[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] Merge.



# HG changeset patch
# User sos22@xxxxxxxxxxxxxxxxxxxx
# Node ID 509316987d6596b77b293c4fc162bfd7c60c132a
# Parent  3d45fb64b064d4cbf239aea83b2e8b994ed7b356
# Parent  7b6f55756f9c3079e9fb46cfe44a7c14f16a81b0
Merge.

Signed-off-by: Steven Smith, sos22@xxxxxxxxx

diff -r 3d45fb64b064 -r 509316987d65 Config.mk
--- a/Config.mk Fri Aug 19 10:18:53 2005
+++ b/Config.mk Fri Aug 19 10:50:15 2005
@@ -35,3 +35,11 @@
 
 # Choose the best mirror to download linux kernel
 KERNEL_REPO = http://www.kernel.org
+
+# ACM_USE_SECURITY_POLICY is set to security policy of Xen
+# Supported models are:
+#      ACM_NULL_POLICY (ACM will not be built with this policy)
+#      ACM_CHINESE_WALL_POLICY
+#      ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY
+#      ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY
+ACM_USE_SECURITY_POLICY ?= ACM_NULL_POLICY
diff -r 3d45fb64b064 -r 509316987d65 docs/src/user.tex
--- a/docs/src/user.tex Fri Aug 19 10:18:53 2005
+++ b/docs/src/user.tex Fri Aug 19 10:50:15 2005
@@ -1763,7 +1763,7 @@
  physical address in the memory map will be ignored. This parameter
  may be specified with a B, K, M or G suffix, representing bytes,
  kilobytes, megabytes and gigabytes respectively. The
- default unit, if no suffix is specified, is bytes.
+ default unit, if no suffix is specified, is kilobytes.
 
 \item [dom0\_mem=xxx ] 
  Set the amount of memory to be allocated to domain0. In Xen 3.x the parameter
diff -r 3d45fb64b064 -r 509316987d65 
linux-2.6-xen-sparse/arch/xen/configs/xen0_defconfig_x86_32
--- a/linux-2.6-xen-sparse/arch/xen/configs/xen0_defconfig_x86_32       Fri Aug 
19 10:18:53 2005
+++ b/linux-2.6-xen-sparse/arch/xen/configs/xen0_defconfig_x86_32       Fri Aug 
19 10:50:15 2005
@@ -541,7 +541,7 @@
 # CONFIG_IP_NF_MATCH_STATE is not set
 # CONFIG_IP_NF_MATCH_CONNTRACK is not set
 # CONFIG_IP_NF_MATCH_OWNER is not set
-# CONFIG_IP_NF_MATCH_PHYSDEV is not set
+CONFIG_IP_NF_MATCH_PHYSDEV=y
 # CONFIG_IP_NF_MATCH_ADDRTYPE is not set
 # CONFIG_IP_NF_MATCH_REALM is not set
 # CONFIG_IP_NF_MATCH_SCTP is not set
@@ -689,7 +689,7 @@
 # CONFIG_HAMACHI is not set
 # CONFIG_YELLOWFIN is not set
 # CONFIG_R8169 is not set
-# CONFIG_SK98LIN is not set
+CONFIG_SK98LIN=y
 # CONFIG_VIA_VELOCITY is not set
 CONFIG_TIGON3=y
 # CONFIG_BNX2 is not set
diff -r 3d45fb64b064 -r 509316987d65 
linux-2.6-xen-sparse/arch/xen/configs/xen0_defconfig_x86_64
--- a/linux-2.6-xen-sparse/arch/xen/configs/xen0_defconfig_x86_64       Fri Aug 
19 10:18:53 2005
+++ b/linux-2.6-xen-sparse/arch/xen/configs/xen0_defconfig_x86_64       Fri Aug 
19 10:50:15 2005
@@ -480,7 +480,7 @@
 # CONFIG_IP_NF_MATCH_STATE is not set
 # CONFIG_IP_NF_MATCH_CONNTRACK is not set
 # CONFIG_IP_NF_MATCH_OWNER is not set
-# CONFIG_IP_NF_MATCH_PHYSDEV is not set
+CONFIG_IP_NF_MATCH_PHYSDEV=y
 # CONFIG_IP_NF_MATCH_ADDRTYPE is not set
 # CONFIG_IP_NF_MATCH_REALM is not set
 # CONFIG_IP_NF_MATCH_SCTP is not set
@@ -611,7 +611,7 @@
 # CONFIG_HAMACHI is not set
 # CONFIG_YELLOWFIN is not set
 # CONFIG_R8169 is not set
-# CONFIG_SK98LIN is not set
+CONFIG_SK98LIN=y
 # CONFIG_VIA_VELOCITY is not set
 CONFIG_TIGON3=y
 # CONFIG_BNX2 is not set
diff -r 3d45fb64b064 -r 509316987d65 
linux-2.6-xen-sparse/arch/xen/configs/xenU_defconfig_x86_64
--- a/linux-2.6-xen-sparse/arch/xen/configs/xenU_defconfig_x86_64       Fri Aug 
19 10:18:53 2005
+++ b/linux-2.6-xen-sparse/arch/xen/configs/xenU_defconfig_x86_64       Fri Aug 
19 10:50:15 2005
@@ -1,7 +1,7 @@
 #
 # Automatically generated make config: don't edit
-# Linux kernel version: 2.6.12.4-xenU
-# Mon Aug 15 19:25:22 2005
+# Linux kernel version: 2.6.12-xenU
+# Thu Aug 18 11:15:14 2005
 #
 CONFIG_XEN=y
 CONFIG_ARCH_XEN=y
@@ -270,7 +270,10 @@
 CONFIG_IP_ROUTE_MULTIPATH=y
 # CONFIG_IP_ROUTE_MULTIPATH_CACHED is not set
 CONFIG_IP_ROUTE_VERBOSE=y
-# CONFIG_IP_PNP is not set
+CONFIG_IP_PNP=y
+CONFIG_IP_PNP_DHCP=y
+CONFIG_IP_PNP_BOOTP=y
+CONFIG_IP_PNP_RARP=y
 CONFIG_NET_IPIP=m
 CONFIG_NET_IPGRE=m
 CONFIG_NET_IPGRE_BROADCAST=y
diff -r 3d45fb64b064 -r 509316987d65 
linux-2.6-xen-sparse/arch/xen/i386/kernel/Makefile
--- a/linux-2.6-xen-sparse/arch/xen/i386/kernel/Makefile        Fri Aug 19 
10:18:53 2005
+++ b/linux-2.6-xen-sparse/arch/xen/i386/kernel/Makefile        Fri Aug 19 
10:50:15 2005
@@ -44,7 +44,7 @@
 c-obj-$(CONFIG_EFI)            += efi.o efi_stub.o
 c-obj-$(CONFIG_EARLY_PRINTK)   += early_printk.o
 c-obj-$(CONFIG_SMP_ALTERNATIVES)+= smpalts.o
-c-obj-$(CONFIG_SWIOTLB)                += swiotlb.o
+obj-$(CONFIG_SWIOTLB)          += swiotlb.o
 
 EXTRA_AFLAGS   := -traditional
 
diff -r 3d45fb64b064 -r 509316987d65 
linux-2.6-xen-sparse/arch/xen/i386/kernel/pci-dma.c
--- a/linux-2.6-xen-sparse/arch/xen/i386/kernel/pci-dma.c       Fri Aug 19 
10:18:53 2005
+++ b/linux-2.6-xen-sparse/arch/xen/i386/kernel/pci-dma.c       Fri Aug 19 
10:50:15 2005
@@ -24,13 +24,14 @@
        unsigned long   *bitmap;
 };
 
-static void iommu_bug(void)
-{
-       printk(KERN_ALERT "Fatal DMA error! Please use 'swiotlb=force'\n");
-       BUG();
-}
-
-#define IOMMU_BUG_ON(test) do { if (unlikely(test)) iommu_bug(); } while(0)
+#define IOMMU_BUG_ON(test)                             \
+do {                                                   \
+       if (unlikely(test)) {                           \
+               printk(KERN_ALERT "Fatal DMA error! "   \
+                      "Please use 'swiotlb=force'\n"); \
+               BUG();                                  \
+       }                                               \
+} while (0)
 
 int
 dma_map_sg(struct device *hwdev, struct scatterlist *sg, int nents,
diff -r 3d45fb64b064 -r 509316987d65 
linux-2.6-xen-sparse/arch/xen/i386/kernel/smp.c
--- a/linux-2.6-xen-sparse/arch/xen/i386/kernel/smp.c   Fri Aug 19 10:18:53 2005
+++ b/linux-2.6-xen-sparse/arch/xen/i386/kernel/smp.c   Fri Aug 19 10:50:15 2005
@@ -129,8 +129,6 @@
 
 DECLARE_PER_CPU(int, ipi_to_evtchn[NR_IPIS]);
 
-extern unsigned uber_debug;
-
 static inline void __send_IPI_one(unsigned int cpu, int vector)
 {
        unsigned int evtchn;
@@ -144,9 +142,6 @@
                       synch_test_bit(evtchn, &s->evtchn_mask[0]))
                        ;
 #endif
-               if (uber_debug)
-                       printk("<0>Send ipi %d to %d evtchn %d.\n",
-                              vector, cpu, evtchn);
                notify_via_evtchn(evtchn);
        } else
                printk("send_IPI to unbound port %d/%d",
@@ -605,7 +600,6 @@
        void (*func) (void *info) = call_data->func;
        void *info = call_data->info;
        int wait = call_data->wait;
-       extern unsigned uber_debug;
 
        /*
         * Notify initiating CPU that I've grabbed the data and am
@@ -617,9 +611,6 @@
         * At this point the info structure may be out of scope unless wait==1
         */
        irq_enter();
-       if (uber_debug && smp_processor_id())
-               printk("<0>Processor %d calling %p.\n", smp_processor_id(),
-                      func);
        (*func)(info);
        irq_exit();
 
diff -r 3d45fb64b064 -r 509316987d65 
linux-2.6-xen-sparse/arch/xen/i386/kernel/swiotlb.c
--- a/linux-2.6-xen-sparse/arch/xen/i386/kernel/swiotlb.c       Fri Aug 19 
10:18:53 2005
+++ b/linux-2.6-xen-sparse/arch/xen/i386/kernel/swiotlb.c       Fri Aug 19 
10:50:15 2005
@@ -49,13 +49,14 @@
  * swiotlb_sync_single_*, to see if the memory was in fact allocated by this
  * API.
  */
-static char *io_tlb_start, *io_tlb_end;
-
-/*
- * The number of IO TLB blocks (in groups of 64) betweeen io_tlb_start and
- * io_tlb_end.  This is command line adjustable via setup_io_tlb_npages.
- */
-static unsigned long io_tlb_nslabs;
+static char *iotlb_virt_start, *iotlb_virt_end;
+static dma_addr_t iotlb_bus_start, iotlb_bus_end;
+
+/*
+ * The number of IO TLB blocks (in groups of 64) betweeen iotlb_virt_start and
+ * iotlb_virt_end.  This is command line adjustable via setup_io_tlb_npages.
+ */
+static unsigned long iotlb_nslabs;
 
 /*
  * When the IOMMU overflows we return a fallback buffer. This sets the size.
@@ -88,11 +89,11 @@
 static int __init
 setup_io_tlb_npages(char *str)
 {
+       /* Unlike ia64, the size is aperture in megabytes, not 'slabs'! */
        if (isdigit(*str)) {
-               io_tlb_nslabs = simple_strtoul(str, &str, 0) <<
-                       (PAGE_SHIFT - IO_TLB_SHIFT);
-               /* avoid tail segment of size < IO_TLB_SEGSIZE */
-               io_tlb_nslabs = ALIGN(io_tlb_nslabs, IO_TLB_SEGSIZE);
+               iotlb_nslabs = simple_strtoul(str, &str, 0) <<
+                       (20 - IO_TLB_SHIFT);
+               iotlb_nslabs = ALIGN(iotlb_nslabs, IO_TLB_SEGSIZE);
        }
        if (*str == ',')
                ++str;
@@ -114,45 +115,56 @@
 void
 swiotlb_init_with_default_size (size_t default_size)
 {
-       unsigned long i;
-
-       if (!io_tlb_nslabs) {
-               io_tlb_nslabs = (default_size >> PAGE_SHIFT);
-               io_tlb_nslabs = ALIGN(io_tlb_nslabs, IO_TLB_SEGSIZE);
-       }
+       unsigned long i, bytes;
+
+       if (!iotlb_nslabs) {
+               iotlb_nslabs = (default_size >> IO_TLB_SHIFT);
+               iotlb_nslabs = ALIGN(iotlb_nslabs, IO_TLB_SEGSIZE);
+       }
+
+       bytes = iotlb_nslabs * (1UL << IO_TLB_SHIFT);
 
        /*
         * Get IO TLB memory from the low pages
         */
-       io_tlb_start = alloc_bootmem_low_pages(io_tlb_nslabs *
-                                              (1 << IO_TLB_SHIFT));
-       if (!io_tlb_start)
-               panic("Cannot allocate SWIOTLB buffer");
-
-       xen_create_contiguous_region(
-               (unsigned long)io_tlb_start, 
-               get_order(io_tlb_nslabs * (1 << IO_TLB_SHIFT)));
-
-       io_tlb_end = io_tlb_start + io_tlb_nslabs * (1 << IO_TLB_SHIFT);
+       iotlb_virt_start = alloc_bootmem_low_pages(bytes);
+       if (!iotlb_virt_start)
+               panic("Cannot allocate SWIOTLB buffer!\n"
+                     "Use dom0_mem Xen boot parameter to reserve\n"
+                     "some DMA memory (e.g., dom0_mem=-128M).\n");
+
+       for (i = 0; i < iotlb_nslabs; i += IO_TLB_SEGSIZE)
+               xen_create_contiguous_region(
+                       (unsigned long)iotlb_virt_start + (i << IO_TLB_SHIFT),
+                       get_order(IO_TLB_SEGSIZE << IO_TLB_SHIFT));
+
+       iotlb_virt_end = iotlb_virt_start + bytes;
 
        /*
         * Allocate and initialize the free list array.  This array is used
         * to find contiguous free memory regions of size up to IO_TLB_SEGSIZE
-        * between io_tlb_start and io_tlb_end.
-        */
-       io_tlb_list = alloc_bootmem(io_tlb_nslabs * sizeof(int));
-       for (i = 0; i < io_tlb_nslabs; i++)
+        * between iotlb_virt_start and iotlb_virt_end.
+        */
+       io_tlb_list = alloc_bootmem(iotlb_nslabs * sizeof(int));
+       for (i = 0; i < iotlb_nslabs; i++)
                io_tlb_list[i] = IO_TLB_SEGSIZE - OFFSET(i, IO_TLB_SEGSIZE);
        io_tlb_index = 0;
        io_tlb_orig_addr = alloc_bootmem(
-               io_tlb_nslabs * sizeof(*io_tlb_orig_addr));
+               iotlb_nslabs * sizeof(*io_tlb_orig_addr));
 
        /*
         * Get the overflow emergency buffer
         */
        io_tlb_overflow_buffer = alloc_bootmem_low(io_tlb_overflow);
-       printk(KERN_INFO "Placing software IO TLB between 0x%lx - 0x%lx\n",
-              virt_to_bus(io_tlb_start), virt_to_bus(io_tlb_end-1));
+       iotlb_bus_start = virt_to_bus(iotlb_virt_start);
+       iotlb_bus_end   = iotlb_bus_start + bytes;
+       printk(KERN_INFO "Software IO TLB enabled: \n"
+              " Aperture:     %lu megabytes\n"
+              " Bus range:    0x%016lx - 0x%016lx\n"
+              " Kernel range: 0x%016lx - 0x%016lx\n",
+              bytes >> 20,
+              (unsigned long)iotlb_bus_start, (unsigned long)iotlb_bus_end,
+              (unsigned long)iotlb_virt_start, (unsigned long)iotlb_virt_end);
 }
 
 void
@@ -240,7 +252,7 @@
        {
                wrap = index = ALIGN(io_tlb_index, stride);
 
-               if (index >= io_tlb_nslabs)
+               if (index >= iotlb_nslabs)
                        wrap = index = 0;
 
                do {
@@ -260,7 +272,7 @@
                                      IO_TLB_SEGSIZE -1) && io_tlb_list[i];
                                     i--)
                                        io_tlb_list[i] = ++count;
-                               dma_addr = io_tlb_start +
+                               dma_addr = iotlb_virt_start +
                                        (index << IO_TLB_SHIFT);
 
                                /*
@@ -268,13 +280,13 @@
                                 * the next round.
                                 */
                                io_tlb_index = 
-                                       ((index + nslots) < io_tlb_nslabs
+                                       ((index + nslots) < iotlb_nslabs
                                         ? (index + nslots) : 0);
 
                                goto found;
                        }
                        index += stride;
-                       if (index >= io_tlb_nslabs)
+                       if (index >= iotlb_nslabs)
                                index = 0;
                } while (index != wrap);
 
@@ -304,7 +316,7 @@
 {
        unsigned long flags;
        int i, count, nslots = ALIGN(size, 1 << IO_TLB_SHIFT) >> IO_TLB_SHIFT;
-       int index = (dma_addr - io_tlb_start) >> IO_TLB_SHIFT;
+       int index = (dma_addr - iotlb_virt_start) >> IO_TLB_SHIFT;
        struct phys_addr buffer = io_tlb_orig_addr[index];
 
        /*
@@ -345,7 +357,7 @@
 static void
 sync_single(struct device *hwdev, char *dma_addr, size_t size, int dir)
 {
-       int index = (dma_addr - io_tlb_start) >> IO_TLB_SHIFT;
+       int index = (dma_addr - iotlb_virt_start) >> IO_TLB_SHIFT;
        struct phys_addr buffer = io_tlb_orig_addr[index];
        BUG_ON((dir != DMA_FROM_DEVICE) && (dir != DMA_TO_DEVICE));
        __sync_single(buffer, dma_addr, size, dir);
@@ -431,11 +443,9 @@
 swiotlb_unmap_single(struct device *hwdev, dma_addr_t dev_addr, size_t size,
                     int dir)
 {
-       char *dma_addr = bus_to_virt(dev_addr);
-
-       BUG_ON(dir == DMA_NONE);
-       if (dma_addr >= io_tlb_start && dma_addr < io_tlb_end)
-               unmap_single(hwdev, dma_addr, size, dir);
+       BUG_ON(dir == DMA_NONE);
+       if ((dev_addr >= iotlb_bus_start) && (dev_addr < iotlb_bus_end))
+               unmap_single(hwdev, bus_to_virt(dev_addr), size, dir);
 }
 
 /*
@@ -452,22 +462,18 @@
 swiotlb_sync_single_for_cpu(struct device *hwdev, dma_addr_t dev_addr,
                            size_t size, int dir)
 {
-       char *dma_addr = bus_to_virt(dev_addr);
-
-       BUG_ON(dir == DMA_NONE);
-       if (dma_addr >= io_tlb_start && dma_addr < io_tlb_end)
-               sync_single(hwdev, dma_addr, size, dir);
+       BUG_ON(dir == DMA_NONE);
+       if ((dev_addr >= iotlb_bus_start) && (dev_addr < iotlb_bus_end))
+               sync_single(hwdev, bus_to_virt(dev_addr), size, dir);
 }
 
 void
 swiotlb_sync_single_for_device(struct device *hwdev, dma_addr_t dev_addr,
                               size_t size, int dir)
 {
-       char *dma_addr = bus_to_virt(dev_addr);
-
-       BUG_ON(dir == DMA_NONE);
-       if (dma_addr >= io_tlb_start && dma_addr < io_tlb_end)
-               sync_single(hwdev, dma_addr, size, dir);
+       BUG_ON(dir == DMA_NONE);
+       if ((dev_addr >= iotlb_bus_start) && (dev_addr < iotlb_bus_end))
+               sync_single(hwdev, bus_to_virt(dev_addr), size, dir);
 }
 
 /*
@@ -603,11 +609,9 @@
 swiotlb_unmap_page(struct device *hwdev, dma_addr_t dma_address,
                   size_t size, enum dma_data_direction direction)
 {
-       char *dma_addr = bus_to_virt(dma_address);
-
        BUG_ON(direction == DMA_NONE);
-       if (dma_addr >= io_tlb_start && dma_addr < io_tlb_end)
-               unmap_single(hwdev, dma_addr, size, direction);
+       if ((dma_address >= iotlb_bus_start) && (dma_address < iotlb_bus_end))
+               unmap_single(hwdev, bus_to_virt(dma_address), size, direction);
 }
 
 int
diff -r 3d45fb64b064 -r 509316987d65 
linux-2.6-xen-sparse/arch/xen/i386/mm/hypervisor.c
--- a/linux-2.6-xen-sparse/arch/xen/i386/mm/hypervisor.c        Fri Aug 19 
10:18:53 2005
+++ b/linux-2.6-xen-sparse/arch/xen/i386/mm/hypervisor.c        Fri Aug 19 
10:50:15 2005
@@ -59,124 +59,124 @@
 #ifndef CONFIG_XEN_SHADOW_MODE
 void xen_l1_entry_update(pte_t *ptr, pte_t val)
 {
-    mmu_update_t u;
-    u.ptr = virt_to_machine(ptr);
-    u.val = pte_val_ma(val);
-    BUG_ON(HYPERVISOR_mmu_update(&u, 1, NULL, DOMID_SELF) < 0);
+       mmu_update_t u;
+       u.ptr = virt_to_machine(ptr);
+       u.val = pte_val_ma(val);
+       BUG_ON(HYPERVISOR_mmu_update(&u, 1, NULL, DOMID_SELF) < 0);
 }
 
 void xen_l2_entry_update(pmd_t *ptr, pmd_t val)
 {
-    mmu_update_t u;
-    u.ptr = virt_to_machine(ptr);
-    u.val = pmd_val_ma(val);
-    BUG_ON(HYPERVISOR_mmu_update(&u, 1, NULL, DOMID_SELF) < 0);
+       mmu_update_t u;
+       u.ptr = virt_to_machine(ptr);
+       u.val = pmd_val_ma(val);
+       BUG_ON(HYPERVISOR_mmu_update(&u, 1, NULL, DOMID_SELF) < 0);
 }
 
 #ifdef CONFIG_X86_PAE
 void xen_l3_entry_update(pud_t *ptr, pud_t val)
 {
-    mmu_update_t u;
-    u.ptr = virt_to_machine(ptr);
-    u.val = pud_val_ma(val);
-    BUG_ON(HYPERVISOR_mmu_update(&u, 1, NULL, DOMID_SELF) < 0);
+       mmu_update_t u;
+       u.ptr = virt_to_machine(ptr);
+       u.val = pud_val_ma(val);
+       BUG_ON(HYPERVISOR_mmu_update(&u, 1, NULL, DOMID_SELF) < 0);
 }
 #endif
 
 #ifdef CONFIG_X86_64
 void xen_l3_entry_update(pud_t *ptr, pud_t val)
 {
-    mmu_update_t u;
-    u.ptr = virt_to_machine(ptr);
-    u.val = val.pud;
-    BUG_ON(HYPERVISOR_mmu_update(&u, 1, NULL, DOMID_SELF) < 0);
+       mmu_update_t u;
+       u.ptr = virt_to_machine(ptr);
+       u.val = val.pud;
+       BUG_ON(HYPERVISOR_mmu_update(&u, 1, NULL, DOMID_SELF) < 0);
 }
 
 void xen_l4_entry_update(pgd_t *ptr, pgd_t val)
 {
-    mmu_update_t u;
-    u.ptr = virt_to_machine(ptr);
-    u.val = val.pgd;
-    BUG_ON(HYPERVISOR_mmu_update(&u, 1, NULL, DOMID_SELF) < 0);
+       mmu_update_t u;
+       u.ptr = virt_to_machine(ptr);
+       u.val = val.pgd;
+       BUG_ON(HYPERVISOR_mmu_update(&u, 1, NULL, DOMID_SELF) < 0);
 }
 #endif /* CONFIG_X86_64 */
 #endif /* CONFIG_XEN_SHADOW_MODE */
 
 void xen_machphys_update(unsigned long mfn, unsigned long pfn)
 {
-    mmu_update_t u;
-    u.ptr = (mfn << PAGE_SHIFT) | MMU_MACHPHYS_UPDATE;
-    u.val = pfn;
-    BUG_ON(HYPERVISOR_mmu_update(&u, 1, NULL, DOMID_SELF) < 0);
+       mmu_update_t u;
+       u.ptr = (mfn << PAGE_SHIFT) | MMU_MACHPHYS_UPDATE;
+       u.val = pfn;
+       BUG_ON(HYPERVISOR_mmu_update(&u, 1, NULL, DOMID_SELF) < 0);
 }
 
 void xen_pt_switch(unsigned long ptr)
 {
-    struct mmuext_op op;
-    op.cmd = MMUEXT_NEW_BASEPTR;
-    op.mfn = pfn_to_mfn(ptr >> PAGE_SHIFT);
-    BUG_ON(HYPERVISOR_mmuext_op(&op, 1, NULL, DOMID_SELF) < 0);
+       struct mmuext_op op;
+       op.cmd = MMUEXT_NEW_BASEPTR;
+       op.mfn = pfn_to_mfn(ptr >> PAGE_SHIFT);
+       BUG_ON(HYPERVISOR_mmuext_op(&op, 1, NULL, DOMID_SELF) < 0);
 }
 
 void xen_new_user_pt(unsigned long ptr)
 {
-    struct mmuext_op op;
-    op.cmd = MMUEXT_NEW_USER_BASEPTR;
-    op.mfn = pfn_to_mfn(ptr >> PAGE_SHIFT);
-    BUG_ON(HYPERVISOR_mmuext_op(&op, 1, NULL, DOMID_SELF) < 0);
+       struct mmuext_op op;
+       op.cmd = MMUEXT_NEW_USER_BASEPTR;
+       op.mfn = pfn_to_mfn(ptr >> PAGE_SHIFT);
+       BUG_ON(HYPERVISOR_mmuext_op(&op, 1, NULL, DOMID_SELF) < 0);
 }
 
 void xen_tlb_flush(void)
 {
-    struct mmuext_op op;
-    op.cmd = MMUEXT_TLB_FLUSH_LOCAL;
-    BUG_ON(HYPERVISOR_mmuext_op(&op, 1, NULL, DOMID_SELF) < 0);
+       struct mmuext_op op;
+       op.cmd = MMUEXT_TLB_FLUSH_LOCAL;
+       BUG_ON(HYPERVISOR_mmuext_op(&op, 1, NULL, DOMID_SELF) < 0);
 }
 
 void xen_invlpg(unsigned long ptr)
 {
-    struct mmuext_op op;
-    op.cmd = MMUEXT_INVLPG_LOCAL;
-    op.linear_addr = ptr & PAGE_MASK;
-    BUG_ON(HYPERVISOR_mmuext_op(&op, 1, NULL, DOMID_SELF) < 0);
+       struct mmuext_op op;
+       op.cmd = MMUEXT_INVLPG_LOCAL;
+       op.linear_addr = ptr & PAGE_MASK;
+       BUG_ON(HYPERVISOR_mmuext_op(&op, 1, NULL, DOMID_SELF) < 0);
 }
 
 #ifdef CONFIG_SMP
 
 void xen_tlb_flush_all(void)
 {
-    struct mmuext_op op;
-    op.cmd = MMUEXT_TLB_FLUSH_ALL;
-    BUG_ON(HYPERVISOR_mmuext_op(&op, 1, NULL, DOMID_SELF) < 0);
+       struct mmuext_op op;
+       op.cmd = MMUEXT_TLB_FLUSH_ALL;
+       BUG_ON(HYPERVISOR_mmuext_op(&op, 1, NULL, DOMID_SELF) < 0);
 }
 
 void xen_tlb_flush_mask(cpumask_t *mask)
 {
-    struct mmuext_op op;
-    if ( cpus_empty(*mask) )
-        return;
-    op.cmd = MMUEXT_TLB_FLUSH_MULTI;
-    op.vcpumask = mask->bits;
-    BUG_ON(HYPERVISOR_mmuext_op(&op, 1, NULL, DOMID_SELF) < 0);
+       struct mmuext_op op;
+       if ( cpus_empty(*mask) )
+               return;
+       op.cmd = MMUEXT_TLB_FLUSH_MULTI;
+       op.vcpumask = mask->bits;
+       BUG_ON(HYPERVISOR_mmuext_op(&op, 1, NULL, DOMID_SELF) < 0);
 }
 
 void xen_invlpg_all(unsigned long ptr)
 {
-    struct mmuext_op op;
-    op.cmd = MMUEXT_INVLPG_ALL;
-    op.linear_addr = ptr & PAGE_MASK;
-    BUG_ON(HYPERVISOR_mmuext_op(&op, 1, NULL, DOMID_SELF) < 0);
+       struct mmuext_op op;
+       op.cmd = MMUEXT_INVLPG_ALL;
+       op.linear_addr = ptr & PAGE_MASK;
+       BUG_ON(HYPERVISOR_mmuext_op(&op, 1, NULL, DOMID_SELF) < 0);
 }
 
 void xen_invlpg_mask(cpumask_t *mask, unsigned long ptr)
 {
-    struct mmuext_op op;
-    if ( cpus_empty(*mask) )
-        return;
-    op.cmd = MMUEXT_INVLPG_MULTI;
-    op.vcpumask = mask->bits;
-    op.linear_addr = ptr & PAGE_MASK;
-    BUG_ON(HYPERVISOR_mmuext_op(&op, 1, NULL, DOMID_SELF) < 0);
+       struct mmuext_op op;
+       if ( cpus_empty(*mask) )
+               return;
+       op.cmd = MMUEXT_INVLPG_MULTI;
+       op.vcpumask = mask->bits;
+       op.linear_addr = ptr & PAGE_MASK;
+       BUG_ON(HYPERVISOR_mmuext_op(&op, 1, NULL, DOMID_SELF) < 0);
 }
 
 #endif /* CONFIG_SMP */
@@ -184,221 +184,281 @@
 #ifndef CONFIG_XEN_SHADOW_MODE
 void xen_pgd_pin(unsigned long ptr)
 {
-    struct mmuext_op op;
+       struct mmuext_op op;
 #ifdef CONFIG_X86_64
-    op.cmd = MMUEXT_PIN_L4_TABLE;
+       op.cmd = MMUEXT_PIN_L4_TABLE;
 #elif defined(CONFIG_X86_PAE)
-    op.cmd = MMUEXT_PIN_L3_TABLE;
+       op.cmd = MMUEXT_PIN_L3_TABLE;
 #else
-    op.cmd = MMUEXT_PIN_L2_TABLE;
-#endif
-    op.mfn = pfn_to_mfn(ptr >> PAGE_SHIFT);
-    BUG_ON(HYPERVISOR_mmuext_op(&op, 1, NULL, DOMID_SELF) < 0);
+       op.cmd = MMUEXT_PIN_L2_TABLE;
+#endif
+       op.mfn = pfn_to_mfn(ptr >> PAGE_SHIFT);
+       BUG_ON(HYPERVISOR_mmuext_op(&op, 1, NULL, DOMID_SELF) < 0);
 }
 
 void xen_pgd_unpin(unsigned long ptr)
 {
-    struct mmuext_op op;
-    op.cmd = MMUEXT_UNPIN_TABLE;
-    op.mfn = pfn_to_mfn(ptr >> PAGE_SHIFT);
-    BUG_ON(HYPERVISOR_mmuext_op(&op, 1, NULL, DOMID_SELF) < 0);
+       struct mmuext_op op;
+       op.cmd = MMUEXT_UNPIN_TABLE;
+       op.mfn = pfn_to_mfn(ptr >> PAGE_SHIFT);
+       BUG_ON(HYPERVISOR_mmuext_op(&op, 1, NULL, DOMID_SELF) < 0);
 }
 
 void xen_pte_pin(unsigned long ptr)
 {
-    struct mmuext_op op;
-    op.cmd = MMUEXT_PIN_L1_TABLE;
-    op.mfn = pfn_to_mfn(ptr >> PAGE_SHIFT);
-    BUG_ON(HYPERVISOR_mmuext_op(&op, 1, NULL, DOMID_SELF) < 0);
+       struct mmuext_op op;
+       op.cmd = MMUEXT_PIN_L1_TABLE;
+       op.mfn = pfn_to_mfn(ptr >> PAGE_SHIFT);
+       BUG_ON(HYPERVISOR_mmuext_op(&op, 1, NULL, DOMID_SELF) < 0);
 }
 
 void xen_pte_unpin(unsigned long ptr)
 {
-    struct mmuext_op op;
-    op.cmd = MMUEXT_UNPIN_TABLE;
-    op.mfn = pfn_to_mfn(ptr >> PAGE_SHIFT);
-    BUG_ON(HYPERVISOR_mmuext_op(&op, 1, NULL, DOMID_SELF) < 0);
+       struct mmuext_op op;
+       op.cmd = MMUEXT_UNPIN_TABLE;
+       op.mfn = pfn_to_mfn(ptr >> PAGE_SHIFT);
+       BUG_ON(HYPERVISOR_mmuext_op(&op, 1, NULL, DOMID_SELF) < 0);
 }
 
 #ifdef CONFIG_X86_64
 void xen_pud_pin(unsigned long ptr)
 {
-    struct mmuext_op op;
-    op.cmd = MMUEXT_PIN_L3_TABLE;
-    op.mfn = pfn_to_mfn(ptr >> PAGE_SHIFT);
-    BUG_ON(HYPERVISOR_mmuext_op(&op, 1, NULL, DOMID_SELF) < 0);
+       struct mmuext_op op;
+       op.cmd = MMUEXT_PIN_L3_TABLE;
+       op.mfn = pfn_to_mfn(ptr >> PAGE_SHIFT);
+       BUG_ON(HYPERVISOR_mmuext_op(&op, 1, NULL, DOMID_SELF) < 0);
 }
 
 void xen_pud_unpin(unsigned long ptr)
 {
-    struct mmuext_op op;
-    op.cmd = MMUEXT_UNPIN_TABLE;
-    op.mfn = pfn_to_mfn(ptr >> PAGE_SHIFT);
-    BUG_ON(HYPERVISOR_mmuext_op(&op, 1, NULL, DOMID_SELF) < 0);
+       struct mmuext_op op;
+       op.cmd = MMUEXT_UNPIN_TABLE;
+       op.mfn = pfn_to_mfn(ptr >> PAGE_SHIFT);
+       BUG_ON(HYPERVISOR_mmuext_op(&op, 1, NULL, DOMID_SELF) < 0);
 }
 
 void xen_pmd_pin(unsigned long ptr)
 {
-    struct mmuext_op op;
-    op.cmd = MMUEXT_PIN_L2_TABLE;
-    op.mfn = pfn_to_mfn(ptr >> PAGE_SHIFT);
-    BUG_ON(HYPERVISOR_mmuext_op(&op, 1, NULL, DOMID_SELF) < 0);
+       struct mmuext_op op;
+       op.cmd = MMUEXT_PIN_L2_TABLE;
+       op.mfn = pfn_to_mfn(ptr >> PAGE_SHIFT);
+       BUG_ON(HYPERVISOR_mmuext_op(&op, 1, NULL, DOMID_SELF) < 0);
 }
 
 void xen_pmd_unpin(unsigned long ptr)
 {
-    struct mmuext_op op;
-    op.cmd = MMUEXT_UNPIN_TABLE;
-    op.mfn = pfn_to_mfn(ptr >> PAGE_SHIFT);
-    BUG_ON(HYPERVISOR_mmuext_op(&op, 1, NULL, DOMID_SELF) < 0);
+       struct mmuext_op op;
+       op.cmd = MMUEXT_UNPIN_TABLE;
+       op.mfn = pfn_to_mfn(ptr >> PAGE_SHIFT);
+       BUG_ON(HYPERVISOR_mmuext_op(&op, 1, NULL, DOMID_SELF) < 0);
 }
 #endif /* CONFIG_X86_64 */
 #endif /* CONFIG_XEN_SHADOW_MODE */
 
 void xen_set_ldt(unsigned long ptr, unsigned long len)
 {
-    struct mmuext_op op;
-    op.cmd = MMUEXT_SET_LDT;
-    op.linear_addr = ptr;
-    op.nr_ents = len;
-    BUG_ON(HYPERVISOR_mmuext_op(&op, 1, NULL, DOMID_SELF) < 0);
+       struct mmuext_op op;
+       op.cmd = MMUEXT_SET_LDT;
+       op.linear_addr = ptr;
+       op.nr_ents = len;
+       BUG_ON(HYPERVISOR_mmuext_op(&op, 1, NULL, DOMID_SELF) < 0);
+}
+
+/*
+ * Bitmap is indexed by page number. If bit is set, the page is part of a
+ * xen_create_contiguous_region() area of memory.
+ */
+unsigned long *contiguous_bitmap;
+
+static void contiguous_bitmap_set(
+       unsigned long first_page, unsigned long nr_pages)
+{
+       unsigned long start_off, end_off, curr_idx, end_idx;
+
+       curr_idx  = first_page / BITS_PER_LONG;
+       start_off = first_page & (BITS_PER_LONG-1);
+       end_idx   = (first_page + nr_pages) / BITS_PER_LONG;
+       end_off   = (first_page + nr_pages) & (BITS_PER_LONG-1);
+
+       if (curr_idx == end_idx) {
+               contiguous_bitmap[curr_idx] |=
+                       ((1UL<<end_off)-1) & -(1UL<<start_off);
+       } else {
+               contiguous_bitmap[curr_idx] |= -(1UL<<start_off);
+               while ( ++curr_idx < end_idx )
+                       contiguous_bitmap[curr_idx] = ~0UL;
+               contiguous_bitmap[curr_idx] |= (1UL<<end_off)-1;
+       }
+}
+
+static void contiguous_bitmap_clear(
+       unsigned long first_page, unsigned long nr_pages)
+{
+       unsigned long start_off, end_off, curr_idx, end_idx;
+
+       curr_idx  = first_page / BITS_PER_LONG;
+       start_off = first_page & (BITS_PER_LONG-1);
+       end_idx   = (first_page + nr_pages) / BITS_PER_LONG;
+       end_off   = (first_page + nr_pages) & (BITS_PER_LONG-1);
+
+       if (curr_idx == end_idx) {
+               contiguous_bitmap[curr_idx] &=
+                       -(1UL<<end_off) | ((1UL<<start_off)-1);
+       } else {
+               contiguous_bitmap[curr_idx] &= (1UL<<start_off)-1;
+               while ( ++curr_idx != end_idx )
+                       contiguous_bitmap[curr_idx] = 0;
+               contiguous_bitmap[curr_idx] &= -(1UL<<end_off);
+       }
 }
 
