WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-devel

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Xen-devel] [PATCH] tools/ Exposes Flask XSM AVC functions to user-space

from [Machon Gregory] [Permanent Link][Original]
To: xen-devel@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-devel] [PATCH] tools/ Exposes Flask XSM AVC functions to user-space
From: Machon Gregory <mbgrego@xxxxxxxxxxxxxx>
Date: Fri, 22 Jan 2010 11:05:05 -0500
Cc: tc-team@xxxxxxxxxxxxxxxxxxxxx
Delivery-date: Fri, 22 Jan 2010 08:04:50 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Thunderbird 2.0.0.21 (X11/20090320) 
This patch exposes the flask_access,  flask_avc_cachestats,
flask_avc_hashstats, flask_getavc_threshold, flask_setavc_threshold, and
flask_policyvers functions to user-space. A python wrapper was created
for the flask_access function to facilitate policy based user-space
access control decisions. flask.h was renamed to libflask.h to remove a
naming conflict.

Signed-off-by : Machon Gregory <mbgrego@xxxxxxxxxxxxxx>

---

 tools/flask/libflask/Makefile           |    2
 tools/flask/libflask/flask_op.c         |  159
+++++++++++++++++++++++++++++++-
 tools/flask/libflask/include/flask.h    |   43 --------
 tools/flask/libflask/include/libflask.h |   53 ++++++++++
 tools/flask/utils/getenforce.c          |    2
 tools/flask/utils/loadpolicy.c          |    2
 tools/flask/utils/setenforce.c          |    2
 tools/python/xen/lowlevel/flask/flask.c |   60 +++++++++++-
 8 files changed, 274 insertions(+), 49 deletions(-)




diff -r c06732ac2392 tools/flask/libflask/Makefile
--- a/tools/flask/libflask/Makefile     Thu Jan 21 15:13:00 2010 +0000
+++ b/tools/flask/libflask/Makefile     Thu Jan 21 16:14:41 2010 -0500
@@ -38,7 +38,7 @@
        $(INSTALL_DATA) libflask.a $(DESTDIR)$(LIBDIR)
        ln -sf libflask.so.$(MAJOR).$(MINOR) 
$(DESTDIR)$(LIBDIR)/libflask.so.$(MAJOR)
        ln -sf libflask.so.$(MAJOR) $(DESTDIR)$(LIBDIR)/libflask.so
-       $(INSTALL_DATA) include/flask.h $(DESTDIR)$(INCLUDEDIR)
+       $(INSTALL_DATA) include/libflask.h $(DESTDIR)$(INCLUDEDIR)/xen/xsm
 
 .PHONY: TAGS
 TAGS:
diff -r c06732ac2392 tools/flask/libflask/flask_op.c
--- a/tools/flask/libflask/flask_op.c   Thu Jan 21 15:13:00 2010 +0000
+++ b/tools/flask/libflask/flask_op.c   Thu Jan 21 16:14:41 2010 -0500
@@ -19,7 +19,7 @@
 #include <stdlib.h>
 #include <stdint.h>
 #include <sys/ioctl.h>
-#include <flask.h>
+#include <libflask.h>
 #include <xenctrl.h>
 
 int flask_load(int xc_handle, char *buf, uint32_t size)
@@ -342,3 +342,160 @@
     return 0;
 
