
[Xen-changelog] This patch deletes the old shell-based security tools.

To: xen-changelog@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-changelog] This patch deletes the old shell-based security tools.
From: Xen patchbot -unstable <patchbot-unstable@xxxxxxxxxxxxxxxxxxx>
Date: Mon, 24 Apr 2006 14:30:11 +0000
Delivery-date: Mon, 24 Apr 2006 08:00:50 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-changelog-request@lists.xensource.com?subject=help>
List-id: BK change log <xen-changelog.lists.xensource.com>
List-post: <mailto:xen-changelog@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=unsubscribe>
Reply-to: xen-devel@xxxxxxxxxxxxxxxxxxx
Sender: xen-changelog-bounces@xxxxxxxxxxxxxxxxxxx
# HG changeset patch
# User smh22@xxxxxxxxxxxxxxxxxxxx
# Node ID 37da8dd5d43e7c43d0554ee6a8db048962cd7d1b
# Parent  65ce9bf4a86f40fe3a1774a992951ef0475cc601
This patch deletes the old shell-based security tools.

Signed-off by: Reiner Sailer <sailer@xxxxxxxxxx>

diff -r 65ce9bf4a86f -r 37da8dd5d43e tools/security/get_decision.c
--- a/tools/security/get_decision.c     Mon Apr 24 10:52:19 2006 +0100
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,176 +0,0 @@
-/****************************************************************
- * get_decision.c
- *
- * Copyright (C) 2005 IBM Corporation
- *
- * Authors:
- * Reiner Sailer <sailer@xxxxxxxxxxxxxx>
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License as
- * published by the Free Software Foundation, version 2 of the
- * License.
- *
- * An example program that shows how to retrieve an access control
- * decision from the hypervisor ACM based on the currently active policy.
- *
- */
-
-#include <unistd.h>
-#include <stdio.h>
-#include <errno.h>
-#include <fcntl.h>
-#include <getopt.h>
-#include <sys/mman.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <stdlib.h>
-#include <sys/ioctl.h>
-#include <string.h>
-#include <netinet/in.h>
-#include <xen/acm.h>
-#include <xen/acm_ops.h>
-#include <xen/linux/privcmd.h>
-
-#define PERROR(_m, _a...) \
-fprintf(stderr, "ERROR: " _m " (%d = %s)\n" , ## _a ,  \
-                errno, strerror(errno))
-
-void usage(char *progname)
-{
-    printf("Use: %s \n", progname);
-    printf(" Test program illustrating the retrieval of\n");
-    printf(" access control decisions from xen. At this time,\n");
-    printf(" only sharing (STE) policy decisions are supported.\n");
-    printf(" parameter options:\n");
-    printf("\t -i domid -i domid\n");
-    printf("\t -i domid -s ssidref\n");
-    printf("\t -s ssidref -s ssidref\n\n");
-    exit(-1);
-}
-
-static inline int do_policycmd(int xc_handle, unsigned int cmd,
-                               unsigned long data)
-{
-    return ioctl(xc_handle, cmd, data);
-}
-
-static inline int do_xen_hypercall(int xc_handle,
-                                   privcmd_hypercall_t * hypercall)
-{
-    return do_policycmd(xc_handle,
-                        IOCTL_PRIVCMD_HYPERCALL,
-                        (unsigned long) hypercall);
-}
-
-static inline int do_acm_op(int xc_handle, struct acm_op *op)
-{
-    int ret = -1;
-    privcmd_hypercall_t hypercall;
-
-    op->interface_version = ACM_INTERFACE_VERSION;
-
-    hypercall.op = __HYPERVISOR_acm_op;
-    hypercall.arg[0] = (unsigned long) op;
-
-    if (mlock(op, sizeof(*op)) != 0) {
-        PERROR("Could not lock memory for Xen policy hypercall");
-        goto out1;
-    }
-
-    if ((ret = do_xen_hypercall(xc_handle, &hypercall)) < 0) {
-        if (errno == EACCES)
-            fprintf(stderr, "ACM operation failed -- need to"
-                    " rebuild the user-space tool set?\n");
-        goto out2;
-    }
-
-  out2:(void) munlock(op, sizeof(*op));
-  out1:return ret;
-}
-
-
-/************************ get decision ******************************/
-
-/* this example uses two domain ids and retrieves the decision if these domains
- * can share information (useful, i.e., to enforce policy onto network traffic 
in dom0
- */
-int acm_get_decision(int xc_handle, int argc, char *const argv[])
-{
-    struct acm_op op;
-    int ret;
-
-    op.cmd = ACM_GETDECISION;
-    op.interface_version = ACM_INTERFACE_VERSION;
-    op.u.getdecision.get_decision_by1 = UNSET;
-    op.u.getdecision.get_decision_by2 = UNSET;
-    op.u.getdecision.hook = SHARING;
-
-    while (1) {
-        int c = getopt(argc, argv, "i:s:");
-        if (c == -1)
-            break;
-
-        if (c == 'i') {
-            if (op.u.getdecision.get_decision_by1 == UNSET) {
-                op.u.getdecision.get_decision_by1 = DOMAINID;
-                op.u.getdecision.id1.domainid = strtoul(optarg, NULL, 0);
-            } else if (op.u.getdecision.get_decision_by2 == UNSET) {
-                op.u.getdecision.get_decision_by2 = DOMAINID;
-                op.u.getdecision.id2.domainid = strtoul(optarg, NULL, 0);
-            } else
-                usage(argv[0]);
-        } else if (c == 's') {
-            if (op.u.getdecision.get_decision_by1 == UNSET) {
-                op.u.getdecision.get_decision_by1 = SSIDREF;
-                op.u.getdecision.id1.ssidref = strtoul(optarg, NULL, 0);
-            } else if (op.u.getdecision.get_decision_by2 == UNSET) {
-                op.u.getdecision.get_decision_by2 = SSIDREF;
-                op.u.getdecision.id2.ssidref = strtoul(optarg, NULL, 0);
-            } else
-                usage(argv[0]);
-        } else
-            usage(argv[0]);
-    }
-    if ((op.u.getdecision.get_decision_by1 == UNSET) ||
-        (op.u.getdecision.get_decision_by2 == UNSET))
-        usage(argv[0]);
-
-    if ((ret = do_acm_op(xc_handle, &op))) {
-        printf("%s: Error getting decision (%d).\n", __func__, ret);
-        printf("%s: decision = %s.\n", __func__,
-               (op.u.getdecision.acm_decision ==
-                ACM_ACCESS_PERMITTED) ? "PERMITTED" : ((op.u.getdecision.