 /* Ensure multi-page extents are contiguous in machine memory. */
 void xen_create_contiguous_region(unsigned long vstart, unsigned int order)
 {
-    pgd_t         *pgd; 
-    pud_t         *pud; 
-    pmd_t         *pmd;
-    pte_t         *pte;
-    unsigned long  mfn, i, flags;
-
-    scrub_pages(vstart, 1 << order);
-
-    balloon_lock(flags);
-
-    /* 1. Zap current PTEs, giving away the underlying pages. */
-    for (i = 0; i < (1<<order); i++) {
-        pgd = pgd_offset_k(vstart + (i*PAGE_SIZE));
-        pud = pud_offset(pgd, (vstart + (i*PAGE_SIZE)));
-        pmd = pmd_offset(pud, (vstart + (i*PAGE_SIZE)));
-        pte = pte_offset_kernel(pmd, (vstart + (i*PAGE_SIZE)));
-        mfn = pte_mfn(*pte);
-        BUG_ON(HYPERVISOR_update_va_mapping(
-            vstart + (i*PAGE_SIZE), __pte_ma(0), 0));
-        phys_to_machine_mapping[(__pa(vstart)>>PAGE_SHIFT)+i] =
-            INVALID_P2M_ENTRY;
-        BUG_ON(HYPERVISOR_dom_mem_op(
-            MEMOP_decrease_reservation, &mfn, 1, 0) != 1);
-    }
-
-    /* 2. Get a new contiguous memory extent. */
-    BUG_ON(HYPERVISOR_dom_mem_op(
-              MEMOP_increase_reservation, &mfn, 1, order | (32<<8)) != 1);
-
-    /* 3. Map the new extent in place of old pages. */
-    for (i = 0; i < (1<<order); i++) {
-        BUG_ON(HYPERVISOR_update_va_mapping(
-            vstart + (i*PAGE_SIZE),
-            __pte_ma(((mfn+i)<<PAGE_SHIFT)|__PAGE_KERNEL), 0));
-        xen_machphys_update(mfn+i, (__pa(vstart)>>PAGE_SHIFT)+i);
-        phys_to_machine_mapping[(__pa(vstart)>>PAGE_SHIFT)+i] = mfn+i;
-    }
-
-    flush_tlb_all();
-
-    balloon_unlock(flags);
+       pgd_t         *pgd; 
+       pud_t         *pud; 
+       pmd_t         *pmd;
+       pte_t         *pte;
+       unsigned long  mfn, i, flags;
+
+       scrub_pages(vstart, 1 << order);
+
+       balloon_lock(flags);
+
+       /* 1. Zap current PTEs, giving away the underlying pages. */
+       for (i = 0; i < (1<<order); i++) {
+               pgd = pgd_offset_k(vstart + (i*PAGE_SIZE));
+               pud = pud_offset(pgd, (vstart + (i*PAGE_SIZE)));
+               pmd = pmd_offset(pud, (vstart + (i*PAGE_SIZE)));
+               pte = pte_offset_kernel(pmd, (vstart + (i*PAGE_SIZE)));
+               mfn = pte_mfn(*pte);
+               BUG_ON(HYPERVISOR_update_va_mapping(
+                       vstart + (i*PAGE_SIZE), __pte_ma(0), 0));
+               phys_to_machine_mapping[(__pa(vstart)>>PAGE_SHIFT)+i] =
+                       INVALID_P2M_ENTRY;
+               BUG_ON(HYPERVISOR_dom_mem_op(
+                       MEMOP_decrease_reservation, &mfn, 1, 0) != 1);
+       }
+
+       /* 2. Get a new contiguous memory extent. */
+       BUG_ON(HYPERVISOR_dom_mem_op(
+               MEMOP_increase_reservation, &mfn, 1, order | (32<<8)) != 1);
+
+       /* 3. Map the new extent in place of old pages. */
+       for (i = 0; i < (1<<order); i++) {
+               BUG_ON(HYPERVISOR_update_va_mapping(
+                       vstart + (i*PAGE_SIZE),
+                       pfn_pte_ma(mfn+i, PAGE_KERNEL), 0));
+               xen_machphys_update(mfn+i, (__pa(vstart)>>PAGE_SHIFT)+i);
+               phys_to_machine_mapping[(__pa(vstart)>>PAGE_SHIFT)+i] = mfn+i;
+       }
+
+       flush_tlb_all();
+
+       contiguous_bitmap_set(__pa(vstart) >> PAGE_SHIFT, 1UL << order);
+
+       balloon_unlock(flags);
 }
 
 void xen_destroy_contiguous_region(unsigned long vstart, unsigned int order)
 {
-    pgd_t         *pgd; 
-    pud_t         *pud; 
-    pmd_t         *pmd;
-    pte_t         *pte;
-    unsigned long  mfn, i, flags;
-
-    scrub_pages(vstart, 1 << order);
-
-    balloon_lock(flags);
-
-    /* 1. Zap current PTEs, giving away the underlying pages. */
-    for (i = 0; i < (1<<order); i++) {
-        pgd = pgd_offset_k(vstart + (i*PAGE_SIZE));
-        pud = pud_offset(pgd, (vstart + (i*PAGE_SIZE)));
-        pmd = pmd_offset(pud, (vstart + (i*PAGE_SIZE)));
-        pte = pte_offset_kernel(pmd, (vstart + (i*PAGE_SIZE)));
-        mfn = pte_mfn(*pte);
-        BUG_ON(HYPERVISOR_update_va_mapping(
-            vstart + (i*PAGE_SIZE), __pte_ma(0), 0));
-        phys_to_machine_mapping[(__pa(vstart)>>PAGE_SHIFT)+i] =
-            INVALID_P2M_ENTRY;
-        BUG_ON(HYPERVISOR_dom_mem_op(
-            MEMOP_decrease_reservation, &mfn, 1, 0) != 1);
-    }
-
-    /* 2. Map new pages in place of old pages. */
-    for (i = 0; i < (1<<order); i++) {
-        BUG_ON(HYPERVISOR_dom_mem_op(
-            MEMOP_increase_reservation, &mfn, 1, 0) != 1);
-        BUG_ON(HYPERVISOR_update_va_mapping(
-            vstart + (i*PAGE_SIZE),
-            __pte_ma((mfn<<PAGE_SHIFT)|__PAGE_KERNEL), 0));
-        xen_machphys_update(mfn, (__pa(vstart)>>PAGE_SHIFT)+i);
-        phys_to_machine_mapping[(__pa(vstart)>>PAGE_SHIFT)+i] = mfn;
-    }
-
-    flush_tlb_all();
-
-    balloon_unlock(flags);
+       pgd_t         *pgd; 
+       pud_t         *pud; 
+       pmd_t         *pmd;
+       pte_t         *pte;
+       unsigned long  mfn, i, flags;
+
+       scrub_pages(vstart, 1 << order);
+
+       balloon_lock(flags);
+
+       contiguous_bitmap_clear(__pa(vstart) >> PAGE_SHIFT, 1UL << order);
+
+       /* 1. Zap current PTEs, giving away the underlying pages. */
+       for (i = 0; i < (1<<order); i++) {
+               pgd = pgd_offset_k(vstart + (i*PAGE_SIZE));
+               pud = pud_offset(pgd, (vstart + (i*PAGE_SIZE)));
+               pmd = pmd_offset(pud, (vstart + (i*PAGE_SIZE)));
+               pte = pte_offset_kernel(pmd, (vstart + (i*PAGE_SIZE)));
+               mfn = pte_mfn(*pte);
+               BUG_ON(HYPERVISOR_update_va_mapping(
+                       vstart + (i*PAGE_SIZE), __pte_ma(0), 0));
+               phys_to_machine_mapping[(__pa(vstart)>>PAGE_SHIFT)+i] =
+                       INVALID_P2M_ENTRY;
+               BUG_ON(HYPERVISOR_dom_mem_op(
+                       MEMOP_decrease_reservation, &mfn, 1, 0) != 1);
+       }
+
+       /* 2. Map new pages in place of old pages. */
+       for (i = 0; i < (1<<order); i++) {
+               BUG_ON(HYPERVISOR_dom_mem_op(
+                       MEMOP_increase_reservation, &mfn, 1, 0) != 1);
+               BUG_ON(HYPERVISOR_update_va_mapping(
+                       vstart + (i*PAGE_SIZE),
+                       pfn_pte_ma(mfn, PAGE_KERNEL), 0));
+               xen_machphys_update(mfn, (__pa(vstart)>>PAGE_SHIFT)+i);
+               phys_to_machine_mapping[(__pa(vstart)>>PAGE_SHIFT)+i] = mfn;
+       }
+
+       flush_tlb_all();
+
+       balloon_unlock(flags);
 }
 
 
 unsigned long allocate_empty_lowmem_region(unsigned long pages)
 {
-    pgd_t         *pgd;
-    pud_t         *pud; 
-    pmd_t         *pmd;
-    pte_t         *pte;
-    unsigned long *pfn_array;
-    unsigned long  vstart;
-    unsigned long  i;
-    unsigned int   order = get_order(pages*PAGE_SIZE);
-
-    vstart = __get_free_pages(GFP_KERNEL, order);
-    if ( vstart == 0 )
-        return 0UL;
-
-    scrub_pages(vstart, 1 << order);
-
-    pfn_array = vmalloc((1<<order) * sizeof(*pfn_array));
-    if ( pfn_array == NULL )
-        BUG();
-
-    for ( i = 0; i < (1<<order); i++ )
-    {
-        pgd = pgd_offset_k(   (vstart + (i*PAGE_SIZE)));
-        pud = pud_offset(pgd, (vstart + (i*PAGE_SIZE)));
-        pmd = pmd_offset(pud, (vstart + (i*PAGE_SIZE)));
-        pte = pte_offset_kernel(pmd, (vstart + (i*PAGE_SIZE))); 
-        pfn_array[i] = pte_mfn(*pte);
+       pgd_t         *pgd;
+       pud_t         *pud; 
+       pmd_t         *pmd;
+       pte_t         *pte;
+       unsigned long *pfn_array;
+       unsigned long  vstart;
+       unsigned long  i;
+       unsigned int   order = get_order(pages*PAGE_SIZE);
+
+       vstart = __get_free_pages(GFP_KERNEL, order);
+       if (vstart == 0)
+               return 0UL;
+
+       scrub_pages(vstart, 1 << order);
+
+       pfn_array = vmalloc((1<<order) * sizeof(*pfn_array));
+       BUG_ON(pfn_array == NULL);
+
+       for (i = 0; i < (1<<order); i++) {
+               pgd = pgd_offset_k(   (vstart + (i*PAGE_SIZE)));
+               pud = pud_offset(pgd, (vstart + (i*PAGE_SIZE)));
+               pmd = pmd_offset(pud, (vstart + (i*PAGE_SIZE)));
+               pte = pte_offset_kernel(pmd, (vstart + (i*PAGE_SIZE))); 
+               pfn_array[i] = pte_mfn(*pte);
 #ifdef CONFIG_X86_64
-        xen_l1_entry_update(pte, __pte(0));
+               xen_l1_entry_update(pte, __pte(0));
 #else
-        BUG_ON(HYPERVISOR_update_va_mapping(vstart + (i*PAGE_SIZE), 
-                                           __pte_ma(0), 0));
-#endif
-        phys_to_machine_mapping[(__pa(vstart)>>PAGE_SHIFT)+i] =
-            INVALID_P2M_ENTRY;
-    }
-
-    flush_tlb_all();
-
-    balloon_put_pages(pfn_array, 1 << order);
-
-    vfree(pfn_array);
-
-    return vstart;
+               BUG_ON(HYPERVISOR_update_va_mapping(vstart + (i*PAGE_SIZE), 
+                                                   __pte_ma(0), 0));
+#endif
+               phys_to_machine_mapping[(__pa(vstart)>>PAGE_SHIFT)+i] =
+                       INVALID_P2M_ENTRY;
+       }
+
+       flush_tlb_all();
+
+       balloon_put_pages(pfn_array, 1 << order);
+
+       vfree(pfn_array);
+
+       return vstart;
 }
 
 EXPORT_SYMBOL(allocate_empty_lowmem_region);
+
+/*
+ * Local variables:
+ *  c-file-style: "linux"
+ *  indent-tabs-mode: t
+ *  c-indent-level: 8
+ *  c-basic-offset: 8
+ *  tab-width: 8
+ * End:
+ */
diff -r 3d45fb64b064 -r 509316987d65 
linux-2.6-xen-sparse/arch/xen/i386/mm/init.c
--- a/linux-2.6-xen-sparse/arch/xen/i386/mm/init.c      Fri Aug 19 10:18:53 2005
+++ b/linux-2.6-xen-sparse/arch/xen/i386/mm/init.c      Fri Aug 19 10:50:15 2005
@@ -41,6 +41,8 @@
 #include <asm/sections.h>
 #include <asm-xen/hypervisor.h>
 
+extern unsigned long *contiguous_bitmap;
+
 #if defined(CONFIG_SWIOTLB)
 extern void swiotlb_init(void);
 int swiotlb;
@@ -636,6 +638,11 @@
        int tmp;
        int bad_ppro;
        unsigned long pfn;
+
+       contiguous_bitmap = alloc_bootmem_low_pages(
+               (max_low_pfn + 2*BITS_PER_LONG) >> 3);
+       BUG_ON(!contiguous_bitmap);
+       memset(contiguous_bitmap, 0, (max_low_pfn + 2*BITS_PER_LONG) >> 3);
 
 #if defined(CONFIG_SWIOTLB)
        swiotlb_init(); 
diff -r 3d45fb64b064 -r 509316987d65 
linux-2.6-xen-sparse/arch/xen/i386/mm/ioremap.c
--- a/linux-2.6-xen-sparse/arch/xen/i386/mm/ioremap.c   Fri Aug 19 10:18:53 2005
+++ b/linux-2.6-xen-sparse/arch/xen/i386/mm/ioremap.c   Fri Aug 19 10:50:15 2005
@@ -300,17 +300,17 @@
 
 
 static int direct_remap_area_pte_fn(pte_t *pte, 
-                                    struct page *pte_page,
-                                    unsigned long address, 
-                                    void *data)
-{
-        mmu_update_t **v = (mmu_update_t **)data;
-
-        (*v)->ptr = (pfn_to_mfn(page_to_pfn(pte_page)) << PAGE_SHIFT)
-                    | ((unsigned long)pte & ~PAGE_MASK);
-        (*v)++;
-
-        return 0;
+                                   struct page *pte_page,
+                                   unsigned long address, 
+                                   void *data)
+{
+       mmu_update_t **v = (mmu_update_t **)data;
+
+       (*v)->ptr = ((physaddr_t)pfn_to_mfn(page_to_pfn(pte_page)) <<
+                    PAGE_SHIFT) | ((unsigned long)pte & ~PAGE_MASK);
+       (*v)++;
+
+       return 0;
 }
 
 int direct_remap_area_pages(struct mm_struct *mm,
@@ -397,6 +397,16 @@
        }
 
        return generic_page_range(mm, address, size, f, NULL);
-}                 
+} 
 
 EXPORT_SYMBOL(touch_pte_range);
+
+/*
+ * Local variables:
+ *  c-file-style: "linux"
+ *  indent-tabs-mode: t
+ *  c-indent-level: 8
+ *  c-basic-offset: 8
+ *  tab-width: 8
+ * End:
+ */
diff -r 3d45fb64b064 -r 509316987d65 
linux-2.6-xen-sparse/arch/xen/kernel/evtchn.c
--- a/linux-2.6-xen-sparse/arch/xen/kernel/evtchn.c     Fri Aug 19 10:18:53 2005
+++ b/linux-2.6-xen-sparse/arch/xen/kernel/evtchn.c     Fri Aug 19 10:50:15 2005
@@ -124,8 +124,6 @@
 
 #define VALID_EVTCHN(_chn) ((_chn) >= 0)
 
-unsigned uber_debug;
-
 /*
  * Force a proper event-channel callback from Xen after clearing the
  * callback mask. We do this in a very simple manner, by making a call
@@ -160,11 +158,7 @@
             l2 &= ~(1 << l2i);
             
             port = (l1i << 5) + l2i;
-           if (uber_debug && cpu)
-               printk("<0>Upcall to %d on %d.\n", port, cpu);
             if ( (irq = evtchn_to_irq[port]) != -1 ) {
-               if (uber_debug && cpu)
-                   printk("<0>IRQ %d.\n", irq);
                 do_IRQ(irq, regs);
            } else
                 evtchn_device_upcall(port);
diff -r 3d45fb64b064 -r 509316987d65 
linux-2.6-xen-sparse/arch/xen/kernel/skbuff.c
--- a/linux-2.6-xen-sparse/arch/xen/kernel/skbuff.c     Fri Aug 19 10:18:53 2005
+++ b/linux-2.6-xen-sparse/arch/xen/kernel/skbuff.c     Fri Aug 19 10:50:15 2005
@@ -5,8 +5,6 @@
 #include <linux/kernel.h>
 #include <linux/sched.h>
 #include <linux/slab.h>
-#include <linux/string.h>
-#include <linux/errno.h>
 #include <linux/netdevice.h>
 #include <linux/inetdevice.h>
 #include <linux/etherdevice.h>
@@ -14,34 +12,86 @@
 #include <linux/init.h>
 #include <asm/io.h>
 #include <asm/page.h>
-
-EXPORT_SYMBOL(__dev_alloc_skb);
+#include <asm-xen/hypervisor.h>
 
 /* Referenced in netback.c. */
 /*static*/ kmem_cache_t *skbuff_cachep;
 
-/* Size must be cacheline-aligned (alloc_skb uses SKB_DATA_ALIGN). */
-#define XEN_SKB_SIZE \
-    ((PAGE_SIZE - sizeof(struct skb_shared_info)) & ~(SMP_CACHE_BYTES - 1))
+#define MAX_SKBUFF_ORDER 2
+static kmem_cache_t *skbuff_order_cachep[MAX_SKBUFF_ORDER + 1];
 
 struct sk_buff *__dev_alloc_skb(unsigned int length, int gfp_mask)
 {
-    struct sk_buff *skb;
-    skb = alloc_skb_from_cache(skbuff_cachep, length + 16, gfp_mask);
-    if ( likely(skb != NULL) )
-        skb_reserve(skb, 16);
-    return skb;
+       struct sk_buff *skb;
+       int order;
+
+       length = SKB_DATA_ALIGN(length + 16);
+       order = get_order(length + sizeof(struct skb_shared_info));
+       if (order > MAX_SKBUFF_ORDER) {
+               printk(KERN_ALERT "Attempt to allocate order %d skbuff. "
+                      "Increase MAX_SKBUFF_ORDER.\n", order);
+               return NULL;
+       }
+
+       skb = alloc_skb_from_cache(
+               skbuff_order_cachep[order], length, gfp_mask);
+       if (skb != NULL)
+               skb_reserve(skb, 16);
+
+       return skb;
 }
 
 static void skbuff_ctor(void *buf, kmem_cache_t *cachep, unsigned long unused)
 {
-    scrub_pages(buf, 1);
+       int order = 0;
+
+       while (skbuff_order_cachep[order] != cachep)
+               order++;
+
+       if (order != 0)
+               xen_create_contiguous_region((unsigned long)buf, order);
+
+       scrub_pages(buf, 1 << order);
+}
+
+static void skbuff_dtor(void *buf, kmem_cache_t *cachep, unsigned long unused)
+{
+       int order = 0;
+
+       while (skbuff_order_cachep[order] != cachep)
+               order++;
+
+       if (order != 0)
+               xen_destroy_contiguous_region((unsigned long)buf, order);
 }
 
 static int __init skbuff_init(void)
 {
-    skbuff_cachep = kmem_cache_create(
-        "xen-skb", PAGE_SIZE, PAGE_SIZE, 0, skbuff_ctor, NULL);
-    return 0;
+       static char name[MAX_SKBUFF_ORDER + 1][20];
+       unsigned long size;
+       int order;
+
+       for (order = 0; order <= MAX_SKBUFF_ORDER; order++) {
+               size = PAGE_SIZE << order;
+               sprintf(name[order], "xen-skb-%lu", size);
+               skbuff_order_cachep[order] = kmem_cache_create(
+                       name[order], size, size, 0, skbuff_ctor, skbuff_dtor);
+       }
+
+       skbuff_cachep = skbuff_order_cachep[0];
+
+       return 0;
 }
 __initcall(skbuff_init);
+
+EXPORT_SYMBOL(__dev_alloc_skb);
+
+/*
+ * Local variables:
+ *  c-file-style: "linux"
+ *  indent-tabs-mode: t
+ *  c-indent-level: 8
+ *  c-basic-offset: 8
+ *  tab-width: 8
+ * End:
+ */
diff -r 3d45fb64b064 -r 509316987d65 
linux-2.6-xen-sparse/arch/xen/x86_64/kernel/setup.c
--- a/linux-2.6-xen-sparse/arch/xen/x86_64/kernel/setup.c       Fri Aug 19 
10:18:53 2005
+++ b/linux-2.6-xen-sparse/arch/xen/x86_64/kernel/setup.c       Fri Aug 19 
10:50:15 2005
@@ -426,16 +426,10 @@
 #ifdef CONFIG_XEN
 static void __init contig_initmem_init(void)
 {
-        unsigned long bootmap_size, bootmap; 
-
-        bootmap_size = bootmem_bootmap_pages(end_pfn)<<PAGE_SHIFT;
-        bootmap = start_pfn;
-        bootmap_size = init_bootmem(bootmap, end_pfn);
-        reserve_bootmem(bootmap, bootmap_size);
-        
-        free_bootmem(start_pfn << PAGE_SHIFT, (end_pfn - start_pfn) << 
PAGE_SHIFT);   
-        reserve_bootmem(0, (PFN_PHYS(start_pfn) +
-                            bootmap_size + PAGE_SIZE-1));
+        unsigned long bootmap_size = init_bootmem(start_pfn, end_pfn);
+        free_bootmem(0, end_pfn << PAGE_SHIFT);   
+        /* XXX KAF: Why can't we leave low 1MB of memory free? */
+        reserve_bootmem(0, (PFN_PHYS(start_pfn) + bootmap_size + PAGE_SIZE-1));
 }
 #else
 static void __init contig_initmem_init(void)
diff -r 3d45fb64b064 -r 509316987d65 
linux-2.6-xen-sparse/arch/xen/x86_64/kernel/setup64.c
--- a/linux-2.6-xen-sparse/arch/xen/x86_64/kernel/setup64.c     Fri Aug 19 
10:18:53 2005
+++ b/linux-2.6-xen-sparse/arch/xen/x86_64/kernel/setup64.c     Fri Aug 19 
10:50:15 2005
@@ -280,19 +280,16 @@
        if (cpu) {
                memcpy(cpu_gdt_table[cpu], cpu_gdt_table[0], GDT_SIZE);
        }       
-#endif
 
        cpu_gdt_descr[cpu].size = GDT_SIZE;
        cpu_gdt_descr[cpu].address = (unsigned long)cpu_gdt_table[cpu];
 
-        cpu_gdt_init(&cpu_gdt_descr[cpu]);
-
-#ifndef CONFIG_XEN 
        memcpy(me->thread.tls_array, cpu_gdt_table[cpu], GDT_ENTRY_TLS_ENTRIES 
* 8);
-
 #else
        memcpy(me->thread.tls_array, &get_cpu_gdt_table(cpu)[GDT_ENTRY_TLS_MIN],
            GDT_ENTRY_TLS_ENTRIES * 8);
+
+    cpu_gdt_init(&cpu_gdt_descr[cpu]);
 #endif
        
        /*
diff -r 3d45fb64b064 -r 509316987d65 
linux-2.6-xen-sparse/arch/xen/x86_64/mm/fault.c
--- a/linux-2.6-xen-sparse/arch/xen/x86_64/mm/fault.c   Fri Aug 19 10:18:53 2005
+++ b/linux-2.6-xen-sparse/arch/xen/x86_64/mm/fault.c   Fri Aug 19 10:50:15 2005
@@ -250,7 +250,11 @@
           happen within a race in page table update. In the later
           case just flush. */
 
-       pgd = pgd_offset(current->mm ?: &init_mm, address);
+       /* On Xen the line below does not always work. Needs investigating! */
+       /*pgd = pgd_offset(current->mm ?: &init_mm, address);*/
+       pgd = (pgd_t *)per_cpu(cur_pgd, smp_processor_id());
+       pgd += pgd_index(address);
+
        pgd_ref = pgd_offset_k(address);
        if (pgd_none(*pgd_ref))
                return -1;
diff -r 3d45fb64b064 -r 509316987d65 
linux-2.6-xen-sparse/arch/xen/x86_64/mm/init.c
--- a/linux-2.6-xen-sparse/arch/xen/x86_64/mm/init.c    Fri Aug 19 10:18:53 2005
+++ b/linux-2.6-xen-sparse/arch/xen/x86_64/mm/init.c    Fri Aug 19 10:50:15 2005
@@ -39,6 +39,12 @@
 #include <asm/mmu_context.h>
 #include <asm/proto.h>
 #include <asm/smp.h>
+
+extern unsigned long *contiguous_bitmap;
+
+#if defined(CONFIG_SWIOTLB)
+extern void swiotlb_init(void);
+#endif
 
 #ifndef Dprintk
 #define Dprintk(x...)
@@ -794,8 +800,12 @@
        int codesize, reservedpages, datasize, initsize;
        int tmp;
 
+       contiguous_bitmap = alloc_bootmem_low_pages(
+               (end_pfn + 2*BITS_PER_LONG) >> 3);
+       BUG_ON(!contiguous_bitmap);
+       memset(contiguous_bitmap, 0, (end_pfn + 2*BITS_PER_LONG) >> 3);
+
 #if defined(CONFIG_SWIOTLB)
-       extern void swiotlb_init(void);
        swiotlb_init(); 
 #endif
 
diff -r 3d45fb64b064 -r 509316987d65 
linux-2.6-xen-sparse/drivers/xen/balloon/balloon.c
--- a/linux-2.6-xen-sparse/drivers/xen/balloon/balloon.c        Fri Aug 19 
10:18:53 2005
+++ b/linux-2.6-xen-sparse/drivers/xen/balloon/balloon.c        Fri Aug 19 
10:50:15 2005
@@ -213,9 +213,7 @@
             {
                 BUG_ON(HYPERVISOR_update_va_mapping(
                     (unsigned long)__va(pfn << PAGE_SHIFT),
-                    __pte_ma((mfn_list[i] << PAGE_SHIFT) |
-                             pgprot_val(PAGE_KERNEL)),
-                    0));
+                    pfn_pte_ma(mfn_list[i], PAGE_KERNEL), 0));
             }
 
             /* Finally, relinquish the memory back to the system allocator. */
diff -r 3d45fb64b064 -r 509316987d65 
linux-2.6-xen-sparse/drivers/xen/blkback/blkback.c
--- a/linux-2.6-xen-sparse/drivers/xen/blkback/blkback.c        Fri Aug 19 
10:18:53 2005
+++ b/linux-2.6-xen-sparse/drivers/xen/blkback/blkback.c        Fri Aug 19 
10:50:15 2005
@@ -406,21 +406,15 @@
 #endif
 
 
-#ifdef CONFIG_XEN_BLKDEV_TAP_BE
     if ( HYPERVISOR_update_va_mapping_otherdomain(
         MMAP_VADDR(pending_idx, 0),
-        (pte_t) { (req->frame_and_sects[0] & PAGE_MASK) | __PAGE_KERNEL },
+        pfn_pte_ma(req->frame_and_sects[0] >> PAGE_SHIFT, PAGE_KERNEL),
+#ifdef CONFIG_XEN_BLKDEV_TAP_BE
         0, (blkif->is_blktap ? ID_TO_DOM(req->id) : blkif->domid) ) )
-        
+#else
+        0, blkif->domid) )
+#endif
         goto out;
-#else
-    if ( HYPERVISOR_update_va_mapping_otherdomain(
-        MMAP_VADDR(pending_idx, 0),
-        (pte_t) { (req->frame_and_sects[0] & PAGE_MASK) | __PAGE_KERNEL },
-        0, blkif->domid) ) 
-        
-        goto out;
-#endif
 #endif /* endif CONFIG_XEN_BLKDEV_GRANT */
    
     rsp = vbd_probe(blkif, (vdisk_t *)MMAP_VADDR(pending_idx, 0), 
diff -r 3d45fb64b064 -r 509316987d65 
linux-2.6-xen-sparse/drivers/xen/xenbus/xenbus_probe.c
--- a/linux-2.6-xen-sparse/drivers/xen/xenbus/xenbus_probe.c    Fri Aug 19 
10:18:53 2005
+++ b/linux-2.6-xen-sparse/drivers/xen/xenbus/xenbus_probe.c    Fri Aug 19 
10:50:15 2005
@@ -48,15 +48,7 @@
 match_device(const struct xenbus_device_id *arr, struct xenbus_device *dev)
 {
        for (; !streq(arr->devicetype, ""); arr++) {
-               if (!streq(arr->devicetype, dev->devicetype))
-                       continue;
-
-               /* If they don't care what subtype, it's a match. */
-               if (streq(arr->subtype, ""))
-                       return arr;
-
-               /* If they care, device must have (same) subtype. */
-               if (dev->subtype && streq(arr->subtype, dev->subtype))
+               if (streq(arr->devicetype, dev->devicetype))
                        return arr;
        }
        return NULL;
@@ -72,10 +64,102 @@
        return match_device(drv->ids, to_xenbus_device(_dev)) != NULL;
 }
 
+struct xen_bus_type
+{
+       char *root;
+       unsigned int levels;
+       int (*get_bus_id)(char bus_id[BUS_ID_SIZE], const char *nodename);
+       int (*probe)(const char *type, const char *dir);
+       struct bus_type bus;
+       struct device dev;
+};
+
+/* device/<type>/<id> => <type>-<id> */
+static int frontend_bus_id(char bus_id[BUS_ID_SIZE], const char *nodename)
+{
+       nodename = strchr(nodename, '/');
+       if (!nodename || strlen(nodename + 1) >= BUS_ID_SIZE) {
+               printk(KERN_WARNING "XENBUS: bad frontend %s\n", nodename);
+               return -EINVAL;
+       }
+
+       strlcpy(bus_id, nodename + 1, BUS_ID_SIZE);
+       if (!strchr(bus_id, '/')) {
+               printk(KERN_WARNING "XENBUS: bus_id %s no slash\n", bus_id);
+               return -EINVAL;
+       }
+       *strchr(bus_id, '/') = '-';
+       return 0;
+}
+
 /* Bus type for frontend drivers. */
-static struct bus_type xenbus_type = {
-       .name  = "xenbus",
-       .match = xenbus_match,
+static int xenbus_probe_frontend(const char *type, const char *name);
+static struct xen_bus_type xenbus_frontend = {
+       .root = "device",
+       .levels = 2,            /* device/type/<id> */
+       .get_bus_id = frontend_bus_id,
+       .probe = xenbus_probe_frontend,
+       .bus = {
+               .name  = "xen",
+               .match = xenbus_match,
+       },
+       .dev = {
+               .bus_id = "xen",
+       },
+};
+
+/* backend/<type>/<fe-uuid>/<id> => <type>-<fe-domid>-<id> */
+static int backend_bus_id(char bus_id[BUS_ID_SIZE], const char *nodename)
+{
+       int domid, err;
+       const char *devid, *type, *frontend;
+       unsigned int typelen;
+
+       type = strchr(nodename, '/');
+       if (!type)
+               return -EINVAL;
+       type++;
+       typelen = strcspn(type, "/");
+       if (!typelen || type[typelen] != '/')
+               return -EINVAL;
+
+       devid = strrchr(nodename, '/') + 1;
+
+       err = xenbus_gather(nodename, "frontend-id", "%i", &domid,
+                           "frontend", NULL, &frontend,
+                           NULL);
+       if (err)
+               return err;
+       if (strlen(frontend) == 0)
+               err = -ERANGE;
+
+       if (!err && !xenbus_exists(frontend, ""))
+               err = -ENOENT;
+
+       if (err) {
+               kfree(frontend);
+               return err;
+       }
+
+       if (snprintf(bus_id, BUS_ID_SIZE,
+                    "%.*s-%i-%s", typelen, type, domid, devid) >= BUS_ID_SIZE)
+               return -ENOSPC;
+       return 0;
+}
+
+static int xenbus_probe_backend(const char *type, const char *uuid);
+static struct xen_bus_type xenbus_backend = {
+       .root = "backend",
+       .levels = 3,            /* backend/type/<frontend>/<id> */
+       .get_bus_id = backend_bus_id,
+       .probe = xenbus_probe_backend,
+       .bus = {
+               .name  = "xen-backend",
+               .match = xenbus_match,
+       },
+       .dev = {
+               .bus_id = "xen-backend",
+       },
 };
 
 static int xenbus_dev_probe(struct device *_dev)
@@ -104,12 +188,13 @@
        return drv->remove(dev);
 }
 
-int xenbus_register_driver(struct xenbus_driver *drv)
+static int xenbus_register_driver(struct xenbus_driver *drv,
+                                 struct xen_bus_type *bus)
 {
        int err;
 
        drv->driver.name = drv->name;
-       drv->driver.bus = &xenbus_type;
+       drv->driver.bus = &bus->bus;
        drv->driver.owner = drv->owner;
        drv->driver.probe = xenbus_dev_probe;
        drv->driver.remove = xenbus_dev_remove;
@@ -120,6 +205,16 @@
        return err;
 }
 
+int xenbus_register_device(struct xenbus_driver *drv)
+{
+       return xenbus_register_driver(drv, &xenbus_frontend);
+}
+
+int xenbus_register_backend(struct xenbus_driver *drv)
+{
+       return xenbus_register_driver(drv, &xenbus_backend);
+}
+
 void xenbus_unregister_driver(struct xenbus_driver *drv)
 {
        down(&xenbus_lock);
@@ -130,52 +225,98 @@
 struct xb_find_info
 {
        struct xenbus_device *dev;
-       const char *busid;
+       const char *nodename;
 };
 
 static int cmp_dev(struct device *dev, void *data)
 {
+       struct xenbus_device *xendev = to_xenbus_device(dev);
        struct xb_find_info *info = data;
 
-       if (streq(dev->bus_id, info->busid)) {
-               info->dev = container_of(get_device(dev),
-                                        struct xenbus_device, dev);
+       if (streq(xendev->nodename, info->nodename)) {
+               info->dev = xendev;
+               get_device(dev);
                return 1;
        }
        return 0;
 }
 
-/* FIXME: device_find is fixed in 2.6.13-rc2 according to Greg KH --RR */
-struct xenbus_device *xenbus_device_find(const char *busid)
-{
-       struct xb_find_info info = { .dev = NULL, .busid = busid };
-
-       bus_for_each_dev(&xenbus_type, NULL, &info, cmp_dev);
+struct xenbus_device *xenbus_device_find(const char *nodename,
+                                        struct bus_type *bus)
+{
+       struct xb_find_info info = { .dev = NULL, .nodename = nodename };
+
+       bus_for_each_dev(bus, NULL, &info, cmp_dev);
        return info.dev;
 }
 
+static int cleanup_dev(struct device *dev, void *data)
+{
+       struct xenbus_device *xendev = to_xenbus_device(dev);
+       struct xb_find_info *info = data;
+       int len = strlen(info->nodename);
+
+       if (!strncmp(xendev->nodename, info->nodename, len)) {
+               info->dev = xendev;
+               get_device(dev);
+               return 1;
+       }
+       return 0;
+}
+
+static void xenbus_cleanup_devices(const char *path, struct bus_type *bus)
+{
+       struct xb_find_info info = { .nodename = path };
+
+       do {
+               info.dev = NULL;
+               bus_for_each_dev(bus, NULL, &info, cleanup_dev);
+               if (info.dev) {
+                       device_unregister(&info.dev->dev);
+                       put_device(&info.dev->dev);
+               }
+       } while (info.dev);
+}
 
 static void xenbus_release_device(struct device *dev)
 {
        if (dev) {
                struct xenbus_device *xendev = to_xenbus_device(dev);
 
-               kfree(xendev->subtype);
                kfree(xendev);
        }
 }
-/* devices/<typename>/<name> */
-static int xenbus_probe_device(const char *dirpath, const char *devicetype,
-                              const char *name)
+
+/* Simplified asprintf. */
+static char *kasprintf(const char *fmt, ...)
+{
+       va_list ap;
+       unsigned int len;
+       char *p, dummy[1];
+
+       va_start(ap, fmt);
+       /* FIXME: vsnprintf has a bug, NULL should work */
+       len = vsnprintf(dummy, 0, fmt, ap);
+       va_end(ap);
+
+       p = kmalloc(len + 1, GFP_KERNEL);
+       if (!p)
+               return NULL;
+       va_start(ap, fmt);
+       vsprintf(p, fmt, ap);
+       va_end(ap);
+       return p;
+}
+
+static int xenbus_probe_node(struct xen_bus_type *bus,
+                            const char *type,
+                            const char *nodename)
 {
        int err;
        struct xenbus_device *xendev;
        unsigned int stringlen;
 
-       /* Nodename: /device/<typename>/<name>/ */
-       stringlen = strlen(dirpath) + strlen(devicetype) + strlen(name) + 3;
-       /* Typename */
-       stringlen += strlen(devicetype) + 1;
+       stringlen = strlen(nodename) + 1 + strlen(type) + 1;
        xendev = kmalloc(sizeof(*xendev) + stringlen, GFP_KERNEL);
        if (!xendev)
                return -ENOMEM;
@@ -183,38 +324,103 @@
 
        /* Copy the strings into the extra space. */
        xendev->nodename = (char *)(xendev + 1);
-       sprintf(xendev->nodename, "%s/%s/%s", dirpath, devicetype, name);
+       strcpy(xendev->nodename, nodename);
        xendev->devicetype = xendev->nodename + strlen(xendev->nodename) + 1;
-       strcpy(xendev->devicetype, devicetype);
-
-       /* FIXME: look for "subtype" field. */
-       snprintf(xendev->dev.bus_id, BUS_ID_SIZE, "%s-%s", devicetype, name);
-       xendev->dev.bus = &xenbus_type;
+       strcpy(xendev->devicetype, type);
+
+       xendev->dev.parent = &bus->dev;
+       xendev->dev.bus = &bus->bus;
        xendev->dev.release = xenbus_release_device;
+
+       err = bus->get_bus_id(xendev->dev.bus_id, xendev->nodename);
+       if (err) {
+               kfree(xendev);
+               return err;
+       }
 
        /* Register with generic device framework. */
        err = device_register(&xendev->dev);
        if (err) {
-               printk("XENBUS: Registering device %s: error %i\n",
-                      xendev->dev.bus_id, err);
+               printk("XENBUS: Registering %s device %s: error %i\n",
+                      bus->bus.name, xendev->dev.bus_id, err);
                kfree(xendev);
        }
        return err;
 }
 
-static int xenbus_probe_device_type(const char *dirpath, const char *typename)
+/* device/<typename>/<name> */
+static int xenbus_probe_frontend(const char *type, const char *name)
+{
+       char *nodename;
+       int err;
+
+       nodename = kasprintf("%s/%s/%s", xenbus_frontend.root, type, name);
+       if (!nodename)
+               return -ENOMEM;
+       
+       err = xenbus_probe_node(&xenbus_frontend, type, nodename);
+       kfree(nodename);
+       return err;
+}
+
+/* backend/<typename>/<frontend-uuid>/<name> */
+static int xenbus_probe_backend_unit(const char *dir,
+                                    const char *type,
+                                    const char *name)
+{
+       char *nodename;
+       int err;
+
+       nodename = kasprintf("%s/%s", dir, name);
+       if (!nodename)
+               return -ENOMEM;
+
+       err = xenbus_probe_node(&xenbus_backend, type, nodename);
+       kfree(nodename);
+       return err;
+}
+
+/* backend/<typename>/<frontend-uuid> */
+static int xenbus_probe_backend(const char *type, const char *uuid)
+{
+       char *nodename;
+       int err = 0;
+       char **dir;
+       unsigned int i, dir_n = 0;
+
+       nodename = kasprintf("%s/%s/%s", xenbus_backend.root, type, uuid);
+       if (!nodename)
+               return -ENOMEM;
+
+       dir = xenbus_directory(nodename, "", &dir_n);
+       if (IS_ERR(dir)) {
+               kfree(nodename);
+               return PTR_ERR(dir);
+       }
+
+       for (i = 0; i < dir_n; i++) {
+               err = xenbus_probe_backend_unit(nodename, type, dir[i]);
+               if (err)
+                       break;
+       }
+       kfree(dir);
+       kfree(nodename);
+       return err;
+}
+
+static int xenbus_probe_device_type(struct xen_bus_type *bus, const char *type)
 {
        int err = 0;
        char **dir;
        unsigned int dir_n = 0;
        int i;
 
-       dir = xenbus_directory(dirpath, typename, &dir_n);
+       dir = xenbus_directory(bus->root, type, &dir_n);
        if (IS_ERR(dir))
                return PTR_ERR(dir);
 
        for (i = 0; i < dir_n; i++) {
-               err = xenbus_probe_device(dirpath, typename, dir[i]);
+               err = bus->probe(type, dir[i]);
                if (err)
                        break;
        }
@@ -222,18 +428,18 @@
        return err;
 }
 
-static int xenbus_probe_devices(const char *path)
+static int xenbus_probe_devices(struct xen_bus_type *bus)
 {
        int err = 0;
        char **dir;
        unsigned int i, dir_n;
 
-       dir = xenbus_directory(path, "", &dir_n);
+       dir = xenbus_directory(bus->root, "", &dir_n);
        if (IS_ERR(dir))
                return PTR_ERR(dir);
 
        for (i = 0; i < dir_n; i++) {
-               err = xenbus_probe_device_type(path, dir[i]);
+               err = xenbus_probe_device_type(bus, dir[i]);
                if (err)
                        break;
        }
@@ -251,58 +457,111 @@
        return ret;
 }
 
-static void dev_changed(struct xenbus_watch *watch, const char *node)
-{
-       char busid[BUS_ID_SIZE];
-       int exists;
+static int strsep_len(const char *str, char c, unsigned int len)
+{
+       unsigned int i;
+
+       for (i = 0; str[i]; i++)
+               if (str[i] == c) {
+                       if (len == 0)
+                               return i;
+                       len--;
+               }
+       return (len == 0) ? i : -ERANGE;
+}
+
+static void dev_changed(const char *node, struct xen_bus_type *bus)
+{
+       int exists, rootlen;
        struct xenbus_device *dev;
-       char *p;
-
-       /* Node is of form device/<type>/<identifier>[/...] */
-       if (char_count(node, '/') != 2)
+       char type[BUS_ID_SIZE];
+       const char *p, *root;
+
+       if (char_count(node, '/') < 2)
+               return;
+
+       exists = xenbus_exists(node, "");
+       if (!exists) {
+               xenbus_cleanup_devices(node, &bus->bus);
                return;
-
-       /* Created or deleted? */
-       exists = xenbus_exists(node, "");
-
+       }
+
+       /* backend/<type>/... or device/<type>/... */
        p = strchr(node, '/') + 1;
-       if (strlen(p) + 1 > BUS_ID_SIZE) {
-               printk("Device for node %s is too big!\n", node);
+       snprintf(type, BUS_ID_SIZE, "%.*s", strcspn(p, "/"), p);
+       type[BUS_ID_SIZE-1] = '\0';
+
+       rootlen = strsep_len(node, '/', bus->levels);
+       if (rootlen < 0)
                return;
-       }
-       /* Bus ID is name with / changed to - */
-       strcpy(busid, p);
-       *strchr(busid, '/') = '-';
-
-       dev = xenbus_device_find(busid);
-       printk("xenbus: device %s %s\n", busid, dev ? "exists" : "new");
-       if (dev && !exists) {
-               printk("xenbus: Unregistering device %s\n", busid);
-               /* FIXME: free? */
-               device_unregister(&dev->dev);
-       } else if (!dev && exists) {
-               printk("xenbus: Adding device %s\n", busid);
-               /* Hack bus id back into two strings. */
-               *strrchr(busid, '-') = '\0';
-               xenbus_probe_device("device", busid, busid+strlen(busid)+1);
-       } else
-               printk("xenbus: strange, %s already %s\n", busid,
-                      exists ? "exists" : "gone");
-       if (dev)
+       root = kasprintf("%.*s", rootlen, node);
+       if (!root)
+               return;
+
+       dev = xenbus_device_find(root, &bus->bus);
+       if (!dev)
+               xenbus_probe_node(bus, type, root);
+       else
                put_device(&dev->dev);
+
+       kfree(root);
+}
+
+static void frontend_changed(struct xenbus_watch *watch, const char *node)
+{
+       dev_changed(node, &xenbus_frontend);
+}
+
+static void backend_changed(struct xenbus_watch *watch, const char *node)
+{
+       dev_changed(node, &xenbus_backend);
 }
 
 /* We watch for devices appearing and vanishing. */
-static struct xenbus_watch dev_watch = {
-       /* FIXME: Ideally we'd only watch for changes 2 levels deep... */
+static struct xenbus_watch fe_watch = {
        .node = "device",
-       .callback = dev_changed,
+       .callback = frontend_changed,
 };
+
+static struct xenbus_watch be_watch = {
+       .node = "backend",
+       .callback = backend_changed,
+};
+
+static int suspend_dev(struct device *dev, void *data)
+{
+       int err = 0;
+       struct xenbus_driver *drv = to_xenbus_driver(dev->driver);
+       struct xenbus_device *xdev
+               = container_of(dev, struct xenbus_device, dev);
+
+       if (drv->suspend)
+               err = drv->suspend(xdev);
+       if (err)
+               printk("xenbus: suspend %s failed: %i\n", dev->bus_id, err);
+       return 0;
+}
+
+static int resume_dev(struct device *dev, void *data)
+{
+       int err = 0;
+       struct xenbus_driver *drv = to_xenbus_driver(dev->driver);
+       struct xenbus_device *xdev
+               = container_of(dev, struct xenbus_device, dev);
+
+       if (drv->resume)
+               err = drv->resume(xdev);
+       if (err)
+               printk("xenbus: resume %s failed: %i\n", dev->bus_id, err);
+       return 0;
+}
 
 void xenbus_suspend(void)
 {
        /* We keep lock, so no comms can happen as page moves. */
        down(&xenbus_lock);
+       bus_for_each_dev(&xenbus_frontend.bus, NULL, NULL, suspend_dev);
+       bus_for_each_dev(&xenbus_backend.bus, NULL, NULL, suspend_dev);
        xb_suspend_comms();
 }
 
@@ -310,6 +569,8 @@
 {
        xb_init_comms();
        reregister_xenbus_watches();
+       bus_for_each_dev(&xenbus_frontend.bus, NULL, NULL, resume_dev);
+       bus_for_each_dev(&xenbus_backend.bus, NULL, NULL, resume_dev);
        up(&xenbus_lock);
 }
 
@@ -354,30 +615,23 @@
        }
 
        down(&xenbus_lock);
-       err = notifier_call_chain(&xenstore_chain, 0, 0);
+       /* Enumerate devices in xenstore. */
+       xenbus_probe_devices(&xenbus_frontend);
+       xenbus_probe_devices(&xenbus_backend);
+       /* Watch for changes. */
+       register_xenbus_watch(&fe_watch);
+       register_xenbus_watch(&be_watch);
        up(&xenbus_lock);
-
-       if (err == NOTIFY_BAD) {
-               printk("%s: calling xenstore notify chain failed\n",
-                      __FUNCTION__);
-               return -EINVAL;
-       }
-
-       err = 0;
-
-       down(&xenbus_lock);
-       /* Enumerate devices in xenstore. */
-       xenbus_probe_devices("device");
-       /* Watch for changes. */
-       register_xenbus_watch(&dev_watch);
-       up(&xenbus_lock);
        return 0;
 }
 
 static int __init xenbus_probe_init(void)
 {
-       bus_register(&xenbus_type);
-
+       bus_register(&xenbus_frontend.bus);
+       bus_register(&xenbus_backend.bus);
+       device_register(&xenbus_frontend.dev);
+       device_register(&xenbus_backend.dev);
+       
        if (!xen_start_info.store_evtchn)
                return 0;
 
diff -r 3d45fb64b064 -r 509316987d65 
linux-2.6-xen-sparse/drivers/xen/xenbus/xenbus_xs.c
--- a/linux-2.6-xen-sparse/drivers/xen/xenbus/xenbus_xs.c       Fri Aug 19 
10:18:53 2005
+++ b/linux-2.6-xen-sparse/drivers/xen/xenbus/xenbus_xs.c       Fri Aug 19 
10:50:15 2005
@@ -187,6 +187,7 @@
        static char buffer[4096];
 
