WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-changelog

[Xen-changelog] The attached patch makes a couple of changes to the ACM

To: xen-changelog@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-changelog] The attached patch makes a couple of changes to the ACM security tools
From: Xen patchbot -unstable <patchbot-unstable@xxxxxxxxxxxxxxxxxxx>
Date: Thu, 08 Dec 2005 21:22:08 +0000
Delivery-date: Thu, 08 Dec 2005 21:23:06 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-changelog-request@lists.xensource.com?subject=help>
List-id: BK change log <xen-changelog.lists.xensource.com>
List-post: <mailto:xen-changelog@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=unsubscribe>
Reply-to: xen-devel@xxxxxxxxxxxxxxxxxxx
Sender: xen-changelog-bounces@xxxxxxxxxxxxxxxxxxx
# HG changeset patch
# User emellor@xxxxxxxxxxxxxxxxxxxxxx
# Node ID 8aac8746047ba585801cac6e8e08be843b96853f
# Parent  3ab6a6c4b6edda2bc4f7d920de581cb542d3d36c
  The attached patch makes a couple of changes to the ACM security tools
and installation. Particularly it does the following:
- the Makefile installs the ACM security-related tools
into /etc/xen/acm-security
- improves and cleans up some of the tools
- updates the documentation

Signed-off-by: Tom Lendacky <toml@xxxxxxxxxx>
Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxx>

diff -r 3ab6a6c4b6ed -r 8aac8746047b tools/security/Makefile
--- a/tools/security/Makefile   Thu Dec  8 18:19:24 2005
+++ b/tools/security/Makefile   Thu Dec  8 18:21:05 2005
@@ -1,16 +1,19 @@
 XEN_ROOT = ../..
 include $(XEN_ROOT)/tools/Rules.mk
 
-SRCS     = secpol_tool.c
 CFLAGS   += -Wall
 CFLAGS   += -Werror
 CFLAGS   += -O3
 CFLAGS   += -fno-strict-aliasing
-CFLAGS   += -I. -I/usr/include/libxml2
-CFLAGS_XML2BIN += $(shell xml2-config --cflags --libs )
-#if above does not work, try  -L/usr/lib -lxml2 -lz -lpthread -lm
+CFLAGS   += -I.
+
+CPPFLAGS += -MMD -MF .$*.d
+PROG_DEPS = .*.d
+
 XML2VERSION = $(shell xml2-config --version )
-VALIDATE_SCHEMA=$(shell if [[ $(XML2VERSION) < 2.6.20 ]]; then echo ""; else 
echo "-DVALIDATE_SCHEMA"; fi; )
+CFLAGS     += $(shell xml2-config --cflags )
+CFLAGS     += $(shell if [[ $(XML2VERSION) < 2.6.20 ]]; then echo ""; else 
echo "-DVALIDATE_SCHEMA"; fi )
+LDFLAGS    += $(shell xml2-config --libs ) # if this does not work, try 
-L/usr/lib -lxml2 -lz -lpthread -lm
 
 ifeq ($(ACM_DEFAULT_SECURITY_POLICY),ACM_NULL_POLICY)
 POLICY=null
@@ -24,48 +27,71 @@
 ifeq 
($(ACM_DEFAULT_SECURITY_POLICY),ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY)
 POLICY=chwall_ste
 endif
-POLICYFILE=./policies/$(POLICY)/$(POLICY).bin
+
+SRCS_TOOL     = secpol_tool.c
+OBJS_TOOL    := $(patsubst %.c,%.o,$(filter %.c,$(SRCS_TOOL)))
+SRCS_XML2BIN  = secpol_xml2bin.c secpol_xml2bin.h
+OBJS_XML2BIN := $(patsubst %.c,%.o,$(filter %.c,$(SRCS_XML2BIN)))
+SRCS_GETD     = get_decision.c
+OBJS_GETD    := $(patsubst %.c,%.o,$(filter %.c,$(SRCS_GETD)))
+
+ACM_INST_TOOLS    = xensec_tool xensec_xml2bin
+ACM_NOINST_TOOLS  = get_decision
+ACM_OBJS          = $(OBJS_TOOL) $(OBJS_XML2BIN) $(OBJS_GETD)
+ACM_SCRIPTS       = getlabel.sh setlabel.sh updategrub.sh labelfuncs.sh
+
+ACM_CONFIG_DIR    = /etc/xen/acm-security
+ACM_POLICY_DIR    = $(ACM_CONFIG_DIR)/policies
+ACM_SCRIPT_DIR    = $(ACM_CONFIG_DIR)/scripts
+
+ACM_SCHEMA        = security_policy.xsd
+ACM_EXAMPLES      = null chwall ste chwall_ste
+ACM_POLICY_SUFFIX = security_policy.xml
+ACM_LABEL_SUFFIX  = security_label_template.xml
 
 ifeq ($(ACM_SECURITY),y)
 all: build
 
-install:all
-
-default:all
+install: all $(ACM_CONFIG_FILE)
+       $(INSTALL_DIR) -p $(DESTDIR)/usr/sbin
+       $(INSTALL_PROG) -p $(ACM_INST_TOOLS) $(DESTDIR)/usr/sbin
+       $(INSTALL_DIR) -p $(DESTDIR)$(ACM_CONFIG_DIR)
+       $(INSTALL_DIR) -p $(DESTDIR)$(ACM_POLICY_DIR)
+       $(INSTALL_DATA) -p policies/$(ACM_SCHEMA) $(DESTDIR)$(ACM_POLICY_DIR)
+       for i in $(ACM_EXAMPLES); do \
+               $(INSTALL_DIR) -p $(DESTDIR)$(ACM_POLICY_DIR)/$$i; \
+               $(INSTALL_DATA) -p policies/$$i/$$i-$(ACM_POLICY_SUFFIX) 
$(DESTDIR)$(ACM_POLICY_DIR)/$$i; \
+               $(INSTALL_DATA) -p policies/$$i/$$i-$(ACM_LABEL_SUFFIX) 
$(DESTDIR)$(ACM_POLICY_DIR)/$$i; \
+       done
+       $(INSTALL_DIR) -p $(DESTDIR)$(ACM_SCRIPT_DIR)
+       $(INSTALL_PROG) -p $(ACM_SCRIPTS) $(DESTDIR)$(ACM_SCRIPT_DIR)
 else
 all:
 
 install:
-
-default:
 endif
 
-build: mk-symlinks
-       $(MAKE) secpol_tool
-       $(MAKE) secpol_xml2bin
-       $(MAKE) get_decision
-       chmod 700 ./setlabel.sh
-       chmod 700 ./updategrub.sh
-       chmod 700 ./getlabel.sh
+build: mk-symlinks $(ACM_INST_TOOLS) $(ACM_NOINST_TOOLS)
+       chmod 700 $(ACM_SCRIPTS)
 