-                                                        acm_decision ==
-                                                        ACM_ACCESS_DENIED)
-                                                       ? "DENIED" :
-                                                       "ERROR"));
-        return ret;
-    }
-    return op.u.getdecision.acm_decision;
-}
-
-/***************************** main **************************************/
-
-int main(int argc, char **argv)
-{
-
-    int acm_cmd_fd, ret = 0;
-
-    if (argc < 5)
-        usage(argv[0]);
-
-    if ((acm_cmd_fd = open("/proc/xen/privcmd", O_RDONLY)) <= 0) {
-        printf("ERROR: Could not open xen privcmd device!\n");
-        exit(-1);
-    }
-
-    ret = acm_get_decision(acm_cmd_fd, argc, argv);
-
-    printf("Decision: %s (%d)\n",
-           (ret == ACM_ACCESS_PERMITTED) ? "PERMITTED" :
-           ((ret == ACM_ACCESS_DENIED) ? "DENIED" : "ERROR"), ret);
-
-    close(acm_cmd_fd);
-    return ret;
-}
diff -r 65ce9bf4a86f -r 37da8dd5d43e tools/security/getlabel.sh
--- a/tools/security/getlabel.sh        Mon Apr 24 10:52:19 2006 +0100
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,94 +0,0 @@
-#!/bin/sh
-# *
-# * getlabel
-# *
-# * Copyright (C) 2005 IBM Corporation
-# *
-# * Authors:
-# * Stefan Berger <stefanb@xxxxxxxxxx>
-# *
-# * This program is free software; you can redistribute it and/or
-# * modify it under the terms of the GNU General Public License as
-# * published by the Free Software Foundation, version 2 of the
-# * License.
-# *
-# * 'getlabel' tries to find the labels corresponding to the ssidref
-# *
-# * 'getlabel -?' shows the usage of the program
-# *
-# * 'getlabel -sid <ssidref> [<policy name>]' lists the label corresponding
-# *                              to the given ssidref.
-# *
-# * 'getlabel -dom <domain id> [<policy name>]' lists the label of the
-# *                              domain with given id
-# *
-#
-
-if [ -z "$runbash" ]; then
-       runbash="1"
-       export runbash
-       exec sh -c "bash $0 $*"
-fi
-
-
-export PATH=$PATH:.
-dir=`dirname $0`
-source $dir/labelfuncs.sh
-
-usage ()
-{
-       prg=`basename $0`
-echo "Use this tool to display the label of a domain or the label that is
-corresponding to an ssidref given the name of the running policy.
-
-Usage: $prg -sid <ssidref> [<policy name> [<policy dir>]] or
-       $prg -dom <domid>   [<policy name> [<policy dir>]]
-
-policy name : the name of the policy, i.e. 'chwall'
-              If the policy name is omitted, the grub.conf
-              entry of the running system is tried to be read
-              and the policy name determined from there.
-policy dir  : the directory where the <policy name> policy is located
-              The default location is '/etc/xen/acm-security/policies'
-ssidref     : an ssidref in hex or decimal format, i.e., '0x00010002'
-              or '65538'
-domid       : id of the domain, i.e., '1'; Use numbers from the 2nd
-              column shown when invoking 'xm list'
-"
-}
-
-
-
-if [ "$1" == "-h" ]; then
-       usage
-       exit 0
-elif [ "$1" == "-dom" ]; then
-       mode="domid"
-       shift
-elif [ "$1" == "-sid" ]; then
-       mode="sid"
-       shift
-else
-       usage
-       exit -1
-fi
-
-setPolicyVars $2 $3
-findMapFile $policy $policydir
-ret=$?
-if [ $ret -eq 0 ]; then
-       echo "Could not find map file for policy '$policy'."
-       exit -1
-fi
-
-if [ "$mode" == "domid" ]; then
-       getSSIDUsingSecpolTool $1
-       ret=$?
-       if [ $ret -eq 0 ]; then
-               echo "Could not determine the SSID of the domain."