        BUG_ON(down_trylock(&xenbus_lock) == 0);
+       /* XXX FIXME: might not be correct if name == "" */
        BUG_ON(strlen(dir) + strlen("/") + strlen(name) + 1 > sizeof(buffer));
 
        strcpy(buffer, dir);
@@ -399,9 +400,12 @@
                        ret = PTR_ERR(p);
                        break;
                }
-               if (sscanf(p, fmt, result) == 0)
-                       ret = -EINVAL;
-               kfree(p);
+               if (fmt) {
+                       if (sscanf(p, fmt, result) == 0)
+                               ret = -EINVAL;
+                       kfree(p);
+               } else
+                       *(char **)result = p;
        }
        va_end(ap);
        return ret;
diff -r 3d45fb64b064 -r 509316987d65 
linux-2.6-xen-sparse/include/asm-xen/asm-i386/dma-mapping.h
--- a/linux-2.6-xen-sparse/include/asm-xen/asm-i386/dma-mapping.h       Fri Aug 
19 10:18:53 2005
+++ b/linux-2.6-xen-sparse/include/asm-xen/asm-i386/dma-mapping.h       Fri Aug 
19 10:50:15 2005
@@ -26,7 +26,9 @@
 static inline int
 range_straddles_page_boundary(void *p, size_t size)
 {
-       return ((((unsigned long)p & ~PAGE_MASK) + size) > PAGE_SIZE);
+       extern unsigned long *contiguous_bitmap;
+       return (((((unsigned long)p & ~PAGE_MASK) + size) > PAGE_SIZE) &&
+               !test_bit(__pa(p) >> PAGE_SHIFT, contiguous_bitmap));
 }
 
 #define dma_alloc_noncoherent(d, s, h, f) dma_alloc_coherent(d, s, h, f)
diff -r 3d45fb64b064 -r 509316987d65 
linux-2.6-xen-sparse/include/asm-xen/xenbus.h
--- a/linux-2.6-xen-sparse/include/asm-xen/xenbus.h     Fri Aug 19 10:18:53 2005
+++ b/linux-2.6-xen-sparse/include/asm-xen/xenbus.h     Fri Aug 19 10:50:15 2005
@@ -37,7 +37,6 @@
 /* A xenbus device. */
 struct xenbus_device {
        char *devicetype;
-       char *subtype;
        char *nodename;
        struct device dev;
        int has_error;
@@ -53,7 +52,6 @@
 {
        /* .../device/<device_type>/<identifier> */
        char devicetype[32];    /* General class of device. */
-       char subtype[32];       /* Contents of "subtype" for this device */
 };
 
 /* A xenbus driver. */
@@ -61,9 +59,11 @@
        char *name;
        struct module *owner;
        const struct xenbus_device_id *ids;
-       int  (*probe)    (struct xenbus_device * dev,
-                         const struct xenbus_device_id * id);
-       int  (*remove)   (struct xenbus_device * dev);
+       int (*probe)(struct xenbus_device *dev,
+                    const struct xenbus_device_id *id);
+       int (*remove)(struct xenbus_device *dev);
+       int (*suspend)(struct xenbus_device *dev);
+       int (*resume)(struct xenbus_device *dev);
        struct device_driver driver;
 };
 
@@ -72,7 +72,8 @@
        return container_of(drv, struct xenbus_driver, driver);
 }
 
-int xenbus_register_driver(struct xenbus_driver *drv);
+int xenbus_register_device(struct xenbus_driver *drv);
+int xenbus_register_backend(struct xenbus_driver *drv);
 void xenbus_unregister_driver(struct xenbus_driver *drv);
 
 /* Caller must hold this lock to call these functions: it's also held
diff -r 3d45fb64b064 -r 509316987d65 tools/examples/network-bridge
--- a/tools/examples/network-bridge     Fri Aug 19 10:18:53 2005
+++ b/tools/examples/network-bridge     Fri Aug 19 10:50:15 2005
@@ -51,7 +51,7 @@
 
 bridge=${bridge:-xen-br0}
 netdev=${netdev:-eth0}
-antispoof=${antispoof:-yes}
+antispoof=${antispoof:-no}
 
 echo "*network $OP bridge=$bridge netdev=$netdev antispoof=$antispoof" >&2
 
diff -r 3d45fb64b064 -r 509316987d65 tools/python/xen/xend/server/event.py
--- a/tools/python/xen/xend/server/event.py     Fri Aug 19 10:18:53 2005
+++ b/tools/python/xen/xend/server/event.py     Fri Aug 19 10:50:15 2005
@@ -50,7 +50,7 @@
     def dataReceived(self, data):
         try:
             self.parser.input(data)
-            if self.parser.ready():
+            while(self.parser.ready()):
                 val = self.parser.get_val()
                 res = self.dispatch(val)
                 self.send_result(res)
diff -r 3d45fb64b064 -r 509316987d65 tools/python/xen/xend/server/relocate.py
--- a/tools/python/xen/xend/server/relocate.py  Fri Aug 19 10:18:53 2005
+++ b/tools/python/xen/xend/server/relocate.py  Fri Aug 19 10:50:15 2005
@@ -42,7 +42,7 @@
     def dataReceived(self, data):
         try:
             self.parser.input(data)
-            if self.parser.ready():
+            while(self.parser.ready()):
                 val = self.parser.get_val()
                 res = self.dispatch(val)
                 self.send_result(res)
diff -r 3d45fb64b064 -r 509316987d65 tools/python/xen/xm/create.py
--- a/tools/python/xen/xm/create.py     Fri Aug 19 10:18:53 2005
+++ b/tools/python/xen/xm/create.py     Fri Aug 19 10:50:15 2005
@@ -23,6 +23,7 @@
 import sys
 import socket
 import commands
+import time
 
 import xen.lowlevel.xc
 
@@ -674,18 +675,33 @@
     return 0
 
 def balloon_out(dom0_min_mem, opts):
-    """Balloon out to get memory for domU, if necessarily"""
+    """Balloon out memory from dom0 if necessary"""
     SLACK = 4
+    timeout = 20 # 2s
+    ret = 0
 
     xc = xen.lowlevel.xc.new()
     pinfo = xc.physinfo()
-    free_mem = pinfo['free_pages']/256
-    if free_mem < opts.vals.memory + SLACK:
-        need_mem = opts.vals.memory + SLACK - free_mem
-        cur_alloc = get_dom0_alloc()
-        if cur_alloc - need_mem >= dom0_min_mem:
-            server.xend_domain_mem_target_set(0, cur_alloc - need_mem)
+    free_mem = pinfo['free_pages'] / 256
+    domU_need_mem = opts.vals.memory + SLACK 
+
+    dom0_cur_alloc = get_dom0_alloc()
+    dom0_new_alloc = dom0_cur_alloc - (domU_need_mem - free_mem)
+
+    if free_mem < domU_need_mem and dom0_new_alloc >= dom0_min_mem:
+
+        server.xend_domain_mem_target_set(0, dom0_new_alloc)
+
+        while dom0_cur_alloc > dom0_new_alloc and timeout > 0:
+            time.sleep(0.1) # sleep 100ms
+            dom0_cur_alloc = get_dom0_alloc()
+            timeout -= 1
+        
+        if dom0_cur_alloc > dom0_new_alloc:
+            ret = 1
+    
     del xc
+    return ret
 
 def main(argv):
     random.seed()
@@ -717,7 +733,8 @@
     else:
         dom0_min_mem = xroot.get_dom0_min_mem()
         if dom0_min_mem != 0:
-            balloon_out(dom0_min_mem, opts)
+            if balloon_out(dom0_min_mem, opts):
+                return
 
         dom = make_domain(opts, config)
         if opts.vals.console_autoconnect:
diff -r 3d45fb64b064 -r 509316987d65 tools/python/xen/xm/main.py
--- a/tools/python/xen/xm/main.py       Fri Aug 19 10:18:53 2005
+++ b/tools/python/xen/xm/main.py       Fri Aug 19 10:50:15 2005
@@ -200,7 +200,11 @@
 def xm_list(args):
     use_long = 0
     show_vcpus = 0
-    (options, params) = getopt(args, 'lv', ['long','vcpus'])
+    try:
+        (options, params) = getopt(args, 'lv', ['long','vcpus'])
+    except GetoptError, opterr:
+        err(opterr)
+        sys.exit(1)
     
     n = len(params)
     for (k, v) in options:
diff -r 3d45fb64b064 -r 509316987d65 tools/security/Makefile
--- a/tools/security/Makefile   Fri Aug 19 10:18:53 2005
+++ b/tools/security/Makefile   Fri Aug 19 10:50:15 2005
@@ -2,27 +2,71 @@
 include $(XEN_ROOT)/tools/Rules.mk
 
 SRCS     = secpol_tool.c
-CFLAGS   += -static
 CFLAGS   += -Wall
 CFLAGS   += -Werror
 CFLAGS   += -O3
 CFLAGS   += -fno-strict-aliasing
-CFLAGS   += -I.
+CFLAGS   += -I. -I/usr/include/libxml2
+CFLAGS_XML2BIN += $(shell xml2-config --cflags --libs )
+#if above does not work, try  -L/usr/lib -lxml2 -lz -lpthread -lm
+XML2VERSION = $(shell xml2-config --version )
+VALIDATE_SCHEMA=$(shell if [[ $(XML2VERSION) < 2.6.20 ]]; then echo ""; else 
echo "-DVALIDATE_SCHEMA"; fi; )
 
+ifeq ($(ACM_USE_SECURITY_POLICY),ACM_NULL_POLICY)
+POLICY=null
+endif
+ifeq ($(ACM_USE_SECURITY_POLICY),ACM_CHINESE_WALL_POLICY)
+POLICY=chwall
+endif
+ifeq ($(ACM_USE_SECURITY_POLICY),ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY)
+POLICY=ste
+endif
+ifeq 
($(ACM_USE_SECURITY_POLICY),ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY)
+POLICY=chwall_ste
+endif
+POLICYFILE=./policies/$(POLICY)/$(POLICY).bin
+
+ifneq ($(ACM_USE_SECURITY_POLICY), ACM_NULL_POLICY)
 all: build
+
+install:all
+
+default:all
+else
+all:
+
+install:
+
+default:
+endif
+
 build: mk-symlinks
        $(MAKE) secpol_tool
+       $(MAKE) secpol_xml2bin
+       chmod 700 ./setlabel.sh
+       chmod 700 ./updategrub.sh
 
-default: all
-
-install: all
-
-secpol_tool : secpol_tool.c
+secpol_tool : secpol_tool.c secpol_compat.h
        $(CC) $(CPPFLAGS) $(CFLAGS) -o $@ $<
 
+secpol_xml2bin : secpol_xml2bin.c secpol_xml2bin.h secpol_compat.h
+       $(CC) $(CPPFLAGS) $(CFLAGS) $(CFLAGS_XML2BIN) $(VALIDATE_SCHEMA) -o $@ 
$<
+
 clean:
-       rm -rf secpol_tool xen
+       rm -rf secpol_tool secpol_xml2bin xen
 
+policy_clean:
+       rm -rf policies/*/*.bin policies/*/*.map
+
+mrproper: clean policy_clean
+
+
+$(POLICYFILE) : build
+       @./secpol_xml2bin $(POLICY) > /dev/null
+
+boot_install: $(POLICYFILE)
+       @cp $(POLICYFILE) /boot
+       @./updategrub.sh $(POLICY) $(PWD)/$(XEN_ROOT)
 
 LINUX_ROOT := $(XEN_ROOT)/linux-2.6-xen-sparse
 mk-symlinks:
diff -r 3d45fb64b064 -r 509316987d65 tools/security/secpol_tool.c
--- a/tools/security/secpol_tool.c      Fri Aug 19 10:18:53 2005
+++ b/tools/security/secpol_tool.c      Fri Aug 19 10:50:15 2005
@@ -31,18 +31,8 @@
 #include <stdlib.h>
 #include <sys/ioctl.h>
 #include <string.h>
-#include <stdint.h>
 #include <netinet/in.h>
-
-typedef uint8_t u8;
-typedef uint16_t u16;
-typedef uint32_t u32;
-typedef uint64_t u64;
-typedef int8_t s8;
-typedef int16_t s16;
-typedef int32_t s32;
-typedef int64_t s64;
-
+#include "secpol_compat.h"
 #include <xen/acm.h>
 #include <xen/acm_ops.h>
 #include <xen/linux/privcmd.h>
@@ -270,171 +260,6 @@
     }
 }
 
-/*************************** set policy ****************************/
-
-int acm_domain_set_chwallpolicy(void *bufstart, int buflen)
-{
-#define CWALL_MAX_SSIDREFS             6
-#define CWALL_MAX_TYPES             10
-#define CWALL_MAX_CONFLICTSETS         2
-
-    struct acm_chwall_policy_buffer *chwall_bin_pol =
-        (struct acm_chwall_policy_buffer *) bufstart;
-    domaintype_t *ssidrefs, *conflicts;
-    int ret = 0;
-    int j;
-
-    chwall_bin_pol->chwall_max_types = htonl(CWALL_MAX_TYPES);
-    chwall_bin_pol->chwall_max_ssidrefs = htonl(CWALL_MAX_SSIDREFS);
-    chwall_bin_pol->policy_code = htonl(ACM_CHINESE_WALL_POLICY);
-    chwall_bin_pol->policy_version = htonl(ACM_CHWALL_VERSION);
-    chwall_bin_pol->chwall_ssid_offset =
-        htonl(sizeof(struct acm_chwall_policy_buffer));
-    chwall_bin_pol->chwall_max_conflictsets =
-        htonl(CWALL_MAX_CONFLICTSETS);
-    chwall_bin_pol->chwall_conflict_sets_offset =
-        htonl(ntohl(chwall_bin_pol->chwall_ssid_offset) +
-              sizeof(domaintype_t) * CWALL_MAX_SSIDREFS * CWALL_MAX_TYPES);
-    chwall_bin_pol->chwall_running_types_offset = 0;    /* not set */
-    chwall_bin_pol->chwall_conflict_aggregate_offset = 0;       /* not set */
-    ret += sizeof(struct acm_chwall_policy_buffer);
-    /* now push example ssids into the buffer (max_ssidrefs x max_types 
entries) */
-    /* check buffer size */
-    if ((buflen - ret) <
-        (CWALL_MAX_TYPES * CWALL_MAX_SSIDREFS * sizeof(domaintype_t)))
-        return -1;              /* not enough space */
-
-    ssidrefs = (domaintype_t *) (bufstart +
-                          ntohl(chwall_bin_pol->chwall_ssid_offset));
-    memset(ssidrefs, 0,
-           CWALL_MAX_TYPES * CWALL_MAX_SSIDREFS * sizeof(domaintype_t));
-
-    /* now set type j-1 for ssidref i+1 */
-    for (j = 0; j <= CWALL_MAX_SSIDREFS; j++)
-        if ((0 < j) && (j <= CWALL_MAX_TYPES))
-            ssidrefs[j * CWALL_MAX_TYPES + j - 1] = htons(1);
-
-    ret += CWALL_MAX_TYPES * CWALL_MAX_SSIDREFS * sizeof(domaintype_t);
-    if ((buflen - ret) <
-        (CWALL_MAX_CONFLICTSETS * CWALL_MAX_TYPES * sizeof(domaintype_t)))
-        return -1;              /* not enough space */
-
-    /* now the chinese wall policy conflict sets */
-    conflicts = (domaintype_t *) (bufstart +
-                                  ntohl(chwall_bin_pol->
-                                        chwall_conflict_sets_offset));
-    memset((void *) conflicts, 0,
-           CWALL_MAX_CONFLICTSETS * CWALL_MAX_TYPES *
-           sizeof(domaintype_t));
-    /* just 1 conflict set [0]={2,3}, [1]={1,5,6} */
-    if (CWALL_MAX_TYPES > 3)
-    {
-        conflicts[2] = htons(1);
-        conflicts[3] = htons(1);        /* {2,3} */
-        conflicts[CWALL_MAX_TYPES + 1] = htons(1);
-        conflicts[CWALL_MAX_TYPES + 5] = htons(1);
-        conflicts[CWALL_MAX_TYPES + 6] = htons(1);      /* {0,5,6} */
-    }
-    ret += sizeof(domaintype_t) * CWALL_MAX_CONFLICTSETS * CWALL_MAX_TYPES;
-    return ret;
-}
-
-int acm_domain_set_stepolicy(void *bufstart, int buflen)
-{
-#define STE_MAX_SSIDREFS        6
-#define STE_MAX_TYPES                  5
-
-    struct acm_ste_policy_buffer *ste_bin_pol =
-        (struct acm_ste_policy_buffer *) bufstart;
-    domaintype_t *ssidrefs;
-    int j, ret = 0;
-
-    ste_bin_pol->ste_max_types = htonl(STE_MAX_TYPES);
-    ste_bin_pol->ste_max_ssidrefs = htonl(STE_MAX_SSIDREFS);
-    ste_bin_pol->policy_code = htonl(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY);
-    ste_bin_pol->policy_version = htonl(ACM_STE_VERSION);
-    ste_bin_pol->ste_ssid_offset =
-        htonl(sizeof(struct acm_ste_policy_buffer));
-    ret += sizeof(struct acm_ste_policy_buffer);
-    /* check buffer size */
-    if ((buflen - ret) <
-        (STE_MAX_TYPES * STE_MAX_SSIDREFS * sizeof(domaintype_t)))
-        return -1;              /* not enough space */
-
-    ssidrefs =
-        (domaintype_t *) (bufstart + ntohl(ste_bin_pol->ste_ssid_offset));
-    memset(ssidrefs, 0,
-           STE_MAX_TYPES * STE_MAX_SSIDREFS * sizeof(domaintype_t));
-    /* all types 1 for ssidref 1 */
-    for (j = 0; j < STE_MAX_TYPES; j++)
-        ssidrefs[1 * STE_MAX_TYPES + j] = htons(1);
-    /* now set type j-1 for ssidref j */
-    for (j = 0; j < STE_MAX_SSIDREFS; j++)
-        if ((0 < j) && (j <= STE_MAX_TYPES))
-            ssidrefs[j * STE_MAX_TYPES + j - 1] = htons(1);
-    ret += STE_MAX_TYPES * STE_MAX_SSIDREFS * sizeof(domaintype_t);
-    return ret;
-}
-
-#define MAX_PUSH_BUFFER        16384
-u8 push_buffer[MAX_PUSH_BUFFER];
-
-int acm_domain_setpolicy(int xc_handle)
-{
-    int ret;
-    struct acm_policy_buffer *bin_pol;
-    acm_op_t op;
-
-    /* future: read policy from file and set it */
-    bin_pol = (struct acm_policy_buffer *) push_buffer;
-    bin_pol->policy_version = htonl(ACM_POLICY_VERSION);
-    bin_pol->magic = htonl(ACM_MAGIC);
-    bin_pol->primary_policy_code = htonl(ACM_CHINESE_WALL_POLICY);
-    bin_pol->secondary_policy_code =
-        htonl(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY);
-
-    bin_pol->len = htonl(sizeof(struct acm_policy_buffer));
-    bin_pol->primary_buffer_offset = htonl(ntohl(bin_pol->len));
-    ret =
-        acm_domain_set_chwallpolicy(push_buffer +
-                                    ntohl(bin_pol->primary_buffer_offset),
-                                    MAX_PUSH_BUFFER -
-                                    ntohl(bin_pol->primary_buffer_offset));
-    if (ret < 0)
-    {
-        printf("ERROR creating chwallpolicy buffer.\n");
-        return -1;
-    }
-    bin_pol->len = htonl(ntohl(bin_pol->len) + ret);
-    bin_pol->secondary_buffer_offset = htonl(ntohl(bin_pol->len));
-    ret = acm_domain_set_stepolicy(push_buffer +
-                                 ntohl(bin_pol->secondary_buffer_offset),
-                                 MAX_PUSH_BUFFER -
-                                 ntohl(bin_pol->secondary_buffer_offset));
-    if (ret < 0)
-    {
-        printf("ERROR creating chwallpolicy buffer.\n");
-        return -1;
-    }
-    bin_pol->len = htonl(ntohl(bin_pol->len) + ret);
-
-    /* dump it and then push it down into xen/acm */
-    acm_dump_policy_buffer(push_buffer, ntohl(bin_pol->len));
-
-    op.cmd = ACM_SETPOLICY;
-    op.interface_version = ACM_INTERFACE_VERSION;
-    op.u.setpolicy.pushcache = (void *) push_buffer;
-    op.u.setpolicy.pushcache_size = ntohl(bin_pol->len);
-    ret = do_acm_op(xc_handle, &op);
-
-    if (ret)
-        printf("ERROR setting policy. Use 'xm dmesg' to see details.\n");
-    else
-        printf("Successfully changed policy.\n");
-
-    return ret;
-}
-
 /******************************* get policy ******************************/
 
 #define PULL_CACHE_SIZE                8192
@@ -602,7 +427,6 @@
 void usage(char *progname)
 {
     printf("Use: %s \n"
-           "\t setpolicy\n"
            "\t getpolicy\n"
            "\t dumpstats\n"
            "\t loadpolicy <binary policy file>\n", progname);
@@ -623,12 +447,7 @@
         exit(-1);
     }
 
-    if (!strcmp(argv[1], "setpolicy"))
-    {
-        if (argc != 2)
-            usage(argv[0]);
-        ret = acm_domain_setpolicy(acm_cmd_fd);
-    } else if (!strcmp(argv[1], "getpolicy")) {
+    if (!strcmp(argv[1], "getpolicy")) {
         if (argc != 2)
             usage(argv[0]);
         ret = acm_domain_getpolicy(acm_cmd_fd);
diff -r 3d45fb64b064 -r 509316987d65 xen/Rules.mk
--- a/xen/Rules.mk      Fri Aug 19 10:18:53 2005
+++ b/xen/Rules.mk      Fri Aug 19 10:50:15 2005
@@ -10,14 +10,6 @@
 optimize    ?= y
 domu_debug  ?= n
 crash_debug ?= n
-
-# ACM_USE_SECURITY_POLICY is set to security policy of Xen
-# Supported models are:
-#      ACM_NULL_POLICY (ACM will not be built with this policy)
-#      ACM_CHINESE_WALL_POLICY
-#      ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY
-#      ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY
-ACM_USE_SECURITY_POLICY ?= ACM_NULL_POLICY
 
 include $(BASEDIR)/../Config.mk
 
diff -r 3d45fb64b064 -r 509316987d65 xen/arch/x86/domain_build.c
--- a/xen/arch/x86/domain_build.c       Fri Aug 19 10:18:53 2005
+++ b/xen/arch/x86/domain_build.c       Fri Aug 19 10:50:15 2005
@@ -22,16 +22,28 @@
 #include <asm/i387.h>
 #include <asm/shadow.h>
 
-/* opt_dom0_mem: memory allocated to domain 0. */
-static unsigned int opt_dom0_mem;
+static long dom0_nrpages;
+
+/*
+ * dom0_mem:
+ *  If +ve:
+ *   * The specified amount of memory is allocated to domain 0.
+ *  If -ve:
+ *   * All of memory is allocated to domain 0, minus the specified amount.
+ *  If not specified: 
+ *   * All of memory is allocated to domain 0, minus 1/16th which is reserved
+ *     for uses such as DMA buffers (the reservation is clamped to 128MB).
+ */
 static void parse_dom0_mem(char *s)
 {
-    unsigned long long bytes = parse_size_and_unit(s);
-    /* If no unit is specified we default to kB units, not bytes. */
-    if ( isdigit(s[strlen(s)-1]) )
-        opt_dom0_mem = (unsigned int)bytes;
-    else
-        opt_dom0_mem = (unsigned int)(bytes >> 10);
+    unsigned long long bytes;
+    char *t = s;
+    if ( *s == '-' )
+        t++;
+    bytes = parse_size_and_unit(t);
+    dom0_nrpages = bytes >> PAGE_SHIFT;
+    if ( *s == '-' )
+        dom0_nrpages = -dom0_nrpages;
 }
 custom_param("dom0_mem", parse_dom0_mem);
 
@@ -137,12 +149,30 @@
 
     printk("*** LOADING DOMAIN 0 ***\n");
 
-    /* By default DOM0 is allocated all available memory. */
     d->max_pages = ~0U;
-    if ( (nr_pages = opt_dom0_mem >> (PAGE_SHIFT - 10)) == 0 )
+
+    /*
+     * If domain 0 allocation isn't specified, reserve 1/16th of available
+     * memory for things like DMA buffers. This reservation is clamped to 
+     * a maximum of 128MB.
+     */
+    if ( dom0_nrpages == 0 )
+    {
+        dom0_nrpages = avail_domheap_pages() +
+            ((initrd_len + PAGE_SIZE - 1) >> PAGE_SHIFT) +
+            ((image_len  + PAGE_SIZE - 1) >> PAGE_SHIFT);
+        dom0_nrpages = min(dom0_nrpages / 16, 128L << (20 - PAGE_SHIFT));
+        dom0_nrpages = -dom0_nrpages;
+    }
+
+    /* Negative memory specification means "all memory - specified amount". */
+    if ( dom0_nrpages < 0 )
         nr_pages = avail_domheap_pages() +
             ((initrd_len + PAGE_SIZE - 1) >> PAGE_SHIFT) +
-            ((image_len  + PAGE_SIZE - 1) >> PAGE_SHIFT);
+            ((image_len  + PAGE_SIZE - 1) >> PAGE_SHIFT) +
+            dom0_nrpages;
+    else
+        nr_pages = dom0_nrpages;
 
     if ( (rc = parseelfimage(&dsi)) != 0 )
         return rc;
diff -r 3d45fb64b064 -r 509316987d65 xen/arch/x86/mm.c
--- a/xen/arch/x86/mm.c Fri Aug 19 10:18:53 2005
+++ b/xen/arch/x86/mm.c Fri Aug 19 10:50:15 2005
@@ -3061,7 +3061,7 @@
     }
 
     /* Turn a sub-word access into a full-word access. */
-    if (bytes != sizeof(physaddr_t))
+    if ( bytes != sizeof(physaddr_t) )
     {
         int           rc;
         physaddr_t    full;
@@ -3078,6 +3078,10 @@
         val  &= (((physaddr_t)1 << (bytes*8)) - 1);
         val <<= (offset)*8;
         val  |= full;
+        /* Also fill in missing parts of the cmpxchg old value. */
+        old  &= (((physaddr_t)1 << (bytes*8)) - 1);
+        old <<= (offset)*8;
+        old  |= full;
     }
 
     /* Read the PTE that maps the page being updated. */
@@ -3113,7 +3117,7 @@
     if ( do_cmpxchg )
     {
         ol1e = l1e_from_intpte(old);
-        if ( cmpxchg((unsigned long *)pl1e, old, val) != old )
+        if ( cmpxchg((intpte_t *)pl1e, old, val) != old )
         {
             unmap_domain_page(pl1e);
             put_page_from_l1e(nl1e, d);
@@ -3301,8 +3305,8 @@
     
     /* Finally, make the p.t. page writable by the guest OS. */
     l1e_add_flags(pte, _PAGE_RW);
-    if ( unlikely(__copy_to_user(&linear_pg_table[l1_linear_offset(addr)],
-                                 &pte, sizeof(pte))) )
+    if ( unlikely(__put_user(pte.l1,
+                             &linear_pg_table[l1_linear_offset(addr)].l1)) )
     {
         MEM_LOG("ptwr: Could not update pte at %p", (unsigned long *)
                 &linear_pg_table[l1_linear_offset(addr)]);
diff -r 3d45fb64b064 -r 509316987d65 xen/arch/x86/setup.c
--- a/xen/arch/x86/setup.c      Fri Aug 19 10:18:53 2005
+++ b/xen/arch/x86/setup.c      Fri Aug 19 10:50:15 2005
@@ -244,6 +244,8 @@
 
 #define EARLY_FAIL() for ( ; ; ) __asm__ __volatile__ ( "hlt" )
 
+static struct e820entry e820_raw[E820MAX];
+
 void __init __start_xen(multiboot_info_t *mbi)
 {
     char *cmdline;
@@ -253,7 +255,6 @@
     unsigned long _initrd_start = 0, _initrd_len = 0;
     unsigned int initrdidx = 1;
     physaddr_t s, e;
-    struct e820entry e820_raw[E820MAX];
     int i, e820_raw_nr = 0, bytes = 0;
     struct ns16550_defaults ns16550 = {
         .data_bits = 8,
diff -r 3d45fb64b064 -r 509316987d65 xen/arch/x86/traps.c
--- a/xen/arch/x86/traps.c      Fri Aug 19 10:18:53 2005
+++ b/xen/arch/x86/traps.c      Fri Aug 19 10:50:15 2005
@@ -159,10 +159,8 @@
         addr = *stack++;
         if ( is_kernel_text(addr) )
         {
-            if ( (i != 0) && ((i % 6) == 0) )
-                printk("\n   ");
             printk("[<%p>]", _p(addr));
-            print_symbol(" %s\n", addr);
+            print_symbol(" %s\n   ", addr);
             i++;
         }
     }
diff -r 3d45fb64b064 -r 509316987d65 xen/arch/x86/x86_32/traps.c
--- a/xen/arch/x86/x86_32/traps.c       Fri Aug 19 10:18:53 2005
+++ b/xen/arch/x86/x86_32/traps.c       Fri Aug 19 10:50:15 2005
@@ -66,8 +66,9 @@
 
     printk("CPU:    %d\nEIP:    %04lx:[<%08lx>]",
            smp_processor_id(), (unsigned long)0xffff & regs->cs, eip);
-    print_symbol(" %s\n", eip);
-    printk("EFLAGS: %08lx   CONTEXT: %s\n", eflags, context);
+    if ( !GUEST_MODE(regs) )
+        print_symbol(" %s", eip);
+    printk("\nEFLAGS: %08lx   CONTEXT: %s\n", eflags, context);
     printk("eax: %08x   ebx: %08x   ecx: %08x   edx: %08x\n",
            regs->eax, regs->ebx, regs->ecx, regs->edx);
     printk("esi: %08x   edi: %08x   ebp: %08x   esp: %08lx\n",
diff -r 3d45fb64b064 -r 509316987d65 xen/arch/x86/x86_64/traps.c
--- a/xen/arch/x86/x86_64/traps.c       Fri Aug 19 10:18:53 2005
+++ b/xen/arch/x86/x86_64/traps.c       Fri Aug 19 10:50:15 2005
@@ -17,8 +17,9 @@
 {
     printk("CPU:    %d\nEIP:    %04x:[<%016lx>]",
            smp_processor_id(), 0xffff & regs->cs, regs->rip);
-    print_symbol(" %s\n", regs->rip);
-    printk("EFLAGS: %016lx\n", regs->eflags);
+    if ( !GUEST_MODE(regs) )
+        print_symbol(" %s", regs->rip);
+    printk("\nEFLAGS: %016lx\n", regs->eflags);
     printk("rax: %016lx   rbx: %016lx   rcx: %016lx   rdx: %016lx\n",
            regs->rax, regs->rbx, regs->rcx, regs->rdx);
     printk("rsi: %016lx   rdi: %016lx   rbp: %016lx   rsp: %016lx\n",
diff -r 3d45fb64b064 -r 509316987d65 xen/common/lib.c
--- a/xen/common/lib.c  Fri Aug 19 10:18:53 2005
+++ b/xen/common/lib.c  Fri Aug 19 10:50:15 2005
@@ -450,8 +450,10 @@
                ret <<= 10;
        case 'M': case 'm':
                ret <<= 10;
-       case 'K': case 'k':
+       case 'K': case 'k': default:
                ret <<= 10;
+       case 'B': case 'b':
+               break;
        }
 
        return ret;
diff -r 3d45fb64b064 -r 509316987d65 xen/drivers/char/console.c
--- a/xen/drivers/char/console.c        Fri Aug 19 10:18:53 2005
+++ b/xen/drivers/char/console.c        Fri Aug 19 10:50:15 2005
@@ -652,8 +652,9 @@
 void panic(const char *fmt, ...)
 {
     va_list args;
-    char buf[128], cpustr[10];
+    char buf[128];
     unsigned long flags;
+    static spinlock_t lock = SPIN_LOCK_UNLOCKED;
     extern void machine_restart(char *);
     
     debugtrace_dump();
@@ -665,16 +666,13 @@
     debugger_trap_immediate();
 
     /* Spit out multiline message in one go. */
-    spin_lock_irqsave(&console_lock, flags);
-    __putstr("\n****************************************\n");
-    __putstr("Panic on CPU");
-    sprintf(cpustr, "%d", smp_processor_id());
-    __putstr(cpustr);
-    __putstr(":\n");
-    __putstr(buf);
-    __putstr("****************************************\n\n");
-    __putstr("Reboot in five seconds...\n");
-    spin_unlock_irqrestore(&console_lock, flags);
+    spin_lock_irqsave(&lock, flags);
+    printk("\n****************************************\n");
+    printk("Panic on CPU %d:\n", smp_processor_id());
+    printk(buf);
+    printk("****************************************\n\n");
+    printk("Reboot in five seconds...\n");
+    spin_unlock_irqrestore(&lock, flags);
 
     watchdog_disable();
     mdelay(5000);
diff -r 3d45fb64b064 -r 509316987d65 xen/include/asm-x86/e820.h
--- a/xen/include/asm-x86/e820.h        Fri Aug 19 10:18:53 2005
+++ b/xen/include/asm-x86/e820.h        Fri Aug 19 10:50:15 2005
@@ -3,7 +3,7 @@
 
 #include <asm/page.h>
 
-#define E820MAX        32
+#define E820MAX        128
 
 #define E820_RAM          1
 #define E820_RESERVED     2
diff -r 3d45fb64b064 -r 509316987d65 xen/include/asm-x86/uaccess.h
--- a/xen/include/asm-x86/uaccess.h     Fri Aug 19 10:18:53 2005
+++ b/xen/include/asm-x86/uaccess.h     Fri Aug 19 10:50:15 2005
@@ -125,22 +125,20 @@
        __pu_err;                                                       \
 })                                                     
 
-#define __get_user_nocheck(x,ptr,size)                         \
-({                                                             \
-       long __gu_err, __gu_val;                                \
-       __get_user_size(__gu_val,(ptr),(size),__gu_err,-EFAULT);\
-       (x) = (__typeof__(*(ptr)))__gu_val;                     \
-       __gu_err;                                               \
+#define __get_user_nocheck(x,ptr,size)                          \
+({                                                              \
+       long __gu_err;                                          \
+       __get_user_size((x),(ptr),(size),__gu_err,-EFAULT);     \
+       __gu_err;                                               \
 })
 
-#define __get_user_check(x,ptr,size)                                   \
-({                                                                     \
-       long __gu_err, __gu_val;                                        \
-       __typeof__(*(ptr)) __user *__gu_addr = (ptr);                   \
-       __get_user_size(__gu_val,__gu_addr,(size),__gu_err,-EFAULT);    \
-       (x) = (__typeof__(*(ptr)))__gu_val;                             \
-       if (!__addr_ok(__gu_addr)) __gu_err = -EFAULT;                  \
-       __gu_err;                                                       \
+#define __get_user_check(x,ptr,size)                            \
+({                                                              \
+       long __gu_err;                                          \
+       __typeof__(*(ptr)) __user *__gu_addr = (ptr);           \
+       __get_user_size((x),__gu_addr,(size),__gu_err,-EFAULT); \
+       if (!__addr_ok(__gu_addr)) __gu_err = -EFAULT;          \
+       __gu_err;                                               \
 })                                                     
 