-secpol_tool : secpol_tool.c
-       $(CC) $(CPPFLAGS) $(CFLAGS) -o $@ $<
+xensec_tool: $(OBJS_TOOL)
+       $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $<
 
-secpol_xml2bin : secpol_xml2bin.c secpol_xml2bin.h
-       $(CC) $(CPPFLAGS) $(CFLAGS) $(CFLAGS_XML2BIN) $(VALIDATE_SCHEMA) -o $@ 
$<
+xensec_xml2bin: $(OBJS_XML2BIN)
+       $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $<
+
+get_decision: $(OBJS_GETD)
+       $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $<
 
 clean:
-       rm -rf secpol_tool secpol_xml2bin xen get_decision
+       $(RM) $(ACM_INST_TOOLS) $(ACM_NOINST_TOOLS)
+       $(RM) $(ACM_OBJS)
+       $(RM) $(PROG_DEPS)
+       $(RM) -r xen
 
-policy_clean:
-       rm -rf policies/*/*.bin policies/*/*.map
+mrproper: clean
 
-mrproper: clean policy_clean
+boot_install: install
+       $(ACM_SCRIPT_DIR)/updategrub.sh $(POLICY) $(KERNEL_VERSION)
 
-
-$(POLICYFILE) : build
-       @./secpol_xml2bin $(POLICY) > /dev/null
-
-boot_install: $(POLICYFILE)
-       @cp $(POLICYFILE) /boot
-       @./updategrub.sh $(POLICY) $(PWD)/$(XEN_ROOT)
+-include $(PROG_DEPS)
diff -r 3ab6a6c4b6ed -r 8aac8746047b tools/security/example.txt
--- a/tools/security/example.txt        Thu Dec  8 18:19:24 2005
+++ b/tools/security/example.txt        Thu Dec  8 18:21:05 2005
@@ -9,23 +9,23 @@
 # and to label domains and resources.
 ##
 
-We will show how to install and use the chwall_ste policy.
+We will show how to install and use the example chwall_ste policy.
 Other policies work similarly. Feedback welcome!
 
 
 
-1. Using secpol_xml2bin to translate the chwall_ste policy:
+1. Using xensec_xml2bin to translate the chwall_ste policy:
 ===========================================================
 
-#tools/security/secpol_xml2bin chwall_ste
+#xensec_xml2bin chwall_ste
 
 Successful execution should print:
 
-    [root@laptopxn security]# ./secpol_xml2bin chwall_ste
-    Validating label file 
policies/chwall_ste/chwall_ste-security_label_template.xml...
-    XML Schema policies/security_policy.xsd valid.
-    Validating policy file 
policies/chwall_ste/chwall_ste-security_policy.xml...
-    XML Schema policies/security_policy.xsd valid.
+    [root@laptopxn security]# xensec_xml2bin chwall_ste
+    Validating label file 
/etc/xen/acm-security/policies/chwall_ste/chwall_ste-security_label_template.xml...
+    XML Schema /etc/xen/acm-security/policies/security_policy.xsd valid.
+    Validating policy file 
/etc/xen/acm-security/policies/chwall_ste/chwall_ste-security_policy.xml...
+    XML Schema /etc/xen/acm-security/policies/security_policy.xsd valid.
     Creating ssid mappings ...
     Creating label mappings ...
     Max chwall labels:  7
@@ -35,10 +35,15 @@
     Max ste-types:      6
     Max ste-ssids:      10
 
-The tool looks in directory policies/chwall_ste for
+By default, the tool looks in directory /etc/xen/acm-security/policies
+for a directory that matches the policy name (i.e. chwall_ste) to find
 the label and policy files.
-
-The default policy directory structure under tools/security looks like:
+The '-d' option can be used to override the /etc/xen/acm-security/policies
+directory, for example if running the tool in the Xen security tool build
+directory.
+
+The default policy directory structure under /etc/xen/acm-security (and
+the Xen security tool build directory - tools/security) looks like:
 
 policies
 |-- security_policy.xsd
@@ -55,25 +60,25 @@
     |-- ste-security_label_template.xml
     `-- ste-security_policy.xml
 
-policies/security_policy.xsd contains the schema against which both the
+The security_policy.xsd file contains the schema against which both the
 label-template and the policy files must validate during translation.
 
-policies/chwall_ste/chwall_ste-security_policy.xml defines the
-policies and the types known to the policies.
-
-policies/chwall_ste/chwall_ste-security_label_template.xml contains
-label definitions that group chwall and ste types together and make
-them easier to use for users
-
-After executing the above secpol_xml2bin command, you will find 2 new
-files in the policies/chwall_ste sub-directory:
-
-policies/chwall_ste/chwall_ste.map ... this file includes the mapping
-of names from the xml files into their binary code representation.
-
-policies/chwall_ste/chwall_ste.bin ... this is the binary policy file,
-the result of parsing the xml files and using the mapping to extract a
-binary version that can be loaded into the hypervisor.
+The files ending in -security_policy.xml define the policies and the
+types known to the policies.
+
+The files ending in -security_label_template.xml contain the label
+definitions that group types together and make them easier to use for
+users.
+
+After executing the above xensec_xml2bin command, you will find 2 new
+files in the /etc/xen/acm-security/policies/chwall_ste sub-directory:
+
+  chwall_ste.map ... this file includes the mapping
+    of names from the xml files into their binary code representation.
+
+  chwall_ste.bin ... this is the binary policy file,
+    the result of parsing the xml files and using the mapping to extract a
+    binary version that can be loaded into the hypervisor.
 
