID" &&  \
+                            $2 == "VM" &&           \
+                            $3 == primary ) {       \
+                          ctr++;                    \
+                          if (ctr == line) {        \
+                            print $4;               \
+                          }                         \
+                        }                           \
+                      } END {                       \
+                      }'`
+
+               if [ "$ITEM" == "" ]; then
+                       break
+               fi
+               if [ "$secondary" != "NULL" ]; then
+                       LABEL=`cat $mapfile |     \
+                              awk -vitem=$ITEM   \
+                              '{
+                                 if ($1 == "LABEL->SSID" && \
+                                     $2 == "VM" &&          \
+                                     $3 == "CHWALL" &&      \
+                                     $4 == item ) {         \
+                                   result = item;           \
+                                 }                          \
+                               } END {                      \
+                                   print result             \
+                               }'`
+               else
+                       LABEL=$ITEM
+               fi
+
+               if [ "$LABEL" != "" ]; then
+                       echo "$LABEL"
+                       found=1
+               fi
+               let line=line+1
+       done
+       if [ "$found" != "1" ]; then
+               echo "No labels found."
+       fi
+}
+
+getPrimaryPolicy ()
+{
+       mapfile=$1
+       primary=`cat $mapfile  |   \
+                awk '             \
+                 {                \
+                   if ( $1 == "PRIMARY" ) { \
+                     res=$2;                \
+                   }                        \
+                 } END {                    \
+                   print res;               \
+                 } '`
+}
+
+getSecondaryPolicy ()
+{
+       mapfile=$1
+       secondary=`cat $mapfile  |   \
+                awk '             \
+                 {                \
+                   if ( $1 == "SECONDARY" ) { \
+                     res=$2;                \
+                   }                        \
+                 } END {                    \
+                   print res;               \
+                 } '`
+}
+
+
+getDefaultSsid ()
+{
+       mapfile=$1
+       pol=$2
+       RES=`cat $mapfile    \
+            awk -vpol=$pol  \
+             {              \
+               if ($1 == "LABEL->SSID" && \
+                   $2 == "ANY"         && \
+                   $3 == pol           && \
+                   $4 == "DEFAULT"       ) {\
+                     res=$5;                \
+               }                            \
+             } END {                        \
+               printf "%04x", strtonum(res) \
+            }'`
+       echo "default NULL mapping is $RES"
+       defaultssid=$RES
+}
+
+relabel ()
+{
+       vmfile=$1
+       label=$2
+       mapfile=$3
+       mode=$4
+
+       if [ ! -r "$vmfile" ]; then
+               echo "Cannot read from vm configuration file $vmfile."
+               return -1
+       fi
+
+       if [ ! -w "$vmfile" ]; then
+               echo "Cannot write to vm configuration file $vmfile."
+               return -1
+       fi
+
+       if [ ! -r "$mapfile" ] ; then
+               echo "Cannot read mapping file $mapfile."
+               return -1
+       fi
+
+       # Determine which policy is primary, which sec.
+       getPrimaryPolicy $mapfile
+       getSecondaryPolicy $mapfile
+
+       # Calculate the primary policy's SSIDREF
+       if [ "$primary" == "NULL" ]; then
+               SSIDLO="0000"
+       else
+               SSIDLO=`cat $mapfile |                    \
+                       awk -vlabel=$label                \
+                           -vprimary=$primary            \
+                          '{                             \
+                             if ( $1 == "LABEL->SSID" && \
+                                  $2 == "VM" &&          \
+                                  $3 == primary  &&      \
+                                  $4 == label ) {        \
+                               result=$5                 \
+                             }                           \
+                          } END {                        \
+                            if (result != "" )           \
+                              {printf "%04x", strtonum(result)}\
+                          }'`
+       fi
+
+       # Calculate the secondary policy's SSIDREF
+       if [ "$secondary" == "NULL" ]; then
+               SSIDHI="0000"
+       else
+               SSIDHI=`cat $mapfile |                    \
+                       awk -vlabel=$label                \
+                           -vsecondary=$secondary        \
+                          '{                             \
+                             if ( $1 == "LABEL->SSID" && \
+                                  $2 == "VM"          && \
+                                  $3 == secondary     && \
+                                  $4 == label ) {        \
+                               result=$5                 \
+                             }                           \
+                           }  END {                      \
+                             if (result != "" )          \
+                               {printf "%04x", strtonum(result)}\
+                           }'`
+       fi
+
+       if [ "$SSIDLO" == "" -o \
+            "$SSIDHI" == "" ]; then
+               echo "Could not map the given label '$label'."
+               return -1
+       fi
+
+       ACM_POLICY=`cat $mapfile |             \
+           awk ' { if ( $1 == "POLICY" ) {    \
+                     result=$2                \
+                   }                          \
+                 }                            \
+                 END {                        \
+                   if (result != "") {        \
+                     printf result            \
+                   }                          \
+                 }'`
+
+       if [ "$ACM_POLICY" == "" ]; then
+               echo "Could not find 'POLICY' entry in map file."
+               return -1
+       fi
+
+       SSIDREF="0x$SSIDHI$SSIDLO"
+
+       if [ "$mode" != "relabel" ]; then
+               RES=`cat $vmfile |  \
+                    awk '{         \
+                      if ( substr($1,0,7) == "ssidref" ) {\
+                        print $0;             \
+                      }                       \
+                    }'`
+               if [ "$RES" != "" ]; then
+                       echo "Do you want to overwrite the existing mapping 
($RES)? (y/N)"
+                       read user
+                       if [ "$user" != "y" -a "$user" != "Y" ]; then
+                               echo "Aborted."
+                               return 0
+                       fi
+               fi
+       fi
+
+       #Write the output
+       vmtmp1="/tmp/__setlabel.tmp1"
+       vmtmp2="/tmp/__setlabel.tmp2"
+       touch $vmtmp1
+       touch $vmtmp2
+       if [ ! -w "$vmtmp1" -o ! -w "$vmtmp2" ]; then
+               echo "Cannot create temporary files. Aborting."
+               return -1
+       fi
+       RES=`sed -e '/^#ACM_POLICY/d' $vmfile > $vmtmp1`
+       RES=`sed -e '/^#ACM_LABEL/d' $vmtmp1 > $vmtmp2`
+       RES=`sed -e '/^ssidref/d' $vmtmp2 > $vmtmp1`
+       echo "#ACM_POLICY=$ACM_POLICY" >> $vmtmp1
+       echo "#ACM_LABEL=$label" >> $vmtmp1
+       echo "ssidref = $SSIDREF" >> $vmtmp1
+       mv -f $vmtmp1 $vmfile
+       rm -rf $vmtmp1 $vmtmp2
+       echo "Mapped label '$label' to ssidref '$SSIDREF'."
+}
+
+
+
+if [ "$1" == "-r" ]; then
+       mode="relabel"
+       shift
+elif [ "$1" == "-l" ]; then
+       mode="show"
+       shift
+elif [ "$1" == "-?" ]; then
+       mode="usage"
+fi
+
+if [ "$mode" == "show" ]; then
+       if [ "$1" == "" ]; then
+               usage
+               exit -1;
+       fi
+       findMapFile $1
+       res=$?
+       if [ "$res" != "0" ]; then
+               showLabels $mapfile
+       else
+               echo "Could not find map file for policy '$1'."
+       fi
+elif [ "$mode" == "usage" ]; then
+       usage
+else
+       if [ "$3" == "" ]; then
+               usage
+               exit -1;
+       fi
+       findMapFile $3
+       res=$?
+       if [ "$res" != "0" ]; then
+               relabel $1 $2 $mapfile $mode
+       else
+               echo "Could not find map file for policy '$3'."
+       fi
+
+fi
diff -r 1895942150a5 -r 513acbeac420 tools/security/updategrub.sh
--- /dev/null   Fri Aug 19 08:55:03 2005
+++ b/tools/security/updategrub.sh      Fri Aug 19 09:03:17 2005
@@ -0,0 +1,171 @@
+#!/bin/sh
+# *
+# * updategrub
+# *
+# * Copyright (C) 2005 IBM Corporation
+# *
+# * Authors:
+# * Stefan Berger <stefanb@xxxxxxxxxx>
+# *
+# * This program is free software; you can redistribute it and/or
+# * modify it under the terms of the GNU General Public License as
+# * published by the Free Software Foundation, version 2 of the
+# * License.
+# *
+# *
+#
+
+if [ -z "$runbash" ]; then
+       runbash="1"
+       export runbash
+       exec sh -c "bash $0 $*"
+       exit
+fi
+
+
+# Show usage of this program
+usage ()
+{
+       echo "Usage: $0 <policy name> <root of xen repository>"
+       echo ""
+       echo "<policy name>             : The name of the policy, i.e. xen_null"
+       echo "<root of xen repository>  : The root of the XEN repositrory."
+       echo ""
+}
+
+# This function sets the global variable 'linux'
+# to the name of the linux kernel that was compiled
+# For now a pattern should do the trick
+getLinuxVersion ()
+{
+       path=$1
+       linux=""
+       for f in $path/linux-*-xen0 ; do
+               versionfile=$f/include/linux/version.h
+               if [ -r $versionfile ]; then
+                       lnx=`cat $versionfile | \
+                            grep UTS_RELEASE | \
+                            awk '{             \
+                              len=length($3);  \
+                              print substr($3,2,len-2) }'`
+               fi
+               if [ "$lnx" != "" ]; then
+                       linux="[./0-9a-zA-z]*$lnx"
+                       return;
+               fi
+       done
+
+       #Last resort.
+       linux="vmlinuz-2.[45678].[0-9]*[.0-9]*-xen0$"
+}
+
+#Return where the grub.conf file is.
+#I only know of one place it can be.
+findGrubConf()
+{
+       grubconf="/boot/grub/grub.conf"
+       if [ -w $grubconf ]; then
+               return 1
+       fi
+       return 0
+}
+
+
+#Update the grub configuration file.
+#Search for existing entries and replace the current
+#policy entry with the policy passed to this script
+#
+#Arguments passed to this function
+# 1st : the grub configuration file
+# 2nd : the binary policy file name
+# 3rd : the name or pattern of the linux kernel name to match
+#
+# The algorithm here is based on pattern matching
+# and is working correctly if
+# - under a title a line beginning with 'kernel' is found
+#   whose following item ends with "xen.gz"
+#   Example:  kernel /xen.gz dom0_mem=....
+# - a module line matching the 3rd parameter is found
+#
+updateGrub ()
+{
+       grubconf=$1
+       policyfile=$2
+       linux=$3
+
+       tmpfile="/tmp/new_grub.conf"
+
+       cat $grubconf |                                \
+                awk -vpolicy=$policyfile              \
+                    -vlinux=$linux '{                 \
+                  if ( $1 == "title" ) {              \
+                    kernelfound = 0;                  \
+                    if ( policymaycome == 1 ){        \
+                      printf ("\tmodule %s%s\n", path, policy);      \
+                    }                                 \
+                    policymaycome = 0;                \
+                  }                                   \
+                  else if ( $1 == "kernel" ) {        \
+                    if ( match($2,"xen.gz$") ) {      \
+                      path=substr($2,1,RSTART-1);     \
+                      kernelfound = 1;                \
+                    }                                 \
+                  }                                   \
+                  else if ( $1 == "module" &&         \
+                            kernelfound == 1 &&       \
+                            match($2,linux) ) {       \
+                     policymaycome = 1;               \
+                  }                                   \
+                  else if ( $1 == "module" &&         \
+                            kernelfound == 1 &&       \
+                            policymaycome == 1 &&     \
+                            match($2,"[0-9a-zA-Z]*.bin$") ) { \
+                     printf ("\tmodule %s%s\n", path, policy); \
+                     policymaycome = 0;               \
+                     kernelfound = 0;                 \
+                     dontprint = 1;                   \
+                  }                                   \
+                  else if ( $1 == "" &&               \
+                            kernelfound == 1 &&       \
+                            policymaycome == 1) {     \
+                     dontprint = 1;                   \
+                  }                                   \
+                  if (dontprint == 0) {               \
+                    printf ("%s\n", $0);              \
+                  }                                   \
+                  dontprint = 0;                      \
+                } END {                               \
+                  if ( policymaycome == 1 ) {         \
+                    printf ("\tmodule %s%s\n", path, policy);  \
+                  }                                   \
+                }' > $tmpfile
+       if [ ! -r $tmpfile ]; then
+               echo "Could not create temporary file! Aborting."
+               exit -1
+       fi
+       mv -f $tmpfile $grubconf
+}
+
+if [ "$1" == "" -o "$2" == "" ]; then
+       usage
+       exit -1
+fi
+
+if [ "$1" == "-?" ]; then
+       usage
+       exit 0
+fi
+
+policy=$1
+policyfile=$policy.bin
+
+getLinuxVersion $2
+
+findGrubConf
+ERR=$?
+if [ $ERR -eq 0 ]; then
+       echo "Could not find grub.conf. Aborting."
+       exit -1
+fi
+
+updateGrub $grubconf $policyfile $linux
diff -r 1895942150a5 -r 513acbeac420 docs/misc/shype4xen_readme.txt
--- a/docs/misc/shype4xen_readme.txt    Fri Aug 19 08:55:03 2005
+++ /dev/null   Fri Aug 19 09:03:17 2005
@@ -1,588 +0,0 @@
-Copyright: IBM Corporation (C)
-20 June 2005
-Author: Reiner Sailer
-
-This document is a very short introduction into the sHype access control 
-security architecture implementation and how it is perceived by users. It 
-is a very preliminary draft  for the courageous ones to get "their feet wet" 
-and to be able to give feedback (via the xen-devel/xense-devel mailing lists).
-
-Install:
-
-cd into xeno-unstable.bk 
-(use --dry-run option if you want to test the patch only)
-patch -p1 -g0 < *tools.diff
-patch -p1 -g0 < *xen.diff
-
-(no rejects, probably some line offsets)
-
-make uninstall; make mrproper; make; ./install.sh should install the default 
-sHype into Xen (rebuild your initrd images if necessary). Reboot.
-
-Debug output: there are two triggers for debug output:
-a) General sHype debug:
-    xeno-unstable.bk/xen/include/public/acm.h
-    undefine ACM_DEBUG to switch this debug off
-
-b) sHype enforcement hook trace: This prints a small trace for each 
enforcement 
-hook that is executed. The trigger is in
-    xeno-unstable.bk/xen/include/acm/acm_hooks.h
-    undefine ACM_TRACE_MODE to switch this debug off
-
-1. The default NULL policy
-***************************
-When you apply the patches and startup xen, you should at first not notice any 
-difference because the default policy is the "NULL" policy, which as the name 
-implies does not enforce anything.