 struct __large_struct { unsigned long buf[100]; };
diff -r 3d45fb64b064 -r 509316987d65 
patches/linux-2.6.12/workaround_double_br_del_if.patch
--- /dev/null   Fri Aug 19 10:18:53 2005
+++ b/patches/linux-2.6.12/workaround_double_br_del_if.patch    Fri Aug 19 
10:50:15 2005
@@ -0,0 +1,11 @@
+--- linux-2.6.12/net/bridge/br_if.c    2005-06-17 14:48:29.000000000 -0500
++++ linux-2.6.12-xen0-smp/net/bridge/br_if.c   2005-08-18 15:17:27.302615846 
-0500
+@@ -382,7 +382,7 @@
+ {
+       struct net_bridge_port *p = dev->br_port;
+       
+-      if (!p || p->br != br) 
++      if (!p || p->br != br || p->state == BR_STATE_DISABLED)
+               return -EINVAL;
+ 
+       br_sysfs_removeif(p);
diff -r 3d45fb64b064 -r 509316987d65 tools/security/example.txt
--- /dev/null   Fri Aug 19 10:18:53 2005
+++ b/tools/security/example.txt        Fri Aug 19 10:50:15 2005
@@ -0,0 +1,269 @@
+##
+# example.txt <description to the xen access control architecture>
+#
+# Author:
+# Reiner Sailer 08/15/2005 <sailer@xxxxxxxxxxxxxx>
+#
+#
+# This file introduces into the tools to manage policies
+# and to label domains and resources.
+##
+
+We will show how to install and use the chwall_ste policy.
+Other policies work similarly. Feedback welcome!
+
+
+
+1. Using secpol_xml2bin to translate the chwall_ste policy:
+===========================================================
+
+#tools/security/secpol_xml2bin chwall_ste
+
+Successful execution should print:
+
+    [root@laptopxn security]# ./secpol_xml2bin chwall_ste
+    Validating label file 
policies/chwall_ste/chwall_ste-security_label_template.xml...
+    XML Schema policies/security_policy.xsd valid.
+    Validating policy file 
policies/chwall_ste/chwall_ste-security_policy.xml...
+    XML Schema policies/security_policy.xsd valid.
+    Creating ssid mappings ...
+    Creating label mappings ...
+    Max chwall labels:  7
+    Max chwall-types:   4
+    Max chwall-ssids:   5
+    Max ste labels:     14
+    Max ste-types:      6
+    Max ste-ssids:      10
+
+The tool looks in directory policies/chwall_ste for
+the label and policy files.
+
+The default policy directory structure under tools/security looks like:
+
+policies
+|-- security_policy.xsd
+|-- chwall
+|   |-- chwall-security_label_template.xml
+|   `-- chwall-security_policy.xml
+|-- chwall_ste
+|   |-- chwall_ste-security_label_template.xml
+|   `-- chwall_ste-security_policy.xml
+|-- null
+|   |-- null-security_label_template.xml
+|   `-- null-security_policy.xml
+`-- ste
+    |-- ste-security_label_template.xml
+    `-- ste-security_policy.xml
+
+policies/security_policy.xsd contains the schema against which both the
+label-template and the policy files must validate during translation.
+
+policies/chwall_ste/chwall_ste-security_policy.xml defines the
+policies and the types known to the policies.
+
+policies/chwall_ste/chwall_ste-security_label_template.xml contains
+label definitions that group chwall and ste types together and make
+them easier to use for users
+
+After executing the above secpol_xml2bin command, you will find 2 new
+files in the policies/chwall_ste sub-directory:
+
+policies/chwall_ste/chwall_ste.map ... this file includes the mapping
+of names from the xml files into their binary code representation.
+
+policies/chwall_ste/chwall_ste.bin ... this is the binary policy file,
+the result of parsing the xml files and using the mapping to extract a
+binary version that can be loaded into the hypervisor.
+
+
+
+2. Loading and activating the policy:
+=====================================
+
+We assume that xen is already configured to use the chwall_ste policy;
+please refer to install.txt for instructions.
+
+To activate the policy from the command line (assuming that the
+currently established policy is the minimal boot-policy that is
+hard-coded into the hypervisor:
+
+# ./secpol_tool loadpolicy policies/chwall_ste/chwall_ste.bin
+
+To activate the policy at next reboot:
+
+# cp policies/chwall_ste/chwall_ste.bin /boot
+
+Add a module line to your /boot/grub/grub.conf Xen entry.
+My boot entry with chwall_ste enabled looks like this:
+
+    title Xen (2.6.12)
+        root (hd0,5)
+        kernel /boot/xen.gz dom0_mem=1200000 console=vga
+        module /boot/vmlinuz-2.6.12-xen0 ro root=/dev/hda6 rhgb
+        module /boot/initrd-2.6.12-xen0.img
+        module /boot/chwall_ste.bin
+
+This tells the grub boot-loader to load the binary policy, which
+the hypervisor will recognize. The hypervisor will then establish
+this binary policy during boot instead of the minimal policy that
+is hardcoded as default.
+
+If you have any trouble here, maks sure you have the access control
+framework enabled (see: install.txt).
+
+
+
+3. Labeling domains:
+====================
+
+a) Labeling Domain0:
+
+The chwall_ste-security_label_template.xml file includes an attribute
+"bootstrap", which is set to the label name that will be assigned to
+Dom0 (this label will be mapped to ssidref 1/1, the default for Dom0).
+
+b) Labeling User Domains:
+
+Use the script tools/security/setlabel.sh to choose a label and to
+assign labels to user domains.
+
+To show available labels for the chwall_ste policy:
+
+#tools/security/setlabel.sh -l
+
+lists all available labels. For the default chwall_ste it should print
+the following:
+
+    [root@laptopxn security]# ./setlabel.sh -l chwall_ste
+    The following labels are available:
+    dom_SystemManagement
+    dom_HomeBanking
+    dom_Fun
+    dom_BoincClient
+    dom_StorageDomain
+    dom_NetworkDomain
+
+You need to have compiled the policy beforehand so that a .map file
+exists. Setlabel.sh uses the mapping file created throughout the
+policy translation to translate a user-friendly label string into a
+ssidref-number that is eventually used by the Xen hypervisor.
+
+We distinguish two kinds of labels: a) VM labels (for domains) and RES
+Labels (for resources). We are currently working on support for
+resource labeling but will focus here on VM labels.
+
+Setlabel.sh only prints VM labels (which we have prefixed with "dom_")
+since only those are used at this time.
+
+If you would like to assign the dom_HomeBanking label to one of your
+user domains (which you hopefully keep clean), look at an example
+domain configuration homebanking.xm:
+
+    #------HOMEBANKING---------
+    kernel = "/boot/vmlinuz-2.6.12-xenU"
+    ramdisk="/boot/U1_ramdisk.img"
+    memory = 65
+    name = "test34"
+    cpu = -1   # leave to Xen to pick
+    # Number of network interfaces. Default is 1.
+    nics=1
+    dhcp="dhcp"
+    #-------------------------
+
+Now we label this domain
+
+[root@laptopxn security]# ./setlabel.sh homebanking.xm dom_HomeBanking 
chwall_ste
+Mapped label 'dom_HomeBanking' to ssidref '0x00020002'.
+
+The domain configuration my look now like:
+
+    [root@laptopxn security]# cat homebanking.xm
+    #------HOMEBANKING---------
+    kernel = "/boot/vmlinuz-2.6.12-xenU"
+    ramdisk="/boot/U1_ramdisk.img"
+    memory = 65
+    name = "test34"
+    cpu = -1   # leave to Xen to pick
+    # Number of network interfaces. Default is 1.
+    nics=1
+    dhcp="dhcp"
+    #-------------------------
+    #ACM_POLICY=chwall_ste-security_policy.xml
+    #ACM_LABEL=dom_HomeBanking
+    ssidref = 0x00020002
+
+You can see 3 new entries, two of which are comments.  The only value
+that the hypervisor cares about is the ssidref that will reference
+those types assigned to this label. You can look them up in the
+xml label-template file for the chwall_ste policy.
+
+This script will eventually move into the domain management and will
+be called when the domain is instantiated. For now, the setlabel
+script must be run on domains whenever the policy files change since
+the mapping between label names and ssidrefs can change in this case.
+
+
+4. Starting a labeled domain
+============================
+
+Now, start the domain:
+    #xm create -c homebanking.xm
+
+
+If you label another domain configuration as dom_Fun and try to start
+it afterwards, its start will fail. Why?
+
+Because the running homebanking domain has the chinese wall type
+"cw_Sensitive". The new domain dom_Fun has the chinese wall label
+"cw_Distrusted". This domain is not allowed to run simultaneously
+because of the defined conflict set
+
+                       <conflictset name="Protection1">
+                               <type>cw_Sensitive</type>
+                               <type>cw_Distrusted</type>
+                       </conflictset>
+
+(in policies/chwall_ste/chwall_ste-security_policy.xml), which says
+that only one of the types cw_sensitive and cw_Distrusted can run at a
+time.
+
+If you save or shutdown the HomeBanking domain, you will be able to
+start the "Fun" domain. You can look into the Xen log to see if a
+domain was denied to start because of the access control framework
+with the command 'xm dmesg'.
+
+It is important (and usually non-trivial) to define the labels in a
+way that the semantics of the labels are enforced and supported by the
+types and the conflict sets.
+
+Note: While the chinese wall policy enforcement is complete, the type
+enforcement is currently enforced in the Xen hypervisor
+only. Therefore, only point-to-point sharing with regard to the type
+enforcement is currently controlled. We are working on enhancements to
+Dom0 that enforce types also for network traffic that is routed
+through Dom0 and on the enforcement of resource labeling when binding
+resources to domains (e.g., enforcing types between domains and
+hardware resources, such as disk partitions).
+
+
+4. Adding your own policies
+===========================
+
+Writing your own policy (e.g. "mypolicy") requires the following:
+
+a) the policy definition (types etc.) file
+b) the label template definition (labels etc.) file
+
+If your policy name is "mypolicy", you need to create a
+subdirectory mypolicy in tools/security/policies.
+
+Then you create
+tools/security/policies/mypolicy/mypolicy-security_policy.xml and
+tools/security/policies/mypolicy/mypolicy-security_label_template.xml.
+
+You need to keep to the schema as defined in
+tools/security/security_policy.xsd since the translation tool
+secpol_xml2bin is written against this schema.
+
+If you keep to the security policy schema, then you can use all the
+tools described above. Refer to install.txt to install it.
diff -r 3d45fb64b064 -r 509316987d65 tools/security/install.txt
--- /dev/null   Fri Aug 19 10:18:53 2005
+++ b/tools/security/install.txt        Fri Aug 19 10:50:15 2005
@@ -0,0 +1,67 @@
+##
+# install.txt <description to the xen access control architecture>
+#
+# Author:
+# Reiner Sailer 08/15/2005 <sailer@xxxxxxxxxxxxxx>
+#
+#
+# This file shows how to activate and install the access control
+# framework.
+##
+
+
+INSTALLING A SECURITY POLICY IN XEN
+===================================
+
+By default, the access control architecture is disabled in Xen. To
+enable the access control architecture in Xen follow the steps below.
+This description assumes that you want to install the Chinese Wall and
+Simple Type Enforcement policy. Some file names need to be replaced
+below to activate the Chinese Wall OR the Type Enforcement policy
+exclusively (chwall_ste --> {chwall, ste}).
+
+1. enable access control in Xen
+       # cd "xen_root"
+       # edit/xemacs/vi Config.mk
+
+       change the line:
+       ACM_USE_SECURITY_POLICY ?= ACM_NULL_POLICY
+
+       to:
+       ACM_USE_SECURITY_POLICY ?= 
ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY
+
+       # make all
+       # ./install.sh
+
+2. compile the policy from xml to a binary format that can be loaded
+   into the hypervisor for enforcement
+       # cd tools/security
+       # make
+
+       manual steps (alternative to make boot_install):
+       #./secpol_xml2bin chwall_ste
+       #cp policies/chwall_ste/chwall_ste.bin /boot
+       #edit /boot/grub/grub.conf
+        add the follwoing line to your xen boot entry:
+       "module chwall_ste.bin"
+
+       alternatively, you can try our automatic translation and
+       installation of the policy:
+       # make boot_install
+
+       [we try hard to do the right thing to the right boot entry but
+        please verify boot entry in /boot/grub/grub.conf afterwards;
+        your xen boot entry should have an additional module line
+        specifying a chwall_ste.bin file with the correct directory
+        (e.g. "/" or "/boot").]
+
+
+3. reboot into the newly compiled hypervisor
+
+        after boot
+       #xm dmesg should show an entry about the policy being loaded
+            during the boot process
+
+        #tools/security/secpol_tool getpolicy
+            should print the new chwall_ste binary policy representation
+
diff -r 3d45fb64b064 -r 509316987d65 
tools/security/policies/chwall/chwall-security_label_template.xml
--- /dev/null   Fri Aug 19 10:18:53 2005
+++ b/tools/security/policies/chwall/chwall-security_label_template.xml Fri Aug 
19 10:50:15 2005
@@ -0,0 +1,76 @@
+<?xml version="1.0"?>
+<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com  -->
+<!--              This file defines the security labels, which can  -->
+<!--              be attached to Domains and resources. Based on    -->
+<!--              these labels, the access control module decides   -->
+<!--              about sharing between Domains and about access    -->
+<!--              of Domains to real resources.                     -->
+
+<SecurityLabelTemplate
+ xmlns="http://www.ibm.com";
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
+ xsi:schemaLocation="http://www.ibm.com security_policy.xsd">
+   <LabelHeader>
+      <Name>chwall-security_label_template</Name>
+      <Date>2005-08-10</Date>
+      <PolicyName>
+         <Url>chwall-security_policy.xml</Url>
+         <Reference>abcdef123456abcdef</Reference>
+      </PolicyName>
+   </LabelHeader>
+
+   <SubjectLabels bootstrap="dom_SystemManagement">
+      <!-- single ste typed domains            -->
+      <!-- ACM enforces that only domains with -->
+      <!-- the same type can share information -->
+      <!--                                     -->
+      <!-- Bootstrap label is assigned to Dom0 -->
+      <VirtualMachineLabel>
+       <Name>dom_HomeBanking</Name>
+         <ChineseWallTypes>
+            <Type>cw_Sensitive</Type>
+         </ChineseWallTypes>
+      </VirtualMachineLabel>
+
+      <VirtualMachineLabel>
+       <Name>dom_Fun</Name>
+         <ChineseWallTypes>
+            <Type>cw_Distrusted</Type>
+         </ChineseWallTypes>
+      </VirtualMachineLabel>
+
+      <VirtualMachineLabel>
+        <!-- donating some cycles to seti@home -->
+       <Name>dom_BoincClient</Name>
+         <ChineseWallTypes>
+            <Type>cw_Isolated</Type>
+         </ChineseWallTypes>
+      </VirtualMachineLabel>
+
+      <!-- Domains with multiple ste types services; such domains   -->
+      <!-- must keep the types inside their domain safely confined. -->
+      <VirtualMachineLabel>
+       <Name>dom_SystemManagement</Name>
+         <ChineseWallTypes>
+            <Type>cw_SystemManagement</Type>
+         </ChineseWallTypes>
+      </VirtualMachineLabel>
+
+      <VirtualMachineLabel>
+        <!-- serves persistent storage to other domains -->
+       <Name>dom_StorageDomain</Name>
+         <ChineseWallTypes>
+            <Type>cw_SystemManagement</Type>
+         </ChineseWallTypes>
+      </VirtualMachineLabel>
+
+      <VirtualMachineLabel>
+        <!-- serves network access to other domains -->
+       <Name>dom_NetworkDomain</Name>
+         <ChineseWallTypes>
+            <Type>cw_SystemManagement</Type>
+         </ChineseWallTypes>
+      </VirtualMachineLabel>
+   </SubjectLabels>
+</SecurityLabelTemplate>
+
diff -r 3d45fb64b064 -r 509316987d65 
tools/security/policies/chwall/chwall-security_policy.xml
--- /dev/null   Fri Aug 19 10:18:53 2005
+++ b/tools/security/policies/chwall/chwall-security_policy.xml Fri Aug 19 
10:50:15 2005
@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com  -->
+<!--             This file defines the security policies, which     -->
+<!--             can be enforced by the Xen Access Control Module.  -->
+<!--             Currently: Chinese Wall and Simple Type Enforcement-->
+<SecurityPolicyDefinition xmlns="http://www.ibm.com";
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
+ xsi:schemaLocation="http://www.ibm.com security_policy.xsd">
+<PolicyHeader>
+               <Name>chwall-security_policy</Name>
+               <Date>2005-08-10</Date>
+</PolicyHeader>
+<!--                                             -->
+<!-- example of a chinese wall type definition   -->
+<!-- along with its conflict sets                -->
+<!-- (typse in a confict set are exclusive, i.e. -->
+<!--  once a Domain with one type of a set is    -->
+<!--  running, no other Domain with another type -->
+<!--  of the same conflict set can start.)       -->
+       <ChineseWall priority="PrimaryPolicyComponent">
+        <ChineseWallTypes>
+            <Type>cw_SystemManagement</Type>
+            <Type>cw_Sensitive</Type>
+            <Type>cw_Isolated</Type>
+            <Type>cw_Distrusted</Type>
+        </ChineseWallTypes>
+
+        <ConflictSets>
+        <Conflict name="Protection1">
+            <Type>cw_Sensitive</Type>
+            <Type>cw_Distrusted</Type>
+        </Conflict>
+        </ConflictSets>
+       </ChineseWall>
+</SecurityPolicyDefinition>
+
diff -r 3d45fb64b064 -r 509316987d65 
tools/security/policies/chwall_ste/chwall_ste-security_label_template.xml
--- /dev/null   Fri Aug 19 10:18:53 2005
+++ b/tools/security/policies/chwall_ste/chwall_ste-security_label_template.xml 
Fri Aug 19 10:50:15 2005
@@ -0,0 +1,167 @@
+<?xml version="1.0"?>
+<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com  -->
+<!--              This file defines the security labels, which can  -->
+<!--              be attached to Domains and resources. Based on    -->
+<!--              these labels, the access control module decides   -->
+<!--              about sharing between Domains and about access    -->
+<!--              of Domains to real resources.                     -->
+
+<SecurityLabelTemplate
+ xmlns="http://www.ibm.com";
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
+ xsi:schemaLocation="http://www.ibm.com security_policy.xsd">
+   <LabelHeader>
+      <Name>chwall_ste-security_label_template</Name>
+      <Date>2005-08-10</Date>
+      <PolicyName>
+         <Url>chwall_ste-security_policy.xml</Url>
+         <Reference>abcdef123456abcdef</Reference>
+      </PolicyName>
+   </LabelHeader>
+
+   <SubjectLabels bootstrap="dom_SystemManagement">
+      <!-- single ste typed domains            -->
+      <!-- ACM enforces that only domains with -->
+      <!-- the same type can share information -->
+      <!--                                     -->
+      <!-- Bootstrap label is assigned to Dom0 -->
+      <VirtualMachineLabel>
+       <Name>dom_HomeBanking</Name>
+         <SimpleTypeEnforcementTypes>
+            <Type>ste_PersonalFinances</Type>
+         </SimpleTypeEnforcementTypes>
+
+         <ChineseWallTypes>
+            <Type>cw_Sensitive</Type>
+         </ChineseWallTypes>
+      </VirtualMachineLabel>
+
+      <VirtualMachineLabel>
+       <Name>dom_Fun</Name>
+         <SimpleTypeEnforcementTypes>
+            <Type>ste_InternetInsecure</Type>
+         </SimpleTypeEnforcementTypes>
+
+         <ChineseWallTypes>
+            <Type>cw_Distrusted</Type>
+         </ChineseWallTypes>
+      </VirtualMachineLabel>
+
+      <VirtualMachineLabel>
+        <!-- donating some cycles to seti@home -->
+       <Name>dom_BoincClient</Name>
+         <SimpleTypeEnforcementTypes>
+            <Type>ste_DonatedCycles</Type>
+         </SimpleTypeEnforcementTypes>
+
+         <ChineseWallTypes>
+            <Type>cw_Isolated</Type>
+         </ChineseWallTypes>
+      </VirtualMachineLabel>
+
+      <!-- Domains with multiple ste types services; such domains   -->
+      <!-- must keep the types inside their domain safely confined. -->
+      <VirtualMachineLabel>
+       <Name>dom_SystemManagement</Name>
+         <SimpleTypeEnforcementTypes>
+            <!-- since dom0 needs access to every domain and -->
+            <!-- resource right now ... -->
+            <Type>ste_SystemManagement</Type>
+            <Type>ste_PersonalFinances</Type>
+            <Type>ste_InternetInsecure</Type>
+            <Type>ste_DonatedCycles</Type>
+            <Type>ste_PersistentStorageA</Type>
+            <Type>ste_NetworkAdapter0</Type>
+         </SimpleTypeEnforcementTypes>
+
+         <ChineseWallTypes>
+            <Type>cw_SystemManagement</Type>
+         </ChineseWallTypes>
+      </VirtualMachineLabel>
+
+      <VirtualMachineLabel>
+        <!-- serves persistent storage to other domains -->
+       <Name>dom_StorageDomain</Name>
+         <SimpleTypeEnforcementTypes>
+            <!-- access right to the resource (hard drive a) -->
+            <Type>ste_PersistentStorageA</Type>
+            <!-- can serve following types -->
+            <Type>ste_PersonalFinances</Type>
+            <Type>ste_InternetInsecure</Type>
+         </SimpleTypeEnforcementTypes>
+
+         <ChineseWallTypes>
+            <Type>cw_SystemManagement</Type>
+         </ChineseWallTypes>
+      </VirtualMachineLabel>
+
+      <VirtualMachineLabel>
+        <!-- serves network access to other domains -->
+       <Name>dom_NetworkDomain</Name>
+         <SimpleTypeEnforcementTypes>
+            <!-- access right to the resource (ethernet card) -->
+            <Type>ste_NetworkAdapter0</Type>
+            <!-- can serve following types -->
+            <Type>ste_PersonalFinances</Type>
+            <Type>ste_InternetInsecure</Type>
+            <Type>ste_DonatedCycles</Type>
+         </SimpleTypeEnforcementTypes>
+
+         <ChineseWallTypes>
+            <Type>cw_SystemManagement</Type>
+         </ChineseWallTypes>
+      </VirtualMachineLabel>
+   </SubjectLabels>
+
+   <ObjectLabels>
+      <ResourceLabel>
+       <Name>res_ManagementResource</Name>
+         <SimpleTypeEnforcementTypes>
+            <Type>ste_SystemManagement</Type>
+         </SimpleTypeEnforcementTypes>
+      </ResourceLabel>
+
+      <ResourceLabel>
+       <Name>res_HardDrive (hda)</Name>
+         <SimpleTypeEnforcementTypes>
+            <Type>ste_PersistentStorageA</Type>
+         </SimpleTypeEnforcementTypes>
+      </ResourceLabel>
+
+      <ResourceLabel>
+       <Name>res_LogicalDiskPartition1 (hda1)</Name>
+         <SimpleTypeEnforcementTypes>
+            <Type>ste_PersonalFinances</Type>
+         </SimpleTypeEnforcementTypes>
+      </ResourceLabel>
+
+      <ResourceLabel>
+       <Name>res_LogicalDiskPartition2 (hda2)</Name>
+         <SimpleTypeEnforcementTypes>
+            <Type>ste_InternetInsecure</Type>
+         </SimpleTypeEnforcementTypes>
+      </ResourceLabel>
+
+      <ResourceLabel>
+       <Name>res_EthernetCard</Name>
+         <SimpleTypeEnforcementTypes>
+            <Type>ste_NetworkAdapter0</Type>
+         </SimpleTypeEnforcementTypes>
+      </ResourceLabel>
+
+      <ResourceLabel>
+       <Name>res_SecurityToken</Name>
+         <SimpleTypeEnforcementTypes>
+            <Type>ste_PersonalFinances</Type>
+         </SimpleTypeEnforcementTypes>
+      </ResourceLabel>
+
+      <ResourceLabel>
+       <Name>res_GraphicsAdapter</Name>
+         <SimpleTypeEnforcementTypes>
+            <Type>ste_SystemManagement</Type>
+         </SimpleTypeEnforcementTypes>
+      </ResourceLabel>
+   </ObjectLabels>
+</SecurityLabelTemplate>
+
diff -r 3d45fb64b064 -r 509316987d65 
tools/security/policies/chwall_ste/chwall_ste-security_policy.xml
--- /dev/null   Fri Aug 19 10:18:53 2005
+++ b/tools/security/policies/chwall_ste/chwall_ste-security_policy.xml Fri Aug 
19 10:50:15 2005
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com  -->
+<!--             This file defines the security policies, which     -->
+<!--             can be enforced by the Xen Access Control Module.  -->
+<!--             Currently: Chinese Wall and Simple Type Enforcement-->
+<SecurityPolicyDefinition xmlns="http://www.ibm.com";
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
+ xsi:schemaLocation="http://www.ibm.com security_policy.xsd">
+<PolicyHeader>
+               <Name>chwall_ste-security_policy</Name>
+               <Date>2005-08-10</Date>
+</PolicyHeader>
+<!--                                                        -->
+<!-- example of a simple type enforcement policy definition -->
+<!--                                                        -->
+       <SimpleTypeEnforcement>
+        <SimpleTypeEnforcementTypes>
+            <Type>ste_SystemManagement</Type>   <!-- machine/security 
management -->
+            <Type>ste_PersonalFinances</Type>   <!-- personal finances -->
+            <Type>ste_InternetInsecure</Type>   <!-- games, active X, etc. -->
+            <Type>ste_DonatedCycles</Type>      <!-- donation to 
BOINC/seti@home -->
+            <Type>ste_PersistentStorageA</Type> <!-- domain managing the 
harddrive A-->
+            <Type>ste_NetworkAdapter0</Type>    <!-- type of the domain 
managing ethernet adapter 0-->
+        </SimpleTypeEnforcementTypes>
+       </SimpleTypeEnforcement>
+<!--                                             -->
+<!-- example of a chinese wall type definition   -->
+<!-- along with its conflict sets                -->
+<!-- (typse in a confict set are exclusive, i.e. -->
+<!--  once a Domain with one type of a set is    -->
+<!--  running, no other Domain with another type -->
+<!--  of the same conflict set can start.)       -->
+       <ChineseWall priority="PrimaryPolicyComponent">
+        <ChineseWallTypes>
+            <Type>cw_SystemManagement</Type>
+            <Type>cw_Sensitive</Type>
+            <Type>cw_Isolated</Type>
+            <Type>cw_Distrusted</Type>
+        </ChineseWallTypes>
+
+        <ConflictSets>
+        <Conflict name="Protection1">
+            <Type>cw_Sensitive</Type>
+            <Type>cw_Distrusted</Type>
+        </Conflict>
+        </ConflictSets>
+       </ChineseWall>
+</SecurityPolicyDefinition>
+
diff -r 3d45fb64b064 -r 509316987d65 
tools/security/policies/null/null-security_label_template.xml
--- /dev/null   Fri Aug 19 10:18:53 2005
+++ b/tools/security/policies/null/null-security_label_template.xml     Fri Aug 
19 10:50:15 2005
@@ -0,0 +1,24 @@
+<?xml version="1.0"?>
+<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com  -->
+<!--              This file defines the security labels, which can  -->
+<!--              be attached to Domains and resources. Based on    -->
+<!--              these labels, the access control module decides   -->
+<!--              about sharing between Domains and about access    -->
+<!--              of Domains to real resources.                     -->
+
+<SecurityLabelTemplate
+ xmlns="http://www.ibm.com";
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
+ xsi:schemaLocation="http://www.ibm.com security_policy.xsd">
+   <LabelHeader>
+      <Name>null-security_label_template</Name>
+
+      <Date>2005-08-10</Date>
+      <PolicyName>
+         <Url>null-security_policy.xml</Url>
+
+         <Reference>abcdef123456abcdef</Reference>
+      </PolicyName>
+   </LabelHeader>
+</SecurityLabelTemplate>
+
diff -r 3d45fb64b064 -r 509316987d65 
tools/security/policies/null/null-security_policy.xml
--- /dev/null   Fri Aug 19 10:18:53 2005
+++ b/tools/security/policies/null/null-security_policy.xml     Fri Aug 19 
10:50:15 2005
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com  -->
+<!--             This file defines the security policies, which     -->
+<!--             can be enforced by the Xen Access Control Module.  -->
+<!--             Currently: Chinese Wall and Simple Type Enforcement-->
+<SecurityPolicyDefinition xmlns="http://www.ibm.com";
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
+ xsi:schemaLocation="http://www.ibm.com security_policy.xsd">
+<PolicyHeader>
+               <Name>null-security_policy</Name>
+               <Date>2005-08-10</Date>
+</PolicyHeader>
+</SecurityPolicyDefinition>
+
diff -r 3d45fb64b064 -r 509316987d65 tools/security/policies/security_policy.xsd
--- /dev/null   Fri Aug 19 10:18:53 2005
+++ b/tools/security/policies/security_policy.xsd       Fri Aug 19 10:50:15 2005
@@ -0,0 +1,138 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Author: Ray Valdez, Reiner Sailer {rvaldez,sailer}@us.ibm.com -->
+<!--         This file defines the schema, which is used to define -->
+<!--         the security policy and the security labels in Xe.    -->
+
+<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"; 
targetNamespace="http://www.ibm.com"; xmlns="http://www.ibm.com"; 
elementFormDefault="qualified">
+       <xsd:element name="SecurityPolicyDefinition">
+               <xsd:complexType>
+                       <xsd:sequence>
+                               <xsd:element ref="PolicyHeader" minOccurs="0" 
maxOccurs="1"></xsd:element>
+                               <xsd:element ref="SimpleTypeEnforcement" 
minOccurs="0" maxOccurs="1"></xsd:element>
+                               <xsd:element ref="ChineseWall" minOccurs="0" 
maxOccurs="1"></xsd:element>
+                       </xsd:sequence>
+               </xsd:complexType>
+       </xsd:element>
+       <xsd:element name="SecurityLabelTemplate">
+               <xsd:complexType>
+                       <xsd:sequence>
+                               <xsd:element ref="LabelHeader" minOccurs="1" 
maxOccurs="1"></xsd:element>
+                               <xsd:element name="SubjectLabels" minOccurs="0" 
maxOccurs="1">
+                                       <xsd:complexType>
+                                               <xsd:sequence>
+                                                       <xsd:element 
ref="VirtualMachineLabel" minOccurs="1" maxOccurs="unbounded"></xsd:element>
+                                               </xsd:sequence>
+                                               <xsd:attribute name="bootstrap" 
type="xsd:string" use="required"></xsd:attribute>
+                                       </xsd:complexType>
+                               </xsd:element>
+                               <xsd:element name="ObjectLabels" minOccurs="0" 
maxOccurs="1">
+                                       <xsd:complexType>
+                                               <xsd:sequence>
+                                                       <xsd:element 
ref="ResourceLabel" minOccurs="1" maxOccurs="unbounded"></xsd:element>
+                                               </xsd:sequence>
+                                       </xsd:complexType>
+                               </xsd:element>
+                       </xsd:sequence>
+               </xsd:complexType>
+       </xsd:element>
+       <xsd:element name="PolicyHeader">
+               <xsd:complexType>
+                       <xsd:sequence>
+                               <xsd:element ref="Name" minOccurs="1" 
maxOccurs="1" />
+                               <xsd:element ref="Date" minOccurs="1" 
maxOccurs="1" />
+                       </xsd:sequence>
+               </xsd:complexType>
+       </xsd:element>
+       <xsd:element name="LabelHeader">
+               <xsd:complexType>
+                       <xsd:sequence>
+                               <xsd:element ref="Name"></xsd:element>
+                               <xsd:element ref="Date" minOccurs="1" 
maxOccurs="1"></xsd:element>
+                               <xsd:element ref="PolicyName" minOccurs="1" 
maxOccurs="1"></xsd:element>
+                       </xsd:sequence>
+               </xsd:complexType>
+       </xsd:element>
+       <xsd:element name="SimpleTypeEnforcement">
+               <xsd:complexType>
+                       <xsd:sequence>
+                               <xsd:element ref="SimpleTypeEnforcementTypes" />
+                       </xsd:sequence>
+                       <xsd:attribute name="priority" type="PolicyOrder" 
use="optional"></xsd:attribute>
+               </xsd:complexType>
+       </xsd:element>
+       <xsd:element name="ChineseWall">
+               <xsd:complexType>
+                       <xsd:sequence>
+                               <xsd:element ref="ChineseWallTypes" />
+                               <xsd:element ref="ConflictSets" />
+                       </xsd:sequence>
+                       <xsd:attribute name="priority" type="PolicyOrder" 
use="optional"></xsd:attribute>
+               </xsd:complexType>
+       </xsd:element>
+       <xsd:element name="ChineseWallTypes">
+               <xsd:complexType>
+                       <xsd:sequence>
+                               <xsd:element maxOccurs="unbounded" 
minOccurs="1" ref="Type" />
+                       </xsd:sequence>
+               </xsd:complexType>
+       </xsd:element>
+       <xsd:element name="ConflictSets">
+               <xsd:complexType>
+                       <xsd:sequence>
+                               <xsd:element maxOccurs="unbounded" 
minOccurs="1" ref="Conflict" />
+                       </xsd:sequence>
+               </xsd:complexType>
+       </xsd:element>
+       <xsd:element name="SimpleTypeEnforcementTypes">
+               <xsd:complexType>
+                       <xsd:sequence>
+                               <xsd:element maxOccurs="unbounded" 
minOccurs="1" ref="Type" />
+                       </xsd:sequence>
+               </xsd:complexType>
+       </xsd:element>
+       <xsd:element name="Conflict">
+               <xsd:complexType>
+                       <xsd:sequence>
+                               <xsd:element maxOccurs="unbounded" 
minOccurs="1" ref="Type" />
+                       </xsd:sequence>
+                       <xsd:attribute name="name" type="xsd:string" 
use="optional"></xsd:attribute>
+               </xsd:complexType>
+       </xsd:element>
+       <xsd:element name="VirtualMachineLabel">
+               <xsd:complexType>
+                       <xsd:sequence>
+                               <xsd:element ref="Name"></xsd:element>
+                               <xsd:element ref="SimpleTypeEnforcementTypes" 
minOccurs="0" maxOccurs="unbounded" />
+                               <xsd:element ref="ChineseWallTypes" 
minOccurs="0" maxOccurs="unbounded" />
+                       </xsd:sequence>
+               </xsd:complexType>
+       </xsd:element>
+       <xsd:element name="ResourceLabel">
+               <xsd:complexType>
+                       <xsd:sequence>
+                               <xsd:element ref="Name"></xsd:element>
+                               <xsd:element ref="SimpleTypeEnforcementTypes" 
minOccurs="0" maxOccurs="unbounded" />
+                       </xsd:sequence>
+               </xsd:complexType>
+       </xsd:element>
+       <xsd:element name="PolicyName">
+               <xsd:complexType>
+                       <xsd:sequence>
+                               <xsd:element ref="Url" />
+                               <xsd:element ref="Reference" />
+                       </xsd:sequence>
+               </xsd:complexType>
+       </xsd:element>
+       <xsd:element name="Date" type="xsd:string" />
+       <xsd:element name="Name" type="xsd:string" />
+       <xsd:element name="Type" type="xsd:string" />
+       <xsd:element name="Reference" type="xsd:string" />
+       <xsd:element name="Url"></xsd:element>
+
+       <xsd:simpleType name="PolicyOrder">
+               <xsd:restriction base="xsd:string">
+                       <xsd:enumeration 
value="PrimaryPolicyComponent"></xsd:enumeration>
+               </xsd:restriction>
+       </xsd:simpleType>
+
+</xsd:schema>
diff -r 3d45fb64b064 -r 509316987d65 
tools/security/policies/ste/ste-security_label_template.xml
--- /dev/null   Fri Aug 19 10:18:53 2005
+++ b/tools/security/policies/ste/ste-security_label_template.xml       Fri Aug 
19 10:50:15 2005
@@ -0,0 +1,143 @@
+<?xml version="1.0"?>
+<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com  -->
+<!--              This file defines the security labels, which can  -->
+<!--              be attached to Domains and resources. Based on    -->
+<!--              these labels, the access control module decides   -->
+<!--              about sharing between Domains and about access    -->
+<!--              of Domains to real resources.                     -->
+
+<SecurityLabelTemplate
+ xmlns="http://www.ibm.com";
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
+ xsi:schemaLocation="http://www.ibm.com security_policy.xsd">
+   <LabelHeader>
+      <Name>ste-security_label_template</Name>
+      <Date>2005-08-10</Date>
+      <PolicyName>
+         <Url>ste-security_policy.xml</Url>
+         <Reference>abcdef123456abcdef</Reference>
+      </PolicyName>
+   </LabelHeader>
+
+   <SubjectLabels bootstrap="dom_SystemManagement">
+      <!-- single ste typed domains            -->
+      <!-- ACM enforces that only domains with -->
+      <!-- the same type can share information -->
+      <!--                                     -->
+      <!-- Bootstrap label is assigned to Dom0 -->
+      <VirtualMachineLabel>
+       <Name>dom_HomeBanking</Name>
+         <SimpleTypeEnforcementTypes>
+            <Type>ste_PersonalFinances</Type>
+         </SimpleTypeEnforcementTypes>
+      </VirtualMachineLabel>
+
+      <VirtualMachineLabel>
+       <Name>dom_Fun</Name>
+         <SimpleTypeEnforcementTypes>
+            <Type>ste_InternetInsecure</Type>
+         </SimpleTypeEnforcementTypes>
+      </VirtualMachineLabel>
+
+      <VirtualMachineLabel>
+        <!-- donating some cycles to seti@home -->
+       <Name>dom_BoincClient</Name>
+         <SimpleTypeEnforcementTypes>
+            <Type>ste_DonatedCycles</Type>
+         </SimpleTypeEnforcementTypes>
+      </VirtualMachineLabel>
+
+      <!-- Domains with multiple ste types services; such domains   -->
+      <!-- must keep the types inside their domain safely confined. -->
+      <VirtualMachineLabel>
+       <Name>dom_SystemManagement</Name>
+         <SimpleTypeEnforcementTypes>
+            <!-- since dom0 needs access to every domain and -->
+            <!-- resource right now ... -->
+            <Type>ste_SystemManagement</Type>
+            <Type>ste_PersonalFinances</Type>
+            <Type>ste_InternetInsecure</Type>
+            <Type>ste_DonatedCycles</Type>
+            <Type>ste_PersistentStorageA</Type>
+            <Type>ste_NetworkAdapter0</Type>
+         </SimpleTypeEnforcementTypes>
+      </VirtualMachineLabel>
+
+      <VirtualMachineLabel>
+        <!-- serves persistent storage to other domains -->
+       <Name>dom_StorageDomain</Name>
+         <SimpleTypeEnforcementTypes>
+            <!-- access right to the resource (hard drive a) -->
+            <Type>ste_PersistentStorageA</Type>
+            <!-- can serve following types -->
+            <Type>ste_PersonalFinances</Type>
+            <Type>ste_InternetInsecure</Type>
+         </SimpleTypeEnforcementTypes>
+      </VirtualMachineLabel>
+
+      <VirtualMachineLabel>
+        <!-- serves network access to other domains -->
+       <Name>dom_NetworkDomain</Name>
+         <SimpleTypeEnforcementTypes>
+            <!-- access right to the resource (ethernet card) -->
+            <Type>ste_NetworkAdapter0</Type>
+            <!-- can serve following types -->
+            <Type>ste_PersonalFinances</Type>
+            <Type>ste_InternetInsecure</Type>
+            <Type>ste_DonatedCycles</Type>
+         </SimpleTypeEnforcementTypes>
+      </VirtualMachineLabel>
+   </SubjectLabels>
+
+   <ObjectLabels>
+      <ResourceLabel>
+       <Name>res_ManagementResource</Name>
+         <SimpleTypeEnforcementTypes>
+            <Type>ste_SystemManagement</Type>
+         </SimpleTypeEnforcementTypes>
+      </ResourceLabel>
+
+      <ResourceLabel>
+       <Name>res_HardDrive (hda)</Name>
+         <SimpleTypeEnforcementTypes>
+            <Type>ste_PersistentStorageA</Type>
+         </SimpleTypeEnforcementTypes>
+      </ResourceLabel>
+
+      <ResourceLabel>
+       <Name>res_LogicalDiskPartition1 (hda1)</Name>
+         <SimpleTypeEnforcementTypes>
+            <Type>ste_PersonalFinances</Type>
+         </SimpleTypeEnforcementTypes>
+      </ResourceLabel>
+
+      <ResourceLabel>
+       <Name>res_LogicalDiskPartition2 (hda2)</Name>
+         <SimpleTypeEnforcementTypes>
+            <Type>ste_InternetInsecure</Type>
+         </SimpleTypeEnforcementTypes>
+      </ResourceLabel>
+
+      <ResourceLabel>
+       <Name>res_EthernetCard</Name>
+         <SimpleTypeEnforcementTypes>
+            <Type>ste_NetworkAdapter0</Type>
+         </SimpleTypeEnforcementTypes>
+      </ResourceLabel>
+
+      <ResourceLabel>
+       <Name>res_SecurityToken</Name>
+         <SimpleTypeEnforcementTypes>
+            <Type>ste_PersonalFinances</Type>
+         </SimpleTypeEnforcementTypes>
+      </ResourceLabel>
+
+      <ResourceLabel>
+       <Name>res_GraphicsAdapter</Name>
+         <SimpleTypeEnforcementTypes>
+            <Type>ste_SystemManagement</Type>
+         </SimpleTypeEnforcementTypes>
+      </ResourceLabel>
+   </ObjectLabels>
+</SecurityLabelTemplate>
+
diff -r 3d45fb64b064 -r 509316987d65 
tools/security/policies/ste/ste-security_policy.xml
--- /dev/null   Fri Aug 19 10:18:53 2005
+++ b/tools/security/policies/ste/ste-security_policy.xml       Fri Aug 19 
10:50:15 2005
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com  -->
+<!--             This file defines the security policies, which     -->
+<!--             can be enforced by the Xen Access Control Module.  -->
+<!--             Currently: Chinese Wall and Simple Type Enforcement-->
+<SecurityPolicyDefinition xmlns="http://www.ibm.com";
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
+ xsi:schemaLocation="http://www.ibm.com security_policy.xsd">
+<PolicyHeader>
+               <Name>ste-security_policy</Name>
+               <Date>2005-08-10</Date>
+</PolicyHeader>
+<!--                                                        -->
+<!-- example of a simple type enforcement policy definition -->
+<!--                                                        -->
+       <SimpleTypeEnforcement>
+        <SimpleTypeEnforcementTypes>
+            <Type>ste_SystemManagement</Type>   <!-- machine/security 
management -->
+            <Type>ste_PersonalFinances</Type>   <!-- personal finances -->
+            <Type>ste_InternetInsecure</Type>   <!-- games, active X, etc. -->
+            <Type>ste_DonatedCycles</Type>      <!-- donation to 
BOINC/seti@home -->
+            <Type>ste_PersistentStorageA</Type> <!-- domain managing the 
harddrive A-->
+            <Type>ste_NetworkAdapter0</Type>    <!-- type of the domain 
managing ethernet adapter 0-->
+        </SimpleTypeEnforcementTypes>
+       </SimpleTypeEnforcement>
+</SecurityPolicyDefinition>
+
diff -r 3d45fb64b064 -r 509316987d65 tools/security/policy.txt
--- /dev/null   Fri Aug 19 10:18:53 2005
+++ b/tools/security/policy.txt Fri Aug 19 10:50:15 2005
@@ -0,0 +1,405 @@
+##
+# policy.txt <description to the Xen access control architecture>
+#
+# Author:
+# Reiner Sailer 08/15/2005 <sailer@xxxxxxxxxxxxxx>
+#
+#
+# This file gives an overview of the security policies currently
+# provided and also gives some reasoning about how to assign
+# labels to domains.
+##
+
+Xen access control policies
+
+
+General explanation of supported security policies:
+=====================================================
+
+We have implemented the mandatory access control architecture of our
+hypervisor security architecture (sHype) for the Xen hypervisor. It
+controls communication (in Xen: event channels, grant tables) between
+Virtual Machines (from here on called domains) and through this the
+virtual block devices, networking, and shared memory are implemented
+on top of these communication means. While we have implemented the
+described policies and access control architecture for other
+hypervisor systems, we will describe below specifically its
+implementation and use in the Xen hypervisor. The policy enforcement
+is called mandatory regarding user domains since the policy it is
+given by the security administration and enforced independently of the
+user domains by the Xen hypervisor in cooperation with the domain
+management.
+
+The access control architecture consists of three parts:
+
+i) The access control policy determines the "command set" of the ACM
+and the hooks with which they can be configured to constrain the
+sharing of virtual resources. The current access control architecture
+implemented for Xen supports two policies: Chinese Wall and Simple
+Type Enforcement, which we describe in turn below.
+
+
+ii) The actually enforced policy instantiation uses the policy
+language (i) to configure the Xen access control in a way that suits
+the specific application (home desktop environment, company desktop,
+Web server system, etc.). We have defined an exemplary policy
+instantiation for Chinese Wall (chwall policy) and Simple Type
+Enforcement (ste policy) for a desktop system. We offer these policies
+in combination since they are controlling orthogonal events.
+
+
+iii) The access control module (ACM) and related hooks are part of the
+core hypervisor and their controls cannot be bypassed by domains. The
+ACM and hooks are the active security components. We refer to
+publications that describe how access control is enforced in the Xen
+hypervisor using the ACM (access decision) and the hooks (decision
+enforcement) inserted into the setup of event channels and grant
+tables, and into domain operations (create, destroy, save, restore,
+migrate). These controls decide based on the active policy
+configuration (see i. and ii.) if the operation proceeds of if the
+operation is aborted (denied).
+
+
+In general, security policy instantiations in the Xen access control
+framework are defined by two files:
+
+a) a single "policy-name"-security_policy.xml file that defines the
+types known to the ACM and policy rules based on these types
+
+b) a single "policy-name"-security_label_template.xml file that
+defines labels based on known types
+
+Every security policy has its own sub-directory under
+"Xen-root"/tools/security/policies in order to simplify their
+management and the security policy tools. We will describe those files
+for our example policy (Chinese Wall and Simple Type Enforcement) in
+more detail as we go along. Eventually, we will move towards a system
+installation where the policies will reside under /etc.
+
+
+CHINESE WALL
+============
+
+The Chinese Wall policy enables the user to define "which workloads
+(domain payloads) cannot run on a single physical system at the same
+time". Why would we want to prevent workloads from running at the same
+time on the same system? This supports requirements that can (but
+don't have to) be rooted in the measure of trust into the isolation of
+different domains that share the same hardware. Since the access
+control architecture aims at high performance and non-intrusive
+implementation, it currently does not address covert (timing) channels
+and aims at medium assurance. Users can apply the Chinese Wall policy
+to guarantee an air-gap between very sensitive payloads both regarding
+covert information channels and regarding resource starvation.
+
+To enable the CW control, each domain is labeled with a set of Chinese
+Wall types and CW Conflict Sets are defined which include those CW
+types that cannot run simultaneously on the same hardware. This
+interpretation of conflict sets is the only policy rule for the Chines
+Wall policy.
+
+This is enforced by controlling the start of domains according to
+their assigned CW worload types. Domains with Chinese Wall types that
+appear in a common conflict set are running mutually exclusive on a
+platform, i.e., once a domain with one of the cw-types of a conflict
+set is running, no domain with another cw-type of the same conflict
+set can start until the first domain is destroyed, paused, or migrated
+away from the physical system (this assumes that such a partition can
+no longer be observed). The idea is to assign cw-types according to
+the type of payload that a domain runs and to use the Chinese Wall
+policy to ensure that payload types can be differentiated by the
+hypervisor and can be prevented from being executed on the same system
+at the same time. Using the flexible CW policy maintains system
+consolidation and workload-balancing while introducing guaranteed
+constraints where necessary.
+
+
+Example of a Chinese Wall Policy Instantiation
+----------------------------------------------
+
+The file chwall-security_policy.xml defines the Chinese Wall types as
+well as the conflict sets for our example policy (you find it in the
+directory "xen_root"/tools/security/policies/chwall).
+
+It defines four Chinese Wall types (prefixed with cw_) with the
+following meaning:
+
+* cw_SystemsManagement is a type identifying workloads for systems
+management, e.g., domain management, device management, or hypervisor
+management.
+
+* cw_Sensitive is identifying workloads that are critical to the user
+for one reason or another.
+
+* cw_Distrusted is identifying workloads a user does not have much
+confidence in. E.g. a domain used for surfing in the internet without
+protection( i.e., active-X, java, java-script, executing web content)
+or for (Internet) Games should be typed this way.
+
+* cw_Isolated is identifying workloads that are supposedly isolated by
+use of the type enforcement policy (described below). For example, if
+a user wants to donate cycles to seti@home, she can setup a separate
+domain for a Boinc (http://boinc.ssl.berkeley.edu/) client, disable
+this domain from accessing the hard drive and from communicating to
+other local domains, and type it as cw_Isolated. We will look at a
+specific example later.
+
+The example policy uses the defined types to define one conflict set:
+Protection1 = {cw_Sensitive, cw_Distrusted}. This conflict set tells
+the hypervisor that once a domain typed as cw_Sensitive is running, a
+domain typed as cw_Distrusted cannot run concurrently (and the other
+way round). With this policy, a domain typed as cw_Isolated is allowed
+to run simultaneously with domains tagged as cw_Sensitive.
+
+Consequently, the access control module in the Xen hypervisor
+distinguishes in this example policy 4 different workload types in
+this example policy. It is the user's responsibility to type the
+domains in a way that reflects the workloads of these domains and, in
+the case of cw_Isolated, its properties, e.g. by configuring the
+sharing capabilities of the domain accordingly by using the simple
+type enforcement policy.
+
+Users can define their own or change the existing example policy
+according to their working environment and security requirements. To
+do so, replace the file chwall-security_policy.xml with the new
+policy.
+
+
+SIMPLE TYPE ENFORCEMENT
+=======================
+
+The file ste-security_policy.xml defines the simple type enforcement
+types for our example policy (you find it in the directory
+"xen_root"/tools/security/policies/ste). The Simple Type Enforcement
+policy defines which domains can share information with which other
+domains. To this end, it controls
+
+i) inter-domain communication channels (e.g., network traffic, events,
+and shared memory).
+
+ii) access of domains to physical resources (e.g., hard drive, network
+cards, graphics adapter, keyboard).
+
+In order to enable the hypervisor to distinguish different domains and
+the user to express access rules, the simple type enforcement defines
+a set of types (ste_types).
+
+The policy defines that communication between domains is allowed if
+the domains share a common STE type. As with the chwall types, STE
+types should enable the differentiation of workloads. The simple type
+enforcement access control implementation in the hypervisor enforces
+that domains can only communicate (setup event channels, grant tables)
+if they share a common type, i.e., both domains have assigned at least
+on type in common. A domain can access a resource, if the domain and
+the resource share a common type. Hence, assigning STE types to
+domains and resources allows users to define constraints on sharing
+between domains and to keep sensitive data confined from distrusted
+domains.
+
+Domain <--> Domain Sharing
+''''''''''''''''''''''''''
+(implemented but its effective use requires factorization of Dom0)
+
+a) Domains with a single STE type (general user domains): Sharing
+between such domains is enforced entirely by the hypervisor access
+control. It is independent of the domains and does not require their
+co-operation.
+
+b) Domains with multiple STE types: One example is a domain that
+virtualizes a physical resource (e.g., hard drive) and serves it as
+multiple virtual resources (virtual block drives) to other domains of
+different types. The idea is that only a specific device domain has
+assigned the type required to access the physical hard-drive. Logical
+drives are then assigned the types of domains that have access to this
+logical drive. Since the Xen hypervisor cannot distinguish between the
+logical drives, the access control (type enforcement) is delegated to
+the device domain, which has access to the types of domains requesting
+to mount a logical drive as well as the types assigned to the
+different available logical drives.
+
+Currently in Xen, Dom0 controls all hardware, needs to communicate
+with all domains during their setup, and intercepts all communication
+between domains. Consequently, Dom0 needs to be assigned all types
+used and must be completely trusted to maintain the separation of
+informatio ncoming from domains with different STE types. Thus a
+refactoring of Dom0 is recommended for stronger confinement
+guarantees.
+
+Domain --> RESOURCES Access
+'''''''''''''''''''''''''''
+(current work)
+
+We define for each resource that we want to distinguish a separate STE
+type. Each STE type is assigned to the respective resource and to
+those domains that are allowed to access this resource. Type
+enforcement will guarantee that other domains cannot access this
+resource since they don't share the resource's STE type.
+
+Since in the current implementation of Xen, Dom0 controls access to
+all hardware (e.g., disk drives, network), Domain-->Resource access
+control enforcement must be implemented in Dom0. This is possible
+since Dom0 has access to both the domain configuration (including the
+domain STE types) and the resource configuration (including the
+resource STE types).
+
+For purposes of gaining higher assurance in the resulting system, it
+may be desirable to reduce the size of dom0 by adding one or more
+"device domains" (DDs). These DDs, e.g. providing storage or network
+access, can support one or more physical devices, and manage
+enforcement of MAC policy relevant for said devices. Security benefits
+come from the smaller size of these DDs, as they can be more easily
+audited than monolithic device driver domains. DDs can help to obtain
+maximum security benefit from sHype.
+
+
+Example of a Simple Type Enforcement Policy Instantiation
+---------------------------------------------------------
+
+We define the following types:
+
+* ste_SystemManagement identifies workloads (and domains that runs
+them) that must share information to accomplish the management of the
+system
+
+* ste_PersonalFinances identifies workloads that are related to
+sensitive programs such as HomeBanking applications or safely
+configured web browsers for InternetBanking
+
+* ste_InternetInsecure identifies workloads that are very
+function-rich and unrestricted to offer for example an environment
+where internet games can run efficiently
+
+* ste_DonatedCycles identifies workloads that run on behalf of others,
+e.g. a Boinc client
+
+* ste_PersistentStorage identifies workloads that have direct access
+to persistent storage (e.g., hard drive)
+
+* ste_NetworkAccess identifies workload that have direct access to
+network cards and related networks
+
+
+
+SECURITY LABEL TEMPLATES
+========================
+
+We introduce security label templates because it is difficult for
+users to ensure tagging of domains consistently and since there are
+--as we have seen in the case of isolation-- useful dependencies
+between the policies. Security Label Templates define type sets that
+can be addressed by more user-friendly label names,
+e.g. dom_Homebanking describes a typical typeset tagged to domains
+used for sensitive Homebanking work-loads. Labels are defined in the
+file
+
+Using Security Label Templates has multiple advantages:
+a) easy reference of typical sets of type assignments
+b) consistent interpretation of type combinations
+c) meaningful application-level label names
+
+The definition of label templates depends on the combination of
+policies that are used. We will describe some of the labels defined
+for the Chinese Wall and Simple Type Enforcement combination.
+
+In the BoincClient example, the label_template file specifies that
+this Label is assigned the Chinese Wall type cw_Isolated. We do this
+assuming that this BoincClient is isolated against the rest of the
+system infrastructure (no persistent memory, no sharing with local
+domains). Since cw_Isolated is not included in any conflict set, it
+can run at any time concurrently with any other domain. The
+ste_DonatedCycles type assigned to the BoincClient reflect the
+isolation assumption: it is only assigned to the dom_NetworkDomain
+giving the BoincClient domain access to the network to communicate
+with its BoincServer.
+
+The strategy for combining types into Labels is the following: First
+we define a label for each type of general user domain
+(workload-oriented). Then we define a new label for each physical
+resource that shall be shared using a DD domain (e.g., disk) and for
+each logical resource offered through this physical resource (logical
+disk partition). We define then device domain labels (here:
+dom_SystemManagement, dom_StorageDomain, dom_NetworkDomain) which
+include the types of the physical resources (e.g. hda) their domains
+need to connect to. Such physical resources can only be accessed
+directly by device domains types with the respective device's STE
+type. Additionally we assign to such a device domain Label the STE
+types of those user domains that are allowed to access one of the
+logical resources (e.g., hda1, hda2) built on top of this physical
+resource through the device domain.
+
+
+Label Construction Example:
+---------------------------
+
+We define here a storage domain label for a domain that owns a real
+disk drive and creates the logical disk partitions hda1 and hda2 which
+it serves to domains labeled dom_HomeBanking and dom_Fun
+respectively. The labels we refer to are defined in the label template
+file policies/chwall_ste/chwall_ste-security-label-template.xml.
+
+step1: To distinguish different shared disk drives, we create a
+separate Label and STE type for each of them. Here: we create a type
+ste_PersistentStorageA for disk drive hda. If you have another disk
+drive, you may define another persistent storage type
+ste_PersistentStorageB in the chwall_ste-security_policy.xml.
+
+step2: To distinguish different domains, we create multiple domain
+labels including different types. Here: label dom_HomeBanking includes
+STE type ste_PersonalFinances, label dom_Fun includes STE type
+ste_InternetInsecure.
+
+step3: The storage domain in charge of the hard drive A needs access
+to this hard drive. Therefore the storage domain label
+dom_StorageDomain must include the type assigned to the hard drive
+(ste_PersistentStorageA).
+
+step4: In order to serve dom hda1 to domains labeled dom_HomeBanking
+and hda2 to domains labeled dom_Fun, the storage domain label must
+include the types of those domains as well (ste_PersonalFinance,
+ste_InternetInsecure).
+
+step5: In order to keep the data for different types safely apart, the
+different logical disk partitions must be assigned unique labels and
+types, which are used inside the storage domain to extend the ACM
+access enforcement to logical resources served from inside the storage
+domain. We define labels "res_LogicalDiskPartition1 (hda1)" and assign
+it to hda1 and "res_LogicalDiskPartition2 (hda2)" and assign it to
+hda2. These labels must include the STE types of those domains that
+are allowed to use them (e.g., ste_PersonalFinances for hda1).
+
+The overall mandatory access control is then enforced in 3 different
+Xen components and these components use a single consistent policy to
+co-operatively enforce the policy. In the storage domain example, we
+have three components that co-operate:
+
+1. The ACM module inside the hypervisor enforces: communication between
+user domains and the storage domain (only domains including types
+ste_PersonalFinances or ste_InternetInsecure can communicate with the
+storage domain and request access to logical resource). This confines
+the sharing to the types assigned to the storage domain.
+
+2. The domain management will enforce (work in progress): assignment of
+real resources (hda) to domains (storage domain) that share a
+type with the resource.
+
+3. If the storage domain serves multiple STE types (as in our example),
+it enforces (work in progress): that domains can access (mount)
+logical resources only if they share an STE type with the respective
+resource. In our example, domains with the STE type
+ste_PersonalFinances can request access (mount) to logical resource
+hda1 from the storage domain.
+
+If you look at the virtual machine label dom_StorageDomain, you will
+see the minimal set of types assigned to our domain manageing disk
+drive hda for serving logical disk partitions exclusively to
+dom_HomeBanking and dom_Fun.
+
+Similary, network domains can confine access to the network or
+network communication between user domains.
+
+As a result, device domains (e.g., storage domain, network domain)
+must be simple and small to ensure their correct co-operation in the
+type enforcement model. If such trust is not possible, then hardware
+should be assigned exclusively to a single type (or to a single
+partition) in which case the hypervisor ACM enforcement enforces the
+types independently.
diff -r 3d45fb64b064 -r 509316987d65 tools/security/readme.txt
--- /dev/null   Fri Aug 19 10:18:53 2005
+++ b/tools/security/readme.txt Fri Aug 19 10:50:15 2005
@@ -0,0 +1,29 @@
+
+##
+# readme.txt <description to the xen access control architecture>
+#
+# Author:
+# Reiner Sailer 08/15/2005 <sailer@xxxxxxxxxxxxxx>
+#
+#
+# This file is a toc for information regarding
+# the access control policy and tools in Xen.
+##
+
+1. policy.txt:
+
+   describes the general reasoning and examples for access
+   control policies in Xen
+
+
+2. install.txt
+
+   describes the activation of the access control framework
+   in Xen
+
+3. example.txt
+
+   describes the available tools for managing security policies
+   in Xen and the tools to label domains
+
+
diff -r 3d45fb64b064 -r 509316987d65 tools/security/secpol_compat.h
--- /dev/null   Fri Aug 19 10:18:53 2005
+++ b/tools/security/secpol_compat.h    Fri Aug 19 10:50:15 2005
@@ -0,0 +1,14 @@
+/* secpol_compat.h
+ *     'translates' data types necessary to
+ *     include <xen/acm.h>
+ */
+#include <stdint.h>
+
+typedef uint8_t  u8;
+typedef uint16_t u16;
+typedef uint32_t u32;
+typedef uint64_t u64;
+typedef int8_t   s8;
+typedef int16_t  s16;
+typedef int32_t  s32;
+typedef int64_t  s64;
diff -r 3d45fb64b064 -r 509316987d65 tools/security/secpol_xml2bin.c
--- /dev/null   Fri Aug 19 10:18:53 2005
+++ b/tools/security/secpol_xml2bin.c   Fri Aug 19 10:50:15 2005
@@ -0,0 +1,1396 @@
+/****************************************************************
+ * secpol_xml2bin.c
+ *
+ * Copyright (C) 2005 IBM Corporation
+ *
+ * Author: Reiner Sailer <sailer@xxxxxxxxxx>
+ *
+ * Maintained:
+ * Reiner Sailer <sailer@xxxxxxxxxx>
+ * Ray Valdez <rvaldez@xxxxxxxxxx>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ *
+ * sHype policy translation tool. This tool takes an XML
+ * policy specification as input and produces a binary
+ * policy file that can be loaded into Xen through the
+ * ACM operations (secpol_tool loadpolicy) interface or at
+ * boot time (grub module parameter)
+ *
+ * indent -i4 -kr -nut
+ */
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <libgen.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/queue.h>
+#include <netinet/in.h>
+#include <libxml/xmlschemas.h>
+#include <libxml/parser.h>
+#include <libxml/tree.h>
+#include <libxml/xmlreader.h>
+#include "secpol_compat.h"
+#include <xen/acm.h>
+
+#include "secpol_xml2bin.h"
+
+#define DEBUG    0
+
+/* primary / secondary policy component setting */
+enum policycomponent { CHWALL, STE, NULLPOLICY }
+    primary = NULLPOLICY, secondary = NULLPOLICY;
+
+/* general list element for ste and chwall type queues */
+struct type_entry {
+    TAILQ_ENTRY(type_entry) entries;
+    char *name;                 /* name of type from xml file */
+    type_t mapping;             /* type mapping into 16bit */
+};
+
+TAILQ_HEAD(tailhead, type_entry) ste_head, chwall_head;
+
+/* general list element for all label queues */
+enum label_type { VM, RES, ANY };
+struct ssid_entry {
+    TAILQ_ENTRY(ssid_entry) entries;
+    char *name;                 /* label name */
+    enum label_type type;       /* type: VM / RESOURCE LABEL */
+    u_int32_t num;              /* ssid or referenced ssid */
+    int is_ref;                 /* if this entry references earlier ssid 
number */
+    unsigned char *row;         /* index of types (if not a reference) */
+};
+
+TAILQ_HEAD(tailhead_ssid, ssid_entry) ste_ssid_head, chwall_ssid_head,
+    conflictsets_head;
+struct ssid_entry *current_chwall_ssid_p = NULL;
+struct ssid_entry *current_ste_ssid_p = NULL;
+struct ssid_entry *current_conflictset_p = NULL;
+
+/* which label to assign to dom0 during boot */
+char *bootstrap_label;
+
+u_int32_t max_ste_ssids = 0;
+u_int32_t max_chwall_ssids = 0;
+u_int32_t max_chwall_labels = 0;
+u_int32_t max_ste_labels = 0;
+u_int32_t max_conflictsets = 0;
+
+char *current_ssid_name;        /* store name until structure is allocated */
+char *current_conflictset_name; /* store name until structure is allocated */
+
+/* dynamic list of type mappings for STE */
+u_int32_t max_ste_types = 0;
+
+/* dynamic list of type mappings for CHWALL */
+u_int32_t max_chwall_types = 0;
+
+/* dynamic list of conflict sets */
+int max_conflict_set = 0;
+
+/* which policies are defined */
+int have_ste = 0;
+int have_chwall = 0;
+
+/* input/output file names */
+char *policy_filename = NULL,
+    *label_filename = NULL,
+    *binary_filename = NULL, *mapping_filename = NULL;
+
+void usage(char *prg)
+{
+    printf("usage:\n%s policyname[-policy.xml/-security_label_template.xml]\n",
+         prg);
+    exit(EXIT_FAILURE);
+}
+
+
+/***************** policy-related parsing *********************/
+
+char *type_by_mapping(struct tailhead *head, u_int32_t mapping)
+{
+    struct type_entry *np;
+    for (np = head->tqh_first; np != NULL; np = np->entries.tqe_next)
+        if (np->mapping == mapping)
+            return np->name;
+    return NULL;
+}
+
+
+struct type_entry *lookup(struct tailhead *head, char *name)
+{
+    struct type_entry *np;
+    for (np = head->tqh_first; np != NULL; np = np->entries.tqe_next)
+        if (!(strcmp(np->name, name)))
+            return np;
+    return NULL;
+}
+
+/* enforces single-entry lists */
+int add_entry(struct tailhead *head, char *name, type_t mapping)
+{
+    struct type_entry *e;
+    if (lookup(head, name))
+    {
+        printf("Error: Type >%s< defined more than once.\n", name);
+        return -EFAULT;         /* already in the list */
+    }
+    if (!(e = malloc(sizeof(struct type_entry))))
+        return -ENOMEM;
+
+    e->name = name;
+    e->mapping = mapping;
+    TAILQ_INSERT_TAIL(head, e, entries);
+    return 0;
+}
+
+int totoken(char *tok)
+{
+    int i;
+    for (i = 0; token[i] != NULL; i++)
+        if (!strcmp(token[i], tok))
+            return i;
+    return -EFAULT;
+}
+
+/* conflictsets use the same data structure as ssids; since
+ * they are similar in structure (set of types)
+ */
+int init_next_conflictset(void)
+{
+    struct ssid_entry *conflictset = malloc(sizeof(struct ssid_entry));
+
+    if (!conflictset)
+        return -ENOMEM;
+
+    conflictset->name = current_conflictset_name;
+    conflictset->num = max_conflictsets++;
+    conflictset->is_ref = 0;    /* n/a for conflictsets */
+        /**
+         *  row: allocate one byte per type;
+         *  [i] != 0 --> mapped type >i< is part of the conflictset
+         */
+    conflictset->row = malloc(max_chwall_types);
+    if (!conflictset->row)
+        return -ENOMEM;
+
+    memset(conflictset->row, 0, max_chwall_types);
+    TAILQ_INSERT_TAIL(&conflictsets_head, conflictset, entries);
+    current_conflictset_p = conflictset;
+    return 0;
+}
+
+int register_type(xmlNode * cur_node, xmlDocPtr doc, unsigned long state)
+{
+    xmlChar *text;
+    struct type_entry *e;
+
+
+    text = xmlNodeListGetString(doc, cur_node->xmlChildrenNode, 1);
+    if (!text)
+    {
+        printf("Error reading type name!\n");
+        return -EFAULT;