 
 
@@ -85,13 +90,13 @@
 
 To activate the policy from the command line (assuming that the
 currently established policy is the minimal boot-policy that is
-hard-coded into the hypervisor:
-
-# ./secpol_tool loadpolicy policies/chwall_ste/chwall_ste.bin
+hard-coded into the hypervisor):
+
+# xensec_tool loadpolicy 
/etc/xen/acm-security/policies/chwall_ste/chwall_ste.bin
 
 To activate the policy at next reboot:
 
-# cp policies/chwall_ste/chwall_ste.bin /boot
+# cp /etc/xen/acm-security/policies/chwall_ste/chwall_ste.bin /boot
 
 Add a module line to your /boot/grub/grub.conf Xen entry.
 My boot entry with chwall_ste enabled looks like this:
@@ -129,12 +134,12 @@
 
 To show available labels for the chwall_ste policy:
 
-#tools/security/setlabel.sh -l
+# /etc/xen/acm-security/scripts/setlabel.sh -l
 
 lists all available labels. For the default chwall_ste it should print
 the following:
 
-    [root@laptopxn security]# ./setlabel.sh -l chwall_ste
+    [root@laptopxn security]# /etc/xen/acm-security/scripts/setlabel.sh -l 
chwall_ste
     The following labels are available:
     dom_SystemManagement
     dom_HomeBanking
@@ -156,8 +161,8 @@
 since only those are used at this time.
 
 If you would like to assign the dom_HomeBanking label to one of your
-user domains (which you hopefully keep clean), look at an example
-domain configuration homebanking.xm:
+user domains (which you hopefully keep clean), look at the hypothetical
+domain configuration contained in /etc/xen/homebanking.xm:
 
     #------HOMEBANKING---------
     kernel = "/boot/vmlinuz-2.6.12-xenU"
@@ -172,7 +177,7 @@
 
 Now we label this domain
 
-[root@laptopxn security]# ./setlabel.sh homebanking.xm dom_HomeBanking 
chwall_ste
+[root@laptopxn security]# /etc/xen/acm-securit/scripts/setlabel.sh 
/etc/xen/homebanking.xm dom_HomeBanking chwall_ste
 Mapped label 'dom_HomeBanking' to ssidref '0x00020002'.
 
 The domain configuration my look now like:
@@ -223,9 +228,8 @@
                                <type>cw_Distrusted</type>
                        </conflictset>
 
-(in policies/chwall_ste/chwall_ste-security_policy.xml), which says
-that only one of the types cw_sensitive and cw_Distrusted can run at a
-time.
+(in chwall_ste-security_policy.xml), which says that only one of the
+types cw_Sensitive and cw_Distrusted can run at a time.
 
 If you save or shutdown the HomeBanking domain, you will be able to
 start the "Fun" domain. You can look into the Xen log to see if a
@@ -255,15 +259,15 @@
 b) the label template definition (labels etc.) file
 
 If your policy name is "mypolicy", you need to create a
-subdirectory mypolicy in tools/security/policies.
+subdirectory mypolicy in /etc/xen/acm-security/policies.
 
 Then you create
-tools/security/policies/mypolicy/mypolicy-security_policy.xml and
-tools/security/policies/mypolicy/mypolicy-security_label_template.xml.
+/etc/xen/acm-security/policies/mypolicy/mypolicy-security_policy.xml and
+/etc/xen/acm-security/policies/mypolicy/mypolicy-security_label_template.xml.
 
 You need to keep to the schema as defined in
-tools/security/security_policy.xsd since the translation tool
-secpol_xml2bin is written against this schema.
+/etc/xen/acm-security/security_policy.xsd since the translation tool
+xensec_xml2bin is written against this schema.
 
 If you keep to the security policy schema, then you can use all the
 tools described above. Refer to install.txt to install it.
diff -r 3ab6a6c4b6ed -r 8aac8746047b tools/security/getlabel.sh
--- a/tools/security/getlabel.sh        Thu Dec  8 18:19:24 2005
+++ b/tools/security/getlabel.sh        Thu Dec  8 18:21:05 2005
@@ -32,20 +32,24 @@
 
 
 export PATH=$PATH:.
-source labelfuncs.sh
+dir=`dirname $0`
+source $dir/labelfuncs.sh
 
 usage ()
 {
+       prg=`basename $0`
 echo "Use this tool to display the label of a domain or the label that is
 corresponding to an ssidref given the name of the running policy.
 
-Usage: $0 -sid <ssidref> [<policy name>] or
-       $0 -dom <domid>   [<policy name>]
+Usage: $prg -sid <ssidref> [<policy name> [<policy dir>]] or
+       $prg -dom <domid>   [<policy name> [<policy dir>]]
 
 policy name : the name of the policy, i.e. 'chwall'
               If the policy name is omitted, the grub.conf
               entry of the running system is tried to be read
               and the policy name determined from there.
+policy dir  : the directory where the <policy name> policy is located
+              The default location is '/etc/xen/acm-security/policies'
 ssidref     : an ssidref in hex or decimal format, i.e., '0x00010002'
               or '65538'
 domid       : id of the domain, i.e., '1'; Use numbers from the 2nd
@@ -55,79 +59,36 @@
 
 
 
-if [ "$1" == "-?" ]; then
-       mode="usage"
+if [ "$1" == "-h" ]; then
+       usage
+       exit 0
 elif [ "$1" == "-dom" ]; then
        mode="domid"
        shift
 elif [ "$1" == "-sid" ]; then
        mode="sid"
        shift
-elif [ "$1" == "" ]; then
+else
        usage
        exit -1
 fi
 
+setPolicyVars $2 $3
+findMapFile $policy $policydir
+ret=$?
+if [ $ret -eq 0 ]; then
+       echo "Could not find map file for policy '$policy'."
+       exit -1
+fi
 
-if [ "$mode" == "usage" ]; then
-       usage
-elif [ "$mode" == "domid" ]; then
-       if [ "$2" == "" ]; then
-               findGrubConf
-               ret=$?
-               if [ $ret -eq 0 ]; then
-                       echo "Could not find grub.conf"
-                       exit -1;
-               fi
-               findPolicyInGrub $grubconf
-               if [ "$policy" != "" ]; then
-                       echo "Assuming policy to be '$policy'.";
-               else
-                       echo "Could not find policy."
-                       exit -1;
-               fi
-       else
-               policy=$2
+if [ "$mode" == "domid" ]; then
+       getSSIDUsingSecpolTool $1
+       ret=$?
+       if [ $ret -eq 0 ]; then
+               echo "Could not determine the SSID of the domain."
+               exit -1
        fi
-       findMapFile $policy
-       res=$?
-       if [ "$res" != "0" ]; then
-               getSSIDUsingSecpolTool $1
-               res=$?
-               if [ "$res" != "0" ]; then
-                       translateSSIDREF $ssid $mapfile
-               else
-                       echo "Could not determine the SSID of the domain."
-               fi
-       else
-               echo "Could not find map file for policy '$policy'."
-       fi
-elif [ "$mode" == "sid" ]; then
-       if [ "$2" == "" ]; then
-               findGrubConf
-               ret=$?
-               if [ $ret -eq 0 ]; then
-                       echo "Could not find grub.conf"
-                       exit -1;
-               fi
-               findPolicyInGrub $grubconf
-               if [ "$policy" != "" ]; then
-                       echo "Assuming policy to be '$policy'.";
-               else
-                       echo "Could not find policy."
-                       exit -1;
-               fi
-       else
-               policy=$2
-       fi
-       findMapFile $policy
-       res=$?
-       if [ "$res" != "0" ]; then
-               translateSSIDREF $1 $mapfile
-       else
-               echo "Could not find map file for policy '$policy'."
-       fi
-
-else
-    usage
+       translateSSIDREF $ssid $mapfile
+else # mode == sid
+       translateSSIDREF $1 $mapfile
 fi
diff -r 3ab6a6c4b6ed -r 8aac8746047b tools/security/install.txt
--- a/tools/security/install.txt        Thu Dec  8 18:19:24 2005
+++ b/tools/security/install.txt        Thu Dec  8 18:21:05 2005
@@ -41,11 +41,11 @@
        # make
 