 }
+
+int flask_access(int xc_handle, const char *scon, const char *tcon,
+                u_int16_t tclass, u_int32_t req,
+                u_int32_t *allowed, u_int32_t *decided,
+                u_int32_t *auditallow, u_int32_t *auditdeny,
+                u_int32_t *seqno)
+{
+/* maximum number of digits in a 16-bit decimal number: */
+#define MAX_SHORT_DEC_LEN 5
+
+    char *buf;
+    int bufLen;
+    int err;
+    flask_op_t op;
+    u_int32_t dummy_allowed;
+    u_int32_t dummy_decided;
+    u_int32_t dummy_auditallow;
+    u_int32_t dummy_auditdeny;
+    u_int32_t dummy_seqno;
+  
+    if (!allowed)
+        allowed = &dummy_allowed;
+    if (!decided)
+        decided = &dummy_decided;
+    if (!auditallow)
+        auditallow = &dummy_auditallow;
+    if (!auditdeny)
+        auditdeny = &dummy_auditdeny;
+    if (!seqno)
+        seqno = &dummy_seqno;
+
+    if (!scon)
+        return -EINVAL;
+    if (!tcon)
+        return -EINVAL;
+
+    bufLen = strlen(scon) + 1 + strlen(tcon) + 1 +
+        MAX_SHORT_DEC_LEN + 1 +
+        sizeof(req)*2 + 1;
+    buf = malloc(bufLen);
+    snprintf(buf, bufLen, "%s %s %hu %x", scon, tcon, tclass, req);
+
+    op.cmd = FLASK_ACCESS;
+    op.buf = buf;
+    op.size = strlen(buf)+1;
+    
+    if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+    {
+        free(buf);
+        return err;
+    }
+   
+    if (sscanf(op.buf, "%x %x %x %x %u",
+               allowed, decided,
+               auditallow, auditdeny,
+               seqno) != 5) {
+        err = -EILSEQ;
+    }
+
+    err = ((*allowed & req) == req)? 0 : -EPERM;
+
+    return err;
+
+}
+
+int flask_avc_hashstats(int xc_handle, char *buf, int size)
+{
+    int err;
+    flask_op_t op;
+  
+    op.cmd = FLASK_AVC_HASHSTATS;
+    op.buf = buf;
+    op.size = size;
+  
+    if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+    {
+        free(buf);
+        return err;
+    }
+
+    return 0;
+}
+
+int flask_avc_cachestats(int xc_handle, char *buf, int size)
+{
+    int err;
+    flask_op_t op;
+  
+    op.cmd = FLASK_AVC_CACHESTATS;
+    op.buf = buf;
+    op.size = size;
+  
+    if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+    {
+        free(buf);
+        return err;
+    }
+
+    return 0;
+}
+
+int flask_policyvers(int xc_handle, char *buf, int size)
+{
+    int err;
+    flask_op_t op;
+  
+    op.cmd = FLASK_POLICYVERS;
+    op.buf = buf;
+    op.size = size;
+
+    if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+    {
+        free(buf);
+        return err;
+    }
+
+    return 0;
+}
+
+int flask_getavc_threshold(int xc_handle)
+{
+    int err;
+    flask_op_t op;
+    char buf[20];            
+    int size = 20;
+    int threshold;
+ 
+    op.cmd = FLASK_GETAVC_THRESHOLD;
+    op.buf = buf;
+    op.size = size;
+    
+    if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+        return err;
+
+    sscanf(buf, "%i", &threshold);
+
+    return threshold;
+}
+
+int flask_setavc_threshold(int xc_handle, int threshold)
+{
+    int err;
+    flask_op_t op;
+    char buf[20];            
+    int size = 20;
+ 
+    op.cmd = FLASK_SETAVC_THRESHOLD;
+    op.buf = buf;
+    op.size = size;
+
+    snprintf(buf, size, "%i", threshold);
+ 
+    if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+        return err;
+
+    return 0;
+}
diff -r c06732ac2392 tools/flask/libflask/include/flask.h
--- a/tools/flask/libflask/include/flask.h      Thu Jan 21 15:13:00 2010 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,43 +0,0 @@
-/*
- *
- *  Authors:  Michael LeMay, <mdlemay@xxxxxxxxxxxxxx>
- *            George Coker, <gscoker@xxxxxxxxxxxxxx>
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License version 2,
- *  as published by the Free Software Foundation.
- */
-
-#ifndef __FLASK_H__
-#define __FLASK_H__
-
-#include <stdint.h>
-#include <xen/xen.h>
-#include <xen/xsm/flask_op.h>
-
-int flask_load(int xc_handle, char *buf, uint32_t size);
-int flask_context_to_sid(int xc_handle, char *buf, uint32_t size, uint32_t 
*sid);
-int flask_sid_to_context(int xc_handle, int sid, char *buf, uint32_t size);