-               exit -1
-       fi
-       translateSSIDREF $ssid $mapfile
-else # mode == sid
-       translateSSIDREF $1 $mapfile
-fi
diff -r 65ce9bf4a86f -r 37da8dd5d43e tools/security/labelfuncs.sh
--- a/tools/security/labelfuncs.sh      Mon Apr 24 10:52:19 2006 +0100
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,799 +0,0 @@
-# *
-# * labelfuncs.sh
-# *
-# * Copyright (C) 2005 IBM Corporation
-# *
-# * Authors:
-# * Stefan Berger <stefanb@xxxxxxxxxx>
-# *
-# * This program is free software; you can redistribute it and/or
-# * modify it under the terms of the GNU General Public License as
-# * published by the Free Software Foundation, version 2 of the
-# * License.
-# *
-# *
-# * A collection of functions to handle polcies, mapfiles,
-# * and ssidrefs.
-#
-
-
-#Some global variables for tools using this module
-ACM_DEFAULT_ROOT="/etc/xen/acm-security"
-
-# Set the policy and policydir variables
-# Parameters:
-# 1st : possible policy name
-# 2nd : possible policy directory
-# Results:
-# The variables policy and policydir will hold the values for locating
-# policy information
-# If there are no errors, the functions returns a '1',
-# a '0' otherwise.
-setPolicyVars ()
-{
-       local ret
-       # Set default values
-       policydir="$ACM_DEFAULT_ROOT/policies"
-       policy=""
-
-       if [ "$1" == "" ]; then
-               findGrubConf
-               ret=$?
-               if [ $ret -eq 0 ]; then
-                       echo "Could not find grub.conf."
-                       return 0;
-               fi
-               findPolicyInGrub $grubconf
-               if [ "$policy" == "" ]; then
-                       echo "Could not find policy in grub.conf. Looked for 
entry using kernel $linux."
-                       return 0;
-               fi
-               echo "Assuming policy to be '$policy'.";
-       else
-               policy=$1
-               if [ "$2" != "" ]; then
-                       policydir=$2
-               fi
-       fi
-
-       return 1
-}
-
-# Find the mapfile given a policy nmame
-# Parameters:
-# 1st : the name of the policy whose map file is to be found, i.e.,
-#       chwall
-# 2nd : the policy directory for locating the map file
-# Results:
-# The variable mapfile will hold the realtive path to the mapfile
-# for the given policy.
-# In case the mapfile could be found, the functions returns a '1',
-# a '0' otherwise.
-findMapFile ()
-{
-       mapfile="$2/$1/$1.map"
-       if [ -r "$mapfile" ]; then
-               return 1
-       fi
-       return 0
-}
-
-
-# Determine the name of the primary policy
-# Parameters
-# 1st : the path to the mapfile; the path may be relative
-#       to the current directory
-# Results
-# The variable primary will hold the name of the primary policy
-getPrimaryPolicy ()
-{
-       local mapfile=$1
-       primary=`cat $mapfile  |   \
-                awk '             \
-                 {                \
-                   if ( $1 == "PRIMARY" ) { \
-                     res=$2;                \
-                   }                        \
-                 } END {                    \
-                   print res;               \
-                 } '`
-}
-
-
-# Determine the name of the secondary policy
-# Parameters
-# 1st : the path to the mapfile; the path may be relative
-#       to the current directory
-# Results
-# The variable secondary will hold the name of the secondary policy
-getSecondaryPolicy ()
-{
-       local mapfile=$1
-       secondary=`cat $mapfile  |   \
-                awk '             \
-                 {                \
-                   if ( $1 == "SECONDARY" ) { \
-                     res=$2;                \
-                   }                        \
-                 } END {                    \
-                   print res;               \
-                 } '`
-}
-
-
-#Return where the grub.conf file is.
-#I only know of one place it can be.
-#Returns:
-# 1 : if the file is writeable and readable
-# 2 : if the file is only readable
-# 0 : if the file does not exist
-findGrubConf()
-{
-       grubconf="/boot/grub/grub.conf"
-       if [ -w $grubconf ]; then
-               return 1
-       fi
-       if [ -r $grubconf ]; then
-               return 2
-       fi
-       return 0
-}
-
-
-# This function sets the global variable 'linux'
-# to the name and version of the Linux kernel that was compiled
-# for domain 0.
-# If this variable could not be found, the variable 'linux'
-# will hold a pattern
-# Parameters:
-# 1st: the path to reach the root directory of the XEN build tree
-#      where linux-*-xen is located at
-# Results:
-# The variable linux holds then name and version of the compiled
-# kernel, i.e., 'vmlinuz-2.6.12-xen'
-getLinuxVersion ()
-{
-       local path
-       local versionfile
-       local lnx
-       if [ "$1" == "" ]; then
-               path="/lib/modules/*-xen"
-       else
-               path="/lib/modules/$1"
-       fi
-
-       linux=""
-       for f in $path ; do
-               versionfile=$f/build/include/linux/version.h
-               if [ -r $versionfile ]; then
-                       lnx=`cat $versionfile | \
-                            grep UTS_RELEASE | \
-                            awk '{             \
-                              len=length($3);  \
-                              version=substr($3,2,len-2);     \
-                              split(version,numbers,".");     \
-                              if (numbers[4]=="") {           \
-                                printf("%s.%s.%s",            \
-                                        numbers[1],           \
-                                        numbers[2],           \
-                                        numbers[3]);          \
-                              } else {                        \
-                                printf("%s.%s.%s[.0-9]*-xen", \
-                                       numbers[1],            \
-                                       numbers[2],            \
-                                       numbers[3]);           \
-                              }                               \
-                            }'`
-               fi
-               if [ "$lnx" != "" ]; then
-                       linux="[./0-9a-zA-z]*$lnx"
-                       return;
-               fi
-       done
-
-       #Last resort.
