[Xen-changelog] merge?
# HG changeset patch # User cl349@xxxxxxxxxxxxxxxxxxxx # Node ID bf1746842c46602fae0b17af7c5a012b064ffae8 # Parent a86fb4df3bdd591a302527496700c9b950e49db8 # Parent 7b6f55756f9c3079e9fb46cfe44a7c14f16a81b0 merge? diff -r a86fb4df3bdd -r bf1746842c46 Config.mk --- a/Config.mk Fri Aug 19 12:21:29 2005 +++ b/Config.mk Fri Aug 19 12:22:27 2005 @@ -35,3 +35,11 @@ # Choose the best mirror to download linux kernel KERNEL_REPO = http://www.kernel.org + +# ACM_USE_SECURITY_POLICY is set to security policy of Xen +# Supported models are: +# ACM_NULL_POLICY (ACM will not be built with this policy) +# ACM_CHINESE_WALL_POLICY +# ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY +# ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY +ACM_USE_SECURITY_POLICY ?= ACM_NULL_POLICY diff -r a86fb4df3bdd -r bf1746842c46 docs/src/user.tex --- a/docs/src/user.tex Fri Aug 19 12:21:29 2005 +++ b/docs/src/user.tex Fri Aug 19 12:22:27 2005 @@ -1763,7 +1763,7 @@ physical address in the memory map will be ignored. This parameter may be specified with a B, K, M or G suffix, representing bytes, kilobytes, megabytes and gigabytes respectively. The - default unit, if no suffix is specified, is bytes. + default unit, if no suffix is specified, is kilobytes. \item [dom0\_mem=xxx ] Set the amount of memory to be allocated to domain0. In Xen 3.x the parameter diff -r a86fb4df3bdd -r bf1746842c46 linux-2.6-xen-sparse/arch/xen/i386/kernel/swiotlb.c --- a/linux-2.6-xen-sparse/arch/xen/i386/kernel/swiotlb.c Fri Aug 19 12:21:29 2005 +++ b/linux-2.6-xen-sparse/arch/xen/i386/kernel/swiotlb.c Fri Aug 19 12:22:27 2005 @@ -94,9 +94,6 @@ iotlb_nslabs = simple_strtoul(str, &str, 0) << (20 - IO_TLB_SHIFT); iotlb_nslabs = ALIGN(iotlb_nslabs, IO_TLB_SEGSIZE); - /* Round up to power of two (xen_create_contiguous_region). */ - while (iotlb_nslabs & (iotlb_nslabs-1)) - iotlb_nslabs += iotlb_nslabs & ~(iotlb_nslabs-1); } if (*str == ',') ++str; 
@@ -123,9 +120,6 @@ if (!iotlb_nslabs) { iotlb_nslabs = (default_size >> IO_TLB_SHIFT); iotlb_nslabs = ALIGN(iotlb_nslabs, IO_TLB_SEGSIZE); - /* Round up to power of two (xen_create_contiguous_region). */ - while (iotlb_nslabs & (iotlb_nslabs-1)) - iotlb_nslabs += iotlb_nslabs & ~(iotlb_nslabs-1); } bytes = iotlb_nslabs * (1UL << IO_TLB_SHIFT); @@ -135,10 +129,14 @@ */ iotlb_virt_start = alloc_bootmem_low_pages(bytes); if (!iotlb_virt_start) - panic("Cannot allocate SWIOTLB buffer"); - - xen_create_contiguous_region( - (unsigned long)iotlb_virt_start, get_order(bytes)); + panic("Cannot allocate SWIOTLB buffer!\n" + "Use dom0_mem Xen boot parameter to reserve\n" + "some DMA memory (e.g., dom0_mem=-128M).\n"); + + for (i = 0; i < iotlb_nslabs; i += IO_TLB_SEGSIZE) + xen_create_contiguous_region( + (unsigned long)iotlb_virt_start + (i << IO_TLB_SHIFT), + get_order(IO_TLB_SEGSIZE << IO_TLB_SHIFT)); iotlb_virt_end = iotlb_virt_start + bytes; diff -r a86fb4df3bdd -r bf1746842c46 linux-2.6-xen-sparse/arch/xen/x86_64/kernel/setup64.c --- a/linux-2.6-xen-sparse/arch/xen/x86_64/kernel/setup64.c Fri Aug 19 12:21:29 2005 +++ b/linux-2.6-xen-sparse/arch/xen/x86_64/kernel/setup64.c Fri Aug 19 12:22:27 2005 @@ -280,19 +280,16 @@ if (cpu) { memcpy(cpu_gdt_table[cpu], cpu_gdt_table[0], GDT_SIZE); } -#endif cpu_gdt_descr[cpu].size = GDT_SIZE; cpu_gdt_descr[cpu].address = (unsigned long)cpu_gdt_table[cpu]; - cpu_gdt_init(&cpu_gdt_descr[cpu]); - -#ifndef CONFIG_XEN memcpy(me->thread.tls_array, cpu_gdt_table[cpu], GDT_ENTRY_TLS_ENTRIES * 8); - #else memcpy(me->thread.tls_array, &get_cpu_gdt_table(cpu)[GDT_ENTRY_TLS_MIN], GDT_ENTRY_TLS_ENTRIES * 8); + + cpu_gdt_init(&cpu_gdt_descr[cpu]); #endif /* diff -r a86fb4df3bdd -r bf1746842c46 tools/security/Makefile --- a/tools/security/Makefile Fri Aug 19 12:21:29 2005 +++ b/tools/security/Makefile Fri Aug 19 12:22:27 2005 
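Review bot: The new per-segment loop in the third swiotlb.c hunk silently relies on iotlb_nslabs being a multiple of IO_TLB_SEGSIZE, which holds only because both sizing paths above ALIGN() it; that invariant should be stated at the loop, e.g. `/* iotlb_nslabs is a multiple of IO_TLB_SEGSIZE (ALIGN above): each segment is made physically contiguous on its own. */`, together with why per-segment contiguity is enough (presumably the swiotlb allocator never hands out a mapping that crosses a segment boundary — confirm). The loop index `i` is not declared within the hunk; if it is not already declared at the top of the enclosing function (which starts outside the hunk) this does not compile. If xen_create_contiguous_region() reports failure in this version of the sparse tree (it is void in some revisions — verify), a failed segment leaves part of the bounce buffer non-DMA-able with no diagnostic, so its result should be checked and the panic path taken.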
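Review bot: In the setup64.c hunk, dropping the first `#endif` and moving `cpu_gdt_init(&cpu_gdt_descr[cpu])` into the `#else` branch leaves the assignments to `cpu_gdt_descr[cpu].size` and `.address` inside the conditional block that opens above the hunk (presumably `#ifndef CONFIG_XEN`, given the removed `#endif` and the retained `#else`), so on a CONFIG_XEN build cpu_gdt_init() is now handed a descriptor this function no longer fills in; unless cpu_gdt_descr[cpu] is populated elsewhere, the two assignments should be repeated (or hoisted) ahead of the call in the `#else` branch. The native branch conversely loses its cpu_gdt_init() call altogether, which is harmless only if that branch is never compiled in this tree. A comment on the moved call, `/* Register the GDT only after the TLS entries have been copied. */`, would record the ordering intent. The enclosing function starts before the hunk.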
@@ -2,27 +2,71 @@ include $(XEN_ROOT)/tools/Rules.mk SRCS = secpol_tool.c -CFLAGS += -static CFLAGS += -Wall CFLAGS += -Werror CFLAGS += -O3 CFLAGS += -fno-strict-aliasing -CFLAGS += -I. +CFLAGS += -I. -I/usr/include/libxml2 +CFLAGS_XML2BIN += $(shell xml2-config --cflags --libs ) +#if above does not work, try -L/usr/lib -lxml2 -lz -lpthread -lm +XML2VERSION = $(shell xml2-config --version ) +VALIDATE_SCHEMA=$(shell if [[ $(XML2VERSION) < 2.6.20 ]]; then echo ""; else echo "-DVALIDATE_SCHEMA"; fi; ) +ifeq ($(ACM_USE_SECURITY_POLICY),ACM_NULL_POLICY) +POLICY=null +endif +ifeq ($(ACM_USE_SECURITY_POLICY),ACM_CHINESE_WALL_POLICY) +POLICY=chwall +endif +ifeq ($(ACM_USE_SECURITY_POLICY),ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY) +POLICY=ste +endif +ifeq ($(ACM_USE_SECURITY_POLICY),ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY) +POLICY=chwall_ste +endif +POLICYFILE=./policies/$(POLICY)/$(POLICY).bin + +ifneq ($(ACM_USE_SECURITY_POLICY), ACM_NULL_POLICY) all: build + +install:all + +default:all +else +all: + +install: + +default: +endif + build: mk-symlinks $(MAKE) secpol_tool + $(MAKE) secpol_xml2bin + chmod 700 ./setlabel.sh + chmod 700 ./updategrub.sh -default: all - -install: all - -secpol_tool : secpol_tool.c +secpol_tool : secpol_tool.c secpol_compat.h $(CC) $(CPPFLAGS) $(CFLAGS) -o $@ $< +secpol_xml2bin : secpol_xml2bin.c secpol_xml2bin.h secpol_compat.h + $(CC) $(CPPFLAGS) $(CFLAGS) $(CFLAGS_XML2BIN) $(VALIDATE_SCHEMA) -o $@ $< + clean: - rm -rf secpol_tool xen + rm -rf secpol_tool secpol_xml2bin xen +policy_clean: + rm -rf policies/*/*.bin policies/*/*.map + +mrproper: clean policy_clean + + +$(POLICYFILE) : build + @./secpol_xml2bin $(POLICY) > /dev/null + +boot_install: $(POLICYFILE) + @cp $(POLICYFILE) /boot + @./updategrub.sh $(POLICY) $(PWD)/$(XEN_ROOT) LINUX_ROOT := $(XEN_ROOT)/linux-2.6-xen-sparse mk-symlinks: diff -r a86fb4df3bdd -r bf1746842c46 tools/security/secpol_tool.c --- a/tools/security/secpol_tool.c Fri Aug 19 12:21:29 2005 
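Review bot: `VALIDATE_SCHEMA` is computed with a bash `[[ $(XML2VERSION) < 2.6.20 ]]` string comparison, which orders versions lexically — "2.6.9" sorts after "2.6.20" — so schema validation of the policy XML (the only check on the input that secpol_xml2bin turns into a hypervisor-loaded binary) is enabled or disabled for the wrong libxml2 releases, and any `SHELL` other than bash fails on `[[` outright; compare the version numerically with POSIX tools. The three `$(shell …)` definitions use `=`/`+=`, so `xml2-config` is re-run on every expansion; they should be `:=`. An unrecognised `ACM_USE_SECURITY_POLICY` leaves `POLICY` empty and `POLICYFILE` as `./policies//.bin`, so an `$(error …)` guard is needed, and `all install default build clean policy_clean mrproper boot_install` should be declared `.PHONY`. The `chmod 700` lines and the `@`-silenced `cp` to /boot and grub edit in `boot_install` are side effects worth echoing rather than hiding, since they run as root.
```make
CFLAGS_XML2BIN := $(shell xml2-config --cflags --libs)
XML2VERSION    := $(shell xml2-config --version)
# Schema validation needs libxml2 >= 2.6.20. Compare the dotted version
# numerically (a string compare orders 2.6.9 after 2.6.20) using POSIX sh/awk.
VALIDATE_SCHEMA := $(shell echo "$(XML2VERSION)" | awk -F. \
	'{ if ($$1 * 1000000 + $$2 * 1000 + $$3 >= 2006020) print "-DVALIDATE_SCHEMA" }')
# … unchanged: ifeq chain selecting POLICY for the four supported values …
ifeq ($(POLICY),)
$(error Unsupported ACM_USE_SECURITY_POLICY value '$(ACM_USE_SECURITY_POLICY)')
endif
POLICYFILE := ./policies/$(POLICY)/$(POLICY).bin

.PHONY: all install default build clean policy_clean mrproper boot_install
```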
+++ b/tools/security/secpol_tool.c Fri Aug 19 12:22:27 2005 @@ -31,18 +31,8 @@ #include <stdlib.h> #include <sys/ioctl.h> #include <string.h> -#include <stdint.h> #include <netinet/in.h> - -typedef uint8_t u8; -typedef uint16_t u16; -typedef uint32_t u32; -typedef uint64_t u64; -typedef int8_t s8; -typedef int16_t s16; -typedef int32_t s32; -typedef int64_t s64; - +#include "secpol_compat.h" #include <xen/acm.h> #include <xen/acm_ops.h> #include <xen/linux/privcmd.h> 
@@ -270,171 +260,6 @@ } } -/*************************** set policy ****************************/ - -int acm_domain_set_chwallpolicy(void *bufstart, int buflen) -{ -#define CWALL_MAX_SSIDREFS 6 -#define CWALL_MAX_TYPES 10 -#define CWALL_MAX_CONFLICTSETS 2 - - struct acm_chwall_policy_buffer *chwall_bin_pol = - (struct acm_chwall_policy_buffer *) bufstart; - domaintype_t *ssidrefs, *conflicts; - int ret = 0; - int j; - - chwall_bin_pol->chwall_max_types = htonl(CWALL_MAX_TYPES); - chwall_bin_pol->chwall_max_ssidrefs = htonl(CWALL_MAX_SSIDREFS); - chwall_bin_pol->policy_code = htonl(ACM_CHINESE_WALL_POLICY); - chwall_bin_pol->policy_version = htonl(ACM_CHWALL_VERSION); - chwall_bin_pol->chwall_ssid_offset = - htonl(sizeof(struct acm_chwall_policy_buffer)); - chwall_bin_pol->chwall_max_conflictsets = - htonl(CWALL_MAX_CONFLICTSETS); - chwall_bin_pol->chwall_conflict_sets_offset = - htonl(ntohl(chwall_bin_pol->chwall_ssid_offset) + - sizeof(domaintype_t) * CWALL_MAX_SSIDREFS * CWALL_MAX_TYPES); - chwall_bin_pol->chwall_running_types_offset = 0; /* not set */ - chwall_bin_pol->chwall_conflict_aggregate_offset = 0; /* not set */ - ret += sizeof(struct acm_chwall_policy_buffer); - /* now push example ssids into the buffer (max_ssidrefs x max_types entries) */ - /* check buffer size */ - if ((buflen - ret) < - (CWALL_MAX_TYPES * CWALL_MAX_SSIDREFS * sizeof(domaintype_t))) - return -1; /* not enough space */ - - ssidrefs = (domaintype_t *) (bufstart + - ntohl(chwall_bin_pol->chwall_ssid_offset)); - memset(ssidrefs, 0, - CWALL_MAX_TYPES * CWALL_MAX_SSIDREFS * sizeof(domaintype_t)); - - /* now set type j-1 for ssidref i+1 */ - for (j = 0; j <= CWALL_MAX_SSIDREFS; j++) - if ((0 < j) && (j <= CWALL_MAX_TYPES)) - ssidrefs[j * CWALL_MAX_TYPES + j - 1] = htons(1); - - ret += CWALL_MAX_TYPES * CWALL_MAX_SSIDREFS * sizeof(domaintype_t); - if ((buflen - ret) < - (CWALL_MAX_CONFLICTSETS * CWALL_MAX_TYPES * sizeof(domaintype_t))) - return -1; /* not enough space */ - - /* now the 
chinese wall policy conflict sets */ - conflicts = (domaintype_t *) (bufstart + - ntohl(chwall_bin_pol-> - chwall_conflict_sets_offset)); - memset((void *) conflicts, 0, - CWALL_MAX_CONFLICTSETS * CWALL_MAX_TYPES * - sizeof(domaintype_t)); - /* just 1 conflict set [0]={2,3}, [1]={1,5,6} */ - if (CWALL_MAX_TYPES > 3) - { - conflicts[2] = htons(1); - conflicts[3] = htons(1); /* {2,3} */ - conflicts[CWALL_MAX_TYPES + 1] = htons(1); - conflicts[CWALL_MAX_TYPES + 5] = htons(1); - conflicts[CWALL_MAX_TYPES + 6] = htons(1); /* {0,5,6} */ - } - ret += sizeof(domaintype_t) * CWALL_MAX_CONFLICTSETS * CWALL_MAX_TYPES; - return ret; -} - -int acm_domain_set_stepolicy(void *bufstart, int buflen) -{ -#define STE_MAX_SSIDREFS 6 -#define STE_MAX_TYPES 5 - - struct acm_ste_policy_buffer *ste_bin_pol = - (struct acm_ste_policy_buffer *) bufstart; - domaintype_t *ssidrefs; - int j, ret = 0; - - ste_bin_pol->ste_max_types = htonl(STE_MAX_TYPES); - ste_bin_pol->ste_max_ssidrefs = htonl(STE_MAX_SSIDREFS); - ste_bin_pol->policy_code = htonl(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY); - ste_bin_pol->policy_version = htonl(ACM_STE_VERSION); - ste_bin_pol->ste_ssid_offset = - htonl(sizeof(struct acm_ste_policy_buffer)); - ret += sizeof(struct acm_ste_policy_buffer); - /* check buffer size */ - if ((buflen - ret) < - (STE_MAX_TYPES * STE_MAX_SSIDREFS * sizeof(domaintype_t))) - return -1; /* not enough space */ - - ssidrefs = - (domaintype_t *) (bufstart + ntohl(ste_bin_pol->ste_ssid_offset)); - memset(ssidrefs, 0, - STE_MAX_TYPES * STE_MAX_SSIDREFS * sizeof(domaintype_t)); - /* all types 1 for ssidref 1 */ - for (j = 0; j < STE_MAX_TYPES; j++) - ssidrefs[1 * STE_MAX_TYPES + j] = htons(1); - /* now set type j-1 for ssidref j */ - for (j = 0; j < STE_MAX_SSIDREFS; j++) - if ((0 < j) && (j <= STE_MAX_TYPES)) - ssidrefs[j * STE_MAX_TYPES + j - 1] = htons(1); - ret += STE_MAX_TYPES * STE_MAX_SSIDREFS * sizeof(domaintype_t); - return ret; -} - -#define MAX_PUSH_BUFFER 16384 -u8 
push_buffer[MAX_PUSH_BUFFER]; - -int acm_domain_setpolicy(int xc_handle) -{ - int ret; - struct acm_policy_buffer *bin_pol; - acm_op_t op; - - /* future: read policy from file and set it */ - bin_pol = (struct acm_policy_buffer *) push_buffer; - bin_pol->policy_version = htonl(ACM_POLICY_VERSION); - bin_pol->magic = htonl(ACM_MAGIC); - bin_pol->primary_policy_code = htonl(ACM_CHINESE_WALL_POLICY); - bin_pol->secondary_policy_code = - htonl(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY); - - bin_pol->len = htonl(sizeof(struct acm_policy_buffer)); - bin_pol->primary_buffer_offset = htonl(ntohl(bin_pol->len)); - ret = - acm_domain_set_chwallpolicy(push_buffer + - ntohl(bin_pol->primary_buffer_offset), - MAX_PUSH_BUFFER - - ntohl(bin_pol->primary_buffer_offset)); - if (ret < 0) - { - printf("ERROR creating chwallpolicy buffer.\n"); - return -1; - } - bin_pol->len = htonl(ntohl(bin_pol->len) + ret); - bin_pol->secondary_buffer_offset = htonl(ntohl(bin_pol->len)); - ret = acm_domain_set_stepolicy(push_buffer + - ntohl(bin_pol->secondary_buffer_offset), - MAX_PUSH_BUFFER - - ntohl(bin_pol->secondary_buffer_offset)); - if (ret < 0) - { - printf("ERROR creating chwallpolicy buffer.\n"); - return -1; - } - bin_pol->len = htonl(ntohl(bin_pol->len) + ret); - - /* dump it and then push it down into xen/acm */ - acm_dump_policy_buffer(push_buffer, ntohl(bin_pol->len)); - - op.cmd = ACM_SETPOLICY; - op.interface_version = ACM_INTERFACE_VERSION; - op.u.setpolicy.pushcache = (void *) push_buffer; - op.u.setpolicy.pushcache_size = ntohl(bin_pol->len); - ret = do_acm_op(xc_handle, &op); - - if (ret) - printf("ERROR setting policy. Use 'xm dmesg' to see details.\n"); - else - printf("Successfully changed policy.\n"); - - return ret; -} - /******************************* get policy ******************************/ #define PULL_CACHE_SIZE 8192 
@@ -602,7 +427,6 @@ void usage(char *progname) { printf("Use: %s \n" - "\t setpolicy\n" "\t getpolicy\n" "\t dumpstats\n" "\t loadpolicy <binary policy file>\n", progname); @@ -623,12 +447,7 @@ exit(-1); } - if (!strcmp(argv[1], "setpolicy")) - { - if (argc != 2) - usage(argv[0]); - ret = acm_domain_setpolicy(acm_cmd_fd); - } else if (!strcmp(argv[1], "getpolicy")) { + if (!strcmp(argv[1], "getpolicy")) { if (argc != 2) usage(argv[0]); ret = acm_domain_getpolicy(acm_cmd_fd); diff -r a86fb4df3bdd -r bf1746842c46 xen/Rules.mk --- a/xen/Rules.mk Fri Aug 19 12:21:29 2005 +++ b/xen/Rules.mk Fri Aug 19 12:22:27 2005 @@ -10,14 +10,6 @@ optimize ?= y domu_debug ?= n crash_debug ?= n - -# ACM_USE_SECURITY_POLICY is set to security policy of Xen -# Supported models are: -# ACM_NULL_POLICY (ACM will not be built with this policy) -# ACM_CHINESE_WALL_POLICY -# ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY -# ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY -ACM_USE_SECURITY_POLICY ?= ACM_NULL_POLICY include $(BASEDIR)/../Config.mk diff -r a86fb4df3bdd -r bf1746842c46 xen/arch/x86/domain_build.c --- a/xen/arch/x86/domain_build.c Fri Aug 19 12:21:29 2005 +++ b/xen/arch/x86/domain_build.c Fri Aug 19 12:22:27 2005 
@@ -22,16 +22,28 @@ #include <asm/i387.h> #include <asm/shadow.h> -/* opt_dom0_mem: memory allocated to domain 0. */ -static unsigned int opt_dom0_mem; +static long dom0_nrpages; + +/* + * dom0_mem: + * If +ve: + * * The specified amount of memory is allocated to domain 0. + * If -ve: + * * All of memory is allocated to domain 0, minus the specified amount. + * If not specified: + * * All of memory is allocated to domain 0, minus 1/16th which is reserved + * for uses such as DMA buffers (the reservation is clamped to 128MB). + */ static void parse_dom0_mem(char *s) { - unsigned long long bytes = parse_size_and_unit(s); - /* If no unit is specified we default to kB units, not bytes. */ - if ( isdigit(s[strlen(s)-1]) ) - opt_dom0_mem = (unsigned int)bytes; - else - opt_dom0_mem = (unsigned int)(bytes >> 10); + unsigned long long bytes; + char *t = s; + if ( *s == '-' ) + t++; + bytes = parse_size_and_unit(t); + dom0_nrpages = bytes >> PAGE_SHIFT; + if ( *s == '-' ) + dom0_nrpages = -dom0_nrpages; } custom_param("dom0_mem", parse_dom0_mem); 
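Review bot: parse_dom0_mem() now maps an explicit `dom0_mem=0`, and any value smaller than one page (e.g. `dom0_mem=-1K`), to `dom0_nrpages == 0`, which the caller in the next hunk interprets as "not specified" and replaces with the 1/16th default reservation, so the user's explicit setting is silently discarded; if zero must remain the sentinel, at least `printk` when a non-empty argument parses to zero pages so the substitution is visible. The kB-when-no-suffix logic removed here has moved into parse_size_and_unit() (the xen/common/lib.c hunk) and this function now depends on it, which deserves a line, `/* parse_size_and_unit() defaults to kB when no unit suffix is given. */`. The block comment above describes the default-reservation behaviour, but that is implemented in the caller, not in this function; pointing the reader there would avoid confusion.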
@@ -137,12 +149,30 @@ printk("*** LOADING DOMAIN 0 ***\n"); - /* By default DOM0 is allocated all available memory. */ d->max_pages = ~0U; - if ( (nr_pages = opt_dom0_mem >> (PAGE_SHIFT - 10)) == 0 ) + + /* + * If domain 0 allocation isn't specified, reserve 1/16th of available + * memory for things like DMA buffers. This reservation is clamped to + * a maximum of 128MB. + */ + if ( dom0_nrpages == 0 ) + { + dom0_nrpages = avail_domheap_pages() + + ((initrd_len + PAGE_SIZE - 1) >> PAGE_SHIFT) + + ((image_len + PAGE_SIZE - 1) >> PAGE_SHIFT); + dom0_nrpages = min(dom0_nrpages / 16, 128L << (20 - PAGE_SHIFT)); + dom0_nrpages = -dom0_nrpages; + } + + /* Negative memory specification means "all memory - specified amount". */ + if ( dom0_nrpages < 0 ) nr_pages = avail_domheap_pages() + ((initrd_len + PAGE_SIZE - 1) >> PAGE_SHIFT) + - ((image_len + PAGE_SIZE - 1) >> PAGE_SHIFT); + ((image_len + PAGE_SIZE - 1) >> PAGE_SHIFT) + + dom0_nrpages; + else + nr_pages = dom0_nrpages; if ( (rc = parseelfimage(&dsi)) != 0 ) return rc; diff -r a86fb4df3bdd -r bf1746842c46 xen/common/lib.c --- a/xen/common/lib.c Fri Aug 19 12:21:29 2005 +++ b/xen/common/lib.c Fri Aug 19 12:22:27 2005 @@ -450,8 +450,10 @@ ret <<= 10; case 'M': case 'm': ret <<= 10; - case 'K': case 'k': + case 'K': case 'k': default: ret <<= 10; + case 'B': case 'b': + break; } return ret; diff -r a86fb4df3bdd -r bf1746842c46 patches/linux-2.6.12/workaround_double_br_del_if.patch --- /dev/null Fri Aug 19 12:21:29 2005 +++ b/patches/linux-2.6.12/workaround_double_br_del_if.patch Fri Aug 19 12:22:27 2005 
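Review bot: In the `dom0_nrpages < 0` branch nothing guards against the reservation exceeding the sum `avail_domheap_pages() + initrd + image`, so `dom0_mem=-2G` on a box with less memory produces a negative result; if nr_pages is unsigned (its declaration is outside the hunk) that wraps to a huge page count and the failure surfaces much later with an unrelated message. Compute the sum once into a signed local before the `if ( dom0_nrpages == 0 )` block (it is currently written twice), then fail early with a `panic()` naming dom0_mem when `avail + dom0_nrpages <= 0`. The enclosing function starts and ends outside the hunk.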
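Review bot: In the xen/common/lib.c hunk, attaching `default:` to the kB case makes every unrecognised suffix character (a typo such as `dom0_mem=512X`) silently parse as kilobytes, not only a bare number; the intent, as the domain_build.c hunk puts it, is kB when no unit is given. If the switch is on the last character of the string (the function head is outside the hunk), an `isdigit()` test before the switch would preserve the kB default for bare numbers while letting other characters be rejected or warned about. At minimum annotate the choice: `default: /* no unit suffix: kilobytes */` and `case 'B': case 'b': /* bytes are opt-in */`.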
@@ -0,0 +1,11 @@ +--- linux-2.6.12/net/bridge/br_if.c 2005-06-17 14:48:29.000000000 -0500 ++++ linux-2.6.12-xen0-smp/net/bridge/br_if.c 2005-08-18 15:17:27.302615846 -0500 +@@ -382,7 +382,7 @@ + { + struct net_bridge_port *p = dev->br_port; + +- if (!p || p->br != br) ++ if (!p || p->br != br || p->state == BR_STATE_DISABLED) + return -EINVAL; + + br_sysfs_removeif(p); diff -r a86fb4df3bdd -r bf1746842c46 tools/security/example.txt --- /dev/null Fri Aug 19 12:21:29 2005 +++ b/tools/security/example.txt Fri Aug 19 12:22:27 2005 
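Review bot: The added `p->state == BR_STATE_DISABLED` test treats a disabled port as "already deleted" and returns -EINVAL, but in the 2.6.12 bridge code BR_STATE_DISABLED is also the state ports are put into when the bridge is administratively down (if that holds for this tree — confirm), so removing a port from a down bridge would now fail rather than merely the double-delete being rejected. A guard specific to the double br_del_if() call this works around (whatever del_nbp() alone changes) would be more precise; if the disabled state is an acceptable proxy, the patch file should say so. The patch also carries no description of the double call it works around; a short header comment naming the trigger would help whoever later decides whether it can be dropped.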
@@ -0,0 +1,269 @@ +## +# example.txt <description to the xen access control architecture> +# +# Author: +# Reiner Sailer 08/15/2005 <sailer@xxxxxxxxxxxxxx> +# +# +# This file introduces into the tools to manage policies +# and to label domains and resources. +## + +We will show how to install and use the chwall_ste policy. +Other policies work similarly. Feedback welcome! + + + +1. Using secpol_xml2bin to translate the chwall_ste policy: +=========================================================== + +#tools/security/secpol_xml2bin chwall_ste + +Successful execution should print: + + [root@laptopxn security]# ./secpol_xml2bin chwall_ste + Validating label file policies/chwall_ste/chwall_ste-security_label_template.xml... + XML Schema policies/security_policy.xsd valid. + Validating policy file policies/chwall_ste/chwall_ste-security_policy.xml... + XML Schema policies/security_policy.xsd valid. + Creating ssid mappings ... + Creating label mappings ... + Max chwall labels: 7 + Max chwall-types: 4 + Max chwall-ssids: 5 + Max ste labels: 14 + Max ste-types: 6 + Max ste-ssids: 10 + +The tool looks in directory policies/chwall_ste for +the label and policy files. + +The default policy directory structure under tools/security looks like: + +policies +|-- security_policy.xsd +|-- chwall +| |-- chwall-security_label_template.xml +| `-- chwall-security_policy.xml +|-- chwall_ste +| |-- chwall_ste-security_label_template.xml +| `-- chwall_ste-security_policy.xml +|-- null +| |-- null-security_label_template.xml +| `-- null-security_policy.xml +`-- ste + |-- ste-security_label_template.xml + `-- ste-security_policy.xml + +policies/security_policy.xsd contains the schema against which both the +label-template and the policy files must validate during translation. + +policies/chwall_ste/chwall_ste-security_policy.xml defines the +policies and the types known to the policies. 
+ +policies/chwall_ste/chwall_ste-security_label_template.xml contains +label definitions that group chwall and ste types together and make +them easier to use for users + +After executing the above secpol_xml2bin command, you will find 2 new +files in the policies/chwall_ste sub-directory: + +policies/chwall_ste/chwall_ste.map ... this file includes the mapping +of names from the xml files into their binary code representation. + +policies/chwall_ste/chwall_ste.bin ... this is the binary policy file, +the result of parsing the xml files and using the mapping to extract a +binary version that can be loaded into the hypervisor. + + + +2. Loading and activating the policy: +===================================== + +We assume that xen is already configured to use the chwall_ste policy; +please refer to install.txt for instructions. + +To activate the policy from the command line (assuming that the +currently established policy is the minimal boot-policy that is +hard-coded into the hypervisor: + +# ./secpol_tool loadpolicy policies/chwall_ste/chwall_ste.bin + +To activate the policy at next reboot: + +# cp policies/chwall_ste/chwall_ste.bin /boot + +Add a module line to your /boot/grub/grub.conf Xen entry. +My boot entry with chwall_ste enabled looks like this: + + title Xen (2.6.12) + root (hd0,5) + kernel /boot/xen.gz dom0_mem=1200000 console=vga + module /boot/vmlinuz-2.6.12-xen0 ro root=/dev/hda6 rhgb + module /boot/initrd-2.6.12-xen0.img + module /boot/chwall_ste.bin + +This tells the grub boot-loader to load the binary policy, which +the hypervisor will recognize. The hypervisor will then establish +this binary policy during boot instead of the minimal policy that +is hardcoded as default. + +If you have any trouble here, maks sure you have the access control +framework enabled (see: install.txt). + + + +3. 
Labeling domains: +==================== + +a) Labeling Domain0: + +The chwall_ste-security_label_template.xml file includes an attribute +"bootstrap", which is set to the label name that will be assigned to +Dom0 (this label will be mapped to ssidref 1/1, the default for Dom0). + +b) Labeling User Domains: + +Use the script tools/security/setlabel.sh to choose a label and to +assign labels to user domains. + +To show available labels for the chwall_ste policy: + +#tools/security/setlabel.sh -l + +lists all available labels. For the default chwall_ste it should print +the following: + + [root@laptopxn security]# ./setlabel.sh -l chwall_ste + The following labels are available: + dom_SystemManagement + dom_HomeBanking + dom_Fun + dom_BoincClient + dom_StorageDomain + dom_NetworkDomain + +You need to have compiled the policy beforehand so that a .map file +exists. Setlabel.sh uses the mapping file created throughout the +policy translation to translate a user-friendly label string into a +ssidref-number that is eventually used by the Xen hypervisor. + +We distinguish two kinds of labels: a) VM labels (for domains) and RES +Labels (for resources). We are currently working on support for +resource labeling but will focus here on VM labels. + +Setlabel.sh only prints VM labels (which we have prefixed with "dom_") +since only those are used at this time. + +If you would like to assign the dom_HomeBanking label to one of your +user domains (which you hopefully keep clean), look at an example +domain configuration homebanking.xm: + + #------HOMEBANKING--------- + kernel = "/boot/vmlinuz-2.6.12-xenU" + ramdisk="/boot/U1_ramdisk.img" + memory = 65 + name = "test34" + cpu = -1 # leave to Xen to pick + # Number of network interfaces. Default is 1. + nics=1 + dhcp="dhcp" + #------------------------- + +Now we label this domain + +[root@laptopxn security]# ./setlabel.sh homebanking.xm dom_HomeBanking chwall_ste +Mapped label 'dom_HomeBanking' to ssidref '0x00020002'. 
+ +The domain configuration my look now like: + + [root@laptopxn security]# cat homebanking.xm + #------HOMEBANKING--------- + kernel = "/boot/vmlinuz-2.6.12-xenU" + ramdisk="/boot/U1_ramdisk.img" + memory = 65 + name = "test34" + cpu = -1 # leave to Xen to pick + # Number of network interfaces. Default is 1. + nics=1 + dhcp="dhcp" + #------------------------- + #ACM_POLICY=chwall_ste-security_policy.xml + #ACM_LABEL=dom_HomeBanking + ssidref = 0x00020002 + +You can see 3 new entries, two of which are comments. The only value +that the hypervisor cares about is the ssidref that will reference +those types assigned to this label. You can look them up in the +xml label-template file for the chwall_ste policy. + +This script will eventually move into the domain management and will +be called when the domain is instantiated. For now, the setlabel +script must be run on domains whenever the policy files change since +the mapping between label names and ssidrefs can change in this case. + + +4. Starting a labeled domain +============================ + +Now, start the domain: + #xm create -c homebanking.xm + + +If you label another domain configuration as dom_Fun and try to start +it afterwards, its start will fail. Why? + +Because the running homebanking domain has the chinese wall type +"cw_Sensitive". The new domain dom_Fun has the chinese wall label +"cw_Distrusted". This domain is not allowed to run simultaneously +because of the defined conflict set + + <conflictset name="Protection1"> + <type>cw_Sensitive</type> + <type>cw_Distrusted</type> + </conflictset> + +(in policies/chwall_ste/chwall_ste-security_policy.xml), which says +that only one of the types cw_sensitive and cw_Distrusted can run at a +time. + +If you save or shutdown the HomeBanking domain, you will be able to +start the "Fun" domain. You can look into the Xen log to see if a +domain was denied to start because of the access control framework +with the command 'xm dmesg'. 
+ +It is important (and usually non-trivial) to define the labels in a +way that the semantics of the labels are enforced and supported by the +types and the conflict sets. + +Note: While the chinese wall policy enforcement is complete, the type +enforcement is currently enforced in the Xen hypervisor +only. Therefore, only point-to-point sharing with regard to the type +enforcement is currently controlled. We are working on enhancements to +Dom0 that enforce types also for network traffic that is routed +through Dom0 and on the enforcement of resource labeling when binding +resources to domains (e.g., enforcing types between domains and +hardware resources, such as disk partitions). + + +4. Adding your own policies +=========================== + +Writing your own policy (e.g. "mypolicy") requires the following: + +a) the policy definition (types etc.) file +b) the label template definition (labels etc.) file + +If your policy name is "mypolicy", you need to create a +subdirectory mypolicy in tools/security/policies. + +Then you create +tools/security/policies/mypolicy/mypolicy-security_policy.xml and +tools/security/policies/mypolicy/mypolicy-security_label_template.xml. + +You need to keep to the schema as defined in +tools/security/security_policy.xsd since the translation tool +secpol_xml2bin is written against this schema. + +If you keep to the security policy schema, then you can use all the +tools described above. Refer to install.txt to install it. diff -r a86fb4df3bdd -r bf1746842c46 tools/security/install.txt --- /dev/null Fri Aug 19 12:21:29 2005 +++ b/tools/security/install.txt Fri Aug 19 12:22:27 2005 
@@ -0,0 +1,67 @@ +## +# install.txt <description to the xen access control architecture> +# +# Author: +# Reiner Sailer 08/15/2005 <sailer@xxxxxxxxxxxxxx> +# +# +# This file shows how to activate and install the access control +# framework. +## + + +INSTALLING A SECURITY POLICY IN XEN +=================================== + +By default, the access control architecture is disabled in Xen. To +enable the access control architecture in Xen follow the steps below. +This description assumes that you want to install the Chinese Wall and +Simple Type Enforcement policy. Some file names need to be replaced +below to activate the Chinese Wall OR the Type Enforcement policy +exclusively (chwall_ste --> {chwall, ste}). + +1. enable access control in Xen + # cd "xen_root" + # edit/xemacs/vi Config.mk + + change the line: + ACM_USE_SECURITY_POLICY ?= ACM_NULL_POLICY + + to: + ACM_USE_SECURITY_POLICY ?= ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY + + # make all + # ./install.sh + +2. compile the policy from xml to a binary format that can be loaded + into the hypervisor for enforcement + # cd tools/security + # make + + manual steps (alternative to make boot_install): + #./secpol_xml2bin chwall_ste + #cp policies/chwall_ste/chwall_ste.bin /boot + #edit /boot/grub/grub.conf + add the follwoing line to your xen boot entry: + "module chwall_ste.bin" + + alternatively, you can try our automatic translation and + installation of the policy: + # make boot_install + + [we try hard to do the right thing to the right boot entry but + please verify boot entry in /boot/grub/grub.conf afterwards; + your xen boot entry should have an additional module line + specifying a chwall_ste.bin file with the correct directory + (e.g. "/" or "/boot").] + + +3. 
reboot into the newly compiled hypervisor + + after boot + #xm dmesg should show an entry about the policy being loaded + during the boot process + + #tools/security/secpol_tool getpolicy + should print the new chwall_ste binary policy representation + diff -r a86fb4df3bdd -r bf1746842c46 tools/security/policies/chwall/chwall-security_label_template.xml --- /dev/null Fri Aug 19 12:21:29 2005 +++ b/tools/security/policies/chwall/chwall-security_label_template.xml Fri Aug 19 12:22:27 2005 
@@ -0,0 +1,76 @@ +<?xml version="1.0"?> +<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com --> +<!-- This file defines the security labels, which can --> +<!-- be attached to Domains and resources. Based on --> +<!-- these labels, the access control module decides --> +<!-- about sharing between Domains and about access --> +<!-- of Domains to real resources. --> + +<SecurityLabelTemplate + xmlns="http://www.ibm.com" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://www.ibm.com security_policy.xsd"> + <LabelHeader> + <Name>chwall-security_label_template</Name> + <Date>2005-08-10</Date> + <PolicyName> + <Url>chwall-security_policy.xml</Url> + <Reference>abcdef123456abcdef</Reference> + </PolicyName> + </LabelHeader> + + <SubjectLabels bootstrap="dom_SystemManagement"> + <!-- single ste typed domains --> + <!-- ACM enforces that only domains with --> + <!-- the same type can share information --> + <!-- --> + <!-- Bootstrap label is assigned to Dom0 --> + <VirtualMachineLabel> + <Name>dom_HomeBanking</Name> + <ChineseWallTypes> + <Type>cw_Sensitive</Type> + </ChineseWallTypes> + </VirtualMachineLabel> + + <VirtualMachineLabel> + <Name>dom_Fun</Name> + <ChineseWallTypes> + <Type>cw_Distrusted</Type> + </ChineseWallTypes> + </VirtualMachineLabel> + + <VirtualMachineLabel> + <!-- donating some cycles to seti@home --> + <Name>dom_BoincClient</Name> + <ChineseWallTypes> + <Type>cw_Isolated</Type> + </ChineseWallTypes> + </VirtualMachineLabel> + + <!-- Domains with multiple ste types services; such domains --> + <!-- must keep the types inside their domain safely confined. 
--> + <VirtualMachineLabel> + <Name>dom_SystemManagement</Name> + <ChineseWallTypes> + <Type>cw_SystemManagement</Type> + </ChineseWallTypes> + </VirtualMachineLabel> + + <VirtualMachineLabel> + <!-- serves persistent storage to other domains --> + <Name>dom_StorageDomain</Name> + <ChineseWallTypes> + <Type>cw_SystemManagement</Type> + </ChineseWallTypes> + </VirtualMachineLabel> + + <VirtualMachineLabel> + <!-- serves network access to other domains --> + <Name>dom_NetworkDomain</Name> + <ChineseWallTypes> + <Type>cw_SystemManagement</Type> + </ChineseWallTypes> + </VirtualMachineLabel> + </SubjectLabels> +</SecurityLabelTemplate> + diff -r a86fb4df3bdd -r bf1746842c46 tools/security/policies/chwall/chwall-security_policy.xml --- /dev/null Fri Aug 19 12:21:29 2005 +++ b/tools/security/policies/chwall/chwall-security_policy.xml Fri Aug 19 12:22:27 2005 
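Review bot: `<Reference>abcdef123456abcdef</Reference>` in the `<PolicyName>` header is an obvious placeholder; if secpol_xml2bin uses it to bind this label template to the policy file it names (the schema is not in this diff, so this is inferred), a dummy value means a mismatched template/policy pair cannot be detected when the binary policy is built. Either generate the real reference or mark it, e.g. `<!-- Reference is not yet checked by secpol_xml2bin -->`. The comment `single ste typed domains` above the labels is copied from the chwall_ste template and does not apply to this chwall-only policy, which defines no STE types.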
@@ -0,0 +1,36 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com --> +<!-- This file defines the security policies, which --> +<!-- can be enforced by the Xen Access Control Module. --> +<!-- Currently: Chinese Wall and Simple Type Enforcement--> +<SecurityPolicyDefinition xmlns="http://www.ibm.com" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://www.ibm.com security_policy.xsd"> +<PolicyHeader> + <Name>chwall-security_policy</Name> + <Date>2005-08-10</Date> +</PolicyHeader> +<!-- --> +<!-- example of a chinese wall type definition --> +<!-- along with its conflict sets --> +<!-- (typse in a confict set are exclusive, i.e. --> +<!-- once a Domain with one type of a set is --> +<!-- running, no other Domain with another type --> +<!-- of the same conflict set can start.) --> + <ChineseWall priority="PrimaryPolicyComponent"> + <ChineseWallTypes> + <Type>cw_SystemManagement</Type> + <Type>cw_Sensitive</Type> + <Type>cw_Isolated</Type> + <Type>cw_Distrusted</Type> + </ChineseWallTypes> + + <ConflictSets> + <Conflict name="Protection1"> + <Type>cw_Sensitive</Type> + <Type>cw_Distrusted</Type> + </Conflict> + </ConflictSets> + </ChineseWall> +</SecurityPolicyDefinition> + diff -r a86fb4df3bdd -r bf1746842c46 tools/security/policies/chwall_ste/chwall_ste-security_label_template.xml --- /dev/null Fri Aug 19 12:21:29 2005 +++ b/tools/security/policies/chwall_ste/chwall_ste-security_label_template.xml Fri Aug 19 12:22:27 2005 
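Review bot: The conflict set is spelled `<Conflict name="Protection1">` inside `<ConflictSets>` here, while the example.txt hunk in this same commit quotes it as `<conflictset name="Protection1">`; one of the two is wrong, and since security_policy.xsd is not part of this diff a reader cannot tell which, so the documentation should be aligned with whatever the schema accepts. The comment block above the element also has typos (`typse`, `confict`) worth fixing while touching it.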
@@ -0,0 +1,167 @@ +<?xml version="1.0"?> +<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com --> +<!-- This file defines the security labels, which can --> +<!-- be attached to Domains and resources. Based on --> +<!-- these labels, the access control module decides --> +<!-- about sharing between Domains and about access --> +<!-- of Domains to real resources. --> + +<SecurityLabelTemplate + xmlns="http://www.ibm.com" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://www.ibm.com security_policy.xsd"> + <LabelHeader> + <Name>chwall_ste-security_label_template</Name> + <Date>2005-08-10</Date> + <PolicyName> + <Url>chwall_ste-security_policy.xml</Url> + <Reference>abcdef123456abcdef</Reference> + </PolicyName> + </LabelHeader> + + <SubjectLabels bootstrap="dom_SystemManagement"> + <!-- single ste typed domains --> + <!-- ACM enforces that only domains with --> + <!-- the same type can share information --> + <!-- --> + <!-- Bootstrap label is assigned to Dom0 --> + <VirtualMachineLabel> + <Name>dom_HomeBanking</Name> + <SimpleTypeEnforcementTypes> + <Type>ste_PersonalFinances</Type> + </SimpleTypeEnforcementTypes> + + <ChineseWallTypes> + <Type>cw_Sensitive</Type> + </ChineseWallTypes> + </VirtualMachineLabel> + + <VirtualMachineLabel> + <Name>dom_Fun</Name> + <SimpleTypeEnforcementTypes> + <Type>ste_InternetInsecure</Type> + </SimpleTypeEnforcementTypes> + + <ChineseWallTypes> + <Type>cw_Distrusted</Type> + </ChineseWallTypes> + </VirtualMachineLabel> + + <VirtualMachineLabel> + <!-- donating some cycles to seti@home --> + <Name>dom_BoincClient</Name> + <SimpleTypeEnforcementTypes> + <Type>ste_DonatedCycles</Type> + </SimpleTypeEnforcementTypes> + + <ChineseWallTypes> + <Type>cw_Isolated</Type> + </ChineseWallTypes> + </VirtualMachineLabel> + + <!-- Domains with multiple ste types services; such domains --> + <!-- must keep the types inside their domain safely confined. 
--> + <VirtualMachineLabel> + <Name>dom_SystemManagement</Name> + <SimpleTypeEnforcementTypes> + <!-- since dom0 needs access to every domain and --> + <!-- resource right now ... --> + <Type>ste_SystemManagement</Type> + <Type>ste_PersonalFinances</Type> + <Type>ste_InternetInsecure</Type> + <Type>ste_DonatedCycles</Type> + <Type>ste_PersistentStorageA</Type> + <Type>ste_NetworkAdapter0</Type> + </SimpleTypeEnforcementTypes> + + <ChineseWallTypes> + <Type>cw_SystemManagement</Type> + </ChineseWallTypes> + </VirtualMachineLabel> + + <VirtualMachineLabel> + <!-- serves persistent storage to other domains --> + <Name>dom_StorageDomain</Name> + <SimpleTypeEnforcementTypes> + <!-- access right to the resource (hard drive a) --> + <Type>ste_PersistentStorageA</Type> + <!-- can serve following types --> + <Type>ste_PersonalFinances</Type> + <Type>ste_InternetInsecure</Type> + </SimpleTypeEnforcementTypes> + + <ChineseWallTypes> + <Type>cw_SystemManagement</Type> + </ChineseWallTypes> + </VirtualMachineLabel> + + <VirtualMachineLabel> + <!-- serves network access to other domains --> + <Name>dom_NetworkDomain</Name> + <SimpleTypeEnforcementTypes> + <!-- access right to the resource (ethernet card) --> + <Type>ste_NetworkAdapter0</Type> + <!-- can serve following types --> + <Type>ste_PersonalFinances</Type> + <Type>ste_InternetInsecure</Type> + <Type>ste_DonatedCycles</Type> + </SimpleTypeEnforcementTypes> + + <ChineseWallTypes> + <Type>cw_SystemManagement</Type> + </ChineseWallTypes> + </VirtualMachineLabel> + </SubjectLabels> + + <ObjectLabels> + <ResourceLabel> + <Name>res_ManagementResource</Name> + <SimpleTypeEnforcementTypes> + <Type>ste_SystemManagement</Type> + </SimpleTypeEnforcementTypes> + </ResourceLabel> + + <ResourceLabel> + <Name>res_HardDrive (hda)</Name> + <SimpleTypeEnforcementTypes> + <Type>ste_PersistentStorageA</Type> + </SimpleTypeEnforcementTypes> + </ResourceLabel> + + <ResourceLabel> + <Name>res_LogicalDiskPartition1 (hda1)</Name> + 
<SimpleTypeEnforcementTypes> + <Type>ste_PersonalFinances</Type> + </SimpleTypeEnforcementTypes> + </ResourceLabel> + + <ResourceLabel> + <Name>res_LogicalDiskPartition2 (hda2)</Name> + <SimpleTypeEnforcementTypes> + <Type>ste_InternetInsecure</Type> + </SimpleTypeEnforcementTypes> + </ResourceLabel> + + <ResourceLabel> + <Name>res_EthernetCard</Name> + <SimpleTypeEnforcementTypes> + <Type>ste_NetworkAdapter0</Type> + </SimpleTypeEnforcementTypes> + </ResourceLabel> + + <ResourceLabel> + <Name>res_SecurityToken</Name> + <SimpleTypeEnforcementTypes> + <Type>ste_PersonalFinances</Type> + </SimpleTypeEnforcementTypes> + </ResourceLabel> + + <ResourceLabel> + <Name>res_GraphicsAdapter</Name> + <SimpleTypeEnforcementTypes> + <Type>ste_SystemManagement</Type> + </SimpleTypeEnforcementTypes> + </ResourceLabel> + </ObjectLabels> +</SecurityLabelTemplate> + diff -r a86fb4df3bdd -r bf1746842c46 tools/security/policies/chwall_ste/chwall_ste-security_policy.xml --- /dev/null Fri Aug 19 12:21:29 2005 +++ b/tools/security/policies/chwall_ste/chwall_ste-security_policy.xml Fri Aug 19 12:22:27 2005 
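Review bot: `<Reference>abcdef123456abcdef</Reference>` in the LabelHeader is a dummy value, so nothing ties this template to the chwall_ste-security_policy.xml named in `<Url>`, and a template paired with a policy that declares a different type set would not be noticed; the schema types Reference as a plain xsd:string, so validation will not catch it either. Presumably the field is meant to carry a digest or version of the referenced policy file — if so, the commit should state how it is produced and where it is checked, or mark the value as such with `<!-- Reference: placeholder, to be replaced by the identifier of the policy file this template belongs to -->`. The same value appears in null-security_label_template.xml and ste-security_label_template.xml, and in chwall-security_label_template.xml whose hunk begins before this view.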
@@ -0,0 +1,49 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com --> +<!-- This file defines the security policies, which --> +<!-- can be enforced by the Xen Access Control Module. --> +<!-- Currently: Chinese Wall and Simple Type Enforcement--> +<SecurityPolicyDefinition xmlns="http://www.ibm.com" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://www.ibm.com security_policy.xsd"> +<PolicyHeader> + <Name>chwall_ste-security_policy</Name> + <Date>2005-08-10</Date> +</PolicyHeader> +<!-- --> +<!-- example of a simple type enforcement policy definition --> +<!-- --> + <SimpleTypeEnforcement> + <SimpleTypeEnforcementTypes> + <Type>ste_SystemManagement</Type> <!-- machine/security management --> + <Type>ste_PersonalFinances</Type> <!-- personal finances --> + <Type>ste_InternetInsecure</Type> <!-- games, active X, etc. --> + <Type>ste_DonatedCycles</Type> <!-- donation to BOINC/seti@home --> + <Type>ste_PersistentStorageA</Type> <!-- domain managing the harddrive A--> + <Type>ste_NetworkAdapter0</Type> <!-- type of the domain managing ethernet adapter 0--> + </SimpleTypeEnforcementTypes> + </SimpleTypeEnforcement> +<!-- --> +<!-- example of a chinese wall type definition --> +<!-- along with its conflict sets --> +<!-- (typse in a confict set are exclusive, i.e. --> +<!-- once a Domain with one type of a set is --> +<!-- running, no other Domain with another type --> +<!-- of the same conflict set can start.) 
-->
+ <ChineseWall priority="PrimaryPolicyComponent">
+ <ChineseWallTypes>
+ <Type>cw_SystemManagement</Type>
+ <Type>cw_Sensitive</Type>
+ <Type>cw_Isolated</Type>
+ <Type>cw_Distrusted</Type>
+ </ChineseWallTypes>
+
+ <ConflictSets>
+ <Conflict name="Protection1">
+ <Type>cw_Sensitive</Type>
+ <Type>cw_Distrusted</Type>
+ </Conflict>
+ </ConflictSets>
+ </ChineseWall>
+</SecurityPolicyDefinition>
+
diff -r a86fb4df3bdd -r bf1746842c46 tools/security/policies/null/null-security_label_template.xml
--- /dev/null Fri Aug 19 12:21:29 2005
+++ b/tools/security/policies/null/null-security_label_template.xml Fri Aug 19 12:22:27 2005
@@ -0,0 +1,24 @@
+<?xml version="1.0"?>
+<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com -->
+<!-- This file defines the security labels, which can -->
+<!-- be attached to Domains and resources. Based on -->
+<!-- these labels, the access control module decides -->
+<!-- about sharing between Domains and about access -->
+<!-- of Domains to real resources. -->
+
+<SecurityLabelTemplate
+ xmlns="http://www.ibm.com"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.ibm.com security_policy.xsd">
+ <LabelHeader>
+ <Name>null-security_label_template</Name>
+
+ <Date>2005-08-10</Date>
+ <PolicyName>
+ <Url>null-security_policy.xml</Url>
+
+ <Reference>abcdef123456abcdef</Reference>
+ </PolicyName>
+ </LabelHeader>
+</SecurityLabelTemplate>
+
diff -r a86fb4df3bdd -r bf1746842c46 tools/security/policies/null/null-security_policy.xml
--- /dev/null Fri Aug 19 12:21:29 2005
+++ b/tools/security/policies/null/null-security_policy.xml Fri Aug 19 12:22:27 2005
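Review bot: The STE type names declared in this policy, `ste_PersistentStorageA` and `ste_NetworkAdapter0`, do not match the names policy.txt in this changeset uses for the same types (`ste_PersistentStorage`, `ste_NetworkAccess`), so a reader who follows the description will write labels the ACM does not recognise. Which side is authoritative is not visible here, but the policy file and its description should agree, and the SimpleTypeEnforcementTypes block would benefit from a short comment naming the convention, e.g. `<!-- one ste_* type per physical resource: suffix identifies the device instance -->`. ste-security_policy.xml declares the same names.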
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com -->
+<!-- This file defines the security policies, which -->
+<!-- can be enforced by the Xen Access Control Module. -->
+<!-- Currently: Chinese Wall and Simple Type Enforcement-->
+<SecurityPolicyDefinition xmlns="http://www.ibm.com"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.ibm.com security_policy.xsd">
+<PolicyHeader>
+ <Name>null-security_policy</Name>
+ <Date>2005-08-10</Date>
+</PolicyHeader>
+</SecurityPolicyDefinition>
+
diff -r a86fb4df3bdd -r bf1746842c46 tools/security/policies/security_policy.xsd
--- /dev/null Fri Aug 19 12:21:29 2005
+++ b/tools/security/policies/security_policy.xsd Fri Aug 19 12:22:27 2005
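Review bot: The header comment `<!-- Currently: Chinese Wall and Simple Type Enforcement-->` is copied from the other policy files, but this file contains neither a SimpleTypeEnforcement nor a ChineseWall element, so the comment misdescribes the policy it heads. Replace it with a line that states what the file actually is, e.g. `<!-- Null policy: declares no types and no rules -->`. null-security_label_template.xml keeps the same "defines the security labels" header while defining no labels and would take an equivalent comment.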
@@ -0,0 +1,138 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- Author: Ray Valdez, Reiner Sailer {rvaldez,sailer}@us.ibm.com --> +<!-- This file defines the schema, which is used to define --> +<!-- the security policy and the security labels in Xe. --> + +<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" targetNamespace="http://www.ibm.com" xmlns="http://www.ibm.com" elementFormDefault="qualified"> + <xsd:element name="SecurityPolicyDefinition"> + <xsd:complexType> + <xsd:sequence> + <xsd:element ref="PolicyHeader" minOccurs="0" maxOccurs="1"></xsd:element> + <xsd:element ref="SimpleTypeEnforcement" minOccurs="0" maxOccurs="1"></xsd:element> + <xsd:element ref="ChineseWall" minOccurs="0" maxOccurs="1"></xsd:element> + </xsd:sequence> + </xsd:complexType> + </xsd:element> + <xsd:element name="SecurityLabelTemplate"> + <xsd:complexType> + <xsd:sequence> + <xsd:element ref="LabelHeader" minOccurs="1" maxOccurs="1"></xsd:element> + <xsd:element name="SubjectLabels" minOccurs="0" maxOccurs="1"> + <xsd:complexType> + <xsd:sequence> + <xsd:element ref="VirtualMachineLabel" minOccurs="1" maxOccurs="unbounded"></xsd:element> + </xsd:sequence> + <xsd:attribute name="bootstrap" type="xsd:string" use="required"></xsd:attribute> + </xsd:complexType> + </xsd:element> + <xsd:element name="ObjectLabels" minOccurs="0" maxOccurs="1"> + <xsd:complexType> + <xsd:sequence> + <xsd:element ref="ResourceLabel" minOccurs="1" maxOccurs="unbounded"></xsd:element> + </xsd:sequence> + </xsd:complexType> + </xsd:element> + </xsd:sequence> + </xsd:complexType> + </xsd:element> + <xsd:element name="PolicyHeader"> + <xsd:complexType> + <xsd:sequence> + <xsd:element ref="Name" minOccurs="1" maxOccurs="1" /> + <xsd:element ref="Date" minOccurs="1" maxOccurs="1" /> + </xsd:sequence> + </xsd:complexType> + </xsd:element> + <xsd:element name="LabelHeader"> + <xsd:complexType> + <xsd:sequence> + <xsd:element ref="Name"></xsd:element> + <xsd:element ref="Date" minOccurs="1" 
maxOccurs="1"></xsd:element> + <xsd:element ref="PolicyName" minOccurs="1" maxOccurs="1"></xsd:element> + </xsd:sequence> + </xsd:complexType> + </xsd:element> + <xsd:element name="SimpleTypeEnforcement"> + <xsd:complexType> + <xsd:sequence> + <xsd:element ref="SimpleTypeEnforcementTypes" /> + </xsd:sequence> + <xsd:attribute name="priority" type="PolicyOrder" use="optional"></xsd:attribute> + </xsd:complexType> + </xsd:element> + <xsd:element name="ChineseWall"> + <xsd:complexType> + <xsd:sequence> + <xsd:element ref="ChineseWallTypes" /> + <xsd:element ref="ConflictSets" /> + </xsd:sequence> + <xsd:attribute name="priority" type="PolicyOrder" use="optional"></xsd:attribute> + </xsd:complexType> + </xsd:element> + <xsd:element name="ChineseWallTypes"> + <xsd:complexType> + <xsd:sequence> + <xsd:element maxOccurs="unbounded" minOccurs="1" ref="Type" /> + </xsd:sequence> + </xsd:complexType> + </xsd:element> + <xsd:element name="ConflictSets"> + <xsd:complexType> + <xsd:sequence> + <xsd:element maxOccurs="unbounded" minOccurs="1" ref="Conflict" /> + </xsd:sequence> + </xsd:complexType> + </xsd:element> + <xsd:element name="SimpleTypeEnforcementTypes"> + <xsd:complexType> + <xsd:sequence> + <xsd:element maxOccurs="unbounded" minOccurs="1" ref="Type" /> + </xsd:sequence> + </xsd:complexType> + </xsd:element> + <xsd:element name="Conflict"> + <xsd:complexType> + <xsd:sequence> + <xsd:element maxOccurs="unbounded" minOccurs="1" ref="Type" /> + </xsd:sequence> + <xsd:attribute name="name" type="xsd:string" use="optional"></xsd:attribute> + </xsd:complexType> + </xsd:element> + <xsd:element name="VirtualMachineLabel"> + <xsd:complexType> + <xsd:sequence> + <xsd:element ref="Name"></xsd:element> + <xsd:element ref="SimpleTypeEnforcementTypes" minOccurs="0" maxOccurs="unbounded" /> + <xsd:element ref="ChineseWallTypes" minOccurs="0" maxOccurs="unbounded" /> + </xsd:sequence> + </xsd:complexType> + </xsd:element> + <xsd:element name="ResourceLabel"> + <xsd:complexType> + 
<xsd:sequence> + <xsd:element ref="Name"></xsd:element> + <xsd:element ref="SimpleTypeEnforcementTypes" minOccurs="0" maxOccurs="unbounded" /> + </xsd:sequence> + </xsd:complexType> + </xsd:element> + <xsd:element name="PolicyName"> + <xsd:complexType> + <xsd:sequence> + <xsd:element ref="Url" /> + <xsd:element ref="Reference" /> + </xsd:sequence> + </xsd:complexType> + </xsd:element> + <xsd:element name="Date" type="xsd:string" /> + <xsd:element name="Name" type="xsd:string" /> + <xsd:element name="Type" type="xsd:string" /> + <xsd:element name="Reference" type="xsd:string" /> + <xsd:element name="Url"></xsd:element> + + <xsd:simpleType name="PolicyOrder"> + <xsd:restriction base="xsd:string"> + <xsd:enumeration value="PrimaryPolicyComponent"></xsd:enumeration> + </xsd:restriction> + </xsd:simpleType> + +</xsd:schema> diff -r a86fb4df3bdd -r bf1746842c46 tools/security/policies/ste/ste-security_label_template.xml --- /dev/null Fri Aug 19 12:21:29 2005 +++ b/tools/security/policies/ste/ste-security_label_template.xml Fri Aug 19 12:22:27 2005 
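Review bot: The `bootstrap` attribute on SubjectLabels is `use="required"` but nothing constrains it to the Name of a VirtualMachineLabel in the same template, so a misspelled bootstrap label validates cleanly; an `xsd:key` over the label names plus an `xsd:keyref` from `@bootstrap` would make the schema reject it, which needs a prefix for the target namespace (`xmlns:tns="http://www.ibm.com"` on the `xsd:schema` element) because identity-constraint XPath ignores the default namespace. Two smaller points in the same hunk: `<xsd:element name="Url"></xsd:element>` has no type and so accepts arbitrary content (`type="xsd:anyURI"` fits the values used), and `Date` is `xsd:string` where `xsd:date` would validate the `2005-08-10` values. Whether each `Type` a template references is actually declared in the policy file it names cannot be expressed in XSD across two documents, so that check belongs in the policy tools and should be called out in the schema header comment.

```xml
<xsd:element name="SecurityLabelTemplate">
  <xsd:complexType>
    <!-- … unchanged: LabelHeader / SubjectLabels / ObjectLabels sequence … -->
  </xsd:complexType>
  <!-- every VirtualMachineLabel must have a unique Name … -->
  <xsd:key name="VirtualMachineLabelKey">
    <xsd:selector xpath="tns:SubjectLabels/tns:VirtualMachineLabel"/>
    <xsd:field xpath="tns:Name"/>
  </xsd:key>
  <!-- … and the bootstrap attribute must name one of them -->
  <xsd:keyref name="BootstrapLabelRef" refer="tns:VirtualMachineLabelKey">
    <xsd:selector xpath="tns:SubjectLabels"/>
    <xsd:field xpath="@bootstrap"/>
  </xsd:keyref>
</xsd:element>
```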
@@ -0,0 +1,143 @@ +<?xml version="1.0"?> +<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com --> +<!-- This file defines the security labels, which can --> +<!-- be attached to Domains and resources. Based on --> +<!-- these labels, the access control module decides --> +<!-- about sharing between Domains and about access --> +<!-- of Domains to real resources. --> + +<SecurityLabelTemplate + xmlns="http://www.ibm.com" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://www.ibm.com security_policy.xsd"> + <LabelHeader> + <Name>ste-security_label_template</Name> + <Date>2005-08-10</Date> + <PolicyName> + <Url>ste-security_policy.xml</Url> + <Reference>abcdef123456abcdef</Reference> + </PolicyName> + </LabelHeader> + + <SubjectLabels bootstrap="dom_SystemManagement"> + <!-- single ste typed domains --> + <!-- ACM enforces that only domains with --> + <!-- the same type can share information --> + <!-- --> + <!-- Bootstrap label is assigned to Dom0 --> + <VirtualMachineLabel> + <Name>dom_HomeBanking</Name> + <SimpleTypeEnforcementTypes> + <Type>ste_PersonalFinances</Type> + </SimpleTypeEnforcementTypes> + </VirtualMachineLabel> + + <VirtualMachineLabel> + <Name>dom_Fun</Name> + <SimpleTypeEnforcementTypes> + <Type>ste_InternetInsecure</Type> + </SimpleTypeEnforcementTypes> + </VirtualMachineLabel> + + <VirtualMachineLabel> + <!-- donating some cycles to seti@home --> + <Name>dom_BoincClient</Name> + <SimpleTypeEnforcementTypes> + <Type>ste_DonatedCycles</Type> + </SimpleTypeEnforcementTypes> + </VirtualMachineLabel> + + <!-- Domains with multiple ste types services; such domains --> + <!-- must keep the types inside their domain safely confined. --> + <VirtualMachineLabel> + <Name>dom_SystemManagement</Name> + <SimpleTypeEnforcementTypes> + <!-- since dom0 needs access to every domain and --> + <!-- resource right now ... 
--> + <Type>ste_SystemManagement</Type> + <Type>ste_PersonalFinances</Type> + <Type>ste_InternetInsecure</Type> + <Type>ste_DonatedCycles</Type> + <Type>ste_PersistentStorageA</Type> + <Type>ste_NetworkAdapter0</Type> + </SimpleTypeEnforcementTypes> + </VirtualMachineLabel> + + <VirtualMachineLabel> + <!-- serves persistent storage to other domains --> + <Name>dom_StorageDomain</Name> + <SimpleTypeEnforcementTypes> + <!-- access right to the resource (hard drive a) --> + <Type>ste_PersistentStorageA</Type> + <!-- can serve following types --> + <Type>ste_PersonalFinances</Type> + <Type>ste_InternetInsecure</Type> + </SimpleTypeEnforcementTypes> + </VirtualMachineLabel> + + <VirtualMachineLabel> + <!-- serves network access to other domains --> + <Name>dom_NetworkDomain</Name> + <SimpleTypeEnforcementTypes> + <!-- access right to the resource (ethernet card) --> + <Type>ste_NetworkAdapter0</Type> + <!-- can serve following types --> + <Type>ste_PersonalFinances</Type> + <Type>ste_InternetInsecure</Type> + <Type>ste_DonatedCycles</Type> + </SimpleTypeEnforcementTypes> + </VirtualMachineLabel> + </SubjectLabels> + + <ObjectLabels> + <ResourceLabel> + <Name>res_ManagementResource</Name> + <SimpleTypeEnforcementTypes> + <Type>ste_SystemManagement</Type> + </SimpleTypeEnforcementTypes> + </ResourceLabel> + + <ResourceLabel> + <Name>res_HardDrive (hda)</Name> + <SimpleTypeEnforcementTypes> + <Type>ste_PersistentStorageA</Type> + </SimpleTypeEnforcementTypes> + </ResourceLabel> + + <ResourceLabel> + <Name>res_LogicalDiskPartition1 (hda1)</Name> + <SimpleTypeEnforcementTypes> + <Type>ste_PersonalFinances</Type> + </SimpleTypeEnforcementTypes> + </ResourceLabel> + + <ResourceLabel> + <Name>res_LogicalDiskPartition2 (hda2)</Name> + <SimpleTypeEnforcementTypes> + <Type>ste_InternetInsecure</Type> + </SimpleTypeEnforcementTypes> + </ResourceLabel> + + <ResourceLabel> + <Name>res_EthernetCard</Name> + <SimpleTypeEnforcementTypes> + <Type>ste_NetworkAdapter0</Type> + 
</SimpleTypeEnforcementTypes> + </ResourceLabel> + + <ResourceLabel> + <Name>res_SecurityToken</Name> + <SimpleTypeEnforcementTypes> + <Type>ste_PersonalFinances</Type> + </SimpleTypeEnforcementTypes> + </ResourceLabel> + + <ResourceLabel> + <Name>res_GraphicsAdapter</Name> + <SimpleTypeEnforcementTypes> + <Type>ste_SystemManagement</Type> + </SimpleTypeEnforcementTypes> + </ResourceLabel> + </ObjectLabels> +</SecurityLabelTemplate> + diff -r a86fb4df3bdd -r bf1746842c46 tools/security/policies/ste/ste-security_policy.xml --- /dev/null Fri Aug 19 12:21:29 2005 +++ b/tools/security/policies/ste/ste-security_policy.xml Fri Aug 19 12:22:27 2005 @@ -0,0 +1,27 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com --> +<!-- This file defines the security policies, which --> +<!-- can be enforced by the Xen Access Control Module. --> +<!-- Currently: Chinese Wall and Simple Type Enforcement--> +<SecurityPolicyDefinition xmlns="http://www.ibm.com" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://www.ibm.com security_policy.xsd"> +<PolicyHeader> + <Name>ste-security_policy</Name> + <Date>2005-08-10</Date> +</PolicyHeader> +<!-- --> +<!-- example of a simple type enforcement policy definition --> +<!-- --> + <SimpleTypeEnforcement> + <SimpleTypeEnforcementTypes> + <Type>ste_SystemManagement</Type> <!-- machine/security management --> + <Type>ste_PersonalFinances</Type> <!-- personal finances --> + <Type>ste_InternetInsecure</Type> <!-- games, active X, etc. --> + <Type>ste_DonatedCycles</Type> <!-- donation to BOINC/seti@home --> + <Type>ste_PersistentStorageA</Type> <!-- domain managing the harddrive A--> + <Type>ste_NetworkAdapter0</Type> <!-- type of the domain managing ethernet adapter 0--> + </SimpleTypeEnforcementTypes> + </SimpleTypeEnforcement> +</SecurityPolicyDefinition> + diff -r a86fb4df3bdd -r bf1746842c46 tools/security/policy.txt --- /dev/null Fri Aug 19 12:21:29 2005 
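Review bot: Under the access rule policy.txt states for this changeset (a domain may access a resource if the two share an STE type), `res_SecurityToken` typed `ste_PersonalFinances` is reachable not only from dom_HomeBanking but also from dom_StorageDomain and dom_NetworkDomain, which carry `ste_PersonalFinances` only so they can serve that type; once resource access control is enforced, the token is therefore shared with both device domains. If the token is intended for the banking domain alone it needs its own STE type held by dom_HomeBanking (and dom_SystemManagement), otherwise the template should say that the service domains are trusted with it, e.g. `<!-- also reachable by the storage and network device domains through ste_PersonalFinances -->` above the ResourceLabel. chwall_ste-security_label_template.xml labels res_SecurityToken the same way.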
+++ b/tools/security/policy.txt Fri Aug 19 12:22:27 2005 
@@ -0,0 +1,405 @@ +## +# policy.txt <description to the Xen access control architecture> +# +# Author: +# Reiner Sailer 08/15/2005 <sailer@xxxxxxxxxxxxxx> +# +# +# This file gives an overview of the security policies currently +# provided and also gives some reasoning about how to assign +# labels to domains. +## + +Xen access control policies + + +General explanation of supported security policies: +===================================================== + +We have implemented the mandatory access control architecture of our +hypervisor security architecture (sHype) for the Xen hypervisor. It +controls communication (in Xen: event channels, grant tables) between +Virtual Machines (from here on called domains) and through this the +virtual block devices, networking, and shared memory are implemented +on top of these communication means. While we have implemented the +described policies and access control architecture for other +hypervisor systems, we will describe below specifically its +implementation and use in the Xen hypervisor. The policy enforcement +is called mandatory regarding user domains since the policy it is +given by the security administration and enforced independently of the +user domains by the Xen hypervisor in cooperation with the domain +management. + +The access control architecture consists of three parts: + +i) The access control policy determines the "command set" of the ACM +and the hooks with which they can be configured to constrain the +sharing of virtual resources. The current access control architecture +implemented for Xen supports two policies: Chinese Wall and Simple +Type Enforcement, which we describe in turn below. + + +ii) The actually enforced policy instantiation uses the policy +language (i) to configure the Xen access control in a way that suits +the specific application (home desktop environment, company desktop, +Web server system, etc.). 
We have defined an exemplary policy +instantiation for Chinese Wall (chwall policy) and Simple Type +Enforcement (ste policy) for a desktop system. We offer these policies +in combination since they are controlling orthogonal events. + + +iii) The access control module (ACM) and related hooks are part of the +core hypervisor and their controls cannot be bypassed by domains. The +ACM and hooks are the active security components. We refer to +publications that describe how access control is enforced in the Xen +hypervisor using the ACM (access decision) and the hooks (decision +enforcement) inserted into the setup of event channels and grant +tables, and into domain operations (create, destroy, save, restore, +migrate). These controls decide based on the active policy +configuration (see i. and ii.) if the operation proceeds of if the +operation is aborted (denied). + + +In general, security policy instantiations in the Xen access control +framework are defined by two files: + +a) a single "policy-name"-security_policy.xml file that defines the +types known to the ACM and policy rules based on these types + +b) a single "policy-name"-security_label_template.xml file that +defines labels based on known types + +Every security policy has its own sub-directory under +"Xen-root"/tools/security/policies in order to simplify their +management and the security policy tools. We will describe those files +for our example policy (Chinese Wall and Simple Type Enforcement) in +more detail as we go along. Eventually, we will move towards a system +installation where the policies will reside under /etc. + + +CHINESE WALL +============ + +The Chinese Wall policy enables the user to define "which workloads +(domain payloads) cannot run on a single physical system at the same +time". Why would we want to prevent workloads from running at the same +time on the same system? 
This supports requirements that can (but +don't have to) be rooted in the measure of trust into the isolation of +different domains that share the same hardware. Since the access +control architecture aims at high performance and non-intrusive +implementation, it currently does not address covert (timing) channels +and aims at medium assurance. Users can apply the Chinese Wall policy +to guarantee an air-gap between very sensitive payloads both regarding +covert information channels and regarding resource starvation. + +To enable the CW control, each domain is labeled with a set of Chinese +Wall types and CW Conflict Sets are defined which include those CW +types that cannot run simultaneously on the same hardware. This +interpretation of conflict sets is the only policy rule for the Chines +Wall policy. + +This is enforced by controlling the start of domains according to +their assigned CW worload types. Domains with Chinese Wall types that +appear in a common conflict set are running mutually exclusive on a +platform, i.e., once a domain with one of the cw-types of a conflict +set is running, no domain with another cw-type of the same conflict +set can start until the first domain is destroyed, paused, or migrated +away from the physical system (this assumes that such a partition can +no longer be observed). The idea is to assign cw-types according to +the type of payload that a domain runs and to use the Chinese Wall +policy to ensure that payload types can be differentiated by the +hypervisor and can be prevented from being executed on the same system +at the same time. Using the flexible CW policy maintains system +consolidation and workload-balancing while introducing guaranteed +constraints where necessary. 
+ + +Example of a Chinese Wall Policy Instantiation +---------------------------------------------- + +The file chwall-security_policy.xml defines the Chinese Wall types as +well as the conflict sets for our example policy (you find it in the +directory "xen_root"/tools/security/policies/chwall). + +It defines four Chinese Wall types (prefixed with cw_) with the +following meaning: + +* cw_SystemsManagement is a type identifying workloads for systems +management, e.g., domain management, device management, or hypervisor +management. + +* cw_Sensitive is identifying workloads that are critical to the user +for one reason or another. + +* cw_Distrusted is identifying workloads a user does not have much +confidence in. E.g. a domain used for surfing in the internet without +protection( i.e., active-X, java, java-script, executing web content) +or for (Internet) Games should be typed this way. + +* cw_Isolated is identifying workloads that are supposedly isolated by +use of the type enforcement policy (described below). For example, if +a user wants to donate cycles to seti@home, she can setup a separate +domain for a Boinc (http://boinc.ssl.berkeley.edu/) client, disable +this domain from accessing the hard drive and from communicating to +other local domains, and type it as cw_Isolated. We will look at a +specific example later. + +The example policy uses the defined types to define one conflict set: +Protection1 = {cw_Sensitive, cw_Distrusted}. This conflict set tells +the hypervisor that once a domain typed as cw_Sensitive is running, a +domain typed as cw_Distrusted cannot run concurrently (and the other +way round). With this policy, a domain typed as cw_Isolated is allowed +to run simultaneously with domains tagged as cw_Sensitive. + +Consequently, the access control module in the Xen hypervisor +distinguishes in this example policy 4 different workload types in +this example policy. 
It is the user's responsibility to type the +domains in a way that reflects the workloads of these domains and, in +the case of cw_Isolated, its properties, e.g. by configuring the +sharing capabilities of the domain accordingly by using the simple +type enforcement policy. + +Users can define their own or change the existing example policy +according to their working environment and security requirements. To +do so, replace the file chwall-security_policy.xml with the new +policy. + + +SIMPLE TYPE ENFORCEMENT +======================= + +The file ste-security_policy.xml defines the simple type enforcement +types for our example policy (you find it in the directory +"xen_root"/tools/security/policies/ste). The Simple Type Enforcement +policy defines which domains can share information with which other +domains. To this end, it controls + +i) inter-domain communication channels (e.g., network traffic, events, +and shared memory). + +ii) access of domains to physical resources (e.g., hard drive, network +cards, graphics adapter, keyboard). + +In order to enable the hypervisor to distinguish different domains and +the user to express access rules, the simple type enforcement defines +a set of types (ste_types). + +The policy defines that communication between domains is allowed if +the domains share a common STE type. As with the chwall types, STE +types should enable the differentiation of workloads. The simple type +enforcement access control implementation in the hypervisor enforces +that domains can only communicate (setup event channels, grant tables) +if they share a common type, i.e., both domains have assigned at least +on type in common. A domain can access a resource, if the domain and +the resource share a common type. Hence, assigning STE types to +domains and resources allows users to define constraints on sharing +between domains and to keep sensitive data confined from distrusted +domains. 
+ +Domain <--> Domain Sharing +'''''''''''''''''''''''''' +(implemented but its effective use requires factorization of Dom0) + +a) Domains with a single STE type (general user domains): Sharing +between such domains is enforced entirely by the hypervisor access +control. It is independent of the domains and does not require their +co-operation. + +b) Domains with multiple STE types: One example is a domain that +virtualizes a physical resource (e.g., hard drive) and serves it as +multiple virtual resources (virtual block drives) to other domains of +different types. The idea is that only a specific device domain has +assigned the type required to access the physical hard-drive. Logical +drives are then assigned the types of domains that have access to this +logical drive. Since the Xen hypervisor cannot distinguish between the +logical drives, the access control (type enforcement) is delegated to +the device domain, which has access to the types of domains requesting +to mount a logical drive as well as the types assigned to the +different available logical drives. + +Currently in Xen, Dom0 controls all hardware, needs to communicate +with all domains during their setup, and intercepts all communication +between domains. Consequently, Dom0 needs to be assigned all types +used and must be completely trusted to maintain the separation of +informatio ncoming from domains with different STE types. Thus a +refactoring of Dom0 is recommended for stronger confinement +guarantees. + +Domain --> RESOURCES Access +''''''''''''''''''''''''''' +(current work) + +We define for each resource that we want to distinguish a separate STE +type. Each STE type is assigned to the respective resource and to +those domains that are allowed to access this resource. Type +enforcement will guarantee that other domains cannot access this +resource since they don't share the resource's STE type. 
+ +Since in the current implementation of Xen, Dom0 controls access to +all hardware (e.g., disk drives, network), Domain-->Resource access +control enforcement must be implemented in Dom0. This is possible +since Dom0 has access to both the domain configuration (including the +domain STE types) and the resource configuration (including the +resource STE types). + +For purposes of gaining higher assurance in the resulting system, it +may be desirable to reduce the size of dom0 by adding one or more +"device domains" (DDs). These DDs, e.g. providing storage or network +access, can support one or more physical devices, and manage +enforcement of MAC policy relevant for said devices. Security benefits +come from the smaller size of these DDs, as they can be more easily +audited than monolithic device driver domains. DDs can help to obtain +maximum security benefit from sHype. + + +Example of a Simple Type Enforcement Policy Instantiation +--------------------------------------------------------- + +We define the following types: + +* ste_SystemManagement identifies workloads (and domains that runs +them) that must share information to accomplish the management of the +system + +* ste_PersonalFinances identifies workloads that are related to +sensitive programs such as HomeBanking applications or safely +configured web browsers for InternetBanking + +* ste_InternetInsecure identifies workloads that are very +function-rich and unrestricted to offer for example an environment +where internet games can run efficiently + +* ste_DonatedCycles identifies workloads that run on behalf of others, +e.g. 
a Boinc client
+
+* ste_PersistentStorage identifies workloads that have direct access
+to persistent storage (e.g., hard drive)
+
+* ste_NetworkAccess identifies workload that have direct access to
+network cards and related networks
+
+
+
+SECURITY LABEL TEMPLATES
+========================
+
+We introduce security label templates because it is difficult for
+users to ensure tagging of domains consistently and since there are
+--as we have seen in the case of isolation-- useful dependencies
+between the policies. Security Label Templates define type sets that
+can be addressed by more user-friendly label names,
+e.g. dom_Homebanking describes a typical typeset tagged to domains
+used for sensitive Homebanking work-loads. Labels are defined in the
+file
+
+Using Security Label Templates has multiple advantages:
+a) easy reference of typical sets of type assignments
+b) consistent interpretation of type combinations
+c) meaningful application-level label names
+
+The definition of label templates depends on the combination of
+policies that are used. We will describe some of the labels defined
+for the Chinese Wall and Simple Type Enforcement combination.
+
+In the BoincClient example, the label_template file specifies that
+this Label is assigned the Chinese Wall type cw_Isolated. We do this
+assuming that this BoincClient is isolated against the rest of the
+system infrastructure (no persistent memory, no sharing with local
+domains). Since cw_Isolated is not included in any conflict set, it
+can run at any time concurrently with any other domain. The
+ste_DonatedCycles type assigned to the BoincClient reflect the
+isolation assumption: it is only assigned to the dom_NetworkDomain
+giving the BoincClient domain access to the network to communicate
+with its BoincServer.
+
+The strategy for combining types into Labels is the following: First
+we define a label for each type of general user domain
+(workload-oriented).
Then we define a new label for each physical
+resource that shall be shared using a DD domain (e.g., disk) and for
+each logical resource offered through this physical resource (logical
+disk partition). We define then device domain labels (here:
+dom_SystemManagement, dom_StorageDomain, dom_NetworkDomain) which
+include the types of the physical resources (e.g. hda) their domains
+need to connect to. Such physical resources can only be accessed
+directly by device domains types with the respective device's STE
+type. Additionally we assign to such a device domain Label the STE
+types of those user domains that are allowed to access one of the
+logical resources (e.g., hda1, hda2) built on top of this physical
+resource through the device domain.
+
+
+Label Construction Example:
+---------------------------
+
+We define here a storage domain label for a domain that owns a real
+disk drive and creates the logical disk partitions hda1 and hda2 which
+it serves to domains labeled dom_HomeBanking and dom_Fun
+respectively. The labels we refer to are defined in the label template
+file policies/chwall_ste/chwall_ste-security-label-template.xml.
+
+step1: To distinguish different shared disk drives, we create a
+separate Label and STE type for each of them. Here: we create a type
+ste_PersistentStorageA for disk drive hda. If you have another disk
+drive, you may define another persistent storage type
+ste_PersistentStorageB in the chwall_ste-security_policy.xml.
+
+step2: To distinguish different domains, we create multiple domain
+labels including different types. Here: label dom_HomeBanking includes
+STE type ste_PersonalFinances, label dom_Fun includes STE type
+ste_InternetInsecure.
+
+step3: The storage domain in charge of the hard drive A needs access
+to this hard drive. Therefore the storage domain label
+dom_StorageDomain must include the type assigned to the hard drive
+(ste_PersistentStorageA).
+
+step4: In order to serve dom hda1 to domains labeled dom_HomeBanking
+and hda2 to domains labeled dom_Fun, the storage domain label must
+include the types of those domains as well (ste_PersonalFinance,
+ste_InternetInsecure).
+
+step5: In order to keep the data for different types safely apart, the
+different logical disk partitions must be assigned unique labels and
+types, which are used inside the storage domain to extend the ACM
+access enforcement to logical resources served from inside the storage
+domain. We define labels "res_LogicalDiskPartition1 (hda1)" and assign
+it to hda1 and "res_LogicalDiskPartition2 (hda2)" and assign it to
+hda2. These labels must include the STE types of those domains that
+are allowed to use them (e.g., ste_PersonalFinances for hda1).
+
+The overall mandatory access control is then enforced in 3 different
+Xen components and these components use a single consistent policy to
+co-operatively enforce the policy. In the storage domain example, we
+have three components that co-operate:
+
+1. The ACM module inside the hypervisor enforces: communication between
+user domains and the storage domain (only domains including types
+ste_PersonalFinances or ste_InternetInsecure can communicate with the
+storage domain and request access to logical resource). This confines
+the sharing to the types assigned to the storage domain.
+
+2. The domain management will enforce (work in progress): assignment of
+real resources (hda) to domains (storage domain) that share a
+type with the resource.
+
+3. If the storage domain serves multiple STE types (as in our example),
+it enforces (work in progress): that domains can access (mount)
+logical resources only if they share an STE type with the respective
+resource. In our example, domains with the STE type
+ste_PersonalFinances can request access (mount) to logical resource
+hda1 from the storage domain.
+
+If you look at the virtual machine label dom_StorageDomain, you will
+see the minimal set of types assigned to our domain manageing disk
+drive hda for serving logical disk partitions exclusively to
+dom_HomeBanking and dom_Fun.
+
+Similary, network domains can confine access to the network or
+network communication between user domains.
+
+As a result, device domains (e.g., storage domain, network domain)
+must be simple and small to ensure their correct co-operation in the
+type enforcement model. If such trust is not possible, then hardware
+should be assigned exclusively to a single type (or to a single
+partition) in which case the hypervisor ACM enforcement enforces the
+types independently.
diff -r a86fb4df3bdd -r bf1746842c46 tools/security/readme.txt
--- /dev/null	Fri Aug 19 12:21:29 2005
+++ b/tools/security/readme.txt	Fri Aug 19 12:22:27 2005
@@ -0,0 +1,29 @@
+
+##
+# readme.txt <description to the xen access control architecture>
+#
+# Author:
+# Reiner Sailer 08/15/2005 <sailer@xxxxxxxxxxxxxx>
+#
+#
+# This file is a toc for information regarding
+# the access control policy and tools in Xen.
+##
+
+1. policy.txt:
+
+ describes the general reasoning and examples for access
+ control policies in Xen
+
+
+2. install.txt
+
+ describes the activation of the access control framework
+ in Xen
+
+3. example.txt
+
+ describes the available tools for managing security policies
+ in Xen and the tools to label domains
+
+
diff -r a86fb4df3bdd -r bf1746842c46 tools/security/secpol_compat.h
--- /dev/null	Fri Aug 19 12:21:29 2005
+++ b/tools/security/secpol_compat.h	Fri Aug 19 12:22:27 2005
@@ -0,0 +1,14 @@
+/* secpol_compat.h
+ * 'translates' data types necessary to
+ * include <xen/acm.h>
+ */
+#include <stdint.h>
+
+typedef uint8_t u8;
+typedef uint16_t u16;
+typedef uint32_t u32;
+typedef uint64_t u64;
+typedef int8_t s8;
+typedef int16_t s16;
+typedef int32_t s32;
+typedef int64_t s64;
diff -r a86fb4df3bdd -r bf1746842c46 tools/security/secpol_xml2bin.c
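Review bot: The new tools/security/secpol_compat.h has no include guard, so a translation unit that pulls it in twice (directly and again through another header) sees the eight `u8` … `s64` typedefs redefined, which C89/C99 compilers reject as an error; wrap the body in `#ifndef SECPOL_COMPAT_H` / `#define SECPOL_COMPAT_H` at the top and `#endif` at the end. The header comment says it exists so that `<xen/acm.h>` can be included; it would help maintainers to note in that comment which of these aliases acm.h actually relies on, since every file including this header gets all eight names in its global namespace and, presumably, risks clashing with other headers that define the same kernel-style aliases.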
--- /dev/null	Fri Aug 19 12:21:29 2005
+++ b/tools/security/secpol_xml2bin.c	Fri Aug 19 12:22:27 2005
@@ -0,0 +1,1396 @@ +/**************************************************************** + * secpol_xml2bin.c + * + * Copyright (C) 2005 IBM Corporation + * + * Author: Reiner Sailer <sailer@xxxxxxxxxx> + * + * Maintained: + * Reiner Sailer <sailer@xxxxxxxxxx> + * Ray Valdez <rvaldez@xxxxxxxxxx> + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation, version 2 of the + * License. + * + * sHype policy translation tool. This tool takes an XML + * policy specification as input and produces a binary + * policy file that can be loaded into Xen through the + * ACM operations (secpol_tool loadpolicy) interface or at + * boot time (grub module parameter) + * + * indent -i4 -kr -nut + */ +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <errno.h> +#include <libgen.h> +#include <fcntl.h> +#include <unistd.h> +#include <sys/types.h> +#include <sys/stat.h> +#include <sys/queue.h> +#include <netinet/in.h> +#include <libxml/xmlschemas.h> +#include <libxml/parser.h> +#include <libxml/tree.h> +#include <libxml/xmlreader.h> +#include "secpol_compat.h" +#include <xen/acm.h> + +#include "secpol_xml2bin.h" + +#define DEBUG 0 + +/* primary / secondary policy component setting */ +enum policycomponent { CHWALL, STE, NULLPOLICY } + primary = NULLPOLICY, secondary = NULLPOLICY; + +/* general list element for ste and chwall type queues */ +struct type_entry { + TAILQ_ENTRY(type_entry) entries; + char *name; /* name of type from xml file */ + type_t mapping; /* type mapping into 16bit */ +}; + +TAILQ_HEAD(tailhead, type_entry) ste_head, chwall_head; + +/* general list element for all label queues */ +enum label_type { VM, RES, ANY }; +struct ssid_entry { + TAILQ_ENTRY(ssid_entry) entries; + char *name; /* label name */ + enum label_type type; /* type: VM / RESOURCE LABEL */ + u_int32_t num; /* ssid or referenced ssid */ + int is_ref; /* if this 
entry references earlier ssid number */ + unsigned char *row; /* index of types (if not a reference) */ +}; + +TAILQ_HEAD(tailhead_ssid, ssid_entry) ste_ssid_head, chwall_ssid_head, + conflictsets_head; +struct ssid_entry *current_chwall_ssid_p = NULL; +struct ssid_entry *current_ste_ssid_p = NULL; +struct ssid_entry *current_conflictset_p = NULL; + +/* which label to assign to dom0 during boot */ +char *bootstrap_label; + +u_int32_t max_ste_ssids = 0; +u_int32_t max_chwall_ssids = 0; +u_int32_t max_chwall_labels = 0; +u_int32_t max_ste_labels = 0; +u_int32_t max_conflictsets = 0; + +char *current_ssid_name; /* store name until structure is allocated */ +char *current_conflictset_name; /* store name until structure is allocated */ + +/* dynamic list of type mappings for STE */ +u_int32_t max_ste_types = 0; + +/* dynamic list of type mappings for CHWALL */ +u_int32_t max_chwall_types = 0; + +/* dynamic list of conflict sets */ +int max_conflict_set = 0; + +/* which policies are defined */ +int have_ste = 0; +int have_chwall = 0; + +/* input/output file names */ +char *policy_filename = NULL, + *label_filename = NULL, + *binary_filename = NULL, *mapping_filename = NULL; + +void usage(char *prg) +{ + printf("usage:\n%s policyname[-policy.xml/-security_label_template.xml]\n", + prg); + exit(EXIT_FAILURE); +} + + +/***************** policy-related parsing *********************/ + +char *type_by_mapping(struct tailhead *head, u_int32_t mapping) +{ + struct type_entry *np; + for (np = head->tqh_first; np != NULL; np = np->entries.tqe_next) + if (np->mapping == mapping) + return np->name; + return NULL; +} + + +struct type_entry *lookup(struct tailhead *head, char *name) +{ + struct type_entry *np; + for (np = head->tqh_first; np != NULL; np = np->entries.tqe_next) + if (!(strcmp(np->name, name))) + return np; + return NULL; +} + +/* enforces single-entry lists */ +int add_entry(struct tailhead *head, char *name, type_t mapping) +{ + struct type_entry *e; + if 
(lookup(head, name)) + { + printf("Error: Type >%s< defined more than once.\n", name); + return -EFAULT; /* already in the list */ + } + if (!(e = malloc(sizeof(struct type_entry)))) + return -ENOMEM; + + e->name = name; + e->mapping = mapping; + TAILQ_INSERT_TAIL(head, e, entries); + return 0; +} + +int totoken(char *tok) +{ + int i; + for (i = 0; token[i] != NULL; i++) + if (!strcmp(token[i], tok)) + return i; + return -EFAULT; +} + +/* conflictsets use the same data structure as ssids; since + * they are similar in structure (set of types) + */ +int init_next_conflictset(void) +{ + struct ssid_entry *conflictset = malloc(sizeof(struct ssid_entry)); + + if (!conflictset) + return -ENOMEM; + + conflictset->name = current_conflictset_name; + conflictset->num = max_conflictsets++; + conflictset->is_ref = 0; /* n/a for conflictsets */ + /** + * row: allocate one byte per type; + * [i] != 0 --> mapped type >i< is part of the conflictset + */ + conflictset->row = malloc(max_chwall_types); + if (!conflictset->row) + return -ENOMEM; + + memset(conflictset->row, 0, max_chwall_types); + TAILQ_INSERT_TAIL(&conflictsets_head, conflictset, entries); + current_conflictset_p = conflictset; + return 0; +} + +int register_type(xmlNode * cur_node, xmlDocPtr doc, unsigned long state) +{ + xmlChar *text; + struct type_entry *e; + + + text = xmlNodeListGetString(doc, cur_node->xmlChildrenNode, 1); + if (!text) + { + printf("Error reading type name!\n"); + return -EFAULT; + } + + switch (state) { + case XML2BIN_stetype_S: + if (add_entry(&ste_head, (char *) text, max_ste_types)) + { + xmlFree(text); + return -EFAULT; + } + max_ste_types++; + break; + + case XML2BIN_chwalltype_S: + if (add_entry(&chwall_head, (char *) text, max_chwall_types)) + { + xmlFree(text); + return -EFAULT; + } + max_chwall_types++; + break; + + case XML2BIN_conflictsettype_S: + /* a) search the type in the chwall_type list */ + e = lookup(&chwall_head, (char *) text); + if (e == NULL) + { + printf("CS type >%s< 
not a CHWALL type.\n", text); + xmlFree(text); + return -EFAULT; + } + /* b) add type entry to the current cs set */ + if (current_conflictset_p->row[e->mapping]) + { + printf("ERROR: Double entry of type >%s< in conflict set %d.\n", + text, current_conflictset_p->num); + xmlFree(text); + return -EFAULT; + } + current_conflictset_p->row[e->mapping] = 1; + break; + + default: + printf("Incorrect type environment (state = %lx, text = %s).\n", + state, text); + xmlFree(text); + return -EFAULT; + } + return 0; +} + +void set_component_type(xmlNode * cur_node, enum policycomponent pc) +{ + xmlChar *order; + + if ((order = xmlGetProp(cur_node, (xmlChar *) PRIMARY_COMPONENT_ATTR_NAME))) { + if (strcmp((char *) order, PRIMARY_COMPONENT)) + { + printf("ERROR: Illegal attribut value >order=%s<.\n", + (char *) order); + xmlFree(order); + exit(EXIT_FAILURE); + } + if (primary != NULLPOLICY) + { + printf("ERROR: Primary Policy Component set twice!\n"); + exit(EXIT_FAILURE); + } + primary = pc; + xmlFree(order); + } +} + +void walk_policy(xmlNode * start, xmlDocPtr doc, unsigned long state) +{ + xmlNode *cur_node = NULL; + int code; + + for (cur_node = start; cur_node; cur_node = cur_node->next) + { + if ((code = totoken((char *) cur_node->name)) < 0) + { + printf("Unknown token: >%s<. 
Aborting.\n", cur_node->name); + exit(EXIT_FAILURE); + } + switch (code) { /* adjust state to new state */ + case XML2BIN_SECPOL: + case XML2BIN_STETYPES: + case XML2BIN_CHWALLTYPES: + case XML2BIN_CONFLICTSETS: + walk_policy(cur_node->children, doc, state | (1 << code)); + break; + + case XML2BIN_STE: + if (WRITTEN_AGAINST_ACM_STE_VERSION != ACM_STE_VERSION) + { + printf("ERROR: This program was written against another STE version.\n"); + exit(EXIT_FAILURE); + } + have_ste = 1; + set_component_type(cur_node, STE); + walk_policy(cur_node->children, doc, state | (1 << code)); + break; + + case XML2BIN_CHWALL: + if (WRITTEN_AGAINST_ACM_CHWALL_VERSION != ACM_CHWALL_VERSION) + { + printf("ERROR: This program was written against another CHWALL version.\n"); + exit(EXIT_FAILURE); + } + have_chwall = 1; + set_component_type(cur_node, CHWALL); + walk_policy(cur_node->children, doc, state | (1 << code)); + break; + + case XML2BIN_CSTYPE: + current_conflictset_name = + (char *) xmlGetProp(cur_node, (xmlChar *) "name"); + if (!current_conflictset_name) + current_conflictset_name = ""; + + if (init_next_conflictset()) + { + printf + ("ERROR: creating new conflictset structure failed.\n"); + exit(EXIT_FAILURE); + } + walk_policy(cur_node->children, doc, state | (1 << code)); + break; + + case XML2BIN_TYPE: + if (register_type(cur_node, doc, state)) + exit(EXIT_FAILURE); + /* type leaf */ + break; + + case XML2BIN_TEXT: + case XML2BIN_COMMENT: + case XML2BIN_POLICYHEADER: + /* leaf - nothing to do */ + break; + + default: + printf("Unkonwn token Error (%d)\n", code); + exit(EXIT_FAILURE); + } + + } + return; +} + +int create_type_mapping(xmlDocPtr doc) +{ + xmlNode *root_element = xmlDocGetRootElement(doc); + struct type_entry *te; + struct ssid_entry *se; + int i; + + printf("Creating ssid mappings ...\n"); + + /* initialize the ste and chwall type lists */ + TAILQ_INIT(&ste_head); + TAILQ_INIT(&chwall_head); + TAILQ_INIT(&conflictsets_head); + + walk_policy(root_element, doc, 
XML2BIN_NULL); + + /* determine primary/secondary policy component orders */ + if ((primary == NULLPOLICY) && have_chwall) + primary = CHWALL; /* default if not set */ + else if ((primary == NULLPOLICY) && have_ste) + primary = STE; + + switch (primary) { + + case CHWALL: + if (have_ste) + secondary = STE; + /* else default = NULLPOLICY */ + break; + + case STE: + if (have_chwall) + secondary = CHWALL; + /* else default = NULLPOLICY */ + break; + + default: + /* NULL/NULL policy */ + break; + } + + if (!DEBUG) + return 0; + + /* print queues */ + if (have_ste) + { + printf("STE-Type queue (%s):\n", + (primary == STE) ? "PRIMARY" : "SECONDARY"); + for (te = ste_head.tqh_first; te != NULL; + te = te->entries.tqe_next) + printf("name=%22s, map=%x\n", te->name, te->mapping); + } + if (have_chwall) + { + printf("CHWALL-Type queue (%s):\n", + (primary == CHWALL) ? "PRIMARY" : "SECONDARY"); + for (te = chwall_head.tqh_first; te != NULL; + te = te->entries.tqe_next) + printf("name=%s, map=%x\n", te->name, te->mapping); + + printf("Conflictset queue (max=%d):\n", max_conflictsets); + for (se = conflictsets_head.tqh_first; se != NULL; + se = se->entries.tqe_next) + { + printf("conflictset name >%s<\n", + se->name ? 
se->name : "NONAME"); + for (i = 0; i < max_chwall_types; i++) + if (se->row[i]) + printf("#%x ", i); + printf("\n"); + } + } + return 0; +} + + +/***************** template-related parsing *********************/ + +/* add default ssid at head of ssid queues */ +int init_ssid_queues(void) +{ + struct ssid_entry *default_ssid_chwall, *default_ssid_ste; + + default_ssid_chwall = malloc(sizeof(struct ssid_entry)); + default_ssid_ste = malloc(sizeof(struct ssid_entry)); + + if ((!default_ssid_chwall) || (!default_ssid_ste)) + return -ENOMEM; + + /* default chwall ssid */ + default_ssid_chwall->name = "DEFAULT"; + default_ssid_chwall->num = max_chwall_ssids++; + default_ssid_chwall->is_ref = 0; + default_ssid_chwall->type = ANY; + + default_ssid_chwall->row = malloc(max_chwall_types); + + if (!default_ssid_chwall->row) + return -ENOMEM; + + memset(default_ssid_chwall->row, 0, max_chwall_types); + + TAILQ_INSERT_TAIL(&chwall_ssid_head, default_ssid_chwall, entries); + current_chwall_ssid_p = default_ssid_chwall; + max_chwall_labels++; + + /* default ste ssid */ + default_ssid_ste->name = "DEFAULT"; + default_ssid_ste->num = max_ste_ssids++; + default_ssid_ste->is_ref = 0; + default_ssid_ste->type = ANY; + + default_ssid_ste->row = malloc(max_ste_types); + + if (!default_ssid_ste->row) + return -ENOMEM; + + memset(default_ssid_ste->row, 0, max_ste_types); + + TAILQ_INSERT_TAIL(&ste_ssid_head, default_ssid_ste, entries); + current_ste_ssid_p = default_ssid_ste; + max_ste_labels++; + return 0; +} + +int init_next_chwall_ssid(unsigned long state) +{ + struct ssid_entry *ssid = malloc(sizeof(struct ssid_entry)); + + if (!ssid) + return -ENOMEM; + + ssid->name = current_ssid_name; + ssid->num = max_chwall_ssids++; + ssid->is_ref = 0; + + if (state & (1 << XML2BIN_VM)) + ssid->type = VM; + else + ssid->type = RES; + /** + * row: allocate one byte per type; + * [i] != 0 --> mapped type >i< is part of the ssid + */ + ssid->row = malloc(max_chwall_types); + if (!ssid->row) + 
return -ENOMEM; + + memset(ssid->row, 0, max_chwall_types); + TAILQ_INSERT_TAIL(&chwall_ssid_head, ssid, entries); + current_chwall_ssid_p = ssid; + max_chwall_labels++; + return 0; +} + +int init_next_ste_ssid(unsigned long state) +{ + struct ssid_entry *ssid = malloc(sizeof(struct ssid_entry)); + + if (!ssid) + return -ENOMEM; + + ssid->name = current_ssid_name; + ssid->num = max_ste_ssids++; + ssid->is_ref = 0; + + if (state & (1 << XML2BIN_VM)) + ssid->type = VM; + else + ssid->type = RES; + + /** + * row: allocate one byte per type; + * [i] != 0 --> mapped type >i< is part of the ssid + */ + ssid->row = malloc(max_ste_types); + if (!ssid->row) + return -ENOMEM; + + memset(ssid->row, 0, max_ste_types); + TAILQ_INSERT_TAIL(&ste_ssid_head, ssid, entries); + current_ste_ssid_p = ssid; + max_ste_labels++; + + return 0; +} + + +/* adds a type to the current ssid */ +int add_type(xmlNode * cur_node, xmlDocPtr doc, unsigned long state) +{ + xmlChar *text; + struct type_entry *e; + + text = xmlNodeListGetString(doc, cur_node->xmlChildrenNode, 1); + if (!text) + { + printf("Error reading type name!\n"); + return -EFAULT; + } + /* same for all: 1. lookup type mapping, 2. 
mark type in ssid */ + switch (state) { + case XML2BIN_VM_STE_S: + case XML2BIN_RES_STE_S: + /* lookup the type mapping and include the type mapping into the array */ + if (!(e = lookup(&ste_head, (char *) text))) + { + printf("ERROR: unknown VM STE type >%s<.\n", text); + exit(EXIT_FAILURE); + } + if (current_ste_ssid_p->row[e->mapping]) + printf("Warning: double entry of VM STE type >%s<.\n", text); + + current_ste_ssid_p->row[e->mapping] = 1; + break; + + case XML2BIN_VM_CHWALL_S: + /* lookup the type mapping and include the type mapping into the array */ + if (!(e = lookup(&chwall_head, (char *) text))) + { + printf("ERROR: unknown VM CHWALL type >%s<.\n", text); + exit(EXIT_FAILURE); + } + if (current_chwall_ssid_p->row[e->mapping]) + printf("Warning: double entry of VM CHWALL type >%s<.\n", + text); + + current_chwall_ssid_p->row[e->mapping] = 1; + break; + + default: + printf("Incorrect type environment (state = %lx, text = %s).\n", + state, text); + xmlFree(text); + return -EFAULT; + } + return 0; +} + +void set_bootstrap_label(xmlNode * cur_node) +{ + xmlChar *order; + + if ((order = xmlGetProp(cur_node, (xmlChar *) BOOTSTRAP_LABEL_ATTR_NAME))) + bootstrap_label = (char *)order; + else { + printf("ERROR: No bootstrap label defined!\n"); + exit(EXIT_FAILURE); + } +} + +void walk_labels(xmlNode * start, xmlDocPtr doc, unsigned long state) +{ + xmlNode *cur_node = NULL; + int code; + + for (cur_node = start; cur_node; cur_node = cur_node->next) + { + if ((code = totoken((char *) cur_node->name)) < 0) + { + printf("Unkonwn token: >%s<. 
Aborting.\n", cur_node->name); + exit(EXIT_FAILURE); + } + switch (code) { /* adjust state to new state */ + + case XML2BIN_SUBJECTS: + set_bootstrap_label(cur_node); + /* fall through */ + case XML2BIN_VM: + case XML2BIN_RES: + case XML2BIN_SECTEMPLATE: + case XML2BIN_OBJECTS: + walk_labels(cur_node->children, doc, state | (1 << code)); + break; + + case XML2BIN_STETYPES: + /* create new ssid entry to use and point current to it */ + if (init_next_ste_ssid(state)) + { + printf("ERROR: creating new ste ssid structure failed.\n"); + exit(EXIT_FAILURE); + } + walk_labels(cur_node->children, doc, state | (1 << code)); + + break; + + case XML2BIN_CHWALLTYPES: + /* create new ssid entry to use and point current to it */ + if (init_next_chwall_ssid(state)) + { + printf("ERROR: creating new chwall ssid structure failed.\n"); + exit(EXIT_FAILURE); + } + walk_labels(cur_node->children, doc, state | (1 << code)); + + break; + + case XML2BIN_TYPE: + /* add type to current ssid */ + if (add_type(cur_node, doc, state)) + exit(EXIT_FAILURE); + break; + + case XML2BIN_NAME: + if ((state != XML2BIN_VM_S) && (state != XML2BIN_RES_S)) + { + printf("ERROR: >name< out of VM/RES context.\n"); + exit(EXIT_FAILURE); + } + current_ssid_name = (char *) + xmlNodeListGetString(doc, cur_node->xmlChildrenNode, 1); + + if (!current_ssid_name) + { + printf("ERROR: empty >name<!\n"); + exit(EXIT_FAILURE); + } + break; + + case XML2BIN_TEXT: + case XML2BIN_COMMENT: + case XML2BIN_LABELHEADER: + break; + + default: + printf("Unkonwn token Error (%d)\n", code); + exit(EXIT_FAILURE); + } + + } + return; +} + +/* this function walks through a ssid queue + * and transforms double entries into references + * of the first definition (we need to keep the + * entry to map labels but we don't want double + * ssids in the binary policy + */ +void +remove_doubles(struct tailhead_ssid *head, + u_int32_t max_types, u_int32_t * max_ssids) +{ + struct ssid_entry *np, *ni; + + /* walk once through the list */ + 
for (np = head->tqh_first; np != NULL; np = np->entries.tqe_next) + { + /* now search from the start until np for the same entry */ + for (ni = head->tqh_first; ni != np; ni = ni->entries.tqe_next) + { + if (ni->is_ref) + continue; + if (memcmp(np->row, ni->row, max_types)) + continue; + /* found one, set np reference to ni */ + np->is_ref = 1; + np->num = ni->num; + (*max_ssids)--; + } + } + + /* now minimize the ssid numbers used (doubles introduce holes) */ + (*max_ssids) = 0; /* reset */ + + for (np = head->tqh_first; np != NULL; np = np->entries.tqe_next) + { + if (np->is_ref) + continue; + + if (np->num != (*max_ssids)) { + /* first reset all later references to the new max_ssid */ + for (ni = np->entries.tqe_next; ni != NULL; ni = ni->entries.tqe_next) + { + if (ni->num == np->num) + ni->num = (*max_ssids); + } + /* now reset num */ + np->num = (*max_ssids)++; + } + else + (*max_ssids)++; + } +} + +/* + * will go away as soon as we have non-static bootstrap ssidref for dom0 + */ +void fixup_bootstrap_label(struct tailhead_ssid *head, + u_int32_t max_types, u_int32_t * max_ssids) +{ + struct ssid_entry *np; + int i; + + /* should not happen if xml / xsd checks work */ + if (!bootstrap_label) + { + printf("ERROR: No bootstrap label defined.\n"); + exit(EXIT_FAILURE); + } + + /* search bootstrap_label */ + for (np = head->tqh_first; np != NULL; np = np->entries.tqe_next) + { + if (!strcmp(np->name, bootstrap_label)) + { + break; + } + } + + if (!np) { + /* bootstrap label not found */ + printf("ERROR: Bootstrap label >%s< not found.\n", bootstrap_label); + exit(EXIT_FAILURE); + } + + /* move this entry ahead in the list right after the default entry so it + * receives ssidref 1/1 */ + TAILQ_REMOVE(head, np, entries); + TAILQ_INSERT_AFTER(head, head->tqh_first, np, entries); + + /* renumber the ssids (we could also just switch places with 1st element) */ + for (np = head->tqh_first, i=0; np != NULL; np = np->entries.tqe_next, i++) + np->num = i; + +} + +int 
create_ssid_mapping(xmlDocPtr doc) +{ + xmlNode *root_element = xmlDocGetRootElement(doc); + struct ssid_entry *np; + int i; + + printf("Creating label mappings ...\n"); + /* initialize the ste and chwall type lists */ + TAILQ_INIT(&chwall_ssid_head); + TAILQ_INIT(&ste_ssid_head); + + /* init with default ssids */ + if (init_ssid_queues()) + { + printf("ERROR adding default ssids.\n"); + exit(EXIT_FAILURE); + } + + /* now walk the template DOM tree and fill in ssids */ + walk_labels(root_element, doc, XML2BIN_NULL); + + /* + * now sort bootstrap label to the head of the list + * (for now), dom0 assumes its label in the first + * defined ssidref (1/1). 0/0 is the default non-Label + */ + if (have_chwall) + fixup_bootstrap_label(&chwall_ssid_head, max_chwall_types, + &max_chwall_ssids); + if (have_ste) + fixup_bootstrap_label(&ste_ssid_head, max_ste_types, + &max_ste_ssids); + + /* remove any double entries (insert reference instead) */ + if (have_chwall) + remove_doubles(&chwall_ssid_head, max_chwall_types, + &max_chwall_ssids); + if (have_ste) + remove_doubles(&ste_ssid_head, max_ste_types, + &max_ste_ssids); + + if (!DEBUG) + return 0; + + /* print queues */ + if (have_chwall) + { + printf("CHWALL SSID queue (max ssidrefs=%d):\n", max_chwall_ssids); + np = NULL; + for (np = chwall_ssid_head.tqh_first; np != NULL; + np = np->entries.tqe_next) + { + printf("SSID #%02u (Label=%s)\n", np->num, np->name); + if (np->is_ref) + printf("REFERENCE"); + else + for (i = 0; i < max_chwall_types; i++) + if (np->row[i]) + printf("#%02d ", i); + printf("\n\n"); + } + } + if (have_ste) + { + printf("STE SSID queue (max ssidrefs=%d):\n", max_ste_ssids); + np = NULL; + for (np = ste_ssid_head.tqh_first; np != NULL; + np = np->entries.tqe_next) + { + printf("SSID #%02u (Label=%s)\n", np->num, np->name); + if (np->is_ref) + printf("REFERENCE"); + else + for (i = 0; i < max_ste_types; i++) + if (np->row[i]) + printf("#%02d ", i); + printf("\n\n"); + } + } + return 0; +} + 
+/***************** writing the binary policy *********************/ + +/* + * the mapping file is ascii-based since it will likely be used from + * within scripts (using awk, grep, etc.); + * + * We print from high-level to low-level information so that with one + * pass, any symbol can be resolved (e.g. Label -> types) + */ +int write_mapping(char *filename) +{ + + struct ssid_entry *e; + struct type_entry *t; + int i; + FILE *file; + + if ((file = fopen(filename, "w")) == NULL) + return -EIO; + + fprintf(file, "MAGIC %08x\n", ACM_MAGIC); + fprintf(file, "POLICY %s\n", + basename(policy_filename)); + fprintf(file, "BINARY %s\n", + basename(binary_filename)); + if (have_chwall) + { + fprintf(file, "MAX-CHWALL-TYPES %08x\n", max_chwall_types); + fprintf(file, "MAX-CHWALL-SSIDS %08x\n", max_chwall_ssids); + fprintf(file, "MAX-CHWALL-LABELS %08x\n", max_chwall_labels); + } + if (have_ste) + { + fprintf(file, "MAX-STE-TYPES %08x\n", max_ste_types); + fprintf(file, "MAX-STE-SSIDS %08x\n", max_ste_ssids); + fprintf(file, "MAX-STE-LABELS %08x\n", max_ste_labels); + } + fprintf(file, "\n"); + + /* primary / secondary order for combined ssid synthesis/analysis + * if no primary is named, then chwall is primary */ + switch (primary) { + case CHWALL: + fprintf(file, "PRIMARY CHWALL\n"); + break; + + case STE: + fprintf(file, "PRIMARY STE\n"); + break; + + default: + fprintf(file, "PRIMARY NULL\n"); + break; + } + + switch (secondary) { + case CHWALL: + fprintf(file, "SECONDARY CHWALL\n"); + break; + + case STE: + fprintf(file, "SECONDARY STE\n"); + break; + + default: + fprintf(file, "SECONDARY NULL\n"); + break; + } + fprintf(file, "\n"); + + /* first labels to ssid mappings */ + if (have_chwall) + { + for (e = chwall_ssid_head.tqh_first; e != NULL; + e = e->entries.tqe_next) + { + fprintf(file, "LABEL->SSID %s CHWALL %-25s %8x\n", + (e->type == + VM) ? "VM " : ((e->type == RES) ? 
"RES" : "ANY"), + e->name, e->num); + } + fprintf(file, "\n"); + } + if (have_ste) + { + for (e = ste_ssid_head.tqh_first; e != NULL; + e = e->entries.tqe_next) + { + fprintf(file, "LABEL->SSID %s STE %-25s %8x\n", + (e->type == + VM) ? "VM " : ((e->type == RES) ? "RES" : "ANY"), + e->name, e->num); + } + fprintf(file, "\n"); + } + + /* second ssid to type mappings */ + if (have_chwall) + { + for (e = chwall_ssid_head.tqh_first; e != NULL; + e = e->entries.tqe_next) + { + if (e->is_ref) + continue; + + fprintf(file, "SSID->TYPE CHWALL %08x", e->num); + + for (i = 0; i < max_chwall_types; i++) + if (e->row[i]) + fprintf(file, " %s", type_by_mapping(&chwall_head, i)); + + fprintf(file, "\n"); + } + fprintf(file, "\n"); + } + if (have_ste) { + for (e = ste_ssid_head.tqh_first; e != NULL; + e = e->entries.tqe_next) + { + if (e->is_ref) + continue; + + fprintf(file, "SSID->TYPE STE %08x", e->num); + + for (i = 0; i < max_ste_types; i++) + if (e->row[i]) + fprintf(file, " %s", type_by_mapping(&ste_head, i)); + + fprintf(file, "\n"); + } + fprintf(file, "\n"); + } + /* third type mappings */ + if (have_chwall) + { + for (t = chwall_head.tqh_first; t != NULL; t = t->entries.tqe_next) + { + fprintf(file, "TYPE CHWALL %-25s %8x\n", + t->name, t->mapping); + } + fprintf(file, "\n"); + } + if (have_ste) { + for (t = ste_head.tqh_first; t != NULL; t = t->entries.tqe_next) + { + fprintf(file, "TYPE STE %-25s %8x\n", + t->name, t->mapping); + } + fprintf(file, "\n"); + } + fclose(file); + return 0; +} + +unsigned char *write_chwall_binary(u_int32_t * len_chwall) +{ + unsigned char *buf, *ptr; + struct acm_chwall_policy_buffer *chwall_header; + u_int32_t len; + struct ssid_entry *e; + int i; + + if (!have_chwall) + return NULL; + + len = sizeof(struct acm_chwall_policy_buffer) + + sizeof(type_t) * max_chwall_types * max_chwall_ssids + + sizeof(type_t) * max_chwall_types * max_conflictsets; + + buf = malloc(len); + ptr = buf; + + if (!buf) + { + printf("ERROR: out of memory 
allocating chwall buffer.\n"); + exit(EXIT_FAILURE); + } + /* chwall has 3 parts : header, types, conflictsets */ + + chwall_header = (struct acm_chwall_policy_buffer *) buf; + chwall_header->chwall_max_types = htonl(max_chwall_types); + chwall_header->chwall_max_ssidrefs = htonl(max_chwall_ssids); + chwall_header->policy_code = htonl(ACM_CHINESE_WALL_POLICY); + chwall_header->policy_version = htonl(ACM_CHWALL_VERSION); + chwall_header->chwall_ssid_offset = + htonl(sizeof(struct acm_chwall_policy_buffer)); + chwall_header->chwall_max_conflictsets = htonl(max_conflictsets); + chwall_header->chwall_conflict_sets_offset = + htonl(ntohl(chwall_header->chwall_ssid_offset) + + sizeof(domaintype_t) * max_chwall_ssids * max_chwall_types); + chwall_header->chwall_running_types_offset = 0; /* not set, only retrieved */ + chwall_header->chwall_conflict_aggregate_offset = 0; /* not set, only retrieved */ + ptr += sizeof(struct acm_chwall_policy_buffer); + + /* types */ + for (e = chwall_ssid_head.tqh_first; e != NULL; + e = e->entries.tqe_next) + { + if (e->is_ref) + continue; + + for (i = 0; i < max_chwall_types; i++) + ((type_t *) ptr)[i] = htons((type_t) e->row[i]); + + ptr += sizeof(type_t) * max_chwall_types; + } + + /* conflictsets */ + for (e = conflictsets_head.tqh_first; e != NULL; + e = e->entries.tqe_next) + { + for (i = 0; i < max_chwall_types; i++) + ((type_t *) ptr)[i] = htons((type_t) e->row[i]); + + ptr += sizeof(type_t) * max_chwall_types; + } + + if ((ptr - buf) != len) + { + printf("ERROR: wrong lengths in %s.\n", __func__); + exit(EXIT_FAILURE); + } + + (*len_chwall) = len; + return buf; +} + +unsigned char *write_ste_binary(u_int32_t * len_ste) +{ + unsigned char *buf, *ptr; + struct acm_ste_policy_buffer *ste_header; + struct ssid_entry *e; + u_int32_t len; + int i; + + if (!have_ste) + return NULL; + + len = sizeof(struct acm_ste_policy_buffer) + + sizeof(type_t) * max_ste_types * max_ste_ssids; + + buf = malloc(len); + ptr = buf; + + if (!buf) + { + 
printf("ERROR: out of memory allocating chwall buffer.\n"); + exit(EXIT_FAILURE); + } + + /* fill buffer */ + ste_header = (struct acm_ste_policy_buffer *) buf; + ste_header->policy_version = htonl(ACM_STE_VERSION); + ste_header->policy_code = htonl(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY); + ste_header->ste_max_types = htonl(max_ste_types); + ste_header->ste_max_ssidrefs = htonl(max_ste_ssids); + ste_header->ste_ssid_offset = + htonl(sizeof(struct acm_ste_policy_buffer)); + + ptr += sizeof(struct acm_ste_policy_buffer); + + /* types */ + for (e = ste_ssid_head.tqh_first; e != NULL; e = e->entries.tqe_next) + { + if (e->is_ref) + continue; + + for (i = 0; i < max_ste_types; i++) + ((type_t *) ptr)[i] = htons((type_t) e->row[i]); + + ptr += sizeof(type_t) * max_ste_types; + } + + if ((ptr - buf) != len) + { + printf("ERROR: wrong lengths in %s.\n", __func__); + exit(EXIT_FAILURE); + } + (*len_ste) = len; + return buf; /* for now */ +} + +int write_binary(char *filename) +{ + struct acm_policy_buffer header; + unsigned char *ste_buffer = NULL, *chwall_buffer = NULL; + u_int32_t len; + int fd; + + u_int32_t len_ste = 0, len_chwall = 0; /* length of policy components */ + + /* open binary file */ + if ((fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR)) <= 0) + return -EIO; + + ste_buffer = write_ste_binary(&len_ste); + chwall_buffer = write_chwall_binary(&len_chwall); + + /* determine primary component (default chwall) */ + header.policy_version = htonl(ACM_POLICY_VERSION); + header.magic = htonl(ACM_MAGIC); + + len = sizeof(struct acm_policy_buffer); + if (have_chwall) + len += len_chwall; + if (have_ste) + len += len_ste; + header.len = htonl(len); + + header.primary_buffer_offset = htonl(sizeof(struct acm_policy_buffer)); + if (primary == CHWALL) + { + header.primary_policy_code = htonl(ACM_CHINESE_WALL_POLICY); + header.secondary_buffer_offset = + htonl((sizeof(struct acm_policy_buffer)) + len_chwall); + } + else if (primary == STE) + { + 
header.primary_policy_code = + htonl(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY); + header.secondary_buffer_offset = + htonl((sizeof(struct acm_policy_buffer)) + len_ste); + } + else + { + /* null policy */ + header.primary_policy_code = htonl(ACM_NULL_POLICY); + header.secondary_buffer_offset = + htonl(header.primary_buffer_offset); + } + + if (secondary == CHWALL) + header.secondary_policy_code = htonl(ACM_CHINESE_WALL_POLICY); + else if (secondary == STE) + header.secondary_policy_code = + htonl(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY); + else + header.secondary_policy_code = htonl(ACM_NULL_POLICY); + + if (write(fd, (void *) &header, sizeof(struct acm_policy_buffer)) + != sizeof(struct acm_policy_buffer)) + return -EIO; + + /* write primary policy component */ + if (primary == CHWALL) + { + if (write(fd, chwall_buffer, len_chwall) != len_chwall) + return -EIO; + } + else if (primary == STE) + { + if (write(fd, ste_buffer, len_ste) != len_ste) + return -EIO; + } else + ; /* NULL POLICY has no policy data */ + + /* write secondary policy component */ + if (secondary == CHWALL) + { + if (write(fd, chwall_buffer, len_chwall) != len_chwall) + return -EIO; + } + else if (secondary == STE) + { + if (write(fd, ste_buffer, len_ste) != len_ste) + return -EIO; + } else; /* NULL POLICY has no policy data */ + + close(fd); + return 0; +} + +int is_valid(xmlDocPtr doc) +{ + int err = 0; + xmlSchemaPtr schema_ctxt = NULL; + xmlSchemaParserCtxtPtr schemaparser_ctxt = NULL; + xmlSchemaValidCtxtPtr schemavalid_ctxt = NULL; + + schemaparser_ctxt = xmlSchemaNewParserCtxt(SCHEMA_FILENAME); + schema_ctxt = xmlSchemaParse(schemaparser_ctxt); + schemavalid_ctxt = xmlSchemaNewValidCtxt(schema_ctxt); + +#ifdef VALIDATE_SCHEMA + /* only tested to be available from libxml2-2.6.20 upwards */ + if ((err = xmlSchemaIsValid(schemavalid_ctxt)) != 1) + { + printf("ERROR: Invalid schema file %s (err=%d)\n", + SCHEMA_FILENAME, err); + err = -EIO; + goto out; + } + else + printf("XML Schema %s valid.\n", 
SCHEMA_FILENAME); +#endif + if ((err = xmlSchemaValidateDoc(schemavalid_ctxt, doc))) + { + err = -EIO; + goto out; + } + out: + xmlSchemaFreeValidCtxt(schemavalid_ctxt); + xmlSchemaFreeParserCtxt(schemaparser_ctxt); + xmlSchemaFree(schema_ctxt); + return (err != 0) ? 0 : 1; +} + +int main(int argc, char **argv) +{ + xmlDocPtr labeldoc = NULL; + xmlDocPtr policydoc = NULL; + + int err = EXIT_SUCCESS; + + char *file_prefix; + int prefix_len; + + if (ACM_POLICY_VERSION != WRITTEN_AGAINST_ACM_POLICY_VERSION) + { + printf("ERROR: This program was written against an older ACM version.\n"); + exit(EXIT_FAILURE); + } + + if (argc != 2) + usage(basename(argv[0])); + + prefix_len = strlen(POLICY_SUBDIR) + + strlen(argv[1]) + 1 /* "/" */ + + strlen(argv[1]) + 1 /* "/" */ ; + + file_prefix = malloc(prefix_len); + policy_filename = malloc(prefix_len + strlen(POLICY_EXTENSION)); + label_filename = malloc(prefix_len + strlen(LABEL_EXTENSION)); + binary_filename = malloc(prefix_len + strlen(BINARY_EXTENSION)); + mapping_filename = malloc(prefix_len + strlen(MAPPING_EXTENSION)); + + if (!file_prefix || !policy_filename || !label_filename || + !binary_filename || !mapping_filename) + { + printf("ERROR allocating file name memory.\n"); + goto out2; + } + + /* create input/output filenames out of prefix */ + strcat(file_prefix, POLICY_SUBDIR); + strcat(file_prefix, argv[1]); + strcat(file_prefix, "/"); + strcat(file_prefix, argv[1]); + + strcpy(policy_filename, file_prefix); + strcpy(label_filename, file_prefix); + strcpy(binary_filename, file_prefix); + strcpy(mapping_filename, file_prefix); + + strcat(policy_filename, POLICY_EXTENSION); + strcat(label_filename, LABEL_EXTENSION); + strcat(binary_filename, BINARY_EXTENSION); + strcat(mapping_filename, MAPPING_EXTENSION); + + labeldoc = xmlParseFile(label_filename); + + if (labeldoc == NULL) + { + printf("Error: could not parse file %s.\n", argv[1]); + goto out2; + } + + printf("Validating label file %s...\n", label_filename); + if 
(!is_valid(labeldoc)) + { + printf("ERROR: Failed schema-validation for file %s (err=%d)\n", + label_filename, err); + goto out1; + } + + policydoc = xmlParseFile(policy_filename); + + if (policydoc == NULL) + { + printf("Error: could not parse file %s.\n", argv[1]); + goto out1; + } + + printf("Validating policy file %s...\n", policy_filename); + + if (!is_valid(policydoc)) + { + printf("ERROR: Failed schema-validation for file %s (err=%d)\n", + policy_filename, err); + goto out; + } + + /* Init queues and parse policy */ + create_type_mapping(policydoc); + + /* create ssids */ + create_ssid_mapping(labeldoc); + + /* write label mapping file */ + if (write_mapping(mapping_filename)) + { + printf("ERROR: writing mapping file %s.\n", mapping_filename); + goto out; + } + + /* write binary file */ + if (write_binary(binary_filename)) + { + printf("ERROR: writing binary file %s.\n", binary_filename); + goto out; + } + + /* write stats */ + if (have_chwall) + { + printf("Max chwall labels: %u\n", max_chwall_labels); + printf("Max chwall-types: %u\n", max_chwall_types); + printf("Max chwall-ssids: %u\n", max_chwall_ssids); + } + + if (have_ste) + { + printf("Max ste labels: %u\n", max_ste_labels); + printf("Max ste-types: %u\n", max_ste_types); + printf("Max ste-ssids: %u\n", max_ste_ssids); + } + /* cleanup */ + out: + xmlFreeDoc(policydoc); + out1: + xmlFreeDoc(labeldoc); + out2: + xmlCleanupParser(); + return err; +} + diff -r a86fb4df3bdd -r bf1746842c46 tools/security/secpol_xml2bin.h --- /dev/null Fri Aug 19 12:21:29 2005 +++ b/tools/security/secpol_xml2bin.h Fri Aug 19 12:22:27 2005 
@@ -0,0 +1,139 @@
+/****************************************************************
+ * secpol_xml2bin.h
+ *
+ * Copyright (C) 2005 IBM Corporation
+ *
+ * Authors:
+ * Reiner Sailer <sailer@xxxxxxxxxxxxxx>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ *
+ */
+#define POLICY_SUBDIR "policies/"
+#define POLICY_EXTENSION "-security_policy.xml"
+#define LABEL_EXTENSION "-security_label_template.xml"
+#define BINARY_EXTENSION ".bin"
+#define MAPPING_EXTENSION ".map"
+#define PRIMARY_COMPONENT_ATTR_NAME "order"
+#define BOOTSTRAP_LABEL_ATTR_NAME "bootstrap"
+#define PRIMARY_COMPONENT "PrimaryPolicyComponent"
+#define SCHEMA_FILENAME "policies/security_policy.xsd"
+
+/* basic states (used as 1 << X) */
+#define XML2BIN_SECPOL 0 /* policy tokens */
+#define XML2BIN_STE 1
+#define XML2BIN_CHWALL 2
+#define XML2BIN_CONFLICTSETS 3
+#define XML2BIN_CSTYPE 4
+
+#define XML2BIN_SECTEMPLATE 5 /* label tokens */
+#define XML2BIN_POLICYHEADER 6
+#define XML2BIN_LABELHEADER 7
+#define XML2BIN_SUBJECTS 8
+#define XML2BIN_OBJECTS 9
+#define XML2BIN_VM 10
+#define XML2BIN_RES 11
+
+#define XML2BIN_STETYPES 12 /* shared tokens */
+#define XML2BIN_CHWALLTYPES 13
+#define XML2BIN_TYPE 14
+#define XML2BIN_NAME 15
+#define XML2BIN_TEXT 16
+#define XML2BIN_COMMENT 17
+
+/* type "data type" (currently 16bit) */
+typedef u_int16_t type_t;
+
+/* list of known elements and token equivalent *
+ * state constants and token positions must be *
+ * in sync for correct state recognition */
+
+char *token[20] = /* parser triggers */
+{
+ [0] = "SecurityPolicyDefinition", /* policy xml */
+ [1] = "SimpleTypeEnforcement",
+ [2] = "ChineseWall",
+ [3] = "ConflictSets",
+ [4] = "Conflict", /* label-template xml */
+ [5] = "SecurityLabelTemplate",
+ [6] = "PolicyHeader",
+ [7] = "LabelHeader",
+ [8] = "SubjectLabels",
+ [9] = "ObjectLabels",
+ [10] = "VirtualMachineLabel",
+ [11] = "ResourceLabel",
+ [12] = "SimpleTypeEnforcementTypes", /* common tags */
+ [13] = "ChineseWallTypes",
+ [14] = "Type",
+ [15] = "Name",
+ [16] = "text",
+ [17] = "comment",
+ [18] = NULL,
+};
+
+/* important combined states */
+#define XML2BIN_NULL 0
+
+/* policy xml parsing states _S */
+
+/* e.g., here we are in a <secpol,ste,stetypes> environment, *
+ * so when finding a type element, we know where to put it */
+#define XML2BIN_stetype_S ((1 << XML2BIN_SECPOL) | \
+ (1 << XML2BIN_STE) | \
+ (1 << XML2BIN_STETYPES))
+
+#define XML2BIN_chwalltype_S ((1 << XML2BIN_SECPOL) | \
+ (1 << XML2BIN_CHWALL) | \
+ (1 << XML2BIN_CHWALLTYPES))
+
+#define XML2BIN_conflictset_S ((1 << XML2BIN_SECPOL) | \
+ (1 << XML2BIN_CHWALL) | \
+ (1 << XML2BIN_CONFLICTSETS))
+
+#define XML2BIN_conflictsettype_S ((1 << XML2BIN_SECPOL) | \
+ (1 << XML2BIN_CHWALL) | \
+ (1 << XML2BIN_CONFLICTSETS) | \
+ (1 << XML2BIN_CSTYPE))
+
+
+/* label xml states */
+#define XML2BIN_VM_S ((1 << XML2BIN_SECTEMPLATE) | \
+ (1 << XML2BIN_SUBJECTS) | \
+ (1 << XML2BIN_VM))
+
+#define XML2BIN_RES_S ((1 << XML2BIN_SECTEMPLATE) | \
+ (1 << XML2BIN_OBJECTS) | \
+ (1 << XML2BIN_RES))
+
+#define XML2BIN_VM_STE_S ((1 << XML2BIN_SECTEMPLATE) | \
+ (1 << XML2BIN_SUBJECTS) | \
+ (1 << XML2BIN_VM) | \
+ (1 << XML2BIN_STETYPES))
+
+#define XML2BIN_VM_CHWALL_S ((1 << XML2BIN_SECTEMPLATE) | \
+ (1 << XML2BIN_SUBJECTS) | \
+ (1 << XML2BIN_VM) | \
+ (1 << XML2BIN_CHWALLTYPES))
+
+#define XML2BIN_RES_STE_S ((1 << XML2BIN_SECTEMPLATE) | \
+ (1 << XML2BIN_OBJECTS) | \
+ (1 << XML2BIN_RES) | \
+ (1 << XML2BIN_STETYPES))
+
+
+
+/* check versions of headers against which the
+ * xml2bin translation tool was written
+ */
+
+/* protects from unnoticed changes in struct acm_policy_buffer */
+#define WRITTEN_AGAINST_ACM_POLICY_VERSION 1
+
+/* protects from unnoticed changes in struct acm_chwall_policy_buffer */
+#define WRITTEN_AGAINST_ACM_CHWALL_VERSION 1
+
+/* protects from unnoticed changes in struct acm_ste_policy_buffer */
+#define WRITTEN_AGAINST_ACM_STE_VERSION 1
diff -r a86fb4df3bdd -r bf1746842c46 tools/security/setlabel.sh
--- /dev/null Fri Aug 19 12:21:29 2005
+++ b/tools/security/setlabel.sh Fri Aug 19 12:22:27 2005
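Review bot: `char *token[20] = ...` is a full, writable, external definition placed in a header, so a second translation unit that includes secpol_xml2bin.h will fail to link with a duplicate symbol, and nothing stops a stray write from redirecting which XML element name maps to which parser state. Declaring it as `static const char *const token[] = /* parser triggers */` gives each includer a private read-only copy and lets the compiler reject writes; the trailing NULL sentinel at `[18]` keeps any walker terminating, so the explicit size of 20 can also be dropped. Since the comment above the table says the positions must stay in sync with the `XML2BIN_*` constants, a comment on the table such as `/* index N must equal the XML2BIN_* state constant N; [18] is the NULL sentinel */` would help whoever adds the next element.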
@@ -0,0 +1,345 @@
+#!/bin/sh
+# *
+# * setlabel
+# *
+# * Copyright (C) 2005 IBM Corporation
+# *
+# * Authors:
+# * Stefan Berger <stefanb@xxxxxxxxxx>
+# *
+# * This program is free software; you can redistribute it and/or
+# * modify it under the terms of the GNU General Public License as
+# * published by the Free Software Foundation, version 2 of the
+# * License.
+# *
+# * 'setlabel' labels virtual machine (domain) configuration files with
+# * security identifiers that can be enforced in Xen.
+# *
+# * 'setlabel -?' shows the usage of the program
+# *
+# * 'setlabel -l vmconfig-file' lists all available labels (only VM
+# * labels are used right now)
+# *
+# * 'setlabel vmconfig-file security-label map-file' inserts the 'ssidref'
+# * that corresponds to the security-label under the
+# * current policy (if policy changes, 'label'
+# * must be re-run over the configuration files;
+# * map-file is created during policy translation and
+# * is found in the policy's directory
+#
+
+if [ -z "$runbash" ]; then
+ runbash="1"
+ export runbash
+ exec sh -c "bash $0 $*"
+fi
+
+
+usage ()
+{
+ echo "Usage: $0 [Option] <vmfile> <label> <policy name> "
+ echo " or $0 -l <policy name>"
+ echo ""
+ echo "Valid Options are:"
+ echo "-r : to relabel a file without being prompted"
+ echo ""
+ echo "vmfile : XEN vm configuration file"
+ echo "label : the label to map"
+ echo "policy name : the name of the policy, i.e. 'chwall'"
+ echo ""
+ echo "-l <policy name> is used to show valid labels in the map file"
+ echo ""
+}
+
+
+findMapFile ()
+{
+ mapfile="./$1.map"
+ if [ -r "$mapfile" ]; then
+ return 1
+ fi
+
+ mapfile="./policies/$1/$1.map"
+ if [ -r "$mapfile" ]; then
+ return 1
+ fi
+
+ return 0
+}
+
+showLabels ()
+{
+ mapfile=$1
+ if [ ! -r "$mapfile" -o "$mapfile" == "" ]; then
+ echo "Cannot read from vm configuration file $vmfile."
+ return -1
+ fi
+
+ getPrimaryPolicy $mapfile
+ getSecondaryPolicy $mapfile
+
+ echo "The following labels are available:"
+ let line=1
+ while [ 1 ]; do
+ ITEM=`cat $mapfile | \
+ awk -vline=$line \
+ -vprimary=$primary \
+ '{ \
+ if ($1 == "LABEL->SSID" && \
+ $2 == "VM" && \
+ $3 == primary ) { \
+ ctr++; \
+ if (ctr == line) { \
+ print $4; \
+ } \
+ } \
+ } END { \
+ }'`
+
+ if [ "$ITEM" == "" ]; then
+ break
+ fi
+ if [ "$secondary" != "NULL" ]; then
+ LABEL=`cat $mapfile | \
+ awk -vitem=$ITEM \
+ '{
+ if ($1 == "LABEL->SSID" && \
+ $2 == "VM" && \
+ $3 == "CHWALL" && \
+ $4 == item ) { \
+ result = item; \
+ } \
+ } END { \
+ print result \
+ }'`
+ else
+ LABEL=$ITEM
+ fi
+
+ if [ "$LABEL" != "" ]; then
+ echo "$LABEL"
+ found=1
+ fi
+ let line=line+1
+ done
+ if [ "$found" != "1" ]; then
+ echo "No labels found."
+ fi
+}
+
+getPrimaryPolicy ()
+{
+ mapfile=$1
+ primary=`cat $mapfile | \
+ awk ' \
+ { \
+ if ( $1 == "PRIMARY" ) { \
+ res=$2; \
+ } \
+ } END { \
+ print res; \
+ } '`
+}
+
+getSecondaryPolicy ()
+{
+ mapfile=$1
+ secondary=`cat $mapfile | \
+ awk ' \
+ { \
+ if ( $1 == "SECONDARY" ) { \
+ res=$2; \
+ } \
+ } END { \
+ print res; \
+ } '`
+}
+
+
+getDefaultSsid ()
+{
+ mapfile=$1
+ pol=$2
+ RES=`cat $mapfile \
+ awk -vpol=$pol \
+ { \
+ if ($1 == "LABEL->SSID" && \
+ $2 == "ANY" && \
+ $3 == pol && \
+ $4 == "DEFAULT" ) {\
+ res=$5; \
+ } \
+ } END { \
+ printf "%04x", strtonum(res) \
+ }'`
+ echo "default NULL mapping is $RES"
+ defaultssid=$RES
+}
+
+relabel ()
+{
+ vmfile=$1
+ label=$2
+ mapfile=$3
+ mode=$4
+
+ if [ ! -r "$vmfile" ]; then
+ echo "Cannot read from vm configuration file $vmfile."
+ return -1
+ fi
+
+ if [ ! -w "$vmfile" ]; then
+ echo "Cannot write to vm configuration file $vmfile."
+ return -1
+ fi
+
+ if [ ! -r "$mapfile" ] ; then
+ echo "Cannot read mapping file $mapfile."
+ return -1
+ fi
+
+ # Determine which policy is primary, which sec.
+ getPrimaryPolicy $mapfile
+ getSecondaryPolicy $mapfile
+
+ # Calculate the primary policy's SSIDREF
+ if [ "$primary" == "NULL" ]; then
+ SSIDLO="0000"
+ else
+ SSIDLO=`cat $mapfile | \
+ awk -vlabel=$label \
+ -vprimary=$primary \
+ '{ \
+ if ( $1 == "LABEL->SSID" && \
+ $2 == "VM" && \
+ $3 == primary && \
+ $4 == label ) { \
+ result=$5 \
+ } \
+ } END { \
+ if (result != "" ) \
+ {printf "%04x", strtonum(result)}\
+ }'`
+ fi
+
+ # Calculate the secondary policy's SSIDREF
+ if [ "$secondary" == "NULL" ]; then
+ SSIDHI="0000"
+ else
+ SSIDHI=`cat $mapfile | \
+ awk -vlabel=$label \
+ -vsecondary=$secondary \
+ '{ \
+ if ( $1 == "LABEL->SSID" && \
+ $2 == "VM" && \
+ $3 == secondary && \
+ $4 == label ) { \
+ result=$5 \
+ } \
+ } END { \
+ if (result != "" ) \
+ {printf "%04x", strtonum(result)}\
+ }'`
+ fi
+
+ if [ "$SSIDLO" == "" -o \
+ "$SSIDHI" == "" ]; then
+ echo "Could not map the given label '$label'."
+ return -1
+ fi
+
+ ACM_POLICY=`cat $mapfile | \
+ awk ' { if ( $1 == "POLICY" ) { \
+ result=$2 \
+ } \
+ } \
+ END { \
+ if (result != "") { \
+ printf result \
+ } \
+ }'`
+
+ if [ "$ACM_POLICY" == "" ]; then
+ echo "Could not find 'POLICY' entry in map file."
+ return -1
+ fi
+
+ SSIDREF="0x$SSIDHI$SSIDLO"
+
+ if [ "$mode" != "relabel" ]; then
+ RES=`cat $vmfile | \
+ awk '{ \
+ if ( substr($1,0,7) == "ssidref" ) {\
+ print $0; \
+ } \
+ }'`
+ if [ "$RES" != "" ]; then
+ echo "Do you want to overwrite the existing mapping ($RES)? (y/N)"
+ read user
+ if [ "$user" != "y" -a "$user" != "Y" ]; then
+ echo "Aborted."
+ return 0
+ fi
+ fi
+ fi
+
+ #Write the output
+ vmtmp1="/tmp/__setlabel.tmp1"
+ vmtmp2="/tmp/__setlabel.tmp2"
+ touch $vmtmp1
+ touch $vmtmp2
+ if [ ! -w "$vmtmp1" -o ! -w "$vmtmp2" ]; then
+ echo "Cannot create temporary files. Aborting."
+ return -1
+ fi
+ RES=`sed -e '/^#ACM_POLICY/d' $vmfile > $vmtmp1`
+ RES=`sed -e '/^#ACM_LABEL/d' $vmtmp1 > $vmtmp2`
+ RES=`sed -e '/^ssidref/d' $vmtmp2 > $vmtmp1`
+ echo "#ACM_POLICY=$ACM_POLICY" >> $vmtmp1
+ echo "#ACM_LABEL=$label" >> $vmtmp1
+ echo "ssidref = $SSIDREF" >> $vmtmp1
+ mv -f $vmtmp1 $vmfile
+ rm -rf $vmtmp1 $vmtmp2
+ echo "Mapped label '$label' to ssidref '$SSIDREF'."
+}
+
+
+
+if [ "$1" == "-r" ]; then
+ mode="relabel"
+ shift
+elif [ "$1" == "-l" ]; then
+ mode="show"
+ shift
+elif [ "$1" == "-?" ]; then
+ mode="usage"
+fi
+
+if [ "$mode" == "show" ]; then
+ if [ "$1" == "" ]; then
+ usage
+ exit -1;
+ fi
+ findMapFile $1
+ res=$?
+ if [ "$res" != "0" ]; then
+ showLabels $mapfile
+ else
+ echo "Could not find map file for policy '$1'."
+ fi
+elif [ "$mode" == "usage" ]; then
+ usage
+else
+ if [ "$3" == "" ]; then
+ usage
+ exit -1;
+ fi
+ findMapFile $3
+ res=$?
+ if [ "$res" != "0" ]; then
+ relabel $1 $2 $mapfile $mode
+ else
+ echo "Could not find map file for policy '$3'."
+ fi
+
+fi
diff -r a86fb4df3bdd -r bf1746842c46 tools/security/updategrub.sh
--- /dev/null Fri Aug 19 12:21:29 2005
+++ b/tools/security/updategrub.sh Fri Aug 19 12:22:27 2005
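Review bot: relabel() writes the new domain configuration through the fixed, predictable names `/tmp/__setlabel.tmp1` and `/tmp/__setlabel.tmp2`, and neither the `touch` nor the `sed ... > $vmtmp1` redirections check who owns what they open, so an unprivileged local user who pre-creates those names (as a symlink, or as a file they own) can make the tool, which is run by whoever administers the domain configs, clobber an arbitrary file or race the content between the last `echo` and the `mv -f` and thereby choose the `ssidref` the domain boots with. The `-w` checks only prove the paths are writable, which is exactly what an attacker-owned file in a world-writable directory is, and `mv -f` from /tmp also replaces the config with a file carrying the temp file's owner and mode rather than the original's. Creating the temporaries with `mktemp` in the config file's own directory closes the symlink/race window and keeps the final `mv` an atomic rename on the same filesystem; the lines below replace the block from `#Write the output` to the final `echo`, while the label lookup and overwrite prompt above it are unchanged. A one-line comment such as `# temp files live next to $vmfile: unpredictable name, same filesystem, so mv is an atomic rename` would document why the directory matters.

```shell
    # … unchanged: SSIDREF/ACM_POLICY lookup and the overwrite prompt …
    #Write the output
    vmdir=$(dirname "$vmfile")
    vmtmp1=$(mktemp "$vmdir/.setlabel.XXXXXX") || \
        { echo "Cannot create temporary files. Aborting."; return 1; }
    vmtmp2=$(mktemp "$vmdir/.setlabel.XXXXXX") || \
        { rm -f "$vmtmp1"; echo "Cannot create temporary files. Aborting."; return 1; }
    sed -e '/^#ACM_POLICY/d' "$vmfile" > "$vmtmp1"
    sed -e '/^#ACM_LABEL/d' "$vmtmp1" > "$vmtmp2"
    sed -e '/^ssidref/d' "$vmtmp2" > "$vmtmp1"
    echo "#ACM_POLICY=$ACM_POLICY" >> "$vmtmp1"
    echo "#ACM_LABEL=$label" >> "$vmtmp1"
    echo "ssidref = $SSIDREF" >> "$vmtmp1"
    chmod --reference="$vmfile" "$vmtmp1"
    mv -f "$vmtmp1" "$vmfile"
    rm -f "$vmtmp2"
    echo "Mapped label '$label' to ssidref '$SSIDREF'."
```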
@@ -0,0 +1,171 @@
+#!/bin/sh
+# *
+# * updategrub
+# *
+# * Copyright (C) 2005 IBM Corporation
+# *
+# * Authors:
+# * Stefan Berger <stefanb@xxxxxxxxxx>
+# *
+# * This program is free software; you can redistribute it and/or
+# * modify it under the terms of the GNU General Public License as
+# * published by the Free Software Foundation, version 2 of the
+# * License.
+# *
+# *
+#
+
+if [ -z "$runbash" ]; then
+ runbash="1"
+ export runbash
+ exec sh -c "bash $0 $*"
+ exit
+fi
+
+
+# Show usage of this program
+usage ()
+{
+ echo "Usage: $0 <policy name> <root of xen repository>"
+ echo ""
+ echo "<policy name> : The name of the policy, i.e. xen_null"
+ echo "<root of xen repository> : The root of the XEN repositrory."
+ echo ""
+}
+
+# This function sets the global variable 'linux'
+# to the name of the linux kernel that was compiled
+# For now a pattern should do the trick
+getLinuxVersion ()
+{
+ path=$1
+ linux=""
+ for f in $path/linux-*-xen0 ; do
+ versionfile=$f/include/linux/version.h
+ if [ -r $versionfile ]; then
+ lnx=`cat $versionfile | \
+ grep UTS_RELEASE | \
+ awk '{ \
+ len=length($3); \
+ print substr($3,2,len-2) }'`
+ fi
+ if [ "$lnx" != "" ]; then
+ linux="[./0-9a-zA-z]*$lnx"
+ return;
+ fi
+ done
+
+ #Last resort.
+ linux="vmlinuz-2.[45678].[0-9]*[.0-9]*-xen0$"
+}
+
+#Return where the grub.conf file is.
+#I only know of one place it can be.
+findGrubConf()
+{
+ grubconf="/boot/grub/grub.conf"
+ if [ -w $grubconf ]; then
+ return 1
+ fi
+ return 0
+}
+
+
+#Update the grub configuration file.
+#Search for existing entries and replace the current
+#policy entry with the policy passed to this script
+#
+#Arguments passed to this function
+# 1st : the grub configuration file
+# 2nd : the binary policy file name
+# 3rd : the name or pattern of the linux kernel name to match
+#
+# The algorithm here is based on pattern matching
+# and is working correctly if
+# - under a title a line beginning with 'kernel' is found
+# whose following item ends with "xen.gz"
+# Example: kernel /xen.gz dom0_mem=....
+# - a module line matching the 3rd parameter is found
+#
+updateGrub ()
+{
+ grubconf=$1
+ policyfile=$2
+ linux=$3
+
+ tmpfile="/tmp/new_grub.conf"
+
+ cat $grubconf | \
+ awk -vpolicy=$policyfile \
+ -vlinux=$linux '{ \
+ if ( $1 == "title" ) { \
+ kernelfound = 0; \
+ if ( policymaycome == 1 ){ \
+ printf ("\tmodule %s%s\n", path, policy); \
+ } \
+ policymaycome = 0; \
+ } \
+ else if ( $1 == "kernel" ) { \
+ if ( match($2,"xen.gz$") ) { \
+ path=substr($2,1,RSTART-1); \
+ kernelfound = 1; \
+ } \
+ } \
+ else if ( $1 == "module" && \
+ kernelfound == 1 && \
+ match($2,linux) ) { \
+ policymaycome = 1; \
+ } \
+ else if ( $1 == "module" && \
+ kernelfound == 1 && \
+ policymaycome == 1 && \
+ match($2,"[0-9a-zA-Z]*.bin$") ) { \
+ printf ("\tmodule %s%s\n", path, policy); \
+ policymaycome = 0; \
+ kernelfound = 0; \
+ dontprint = 1; \
+ } \
+ else if ( $1 == "" && \
+ kernelfound == 1 && \
+ policymaycome == 1) { \
+ dontprint = 1; \
+ } \
+ if (dontprint == 0) { \
+ printf ("%s\n", $0); \
+ } \
+ dontprint = 0; \
+ } END { \
+ if ( policymaycome == 1 ) { \
+ printf ("\tmodule %s%s\n", path, policy); \
+ } \
+ }' > $tmpfile
+ if [ ! -r $tmpfile ]; then
+ echo "Could not create temporary file! Aborting."
+ exit -1
+ fi
+ mv -f $tmpfile $grubconf
+}
+
+if [ "$1" == "" -o "$2" == "" ]; then
+ usage
+ exit -1
+fi
+
+if [ "$1" == "-?" ]; then
+ usage
+ exit 0
+fi
+
+policy=$1
+policyfile=$policy.bin
+
+getLinuxVersion $2
+
+findGrubConf
+ERR=$?
+if [ $ERR -eq 0 ]; then
+ echo "Could not find grub.conf. Aborting."
+ exit -1
+fi
+
+updateGrub $grubconf $policyfile $linux
diff -r a86fb4df3bdd -r bf1746842c46 docs/misc/shype4xen_readme.txt
--- a/docs/misc/shype4xen_readme.txt Fri Aug 19 12:21:29 2005
+++ /dev/null Fri Aug 19 12:22:27 2005
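Review bot: updateGrub() builds the new boot configuration in the fixed path `/tmp/new_grub.conf` and then does `mv -f $tmpfile $grubconf`, and since findGrubConf() only succeeds when /boot/grub/grub.conf is writable this script runs as root, so any local user can pre-create or symlink that name and either have the awk redirection clobber a file of their choosing or rewrite the temp file's contents (they own it) in the window before the `mv`, which puts attacker-chosen `kernel`/`module` lines into grub.conf and decides what boots next. The post-hoc `[ ! -r $tmpfile ]` test cannot detect any of this, and moving a file out of /tmp also gives grub.conf the temp file's mode instead of the original's. Replacing the assignment with `tmpfile=$(mktemp "${grubconf}.XXXXXX") || { echo "Could not create temporary file! Aborting."; exit 1; }` and quoting `> "$tmpfile"` and `mv -f "$tmpfile" "$grubconf"` removes the predictable name, keeps the rename atomic on the same filesystem, and makes the readability check redundant. Separately, `match($2,linux)` treats the value from getLinuxVersion() as a regular expression, and its character class `[./0-9a-zA-z]` looks like a typo for `A-Z` (the `A-z` range also admits `[`, `\`, `]`, `^`, `_` and backtick), which is worth a comment or a fix since it decides which `module` line the policy is inserted after.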
@@ -1,588 +0,0 @@ -Copyright: IBM Corporation (C) -20 June 2005 -Author: Reiner Sailer - -This document is a very short introduction into the sHype access control -security architecture implementation and how it is perceived by users. It -is a very preliminary draft for the courageous ones to get "their feet wet" -and to be able to give feedback (via the xen-devel/xense-devel mailing lists). - -Install: - -cd into xeno-unstable.bk -(use --dry-run option if you want to test the patch only) -patch -p1 -g0 < *tools.diff -patch -p1 -g0 < *xen.diff - -(no rejects, probably some line offsets) - -make uninstall; make mrproper; make; ./install.sh should install the default -sHype into Xen (rebuild your initrd images if necessary). Reboot. - -Debug output: there are two triggers for debug output: -a) General sHype debug: - xeno-unstable.bk/xen/include/public/acm.h - undefine ACM_DEBUG to switch this debug off - -b) sHype enforcement hook trace: This prints a small trace for each enforcement -hook that is executed. The trigger is in - xeno-unstable.bk/xen/include/acm/acm_hooks.h - undefine ACM_TRACE_MODE to switch this debug off - -1. The default NULL policy -*************************** -When you apply the patches and startup xen, you should at first not notice any -difference because the default policy is the "NULL" policy, which as the name -implies does not enforce anything. - -To display the currently enforced policy, use the policy tool under xeno- -unstable.bk/tools/policy: policy_tool getpolicy. You should see output like the -one below. - -[root@laptop policy]#./policy_tool getpolicy - -Policy dump: -============ -Magic = 1debc. -PolVer = aaaa0000. -Len = 14. -Primary = NULL policy (c=0, off=14). -Secondary = NULL policy (c=0, off=14). -No primary policy (NULL). -No secondary policy (NULL). - -Policy dump End. - -Since this is a dump of a binary policy, it's not pretty. The important parts -are the "Primary" and "Secondary" policy fields set to "NULL policy". 
sHype -currently allows to set two independent policies; thus the two SSID-REF parts -shown in 'xm list'. Right here: primary policy only means this policy is -checked first, the secondary policy is checked if the primary results in -"permitted access". The result of the combined policy is "permitted" if both -policies return permitted (NULL policy always returns permitted). The result is -"denied" if at least one of the policies returns "denied". Look into xeno- -unstable.bk/xen/include/acm/acm_hooks.h for the general hook structure -integrating the policy decisions (if you like, you won't need it for the rest -of the Readme file). - -2. Setting Chinese Wall and Simple Type Enforcement policies: -************************************************************* - -We'll get fast to the point. However, in order to understand what we are doing, -we must at least understand the purpose of the policies that we are going to -enforce. The two policies presented here are just examples and the -implementation encourages adding new policies easily. - -2.1. Chinese Wall policy: "decides whether a domain can be started based on -this domain's ssidref and the ssidrefs of the currently running domains". -Generally, the Chinese wall policy allows specifying certain types (or classes -or categories, whatever the preferred word) that conflict; we usually assign a -type to a workload and the set of types of those workloads running in a domain -make up the type set for this domain. Each domain is assigned a set of types -through its SSID-REF (we register Chinese Wall as primary policy, so the -ssidref used for determining the Chinese Wall types is the one annotated with -"p:" in xm list) since each SSID-REF points at a set of types. We'll see how -SSIDREFs are represented in Xen later when we will look at the policy. (A good -read for Chinese Wall is: Brewer/Nash The Chinese Wall Security Policy 1989.) 
- -So let's assume the Chinese Wall policy we are running distinguishes 10 types: -t0 ... t9. Let us assume further that each SSID-REF points to a set that -includes exactly one type (attached to domains that run workloads of a single -type). SSID-REF 0 points to {t0}, ssidref 1 points to {t1} ... 9 points to -{t9}. [This is actually the example policy we are going to push into xen later] - -Now the Chinese Wall policy allows you to define "Conflict type sets" and it -guarantees that of any conflict set at most one type is "running" at any time. -As an example, we have defined 2 conflict set: {t2, t3} and {t0, t5, t6}. -Specifying these conflict sets, sHype ensures that at most one type of each set -is running (either t2 or t3 but not both; either t0 or t5 or t6 but not -multiple of them). - -The effect is that administrators can define which workload types cannot run -simultaneously on a single Xen system. This is useful to limit the covert -timing channels between such payloads or to ensure that payloads don't -interfere with each other through existing resource dependencies. - -2.2. Simple Type Enforcement (ste) policy: "decides whether two domains can -share data, e.g., setup event channels or grant tables to each other, based on -the two domains' ssidref. This, as the name says, is a simple policy. Think of -each type as of a single color. Each domain has one or more colors, i.e., the -domains ssid for the ste policy points to a set that has set one or multiple -types. Let us assume in our example policy we differentiate 5 colors (types) -and define 5 different ssids referenced by ssidref=0..4. Each ssid shall have -exactly one type set, i.e., describes a uni-color. Only ssid(0) has all types -set, i.e., has all defined colors. - -Sharing is enforced by the ste policy by requiring that two domains that want -to establish an event channel or grant pages to each other must have a common -color. 
Currently all domains communicate through DOM0 by default; i.e., Domain0 -will necessarily have all colors to be able to create domains (thus, we will -assign ssidref(0) to Domain0 in our example below. - -More complex mandatory access control policies governing sharing will follow; -such policies are more sophisticated than the "color" scheme above by allowing -more flexible (and complex :_) access control decisions than "share a color" or -"don't share a color" and will be able to express finer-grained policies. - - -2.3 Binary Policy: -In the future, we will have a policy tool that takes as input a more humane -policy description, using types such as development, home-banking, donated- -Grid, CorpA-Payload ... and translates the respective policy into what we see -today as the binary policy using 1s and 0s and sets of them. For now, we must -live with the binary policy when working with sHype. - - -2.4 Exemplary use of a real sHype policy on Xen. To activate a real policy, -edit the file (yes, this will soon be a compile option): - xeno-unstable.bk/xen/include/public/acm.h - Change: #define ACM_USE_SECURITY_POLICY ACM_NULL_POLICY - To : #define ACM_USE_SECURITY_POLICY ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY - cd xeno-unstable.bk - make mrproper - make uninstall (manually remove /etc/xen.old if necessary) - make - ./install.sh (recreate your kernel initrd's if necessary) - Reboot into new xen.gz - -After booting, check out 'xm dmesg'; should show somewhere in the middle: - -(XEN) acm_init: Enforcing Primary CHINESE WALL policy, Secondary SIMPLE TYPE -ENFORCEMENT policy. - -Even though you can activate those policies in any combination and also -independently, the policy tool currently only supports setting the policy for -the above combination. 
- -Now look at the minimal startup policy with: - xeno-unstable.bk/tools/policytool getpolicy - -You should see something like: - -[root@laptop policy]# ./policy_tool getpolicy - -Policy dump: -============ -Magic = 1debc. -PolVer = aaaa0000. -Len = 36. -Primary = CHINESE WALL policy (c=1, off=14). -Secondary = SIMPLE TYPE ENFORCEMENT policy (c=2, off=2c). - - -Chinese Wall policy: -==================== -Max Types = 1. -Max Ssidrefs = 1. -Max ConfSets = 1. -Ssidrefs Off = 10. -Conflicts Off = 12. -Runing T. Off = 14. -C. Agg. Off = 16. - -SSID To CHWALL-Type matrix: - - ssidref 0: 00 - -Confict Sets: - - c-set 0: 00 - -Running -Types: 00 - -Conflict -Aggregate Set: 00 - - -Simple Type Enforcement policy: -=============================== -Max Types = 1. -Max Ssidrefs = 1. -Ssidrefs Off = 8. - -SSID To STE-Type matrix: - - ssidref 0: 01 - - -Policy dump End. - -This is a minimal policy (of little use), except it will disable starting any -domain that does not have ssidref set to 0x0. The Chinese Wall policy has -nothing to enforce and the ste policy only knows one type, which is set for the -only defined ssidref. - -The item that defines the ssidref in a domain configuration is: - -ssidref = 0x12345678 - -Where ssidref is interpreted as a 32bit number, where the lower 16bits become -the ssidref for the primary policy and the higher 16bits become the ssidref for -the secondary policy. sHype currently supports two policies but this is an -implementation decision and can be extended if necessary. - -This reference defines the security information of a domain. The meaning of the -SSID-REF depends on the policy, so we explain it when we explain the real -policies. - - -Setting a new Security Policy: -****************************** -The policy tool with all its current limitations has one usable example policy -compiled-in. 
Please try at this time to use the setpolicy command: - xeno-unstable.bk/tools/policy/policy_tool setpolicy - -You should see a dump of the policy you are setting. It should say at the very -end: - -Policy successfully set. - -Now try to dump the currently enforced policy, which is the policy we have just -set and the dynamic security state information of this policy -(<<< ... some additional explanations) - -[root@laptop policy]# ./policy_tool getpolicy - -Policy dump: -============ -Magic = 1debc. -PolVer = aaaa0000. -Len = 112. -Primary = CHINESE WALL policy (c=1, off=14). -Secondary = SIMPLE TYPE ENFORCEMENT policy (c=2, off=d8). - - -Chinese Wall policy: -==================== -Max Types = a. -Max Ssidrefs = 5. -Max ConfSets = 2. -Ssidrefs Off = 10. -Conflicts Off = 74. -Runing T. Off = 9c. -C. Agg. Off = b0. - -SSID To CHWALL-Type matrix: - - ssidref 0: 01 00 00 00 00 00 00 00 00 00 <<< type0 is set for ssidref0 - ssidref 1: 00 01 00 00 00 00 00 00 00 00 - ssidref 2: 00 00 01 00 00 00 00 00 00 00 - ssidref 3: 00 00 00 01 00 00 00 00 00 00 - ssidref 4: 00 00 00 00 01 00 00 00 00 00 <<< type4 is set for ssidref4 - <<< types 5-9 are unused -Confict Sets: - - c-set 0: 00 00 01 01 00 00 00 00 00 00 <<< type2 and type3 never run together - c-set 1: 01 00 00 00 00 01 01 00 00 00 <<< only one of types 0, 5 or 6 - <<< can run simultaneously -Running -Types: 01 00 00 00 00 00 00 00 00 00 <<< ref-count for types of running domains - -Conflict -Aggregate Set: 00 00 00 00 00 01 01 00 00 00 <<< aggregated set of types that - <<< cannot run because they - <<< are in conflict set 1 and - <<< (domain 0 is running w t0) - - -Simple Type Enforcement policy: -=============================== -Max Types = 5. -Max Ssidrefs = 5. -Ssidrefs Off = 8. - -SSID To STE-Type matrix: - - ssidref 0: 01 01 01 01 01 <<< ssidref0 points to a set that - <<< has all types set (colors) - ssidref 1: 00 01 00 00 00 <<< ssidref1 has color1 set - ssidref 2: 00 00 01 00 00 <<< ... 
- ssidref 3: 00 00 00 01 00 - ssidref 4: 00 00 00 00 01 - - -Policy dump End. - - -This is a small example policy with which we will demonstrate the enforcement. - -Starting Domains with policy enforcement -======================================== -Now let us play with this policy. - -Define 3 or 4 domain configurations. I use the following config using a ramdisk -only and about 8MBytes of memory for each DomU (test purposes): - -#-------configuration xmsec1------------------------- -kernel = "/boot/vmlinuz-2.6.11-xenU" -ramdisk="/boot/U1_ramdisk.img" -#security reference identifier -ssidref= 0x00010001 -memory = 10 -name = "xmsec1" -cpu = -1 # leave to Xen to pick -# Number of network interfaces. Default is 1. -nics=1 -dhcp="dhcp" -#----------------------------------------------------- - -xmsec2 and xmsec3 look the same except for the name and the ssidref line. Use -your domain config file and add "ssidref = 0x00010001" to the first (xmsec1), -"ssidref= 0x00020002" to the second (call it xmsec2), and "ssidref=0x00030003" -to the third (we will call this one xmsec3). - -First start xmsec1: xm create -c xmsec1 (succeeds) - -Then -[root@laptop policy]# xm list -Name Id Mem(MB) CPU State Time(s) Console -Domain-0 0 620 0 r---- 42.3 s:00/p:00 -xmnosec 1 9 0 -b--- 0.3 9601 s:00/p:05 -xmsec1 2 9 0 -b--- 0.2 9602 s:01/p:01 - -Shows a new domain xmsec1 running with primary (here: chinese wall) ssidref 1 -and secondary (here: simple type enforcement) ssidref 1. The ssidrefs are -independent and can differ for a domain. - -[root@laptop policy]# ./policy_tool getpolicy - -Policy dump: -============ -Magic = 1debc. -PolVer = aaaa0000. -Len = 112. -Primary = CHINESE WALL policy (c=1, off=14). -Secondary = SIMPLE TYPE ENFORCEMENT policy (c=2, off=d8). - - -Chinese Wall policy: -==================== -Max Types = a. -Max Ssidrefs = 5. -Max ConfSets = 2. -Ssidrefs Off = 10. -Conflicts Off = 74. -Runing T. Off = 9c. -C. Agg. Off = b0. 
- -SSID To CHWALL-Type matrix: - - ssidref 0: 01 00 00 00 00 00 00 00 00 00 - ssidref 1: 00 01 00 00 00 00 00 00 00 00 - ssidref 2: 00 00 01 00 00 00 00 00 00 00 - ssidref 3: 00 00 00 01 00 00 00 00 00 00 - ssidref 4: 00 00 00 00 01 00 00 00 00 00 - -Confict Sets: - - c-set 0: 00 00 01 01 00 00 00 00 00 00 - c-set 1: 01 00 00 00 00 01 01 00 00 00 <<< t1 is not part of any c-set - -Running -Types: 01 01 00 00 00 00 00 00 00 00 <<< xmsec1 has ssidref 1->type1 - ^^ <<< ref-count at position 1 incr -Conflict -Aggregate Set: 00 00 00 00 00 01 01 00 00 00 <<< domain 1 was allowed to - <<< start since type 1 was not - <<< in conflict with running - <<< types - -Simple Type Enforcement policy: -=============================== -Max Types = 5. -Max Ssidrefs = 5. -Ssidrefs Off = 8. - -SSID To STE-Type matrix: - - ssidref 0: 01 01 01 01 01 <<< the ste policy does not maintain; we - ssidref 1: 00 01 00 00 00 <-- <<< see that domain xmsec1 has ste - ssidref 2: 00 00 01 00 00 <<< ssidref1->type1 and has this type in - ssidref 3: 00 00 00 01 00 <<< common with dom0 - ssidref 4: 00 00 00 00 01 - - -Policy dump End. - -Look at sHype output in xen dmesg: - -[root@laptop xen]# xm dmesg -. -. -[somewhere near the very end] -(XEN) chwall_init_domain_ssid: determined chwall_ssidref to 1. -(XEN) ste_init_domain_ssid. -(XEN) ste_init_domain_ssid: determined ste_ssidref to 1. -(XEN) acm_init_domain_ssid: Instantiated individual ssid for domain 0x01. -(XEN) chwall_post_domain_create. -(XEN) ste_pre_eventchannel_interdomain. -(XEN) ste_pre_eventchannel_interdomain: (evtchn 0 --> 1) common type #01. -(XEN) shype_authorize_domops. -(XEN) ste_pre_eventchannel_interdomain. -(XEN) ste_pre_eventchannel_interdomain: (evtchn 0 --> 1) common type #01. -(XEN) ste_pre_eventchannel_interdomain. -(XEN) ste_pre_eventchannel_interdomain: (evtchn 0 --> 1) common type #01. 
- - -You can see that the chinese wall policy does not complain and that the ste -policy makes three access control decisions for three event-channels setup -between domain 0 and the new domain 1. Each time, the two domains share the -type1 and setting up the eventchannel is permitted. - - -Starting up a second domain xmsec2: - -[root@laptop xen]# xm create -c xmsec2 -Using config file "xmsec2". -Started domain xmsec2, console on port 9602 -************ REMOTE CONSOLE: CTRL-] TO QUIT ******** -Linux version 2.6.11-xenU (root@xxxxxxxxxxxxxxx) (gcc version 3.4.2 20041017 -(Red Hat 3.4.2-6.fc3)) #1 Wed Mar 30 13:14:31 EST 2005 -. -. -. -[root@laptop policy]# xm list -Name Id Mem(MB) CPU State Time(s) Console -Domain-0 0 620 0 r---- 71.7 s:00/p:00 -xmsec1 1 9 0 -b--- 0.3 9601 s:01/p:01 -xmsec2 2 7 0 -b--- 0.3 9602 s:02/p:02 << our domain runs both policies with ssidref 2 - - -[root@laptop policy]# ./policy_tool getpolicy - -Policy dump: -============ -Magic = 1debc. -PolVer = aaaa0000. -Len = 112. -Primary = CHINESE WALL policy (c=1, off=14). -Secondary = SIMPLE TYPE ENFORCEMENT policy (c=2, off=d8). - - -Chinese Wall policy: -==================== -Max Types = a. -Max Ssidrefs = 5. -Max ConfSets = 2. -Ssidrefs Off = 10. -Conflicts Off = 74. -Runing T. Off = 9c. -C. Agg. Off = b0. 
- -SSID To CHWALL-Type matrix: - - ssidref 0: 01 00 00 00 00 00 00 00 00 00 - ssidref 1: 00 01 00 00 00 00 00 00 00 00 - ssidref 2: 00 00 01 00 00 00 00 00 00 00 <<< our domain has type 2 set - ssidref 3: 00 00 00 01 00 00 00 00 00 00 - ssidref 4: 00 00 00 00 01 00 00 00 00 00 - -Confict Sets: - - c-set 0: 00 00 01 01 00 00 00 00 00 00 <<< t2 is in c-set0 with type 3 - c-set 1: 01 00 00 00 00 01 01 00 00 00 - -Running -Types: 01 01 01 00 00 00 00 00 00 00 <<< t2 is running since the - ^^ <<< current aggregate conflict - <<< set (see above) does not - <<< include type 2 -Conflict -Aggregate Set: 00 00 00 01 00 01 01 00 00 00 <<< type 3 is added to the - <<< conflict aggregate - - -Simple Type Enforcement policy: -=============================== -Max Types = 5. -Max Ssidrefs = 5. -Ssidrefs Off = 8. - -SSID To STE-Type matrix: - - ssidref 0: 01 01 01 01 01 - ssidref 1: 00 01 00 00 00 - ssidref 2: 00 00 01 00 00 - ssidref 3: 00 00 00 01 00 - ssidref 4: 00 00 00 00 01 - - -Policy dump End. - - -The sHype xen dmesg output looks similar to the one above when starting the -first domain. - -Now we start xmsec3 and it has ssidref3. Thus, it tries to run as type3 which -conflicts with running type2 (from xmsec2). As expected, creating this domain -fails for security policy enforcement reasons. - -[root@laptop xen]# xm create -c xmsec3 -Using config file "xmsec3". -Error: Error creating domain: (22, 'Invalid argument') -[root@laptop xen]# - -[root@laptop xen]# xm dmesg -. -. -[somewhere near the very end] -(XEN) chwall_pre_domain_create. -(XEN) chwall_pre_domain_create: CHINESE WALL CONFLICT in type 03. - -xmsec3 ssidref3 points to type3, which is in the current conflict aggregate -set. This domain cannot start until domain xmsec2 is destroyed, at which time -the aggregate conflict set is reduced and type3 is excluded from it. Then, -xmsec3 can start. Of course, afterwards, xmsec2 cannot be restarted. Try it. - -3. 
Policy tool -************** -toos/policy/policy_tool.c - -a) ./policy_tool getpolicy - prints the currently enforced policy - (see for example section 1.) - -b) ./policy_tool setpolicy - sets a predefined and hardcoded security - policy (the one described in section 2.) - -c) ./policy_tool dumpstats - prints some status information about the caching - of access control decisions (number of cache hits - and number of policy evaluations for grant_table - and event channels). - -d) ./policy_tool loadpolicy <binary_policy_file> - sets the policy defined in the <binary_policy_file> - please use the policy_processor that is posted to this - mailing list to create such a binary policy from an XML - policy description - -4. Policy interface: -******************** -The Policy interface is working in "network-byte-order" (big endian). The reason for this -is that policy files/management should be portable and independent of the platforms. - -Our policy interface enables managers to create a single binary policy file in a trusted -environment and distributed it to multiple systems for enforcement. - -5. Booting with a binary policy: -******************************** -The grub configuration file can be adapted to boot the hypervisor with an -already active policy. To do this, a binary policy file - this can be -the same file as used by the policy_tool - should be placed into the boot -partition. The following entry from the grub configuration file shows how -a binary policy can be added to the system during boot time. Note that the -binary policy must be of the same type that the hypervisor was compiled -for. The policy module line should also only be added as the last module -line if XEN was compiled with the access control module (ACM). 
-
-title XEN0 3.0 Devel
- kernel /xen.gz dom0_mem=400000
- module /vmlinuz-2.6.12-xen0 root=/dev/hda2 ro console=tty0
- module /initrd-2.6.12-xen0.img
- module /xen_sample_policy.bin
-
- ====================end-of file=======================================
diff -r a86fb4df3bdd -r bf1746842c46 tools/misc/policyprocessor/Makefile
--- a/tools/misc/policyprocessor/Makefile Fri Aug 19 12:21:29 2005
+++ /dev/null Fri Aug 19 12:22:27 2005
@@ -1,42 +0,0 @@
-XEN_ROOT = ../../..
-include $(XEN_ROOT)/tools/Rules.mk
-
-CFLAGS += -static
-CFLAGS += -Wall
-CFLAGS += -Werror
-CFLAGS += -O3
-CFLAGS += -fno-strict-aliasing
-CFLAGS += -I.
-
-all: build
-
-build: mk-symlinks
- $(MAKE) xml_to_bin
-
-default: all
-
-install: all
-
-xml_to_bin : make_include XmlToBin.java XmlToBinInterface.java SsidsEntry.java SecurityLabel.java myHandler.java
- javac XmlToBin.java
-
-make_include : c2j_include
- ./c2j_include
-
-c2j_include: c2j_include.c
- $(CC) $(CPPFLAGS) $(CFLAGS) -o $@ $<
-
-clean:
- rm -rf *.class xen c2j_include policy_version.java *.bin
-
-
-LINUX_ROOT := $(XEN_ROOT)/linux-2.6-xen-sparse
-mk-symlinks:
- [ -e xen/linux ] || mkdir -p xen/linux
- [ -e xen/io ] || mkdir -p xen/io
- ( cd xen >/dev/null ; \
- ln -sf ../$(XEN_ROOT)/xen/include/public/*.h . )
- ( cd xen/io >/dev/null ; \
- ln -sf ../../$(XEN_ROOT)/xen/include/public/io/*.h . )
- ( cd xen/linux >/dev/null ; \
- ln -sf ../../$(LINUX_ROOT)/include/asm-xen/linux-public/*.h . )
diff -r a86fb4df3bdd -r bf1746842c46 tools/misc/policyprocessor/SecurityLabel.java
--- a/tools/misc/policyprocessor/SecurityLabel.java Fri Aug 19 12:21:29 2005
+++ /dev/null Fri Aug 19 12:22:27 2005
@@ -1,34 +0,0 @@
-/**
- * (C) Copyright IBM Corp. 2005
- *
- * $Id: SecurityLabel.java,v 1.2 2005/06/17 20:00:04 rvaldez Exp $
- *
- * Author: Ray Valdez
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License as
- * published by the Free Software Foundation, version 2 of the
- * License.
- *
- * SecurityLabel Class.
- *
- * <p>
- *
- * Keeps track of types.
- *
- * <p>
- *
- *
- */
-import java.util.*;
-public class SecurityLabel
-{
- Vector ids;
- Vector vlans;
- Vector slots;
- Vector steTypes;
- int steSsidPosition;
- Vector chwIDs;
- Vector chwTypes;
- int chwSsidPosition;
-}
diff -r a86fb4df3bdd -r bf1746842c46 tools/misc/policyprocessor/SecurityPolicySpec.xsd
--- a/tools/misc/policyprocessor/SecurityPolicySpec.xsd Fri Aug 19 12:21:29 2005
+++ /dev/null Fri Aug 19 12:22:27 2005
@@ -1,115 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!-- Author: Ray Valdez, rvaldez@xxxxxxxxxx --> -<!-- xml schema definition for xen xml policies --> -<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" -targetNamespace="http://www.ibm.com" -xmlns="http://www.ibm.com" -elementFormDefault="qualified"> - -<xsd:element name="TE" type="xsd:string" /> -<xsd:element name="ChWall" type="xsd:string" /> - -<xsd:element name="Definition"> - <xsd:complexType> - <xsd:sequence> - - <!-- simple type enforcement --> - <xsd:element name="Types" minOccurs ="0" maxOccurs="1"> - <xsd:complexType> - <xsd:sequence> - <xsd:element ref="TE" minOccurs ="1" maxOccurs ="unbounded"/> - </xsd:sequence> - </xsd:complexType> - </xsd:element> - - <!-- chinese wall --> - <!-- type definition --> - <xsd:element name="ChWallTypes" minOccurs ="0" maxOccurs="1"> - <xsd:complexType> - <xsd:sequence> - <xsd:element ref="ChWall" minOccurs ="1" maxOccurs ="unbounded"/> - - </xsd:sequence> - </xsd:complexType> - </xsd:element> - - <!-- conflict set --> - <xsd:element name="ConflictSet" minOccurs ="0" maxOccurs="unbounded"> - <xsd:complexType> - <xsd:sequence> - <xsd:element ref="ChWall" minOccurs ="2" maxOccurs ="unbounded"/> - </xsd:sequence> - </xsd:complexType> - </xsd:element> - - </xsd:sequence> - </xsd:complexType> -</xsd:element> - -<xsd:element name="Policy"> - <xsd:complexType> - <xsd:sequence> - - <xsd:element name="PolicyHeader"> - <xsd:complexType> - <xsd:all> - <xsd:element name = "Name" type="xsd:string"/> - <xsd:element name = "DateTime" type="xsd:dateTime"/> - <xsd:element name = "Tag" minOccurs ="1" maxOccurs ="1" type="xsd:string"/> - <xsd:element name = "TypeDefinition"> - <xsd:complexType> - <xsd:all> - <xsd:element name = "url" type="xsd:string"/> - <xsd:element name = "hash" minOccurs ="0" maxOccurs ="1" type="xsd:string"/> - </xsd:all> - </xsd:complexType> - </xsd:element> - - </xsd:all> - </xsd:complexType> - </xsd:element> - - <xsd:element name="VM" minOccurs ="1" 
maxOccurs="unbounded"> - <xsd:complexType> - <xsd:sequence> - <xsd:element name="id" type="xsd:integer"/> - <xsd:element ref="TE" minOccurs="0" maxOccurs="unbounded" /> - <xsd:element ref="ChWall" minOccurs ="0" maxOccurs="unbounded"/> - </xsd:sequence> - </xsd:complexType> - </xsd:element> - - <xsd:element name="Vlan" minOccurs ="0" maxOccurs="unbounded"> - <xsd:complexType> - <xsd:sequence> - <xsd:element name="vid" type="xsd:integer"/> - <xsd:element ref="TE" minOccurs="1" maxOccurs="unbounded" /> - </xsd:sequence> - </xsd:complexType> - </xsd:element> - - <xsd:element name="Slot" minOccurs ="0" maxOccurs="unbounded"> - <xsd:complexType> - <xsd:sequence> - <xsd:element name="bus" type="xsd:integer"/> - <xsd:element name="slot" type="xsd:integer"/> - <xsd:element ref="TE" minOccurs="1" maxOccurs="unbounded" /> - </xsd:sequence> - </xsd:complexType> - </xsd:element> - - - </xsd:sequence> - </xsd:complexType> -</xsd:element> - -<!-- root element --> -<xsd:element name="SecurityPolicySpec"> - <xsd:complexType> - <xsd:choice> - <xsd:element ref="Definition" minOccurs ="1" maxOccurs="unbounded"/> - <xsd:element ref="Policy" minOccurs ="1" maxOccurs="unbounded"/> - </xsd:choice> - </xsd:complexType> -</xsd:element> -</xsd:schema> diff -r a86fb4df3bdd -r bf1746842c46 tools/misc/policyprocessor/SsidsEntry.java --- a/tools/misc/policyprocessor/SsidsEntry.java Fri Aug 19 12:21:29 2005 +++ /dev/null Fri Aug 19 12:22:27 2005 
@@ -1,29 +0,0 @@
-/**
- * (C) Copyright IBM Corp. 2005
- *
- * $Id: SsidsEntry.java,v 1.2 2005/06/17 20:02:40 rvaldez Exp $
- *
- * Author: Ray Valdez
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License as
- * published by the Free Software Foundation, version 2 of the
- * License.
- *
- * SsidsEntry Class.
- * <p>
- *
- * Holds ssid information.
- *
- * <p>
- *
- *
- */
-public class SsidsEntry
- {
- int id; /* used for partition and vlan */
- int bus; /* used for slots */
- int slot;
- int ste = 0xffffffff;
- int chw = 0xffffffff;
- }
diff -r a86fb4df3bdd -r bf1746842c46 tools/misc/policyprocessor/XmlToBin.java
--- a/tools/misc/policyprocessor/XmlToBin.java Fri Aug 19 12:21:29 2005
+++ /dev/null Fri Aug 19 12:22:27 2005
@@ -1,1570 +0,0 @@ -/** - * (C) Copyright IBM Corp. 2005 - * - * $Id: XmlToBin.java,v 1.3 2005/06/20 21:07:37 rvaldez Exp $ - * - * Author: Ray Valdez - * - * Contributors: - * Reiner Sailer - adjust type-lengths - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License as - * published by the Free Software Foundation, version 2 of the - * License. - * - * XmlToBin Class. - * <p> - * - * Translates a xml representation of a SHYPE policy into a binary - * format. The class processes an xml policy file based on elment tags - * defined in a schema definition files: SecurityPolicySpec.xsd. - * - * XmlToBin Command line Options: - * - * -i inputFile: name of policyfile (.xml) - * -o outputFile: name of binary policy file (Big Endian) - * -xssid SsidFile: xen ssids to types text file - * -xssidconf SsidConf: xen conflict ssids to types text file - * -debug turn on debug messages - * -help help. This printout - * - * <p> - * - * - */ -import java.util.*; -import java.io.*; -import java.io.IOException; -import java.io.FileNotFoundException; -import org.w3c.dom.Document; -import org.w3c.dom.Element; -import org.w3c.dom.Node; -import org.w3c.dom.Attr; -import org.w3c.dom.NodeList; -import org.w3c.dom.NamedNodeMap; -import org.xml.sax.*; -import javax.xml.parsers.*; -import org.xml.sax.helpers.*; - -public class XmlToBin - implements XmlToBinInterface -{ - class SlotInfo { - String bus; - String slot; - } - - boolean LittleEndian = false; - boolean debug = false; - - static final String JAXP_SCHEMA_LANGUAGE = "http://java.sun.com/xml/jaxp/properties/schemaLanguage"; - - static final String W3C_XML_SCHEMA = "http://www.w3.org/2001/XMLSchema"; - - public static void printUsage() - { - System.out.println("XmlToBin Command line Options: "); - System.out.println("\t-i\t\tinputFile:\tname of policyfile (.xml)"); - System.out.println("\t-o\t\toutputFile:\tname of binary policy file (Big Endian)"); - 
System.out.println("\t-xssid\t\tSsidFile:\tXen ssids to named types text file"); - System.out.println("\t-xssidconf\tSsidConfFile:\tXen conflict ssids to named types text file"); - System.out.println("\t-debug\t\t\t\tturn on debug messages"); - System.out.println("\t-help\t\t\t\thelp. This printout"); - return; - } - - public void printDebug(String message) - { - if (debug) - System.out.println(message); - } - - public void writeBinPolicy(byte[] binPolicy, String outputFileName) - throws Exception - { - if (debug) - printHex(binPolicy,binPolicy.length); - - DataOutputStream writeObj = new DataOutputStream( - new FileOutputStream(outputFileName)); - - writeObj.write(binPolicy); - writeObj.flush(); - writeObj.close(); - System.out.println(" wBP:: wrote outputfile: " + outputFileName); - - return; - } - - public void writeXenTypeVectorFile(Vector list, String outputFileName) - throws Exception - { - PrintWriter out; - - if (0 == list.size()) - { - printDebug(" wSTF : size of input is zero when writing :" + outputFileName); - return; - } - out = new PrintWriter( - new BufferedWriter( - new FileWriter(outputFileName))); - - - for (int i = 0; i < list.size(); i++) - { - Vector ee = (Vector) list.elementAt(i); - out.println(i + " " +ee.toString()); - } - out.close(); - - return; - } - - public void writeXenTypeFile(Vector list, String outputFileName, boolean slabel) - throws Exception - { - Vector entry; - String strTypes = ""; - SecurityLabel ee; - PrintWriter out; - - if (0 == list.size()) - { - printDebug(" wSTF : size of input is zero when writing :" + outputFileName); - return; - } - out = new PrintWriter( - new BufferedWriter( - new FileWriter(outputFileName))); - - for (int i = 0; i < list.size(); i++) - { - ee = (SecurityLabel) list.elementAt(i); - - if (slabel) - { - entry = ee.steTypes; - } else { - - entry = ee.chwTypes; - } - if (null == entry) continue; - - Enumeration e = entry.elements(); - while (e.hasMoreElements()) - { - String typeName = (String) 
e.nextElement(); - strTypes = strTypes + " " + typeName; - } - printDebug(" WXTF:: ssid : "+i +" :"+strTypes); - out.println(i +" "+strTypes); - strTypes = ""; - } - out.close(); - - return; - } - - public void setDebug(boolean value) - { - debug=value; - } - - public void setEndian(boolean value) - { - LittleEndian = value; - } - - public byte[] generateVlanSsids(Vector bagOfSsids) - throws Exception - { - /** - typedef struct { - u16 vlan; - u16 ssid_ste; - } acm_vlan_entry_t; - **/ - - Hashtable vlanSsid = new Hashtable(); - printDebug(" gVS::Size of bagOfSsids: "+ bagOfSsids.size()); - - /* Get the number of partitions */ - for (int i = 0; i < bagOfSsids.size(); i++) - { - SecurityLabel entry = (SecurityLabel) bagOfSsids.elementAt(i); - - if (null == entry.vlans) - continue; - - Enumeration e = entry.vlans.elements(); - while (e.hasMoreElements()) - { - String id = (String) e.nextElement(); - printDebug(" gVS:: vlan: " + id + "has ste ssid: " + entry.steSsidPosition); - if (-1 == entry.steSsidPosition) - continue; - - /* Only use ste for vlan */ - SsidsEntry ssidsObj = new SsidsEntry(); - - ssidsObj.id = Integer.parseInt(id); - ssidsObj.ste = entry.steSsidPosition; - - if (vlanSsid.contains(id)) - printDebug(" gVS:: Error already in the Hash part:" + ssidsObj.id); - else - vlanSsid.put(id, ssidsObj); - printDebug(" gVS:: added part: " + id + "has ste ssid: " + entry.steSsidPosition); - } - } - - /* allocate array */ - int numOfVlan = vlanSsid.size(); - int totalSize = (numOfVlan * vlanEntrySz); - - if (0 == numOfVlan) - { - printDebug(" gVS:: vlan: binary ==> zero"); - return new byte[0]; - } - - byte[] vlanArray = new byte[totalSize]; - - int index = 0; - - Enumeration e = vlanSsid.elements(); - while (e.hasMoreElements()) - { - SsidsEntry entry = (SsidsEntry) e.nextElement(); - printDebug(" gVS:: part: " + entry.id + " ste ssid: " + entry.ste); - - /* Write id */ - writeShortToStream(vlanArray,(short)entry.id,index); - index = index + u16Size; - - /* write 
ste ssid */ - writeShortToStream(vlanArray,(short) entry.ste,index); - index = index + u16Size; - } - - printDebug(" gVS:: vlan: num of vlans " + numOfVlan); - printDebug(" gVS:: vlan: binary ==> Length "+ vlanArray.length); - - if (debug) - printHex(vlanArray,vlanArray.length); - printDebug("\n"); - - return vlanArray; - } - - public byte[] generateSlotSsids(Vector bagOfSsids) - throws Exception - { - /** - typedef struct { - u16 slot_max; - u16 slot_offset; - } acm_slot_buffer_t; - - typedef struct { - u16 bus; - u16 slot; - u16 ssid_ste; - } acm_slot_entry_t; - **/ - Hashtable slotSsid = new Hashtable(); - printDebug(" gSS::Size of bagOfSsids: "+ bagOfSsids.size()); - - /* Find the number of VMs */ - for (int i = 0; i < bagOfSsids.size(); i++) - { - SecurityLabel entry = (SecurityLabel) bagOfSsids.elementAt(i); - - if (null == entry.slots) - continue; - - Enumeration e = entry.slots.elements(); - while (e.hasMoreElements()) - { - SlotInfo item = (SlotInfo) e.nextElement(); - printDebug(" gSS:: bus slot: " + item.bus + " "+ item.slot + " " + entry.steSsidPosition); - if (-1 == entry.steSsidPosition) - continue; - - SsidsEntry ssidsObj = new SsidsEntry(); - - String id = item.bus +" "+item.slot; - ssidsObj.bus = Integer.parseInt(item.bus); - ssidsObj.slot = Integer.parseInt(item.slot); - /* set ste ssid */ - ssidsObj.ste = entry.steSsidPosition; - - if (slotSsid.contains(id)) - printDebug(" gSS:: Error already in the Hash part:" + id); - else - slotSsid.put(id, ssidsObj); - - printDebug(" gSS:: added slot: " + id + "has ste ssid: " + entry.steSsidPosition); - } - } - - /* allocate array */ - int numOfSlot = slotSsid.size(); - - if (0 == numOfSlot) - { - printDebug(" gVS:: slot: binary ==> zero"); - return new byte[0]; - } - - int totalSize = (numOfSlot * slotEntrySz); - - byte[] slotArray = new byte[totalSize]; - - int index = 0; - - Enumeration e = slotSsid.elements(); - while (e.hasMoreElements()) - { - SsidsEntry entry = (SsidsEntry) e.nextElement(); - 
System.out.println(" gSS:: bus slot: " + entry.bus + " " + entry.slot + " ste ssid: " + entry.ste); - - /* Write bus */ - writeShortToStream(slotArray,(short)entry.bus,index); - index = index + u16Size; - - /* Write slot */ - writeShortToStream(slotArray,(short)entry.slot,index); - index = index + u16Size; - - /* Write ste ssid */ - writeShortToStream(slotArray,(short) entry.ste,index); - index = index + u16Size; - - } - - printDebug(" gSS:: slot: num of vlans " + numOfSlot); - printDebug(" gSS:: slot: binary ==> Length "+ slotArray.length); - - if (debug) - printHex(slotArray,slotArray.length); - printDebug("\n"); - - return slotArray; - - } - - public byte[] generatePartSsids(Vector bagOfSsids, Vector bagOfChwSsids) - throws Exception - { - /** - typedef struct { - u16 id; - u16 ssid_ste; - u16 ssid_chwall; - } acm_partition_entry_t; - - **/ - Hashtable partSsid = new Hashtable(); - printDebug(" gPS::Size of bagOfSsids: "+ bagOfSsids.size()); - - /* Find the number of VMs */ - for (int i = 0; i < bagOfSsids.size(); i++) - { - SecurityLabel entry = (SecurityLabel) bagOfSsids.elementAt(i); - - if (null == entry.ids) - continue; - - Enumeration e = entry.ids.elements(); - while (e.hasMoreElements()) - { - String id = (String) e.nextElement(); - printDebug(" gPS:: part: " + id + "has ste ssid: " + entry.steSsidPosition); - if (-1 == entry.steSsidPosition) - continue; - - SsidsEntry ssidsObj = new SsidsEntry(); - - ssidsObj.id = Integer.parseInt(id); - ssidsObj.ste = entry.steSsidPosition; - - if (partSsid.contains(id)) - printDebug(" gPS:: Error already in the Hash part:" + ssidsObj.id); - else - partSsid.put(id, ssidsObj); - printDebug(" gPS:: added part: " + id + "has ste ssid: " + entry.steSsidPosition); - } - - } - - for (int i = 0; i < bagOfChwSsids.size(); i++) - { - SecurityLabel entry = (SecurityLabel) bagOfChwSsids.elementAt(i); - - Enumeration e = entry.chwIDs.elements(); - while (e.hasMoreElements()) - { - String id = (String) e.nextElement(); - 
printDebug(" gPS:: part: " + id + "has chw ssid: " + entry.chwSsidPosition); - if (partSsid.containsKey(id)) - { - SsidsEntry item = (SsidsEntry) partSsid.get(id); - item.chw = entry.chwSsidPosition; - printDebug(" gPS:: added :" + item.id +" chw: " + item.chw); - } - else - { - printDebug(" gPS:: creating :" + id +" chw: " + entry.chwSsidPosition); - SsidsEntry ssidsObj = new SsidsEntry(); - ssidsObj.id = Integer.parseInt(id); - ssidsObj.chw = entry.chwSsidPosition; - partSsid.put(id, ssidsObj); - - } - } - } - - /* Allocate array */ - int numOfPar = partSsid.size(); - int totalSize = (numOfPar * partitionEntrySz); - - if (0 == numOfPar) - { - printDebug(" gPS:: part: binary ==> zero"); - return new byte[0]; - } - - byte[] partArray = new byte[totalSize]; - - int index = 0; - - Enumeration e = partSsid.elements(); - while (e.hasMoreElements()) - { - SsidsEntry entry = (SsidsEntry) e.nextElement(); - printDebug(" gPS:: part: " + entry.id + " ste ssid: " + entry.ste + " chw ssid: "+ entry.chw); - - /* Write id */ - writeShortToStream(partArray,(short)entry.id,index); - index = index + u16Size; - - /* Write ste ssid */ - writeShortToStream(partArray,(short) entry.ste,index); - index = index + u16Size; - - /* Write chw ssid */ - writeShortToStream(partArray,(short) entry.chw,index); - index = index + u16Size; - } - - printDebug(" gPS:: part: num of partitions " + numOfPar); - printDebug(" gPS:: part: binary ==> Length " + partArray.length); - - if (debug) - printHex(partArray,partArray.length); - printDebug("\n"); - - return partArray; - } - - public byte[] GenBinaryPolicyBuffer(byte[] chwPolicy, byte[] stePolicy, byte [] partMap, byte[] vlanMap, byte[] slotMap) - { - byte[] binBuffer; - short chwSize =0; - short steSize =0; - int index = 0; - - /* Builds data structure acm_policy_buffer_t */ - /* Get number of colorTypes */ - if (null != chwPolicy) - chwSize = (short) chwPolicy.length; - - if (null != stePolicy) - steSize = (short) stePolicy.length; - - int 
totalDataSize = chwSize + steSize + resourceOffsetSz + 3 *(2 * u16Size); - - /* Add vlan and slot */ - totalDataSize = totalDataSize +partMap.length + vlanMap.length + slotMap.length; - binBuffer = new byte[binaryBufferHeaderSz +totalDataSize]; - - - try { - index = 0; - /* fill in General Policy Version */ - writeIntToStream(binBuffer, ACM_POLICY_VERSION, index); - index += u32Size; - - /* Write magic */ - writeIntToStream(binBuffer, ACM_MAGIC, index); - index += u32Size; - - /* write len */ - writeIntToStream(binBuffer, binBuffer.length, index); - index += u32Size; - - } catch (IOException ee) { - System.out.println(" GBPB:: got exception : " + ee); - return null; - } - - int offset, address; - address = index; - - if (null != partMap) - offset = binaryBufferHeaderSz + resourceOffsetSz; - else - offset = binaryBufferHeaderSz; - - try { - int skip = 0; - - /* init with NULL policy setting */ - writeIntToStream(binBuffer, ACM_NULL_POLICY, index); - writeIntToStream(binBuffer, 0, index + u32Size); - writeIntToStream(binBuffer, ACM_NULL_POLICY, index + 2*u32Size); - writeIntToStream(binBuffer, 0, index + 3*u32Size); - - index = address; - if (null != chwPolicy) { - - /* Write policy name */ - writeIntToStream(binBuffer, ACM_CHINESE_WALL_POLICY, index); - index += u32Size; - - /* Write offset */ - writeIntToStream(binBuffer, offset, index); - index += u32Size; - - /* Write payload. 
No need increment index */ - address = offset; - System.arraycopy(chwPolicy, 0, binBuffer,address, chwPolicy.length); - address = address + chwPolicy.length; - } else - skip += 2*u32Size; - - if (null != stePolicy) - { - /* Write policy name */ - writeIntToStream(binBuffer, ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY, index); - index += u32Size; - - /* Write offset */ - writeIntToStream(binBuffer, address, index); - index += u32Size; - - /* Copy array */ - System.arraycopy(stePolicy, 0, binBuffer,address, stePolicy.length); - /* Update address */ - address = address + stePolicy.length; - } else - skip += 2*u32Size; - - /* Skip writing policy name and offset for each null policy*/ - index += skip; - - int size; - /* Assumes that you will always have a partition defined in policy */ - if ( 0 < partMap.length) { - writeIntToStream(binBuffer, address, index); - index = address; - - /* Compute num of VMs */ - size = partMap.length / (3 * u16Size); - - writeShortToStream(binBuffer, (short)size,index); - index = index + u16Size; - - /* part, vlan and slot: each one consists of two entries */ - offset = 3 * (2 * u16Size); - writeShortToStream(binBuffer, (short) offset,index); - - /* Write partition array at offset */ - System.arraycopy(partMap, 0, binBuffer,(offset + address), partMap.length); - index = index + u16Size; - offset = offset + partMap.length; - } - - if ( 0 < vlanMap.length) { - size = vlanMap.length / (2 * u16Size); - writeShortToStream(binBuffer, (short) size,index); - index = index + u16Size; - - writeShortToStream(binBuffer, (short) offset,index); - index = index + u16Size; - System.arraycopy(vlanMap, 0, binBuffer,(offset + address), vlanMap.length); - } else { - /* Write vlan max */ - writeShortToStream(binBuffer, (short) 0,index); - index = index + u16Size; - - /* Write vlan offset */ - writeShortToStream(binBuffer, (short) 0,index); - index = index + u16Size; - } - - offset = offset + vlanMap.length; - if ( 0 < slotMap.length) { - size = slotMap.length / (3 * 
u16Size); - writeShortToStream(binBuffer, (short) size,index); - index = index + u16Size; - - writeShortToStream(binBuffer, (short) offset,index); - index = index + u16Size; - System.arraycopy(slotMap, 0, binBuffer,(offset + address), slotMap.length); - } - } catch (IOException ee) { - System.out.println(" GBPB:: got exception : " + ee); - return null; - } - - printDebug(" GBP:: Binary Policy ==> length " + binBuffer.length); - if (debug) - printHex(binBuffer,binBuffer.length); - - return binBuffer; - } - - public byte[] generateChwBuffer(Vector Ssids, Vector ConflictSsids, Vector ColorTypes) - { - byte[] chwBuffer; - int index = 0; - int position = 0; - - /* Get number of rTypes */ - int maxTypes = ColorTypes.size(); - - /* Get number of SSids entry */ - int maxSsids = Ssids.size(); - - /* Get number of conflict sets */ - int maxConflict = ConflictSsids.size(); - - - if (maxTypes * maxSsids == 0) - return null; - /* - data structure acm_chwall_policy_buffer - se XmlToBinInterface.java - */ - int totalBytes = chwHeaderSize + u16Size *(maxTypes * (maxSsids + maxConflict)); - - chwBuffer = new byte[ totalBytes ]; - int address = chwHeaderSize + (u16Size * maxTypes * maxSsids ); - - printDebug(" gCB:: chwall totalbytes : "+totalBytes); - - try { - index = 0; - /* fill in General Policy Version */ - writeIntToStream(chwBuffer, ACM_CHWALL_VERSION, index); - index += u32Size; - - writeIntToStream(chwBuffer, ACM_CHINESE_WALL_POLICY, index); - index += u32Size; - - writeIntToStream(chwBuffer, maxTypes, index); - index += u32Size; - - writeIntToStream(chwBuffer, maxSsids, index); - index += u32Size; - - writeIntToStream(chwBuffer, maxConflict, index); - index += u32Size; - - /* Write chwall_ssid_offset */ - writeIntToStream(chwBuffer, chwHeaderSize, index); - index += u32Size; - - /* Write chwall_conflict_sets_offset */ - writeIntToStream(chwBuffer, address, index); - index += u32Size; - - /* Write chwall_running_types_offset */ - writeIntToStream(chwBuffer, 0, index); - 
index += u32Size; - - /* Write chwall_conflict_aggregate_offset */ - writeIntToStream(chwBuffer, 0, index); - index += u32Size; - - } catch (IOException ee) { - System.out.println(" gCB:: got exception : " + ee); - return null; - } - int markPos = 0; - - /* Create the SSids entry */ - for (int i = 0; i < maxSsids; i++) - { - SecurityLabel ssidEntry = (SecurityLabel) Ssids.elementAt(i); - /* Get chwall types */ - ssidEntry.chwSsidPosition = i; - Enumeration e = ssidEntry.chwTypes.elements(); - while (e.hasMoreElements()) - { - String typeName = (String) e.nextElement(); - printDebug(" gCB:: Ssid "+ i+ ": has type : " + typeName); - position = ColorTypes.indexOf(typeName); - - if (position < 0) - { - System.out.println (" gCB:: Error type : " + typeName + " not found in ColorTypes"); - return null; - } - printDebug(" GCB:: type : " + typeName + " found in ColorTypes at position: " + position); - markPos = ((i * maxTypes + position) * u16Size) + index; - - try { - writeShortToStream(chwBuffer,markSymbol,markPos); - } catch (IOException ee) { - System.out.println(" gCB:: got exception : "); - return null; - } - } - } - - if (debug) - printHex(chwBuffer,chwBuffer.length); - - /* Add conflict set */ - index = address; - for (int i = 0; i < maxConflict; i++) - { - /* Get ste types */ - Vector entry = (Vector) ConflictSsids.elementAt(i); - Enumeration e = entry.elements(); - while (e.hasMoreElements()) - { - String typeName = (String) e.nextElement(); - printDebug (" GCB:: conflict Ssid "+ i+ ": has type : " + typeName); - position = ColorTypes.indexOf(typeName); - - if (position < 0) - { - System.out.println (" GCB:: Error type : " + typeName + " not found in ColorTypes"); - return null; - } - printDebug(" GCB:: type : " + typeName + " found in ColorTypes at position: " + position); - markPos = ((i * maxTypes + position) * u16Size) + index; - - try { - writeShortToStream(chwBuffer,markSymbol,markPos); - } catch (IOException ee) { - System.out.println(" GCB:: got exception 
: "); - return null; - } - } - - } - printDebug(" gSB:: chw binary ==> Length " + chwBuffer.length); - if (debug) - printHex(chwBuffer,chwBuffer.length); - printDebug("\n"); - - return chwBuffer; - } - -/********************************************************************** - Generate byte representation of policy using type information - <p> - @param Ssids Vector - @param ColorTypes Vector - <p> - @return bytes represenation of simple type enforcement policy -**********************************************************************/ - public byte[] generateSteBuffer(Vector Ssids, Vector ColorTypes) - { - byte[] steBuffer; - int index = 0; - int position = 0; - - /* Get number of colorTypes */ - int numColorTypes = ColorTypes.size(); - - /* Get number of SSids entry */ - int numSsids = Ssids.size(); - - if (numColorTypes * numSsids == 0) - return null; - - /* data structure: acm_ste_policy_buffer - * see XmlToBinInterface.java - * total bytes: steHeaderSize * 2B + colorTypes(size) * Ssids(size) - * - */ - steBuffer = new byte[ steHeaderSize + (numColorTypes * numSsids) * 2]; - - try { - - index = 0; - writeIntToStream(steBuffer, ACM_STE_VERSION, index); - index += u32Size; - - writeIntToStream(steBuffer, ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY, index); - index += u32Size; - - writeIntToStream(steBuffer, numColorTypes, index); - index += u32Size; - - writeIntToStream(steBuffer, numSsids, index); - index += u32Size; - - writeIntToStream(steBuffer, steHeaderSize, index); - index += u32Size; - - - } catch (IOException ee) { - System.out.println(" gSB:: got exception : " + ee); - return null; - } - int markPos = 0; - for (int i = 0; i < numSsids; i++) - { - - SecurityLabel ssidEntry = (SecurityLabel) Ssids.elementAt(i); - ssidEntry.steSsidPosition = i; - /* Get ste types */ - Enumeration e = ssidEntry.steTypes.elements(); - while (e.hasMoreElements()) - { - String typeName = (String) e.nextElement(); - printDebug (" gSB:: Ssid "+ i+ ": has type : " + typeName); - position = 
ColorTypes.indexOf(typeName); - - if (position < 0) - { - printDebug(" gSB:: Error type : " + typeName + " not found in ColorTypes"); - return null; - } - printDebug(" gSB:: type : " + typeName + " found in ColorTypes at position: " + position); - markPos = ((i * numColorTypes + position) * u16Size) + index; - - try { - writeShortToStream(steBuffer,markSymbol,markPos); - } catch (IOException ee) - { - System.out.println(" gSB:: got exception : "); - return null; - } - } - - } - - printDebug(" gSB:: ste binary ==> Length " + steBuffer.length); - if (debug) - printHex(steBuffer,steBuffer.length); - printDebug("\n"); - - return steBuffer; - } - - public static void printHex(byte [] dataArray, int length) - { - char[] hexChars = {'0', '1', '2', '3', '4', '5', '6', '7', - '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'}; - int hexIndex; - int value; - int arraylength; - - arraylength = length; - - if (dataArray == null) - { - System.err.print("printHex: input byte array is null"); - } - - if (length > dataArray.length || length < 0) - arraylength = dataArray.length; - - System.out.print("\n\t"); - - int i; - for(i = 0; i < arraylength; ) - { - value = dataArray[i] & 0xFF; - hexIndex = (value >>> 4); - System.out.print(hexChars[hexIndex]); - hexIndex = (value & 0x0F); - System.out.print(hexChars[hexIndex]); - - i++; - /* if done, print a final newline */ - if (i == arraylength) { - if (arraylength < dataArray.length) { - System.out.print("..."); - } - System.out.println(); - } - else if ((i % 24) == 0) { - System.out.print("\n\t"); - } - else if ((i % 4) == 0) { - System.out.print(" "); - } - } - - return; - } - - - private void writeShortToStream(byte[] stream, short value, int index) - throws IOException - { - int littleEndian = 0; - int byteVal; - - if (index + 2 > stream.length) - { - throw new IOException("Writing beyond stream length: " + - stream.length + " writing at locations from: " + index + " to " + (index + 4)); - } - - if (!LittleEndian) - { - - byteVal = value >> 
8; - stream[index ] = (byte) byteVal; - - byteVal = value; - stream[index + 1] = (byte) byteVal; - } else { - stream[index] = (byte) ((value & 0x00ff) ); - stream[index + 1] = (byte) ((value & 0xff00) >> 8); - } - return; - } - - private void writeIntToStream(byte[] stream, int value, int index) - throws IOException - { - int littleEndian = 0; - int byteVal; - - if (4 > stream.length) - { - throw new IOException("writeIntToStream: stream length less than 4 bytes " + - stream.length); - } - - /* Do not Write beyond range */ - if (index + 4 > stream.length) - { - throw new IOException("writeIntToStream: writing beyond stream length: " + - stream.length + " writing at locations from: " + index + " to " + (index + 4)); - } - if (!LittleEndian) - { - byteVal = value >>> 24; - stream[index] = (byte) byteVal; - - byteVal = value >> 16; - stream[index + 1] = (byte) byteVal; - - byteVal = value >> 8; - stream[index + 2] = (byte) byteVal; - - byteVal = value; - stream[index + 3] = (byte) byteVal; - } else { - stream[index] = (byte) value; - stream[index + 1] = (byte) ((value & 0x0000ff00) >> 8); - stream[index + 2] = (byte) ((value & 0x00ff0000) >> 16); - stream[index + 3] = (byte) ( value >>> 24); - } - return; - } - - public Document getDomTree(String xmlFileName) - throws Exception, SAXException, ParserConfigurationException - { - javax.xml.parsers.DocumentBuilderFactory dbf = - javax.xml.parsers.DocumentBuilderFactory.newInstance(); - - /* Turn on namespace aware and validation */ - dbf.setNamespaceAware(true); - dbf.setValidating(true); - dbf.setAttribute(JAXP_SCHEMA_LANGUAGE,W3C_XML_SCHEMA); - - /* Checks that the document is well-formed */ - javax.xml.parsers.DocumentBuilder db = dbf.newDocumentBuilder(); - - myHandler errHandler= new myHandler(); - db.setErrorHandler(errHandler); - Document doc = db.parse(xmlFileName); - - /* Checks for validation errors */ - if (errHandler.isValid) - printDebug(" gDT:: Xml file: " + xmlFileName + " is valid"); - else - throw new 
Exception("Xml file: " + xmlFileName + " is NOT valid"); - - return doc; - } - - public void processDomTree( - Document doc, - Vector bagOfSsids, - Vector bagOfTypes, - Vector bagOfChwSsids, - Vector bagOfChwTypes, - Vector bagOfConflictSsids) - throws Exception, SAXException, ParserConfigurationException - { - boolean found; - - /* print the root Element */ - Element root = doc.getDocumentElement(); - printDebug ("\n pDT:: Document Element: Name = " + root.getNodeName() + ",Value = " + root.getNodeValue()); - - /* Go through the list of the root Element's Attributes */ - NamedNodeMap nnm = root.getAttributes(); - printDebug (" pDT:: # of Attributes: " + nnm.getLength()); - for (int i = 0; i < nnm.getLength(); i++) - { - Node n = nnm.item (i); - printDebug (" pDT:: Attribute: Name = " + n.getNodeName() + ", Value = " - + n.getNodeValue()); - } - - /* Retrieve the policy definition */ - NodeList elementList = root.getElementsByTagName ("url"); - String definitionFileName = elementList.item(0).getFirstChild().getNodeValue(); - - String definitionHash = null; - - /* Note that SecurityPolicySpec.xsd allows for 0 hash value! 
*/ - elementList = root.getElementsByTagName ("hash"); - if (0 != elementList.getLength()) - definitionHash = elementList.item(0).getFirstChild().getNodeValue(); - - Document definitionDoc = pGetDomDefinition(definitionFileName,definitionHash); - pGetTypes(definitionDoc,bagOfTypes, bagOfChwTypes, bagOfConflictSsids); - - - /* Get VM security information */ - elementList = root.getElementsByTagName ("VM"); - printDebug ("\n pDT:: partition length of NodeList:" + elementList.getLength()); - /* Add default Ssid to Ste and Chw bags */ - SecurityLabel defEntry = new SecurityLabel(); - - defEntry.chwTypes = new Vector(); - defEntry.steTypes = new Vector(); - defEntry.chwIDs = new Vector(); - defEntry.ids = new Vector(); - - defEntry.steSsidPosition =0; - defEntry.chwSsidPosition =0; - bagOfChwSsids.add(defEntry); - bagOfSsids.add(defEntry); - - for (int x = 0; x < elementList.getLength(); x++) - { - found = false; - - Node node = elementList.item (x); - - if (node.getNodeType() == Node.ELEMENT_NODE) - { - printDebug (" pDT:: child: " + x + " is an element node" ); - Element e1 = (Element) node; - - /* Get id */ - NodeList elist = e1.getElementsByTagName ("id"); - String idStr = elist.item(0).getFirstChild().getNodeValue(); - printDebug (" pDT:: id:" + idStr); - - /* Get TE */ - Vector colorTypes = new Vector(); - pConflictEntries(e1, "TE", bagOfTypes, colorTypes); - - Enumeration e = bagOfSsids.elements(); - while (e.hasMoreElements()) - { - SecurityLabel elem = (SecurityLabel) e.nextElement(); - if ( elem.steTypes.size() == colorTypes.size() && elem.steTypes.containsAll(colorTypes)) - { - found = true; - elem.ids.add(idStr); - } - - } - if (!found && (0 < colorTypes.size())) - { - SecurityLabel entry = new SecurityLabel(); - entry.steTypes = colorTypes; - entry.ids = new Vector(); - entry.ids.add(idStr); - bagOfSsids.add(entry); - } - - /* Get Chinese wall type */ - Vector chwTypes = new Vector(); - pConflictEntries(e1, "ChWall", bagOfChwTypes, chwTypes); - - found = 
false; - e = bagOfChwSsids.elements(); - - while (e.hasMoreElements()) - { - SecurityLabel elem = (SecurityLabel) e.nextElement(); - if ( elem.chwTypes.size() == chwTypes.size() && elem.chwTypes.containsAll(chwTypes)) - { - found = true; - elem.chwIDs.add(idStr); - } - - } - - if (!found && (0 < chwTypes.size())) - { - SecurityLabel entry = new SecurityLabel(); - entry.chwTypes = chwTypes; - entry.chwIDs = new Vector(); - entry.chwIDs.add(idStr); - bagOfChwSsids.add(entry); - } - } - } - return; - } - - public Document pGetDomDefinition( - String definitionFileName, - String definitionHash) - throws Exception, SAXException, ParserConfigurationException - { - printDebug("\n pGDD:: definition file name: " + definitionFileName); - printDebug("\n pGDD:: definition file hash: " + definitionHash); - - Document doc = getDomTree(definitionFileName); - return doc; - } - - public void pGetTypes( - Document defDoc, - Vector bagOfTypes, - Vector bagOfChwTypes, - Vector bagOfConflictSsids) - throws Exception - { - - - if (null == defDoc) - throw new Exception(" pGT:: definition file DOM is null "); - - Element root = defDoc.getDocumentElement(); - - /* Get list of TE types */ - NodeList elementList = root.getElementsByTagName ("Types"); - printDebug ("\n pGT:: Types length of NodeList:" + elementList.getLength()); - Element e1 = (Element) elementList.item (0); - pGetEntries(e1,"TE",bagOfTypes); - - /* Get list of Chinese types */ - elementList = root.getElementsByTagName ("ChWallTypes"); - printDebug ("\n pGT:: ChwTypes length of NodeList:" + elementList.getLength()); - if (0 == elementList.getLength()) - { - printDebug ("\n pGT:: ChWallTypes has zero length: :" + elementList.getLength()); - } else { - e1 = (Element) elementList.item (0); - pGetEntries(e1,"ChWall",bagOfChwTypes); - } - printDebug (" pGT:: Total number of unique chw types: " + bagOfChwTypes.size()); - - /* Get Chinese type conflict sets */ - elementList = root.getElementsByTagName ("ConflictSet"); - printDebug 
("\n pGT:: Conflict sets length of NodeList:" + elementList.getLength()); - for (int x = 0; x < elementList.getLength(); x++) - { - Vector conflictEntry = new Vector(); - e1 = (Element) elementList.item (x); - printDebug ("\n pGT:: Conflict sets : " + x); - - pConflictEntries(e1, "ChWall", bagOfChwTypes, conflictEntry); - - if (conflictEntry.size() > 0) - { - boolean found = false; - Enumeration e = bagOfConflictSsids.elements(); - - while (e.hasMoreElements()) - { - Vector elem = (Vector) e.nextElement(); - if (elem.size() == conflictEntry.size() && elem.containsAll(conflictEntry)) - { - found = true; - } - - } - if (!found) - { - bagOfConflictSsids.add(conflictEntry); - } - } - } - - } - - public void pGetEntries(Element doc, String tag, Vector typeBag) - throws Exception - { - - if (null == doc) - throw new Exception(" pGE:: Element doc is null"); - - if (null == typeBag) - throw new Exception(" pGE:: typeBag is null"); - - NodeList elist = doc.getElementsByTagName (tag); - for (int j = 0; j < elist.getLength(); j++) - { - Node knode = elist.item (j); - Node childNode = knode.getFirstChild(); - String value = childNode.getNodeValue(); - - printDebug (" pGT:: "+ tag +" type: " + value); - - /* Check if value is known */ - if (!typeBag.contains(value)) - typeBag.addElement(value); - } - } - - public void pConflictEntries(Element doc, String tag, Vector typeBag, Vector conflictEntry) - throws Exception - { - - if (null == doc) - throw new Exception(" pGE:: Element doc is null"); - - if (null == typeBag) - throw new Exception(" pGE:: typeBag is null"); - - if (null == conflictEntry) - throw new Exception(" pGE:: typeBag is null"); - - - NodeList elist = doc.getElementsByTagName (tag); - - for (int j = 0; j < elist.getLength(); j++) - { - Node knode = elist.item (j); - Node childNode = knode.getFirstChild(); - String value = childNode.getNodeValue(); - - printDebug (" pGE:: "+ tag +" type: " + value); - - /* Check if value is known */ - if (!typeBag.contains(value)) 
- throw new Exception(" pCE:: found undefined type set " + value); - - if (!conflictEntry.contains(value)) - conflictEntry.addElement(value); - - } - } - - public void processDomTreeVlanSlot( - Document doc, - Vector bagOfSsids, - Vector bagOfTypes) - throws Exception - { - boolean found; - - printDebug(" pDTVS::Size of bagOfSsids: "+ bagOfSsids.size()); - Element root = doc.getDocumentElement(); - - NodeList elementList = root.getElementsByTagName ("Vlan"); - printDebug("\n pDTVS:: Vlan length of NodeList:" + elementList.getLength()); - - for (int x = 0; x < elementList.getLength(); x++) - { - found = false; - - Node node = elementList.item (x); - - if (node.getNodeType() == Node.ELEMENT_NODE) - { - printDebug(" pDTVS:: child: " + x + " is an element node" ); - Element e1 = (Element) node; - - /* Get vid */ - NodeList elist = e1.getElementsByTagName ("vid"); - String idStr = elist.item(0).getFirstChild().getNodeValue(); - printDebug (" pDTVS:: vid:" + idStr); - - /* Get TE */ - elist = e1.getElementsByTagName ("TE"); - printDebug (" pDTVS:: Total ste types: " + elist.getLength()); - - Vector colorTypes = new Vector(); - for (int j = 0; j < elist.getLength(); j++) - { - Node knode = elist.item (j); - Node childNode = knode.getFirstChild(); - String value = childNode.getNodeValue(); - - printDebug (" pDT:: My color is: " + value); - if (!bagOfTypes.contains(value)) - { - throw new IOException("pDT:: Vlan: " + idStr+ " has unknown type : "+ value); - } - - if (!colorTypes.contains(value)) - colorTypes.addElement(value); - } - Enumeration e = bagOfSsids.elements(); - while (e.hasMoreElements()) - { - SecurityLabel elem = (SecurityLabel) e.nextElement(); - if ( elem.steTypes.size() == colorTypes.size() && elem.steTypes.containsAll(colorTypes)) - { - found = true; - if (null == elem.vlans) - elem.vlans = new Vector(); - elem.vlans.add(idStr); - } - - } - if (!found && (0 < colorTypes.size())) - { - SecurityLabel entry = new SecurityLabel(); - entry.steTypes = 
colorTypes; - entry.vlans = new Vector(); - entry.vlans.add(idStr); - bagOfSsids.add(entry); - } - - } - } - printDebug(" pDTVS::After slot Size of bagOfSsids: "+ bagOfSsids.size()); - - elementList = root.getElementsByTagName ("Slot"); - printDebug ("\n pDTVS:: Slot length of NodeList:" + elementList.getLength()); - - for (int x = 0; x < elementList.getLength(); x++) - { - found = false; - - Node node = elementList.item (x); - - if (node.getNodeType() == Node.ELEMENT_NODE) - { - printDebug(" pDT:: child: " + x + " is an element node" ); - Element e1 = (Element) node; - - - /* Get slot and bus */ - SlotInfo item = new SlotInfo(); - - NodeList elist = e1.getElementsByTagName ("bus"); - item.bus = elist.item(0).getFirstChild().getNodeValue(); - elist = e1.getElementsByTagName ("slot"); - item.slot = elist.item(0).getFirstChild().getNodeValue(); - printDebug (" pDT:: bus and slot:" + item.bus + " "+ item.slot); - - /* Get TE */ - elist = e1.getElementsByTagName ("TE"); - printDebug (" pDT:: Total ste types: " + elist.getLength()); - - Vector colorTypes = new Vector(); - for (int j = 0; j < elist.getLength(); j++) - { - Node knode = elist.item (j); - Node childNode = knode.getFirstChild(); - String value = childNode.getNodeValue(); - - printDebug (" pDT:: My color is: " + value); - if (!bagOfTypes.contains(value)) - { - throw new IOException("pDT:: bus: " + item.bus + " slot: "+ item.slot + " has unknown type : "+ value); - } - - if (!colorTypes.contains(value)) - colorTypes.addElement(value); - } - - Enumeration e = bagOfSsids.elements(); - while (e.hasMoreElements()) - { - SecurityLabel elem = (SecurityLabel) e.nextElement(); - if ( elem.steTypes.size() == colorTypes.size() && elem.steTypes.containsAll(colorTypes)) - { - found = true; - if (null == elem.slots) - elem.slots = new Vector(); - elem.slots.add(item); - - } - - } - - if (!found && (0 < colorTypes.size())) - { - SecurityLabel entry = new SecurityLabel(); - entry.steTypes = colorTypes; - entry.slots = new 
Vector(); - entry.slots.add(item); - bagOfSsids.add(entry); - } - - } - } - return; - } - - public static void main (String[] args) - { - String xmlFileName = null; /* policy file */ - String outputFileName = null; /* binary policy file */ - String xenSsidOutputFileName = null; /* outputfile ssid to named types */ - /* outputfile conflicts ssid to named types */ - String xenSsidConfOutputFileName = null; - - XmlToBin genObj = new XmlToBin(); - - policy_version active_policy = new policy_version(); - - if ((active_policy.ACM_POLICY_VERSION != ACM_POLICY_VERSION) || - (active_policy.ACM_CHWALL_VERSION != ACM_CHWALL_VERSION) || - (active_policy.ACM_STE_VERSION != ACM_STE_VERSION)) { - System.out.println("ACM policy versions differ."); - System.out.println("Please verify that data structures are correct"); - System.out.println("and then adjust the version numbers in XmlToBinInterface.java."); - return; - } - - - for (int i = 0 ; i < args.length ; i++) { - - if ( args[i].equals("-help")) { - printUsage(); - System.exit(1); - - } else if ( args[i].equals("-i")) { - i++; - if (i < args.length) { - xmlFileName = args[i]; - } else { - System.out.println("-i argument needs parameter"); - System.exit(1); - } - - } else if ( args[i].equals("-o")) { - i++; - if (i < args.length) { - outputFileName = args[i]; - } else { - System.out.println("-o argument needs parameter"); - System.exit(1); - } - - } else if ( args[i].equals("-xssid")) { - i++; - if (i < args.length) { - xenSsidOutputFileName = args[i]; - } else { - System.out.println("-xssid argument needs parameter"); - System.exit(1); - } - - } else if ( args[i].equals("-xssidconf")) { - i++; - if (i < args.length) { - xenSsidConfOutputFileName = args[i]; - } else { - System.out.println("-xssidconf argument needs parameter"); - System.exit(1); - } - } else if ( args[i].equals("-debug")) { /* turn on debug msg */ - genObj.setDebug(true); - } else { - System.out.println("bad command line argument: " + args[i]); - printUsage(); - 
System.exit(1); - } - - } - - if (xmlFileName == null) - { - System.out.println("Need to specify input file -i option"); - printUsage(); - System.exit(1); - } - - - try - { - /* Parse and validate */ - Document doc = genObj.getDomTree(xmlFileName); - - /* Vectors to hold sets of types */ - Vector bagOfSsids = new Vector(); - Vector bagOfTypes = new Vector(); - Vector bagOfChwSsids = new Vector(); - Vector bagOfChwTypes = new Vector(); - Vector bagOfConflictSsids = new Vector(); - - Vector vlanMapSsids = new Vector(); - Vector slotMapSsids = new Vector(); - - genObj.processDomTree(doc, bagOfSsids, bagOfTypes, bagOfChwSsids, bagOfChwTypes, bagOfConflictSsids); - - genObj.processDomTreeVlanSlot(doc, bagOfSsids, bagOfTypes); - - /* Get binary representation of policies */ - byte[] stePolicy = genObj.generateSteBuffer(bagOfSsids, bagOfTypes); - byte[] chwPolicy = genObj.generateChwBuffer(bagOfChwSsids, bagOfConflictSsids,bagOfChwTypes); - - byte[] binPolicy = null; - byte[] binaryPartionSsid = null; - byte[] binaryVlanSsid = null; - byte[] binarySlotSsid = null; - - /* Get binary representation of partition to ssid mapping */ - binaryPartionSsid = genObj.generatePartSsids(bagOfSsids,bagOfChwSsids); - - /* Get binary representation of vlan to ssid mapping */ - binaryVlanSsid = genObj.generateVlanSsids(bagOfSsids); - - /* Get binary representation of slot to ssid mapping */ - binarySlotSsid = genObj.generateSlotSsids(bagOfSsids); - - /* Generate binary representation: policy, partition, slot and vlan */ - binPolicy = genObj.GenBinaryPolicyBuffer(chwPolicy,stePolicy, binaryPartionSsid, binaryVlanSsid, binarySlotSsid); - - - /* Write binary policy into file */ - if (null != outputFileName) - { - genObj.writeBinPolicy(binPolicy, outputFileName); - } else { - System.out.println (" No binary policy generated, outputFileName: " + outputFileName); - } - - /* Print total number of types */ - System.out.println (" Total number of unique ste types: " + bagOfTypes.size()); - 
System.out.println (" Total number of Ssids : " + bagOfSsids.size()); - System.out.println (" Total number of unique chw types: " + bagOfChwTypes.size()); - System.out.println (" Total number of conflict ssids : " + bagOfConflictSsids.size()); - System.out.println (" Total number of chw Ssids : " + bagOfChwSsids.size()); - - if (null != xenSsidOutputFileName) - genObj.writeXenTypeFile(bagOfSsids, xenSsidOutputFileName, true); - - if (null != xenSsidConfOutputFileName) - genObj.writeXenTypeFile(bagOfChwSsids, xenSsidConfOutputFileName, false); - } - catch (Exception e) - { - e.printStackTrace(); - } - } -} diff -r a86fb4df3bdd -r bf1746842c46 tools/misc/policyprocessor/XmlToBinInterface.java --- a/tools/misc/policyprocessor/XmlToBinInterface.java Fri Aug 19 12:21:29 2005 +++ /dev/null Fri Aug 19 12:22:27 2005 
@@ -1,138 +0,0 @@
-/**
- * (C) Copyright IBM Corp. 2005
- *
- * $Id: XmlToBinInterface.java,v 1.3 2005/06/20 21:07:37 rvaldez Exp $
- *
- * Author: Ray Valdez
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License as
- * published by the Free Software Foundation, version 2 of the
- * License.
- *
- * XmlToBinInterface Class.
- * <p>
- *
- * Defines constants used by XmToBin.
- *
- * <p>
- *
- * policy binary structures
- *
- * struct acm_policy_buffer {
- * u32 policy_version; * ACM_POLICY_VERSION *
- * u32 magic;
- * u32 len;
- * u32 primary_policy_code;
- * u32 primary_buffer_offset;
- * u32 secondary_policy_code;
- * u32 secondary_buffer_offset;
- * +u32 resource offset (not used yet in Xen)
- * };
- *
- *
- * struct acm_ste_policy_buffer {
- * u32 policy_version; * ACM_STE_VERSION *
- * u32 policy_code;
- * u32 ste_max_types;
- * u32 ste_max_ssidrefs;
- * u32 ste_ssid_offset;
- * };
- *
- * struct acm_chwall_policy_buffer {
- * u32 policy_version; * ACM_CHWALL_VERSION *
- * u32 policy_code;
- * u32 chwall_max_types;
- * u32 chwall_max_ssidrefs;
- * u32 chwall_max_conflictsets;
- * u32 chwall_ssid_offset;
- * u32 chwall_conflict_sets_offset;
- * u32 chwall_running_types_offset;
- * u32 chwall_conflict_aggregate_offset;
- * };
- *
- * typedef struct {
- * u16 partition_max;
- * u16 partition_offset;
- * u16 vlan_max;
- * u16 vlan_offset;
- * u16 slot_max;
- * u16 slot_offset;
- * } acm_resource_buffer_t;
- *
- * typedef struct {
- * u16 id;
- * u16 ssid_ste;
- * u16 ssid_chwall;
- * } acm_partition_entry_t;
- *
- * typedef struct {
- * u16 vlan;
- * u16 ssid_ste;
- * } acm_vlan_entry_t;
- *
- * typedef struct {
- * u16 bus;
- * u16 slot;
- * u16 ssid_ste;
- * } acm_slot_entry_t;
- *
- *
- *
- */
-public interface XmlToBinInterface
-{
- /* policy code (uint16) */
- final int policyCodeSize = 2;
-
- /* max_types (uint16) */
- final int maxTypesSize = 2;
-
- /* max_ssidrefs (uint16) */
- final int maxSsidrefSize = 2;
-
- /* ssid_offset (uint32) */
- final int ssidOffsetSize = 2;
-
- final short markSymbol = 0x0001;
-
- final int u32Size = 4;
- final int u16Size = 2;
-
- /* num of bytes for acm_ste_policy_buffer_t */
- final int steHeaderSize = (5 * u32Size);
-
- /* byte for acm_chinese_wall_policy_buffer_t */
- final int chwHeaderSize = (9 * u32Size);
-
- final int primaryPolicyCodeSize = u32Size;
- final int primaryBufferOffsetSize = u32Size ;
-
- final int secondaryPolicyCodeSz = u32Size;
- final int secondaryBufferOffsetSz = u32Size;
- final int resourceOffsetSz = u32Size;
-
- final short partitionBufferSz = (2 * u16Size);
- final short partitionEntrySz = (3 * u16Size);
-
- final short slotBufferSz = (2 * u16Size);
- final short slotEntrySz = (3 * u16Size);
-
- final short vlanBufferSz = (2 * u16Size);
- final short vlanEntrySz = (2 * u16Size);
-
- final int binaryBufferHeaderSz = (8 * u32Size); /* 8th not used in Xen */
-
- /* copied directly from acm.h */
- final int ACM_MAGIC = 0x0001debc;
- final int ACM_NULL_POLICY = 0;
- final int ACM_CHINESE_WALL_POLICY = 1;
- final int ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY = 2;
- final int ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY = 3;
- final int ACM_EMPTY_POLICY = 4;
-
- /* version for compatibility check */
- final int ACM_POLICY_VERSION = 1;
- final int ACM_STE_VERSION = 1;
- final int ACM_CHWALL_VERSION = 1;
-}
diff -r a86fb4df3bdd -r bf1746842c46 tools/misc/policyprocessor/c2j_include.c
--- a/tools/misc/policyprocessor/c2j_include.c Fri Aug 19 12:21:29 2005
+++ /dev/null Fri Aug 19 12:22:27 2005
@@ -1,57 +0,0 @@
-/****************************************************************
- * c2j_include.c
- *
- * Copyright (C) 2005 IBM Corporation
- *
- * Authors:
- * Reiner Sailer <sailer@xxxxxxxxxxxxxx>
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License as
- * published by the Free Software Foundation, version 2 of the
- * License.
- *
- * This tool makes some constants from acm.h available to the
- * java policyprocessor for version checking.
- */
-#include <stdio.h>
-#include <errno.h>
-#include <stdlib.h>
-#include <stdint.h>
-
-typedef uint8_t u8;
-typedef uint16_t u16;
-typedef uint32_t u32;
-typedef uint64_t u64;
-typedef int8_t s8;
-typedef int16_t s16;
-typedef int32_t s32;
-typedef int64_t s64;
-
-#include <xen/acm.h>
-
-char *filename = "policy_version.java";
-
-int main(int argc, char **argv)
-{
-
- FILE *fd;
- if ((fd = fopen(filename, "w")) <= 0)
- {
- printf("File %s not found.\n", filename);
- exit(-ENOENT);
- }
-
- fprintf(fd, "/*\n * This file was automatically generated\n");
- fprintf(fd, " * Do not change it manually!\n */\n");
- fprintf(fd, "public class policy_version {\n");
- fprintf(fd, " final int ACM_POLICY_VERSION = %x;\n",
- ACM_POLICY_VERSION);
- fprintf(fd, " final int ACM_CHWALL_VERSION = %x;\n",
- ACM_CHWALL_VERSION);
- fprintf(fd, " final int ACM_STE_VERSION = %x;\n",
- ACM_STE_VERSION);
- fprintf(fd, "}\n");
- fclose(fd);
- return 0;
-}
diff -r a86fb4df3bdd -r bf1746842c46 tools/misc/policyprocessor/myHandler.java
--- a/tools/misc/policyprocessor/myHandler.java Fri Aug 19 12:21:29 2005
+++ /dev/null Fri Aug 19 12:22:27 2005
@@ -1,47 +0,0 @@
-/**
- * (C) Copyright IBM Corp. 2005
- *
- * $Id: myHandler.java,v 1.2 2005/06/17 20:00:04 rvaldez Exp $
- *
- * Author: Ray Valdez
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License as
- * published by the Free Software Foundation, version 2 of the
- * License.
- *
- * myHandler Class.
- *
- * <p>
- *
- * A dummy class used for detecting XML validating/parsing errors.
- *
- * <p>
- *
- *
- */
-import org.xml.sax.helpers.*;
-import org.xml.sax.SAXParseException;
-
-class myHandler extends DefaultHandler
-{
- public boolean isValid = true;
-
- /* Notification of a recoverable error. */
- public void error(SAXParseException se)
- {
- isValid = false;
- }
-
- /* Notification of a non-recoverable error. */
- public void fatalError(SAXParseException se)
- {
- isValid = false;
- }
-
- /* Notification of a warning. */
- public void warning(SAXParseException se)
- {
- isValid = false;
- }
-}
diff -r a86fb4df3bdd -r bf1746842c46 tools/misc/policyprocessor/readme.install
--- a/tools/misc/policyprocessor/readme.install Fri Aug 19 12:21:29 2005
+++ /dev/null Fri Aug 19 12:22:27 2005
@@ -1,33 +0,0 @@
-# Author: Ray Valdez, rvaldez@xxxxxxxxxx
-# Version: 1.0
-#
-# install readme
-#
-PREREQUISITES:
-
-Prior to installation of the policy processor tool (XmlToBin) you must have...
-
- 1. Java version 1.4.2
- 2. xmlParserAPIs.jar and xercesImpl.jar
-
-The above can be obtained from the Sun Developer Network web site at
-http://java.sun.com/j2se/1.4.2/download.html.
-
-XmlParserAPIs and xercesImpl jars can be obtained from
-http://www.apache.org/dist/xml/xerces-j (Xerces-J-bin.2.6.2.tar.gz,
-for example).
-
-The tool has been tested with J2SE v1.4.2_08 JRE on Linux (32-bit
-INTEL).
-
-INSTALLATION
-
-1. Set PATH to include $HOME_JAVA/bin and $HOME_JAVA/jre/bin
- where $HOME_JAVA is your java installation directory
-
-2. Compile XmlToBin:
- javac XmlToBin.java
-
-USAGE
-
- See readme.xen
diff -r a86fb4df3bdd -r bf1746842c46 tools/misc/policyprocessor/readme.xen
--- a/tools/misc/policyprocessor/readme.xen Fri Aug 19 12:21:29 2005
+++ /dev/null Fri Aug 19 12:22:27 2005
@@ -1,65 +0,0 @@ -# Author: Ray Valdez, rvaldez@xxxxxxxxxx -# Version: 1.0 -# -# This readme describes the policy processor tool for sHype. -# - -Java program: - - java XmlToBin -i [file.xml] -o <file.bin> -xssid <SsidFile> -xssidconf <SsidConf> - - Command line options: - - -i inputFile: name of policyfile (.xml) - -o outputFile: name of binary policy file (Big Endian) - -xssid SsidFile: xen ssids to named types text file - -xssidconf SsidConf: xen conflict ssids to types text file - -debug turn on debug messages - -help help. This printout - -Where: - -file.xml is the (input) xml policy file to be parsed and validated. -The syntax for file.xml is defined in the SecurityPolicySpec.xsd file. -file.bin is the (output) binary policy file generated by XmlToBin. -This binary policy can be activated in sHype. The binary policy file -is laid out in network byte order (i.e., big endian). The SsidFile -file contains the mapping of type enforcement (TE) ssids to the "named -types". Similarly, the SsidConf file contains the mapping of Chinese -Wall (ChWall) ssids to conflict named types. The ssidFile and SsidConf -files are used by Xen. - -Xml Schema and policy: - -The SecurityPolicySpec.xsd defines the syntax of a policy file. It -declares the tags that are used by XmlToBin to generate the binary -policy file. The tags that XmlToBin keys on are TE, ChWall, id, vid, -etc. The xml files that describe a policy are simple. Semantic -checking of a policy is performed mostly by XmlToBin. A type, for -example, is a string. No fixed values are defined for types in Xml. - -A policy consists of two Xml files: definition and policy. The -definition Xml declares the types that are permitted in the policy -Xml. The policy Xml contains the assignment of labels to -subject/object (e.g., vm). This Xml file contains an explicit -reference to the definition Xml (e.g., <url>xen_sample_def.xml</url>). -The policy Xml is the one provided as a command line argument. 
- - -Files: - -*.java - policy processor source -xen_sample_policy.xml - sample xml policy file -xen_sample_def.xml - sample user defined types -SecurityPolicySpec.xsd - schema definition file - - -To generate the sample binary policy: - -export CLASSPATH=$XERCES_HOME/xercesImpl.jar:$XERCES_HOME/xmlParserAPIs.jar:. - -java XmlToBin -i xen_sample_policy.xml -o xen_sample_policy.bin - -where $XERCES_HOME is the installation directory of the Apache Xerces-J - - diff -r a86fb4df3bdd -r bf1746842c46 tools/misc/policyprocessor/xen_sample_def.xml --- a/tools/misc/policyprocessor/xen_sample_def.xml Fri Aug 19 12:21:29 2005 +++ /dev/null Fri Aug 19 12:22:27 2005 @@ -1,46 +0,0 @@ -<?xml version="1.0"?> -<!-- Author: Ray Valdez, rvaldez@xxxxxxxxxx --> -<!-- example policy type definition --> -<SecurityPolicySpec -xmlns="http://www.ibm.com" -xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" -xsi:schemaLocation="http://www.ibm.com SecurityPolicySpec.xsd"> - -<Definition> -<!-- an example of a simple type enforcement type definition --> - <Types> - <TE>LOCAL-management</TE> - <TE>R-Company-development</TE> - <TE>S-Company-order</TE> - <TE>T-Company-advertising</TE> - <TE>U-Company-computing</TE> - <!-- TE nondevelopment --> - </Types> - -<!-- an example of a chinese wall type definition along with conflict sets--> - <ChWallTypes> - <ChWall>Q-Company</ChWall> - <ChWall>R-Company</ChWall> - <ChWall>S-Company</ChWall> - <ChWall>T-Company</ChWall> - <ChWall>U-Company</ChWall> - <ChWall>V-Company</ChWall> - <ChWall>W-Company</ChWall> - <ChWall>X-Company</ChWall> - <ChWall>Y-Company</ChWall> - <ChWall>Z-Company</ChWall> - </ChWallTypes> - - <ConflictSet> - <ChWall>T-Company</ChWall> - <ChWall>S-Company</ChWall> - </ConflictSet> - - <ConflictSet> - <ChWall>R-Company</ChWall> - <ChWall>V-Company</ChWall> - <ChWall>W-Company</ChWall> - </ConflictSet> - -</Definition> -</SecurityPolicySpec> diff -r a86fb4df3bdd -r bf1746842c46 tools/misc/policyprocessor/xen_sample_policy.xml 
--- a/tools/misc/policyprocessor/xen_sample_policy.xml Fri Aug 19 12:21:29 2005
+++ /dev/null Fri Aug 19 12:22:27 2005
@@ -1,58 +0,0 @@
-<?xml version="1.0"?>
-<!-- Author: Ray Valdez, rvaldez@xxxxxxxxxx -->
-<!-- example xen policy file -->
-
-<SecurityPolicySpec
-xmlns="http://www.ibm.com"
-xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-xsi:schemaLocation="http://www.ibm.com SecurityPolicySpec.xsd">
-<Policy>
- <PolicyHeader>
- <Name>xen sample policy</Name>
- <DateTime>2005-05-20T16:56:00</DateTime>
- <Tag>foobar</Tag>
- <TypeDefinition>
- <url>xen_sample_def.xml</url>
- <hash>abcdef123456abcdef</hash>
- </TypeDefinition>
- </PolicyHeader>
-
- <VM>
- <id> 0 </id>
- <TE>LOCAL-management</TE>
- <TE>R-Company-development</TE>
- <TE>S-Company-order</TE>
- <TE>T-Company-advertising</TE>
- <TE>U-Company-computing</TE>
- <ChWall>Q-Company</ChWall>
- </VM>
-
- <VM>
- <id> 1 </id>
- <TE>R-Company-development</TE>
- <ChWall>R-Company</ChWall>
- </VM>
-
- <VM>
- <id> 2 </id>
- <TE>S-Company-order</TE>
- <ChWall>S-Company</ChWall>
-
- </VM>
-
- <VM>
- <id> 3 </id>
- <TE>T-Company-advertising</TE>
- <ChWall>T-Company</ChWall>
- </VM>
-
-
- <VM>
- <id> 4 </id>
- <TE>U-Company-computing</TE>
- <ChWall>U-Company</ChWall>
- </VM>
-
-
-</Policy>
-</SecurityPolicySpec>
_______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-changelog