        manual steps (alternative to make boot_install):
-       #./secpol_xml2bin chwall_ste
-       #cp policies/chwall_ste/chwall_ste.bin /boot
-       #edit /boot/grub/grub.conf
+       # ./xensec_xml2bin -d policies/ chwall_ste
+       # cp policies/chwall_ste/chwall_ste.bin /boot
+       # edit /boot/grub/grub.conf
         add the follwoing line to your xen boot entry:
-       "module chwall_ste.bin"
+       "module /boot/chwall_ste.bin"
 
        alternatively, you can try our automatic translation and
        installation of the policy:
@@ -61,9 +61,9 @@
 3. reboot into the newly compiled hypervisor
 
         after boot
-       #xm dmesg should show an entry about the policy being loaded
+       # xm dmesg should show an entry about the policy being loaded
             during the boot process
 
-        #tools/security/secpol_tool getpolicy
+        # xensec_tool getpolicy
             should print the new chwall_ste binary policy representation
 
diff -r 3ab6a6c4b6ed -r 8aac8746047b tools/security/labelfuncs.sh
--- a/tools/security/labelfuncs.sh      Thu Dec  8 18:19:24 2005
+++ b/tools/security/labelfuncs.sh      Thu Dec  8 18:21:05 2005
@@ -17,10 +17,53 @@
 #
 
 
+#Some global variables for tools using this module
+ACM_DEFAULT_ROOT="/etc/xen/acm-security"
+
+# Set the policy and policydir variables
+# Parameters:
+# 1st : possible policy name
+# 2nd : possible policy directory
+# Results:
+# The variables policy and policydir will hold the values for locating
+# policy information
+# If there are no errors, the functions returns a '1',
+# a '0' otherwise.
+setPolicyVars ()
+{
+       local ret
+       # Set default values
+       policydir="$ACM_DEFAULT_ROOT/policies"
+       policy=""
+
+       if [ "$1" == "" ]; then
+               findGrubConf
+               ret=$?
+               if [ $ret -eq 0 ]; then
+                       echo "Could not find grub.conf."
+                       return 0;
+               fi
+               findPolicyInGrub $grubconf
+               if [ "$policy" == "" ]; then
+                       echo "Could not find policy in grub.conf. Looked for 
entry using kernel $linux."
+                       return 0;
+               fi
+               echo "Assuming policy to be '$policy'.";
+       else
+               policy=$1
+               if [ "$2" != "" ]; then
+                       policydir=$2
+               fi
+       fi
+
+       return 1
+}
+
 # Find the mapfile given a policy nmame
 # Parameters:
 # 1st : the name of the policy whose map file is to be found, i.e.,
 #       chwall
+# 2nd : the policy directory for locating the map file
 # Results:
 # The variable mapfile will hold the realtive path to the mapfile
 # for the given policy.
@@ -28,16 +71,10 @@
 # a '0' otherwise.
 findMapFile ()
 {
-       mapfile="./$1.map"
+       mapfile="$2/$1/$1.map"
        if [ -r "$mapfile" ]; then
                return 1
        fi
-
-       mapfile="./policies/$1/$1.map"
-       if [ -r "$mapfile" ]; then
-               return 1
-       fi
-
        return 0
 }
 
@@ -50,7 +87,7 @@
 # The variable primary will hold the name of the primary policy
 getPrimaryPolicy ()
 {
-       mapfile=$1
+       local mapfile=$1
        primary=`cat $mapfile  |   \
                 awk '             \
                  {                \
@@ -71,7 +108,7 @@
 # The variable secondary will hold the name of the secondary policy
 getSecondaryPolicy ()
 {
-       mapfile=$1
+       local mapfile=$1
        secondary=`cat $mapfile  |   \
                 awk '             \
                  {                \
@@ -86,6 +123,10 @@
 
 #Return where the grub.conf file is.
 #I only know of one place it can be.
+#Returns:
+# 1 : if the file is writeable and readable
+# 2 : if the file is only readable
+# 0 : if the file does not exist
 findGrubConf()
 {
        grubconf="/boot/grub/grub.conf"
@@ -112,16 +153,37 @@
 # kernel, i.e., 'vmlinuz-2.6.12-xen0'
 getLinuxVersion ()
 {
-       path=$1
+       local path
+       local versionfile
+       local lnx
+       if [ "$1" == "" ]; then
+               path="/lib/modules/*-xen0"
+       else
+               path="/lib/modules/$1"
+       fi
+
        linux=""
        for f in $path/linux-*-xen0 ; do
-               versionfile=$f/include/linux/version.h
+               versionfile=$f/build/include/linux/version.h
                if [ -r $versionfile ]; then
                        lnx=`cat $versionfile | \
                             grep UTS_RELEASE | \
                             awk '{             \
                               len=length($3);  \
-                              print substr($3,2,len-2) }'`
+                              version=substr($3,2,len-2);     \
+                              split(version,numbers,".");     \
+                              if (numbers[4]=="") {           \
+                                printf("%s.%s.%s",            \
+                                        numbers[1],           \
+                                        numbers[2],           \
+                                        numbers[3]);          \
+                              } else {                        \
+                                printf("%s.%s.%s[.0-9]*-xen0",\
+                                       numbers[1],            \
+                                       numbers[2],            \
+                                       numbers[3]);           \
+                              }                               \
+                            }'`
                fi
                if [ "$lnx" != "" ]; then
                        linux="[./0-9a-zA-z]*$lnx"
@@ -137,11 +199,12 @@
 # Find out with which policy the hypervisor was booted with.
 # Parameters
 # 1st : The complete path to grub.conf, i.e., /boot/grub/grub.conf
-#
+# Result:
+# Sets the variable 'policy' to the name of the policy
 findPolicyInGrub ()
 {
-       grubconf=$1
-       linux=`uname -r`
+       local grubconf=$1
+       local linux=`uname -r`
        policy=`cat $grubconf |                        \
                 awk -vlinux=$linux '{                 \
                   if ( $1 == "title" ) {              \
@@ -184,9 +247,9 @@
 # The funtion returns '1' on success, '0' on failure
 getSSIDUsingSecpolTool ()
 {
-       domid=$1
+       local domid=$1
        export PATH=$PATH:.
-       ssid=`secpol_tool getssid -d $domid -f | \
+       ssid=`xensec_tool getssid -d $domid -f | \
                grep -E "SSID:" |          \
                awk '{ print $4 }'`
 