+    }
+
+    switch (state) {
+    case XML2BIN_stetype_S:
+        if (add_entry(&ste_head, (char *) text, max_ste_types))
+        {
+            xmlFree(text);
+            return -EFAULT;
+        }
+        max_ste_types++;
+        break;
+
+    case XML2BIN_chwalltype_S:
+        if (add_entry(&chwall_head, (char *) text, max_chwall_types))
+        {
+            xmlFree(text);
+            return -EFAULT;
+        }
+        max_chwall_types++;
+        break;
+
+    case XML2BIN_conflictsettype_S:
+        /* a) search the type in the chwall_type list */
+        e = lookup(&chwall_head, (char *) text);
+        if (e == NULL)
+        {
+            printf("CS type >%s< not a CHWALL type.\n", text);
+            xmlFree(text);
+            return -EFAULT;
+        }
+        /* b) add type entry to the current cs set */
+        if (current_conflictset_p->row[e->mapping])
+        {
+            printf("ERROR: Double entry of type >%s< in conflict set %d.\n",
+                 text, current_conflictset_p->num);
+            xmlFree(text);
+            return -EFAULT;
+        }
+        current_conflictset_p->row[e->mapping] = 1;
+        break;
+
+    default:
+        printf("Incorrect type environment (state = %lx, text = %s).\n",
+               state, text);
+        xmlFree(text);
+        return -EFAULT;
+    }
+    return 0;
+}
+
+void set_component_type(xmlNode * cur_node, enum policycomponent pc)
+{
+    xmlChar *order;
+
+    if ((order = xmlGetProp(cur_node, (xmlChar *) 
PRIMARY_COMPONENT_ATTR_NAME))) {
+        if (strcmp((char *) order, PRIMARY_COMPONENT))
+        {
+            printf("ERROR: Illegal attribut value >order=%s<.\n",
+                   (char *) order);
+            xmlFree(order);
+            exit(EXIT_FAILURE);
+        }
+        if (primary != NULLPOLICY)
+        {
+            printf("ERROR: Primary Policy Component set twice!\n");
+            exit(EXIT_FAILURE);
+        }
+        primary = pc;
+        xmlFree(order);
+    }
+}
+
+void walk_policy(xmlNode * start, xmlDocPtr doc, unsigned long state)
+{
+    xmlNode *cur_node = NULL;
+    int code;
+
+    for (cur_node = start; cur_node; cur_node = cur_node->next)
+    {
+        if ((code = totoken((char *) cur_node->name)) < 0)
+        {
+            printf("Unknown token: >%s<. Aborting.\n", cur_node->name);
+            exit(EXIT_FAILURE);
+        }
+        switch (code) {         /* adjust state to new state */
+        case XML2BIN_SECPOL:
+        case XML2BIN_STETYPES:
+        case XML2BIN_CHWALLTYPES:
+        case XML2BIN_CONFLICTSETS:
+            walk_policy(cur_node->children, doc, state | (1 << code));
+            break;
+
+        case XML2BIN_STE:
+            if (WRITTEN_AGAINST_ACM_STE_VERSION != ACM_STE_VERSION)
+            {
+                printf("ERROR: This program was written against another STE 
version.\n");
+                exit(EXIT_FAILURE);
+            }
+            have_ste = 1;
+            set_component_type(cur_node, STE);
+            walk_policy(cur_node->children, doc, state | (1 << code));
+            break;
+
+        case XML2BIN_CHWALL:
+            if (WRITTEN_AGAINST_ACM_CHWALL_VERSION != ACM_CHWALL_VERSION)
+            {
+                printf("ERROR: This program was written against another CHWALL 
version.\n");
+                exit(EXIT_FAILURE);
+            }
+            have_chwall = 1;
+            set_component_type(cur_node, CHWALL);
+            walk_policy(cur_node->children, doc, state | (1 << code));
+            break;
+
+        case XML2BIN_CSTYPE:
+            current_conflictset_name =
+                (char *) xmlGetProp(cur_node, (xmlChar *) "name");
+            if (!current_conflictset_name)
+                current_conflictset_name = "";
+
+            if (init_next_conflictset())
+            {
+                printf
+                    ("ERROR: creating new conflictset structure failed.\n");
+                exit(EXIT_FAILURE);
+            }
+            walk_policy(cur_node->children, doc, state | (1 << code));
+            break;
+
+        case XML2BIN_TYPE:
+            if (register_type(cur_node, doc, state))
+                exit(EXIT_FAILURE);
+            /* type leaf */
+            break;
+
+        case XML2BIN_TEXT:
+        case XML2BIN_COMMENT:
+        case XML2BIN_POLICYHEADER:
+            /* leaf - nothing to do */
+            break;
+
+        default:
+            printf("Unkonwn token Error (%d)\n", code);
+            exit(EXIT_FAILURE);
+        }
+
+    }
+    return;
+}
+
+int create_type_mapping(xmlDocPtr doc)
+{
+    xmlNode *root_element = xmlDocGetRootElement(doc);
+    struct type_entry *te;
+    struct ssid_entry *se;
+    int i;
+
+    printf("Creating ssid mappings ...\n");
+
+    /* initialize the ste and chwall type lists */
+    TAILQ_INIT(&ste_head);
+    TAILQ_INIT(&chwall_head);
+    TAILQ_INIT(&conflictsets_head);
+
+    walk_policy(root_element, doc, XML2BIN_NULL);
+
+    /* determine primary/secondary policy component orders */
+    if ((primary == NULLPOLICY) && have_chwall)
+        primary = CHWALL;       /* default if not set */
+    else if ((primary == NULLPOLICY) && have_ste)
+        primary = STE;
+
+    switch (primary) {
+
+    case CHWALL:
+        if (have_ste)
+            secondary = STE;
+        /* else default = NULLPOLICY */
+        break;
+
+    case STE:
+        if (have_chwall)
+            secondary = CHWALL;
+        /* else default = NULLPOLICY */
+        break;
+
+    default:
+        /* NULL/NULL policy */
+        break;
+    }
+
+    if (!DEBUG)
+        return 0;
+
+    /* print queues */
+    if (have_ste)
+    {
+        printf("STE-Type queue (%s):\n",
+               (primary == STE) ? "PRIMARY" : "SECONDARY");
+        for (te = ste_head.tqh_first; te != NULL;
+             te = te->entries.tqe_next)
+            printf("name=%22s, map=%x\n", te->name, te->mapping);
+    }
+    if (have_chwall)
+    {
+        printf("CHWALL-Type queue (%s):\n",
+               (primary == CHWALL) ? "PRIMARY" : "SECONDARY");
+        for (te = chwall_head.tqh_first; te != NULL;
+             te = te->entries.tqe_next)
+            printf("name=%s, map=%x\n", te->name, te->mapping);
+
+        printf("Conflictset queue (max=%d):\n", max_conflictsets);
+        for (se = conflictsets_head.tqh_first; se != NULL;
+             se = se->entries.tqe_next)
+        {
+            printf("conflictset name >%s<\n",
+                   se->name ? se->name : "NONAME");
+            for (i = 0; i < max_chwall_types; i++)
+                if (se->row[i])
+                    printf("#%x ", i);
+            printf("\n");
+        }
+    }
+    return 0;
+}
+
+
+/***************** template-related parsing *********************/
+
+/* add default ssid at head of ssid queues */
+int init_ssid_queues(void)
+{
+    struct ssid_entry *default_ssid_chwall, *default_ssid_ste;
+
+    default_ssid_chwall = malloc(sizeof(struct ssid_entry));
+    default_ssid_ste = malloc(sizeof(struct ssid_entry));
+
+    if ((!default_ssid_chwall) || (!default_ssid_ste))
+        return -ENOMEM;
+
+    /* default chwall ssid */
+    default_ssid_chwall->name = "DEFAULT";
+    default_ssid_chwall->num = max_chwall_ssids++;
+    default_ssid_chwall->is_ref = 0;
+    default_ssid_chwall->type = ANY;
+
+    default_ssid_chwall->row = malloc(max_chwall_types);
+
+    if (!default_ssid_chwall->row)
+        return -ENOMEM;
+
+    memset(default_ssid_chwall->row, 0, max_chwall_types);
+
+    TAILQ_INSERT_TAIL(&chwall_ssid_head, default_ssid_chwall, entries);
+    current_chwall_ssid_p = default_ssid_chwall;
+    max_chwall_labels++;
+
+    /* default ste ssid */
+    default_ssid_ste->name = "DEFAULT";
+    default_ssid_ste->num = max_ste_ssids++;
+    default_ssid_ste->is_ref = 0;
+    default_ssid_ste->type = ANY;
+
+    default_ssid_ste->row = malloc(max_ste_types);
+
+    if (!default_ssid_ste->row)
+        return -ENOMEM;
+
+    memset(default_ssid_ste->row, 0, max_ste_types);
+
+    TAILQ_INSERT_TAIL(&ste_ssid_head, default_ssid_ste, entries);
+    current_ste_ssid_p = default_ssid_ste;
+    max_ste_labels++;
+    return 0;
+}
+
+int init_next_chwall_ssid(unsigned long state)
+{
+    struct ssid_entry *ssid = malloc(sizeof(struct ssid_entry));
+
+    if (!ssid)
+        return -ENOMEM;
+
+    ssid->name = current_ssid_name;
+    ssid->num = max_chwall_ssids++;
+    ssid->is_ref = 0;
+
+    if (state & (1 << XML2BIN_VM))
+        ssid->type = VM;
+    else
+        ssid->type = RES;
+        /**
+         *  row: allocate one byte per type;
+         *  [i] != 0 --> mapped type >i< is part of the ssid
+         */
+    ssid->row = malloc(max_chwall_types);
+    if (!ssid->row)
+        return -ENOMEM;
+
+    memset(ssid->row, 0, max_chwall_types);
+    TAILQ_INSERT_TAIL(&chwall_ssid_head, ssid, entries);
+    current_chwall_ssid_p = ssid;
+    max_chwall_labels++;
+    return 0;
+}
+
+int init_next_ste_ssid(unsigned long state)
+{
+    struct ssid_entry *ssid = malloc(sizeof(struct ssid_entry));
+
+    if (!ssid)
+        return -ENOMEM;
+
+    ssid->name = current_ssid_name;
+    ssid->num = max_ste_ssids++;
+    ssid->is_ref = 0;
+
+    if (state & (1 << XML2BIN_VM))
+        ssid->type = VM;
+    else
+        ssid->type = RES;
+
+        /**
+         *  row: allocate one byte per type;
+         *  [i] != 0 --> mapped type >i< is part of the ssid
+         */
+    ssid->row = malloc(max_ste_types);
+    if (!ssid->row)
+        return -ENOMEM;
+
+    memset(ssid->row, 0, max_ste_types);
+    TAILQ_INSERT_TAIL(&ste_ssid_head, ssid, entries);
+    current_ste_ssid_p = ssid;
+    max_ste_labels++;
+
+    return 0;
+}
+
+
+/* adds a type to the current ssid */
+int add_type(xmlNode * cur_node, xmlDocPtr doc, unsigned long state)
+{
+    xmlChar *text;
+    struct type_entry *e;
+
+    text = xmlNodeListGetString(doc, cur_node->xmlChildrenNode, 1);
+    if (!text)
+    {
+        printf("Error reading type name!\n");
+        return -EFAULT;
+    }
+    /* same for all: 1. lookup type mapping, 2. mark type in ssid */
+    switch (state) {
+    case XML2BIN_VM_STE_S:
+    case XML2BIN_RES_STE_S:
+        /* lookup the type mapping and include the type mapping into the array 
*/
+        if (!(e = lookup(&ste_head, (char *) text)))
+        {
+            printf("ERROR: unknown VM STE type >%s<.\n", text);
+            exit(EXIT_FAILURE);
+        }
+        if (current_ste_ssid_p->row[e->mapping])
+            printf("Warning: double entry of VM STE type >%s<.\n", text);
+
+        current_ste_ssid_p->row[e->mapping] = 1;
+        break;
+
+    case XML2BIN_VM_CHWALL_S:
+        /* lookup the type mapping and include the type mapping into the array 
*/
+        if (!(e = lookup(&chwall_head, (char *) text)))
+        {
+            printf("ERROR: unknown VM CHWALL type >%s<.\n", text);
+            exit(EXIT_FAILURE);
+        }
+        if (current_chwall_ssid_p->row[e->mapping])
+            printf("Warning: double entry of VM CHWALL type >%s<.\n",
+                   text);
+
+        current_chwall_ssid_p->row[e->mapping] = 1;
+        break;
+
+    default:
+        printf("Incorrect type environment (state = %lx, text = %s).\n",
+               state, text);
+        xmlFree(text);
+        return -EFAULT;
+    }
+    return 0;
+}
+
+void set_bootstrap_label(xmlNode * cur_node)
+{
+    xmlChar *order;
+
+    if ((order = xmlGetProp(cur_node, (xmlChar *) BOOTSTRAP_LABEL_ATTR_NAME)))
+        bootstrap_label = (char *)order;
+    else {
+        printf("ERROR: No bootstrap label defined!\n");
+        exit(EXIT_FAILURE);
+    }
+}
+
+void walk_labels(xmlNode * start, xmlDocPtr doc, unsigned long state)
+{
+    xmlNode *cur_node = NULL;
+    int code;
+
+    for (cur_node = start; cur_node; cur_node = cur_node->next)
+    {
+        if ((code = totoken((char *) cur_node->name)) < 0)
+        {
+            printf("Unkonwn token: >%s<. Aborting.\n", cur_node->name);
+            exit(EXIT_FAILURE);
+        }
+        switch (code) {         /* adjust state to new state */
+
+        case XML2BIN_SUBJECTS:
+            set_bootstrap_label(cur_node);
+            /* fall through */
+        case XML2BIN_VM:
+        case XML2BIN_RES:
+        case XML2BIN_SECTEMPLATE:
+        case XML2BIN_OBJECTS:
+            walk_labels(cur_node->children, doc, state | (1 << code));
+            break;
+
+        case XML2BIN_STETYPES:
+            /* create new ssid entry to use and point current to it */
+            if (init_next_ste_ssid(state))
+            {
+                printf("ERROR: creating new ste ssid structure failed.\n");
+                exit(EXIT_FAILURE);
+            }
+            walk_labels(cur_node->children, doc, state | (1 << code));
+
+            break;
+
+        case XML2BIN_CHWALLTYPES:
+            /* create new ssid entry to use and point current to it */
+            if (init_next_chwall_ssid(state))
+            {
+                printf("ERROR: creating new chwall ssid structure failed.\n");
+                exit(EXIT_FAILURE);
+            }
+            walk_labels(cur_node->children, doc, state | (1 << code));
+
+            break;
+
+        case XML2BIN_TYPE:
+            /* add type to current ssid */
+            if (add_type(cur_node, doc, state))
+                exit(EXIT_FAILURE);
+            break;
+
+        case XML2BIN_NAME:
+            if ((state != XML2BIN_VM_S) && (state != XML2BIN_RES_S))
+            {
+                printf("ERROR: >name< out of VM/RES context.\n");
+                exit(EXIT_FAILURE);
+            }
+            current_ssid_name = (char *)
+                xmlNodeListGetString(doc, cur_node->xmlChildrenNode, 1);
+
+            if (!current_ssid_name)
+            {
+                printf("ERROR: empty >name<!\n");
+                exit(EXIT_FAILURE);
+            }
+            break;
+
+        case XML2BIN_TEXT:
+        case XML2BIN_COMMENT:
+        case XML2BIN_LABELHEADER:
+            break;
+
+        default:
+            printf("Unkonwn token Error (%d)\n", code);
+            exit(EXIT_FAILURE);
+        }
+
+    }
+    return;
+}
+
+/* this function walks through a ssid queue
+ * and transforms double entries into references
+ * of the first definition (we need to keep the
+ * entry to map labels but we don't want double
+ * ssids in the binary policy
+ */
+void
+remove_doubles(struct tailhead_ssid *head,
+                        u_int32_t max_types, u_int32_t * max_ssids)
+{
+    struct ssid_entry *np, *ni;
+
+    /* walk once through the list */
+    for (np = head->tqh_first; np != NULL; np = np->entries.tqe_next)
+    {
+        /* now search from the start until np for the same entry */
+        for (ni = head->tqh_first; ni != np; ni = ni->entries.tqe_next)
+        {
+            if (ni->is_ref)
+                continue;
+            if (memcmp(np->row, ni->row, max_types))
+                continue;
+            /* found one, set np reference to ni */
+            np->is_ref = 1;
+            np->num = ni->num;
+            (*max_ssids)--;
+        }
+    }
+
+    /* now minimize the ssid numbers used (doubles introduce holes) */
+    (*max_ssids) = 0; /* reset */
+
+    for (np = head->tqh_first; np != NULL; np = np->entries.tqe_next)
+    {
+        if (np->is_ref)
+            continue;
+
+        if (np->num != (*max_ssids)) {
+                /* first reset all later references to the new max_ssid */
+                for (ni = np->entries.tqe_next; ni != NULL; ni = 
ni->entries.tqe_next)
+                {
+                    if (ni->num == np->num)
+                        ni->num = (*max_ssids);
+                }
+                /* now reset num */
+                np->num = (*max_ssids)++;
+        }
+        else
+            (*max_ssids)++;
+    }
+}
+
+/*
+ * will go away as soon as we have non-static bootstrap ssidref for dom0
+ */
+void fixup_bootstrap_label(struct tailhead_ssid *head,
+                         u_int32_t max_types, u_int32_t * max_ssids)
+{
+    struct ssid_entry *np;
+    int i;
+
+    /* should not happen if xml / xsd checks work */
+    if (!bootstrap_label)
+    {
+        printf("ERROR: No bootstrap label defined.\n");
+        exit(EXIT_FAILURE);
+    }
+
+    /* search bootstrap_label */
+    for (np = head->tqh_first; np != NULL; np = np->entries.tqe_next)
+    {
+        if (!strcmp(np->name, bootstrap_label))
+        {
+            break;
+        }
+    }
+
+    if (!np) {
+        /* bootstrap label not found */
+        printf("ERROR: Bootstrap label >%s< not found.\n", bootstrap_label);
+        exit(EXIT_FAILURE);
+    }
+
+    /* move this entry ahead in the list right after the default entry so it
+     * receives ssidref 1/1 */
+    TAILQ_REMOVE(head, np, entries);
+    TAILQ_INSERT_AFTER(head, head->tqh_first, np, entries);
+
+    /* renumber the ssids (we could also just switch places with 1st element) 
*/
+    for (np = head->tqh_first, i=0; np != NULL; np = np->entries.tqe_next, i++)
+        np->num   = i;
+
+}
+
+int create_ssid_mapping(xmlDocPtr doc)
+{
+    xmlNode *root_element = xmlDocGetRootElement(doc);
+    struct ssid_entry *np;
+    int i;
+
+    printf("Creating label mappings ...\n");
+    /* initialize the ste and chwall type lists */
+    TAILQ_INIT(&chwall_ssid_head);
+    TAILQ_INIT(&ste_ssid_head);
+
+    /* init with default ssids */
+    if (init_ssid_queues())
+    {
+        printf("ERROR adding default ssids.\n");
+        exit(EXIT_FAILURE);
+    }
+
+    /* now walk the template DOM tree and fill in ssids */
+    walk_labels(root_element, doc, XML2BIN_NULL);
+
+    /*
+     * now sort bootstrap label to the head of the list
+     * (for now), dom0 assumes its label in the first
+     * defined ssidref (1/1). 0/0 is the default non-Label
+     */
+    if (have_chwall)
+        fixup_bootstrap_label(&chwall_ssid_head, max_chwall_types,
+                                &max_chwall_ssids);
+    if (have_ste)
+        fixup_bootstrap_label(&ste_ssid_head, max_ste_types,
+                                &max_ste_ssids);
+
+    /* remove any double entries (insert reference instead) */
+    if (have_chwall)
+        remove_doubles(&chwall_ssid_head, max_chwall_types,
+                       &max_chwall_ssids);
+    if (have_ste)
+        remove_doubles(&ste_ssid_head, max_ste_types,
+                       &max_ste_ssids);
+
+    if (!DEBUG)
+        return 0;
+
+    /* print queues */
+    if (have_chwall)
+    {
+        printf("CHWALL SSID queue (max ssidrefs=%d):\n", max_chwall_ssids);
+        np = NULL;
+        for (np = chwall_ssid_head.tqh_first; np != NULL;
+             np = np->entries.tqe_next)
+        {
+            printf("SSID #%02u (Label=%s)\n", np->num, np->name);
+            if (np->is_ref)
+                printf("REFERENCE");
+            else
+                for (i = 0; i < max_chwall_types; i++)
+                    if (np->row[i])
+                        printf("#%02d ", i);
+            printf("\n\n");
+        }
+    }
+    if (have_ste)
+    {
+        printf("STE SSID queue (max ssidrefs=%d):\n", max_ste_ssids);
+        np = NULL;
+        for (np = ste_ssid_head.tqh_first; np != NULL;
+             np = np->entries.tqe_next)
+        {
+            printf("SSID #%02u (Label=%s)\n", np->num, np->name);
+            if (np->is_ref)
+                printf("REFERENCE");
+            else
+                for (i = 0; i < max_ste_types; i++)
+                    if (np->row[i])
+                        printf("#%02d ", i);
+            printf("\n\n");
+        }
+    }
+    return 0;
+}
+
+/***************** writing the binary policy *********************/
+
+/*
+ * the mapping file is ascii-based since it will likely be used from
+ * within scripts (using awk, grep, etc.);
+ *
+ * We print from high-level to low-level information so that with one
+ * pass, any symbol can be resolved (e.g. Label -> types)
+ */
+int write_mapping(char *filename)
+{
+
+    struct ssid_entry *e;
+    struct type_entry *t;
+    int i;
+    FILE *file;
+
+    if ((file = fopen(filename, "w")) == NULL)
+        return -EIO;
+
+    fprintf(file, "MAGIC                  %08x\n", ACM_MAGIC);
+    fprintf(file, "POLICY                 %s\n",
+            basename(policy_filename));
+    fprintf(file, "BINARY                 %s\n",
+            basename(binary_filename));
+    if (have_chwall)
+    {
+        fprintf(file, "MAX-CHWALL-TYPES       %08x\n", max_chwall_types);
+        fprintf(file, "MAX-CHWALL-SSIDS       %08x\n", max_chwall_ssids);
+        fprintf(file, "MAX-CHWALL-LABELS      %08x\n", max_chwall_labels);
+    }
+    if (have_ste)
+    {
+        fprintf(file, "MAX-STE-TYPES          %08x\n", max_ste_types);
+        fprintf(file, "MAX-STE-SSIDS          %08x\n", max_ste_ssids);
+        fprintf(file, "MAX-STE-LABELS         %08x\n", max_ste_labels);
+    }
+    fprintf(file, "\n");
+
+    /* primary / secondary order for combined ssid synthesis/analysis
+     * if no primary is named, then chwall is primary */
+    switch (primary) {
+    case CHWALL:
+        fprintf(file, "PRIMARY                CHWALL\n");
+        break;
+
+    case STE:
+        fprintf(file, "PRIMARY                STE\n");
+        break;
+
+    default:
+        fprintf(file, "PRIMARY                NULL\n");
+        break;
+    }
+
+    switch (secondary) {
+    case CHWALL:
+        fprintf(file, "SECONDARY              CHWALL\n");
+        break;
+
+    case STE:
+        fprintf(file, "SECONDARY              STE\n");
+        break;
+
+    default:
+        fprintf(file, "SECONDARY              NULL\n");
+        break;
+    }
+    fprintf(file, "\n");
+
+    /* first labels to ssid mappings */
+    if (have_chwall)
+    {
+        for (e = chwall_ssid_head.tqh_first; e != NULL;
+             e = e->entries.tqe_next)
+        {
+            fprintf(file, "LABEL->SSID %s CHWALL %-25s %8x\n",
+                    (e->type ==
+                     VM) ? "VM " : ((e->type == RES) ? "RES" : "ANY"),
+                    e->name, e->num);
+        }
+        fprintf(file, "\n");
+    }
+    if (have_ste)
+    {
+        for (e = ste_ssid_head.tqh_first; e != NULL;
+             e = e->entries.tqe_next)
+        {
+            fprintf(file, "LABEL->SSID %s STE    %-25s %8x\n",
+                    (e->type ==
+                     VM) ? "VM " : ((e->type == RES) ? "RES" : "ANY"),
+                    e->name, e->num);
+        }
+        fprintf(file, "\n");
+    }
+
+    /* second ssid to type mappings */
+    if (have_chwall)
+    {
+        for (e = chwall_ssid_head.tqh_first; e != NULL;
+             e = e->entries.tqe_next)
+        {
+            if (e->is_ref)
+                continue;
+
+            fprintf(file, "SSID->TYPE CHWALL      %08x", e->num);
+
+            for (i = 0; i < max_chwall_types; i++)
+                if (e->row[i])
+                    fprintf(file, " %s", type_by_mapping(&chwall_head, i));
+
+            fprintf(file, "\n");
+        }
+        fprintf(file, "\n");
+    }
+    if (have_ste) {
+        for (e = ste_ssid_head.tqh_first; e != NULL;
+             e = e->entries.tqe_next)
+        {
+            if (e->is_ref)
+                continue;
+
+            fprintf(file, "SSID->TYPE STE         %08x", e->num);
+
+            for (i = 0; i < max_ste_types; i++)
+                if (e->row[i])
+                    fprintf(file, " %s", type_by_mapping(&ste_head, i));
+
+            fprintf(file, "\n");
+        }
+        fprintf(file, "\n");
+    }
+    /* third type mappings */
+    if (have_chwall)
+    {
+        for (t = chwall_head.tqh_first; t != NULL; t = t->entries.tqe_next)
+        {
+            fprintf(file, "TYPE CHWALL            %-25s %8x\n",
+                    t->name, t->mapping);
+        }
+        fprintf(file, "\n");
+    }
+    if (have_ste) {
+        for (t = ste_head.tqh_first; t != NULL; t = t->entries.tqe_next)
+        {
+            fprintf(file, "TYPE STE               %-25s %8x\n",
+                    t->name, t->mapping);
+        }
+        fprintf(file, "\n");
+    }
+    fclose(file);
+    return 0;
+}
+
+unsigned char *write_chwall_binary(u_int32_t * len_chwall)
+{
+    unsigned char *buf, *ptr;
+    struct acm_chwall_policy_buffer *chwall_header;
+    u_int32_t len;
+    struct ssid_entry *e;
+    int i;
+
+    if (!have_chwall)
+        return NULL;
+
+    len = sizeof(struct acm_chwall_policy_buffer) +
+        sizeof(type_t) * max_chwall_types * max_chwall_ssids +
+        sizeof(type_t) * max_chwall_types * max_conflictsets;
+
+    buf = malloc(len);
+    ptr = buf;
+
+    if (!buf)
+    {
+        printf("ERROR: out of memory allocating chwall buffer.\n");
+        exit(EXIT_FAILURE);
+    }
+    /* chwall has 3 parts : header, types, conflictsets */
+
+    chwall_header = (struct acm_chwall_policy_buffer *) buf;
+    chwall_header->chwall_max_types = htonl(max_chwall_types);
+    chwall_header->chwall_max_ssidrefs = htonl(max_chwall_ssids);
+    chwall_header->policy_code = htonl(ACM_CHINESE_WALL_POLICY);
+    chwall_header->policy_version = htonl(ACM_CHWALL_VERSION);
+    chwall_header->chwall_ssid_offset =
+        htonl(sizeof(struct acm_chwall_policy_buffer));
+    chwall_header->chwall_max_conflictsets = htonl(max_conflictsets);
+    chwall_header->chwall_conflict_sets_offset =
+        htonl(ntohl(chwall_header->chwall_ssid_offset) +
+              sizeof(domaintype_t) * max_chwall_ssids * max_chwall_types);
+    chwall_header->chwall_running_types_offset = 0;     /* not set, only 
retrieved */
+    chwall_header->chwall_conflict_aggregate_offset = 0;        /* not set, 
only retrieved */
+    ptr += sizeof(struct acm_chwall_policy_buffer);
+
+    /* types */
+    for (e = chwall_ssid_head.tqh_first; e != NULL;
+         e = e->entries.tqe_next)
+    {
+        if (e->is_ref)
+            continue;
+
+        for (i = 0; i < max_chwall_types; i++)
+            ((type_t *) ptr)[i] = htons((type_t) e->row[i]);
+
+        ptr += sizeof(type_t) * max_chwall_types;
+    }
+
+    /* conflictsets */
+    for (e = conflictsets_head.tqh_first; e != NULL;
+         e = e->entries.tqe_next)
+    {
+        for (i = 0; i < max_chwall_types; i++)
+            ((type_t *) ptr)[i] = htons((type_t) e->row[i]);
+
+        ptr += sizeof(type_t) * max_chwall_types;
+    }
+
+    if ((ptr - buf) != len)
+    {
+        printf("ERROR: wrong lengths in %s.\n", __func__);
+        exit(EXIT_FAILURE);
+    }
+
+    (*len_chwall) = len;
+    return buf;
+}
+
+unsigned char *write_ste_binary(u_int32_t * len_ste)
+{
+    unsigned char *buf, *ptr;
+    struct acm_ste_policy_buffer *ste_header;
+    struct ssid_entry *e;
+    u_int32_t len;
+    int i;
+
+    if (!have_ste)
+        return NULL;
+
+    len = sizeof(struct acm_ste_policy_buffer) +
+        sizeof(type_t) * max_ste_types * max_ste_ssids;
+
+    buf = malloc(len);
+    ptr = buf;
+
+    if (!buf)
+    {
+        printf("ERROR: out of memory allocating chwall buffer.\n");
+        exit(EXIT_FAILURE);
+    }
+
+    /* fill buffer */
+    ste_header = (struct acm_ste_policy_buffer *) buf;
+    ste_header->policy_version = htonl(ACM_STE_VERSION);
+    ste_header->policy_code = htonl(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY);
+    ste_header->ste_max_types = htonl(max_ste_types);
+    ste_header->ste_max_ssidrefs = htonl(max_ste_ssids);
+    ste_header->ste_ssid_offset =
+        htonl(sizeof(struct acm_ste_policy_buffer));
+
+    ptr += sizeof(struct acm_ste_policy_buffer);
+
+    /* types */
+    for (e = ste_ssid_head.tqh_first; e != NULL; e = e->entries.tqe_next)
+    {
+        if (e->is_ref)
+            continue;
+
+        for (i = 0; i < max_ste_types; i++)
+            ((type_t *) ptr)[i] = htons((type_t) e->row[i]);
+
+        ptr += sizeof(type_t) * max_ste_types;
+    }
+
+    if ((ptr - buf) != len)
+    {
+        printf("ERROR: wrong lengths in %s.\n", __func__);
+        exit(EXIT_FAILURE);
+    }
+    (*len_ste) = len;
+    return buf;                 /* for now */
+}
+
+int write_binary(char *filename)
+{
+    struct acm_policy_buffer header;
+    unsigned char *ste_buffer = NULL, *chwall_buffer = NULL;
+    u_int32_t len;
+    int fd;
+
+    u_int32_t len_ste = 0, len_chwall = 0;      /* length of policy components 
*/
+
+    /* open binary file */
+    if ((fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR)) 
<= 0)
+        return -EIO;
+
+    ste_buffer = write_ste_binary(&len_ste);
+    chwall_buffer = write_chwall_binary(&len_chwall);
+
+    /* determine primary component (default chwall) */
+    header.policy_version = htonl(ACM_POLICY_VERSION);
+    header.magic = htonl(ACM_MAGIC);
+
+    len = sizeof(struct acm_policy_buffer);
+    if (have_chwall)
+        len += len_chwall;
+    if (have_ste)
+        len += len_ste;
+    header.len = htonl(len);
+
+    header.primary_buffer_offset = htonl(sizeof(struct acm_policy_buffer));
+    if (primary == CHWALL)
+    {
+        header.primary_policy_code = htonl(ACM_CHINESE_WALL_POLICY);
+        header.secondary_buffer_offset =
+            htonl((sizeof(struct acm_policy_buffer)) + len_chwall);
+    }
+    else if (primary == STE)
+    {
+        header.primary_policy_code =
+            htonl(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY);
+        header.secondary_buffer_offset =
+            htonl((sizeof(struct acm_policy_buffer)) + len_ste);
+    }
+    else
+    {
+        /* null policy */
+        header.primary_policy_code = htonl(ACM_NULL_POLICY);
+        header.secondary_buffer_offset =
+            htonl(header.primary_buffer_offset);
+    }
+
+    if (secondary == CHWALL)
+        header.secondary_policy_code = htonl(ACM_CHINESE_WALL_POLICY);
+    else if (secondary == STE)
+        header.secondary_policy_code =
+            htonl(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY);
+    else
+        header.secondary_policy_code = htonl(ACM_NULL_POLICY);
+
+    if (write(fd, (void *) &header, sizeof(struct acm_policy_buffer))
+        != sizeof(struct acm_policy_buffer))
+        return -EIO;
+
+    /* write primary policy component */
+    if (primary == CHWALL)
+    {
+        if (write(fd, chwall_buffer, len_chwall) != len_chwall)
+            return -EIO;
+    }
+    else if (primary == STE)
+    {
+        if (write(fd, ste_buffer, len_ste) != len_ste)
+            return -EIO;
+    } else
+        ;                     /* NULL POLICY has no policy data */
+
+    /* write secondary policy component */
+    if (secondary == CHWALL)
+    {
+        if (write(fd, chwall_buffer, len_chwall) != len_chwall)
+            return -EIO;
+    }
+    else if (secondary == STE)
+    {
+        if (write(fd, ste_buffer, len_ste) != len_ste)
+            return -EIO;
+    } else;                     /* NULL POLICY has no policy data */
+
+    close(fd);
+    return 0;
+}
+
+int is_valid(xmlDocPtr doc)
+{
+    int err = 0;
+    xmlSchemaPtr schema_ctxt = NULL;
+    xmlSchemaParserCtxtPtr schemaparser_ctxt = NULL;
+    xmlSchemaValidCtxtPtr schemavalid_ctxt = NULL;
+
+    schemaparser_ctxt = xmlSchemaNewParserCtxt(SCHEMA_FILENAME);
+    schema_ctxt = xmlSchemaParse(schemaparser_ctxt);
+    schemavalid_ctxt = xmlSchemaNewValidCtxt(schema_ctxt);
+
+#ifdef VALIDATE_SCHEMA
+    /* only tested to be available from libxml2-2.6.20 upwards */
+    if ((err = xmlSchemaIsValid(schemavalid_ctxt)) != 1)
+    {
+        printf("ERROR: Invalid schema file %s (err=%d)\n",
+               SCHEMA_FILENAME, err);
+        err = -EIO;
+        goto out;
+    }
+    else
+        printf("XML Schema %s valid.\n", SCHEMA_FILENAME);
+#endif
+    if ((err = xmlSchemaValidateDoc(schemavalid_ctxt, doc)))
+    {
+        err = -EIO;
+        goto out;
+    }
+  out:
+    xmlSchemaFreeValidCtxt(schemavalid_ctxt);
+    xmlSchemaFreeParserCtxt(schemaparser_ctxt);
+    xmlSchemaFree(schema_ctxt);
+    return (err != 0) ? 0 : 1;
+}
+
+int main(int argc, char **argv)
+{
+    xmlDocPtr labeldoc = NULL;
+    xmlDocPtr policydoc = NULL;
+
+    int err = EXIT_SUCCESS;
+
+    char *file_prefix;
+    int prefix_len;
+
+    if (ACM_POLICY_VERSION != WRITTEN_AGAINST_ACM_POLICY_VERSION)
+    {
+        printf("ERROR: This program was written against an older ACM 
version.\n");
+        exit(EXIT_FAILURE);
+    }
+
+    if (argc != 2)
+        usage(basename(argv[0]));
+
+    prefix_len = strlen(POLICY_SUBDIR) +
+        strlen(argv[1]) + 1 /* "/" */  +
+        strlen(argv[1]) + 1 /* "/" */ ;
+
+    file_prefix = malloc(prefix_len);
+    policy_filename = malloc(prefix_len + strlen(POLICY_EXTENSION));
+    label_filename = malloc(prefix_len + strlen(LABEL_EXTENSION));
+    binary_filename = malloc(prefix_len + strlen(BINARY_EXTENSION));
+    mapping_filename = malloc(prefix_len + strlen(MAPPING_EXTENSION));
+
+    if (!file_prefix || !policy_filename || !label_filename ||
+        !binary_filename || !mapping_filename)
+    {
+        printf("ERROR allocating file name memory.\n");
+        goto out2;
+    }
+
+    /* create input/output filenames out of prefix */
+    strcat(file_prefix, POLICY_SUBDIR);
+    strcat(file_prefix, argv[1]);
+    strcat(file_prefix, "/");
+    strcat(file_prefix, argv[1]);
+
+    strcpy(policy_filename, file_prefix);
+    strcpy(label_filename, file_prefix);
+    strcpy(binary_filename, file_prefix);
+    strcpy(mapping_filename, file_prefix);
+
+    strcat(policy_filename, POLICY_EXTENSION);
+    strcat(label_filename, LABEL_EXTENSION);
+    strcat(binary_filename, BINARY_EXTENSION);
+    strcat(mapping_filename, MAPPING_EXTENSION);
+
+    labeldoc = xmlParseFile(label_filename);
+
+    if (labeldoc == NULL)
+    {
+        printf("Error: could not parse file %s.\n", argv[1]);
+        goto out2;
+    }
+
+    printf("Validating label file %s...\n", label_filename);
+    if (!is_valid(labeldoc))
+    {
+        printf("ERROR: Failed schema-validation for file %s (err=%d)\n",
+               label_filename, err);
+        goto out1;
+    }
+
+    policydoc = xmlParseFile(policy_filename);
+
+    if (policydoc == NULL)
+    {
+        printf("Error: could not parse file %s.\n", argv[1]);
+        goto out1;
+    }
+
+    printf("Validating policy file %s...\n", policy_filename);
+
+    if (!is_valid(policydoc))
+    {
+        printf("ERROR: Failed schema-validation for file %s (err=%d)\n",
+               policy_filename, err);
+        goto out;
+    }
+
+    /* Init queues and parse policy */
+    create_type_mapping(policydoc);
+
+    /* create ssids */
+    create_ssid_mapping(labeldoc);
+
+    /* write label mapping file */
+    if (write_mapping(mapping_filename))
+    {
+        printf("ERROR: writing mapping file %s.\n", mapping_filename);
+        goto out;
+    }
+
+    /* write binary file */
+    if (write_binary(binary_filename))
+    {
+        printf("ERROR: writing binary file %s.\n", binary_filename);
+        goto out;
+    }
+
+    /* write stats */
+    if (have_chwall)
+    {
+        printf("Max chwall labels:  %u\n", max_chwall_labels);
+        printf("Max chwall-types:   %u\n", max_chwall_types);
+        printf("Max chwall-ssids:   %u\n", max_chwall_ssids);
+    }
+
+    if (have_ste)
+    {
+        printf("Max ste labels:     %u\n", max_ste_labels);
+        printf("Max ste-types:      %u\n", max_ste_types);
+        printf("Max ste-ssids:      %u\n", max_ste_ssids);
+    }
+    /* cleanup */
+  out:
+    xmlFreeDoc(policydoc);
+  out1:
+    xmlFreeDoc(labeldoc);
+  out2:
+    xmlCleanupParser();
+    return err;
+}
+
diff -r 3d45fb64b064 -r 509316987d65 tools/security/secpol_xml2bin.h
--- /dev/null   Fri Aug 19 10:18:53 2005
+++ b/tools/security/secpol_xml2bin.h   Fri Aug 19 10:50:15 2005
@@ -0,0 +1,139 @@
+/****************************************************************
+ * secpol_xml2bin.h
+ *
+ * Copyright (C) 2005 IBM Corporation
+ *
+ * Authors:
+ * Reiner Sailer <sailer@xxxxxxxxxxxxxx>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ *
+ */
+#define POLICY_SUBDIR       "policies/"
+#define POLICY_EXTENSION    "-security_policy.xml"
+#define LABEL_EXTENSION     "-security_label_template.xml"
+#define BINARY_EXTENSION    ".bin"
+#define MAPPING_EXTENSION   ".map"
+#define PRIMARY_COMPONENT_ATTR_NAME "order"
+#define BOOTSTRAP_LABEL_ATTR_NAME   "bootstrap"
+#define PRIMARY_COMPONENT   "PrimaryPolicyComponent"
+#define SCHEMA_FILENAME     "policies/security_policy.xsd"
+
+/* basic states (used as 1 << X) */
+#define XML2BIN_SECPOL             0   /* policy tokens */
+#define XML2BIN_STE                    1
+#define XML2BIN_CHWALL          2
+#define XML2BIN_CONFLICTSETS           3
+#define XML2BIN_CSTYPE         4
+
+#define XML2BIN_SECTEMPLATE        5   /* label tokens */
+#define XML2BIN_POLICYHEADER           6
+#define XML2BIN_LABELHEADER     7
+#define XML2BIN_SUBJECTS        8
+#define XML2BIN_OBJECTS            9
+#define XML2BIN_VM                 10
+#define XML2BIN_RES            11
+
+#define XML2BIN_STETYPES           12  /* shared tokens */
+#define XML2BIN_CHWALLTYPES        13
+#define XML2BIN_TYPE               14
+#define XML2BIN_NAME            15
+#define XML2BIN_TEXT               16
+#define XML2BIN_COMMENT                17
+
+/* type "data type" (currently 16bit) */
+typedef u_int16_t type_t;
+
+/* list of known elements and token equivalent  *
+ * state constants and token positions must be  *
+ * in sync for correct state recognition        */
+
+char *token[20] =                       /* parser triggers */
+{
+    [0] = "SecurityPolicyDefinition",   /* policy xml */
+    [1] = "SimpleTypeEnforcement",
+    [2] = "ChineseWall",
+    [3] = "ConflictSets",
+    [4] = "Conflict",                   /* label-template xml */
+    [5] = "SecurityLabelTemplate",
+    [6] = "PolicyHeader",
+    [7] = "LabelHeader",
+    [8] = "SubjectLabels",
+    [9] = "ObjectLabels",
+    [10] = "VirtualMachineLabel",
+    [11] = "ResourceLabel",
+    [12] = "SimpleTypeEnforcementTypes",                  /* common tags */
+    [13] = "ChineseWallTypes",
+    [14] = "Type",
+    [15] = "Name",
+    [16] = "text",
+    [17] = "comment",
+    [18] = NULL,
+};
+
+/* important combined states */
+#define XML2BIN_NULL           0
+
+/* policy xml parsing states _S */
+
+/* e.g., here we are in a <secpol,ste,stetypes> environment,  *
+ * so when finding a type element, we know where to put it    */
+#define XML2BIN_stetype_S ((1 << XML2BIN_SECPOL) | \
+                                (1 << XML2BIN_STE) |    \
+                                (1 << XML2BIN_STETYPES))
+
+#define XML2BIN_chwalltype_S ((1 << XML2BIN_SECPOL) | \
+                                (1 << XML2BIN_CHWALL) | \
+                                (1 << XML2BIN_CHWALLTYPES))
+
+#define XML2BIN_conflictset_S ((1 << XML2BIN_SECPOL) | \
+                                (1 << XML2BIN_CHWALL) | \
+                                (1 << XML2BIN_CONFLICTSETS))
+
+#define XML2BIN_conflictsettype_S ((1 << XML2BIN_SECPOL) | \
+                                (1 << XML2BIN_CHWALL) | \
+                                (1 << XML2BIN_CONFLICTSETS) | \
+                                (1 << XML2BIN_CSTYPE))
+
+
+/* label xml states */
+#define XML2BIN_VM_S ((1 << XML2BIN_SECTEMPLATE) | \
+                      (1 << XML2BIN_SUBJECTS) |    \
+                      (1 << XML2BIN_VM))
+
+#define XML2BIN_RES_S ((1 << XML2BIN_SECTEMPLATE) | \
+                       (1 << XML2BIN_OBJECTS) |     \
+                       (1 << XML2BIN_RES))
+
+#define XML2BIN_VM_STE_S ((1 << XML2BIN_SECTEMPLATE) | \
+                        (1 << XML2BIN_SUBJECTS) | \
+                        (1 << XML2BIN_VM) | \
+                        (1 << XML2BIN_STETYPES))
+
+#define XML2BIN_VM_CHWALL_S ((1 << XML2BIN_SECTEMPLATE) | \
+                           (1 << XML2BIN_SUBJECTS) | \
+                           (1 << XML2BIN_VM) | \
+                           (1 << XML2BIN_CHWALLTYPES))
+
+#define XML2BIN_RES_STE_S ((1 << XML2BIN_SECTEMPLATE) | \
+                         (1 << XML2BIN_OBJECTS) | \
+                         (1 << XML2BIN_RES) | \
+                         (1 << XML2BIN_STETYPES))
+
+
+
+/* check versions of headers against which the
+ * xml2bin translation tool was written
+ */
+
+/* protects from unnoticed changes in struct acm_policy_buffer */
+#define WRITTEN_AGAINST_ACM_POLICY_VERSION  1
+
+/* protects from unnoticed changes in struct acm_chwall_policy_buffer */
+#define WRITTEN_AGAINST_ACM_CHWALL_VERSION  1
+
+/* protects from unnoticed changes in struct acm_ste_policy_buffer */
+#define WRITTEN_AGAINST_ACM_STE_VERSION     1
diff -r 3d45fb64b064 -r 509316987d65 tools/security/setlabel.sh
--- /dev/null   Fri Aug 19 10:18:53 2005
+++ b/tools/security/setlabel.sh        Fri Aug 19 10:50:15 2005
@@ -0,0 +1,345 @@
+#!/bin/sh
+# *
+# * setlabel
+# *
+# * Copyright (C) 2005 IBM Corporation
+# *
+# * Authors:
+# * Stefan Berger <stefanb@xxxxxxxxxx>
+# *
+# * This program is free software; you can redistribute it and/or
+# * modify it under the terms of the GNU General Public License as
+# * published by the Free Software Foundation, version 2 of the
+# * License.
+# *
+# * 'setlabel' labels virtual machine (domain) configuration files with
+# * security identifiers that can be enforced in Xen.
+# *
+# * 'setlabel -?' shows the usage of the program
+# *
+# * 'setlabel -l vmconfig-file' lists all available labels (only VM
+# *            labels are used right now)
+# *
+# * 'setlabel vmconfig-file security-label map-file' inserts the 'ssidref'
+# *                       that corresponds to the security-label under the
+# *                       current policy (if policy changes, 'label'
+# *                       must be re-run over the configuration files;
+# *                       map-file is created during policy translation and
+# *                       is found in the policy's directory
+#
+
+if [ -z "$runbash" ]; then
+       runbash="1"
+       export runbash
+       exec sh -c "bash $0 $*"
+fi
+
+
+usage ()
+{
+       echo "Usage: $0 [Option] <vmfile> <label> <policy name> "
+       echo "    or $0 -l <policy name>"
+       echo ""
+       echo "Valid Options are:"
+       echo "-r          : to relabel a file without being prompted"
+       echo ""
+       echo "vmfile      : XEN vm configuration file"
+       echo "label       : the label to map"
+       echo "policy name : the name of the policy, i.e. 'chwall'"
+       echo ""
+       echo "-l <policy name> is used to show valid labels in the map file"
+       echo ""
+}
+
+
+findMapFile ()
+{
+       mapfile="./$1.map"
+       if [ -r "$mapfile" ]; then
+               return 1
+       fi
+
+       mapfile="./policies/$1/$1.map"
+       if [ -r "$mapfile" ]; then
+               return 1
+       fi
+
+       return 0
+}
+
+showLabels ()
+{
+       mapfile=$1
+       if [ ! -r "$mapfile" -o "$mapfile" == "" ]; then
+               echo "Cannot read from vm configuration file $vmfile."
+               return -1
+       fi
+
+       getPrimaryPolicy $mapfile
+       getSecondaryPolicy $mapfile
+
+       echo "The following labels are available:"
+       let line=1
+       while [ 1 ]; do
+               ITEM=`cat $mapfile |         \
+                     awk -vline=$line       \
+                         -vprimary=$primary \
+                     '{                     \
+                        if ($1 == "LABEL->SSID" &&  \
+                            $2 == "VM" &&           \
+                            $3 == primary ) {       \
+                          ctr++;                    \
+                          if (ctr == line) {        \
+                            print $4;               \
+                          }                         \
+                        }                           \
+                      } END {                       \
+                      }'`
+
+               if [ "$ITEM" == "" ]; then
+                       break
+               fi
+               if [ "$secondary" != "NULL" ]; then
+                       LABEL=`cat $mapfile |     \
+                              awk -vitem=$ITEM   \
+                              '{
+                                 if ($1 == "LABEL->SSID" && \
+                                     $2 == "VM" &&          \
+                                     $3 == "CHWALL" &&      \
+                                     $4 == item ) {         \
+                                   result = item;           \
+                                 }                          \
+                               } END {                      \
+                                   print result             \
+                               }'`
+               else
+                       LABEL=$ITEM
+               fi
+
+               if [ "$LABEL" != "" ]; then
+                       echo "$LABEL"
+                       found=1
+               fi
+               let line=line+1
+       done
+       if [ "$found" != "1" ]; then
+               echo "No labels found."
+       fi
+}
+
+getPrimaryPolicy ()
+{
+       mapfile=$1
+       primary=`cat $mapfile  |   \
+                awk '             \
+                 {                \
+                   if ( $1 == "PRIMARY" ) { \
+                     res=$2;                \
+                   }                        \
+                 } END {                    \
+                   print res;               \
+                 } '`
+}
+
+getSecondaryPolicy ()
+{
+       mapfile=$1
+       secondary=`cat $mapfile  |   \
+                awk '             \
+                 {                \
+                   if ( $1 == "SECONDARY" ) { \
+                     res=$2;                \
+                   }                        \
+                 } END {                    \
+                   print res;               \
+                 } '`
+}
+
+
+getDefaultSsid ()
+{
+       mapfile=$1
+       pol=$2
+       RES=`cat $mapfile    \
+            awk -vpol=$pol  \
+             {              \
+               if ($1 == "LABEL->SSID" && \
+                   $2 == "ANY"         && \
+                   $3 == pol           && \
+                   $4 == "DEFAULT"       ) {\
+                     res=$5;                \
+               }                            \
+             } END {                        \
+               printf "%04x", strtonum(res) \
+            }'`
+       echo "default NULL mapping is $RES"
+       defaultssid=$RES
+}
+
+relabel ()
+{
+       vmfile=$1
+       label=$2
+       mapfile=$3
+       mode=$4
+
+       if [ ! -r "$vmfile" ]; then
+               echo "Cannot read from vm configuration file $vmfile."
+               return -1
+       fi
+
+       if [ ! -w "$vmfile" ]; then
+               echo "Cannot write to vm configuration file $vmfile."
+               return -1
+       fi
+
+       if [ ! -r "$mapfile" ] ; then
+               echo "Cannot read mapping file $mapfile."
+               return -1
+       fi
+
+       # Determine which policy is primary, which sec.
+       getPrimaryPolicy $mapfile
+       getSecondaryPolicy $mapfile
+
+       # Calculate the primary policy's SSIDREF
+       if [ "$primary" == "NULL" ]; then
+               SSIDLO="0000"
+       else
+               SSIDLO=`cat $mapfile |                    \
+                       awk -vlabel=$label                \
+                           -vprimary=$primary            \
+                          '{                             \
+                             if ( $1 == "LABEL->SSID" && \
+                                  $2 == "VM" &&          \
+                                  $3 == primary  &&      \
+                                  $4 == label ) {        \
+                               result=$5                 \
+                             }                           \
+                          } END {                        \
+                            if (result != "" )           \
+                              {printf "%04x", strtonum(result)}\
+                          }'`
+       fi
+
+       # Calculate the secondary policy's SSIDREF
+       if [ "$secondary" == "NULL" ]; then
+               SSIDHI="0000"
+       else
+               SSIDHI=`cat $mapfile |                    \
+                       awk -vlabel=$label                \
+                           -vsecondary=$secondary        \
+                          '{                             \
+                             if ( $1 == "LABEL->SSID" && \
+                                  $2 == "VM"          && \
+                                  $3 == secondary     && \
+                                  $4 == label ) {        \
+                               result=$5                 \
+                             }                           \
+                           }  END {                      \
+                             if (result != "" )          \
+                               {printf "%04x", strtonum(result)}\
+                           }'`
+       fi
+
+       if [ "$SSIDLO" == "" -o \
+            "$SSIDHI" == "" ]; then
+               echo "Could not map the given label '$label'."
+               return -1
+       fi
+
+       ACM_POLICY=`cat $mapfile |             \
+           awk ' { if ( $1 == "POLICY" ) {    \
+                     result=$2                \
+                   }                          \
+                 }                            \
+                 END {                        \
+                   if (result != "") {        \
+                     printf result            \
+                   }                          \
+                 }'`
+
+       if [ "$ACM_POLICY" == "" ]; then
+               echo "Could not find 'POLICY' entry in map file."
+               return -1
+       fi
+
+       SSIDREF="0x$SSIDHI$SSIDLO"
+
+       if [ "$mode" != "relabel" ]; then
+               RES=`cat $vmfile |  \
+                    awk '{         \
+                      if ( substr($1,0,7) == "ssidref" ) {\
+                        print $0;             \
+                      }                       \
+                    }'`
+               if [ "$RES" != "" ]; then
+                       echo "Do you want to overwrite the existing mapping 
($RES)? (y/N)"
+                       read user
+                       if [ "$user" != "y" -a "$user" != "Y" ]; then
+                               echo "Aborted."
+                               return 0
+                       fi
+               fi
+       fi
+
+       #Write the output
+       vmtmp1="/tmp/__setlabel.tmp1"
+       vmtmp2="/tmp/__setlabel.tmp2"
+       touch $vmtmp1
+       touch $vmtmp2
+       if [ ! -w "$vmtmp1" -o ! -w "$vmtmp2" ]; then
+               echo "Cannot create temporary files. Aborting."
+               return -1
+       fi
+       RES=`sed -e '/^#ACM_POLICY/d' $vmfile > $vmtmp1`
+       RES=`sed -e '/^#ACM_LABEL/d' $vmtmp1 > $vmtmp2`
+       RES=`sed -e '/^ssidref/d' $vmtmp2 > $vmtmp1`
+       echo "#ACM_POLICY=$ACM_POLICY" >> $vmtmp1
+       echo "#ACM_LABEL=$label" >> $vmtmp1
+       echo "ssidref = $SSIDREF" >> $vmtmp1
+       mv -f $vmtmp1 $vmfile
+       rm -rf $vmtmp1 $vmtmp2
+       echo "Mapped label '$label' to ssidref '$SSIDREF'."
+}
+
+
+
+if [ "$1" == "-r" ]; then
+       mode="relabel"
+       shift
+elif [ "$1" == "-l" ]; then
+       mode="show"
+       shift
+elif [ "$1" == "-?" ]; then
+       mode="usage"
+fi
+
+if [ "$mode" == "show" ]; then
+       if [ "$1" == "" ]; then
+               usage
+               exit -1;
+       fi
+       findMapFile $1
+       res=$?
+       if [ "$res" != "0" ]; then
+               showLabels $mapfile
+       else
+               echo "Could not find map file for policy '$1'."
+       fi
+elif [ "$mode" == "usage" ]; then
+       usage
+else
+       if [ "$3" == "" ]; then
+               usage
+               exit -1;
+       fi
+       findMapFile $3
+       res=$?
+       if [ "$res" != "0" ]; then
+               relabel $1 $2 $mapfile $mode
+       else
+               echo "Could not find map file for policy '$3'."
+       fi
+
+fi
diff -r 3d45fb64b064 -r 509316987d65 tools/security/updategrub.sh
--- /dev/null   Fri Aug 19 10:18:53 2005
+++ b/tools/security/updategrub.sh      Fri Aug 19 10:50:15 2005
@@ -0,0 +1,171 @@
+#!/bin/sh
+# *
+# * updategrub
+# *
+# * Copyright (C) 2005 IBM Corporation
+# *
+# * Authors:
+# * Stefan Berger <stefanb@xxxxxxxxxx>
+# *
+# * This program is free software; you can redistribute it and/or
+# * modify it under the terms of the GNU General Public License as
+# * published by the Free Software Foundation, version 2 of the
+# * License.
+# *
+# *
+#
+
+if [ -z "$runbash" ]; then
+       runbash="1"
+       export runbash
+       exec sh -c "bash $0 $*"
+       exit
+fi
+
+
+# Show usage of this program
+usage ()
+{
+       echo "Usage: $0 <policy name> <root of xen repository>"
+       echo ""
+       echo "<policy name>             : The name of the policy, i.e. xen_null"
+       echo "<root of xen repository>  : The root of the XEN repositrory."
+       echo ""
+}
+
+# This function sets the global variable 'linux'
+# to the name of the linux kernel that was compiled
+# For now a pattern should do the trick
+getLinuxVersion ()
+{
+       path=$1
+       linux=""
+       for f in $path/linux-*-xen0 ; do
+               versionfile=$f/include/linux/version.h
+               if [ -r $versionfile ]; then
+                       lnx=`cat $versionfile | \
+                            grep UTS_RELEASE | \
+                            awk '{             \
+                              len=length($3);  \
+                              print substr($3,2,len-2) }'`
+               fi
+               if [ "$lnx" != "" ]; then
+                       linux="[./0-9a-zA-z]*$lnx"
+                       return;
+               fi
+       done
+
+       #Last resort.
+       linux="vmlinuz-2.[45678].[0-9]*[.0-9]*-xen0$"
+}
+
+#Return where the grub.conf file is.
+#I only know of one place it can be.
+findGrubConf()
+{
+       grubconf="/boot/grub/grub.conf"
+       if [ -w $grubconf ]; then
+               return 1
+       fi
+       return 0
+}
+
+
+#Update the grub configuration file.
+#Search for existing entries and replace the current
+#policy entry with the policy passed to this script
+#
+#Arguments passed to this function
+# 1st : the grub configuration file
+# 2nd : the binary policy file name
+# 3rd : the name or pattern of the linux kernel name to match
+#
+# The algorithm here is based on pattern matching
+# and is working correctly if
+# - under a title a line beginning with 'kernel' is found
+#   whose following item ends with "xen.gz"
+#   Example:  kernel /xen.gz dom0_mem=....
+# - a module line matching the 3rd parameter is found
+#
+updateGrub ()
+{
+       grubconf=$1
+       policyfile=$2
+       linux=$3
+
+       tmpfile="/tmp/new_grub.conf"
+
+       cat $grubconf |                                \
+                awk -vpolicy=$policyfile              \
+                    -vlinux=$linux '{                 \
+                  if ( $1 == "title" ) {              \
+                    kernelfound = 0;                  \
+                    if ( policymaycome == 1 ){        \
+                      printf ("\tmodule %s%s\n", path, policy);      \
+                    }                                 \
+                    policymaycome = 0;                \
+                  }                                   \
+                  else if ( $1 == "kernel" ) {        \
+                    if ( match($2,"xen.gz$") ) {      \
+                      path=substr($2,1,RSTART-1);     \
+                      kernelfound = 1;                \
+                    }                                 \
+                  }                                   \
+                  else if ( $1 == "module" &&         \
+                            kernelfound == 1 &&       \
+                            match($2,linux) ) {       \
+                     policymaycome = 1;               \
+                  }                                   \
+                  else if ( $1 == "module" &&         \
+                            kernelfound == 1 &&       \
+                            policymaycome == 1 &&     \
+                            match($2,"[0-9a-zA-Z]*.bin$") ) { \
+                     printf ("\tmodule %s%s\n", path, policy); \
+                     policymaycome = 0;               \
+                     kernelfound = 0;                 \
+                     dontprint = 1;                   \
+                  }                                   \
+                  else if ( $1 == "" &&               \
+                            kernelfound == 1 &&       \
+                            policymaycome == 1) {     \
+                     dontprint = 1;                   \
+                  }                                   \
+                  if (dontprint == 0) {               \
+                    printf ("%s\n", $0);              \
+                  }                                   \
+                  dontprint = 0;                      \
+                } END {                               \
+                  if ( policymaycome == 1 ) {         \
+                    printf ("\tmodule %s%s\n", path, policy);  \
+                  }                                   \
+                }' > $tmpfile
+       if [ ! -r $tmpfile ]; then
+               echo "Could not create temporary file! Aborting."
+               exit -1
+       fi
+       mv -f $tmpfile $grubconf
+}
+
+if [ "$1" == "" -o "$2" == "" ]; then
+       usage
+       exit -1
+fi
+
+if [ "$1" == "-?" ]; then
+       usage
+       exit 0
+fi
+
+policy=$1
+policyfile=$policy.bin
+
+getLinuxVersion $2
+
+findGrubConf
+ERR=$?
+if [ $ERR -eq 0 ]; then
+       echo "Could not find grub.conf. Aborting."
+       exit -1
+fi
+
+updateGrub $grubconf $policyfile $linux
diff -r 3d45fb64b064 -r 509316987d65 docs/misc/shype4xen_readme.txt
--- a/docs/misc/shype4xen_readme.txt    Fri Aug 19 10:18:53 2005
+++ /dev/null   Fri Aug 19 10:50:15 2005
@@ -1,588 +0,0 @@
-Copyright: IBM Corporation (C)
-20 June 2005
-Author: Reiner Sailer
-
-This document is a very short introduction into the sHype access control 
-security architecture implementation and how it is perceived by users. It 
-is a very preliminary draft  for the courageous ones to get "their feet wet" 
-and to be able to give feedback (via the xen-devel/xense-devel mailing lists).
-
-Install:
-
-cd into xeno-unstable.bk 
-(use --dry-run option if you want to test the patch only)
-patch -p1 -g0 < *tools.diff
-patch -p1 -g0 < *xen.diff
-
-(no rejects, probably some line offsets)
-
-make uninstall; make mrproper; make; ./install.sh should install the default 
-sHype into Xen (rebuild your initrd images if necessary). Reboot.
-
-Debug output: there are two triggers for debug output:
-a) General sHype debug:
-    xeno-unstable.bk/xen/include/public/acm.h
-    undefine ACM_DEBUG to switch this debug off
-
-b) sHype enforcement hook trace: This prints a small trace for each 
enforcement 
-hook that is executed. The trigger is in
-    xeno-unstable.bk/xen/include/acm/acm_hooks.h
-    undefine ACM_TRACE_MODE to switch this debug off
-
-1. The default NULL policy
-***************************
-When you apply the patches and startup xen, you should at first not notice any 
-difference because the default policy is the "NULL" policy, which as the name 
-implies does not enforce anything.
-
-To display the currently enforced policy, use the policy tool under xeno-
-unstable.bk/tools/policy: policy_tool getpolicy. You should see output like 
the 
-one below.
-
-[root@laptop policy]#./policy_tool getpolicy
-
-Policy dump:
-============
-Magic     = 1debc.
-PolVer    = aaaa0000.
-Len       = 14.
-Primary   = NULL policy (c=0, off=14).
-Secondary = NULL policy (c=0, off=14).
-No primary policy (NULL).
-No secondary policy (NULL).
-
-Policy dump End.
-
-Since this is a dump of a binary policy, it's not pretty. The important parts 
-are the "Primary" and "Secondary" policy fields set to "NULL policy". sHype 
-currently allows to set two independent policies; thus the two SSID-REF parts 
-shown in 'xm list'. Right here: primary policy only means this policy is 
-checked first, the secondary policy is checked if the primary results in 
-"permitted access". The result of the combined policy is "permitted" if both 
-policies return permitted (NULL policy always returns permitted). The result 
is 
-"denied" if at least one of the policies returns "denied". Look into xeno-
-unstable.bk/xen/include/acm/acm_hooks.h for the general hook structure 
-integrating the policy decisions (if you like, you won't need it for the rest 
-of the Readme file).
-
-2. Setting Chinese Wall and Simple Type Enforcement policies:
-*************************************************************
-
-We'll get fast to the point. However, in order to understand what we are 
doing, 
-we must at least understand the purpose of the policies that we are going to 
-enforce. The two policies presented here are just examples and the 
-implementation encourages adding new policies easily.
-
-2.1. Chinese Wall policy: "decides whether a domain can be started based on 
-this domain's ssidref and the ssidrefs of the currently running domains". 
-Generally, the Chinese wall policy allows specifying certain types (or classes 
-or categories, whatever the preferred word) that conflict; we usually assign a 
-type to a workload and the set of types of those workloads running in a domain 
-make up the type set for this domain.  Each domain is assigned a set of types 
-through its SSID-REF (we register Chinese Wall as primary policy, so the 
-ssidref used for determining the Chinese Wall types is the one annotated with 
-"p:" in xm list) since each SSID-REF points at a set of types. We'll see how 
-SSIDREFs are represented in Xen later when we will look at the policy. (A good 
-read for Chinese Wall is: Brewer/Nash The Chinese Wall Security Policy 1989.)
-
-So let's assume the Chinese Wall policy we are running distinguishes 10 types: 
-t0 ... t9. Let us assume further that each SSID-REF points to a set that 
-includes exactly one type (attached to domains that run workloads of a single 
-type). SSID-REF 0 points to {t0}, ssidref 1 points to {t1} ... 9 points to 
-{t9}. [This is actually the example policy we are going to push into xen later]
-
-Now the Chinese Wall policy allows you to define "Conflict type sets" and it 
-guarantees that of any conflict set at most one type is "running" at any time. 
-As an example, we have defined 2 conflict set: {t2, t3} and {t0, t5, t6}. 
-Specifying these conflict sets, sHype ensures that at most one type of each 
set 
-is running (either t2 or t3 but not both; either t0 or t5 or t6 but not 
-multiple of them).
-
-The effect is that administrators can define which workload types cannot run 
-simultaneously on a single Xen system. This is useful to limit the covert 
-timing channels between such payloads or to ensure that payloads don't 
-interfere with each other through existing resource dependencies.
-
-2.2. Simple Type Enforcement (ste) policy: "decides whether two domains can 
-share data, e.g., setup event channels or grant tables to each other, based on 
-the two domains' ssidref. This, as the name says, is a simple policy. Think of 
-each type as of a single color. Each domain has one or more colors, i.e., the 
-domains ssid for the ste policy points to a set that has set one or multiple 
-types. Let us assume in our example policy we differentiate 5 colors (types) 
-and define 5 different ssids referenced by ssidref=0..4. Each ssid shall have 
-exactly one type set, i.e., describes a uni-color. Only ssid(0) has all types 
-set, i.e., has all defined colors.
-
-Sharing is enforced by the ste policy by requiring that two domains that want 
-to establish an event channel or grant pages to each other must have a common 
-color. Currently all domains communicate through DOM0 by default; i.e., 
Domain0 
-will necessarily have all colors to be able to create domains (thus, we will 
-assign ssidref(0) to Domain0 in our example below.
-
-More complex mandatory access control policies governing sharing will follow; 
-such policies are more sophisticated than the "color" scheme above by allowing 
-more flexible (and complex :_) access control decisions than "share a color" 
or 
-"don't share a color" and will be able to express finer-grained policies.
-
-
-2.3 Binary Policy:
-In the future, we will have a policy tool that takes as input a more humane 
-policy description, using types such as development, home-banking, donated-
-Grid, CorpA-Payload ... and translates the respective policy into what we see 
-today as the binary policy using 1s and 0s and sets of them. For now, we must 
-live with the binary policy when working with sHype.
-
-    
-2.4 Exemplary use of a real sHype policy on Xen. To activate a real policy, 
-edit the file (yes, this will soon be a compile option):
-  xeno-unstable.bk/xen/include/public/acm.h
-  Change: #define ACM_USE_SECURITY_POLICY ACM_NULL_POLICY
-   To : #define ACM_USE_SECURITY_POLICY 
ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY
-   cd xeno-unstable.bk
-   make mrproper
-   make uninstall (manually remove /etc/xen.old if necessary)
-   make
-   ./install.sh      (recreate your kernel initrd's if necessary)
-   Reboot into new xen.gz
-     
-After booting, check out 'xm dmesg'; should show somewhere in the middle:
-
-(XEN) acm_init: Enforcing Primary CHINESE WALL policy, Secondary SIMPLE TYPE 
-ENFORCEMENT policy.
-
-Even though you can activate those policies in any combination and also 
-independently, the policy tool currently only supports setting the policy for 
-the above combination.
-
-Now look at the minimal startup policy with:
-                xeno-unstable.bk/tools/policytool getpolicy
-
-You should see something like:
-
-[root@laptop policy]# ./policy_tool getpolicy
-
-Policy dump:
-============
-Magic     = 1debc.
-PolVer    = aaaa0000.
-Len       = 36.
-Primary   = CHINESE WALL policy (c=1, off=14).
-Secondary = SIMPLE TYPE ENFORCEMENT policy (c=2, off=2c).
-
-
-Chinese Wall policy:
-====================
-Max Types     = 1.
-Max Ssidrefs  = 1.
-Max ConfSets  = 1.
-Ssidrefs Off  = 10.
-Conflicts Off = 12.
-Runing T. Off = 14.
-C. Agg. Off   = 16.
-
-SSID To CHWALL-Type matrix:
-
-   ssidref 0:  00 
-
-Confict Sets:
-
-   c-set 0:    00 
-
-Running
-Types:         00 
-
-Conflict
-Aggregate Set: 00 
-
-
-Simple Type Enforcement policy:
-===============================
-Max Types     = 1.
-Max Ssidrefs  = 1.
-Ssidrefs Off  = 8.
-
-SSID To STE-Type matrix:
-
-   ssidref 0: 01 
-
-
-Policy dump End.
-
-This is a minimal policy (of little use), except it will disable starting any 
-domain that does not have ssidref set to 0x0. The Chinese Wall policy has 
-nothing to enforce and the ste policy only knows one type, which is set for 
the 
-only defined ssidref.
-
-The item that defines the ssidref in a domain configuration is:
-
-ssidref = 0x12345678
-
-Where ssidref is interpreted as a 32bit number, where the lower 16bits become 
-the ssidref for the primary policy and the higher 16bits become the ssidref 
for 
-the secondary policy. sHype currently supports two policies but this is an 
-implementation decision and can be extended if necessary.
-
-This reference defines the security information of a domain. The meaning of 
the 
-SSID-REF depends on the policy, so we explain it when we explain the real 
-policies.
-
-
-Setting a new Security Policy:
-******************************
-The policy tool with all its current limitations has one usable example policy 
-compiled-in. Please try at this time to use the setpolicy command:
-       xeno-unstable.bk/tools/policy/policy_tool setpolicy
-
-You should see a dump of the policy you are setting. It should say at the very 
-end: 
-
-Policy successfully set.
-
-Now try to dump the currently enforced policy, which is the policy we have 
just 
-set and the dynamic security state information of this policy 
-(<<< ... some additional explanations)
-
-[root@laptop policy]# ./policy_tool getpolicy
-
-Policy dump:
-============
-Magic     = 1debc.
-PolVer    = aaaa0000.
-Len       = 112.
-Primary   = CHINESE WALL policy (c=1, off=14).
-Secondary = SIMPLE TYPE ENFORCEMENT policy (c=2, off=d8).
-
-
-Chinese Wall policy:
-====================
-Max Types     = a.
-Max Ssidrefs  = 5.
-Max ConfSets  = 2.
-Ssidrefs Off  = 10.
-Conflicts Off = 74.
-Runing T. Off = 9c.
-C. Agg. Off   = b0.
-
-SSID To CHWALL-Type matrix:
-
-   ssidref 0:  01 00 00 00 00 00 00 00 00 00  <<< type0 is set for ssidref0
-   ssidref 1:  00 01 00 00 00 00 00 00 00 00 
-   ssidref 2:  00 00 01 00 00 00 00 00 00 00 
-   ssidref 3:  00 00 00 01 00 00 00 00 00 00 
-   ssidref 4:  00 00 00 00 01 00 00 00 00 00  <<< type4 is set for ssidref4
-                                              <<< types 5-9 are unused
-Confict Sets:
-
-   c-set 0:    00 00 01 01 00 00 00 00 00 00  <<< type2 and type3 never run 
together
-   c-set 1:    01 00 00 00 00 01 01 00 00 00  <<< only one of types 0, 5 or 6 
-                                              <<<   can run simultaneously
-Running
-Types:         01 00 00 00 00 00 00 00 00 00  <<< ref-count for types of 
running domains
-
-Conflict
-Aggregate Set: 00 00 00 00 00 01 01 00 00 00  <<< aggregated set of types that 
                 