-int flask_getenforce(int xc_handle);
-int flask_setenforce(int xc_handle, int mode);
-int flask_add_pirq(int xc_handle, unsigned int pirq, char *scontext);
-int flask_add_ioport(int xc_handle, unsigned long low, unsigned long high,
-                      char *scontext);
-int flask_add_iomem(int xc_handle, unsigned long low, unsigned long high,
-                     char *scontext);
-int flask_add_device(int xc_handle, unsigned long device, char *scontext);
-int flask_del_pirq(int xc_handle, unsigned int pirq);
-int flask_del_ioport(int xc_handle, unsigned long low, unsigned long high);
-int flask_del_iomem(int xc_handle, unsigned long low, unsigned long high);
-int flask_del_device(int xc_handle, unsigned long device);
-#define flask_add_single_ioport(x, l, s) flask_add_ioport(x, l, l, s)
-#define flask_add_single_iomem(x, l, s) flask_add_iomem(x, l, l, s)
-#define flask_del_single_ioport(x, l) flask_del_ioport(x, l, l)
-#define flask_del_single_iomem(x, l) flask_del_iomem(x, l, l);
-
-#define OCON_PIRQ_STR   "pirq"
-#define OCON_IOPORT_STR "ioport"
-#define OCON_IOMEM_STR  "iomem"
-#define OCON_DEVICE_STR "pcidevice"
-#define INITCONTEXTLEN  256
-#endif /* __FLASK_H__ */
diff -r c06732ac2392 tools/flask/libflask/include/libflask.h
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/flask/libflask/include/libflask.h   Thu Jan 21 16:14:41 2010 -0500
@@ -0,0 +1,53 @@
+/*
+ *
+ *  Authors:  Michael LeMay, <mdlemay@xxxxxxxxxxxxxx>
+ *            George Coker, <gscoker@xxxxxxxxxxxxxx>
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2,
+ *  as published by the Free Software Foundation.
+ */
+
+#ifndef __LIBFLASK_H__
+#define __LIBFLASK_H__
+
+#include <stdint.h>
+#include <xen/xen.h>
+#include <xen/xsm/flask_op.h>
+
+int flask_load(int xc_handle, char *buf, uint32_t size);
+int flask_context_to_sid(int xc_handle, char *buf, uint32_t size, uint32_t 
*sid);
+int flask_sid_to_context(int xc_handle, int sid, char *buf, uint32_t size);
+int flask_getenforce(int xc_handle);
+int flask_setenforce(int xc_handle, int mode);
+int flask_add_pirq(int xc_handle, unsigned int pirq, char *scontext);
+int flask_add_ioport(int xc_handle, unsigned long low, unsigned long high,
+                      char *scontext);
+int flask_add_iomem(int xc_handle, unsigned long low, unsigned long high,
+                     char *scontext);
+int flask_add_device(int xc_handle, unsigned long device, char *scontext);
+int flask_del_pirq(int xc_handle, unsigned int pirq);
+int flask_del_ioport(int xc_handle, unsigned long low, unsigned long high);
+int flask_del_iomem(int xc_handle, unsigned long low, unsigned long high);
+int flask_del_device(int xc_handle, unsigned long device);
+int flask_access(int xc_handle, const char *scon, const char *tcon,
+                  u_int16_t tclass, u_int32_t req,
+                  u_int32_t *allowed, u_int32_t *decided,
+                  u_int32_t *auditallow, u_int32_t *auditdeny,
+                  u_int32_t *seqno);
+int flask_avc_cachestats(int xc_handle, char *buf, int size);
+int flask_policyvers(int xc_handle, char *buf, int size);
+int flask_avc_hashstats(int xc_handle, char *buf, int size);
+int flask_getavc_threshold(int xc_handle);
+int flask_setavc_threshold(int xc_handle, int threshold);
+#define flask_add_single_ioport(x, l, s) flask_add_ioport(x, l, l, s)
+#define flask_add_single_iomem(x, l, s) flask_add_iomem(x, l, l, s)
+#define flask_del_single_ioport(x, l) flask_del_ioport(x, l, l)
+#define flask_del_single_iomem(x, l) flask_del_iomem(x, l, l);
+
+#define OCON_PIRQ_STR   "pirq"
+#define OCON_IOPORT_STR "ioport"
+#define OCON_IOMEM_STR  "iomem"
+#define OCON_DEVICE_STR "pcidevice"
+#define INITCONTEXTLEN  256
+#endif /* __LIBFLASK_H__ */
diff -r c06732ac2392 tools/flask/utils/getenforce.c
--- a/tools/flask/utils/getenforce.c    Thu Jan 21 15:13:00 2010 +0000
+++ b/tools/flask/utils/getenforce.c    Thu Jan 21 16:14:41 2010 -0500
@@ -16,7 +16,7 @@
 #include <sys/stat.h>
 #include <string.h>
 #include <unistd.h>
-#include <flask.h>
+#include <libflask.h>
 