-
-To display the currently enforced policy, use the policy tool under xeno-
-unstable.bk/tools/policy: policy_tool getpolicy. You should see output like 
the 
-one below.
-
-[root@laptop policy]#./policy_tool getpolicy
-
-Policy dump:
-============
-Magic     = 1debc.
-PolVer    = aaaa0000.
-Len       = 14.
-Primary   = NULL policy (c=0, off=14).
-Secondary = NULL policy (c=0, off=14).
-No primary policy (NULL).
-No secondary policy (NULL).
-
-Policy dump End.
-
-Since this is a dump of a binary policy, it's not pretty. The important parts 
-are the "Primary" and "Secondary" policy fields set to "NULL policy". sHype 
-currently allows to set two independent policies; thus the two SSID-REF parts 
-shown in 'xm list'. Right here: primary policy only means this policy is 
-checked first, the secondary policy is checked if the primary results in 
-"permitted access". The result of the combined policy is "permitted" if both 
-policies return permitted (NULL policy always returns permitted). The result 
is 
-"denied" if at least one of the policies returns "denied". Look into xeno-
-unstable.bk/xen/include/acm/acm_hooks.h for the general hook structure 
-integrating the policy decisions (if you like, you won't need it for the rest 
-of the Readme file).
-
-2. Setting Chinese Wall and Simple Type Enforcement policies:
-*************************************************************
-
-We'll get fast to the point. However, in order to understand what we are 
doing, 
-we must at least understand the purpose of the policies that we are going to 
-enforce. The two policies presented here are just examples and the 
-implementation encourages adding new policies easily.
-
-2.1. Chinese Wall policy: "decides whether a domain can be started based on 
-this domain's ssidref and the ssidrefs of the currently running domains". 
-Generally, the Chinese wall policy allows specifying certain types (or classes 
-or categories, whatever the preferred word) that conflict; we usually assign a 
-type to a workload and the set of types of those workloads running in a domain 
-make up the type set for this domain.  Each domain is assigned a set of types 
-through its SSID-REF (we register Chinese Wall as primary policy, so the 
-ssidref used for determining the Chinese Wall types is the one annotated with 
-"p:" in xm list) since each SSID-REF points at a set of types. We'll see how 
-SSIDREFs are represented in Xen later when we will look at the policy. (A good 
-read for Chinese Wall is: Brewer/Nash The Chinese Wall Security Policy 1989.)
-
-So let's assume the Chinese Wall policy we are running distinguishes 10 types: 
-t0 ... t9. Let us assume further that each SSID-REF points to a set that 
-includes exactly one type (attached to domains that run workloads of a single 
-type). SSID-REF 0 points to {t0}, ssidref 1 points to {t1} ... 9 points to 
-{t9}. [This is actually the example policy we are going to push into xen later]
-
-Now the Chinese Wall policy allows you to define "Conflict type sets" and it 
-guarantees that of any conflict set at most one type is "running" at any time. 
-As an example, we have defined 2 conflict set: {t2, t3} and {t0, t5, t6}. 
-Specifying these conflict sets, sHype ensures that at most one type of each 
set 
-is running (either t2 or t3 but not both; either t0 or t5 or t6 but not 
-multiple of them).
-
-The effect is that administrators can define which workload types cannot run 
-simultaneously on a single Xen system. This is useful to limit the covert 
-timing channels between such payloads or to ensure that payloads don't 
-interfere with each other through existing resource dependencies.
-
-2.2. Simple Type Enforcement (ste) policy: "decides whether two domains can 
-share data, e.g., setup event channels or grant tables to each other, based on 
-the two domains' ssidref. This, as the name says, is a simple policy. Think of 
-each type as of a single color. Each domain has one or more colors, i.e., the 
-domains ssid for the ste policy points to a set that has set one or multiple 
-types. Let us assume in our example policy we differentiate 5 colors (types) 
-and define 5 different ssids referenced by ssidref=0..4. Each ssid shall have 
-exactly one type set, i.e., describes a uni-color. Only ssid(0) has all types 
-set, i.e., has all defined colors.
-
-Sharing is enforced by the ste policy by requiring that two domains that want 
-to establish an event channel or grant pages to each other must have a common 
-color. Currently all domains communicate through DOM0 by default; i.e., 
Domain0 
-will necessarily have all colors to be able to create domains (thus, we will 
-assign ssidref(0) to Domain0 in our example below.
-
-More complex mandatory access control policies governing sharing will follow; 
-such policies are more sophisticated than the "color" scheme above by allowing 
-more flexible (and complex :_) access control decisions than "share a color" 
or 
-"don't share a color" and will be able to express finer-grained policies.
-
-
-2.3 Binary Policy:
-In the future, we will have a policy tool that takes as input a more humane 
-policy description, using types such as development, home-banking, donated-
-Grid, CorpA-Payload ... and translates the respective policy into what we see 
-today as the binary policy using 1s and 0s and sets of them. For now, we must 
-live with the binary policy when working with sHype.
-
-    
-2.4 Exemplary use of a real sHype policy on Xen. To activate a real policy, 
-edit the file (yes, this will soon be a compile option):
-  xeno-unstable.bk/xen/include/public/acm.h
-  Change: #define ACM_USE_SECURITY_POLICY ACM_NULL_POLICY
-   To : #define ACM_USE_SECURITY_POLICY 
ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY
-   cd xeno-unstable.bk
-   make mrproper
-   make uninstall (manually remove /etc/xen.old if necessary)
-   make
-   ./install.sh      (recreate your kernel initrd's if necessary)
-   Reboot into new xen.gz
-     
-After booting, check out 'xm dmesg'; should show somewhere in the middle:
-
-(XEN) acm_init: Enforcing Primary CHINESE WALL policy, Secondary SIMPLE TYPE 
-ENFORCEMENT policy.
-
-Even though you can activate those policies in any combination and also 
-independently, the policy tool currently only supports setting the policy for 
-the above combination.
-
-Now look at the minimal startup policy with:
-                xeno-unstable.bk/tools/policytool getpolicy
-
-You should see something like:
-
-[root@laptop policy]# ./policy_tool getpolicy
-
-Policy dump:
-============
-Magic     = 1debc.
-PolVer    = aaaa0000.
-Len       = 36.
-Primary   = CHINESE WALL policy (c=1, off=14).
-Secondary = SIMPLE TYPE ENFORCEMENT policy (c=2, off=2c).
-
-
-Chinese Wall policy:
-====================
-Max Types     = 1.
-Max Ssidrefs  = 1.
-Max ConfSets  = 1.
-Ssidrefs Off  = 10.
-Conflicts Off = 12.
-Runing T. Off = 14.
-C. Agg. Off   = 16.
-
-SSID To CHWALL-Type matrix:
-
-   ssidref 0:  00 
-
-Confict Sets:
-
-   c-set 0:    00 
-
-Running
-Types:         00 
-
-Conflict
-Aggregate Set: 00 
-
-
-Simple Type Enforcement policy:
-===============================
-Max Types     = 1.
-Max Ssidrefs  = 1.
-Ssidrefs Off  = 8.
-
-SSID To STE-Type matrix:
-
-   ssidref 0: 01 
-
-
-Policy dump End.
-
-This is a minimal policy (of little use), except it will disable starting any 
-domain that does not have ssidref set to 0x0. The Chinese Wall policy has 
-nothing to enforce and the ste policy only knows one type, which is set for 
the 
-only defined ssidref.
-
-The item that defines the ssidref in a domain configuration is:
-
-ssidref = 0x12345678
-
-Where ssidref is interpreted as a 32bit number, where the lower 16bits become 
-the ssidref for the primary policy and the higher 16bits become the ssidref 
for 
-the secondary policy. sHype currently supports two policies but this is an 
-implementation decision and can be extended if necessary.
-
-This reference defines the security information of a domain. The meaning of 
the 
-SSID-REF depends on the policy, so we explain it when we explain the real 
-policies.
-
-
-Setting a new Security Policy:
-******************************
-The policy tool with all its current limitations has one usable example policy 
-compiled-in. Please try at this time to use the setpolicy command:
-       xeno-unstable.bk/tools/policy/policy_tool setpolicy
-
-You should see a dump of the policy you are setting. It should say at the very 
-end: 
-
-Policy successfully set.
-
-Now try to dump the currently enforced policy, which is the policy we have 
just 
-set and the dynamic security state information of this policy 
-(<<< ... some additional explanations)
-
-[root@laptop policy]# ./policy_tool getpolicy
-
-Policy dump:
-============
-Magic     = 1debc.
-PolVer    = aaaa0000.
-Len       = 112.
-Primary   = CHINESE WALL policy (c=1, off=14).
-Secondary = SIMPLE TYPE ENFORCEMENT policy (c=2, off=d8).
-
-
-Chinese Wall policy:
-====================
-Max Types     = a.
-Max Ssidrefs  = 5.
-Max ConfSets  = 2.
-Ssidrefs Off  = 10.
-Conflicts Off = 74.
-Runing T. Off = 9c.
-C. Agg. Off   = b0.
-
-SSID To CHWALL-Type matrix:
-
-   ssidref 0:  01 00 00 00 00 00 00 00 00 00  <<< type0 is set for ssidref0
-   ssidref 1:  00 01 00 00 00 00 00 00 00 00 
-   ssidref 2:  00 00 01 00 00 00 00 00 00 00 
-   ssidref 3:  00 00 00 01 00 00 00 00 00 00 
-   ssidref 4:  00 00 00 00 01 00 00 00 00 00  <<< type4 is set for ssidref4
-                                              <<< types 5-9 are unused
-Confict Sets:
-
-   c-set 0:    00 00 01 01 00 00 00 00 00 00  <<< type2 and type3 never run 
together
-   c-set 1:    01 00 00 00 00 01 01 00 00 00  <<< only one of types 0, 5 or 6 
-                                              <<<   can run simultaneously
-Running
-Types:         01 00 00 00 00 00 00 00 00 00  <<< ref-count for types of 
running domains
-
-Conflict
-Aggregate Set: 00 00 00 00 00 01 01 00 00 00  <<< aggregated set of types that 
                 
-                                              <<< cannot run because they 
-                                              <<< are in conflict set 1 and
-                                              <<< (domain 0 is running w t0)
-                                             
-
-Simple Type Enforcement policy:
-===============================
-Max Types     = 5.
-Max Ssidrefs  = 5.
-Ssidrefs Off  = 8.
-
-SSID To STE-Type matrix:
-
-   ssidref 0: 01 01 01 01 01                  <<< ssidref0 points to a set 
that                  
-                                              <<< has all types set (colors)
-   ssidref 1: 00 01 00 00 00                  <<< ssidref1 has color1 set
-   ssidref 2: 00 00 01 00 00                  <<< ...
-   ssidref 3: 00 00 00 01 00 
-   ssidref 4: 00 00 00 00 01 
-
-
-Policy dump End.
-
-
-This is a small example policy with which we will demonstrate the enforcement.
-
-Starting Domains with policy enforcement
-========================================
-Now let us play with this policy. 
-
-Define 3 or 4 domain configurations. I use the following config using a 
ramdisk 
-only and about 8MBytes of memory for each DomU (test purposes):
-
-#-------configuration xmsec1-------------------------
-kernel = "/boot/vmlinuz-2.6.11-xenU"
-ramdisk="/boot/U1_ramdisk.img"
-#security reference identifier
-ssidref= 0x00010001
-memory = 10
-name = "xmsec1"
-cpu = -1   # leave to Xen to pick
-# Number of network interfaces. Default is 1.
-nics=1
-dhcp="dhcp"
-#-----------------------------------------------------
-
-xmsec2 and xmsec3 look the same except for the name and the ssidref line. Use 
-your domain config file and add "ssidref = 0x00010001" to the first (xmsec1),  
-"ssidref= 0x00020002" to the second (call it xmsec2), and "ssidref=0x00030003" 
 
-to the third (we will call this one xmsec3).
-
-First start xmsec1: xm create -c xmsec1 (succeeds)
-
-Then
-[root@laptop policy]# xm list 
-Name              Id  Mem(MB)  CPU  State  Time(s)  Console  
-Domain-0           0      620   0  r----     42.3            s:00/p:00
-xmnosec            1        9   0  -b---      0.3    9601    s:00/p:05
-xmsec1             2        9   0  -b---      0.2    9602    s:01/p:01
-
-Shows a new domain xmsec1 running with primary (here: chinese wall) ssidref 1 
-and secondary (here: simple type enforcement) ssidref 1. The ssidrefs are  
-independent and can differ for a domain.
-
-[root@laptop policy]# ./policy_tool getpolicy
-
-Policy dump:
-============
-Magic     = 1debc.
-PolVer    = aaaa0000.
-Len       = 112.
-Primary   = CHINESE WALL policy (c=1, off=14).
-Secondary = SIMPLE TYPE ENFORCEMENT policy (c=2, off=d8).
-
-
-Chinese Wall policy:
-====================
-Max Types     = a.
-Max Ssidrefs  = 5.
-Max ConfSets  = 2.
-Ssidrefs Off  = 10.
-Conflicts Off = 74.
-Runing T. Off = 9c.
-C. Agg. Off   = b0.
-
-SSID To CHWALL-Type matrix:
-
-   ssidref 0:  01 00 00 00 00 00 00 00 00 00
-   ssidref 1:  00 01 00 00 00 00 00 00 00 00
-   ssidref 2:  00 00 01 00 00 00 00 00 00 00
-   ssidref 3:  00 00 00 01 00 00 00 00 00 00
-   ssidref 4:  00 00 00 00 01 00 00 00 00 00
-
-Confict Sets:
-
-   c-set 0:    00 00 01 01 00 00 00 00 00 00
-   c-set 1:    01 00 00 00 00 01 01 00 00 00   <<< t1 is not part of any c-set
-
-Running
-Types:         01 01 00 00 00 00 00 00 00 00   <<< xmsec1 has ssidref 1->type1
-                  ^^                           <<< ref-count at position 1 incr
-Conflict
-Aggregate Set: 00 00 00 00 00 01 01 00 00 00   <<< domain 1 was allowed to     
  
-                                               <<< start since type 1 was not
-                                               <<< in conflict with running 
-                                               <<< types
-                                            
-Simple Type Enforcement policy:
-===============================
-Max Types     = 5.