@@ -206,7 +269,7 @@
 # high ssid values as integers.
 getSSIDLOHI ()
 {
-       ssid=$1
+       local ssid=$1
        ssidlo_int=`echo $ssid | awk          \
                    '{                        \
                       len=length($0);        \
@@ -289,11 +352,11 @@
 #
 updateGrub ()
 {
-       grubconf=$1
-       policyfile=$2
-       linux=$3
-
-       tmpfile="/tmp/new_grub.conf"
+       local grubconf=$1
+       local policyfile=$2
+       local linux=$3
+
+       local tmpfile="/tmp/new_grub.conf"
 
        cat $grubconf |                                \
                 awk -vpolicy=$policyfile              \
@@ -343,7 +406,59 @@
                echo "Could not create temporary file! Aborting."
                exit -1
        fi
-       mv -f $tmpfile $grubconf
+       diff $tmpfile $grubconf > /dev/null
+       RES=$?
+       if [ "$RES" == "0" ]; then
+               echo "No changes were made to $grubconf."
+       else
+               echo "Successfully updated $grubconf."
+               mv -f $tmpfile $grubconf
+       fi
+}
+
+
+#Compile a policy into its binary representation
+# Parameters:
+# 1st: The directory where the ./policies directory is located at
+# 2nd: The name of the policy
+genBinPolicy ()
+{
+       local root=$1
+       local policy=$2
+       pushd $root > /dev/null
+       xensec_xml2bin -d policies $policy > /dev/null
+       popd > /dev/null
+}
+
+
+# Copy the bootpolicy into the destination directory
+# Generate the policy's .bin and .map files if necessary
+# Parameters:
+# 1st: Destination directory
+# 2nd: The root directory of the security tools; this is where the
+#      policies directory is located at
+# 3rd: The policy name
+# Returns  '1' on success, '0' on failure.
+cpBootPolicy ()
+{
+       local dest=$1
+       local root=$2
+       local policy=$3
+       local binfile=$root/policies/$policy/$policy.bin
+       local dstfile=$dest/$policy.bin
+       if [ ! -e $binfile ]; then
+               genBinPolicy $root $policy
+               if [ ! -e $binfile ]; then
+                       echo "Could not compile policy '$policy'."
+                       return 0
+               fi
+       fi
+
+       if [ ! -e $dstfile -o \
+            $binfile -nt $dstfile ]; then
+               cp -f $binfile $dstfile
+       fi
+       return 1
 }
 
 
@@ -352,7 +467,11 @@
 # 1st: Full or relative path to the policy's mapfile
 showLabels ()
 {
-       mapfile=$1
+       local mapfile=$1
+       local line
+       local ITEM
+       local found=0
+
        if [ ! -r "$mapfile" -o "$mapfile" == "" ]; then
                echo "Cannot read from vm configuration file $vmfile."
                return -1
@@ -417,8 +536,8 @@
 # 2nd: the name of the policy
 getDefaultSsid ()
 {
-       mapfile=$1
-       pol=$2
+       local mapfile=$1
+       local pol=$2
        RES=`cat $mapfile    \
             awk -vpol=$pol  \
              {              \
@@ -446,10 +565,13 @@
 #      other     : Prompts the user whether to proceed
 relabel ()
 {
-       vmfile=$1
-       label=$2
-       mapfile=$3
-       mode=$4
+       local vmfile=$1
+       local label=$2
+       local mapfile=$3
+       local mode=$4
+       local SSIDLO
+       local SSIDHI
+       local RES
 
        if [ ! -r "$vmfile" ]; then
                echo "Cannot read from vm configuration file $vmfile."
@@ -556,8 +678,8 @@
        fi
 
        #Write the output
-       vmtmp1="/tmp/__setlabel.tmp1"
-       vmtmp2="/tmp/__setlabel.tmp2"
+       local vmtmp1="/tmp/__setlabel.tmp1"
+       local vmtmp2="/tmp/__setlabel.tmp2"
        touch $vmtmp1
        touch $vmtmp2
        if [ ! -w "$vmtmp1" -o ! -w "$vmtmp2" ]; then
@@ -584,8 +706,10 @@
 # 2nd: Full or relative path to the policy's mapfile
 translateSSIDREF ()
 {
-       ssidref=$1
-       mapfile=$2
+       local ssidref=$1
+       local mapfile=$2
+       local line1
+       local line2
 
        if [ ! -r "$mapfile" -o "$mapfile" == "" ]; then
                echo "Cannot read from vm configuration file $vmfile."
diff -r 3ab6a6c4b6ed -r 8aac8746047b tools/security/secpol_tool.c
--- a/tools/security/secpol_tool.c      Thu Dec  8 18:19:24 2005
+++ b/tools/security/secpol_tool.c      Thu Dec  8 18:21:05 2005
@@ -44,12 +44,13 @@
 
 void usage(char *progname)
 {
-    printf("Use: %s \n"
+    printf("Usage: %s ACTION\n"
+           "ACTION is one of:\n"
            "\t getpolicy\n"
            "\t dumpstats\n"
            "\t loadpolicy <binary policy file>\n"
            "\t getssid -d <domainid> [-f]\n"
-                  "\t getssid -s <ssidref> [-f]\n", progname);
+           "\t getssid -s <ssidref> [-f]\n", progname);
     exit(-1);
 }
 