-       linux="vmlinuz-2.[45678].[0-9]*[.0-9]*-xen$"
-}
-
-
-# Find out with which policy the hypervisor was booted with.
-# Parameters
-# 1st : The complete path to grub.conf, i.e., /boot/grub/grub.conf
-# Result:
-# Sets the variable 'policy' to the name of the policy
-findPolicyInGrub ()
-{
-       local grubconf=$1
-       local linux=`uname -r`
-       policy=`cat $grubconf |                        \
-                awk -vlinux=$linux '{                 \
-                  if ( $1 == "title" ) {              \
-                    kernelfound = 0;                  \
-                    policymaycome = 0;                \
-                  }                                   \
-                  else if ( $1 == "kernel" ) {        \
-                    if ( match($2,"xen.gz$") ) {      \
-                      pathlen=RSTART;                 \
-                      kernelfound = 1;                \
-                    }                                 \
-                  }                                   \
-                  else if ( $1 == "module" &&         \
-                            kernelfound == 1 &&       \
-                            match($2,linux) ) {       \
-                     policymaycome = 1;               \
-                  }                                   \
-                  else if ( $1 == "module" &&         \
-                            kernelfound == 1 &&       \
-                            policymaycome == 1 &&     \
-                            match($2,"[0-9a-zA-Z_]*.bin$") ) { \
-                     policymaycome = 0;               \
-                     kernelfound = 0;                 \
-                     polname = substr($2,pathlen);    \
-                     len=length(polname);             \
-                     polname = substr(polname,0,len-4); \
-                  }                                   \
-                } END {                               \
-                  print polname                       \
-                }'`
-}
-
-
-# Get the SSID of a domain
-# Parameters:
-# 1st : domain ID, i.e. '1'
-# Results
-# If the ssid could be found, the variable 'ssid' will hold
-# the currently used ssid in the hex format, i.e., '0x00010001'.
-# The funtion returns '1' on success, '0' on failure
-getSSIDUsingSecpolTool ()
-{
-       local domid=$1
-       export PATH=$PATH:.
-       ssid=`xensec_tool getssid -d $domid -f | \
-               grep -E "SSID:" |          \
-               awk '{ print $4 }'`
-
-       if [ "$ssid" != "" ]; then
-               return 1
-       fi
-       return 0
-}
-
-
-# Break the ssid identifier into its high and low values,
-# which are equal to the secondary and primary policy references.
-# Parameters:
-# 1st: ssid to break into high and low value, i.e., '0x00010002'
-# Results:
-# The variable ssidlo_int and ssidhi_int will hold the low and
-# high ssid values as integers.
-getSSIDLOHI ()
-{
-       local ssid=$1
-       ssidlo_int=`echo $ssid | awk          \
-                   '{                        \
-                      len=length($0);        \
-                      beg=substr($0,1,2);    \
-                      if ( beg == "0x" ) {   \
-                          dig = len - 2;     \
-                          if (dig <= 0) {    \
-                            exit;            \
-                          }                  \
-                          if (dig > 4) {     \
-                            dig=4;           \
-                          }                  \
-                          lo=sprintf("0x%s",substr($0,len-dig+1,dig)); \
-                          print strtonum(lo);\
-                      } else {               \
-                          lo=strtonum($0);   \
-                          if (lo < 65536) {  \
-                            print lo;        \
-                          } else {           \
-                            hi=lo;           \
-                            hi2= (hi / 65536);\
-                            hi2_str=sprintf("%d",hi2); \
-                            hi2=strtonum(hi2_str);\
-                            lo=hi-(hi2*65536); \
-                            printf("%d",lo); \
-                          }                  \
-                       }                     \
-                   }'`
-       ssidhi_int=`echo $ssid | awk          \
-                   '{                        \
-                      len=length($0);        \
-                      beg=substr($0,1,2);    \
-                      if ( beg == "0x" ) {   \
-                          dig = len - 2;     \
-                          if (dig <= 0 ||    \
-                            dig >  8) {      \
-                            exit;            \
-                          }                  \
-                          if (dig < 4) {     \
-                            print 0;         \
-                            exit;            \
-                          }                  \
-                          dig -= 4;          \
-                          hi=sprintf("0x%s",substr($0,len-4-dig+1,dig)); \
-                          print strtonum(hi);\
-                      } else {               \
-                          hi=strtonum($0);   \
-                          if (hi >= 65536) { \
-                            hi = hi / 65536; \
-                            printf ("%d",hi);\
-                          } else {           \
-                            printf ("0");    \
-                          }                  \
-                      }                      \
-                   }'`
-       if [ "$ssidhi_int" == "" -o \
-            "$ssidlo_int" == "" ]; then
-               return 0;
-       fi
-       return 1
-}
-
-
-#Update the grub configuration file.
-#Search for existing entries and replace the current
-#policy entry with the policy passed to this script
-#
-#Arguments passed to this function
-# 1st : the grub configuration file with full path
-# 2nd : the binary policy file name, i.e. chwall.bin
-# 3rd : the name or pattern of the linux kernel name to match
-#       (this determines where the module entry will be made)
-#
-# The algorithm here is based on pattern matching
-# and is working correctly if
-# - under a title a line beginning with 'kernel' is found
-#   whose following item ends with "xen.gz"
-#   Example:  kernel /xen.gz dom0_mem=....
-# - a module line matching the 3rd parameter is found
-#
-updateGrub ()
-{
-       local grubconf=$1
-       local policyfile=$2
-       local linux=$3
-
-       local tmpfile="/tmp/new_grub.conf"
-
-       cat $grubconf |                                \
-                awk -vpolicy=$policyfile              \
-                    -vlinux=$linux '{                 \
-                  if ( $1 == "title" ) {              \
-                    kernelfound = 0;                  \
-                    if ( policymaycome == 1 ){        \
-                      printf ("\tmodule %s%s\n", path, policy);      \
-                    }                                 \
-                    policymaycome = 0;                \
-                  }                                   \
-                  else if ( $1 == "kernel" ) {        \
-                    if ( match($2,"xen.gz$") ) {      \
-                      path=substr($2,1,RSTART-1);     \
-                      kernelfound = 1;                \
-                    }                                 \
-                  }                                   \
-                  else if ( $1 == "module" &&         \
-                            kernelfound == 1 &&       \
-                            match($2,linux) ) {       \
-                     policymaycome = 1;               \
-                  }                                   \
-                  else if ( $1 == "module" &&         \
-                            kernelfound == 1 &&       \
-                            policymaycome == 1 &&     \
-                            match($2,"[0-9a-zA-Z]*.bin$") ) { \
-                     printf ("\tmodule %s%s\n", path, policy); \
-                     policymaycome = 0;               \
-                     kernelfound = 0;                 \
-                     dontprint = 1;                   \
-                  }                                   \
-                  else if ( $1 == "" &&               \
-                            kernelfound == 1 &&       \
-                            policymaycome == 1) {     \
-                     dontprint = 1;                   \
-                  }                                   \
-                  if (dontprint == 0) {               \
-                    printf ("%s\n", $0);              \
-                  }                                   \
-                  dontprint = 0;                      \
-                } END {                               \
-                  if ( policymaycome == 1 ) {         \
-                    printf ("\tmodule %s%s\n", path, policy);  \
-                  }                                   \
-                }' > $tmpfile
-       if [ ! -r $tmpfile ]; then
-               echo "Could not create temporary file! Aborting."
-               exit -1
-       fi
-       diff $tmpfile $grubconf > /dev/null
-       RES=$?
-       if [ "$RES" == "0" ]; then
-               echo "No changes were made to $grubconf."
-       else
-               echo "Successfully updated $grubconf."
-               mv -f $tmpfile $grubconf
-       fi
-}
-
-
-#Compile a policy into its binary representation
-# Parameters:
-# 1st: The directory where the ./policies directory is located at
-# 2nd: The name of the policy
-genBinPolicy ()
-{
-       local root=$1
-       local policy=$2
-       pushd $root > /dev/null
-       xensec_xml2bin -d policies $policy > /dev/null
-       popd > /dev/null
-}
-
-
-# Copy the bootpolicy into the destination directory
-# Generate the policy's .bin and .map files if necessary
-# Parameters:
-# 1st: Destination directory
-# 2nd: The root directory of the security tools; this is where the
-#      policies directory is located at
-# 3rd: The policy name
-# Returns  '1' on success, '0' on failure.
-cpBootPolicy ()
-{
-       local dest=$1
-       local root=$2
-       local policy=$3
-       local binfile=$root/policies/$policy/$policy.bin
-       local dstfile=$dest/$policy.bin
-       if [ ! -e $binfile ]; then
-               genBinPolicy $root $policy
-               if [ ! -e $binfile ]; then
-                       echo "Could not compile policy '$policy'."
-                       return 0
-               fi
-       fi
-
-       if [ ! -e $dstfile -o \
-            $binfile -nt $dstfile ]; then
-               cp -f $binfile $dstfile
-       fi
-       return 1
-}
-
-
-# Display all the labels in a given mapfile
-# Parameters
-# 1st: Full or relative path to the policy's mapfile
-showLabels ()
-{
-       local mapfile=$1
-       local line
-       local ITEM
-       local found=0
-
-       if [ ! -r "$mapfile" -o "$mapfile" == "" ]; then
-               echo "Cannot read from vm configuration file $vmfile."