-Max Ssidrefs  = 5.
-Ssidrefs Off  = 8.
-
-SSID To STE-Type matrix:
-
-   ssidref 0: 01 01 01 01 01           <<< the ste policy does not maintain; we
-   ssidref 1: 00 01 00 00 00   <--     <<< see that domain xmsec1 has ste 
-   ssidref 2: 00 00 01 00 00           <<< ssidref1->type1 and has this type in
-   ssidref 3: 00 00 00 01 00           <<< common with dom0
-   ssidref 4: 00 00 00 00 01
-
-
-Policy dump End.
-
-Look at sHype output in xen dmesg:
-
-[root@laptop xen]# xm dmesg
-.
-.
-[somewhere near the very end]
-(XEN) chwall_init_domain_ssid: determined chwall_ssidref to 1.
-(XEN) ste_init_domain_ssid.
-(XEN) ste_init_domain_ssid: determined ste_ssidref to 1.
-(XEN) acm_init_domain_ssid: Instantiated individual ssid for domain 0x01.
-(XEN) chwall_post_domain_create.
-(XEN) ste_pre_eventchannel_interdomain.
-(XEN) ste_pre_eventchannel_interdomain: (evtchn 0 --> 1) common type #01.
-(XEN) shype_authorize_domops.
-(XEN) ste_pre_eventchannel_interdomain.
-(XEN) ste_pre_eventchannel_interdomain: (evtchn 0 --> 1) common type #01.
-(XEN) ste_pre_eventchannel_interdomain.
-(XEN) ste_pre_eventchannel_interdomain: (evtchn 0 --> 1) common type #01.
-
-
-You can see that the chinese wall policy does not complain and that the ste 
-policy makes three access control decisions for three event-channels setup 
-between domain 0 and the new domain 1. Each time, the two domains share the 
-type1 and setting up the eventchannel is permitted.
-
-
-Starting up a second domain xmsec2:
-
-[root@laptop xen]# xm create -c xmsec2
-Using config file "xmsec2".
-Started domain xmsec2, console on port 9602
-************ REMOTE CONSOLE: CTRL-] TO QUIT ********
-Linux version 2.6.11-xenU (root@xxxxxxxxxxxxxxx) (gcc version 3.4.2 20041017 
-(Red Hat 3.4.2-6.fc3)) #1 Wed Mar 30 13:14:31 EST 2005
-.
-.
-.
-[root@laptop policy]# xm list
-Name              Id  Mem(MB)  CPU  State  Time(s)  Console  
-Domain-0           0      620   0  r----     71.7            s:00/p:00
-xmsec1             1        9   0  -b---      0.3    9601    s:01/p:01
-xmsec2             2        7   0  -b---      0.3    9602    s:02/p:02   << 
our domain runs both policies with ssidref 2
-
-
-[root@laptop policy]# ./policy_tool getpolicy
-
-Policy dump:
-============
-Magic     = 1debc.
-PolVer    = aaaa0000.
-Len       = 112.
-Primary   = CHINESE WALL policy (c=1, off=14).
-Secondary = SIMPLE TYPE ENFORCEMENT policy (c=2, off=d8).
-
-
-Chinese Wall policy:
-====================
-Max Types     = a.
-Max Ssidrefs  = 5.
-Max ConfSets  = 2.
-Ssidrefs Off  = 10.
-Conflicts Off = 74.
-Runing T. Off = 9c.
-C. Agg. Off   = b0.
-
-SSID To CHWALL-Type matrix:
-
-   ssidref 0:  01 00 00 00 00 00 00 00 00 00
-   ssidref 1:  00 01 00 00 00 00 00 00 00 00
-   ssidref 2:  00 00 01 00 00 00 00 00 00 00   <<< our domain has type 2 set
-   ssidref 3:  00 00 00 01 00 00 00 00 00 00
-   ssidref 4:  00 00 00 00 01 00 00 00 00 00
-
-Confict Sets:
-
-   c-set 0:    00 00 01 01 00 00 00 00 00 00   <<< t2 is in c-set0 with type 3
-   c-set 1:    01 00 00 00 00 01 01 00 00 00
-
-Running
-Types:         01 01 01 00 00 00 00 00 00 00   <<< t2 is running since the 
-                     ^^                        <<< current aggregate conflict
-                                               <<< set (see above) does not 
-                                               <<< include type 2
-Conflict
-Aggregate Set: 00 00 00 01 00 01 01 00 00 00   <<< type 3 is added to the 
-                                               <<< conflict aggregate
-
-
-Simple Type Enforcement policy:
-===============================
-Max Types     = 5.
-Max Ssidrefs  = 5.
-Ssidrefs Off  = 8.
-
-SSID To STE-Type matrix:
-
-   ssidref 0: 01 01 01 01 01
-   ssidref 1: 00 01 00 00 00
-   ssidref 2: 00 00 01 00 00
-   ssidref 3: 00 00 00 01 00
-   ssidref 4: 00 00 00 00 01
-
-
-Policy dump End.
-
-
-The sHype xen dmesg output looks similar to the one above when starting the 
-first domain.
-
-Now we start xmsec3 and it has ssidref3. Thus, it tries to run as type3 which 
-conflicts with running type2 (from xmsec2). As expected, creating this domain 
-fails for security policy enforcement reasons.
-
-[root@laptop xen]# xm create -c xmsec3
-Using config file "xmsec3".
-Error: Error creating domain: (22, 'Invalid argument')
-[root@laptop xen]#
-
-[root@laptop xen]# xm dmesg
-.
-.
-[somewhere near the very end]
-(XEN) chwall_pre_domain_create.
-(XEN) chwall_pre_domain_create: CHINESE WALL CONFLICT in type 03.
-
-xmsec3 ssidref3 points to type3, which is in the current conflict aggregate 
-set. This domain cannot start until domain xmsec2 is destroyed, at which time 
-the aggregate conflict set is reduced and type3 is excluded from it. Then, 
-xmsec3 can start. Of course, afterwards, xmsec2 cannot be restarted. Try it.
-
-3. Policy tool
-**************
-toos/policy/policy_tool.c
-
-a) ./policy_tool getpolicy
-      prints the currently enforced policy
-      (see for example section 1.)
-
-b) ./policy_tool setpolicy
-      sets a predefined and hardcoded security
-      policy (the one described in section 2.)
-
-c) ./policy_tool dumpstats
-      prints some status information about the caching
-      of access control decisions (number of cache hits
-      and number of policy evaluations for grant_table
-      and event channels).
-
-d) ./policy_tool loadpolicy <binary_policy_file>
-      sets the policy defined in the <binary_policy_file>
-      please use the policy_processor that is posted to this
-      mailing list to create such a binary policy from an XML
-      policy description
-
-4. Policy interface:
-********************
-The Policy interface is working in "network-byte-order" (big endian). The 
reason for this
-is that policy files/management should be portable and independent of the 
platforms.
-
-Our policy interface enables managers to create a single binary policy file in 
a trusted
-environment and distributed it to multiple systems for enforcement.
-
-5. Booting with a binary policy:
-********************************
-The grub configuration file can be adapted to boot the hypervisor with an
-already active policy. To do this, a binary policy file - this can be
-the same file as used by the policy_tool - should be placed into the boot
-partition. The following entry from the grub configuration file shows how
-a binary policy can be added to the system during boot time. Note that the 
-binary policy must be of the same type that the hypervisor was compiled 
-for. The policy module line should also only be added as the last module
-line if XEN was compiled with the access control module (ACM).
-
-title XEN0 3.0 Devel
-       kernel /xen.gz dom0_mem=400000
-       module /vmlinuz-2.6.12-xen0 root=/dev/hda2 ro console=tty0
-       module /initrd-2.6.12-xen0.img
-       module /xen_sample_policy.bin
-
-
-====================end-of file=======================================
diff -r 1895942150a5 -r 513acbeac420 tools/misc/policyprocessor/Makefile
--- a/tools/misc/policyprocessor/Makefile       Fri Aug 19 08:55:03 2005
+++ /dev/null   Fri Aug 19 09:03:17 2005
@@ -1,42 +0,0 @@
-XEN_ROOT = ../../..
-include $(XEN_ROOT)/tools/Rules.mk
-
-CFLAGS   += -static
-CFLAGS   += -Wall
-CFLAGS   += -Werror
-CFLAGS   += -O3
-CFLAGS   += -fno-strict-aliasing
-CFLAGS   += -I.
-
-all: build
-
-build: mk-symlinks
-       $(MAKE) xml_to_bin
-
-default: all
-
-install: all
-
-xml_to_bin : make_include XmlToBin.java XmlToBinInterface.java SsidsEntry.java 
SecurityLabel.java myHandler.java
-       javac XmlToBin.java
-
-make_include : c2j_include
-       ./c2j_include
-
-c2j_include: c2j_include.c
-       $(CC) $(CPPFLAGS) $(CFLAGS) -o $@ $<
-
-clean:
-       rm -rf *.class xen c2j_include policy_version.java *.bin
-
-
-LINUX_ROOT := $(XEN_ROOT)/linux-2.6-xen-sparse
-mk-symlinks:
-       [ -e xen/linux ] || mkdir -p xen/linux
-       [ -e xen/io ]    || mkdir -p xen/io
-       ( cd xen >/dev/null ; \
-         ln -sf ../$(XEN_ROOT)/xen/include/public/*.h . )
-       ( cd xen/io >/dev/null ; \
-         ln -sf ../../$(XEN_ROOT)/xen/include/public/io/*.h . )
-       ( cd xen/linux >/dev/null ; \
-         ln -sf ../../$(LINUX_ROOT)/include/asm-xen/linux-public/*.h . )
diff -r 1895942150a5 -r 513acbeac420 
tools/misc/policyprocessor/SecurityLabel.java
--- a/tools/misc/policyprocessor/SecurityLabel.java     Fri Aug 19 08:55:03 2005
+++ /dev/null   Fri Aug 19 09:03:17 2005
@@ -1,34 +0,0 @@
-/**
- * (C) Copyright IBM Corp. 2005
- *
- * $Id: SecurityLabel.java,v 1.2 2005/06/17 20:00:04 rvaldez Exp $
- *
- * Author: Ray Valdez
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License as
- * published by the Free Software Foundation, version 2 of the
- * License.
- *
- * SecurityLabel Class.  
- *
- * <p>
- *
- * Keeps track of types.
- *
- * <p>
- *
- *
- */
-import java.util.*;
-public class SecurityLabel
-{
- Vector ids;
- Vector vlans;
- Vector slots;
- Vector steTypes;
- int steSsidPosition;
- Vector chwIDs;
- Vector chwTypes;
- int chwSsidPosition;
-}
diff -r 1895942150a5 -r 513acbeac420 
tools/misc/policyprocessor/SecurityPolicySpec.xsd
--- a/tools/misc/policyprocessor/SecurityPolicySpec.xsd Fri Aug 19 08:55:03 2005
+++ /dev/null   Fri Aug 19 09:03:17 2005
@@ -1,115 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Author: Ray Valdez, rvaldez@xxxxxxxxxx -->
-<!-- xml schema definition for xen xml policies -->
-<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema";
-targetNamespace="http://www.ibm.com";
-xmlns="http://www.ibm.com"; 
-elementFormDefault="qualified">
-
-<xsd:element name="TE" type="xsd:string" />
-<xsd:element name="ChWall" type="xsd:string" />
-
-<xsd:element name="Definition">
-  <xsd:complexType>
-       <xsd:sequence>
-
-         <!-- simple type enforcement -->
-         <xsd:element name="Types" minOccurs ="0" maxOccurs="1">
-               <xsd:complexType>
-                 <xsd:sequence>
-                       <xsd:element ref="TE" minOccurs ="1" maxOccurs 
="unbounded"/>
-                 </xsd:sequence>
-               </xsd:complexType>
-         </xsd:element>
-
-         <!-- chinese wall -->
-         <!--   type definition -->
-         <xsd:element name="ChWallTypes" minOccurs ="0" maxOccurs="1">
-               <xsd:complexType>
-                 <xsd:sequence>
-                       <xsd:element ref="ChWall"  minOccurs ="1" maxOccurs 
="unbounded"/>
-
-               </xsd:sequence>
-          </xsd:complexType>
-       </xsd:element>
-
-       <!--   conflict set -->
-         <xsd:element name="ConflictSet" minOccurs ="0" maxOccurs="unbounded">
-               <xsd:complexType>
-                 <xsd:sequence>
-                       <xsd:element ref="ChWall"  minOccurs ="2" maxOccurs 
="unbounded"/>
-                 </xsd:sequence>
-               </xsd:complexType>
-       </xsd:element>
-
-       </xsd:sequence>
-  </xsd:complexType>
-</xsd:element>
-
-<xsd:element name="Policy">
-    <xsd:complexType>
-      <xsd:sequence>
-
-       <xsd:element name="PolicyHeader">
-       <xsd:complexType>
-          <xsd:all>
-               <xsd:element name = "Name" type="xsd:string"/>
-               <xsd:element name = "DateTime" type="xsd:dateTime"/>
-               <xsd:element name = "Tag" minOccurs ="1" maxOccurs ="1" 
type="xsd:string"/>
-               <xsd:element name = "TypeDefinition">
-               <xsd:complexType>
-                 <xsd:all>
-                       <xsd:element name = "url" type="xsd:string"/>
-                       <xsd:element name = "hash" minOccurs ="0" maxOccurs 
="1" type="xsd:string"/>
-                 </xsd:all>
-               </xsd:complexType>
-               </xsd:element>
-
-          </xsd:all>
-       </xsd:complexType>
-       </xsd:element>
-
-       <xsd:element name="VM" minOccurs ="1" maxOccurs="unbounded">
-         <xsd:complexType>
-          <xsd:sequence>
-               <xsd:element name="id" type="xsd:integer"/>
-               <xsd:element ref="TE" minOccurs="0" maxOccurs="unbounded" />
-               <xsd:element ref="ChWall" minOccurs ="0" maxOccurs="unbounded"/>
-          </xsd:sequence>
-         </xsd:complexType>
-       </xsd:element>
-
-       <xsd:element name="Vlan" minOccurs ="0" maxOccurs="unbounded">
-         <xsd:complexType>
-          <xsd:sequence>
-               <xsd:element name="vid" type="xsd:integer"/>
-               <xsd:element ref="TE" minOccurs="1" maxOccurs="unbounded" />
-          </xsd:sequence>
-         </xsd:complexType>
-       </xsd:element>
-
-       <xsd:element name="Slot" minOccurs ="0" maxOccurs="unbounded">
-         <xsd:complexType>
-          <xsd:sequence>
-               <xsd:element name="bus" type="xsd:integer"/>
-               <xsd:element name="slot" type="xsd:integer"/>
-               <xsd:element ref="TE" minOccurs="1" maxOccurs="unbounded" />
-          </xsd:sequence>
-         </xsd:complexType>
-       </xsd:element>
-
-
-      </xsd:sequence>
-    </xsd:complexType>
-</xsd:element>
-
-<!-- root element -->
-<xsd:element name="SecurityPolicySpec">
-    <xsd:complexType>
-      <xsd:choice>
-               <xsd:element ref="Definition" minOccurs ="1" 
maxOccurs="unbounded"/>
-               <xsd:element ref="Policy" minOccurs ="1" maxOccurs="unbounded"/>
-      </xsd:choice>
-    </xsd:complexType>
-</xsd:element>
-</xsd:schema>
diff -r 1895942150a5 -r 513acbeac420 tools/misc/policyprocessor/SsidsEntry.java
--- a/tools/misc/policyprocessor/SsidsEntry.java        Fri Aug 19 08:55:03 2005
+++ /dev/null   Fri Aug 19 09:03:17 2005
@@ -1,29 +0,0 @@
-/**
- * (C) Copyright IBM Corp. 2005
- *
- * $Id: SsidsEntry.java,v 1.2 2005/06/17 20:02:40 rvaldez Exp $
- *
- * Author: Ray Valdez
- * 
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License as
- * published by the Free Software Foundation, version 2 of the
- * License.