 static void usage (int argCnt, const char *args[])
 {
diff -r c06732ac2392 tools/flask/utils/loadpolicy.c
--- a/tools/flask/utils/loadpolicy.c    Thu Jan 21 15:13:00 2010 +0000
+++ b/tools/flask/utils/loadpolicy.c    Thu Jan 21 16:14:41 2010 -0500
@@ -17,7 +17,7 @@
 #include <sys/stat.h>
 #include <string.h>
 #include <unistd.h>
-#include <flask.h>
+#include <libflask.h>
 
 #define USE_MMAP
 
diff -r c06732ac2392 tools/flask/utils/setenforce.c
--- a/tools/flask/utils/setenforce.c    Thu Jan 21 15:13:00 2010 +0000
+++ b/tools/flask/utils/setenforce.c    Thu Jan 21 16:14:41 2010 -0500
@@ -16,7 +16,7 @@
 #include <sys/stat.h>
 #include <string.h>
 #include <unistd.h>
-#include <flask.h>
+#include <libflask.h>
 
 static void usage (int argCnt, const char *args[])
 {
diff -r c06732ac2392 tools/python/xen/lowlevel/flask/flask.c
--- a/tools/python/xen/lowlevel/flask/flask.c   Thu Jan 21 15:13:00 2010 +0000
+++ b/tools/python/xen/lowlevel/flask/flask.c   Thu Jan 21 16:14:41 2010 -0500
@@ -12,7 +12,7 @@
 
 #include <Python.h>
 #include <xenctrl.h>
-#include <flask.h>
+#include <libflask.h>
 
 #define PKG "xen.lowlevel.flask"
 #define CLS "flask"
@@ -190,6 +190,44 @@
     return Py_BuildValue("i", ret);
 }
 
+static PyObject *pyflask_access(PyObject *self, PyObject *args,
+                                                       PyObject *kwds)
+{
+    int xc_handle;
+    char *tcon, *scon;
+    uint16_t tclass;
+    uint32_t req, allowed, decided, auditallow, auditdeny, seqno;
+    int ret;
+
+    static char *kwd_list[] = { "src_context", "tar_context", 
+                                "tar_class", "req_permissions",
+                                "decided", "auditallow","auditdeny",
+                                "seqno", NULL };
+
+    if ( !PyArg_ParseTupleAndKeywords(args, kwds, "ssil|llll", kwd_list,
+                                      &scon, &tcon, &tclass, &req, &decided,
+                                      &auditallow, &auditdeny, &seqno) )
+        return NULL;
+
+    xc_handle = xc_interface_open();
+    if (xc_handle < 0) {
+        errno = xc_handle;
+        return PyErr_SetFromErrno(xc_error_obj);
+    }
+    
+    ret = flask_access(xc_handle, scon, tcon, tclass, req, &allowed, &decided,
+                        &auditallow, &auditdeny, &seqno);
+        
+    xc_interface_close(xc_handle);
+
+    if ( ret != 0 ) {
+        errno = -ret;
+        return PyErr_SetFromErrno(xc_error_obj);
+    }
+
+    return Py_BuildValue("i",ret);
+}
+
 static PyMethodDef pyflask_methods[] = {
     { "flask_context_to_sid",
       (PyCFunction)pyflask_context_to_sid,
@@ -224,7 +262,27 @@
       "Modifies the current mode for the Flask XSM module.\n"
       " mode [int]: mode to change to\n"
       "Returns: [int]: 0 on success; -1 on failure.\n" }, 
+
+    { "flask_access",
+      (PyCFunction)pyflask_access,
+      METH_KEYWORDS, "\n"
+      "Returns whether a source context has access to target context based on \
+       class and permissions requested.\n"
+      " scon [str]: source context\n"
+      " tcon [str]: target context\n"
+      " tclass [int]: target security class\n"
+      " req [int] requested permissions\n"
+      " allowed [int] permissions allow for the target class between the 
source \
+        and target context\n"
+      " decided [int] the permissions that were returned in the allowed \
+        parameter\n"
+      " auditallow [int] permissions set to audit on allow\n"
+      " auditdeny [int] permissions set to audit on deny\n"
+      " seqno [int] not used\n"
+      "Returns: [int]: 0 on all permission granted; -1 if any permissions are \
+       denied\n" }, 
     { NULL, NULL, 0, NULL }
+
 };
 
 PyMODINIT_FUNC initflask(void)

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Xen-devel] Re: libconfig installs in /lib, should be /lib64, Stefano Stabellini
Next by Date:  Re: [Xen-devel] [PATCH] tools/ Exposes Flask XSM AVC functions to user-space, Keir Fraser
Previous by Thread:  [Xen-community] Xen.org Community Weekly Newsletter Vol 10 No 3, Stephen Spector
Next by Thread:  Re: [Xen-devel] [PATCH] tools/ Exposes Flask XSM AVC functions to user-space, Keir Fraser
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy