This patch adds support for the simplified policies to the policy
translation tools.
Signed-off by: Reiner Sailer <sailer@xxxxxxxxxx>
---
tools/security/Makefile | 24 -
tools/security/secpol_tool.c | 199 ++----------
tools/security/secpol_xml2bin.c | 624 +++++++++++++++++++---------------------
tools/security/secpol_xml2bin.h | 179 ++++++-----
4 files changed, 437 insertions(+), 589 deletions(-)
Index: xen-unstable.hg-shype/tools/security/Makefile
===================================================================
--- xen-unstable.hg-shype.orig/tools/security/Makefile
+++ xen-unstable.hg-shype/tools/security/Makefile
@@ -30,28 +30,23 @@ SRCS_TOOL = secpol_tool.c
OBJS_TOOL := $(patsubst %.c,%.o,$(filter %.c,$(SRCS_TOOL)))
SRCS_XML2BIN = secpol_xml2bin.c secpol_xml2bin.h
OBJS_XML2BIN := $(patsubst %.c,%.o,$(filter %.c,$(SRCS_XML2BIN)))
-SRCS_GETD = get_decision.c
-OBJS_GETD := $(patsubst %.c,%.o,$(filter %.c,$(SRCS_GETD)))
ACM_INST_TOOLS = xensec_tool xensec_xml2bin xensec_gen
-ACM_NOINST_TOOLS = get_decision
ACM_OBJS = $(OBJS_TOOL) $(OBJS_XML2BIN) $(OBJS_GETD)
-ACM_SCRIPTS = getlabel.sh setlabel.sh updategrub.sh labelfuncs.sh
+ACM_SCRIPTS = python/xensec_tools/acm_getlabel
python/xensec_tools/acm_getdecision
ACM_CONFIG_DIR = /etc/xen/acm-security
ACM_POLICY_DIR = $(ACM_CONFIG_DIR)/policies
ACM_SCRIPT_DIR = $(ACM_CONFIG_DIR)/scripts
ACM_INST_HTML = python/xensec_gen/index.html
-ACM_INST_CGI = python/xensec_gen/cgi-bin/policy.cgi \
- python/xensec_gen/cgi-bin/policylabel.cgi
+ACM_INST_CGI = python/xensec_gen/cgi-bin/policy.cgi
ACM_SECGEN_HTMLDIR= /var/lib/xensec_gen
ACM_SECGEN_CGIDIR = $(ACM_SECGEN_HTMLDIR)/cgi-bin
ACM_SCHEMA = security_policy.xsd
-ACM_EXAMPLES = null chwall ste chwall_ste
+ACM_EXAMPLES = chwall ste chwall_ste
ACM_POLICY_SUFFIX = security_policy.xml
-ACM_LABEL_SUFFIX = security_label_template.xml
ifeq ($(ACM_SECURITY),y)
.PHONY: all
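Review bot: `ACM_OBJS = $(OBJS_TOOL) $(OBJS_XML2BIN) $(OBJS_GETD)` still expands `$(OBJS_GETD)` although this hunk deletes the `SRCS_GETD`/`OBJS_GETD` definitions, so the reference is now undefined and silently expands to nothing (and warns under `--warn-undefined-variables`); it should read `ACM_OBJS = $(OBJS_TOOL) $(OBJS_XML2BIN)`. The new `ACM_SCRIPTS` entries `python/xensec_tools/acm_getlabel` and `python/xensec_tools/acm_getdecision` are later handed to `$(INSTALL_PROG)` but no rule in this file produces them, so they are presumably checked-in executables; a one-line comment above the assignment saying so would save the next reader a search. The `ifeq ($(ACM_SECURITY),y)` conditional opened at the end of this hunk closes outside it.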
@@ -64,10 +59,10 @@ install: all $(ACM_CONFIG_FILE)
$(INSTALL_DIR) -p $(DESTDIR)$(ACM_CONFIG_DIR)
$(INSTALL_DIR) -p $(DESTDIR)$(ACM_POLICY_DIR)
$(INSTALL_DATA) -p policies/$(ACM_SCHEMA) $(DESTDIR)$(ACM_POLICY_DIR)
+ $(INSTALL_DIR) -p $(DESTDIR)$(ACM_POLICY_DIR)/example
for i in $(ACM_EXAMPLES); do \
- $(INSTALL_DIR) -p $(DESTDIR)$(ACM_POLICY_DIR)/$$i; \
- $(INSTALL_DATA) -p policies/$$i/$$i-$(ACM_POLICY_SUFFIX)
$(DESTDIR)$(ACM_POLICY_DIR)/$$i; \
- $(INSTALL_DATA) -p policies/$$i/$$i-$(ACM_LABEL_SUFFIX)
$(DESTDIR)$(ACM_POLICY_DIR)/$$i; \
+ $(INSTALL_DIR) -p $(DESTDIR)$(ACM_POLICY_DIR)/example/$$i; \
+ $(INSTALL_DATA) -p
policies/example/$$i/client_v1-$(ACM_POLICY_SUFFIX)
$(DESTDIR)$(ACM_POLICY_DIR)/example/$$i; \
done
$(INSTALL_DIR) -p $(DESTDIR)$(ACM_SCRIPT_DIR)
$(INSTALL_PROG) -p $(ACM_SCRIPTS) $(DESTDIR)$(ACM_SCRIPT_DIR)
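Review bot: Inside the new `for i in $(ACM_EXAMPLES)` body the `$(INSTALL_DIR)` and `$(INSTALL_DATA)` commands are joined with `;`, so a failed copy of `policies/example/$$i/client_v1-$(ACM_POLICY_SUFFIX)` neither stops the loop nor fails the recipe, whose exit status is that of the last command only; appending `|| exit 1` to each command in the loop makes `make install` fail on a missing example policy. The `client_v1-` name prefix is hard-coded inside the recipe while the other name components are variables; an `ACM_EXAMPLE_PREFIX = client_v1` next to `ACM_POLICY_SUFFIX` would keep the file naming in one place. The `install` recipe starts before this hunk.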
@@ -99,9 +94,6 @@ xensec_tool: $(OBJS_TOOL)
xensec_xml2bin: $(OBJS_XML2BIN)
$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^
-get_decision: $(OBJS_GETD)
- $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^
-
xensec_gen: xensec_gen.py
cp -f $^ $@
@@ -116,8 +108,4 @@ clean:
.PHONY: mrproper
mrproper: clean
-.PHONY: boot_install
-boot_install: install
- $(ACM_SCRIPT_DIR)/updategrub.sh $(POLICY) $(KERNEL_VERSION)
-
-include $(PROG_DEPS)
Index: xen-unstable.hg-shype/tools/security/secpol_tool.c
===================================================================
--- xen-unstable.hg-shype.orig/tools/security/secpol_tool.c
+++ xen-unstable.hg-shype/tools/security/secpol_tool.c
@@ -48,9 +48,7 @@ void usage(char *progname)
"ACTION is one of:\n"
"\t getpolicy\n"
"\t dumpstats\n"
- "\t loadpolicy <binary policy file>\n"
- "\t getssid -d <domainid> [-f]\n"
- "\t getssid -s <ssidref> [-f]\n", progname);
+ "\t loadpolicy <binary policy file>\n", progname);
exit(-1);
}
@@ -68,7 +66,7 @@ static inline int do_xen_hypercall(int x
(unsigned long) hypercall);
}
-static inline int do_acm_op(int xc_handle, struct acm_op * op)
+static inline int do_acm_op(int xc_handle, struct acm_op *op)
{
int ret = -1;
privcmd_hypercall_t hypercall;
@@ -78,15 +76,13 @@ static inline int do_acm_op(int xc_handl
hypercall.op = __HYPERVISOR_acm_op;
hypercall.arg[0] = (unsigned long) op;
- if (mlock(op, sizeof(*op)) != 0)
- {
+ if (mlock(op, sizeof(*op)) != 0) {
PERROR("Could not lock memory for Xen policy hypercall");
goto out1;
}
- if ((ret = do_xen_hypercall(xc_handle, &hypercall)) < 0)
- {
- printf( "ACM operation failed: errno=%d\n", errno );
+ if ((ret = do_xen_hypercall(xc_handle, &hypercall)) < 0) {
+ printf("ACM operation failed: errno=%d\n", errno);
if (errno == EACCES)
fprintf(stderr, "ACM operation failed -- need to"
" rebuild the user-space tool set?\n");
@@ -108,8 +104,7 @@ void acm_dump_chinesewall_buffer(void *b
int i, j;
- if (htonl(cwbuf->policy_code) != ACM_CHINESE_WALL_POLICY)
- {
+ if (htonl(cwbuf->policy_code) != ACM_CHINESE_WALL_POLICY) {
printf("CHINESE WALL POLICY CODE not found ERROR!!\n");
return;
}
@@ -129,8 +124,7 @@ void acm_dump_chinesewall_buffer(void *b
printf("\nSSID To CHWALL-Type matrix:\n");
ssids = (domaintype_t *) (buf + ntohl(cwbuf->chwall_ssid_offset));
- for (i = 0; i < ntohl(cwbuf->chwall_max_ssidrefs); i++)
- {
+ for (i = 0; i < ntohl(cwbuf->chwall_max_ssidrefs); i++) {
printf("\n ssidref%2x: ", i);
for (j = 0; j < ntohl(cwbuf->chwall_max_types); j++)
printf("%02x ",
@@ -139,8 +133,7 @@ void acm_dump_chinesewall_buffer(void *b
printf("\n\nConfict Sets:\n");
conflicts =
(domaintype_t *) (buf + ntohl(cwbuf->chwall_conflict_sets_offset));
- for (i = 0; i < ntohl(cwbuf->chwall_max_conflictsets); i++)
- {
+ for (i = 0; i < ntohl(cwbuf->chwall_max_conflictsets); i++) {
printf("\n c-set%2x: ", i);
for (j = 0; j < ntohl(cwbuf->chwall_max_types); j++)
printf("%02x ",
@@ -150,13 +143,11 @@ void acm_dump_chinesewall_buffer(void *b
printf("\n");
printf("\nRunning\nTypes: ");
- if (ntohl(cwbuf->chwall_running_types_offset))
- {
+ if (ntohl(cwbuf->chwall_running_types_offset)) {
running_types =
(domaintype_t *) (buf +
ntohl(cwbuf->chwall_running_types_offset));
- for (i = 0; i < ntohl(cwbuf->chwall_max_types); i++)
- {
+ for (i = 0; i < ntohl(cwbuf->chwall_max_types); i++) {
printf("%02x ", ntohs(running_types[i]));
}
printf("\n");
@@ -164,13 +155,12 @@ void acm_dump_chinesewall_buffer(void *b
printf("Not Reported!\n");
}
printf("\nConflict\nAggregate Set: ");
- if (ntohl(cwbuf->chwall_conflict_aggregate_offset))
- {
+ if (ntohl(cwbuf->chwall_conflict_aggregate_offset)) {
conflict_aggregate =
(domaintype_t *) (buf +
- ntohl(cwbuf->chwall_conflict_aggregate_offset));
- for (i = 0; i < ntohl(cwbuf->chwall_max_types); i++)
- {
+ ntohl(cwbuf->
+ chwall_conflict_aggregate_offset));
+ for (i = 0; i < ntohl(cwbuf->chwall_max_types); i++) {
printf("%02x ", ntohs(conflict_aggregate[i]));
}
printf("\n\n");
@@ -201,11 +191,11 @@ void acm_dump_ste_buffer(void *buf, int
printf("\nSSID To STE-Type matrix:\n");
ssids = (domaintype_t *) (buf + ntohl(stebuf->ste_ssid_offset));
- for (i = 0; i < ntohl(stebuf->ste_max_ssidrefs); i++)
- {
+ for (i = 0; i < ntohl(stebuf->ste_max_ssidrefs); i++) {
printf("\n ssidref%2x: ", i);
for (j = 0; j < ntohl(stebuf->ste_max_types); j++)
- printf("%02x ", ntohs(ssids[i * ntohl(stebuf->ste_max_types) +
j]));
+ printf("%02x ",
+ ntohs(ssids[i * ntohl(stebuf->ste_max_types) + j]));
}
printf("\n\n");
}
@@ -213,9 +203,12 @@ void acm_dump_ste_buffer(void *buf, int
void acm_dump_policy_buffer(void *buf, int buflen)
{
struct acm_policy_buffer *pol = (struct acm_policy_buffer *) buf;
-
+ char *policy_reference_name =
+ (buf + ntohl(pol->policy_reference_offset) +
+ sizeof(struct acm_policy_reference_buffer));
printf("\nPolicy dump:\n");
printf("============\n");
+ printf("POLICY REFERENCE = %s.\n", policy_reference_name);
printf("PolicyVer = %x.\n", ntohl(pol->policy_version));
printf("Magic = %x.\n", ntohl(pol->magic));
printf("Len = %x.\n", ntohl(pol->len));
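Review bot: The new `POLICY REFERENCE` line prints a string located solely from `pol->policy_reference_offset`, a value read out of the buffer itself, and `buflen` is never consulted; the buffer is the raw content of the policy file read in acm_domain_loadpolicy, so a truncated or malformed file makes `%s` read past the end of `buf` until a NUL happens to appear. Bound the offset and header size against `buflen` before forming the pointer and print with an explicit length limit, as below. Pointer arithmetic on `void *buf` relies on a GCC extension; the rest of the file already does this, so the cast to `char *` is only a style choice. The function body continues outside the hunk, as does the pre-existing absence of a `buflen >= sizeof(struct acm_policy_buffer)` check before `pol` is dereferenced.

```c
void acm_dump_policy_buffer(void *buf, int buflen)
{
    struct acm_policy_buffer *pol = (struct acm_policy_buffer *) buf;
    uint32_t pr_off = ntohl(pol->policy_reference_offset);
    size_t pr_hdr = sizeof(struct acm_policy_reference_buffer);
    char *policy_reference_name = NULL;
    int pr_max = 0;

    /* the offset comes from the file being dumped; only trust it if the
     * reference header and at least the string start lie inside buf */
    if (buflen > 0 && pr_off < (uint32_t) buflen &&
        pr_hdr < (size_t) buflen - pr_off) {
        policy_reference_name = (char *) buf + pr_off + pr_hdr;
        pr_max = (int) ((size_t) buflen - pr_off - pr_hdr);
    }
    printf("\nPolicy dump:\n");
    printf("============\n");
    if (policy_reference_name)
        printf("POLICY REFERENCE = %.*s.\n", pr_max, policy_reference_name);
    else
        printf("POLICY REFERENCE = <offset outside buffer>.\n");
    /* … unchanged: remaining header fields and per-policy dumps … */
```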
@@ -227,8 +220,7 @@ void acm_dump_policy_buffer(void *buf, i
ACM_POLICY_NAME(ntohl(pol->secondary_policy_code)),
ntohl(pol->secondary_policy_code),
ntohl(pol->secondary_buffer_offset));
- switch (ntohl(pol->primary_policy_code))
- {
+ switch (ntohl(pol->primary_policy_code)) {
case ACM_CHINESE_WALL_POLICY:
acm_dump_chinesewall_buffer(buf +
ntohl(pol->primary_buffer_offset),
@@ -250,8 +242,7 @@ void acm_dump_policy_buffer(void *buf, i
printf("UNKNOWN POLICY!\n");
}
- switch (ntohl(pol->secondary_policy_code))
- {
+ switch (ntohl(pol->secondary_policy_code)) {
case ACM_CHINESE_WALL_POLICY:
acm_dump_chinesewall_buffer(buf +
ntohl(pol->secondary_buffer_offset),
@@ -303,26 +294,22 @@ int acm_domain_loadpolicy(int xc_handle,
off_t len;
uint8_t *buffer;
- if ((ret = stat(filename, &mystat)))
- {
+ if ((ret = stat(filename, &mystat))) {
printf("File %s not found.\n", filename);
goto out;
}
len = mystat.st_size;
- if ((buffer = malloc(len)) == NULL)
- {
+ if ((buffer = malloc(len)) == NULL) {
ret = -ENOMEM;
goto out;
}
- if ((fd = open(filename, O_RDONLY)) <= 0)
- {
+ if ((fd = open(filename, O_RDONLY)) <= 0) {
ret = -ENOENT;
printf("File %s not found.\n", filename);
goto free_out;
}
- if (len == read(fd, buffer, len))
- {
+ if (len == read(fd, buffer, len)) {
struct acm_op op;
/* dump it and then push it down into xen/acm */
acm_dump_policy_buffer(buffer, len);
@@ -334,7 +321,7 @@ int acm_domain_loadpolicy(int xc_handle,
if (ret)
printf
- ("ERROR setting policy. Try 'xm dmesg' to see details.\n");
+ ("ERROR setting policy.\n");
else
printf("Successfully changed policy.\n");
@@ -382,9 +369,9 @@ int acm_domain_dumpstats(int xc_handle)
op.u.dumpstats.pullcache_size = sizeof(stats_buffer);
ret = do_acm_op(xc_handle, &op);
- if (ret < 0)
- {
- printf("ERROR dumping policy stats. Try 'xm dmesg' to see details.\n");
+ if (ret < 0) {
+ printf
+ ("ERROR dumping policy stats. Try 'xm dmesg' to see details.\n");
return ret;
}
stats = (struct acm_stats_buffer *) stats_buffer;
@@ -394,8 +381,7 @@ int acm_domain_dumpstats(int xc_handle)
printf("Magic = %x.\n", ntohl(stats->magic));
printf("Len = %x.\n", ntohl(stats->len));
- switch (ntohl(stats->primary_policy_code))
- {
+ switch (ntohl(stats->primary_policy_code)) {
case ACM_NULL_POLICY:
printf("NULL Policy: No statistics apply.\n");
break;
@@ -414,8 +400,7 @@ int acm_domain_dumpstats(int xc_handle)
printf("UNKNOWN PRIMARY POLICY ERROR!\n");
}
- switch (ntohl(stats->secondary_policy_code))
- {
+ switch (ntohl(stats->secondary_policy_code)) {
case ACM_NULL_POLICY:
printf("NULL Policy: No statistics apply.\n");
break;
@@ -435,119 +420,6 @@ int acm_domain_dumpstats(int xc_handle)
}
return ret;
}
-/************************ get ssidref & types ******************************/
-/*
- * the ssid (types) can be looked up either by domain id or by ssidref
- */
-int acm_domain_getssid(int xc_handle, int argc, char * const argv[])
-{
- /* this includes header and a set of types */
- #define MAX_SSIDBUFFER 2000
- int ret, i;
- struct acm_op op;
- struct acm_ssid_buffer *hdr;
- unsigned char *buf;
- int nice_print = 1;
-
- op.cmd = ACM_GETSSID;
- op.interface_version = ACM_INTERFACE_VERSION;
- op.u.getssid.get_ssid_by = UNSET;
- /* arguments
- -d ... domain id to look up
- -s ... ssidref number to look up
- -f ... formatted print (scripts depend on this format)
- */
- while (1)
- {
- int c = getopt(argc, argv, "d:s:f");
- if (c == -1)
- break;
- if (c == 'd')
- {
- if (op.u.getssid.get_ssid_by != UNSET)
- usage(argv[0]);
- op.u.getssid.get_ssid_by = DOMAINID;
- op.u.getssid.id.domainid = strtoul(optarg, NULL, 0);
- }
- else if (c== 's')
- {
- if (op.u.getssid.get_ssid_by != UNSET)
- usage(argv[0]);
- op.u.getssid.get_ssid_by = SSIDREF;
- op.u.getssid.id.ssidref = strtoul(optarg, NULL, 0);
- }
- else if (c== 'f')
- {
- nice_print = 0;
- }
- else
- usage(argv[0]);
- }
- if (op.u.getssid.get_ssid_by == UNSET)
- usage(argv[0]);
-
- buf = malloc(MAX_SSIDBUFFER);
- if (!buf)
- return -ENOMEM;
-
- /* dump it and then push it down into xen/acm */
- op.u.getssid.ssidbuf = buf; /* out */
- op.u.getssid.ssidbuf_size = MAX_SSIDBUFFER;
- ret = do_acm_op(xc_handle, &op);
-
- if (ret)
- {
- printf("ERROR getting ssidref. Try 'xm dmesg' to see details.\n");
- goto out;
- }
- hdr = (struct acm_ssid_buffer *)buf;
- if (hdr->len > MAX_SSIDBUFFER)
- {
- printf("ERROR: Buffer length inconsistent (ret=%d, hdr->len=%d)!\n",
- ret, hdr->len);
- return -EIO;
- }
- if (nice_print)
- {
- printf("SSID: ssidref = 0x%08x \n", hdr->ssidref);
- printf(" P: %s, max_types = %d\n",
- ACM_POLICY_NAME(hdr->primary_policy_code),
hdr->primary_max_types);
- printf(" Types: ");
- for (i=0; i< hdr->primary_max_types; i++)
- if (buf[hdr->primary_types_offset + i])
- printf("%02x ", i);
- else
- printf("-- ");
- printf("\n");
-
- printf(" S: %s, max_types = %d\n",
- ACM_POLICY_NAME(hdr->secondary_policy_code),
hdr->secondary_max_types);
- printf(" Types: ");
- for (i=0; i< hdr->secondary_max_types; i++)
- if (buf[hdr->secondary_types_offset + i])
- printf("%02x ", i);
- else
- printf("-- ");
- printf("\n");
- }
- else
- {
- /* formatted print for use with scripts (.sh)
- * update scripts when updating here (usually
- * used in combination with -d to determine a
- * running domain's label
- */
- printf("SSID: ssidref = 0x%08x \n", hdr->ssidref);
- }
-
- /* return ste ssidref */
- if (hdr->primary_policy_code == ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY)
- ret = (hdr->ssidref) & 0xffff;
- else if (hdr->secondary_policy_code == ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY)
- ret = (hdr->ssidref) >> 16;
- out:
- return ret;
-}
/***************************** main **************************************/
@@ -559,8 +431,7 @@ int main(int argc, char **argv)
if (argc < 2)
usage(argv[0]);
- if ((acm_cmd_fd = open("/proc/xen/privcmd", O_RDONLY)) <= 0)
- {
+ if ((acm_cmd_fd = open("/proc/xen/privcmd", O_RDONLY)) <= 0) {
printf("ERROR: Could not open xen privcmd device!\n");
exit(-1);
}
@@ -577,8 +448,6 @@ int main(int argc, char **argv)
if (argc != 2)
usage(argv[0]);
ret = acm_domain_dumpstats(acm_cmd_fd);
- } else if (!strcmp(argv[1], "getssid")) {
- ret = acm_domain_getssid(acm_cmd_fd, argc, argv);
} else
usage(argv[0]);
Index: xen-unstable.hg-shype/tools/security/secpol_xml2bin.c
===================================================================
--- xen-unstable.hg-shype.orig/tools/security/secpol_xml2bin.c
+++ xen-unstable.hg-shype/tools/security/secpol_xml2bin.c
@@ -101,22 +101,30 @@ int have_chwall = 0;
/* input/output file names */
char *policy_filename = NULL,
- *label_filename = NULL,
- *binary_filename = NULL, *mapping_filename = NULL,
- *schema_filename = NULL;
+ *binary_filename = NULL,
+ *mapping_filename = NULL, *schema_filename = NULL;
+
+char *policy_reference_name = NULL;
+
+void walk_labels(xmlNode * start, xmlDocPtr doc, unsigned long state);
void usage(char *prg)
{
printf("Usage: %s [OPTIONS] POLICYNAME\n", prg);
- printf("POLICYNAME is the directory name within the policy directory\n");
- printf("that contains the policy files. The default policy directory\n");
- printf("is '%s' (see the '-d' option below to change it)\n", POLICY_DIR);
- printf("The policy files contained in the POLICYNAME directory must be
named:\n");
+ printf
+ ("POLICYNAME is the directory name within the policy directory\n");
+ printf
+ ("that contains the policy files. The default policy directory\n");
+ printf("is '%s' (see the '-d' option below to change it)\n",
+ POLICY_DIR);
+ printf
+ ("The policy files contained in the POLICYNAME directory must be
named:\n");
printf("\tPOLICYNAME-security_policy.xml\n");
printf("\tPOLICYNAME-security_label_template.xml\n\n");
printf("OPTIONS:\n");
printf("\t-d POLICYDIR\n");
- printf("\t\tUse POLICYDIR as the policy directory. This directory must
contain\n");
+ printf
+ ("\t\tUse POLICYDIR as the policy directory. This directory must
contain\n");
printf("\t\tthe policy schema file 'security_policy.xsd'\n");
exit(EXIT_FAILURE);
}
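Review bot: The usage text still tells the user that the POLICYNAME directory must contain `POLICYNAME-security_label_template.xml` (the line after `printf("\tPOLICYNAME-security_policy.xml\n");`), yet this same patch removes `label_filename` from the file-name globals and the Makefile part drops the label template suffix. If labels are now read from the policy file itself, as the later second pass over the same document suggests, that line should go and the sentence before it reduced to `printf("The policy file contained in the POLICYNAME directory must be named:\n");`. Re-wrapping every `printf` onto its own line (here and in most later hunks) is an indentation-tool change mixed into a functional patch; splitting it out would make the real changes much easier to review.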
@@ -147,8 +155,7 @@ struct type_entry *lookup(struct tailhea
int add_entry(struct tailhead *head, char *name, type_t mapping)
{
struct type_entry *e;
- if (lookup(head, name))
- {
+ if (lookup(head, name)) {
printf("Error: Type >%s< defined more than once.\n", name);
return -EFAULT; /* already in the list */
}
@@ -204,16 +211,14 @@ int register_type(xmlNode * cur_node, xm
text = xmlNodeListGetString(doc, cur_node->xmlChildrenNode, 1);
- if (!text)
- {
+ if (!text) {
printf("Error reading type name!\n");
return -EFAULT;
}
switch (state) {
case XML2BIN_stetype_S:
- if (add_entry(&ste_head, (char *) text, max_ste_types))
- {
+ if (add_entry(&ste_head, (char *) text, max_ste_types)) {
xmlFree(text);
return -EFAULT;
}
@@ -221,8 +226,7 @@ int register_type(xmlNode * cur_node, xm
break;
case XML2BIN_chwalltype_S:
- if (add_entry(&chwall_head, (char *) text, max_chwall_types))
- {
+ if (add_entry(&chwall_head, (char *) text, max_chwall_types)) {
xmlFree(text);
return -EFAULT;
}
@@ -232,16 +236,15 @@ int register_type(xmlNode * cur_node, xm
case XML2BIN_conflictsettype_S:
/* a) search the type in the chwall_type list */
e = lookup(&chwall_head, (char *) text);
- if (e == NULL)
- {
+ if (e == NULL) {
printf("CS type >%s< not a CHWALL type.\n", text);
xmlFree(text);
return -EFAULT;
}
/* b) add type entry to the current cs set */
- if (current_conflictset_p->row[e->mapping])
- {
- printf("ERROR: Double entry of type >%s< in conflict set %d.\n",
+ if (current_conflictset_p->row[e->mapping]) {
+ printf
+ ("ERROR: Double entry of type >%s< in conflict set %d.\n",
text, current_conflictset_p->num);
xmlFree(text);
return -EFAULT;
@@ -262,16 +265,15 @@ void set_component_type(xmlNode * cur_no
{
xmlChar *order;
- if ((order = xmlGetProp(cur_node, (xmlChar *)
PRIMARY_COMPONENT_ATTR_NAME))) {
- if (strcmp((char *) order, PRIMARY_COMPONENT))
- {
+ if ((order =
+ xmlGetProp(cur_node, (xmlChar *) PRIMARY_COMPONENT_ATTR_NAME))) {
+ if (strcmp((char *) order, PRIMARY_COMPONENT)) {
printf("ERROR: Illegal attribut value >order=%s<.\n",
(char *) order);
xmlFree(order);
exit(EXIT_FAILURE);
}
- if (primary != NULLPOLICY)
- {
+ if (primary != NULLPOLICY) {
printf("ERROR: Primary Policy Component set twice!\n");
exit(EXIT_FAILURE);
}
@@ -285,10 +287,8 @@ void walk_policy(xmlNode * start, xmlDoc
xmlNode *cur_node = NULL;
int code;
- for (cur_node = start; cur_node; cur_node = cur_node->next)
- {
- if ((code = totoken((char *) cur_node->name)) < 0)
- {
+ for (cur_node = start; cur_node; cur_node = cur_node->next) {
+ if ((code = totoken((char *) cur_node->name)) < 0) {
printf("Unknown token: >%s<. Aborting.\n", cur_node->name);
exit(EXIT_FAILURE);
}
@@ -297,13 +297,32 @@ void walk_policy(xmlNode * start, xmlDoc
case XML2BIN_STETYPES:
case XML2BIN_CHWALLTYPES:
case XML2BIN_CONFLICTSETS:
+ case XML2BIN_POLICYHEADER:
walk_policy(cur_node->children, doc, state | (1 << code));
break;
+ case XML2BIN_POLICYNAME: /* get policy reference name .... */
+ if (state != XML2BIN_PN_S) {
+ printf("ERROR: >Url< >%s< out of context.\n",
+ (char *) xmlNodeListGetString(doc,
+ cur_node->
+ xmlChildrenNode, 1));
+ exit(EXIT_FAILURE);
+ }
+ policy_reference_name = (char *)
+ xmlNodeListGetString(doc, cur_node->xmlChildrenNode, 1);
+ if (!policy_reference_name) {
+ printf("ERROR: empty >policy reference name (Url)<!\n");
+ exit(EXIT_FAILURE);
+ } else
+ printf("Policy Reference name (Url): %s\n",
+ policy_reference_name);
+ break;
+
case XML2BIN_STE:
- if (WRITTEN_AGAINST_ACM_STE_VERSION != ACM_STE_VERSION)
- {
- printf("ERROR: This program was written against another STE
version.\n");
+ if (WRITTEN_AGAINST_ACM_STE_VERSION != ACM_STE_VERSION) {
+ printf
+ ("ERROR: This program was written against another STE
version.\n");
exit(EXIT_FAILURE);
}
have_ste = 1;
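Review bot: The new `XML2BIN_POLICYNAME` case overwrites `policy_reference_name` without checking whether it was already set, so a document with two such elements silently keeps the last one and leaks the first `xmlNodeListGetString` result; `set_component_type` in this file treats a repeated primary component as an error, and the same guard fits here before the assignment: `if (policy_reference_name) { printf("ERROR: policy reference name set twice!\n"); exit(EXIT_FAILURE); }`. The out-of-context error path also passes the raw `xmlNodeListGetString` return to `%s`, which may be NULL for an empty element. The name is later written verbatim into the mapping file and the binary policy; unless the schema bounds its length, a length check at this point would be the cheapest place to add one. walk_policy starts before this hunk and continues after it.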
@@ -312,9 +331,9 @@ void walk_policy(xmlNode * start, xmlDoc
break;
case XML2BIN_CHWALL:
- if (WRITTEN_AGAINST_ACM_CHWALL_VERSION != ACM_CHWALL_VERSION)
- {
- printf("ERROR: This program was written against another CHWALL
version.\n");
+ if (WRITTEN_AGAINST_ACM_CHWALL_VERSION != ACM_CHWALL_VERSION) {
+ printf
+ ("ERROR: This program was written against another CHWALL
version.\n");
exit(EXIT_FAILURE);
}
have_chwall = 1;
@@ -328,8 +347,7 @@ void walk_policy(xmlNode * start, xmlDoc
if (!current_conflictset_name)
current_conflictset_name = "";
- if (init_next_conflictset())
- {
+ if (init_next_conflictset()) {
printf
("ERROR: creating new conflictset structure failed.\n");
exit(EXIT_FAILURE);
@@ -343,14 +361,18 @@ void walk_policy(xmlNode * start, xmlDoc
/* type leaf */
break;
+ case XML2BIN_LABELTEMPLATE: /* handle in second pass */
case XML2BIN_TEXT:
case XML2BIN_COMMENT:
- case XML2BIN_POLICYHEADER:
+ case XML2BIN_DATE:
+ case XML2BIN_REFERENCE:
+ case XML2BIN_NSURL: /* for future use: where to find global label /
type name mappings */
+ case XML2BIN_URL: /* for future use: where to find policy */
/* leaf - nothing to do */
break;
default:
- printf("Unkonwn token Error (%d)\n", code);
+ printf("Unkonwn token Error (%d) in Policy\n", code);
exit(EXIT_FAILURE);
}
@@ -358,21 +380,21 @@ void walk_policy(xmlNode * start, xmlDoc
return;
}
-int create_type_mapping(xmlDocPtr doc)
+void init_type_mapping(void)
{
- xmlNode *root_element = xmlDocGetRootElement(doc);
- struct type_entry *te;
- struct ssid_entry *se;
- int i;
-
printf("Creating ssid mappings ...\n");
/* initialize the ste and chwall type lists */
TAILQ_INIT(&ste_head);
TAILQ_INIT(&chwall_head);
TAILQ_INIT(&conflictsets_head);
+}
- walk_policy(root_element, doc, XML2BIN_NULL);
+void post_type_mapping(void)
+{
+ struct type_entry *te;
+ struct ssid_entry *se;
+ int i;
/* determine primary/secondary policy component orders */
if ((primary == NULLPOLICY) && have_chwall)
@@ -400,19 +422,17 @@ int create_type_mapping(xmlDocPtr doc)
}
if (!DEBUG)
- return 0;
+ return;
/* print queues */
- if (have_ste)
- {
+ if (have_ste) {
printf("STE-Type queue (%s):\n",
(primary == STE) ? "PRIMARY" : "SECONDARY");
for (te = ste_head.tqh_first; te != NULL;
te = te->entries.tqe_next)
printf("name=%22s, map=%x\n", te->name, te->mapping);
}
- if (have_chwall)
- {
+ if (have_chwall) {
printf("CHWALL-Type queue (%s):\n",
(primary == CHWALL) ? "PRIMARY" : "SECONDARY");
for (te = chwall_head.tqh_first; te != NULL;
@@ -421,8 +441,7 @@ int create_type_mapping(xmlDocPtr doc)
printf("Conflictset queue (max=%d):\n", max_conflictsets);
for (se = conflictsets_head.tqh_first; se != NULL;
- se = se->entries.tqe_next)
- {
+ se = se->entries.tqe_next) {
printf("conflictset name >%s<\n",
se->name ? se->name : "NONAME");
for (i = 0; i < max_chwall_types; i++)
@@ -431,7 +450,6 @@ int create_type_mapping(xmlDocPtr doc)
printf("\n");
}
}
- return 0;
}
@@ -554,8 +572,7 @@ int add_type(xmlNode * cur_node, xmlDocP
struct type_entry *e;
text = xmlNodeListGetString(doc, cur_node->xmlChildrenNode, 1);
- if (!text)
- {
+ if (!text) {
printf("Error reading type name!\n");
return -EFAULT;
}
@@ -564,8 +581,7 @@ int add_type(xmlNode * cur_node, xmlDocP
case XML2BIN_VM_STE_S:
case XML2BIN_RES_STE_S:
/* lookup the type mapping and include the type mapping into the array
*/
- if (!(e = lookup(&ste_head, (char *) text)))
- {
+ if (!(e = lookup(&ste_head, (char *) text))) {
printf("ERROR: unknown VM STE type >%s<.\n", text);
exit(EXIT_FAILURE);
}
@@ -577,8 +593,7 @@ int add_type(xmlNode * cur_node, xmlDocP
case XML2BIN_VM_CHWALL_S:
/* lookup the type mapping and include the type mapping into the array
*/
- if (!(e = lookup(&chwall_head, (char *) text)))
- {
+ if (!(e = lookup(&chwall_head, (char *) text))) {
printf("ERROR: unknown VM CHWALL type >%s<.\n", text);
exit(EXIT_FAILURE);
}
@@ -602,8 +617,9 @@ void set_bootstrap_label(xmlNode * cur_n
{
xmlChar *order;
- if ((order = xmlGetProp(cur_node, (xmlChar *) BOOTSTRAP_LABEL_ATTR_NAME)))
- bootstrap_label = (char *)order;
+ if ((order =
+ xmlGetProp(cur_node, (xmlChar *) BOOTSTRAP_LABEL_ATTR_NAME)))
+ bootstrap_label = (char *) order;
else {
printf("ERROR: No bootstrap label defined!\n");
exit(EXIT_FAILURE);
@@ -615,45 +631,40 @@ void walk_labels(xmlNode * start, xmlDoc
xmlNode *cur_node = NULL;
int code;
- for (cur_node = start; cur_node; cur_node = cur_node->next)
- {
- if ((code = totoken((char *) cur_node->name)) < 0)
- {
+ for (cur_node = start; cur_node; cur_node = cur_node->next) {
+ if ((code = totoken((char *) cur_node->name)) < 0) {
printf("Unkonwn token: >%s<. Aborting.\n", cur_node->name);
exit(EXIT_FAILURE);
}
switch (code) { /* adjust state to new state */
-
case XML2BIN_SUBJECTS:
set_bootstrap_label(cur_node);
/* fall through */
+ case XML2BIN_SECPOL:
+ case XML2BIN_LABELTEMPLATE:
case XML2BIN_VM:
case XML2BIN_RES:
- case XML2BIN_SECTEMPLATE:
case XML2BIN_OBJECTS:
walk_labels(cur_node->children, doc, state | (1 << code));
break;
case XML2BIN_STETYPES:
/* create new ssid entry to use and point current to it */
- if (init_next_ste_ssid(state))
- {
+ if (init_next_ste_ssid(state)) {
printf("ERROR: creating new ste ssid structure failed.\n");
exit(EXIT_FAILURE);
}
walk_labels(cur_node->children, doc, state | (1 << code));
-
break;
case XML2BIN_CHWALLTYPES:
/* create new ssid entry to use and point current to it */
- if (init_next_chwall_ssid(state))
- {
- printf("ERROR: creating new chwall ssid structure failed.\n");
+ if (init_next_chwall_ssid(state)) {
+ printf
+ ("ERROR: creating new chwall ssid structure failed.\n");
exit(EXIT_FAILURE);
}
walk_labels(cur_node->children, doc, state | (1 << code));
-
break;
case XML2BIN_TYPE:
@@ -663,115 +674,66 @@ void walk_labels(xmlNode * start, xmlDoc
break;
case XML2BIN_NAME:
- if ((state != XML2BIN_VM_S) && (state != XML2BIN_RES_S))
- {
- printf("ERROR: >name< out of VM/RES context.\n");
- exit(EXIT_FAILURE);
- }
- current_ssid_name = (char *)
- xmlNodeListGetString(doc, cur_node->xmlChildrenNode, 1);
-
- if (!current_ssid_name)
- {
- printf("ERROR: empty >name<!\n");
+ if ((state == XML2BIN_VM_S) || (state == XML2BIN_RES_S)) {
+ current_ssid_name = (char *)
+ xmlNodeListGetString(doc, cur_node->xmlChildrenNode,
+ 1);
+ if (!current_ssid_name) {
+ printf("ERROR: empty >vm/res name<!\n");
+ exit(EXIT_FAILURE);
+ }
+ } else {
+ printf
+ ("ERROR: >name< >%s< out of context (state = 0x%lx.\n",
+ (char *) xmlNodeListGetString(doc,
+ cur_node->
+ xmlChildrenNode, 1),
+ state);
exit(EXIT_FAILURE);
}
break;
case XML2BIN_TEXT:
case XML2BIN_COMMENT:
- case XML2BIN_LABELHEADER:
+ case XML2BIN_POLICYHEADER:
+ case XML2BIN_STE:
+ case XML2BIN_CHWALL:
break;
default:
- printf("Unkonwn token Error (%d)\n", code);
+ printf("Unkonwn token Error (%d) in Label Template\n", code);
exit(EXIT_FAILURE);
}
-
}
return;
}
-/* this function walks through a ssid queue
- * and transforms double entries into references
- * of the first definition (we need to keep the
- * entry to map labels but we don't want double
- * ssids in the binary policy
- */
-void
-remove_doubles(struct tailhead_ssid *head,
- u_int32_t max_types, u_int32_t * max_ssids)
-{
- struct ssid_entry *np, *ni;
-
- /* walk once through the list */
- for (np = head->tqh_first; np != NULL; np = np->entries.tqe_next)
- {
- /* now search from the start until np for the same entry */
- for (ni = head->tqh_first; ni != np; ni = ni->entries.tqe_next)
- {
- if (ni->is_ref)
- continue;
- if (memcmp(np->row, ni->row, max_types))
- continue;
- /* found one, set np reference to ni */
- np->is_ref = 1;
- np->num = ni->num;
- (*max_ssids)--;
- }
- }
-
- /* now minimize the ssid numbers used (doubles introduce holes) */
- (*max_ssids) = 0; /* reset */
-
- for (np = head->tqh_first; np != NULL; np = np->entries.tqe_next)
- {
- if (np->is_ref)
- continue;
-
- if (np->num != (*max_ssids)) {
- /* first reset all later references to the new max_ssid */
- for (ni = np->entries.tqe_next; ni != NULL; ni =
ni->entries.tqe_next)
- {
- if (ni->num == np->num)
- ni->num = (*max_ssids);
- }
- /* now reset num */
- np->num = (*max_ssids)++;
- }
- else
- (*max_ssids)++;
- }
-}
-
/*
* will go away as soon as we have non-static bootstrap ssidref for dom0
*/
void fixup_bootstrap_label(struct tailhead_ssid *head,
- u_int32_t max_types, u_int32_t * max_ssids)
+ u_int32_t max_types, u_int32_t * max_ssids)
{
struct ssid_entry *np;
int i;
/* should not happen if xml / xsd checks work */
- if (!bootstrap_label)
- {
+ if (!bootstrap_label) {
printf("ERROR: No bootstrap label defined.\n");
exit(EXIT_FAILURE);
}
/* search bootstrap_label */
- for (np = head->tqh_first; np != NULL; np = np->entries.tqe_next)
- {
- if (!strcmp(np->name, bootstrap_label))
- {
+ for (np = head->tqh_first; np != NULL; np = np->entries.tqe_next) {
+ if (!strcmp(np->name, bootstrap_label)) {
break;
}
}
if (!np) {
/* bootstrap label not found */
- printf("ERROR: Bootstrap label >%s< not found.\n", bootstrap_label);
+ printf("ERROR: Bootstrap label >%s< not found.\n",
+ bootstrap_label);
exit(EXIT_FAILURE);
}
@@ -781,16 +743,14 @@ void fixup_bootstrap_label(struct tailhe
TAILQ_INSERT_AFTER(head, head->tqh_first, np, entries);
/* renumber the ssids (we could also just switch places with 1st element)
*/
- for (np = head->tqh_first, i=0; np != NULL; np = np->entries.tqe_next, i++)
- np->num = i;
+ for (np = head->tqh_first, i = 0; np != NULL;
+ np = np->entries.tqe_next, i++)
+ np->num = i;
}
-int create_ssid_mapping(xmlDocPtr doc)
+void init_label_mapping(void)
{
- xmlNode *root_element = xmlDocGetRootElement(doc);
- struct ssid_entry *np;
- int i;
printf("Creating label mappings ...\n");
/* initialize the ste and chwall type lists */
@@ -798,14 +758,16 @@ int create_ssid_mapping(xmlDocPtr doc)
TAILQ_INIT(&ste_ssid_head);
/* init with default ssids */
- if (init_ssid_queues())
- {
+ if (init_ssid_queues()) {
printf("ERROR adding default ssids.\n");
exit(EXIT_FAILURE);
}
+}
- /* now walk the template DOM tree and fill in ssids */
- walk_labels(root_element, doc, XML2BIN_NULL);
+void post_label_mapping(void)
+{
+ struct ssid_entry *np;
+ int i;
/*
* now sort bootstrap label to the head of the list
@@ -814,30 +776,20 @@ int create_ssid_mapping(xmlDocPtr doc)
*/
if (have_chwall)
fixup_bootstrap_label(&chwall_ssid_head, max_chwall_types,
- &max_chwall_ssids);
+ &max_chwall_ssids);
if (have_ste)
fixup_bootstrap_label(&ste_ssid_head, max_ste_types,
- &max_ste_ssids);
-
- /* remove any double entries (insert reference instead) */
- if (have_chwall)
- remove_doubles(&chwall_ssid_head, max_chwall_types,
- &max_chwall_ssids);
- if (have_ste)
- remove_doubles(&ste_ssid_head, max_ste_types,
- &max_ste_ssids);
+ &max_ste_ssids);
if (!DEBUG)
- return 0;
+ return;
/* print queues */
- if (have_chwall)
- {
+ if (have_chwall) {
printf("CHWALL SSID queue (max ssidrefs=%d):\n", max_chwall_ssids);
np = NULL;
for (np = chwall_ssid_head.tqh_first; np != NULL;
- np = np->entries.tqe_next)
- {
+ np = np->entries.tqe_next) {
printf("SSID #%02u (Label=%s)\n", np->num, np->name);
if (np->is_ref)
printf("REFERENCE");
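Review bot: With the `remove_doubles` calls dropped here, no code left in the visible hunks sets `is_ref` on an ssid entry, yet `if (np->is_ref) printf("REFERENCE");` is kept in this debug dump and write_mapping still skips entries with `if (e->is_ref) continue;`. If no other path sets the flag, those checks are dead and should go together with `remove_doubles`; if duplicate type rows are now deliberately kept as distinct ssids, a comment at the `fixup_bootstrap_label` calls saying so would stop the next reader from re-adding deduplication. post_label_mapping starts before this hunk.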
@@ -848,13 +800,11 @@ int create_ssid_mapping(xmlDocPtr doc)
printf("\n\n");
}
}
- if (have_ste)
- {
+ if (have_ste) {
printf("STE SSID queue (max ssidrefs=%d):\n", max_ste_ssids);
np = NULL;
for (np = ste_ssid_head.tqh_first; np != NULL;
- np = np->entries.tqe_next)
- {
+ np = np->entries.tqe_next) {
printf("SSID #%02u (Label=%s)\n", np->num, np->name);
if (np->is_ref)
printf("REFERENCE");
@@ -865,7 +815,19 @@ int create_ssid_mapping(xmlDocPtr doc)
printf("\n\n");
}
}
- return 0;
+}
+
+void create_mappings(xmlDocPtr doc)
+{
+ xmlNode *doc_root_node = xmlDocGetRootElement(doc);
+
+ /* walk the XML policy tree and fill in types and labels */
+ init_type_mapping();
+ walk_policy(doc_root_node, doc, XML2BIN_NULL); /* first pass: types */
+ post_type_mapping();
+ init_label_mapping();
+ walk_labels(doc_root_node, doc, XML2BIN_NULL); /* second pass: labels
*/
+ post_label_mapping();
}
/***************** writing the binary policy *********************/
@@ -888,19 +850,16 @@ int write_mapping(char *filename)
if ((file = fopen(filename, "w")) == NULL)
return -EIO;
+ fprintf(file, "POLICYREFERENCENAME %s\n", policy_reference_name);
fprintf(file, "MAGIC %08x\n", ACM_MAGIC);
- fprintf(file, "POLICY %s\n",
- basename(policy_filename));
- fprintf(file, "BINARY %s\n",
- basename(binary_filename));
- if (have_chwall)
- {
+ fprintf(file, "POLICY FILE %s\n", policy_filename);
+ fprintf(file, "BINARY FILE %s\n", binary_filename);
+ if (have_chwall) {
fprintf(file, "MAX-CHWALL-TYPES %08x\n", max_chwall_types);
fprintf(file, "MAX-CHWALL-SSIDS %08x\n", max_chwall_ssids);
fprintf(file, "MAX-CHWALL-LABELS %08x\n", max_chwall_labels);
}
- if (have_ste)
- {
+ if (have_ste) {
fprintf(file, "MAX-STE-TYPES %08x\n", max_ste_types);
fprintf(file, "MAX-STE-SSIDS %08x\n", max_ste_ssids);
fprintf(file, "MAX-STE-LABELS %08x\n", max_ste_labels);
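Review bot: `fprintf(file, "POLICYREFERENCENAME %s\n", policy_reference_name);` is reached with `policy_reference_name` still NULL when the policy has no policy-name element, because walk_policy only assigns it on seeing that element; printing NULL through `%s` is undefined behaviour and, where the libc prints "(null)", produces a mapping file that misidentifies the policy. Unless the schema guarantees the element, reject the document here: `if (!policy_reference_name) { fclose(file); return -EIO; }` right after the `fopen` check. Replacing `basename(policy_filename)`/`basename(binary_filename)` with the full paths and renaming the keys to `POLICY FILE`/`BINARY FILE` changes the mapping file format; if anything parses those lines, the description should say so. write_mapping starts and ends outside this hunk.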
@@ -939,11 +898,9 @@ int write_mapping(char *filename)
fprintf(file, "\n");
/* first labels to ssid mappings */
- if (have_chwall)
- {
+ if (have_chwall) {
for (e = chwall_ssid_head.tqh_first; e != NULL;
- e = e->entries.tqe_next)
- {
+ e = e->entries.tqe_next) {
fprintf(file, "LABEL->SSID %s CHWALL %-25s %8x\n",
(e->type ==
VM) ? "VM " : ((e->type == RES) ? "RES" : "ANY"),
@@ -951,11 +908,9 @@ int write_mapping(char *filename)
}
fprintf(file, "\n");
}
- if (have_ste)
- {
+ if (have_ste) {
for (e = ste_ssid_head.tqh_first; e != NULL;
- e = e->entries.tqe_next)
- {
+ e = e->entries.tqe_next) {
fprintf(file, "LABEL->SSID %s STE %-25s %8x\n",
(e->type ==
VM) ? "VM " : ((e->type == RES) ? "RES" : "ANY"),
@@ -965,11 +920,9 @@ int write_mapping(char *filename)
}
/* second ssid to type mappings */
- if (have_chwall)
- {
+ if (have_chwall) {
for (e = chwall_ssid_head.tqh_first; e != NULL;
- e = e->entries.tqe_next)
- {
+ e = e->entries.tqe_next) {
if (e->is_ref)
continue;
@@ -985,8 +938,7 @@ int write_mapping(char *filename)
}
if (have_ste) {
for (e = ste_ssid_head.tqh_first; e != NULL;
- e = e->entries.tqe_next)
- {
+ e = e->entries.tqe_next) {
if (e->is_ref)
continue;
@@ -1001,18 +953,15 @@ int write_mapping(char *filename)
fprintf(file, "\n");
}
/* third type mappings */
- if (have_chwall)
- {
- for (t = chwall_head.tqh_first; t != NULL; t = t->entries.tqe_next)
- {
+ if (have_chwall) {
+ for (t = chwall_head.tqh_first; t != NULL; t = t->entries.tqe_next) {
fprintf(file, "TYPE CHWALL %-25s %8x\n",
t->name, t->mapping);
}
fprintf(file, "\n");
}
if (have_ste) {
- for (t = ste_head.tqh_first; t != NULL; t = t->entries.tqe_next)
- {
+ for (t = ste_head.tqh_first; t != NULL; t = t->entries.tqe_next) {
fprintf(file, "TYPE STE %-25s %8x\n",
t->name, t->mapping);
}
@@ -1022,6 +971,38 @@ int write_mapping(char *filename)
return 0;
}
+
+unsigned char *write_policy_reference_binary(u_int32_t * len_pr)
+{
+ unsigned char *buf, *ptr;
+ struct acm_policy_reference_buffer *pr_header;
+ u_int32_t len;
+
+ if (policy_reference_name == NULL) {
+ printf("ERROR: No policy reference name found.\n");
+ exit(EXIT_FAILURE);
+ }
+ len = (sizeof(struct acm_policy_reference_buffer) +
+ strlen(policy_reference_name) + 1);
+ buf = malloc(len);
+ ptr = buf;
+
+ if (!buf) {
+ printf
+ ("ERROR: out of memory allocating label reference buffer.\n");
+ exit(EXIT_FAILURE);
+ }
+ pr_header = (struct acm_policy_reference_buffer *) buf;
+ pr_header->len =
+ htonl(strlen(policy_reference_name) + 1 /* strend \'0' */ );
+ ptr += sizeof(struct acm_policy_reference_buffer);
+ strcpy((char *) ptr, policy_reference_name);
+
+ (*len_pr) = len;
+ return buf;
+}
+
+
unsigned char *write_chwall_binary(u_int32_t * len_chwall)
{
unsigned char *buf, *ptr;
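Review bot: write_policy_reference_binary produces two different lengths and documents neither: `pr_header->len` is the string length plus its terminator, while `*len_pr` is that plus the header, and write_binary uses `*len_pr` as the component size and offset. A comment on the header store, e.g. `/* len: bytes of the NUL-terminated name following the header (network order); the caller's len_pr also counts the header */`, would pin the on-disk format, and the comment `/* strend \'0' */` should read `/* trailing '\0' */`. The error text says `label reference buffer` although this is the policy reference, and nothing rejects an empty name, so `if (policy_reference_name == NULL || *policy_reference_name == '\0')` would catch both cases the rest of the pipeline presumably does not expect.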
@@ -1040,8 +1021,7 @@ unsigned char *write_chwall_binary(u_int
buf = malloc(len);
ptr = buf;
- if (!buf)
- {
+ if (!buf) {
printf("ERROR: out of memory allocating chwall buffer.\n");
exit(EXIT_FAILURE);
}
@@ -1058,14 +1038,13 @@ unsigned char *write_chwall_binary(u_int
chwall_header->chwall_conflict_sets_offset =
htonl(ntohl(chwall_header->chwall_ssid_offset) +
sizeof(domaintype_t) * max_chwall_ssids * max_chwall_types);
- chwall_header->chwall_running_types_offset = 0; /* not set, only
retrieved */
- chwall_header->chwall_conflict_aggregate_offset = 0; /* not set,
only retrieved */
+ chwall_header->chwall_running_types_offset = 0;
+ chwall_header->chwall_conflict_aggregate_offset = 0;
ptr += sizeof(struct acm_chwall_policy_buffer);
/* types */
for (e = chwall_ssid_head.tqh_first; e != NULL;
- e = e->entries.tqe_next)
- {
+ e = e->entries.tqe_next) {
if (e->is_ref)
continue;
@@ -1077,16 +1056,14 @@ unsigned char *write_chwall_binary(u_int
/* conflictsets */
for (e = conflictsets_head.tqh_first; e != NULL;
- e = e->entries.tqe_next)
- {
+ e = e->entries.tqe_next) {
for (i = 0; i < max_chwall_types; i++)
((type_t *) ptr)[i] = htons((type_t) e->row[i]);
ptr += sizeof(type_t) * max_chwall_types;
}
- if ((ptr - buf) != len)
- {
+ if ((ptr - buf) != len) {
printf("ERROR: wrong lengths in %s.\n", __func__);
exit(EXIT_FAILURE);
}
@@ -1112,8 +1089,7 @@ unsigned char *write_ste_binary(u_int32_
buf = malloc(len);
ptr = buf;
- if (!buf)
- {
+ if (!buf) {
printf("ERROR: out of memory allocating chwall buffer.\n");
exit(EXIT_FAILURE);
}
@@ -1130,8 +1106,7 @@ unsigned char *write_ste_binary(u_int32_
ptr += sizeof(struct acm_ste_policy_buffer);
/* types */
- for (e = ste_ssid_head.tqh_first; e != NULL; e = e->entries.tqe_next)
- {
+ for (e = ste_ssid_head.tqh_first; e != NULL; e = e->entries.tqe_next) {
if (e->is_ref)
continue;
@@ -1141,8 +1116,7 @@ unsigned char *write_ste_binary(u_int32_
ptr += sizeof(type_t) * max_ste_types;
}
- if ((ptr - buf) != len)
- {
+ if ((ptr - buf) != len) {
printf("ERROR: wrong lengths in %s.\n", __func__);
exit(EXIT_FAILURE);
}
@@ -1153,16 +1127,21 @@ unsigned char *write_ste_binary(u_int32_
int write_binary(char *filename)
{
struct acm_policy_buffer header;
- unsigned char *ste_buffer = NULL, *chwall_buffer = NULL;
+ unsigned char *ste_buffer = NULL, *chwall_buffer =
+ NULL, *policy_reference_buffer = NULL;
u_int32_t len;
- int fd;
+ int fd, ret = 0;
- u_int32_t len_ste = 0, len_chwall = 0; /* length of policy components
*/
+ u_int32_t len_ste = 0, len_chwall = 0, len_pr = 0; /* length of policy
components */
/* open binary file */
- if ((fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR))
<= 0)
- return -EIO;
-
+ if ((fd =
+ open(filename, O_WRONLY | O_CREAT | O_TRUNC,
+ S_IRUSR | S_IWUSR)) <= 0) {
+ ret = -EIO;
+ goto out1;
+ }
+ policy_reference_buffer = write_policy_reference_binary(&len_pr);
ste_buffer = write_ste_binary(&len_ste);
chwall_buffer = write_chwall_binary(&len_chwall);
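Review bot: The output file is opened with O_TRUNC before write_policy_reference_binary, write_ste_binary and write_chwall_binary run, and each of those calls exit(EXIT_FAILURE) on a missing reference name, a length mismatch or allocation failure, so a failing run now replaces the previously good `<policy>.bin` in the policy directory with an empty file. Build the three buffers first and open the output only when all of them exist, so the old binary is truncated only when a complete replacement is about to be written; that also removes the new `goto out1` path that reaches the cleanup's `close(fd)` with fd == -1. The rest of write_binary is outside this hunk.
```c
    /* build every component before touching the output file: the
     * builders exit() on error and must not leave a truncated policy */
    policy_reference_buffer = write_policy_reference_binary(&len_pr);
    ste_buffer = write_ste_binary(&len_ste);
    chwall_buffer = write_chwall_binary(&len_chwall);

    if ((fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC,
                   S_IRUSR | S_IWUSR)) < 0) {
        free(policy_reference_buffer);
        free(chwall_buffer);
        free(ste_buffer);
        return -EIO;
    }
    /* … unchanged: header construction and writes … */
```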
@@ -1175,24 +1154,26 @@ int write_binary(char *filename)
len += len_chwall;
if (have_ste)
len += len_ste;
+ len += len_pr; /* policy reference is mandatory */
header.len = htonl(len);
- header.primary_buffer_offset = htonl(sizeof(struct acm_policy_buffer));
- if (primary == CHWALL)
- {
+ header.policy_reference_offset =
+ htonl(sizeof(struct acm_policy_buffer));
+
+ header.primary_buffer_offset =
+ htonl(sizeof(struct acm_policy_buffer) + len_pr);
+ if (primary == CHWALL) {
header.primary_policy_code = htonl(ACM_CHINESE_WALL_POLICY);
header.secondary_buffer_offset =
- htonl((sizeof(struct acm_policy_buffer)) + len_chwall);
- }
- else if (primary == STE)
- {
+ htonl((sizeof(struct acm_policy_buffer)) + len_pr +
+ len_chwall);
+ } else if (primary == STE) {
header.primary_policy_code =
htonl(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY);
header.secondary_buffer_offset =
- htonl((sizeof(struct acm_policy_buffer)) + len_ste);
- }
- else
- {
+ htonl((sizeof(struct acm_policy_buffer)) + len_pr +
+ len_ste);
+ } else {
/* null policy */
header.primary_policy_code = htonl(ACM_NULL_POLICY);
header.secondary_buffer_offset =
@@ -1208,36 +1189,52 @@ int write_binary(char *filename)
header.secondary_policy_code = htonl(ACM_NULL_POLICY);
if (write(fd, (void *) &header, sizeof(struct acm_policy_buffer))
- != sizeof(struct acm_policy_buffer))
- return -EIO;
+ != sizeof(struct acm_policy_buffer)) {
+ ret = -EIO;
+ goto out1;
+ }
+ /* write label reference name */
+ if (write(fd, policy_reference_buffer, len_pr) != len_pr) {
+ ret = -EIO;
+ goto out1;
+ }
/* write primary policy component */
- if (primary == CHWALL)
- {
- if (write(fd, chwall_buffer, len_chwall) != len_chwall)
- return -EIO;
- }
- else if (primary == STE)
- {
- if (write(fd, ste_buffer, len_ste) != len_ste)
- return -EIO;
- } else
- ; /* NULL POLICY has no policy data */
+ if (primary == CHWALL) {
+ if (write(fd, chwall_buffer, len_chwall) != len_chwall) {
+ ret = -EIO;
+ goto out1;
+ }
+ } else if (primary == STE) {
+ if (write(fd, ste_buffer, len_ste) != len_ste) {
+ ret = -EIO;
+ goto out1;
+ }
+ } else; /* NULL POLICY has no policy data */
/* write secondary policy component */
- if (secondary == CHWALL)
- {
- if (write(fd, chwall_buffer, len_chwall) != len_chwall)
- return -EIO;
- }
- else if (secondary == STE)
- {
- if (write(fd, ste_buffer, len_ste) != len_ste)
- return -EIO;
+ if (secondary == CHWALL) {
+ if (write(fd, chwall_buffer, len_chwall) != len_chwall) {
+ ret = -EIO;
+ goto out1;
+ }
+ } else if (secondary == STE) {
+ if (write(fd, ste_buffer, len_ste) != len_ste) {
+ ret = -EIO;
+ goto out1;
+ }
} else; /* NULL POLICY has no policy data */
+ out1:
+ /* cleanup */
+ if (policy_reference_buffer)
+ free(policy_reference_buffer);
+ if (chwall_buffer)
+ free(chwall_buffer);
+ if (ste_buffer)
+ free(ste_buffer);
close(fd);
- return 0;
+ return ret;
}
int is_valid(xmlDocPtr doc)
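Review bot: The `out1` cleanup closes `fd` unconditionally and is reached from every failed `write()` in this hunk, so on error the caller is left with a partially written `<policy>.bin` that a later load may still pick up; the open-failure path earlier in the function also arrives here with fd == -1. Guard the close and discard the partial file: `if (fd >= 0) { close(fd); if (ret) unlink(filename); }`. The `write(...) != len_pr` comparisons mix write()'s ssize_t with u_int32_t, so a -1 is compared after conversion; it still mismatches, but a small helper that loops until `len` bytes are written (or a `(ssize_t)` cast) would make both the intent and short-write handling explicit. The `} else;` empty statements would read better with the comment alone and no stray semicolon.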
@@ -1253,18 +1250,15 @@ int is_valid(xmlDocPtr doc)
#ifdef VALIDATE_SCHEMA
/* only tested to be available from libxml2-2.6.20 upwards */
- if ((err = xmlSchemaIsValid(schemavalid_ctxt)) != 1)
- {
+ if ((err = xmlSchemaIsValid(schemavalid_ctxt)) != 1) {
printf("ERROR: Invalid schema file %s (err=%d)\n",
schema_filename, err);
err = -EIO;
goto out;
- }
- else
+ } else
printf("XML Schema %s valid.\n", schema_filename);
#endif
- if ((err = xmlSchemaValidateDoc(schemavalid_ctxt, doc)))
- {
+ if ((err = xmlSchemaValidateDoc(schemavalid_ctxt, doc))) {
err = -EIO;
goto out;
}
@@ -1277,10 +1271,9 @@ int is_valid(xmlDocPtr doc)
int main(int argc, char **argv)
{
- xmlDocPtr labeldoc = NULL;
xmlDocPtr policydoc = NULL;
- int err = EXIT_SUCCESS;
+ int err = EXIT_FAILURE;
char *file_prefix;
int prefix_len;
@@ -1288,16 +1281,18 @@ int main(int argc, char **argv)
int opt_char;
char *policy_dir = POLICY_DIR;
- if (ACM_POLICY_VERSION != WRITTEN_AGAINST_ACM_POLICY_VERSION)
- {
- printf("ERROR: This program was written against an older ACM
version.\n");
+ if (ACM_POLICY_VERSION != WRITTEN_AGAINST_ACM_POLICY_VERSION) {
+ printf
+ ("ERROR: This program was written against an older ACM
version.\n");
+ printf("ERROR: ACM_POLICY_VERSION=%d, WRITTEN AGAINST= %d.\n",
+ ACM_POLICY_VERSION, WRITTEN_AGAINST_ACM_POLICY_VERSION);
exit(EXIT_FAILURE);
}
while ((opt_char = getopt(argc, argv, "d:")) != -1) {
switch (opt_char) {
case 'd':
- policy_dir = malloc(strlen(optarg) + 2); // null terminator and
possibly "/"
+ policy_dir = malloc(strlen(optarg) + 2); /* null terminator and
possibly "/" */
if (!policy_dir) {
printf("ERROR allocating directory name memory.\n");
exit(EXIT_FAILURE);
@@ -1315,20 +1310,21 @@ int main(int argc, char **argv)
if ((argc - optind) != 1)
usage(basename(argv[0]));
- prefix_len = strlen(policy_dir) +
- strlen(argv[optind]) + 1 /* "/" */ +
- strlen(argv[optind]) + 1 /* null terminator */ ;
+ printf("arg=%s\n", argv[optind]);
+
+ prefix_len =
+ strlen(policy_dir) + strlen(argv[optind]) +
+ 1 /* null terminator */ ;
file_prefix = malloc(prefix_len);
policy_filename = malloc(prefix_len + strlen(POLICY_EXTENSION));
- label_filename = malloc(prefix_len + strlen(LABEL_EXTENSION));
binary_filename = malloc(prefix_len + strlen(BINARY_EXTENSION));
mapping_filename = malloc(prefix_len + strlen(MAPPING_EXTENSION));
- schema_filename = malloc(strlen(policy_dir) + strlen(SCHEMA_FILENAME) + 1);
+ schema_filename =
+ malloc(strlen(policy_dir) + strlen(SCHEMA_FILENAME) + 1);
- if (!file_prefix || !policy_filename || !label_filename ||
- !binary_filename || !mapping_filename || !schema_filename)
- {
+ if (!file_prefix || !policy_filename ||
+ !binary_filename || !mapping_filename || !schema_filename) {
printf("ERROR allocating file name memory.\n");
goto out2;
}
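Review bot: `printf("arg=%s\n", argv[optind]);` looks like leftover debug output and lands on stdout next to the tool's status lines; drop it, or fold the name into the existing "Validating policy file %s" message. The new `prefix_len` matches the `policy_dir + name` layout built below, but the name is appended to the policies directory verbatim, so a `../` component silently selects files elsewhere; since the tool runs with the invoking user's privileges this is a usability rather than a privilege issue, yet `if (strchr(argv[optind], '/')) usage(basename(argv[0]));` would give a clearer error than a failed parse. main continues outside this hunk.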
@@ -1336,85 +1332,56 @@ int main(int argc, char **argv)
/* create input/output filenames out of prefix */
strcpy(file_prefix, policy_dir);
strcat(file_prefix, argv[optind]);
- strcat(file_prefix, "/");
- strcat(file_prefix, argv[optind]);
strcpy(policy_filename, file_prefix);
- strcpy(label_filename, file_prefix);
strcpy(binary_filename, file_prefix);
strcpy(mapping_filename, file_prefix);
strcat(policy_filename, POLICY_EXTENSION);
- strcat(label_filename, LABEL_EXTENSION);
strcat(binary_filename, BINARY_EXTENSION);
strcat(mapping_filename, MAPPING_EXTENSION);
strcpy(schema_filename, policy_dir);
strcat(schema_filename, SCHEMA_FILENAME);
- labeldoc = xmlParseFile(label_filename);
-
- if (labeldoc == NULL)
- {
- printf("Error: could not parse file %s.\n", argv[optind]);
- goto out2;
- }
-
- printf("Validating label file %s...\n", label_filename);
- if (!is_valid(labeldoc))
- {
- printf("ERROR: Failed schema-validation for file %s (err=%d)\n",
- label_filename, err);
- goto out1;
- }
-
policydoc = xmlParseFile(policy_filename);
- if (policydoc == NULL)
- {
+ if (policydoc == NULL) {
printf("Error: could not parse file %s.\n", argv[optind]);
- goto out1;
+ goto out;
}
printf("Validating policy file %s...\n", policy_filename);
- if (!is_valid(policydoc))
- {
+ if (!is_valid(policydoc)) {
printf("ERROR: Failed schema-validation for file %s (err=%d)\n",
policy_filename, err);
goto out;
}
- /* Init queues and parse policy */
- create_type_mapping(policydoc);
-
- /* create ssids */
- create_ssid_mapping(labeldoc);
+ /* create mappings */
+ create_mappings(policydoc);
/* write label mapping file */
- if (write_mapping(mapping_filename))
- {
+ if (write_mapping(mapping_filename)) {
printf("ERROR: writing mapping file %s.\n", mapping_filename);
goto out;
}
/* write binary file */
- if (write_binary(binary_filename))
- {
+ if (write_binary(binary_filename)) {
printf("ERROR: writing binary file %s.\n", binary_filename);
goto out;
}
-
+ err = EXIT_SUCCESS;
/* write stats */
- if (have_chwall)
- {
+ if (have_chwall) {
printf("Max chwall labels: %u\n", max_chwall_labels);
printf("Max chwall-types: %u\n", max_chwall_types);
printf("Max chwall-ssids: %u\n", max_chwall_ssids);
}
- if (have_ste)
- {
+ if (have_ste) {
printf("Max ste labels: %u\n", max_ste_labels);
printf("Max ste-types: %u\n", max_ste_types);
printf("Max ste-ssids: %u\n", max_ste_ssids);
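Review bot: The message at `printf("ERROR: Failed schema-validation for file %s (err=%d)\n", policy_filename, err)` prints main's own `err`, which this patch now initialises to EXIT_FAILURE and which is_valid never writes, so it always reports err=1 whatever libxml2 said; either capture is_valid's result in a local, if that value is meaningful, or drop the `(err=%d)` part. The mapping file is written before the binary, so a failing write_binary leaves a fresh `.map` beside a stale or missing `.bin`; writing the binary first, or unlinking the map when the binary fails, keeps the two artifacts consistent. `goto out` on a NULL policydoc now reaches `xmlFreeDoc(policydoc)` with NULL, which libxml2 tolerates, but a `/* xmlFreeDoc(NULL) is a no-op */` at the label would save the next reader the lookup.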
@@ -1422,10 +1389,17 @@ int main(int argc, char **argv)
/* cleanup */
out:
xmlFreeDoc(policydoc);
- out1:
- xmlFreeDoc(labeldoc);
out2:
xmlCleanupParser();
return err;
}
+/*
+ * Local variables:
+ * mode: C
+ * c-set-style: "BSD"
+ * c-basic-offset: 4
+ * tab-width: 4
+ * indent-tabs-mode: nil
+ * End:
+ */
Index: xen-unstable.hg-shype/tools/security/secpol_xml2bin.h
===================================================================
--- xen-unstable.hg-shype.orig/tools/security/secpol_xml2bin.h
+++ xen-unstable.hg-shype/tools/security/secpol_xml2bin.h
@@ -12,37 +12,41 @@
* License.
*
*/
-#define POLICY_DIR "/etc/xen/acm-security/policies/"
-#define POLICY_EXTENSION "-security_policy.xml"
-#define LABEL_EXTENSION "-security_label_template.xml"
-#define BINARY_EXTENSION ".bin"
-#define MAPPING_EXTENSION ".map"
-#define PRIMARY_COMPONENT_ATTR_NAME "order"
-#define BOOTSTRAP_LABEL_ATTR_NAME "bootstrap"
-#define PRIMARY_COMPONENT "PrimaryPolicyComponent"
-#define SCHEMA_FILENAME "security_policy.xsd"
+#define POLICY_DIR
"/etc/xen/acm-security/policies/"
+#define POLICY_EXTENSION "-security_policy.xml"
+#define BINARY_EXTENSION ".bin"
+#define MAPPING_EXTENSION ".map"
+#define PRIMARY_COMPONENT_ATTR_NAME "order"
+#define BOOTSTRAP_LABEL_ATTR_NAME "bootstrap"
+#define PRIMARY_COMPONENT "PrimaryPolicyComponent"
+#define SCHEMA_FILENAME "security_policy.xsd"
/* basic states (used as 1 << X) */
-#define XML2BIN_SECPOL 0 /* policy tokens */
-#define XML2BIN_STE 1
+#define ENDOFLIST_POS 22 /* ADAPT!! this position will be NULL;
stay below 32 (bit) */
+#define XML2BIN_SECPOL 0 /* policy tokens */
+#define XML2BIN_STE 1
#define XML2BIN_CHWALL 2
-#define XML2BIN_CONFLICTSETS 3
-#define XML2BIN_CSTYPE 4
-
-#define XML2BIN_SECTEMPLATE 5 /* label tokens */
-#define XML2BIN_POLICYHEADER 6
-#define XML2BIN_LABELHEADER 7
-#define XML2BIN_SUBJECTS 8
-#define XML2BIN_OBJECTS 9
-#define XML2BIN_VM 10
-#define XML2BIN_RES 11
-
-#define XML2BIN_STETYPES 12 /* shared tokens */
-#define XML2BIN_CHWALLTYPES 13
-#define XML2BIN_TYPE 14
-#define XML2BIN_NAME 15
-#define XML2BIN_TEXT 16
-#define XML2BIN_COMMENT 17
+#define XML2BIN_CONFLICTSETS 3
+#define XML2BIN_CSTYPE 4
+#define XML2BIN_POLICYHEADER 5
+#define XML2BIN_NSURL 6
+#define XML2BIN_POLICYNAME 7
+#define XML2BIN_URL 8
+#define XML2BIN_REFERENCE 9
+#define XML2BIN_DATE 10
+
+#define XML2BIN_LABELTEMPLATE 11 /* label tokens */
+#define XML2BIN_SUBJECTS 12
+#define XML2BIN_OBJECTS 13
+#define XML2BIN_VM 14
+#define XML2BIN_RES 15
+#define XML2BIN_NAME 16
+
+#define XML2BIN_STETYPES 17 /* shared tokens */
+#define XML2BIN_CHWALLTYPES 18
+#define XML2BIN_TYPE 19
+#define XML2BIN_TEXT 20
+#define XML2BIN_COMMENT 21
/* type "data type" (currently 16bit) */
typedef u_int16_t type_t;
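Review bot: `ENDOFLIST_POS 22 /* ADAPT!! ... */` makes the token table's terminator a hand-maintained number; if someone adds state 22 and forgets the bump, `[22] = "..."` and `[ENDOFLIST_POS] = NULL` initialise the same slot, the later one wins and the new token is silently dropped. Turning the XML2BIN_* constants into an enum with a trailing `XML2BIN_ENDOFLIST` member, and sizing the table from it, lets the compiler maintain the position, and the "stay below 32 (bit)" rule for the `1 << X` state masks can then be enforced with a compile-time check on that last value instead of a comment. The `#define POLICY_DIR` split over two lines is mail-client folding and must be a single line in the applied patch.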
@@ -51,27 +55,34 @@ typedef u_int16_t type_t;
* state constants and token positions must be *
* in sync for correct state recognition */
-char *token[20] = /* parser triggers */
+char *token[32] = /* parser triggers */
{
- [0] = "SecurityPolicyDefinition", /* policy xml */
- [1] = "SimpleTypeEnforcement",
- [2] = "ChineseWall",
- [3] = "ConflictSets",
- [4] = "Conflict", /* label-template xml */
- [5] = "SecurityLabelTemplate",
- [6] = "PolicyHeader",
- [7] = "LabelHeader",
- [8] = "SubjectLabels",
- [9] = "ObjectLabels",
- [10] = "VirtualMachineLabel",
- [11] = "ResourceLabel",
- [12] = "SimpleTypeEnforcementTypes", /* common tags */
- [13] = "ChineseWallTypes",
- [14] = "Type",
- [15] = "Name",
- [16] = "text",
- [17] = "comment",
- [18] = NULL,
+ [XML2BIN_SECPOL] = "SecurityPolicyDefinition", /* policy xml */
+ [XML2BIN_STE] = "SimpleTypeEnforcement",
+ [XML2BIN_CHWALL] = "ChineseWall",
+ [XML2BIN_CONFLICTSETS] = "ConflictSets",
+ [XML2BIN_CSTYPE] = "Conflict",
+ [XML2BIN_POLICYHEADER] = "PolicyHeader",
+ [XML2BIN_NSURL] = "NameSpaceUrl",
+ [XML2BIN_POLICYNAME] = "PolicyName",
+ [XML2BIN_URL] = "PolicyUrl",
+ [XML2BIN_REFERENCE] = "Reference",
+ [XML2BIN_DATE] = "Date",
+
+ [XML2BIN_LABELTEMPLATE] = "SecurityLabelTemplate", /* label-template xml */
+ [XML2BIN_SUBJECTS] = "SubjectLabels",
+ [XML2BIN_OBJECTS] = "ObjectLabels",
+ [XML2BIN_VM] = "VirtualMachineLabel",
+ [XML2BIN_RES] = "ResourceLabel",
+ [XML2BIN_NAME] = "Name",
+
+ [XML2BIN_STETYPES] = "SimpleTypeEnforcementTypes", /* common tags */
+ [XML2BIN_CHWALLTYPES] = "ChineseWallTypes",
+ [XML2BIN_TYPE] = "Type",
+ [XML2BIN_TEXT] = "text",
+ [XML2BIN_COMMENT] = "comment",
+ [ENDOFLIST_POS] = NULL /* End of LIST, adapt ENDOFLIST_POS
+ when adding entries */
};
/* important combined states */
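Review bot: `char *token[32]` is a non-static definition of a global array in a header, so a second translation unit including secpol_xml2bin.h fails to link with a duplicate symbol, and the elements are writable pointers to string literals. Declare it `static const char *const token[32]` so each includer gets a private read-only copy and accidental writes are rejected at compile time. Slots 22..31 are zero-initialised even without the explicit `[ENDOFLIST_POS] = NULL`, so that entry documents rather than enforces the terminator; a comment such as `/* all unlisted slots are NULL; the walker stops at the first NULL */` would make that explicit for whoever extends the table.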
@@ -82,47 +93,53 @@ char *token[20] =
/* e.g., here we are in a <secpol,ste,stetypes> environment, *
* so when finding a type element, we know where to put it */
#define XML2BIN_stetype_S ((1 << XML2BIN_SECPOL) | \
- (1 << XML2BIN_STE) | \
- (1 << XML2BIN_STETYPES))
+ (1 << XML2BIN_STE) | \
+ (1 << XML2BIN_STETYPES))
#define XML2BIN_chwalltype_S ((1 << XML2BIN_SECPOL) | \
- (1 << XML2BIN_CHWALL) | \
- (1 << XML2BIN_CHWALLTYPES))
+ (1 << XML2BIN_CHWALL) | \
+ (1 << XML2BIN_CHWALLTYPES))
#define XML2BIN_conflictset_S ((1 << XML2BIN_SECPOL) | \
- (1 << XML2BIN_CHWALL) | \
- (1 << XML2BIN_CONFLICTSETS))
+ (1 << XML2BIN_CHWALL) | \
+ (1 << XML2BIN_CONFLICTSETS))
#define XML2BIN_conflictsettype_S ((1 << XML2BIN_SECPOL) | \
- (1 << XML2BIN_CHWALL) | \
- (1 << XML2BIN_CONFLICTSETS) | \
- (1 << XML2BIN_CSTYPE))
+ (1 << XML2BIN_CHWALL) | \
+ (1 << XML2BIN_CONFLICTSETS) | \
+ (1 << XML2BIN_CSTYPE))
+#define XML2BIN_PN_S ((1 << XML2BIN_SECPOL) | \
+ (1 << XML2BIN_POLICYHEADER))
/* label xml states */
-#define XML2BIN_VM_S ((1 << XML2BIN_SECTEMPLATE) | \
- (1 << XML2BIN_SUBJECTS) | \
- (1 << XML2BIN_VM))
-
-#define XML2BIN_RES_S ((1 << XML2BIN_SECTEMPLATE) | \
- (1 << XML2BIN_OBJECTS) | \
- (1 << XML2BIN_RES))
-
-#define XML2BIN_VM_STE_S ((1 << XML2BIN_SECTEMPLATE) | \
- (1 << XML2BIN_SUBJECTS) | \
- (1 << XML2BIN_VM) | \
- (1 << XML2BIN_STETYPES))
-
-#define XML2BIN_VM_CHWALL_S ((1 << XML2BIN_SECTEMPLATE) | \
- (1 << XML2BIN_SUBJECTS) | \
- (1 << XML2BIN_VM) | \
- (1 << XML2BIN_CHWALLTYPES))
-
-#define XML2BIN_RES_STE_S ((1 << XML2BIN_SECTEMPLATE) | \
- (1 << XML2BIN_OBJECTS) | \
- (1 << XML2BIN_RES) | \
- (1 << XML2BIN_STETYPES))
-
+#define XML2BIN_VM_S ((1 << XML2BIN_SECPOL) | \
+ (1 << XML2BIN_LABELTEMPLATE) | \
+ (1 << XML2BIN_SUBJECTS) | \
+ (1 << XML2BIN_VM))
+
+#define XML2BIN_RES_S ((1 << XML2BIN_SECPOL) | \
+ (1 << XML2BIN_LABELTEMPLATE) | \
+ (1 << XML2BIN_OBJECTS) | \
+ (1 << XML2BIN_RES))
+
+#define XML2BIN_VM_STE_S ((1 << XML2BIN_SECPOL) | \
+ (1 << XML2BIN_LABELTEMPLATE) | \
+ (1 << XML2BIN_SUBJECTS) | \
+ (1 << XML2BIN_VM) | \
+ (1 << XML2BIN_STETYPES))
+
+#define XML2BIN_VM_CHWALL_S ((1 << XML2BIN_SECPOL) | \
+ (1 << XML2BIN_LABELTEMPLATE) | \
+ (1 << XML2BIN_SUBJECTS) | \
+ (1 << XML2BIN_VM) | \
+ (1 << XML2BIN_CHWALLTYPES))
+
+#define XML2BIN_RES_STE_S ((1 << XML2BIN_SECPOL) | \
+ (1 << XML2BIN_LABELTEMPLATE) | \
+ (1 << XML2BIN_OBJECTS) | \
+ (1 << XML2BIN_RES) | \
+ (1 << XML2BIN_STETYPES))
/* check versions of headers against which the
@@ -130,7 +147,7 @@ char *token[20] =
*/
/* protects from unnoticed changes in struct acm_policy_buffer */
-#define WRITTEN_AGAINST_ACM_POLICY_VERSION 1
+#define WRITTEN_AGAINST_ACM_POLICY_VERSION 2
/* protects from unnoticed changes in struct acm_chwall_policy_buffer */
#define WRITTEN_AGAINST_ACM_CHWALL_VERSION 1