- *
- * SsidsEntry Class.  
- * <p>
- *
- * Holds ssid information.
- *
- * <p>
- *
- *
- */
-public class SsidsEntry 
- {
-  int id;      /* used for partition and vlan */
-  int bus;     /* used for slots */
-  int slot;
-  int ste = 0xffffffff;
-  int chw = 0xffffffff;
- }
diff -r 1895942150a5 -r 513acbeac420 tools/misc/policyprocessor/XmlToBin.java
--- a/tools/misc/policyprocessor/XmlToBin.java  Fri Aug 19 08:55:03 2005
+++ /dev/null   Fri Aug 19 09:03:17 2005
@@ -1,1570 +0,0 @@
-/**
- * (C) Copyright IBM Corp. 2005
- *
- * $Id: XmlToBin.java,v 1.3 2005/06/20 21:07:37 rvaldez Exp $
- *
- * Author: Ray Valdez
- *
- * Contributors:
- *         Reiner Sailer - adjust type-lengths
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License as
- * published by the Free Software Foundation, version 2 of the
- * License.
- *
- * XmlToBin  Class.  
- * <p>
- *
- * Translates a xml representation of a SHYPE policy into a binary  
- * format.  The class processes an xml policy file based on elment tags 
- * defined in a schema definition files: SecurityPolicySpec.xsd.
- *
- * XmlToBin Command line Options: 
- *
- *      -i              inputFile:      name of policyfile (.xml)
- *      -o              outputFile:     name of binary policy file (Big Endian)
- *      -xssid          SsidFile:       xen ssids to types text file
- *      -xssidconf      SsidConf:      xen conflict ssids to types text file
- *      -debug                          turn on debug messages
- *      -help                           help. This printout
- *
- * <p>
- *
- *
- */
-import java.util.*;
-import java.io.*;
-import java.io.IOException;
-import java.io.FileNotFoundException;
-import org.w3c.dom.Document;
-import org.w3c.dom.Element;
-import org.w3c.dom.Node;
-import org.w3c.dom.Attr;
-import org.w3c.dom.NodeList;
-import org.w3c.dom.NamedNodeMap;
-import org.xml.sax.*;
-import javax.xml.parsers.*;
-import org.xml.sax.helpers.*;
-
-public class XmlToBin 
- implements XmlToBinInterface
-{
-  class SlotInfo {
-       String bus;
-       String slot;
-  }
-
- boolean LittleEndian = false;
- boolean debug = false;
-
- static final String JAXP_SCHEMA_LANGUAGE = 
"http://java.sun.com/xml/jaxp/properties/schemaLanguage";;
-
- static final String W3C_XML_SCHEMA = "http://www.w3.org/2001/XMLSchema";;
-
- public static void printUsage()
- {
-  System.out.println("XmlToBin Command line Options: ");
-  System.out.println("\t-i\t\tinputFile:\tname of policyfile (.xml)");
-  System.out.println("\t-o\t\toutputFile:\tname of binary policy file (Big 
Endian)");
-  System.out.println("\t-xssid\t\tSsidFile:\tXen ssids to named types text 
file");
-  System.out.println("\t-xssidconf\tSsidConfFile:\tXen conflict ssids to named 
types text file");
-  System.out.println("\t-debug\t\t\t\tturn on debug messages");
-  System.out.println("\t-help\t\t\t\thelp. This printout");
-  return;
- }
-
- public void printDebug(String message) 
- {
-  if (debug)
-    System.out.println(message);
- }
-
- public void writeBinPolicy(byte[] binPolicy, String outputFileName)
-  throws Exception
- {
-    if (debug) 
-       printHex(binPolicy,binPolicy.length);
-
-    DataOutputStream writeObj = new DataOutputStream(
-                                new FileOutputStream(outputFileName));
-
-    writeObj.write(binPolicy);
-    writeObj.flush();
-    writeObj.close();
-    System.out.println(" wBP:: wrote outputfile: " + outputFileName);
-
-    return; 
- }  
-
- public void writeXenTypeVectorFile(Vector list, String outputFileName)
-  throws Exception
- {
-  PrintWriter out;
-
-  if (0 == list.size())
-  {
-       printDebug(" wSTF : size of input is zero when writing :" + 
outputFileName); 
-       return;
-  }
- out = new PrintWriter(
-               new BufferedWriter(
-                      new FileWriter(outputFileName)));
-
-
-  for (int i = 0; i < list.size(); i++)
-  {
-       Vector  ee = (Vector) list.elementAt(i);
-       out.println(i + " " +ee.toString());
-  } 
-    out.close();
-   
-    return; 
- }
-
- public void writeXenTypeFile(Vector list, String outputFileName, boolean 
slabel)
-  throws Exception
- {
-  Vector entry; 
-  String strTypes = "";
-  SecurityLabel ee;
-  PrintWriter out;
-
-  if (0 == list.size())
-  {
-       printDebug(" wSTF : size of input is zero when writing :" + 
outputFileName); 
-       return;
-  }
-  out = new PrintWriter(
-               new BufferedWriter(
-                      new FileWriter(outputFileName)));
-
-  for (int i = 0; i < list.size(); i++)
-  {
-       ee = (SecurityLabel) list.elementAt(i);
-
-       if (slabel)
-       {
-               entry = ee.steTypes; 
-       } else {
-
-               entry = ee.chwTypes; 
-       }
-       if (null == entry) continue;
-
-       Enumeration e = entry.elements(); 
-       while (e.hasMoreElements())
-       {
-         String typeName = (String) e.nextElement(); 
-         strTypes = strTypes + " " + typeName;
-        }
-         printDebug(" WXTF:: ssid : "+i +" :"+strTypes); 
-         out.println(i +" "+strTypes);
-         strTypes = "";
-  } 
-  out.close();
-   
-  return; 
- }
-
- public void setDebug(boolean value)
- {
-  debug=value;
- }
-
- public void setEndian(boolean value)
- {
-  LittleEndian = value;
- }
-
- public byte[] generateVlanSsids(Vector bagOfSsids)
-  throws Exception
- {
-  /**
-        typedef struct {
-        u16 vlan;
-        u16 ssid_ste;
-        } acm_vlan_entry_t;
-  **/
-
-  Hashtable  vlanSsid = new Hashtable();
-  printDebug(" gVS::Size of bagOfSsids: "+ bagOfSsids.size());
-
-  /* Get the number of partitions */
-  for (int i = 0; i < bagOfSsids.size(); i++)
-  {
-       SecurityLabel entry = (SecurityLabel) bagOfSsids.elementAt(i);
-
-       if (null == entry.vlans)
-         continue;
-
-       Enumeration e = entry.vlans.elements(); 
-       while (e.hasMoreElements())
-       {
-         String id = (String) e.nextElement(); 
-         printDebug(" gVS:: vlan: " + id + "has ste ssid: " + 
entry.steSsidPosition);
-         if (-1 == entry.steSsidPosition)
-               continue;  
-
-         /* Only use ste for vlan */
-         SsidsEntry  ssidsObj = new SsidsEntry();
-
-         ssidsObj.id = Integer.parseInt(id); 
-         ssidsObj.ste = entry.steSsidPosition;
-
-         if (vlanSsid.contains(id))
-               printDebug(" gVS:: Error already in the Hash part:" + 
ssidsObj.id);
-         else 
-               vlanSsid.put(id, ssidsObj);
-               printDebug(" gVS:: added part: " + id + "has ste ssid: " + 
entry.steSsidPosition);
-       }
-  }
-
-  /* allocate array */ 
-  int numOfVlan = vlanSsid.size();
-  int totalSize = (numOfVlan * vlanEntrySz);  
-
-  if (0 == numOfVlan) 
-  {
-       printDebug(" gVS:: vlan: binary ==> zero");
-        return new byte[0];
-  }
-
-  byte[] vlanArray = new byte[totalSize];
-
-  int index = 0;
-
-  Enumeration e = vlanSsid.elements(); 
-  while (e.hasMoreElements())
-  {
-       SsidsEntry entry = (SsidsEntry) e.nextElement(); 
-       printDebug(" gVS:: part: " + entry.id + " ste ssid: " + entry.ste);
-
-       /* Write id */
-       writeShortToStream(vlanArray,(short)entry.id,index);
-       index = index + u16Size;
-
-       /* write ste ssid */
-       writeShortToStream(vlanArray,(short) entry.ste,index);
-       index = index + u16Size;
-  }
-
-  printDebug(" gVS:: vlan: num of vlans  " + numOfVlan);
-  printDebug(" gVS:: vlan: binary ==> Length "+ vlanArray.length);
-
-  if (debug) 
-       printHex(vlanArray,vlanArray.length);
-  printDebug("\n");
-
-  return vlanArray; 
- }  
-
- public byte[] generateSlotSsids(Vector bagOfSsids)
-  throws Exception
- {
-  /**
-        typedef struct {
-        u16 slot_max;
-        u16 slot_offset;
-        } acm_slot_buffer_t;
-
-        typedef struct {
-        u16 bus;
-        u16 slot;
-        u16 ssid_ste;
-        } acm_slot_entry_t;
-  **/
-  Hashtable  slotSsid = new Hashtable();
-  printDebug(" gSS::Size of bagOfSsids: "+ bagOfSsids.size());
-
-  /* Find the number of VMs */ 
-  for (int i = 0; i < bagOfSsids.size(); i++)
-  {
-       SecurityLabel entry = (SecurityLabel) bagOfSsids.elementAt(i);
-
-       if (null == entry.slots)
-         continue;
-
-       Enumeration e = entry.slots.elements(); 
-       while (e.hasMoreElements())
-       {
-         SlotInfo item = (SlotInfo) e.nextElement(); 
-         printDebug(" gSS:: bus slot: " + item.bus + " "+ item.slot + " " +  
entry.steSsidPosition);
-         if (-1 == entry.steSsidPosition)
-               continue;  
-
-         SsidsEntry  ssidsObj = new SsidsEntry();
-
-         String id = item.bus +" "+item.slot;
-         ssidsObj.bus = Integer.parseInt(item.bus); 
-         ssidsObj.slot = Integer.parseInt(item.slot); 
-         /* set ste ssid */
-         ssidsObj.ste = entry.steSsidPosition;
-
-         if (slotSsid.contains(id))
-               printDebug(" gSS:: Error already in the Hash part:" + id);
-         else 
-               slotSsid.put(id, ssidsObj);
-
-               printDebug(" gSS:: added slot: " + id + "has ste ssid: " + 
entry.steSsidPosition);
-       }
-  }
-
-  /* allocate array */
-  int numOfSlot = slotSsid.size();
-
-  if (0 == numOfSlot) 
-  {
-       printDebug(" gVS:: slot: binary ==> zero");
-        return new byte[0];
-  }
-
-  int totalSize = (numOfSlot * slotEntrySz);  
-
-  byte[] slotArray = new byte[totalSize];
-
-  int index = 0;
-
-  Enumeration e = slotSsid.elements(); 
-  while (e.hasMoreElements())
-  {
-       SsidsEntry entry = (SsidsEntry) e.nextElement(); 
-       System.out.println(" gSS:: bus slot: " + entry.bus + " " + entry.slot + 
" ste ssid: " + entry.ste);
-
-       /* Write bus */
-       writeShortToStream(slotArray,(short)entry.bus,index);
-       index = index + u16Size;
-
-       /* Write slot */ 
-       writeShortToStream(slotArray,(short)entry.slot,index);
-       index = index + u16Size;
-
-       /* Write ste ssid */
-       writeShortToStream(slotArray,(short) entry.ste,index);
-       index = index + u16Size;
-
-  }
-   
-  printDebug(" gSS:: slot: num of vlans  " + numOfSlot);
-  printDebug(" gSS:: slot: binary ==> Length "+ slotArray.length);
-
-  if (debug) 
-        printHex(slotArray,slotArray.length);
-  printDebug("\n");
-
-  return slotArray; 
-
- }  
-
- public byte[] generatePartSsids(Vector bagOfSsids, Vector bagOfChwSsids)
-  throws Exception
- {
-  /**
-        typedef struct {
-        u16 id;
-        u16 ssid_ste;
-        u16 ssid_chwall;
-        } acm_partition_entry_t;
-
-  **/
-  Hashtable  partSsid = new Hashtable();
-  printDebug(" gPS::Size of bagOfSsids: "+ bagOfSsids.size());
-
-  /* Find the number of VMs */ 
-  for (int i = 0; i < bagOfSsids.size(); i++)
-  {
-       SecurityLabel entry = (SecurityLabel) bagOfSsids.elementAt(i);
-
-       if (null == entry.ids)
-         continue;
-
-       Enumeration e = entry.ids.elements(); 
-       while (e.hasMoreElements())
-       {
-         String id = (String) e.nextElement(); 
-         printDebug(" gPS:: part: " + id + "has ste ssid: " + 
entry.steSsidPosition);
-         if (-1 == entry.steSsidPosition)
-               continue;  
-
-         SsidsEntry  ssidsObj = new SsidsEntry();
-
-         ssidsObj.id = Integer.parseInt(id); 
-         ssidsObj.ste = entry.steSsidPosition;
-
-         if (partSsid.contains(id))
-               printDebug(" gPS:: Error already in the Hash part:" + 
ssidsObj.id);
-         else 
-               partSsid.put(id, ssidsObj);
-               printDebug(" gPS:: added part: " + id + "has ste ssid: " + 
entry.steSsidPosition);
-       }
-
-  }
-
-  for (int i = 0; i < bagOfChwSsids.size(); i++)
-  {
-       SecurityLabel entry = (SecurityLabel) bagOfChwSsids.elementAt(i);
-
-       Enumeration e = entry.chwIDs.elements(); 
-       while (e.hasMoreElements())
-       {
-         String id = (String) e.nextElement(); 
-         printDebug(" gPS:: part: " + id + "has chw ssid: " + 
entry.chwSsidPosition);
-         if (partSsid.containsKey(id))
-         {
-               SsidsEntry item = (SsidsEntry) partSsid.get(id);
-               item.chw = entry.chwSsidPosition;
-               printDebug(" gPS:: added :" + item.id +" chw: " + item.chw);
-         }
-         else 
-         {
-               printDebug(" gPS:: creating :" + id +" chw: " + 
entry.chwSsidPosition);
-               SsidsEntry  ssidsObj = new SsidsEntry();
-               ssidsObj.id = Integer.parseInt(id); 
-               ssidsObj.chw = entry.chwSsidPosition;
-               partSsid.put(id, ssidsObj);
-
-         }
-       }
-  }      
-
-  /* Allocate array */
-  int numOfPar = partSsid.size();