@@ -85,6 +86,7 @@
 
     if ((ret = do_xen_hypercall(xc_handle, &hypercall)) < 0)
     {
+        printf( "ACM operation failed: errno=%d\n", errno );
         if (errno == EACCES)
             fprintf(stderr, "ACM operation failed -- need to"
                     " rebuild the user-space tool set?\n");
diff -r 3ab6a6c4b6ed -r 8aac8746047b tools/security/secpol_xml2bin.c
--- a/tools/security/secpol_xml2bin.c   Thu Dec  8 18:19:24 2005
+++ b/tools/security/secpol_xml2bin.c   Thu Dec  8 18:21:05 2005
@@ -17,7 +17,7 @@
  * sHype policy translation tool. This tool takes an XML
  * policy specification as input and produces a binary
  * policy file that can be loaded into Xen through the
- * ACM operations (secpol_tool loadpolicy) interface or at
+ * ACM operations (xensec_tool loadpolicy) interface or at
  * boot time (grub module parameter)
  *
  * indent -i4 -kr -nut
@@ -102,12 +102,22 @@
 /* input/output file names */
 char *policy_filename = NULL,
     *label_filename = NULL,
-    *binary_filename = NULL, *mapping_filename = NULL;
+    *binary_filename = NULL, *mapping_filename = NULL,
+    *schema_filename = NULL;
 
 void usage(char *prg)
 {
-    printf("usage:\n%s policyname[-policy.xml/-security_label_template.xml]\n",
-         prg);
+    printf("Usage: %s [OPTIONS] POLICYNAME\n", prg);
+    printf("POLICYNAME is the directory name within the policy directory\n");
+    printf("that contains the policy files.  The default policy directory\n");
+    printf("is '%s' (see the '-d' option below to change it)\n", POLICY_DIR);
+    printf("The policy files contained in the POLICYNAME directory must be 
named:\n");
+    printf("\tPOLICYNAME-security_policy.xml\n");
+    printf("\tPOLICYNAME-security_label_template.xml\n\n");
+    printf("OPTIONS:\n");
+    printf("\t-d POLICYDIR\n");
+    printf("\t\tUse POLICYDIR as the policy directory. This directory must 
contain\n");
+    printf("\t\tthe policy schema file 'security_policy.xsd'\n");
     exit(EXIT_FAILURE);
 }
 
@@ -1237,7 +1247,7 @@
     xmlSchemaParserCtxtPtr schemaparser_ctxt = NULL;
     xmlSchemaValidCtxtPtr schemavalid_ctxt = NULL;
 
-    schemaparser_ctxt = xmlSchemaNewParserCtxt(SCHEMA_FILENAME);
+    schemaparser_ctxt = xmlSchemaNewParserCtxt(schema_filename);
     schema_ctxt = xmlSchemaParse(schemaparser_ctxt);
     schemavalid_ctxt = xmlSchemaNewValidCtxt(schema_ctxt);
 
@@ -1246,12 +1256,12 @@
     if ((err = xmlSchemaIsValid(schemavalid_ctxt)) != 1)
     {
         printf("ERROR: Invalid schema file %s (err=%d)\n",
-               SCHEMA_FILENAME, err);
+               schema_filename, err);
         err = -EIO;
         goto out;
     }
     else
-        printf("XML Schema %s valid.\n", SCHEMA_FILENAME);
+        printf("XML Schema %s valid.\n", schema_filename);
 #endif
     if ((err = xmlSchemaValidateDoc(schemavalid_ctxt, doc)))
     {
@@ -1275,37 +1285,59 @@
     char *file_prefix;
     int prefix_len;
 
+    int opt_char;
+    char *policy_dir = POLICY_DIR;
+
     if (ACM_POLICY_VERSION != WRITTEN_AGAINST_ACM_POLICY_VERSION)
     {
         printf("ERROR: This program was written against an older ACM 
version.\n");
         exit(EXIT_FAILURE);
     }
 
-    if (argc != 2)
+    while ((opt_char = getopt(argc, argv, "d:")) != -1) {
+        switch (opt_char) {
+        case 'd':
+            policy_dir = malloc(strlen(optarg) + 2); // null terminator and 
possibly "/"
+            if (!policy_dir) {
+                printf("ERROR allocating directory name memory.\n");
+                exit(EXIT_FAILURE);
+            }
+            strcpy(policy_dir, optarg);
+            if (policy_dir[strlen(policy_dir) - 1] != '/')
+                strcat(policy_dir, "/");
+            break;
+
+        default:
+            usage(basename(argv[0]));
+        }
+    }
+
+    if ((argc - optind) != 1)
         usage(basename(argv[0]));
 
-    prefix_len = strlen(POLICY_SUBDIR) +
-        strlen(argv[1]) + 1 /* "/" */  +
-        strlen(argv[1]) + 1 /* "/" */ ;
+    prefix_len = strlen(policy_dir) +
+        strlen(argv[optind]) + 1 /* "/" */  +
+        strlen(argv[optind]) + 1 /* null terminator */ ;
 
     file_prefix = malloc(prefix_len);
     policy_filename = malloc(prefix_len + strlen(POLICY_EXTENSION));
     label_filename = malloc(prefix_len + strlen(LABEL_EXTENSION));
     binary_filename = malloc(prefix_len + strlen(BINARY_EXTENSION));
     mapping_filename = malloc(prefix_len + strlen(MAPPING_EXTENSION));
+    schema_filename = malloc(strlen(policy_dir) + strlen(SCHEMA_FILENAME) + 1);
 
     if (!file_prefix || !policy_filename || !label_filename ||
-        !binary_filename || !mapping_filename)
+        !binary_filename || !mapping_filename || !schema_filename)
     {
         printf("ERROR allocating file name memory.\n");
         goto out2;
     }
 
     /* create input/output filenames out of prefix */
-    strcat(file_prefix, POLICY_SUBDIR);
-    strcat(file_prefix, argv[1]);
+    strcpy(file_prefix, policy_dir);
+    strcat(file_prefix, argv[optind]);
     strcat(file_prefix, "/");
-    strcat(file_prefix, argv[1]);
+    strcat(file_prefix, argv[optind]);
 
     strcpy(policy_filename, file_prefix);
     strcpy(label_filename, file_prefix);
@@ -1317,11 +1349,14 @@
     strcat(binary_filename, BINARY_EXTENSION);
     strcat(mapping_filename, MAPPING_EXTENSION);
 
+    strcpy(schema_filename, policy_dir);
+    strcat(schema_filename, SCHEMA_FILENAME);
+
     labeldoc = xmlParseFile(label_filename);
 
     if (labeldoc == NULL)
     {
-        printf("Error: could not parse file %s.\n", argv[1]);
+        printf("Error: could not parse file %s.\n", argv[optind]);
         goto out2;
     }
 
