[Xen-changelog] The attached patch makes a couple of changes to the ACM security tools
# HG changeset patch # User emellor@xxxxxxxxxxxxxxxxxxxxxx # Node ID 8aac8746047ba585801cac6e8e08be843b96853f # Parent 3ab6a6c4b6edda2bc4f7d920de581cb542d3d36c The attached patch makes a couple of changes to the ACM security tools and installation. Particularly it does the following: - the Makefile installs the ACM security-related tools into /etc/xen/acm-security - improves and cleans up some of the tools - updates the documentation Signed-off-by: Tom Lendacky <toml@xxxxxxxxxx> Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxx> diff -r 3ab6a6c4b6ed -r 8aac8746047b tools/security/Makefile --- a/tools/security/Makefile Thu Dec 8 18:19:24 2005 +++ b/tools/security/Makefile Thu Dec 8 18:21:05 2005 @@ -1,16 +1,19 @@ XEN_ROOT = ../.. include $(XEN_ROOT)/tools/Rules.mk -SRCS = secpol_tool.c CFLAGS += -Wall CFLAGS += -Werror CFLAGS += -O3 CFLAGS += -fno-strict-aliasing -CFLAGS += -I. -I/usr/include/libxml2 -CFLAGS_XML2BIN += $(shell xml2-config --cflags --libs ) -#if above does not work, try -L/usr/lib -lxml2 -lz -lpthread -lm +CFLAGS += -I. + +CPPFLAGS += -MMD -MF .$*.d +PROG_DEPS = .*.d + XML2VERSION = $(shell xml2-config --version ) -VALIDATE_SCHEMA=$(shell if [[ $(XML2VERSION) < 2.6.20 ]]; then echo ""; else echo "-DVALIDATE_SCHEMA"; fi; ) +CFLAGS += $(shell xml2-config --cflags ) +CFLAGS += $(shell if [[ $(XML2VERSION) < 2.6.20 ]]; then echo ""; else echo "-DVALIDATE_SCHEMA"; fi ) +LDFLAGS += $(shell xml2-config --libs ) # if this does not work, try -L/usr/lib -lxml2 -lz -lpthread -lm ifeq ($(ACM_DEFAULT_SECURITY_POLICY),ACM_NULL_POLICY) POLICY=null 
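Review bot: The `-DVALIDATE_SCHEMA` test added to CFLAGS compares version strings with `[[ $(XML2VERSION) < 2.6.20 ]]`, which is a lexical comparison and a bash-only construct. Lexically `2.10.0` sorts before `2.6.20`, so a newer libxml2 would build xensec_xml2bin with schema validation compiled out, while `2.6.9` would wrongly enable it. Under a /bin/sh that is not bash the test fails and the flag is added regardless of version. Asking for the minimum version directly is more reliable, for example `CFLAGS += $(shell pkg-config --atleast-version=2.6.20 libxml-2.0 && echo -DVALIDATE_SCHEMA)`. The three `xml2-config` calls could also be captured once with `:=`.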
@@ -24,48 +27,71 @@ ifeq ($(ACM_DEFAULT_SECURITY_POLICY),ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY) POLICY=chwall_ste endif -POLICYFILE=./policies/$(POLICY)/$(POLICY).bin + +SRCS_TOOL = secpol_tool.c +OBJS_TOOL := $(patsubst %.c,%.o,$(filter %.c,$(SRCS_TOOL))) +SRCS_XML2BIN = secpol_xml2bin.c secpol_xml2bin.h +OBJS_XML2BIN := $(patsubst %.c,%.o,$(filter %.c,$(SRCS_XML2BIN))) +SRCS_GETD = get_decision.c +OBJS_GETD := $(patsubst %.c,%.o,$(filter %.c,$(SRCS_GETD))) + +ACM_INST_TOOLS = xensec_tool xensec_xml2bin +ACM_NOINST_TOOLS = get_decision +ACM_OBJS = $(OBJS_TOOL) $(OBJS_XML2BIN) $(OBJS_GETD) +ACM_SCRIPTS = getlabel.sh setlabel.sh updategrub.sh labelfuncs.sh + +ACM_CONFIG_DIR = /etc/xen/acm-security +ACM_POLICY_DIR = $(ACM_CONFIG_DIR)/policies +ACM_SCRIPT_DIR = $(ACM_CONFIG_DIR)/scripts + +ACM_SCHEMA = security_policy.xsd +ACM_EXAMPLES = null chwall ste chwall_ste +ACM_POLICY_SUFFIX = security_policy.xml +ACM_LABEL_SUFFIX = security_label_template.xml ifeq ($(ACM_SECURITY),y) all: build -install:all - -default:all +install: all $(ACM_CONFIG_FILE) + $(INSTALL_DIR) -p $(DESTDIR)/usr/sbin + $(INSTALL_PROG) -p $(ACM_INST_TOOLS) $(DESTDIR)/usr/sbin + $(INSTALL_DIR) -p $(DESTDIR)$(ACM_CONFIG_DIR) + $(INSTALL_DIR) -p $(DESTDIR)$(ACM_POLICY_DIR) + $(INSTALL_DATA) -p policies/$(ACM_SCHEMA) $(DESTDIR)$(ACM_POLICY_DIR) + for i in $(ACM_EXAMPLES); do \ + $(INSTALL_DIR) -p $(DESTDIR)$(ACM_POLICY_DIR)/$$i; \ + $(INSTALL_DATA) -p policies/$$i/$$i-$(ACM_POLICY_SUFFIX) $(DESTDIR)$(ACM_POLICY_DIR)/$$i; \ + $(INSTALL_DATA) -p policies/$$i/$$i-$(ACM_LABEL_SUFFIX) $(DESTDIR)$(ACM_POLICY_DIR)/$$i; \ + done + $(INSTALL_DIR) -p $(DESTDIR)$(ACM_SCRIPT_DIR) + $(INSTALL_PROG) -p $(ACM_SCRIPTS) $(DESTDIR)$(ACM_SCRIPT_DIR) else all: install: - -default: endif -build: mk-symlinks - $(MAKE) secpol_tool - $(MAKE) secpol_xml2bin - $(MAKE) get_decision - chmod 700 ./setlabel.sh - chmod 700 ./updategrub.sh - chmod 700 ./getlabel.sh +build: mk-symlinks $(ACM_INST_TOOLS) $(ACM_NOINST_TOOLS) 
+ chmod 700 $(ACM_SCRIPTS) -secpol_tool : secpol_tool.c - $(CC) $(CPPFLAGS) $(CFLAGS) -o $@ $< +xensec_tool: $(OBJS_TOOL) + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< -secpol_xml2bin : secpol_xml2bin.c secpol_xml2bin.h - $(CC) $(CPPFLAGS) $(CFLAGS) $(CFLAGS_XML2BIN) $(VALIDATE_SCHEMA) -o $@ $< +xensec_xml2bin: $(OBJS_XML2BIN) + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< + +get_decision: $(OBJS_GETD) + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< clean: - rm -rf secpol_tool secpol_xml2bin xen get_decision + $(RM) $(ACM_INST_TOOLS) $(ACM_NOINST_TOOLS) + $(RM) $(ACM_OBJS) + $(RM) $(PROG_DEPS) + $(RM) -r xen -policy_clean: - rm -rf policies/*/*.bin policies/*/*.map +mrproper: clean -mrproper: clean policy_clean +boot_install: install + $(ACM_SCRIPT_DIR)/updategrub.sh $(POLICY) $(KERNEL_VERSION) - -$(POLICYFILE) : build - @./secpol_xml2bin $(POLICY) > /dev/null - -boot_install: $(POLICYFILE) - @cp $(POLICYFILE) /boot - @./updategrub.sh $(POLICY) $(PWD)/$(XEN_ROOT) +-include $(PROG_DEPS) diff -r 3ab6a6c4b6ed -r 8aac8746047b tools/security/example.txt --- a/tools/security/example.txt Thu Dec 8 18:19:24 2005 +++ b/tools/security/example.txt Thu Dec 8 18:21:05 2005 
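Review bot: `boot_install` runs `$(ACM_SCRIPT_DIR)/updategrub.sh` from the absolute /etc/xen/acm-security path, while `install` copies the scripts under `$(DESTDIR)`. With a non-empty DESTDIR (a staged or packaging install) the recipe executes whatever copy already sits on the build host, or fails, instead of the script that was just installed. Either run the build-tree copy (`./updategrub.sh`, which the usage text says accepts `-d <policies root>`) or stop with `$(error ...)` when DESTDIR is set. `install` also lists `$(ACM_CONFIG_FILE)` as a prerequisite, but no assignment to it is visible in this diff, so it presumably expands to nothing and should be defined or dropped.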
@@ -9,23 +9,23 @@ # and to label domains and resources. ## -We will show how to install and use the chwall_ste policy. +We will show how to install and use the example chwall_ste policy. Other policies work similarly. Feedback welcome! -1. Using secpol_xml2bin to translate the chwall_ste policy: +1. Using xensec_xml2bin to translate the chwall_ste policy: =========================================================== -#tools/security/secpol_xml2bin chwall_ste +#xensec_xml2bin chwall_ste Successful execution should print: - [root@laptopxn security]# ./secpol_xml2bin chwall_ste - Validating label file policies/chwall_ste/chwall_ste-security_label_template.xml... - XML Schema policies/security_policy.xsd valid. - Validating policy file policies/chwall_ste/chwall_ste-security_policy.xml... - XML Schema policies/security_policy.xsd valid. + [root@laptopxn security]# xensec_xml2bin chwall_ste + Validating label file /etc/xen/acm-security/policies/chwall_ste/chwall_ste-security_label_template.xml... + XML Schema /etc/xen/acm-security/policies/security_policy.xsd valid. + Validating policy file /etc/xen/acm-security/policies/chwall_ste/chwall_ste-security_policy.xml... + XML Schema /etc/xen/acm-security/policies/security_policy.xsd valid. Creating ssid mappings ... Creating label mappings ... Max chwall labels: 7 
@@ -35,10 +35,15 @@ Max ste-types: 6 Max ste-ssids: 10 -The tool looks in directory policies/chwall_ste for +By default, the tool looks in directory /etc/xen/acm-security/policies +for a directory that matches the policy name (i.e. chwall_ste) to find the label and policy files. - -The default policy directory structure under tools/security looks like: +The '-d' option can be used to override the /etc/xen/acm-security/policies +directory, for example if running the tool in the Xen security tool build +directory. + +The default policy directory structure under /etc/xen/acm-security (and +the Xen security tool build directory - tools/security) looks like: policies |-- security_policy.xsd 
@@ -55,25 +60,25 @@ |-- ste-security_label_template.xml `-- ste-security_policy.xml -policies/security_policy.xsd contains the schema against which both the +The security_policy.xsd file contains the schema against which both the label-template and the policy files must validate during translation. -policies/chwall_ste/chwall_ste-security_policy.xml defines the -policies and the types known to the policies. - -policies/chwall_ste/chwall_ste-security_label_template.xml contains -label definitions that group chwall and ste types together and make -them easier to use for users - -After executing the above secpol_xml2bin command, you will find 2 new -files in the policies/chwall_ste sub-directory: - -policies/chwall_ste/chwall_ste.map ... this file includes the mapping -of names from the xml files into their binary code representation. - -policies/chwall_ste/chwall_ste.bin ... this is the binary policy file, -the result of parsing the xml files and using the mapping to extract a -binary version that can be loaded into the hypervisor. +The files ending in -security_policy.xml define the policies and the +types known to the policies. + +The files ending in -security_label_template.xml contain the label +definitions that group types together and make them easier to use for +users. + +After executing the above xensec_xml2bin command, you will find 2 new +files in the /etc/xen/acm-security/policies/chwall_ste sub-directory: + + chwall_ste.map ... this file includes the mapping + of names from the xml files into their binary code representation. + + chwall_ste.bin ... this is the binary policy file, + the result of parsing the xml files and using the mapping to extract a + binary version that can be loaded into the hypervisor. 
@@ -85,13 +90,13 @@ To activate the policy from the command line (assuming that the currently established policy is the minimal boot-policy that is -hard-coded into the hypervisor: - -# ./secpol_tool loadpolicy policies/chwall_ste/chwall_ste.bin +hard-coded into the hypervisor): + +# xensec_tool loadpolicy /etc/xen/acm-security/policies/chwall_ste/chwall_ste.bin To activate the policy at next reboot: -# cp policies/chwall_ste/chwall_ste.bin /boot +# cp /etc/xen/acm-security/policies/chwall_ste/chwall_ste.bin /boot Add a module line to your /boot/grub/grub.conf Xen entry. My boot entry with chwall_ste enabled looks like this: @@ -129,12 +134,12 @@ To show available labels for the chwall_ste policy: -#tools/security/setlabel.sh -l +# /etc/xen/acm-security/scripts/setlabel.sh -l lists all available labels. For the default chwall_ste it should print the following: - [root@laptopxn security]# ./setlabel.sh -l chwall_ste + [root@laptopxn security]# /etc/xen/acm-security/scripts/setlabel.sh -l chwall_ste The following labels are available: dom_SystemManagement dom_HomeBanking @@ -156,8 +161,8 @@ since only those are used at this time. If you would like to assign the dom_HomeBanking label to one of your -user domains (which you hopefully keep clean), look at an example -domain configuration homebanking.xm: +user domains (which you hopefully keep clean), look at the hypothetical +domain configuration contained in /etc/xen/homebanking.xm: #------HOMEBANKING--------- kernel = "/boot/vmlinuz-2.6.12-xenU" @@ -172,7 +177,7 @@ Now we label this domain -[root@laptopxn security]# ./setlabel.sh homebanking.xm dom_HomeBanking chwall_ste +[root@laptopxn security]# /etc/xen/acm-securit/scripts/setlabel.sh /etc/xen/homebanking.xm dom_HomeBanking chwall_ste Mapped label 'dom_HomeBanking' to ssidref '0x00020002'. The domain configuration my look now like: 
@@ -223,9 +228,8 @@ <type>cw_Distrusted</type> </conflictset> -(in policies/chwall_ste/chwall_ste-security_policy.xml), which says -that only one of the types cw_sensitive and cw_Distrusted can run at a -time. +(in chwall_ste-security_policy.xml), which says that only one of the +types cw_Sensitive and cw_Distrusted can run at a time. If you save or shutdown the HomeBanking domain, you will be able to start the "Fun" domain. You can look into the Xen log to see if a @@ -255,15 +259,15 @@ b) the label template definition (labels etc.) file If your policy name is "mypolicy", you need to create a -subdirectory mypolicy in tools/security/policies. +subdirectory mypolicy in /etc/xen/acm-security/policies. Then you create -tools/security/policies/mypolicy/mypolicy-security_policy.xml and -tools/security/policies/mypolicy/mypolicy-security_label_template.xml. +/etc/xen/acm-security/policies/mypolicy/mypolicy-security_policy.xml and +/etc/xen/acm-security/policies/mypolicy/mypolicy-security_label_template.xml. You need to keep to the schema as defined in -tools/security/security_policy.xsd since the translation tool -secpol_xml2bin is written against this schema. +/etc/xen/acm-security/security_policy.xsd since the translation tool +xensec_xml2bin is written against this schema. If you keep to the security policy schema, then you can use all the tools described above. Refer to install.txt to install it. diff -r 3ab6a6c4b6ed -r 8aac8746047b tools/security/getlabel.sh --- a/tools/security/getlabel.sh Thu Dec 8 18:19:24 2005 +++ b/tools/security/getlabel.sh Thu Dec 8 18:21:05 2005 
@@ -32,20 +32,24 @@ export PATH=$PATH:. -source labelfuncs.sh +dir=`dirname $0` +source $dir/labelfuncs.sh usage () { + prg=`basename $0` echo "Use this tool to display the label of a domain or the label that is corresponding to an ssidref given the name of the running policy. -Usage: $0 -sid <ssidref> [<policy name>] or - $0 -dom <domid> [<policy name>] +Usage: $prg -sid <ssidref> [<policy name> [<policy dir>]] or + $prg -dom <domid> [<policy name> [<policy dir>]] policy name : the name of the policy, i.e. 'chwall' If the policy name is omitted, the grub.conf entry of the running system is tried to be read and the policy name determined from there. +policy dir : the directory where the <policy name> policy is located + The default location is '/etc/xen/acm-security/policies' ssidref : an ssidref in hex or decimal format, i.e., '0x00010002' or '65538' domid : id of the domain, i.e., '1'; Use numbers from the 2nd 
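Review bot: The two added lines that locate and source labelfuncs.sh are unquoted, so an install path containing whitespace or glob characters makes the script source the wrong file or none at all, and execution continues with the helper functions undefined. Quote both and stop on failure: `dir=$(dirname "$0")` and `source "$dir/labelfuncs.sh" || exit 1`. The same pair of lines is added to setlabel.sh and updategrub.sh later in this commit.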
@@ -55,79 +59,36 @@ -if [ "$1" == "-?" ]; then - mode="usage" +if [ "$1" == "-h" ]; then + usage + exit 0 elif [ "$1" == "-dom" ]; then mode="domid" shift elif [ "$1" == "-sid" ]; then mode="sid" shift -elif [ "$1" == "" ]; then +else usage exit -1 fi +setPolicyVars $2 $3 +findMapFile $policy $policydir +ret=$? +if [ $ret -eq 0 ]; then + echo "Could not find map file for policy '$policy'." + exit -1 +fi -if [ "$mode" == "usage" ]; then - usage -elif [ "$mode" == "domid" ]; then - if [ "$2" == "" ]; then - findGrubConf - ret=$? - if [ $ret -eq 0 ]; then - echo "Could not find grub.conf" - exit -1; - fi - findPolicyInGrub $grubconf - if [ "$policy" != "" ]; then - echo "Assuming policy to be '$policy'."; - else - echo "Could not find policy." - exit -1; - fi - else - policy=$2 +if [ "$mode" == "domid" ]; then + getSSIDUsingSecpolTool $1 + ret=$? + if [ $ret -eq 0 ]; then + echo "Could not determine the SSID of the domain." + exit -1 fi - findMapFile $policy - res=$? - if [ "$res" != "0" ]; then - getSSIDUsingSecpolTool $1 - res=$? - if [ "$res" != "0" ]; then - translateSSIDREF $ssid $mapfile - else - echo "Could not determine the SSID of the domain." - fi - else - echo "Could not find map file for policy '$policy'." - fi -elif [ "$mode" == "sid" ]; then - if [ "$2" == "" ]; then - findGrubConf - ret=$? - if [ $ret -eq 0 ]; then - echo "Could not find grub.conf" - exit -1; - fi - findPolicyInGrub $grubconf - if [ "$policy" != "" ]; then - echo "Assuming policy to be '$policy'."; - else - echo "Could not find policy." - exit -1; - fi - else - policy=$2 - fi - findMapFile $policy - res=$? - if [ "$res" != "0" ]; then - translateSSIDREF $1 $mapfile - else - echo "Could not find map file for policy '$policy'." - fi - -else - usage + translateSSIDREF $ssid $mapfile +else # mode == sid + translateSSIDREF $1 $mapfile fi diff -r 3ab6a6c4b6ed -r 8aac8746047b tools/security/install.txt --- a/tools/security/install.txt Thu Dec 8 18:19:24 2005 
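Review bot: The return value of `setPolicyVars $2 $3` is never tested; `ret=$?` is only taken after `findMapFile`. When no policy name is given and grub.conf or its policy entry cannot be found, the script carries on with an empty `$policy` and reports "Could not find map file for policy ''" on top of the real error. setlabel.sh, changed in the same commit, does check it. Under this file's convention (0 means failure) the line to add directly after the call is `if [ $? -eq 0 ]; then exit 1; fi`, and the arguments are better passed quoted as `setPolicyVars "$2" "$3"`.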
+++ b/tools/security/install.txt Thu Dec 8 18:21:05 2005 @@ -41,11 +41,11 @@ # make manual steps (alternative to make boot_install): - #./secpol_xml2bin chwall_ste - #cp policies/chwall_ste/chwall_ste.bin /boot - #edit /boot/grub/grub.conf + # ./xensec_xml2bin -d policies/ chwall_ste + # cp policies/chwall_ste/chwall_ste.bin /boot + # edit /boot/grub/grub.conf add the follwoing line to your xen boot entry: - "module chwall_ste.bin" + "module /boot/chwall_ste.bin" alternatively, you can try our automatic translation and installation of the policy: @@ -61,9 +61,9 @@ 3. reboot into the newly compiled hypervisor after boot - #xm dmesg should show an entry about the policy being loaded + # xm dmesg should show an entry about the policy being loaded during the boot process - #tools/security/secpol_tool getpolicy + # xensec_tool getpolicy should print the new chwall_ste binary policy representation diff -r 3ab6a6c4b6ed -r 8aac8746047b tools/security/labelfuncs.sh --- a/tools/security/labelfuncs.sh Thu Dec 8 18:19:24 2005 +++ b/tools/security/labelfuncs.sh Thu Dec 8 18:21:05 2005 
@@ -17,10 +17,53 @@ # +#Some global variables for tools using this module +ACM_DEFAULT_ROOT="/etc/xen/acm-security" + +# Set the policy and policydir variables +# Parameters: +# 1st : possible policy name +# 2nd : possible policy directory +# Results: +# The variables policy and policydir will hold the values for locating +# policy information +# If there are no errors, the functions returns a '1', +# a '0' otherwise. +setPolicyVars () +{ + local ret + # Set default values + policydir="$ACM_DEFAULT_ROOT/policies" + policy="" + + if [ "$1" == "" ]; then + findGrubConf + ret=$? + if [ $ret -eq 0 ]; then + echo "Could not find grub.conf." + return 0; + fi + findPolicyInGrub $grubconf + if [ "$policy" == "" ]; then + echo "Could not find policy in grub.conf. Looked for entry using kernel $linux." + return 0; + fi + echo "Assuming policy to be '$policy'."; + else + policy=$1 + if [ "$2" != "" ]; then + policydir=$2 + fi + fi + + return 1 +} + # Find the mapfile given a policy nmame # Parameters: # 1st : the name of the policy whose map file is to be found, i.e., # chwall +# 2nd : the policy directory for locating the map file # Results: # The variable mapfile will hold the realtive path to the mapfile # for the given policy. @@ -28,16 +71,10 @@ # a '0' otherwise. findMapFile () { - mapfile="./$1.map" + mapfile="$2/$1/$1.map" if [ -r "$mapfile" ]; then return 1 fi - - mapfile="./policies/$1/$1.map" - if [ -r "$mapfile" ]; then - return 1 - fi - return 0 } @@ -50,7 +87,7 @@ # The variable primary will hold the name of the primary policy getPrimaryPolicy () { - mapfile=$1 + local mapfile=$1 primary=`cat $mapfile | \ awk ' \ { \ @@ -71,7 +108,7 @@ # The variable secondary will hold the name of the secondary policy getSecondaryPolicy () { - mapfile=$1 + local mapfile=$1 secondary=`cat $mapfile | \ awk ' \ { \ 
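Review bot: The failure message in `setPolicyVars`, "Looked for entry using kernel $linux.", will most likely print an empty kernel name. `findPolicyInGrub` is changed later in this same commit to declare `local linux=...`, so the value no longer reaches the caller unless something else has set a global `linux`. Use `$(uname -r)` in the message, or keep the variable global on purpose and say so in the comment. The header comment would also benefit from one more line stating that these helpers return 1 for success and 0 for failure, the reverse of the shell convention, so callers must test `$?` explicitly rather than write `if setPolicyVars ...`.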
@@ -86,6 +123,10 @@ #Return where the grub.conf file is. #I only know of one place it can be. +#Returns: +# 1 : if the file is writeable and readable +# 2 : if the file is only readable +# 0 : if the file does not exist findGrubConf() { grubconf="/boot/grub/grub.conf" @@ -112,16 +153,37 @@ # kernel, i.e., 'vmlinuz-2.6.12-xen0' getLinuxVersion () { - path=$1 + local path + local versionfile + local lnx + if [ "$1" == "" ]; then + path="/lib/modules/*-xen0" + else + path="/lib/modules/$1" + fi + linux="" for f in $path/linux-*-xen0 ; do - versionfile=$f/include/linux/version.h + versionfile=$f/build/include/linux/version.h if [ -r $versionfile ]; then lnx=`cat $versionfile | \ grep UTS_RELEASE | \ awk '{ \ len=length($3); \ - print substr($3,2,len-2) }'` + version=substr($3,2,len-2); \ + split(version,numbers,"."); \ + if (numbers[4]=="") { \ + printf("%s.%s.%s", \ + numbers[1], \ + numbers[2], \ + numbers[3]); \ + } else { \ + printf("%s.%s.%s[.0-9]*-xen0",\ + numbers[1], \ + numbers[2], \ + numbers[3]); \ + } \ + }'` fi if [ "$lnx" != "" ]; then linux="[./0-9a-zA-z]*$lnx" @@ -137,11 +199,12 @@ # Find out with which policy the hypervisor was booted with. # Parameters # 1st : The complete path to grub.conf, i.e., /boot/grub/grub.conf -# +# Result: +# Sets the variable 'policy' to the name of the policy findPolicyInGrub () { - grubconf=$1 - linux=`uname -r` + local grubconf=$1 + local linux=`uname -r` policy=`cat $grubconf | \ awk -vlinux=$linux '{ \ if ( $1 == "title" ) { \ @@ -184,9 +247,9 @@ # The funtion returns '1' on success, '0' on failure getSSIDUsingSecpolTool () { - domid=$1 + local domid=$1 export PATH=$PATH:. - ssid=`secpol_tool getssid -d $domid -f | \ + ssid=`xensec_tool getssid -d $domid -f | \ grep -E "SSID:" | \ awk '{ print $4 }'` @@ -206,7 +269,7 @@ # high ssid values as integers. getSSIDLOHI () { - ssid=$1 + local ssid=$1 ssidlo_int=`echo $ssid | awk \ '{ \ len=length($0); \ 
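Review bot: The lookup path in `getLinuxVersion` now combines `/lib/modules/<version>` with the unchanged loop glob `linux-*-xen0` and then `build/include/linux/version.h`. Unless a `linux-*-xen0` directory exists inside the modules directory, which is not the usual layout, the glob matches nothing and the function appears to fall through to whatever default follows the loop, outside this hunk. Iterating over the modules directories themselves, `for f in $path ; do`, looks like what was intended. This is worth confirming, because the resulting pattern presumably decides which grub entry receives the policy module.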
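Review bot: `getSSIDUsingSecpolTool` still runs `export PATH=$PATH:.` immediately before calling the renamed `xensec_tool`. Now that the Makefile installs the tool into /usr/sbin, the current directory no longer needs to be on the search path. Keeping it there means a root shell sitting in a writable directory can execute a same-named file when the real tool is missing from PATH. Drop the `export` here and the matching context lines at the top of getlabel.sh and setlabel.sh, or call the tool by its installed absolute path.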
@@ -289,11 +352,11 @@ # updateGrub () { - grubconf=$1 - policyfile=$2 - linux=$3 - - tmpfile="/tmp/new_grub.conf" + local grubconf=$1 + local policyfile=$2 + local linux=$3 + + local tmpfile="/tmp/new_grub.conf" cat $grubconf | \ awk -vpolicy=$policyfile \ @@ -343,7 +406,59 @@ echo "Could not create temporary file! Aborting." exit -1 fi - mv -f $tmpfile $grubconf + diff $tmpfile $grubconf > /dev/null + RES=$? + if [ "$RES" == "0" ]; then + echo "No changes were made to $grubconf." + else + echo "Successfully updated $grubconf." + mv -f $tmpfile $grubconf + fi +} + + +#Compile a policy into its binary representation +# Parameters: +# 1st: The directory where the ./policies directory is located at +# 2nd: The name of the policy +genBinPolicy () +{ + local root=$1 + local policy=$2 + pushd $root > /dev/null + xensec_xml2bin -d policies $policy > /dev/null + popd > /dev/null +} + + +# Copy the bootpolicy into the destination directory +# Generate the policy's .bin and .map files if necessary +# Parameters: +# 1st: Destination directory +# 2nd: The root directory of the security tools; this is where the +# policies directory is located at +# 3rd: The policy name +# Returns '1' on success, '0' on failure. +cpBootPolicy () +{ + local dest=$1 + local root=$2 + local policy=$3 + local binfile=$root/policies/$policy/$policy.bin + local dstfile=$dest/$policy.bin + if [ ! -e $binfile ]; then + genBinPolicy $root $policy + if [ ! -e $binfile ]; then + echo "Could not compile policy '$policy'." + return 0 + fi + fi + + if [ ! -e $dstfile -o \ + $binfile -nt $dstfile ]; then + cp -f $binfile $dstfile + fi + return 1 } @@ -352,7 +467,11 @@ # 1st: Full or relative path to the policy's mapfile showLabels () { - mapfile=$1 + local mapfile=$1 + local line + local ITEM + local found=0 + if [ ! -r "$mapfile" -o "$mapfile" == "" ]; then echo "Cannot read from vm configuration file $vmfile." return -1 
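Review bot: `updateGrub` keeps writing to the fixed name `/tmp/new_grub.conf` and then moves that file over grub.conf; the commit only adds `local` to the assignment. A predictable name in a world-writable directory is unsafe for a script run as root, because another local user can pre-create or replace the file and two concurrent runs overwrite each other. Create it with `tmpfile=$(mktemp "$grubconf.XXXXXX") || exit 1`, which also keeps the final `mv` on one filesystem. The new "No changes were made" branch in the next hunk should remove the temporary file, which it currently leaves behind. `relabel` has the same pattern with `/tmp/__setlabel.tmp1` and `/tmp/__setlabel.tmp2`.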
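Review bot: `cpBootPolicy` returns 1 (success) even when `cp -f $binfile $dstfile` fails, so a caller would go on to reference a policy file in grub.conf that was never copied. End the copy with `cp -f "$binfile" "$dstfile" || return 0`. In `genBinPolicy`, a failed `pushd $root` is not detected either, so `xensec_xml2bin -d policies` would then run in the caller's directory and `popd` would pop an unrelated entry; `pushd "$root" > /dev/null || return` guards that. Redirecting the tool's output to /dev/null also hides the validation errors an operator needs to see when compilation fails.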
@@ -417,8 +536,8 @@ # 2nd: the name of the policy getDefaultSsid () { - mapfile=$1 - pol=$2 + local mapfile=$1 + local pol=$2 RES=`cat $mapfile \ awk -vpol=$pol \ { \ @@ -446,10 +565,13 @@ # other : Prompts the user whether to proceed relabel () { - vmfile=$1 - label=$2 - mapfile=$3 - mode=$4 + local vmfile=$1 + local label=$2 + local mapfile=$3 + local mode=$4 + local SSIDLO + local SSIDHI + local RES if [ ! -r "$vmfile" ]; then echo "Cannot read from vm configuration file $vmfile." @@ -556,8 +678,8 @@ fi #Write the output - vmtmp1="/tmp/__setlabel.tmp1" - vmtmp2="/tmp/__setlabel.tmp2" + local vmtmp1="/tmp/__setlabel.tmp1" + local vmtmp2="/tmp/__setlabel.tmp2" touch $vmtmp1 touch $vmtmp2 if [ ! -w "$vmtmp1" -o ! -w "$vmtmp2" ]; then @@ -584,8 +706,10 @@ # 2nd: Full or relative path to the policy's mapfile translateSSIDREF () { - ssidref=$1 - mapfile=$2 + local ssidref=$1 + local mapfile=$2 + local line1 + local line2 if [ ! -r "$mapfile" -o "$mapfile" == "" ]; then echo "Cannot read from vm configuration file $vmfile." diff -r 3ab6a6c4b6ed -r 8aac8746047b tools/security/secpol_tool.c --- a/tools/security/secpol_tool.c Thu Dec 8 18:19:24 2005 +++ b/tools/security/secpol_tool.c Thu Dec 8 18:21:05 2005 @@ -44,12 +44,13 @@ void usage(char *progname) { - printf("Use: %s \n" + printf("Usage: %s ACTION\n" + "ACTION is one of:\n" "\t getpolicy\n" "\t dumpstats\n" "\t loadpolicy <binary policy file>\n" "\t getssid -d <domainid> [-f]\n" - "\t getssid -s <ssidref> [-f]\n", progname); + "\t getssid -s <ssidref> [-f]\n", progname); exit(-1); } @@ -85,6 +86,7 @@ if ((ret = do_xen_hypercall(xc_handle, &hypercall)) < 0) { + printf( "ACM operation failed: errno=%d\n", errno ); if (errno == EACCES) fprintf(stderr, "ACM operation failed -- need to" " rebuild the user-space tool set?\n"); diff -r 3ab6a6c4b6ed -r 8aac8746047b tools/security/secpol_xml2bin.c --- a/tools/security/secpol_xml2bin.c Thu Dec 8 18:19:24 2005 +++ b/tools/security/secpol_xml2bin.c Thu Dec 8 18:21:05 2005 
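Review bot: The added `printf( "ACM operation failed: errno=%d\n", errno )` in secpol_tool.c runs before the existing `if (errno == EACCES)` test, and a stdio call is allowed to modify errno, so the EACCES hint can be skipped or shown wrongly. The message also goes to stdout while the neighbouring diagnostics use stderr. Save the value first with `int saved_errno = errno;`, print with `fprintf(stderr, "ACM operation failed: errno=%d\n", saved_errno);` and compare `saved_errno` in the test. The enclosing function starts and ends outside the hunk.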
@@ -17,7 +17,7 @@ * sHype policy translation tool. This tool takes an XML * policy specification as input and produces a binary * policy file that can be loaded into Xen through the - * ACM operations (secpol_tool loadpolicy) interface or at + * ACM operations (xensec_tool loadpolicy) interface or at * boot time (grub module parameter) * * indent -i4 -kr -nut @@ -102,12 +102,22 @@ /* input/output file names */ char *policy_filename = NULL, *label_filename = NULL, - *binary_filename = NULL, *mapping_filename = NULL; + *binary_filename = NULL, *mapping_filename = NULL, + *schema_filename = NULL; void usage(char *prg) { - printf("usage:\n%s policyname[-policy.xml/-security_label_template.xml]\n", - prg); + printf("Usage: %s [OPTIONS] POLICYNAME\n", prg); + printf("POLICYNAME is the directory name within the policy directory\n"); + printf("that contains the policy files. The default policy directory\n"); + printf("is '%s' (see the '-d' option below to change it)\n", POLICY_DIR); + printf("The policy files contained in the POLICYNAME directory must be named:\n"); + printf("\tPOLICYNAME-security_policy.xml\n"); + printf("\tPOLICYNAME-security_label_template.xml\n\n"); + printf("OPTIONS:\n"); + printf("\t-d POLICYDIR\n"); + printf("\t\tUse POLICYDIR as the policy directory. This directory must contain\n"); + printf("\t\tthe policy schema file 'security_policy.xsd'\n"); exit(EXIT_FAILURE); } @@ -1237,7 +1247,7 @@ xmlSchemaParserCtxtPtr schemaparser_ctxt = NULL; xmlSchemaValidCtxtPtr schemavalid_ctxt = NULL; - schemaparser_ctxt = xmlSchemaNewParserCtxt(SCHEMA_FILENAME); + schemaparser_ctxt = xmlSchemaNewParserCtxt(schema_filename); schema_ctxt = xmlSchemaParse(schemaparser_ctxt); schemavalid_ctxt = xmlSchemaNewValidCtxt(schema_ctxt); 
@@ -1246,12 +1256,12 @@ if ((err = xmlSchemaIsValid(schemavalid_ctxt)) != 1) { printf("ERROR: Invalid schema file %s (err=%d)\n", - SCHEMA_FILENAME, err); + schema_filename, err); err = -EIO; goto out; } else - printf("XML Schema %s valid.\n", SCHEMA_FILENAME); + printf("XML Schema %s valid.\n", schema_filename); #endif if ((err = xmlSchemaValidateDoc(schemavalid_ctxt, doc))) { 
@@ -1275,37 +1285,59 @@ char *file_prefix; int prefix_len; + int opt_char; + char *policy_dir = POLICY_DIR; + if (ACM_POLICY_VERSION != WRITTEN_AGAINST_ACM_POLICY_VERSION) { printf("ERROR: This program was written against an older ACM version.\n"); exit(EXIT_FAILURE); } - if (argc != 2) + while ((opt_char = getopt(argc, argv, "d:")) != -1) { + switch (opt_char) { + case 'd': + policy_dir = malloc(strlen(optarg) + 2); // null terminator and possibly "/" + if (!policy_dir) { + printf("ERROR allocating directory name memory.\n"); + exit(EXIT_FAILURE); + } + strcpy(policy_dir, optarg); + if (policy_dir[strlen(policy_dir) - 1] != '/') + strcat(policy_dir, "/"); + break; + + default: + usage(basename(argv[0])); + } + } + + if ((argc - optind) != 1) usage(basename(argv[0])); - prefix_len = strlen(POLICY_SUBDIR) + - strlen(argv[1]) + 1 /* "/" */ + - strlen(argv[1]) + 1 /* "/" */ ; + prefix_len = strlen(policy_dir) + + strlen(argv[optind]) + 1 /* "/" */ + + strlen(argv[optind]) + 1 /* null terminator */ ; file_prefix = malloc(prefix_len); policy_filename = malloc(prefix_len + strlen(POLICY_EXTENSION)); label_filename = malloc(prefix_len + strlen(LABEL_EXTENSION)); binary_filename = malloc(prefix_len + strlen(BINARY_EXTENSION)); mapping_filename = malloc(prefix_len + strlen(MAPPING_EXTENSION)); + schema_filename = malloc(strlen(policy_dir) + strlen(SCHEMA_FILENAME) + 1); if (!file_prefix || !policy_filename || !label_filename || - !binary_filename || !mapping_filename) + !binary_filename || !mapping_filename || !schema_filename) { printf("ERROR allocating file name memory.\n"); goto out2; } /* create input/output filenames out of prefix */ - strcat(file_prefix, POLICY_SUBDIR); - strcat(file_prefix, argv[1]); + strcpy(file_prefix, policy_dir); + strcat(file_prefix, argv[optind]); strcat(file_prefix, "/"); - strcat(file_prefix, argv[1]); + strcat(file_prefix, argv[optind]); strcpy(policy_filename, file_prefix); strcpy(label_filename, file_prefix); 
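Review bot: An empty `-d` argument makes `policy_dir[strlen(policy_dir) - 1]` read one byte before the allocation, because `strlen` is 0 at that point. Reject it before the copy, for example `if (optarg[0] == '\0') usage(basename(argv[0]));`. Separately, `argv[optind]` is pasted into the path unchecked, so a policy name containing `/` or `..` resolves to files outside the policy directory; if that is not intended, rejecting names where `strchr(argv[optind], '/')` is non-NULL would match the usage text's "directory name within the policy directory". main() starts and ends outside the hunk.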
@@ -1317,11 +1349,14 @@ strcat(binary_filename, BINARY_EXTENSION); strcat(mapping_filename, MAPPING_EXTENSION); + strcpy(schema_filename, policy_dir); + strcat(schema_filename, SCHEMA_FILENAME); + labeldoc = xmlParseFile(label_filename); if (labeldoc == NULL) { - printf("Error: could not parse file %s.\n", argv[1]); + printf("Error: could not parse file %s.\n", argv[optind]); goto out2; } @@ -1337,7 +1372,7 @@ if (policydoc == NULL) { - printf("Error: could not parse file %s.\n", argv[1]); + printf("Error: could not parse file %s.\n", argv[optind]); goto out1; } diff -r 3ab6a6c4b6ed -r 8aac8746047b tools/security/secpol_xml2bin.h --- a/tools/security/secpol_xml2bin.h Thu Dec 8 18:19:24 2005 +++ b/tools/security/secpol_xml2bin.h Thu Dec 8 18:21:05 2005 @@ -12,7 +12,7 @@ * License. * */ -#define POLICY_SUBDIR "policies/" +#define POLICY_DIR "/etc/xen/acm-security/policies/" #define POLICY_EXTENSION "-security_policy.xml" #define LABEL_EXTENSION "-security_label_template.xml" #define BINARY_EXTENSION ".bin" @@ -20,7 +20,7 @@ #define PRIMARY_COMPONENT_ATTR_NAME "order" #define BOOTSTRAP_LABEL_ATTR_NAME "bootstrap" #define PRIMARY_COMPONENT "PrimaryPolicyComponent" -#define SCHEMA_FILENAME "policies/security_policy.xsd" +#define SCHEMA_FILENAME "security_policy.xsd" /* basic states (used as 1 << X) */ #define XML2BIN_SECPOL 0 /* policy tokens */ diff -r 3ab6a6c4b6ed -r 8aac8746047b tools/security/setlabel.sh --- a/tools/security/setlabel.sh Thu Dec 8 18:19:24 2005 +++ b/tools/security/setlabel.sh Thu Dec 8 18:21:05 2005 
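Review bot: Both parse-failure messages print `argv[optind]`, the policy name, although the text says "could not parse file". The first check follows `xmlParseFile(label_filename)`, so `printf("Error: could not parse file %s.\n", label_filename);` is the useful form there. The second presumably belongs to the policy file, whose parse call is outside the hunk. With the new `-d` option the full path is what tells the operator which directory was actually searched.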
@@ -35,33 +35,29 @@ fi export PATH=$PATH:. -source labelfuncs.sh +dir=`dirname $0` +source $dir/labelfuncs.sh usage () { + prg=`basename $0` echo "Use this tool to put the ssidref corresponding to a label of a policy into the VM configuration file, or use it to display all labels of a policy. -Usage: $0 [Option] <vmfile> <label> [<policy name>] - or $0 -l [<policy name>] +Usage: $prg [-r] <vmfile> <label> [<policy name> [<policy dir>]] or + $prg -l [<policy name> [<policy dir>]] -Valid options are: -r : to relabel a file without being prompted - +-l : to show the valid labels in a map file vmfile : XEN vm configuration file; give complete path label : the label to map to an ssidref policy name : the name of the policy, i.e. 'chwall' If the policy name is omitted, it is attempted to find the current policy's name in grub.conf. - --l [<policy name>] is used to show valid labels in the map file of - the given or current policy. If the policy name - is omitted, it will be tried to determine the - current policy from grub.conf (/boot/grub/grub.conf) - +policy dir : the directory where the <policy name> policy is located + The default location is '/etc/xen/acm-security/policies' " } - if [ "$1" == "-r" ]; then mode="relabel" 
@@ -69,68 +65,42 @@ elif [ "$1" == "-l" ]; then mode="show" shift -elif [ "$1" == "-?" ]; then +elif [ "$1" == "-h" ]; then mode="usage" fi -if [ "$mode" == "show" ]; then - if [ "$1" == "" ]; then - findGrubConf - ret=$? - if [ $ret -eq 0 ]; then - echo "Could not find grub.conf" - exit -1; - fi - findPolicyInGrub $grubconf - if [ "$policy" != "" ]; then - echo "Assuming policy to be '$policy'."; - else - echo "Could not find policy." - exit -1; - fi - else - policy=$1; +if [ "$mode" == "usage" ]; then + usage +elif [ "$mode" == "show" ]; then + setPolicyVars $1 $2 + ret=$? + if [ $ret -eq 0 ]; then + echo "Error when trying to find policy-related information." + exit -1 fi - - - findMapFile $policy - res=$? - if [ "$res" != "0" ]; then - showLabels $mapfile - else + findMapFile $policy $policydir + ret=$? + if [ $ret -eq 0 ]; then echo "Could not find map file for policy '$policy'." + exit -1 fi -elif [ "$mode" == "usage" ]; then - usage + showLabels $mapfile else if [ "$2" == "" ]; then usage exit -1 fi - if [ "$3" == "" ]; then - findGrubConf - ret=$? - if [ $ret -eq 0 ]; then - echo "Could not find grub.conf" - exit -1; - fi - findPolicyInGrub $grubconf - if [ "$policy" != "" ]; then - echo "Assuming policy to be '$policy'."; - else - echo "Could not find policy." - exit -1; - fi - - else - policy=$3; + setPolicyVars $3 $4 + ret=$? + if [ $ret -eq 0 ]; then + echo "Error when trying to find policy-related information." + exit -1 fi - findMapFile $policy - res=$? - if [ "$res" != "0" ]; then - relabel $1 $2 $mapfile $mode - else - echo "Could not find map file for policy '$3'." + findMapFile $policy $policydir + ret=$? + if [ $ret -eq 0 ]; then + echo "Could not find map file for policy '$policy'." + exit -1 fi - + relabel $1 $2 $mapfile $mode fi diff -r 3ab6a6c4b6ed -r 8aac8746047b tools/security/updategrub.sh --- a/tools/security/updategrub.sh Thu Dec 8 18:19:24 2005 +++ b/tools/security/updategrub.sh Thu Dec 8 18:21:05 2005 
@@ -22,166 +22,49 @@ exit fi +dir=`dirname $0` +source $dir/labelfuncs.sh + +acmroot=$ACM_DEFAULT_ROOT + # Show usage of this program usage () { + prg=`basename $0` echo "Use this tool to add the binary policy to the Xen grub entry and have Xen automatically enforce the policy when starting. -Usage: $0 <policy name> <root of xen repository> +Usage: $prg [-d <policies root>] <policy name> [<kernel version>] -<policy name> : The name of the policy, i.e. xen_null -<root of xen repository> : The root of the XEN repository. Give - complete path. - +<policies root> : The directory where the policies directory is located in; + default is $acmroot +<policy name> : The name of the policy, i.e. xen_null +<kernel version> : The version of the kernel to apply the policy + against, i.e. 2.6.12.6-xen0 + If not specified, a kernel version ending with '-xen0' + will be searched for in '/lib/modules' " } -# This function sets the global variable 'linux' -# to the name of the linux kernel that was compiled -# For now a pattern should do the trick -getLinuxVersion () -{ - path=$1 - linux="" - for f in $path/linux-*-xen0 ; do - versionfile=$f/include/linux/version.h - if [ -r $versionfile ]; then - lnx=`cat $versionfile | \ - grep UTS_RELEASE | \ - awk '{ \ - len=length($3); \ - version=substr($3,2,len-2); \ - split(version,numbers,"."); \ - if (numbers[4]=="") { \ - printf("%s.%s.%s", \ - numbers[1], \ - numbers[2], \ - numbers[3]); \ - } else { \ - printf("%s.%s.%s[.0-9]*-xen0",\ - numbers[1], \ - numbers[2], \ - numbers[3]); \ - } \ - }'` - fi - if [ "$lnx" != "" ]; then - linux="[./0-9a-zA-z]*$lnx" - return; - fi - done - - #Last resort. - linux="vmlinuz-2.[45678].[0-9]*[.0-9]*-xen0$" -} - -#Return where the grub.conf file is. -#I only know of one place it can be. -findGrubConf() -{ - grubconf="/boot/grub/grub.conf" - if [ -w $grubconf ]; then - return 1 - fi - return 0 -} -#Update the grub configuration file. 
-#Search for existing entries and replace the current -#policy entry with the policy passed to this script -# -#Arguments passed to this function -# 1st : the grub configuration file -# 2nd : the binary policy file name -# 3rd : the name or pattern of the linux kernel name to match -# -# The algorithm here is based on pattern matching -# and is working correctly if -# - under a title a line beginning with 'kernel' is found -# whose following item ends with "xen.gz" -# Example: kernel /xen.gz dom0_mem=.... -# - a module line matching the 3rd parameter is found -# -updateGrub () -{ - grubconf=$1 - policyfile=$2 - linux=$3 +if [ "$1" == "-h" ]; then + usage + exit 0 +elif [ "$1" == "-d" ]; then + shift + acmroot=$1 + shift +fi - tmpfile="/tmp/new_grub.conf" - - cat $grubconf | \ - awk -vpolicy=$policyfile \ - -vlinux=$linux '{ \ - if ( $1 == "title" ) { \ - kernelfound = 0; \ - if ( policymaycome == 1 ){ \ - printf ("\tmodule %s%s\n", path, policy); \ - } \ - policymaycome = 0; \ - } \ - else if ( $1 == "kernel" ) { \ - if ( match($2,"xen.gz$") ) { \ - path=substr($2,1,RSTART-1); \ - kernelfound = 1; \ - } \ - } \ - else if ( $1 == "module" && \ - kernelfound == 1 && \ - match($2,linux) ) { \ - policymaycome = 1; \ - } \ - else if ( $1 == "module" && \ - kernelfound == 1 && \ - policymaycome == 1 && \ - match($2,"[0-9a-zA-Z]*.bin$") ) { \ - printf ("\tmodule %s%s\n", path, policy); \ - policymaycome = 0; \ - kernelfound = 0; \ - dontprint = 1; \ - } \ - else if ( $1 == "" && \ - kernelfound == 1 && \ - policymaycome == 1) { \ - dontprint = 1; \ - } \ - if (dontprint == 0) { \ - printf ("%s\n", $0); \ - } \ - dontprint = 0; \ - } END { \ - if ( policymaycome == 1 ) { \ - printf ("\tmodule %s%s\n", path, policy); \ - } \ - }' > $tmpfile - if [ ! -r $tmpfile ]; then - echo "Could not create temporary file! Aborting." - exit -1 - fi - diff $tmpfile $grubconf > /dev/null - RES=$? - if [ "$RES" == "0" ]; then - echo "No changes were made to $grubconf." 
- else - echo "Successfully updated $grubconf." - mv -f $tmpfile $grubconf - fi -} - -if [ "$1" == "" -o "$2" == "" ]; then +if [ "$1" == "" ]; then echo "Error: Not enough command line parameters." echo "" usage exit -1 fi -if [ "$1" == "-?" ]; then - usage - exit 0 -fi policy=$1 policyfile=$policy.bin @@ -189,10 +72,19 @@ getLinuxVersion $2 findGrubConf -ERR=$? -if [ $ERR -eq 0 ]; then - echo "Could not find grub.conf. Aborting." +ret=$? +if [ $ret -eq 0 ]; then + echo "Could not find grub.conf." + exit -1 +elif [ $ret -eq 2 ]; then + echo "Need to have write-access to $grubconf. Exiting." exit -1 fi +cpBootPolicy /boot $acmroot $policy +ret=$? +if [ $ret -ne 1 ]; then + echo "Error copying or generating the binary policy." + exit -1 +fi updateGrub $grubconf $policyfile $linux _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-changelog