-  int totalSize =  (numOfPar * partitionEntrySz);  
-
-  if (0 == numOfPar) 
-  {
-       printDebug(" gPS:: part: binary ==> zero");
-        return new byte[0];
-  }
-
-  byte[] partArray = new byte[totalSize];
-
-  int index = 0;
-
-  Enumeration e = partSsid.elements(); 
-  while (e.hasMoreElements())
-  {
-       SsidsEntry entry = (SsidsEntry) e.nextElement(); 
-       printDebug(" gPS:: part: " + entry.id + " ste ssid: " + entry.ste + " 
chw ssid: "+ entry.chw);
-
-       /* Write id */
-       writeShortToStream(partArray,(short)entry.id,index);
-       index = index + u16Size;
-
-       /* Write ste ssid */
-       writeShortToStream(partArray,(short) entry.ste,index);
-       index = index + u16Size;
-
-       /* Write chw ssid */
-       writeShortToStream(partArray,(short) entry.chw,index);
-       index = index + u16Size;
-  }
-
-  printDebug(" gPS:: part: num of partitions  " + numOfPar);
-  printDebug(" gPS:: part: binary ==> Length " + partArray.length);
-
-  if (debug) 
-       printHex(partArray,partArray.length);
-  printDebug("\n");
-   
-   return partArray; 
- }
-
- public  byte[] GenBinaryPolicyBuffer(byte[] chwPolicy, byte[] stePolicy, byte 
[] partMap, byte[] vlanMap, byte[] slotMap)
- {
-  byte[] binBuffer;
-  short chwSize =0;
-  short steSize =0;
-  int  index = 0;
-
-  /* Builds data structure acm_policy_buffer_t */
-  /* Get number of colorTypes */
-  if (null != chwPolicy)
-       chwSize = (short) chwPolicy.length;
-
-  if (null != stePolicy)
-       steSize = (short) stePolicy.length;
-
-  int totalDataSize = chwSize + steSize + resourceOffsetSz +  3 *(2 * u16Size);
-
-  /*  Add vlan and slot */ 
-  totalDataSize = totalDataSize +partMap.length + vlanMap.length + 
slotMap.length; 
-  binBuffer = new byte[binaryBufferHeaderSz +totalDataSize];
-       
-
-  try {
-         index = 0;
-         /* fill in General Policy Version */
-         writeIntToStream(binBuffer, ACM_POLICY_VERSION, index);
-         index += u32Size;
-
-         /* Write magic */
-         writeIntToStream(binBuffer, ACM_MAGIC, index);
-         index += u32Size;
-
-         /* write len */
-         writeIntToStream(binBuffer, binBuffer.length, index);
-         index += u32Size;
-
-  } catch (IOException ee) {
-         System.out.println(" GBPB:: got exception : " + ee);
-         return null;
-  }
-
-  int offset, address;
-  address = index;
-
-  if (null != partMap) 
-         offset = binaryBufferHeaderSz + resourceOffsetSz;
-  else
-         offset = binaryBufferHeaderSz;
-
-  try {
-         int skip = 0;
-
-         /* init with NULL policy setting */
-         writeIntToStream(binBuffer, ACM_NULL_POLICY, index);
-         writeIntToStream(binBuffer, 0, index + u32Size);
-         writeIntToStream(binBuffer, ACM_NULL_POLICY, index + 2*u32Size);
-         writeIntToStream(binBuffer, 0, index + 3*u32Size);
-         
-         index = address;
-         if (null != chwPolicy) {
-         
-                 /* Write policy name */
-                 writeIntToStream(binBuffer, ACM_CHINESE_WALL_POLICY, index);
-                 index += u32Size;
-
-                 /* Write offset */
-                 writeIntToStream(binBuffer, offset, index);
-                 index += u32Size;
-
-                 /* Write payload. No need increment index */
-                 address = offset;
-                 System.arraycopy(chwPolicy, 0, binBuffer,address, 
chwPolicy.length);
-                 address = address + chwPolicy.length;
-         } else
-                 skip += 2*u32Size;
-
-         if (null != stePolicy) 
-         {     
-               /* Write policy name */
-               writeIntToStream(binBuffer, ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY, 
index);
-               index += u32Size;
-
-               /* Write offset */
-               writeIntToStream(binBuffer, address, index);
-               index += u32Size;
-
-               /* Copy array */
-               System.arraycopy(stePolicy, 0, binBuffer,address, 
stePolicy.length);
-               /* Update address */
-               address = address + stePolicy.length;
-         } else
-                skip += 2*u32Size;
-
-         /* Skip writing policy name and offset for each null policy*/
-         index +=  skip;
-
-         int size;
-         /* Assumes that you will always have a partition defined in policy */
-         if ( 0 < partMap.length) {
-                 writeIntToStream(binBuffer, address, index);
-                 index = address;
-
-                 /* Compute num of VMs */
-                 size = partMap.length / (3 * u16Size);
-
-                 writeShortToStream(binBuffer, (short)size,index);
-                 index = index + u16Size;
-
-                 /* part, vlan and slot: each one consists of two entries */
-                 offset = 3 * (2 * u16Size);
-                 writeShortToStream(binBuffer, (short) offset,index);
-
-                 /* Write partition array at offset */
-                 System.arraycopy(partMap, 0, binBuffer,(offset + address), 
partMap.length);
-                 index = index + u16Size;
-                 offset = offset + partMap.length;
-         }
-
-         if ( 0 < vlanMap.length) {
-                 size = vlanMap.length / (2 * u16Size);
-                 writeShortToStream(binBuffer, (short) size,index);
-                 index = index + u16Size;
-
-                 writeShortToStream(binBuffer, (short) offset,index);
-                 index = index + u16Size;
-                 System.arraycopy(vlanMap, 0, binBuffer,(offset + address), 
vlanMap.length);
-         } else {
-                 /* Write vlan max */
-                 writeShortToStream(binBuffer, (short) 0,index);
-                 index = index + u16Size;
- 
-                 /* Write vlan offset */
-                 writeShortToStream(binBuffer, (short) 0,index);
-                 index = index + u16Size;
-         }
-
-         offset = offset + vlanMap.length;
-         if ( 0 < slotMap.length) {
-                 size = slotMap.length / (3 * u16Size);
-                 writeShortToStream(binBuffer, (short) size,index);
-                 index = index + u16Size;
-
-                 writeShortToStream(binBuffer, (short) offset,index);
-                 index = index + u16Size;
-                 System.arraycopy(slotMap, 0, binBuffer,(offset + address), 
slotMap.length);
-         }
-  } catch (IOException ee) {
-         System.out.println(" GBPB:: got exception : " + ee);
-         return null;
-  }
-
-  printDebug(" GBP:: Binary Policy ==> length " + binBuffer.length);
-  if (debug)
-         printHex(binBuffer,binBuffer.length);
-
-  return  binBuffer;
- } 
-
- public  byte[] generateChwBuffer(Vector Ssids, Vector ConflictSsids, Vector 
ColorTypes)
- {
-  byte[] chwBuffer;
-  int index = 0;
-  int position = 0;
-
-  /* Get number of rTypes */
-  int maxTypes = ColorTypes.size();
-
-  /* Get number of SSids entry */
-  int maxSsids = Ssids.size();
-
-  /* Get number of conflict sets */
-  int maxConflict = ConflictSsids.size();
-
-   
-  if (maxTypes * maxSsids == 0)
-       return null; 
-  /*
-     data structure acm_chwall_policy_buffer
-     se XmlToBinInterface.java
-  */
-  int totalBytes = chwHeaderSize  + u16Size *(maxTypes * (maxSsids + 
maxConflict)); 
-
-  chwBuffer = new byte[ totalBytes ];
-  int address = chwHeaderSize + (u16Size * maxTypes * maxSsids );
-
-  printDebug(" gCB:: chwall totalbytes : "+totalBytes); 
-
-  try {
-         index = 0;
-         /* fill in General Policy Version */
-         writeIntToStream(chwBuffer, ACM_CHWALL_VERSION, index);
-         index += u32Size;
-
-         writeIntToStream(chwBuffer, ACM_CHINESE_WALL_POLICY, index);
-         index += u32Size;
-
-         writeIntToStream(chwBuffer, maxTypes, index);
-         index += u32Size;
-
-         writeIntToStream(chwBuffer, maxSsids, index);
-         index += u32Size;
-
-         writeIntToStream(chwBuffer, maxConflict, index);
-         index += u32Size;
-
-         /*  Write chwall_ssid_offset */
-         writeIntToStream(chwBuffer, chwHeaderSize, index);
-         index += u32Size;
-
-         /* Write chwall_conflict_sets_offset */
-         writeIntToStream(chwBuffer, address, index);
-         index += u32Size;
-
-         /*  Write chwall_running_types_offset */
-         writeIntToStream(chwBuffer, 0, index);
-         index += u32Size;
-
-         /*  Write chwall_conflict_aggregate_offset */
-         writeIntToStream(chwBuffer, 0, index);
-         index += u32Size;
-
-  } catch (IOException ee) {
-       System.out.println(" gCB:: got exception : " + ee); 
-       return null;
-  }
-  int markPos = 0;
-
-  /* Create the SSids entry */
-  for (int i = 0; i < maxSsids; i++)
-  {
-       SecurityLabel ssidEntry = (SecurityLabel) Ssids.elementAt(i);
-       /* Get chwall types */
-       ssidEntry.chwSsidPosition = i;
-       Enumeration e = ssidEntry.chwTypes.elements(); 
-       while (e.hasMoreElements())
-       {
-         String typeName = (String) e.nextElement(); 
-         printDebug(" gCB:: Ssid "+ i+ ": has type : " + typeName);
-         position = ColorTypes.indexOf(typeName);
-
-         if (position < 0) 
-         {
-               System.out.println (" gCB:: Error type : " + typeName + " not 
found in ColorTypes"); 
-               return null; 
-         }
-         printDebug(" GCB:: type : " + typeName + "  found in ColorTypes at 
position: " + position); 
-         markPos = ((i * maxTypes + position) * u16Size) + index;      
-
-         try {
-               writeShortToStream(chwBuffer,markSymbol,markPos);
-         } catch (IOException ee) {
-               System.out.println(" gCB:: got exception : "); 
-               return null; 
-         }
-       }
-  }
-
-  if (debug) 
-      printHex(chwBuffer,chwBuffer.length);
-
-  /* Add conflict set */
-  index = address;
-  for (int i = 0; i < maxConflict; i++)
-  {
-       /* Get ste types */
-       Vector entry = (Vector) ConflictSsids.elementAt(i);
-       Enumeration e = entry.elements(); 
-       while (e.hasMoreElements())
-       {
-         String typeName = (String) e.nextElement(); 
-         printDebug (" GCB:: conflict Ssid "+ i+ ": has type : " + typeName);
-         position = ColorTypes.indexOf(typeName);
-
-         if (position < 0) 
-         {
-               System.out.println (" GCB:: Error type : " + typeName + " not 
found in ColorTypes"); 
-               return null; 
-         }
-         printDebug(" GCB:: type : " + typeName + "  found in ColorTypes at 
position: " + position); 
-         markPos = ((i * maxTypes + position) * u16Size) + index;      
-
-         try {
-               writeShortToStream(chwBuffer,markSymbol,markPos);
-         } catch (IOException ee) {
-               System.out.println(" GCB:: got exception : "); 
-               return null; 
-         }
-       }
-               
-  } 
-  printDebug(" gSB:: chw binary  ==> Length " + chwBuffer.length); 
-  if (debug) 
-       printHex(chwBuffer,chwBuffer.length);
-  printDebug("\n");
-
-  return chwBuffer;
- }
-
-/**********************************************************************
- Generate byte representation of policy using type information
- <p>
- @param Ssids                  Vector
- @param ColorTypes             Vector
- <p>
- @return bytes represenation of simple type enforcement policy 
-**********************************************************************/
- public  byte[] generateSteBuffer(Vector Ssids, Vector ColorTypes)
- {
-  byte[] steBuffer;
-  int index = 0;
-  int position = 0;
-
-  /* Get number of colorTypes */
-  int numColorTypes = ColorTypes.size();
-
-  /* Get number of SSids entry */
-  int numSsids = Ssids.size();
-   
-  if (numColorTypes * numSsids == 0)
-       return null; 
-
-  /* data structure: acm_ste_policy_buffer
-   * see XmlToBinInterface.java
-   * total bytes: steHeaderSize * 2B + colorTypes(size) * Ssids(size)
-   * 
-  */
-  steBuffer = new byte[ steHeaderSize + (numColorTypes * numSsids) * 2];
-
-  try {
-       
-         index = 0;
-         writeIntToStream(steBuffer, ACM_STE_VERSION, index);
-         index += u32Size;
-
-         writeIntToStream(steBuffer, ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY, 
index);
-         index += u32Size;
-
-         writeIntToStream(steBuffer, numColorTypes, index);
-         index += u32Size;
-
-         writeIntToStream(steBuffer, numSsids, index);
-         index += u32Size;
-
-         writeIntToStream(steBuffer, steHeaderSize, index);
-         index += u32Size;
-
-
-  } catch (IOException ee) {
-       System.out.println(" gSB:: got exception : " + ee); 
-       return null; 
-  }
-  int markPos = 0;
-  for (int i = 0; i < numSsids; i++)
-  {
-       
-       SecurityLabel ssidEntry = (SecurityLabel) Ssids.elementAt(i);
-       ssidEntry.steSsidPosition = i;
-       /* Get ste types */
-       Enumeration e = ssidEntry.steTypes.elements(); 
-       while (e.hasMoreElements())
-       {
-         String typeName = (String) e.nextElement(); 
-         printDebug (" gSB:: Ssid "+ i+ ": has type : " + typeName);
-         position = ColorTypes.indexOf(typeName);
-
-         if (position < 0) 
-         {
-               printDebug(" gSB:: Error type : " + typeName + " not found in 
ColorTypes"); 
-               return null; 
-         }
-         printDebug(" gSB:: type : " + typeName + "  found in ColorTypes at 
position: " + position); 
-         markPos = ((i * numColorTypes + position) * u16Size) + index; 
-
-         try {
-               writeShortToStream(steBuffer,markSymbol,markPos);
-         } catch (IOException ee)
-         {
-               System.out.println(" gSB:: got exception : "); 
-               return null; 
-         }
-       }
-               
-  } 
-
-  printDebug(" gSB:: ste binary  ==> Length " + steBuffer.length); 
-  if (debug) 
-       printHex(steBuffer,steBuffer.length);
-  printDebug("\n");
-
-  return steBuffer;
- }
-
- public static  void printHex(byte [] dataArray, int length)
- {
-  char[] hexChars = {'0', '1', '2', '3', '4', '5', '6', '7',
-                '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};
-  int hexIndex;
-  int value;
-  int arraylength;
-
-  arraylength = length;
-
-  if (dataArray == null)
-  {
-        System.err.print("printHex: input byte array is null");
-  }
-
-  if (length > dataArray.length || length < 0)
-        arraylength = dataArray.length;
-
-  System.out.print("\n\t");
-
-  int i;
-  for(i = 0; i < arraylength; )
-  {
-        value = dataArray[i] & 0xFF;
-        hexIndex = (value >>> 4);
-        System.out.print(hexChars[hexIndex]);
-        hexIndex = (value & 0x0F);
-        System.out.print(hexChars[hexIndex]);
-
-        i++;
-        /* if done, print a final newline */
-        if (i == arraylength) {
-            if (arraylength < dataArray.length) {
-                System.out.print("...");
-            }
-            System.out.println();
-        }
-        else if ((i % 24) == 0) {
-            System.out.print("\n\t");
-        }
-        else if ((i % 4) == 0) {
-                System.out.print(" ");
-        }
-  }
-
-  return;
- }
-
-  
- private void writeShortToStream(byte[] stream, short value, int index)
-  throws IOException
- {
-  int littleEndian = 0;
-  int byteVal;
-
-  if (index + 2 > stream.length)
-  {
-      throw new IOException("Writing beyond stream length: " +
-                            stream.length + " writing at locations from: " + 
index + " to " + (index + 4));
-  }
-
-  if (!LittleEndian)
-  {
-
-       byteVal = value >> 8;
-       stream[index ] = (byte) byteVal;
-
-       byteVal = value;
-       stream[index + 1] = (byte) byteVal;
-  } else {
-       stream[index]  = (byte) ((value & 0x00ff) );
-       stream[index + 1]  = (byte) ((value & 0xff00) >> 8);
- }
-  return;
- }
-
- private void writeIntToStream(byte[] stream, int value, int index)
-  throws IOException
- {
-  int littleEndian = 0;
-  int byteVal;
-
-  if (4 > stream.length)
-  {
-      throw new IOException("writeIntToStream: stream length less than 4 bytes 
" +
-                            stream.length);
-  }
-
-  /* Do not Write beyond range */
-  if (index + 4 > stream.length)
-  {
-      throw new IOException("writeIntToStream: writing beyond stream length: " 
+
-                            stream.length + " writing at locations from: " + 
index + " to " + (index + 4));
-  }
-  if (!LittleEndian)
-  {
-       byteVal = value >>> 24;
-       stream[index] = (byte) byteVal;
-
-       byteVal = value >> 16;
-       stream[index + 1] = (byte) byteVal;
-
-       byteVal = value >> 8;
-       stream[index + 2] = (byte) byteVal;
-
-       byteVal = value;
-       stream[index + 3] = (byte) byteVal;
-  } else {
-       stream[index] = (byte) value;
-       stream[index + 1]  = (byte) ((value & 0x0000ff00) >> 8);
-       stream[index + 2]  = (byte) ((value & 0x00ff0000) >> 16);
-       stream[index + 3] = (byte) ( value >>> 24);
-  }
-  return;
- }
-
- public Document getDomTree(String xmlFileName)
-  throws Exception, SAXException, ParserConfigurationException
- {
-  javax.xml.parsers.DocumentBuilderFactory dbf = 
-       javax.xml.parsers.DocumentBuilderFactory.newInstance();
-
-  /* Turn on namespace aware and validation */
-  dbf.setNamespaceAware(true); 
-  dbf.setValidating(true);     
-  dbf.setAttribute(JAXP_SCHEMA_LANGUAGE,W3C_XML_SCHEMA);
-
-  /* Checks that the document is well-formed */
-  javax.xml.parsers.DocumentBuilder db = dbf.newDocumentBuilder();
-
-  myHandler errHandler= new myHandler();
-  db.setErrorHandler(errHandler);
-  Document doc = db.parse(xmlFileName);
-
-  /* Checks for validation errors */
-  if (errHandler.isValid)
-       printDebug(" gDT:: Xml file: " + xmlFileName + " is valid");
-   else
-      throw new Exception("Xml file: " + xmlFileName + " is NOT valid");
-
-  return doc;
- }  
-
- public void processDomTree(
-       Document doc,
-       Vector bagOfSsids,      
-       Vector bagOfTypes, 
-       Vector bagOfChwSsids, 
-       Vector bagOfChwTypes, 
-       Vector bagOfConflictSsids)
-  throws Exception, SAXException, ParserConfigurationException
- {
-  boolean found;
-
-  /* print the root Element */
-  Element root = doc.getDocumentElement();
-  printDebug ("\n pDT:: Document Element: Name = " + root.getNodeName() + 
",Value = " + root.getNodeValue());
-
-  /* Go through the list of the root Element's Attributes */
-  NamedNodeMap nnm = root.getAttributes();
-  printDebug (" pDT:: # of Attributes: " + nnm.getLength());
-  for (int i = 0; i < nnm.getLength(); i++)
-  {
-         Node n = nnm.item (i);
-        printDebug (" pDT:: Attribute: Name = " + n.getNodeName() + ", Value = 
" 
-             + n.getNodeValue());
-  }
-
-  /* Retrieve the policy definition */ 
-  NodeList elementList = root.getElementsByTagName ("url");
-  String definitionFileName = 
elementList.item(0).getFirstChild().getNodeValue();  
-
-  String definitionHash = null;
-
-  /* Note that SecurityPolicySpec.xsd allows for 0 hash value! */
-  elementList = root.getElementsByTagName ("hash");
-  if (0 != elementList.getLength())
-       definitionHash = elementList.item(0).getFirstChild().getNodeValue();  
-
-  Document definitionDoc = 
pGetDomDefinition(definitionFileName,definitionHash);
-  pGetTypes(definitionDoc,bagOfTypes, bagOfChwTypes, bagOfConflictSsids);
-
-
-  /* Get VM security information */
-  elementList = root.getElementsByTagName ("VM");
-  printDebug ("\n pDT:: partition length of NodeList:" + 
elementList.getLength());
-  /* Add default Ssid to Ste and Chw bags */                   
-  SecurityLabel defEntry = new SecurityLabel();
-
-  defEntry.chwTypes = new Vector();
-  defEntry.steTypes = new Vector();
-  defEntry.chwIDs = new Vector();
-  defEntry.ids = new Vector();
-
-  defEntry.steSsidPosition =0;
-  defEntry.chwSsidPosition =0;
-  bagOfChwSsids.add(defEntry);
-  bagOfSsids.add(defEntry);
-
-  for (int x = 0; x < elementList.getLength(); x++)
-  {
-       found = false;
-
-        Node node = elementList.item (x);          
-
-       if (node.getNodeType() == Node.ELEMENT_NODE)
-       {
-         printDebug (" pDT:: child: " + x + " is an element node" );
-         Element e1 = (Element) node;
-
-         /* Get id */
-         NodeList elist = e1.getElementsByTagName ("id");
-         String idStr = elist.item(0).getFirstChild().getNodeValue();  
-         printDebug (" pDT:: id:" + idStr);
-
-         /* Get TE */
-         Vector colorTypes = new Vector();
-         pConflictEntries(e1, "TE", bagOfTypes, colorTypes);
-
-         Enumeration e = bagOfSsids.elements();
-         while (e.hasMoreElements())
-         {
-               SecurityLabel elem = (SecurityLabel) e.nextElement(); 
-               if ( elem.steTypes.size() == colorTypes.size() && 
elem.steTypes.containsAll(colorTypes))
-               {
-                 found = true;
-                 elem.ids.add(idStr);
-               }
-               
-         }
-               if (!found && (0 < colorTypes.size()))
-               {
-                SecurityLabel entry = new SecurityLabel();
-                entry.steTypes = colorTypes;
-                entry.ids = new Vector();
-                entry.ids.add(idStr);
-                bagOfSsids.add(entry);
-               }
-
-               /* Get Chinese wall type */
-               Vector chwTypes = new Vector();
-               pConflictEntries(e1, "ChWall", bagOfChwTypes, chwTypes);
-
-               found = false;
-               e = bagOfChwSsids.elements();
-
-               while (e.hasMoreElements())
-               {
-                 SecurityLabel elem = (SecurityLabel) e.nextElement(); 
-                 if ( elem.chwTypes.size() == chwTypes.size() && 
elem.chwTypes.containsAll(chwTypes))
-                 {
-                   found = true;
-                   elem.chwIDs.add(idStr);
-                 }
-               
-               }
-
-               if (!found && (0 < chwTypes.size()))
-               {
-                SecurityLabel entry = new SecurityLabel();
-                entry.chwTypes = chwTypes;
-                entry.chwIDs = new Vector();
-                entry.chwIDs.add(idStr);
-                bagOfChwSsids.add(entry);
-               }
-      }
-  } 
-  return;
- }
-
- public Document pGetDomDefinition(
-       String definitionFileName, 
-       String definitionHash) 
-  throws Exception, SAXException, ParserConfigurationException
- {
-  printDebug("\n pGDD:: definition file name: " + definitionFileName);
-  printDebug("\n pGDD:: definition file hash: " + definitionHash);
-  
-  Document doc =  getDomTree(definitionFileName);
-  return doc; 
- }
-
- public void pGetTypes(
-       Document defDoc,
-       Vector bagOfTypes, 
-       Vector bagOfChwTypes, 
-       Vector bagOfConflictSsids)
-  throws Exception
- {
-
-
-  if (null == defDoc)
-      throw new Exception(" pGT:: definition file DOM is null ");
-
-  Element root = defDoc.getDocumentElement();
-
-  /* Get list of TE types */
-  NodeList elementList = root.getElementsByTagName ("Types");
-  printDebug ("\n pGT:: Types length of NodeList:" + elementList.getLength());
-  Element e1 = (Element) elementList.item (0);          
-  pGetEntries(e1,"TE",bagOfTypes);
-
-  /* Get list of Chinese types */
-  elementList = root.getElementsByTagName ("ChWallTypes");
-  printDebug ("\n pGT:: ChwTypes length of NodeList:" + 
elementList.getLength());
-  if (0 ==  elementList.getLength())
-  {
-       printDebug ("\n pGT:: ChWallTypes has zero length: :" + 
elementList.getLength());
-  } else {
-       e1 = (Element) elementList.item (0);          
-       pGetEntries(e1,"ChWall",bagOfChwTypes);
-  }
-  printDebug (" pGT:: Total number of unique chw types: " + 
bagOfChwTypes.size());
-
-  /* Get Chinese type conflict sets */
-  elementList = root.getElementsByTagName ("ConflictSet");
-  printDebug ("\n pGT:: Conflict sets length of NodeList:" + 
elementList.getLength());
-  for (int x = 0; x < elementList.getLength(); x++)
-  {
-       Vector conflictEntry  = new Vector();
-       e1 = (Element) elementList.item (x);          
-       printDebug ("\n pGT:: Conflict sets : " + x);
-
-       pConflictEntries(e1, "ChWall", bagOfChwTypes, conflictEntry);
-
-       if (conflictEntry.size() > 0)
-       {
-         boolean found = false;
-         Enumeration e = bagOfConflictSsids.elements();
-       
-         while (e.hasMoreElements())
-         {
-               Vector elem = (Vector) e.nextElement(); 
-               if (elem.size() == conflictEntry.size() && 
elem.containsAll(conflictEntry))
-               {
-                 found = true;
-               }
-               
-         }
-         if (!found)
-         {
-               bagOfConflictSsids.add(conflictEntry);
-         }
-       }
-  }
-
- }
-
- public void  pGetEntries(Element doc, String tag, Vector typeBag)
-  throws Exception
- {
-
-  if (null == doc)
-      throw new Exception(" pGE:: Element doc is null");
-
-  if (null == typeBag)
-      throw new Exception(" pGE:: typeBag  is null");
-
-  NodeList elist = doc.getElementsByTagName (tag);
-  for (int j = 0; j < elist.getLength(); j++)