-                                              <<< cannot run because they 
-                                              <<< are in conflict set 1 and
-                                              <<< (domain 0 is running w t0)
-                                             
-
-Simple Type Enforcement policy:
-===============================
-Max Types     = 5.
-Max Ssidrefs  = 5.
-Ssidrefs Off  = 8.
-
-SSID To STE-Type matrix:
-
-   ssidref 0: 01 01 01 01 01                  <<< ssidref0 points to a set 
that                  
-                                              <<< has all types set (colors)
-   ssidref 1: 00 01 00 00 00                  <<< ssidref1 has color1 set
-   ssidref 2: 00 00 01 00 00                  <<< ...
-   ssidref 3: 00 00 00 01 00 
-   ssidref 4: 00 00 00 00 01 
-
-
-Policy dump End.
-
-
-This is a small example policy with which we will demonstrate the enforcement.
-
-Starting Domains with policy enforcement
-========================================
-Now let us play with this policy. 
-
-Define 3 or 4 domain configurations. I use the following config using a 
ramdisk 
-only and about 8MBytes of memory for each DomU (test purposes):
-
-#-------configuration xmsec1-------------------------
-kernel = "/boot/vmlinuz-2.6.11-xenU"
-ramdisk="/boot/U1_ramdisk.img"
-#security reference identifier
-ssidref= 0x00010001
-memory = 10
-name = "xmsec1"
-cpu = -1   # leave to Xen to pick
-# Number of network interfaces. Default is 1.
-nics=1
-dhcp="dhcp"
-#-----------------------------------------------------
-
-xmsec2 and xmsec3 look the same except for the name and the ssidref line. Use 
-your domain config file and add "ssidref = 0x00010001" to the first (xmsec1),  
-"ssidref= 0x00020002" to the second (call it xmsec2), and "ssidref=0x00030003" 
 
-to the third (we will call this one xmsec3).
-
-First start xmsec1: xm create -c xmsec1 (succeeds)
-
-Then
-[root@laptop policy]# xm list 
-Name              Id  Mem(MB)  CPU  State  Time(s)  Console  
-Domain-0           0      620   0  r----     42.3            s:00/p:00
-xmnosec            1        9   0  -b---      0.3    9601    s:00/p:05
-xmsec1             2        9   0  -b---      0.2    9602    s:01/p:01
-
-Shows a new domain xmsec1 running with primary (here: chinese wall) ssidref 1 
-and secondary (here: simple type enforcement) ssidref 1. The ssidrefs are  
-independent and can differ for a domain.
-
-[root@laptop policy]# ./policy_tool getpolicy
-
-Policy dump:
-============
-Magic     = 1debc.
-PolVer    = aaaa0000.
-Len       = 112.
-Primary   = CHINESE WALL policy (c=1, off=14).
-Secondary = SIMPLE TYPE ENFORCEMENT policy (c=2, off=d8).
-
-
-Chinese Wall policy:
-====================
-Max Types     = a.
-Max Ssidrefs  = 5.
-Max ConfSets  = 2.
-Ssidrefs Off  = 10.
-Conflicts Off = 74.
-Runing T. Off = 9c.
-C. Agg. Off   = b0.
-
-SSID To CHWALL-Type matrix:
-
-   ssidref 0:  01 00 00 00 00 00 00 00 00 00
-   ssidref 1:  00 01 00 00 00 00 00 00 00 00
-   ssidref 2:  00 00 01 00 00 00 00 00 00 00
-   ssidref 3:  00 00 00 01 00 00 00 00 00 00
-   ssidref 4:  00 00 00 00 01 00 00 00 00 00
-
-Confict Sets:
-
-   c-set 0:    00 00 01 01 00 00 00 00 00 00
-   c-set 1:    01 00 00 00 00 01 01 00 00 00   <<< t1 is not part of any c-set
-
-Running
-Types:         01 01 00 00 00 00 00 00 00 00   <<< xmsec1 has ssidref 1->type1
-                  ^^                           <<< ref-count at position 1 incr
-Conflict
-Aggregate Set: 00 00 00 00 00 01 01 00 00 00   <<< domain 1 was allowed to     
  