-               return -1
-       fi
-
-       getPrimaryPolicy $mapfile
-       getSecondaryPolicy $mapfile
-
-       echo "The following labels are available:"
-       let line=1
-       while [ 1 ]; do
-               ITEM=`cat $mapfile |         \
-                     awk -vline=$line       \
-                         -vprimary=$primary \
-                     '{                     \
-                        if ($1 == "LABEL->SSID" &&  \
-                            $2 == "VM" &&           \
-                            $3 == primary ) {       \
-                          ctr++;                    \
-                          if (ctr == line) {        \
-                            print $4;               \
-                          }                         \
-                        }                           \
-                      } END {                       \
-                      }'`
-
-               if [ "$ITEM" == "" ]; then
-                       break
-               fi
-               if [ "$secondary" != "NULL" ]; then
-                       LABEL=`cat $mapfile |     \
-                              awk -vitem=$ITEM   \
-                              '{
-                                 if ($1 == "LABEL->SSID" && \
-                                     $2 == "VM" &&          \
-                                     $3 == "CHWALL" &&      \
-                                     $4 == item ) {         \
-                                   result = item;           \
-                                 }                          \
-                               } END {                      \
-                                   print result             \
-                               }'`
-               else
-                       LABEL=$ITEM
-               fi
-
-               if [ "$LABEL" != "" ]; then
-                       echo "$LABEL"
-                       found=1
-               fi
-               let line=line+1
-       done
-       if [ "$found" != "1" ]; then
-               echo "No labels found."
-       fi
-}
-
-
-# Get the default SSID given a mapfile and the policy name
-# Parameters
-# 1st: Full or relative path to the policy's mapfile
-# 2nd: the name of the policy
-getDefaultSsid ()
-{
-       local mapfile=$1
-       local pol=$2
-       RES=`cat $mapfile    \
-            awk -vpol=$pol  \
-             {              \
-               if ($1 == "LABEL->SSID" && \
-                   $2 == "ANY"         && \
-                   $3 == pol           && \
-                   $4 == "DEFAULT"       ) {\
-                     res=$5;                \
-               }                            \
-             } END {                        \
-               printf "%04x", strtonum(res) \
-            }'`
-       echo "default NULL mapping is $RES"
-       defaultssid=$RES
-}
-
-
-#Relabel a VM configuration file
-# Parameters
-# 1st: Full or relative path to the VM configuration file
-# 2nd: The label to translate into an ssidref
-# 3rd: Full or relative path to the policy's map file
-# 4th: The mode this function is supposed to operate in:
-#      'relabel' : Relabels the file without querying the user
-#      other     : Prompts the user whether to proceed
-relabel ()
-{
-       local vmfile=$1
-       local label=$2
-       local mapfile=$3
-       local mode=$4
-       local SSIDLO
-       local SSIDHI
-       local RES
-
-       if [ ! -r "$vmfile" ]; then
-               echo "Cannot read from vm configuration file $vmfile."
-               return -1
-       fi
-
-       if [ ! -w "$vmfile" ]; then
-               echo "Cannot write to vm configuration file $vmfile."
-               return -1
-       fi
-
-       if [ ! -r "$mapfile" ] ; then
-               echo "Cannot read mapping file $mapfile."
-               return -1
-       fi
-
-       # Determine which policy is primary, which sec.
-       getPrimaryPolicy $mapfile
-       getSecondaryPolicy $mapfile
-
-       # Calculate the primary policy's SSIDREF
-       if [ "$primary" == "NULL" ]; then
-               SSIDLO="0001"
-       else
-               SSIDLO=`cat $mapfile |                    \
-                       awk -vlabel=$label                \
-                           -vprimary=$primary            \
-                          '{                             \
-                             if ( $1 == "LABEL->SSID" && \
-                                  $2 == "VM" &&          \
-                                  $3 == primary  &&      \
-                                  $4 == label ) {        \
-                               result=$5                 \
-                             }                           \
-                          } END {                        \
-                            if (result != "" )           \
-                              {printf "%04x", strtonum(result)}\
-                          }'`
-       fi
-
-       # Calculate the secondary policy's SSIDREF
-       if [ "$secondary" == "NULL" ]; then
-               if [ "$primary" == "NULL" ]; then
-                       SSIDHI="0001"
-               else
-                       SSIDHI="0000"
-               fi
-       else
-               SSIDHI=`cat $mapfile |                    \
-                       awk -vlabel=$label                \
-                           -vsecondary=$secondary        \
-                          '{                             \
-                             if ( $1 == "LABEL->SSID" && \
-                                  $2 == "VM"          && \
-                                  $3 == secondary     && \
-                                  $4 == label ) {        \
-                               result=$5                 \
-                             }                           \
-                           }  END {                      \
-                             if (result != "" )          \
-                               {printf "%04x", strtonum(result)}\
-                           }'`
-       fi
-
-       if [ "$SSIDLO" == "" -o \
-            "$SSIDHI" == "" ]; then
-               echo "Could not map the given label '$label'."
-               return -1
-       fi
-
-       ACM_POLICY=`cat $mapfile |             \
-           awk ' { if ( $1 == "POLICY" ) {    \
-                     result=$2                \
-                   }                          \
-                 }                            \
-                 END {                        \
-                   if (result != "") {        \
-                     printf result            \
-                   }                          \
-                 }'`
-
-       if [ "$ACM_POLICY" == "" ]; then
-               echo "Could not find 'POLICY' entry in map file."
-               return -1
-       fi
-
-       SSIDREF="0x$SSIDHI$SSIDLO"
-
-       if [ "$mode" != "relabel" ]; then
-               RES=`cat $vmfile |  \
-                    awk '{         \
-                      if ( substr($1,0,7) == "ssidref" ) {\
-                        print $0;             \
-                      }                       \
-                    }'`
-               if [ "$RES" != "" ]; then
-                       echo "Do you want to overwrite the existing mapping 
($RES)? (y/N)"
-                       read user
-                       if [ "$user" != "y" -a "$user" != "Y" ]; then
-                               echo "Aborted."