-  {
-       Node knode = elist.item (j);          
-               Node childNode = knode.getFirstChild();     
-               String value = childNode.getNodeValue();
-
-       printDebug (" pGT:: "+ tag +" type: " + value);
-
-        /* Check if value is known */
-       if (!typeBag.contains(value))
-               typeBag.addElement(value);
-  }
- }
-
- public void  pConflictEntries(Element doc, String tag, Vector typeBag, Vector 
conflictEntry)
-  throws Exception
- {
-
-  if (null == doc)
-      throw new Exception(" pGE:: Element doc is null");
-
-  if (null == typeBag)
-      throw new Exception(" pGE:: typeBag  is null");
-
-  if (null == conflictEntry)
-      throw new Exception(" pGE:: typeBag  is null");
-
-
-  NodeList elist = doc.getElementsByTagName (tag);
-
-  for (int j = 0; j < elist.getLength(); j++)
-  {
-       Node knode = elist.item (j);          
-               Node childNode = knode.getFirstChild();     
-               String value = childNode.getNodeValue();
-
-       printDebug (" pGE:: "+ tag +" type: " + value);
-
-        /* Check if value is known */
-       if (!typeBag.contains(value))
-               throw new Exception(" pCE:: found undefined type set " + value);
-
-       if (!conflictEntry.contains(value))
-               conflictEntry.addElement(value);
-
-  }
- }
-
-  public void processDomTreeVlanSlot(
-       Document doc,
-       Vector bagOfSsids,      
-       Vector bagOfTypes)      
-  throws Exception
- {
-      boolean found;
-
-  printDebug(" pDTVS::Size of bagOfSsids: "+ bagOfSsids.size());
-  Element root = doc.getDocumentElement();
-
-  NodeList elementList = root.getElementsByTagName ("Vlan");
-  printDebug("\n pDTVS:: Vlan length of NodeList:" + elementList.getLength());
-
-  for (int x = 0; x < elementList.getLength(); x++)
-  {
-       found = false;
-
-        Node node = elementList.item (x);          
-
-       if (node.getNodeType() == Node.ELEMENT_NODE)
-       {
-         printDebug(" pDTVS:: child: " + x + " is an element node" );
-         Element e1 = (Element) node;
-
-         /* Get vid */
-         NodeList elist = e1.getElementsByTagName ("vid");
-         String idStr = elist.item(0).getFirstChild().getNodeValue();  
-         printDebug (" pDTVS:: vid:" + idStr);
-
-         /* Get TE */
-         elist = e1.getElementsByTagName ("TE");
-          printDebug (" pDTVS:: Total ste types: " + elist.getLength());
-
-         Vector colorTypes = new Vector();
-         for (int j = 0; j < elist.getLength(); j++)
-         {
-               Node knode = elist.item (j);          
-               Node childNode = knode.getFirstChild();     
-               String value = childNode.getNodeValue();
-
-               printDebug (" pDT:: My color is: " + value);
-               if (!bagOfTypes.contains(value))
-               {
-                 throw new IOException("pDT:: Vlan: " + idStr+ " has unknown 
type : "+ value);
-               }
-
-               if (!colorTypes.contains(value))
-                 colorTypes.addElement(value);
-         }
-         Enumeration e = bagOfSsids.elements();
-         while (e.hasMoreElements())
-         {
-               SecurityLabel elem = (SecurityLabel) e.nextElement(); 
-               if ( elem.steTypes.size() == colorTypes.size() && 
elem.steTypes.containsAll(colorTypes))
-               {
-                 found = true;
-                 if (null == elem.vlans)
-                       elem.vlans = new Vector();
-                  elem.vlans.add(idStr);
-               }
-               
-         }
-         if (!found && (0 < colorTypes.size()))
-         {
-                SecurityLabel entry = new SecurityLabel();
-                entry.steTypes = colorTypes;
-                entry.vlans = new Vector();
-                entry.vlans.add(idStr);
-                bagOfSsids.add(entry);
-         }
-
-       }
-  } 
-  printDebug(" pDTVS::After slot Size of bagOfSsids: "+ bagOfSsids.size());
-
-  elementList = root.getElementsByTagName ("Slot");
-  printDebug ("\n pDTVS:: Slot length of NodeList:" + elementList.getLength());
-
-  for (int x = 0; x < elementList.getLength(); x++)
-  {
-       found = false;
-
-        Node node = elementList.item (x);          
-
-       if (node.getNodeType() == Node.ELEMENT_NODE)
-       {
-         printDebug(" pDT:: child: " + x + " is an element node" );
-         Element e1 = (Element) node;
-
-
-         /* Get slot and bus */
-         SlotInfo item = new SlotInfo();
-
-         NodeList elist = e1.getElementsByTagName ("bus");
-         item.bus = elist.item(0).getFirstChild().getNodeValue();  
-         elist = e1.getElementsByTagName ("slot");
-         item.slot = elist.item(0).getFirstChild().getNodeValue();  
-         printDebug (" pDT:: bus and slot:" + item.bus + " "+ item.slot);
-
-         /* Get TE */
-         elist = e1.getElementsByTagName ("TE");
-          printDebug (" pDT:: Total ste types: " + elist.getLength());
-
-         Vector colorTypes = new Vector();
-         for (int j = 0; j < elist.getLength(); j++)
-         {
-               Node knode = elist.item (j);          
-               Node childNode = knode.getFirstChild();     
-               String value = childNode.getNodeValue();
-
-               printDebug (" pDT:: My color is: " + value);
-               if (!bagOfTypes.contains(value))
-               {
-                 throw new IOException("pDT:: bus: " + item.bus + " slot: "+ 
item.slot + " has unknown type : "+ value);
-               }
-
-               if (!colorTypes.contains(value))
-                 colorTypes.addElement(value);
-               }
-
-               Enumeration e = bagOfSsids.elements();
-               while (e.hasMoreElements())
-               {
-                 SecurityLabel elem = (SecurityLabel) e.nextElement(); 
-                 if ( elem.steTypes.size() == colorTypes.size() && 
elem.steTypes.containsAll(colorTypes))
-                 {
-                       found = true;
-                       if (null == elem.slots)
-                         elem.slots = new Vector();
-                       elem.slots.add(item);
-
-                 }
-               
-               }
-
-               if (!found && (0 < colorTypes.size()))
-               {
-                 SecurityLabel entry = new SecurityLabel();
-                 entry.steTypes = colorTypes;
-                 entry.slots = new Vector();
-                 entry.slots.add(item);
-                 bagOfSsids.add(entry);
-               }
-
-       }
-  }
-  return;
- }
-
- public static void main (String[] args) 
- {
-  String xmlFileName = null;           /* policy file */ 
-  String outputFileName = null;        /* binary policy file */
-  String xenSsidOutputFileName = null;         /* outputfile ssid to named 
types */    
-                                       /* outputfile conflicts ssid to named 
types */  
-  String xenSsidConfOutputFileName = null;     
-
-  XmlToBin genObj = new XmlToBin(); 
-
-  policy_version active_policy = new policy_version();
-
-  if ((active_policy.ACM_POLICY_VERSION != ACM_POLICY_VERSION) ||
-      (active_policy.ACM_CHWALL_VERSION != ACM_CHWALL_VERSION) ||
-      (active_policy.ACM_STE_VERSION != ACM_STE_VERSION)) {
-         System.out.println("ACM policy versions differ.");
-         System.out.println("Please verify that data structures are correct");
-         System.out.println("and then adjust the version numbers in 
XmlToBinInterface.java.");
-         return;
-  }
-
-
-  for (int i = 0 ; i < args.length ; i++) {
-
-       if ( args[i].equals("-help"))  {
-          printUsage();
-          System.exit(1);
-
-        } else if ( args[i].equals("-i"))  {
-          i++;
-          if (i < args.length) {
-               xmlFileName = args[i];   
-          } else  {
-                System.out.println("-i argument needs parameter");
-                System.exit(1);
-          }
-
-       } else if ( args[i].equals("-o"))  {
-          i++;
-          if (i < args.length) {
-                outputFileName = args[i];   
-          } else {
-                System.out.println("-o argument needs parameter");
-                System.exit(1);
-          }
-
-       } else if ( args[i].equals("-xssid"))  {
-          i++;
-          if (i < args.length) {
-                 xenSsidOutputFileName = args[i];   
-          } else {
-                System.out.println("-xssid argument needs parameter");
-                System.exit(1);
-          }
-
-       } else if ( args[i].equals("-xssidconf"))  {
-          i++;
-          if (i < args.length) {
-                xenSsidConfOutputFileName = args[i]; 
-          } else {
-                System.out.println("-xssidconf argument needs parameter");
-                System.exit(1);
-          }
-       } else if ( args[i].equals("-debug"))  { /* turn on debug msg */
-               genObj.setDebug(true);
-        } else {
-          System.out.println("bad command line argument: " + args[i]);
-          printUsage();
-          System.exit(1);
-        }
-
-  }
-
-  if (xmlFileName == null)
-  { 
-       System.out.println("Need to specify input file -i option");
-        printUsage();
-        System.exit(1);
-  }
-
-
-  try 
-  {
-       /* Parse and validate */
-       Document doc =  genObj.getDomTree(xmlFileName);
-
-       /* Vectors to hold sets of types */
-       Vector bagOfSsids = new Vector();
-       Vector bagOfTypes = new Vector();
-       Vector bagOfChwSsids = new Vector();
-       Vector bagOfChwTypes = new Vector();
-       Vector bagOfConflictSsids = new Vector();
-
-       Vector vlanMapSsids = new Vector();
-       Vector slotMapSsids = new Vector();
-
-       genObj.processDomTree(doc, bagOfSsids, bagOfTypes, bagOfChwSsids, 
bagOfChwTypes, bagOfConflictSsids);
-
-       genObj.processDomTreeVlanSlot(doc, bagOfSsids, bagOfTypes);
-
-       /* Get binary representation of policies */
-       byte[] stePolicy = genObj.generateSteBuffer(bagOfSsids, bagOfTypes);
-       byte[] chwPolicy = genObj.generateChwBuffer(bagOfChwSsids, 
bagOfConflictSsids,bagOfChwTypes);
-
-       byte[] binPolicy = null;
-       byte[] binaryPartionSsid = null;
-       byte[] binaryVlanSsid = null;
-       byte[] binarySlotSsid = null;
-
-       /* Get binary representation of partition to ssid mapping */
-       binaryPartionSsid = genObj.generatePartSsids(bagOfSsids,bagOfChwSsids);
-
-       /* Get binary representation of vlan to ssid mapping */
-       binaryVlanSsid = genObj.generateVlanSsids(bagOfSsids);
-
-       /* Get binary representation of slot to ssid mapping */
-       binarySlotSsid = genObj.generateSlotSsids(bagOfSsids);
-
-       /* Generate binary representation: policy, partition, slot and vlan */
-       binPolicy = genObj.GenBinaryPolicyBuffer(chwPolicy,stePolicy, 
binaryPartionSsid, binaryVlanSsid, binarySlotSsid);
-
-
-       /* Write binary policy into file */
-       if (null != outputFileName)
-       {
-               genObj.writeBinPolicy(binPolicy, outputFileName);
-       } else {
-               System.out.println (" No binary policy generated, 
outputFileName:  " + outputFileName);
-       }
-
-       /* Print total number of types */
-       System.out.println (" Total number of unique ste types: " + 
bagOfTypes.size());
-       System.out.println (" Total number of Ssids : " + bagOfSsids.size());
-       System.out.println (" Total number of unique chw types: " + 
bagOfChwTypes.size());
-       System.out.println (" Total number of conflict ssids : " + 
bagOfConflictSsids.size());
-       System.out.println (" Total number of chw Ssids : " + 
bagOfChwSsids.size());
-
-       if (null != xenSsidOutputFileName)
-               genObj.writeXenTypeFile(bagOfSsids, xenSsidOutputFileName, 
true);
-
-       if (null != xenSsidConfOutputFileName)
-               genObj.writeXenTypeFile(bagOfChwSsids, 
xenSsidConfOutputFileName, false);
-    } 
-    catch (Exception e) 
-    {
-      e.printStackTrace();
-    }
-  }
-}
diff -r 1895942150a5 -r 513acbeac420 
tools/misc/policyprocessor/XmlToBinInterface.java
--- a/tools/misc/policyprocessor/XmlToBinInterface.java Fri Aug 19 08:55:03 2005
+++ /dev/null   Fri Aug 19 09:03:17 2005
@@ -1,138 +0,0 @@
-/**
- * (C) Copyright IBM Corp. 2005
- *
- * $Id: XmlToBinInterface.java,v 1.3 2005/06/20 21:07:37 rvaldez Exp $
- *
- * Author: Ray Valdez
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License as
- * published by the Free Software Foundation, version 2 of the
- * License.
- *
- * XmlToBinInterface Class.  
- * <p>
- *
- * Defines constants used by XmToBin.
