Index: root/xen-unstable.hg/tools/python/xen/util/acmpolicy.py =================================================================== --- root.orig/xen-unstable.hg/tools/python/xen/util/acmpolicy.py +++ root/xen-unstable.hg/tools/python/xen/util/acmpolicy.py @@ -76,6 +76,7 @@ DEFAULT_policy = \ " \n" +\ " \n" +\ " SystemManagement\n" +\ +" __UNLABELED__\n" +\ " \n" +\ " \n" +\ " \n" +\ @@ -89,12 +90,30 @@ DEFAULT_policy = \ " SystemManagement\n" +\ " \n" +\ " SystemManagement\n" +\ +" __UNLABELED__\n" +\ +" \n" +\ +" \n" +\ +" \n" +\ +" \n" +\ +" \n" +\ +" \n" +\ +" __UNLABELED__\n" +\ +" \n" +\ +" __UNLABELED__\n" +\ " \n" +\ " \n" +\ " \n" +\ " \n" +\ " \n" +\ " \n" +\ +" \n" +\ +" \n" +\ +" __UNLABELED__\n" +\ +" \n" +\ +" __UNLABELED__\n" +\ +" \n" +\ +" \n" +\ +" \n" +\ " \n" +\ "\n" @@ -231,13 +250,14 @@ class ACMPolicy(XSPolicy): """ Determine whether this is the default policy """ - default = ['SystemManagement'] + default = ['SystemManagement', ACM_LABEL_UNLABELED ] if self.policy_get_virtualmachinelabel_names() == default and \ self.policy_get_bootstrap_vmlabel() == default[0] and \ self.policy_get_stetypes_types() == default and \ self.policy_get_stes_of_vmlabel(default[0]) == default and \ - self.policy_get_resourcelabel_names() == [] and \ - self.policy_get_chwall_types() == default and \ + self.policy_get_stes_of_vmlabel(default[1]) == [default[1]] and \ + self.policy_get_resourcelabel_names() == [default[1]] and \ + self.policy_get_chwall_types() == [ default[0] ] and \ self.get_name() == "DEFAULT": return True return False Index: root/xen-unstable.hg/xen/xsm/acm/acm_simple_type_enforcement_hooks.c =================================================================== --- root.orig/xen-unstable.hg/xen/xsm/acm/acm_simple_type_enforcement_hooks.c +++ root/xen-unstable.hg/xen/xsm/acm/acm_simple_type_enforcement_hooks.c @@ -108,7 +108,7 @@ static int share_common_type(struct doma int acm_init_ste_policy(void) { /* minimal startup policy; policy write-locked already */ - ste_bin_pol.max_types = 1; + ste_bin_pol.max_types = 2; ste_bin_pol.max_ssidrefs = 1 + dom0_ste_ssidref; ste_bin_pol.ssidrefs = (domaintype_t *)xmalloc_array(domaintype_t, @@ -123,7 +123,9 @@ int acm_init_ste_policy(void) ste_bin_pol.max_ssidrefs); /* initialize state so that dom0 can start up and communicate with itself */ + ste_bin_pol.ssidrefs[ste_bin_pol.max_types - 1 ] = 1; ste_bin_pol.ssidrefs[ste_bin_pol.max_types * dom0_ste_ssidref] = 1; + ste_bin_pol.ssidrefs[ste_bin_pol.max_types * dom0_ste_ssidref + 1] = 1; /* init stats */ atomic_set(&(ste_bin_pol.ec_eval_count), 0); @@ -866,8 +868,12 @@ ste_authorization(ssidref_t ssidref1, ss static int ste_is_default_policy(void) { - return ((ste_bin_pol.max_types == 1) && - (ste_bin_pol.max_ssidrefs == 2)); + const static domaintype_t def_policy[4] = { 0x0, 0x1, 0x1, 0x1}; + return ((ste_bin_pol.max_types == 2) && + (ste_bin_pol.max_ssidrefs == 2) && + (memcmp(ste_bin_pol.ssidrefs, + def_policy, + sizeof(def_policy)) == 0)); } /* now define the hook structure similarly to LSM */ Index: root/xen-unstable.hg/tools/security/policies/DEFAULT-UL-security_policy.xml =================================================================== --- root.orig/xen-unstable.hg/tools/security/policies/DEFAULT-UL-security_policy.xml +++ /dev/null @@ -1,41 +0,0 @@ - - - - DEFAULT-UL - 1.0 - - - - SystemManagement - __UNLABELED__ - - - - - SystemManagement - - - - - - SystemManagement - - SystemManagement - __UNLABELED__ - - - - - - - __UNLABELED__ - - __UNLABELED__ - - - - - - - - Index: root/xen-unstable.hg/tools/security/Makefile =================================================================== --- root.orig/xen-unstable.hg/tools/security/Makefile +++ root/xen-unstable.hg/tools/security/Makefile @@ -32,7 +32,7 @@ ACM_SECGEN_CGIDIR = $(ACM_SECGEN_HTMLDIR ACM_SCHEMA = security_policy.xsd ACM_EXAMPLES = client_v1 test -ACM_DEF_POLICIES = DEFAULT-UL +ACM_DEF_POLICIES = ACM_POLICY_SUFFIX = security_policy.xml ACM_SETUP_TOOL = python/acm.py Index: root/xen-unstable.hg/xen/xsm/acm/acm_chinesewall_hooks.c =================================================================== --- root.orig/xen-unstable.hg/xen/xsm/acm/acm_chinesewall_hooks.c +++ root/xen-unstable.hg/xen/xsm/acm/acm_chinesewall_hooks.c @@ -637,8 +637,12 @@ static void chwall_domain_destroy(void * static int chwall_is_default_policy(void) { - return ( (chwall_bin_pol.max_types == 1 ) && - (chwall_bin_pol.max_ssidrefs == 2 ) ); + static const domaintype_t def_policy[2] = { 0x0, 0x0 }; + return ( ( chwall_bin_pol.max_types == 1 ) && + ( chwall_bin_pol.max_ssidrefs == 2 ) && + ( memcmp(chwall_bin_pol.ssidrefs, + def_policy, + sizeof(def_policy)) == 0 ) ); }