-                               return 0
-                       fi
-               fi
-       fi
-
-       #Write the output
-       local vmtmp1="/tmp/__setlabel.tmp1"
-       local vmtmp2="/tmp/__setlabel.tmp2"
-       touch $vmtmp1
-       touch $vmtmp2
-       if [ ! -w "$vmtmp1" -o ! -w "$vmtmp2" ]; then
-               echo "Cannot create temporary files. Aborting."
-               return -1
-       fi
-       RES=`sed -e '/^#ACM_POLICY/d' $vmfile > $vmtmp1`
-       RES=`sed -e '/^#ACM_LABEL/d' $vmtmp1 > $vmtmp2`
-       RES=`sed -e '/^ssidref/d' $vmtmp2 > $vmtmp1`
-       echo "#ACM_POLICY=$ACM_POLICY" >> $vmtmp1
-       echo "#ACM_LABEL=$label" >> $vmtmp1
-       echo "ssidref = $SSIDREF" >> $vmtmp1
-       mv -f $vmtmp1 $vmfile
-       rm -rf $vmtmp1 $vmtmp2
-       echo "Mapped label '$label' to ssidref '$SSIDREF'."
-}
-
-
-# Translate an ssidref into its label. This does the reverse lookup
-# to the relabel function above.
-# This function displays the results.
-# Parameters:
-# 1st: The ssidref to translate; must be in the form '0x00010002'
-# 2nd: Full or relative path to the policy's mapfile
-translateSSIDREF ()
-{
-       local ssidref=$1
-       local mapfile=$2
-       local line1
-       local line2
-
-       if [ ! -r "$mapfile" -o "$mapfile" == "" ]; then
-               echo "Cannot read from vm configuration file $vmfile."
-               return -1
-       fi
-
-       getPrimaryPolicy $mapfile
-       getSecondaryPolicy $mapfile
-
-       if [ "$primary" == "NULL" -a "$secondary" == "NULL" ]; then
-               echo "There are no labels for the NULL policy."
-               return
-       fi
-
-       getSSIDLOHI $ssidref
-       ret=$?
-       if [ $ret -ne 1 ]; then
-               echo "Error while parsing the ssid ref number '$ssidref'."
-       fi;
-
-       let line1=0
-       let line2=0
-       while [ 1 ]; do
-               ITEM1=`cat $mapfile |                       \
-                     awk -vprimary=$primary                \
-                         -vssidlo=$ssidlo_int              \
-                         -vline=$line1                     \
-                     '{                                    \
-                        if ( $1 == "LABEL->SSID" &&        \
-                             $3 == primary &&              \
-                             int($5) == ssidlo     ) {     \
-                            if (l == line) {               \
-                                print $4;                  \
-                                exit;                      \
-                            }                              \
-                            l++;                           \
-                        }                                  \
-                      }'`
-
-               ITEM2=`cat $mapfile |                       \
-                     awk -vsecondary=$secondary            \
-                         -vssidhi=$ssidhi_int              \
-                         -vline=$line2                     \
-                     '{                                    \
-                        if ( $1 == "LABEL->SSID" &&        \
-                             $3 == secondary &&            \
-                             int($5) == ssidhi     ) {     \
-                            if (l == line) {               \
-                                print $4;                  \
-                                exit;                      \
-                            }                              \
-                            l++;                           \
-                        }                                  \
-                      }'`
-
-               if [ "$secondary" != "NULL" ]; then
-                       if [ "$ITEM1" == "" ]; then
-                               let line1=0
-                               let line2=line2+1
-                       else
-                               let line1=line1+1
-                       fi
-
-                       if [ "$ITEM1" == "" -a \
-                            "$ITEM2" == "" ]; then
-                               echo "Could not determine the referenced label."
-                               break
-                       fi
-
-                       if [ "$ITEM1" == "$ITEM2" ]; then
-                               echo "Label: $ITEM1"
-                               break
-                       fi
-               else
-                       if [ "$ITEM1" != "" ]; then
-                               echo "Label: $ITEM1"
-                       else
-                               if [ "$found" == "0" ]; then
-                                       found=1
-                               else
-                                       break
-                               fi
-                       fi
-                       let line1=line1+1
-               fi
-       done
-}
diff -r 65ce9bf4a86f -r 37da8dd5d43e tools/security/setlabel.sh
--- a/tools/security/setlabel.sh        Mon Apr 24 10:52:19 2006 +0100
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,106 +0,0 @@
-#!/bin/sh
-# *
-# * setlabel
-# *
-# * Copyright (C) 2005 IBM Corporation
-# *
-# * Authors:
-# * Stefan Berger <stefanb@xxxxxxxxxx>
-# *
-# * This program is free software; you can redistribute it and/or
-# * modify it under the terms of the GNU General Public License as
-# * published by the Free Software Foundation, version 2 of the
-# * License.
-# *
-# * 'setlabel' labels virtual machine (domain) configuration files with
-# * security identifiers that can be enforced in Xen.