-                                               <<< start since type 1 was not
-                                               <<< in conflict with running 
-                                               <<< types
-                                            
-Simple Type Enforcement policy:
-===============================
-Max Types     = 5.
-Max Ssidrefs  = 5.
-Ssidrefs Off  = 8.
-
-SSID To STE-Type matrix:
-
-   ssidref 0: 01 01 01 01 01           <<< the ste policy does not maintain; we
-   ssidref 1: 00 01 00 00 00   <--     <<< see that domain xmsec1 has ste 
-   ssidref 2: 00 00 01 00 00           <<< ssidref1->type1 and has this type in
-   ssidref 3: 00 00 00 01 00           <<< common with dom0
-   ssidref 4: 00 00 00 00 01
-
-
-Policy dump End.
-
-Look at sHype output in xen dmesg:
-
-[root@laptop xen]# xm dmesg
-.
-.
-[somewhere near the very end]
-(XEN) chwall_init_domain_ssid: determined chwall_ssidref to 1.
-(XEN) ste_init_domain_ssid.
-(XEN) ste_init_domain_ssid: determined ste_ssidref to 1.
-(XEN) acm_init_domain_ssid: Instantiated individual ssid for domain 0x01.
-(XEN) chwall_post_domain_create.
-(XEN) ste_pre_eventchannel_interdomain.
-(XEN) ste_pre_eventchannel_interdomain: (evtchn 0 --> 1) common type #01.
-(XEN) shype_authorize_domops.
-(XEN) ste_pre_eventchannel_interdomain.
-(XEN) ste_pre_eventchannel_interdomain: (evtchn 0 --> 1) common type #01.
-(XEN) ste_pre_eventchannel_interdomain.
-(XEN) ste_pre_eventchannel_interdomain: (evtchn 0 --> 1) common type #01.
-
-
-You can see that the chinese wall policy does not complain and that the ste 
-policy makes three access control decisions for three event-channels setup 
-between domain 0 and the new domain 1. Each time, the two domains share the 
-type1 and setting up the eventchannel is permitted.
-
-
-Starting up a second domain xmsec2:
-
-[root@laptop xen]# xm create -c xmsec2
-Using config file "xmsec2".
-Started domain xmsec2, console on port 9602
-************ REMOTE CONSOLE: CTRL-] TO QUIT ********
-Linux version 2.6.11-xenU (root@xxxxxxxxxxxxxxx) (gcc version 3.4.2 20041017 
-(Red Hat 3.4.2-6.fc3)) #1 Wed Mar 30 13:14:31 EST 2005
-.
-.
-.
-[root@laptop policy]# xm list
-Name              Id  Mem(MB)  CPU  State  Time(s)  Console  
-Domain-0           0      620   0  r----     71.7            s:00/p:00
-xmsec1             1        9   0  -b---      0.3    9601    s:01/p:01
-xmsec2             2        7   0  -b---      0.3    9602    s:02/p:02   << 
our domain runs both policies with ssidref 2
-
-
-[root@laptop policy]# ./policy_tool getpolicy
-
-Policy dump:
-============
-Magic     = 1debc.
-PolVer    = aaaa0000.
-Len       = 112.
-Primary   = CHINESE WALL policy (c=1, off=14).
-Secondary = SIMPLE TYPE ENFORCEMENT policy (c=2, off=d8).
-
-
-Chinese Wall policy:
-====================
-Max Types     = a.
-Max Ssidrefs  = 5.
-Max ConfSets  = 2.
-Ssidrefs Off  = 10.
-Conflicts Off = 74.
-Runing T. Off = 9c.
-C. Agg. Off   = b0.
-
-SSID To CHWALL-Type matrix:
-
-   ssidref 0:  01 00 00 00 00 00 00 00 00 00
-   ssidref 1:  00 01 00 00 00 00 00 00 00 00
-   ssidref 2:  00 00 01 00 00 00 00 00 00 00   <<< our domain has type 2 set
-   ssidref 3:  00 00 00 01 00 00 00 00 00 00
-   ssidref 4:  00 00 00 00 01 00 00 00 00 00
-
-Confict Sets:
-
-   c-set 0:    00 00 01 01 00 00 00 00 00 00   <<< t2 is in c-set0 with type 3
-   c-set 1:    01 00 00 00 00 01 01 00 00 00
-
-Running
-Types:         01 01 01 00 00 00 00 00 00 00   <<< t2 is running since the 
-                     ^^                        <<< current aggregate conflict
-                                               <<< set (see above) does not 
-                                               <<< include type 2
-Conflict
-Aggregate Set: 00 00 00 01 00 01 01 00 00 00   <<< type 3 is added to the 
-                                               <<< conflict aggregate
-
-
-Simple Type Enforcement policy:
-===============================
-Max Types     = 5.
-Max Ssidrefs  = 5.
-Ssidrefs Off  = 8.
-
-SSID To STE-Type matrix:
-
-   ssidref 0: 01 01 01 01 01
-   ssidref 1: 00 01 00 00 00
-   ssidref 2: 00 00 01 00 00
-   ssidref 3: 00 00 00 01 00
-   ssidref 4: 00 00 00 00 01
-
-
-Policy dump End.
-
-
-The sHype xen dmesg output looks similar to the one above when starting the 
-first domain.
-
-Now we start xmsec3 and it has ssidref3. Thus, it tries to run as type3 which 
-conflicts with running type2 (from xmsec2). As expected, creating this domain 
-fails for security policy enforcement reasons.
-
-[root@laptop xen]# xm create -c xmsec3
-Using config file "xmsec3".
-Error: Error creating domain: (22, 'Invalid argument')
-[root@laptop xen]#
-
-[root@laptop xen]# xm dmesg
-.
-.
-[somewhere near the very end]
-(XEN) chwall_pre_domain_create.
-(XEN) chwall_pre_domain_create: CHINESE WALL CONFLICT in type 03.
-
-xmsec3 ssidref3 points to type3, which is in the current conflict aggregate 
-set. This domain cannot start until domain xmsec2 is destroyed, at which time 
-the aggregate conflict set is reduced and type3 is excluded from it. Then, 
-xmsec3 can start. Of course, afterwards, xmsec2 cannot be restarted. Try it.
-
-3. Policy tool
-**************
-toos/policy/policy_tool.c
-
-a) ./policy_tool getpolicy
-      prints the currently enforced policy
-      (see for example section 1.)
-
-b) ./policy_tool setpolicy
-      sets a predefined and hardcoded security
-      policy (the one described in section 2.)
-
-c) ./policy_tool dumpstats
-      prints some status information about the caching
-      of access control decisions (number of cache hits
-      and number of policy evaluations for grant_table
-      and event channels).
-
-d) ./policy_tool loadpolicy <binary_policy_file>
-      sets the policy defined in the <binary_policy_file>
-      please use the policy_processor that is posted to this
-      mailing list to create such a binary policy from an XML
-      policy description
-
-4. Policy interface:
-********************
-The Policy interface is working in "network-byte-order" (big endian). The 
reason for this
-is that policy files/management should be portable and independent of the 
platforms.
-
-Our policy interface enables managers to create a single binary policy file in 
a trusted
-environment and distributed it to multiple systems for enforcement.
-
-5. Booting with a binary policy:
-********************************
-The grub configuration file can be adapted to boot the hypervisor with an
-already active policy. To do this, a binary policy file - this can be
-the same file as used by the policy_tool - should be placed into the boot
-partition. The following entry from the grub configuration file shows how
-a binary policy can be added to the system during boot time. Note that the 
-binary policy must be of the same type that the hypervisor was compiled 
-for. The policy module line should also only be added as the last module
-line if XEN was compiled with the access control module (ACM).
-
-title XEN0 3.0 Devel
-       kernel /xen.gz dom0_mem=400000
-       module /vmlinuz-2.6.12-xen0 root=/dev/hda2 ro console=tty0
-       module /initrd-2.6.12-xen0.img
-       module /xen_sample_policy.bin
-
-
-====================end-of file=======================================
diff -r 3d45fb64b064 -r 509316987d65 tools/misc/policyprocessor/Makefile
--- a/tools/misc/policyprocessor/Makefile       Fri Aug 19 10:18:53 2005
+++ /dev/null   Fri Aug 19 10:50:15 2005
@@ -1,42 +0,0 @@
-XEN_ROOT = ../../..
-include $(XEN_ROOT)/tools/Rules.mk
-
-CFLAGS   += -static
-CFLAGS   += -Wall
-CFLAGS   += -Werror
-CFLAGS   += -O3
-CFLAGS   += -fno-strict-aliasing
-CFLAGS   += -I.
-
-all: build
-
-build: mk-symlinks
-       $(MAKE) xml_to_bin
-
-default: all
-
-install: all
-
-xml_to_bin : make_include XmlToBin.java XmlToBinInterface.java SsidsEntry.java 
SecurityLabel.java myHandler.java
-       javac XmlToBin.java
-
-make_include : c2j_include
-       ./c2j_include
-
-c2j_include: c2j_include.c
-       $(CC) $(CPPFLAGS) $(CFLAGS) -o $@ $<
-
-clean:
-       rm -rf *.class xen c2j_include policy_version.java *.bin
-
-
-LINUX_ROOT := $(XEN_ROOT)/linux-2.6-xen-sparse
-mk-symlinks:
-       [ -e xen/linux ] || mkdir -p xen/linux
-       [ -e xen/io ]    || mkdir -p xen/io
-       ( cd xen >/dev/null ; \
-         ln -sf ../$(XEN_ROOT)/xen/include/public/*.h . )
-       ( cd xen/io >/dev/null ; \
-         ln -sf ../../$(XEN_ROOT)/xen/include/public/io/*.h . )
-       ( cd xen/linux >/dev/null ; \
-         ln -sf ../../$(LINUX_ROOT)/include/asm-xen/linux-public/*.h . )
diff -r 3d45fb64b064 -r 509316987d65 
tools/misc/policyprocessor/SecurityLabel.java
--- a/tools/misc/policyprocessor/SecurityLabel.java     Fri Aug 19 10:18:53 2005
+++ /dev/null   Fri Aug 19 10:50:15 2005
@@ -1,34 +0,0 @@
-/**
- * (C) Copyright IBM Corp. 2005
- *
- * $Id: SecurityLabel.java,v 1.2 2005/06/17 20:00:04 rvaldez Exp $
- *
- * Author: Ray Valdez
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License as
- * published by the Free Software Foundation, version 2 of the
- * License.
- *
- * SecurityLabel Class.  
- *
- * <p>
- *
- * Keeps track of types.
- *
- * <p>
- *
- *
- */
-import java.util.*;
-public class SecurityLabel
-{
- Vector ids;
- Vector vlans;
- Vector slots;
- Vector steTypes;
- int steSsidPosition;
- Vector chwIDs;
- Vector chwTypes;
- int chwSsidPosition;
-}
diff -r 3d45fb64b064 -r 509316987d65 
tools/misc/policyprocessor/SecurityPolicySpec.xsd
--- a/tools/misc/policyprocessor/SecurityPolicySpec.xsd Fri Aug 19 10:18:53 2005
+++ /dev/null   Fri Aug 19 10:50:15 2005
@@ -1,115 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Author: Ray Valdez, rvaldez@xxxxxxxxxx -->
-<!-- xml schema definition for xen xml policies -->
-<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema";
-targetNamespace="http://www.ibm.com";
-xmlns="http://www.ibm.com"; 
-elementFormDefault="qualified">
-
-<xsd:element name="TE" type="xsd:string" />
-<xsd:element name="ChWall" type="xsd:string" />
-
-<xsd:element name="Definition">
-  <xsd:complexType>
-       <xsd:sequence>
-
-         <!-- simple type enforcement -->
-         <xsd:element name="Types" minOccurs ="0" maxOccurs="1">
-               <xsd:complexType>
-                 <xsd:sequence>
-                       <xsd:element ref="TE" minOccurs ="1" maxOccurs 
="unbounded"/>
-                 </xsd:sequence>
-               </xsd:complexType>
-         </xsd:element>
-
-         <!-- chinese wall -->
-         <!--   type definition -->
-         <xsd:element name="ChWallTypes" minOccurs ="0" maxOccurs="1">
-               <xsd:complexType>
-                 <xsd:sequence>
-                       <xsd:element ref="ChWall"  minOccurs ="1" maxOccurs 
="unbounded"/>
-
-               </xsd:sequence>
-          </xsd:complexType>
-       </xsd:element>
-
-       <!--   conflict set -->
-         <xsd:element name="ConflictSet" minOccurs ="0" maxOccurs="unbounded">
-               <xsd:complexType>
-                 <xsd:sequence>
-                       <xsd:element ref="ChWall"  minOccurs ="2" maxOccurs 
="unbounded"/>
-                 </xsd:sequence>
-               </xsd:complexType>
-       </xsd:element>
-
-       </xsd:sequence>
-  </xsd:complexType>
-</xsd:element>
-
-<xsd:element name="Policy">
-    <xsd:complexType>
-      <xsd:sequence>
-
-       <xsd:element name="PolicyHeader">
-       <xsd:complexType>
-          <xsd:all>
-               <xsd:element name = "Name" type="xsd:string"/>
-               <xsd:element name = "DateTime" type="xsd:dateTime"/>
-               <xsd:element name = "Tag" minOccurs ="1" maxOccurs ="1" 
type="xsd:string"/>
-               <xsd:element name = "TypeDefinition">
-               <xsd:complexType>
-                 <xsd:all>
-                       <xsd:element name = "url" type="xsd:string"/>
-                       <xsd:element name = "hash" minOccurs ="0" maxOccurs 
="1" type="xsd:string"/>
-                 </xsd:all>
-               </xsd:complexType>
-               </xsd:element>
-
-          </xsd:all>
-       </xsd:complexType>
-       </xsd:element>
-
-       <xsd:element name="VM" minOccurs ="1" maxOccurs="unbounded">
-         <xsd:complexType>
-          <xsd:sequence>
-               <xsd:element name="id" type="xsd:integer"/>
-               <xsd:element ref="TE" minOccurs="0" maxOccurs="unbounded" />
-               <xsd:element ref="ChWall" minOccurs ="0" maxOccurs="unbounded"/>
-          </xsd:sequence>
-         </xsd:complexType>
-       </xsd:element>
-
-       <xsd:element name="Vlan" minOccurs ="0" maxOccurs="unbounded">
-         <xsd:complexType>
-          <xsd:sequence>
-               <xsd:element name="vid" type="xsd:integer"/>
-               <xsd:element ref="TE" minOccurs="1" maxOccurs="unbounded" />
-          </xsd:sequence>
-         </xsd:complexType>
-       </xsd:element>
-
-       <xsd:element name="Slot" minOccurs ="0" maxOccurs="unbounded">
-         <xsd:complexType>
-          <xsd:sequence>
-               <xsd:element name="bus" type="xsd:integer"/>
-               <xsd:element name="slot" type="xsd:integer"/>
-               <xsd:element ref="TE" minOccurs="1" maxOccurs="unbounded" />
-          </xsd:sequence>
-         </xsd:complexType>
-       </xsd:element>
-
-
-      </xsd:sequence>
-    </xsd:complexType>
-</xsd:element>
-
-<!-- root element -->
-<xsd:element name="SecurityPolicySpec">
-    <xsd:complexType>
-      <xsd:choice>
-               <xsd:element ref="Definition" minOccurs ="1" 
maxOccurs="unbounded"/>
-               <xsd:element ref="Policy" minOccurs ="1" maxOccurs="unbounded"/>
-      </xsd:choice>
-    </xsd:complexType>
-</xsd:element>
-</xsd:schema>
diff -r 3d45fb64b064 -r 509316987d65 tools/misc/policyprocessor/SsidsEntry.java
--- a/tools/misc/policyprocessor/SsidsEntry.java        Fri Aug 19 10:18:53 2005
+++ /dev/null   Fri Aug 19 10:50:15 2005
@@ -1,29 +0,0 @@
-/**
- * (C) Copyright IBM Corp. 2005
- *
- * $Id: SsidsEntry.java,v 1.2 2005/06/17 20:02:40 rvaldez Exp $
- *
- * Author: Ray Valdez
- * 
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License as
- * published by the Free Software Foundation, version 2 of the
- * License.
- *
- * SsidsEntry Class.  
- * <p>
- *
- * Holds ssid information.
- *
- * <p>
- *
- *
- */
-public class SsidsEntry 
- {
-  int id;      /* used for partition and vlan */
-  int bus;     /* used for slots */
-  int slot;
-  int ste = 0xffffffff;
-  int chw = 0xffffffff;
- }
diff -r 3d45fb64b064 -r 509316987d65 tools/misc/policyprocessor/XmlToBin.java
--- a/tools/misc/policyprocessor/XmlToBin.java  Fri Aug 19 10:18:53 2005
+++ /dev/null   Fri Aug 19 10:50:15 2005
@@ -1,1570 +0,0 @@
-/**
- * (C) Copyright IBM Corp. 2005
- *
- * $Id: XmlToBin.java,v 1.3 2005/06/20 21:07:37 rvaldez Exp $
- *
- * Author: Ray Valdez
- *
- * Contributors:
- *         Reiner Sailer - adjust type-lengths
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License as
- * published by the Free Software Foundation, version 2 of the
- * License.
- *
- * XmlToBin  Class.  
- * <p>
- *
- * Translates a xml representation of a SHYPE policy into a binary  
- * format.  The class processes an xml policy file based on elment tags 
- * defined in a schema definition files: SecurityPolicySpec.xsd.
- *
- * XmlToBin Command line Options: 
- *
- *      -i              inputFile:      name of policyfile (.xml)
- *      -o              outputFile:     name of binary policy file (Big Endian)
- *      -xssid          SsidFile:       xen ssids to types text file
- *      -xssidconf      SsidConf:      xen conflict ssids to types text file
- *      -debug                          turn on debug messages
- *      -help                           help. This printout
- *
- * <p>
- *
- *
- */
-import java.util.*;
-import java.io.*;
-import java.io.IOException;
-import java.io.FileNotFoundException;
-import org.w3c.dom.Document;
-import org.w3c.dom.Element;
-import org.w3c.dom.Node;
-import org.w3c.dom.Attr;
-import org.w3c.dom.NodeList;
-import org.w3c.dom.NamedNodeMap;
-import org.xml.sax.*;
-import javax.xml.parsers.*;
-import org.xml.sax.helpers.*;
-
-public class XmlToBin 
- implements XmlToBinInterface
-{
-  class SlotInfo {
-       String bus;
-       String slot;
-  }
-
- boolean LittleEndian = false;
- boolean debug = false;
-
- static final String JAXP_SCHEMA_LANGUAGE = 
"http://java.sun.com/xml/jaxp/properties/schemaLanguage";;
-
- static final String W3C_XML_SCHEMA = "http://www.w3.org/2001/XMLSchema";;
-
- public static void printUsage()
- {
-  System.out.println("XmlToBin Command line Options: ");
-  System.out.println("\t-i\t\tinputFile:\tname of policyfile (.xml)");
-  System.out.println("\t-o\t\toutputFile:\tname of binary policy file (Big 
Endian)");
-  System.out.println("\t-xssid\t\tSsidFile:\tXen ssids to named types text 
file");
-  System.out.println("\t-xssidconf\tSsidConfFile:\tXen conflict ssids to named 
types text file");
-  System.out.println("\t-debug\t\t\t\tturn on debug messages");
-  System.out.println("\t-help\t\t\t\thelp. This printout");
-  return;
- }
-
- public void printDebug(String message) 
- {
-  if (debug)
-    System.out.println(message);
- }
-
- public void writeBinPolicy(byte[] binPolicy, String outputFileName)
-  throws Exception
- {
-    if (debug) 
-       printHex(binPolicy,binPolicy.length);
-
-    DataOutputStream writeObj = new DataOutputStream(
-                                new FileOutputStream(outputFileName));
-
-    writeObj.write(binPolicy);
-    writeObj.flush();
-    writeObj.close();
-    System.out.println(" wBP:: wrote outputfile: " + outputFileName);
-
-    return; 
- }  
-
- public void writeXenTypeVectorFile(Vector list, String outputFileName)
-  throws Exception
- {
-  PrintWriter out;
-
-  if (0 == list.size())
-  {
-       printDebug(" wSTF : size of input is zero when writing :" + 
outputFileName); 
-       return;
-  }
- out = new PrintWriter(
-               new BufferedWriter(
-                      new FileWriter(outputFileName)));
-
-
-  for (int i = 0; i < list.size(); i++)
-  {
-       Vector  ee = (Vector) list.elementAt(i);
-       out.println(i + " " +ee.toString());
-  } 
-    out.close();
-   
-    return; 
- }
-
- public void writeXenTypeFile(Vector list, String outputFileName, boolean 
slabel)
-  throws Exception
- {
-  Vector entry; 
-  String strTypes = "";
-  SecurityLabel ee;
-  PrintWriter out;
-
-  if (0 == list.size())
-  {
-       printDebug(" wSTF : size of input is zero when writing :" + 
outputFileName); 
-       return;
-  }
-  out = new PrintWriter(
-               new BufferedWriter(
-                      new FileWriter(outputFileName)));
-
-  for (int i = 0; i < list.size(); i++)
-  {
-       ee = (SecurityLabel) list.elementAt(i);
-
-       if (slabel)
-       {
-               entry = ee.steTypes; 
-       } else {
-
-               entry = ee.chwTypes; 
-       }
-       if (null == entry) continue;
-
-       Enumeration e = entry.elements(); 
-       while (e.hasMoreElements())
-       {
-         String typeName = (String) e.nextElement(); 
-         strTypes = strTypes + " " + typeName;
-        }
-         printDebug(" WXTF:: ssid : "+i +" :"+strTypes); 
-         out.println(i +" "+strTypes);
-         strTypes = "";
-  } 
-  out.close();
-   
-  return; 
- }
-
- public void setDebug(boolean value)
- {
-  debug=value;
- }
-
- public void setEndian(boolean value)
- {
-  LittleEndian = value;
- }
-
- public byte[] generateVlanSsids(Vector bagOfSsids)
-  throws Exception
- {
-  /**
-        typedef struct {
-        u16 vlan;
-        u16 ssid_ste;
-        } acm_vlan_entry_t;
-  **/
-
-  Hashtable  vlanSsid = new Hashtable();
-  printDebug(" gVS::Size of bagOfSsids: "+ bagOfSsids.size());
-
-  /* Get the number of partitions */
-  for (int i = 0; i < bagOfSsids.size(); i++)
-  {
-       SecurityLabel entry = (SecurityLabel) bagOfSsids.elementAt(i);
-
-       if (null == entry.vlans)
-         continue;
-
-       Enumeration e = entry.vlans.elements(); 
-       while (e.hasMoreElements())
-       {
-         String id = (String) e.nextElement(); 
-         printDebug(" gVS:: vlan: " + id + "has ste ssid: " + 
entry.steSsidPosition);
-         if (-1 == entry.steSsidPosition)
-               continue;  
-
-         /* Only use ste for vlan */
-         SsidsEntry  ssidsObj = new SsidsEntry();
-
-         ssidsObj.id = Integer.parseInt(id); 
-         ssidsObj.ste = entry.steSsidPosition;
-
-         if (vlanSsid.contains(id))
-               printDebug(" gVS:: Error already in the Hash part:" + 
ssidsObj.id);
-         else 
-               vlanSsid.put(id, ssidsObj);
-               printDebug(" gVS:: added part: " + id + "has ste ssid: " + 
entry.steSsidPosition);
-       }
-  }
-
-  /* allocate array */ 
-  int numOfVlan = vlanSsid.size();
-  int totalSize = (numOfVlan * vlanEntrySz);  
-
-  if (0 == numOfVlan) 
-  {
-       printDebug(" gVS:: vlan: binary ==> zero");
-        return new byte[0];
-  }
-
-  byte[] vlanArray = new byte[totalSize];
-
-  int index = 0;
-
-  Enumeration e = vlanSsid.elements(); 
-  while (e.hasMoreElements())
-  {
-       SsidsEntry entry = (SsidsEntry) e.nextElement(); 
-       printDebug(" gVS:: part: " + entry.id + " ste ssid: " + entry.ste);
-
-       /* Write id */
-       writeShortToStream(vlanArray,(short)entry.id,index);
-       index = index + u16Size;
-
-       /* write ste ssid */
-       writeShortToStream(vlanArray,(short) entry.ste,index);
-       index = index + u16Size;
-  }
-
-  printDebug(" gVS:: vlan: num of vlans  " + numOfVlan);
-  printDebug(" gVS:: vlan: binary ==> Length "+ vlanArray.length);
-
-  if (debug) 
-       printHex(vlanArray,vlanArray.length);
-  printDebug("\n");
-
-  return vlanArray; 
- }  
-
- public byte[] generateSlotSsids(Vector bagOfSsids)
-  throws Exception
- {
-  /**
-        typedef struct {
-        u16 slot_max;
-        u16 slot_offset;
-        } acm_slot_buffer_t;
-
-        typedef struct {
-        u16 bus;
-        u16 slot;
-        u16 ssid_ste;
-        } acm_slot_entry_t;
-  **/
-  Hashtable  slotSsid = new Hashtable();
-  printDebug(" gSS::Size of bagOfSsids: "+ bagOfSsids.size());
-
-  /* Find the number of VMs */ 
-  for (int i = 0; i < bagOfSsids.size(); i++)
-  {
-       SecurityLabel entry = (SecurityLabel) bagOfSsids.elementAt(i);
-
-       if (null == entry.slots)
-         continue;
-
-       Enumeration e = entry.slots.elements(); 
-       while (e.hasMoreElements())
-       {
-         SlotInfo item = (SlotInfo) e.nextElement(); 
-         printDebug(" gSS:: bus slot: " + item.bus + " "+ item.slot + " " +  
entry.steSsidPosition);
-         if (-1 == entry.steSsidPosition)
-               continue;  
-
-         SsidsEntry  ssidsObj = new SsidsEntry();
-
-         String id = item.bus +" "+item.slot;
-         ssidsObj.bus = Integer.parseInt(item.bus); 
-         ssidsObj.slot = Integer.parseInt(item.slot); 
-         /* set ste ssid */
-         ssidsObj.ste = entry.steSsidPosition;
-
-         if (slotSsid.contains(id))
-               printDebug(" gSS:: Error already in the Hash part:" + id);
-         else 
-               slotSsid.put(id, ssidsObj);
-
-               printDebug(" gSS:: added slot: " + id + "has ste ssid: " + 
entry.steSsidPosition);
-       }
-  }
-
-  /* allocate array */
-  int numOfSlot = slotSsid.size();
-
-  if (0 == numOfSlot) 
-  {
-       printDebug(" gVS:: slot: binary ==> zero");
-        return new byte[0];
-  }
-
-  int totalSize = (numOfSlot * slotEntrySz);  
-
-  byte[] slotArray = new byte[totalSize];
-
-  int index = 0;
-
-  Enumeration e = slotSsid.elements(); 
-  while (e.hasMoreElements())
-  {
-       SsidsEntry entry = (SsidsEntry) e.nextElement(); 
-       System.out.println(" gSS:: bus slot: " + entry.bus + " " + entry.slot + 
" ste ssid: " + entry.ste);
-
-       /* Write bus */
-       writeShortToStream(slotArray,(short)entry.bus,index);
-       index = index + u16Size;
-
-       /* Write slot */ 
-       writeShortToStream(slotArray,(short)entry.slot,index);
-       index = index + u16Size;
-
-       /* Write ste ssid */
-       writeShortToStream(slotArray,(short) entry.ste,index);
-       index = index + u16Size;
-
-  }
-   
-  printDebug(" gSS:: slot: num of vlans  " + numOfSlot);
-  printDebug(" gSS:: slot: binary ==> Length "+ slotArray.length);
-
-  if (debug) 
-        printHex(slotArray,slotArray.length);
-  printDebug("\n");
-
-  return slotArray; 
-
- }  
-
- public byte[] generatePartSsids(Vector bagOfSsids, Vector bagOfChwSsids)
-  throws Exception
- {
-  /**
-        typedef struct {
-        u16 id;
-        u16 ssid_ste;
-        u16 ssid_chwall;
-        } acm_partition_entry_t;
-
-  **/
-  Hashtable  partSsid = new Hashtable();
-  printDebug(" gPS::Size of bagOfSsids: "+ bagOfSsids.size());
-
-  /* Find the number of VMs */ 
-  for (int i = 0; i < bagOfSsids.size(); i++)
-  {
-       SecurityLabel entry = (SecurityLabel) bagOfSsids.elementAt(i);
-
-       if (null == entry.ids)
-         continue;
-
-       Enumeration e = entry.ids.elements(); 
-       while (e.hasMoreElements())
-       {
-         String id = (String) e.nextElement(); 
-         printDebug(" gPS:: part: " + id + "has ste ssid: " + 
entry.steSsidPosition);
-         if (-1 == entry.steSsidPosition)
-               continue;  
-
-         SsidsEntry  ssidsObj = new SsidsEntry();
-
-         ssidsObj.id = Integer.parseInt(id); 
-         ssidsObj.ste = entry.steSsidPosition;
-
-         if (partSsid.contains(id))
-               printDebug(" gPS:: Error already in the Hash part:" + 
ssidsObj.id);
-         else 
-               partSsid.put(id, ssidsObj);
-               printDebug(" gPS:: added part: " + id + "has ste ssid: " + 
entry.steSsidPosition);
-       }
-
-  }
-
-  for (int i = 0; i < bagOfChwSsids.size(); i++)
-  {
-       SecurityLabel entry = (SecurityLabel) bagOfChwSsids.elementAt(i);
-
-       Enumeration e = entry.chwIDs.elements(); 
-       while (e.hasMoreElements())
-       {
-         String id = (String) e.nextElement(); 
-         printDebug(" gPS:: part: " + id + "has chw ssid: " + 
entry.chwSsidPosition);
-         if (partSsid.containsKey(id))
-         {
-               SsidsEntry item = (SsidsEntry) partSsid.get(id);
-               item.chw = entry.chwSsidPosition;
-               printDebug(" gPS:: added :" + item.id +" chw: " + item.chw);
-         }
-         else 
-         {
-               printDebug(" gPS:: creating :" + id +" chw: " + 
entry.chwSsidPosition);
-               SsidsEntry  ssidsObj = new SsidsEntry();
-               ssidsObj.id = Integer.parseInt(id); 
-               ssidsObj.chw = entry.chwSsidPosition;
-               partSsid.put(id, ssidsObj);
-
-         }
-       }
-  }      
-
-  /* Allocate array */
-  int numOfPar = partSsid.size();
-  int totalSize =  (numOfPar * partitionEntrySz);  
-
-  if (0 == numOfPar) 
-  {
-       printDebug(" gPS:: part: binary ==> zero");
-        return new byte[0];
-  }
-
-  byte[] partArray = new byte[totalSize];
-
-  int index = 0;
-
-  Enumeration e = partSsid.elements(); 
-  while (e.hasMoreElements())
-  {
-       SsidsEntry entry = (SsidsEntry) e.nextElement(); 
-       printDebug(" gPS:: part: " + entry.id + " ste ssid: " + entry.ste + " 
chw ssid: "+ entry.chw);
-
-       /* Write id */
-       writeShortToStream(partArray,(short)entry.id,index);
-       index = index + u16Size;
-
-       /* Write ste ssid */
-       writeShortToStream(partArray,(short) entry.ste,index);
-       index = index + u16Size;
-
-       /* Write chw ssid */
-       writeShortToStream(partArray,(short) entry.chw,index);
-       index = index + u16Size;
-  }
-
-  printDebug(" gPS:: part: num of partitions  " + numOfPar);
-  printDebug(" gPS:: part: binary ==> Length " + partArray.length);
-
-  if (debug) 
-       printHex(partArray,partArray.length);
-  printDebug("\n");
-   
-   return partArray; 
- }
-
- public  byte[] GenBinaryPolicyBuffer(byte[] chwPolicy, byte[] stePolicy, byte 
[] partMap, byte[] vlanMap, byte[] slotMap)
- {
-  byte[] binBuffer;
-  short chwSize =0;
-  short steSize =0;
-  int  index = 0;
-
-  /* Builds data structure acm_policy_buffer_t */
-  /* Get number of colorTypes */
-  if (null != chwPolicy)
-       chwSize = (short) chwPolicy.length;
-
-  if (null != stePolicy)
-       steSize = (short) stePolicy.length;
-
-  int totalDataSize = chwSize + steSize + resourceOffsetSz +  3 *(2 * u16Size);
-
-  /*  Add vlan and slot */ 
-  totalDataSize = totalDataSize +partMap.length + vlanMap.length + 
slotMap.length; 
-  binBuffer = new byte[binaryBufferHeaderSz +totalDataSize];
-       
-
-  try {
-         index = 0;
-         /* fill in General Policy Version */
-         writeIntToStream(binBuffer, ACM_POLICY_VERSION, index);
-         index += u32Size;
-
-         /* Write magic */
-         writeIntToStream(binBuffer, ACM_MAGIC, index);
-         index += u32Size;
-
-         /* write len */
-         writeIntToStream(binBuffer, binBuffer.length, index);
-         index += u32Size;
-
-  } catch (IOException ee) {
-         System.out.println(" GBPB:: got exception : " + ee);
-         return null;
-  }
-
-  int offset, address;
-  address = index;
-
-  if (null != partMap) 
-         offset = binaryBufferHeaderSz + resourceOffsetSz;
-  else
-         offset = binaryBufferHeaderSz;
-
-  try {
-         int skip = 0;
-
-         /* init with NULL policy setting */
-         writeIntToStream(binBuffer, ACM_NULL_POLICY, index);
-         writeIntToStream(binBuffer, 0, index + u32Size);
-         writeIntToStream(binBuffer, ACM_NULL_POLICY, index + 2*u32Size);
-         writeIntToStream(binBuffer, 0, index + 3*u32Size);
-         
-         index = address;
-         if (null != chwPolicy) {
-         
-                 /* Write policy name */
-                 writeIntToStream(binBuffer, ACM_CHINESE_WALL_POLICY, index);
-                 index += u32Size;
-
-                 /* Write offset */
-                 writeIntToStream(binBuffer, offset, index);
-                 index += u32Size;
-
-                 /* Write payload. No need increment index */
-                 address = offset;
-                 System.arraycopy(chwPolicy, 0, binBuffer,address, 
chwPolicy.length);
-                 address = address + chwPolicy.length;
-         } else
-                 skip += 2*u32Size;
-
-         if (null != stePolicy) 
-         {     
-               /* Write policy name */
-               writeIntToStream(binBuffer, ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY, 
index);
-               index += u32Size;
-
-               /* Write offset */
-               writeIntToStream(binBuffer, address, index);
-               index += u32Size;
-
-               /* Copy array */
-               System.arraycopy(stePolicy, 0, binBuffer,address, 
stePolicy.length);
-               /* Update address */
-               address = address + stePolicy.length;
-         } else
-                skip += 2*u32Size;
-
-         /* Skip writing policy name and offset for each null policy*/
-         index +=  skip;
-
-         int size;
-         /* Assumes that you will always have a partition defined in policy */
-         if ( 0 < partMap.length) {
-                 writeIntToStream(binBuffer, address, index);
-                 index = address;
-
-                 /* Compute num of VMs */
-                 size = partMap.length / (3 * u16Size);
-
-                 writeShortToStream(binBuffer, (short)size,index);
-                 index = index + u16Size;
-
-                 /* part, vlan and slot: each one consists of two entries */
-                 offset = 3 * (2 * u16Size);
-                 writeShortToStream(binBuffer, (short) offset,index);
-
-                 /* Write partition array at offset */
-                 System.arraycopy(partMap, 0, binBuffer,(offset + address), 
partMap.length);
-                 index = index + u16Size;
-                 offset = offset + partMap.length;
-         }
-
-         if ( 0 < vlanMap.length) {
-                 size = vlanMap.length / (2 * u16Size);
-                 writeShortToStream(binBuffer, (short) size,index);
-                 index = index + u16Size;
-
-                 writeShortToStream(binBuffer, (short) offset,index);
-                 index = index + u16Size;
-                 System.arraycopy(vlanMap, 0, binBuffer,(offset + address), 
vlanMap.length);
-         } else {
-                 /* Write vlan max */
-                 writeShortToStream(binBuffer, (short) 0,index);
-                 index = index + u16Size;
- 
-                 /* Write vlan offset */
-                 writeShortToStream(binBuffer, (short) 0,index);
-                 index = index + u16Size;
-         }
-
-         offset = offset + vlanMap.length;
-         if ( 0 < slotMap.length) {
-                 size = slotMap.length / (3 * u16Size);
-                 writeShortToStream(binBuffer, (short) size,index);
-                 index = index + u16Size;
-
-                 writeShortToStream(binBuffer, (short) offset,index);
-                 index = index + u16Size;
-                 System.arraycopy(slotMap, 0, binBuffer,(offset + address), 
slotMap.length);
-         }
-  } catch (IOException ee) {
-         System.out.println(" GBPB:: got exception : " + ee);
-         return null;
-  }
-
-  printDebug(" GBP:: Binary Policy ==> length " + binBuffer.length);
-  if (debug)
-         printHex(binBuffer,binBuffer.length);
-
-  return  binBuffer;
- } 
-
- public  byte[] generateChwBuffer(Vector Ssids, Vector ConflictSsids, Vector 
ColorTypes)
- {
-  byte[] chwBuffer;
-  int index = 0;
-  int position = 0;
-
-  /* Get number of rTypes */
-  int maxTypes = ColorTypes.size();
-
-  /* Get number of SSids entry */
-  int maxSsids = Ssids.size();
-
-  /* Get number of conflict sets */
-  int maxConflict = ConflictSsids.size();
-
-   
-  if (maxTypes * maxSsids == 0)
-       return null; 
-  /*
-     data structure acm_chwall_policy_buffer
-     se XmlToBinInterface.java
-  */
-  int totalBytes = chwHeaderSize  + u16Size *(maxTypes * (maxSsids + 
maxConflict)); 
-
-  chwBuffer = new byte[ totalBytes ];
-  int address = chwHeaderSize + (u16Size * maxTypes * maxSsids );
-
-  printDebug(" gCB:: chwall totalbytes : "+totalBytes); 
-
-  try {
-         index = 0;
-         /* fill in General Policy Version */
-         writeIntToStream(chwBuffer, ACM_CHWALL_VERSION, index);
-         index += u32Size;
-
-         writeIntToStream(chwBuffer, ACM_CHINESE_WALL_POLICY, index);
-         index += u32Size;
-
-         writeIntToStream(chwBuffer, maxTypes, index);
-         index += u32Size;
-
-         writeIntToStream(chwBuffer, maxSsids, index);
-         index += u32Size;
-
-         writeIntToStream(chwBuffer, maxConflict, index);
-         index += u32Size;
-
-         /*  Write chwall_ssid_offset */
-         writeIntToStream(chwBuffer, chwHeaderSize, index);
-         index += u32Size;
-
-         /* Write chwall_conflict_sets_offset */
-         writeIntToStream(chwBuffer, address, index);
-         index += u32Size;
-
-         /*  Write chwall_running_types_offset */
-         writeIntToStream(chwBuffer, 0, index);
-         index += u32Size;
-
-         /*  Write chwall_conflict_aggregate_offset */
-         writeIntToStream(chwBuffer, 0, index);
-         index += u32Size;
-
-  } catch (IOException ee) {
-       System.out.println(" gCB:: got exception : " + ee); 
-       return null;
-  }
-  int markPos = 0;
-
-  /* Create the SSids entry */
-  for (int i = 0; i < maxSsids; i++)
-  {
-       SecurityLabel ssidEntry = (SecurityLabel) Ssids.elementAt(i);
-       /* Get chwall types */
-       ssidEntry.chwSsidPosition = i;
-       Enumeration e = ssidEntry.chwTypes.elements(); 
-       while (e.hasMoreElements())
-       {
-         String typeName = (String) e.nextElement(); 
-         printDebug(" gCB:: Ssid "+ i+ ": has type : " + typeName);
-         position = ColorTypes.indexOf(typeName);
-
-         if (position < 0) 
-         {
-               System.out.println (" gCB:: Error type : " + typeName + " not 
found in ColorTypes"); 
-               return null; 
-         }
-         printDebug(" GCB:: type : " + typeName + "  found in ColorTypes at 
position: " + position); 
-         markPos = ((i * maxTypes + position) * u16Size) + index;      
-
-         try {
-               writeShortToStream(chwBuffer,markSymbol,markPos);
-         } catch (IOException ee) {
-               System.out.println(" gCB:: got exception : "); 
-               return null; 
-         }
-       }
-  }
-
-  if (debug) 
-      printHex(chwBuffer,chwBuffer.length);
-
-  /* Add conflict set */
-  index = address;
-  for (int i = 0; i < maxConflict; i++)
-  {
-       /* Get ste types */
-       Vector entry = (Vector) ConflictSsids.elementAt(i);
-       Enumeration e = entry.elements(); 
-       while (e.hasMoreElements())
-       {
-         String typeName = (String) e.nextElement(); 
-         printDebug (" GCB:: conflict Ssid "+ i+ ": has type : " + typeName);
-         position = ColorTypes.indexOf(typeName);
-
-         if (position < 0) 
-         {
-               System.out.println (" GCB:: Error type : " + typeName + " not 
found in ColorTypes"); 
-               return null; 
-         }
-         printDebug(" GCB:: type : " + typeName + "  found in ColorTypes at 
position: " + position); 
-         markPos = ((i * maxTypes + position) * u16Size) + index;      
-
-         try {
-               writeShortToStream(chwBuffer,markSymbol,markPos);
-         } catch (IOException ee) {
-               System.out.println(" GCB:: got exception : "); 
-               return null; 
-         }
-       }
-               
-  } 
-  printDebug(" gSB:: chw binary  ==> Length " + chwBuffer.length); 
-  if (debug) 
-       printHex(chwBuffer,chwBuffer.length);
-  printDebug("\n");
-
-  return chwBuffer;
- }
-
-/**********************************************************************
- Generate byte representation of policy using type information
- <p>
- @param Ssids                  Vector
- @param ColorTypes             Vector
- <p>
- @return bytes represenation of simple type enforcement policy 
-**********************************************************************/
- public  byte[] generateSteBuffer(Vector Ssids, Vector ColorTypes)
- {
-  byte[] steBuffer;
-  int index = 0;
-  int position = 0;
-
-  /* Get number of colorTypes */
-  int numColorTypes = ColorTypes.size();
-
-  /* Get number of SSids entry */
-  int numSsids = Ssids.size();
-   
-  if (numColorTypes * numSsids == 0)
-       return null; 
-
-  /* data structure: acm_ste_policy_buffer
-   * see XmlToBinInterface.java
-   * total bytes: steHeaderSize * 2B + colorTypes(size) * Ssids(size)
-   * 
-  */
-  steBuffer = new byte[ steHeaderSize + (numColorTypes * numSsids) * 2];
-
-  try {
-       
-         index = 0;
-         writeIntToStream(steBuffer, ACM_STE_VERSION, index);
-         index += u32Size;
-
-         writeIntToStream(steBuffer, ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY, 
index);
-         index += u32Size;
-
-         writeIntToStream(steBuffer, numColorTypes, index);
-         index += u32Size;
-
-         writeIntToStream(steBuffer, numSsids, index);
-         index += u32Size;
-
-         writeIntToStream(steBuffer, steHeaderSize, index);
-         index += u32Size;
-
-
-  } catch (IOException ee) {
-       System.out.println(" gSB:: got exception : " + ee); 
-       return null; 
-  }
-  int markPos = 0;
-  for (int i = 0; i < numSsids; i++)
-  {
-       
-       SecurityLabel ssidEntry = (SecurityLabel) Ssids.elementAt(i);
-       ssidEntry.steSsidPosition = i;
-       /* Get ste types */
-       Enumeration e = ssidEntry.steTypes.elements(); 
-       while (e.hasMoreElements())
-       {
-         String typeName = (String) e.nextElement(); 
-         printDebug (" gSB:: Ssid "+ i+ ": has type : " + typeName);
-         position = ColorTypes.indexOf(typeName);
-
-         if (position < 0) 
-         {
-               printDebug(" gSB:: Error type : " + typeName + " not found in 
ColorTypes"); 
-               return null; 
-         }
-         printDebug(" gSB:: type : " + typeName + "  found in ColorTypes at 
position: " + position); 
-         markPos = ((i * numColorTypes + position) * u16Size) + index; 
-
-         try {
-               writeShortToStream(steBuffer,markSymbol,markPos);
-         } catch (IOException ee)
-         {
-               System.out.println(" gSB:: got exception : "); 
-               return null; 
-         }
-       }
-               
-  } 
-
-  printDebug(" gSB:: ste binary  ==> Length " + steBuffer.length); 
-  if (debug) 
-       printHex(steBuffer,steBuffer.length);
-  printDebug("\n");
-
-  return steBuffer;
- }
-
- public static  void printHex(byte [] dataArray, int length)
- {
-  char[] hexChars = {'0', '1', '2', '3', '4', '5', '6', '7',
-                '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};
-  int hexIndex;
-  int value;
-  int arraylength;
-
-  arraylength = length;
-
-  if (dataArray == null)
-  {
-        System.err.print("printHex: input byte array is null");
-  }
-
-  if (length > dataArray.length || length < 0)
-        arraylength = dataArray.length;
-
-  System.out.print("\n\t");
-
-  int i;
-  for(i = 0; i < arraylength; )
-  {
-        value = dataArray[i] & 0xFF;
-        hexIndex = (value >>> 4);
-        System.out.print(hexChars[hexIndex]);
-        hexIndex = (value & 0x0F);
-        System.out.print(hexChars[hexIndex]);
-
-        i++;
-        /* if done, print a final newline */
-        if (i == arraylength) {
-            if (arraylength < dataArray.length) {
-                System.out.print("...");
-            }
-            System.out.println();
-        }
-        else if ((i % 24) == 0) {
-            System.out.print("\n\t");
-        }
-        else if ((i % 4) == 0) {
-                System.out.print(" ");
-        }
-  }
-
-  return;
- }
-
-  
- private void writeShortToStream(byte[] stream, short value, int index)
-  throws IOException
- {
-  int littleEndian = 0;
-  int byteVal;
-
-  if (index + 2 > stream.length)
-  {
-      throw new IOException("Writing beyond stream length: " +
-                            stream.length + " writing at locations from: " + 
index + " to " + (index + 4));
-  }
-
-  if (!LittleEndian)
-  {
-
-       byteVal = value >> 8;
-       stream[index ] = (byte) byteVal;
-
-       byteVal = value;
-       stream[index + 1] = (byte) byteVal;
-  } else {
-       stream[index]  = (byte) ((value & 0x00ff) );
-       stream[index + 1]  = (byte) ((value & 0xff00) >> 8);
- }
-  return;
- }
-
- private void writeIntToStream(byte[] stream, int value, int index)
-  throws IOException
- {
-  int littleEndian = 0;
-  int byteVal;
-
-  if (4 > stream.length)
-  {
-      throw new IOException("writeIntToStream: stream length less than 4 bytes 
" +
-                            stream.length);
-  }
-
-  /* Do not Write beyond range */
-  if (index + 4 > stream.length)
-  {
-      throw new IOException("writeIntToStream: writing beyond stream length: " 
+
-                            stream.length + " writing at locations from: " + 
index + " to " + (index + 4));
-  }
-  if (!LittleEndian)
-  {
-       byteVal = value >>> 24;
-       stream[index] = (byte) byteVal;
-
-       byteVal = value >> 16;
-       stream[index + 1] = (byte) byteVal;
-
-       byteVal = value >> 8;
-       stream[index + 2] = (byte) byteVal;
-
-       byteVal = value;
-       stream[index + 3] = (byte) byteVal;
-  } else {
-       stream[index] = (byte) value;
-       stream[index + 1]  = (byte) ((value & 0x0000ff00) >> 8);
-       stream[index + 2]  = (byte) ((value & 0x00ff0000) >> 16);
-       stream[index + 3] = (byte) ( value >>> 24);
-  }
-  return;
- }
-
- public Document getDomTree(String xmlFileName)
-  throws Exception, SAXException, ParserConfigurationException
- {
-  javax.xml.parsers.DocumentBuilderFactory dbf = 
-       javax.xml.parsers.DocumentBuilderFactory.newInstance();
-
-  /* Turn on namespace aware and validation */
-  dbf.setNamespaceAware(true); 
-  dbf.setValidating(true);     
-  dbf.setAttribute(JAXP_SCHEMA_LANGUAGE,W3C_XML_SCHEMA);
-
-  /* Checks that the document is well-formed */
-  javax.xml.parsers.DocumentBuilder db = dbf.newDocumentBuilder();
-
-  myHandler errHandler= new myHandler();
-  db.setErrorHandler(errHandler);
-  Document doc = db.parse(xmlFileName);
-
-  /* Checks for validation errors */
-  if (errHandler.isValid)
-       printDebug(" gDT:: Xml file: " + xmlFileName + " is valid");
-   else
-      throw new Exception("Xml file: " + xmlFileName + " is NOT valid");
-
-  return doc;
- }  
-
- public void processDomTree(
-       Document doc,
-       Vector bagOfSsids,      
-       Vector bagOfTypes, 
-       Vector bagOfChwSsids, 
-       Vector bagOfChwTypes, 
-       Vector bagOfConflictSsids)
-  throws Exception, SAXException, ParserConfigurationException
- {
-  boolean found;
-
-  /* print the root Element */
-  Element root = doc.getDocumentElement();
-  printDebug ("\n pDT:: Document Element: Name = " + root.getNodeName() + 
",Value = " + root.getNodeValue());
-
-  /* Go through the list of the root Element's Attributes */
-  NamedNodeMap nnm = root.getAttributes();
-  printDebug (" pDT:: # of Attributes: " + nnm.getLength());
-  for (int i = 0; i < nnm.getLength(); i++)
-  {
-         Node n = nnm.item (i);
-        printDebug (" pDT:: Attribute: Name = " + n.getNodeName() + ", Value = 
" 
-             + n.getNodeValue());
-  }
-
-  /* Retrieve the policy definition */ 
-  NodeList elementList = root.getElementsByTagName ("url");
-  String definitionFileName = 
elementList.item(0).getFirstChild().getNodeValue();  
-
-  String definitionHash = null;
-
-  /* Note that SecurityPolicySpec.xsd allows for 0 hash value! */
-  elementList = root.getElementsByTagName ("hash");
-  if (0 != elementList.getLength())
-       definitionHash = elementList.item(0).getFirstChild().getNodeValue();  
-
-  Document definitionDoc = 
pGetDomDefinition(definitionFileName,definitionHash);
-  pGetTypes(definitionDoc,bagOfTypes, bagOfChwTypes, bagOfConflictSsids);
-
-
-  /* Get VM security information */
-  elementList = root.getElementsByTagName ("VM");
-  printDebug ("\n pDT:: partition length of NodeList:" + 
elementList.getLength());
-  /* Add default Ssid to Ste and Chw bags */                   
-  SecurityLabel defEntry = new SecurityLabel();
-
-  defEntry.chwTypes = new Vector();
-  defEntry.steTypes = new Vector();
-  defEntry.chwIDs = new Vector();
-  defEntry.ids = new Vector();
-
-  defEntry.steSsidPosition =0;
-  defEntry.chwSsidPosition =0;
-  bagOfChwSsids.add(defEntry);
-  bagOfSsids.add(defEntry);
-
-  for (int x = 0; x < elementList.getLength(); x++)
-  {
-       found = false;
-
-        Node node = elementList.item (x);          
-
-       if (node.getNodeType() == Node.ELEMENT_NODE)
-       {
-         printDebug (" pDT:: child: " + x + " is an element node" );
-         Element e1 = (Element) node;
-
-         /* Get id */
-         NodeList elist = e1.getElementsByTagName ("id");
-         String idStr = elist.item(0).getFirstChild().getNodeValue();  
-         printDebug (" pDT:: id:" + idStr);
-
-         /* Get TE */
-         Vector colorTypes = new Vector();
-         pConflictEntries(e1, "TE", bagOfTypes, colorTypes);
-
-         Enumeration e = bagOfSsids.elements();
-         while (e.hasMoreElements())
-         {
-               SecurityLabel elem = (SecurityLabel) e.nextElement(); 
-               if ( elem.steTypes.size() == colorTypes.size() && 
elem.steTypes.containsAll(colorTypes))
-               {
-                 found = true;
-                 elem.ids.add(idStr);
-               }
-               
-         }
-               if (!found && (0 < colorTypes.size()))
-               {
-                SecurityLabel entry = new SecurityLabel();
-                entry.steTypes = colorTypes;
-                entry.ids = new Vector();
-                entry.ids.add(idStr);
-                bagOfSsids.add(entry);
-               }
-
-               /* Get Chinese wall type */
-               Vector chwTypes = new Vector();
-               pConflictEntries(e1, "ChWall", bagOfChwTypes, chwTypes);
-
-               found = false;
-               e = bagOfChwSsids.elements();
-
-               while (e.hasMoreElements())
-               {
-                 SecurityLabel elem = (SecurityLabel) e.nextElement(); 
-                 if ( elem.chwTypes.size() == chwTypes.size() && 
elem.chwTypes.containsAll(chwTypes))
-                 {
-                   found = true;
-                   elem.chwIDs.add(idStr);
-                 }
-               
-               }
-
-               if (!found && (0 < chwTypes.size()))
-               {
-                SecurityLabel entry = new SecurityLabel();
-                entry.chwTypes = chwTypes;
-                entry.chwIDs = new Vector();
-                entry.chwIDs.add(idStr);
-                bagOfChwSsids.add(entry);
-               }
-      }
-  } 
-  return;
- }
-
- public Document pGetDomDefinition(
-       String definitionFileName, 
-       String definitionHash) 
-  throws Exception, SAXException, ParserConfigurationException
- {
-  printDebug("\n pGDD:: definition file name: " + definitionFileName);
-  printDebug("\n pGDD:: definition file hash: " + definitionHash);
-  
-  Document doc =  getDomTree(definitionFileName);
-  return doc; 
- }
-
- public void pGetTypes(
-       Document defDoc,
-       Vector bagOfTypes, 
-       Vector bagOfChwTypes, 
-       Vector bagOfConflictSsids)
-  throws Exception
- {
-
-
-  if (null == defDoc)
-      throw new Exception(" pGT:: definition file DOM is null ");
-
-  Element root = defDoc.getDocumentElement();
-
-  /* Get list of TE types */
-  NodeList elementList = root.getElementsByTagName ("Types");
-  printDebug ("\n pGT:: Types length of NodeList:" + elementList.getLength());
-  Element e1 = (Element) elementList.item (0);          
-  pGetEntries(e1,"TE",bagOfTypes);
-
-  /* Get list of Chinese types */
-  elementList = root.getElementsByTagName ("ChWallTypes");
-  printDebug ("\n pGT:: ChwTypes length of NodeList:" + 
elementList.getLength());
-  if (0 ==  elementList.getLength())
-  {
-       printDebug ("\n pGT:: ChWallTypes has zero length: :" + 
elementList.getLength());
-  } else {
-       e1 = (Element) elementList.item (0);          
-       pGetEntries(e1,"ChWall",bagOfChwTypes);
-  }
-  printDebug (" pGT:: Total number of unique chw types: " + 
bagOfChwTypes.size());
-
-  /* Get Chinese type conflict sets */
-  elementList = root.getElementsByTagName ("ConflictSet");
-  printDebug ("\n pGT:: Conflict sets length of NodeList:" + 
elementList.getLength());
-  for (int x = 0; x < elementList.getLength(); x++)
-  {
-       Vector conflictEntry  = new Vector();
-       e1 = (Element) elementList.item (x);          
-       printDebug ("\n pGT:: Conflict sets : " + x);
-
-       pConflictEntries(e1, "ChWall", bagOfChwTypes, conflictEntry);
-
-       if (conflictEntry.size() > 0)
-       {
-         boolean found = false;
-         Enumeration e = bagOfConflictSsids.elements();
-       
-         while (e.hasMoreElements())
-         {
-               Vector elem = (Vector) e.nextElement(); 
-               if (elem.size() == conflictEntry.size() && 
elem.containsAll(conflictEntry))
-               {
-                 found = true;
-               }
-               
-         }
-         if (!found)
-         {
-               bagOfConflictSsids.add(conflictEntry);
-         }
-       }
-  }
-
- }
-
- public void  pGetEntries(Element doc, String tag, Vector typeBag)
-  throws Exception
- {
-
-  if (null == doc)
-      throw new Exception(" pGE:: Element doc is null");
-
-  if (null == typeBag)
-      throw new Exception(" pGE:: typeBag  is null");
-
-  NodeList elist = doc.getElementsByTagName (tag);
-  for (int j = 0; j < elist.getLength(); j++)
-  {
-       Node knode = elist.item (j);          
-               Node childNode = knode.getFirstChild();     
-               String value = childNode.getNodeValue();
-
-       printDebug (" pGT:: "+ tag +" type: " + value);
-
-        /* Check if value is known */
-       if (!typeBag.contains(value))
-               typeBag.addElement(value);
-  }
- }
-
- public void  pConflictEntries(Element doc, String tag, Vector typeBag, Vector 
conflictEntry)
-  throws Exception
- {
-
-  if (null == doc)
-      throw new Exception(" pGE:: Element doc is null");
-
-  if (null == typeBag)
-      throw new Exception(" pGE:: typeBag  is null");
-
-  if (null == conflictEntry)
-      throw new Exception(" pGE:: typeBag  is null");
-
-
-  NodeList elist = doc.getElementsByTagName (tag);
-
-  for (int j = 0; j < elist.getLength(); j++)
-  {
-       Node knode = elist.item (j);          
-               Node childNode = knode.getFirstChild();     
-               String value = childNode.getNodeValue();
-
-       printDebug (" pGE:: "+ tag +" type: " + value);
-
-        /* Check if value is known */
-       if (!typeBag.contains(value))
-               throw new Exception(" pCE:: found undefined type set " + value);
-
-       if (!conflictEntry.contains(value))
-               conflictEntry.addElement(value);
-
-  }
- }
-
-  public void processDomTreeVlanSlot(
-       Document doc,
-       Vector bagOfSsids,      
-       Vector bagOfTypes)      
-  throws Exception
- {
-      boolean found;
-
-  printDebug(" pDTVS::Size of bagOfSsids: "+ bagOfSsids.size());
-  Element root = doc.getDocumentElement();
-
-  NodeList elementList = root.getElementsByTagName ("Vlan");
-  printDebug("\n pDTVS:: Vlan length of NodeList:" + elementList.getLength());
-
-  for (int x = 0; x < elementList.getLength(); x++)
-  {
-       found = false;
-
-        Node node = elementList.item (x);          
-
-       if (node.getNodeType() == Node.ELEMENT_NODE)
-       {
-         printDebug(" pDTVS:: child: " + x + " is an element node" );
-         Element e1 = (Element) node;
-
-         /* Get vid */
-         NodeList elist = e1.getElementsByTagName ("vid");
-         String idStr = elist.item(0).getFirstChild().getNodeValue();  
-         printDebug (" pDTVS:: vid:" + idStr);
-
-         /* Get TE */
-         elist = e1.getElementsByTagName ("TE");
-          printDebug (" pDTVS:: Total ste types: " + elist.getLength());
-
-         Vector colorTypes = new Vector();
-         for (int j = 0; j < elist.getLength(); j++)
-         {
-               Node knode = elist.item (j);          
-               Node childNode = knode.getFirstChild();     
-               String value = childNode.getNodeValue();
-
-               printDebug (" pDT:: My color is: " + value);
-               if (!bagOfTypes.contains(value))
-               {
-                 throw new IOException("pDT:: Vlan: " + idStr+ " has unknown 
type : "+ value);
-               }
-
-               if (!colorTypes.contains(value))
-                 colorTypes.addElement(value);
-         }
-         Enumeration e = bagOfSsids.elements();
-         while (e.hasMoreElements())
-         {
-               SecurityLabel elem = (SecurityLabel) e.nextElement(); 
-               if ( elem.steTypes.size() == colorTypes.size() && 
elem.steTypes.containsAll(colorTypes))
-               {
-                 found = true;
-                 if (null == elem.vlans)
-                       elem.vlans = new Vector();
-                  elem.vlans.add(idStr);
-               }
-               
-         }
-         if (!found && (0 < colorTypes.size()))
-         {
-                SecurityLabel entry = new SecurityLabel();
-                entry.steTypes = colorTypes;
-                entry.vlans = new Vector();
-                entry.vlans.add(idStr);
-                bagOfSsids.add(entry);
-         }
-
-       }
-  } 
-  printDebug(" pDTVS::After slot Size of bagOfSsids: "+ bagOfSsids.size());
-
-  elementList = root.getElementsByTagName ("Slot");
-  printDebug ("\n pDTVS:: Slot length of NodeList:" + elementList.getLength());
-
-  for (int x = 0; x < elementList.getLength(); x++)
-  {
-       found = false;
-
-        Node node = elementList.item (x);          
-
-       if (node.getNodeType() == Node.ELEMENT_NODE)
-       {
-         printDebug(" pDT:: child: " + x + " is an element node" );
-         Element e1 = (Element) node;
-
-
-         /* Get slot and bus */
-         SlotInfo item = new SlotInfo();
-
-         NodeList elist = e1.getElementsByTagName ("bus");
-         item.bus = elist.item(0).getFirstChild().getNodeValue();  
-         elist = e1.getElementsByTagName ("slot");
-         item.slot = elist.item(0).getFirstChild().getNodeValue();  
-         printDebug (" pDT:: bus and slot:" + item.bus + " "+ item.slot);
-
-         /* Get TE */
-         elist = e1.getElementsByTagName ("TE");
-          printDebug (" pDT:: Total ste types: " + elist.getLength());
-
-         Vector colorTypes = new Vector();
-         for (int j = 0; j < elist.getLength(); j++)
-         {
-               Node knode = elist.item (j);          
-               Node childNode = knode.getFirstChild();     
-               String value = childNode.getNodeValue();
-
-               printDebug (" pDT:: My color is: " + value);
-               if (!bagOfTypes.contains(value))
-               {
-                 throw new IOException("pDT:: bus: " + item.bus + " slot: "+ 
item.slot + " has unknown type : "+ value);
-               }
-
-               if (!colorTypes.contains(value))
-                 colorTypes.addElement(value);
-               }
-
-               Enumeration e = bagOfSsids.elements();
-               while (e.hasMoreElements())
-               {
-                 SecurityLabel elem = (SecurityLabel) e.nextElement(); 
-                 if ( elem.steTypes.size() == colorTypes.size() && 
elem.steTypes.containsAll(colorTypes))
-                 {
-                       found = true;
-                       if (null == elem.slots)
-                         elem.slots = new Vector();
-                       elem.slots.add(item);
-
-                 }
-               
-               }
-
-               if (!found && (0 < colorTypes.size()))
-               {
-                 SecurityLabel entry = new SecurityLabel();
-                 entry.steTypes = colorTypes;
-                 entry.slots = new Vector();
-                 entry.slots.add(item);
-                 bagOfSsids.add(entry);
-               }
-
-       }
-  }
-  return;
- }
-
- public static void main (String[] args) 
- {
-  String xmlFileName = null;           /* policy file */ 
-  String outputFileName = null;        /* binary policy file */
-  String xenSsidOutputFileName = null;         /* outputfile ssid to named 
types */    
-                                       /* outputfile conflicts ssid to named 
types */  
-  String xenSsidConfOutputFileName = null;     
-
-  XmlToBin genObj = new XmlToBin(); 
-
-  policy_version active_policy = new policy_version();
-
-  if ((active_policy.ACM_POLICY_VERSION != ACM_POLICY_VERSION) ||
-      (active_policy.ACM_CHWALL_VERSION != ACM_CHWALL_VERSION) ||
-      (active_policy.ACM_STE_VERSION != ACM_STE_VERSION)) {
-         System.out.println("ACM policy versions differ.");
-         System.out.println("Please verify that data structures are correct");
-         System.out.println("and then adjust the version numbers in 
XmlToBinInterface.java.");
-         return;
-  }
-
-
-  for (int i = 0 ; i < args.length ; i++) {
-
-       if ( args[i].equals("-help"))  {
-          printUsage();
-          System.exit(1);
-
-        } else if ( args[i].equals("-i"))  {
-          i++;
-          if (i < args.length) {
-               xmlFileName = args[i];   
-          } else  {
-                System.out.println("-i argument needs parameter");
-                System.exit(1);
-          }
-
-       } else if ( args[i].equals("-o"))  {
-          i++;
-          if (i < args.length) {
-                outputFileName = args[i];   
-          } else {
-                System.out.println("-o argument needs parameter");
-                System.exit(1);
-          }
-
-       } else if ( args[i].equals("-xssid"))  {
-          i++;
-          if (i < args.length) {
-                 xenSsidOutputFileName = args[i];   
-          } else {
-                System.out.println("-xssid argument needs parameter");
-                System.exit(1);
-          }
-
-       } else if ( args[i].equals("-xssidconf"))  {
-          i++;
-          if (i < args.length) {
-                xenSsidConfOutputFileName = args[i]; 
-          } else {
-                System.out.println("-xssidconf argument needs parameter");
-                System.exit(1);
-          }
-       } else if ( args[i].equals("-debug"))  { /* turn on debug msg */
-               genObj.setDebug(true);
-        } else {
-          System.out.println("bad command line argument: " + args[i]);
-          printUsage();
-          System.exit(1);
-        }
-
-  }
-
-  if (xmlFileName == null)
-  { 
-       System.out.println("Need to specify input file -i option");
-        printUsage();
-        System.exit(1);
-  }
-
-
-  try 
-  {
-       /* Parse and validate */
-       Document doc =  genObj.getDomTree(xmlFileName);
-
-       /* Vectors to hold sets of types */
-       Vector bagOfSsids = new Vector();
-       Vector bagOfTypes = new Vector();
-       Vector bagOfChwSsids = new Vector();
-       Vector bagOfChwTypes = new Vector();
-       Vector bagOfConflictSsids = new Vector();
-
-       Vector vlanMapSsids = new Vector();
-       Vector slotMapSsids = new Vector();
-
-       genObj.processDomTree(doc, bagOfSsids, bagOfTypes, bagOfChwSsids, 
bagOfChwTypes, bagOfConflictSsids);
-
-       genObj.processDomTreeVlanSlot(doc, bagOfSsids, bagOfTypes);
-
-       /* Get binary representation of policies */
-       byte[] stePolicy = genObj.generateSteBuffer(bagOfSsids, bagOfTypes);
-       byte[] chwPolicy = genObj.generateChwBuffer(bagOfChwSsids, 
bagOfConflictSsids,bagOfChwTypes);
-
-       byte[] binPolicy = null;
-       byte[] binaryPartionSsid = null;
-       byte[] binaryVlanSsid = null;
-       byte[] binarySlotSsid = null;
-
-       /* Get binary representation of partition to ssid mapping */
-       binaryPartionSsid = genObj.generatePartSsids(bagOfSsids,bagOfChwSsids);
-
-       /* Get binary representation of vlan to ssid mapping */
-       binaryVlanSsid = genObj.generateVlanSsids(bagOfSsids);
-
-       /* Get binary representation of slot to ssid mapping */
-       binarySlotSsid = genObj.generateSlotSsids(bagOfSsids);
-
-       /* Generate binary representation: policy, partition, slot and vlan */
-       binPolicy = genObj.GenBinaryPolicyBuffer(chwPolicy,stePolicy, 
binaryPartionSsid, binaryVlanSsid, binarySlotSsid);
-
-
-       /* Write binary policy into file */
-       if (null != outputFileName)
-       {
-               genObj.writeBinPolicy(binPolicy, outputFileName);
-       } else {
-               System.out.println (" No binary policy generated, 
outputFileName:  " + outputFileName);
-       }
-
-       /* Print total number of types */
-       System.out.println (" Total number of unique ste types: " + 
bagOfTypes.size());
-       System.out.println (" Total number of Ssids : " + bagOfSsids.size());
-       System.out.println (" Total number of unique chw types: " + 
bagOfChwTypes.size());
-       System.out.println (" Total number of conflict ssids : " + 
bagOfConflictSsids.size());
-       System.out.println (" Total number of chw Ssids : " + 
bagOfChwSsids.size());
-
-       if (null != xenSsidOutputFileName)
-               genObj.writeXenTypeFile(bagOfSsids, xenSsidOutputFileName, 
true);
-
-       if (null != xenSsidConfOutputFileName)
-               genObj.writeXenTypeFile(bagOfChwSsids, 
xenSsidConfOutputFileName, false);
-    } 
-    catch (Exception e) 
-    {
-      e.printStackTrace();
-    }
-  }
-}
diff -r 3d45fb64b064 -r 509316987d65 
tools/misc/policyprocessor/XmlToBinInterface.java
--- a/tools/misc/policyprocessor/XmlToBinInterface.java Fri Aug 19 10:18:53 2005
+++ /dev/null   Fri Aug 19 10:50:15 2005
@@ -1,138 +0,0 @@
-/**
- * (C) Copyright IBM Corp. 2005
- *
- * $Id: XmlToBinInterface.java,v 1.3 2005/06/20 21:07:37 rvaldez Exp $
- *
- * Author: Ray Valdez
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License as
- * published by the Free Software Foundation, version 2 of the
- * License.
- *
- * XmlToBinInterface Class.  
- * <p>
- *
- * Defines constants used by XmToBin.
- *
- * <p>
- *
- *     policy binary structures
- *
- * struct acm_policy_buffer {
- *     u32 policy_version; * ACM_POLICY_VERSION *
- *      u32 magic;
- *     u32 len;
- *     u32 primary_policy_code;
- *     u32 primary_buffer_offset;
- *     u32 secondary_policy_code;
- *     u32 secondary_buffer_offset;
- *      +u32 resource offset (not used yet in Xen)
- * };
- *
- *
- * struct acm_ste_policy_buffer {
- *     u32 policy_version; * ACM_STE_VERSION *
- *     u32 policy_code;
- *     u32 ste_max_types;
- *     u32 ste_max_ssidrefs;
- *     u32 ste_ssid_offset;
- * };
- *
- * struct acm_chwall_policy_buffer {
- *     u32 policy_version; * ACM_CHWALL_VERSION *
- *     u32 policy_code;
- *     u32 chwall_max_types;
- *     u32 chwall_max_ssidrefs;
- *     u32 chwall_max_conflictsets;
- *     u32 chwall_ssid_offset;
- *     u32 chwall_conflict_sets_offset;
- *     u32 chwall_running_types_offset;
- *     u32 chwall_conflict_aggregate_offset;
- * };
- *
- *     typedef struct {
- *     u16 partition_max;
- *     u16 partition_offset;
- *     u16 vlan_max;
- *     u16 vlan_offset;
- *     u16 slot_max;
- *     u16 slot_offset;
- *     } acm_resource_buffer_t;
- *
- *     typedef struct {
- *     u16 id;
- *     u16 ssid_ste;
- *     u16 ssid_chwall;
- *     } acm_partition_entry_t;
- *
- *     typedef struct {
- *     u16 vlan;
- *     u16 ssid_ste;
- *     } acm_vlan_entry_t;
- *
- *     typedef struct {
- *     u16 bus;
- *     u16 slot;
- *     u16 ssid_ste;
- *     } acm_slot_entry_t;
- *
- *       
- *
- */
-public interface XmlToBinInterface
-{
-  /* policy code  (uint16) */
-  final int policyCodeSize = 2;
-
-  /* max_types    (uint16) */
-  final int maxTypesSize = 2;
-
-  /* max_ssidrefs (uint16) */
-  final int maxSsidrefSize = 2;
-
-  /* ssid_offset  (uint32) */
-  final int ssidOffsetSize = 2;
-
-  final short markSymbol = 0x0001;
-
-  final int u32Size = 4;
-  final int u16Size = 2;
-
-  /* num of bytes for acm_ste_policy_buffer_t */
-  final int steHeaderSize = (5 * u32Size);
-
-  /* byte for acm_chinese_wall_policy_buffer_t */
-  final int chwHeaderSize = (9 * u32Size);
-
-  final int primaryPolicyCodeSize = u32Size;
-  final int primaryBufferOffsetSize = u32Size ;
-
-  final int secondaryPolicyCodeSz = u32Size;
-  final int secondaryBufferOffsetSz = u32Size;
-  final int resourceOffsetSz = u32Size;
-
-  final short partitionBufferSz = (2 * u16Size);
-  final short partitionEntrySz = (3 * u16Size);
-
-  final short slotBufferSz = (2 * u16Size);
-  final short slotEntrySz = (3 * u16Size);
-
-  final short vlanBufferSz = (2 * u16Size);
-  final short vlanEntrySz = (2 * u16Size);
-
-  final int binaryBufferHeaderSz = (8 * u32Size); /* 8th not used in Xen */
-
-  /* copied directly from acm.h */
-  final int ACM_MAGIC  =  0x0001debc;
-  final int ACM_NULL_POLICY = 0;
-  final int ACM_CHINESE_WALL_POLICY = 1;
-  final int ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY = 2;
-  final int ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY = 3;
-  final int ACM_EMPTY_POLICY = 4;
-
-  /* version for compatibility check */
-  final int ACM_POLICY_VERSION = 1;
-  final int ACM_STE_VERSION    = 1;
-  final int ACM_CHWALL_VERSION = 1;
-}
diff -r 3d45fb64b064 -r 509316987d65 tools/misc/policyprocessor/c2j_include.c
--- a/tools/misc/policyprocessor/c2j_include.c  Fri Aug 19 10:18:53 2005
+++ /dev/null   Fri Aug 19 10:50:15 2005
@@ -1,57 +0,0 @@
-/****************************************************************
- * c2j_include.c
- *
- * Copyright (C) 2005 IBM Corporation
- *
- * Authors:
- * Reiner Sailer <sailer@xxxxxxxxxxxxxx>
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License as
- * published by the Free Software Foundation, version 2 of the
- * License.
- *
- * This tool makes some constants from acm.h available to the
- * java policyprocessor for version checking.
- */
-#include <stdio.h>
-#include <errno.h>
-#include <stdlib.h>
-#include <stdint.h>
-
-typedef uint8_t  u8;
-typedef uint16_t u16;
-typedef uint32_t u32;
-typedef uint64_t u64;
-typedef int8_t   s8;
-typedef int16_t  s16;
-typedef int32_t  s32;
-typedef int64_t  s64;
-
-#include <xen/acm.h>
-
-char *filename = "policy_version.java";
-
-int main(int argc, char **argv)
-{
-
-    FILE *fd;
-    if ((fd = fopen(filename, "w")) <= 0)
-    {
-        printf("File %s not found.\n", filename);
-        exit(-ENOENT);
-    }
-
-    fprintf(fd, "/*\n * This file was automatically generated\n");
-    fprintf(fd, " * Do not change it manually!\n */\n");
-    fprintf(fd, "public class policy_version {\n");
-    fprintf(fd, "      final int ACM_POLICY_VERSION = %x;\n",
-            ACM_POLICY_VERSION);
-    fprintf(fd, "      final int ACM_CHWALL_VERSION = %x;\n",
-            ACM_CHWALL_VERSION);
-    fprintf(fd, "      final int ACM_STE_VERSION = %x;\n",
-            ACM_STE_VERSION);
-    fprintf(fd, "}\n");
-    fclose(fd);
-    return 0;
-}
diff -r 3d45fb64b064 -r 509316987d65 tools/misc/policyprocessor/myHandler.java
--- a/tools/misc/policyprocessor/myHandler.java Fri Aug 19 10:18:53 2005
+++ /dev/null   Fri Aug 19 10:50:15 2005
@@ -1,47 +0,0 @@
-/**
- * (C) Copyright IBM Corp. 2005
- *
- * $Id: myHandler.java,v 1.2 2005/06/17 20:00:04 rvaldez Exp $
- *
- * Author: Ray Valdez
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License as
- * published by the Free Software Foundation, version 2 of the
- * License.
- *
- * myHandler Class.  
- *
- * <p>
- *
- * A dummy class used for detecting XML validating/parsing errors.
- *
- * <p>
- *
- *
- */
-import org.xml.sax.helpers.*;
-import org.xml.sax.SAXParseException;
-
-class myHandler extends DefaultHandler 
-{ 
- public boolean isValid = true;
-
- /* Notification of a recoverable error. */
- public void error(SAXParseException se) 
- { 
-  isValid = false;
- } 
-
- /* Notification of a non-recoverable error. */
- public void fatalError(SAXParseException se) 
- { 
-  isValid = false;
- } 
-
- /* Notification of a warning. */
- public void warning(SAXParseException se) 
- {
-  isValid = false;
- }
-}
diff -r 3d45fb64b064 -r 509316987d65 tools/misc/policyprocessor/readme.install
--- a/tools/misc/policyprocessor/readme.install Fri Aug 19 10:18:53 2005
+++ /dev/null   Fri Aug 19 10:50:15 2005
@@ -1,33 +0,0 @@
-# Author: Ray Valdez, rvaldez@xxxxxxxxxx 
-# Version: 1.0
-#
-# install readme
-#
-PREREQUISITES:
-
-Prior to installation of the policy processor tool (XmlToBin) you must have...
-
- 1. Java version 1.4.2
- 2. xmlParserAPIs.jar and xercesImpl.jar
-
-The above can be obtained from the Sun Developer Network web site at
-http://java.sun.com/j2se/1.4.2/download.html.
-
-XmlParserAPIs and xercesImpl jars can be obtained from
-http://www.apache.org/dist/xml/xerces-j (Xerces-J-bin.2.6.2.tar.gz,
-for example).
-
-The tool has been tested with J2SE v1.4.2_08 JRE on Linux (32-bit
-INTEL).
-
-INSTALLATION
-
-1. Set PATH to include $HOME_JAVA/bin and $HOME_JAVA/jre/bin
-   where $HOME_JAVA is your java installation directory
-
-2. Compile XmlToBin:
-   javac XmlToBin.java
-       
-USAGE
-
- See readme.xen
diff -r 3d45fb64b064 -r 509316987d65 tools/misc/policyprocessor/readme.xen
--- a/tools/misc/policyprocessor/readme.xen     Fri Aug 19 10:18:53 2005
+++ /dev/null   Fri Aug 19 10:50:15 2005
@@ -1,65 +0,0 @@
-# Author: Ray Valdez, rvaldez@xxxxxxxxxx 
-# Version: 1.0
-#
-# This readme describes the policy processor tool for sHype.
-#
-
-Java program:
-
- java XmlToBin -i [file.xml] -o <file.bin> -xssid <SsidFile> -xssidconf 
<SsidConf>
-
- Command line options:
-
-        -i              inputFile:      name of policyfile (.xml)
-        -o              outputFile:     name of binary policy file (Big Endian)
-        -xssid          SsidFile:       xen ssids to named types text file
-        -xssidconf      SsidConf:      xen conflict ssids to types text file
-        -debug                          turn on debug messages
-        -help                           help. This printout
-
-Where:
-
-file.xml is the (input) xml policy file to be parsed and validated.
-The syntax for file.xml is defined in the SecurityPolicySpec.xsd file.
-file.bin is the (output) binary policy file generated by XmlToBin.
-This binary policy can be activated in sHype. The binary policy file
-is laid out in network byte order (i.e., big endian).  The SsidFile
-file contains the mapping of type enforcement (TE) ssids to the "named
-types".  Similarly, the SsidConf file contains the mapping of Chinese
-Wall (ChWall) ssids to conflict named types. The ssidFile and SsidConf
-files are used by Xen.
-
-Xml Schema and policy:
-
-The SecurityPolicySpec.xsd defines the syntax of a policy file. It
-declares the tags that are used by XmlToBin to generate the binary
-policy file. The tags that XmlToBin keys on are TE, ChWall, id, vid,
-etc.  The xml files that describe a policy are simple.  Semantic
-checking of a policy is performed mostly by XmlToBin.  A type, for
-example, is a string. No fixed values are defined for types in Xml.
-  
-A policy consists of two Xml files: definition and policy. The
-definition Xml declares the types that are permitted in the policy
-Xml.  The policy Xml contains the assignment of labels to
-subject/object (e.g., vm). This Xml file contains an explicit
-reference to the definition Xml (e.g., <url>xen_sample_def.xml</url>).
-The policy Xml is the one provided as a command line argument.
-
-
-Files:
-
-*.java                 - policy processor source 
-xen_sample_policy.xml  - sample xml policy file
-xen_sample_def.xml     - sample user defined types
-SecurityPolicySpec.xsd         - schema definition file
-
-
-To generate the sample binary policy: 
-
-export CLASSPATH=$XERCES_HOME/xercesImpl.jar:$XERCES_HOME/xmlParserAPIs.jar:.
-
-java XmlToBin -i xen_sample_policy.xml -o xen_sample_policy.bin
-
-where $XERCES_HOME is the installation directory of the Apache Xerces-J
-
-
diff -r 3d45fb64b064 -r 509316987d65 
tools/misc/policyprocessor/xen_sample_def.xml
--- a/tools/misc/policyprocessor/xen_sample_def.xml     Fri Aug 19 10:18:53 2005
+++ /dev/null   Fri Aug 19 10:50:15 2005
@@ -1,46 +0,0 @@
-<?xml version="1.0"?>
-<!-- Author: Ray Valdez, rvaldez@xxxxxxxxxx -->
-<!-- example policy type definition -->
-<SecurityPolicySpec
-xmlns="http://www.ibm.com";
-xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
-xsi:schemaLocation="http://www.ibm.com SecurityPolicySpec.xsd">
-
-<Definition>
-<!-- an example of a simple type enforcement type definition -->
-  <Types>
-        <TE>LOCAL-management</TE>
-        <TE>R-Company-development</TE>
-        <TE>S-Company-order</TE>
-        <TE>T-Company-advertising</TE>
-        <TE>U-Company-computing</TE>
-                <!-- TE nondevelopment  -->
-  </Types>
-
-<!-- an example of a chinese wall type definition along with conflict sets-->
-  <ChWallTypes>
-                <ChWall>Q-Company</ChWall>
-                <ChWall>R-Company</ChWall>
-                <ChWall>S-Company</ChWall>
-                <ChWall>T-Company</ChWall>
-                <ChWall>U-Company</ChWall>
-                <ChWall>V-Company</ChWall>
-                <ChWall>W-Company</ChWall>
-                <ChWall>X-Company</ChWall>
-                <ChWall>Y-Company</ChWall>
-                <ChWall>Z-Company</ChWall>
-  </ChWallTypes>
-
-  <ConflictSet>
-                <ChWall>T-Company</ChWall>
-                <ChWall>S-Company</ChWall>
-   </ConflictSet>
-
-   <ConflictSet>
-                <ChWall>R-Company</ChWall>
-                <ChWall>V-Company</ChWall>
-                <ChWall>W-Company</ChWall>
-   </ConflictSet>
-
-</Definition>
-</SecurityPolicySpec>
diff -r 3d45fb64b064 -r 509316987d65 
tools/misc/policyprocessor/xen_sample_policy.xml
--- a/tools/misc/policyprocessor/xen_sample_policy.xml  Fri Aug 19 10:18:53 2005
+++ /dev/null   Fri Aug 19 10:50:15 2005
@@ -1,58 +0,0 @@
-<?xml version="1.0"?>
-<!-- Author: Ray Valdez, rvaldez@xxxxxxxxxx -->
-<!-- example xen policy file -->
-
-<SecurityPolicySpec
-xmlns="http://www.ibm.com";
-xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
-xsi:schemaLocation="http://www.ibm.com SecurityPolicySpec.xsd">
-<Policy>
- <PolicyHeader>
-        <Name>xen sample policy</Name>
-        <DateTime>2005-05-20T16:56:00</DateTime>
-        <Tag>foobar</Tag>
-        <TypeDefinition>
-          <url>xen_sample_def.xml</url>
-          <hash>abcdef123456abcdef</hash>
-        </TypeDefinition>
- </PolicyHeader>
-
- <VM>
-        <id> 0 </id>
-        <TE>LOCAL-management</TE>
-        <TE>R-Company-development</TE>
-        <TE>S-Company-order</TE>
-        <TE>T-Company-advertising</TE>
-        <TE>U-Company-computing</TE>
-                <ChWall>Q-Company</ChWall>
- </VM>
-
- <VM>
-        <id> 1 </id>
-        <TE>R-Company-development</TE>
-                <ChWall>R-Company</ChWall>
- </VM>
-
- <VM>
-        <id> 2 </id>
-        <TE>S-Company-order</TE>
-                <ChWall>S-Company</ChWall>
-
- </VM>
-
- <VM>
-        <id> 3 </id>
-        <TE>T-Company-advertising</TE>
-                <ChWall>T-Company</ChWall>
- </VM>
-
-
- <VM>
-        <id> 4 </id>
-        <TE>U-Company-computing</TE>
-                <ChWall>U-Company</ChWall>
- </VM>
-
-
-</Policy>
-</SecurityPolicySpec>

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.