@@ -1337,7 +1372,7 @@
 
     if (policydoc == NULL)
     {
-        printf("Error: could not parse file %s.\n", argv[1]);
+        printf("Error: could not parse file %s.\n", argv[optind]);
         goto out1;
     }
 
diff -r 3ab6a6c4b6ed -r 8aac8746047b tools/security/secpol_xml2bin.h
--- a/tools/security/secpol_xml2bin.h   Thu Dec  8 18:19:24 2005
+++ b/tools/security/secpol_xml2bin.h   Thu Dec  8 18:21:05 2005
@@ -12,7 +12,7 @@
  * License.
  *
  */
-#define POLICY_SUBDIR       "policies/"
+#define POLICY_DIR          "/etc/xen/acm-security/policies/"
 #define POLICY_EXTENSION    "-security_policy.xml"
 #define LABEL_EXTENSION     "-security_label_template.xml"
 #define BINARY_EXTENSION    ".bin"
@@ -20,7 +20,7 @@
 #define PRIMARY_COMPONENT_ATTR_NAME "order"
 #define BOOTSTRAP_LABEL_ATTR_NAME   "bootstrap"
 #define PRIMARY_COMPONENT   "PrimaryPolicyComponent"
-#define SCHEMA_FILENAME     "policies/security_policy.xsd"
+#define SCHEMA_FILENAME     "security_policy.xsd"
 
 /* basic states (used as 1 << X) */
 #define XML2BIN_SECPOL             0   /* policy tokens */
diff -r 3ab6a6c4b6ed -r 8aac8746047b tools/security/setlabel.sh
--- a/tools/security/setlabel.sh        Thu Dec  8 18:19:24 2005
+++ b/tools/security/setlabel.sh        Thu Dec  8 18:21:05 2005
@@ -35,33 +35,29 @@
 fi
 
 export PATH=$PATH:.
-source labelfuncs.sh
+dir=`dirname $0`
+source $dir/labelfuncs.sh
 
 usage ()
 {
+       prg=`basename $0`
 echo "Use this tool to put the ssidref corresponding to a label of a policy 
into
 the VM configuration file, or use it to display all labels of a policy.
 
-Usage: $0 [Option] <vmfile> <label> [<policy name>]
-    or $0 -l [<policy name>]
+Usage: $prg [-r] <vmfile> <label> [<policy name> [<policy dir>]] or
+       $prg -l [<policy name> [<policy dir>]]
 
-Valid options are:
 -r          : to relabel a file without being prompted
-
+-l          : to show the valid labels in a map file
 vmfile      : XEN vm configuration file; give complete path
 label       : the label to map to an ssidref
 policy name : the name of the policy, i.e. 'chwall'
               If the policy name is omitted, it is attempted
               to find the current policy's name in grub.conf.
-
--l [<policy name>] is used to show valid labels in the map file of
-                   the given or current policy. If the policy name
-                   is omitted, it will be tried to determine the
-                   current policy from grub.conf (/boot/grub/grub.conf)
-
+policy dir  : the directory where the <policy name> policy is located
+              The default location is '/etc/xen/acm-security/policies'
 "
 }
-
 
 if [ "$1" == "-r" ]; then
        mode="relabel"
@@ -69,68 +65,42 @@
 elif [ "$1" == "-l" ]; then
        mode="show"
        shift
-elif [ "$1" == "-?" ]; then
+elif [ "$1" == "-h" ]; then
        mode="usage"
 fi
 
-if [ "$mode" == "show" ]; then
-       if [ "$1" == "" ]; then
-               findGrubConf
-               ret=$?
-               if [ $ret -eq 0 ]; then
-                       echo "Could not find grub.conf"
-                       exit -1;
-               fi
-               findPolicyInGrub $grubconf
-               if [ "$policy" != "" ]; then
-                       echo "Assuming policy to be '$policy'.";
-               else
-                       echo "Could not find policy."
-                       exit -1;
-               fi
-       else
-               policy=$1;
+if [ "$mode" == "usage" ]; then
+       usage
+elif [ "$mode" == "show" ]; then
+       setPolicyVars $1 $2
+       ret=$?
+       if [ $ret -eq 0 ]; then
+               echo "Error when trying to find policy-related information."
+               exit -1
        fi
-
-
-       findMapFile $policy
-       res=$?
-       if [ "$res" != "0" ]; then
-               showLabels $mapfile
-       else
+       findMapFile $policy $policydir
+       ret=$?
+       if [ $ret -eq 0 ]; then
                echo "Could not find map file for policy '$policy'."
+               exit -1
        fi
-elif [ "$mode" == "usage" ]; then
-       usage
+       showLabels $mapfile
 else
        if [ "$2" == "" ]; then
                usage
                exit -1
        fi
-       if [ "$3" == "" ]; then
-               findGrubConf
-               ret=$?
-               if [ $ret -eq 0 ]; then
-                       echo "Could not find grub.conf"
-                       exit -1;
-               fi
-               findPolicyInGrub $grubconf
-               if [ "$policy" != "" ]; then
-                       echo "Assuming policy to be '$policy'.";
-               else
-                       echo "Could not find policy."
-                       exit -1;
-               fi
-
-       else
-               policy=$3;
+       setPolicyVars $3 $4
+       ret=$?
+       if [ $ret -eq 0 ]; then
+               echo "Error when trying to find policy-related information."
+               exit -1
        fi
-       findMapFile $policy
-       res=$?
-       if [ "$res" != "0" ]; then
-               relabel $1 $2 $mapfile $mode
-       else
-               echo "Could not find map file for policy '$3'."
+       findMapFile $policy $policydir
+       ret=$?
+       if [ $ret -eq 0 ]; then
+               echo "Could not find map file for policy '$policy'."
+               exit -1
        fi
-
+       relabel $1 $2 $mapfile $mode
 fi
diff -r 3ab6a6c4b6ed -r 8aac8746047b tools/security/updategrub.sh
--- a/tools/security/updategrub.sh      Thu Dec  8 18:19:24 2005
+++ b/tools/security/updategrub.sh      Thu Dec  8 18:21:05 2005
@@ -22,166 +22,49 @@
        exit
 fi
 
+dir=`dirname $0`
+source $dir/labelfuncs.sh
+
+acmroot=$ACM_DEFAULT_ROOT
+
 
 # Show usage of this program
 usage ()
 {
+       prg=`basename $0`
 echo "Use this tool to add the binary policy to the Xen grub entry and
 have Xen automatically enforce the policy when starting.
 