- *
- * <p>
- *
- *     policy binary structures
- *
- * struct acm_policy_buffer {
- *     u32 policy_version; * ACM_POLICY_VERSION *
- *      u32 magic;
- *     u32 len;
- *     u32 primary_policy_code;
- *     u32 primary_buffer_offset;
- *     u32 secondary_policy_code;
- *     u32 secondary_buffer_offset;
- *      +u32 resource offset (not used yet in Xen)
- * };
- *
- *
- * struct acm_ste_policy_buffer {
- *     u32 policy_version; * ACM_STE_VERSION *
- *     u32 policy_code;
- *     u32 ste_max_types;
- *     u32 ste_max_ssidrefs;
- *     u32 ste_ssid_offset;
- * };
- *
- * struct acm_chwall_policy_buffer {
- *     u32 policy_version; * ACM_CHWALL_VERSION *
- *     u32 policy_code;
- *     u32 chwall_max_types;
- *     u32 chwall_max_ssidrefs;
- *     u32 chwall_max_conflictsets;
- *     u32 chwall_ssid_offset;
- *     u32 chwall_conflict_sets_offset;
- *     u32 chwall_running_types_offset;
- *     u32 chwall_conflict_aggregate_offset;
- * };
- *
- *     typedef struct {
- *     u16 partition_max;
- *     u16 partition_offset;
- *     u16 vlan_max;
- *     u16 vlan_offset;
- *     u16 slot_max;
- *     u16 slot_offset;
- *     } acm_resource_buffer_t;
- *
- *     typedef struct {
- *     u16 id;
- *     u16 ssid_ste;
- *     u16 ssid_chwall;
- *     } acm_partition_entry_t;
- *
- *     typedef struct {
- *     u16 vlan;
- *     u16 ssid_ste;
- *     } acm_vlan_entry_t;
- *
- *     typedef struct {
- *     u16 bus;
- *     u16 slot;
- *     u16 ssid_ste;
- *     } acm_slot_entry_t;
- *
- *       
- *
- */
-public interface XmlToBinInterface
-{
-  /* policy code  (uint16) */
-  final int policyCodeSize = 2;
-
-  /* max_types    (uint16) */
-  final int maxTypesSize = 2;
-
-  /* max_ssidrefs (uint16) */
-  final int maxSsidrefSize = 2;
-
-  /* ssid_offset  (uint32) */
-  final int ssidOffsetSize = 2;
-
-  final short markSymbol = 0x0001;
-
-  final int u32Size = 4;
-  final int u16Size = 2;
-
-  /* num of bytes for acm_ste_policy_buffer_t */
-  final int steHeaderSize = (5 * u32Size);
-
-  /* byte for acm_chinese_wall_policy_buffer_t */
-  final int chwHeaderSize = (9 * u32Size);
-
-  final int primaryPolicyCodeSize = u32Size;
-  final int primaryBufferOffsetSize = u32Size ;
-
-  final int secondaryPolicyCodeSz = u32Size;
-  final int secondaryBufferOffsetSz = u32Size;
-  final int resourceOffsetSz = u32Size;
-
-  final short partitionBufferSz = (2 * u16Size);
-  final short partitionEntrySz = (3 * u16Size);
-
-  final short slotBufferSz = (2 * u16Size);
-  final short slotEntrySz = (3 * u16Size);
-
-  final short vlanBufferSz = (2 * u16Size);
-  final short vlanEntrySz = (2 * u16Size);
-
-  final int binaryBufferHeaderSz = (8 * u32Size); /* 8th not used in Xen */
-
-  /* copied directly from acm.h */
-  final int ACM_MAGIC  =  0x0001debc;
-  final int ACM_NULL_POLICY = 0;
-  final int ACM_CHINESE_WALL_POLICY = 1;
-  final int ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY = 2;
-  final int ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY = 3;
-  final int ACM_EMPTY_POLICY = 4;
-
-  /* version for compatibility check */
-  final int ACM_POLICY_VERSION = 1;
-  final int ACM_STE_VERSION    = 1;
-  final int ACM_CHWALL_VERSION = 1;
-}
diff -r 1895942150a5 -r 513acbeac420 tools/misc/policyprocessor/c2j_include.c
--- a/tools/misc/policyprocessor/c2j_include.c  Fri Aug 19 08:55:03 2005
+++ /dev/null   Fri Aug 19 09:03:17 2005
@@ -1,57 +0,0 @@
-/****************************************************************
- * c2j_include.c
- *
- * Copyright (C) 2005 IBM Corporation
- *
- * Authors:
- * Reiner Sailer <sailer@xxxxxxxxxxxxxx>
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License as
- * published by the Free Software Foundation, version 2 of the
- * License.
- *
- * This tool makes some constants from acm.h available to the
- * java policyprocessor for version checking.
- */
-#include <stdio.h>
-#include <errno.h>
-#include <stdlib.h>
-#include <stdint.h>
-
-typedef uint8_t  u8;
-typedef uint16_t u16;
-typedef uint32_t u32;
-typedef uint64_t u64;
-typedef int8_t   s8;
-typedef int16_t  s16;
-typedef int32_t  s32;
-typedef int64_t  s64;
-
-#include <xen/acm.h>
-
-char *filename = "policy_version.java";
-
-int main(int argc, char **argv)
-{
-
-    FILE *fd;
-    if ((fd = fopen(filename, "w")) <= 0)
-    {
-        printf("File %s not found.\n", filename);
-        exit(-ENOENT);
-    }
-
-    fprintf(fd, "/*\n * This file was automatically generated\n");
-    fprintf(fd, " * Do not change it manually!\n */\n");
-    fprintf(fd, "public class policy_version {\n");
-    fprintf(fd, "      final int ACM_POLICY_VERSION = %x;\n",
-            ACM_POLICY_VERSION);
-    fprintf(fd, "      final int ACM_CHWALL_VERSION = %x;\n",
-            ACM_CHWALL_VERSION);
-    fprintf(fd, "      final int ACM_STE_VERSION = %x;\n",
-            ACM_STE_VERSION);
-    fprintf(fd, "}\n");
-    fclose(fd);
-    return 0;
-}
diff -r 1895942150a5 -r 513acbeac420 tools/misc/policyprocessor/myHandler.java
--- a/tools/misc/policyprocessor/myHandler.java Fri Aug 19 08:55:03 2005
+++ /dev/null   Fri Aug 19 09:03:17 2005
@@ -1,47 +0,0 @@
-/**
- * (C) Copyright IBM Corp. 2005
- *
- * $Id: myHandler.java,v 1.2 2005/06/17 20:00:04 rvaldez Exp $
- *
- * Author: Ray Valdez
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License as
- * published by the Free Software Foundation, version 2 of the
- * License.
- *
- * myHandler Class.  
- *
- * <p>
- *
- * A dummy class used for detecting XML validating/parsing errors.
- *
- * <p>
- *
- *
- */
-import org.xml.sax.helpers.*;
-import org.xml.sax.SAXParseException;
-
-class myHandler extends DefaultHandler 
-{ 
- public boolean isValid = true;
-
- /* Notification of a recoverable error. */
- public void error(SAXParseException se) 
- { 
-  isValid = false;
- } 
-
- /* Notification of a non-recoverable error. */
- public void fatalError(SAXParseException se) 
- { 
-  isValid = false;
- } 
-
- /* Notification of a warning. */
- public void warning(SAXParseException se) 
- {
-  isValid = false;
- }
-}
diff -r 1895942150a5 -r 513acbeac420 tools/misc/policyprocessor/readme.install
--- a/tools/misc/policyprocessor/readme.install Fri Aug 19 08:55:03 2005
+++ /dev/null   Fri Aug 19 09:03:17 2005
@@ -1,33 +0,0 @@
-# Author: Ray Valdez, rvaldez@xxxxxxxxxx 
-# Version: 1.0
-#
-# install readme
-#
-PREREQUISITES:
-
-Prior to installation of the policy processor tool (XmlToBin) you must have...
-
- 1. Java version 1.4.2
- 2. xmlParserAPIs.jar and xercesImpl.jar
-
-The above can be obtained from the Sun Developer Network web site at
-http://java.sun.com/j2se/1.4.2/download.html.
-
-XmlParserAPIs and xercesImpl jars can be obtained from
-http://www.apache.org/dist/xml/xerces-j (Xerces-J-bin.2.6.2.tar.gz,
-for example).
-
-The tool has been tested with J2SE v1.4.2_08 JRE on Linux (32-bit
-INTEL).
-
-INSTALLATION
-
-1. Set PATH to include $HOME_JAVA/bin and $HOME_JAVA/jre/bin
-   where $HOME_JAVA is your java installation directory
-
-2. Compile XmlToBin:
-   javac XmlToBin.java
-       
-USAGE
-
- See readme.xen
diff -r 1895942150a5 -r 513acbeac420 tools/misc/policyprocessor/readme.xen
--- a/tools/misc/policyprocessor/readme.xen     Fri Aug 19 08:55:03 2005
+++ /dev/null   Fri Aug 19 09:03:17 2005
@@ -1,65 +0,0 @@
-# Author: Ray Valdez, rvaldez@xxxxxxxxxx 
-# Version: 1.0
-#
-# This readme describes the policy processor tool for sHype.
-#
-
-Java program:
-
- java XmlToBin -i [file.xml] -o <file.bin> -xssid <SsidFile> -xssidconf 
<SsidConf>
-
- Command line options:
-
-        -i              inputFile:      name of policyfile (.xml)
-        -o              outputFile:     name of binary policy file (Big Endian)
-        -xssid          SsidFile:       xen ssids to named types text file
-        -xssidconf      SsidConf:      xen conflict ssids to types text file
-        -debug                          turn on debug messages
-        -help                           help. This printout
-
-Where:
-
-file.xml is the (input) xml policy file to be parsed and validated.
-The syntax for file.xml is defined in the SecurityPolicySpec.xsd file.
-file.bin is the (output) binary policy file generated by XmlToBin.
-This binary policy can be activated in sHype. The binary policy file
-is laid out in network byte order (i.e., big endian).  The SsidFile
-file contains the mapping of type enforcement (TE) ssids to the "named
-types".  Similarly, the SsidConf file contains the mapping of Chinese
-Wall (ChWall) ssids to conflict named types. The ssidFile and SsidConf
-files are used by Xen.
-
-Xml Schema and policy:
-
-The SecurityPolicySpec.xsd defines the syntax of a policy file. It
-declares the tags that are used by XmlToBin to generate the binary
-policy file. The tags that XmlToBin keys on are TE, ChWall, id, vid,
-etc.  The xml files that describe a policy are simple.  Semantic
-checking of a policy is performed mostly by XmlToBin.  A type, for
-example, is a string. No fixed values are defined for types in Xml.
-  
-A policy consists of two Xml files: definition and policy. The
-definition Xml declares the types that are permitted in the policy
-Xml.  The policy Xml contains the assignment of labels to
-subject/object (e.g., vm). This Xml file contains an explicit
-reference to the definition Xml (e.g., <url>xen_sample_def.xml</url>).
-The policy Xml is the one provided as a command line argument.
-
-
-Files:
-
-*.java                 - policy processor source 
-xen_sample_policy.xml  - sample xml policy file
-xen_sample_def.xml     - sample user defined types
-SecurityPolicySpec.xsd         - schema definition file
-
-
-To generate the sample binary policy: 
-
-export CLASSPATH=$XERCES_HOME/xercesImpl.jar:$XERCES_HOME/xmlParserAPIs.jar:.
-
-java XmlToBin -i xen_sample_policy.xml -o xen_sample_policy.bin
-
-where $XERCES_HOME is the installation directory of the Apache Xerces-J
-
-
diff -r 1895942150a5 -r 513acbeac420 
tools/misc/policyprocessor/xen_sample_def.xml
--- a/tools/misc/policyprocessor/xen_sample_def.xml     Fri Aug 19 08:55:03 2005
+++ /dev/null   Fri Aug 19 09:03:17 2005
@@ -1,46 +0,0 @@
-<?xml version="1.0"?>
-<!-- Author: Ray Valdez, rvaldez@xxxxxxxxxx -->
-<!-- example policy type definition -->
-<SecurityPolicySpec
-xmlns="http://www.ibm.com";
-xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
-xsi:schemaLocation="http://www.ibm.com SecurityPolicySpec.xsd">
-
-<Definition>
-<!-- an example of a simple type enforcement type definition -->
-  <Types>
-        <TE>LOCAL-management</TE>
-        <TE>R-Company-development</TE>
-        <TE>S-Company-order</TE>
-        <TE>T-Company-advertising</TE>
-        <TE>U-Company-computing</TE>
-                <!-- TE nondevelopment  -->
-  </Types>
-
-<!-- an example of a chinese wall type definition along with conflict sets-->
-  <ChWallTypes>
-                <ChWall>Q-Company</ChWall>
-                <ChWall>R-Company</ChWall>
-                <ChWall>S-Company</ChWall>
-                <ChWall>T-Company</ChWall>
-                <ChWall>U-Company</ChWall>
-                <ChWall>V-Company</ChWall>
-                <ChWall>W-Company</ChWall>
-                <ChWall>X-Company</ChWall>
-                <ChWall>Y-Company</ChWall>
-                <ChWall>Z-Company</ChWall>
-  </ChWallTypes>
-
-  <ConflictSet>
-                <ChWall>T-Company</ChWall>
-                <ChWall>S-Company</ChWall>
-   </ConflictSet>
-
-   <ConflictSet>
-                <ChWall>R-Company</ChWall>
-                <ChWall>V-Company</ChWall>
-                <ChWall>W-Company</ChWall>
-   </ConflictSet>
-
-</Definition>
-</SecurityPolicySpec>
diff -r 1895942150a5 -r 513acbeac420 
tools/misc/policyprocessor/xen_sample_policy.xml
--- a/tools/misc/policyprocessor/xen_sample_policy.xml  Fri Aug 19 08:55:03 2005
+++ /dev/null   Fri Aug 19 09:03:17 2005
@@ -1,58 +0,0 @@
-<?xml version="1.0"?>
-<!-- Author: Ray Valdez, rvaldez@xxxxxxxxxx -->
-<!-- example xen policy file -->
-
-<SecurityPolicySpec
-xmlns="http://www.ibm.com";
-xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
-xsi:schemaLocation="http://www.ibm.com SecurityPolicySpec.xsd">
-<Policy>
- <PolicyHeader>
-        <Name>xen sample policy</Name>
-        <DateTime>2005-05-20T16:56:00</DateTime>
-        <Tag>foobar</Tag>
-        <TypeDefinition>
-          <url>xen_sample_def.xml</url>
-          <hash>abcdef123456abcdef</hash>
-        </TypeDefinition>
- </PolicyHeader>
-
- <VM>
-        <id> 0 </id>
-        <TE>LOCAL-management</TE>
-        <TE>R-Company-development</TE>
-        <TE>S-Company-order</TE>
-        <TE>T-Company-advertising</TE>
-        <TE>U-Company-computing</TE>
-                <ChWall>Q-Company</ChWall>
- </VM>
-
- <VM>
-        <id> 1 </id>
-        <TE>R-Company-development</TE>
-                <ChWall>R-Company</ChWall>
- </VM>
-
- <VM>
-        <id> 2 </id>
-        <TE>S-Company-order</TE>
-                <ChWall>S-Company</ChWall>
-
- </VM>
-
- <VM>
-        <id> 3 </id>
-        <TE>T-Company-advertising</TE>
-                <ChWall>T-Company</ChWall>
- </VM>
-
-
- <VM>
-        <id> 4 </id>
-        <TE>U-Company-computing</TE>
-                <ChWall>U-Company</ChWall>
- </VM>
-
-
-</Policy>
-</SecurityPolicySpec>

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog

<Prev in Thread] Current Thread [Next in Thread>
  • [Xen-changelog] This patch:, Xen patchbot -unstable <=