-# *
-# * 'setlabel -?' shows the usage of the program
-# *
-# * 'setlabel -l vmconfig-file' lists all available labels (only VM
-# *            labels are used right now)
-# *
-# * 'setlabel vmconfig-file security-label map-file' inserts the 'ssidref'
-# *                       that corresponds to the security-label under the
-# *                       current policy (if policy changes, 'label'
-# *                       must be re-run over the configuration files;
-# *                       map-file is created during policy translation and
-# *                       is found in the policy's directory
-#
-
-if [ -z "$runbash" ]; then
-       runbash="1"
-       export runbash
-       exec sh -c "bash $0 $*"
-fi
-
-export PATH=$PATH:.
-dir=`dirname $0`
-source $dir/labelfuncs.sh
-
-usage ()
-{
-       prg=`basename $0`
-echo "Use this tool to put the ssidref corresponding to a label of a policy 
into
-the VM configuration file, or use it to display all labels of a policy.
-
-Usage: $prg [-r] <vmfile> <label> [<policy name> [<policy dir>]] or
-       $prg -l [<policy name> [<policy dir>]]
-
--r          : to relabel a file without being prompted
--l          : to show the valid labels in a map file
-vmfile      : XEN vm configuration file; give complete path
-label       : the label to map to an ssidref
-policy name : the name of the policy, i.e. 'chwall'
-              If the policy name is omitted, it is attempted
-              to find the current policy's name in grub.conf.
-policy dir  : the directory where the <policy name> policy is located
-              The default location is '/etc/xen/acm-security/policies'
-"
-}
-
-if [ "$1" == "-r" ]; then
-       mode="relabel"
-       shift
-elif [ "$1" == "-l" ]; then
-       mode="show"
-       shift
-elif [ "$1" == "-h" ]; then
-       mode="usage"
-fi
-
-if [ "$mode" == "usage" ]; then
-       usage
-elif [ "$mode" == "show" ]; then
-       setPolicyVars $1 $2
-       ret=$?
-       if [ $ret -eq 0 ]; then
-               echo "Error when trying to find policy-related information."
-               exit -1
-       fi
-       findMapFile $policy $policydir
-       ret=$?
-       if [ $ret -eq 0 ]; then
-               echo "Could not find map file for policy '$policy'."
-               exit -1
-       fi
-       showLabels $mapfile
-else
-       if [ "$2" == "" ]; then
-               usage
-               exit -1
-       fi
-       setPolicyVars $3 $4
-       ret=$?
-       if [ $ret -eq 0 ]; then
-               echo "Error when trying to find policy-related information."
-               exit -1
-       fi
-       findMapFile $policy $policydir
-       ret=$?
-       if [ $ret -eq 0 ]; then
-               echo "Could not find map file for policy '$policy'."
-               exit -1
-       fi
-       relabel $1 $2 $mapfile $mode
-fi
diff -r 65ce9bf4a86f -r 37da8dd5d43e tools/security/updategrub.sh
--- a/tools/security/updategrub.sh      Mon Apr 24 10:52:19 2006 +0100
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,90 +0,0 @@
-#!/bin/sh
-# *
-# * updategrub
-# *
-# * Copyright (C) 2005 IBM Corporation
-# *
-# * Authors:
-# * Stefan Berger <stefanb@xxxxxxxxxx>
-# *
-# * This program is free software; you can redistribute it and/or
-# * modify it under the terms of the GNU General Public License as
-# * published by the Free Software Foundation, version 2 of the
-# * License.
-# *
-# *
-#
-
-if [ -z "$runbash" ]; then
-       runbash="1"
-       export runbash
-       exec sh -c "bash $0 $*"
-       exit
-fi
-
-dir=`dirname $0`
-source $dir/labelfuncs.sh
-
-acmroot=$ACM_DEFAULT_ROOT
-
-
-# Show usage of this program
-usage ()
-{
-       prg=`basename $0`
-echo "Use this tool to add the binary policy to the Xen grub entry and
-have Xen automatically enforce the policy when starting.
-
-Usage: $prg [-d <policies root>] <policy name> [<kernel version>]
-
-<policies root>  : The directory where the policies directory is located in;
-                   default is $acmroot
-<policy name>    : The name of the policy, i.e. xen_null
-<kernel version> : The version of the kernel to apply the policy
-                   against, i.e. 2.6.16-xen
-                   If not specified, a kernel version ending with '-xen'
-                   will be searched for in '/lib/modules'
-"
-}
-
-
-
-if [ "$1" == "-h" ]; then
-       usage
-       exit 0
-elif [ "$1" == "-d" ]; then
-       shift
-       acmroot=$1
-       shift
-fi
-
-if [ "$1" == "" ]; then
-       echo "Error: Not enough command line parameters."
-       echo ""
-       usage
-       exit -1
-fi
-
-
-policy=$1
-policyfile=$policy.bin
-
-getLinuxVersion $2
-
-findGrubConf
-ret=$?
-if [ $ret -eq 0 ]; then
-       echo "Could not find grub.conf."
-       exit -1
-elif [ $ret -eq 2 ]; then
-       echo "Need to have write-access to $grubconf. Exiting."
-       exit -1
-fi
-
-cpBootPolicy /boot $acmroot $policy
-ret=$?
-if [ $ret -ne 1 ]; then
-       echo "Error copying or generating the binary policy."
-       exit -1
-fi
-updateGrub $grubconf $policyfile $linux