-Usage: $0 <policy name> <root of xen repository>
+Usage: $prg [-d <policies root>] <policy name> [<kernel version>]
 
-<policy name>             : The name of the policy, i.e. xen_null
-<root of xen repository>  : The root of the XEN repository. Give
-                            complete path.
-
+<policies root>  : The directory where the policies directory is located in;
+                   default is $acmroot
+<policy name>    : The name of the policy, i.e. xen_null
+<kernel version> : The version of the kernel to apply the policy
+                   against, i.e. 2.6.12.6-xen0
+                   If not specified, a kernel version ending with '-xen0'
+                   will be searched for in '/lib/modules'
 "
 }
 
-# This function sets the global variable 'linux'
-# to the name of the linux kernel that was compiled
-# For now a pattern should do the trick
-getLinuxVersion ()
-{
-       path=$1
-       linux=""
-       for f in $path/linux-*-xen0 ; do
-               versionfile=$f/include/linux/version.h
-               if [ -r $versionfile ]; then
-                       lnx=`cat $versionfile |                \
-                            grep UTS_RELEASE |                \
-                            awk '{                            \
-                              len=length($3);                 \
-                              version=substr($3,2,len-2);     \
-                              split(version,numbers,".");     \
-                              if (numbers[4]=="") {           \
-                                printf("%s.%s.%s",            \
-                                        numbers[1],           \
-                                        numbers[2],           \
-                                        numbers[3]);          \
-                              } else {                        \
-                                printf("%s.%s.%s[.0-9]*-xen0",\
-                                       numbers[1],            \
-                                       numbers[2],            \
-                                       numbers[3]);           \
-                              }                               \
-                            }'`
-               fi
-               if [ "$lnx" != "" ]; then
-                       linux="[./0-9a-zA-z]*$lnx"
-                       return;
-               fi
-       done
-
-       #Last resort.
-       linux="vmlinuz-2.[45678].[0-9]*[.0-9]*-xen0$"
-}
-
-#Return where the grub.conf file is.
-#I only know of one place it can be.
-findGrubConf()
-{
-       grubconf="/boot/grub/grub.conf"
-       if [ -w $grubconf ]; then
-               return 1
-       fi
-       return 0
-}
 
 
-#Update the grub configuration file.
-#Search for existing entries and replace the current
-#policy entry with the policy passed to this script
-#
-#Arguments passed to this function
-# 1st : the grub configuration file
-# 2nd : the binary policy file name
-# 3rd : the name or pattern of the linux kernel name to match
-#
-# The algorithm here is based on pattern matching
-# and is working correctly if
-# - under a title a line beginning with 'kernel' is found
-#   whose following item ends with "xen.gz"
-#   Example:  kernel /xen.gz dom0_mem=....
-# - a module line matching the 3rd parameter is found
-#
-updateGrub ()
-{
-       grubconf=$1
-       policyfile=$2
-       linux=$3
+if [ "$1" == "-h" ]; then
+       usage
+       exit 0
+elif [ "$1" == "-d" ]; then
+       shift
+       acmroot=$1
+       shift
+fi
 
-       tmpfile="/tmp/new_grub.conf"
-
-       cat $grubconf |                                \
-                awk -vpolicy=$policyfile              \
-                    -vlinux=$linux '{                 \
-                  if ( $1 == "title" ) {              \
-                    kernelfound = 0;                  \
-                    if ( policymaycome == 1 ){        \
-                      printf ("\tmodule %s%s\n", path, policy);      \
-                    }                                 \
-                    policymaycome = 0;                \
-                  }                                   \
-                  else if ( $1 == "kernel" ) {        \
-                    if ( match($2,"xen.gz$") ) {      \
-                      path=substr($2,1,RSTART-1);     \
-                      kernelfound = 1;                \
-                    }                                 \
-                  }                                   \
-                  else if ( $1 == "module" &&         \
-                            kernelfound == 1 &&       \
-                            match($2,linux) ) {       \
-                     policymaycome = 1;               \
-                  }                                   \
-                  else if ( $1 == "module" &&         \
-                            kernelfound == 1 &&       \
-                            policymaycome == 1 &&     \
-                            match($2,"[0-9a-zA-Z]*.bin$") ) { \
-                     printf ("\tmodule %s%s\n", path, policy); \
-                     policymaycome = 0;               \
-                     kernelfound = 0;                 \
-                     dontprint = 1;                   \
-                  }                                   \
-                  else if ( $1 == "" &&               \
-                            kernelfound == 1 &&       \
-                            policymaycome == 1) {     \
-                     dontprint = 1;                   \
-                  }                                   \
-                  if (dontprint == 0) {               \
-                    printf ("%s\n", $0);              \
-                  }                                   \
-                  dontprint = 0;                      \
-                } END {                               \
-                  if ( policymaycome == 1 ) {         \
-                    printf ("\tmodule %s%s\n", path, policy);  \
-                  }                                   \
-                }' > $tmpfile
-       if [ ! -r $tmpfile ]; then
-               echo "Could not create temporary file! Aborting."
-               exit -1
-       fi
-       diff $tmpfile $grubconf > /dev/null
-       RES=$?
-       if [ "$RES" == "0" ]; then
-               echo "No changes were made to $grubconf."
-       else
-               echo "Successfully updated $grubconf."
-               mv -f $tmpfile $grubconf
-       fi
-}
-
-if [ "$1" == "" -o "$2" == "" ]; then
+if [ "$1" == "" ]; then
        echo "Error: Not enough command line parameters."
        echo ""
        usage
        exit -1
 fi
 
-if [ "$1" == "-?" ]; then
-       usage
-       exit 0
-fi
 
 policy=$1
 policyfile=$policy.bin
@@ -189,10 +72,19 @@
 getLinuxVersion $2
 
 findGrubConf
-ERR=$?
-if [ $ERR -eq 0 ]; then
-       echo "Could not find grub.conf. Aborting."
+ret=$?
+if [ $ret -eq 0 ]; then
+       echo "Could not find grub.conf."
+       exit -1
+elif [ $ret -eq 2 ]; then
+       echo "Need to have write-access to $grubconf. Exiting."
        exit -1
 fi
 
+cpBootPolicy /boot $acmroot $policy
+ret=$?
+if [ $ret -ne 1 ]; then
+       echo "Error copying or generating the binary policy."
+       exit -1
+fi
 updateGrub $grubconf $policyfile $linux

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog

<Prev in Thread] Current Thread [Next in Thread>
  • [Xen-changelog] The attached patch makes a couple of changes to the ACM security tools, Xen patchbot -unstable <=