Index: root/xen-unstable.hg/tools/security/Makefile =================================================================== --- root.orig/xen-unstable.hg/tools/security/Makefile +++ root/xen-unstable.hg/tools/security/Makefile @@ -1,16 +1,19 @@ XEN_ROOT = ../.. include $(XEN_ROOT)/tools/Rules.mk -SRCS = secpol_tool.c CFLAGS += -Wall CFLAGS += -Werror CFLAGS += -O3 CFLAGS += -fno-strict-aliasing -CFLAGS += -I. -I/usr/include/libxml2 -CFLAGS_XML2BIN += $(shell xml2-config --cflags --libs ) -#if above does not work, try -L/usr/lib -lxml2 -lz -lpthread -lm +CFLAGS += -I. + +CPPFLAGS += -MMD -MF .$*.d +PROG_DEPS = .*.d + XML2VERSION = $(shell xml2-config --version ) -VALIDATE_SCHEMA=$(shell if [[ $(XML2VERSION) < 2.6.20 ]]; then echo ""; else echo "-DVALIDATE_SCHEMA"; fi; ) +CFLAGS += $(shell xml2-config --cflags ) +CFLAGS += $(shell if [[ $(XML2VERSION) < 2.6.20 ]]; then echo ""; else echo "-DVALIDATE_SCHEMA"; fi ) +LDFLAGS += $(shell xml2-config --libs ) # if this does not work, try -L/usr/lib -lxml2 -lz -lpthread -lm ifeq ($(ACM_DEFAULT_SECURITY_POLICY),ACM_NULL_POLICY) POLICY=null 
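Review bot: The version gate on the new `CFLAGS += $(shell if [[ $(XML2VERSION) < 2.6.20 ]]; ...)` line decides whether `-DVALIDATE_SCHEMA` is compiled in, but inside `[[ ]]` the `<` operator is a bash-only lexicographic string comparison. A libxml2 version such as 2.10.x sorts below 2.6.20 as a string, so schema validation of policy files would be silently compiled out on a newer library. Under a plain /bin/sh the test fails for an unrelated reason and the else branch is taken (Rules.mk is not visible here, so the shell in use is unknown). A numeric check such as `CFLAGS += $(shell pkg-config --atleast-version=2.6.20 libxml-2.0 && echo -DVALIDATE_SCHEMA)` avoids both problems. Assigning `XML2VERSION` with `:=` would also stop `xml2-config` being re-run on every expansion.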
@@ -24,48 +27,71 @@ endif ifeq ($(ACM_DEFAULT_SECURITY_POLICY),ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY) POLICY=chwall_ste endif -POLICYFILE=./policies/$(POLICY)/$(POLICY).bin + +SRCS_TOOL = secpol_tool.c +OBJS_TOOL := $(patsubst %.c,%.o,$(filter %.c,$(SRCS_TOOL))) +SRCS_XML2BIN = secpol_xml2bin.c secpol_xml2bin.h +OBJS_XML2BIN := $(patsubst %.c,%.o,$(filter %.c,$(SRCS_XML2BIN))) +SRCS_GETD = get_decision.c +OBJS_GETD := $(patsubst %.c,%.o,$(filter %.c,$(SRCS_GETD))) + +ACM_INST_TOOLS = xensec_tool xensec_xml2bin +ACM_NOINST_TOOLS = get_decision +ACM_OBJS = $(OBJS_TOOL) $(OBJS_XML2BIN) $(OBJS_GETD) +ACM_SCRIPTS = getlabel.sh setlabel.sh updategrub.sh labelfuncs.sh + +ACM_CONFIG_DIR = /etc/xen/acm-security +ACM_POLICY_DIR = $(ACM_CONFIG_DIR)/policies +ACM_SCRIPT_DIR = $(ACM_CONFIG_DIR)/scripts + +ACM_SCHEMA = security_policy.xsd +ACM_EXAMPLES = null chwall ste chwall_ste +ACM_POLICY_SUFFIX = security_policy.xml +ACM_LABEL_SUFFIX = security_label_template.xml ifeq ($(ACM_SECURITY),y) all: build -install:all - -default:all +install: all $(ACM_CONFIG_FILE) + $(INSTALL_DIR) -p $(DESTDIR)/usr/sbin + $(INSTALL_PROG) -p $(ACM_INST_TOOLS) $(DESTDIR)/usr/sbin + $(INSTALL_DIR) -p $(DESTDIR)$(ACM_CONFIG_DIR) + $(INSTALL_DIR) -p $(DESTDIR)$(ACM_POLICY_DIR) + $(INSTALL_DATA) -p policies/$(ACM_SCHEMA) $(DESTDIR)$(ACM_POLICY_DIR) + for i in $(ACM_EXAMPLES); do \ + $(INSTALL_DIR) -p $(DESTDIR)$(ACM_POLICY_DIR)/$$i; \ + $(INSTALL_DATA) -p policies/$$i/$$i-$(ACM_POLICY_SUFFIX) $(DESTDIR)$(ACM_POLICY_DIR)/$$i; \ + $(INSTALL_DATA) -p policies/$$i/$$i-$(ACM_LABEL_SUFFIX) $(DESTDIR)$(ACM_POLICY_DIR)/$$i; \ + done + $(INSTALL_DIR) -p $(DESTDIR)$(ACM_SCRIPT_DIR) + $(INSTALL_PROG) -p $(ACM_SCRIPTS) $(DESTDIR)$(ACM_SCRIPT_DIR) else all: install: - -default: endif -build: mk-symlinks - $(MAKE) secpol_tool - $(MAKE) secpol_xml2bin - $(MAKE) get_decision - chmod 700 ./setlabel.sh - chmod 700 ./updategrub.sh - chmod 700 ./getlabel.sh - -secpol_tool : secpol_tool.c - $(CC) $(CPPFLAGS) 
$(CFLAGS) -o $@ $< +build: mk-symlinks $(ACM_INST_TOOLS) $(ACM_NOINST_TOOLS) + chmod 700 $(ACM_SCRIPTS) -secpol_xml2bin : secpol_xml2bin.c secpol_xml2bin.h - $(CC) $(CPPFLAGS) $(CFLAGS) $(CFLAGS_XML2BIN) $(VALIDATE_SCHEMA) -o $@ $< +xensec_tool: $(OBJS_TOOL) + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< -clean: - rm -rf secpol_tool secpol_xml2bin xen get_decision +xensec_xml2bin: $(OBJS_XML2BIN) + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< -policy_clean: - rm -rf policies/*/*.bin policies/*/*.map +get_decision: $(OBJS_GETD) + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< -mrproper: clean policy_clean +clean: + $(RM) $(ACM_INST_TOOLS) $(ACM_NOINST_TOOLS) + $(RM) $(ACM_OBJS) + $(RM) $(PROG_DEPS) + $(RM) -r xen +mrproper: clean -$(POLICYFILE) : build - @./secpol_xml2bin $(POLICY) > /dev/null +boot_install: install + $(ACM_SCRIPT_DIR)/updategrub.sh $(POLICY) $(KERNEL_VERSION) -boot_install: $(POLICYFILE) - @cp $(POLICYFILE) /boot - @./updategrub.sh $(POLICY) $(PWD)/$(XEN_ROOT) +-include $(PROG_DEPS) Index: root/xen-unstable.hg/tools/security/example.txt =================================================================== --- root.orig/xen-unstable.hg/tools/security/example.txt +++ root/xen-unstable.hg/tools/security/example.txt 
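Review bot: `boot_install` runs `$(ACM_SCRIPT_DIR)/updategrub.sh` from the absolute path /etc/xen/acm-security/scripts, without `$(DESTDIR)`, and the rule sits outside the `ifeq ($(ACM_SECURITY),y)` block. With a staged install, or with ACM_SECURITY disabled (where `install:` is empty), the target executes whatever script already exists at that path on the build host, normally as root, and that script presumably edits grub.conf. I would move the rule inside the conditional and make it refuse to run when `DESTDIR` is non-empty. Separately, `install` lists `$(ACM_CONFIG_FILE)`, which is not defined in the visible hunks, and the three link rules use `$<` where `$^` would survive a second object file.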
@@ -9,23 +9,23 @@ # and to label domains and resources. ## -We will show how to install and use the chwall_ste policy. +We will show how to install and use the example chwall_ste policy. Other policies work similarly. Feedback welcome! -1. Using secpol_xml2bin to translate the chwall_ste policy: +1. Using xensec_xml2bin to translate the chwall_ste policy: =========================================================== -#tools/security/secpol_xml2bin chwall_ste +#xensec_xml2bin chwall_ste Successful execution should print: - [root@laptopxn security]# ./secpol_xml2bin chwall_ste - Validating label file policies/chwall_ste/chwall_ste-security_label_template.xml... - XML Schema policies/security_policy.xsd valid. - Validating policy file policies/chwall_ste/chwall_ste-security_policy.xml... - XML Schema policies/security_policy.xsd valid. + [root@laptopxn security]# xensec_xml2bin chwall_ste + Validating label file /etc/xen/acm-security/policies/chwall_ste/chwall_ste-security_label_template.xml... + XML Schema /etc/xen/acm-security/policies/security_policy.xsd valid. + Validating policy file /etc/xen/acm-security/policies/chwall_ste/chwall_ste-security_policy.xml... + XML Schema /etc/xen/acm-security/policies/security_policy.xsd valid. Creating ssid mappings ... Creating label mappings ... Max chwall labels: 7 
@@ -35,10 +35,15 @@ Successful execution should print: Max ste-types: 6 Max ste-ssids: 10 -The tool looks in directory policies/chwall_ste for +By default, the tool looks in directory /etc/xen/acm-security/policies +for a directory that matches the policy name (i.e. chwall_ste) to find the label and policy files. +The '-d' option can be used to override the /etc/xen/acm-security/policies +directory, for example if running the tool in the Xen security tool build +directory. -The default policy directory structure under tools/security looks like: +The default policy directory structure under /etc/xen/acm-security (and +the Xen security tool build directory - tools/security) looks like: policies |-- security_policy.xsd 
@@ -55,25 +60,25 @@ policies |-- ste-security_label_template.xml `-- ste-security_policy.xml -policies/security_policy.xsd contains the schema against which both the +The security_policy.xsd file contains the schema against which both the label-template and the policy files must validate during translation. -policies/chwall_ste/chwall_ste-security_policy.xml defines the -policies and the types known to the policies. +The files ending in -security_policy.xml define the policies and the +types known to the policies. -policies/chwall_ste/chwall_ste-security_label_template.xml contains -label definitions that group chwall and ste types together and make -them easier to use for users - -After executing the above secpol_xml2bin command, you will find 2 new -files in the policies/chwall_ste sub-directory: - -policies/chwall_ste/chwall_ste.map ... this file includes the mapping -of names from the xml files into their binary code representation. - -policies/chwall_ste/chwall_ste.bin ... this is the binary policy file, -the result of parsing the xml files and using the mapping to extract a -binary version that can be loaded into the hypervisor. +The files ending in -security_label_template.xml contain the label +definitions that group types together and make them easier to use for +users. + +After executing the above xensec_xml2bin command, you will find 2 new +files in the /etc/xen/acm-security/policies/chwall_ste sub-directory: + + chwall_ste.map ... this file includes the mapping + of names from the xml files into their binary code representation. + + chwall_ste.bin ... this is the binary policy file, + the result of parsing the xml files and using the mapping to extract a + binary version that can be loaded into the hypervisor. 
@@ -85,13 +90,13 @@ please refer to install.txt for instruct To activate the policy from the command line (assuming that the currently established policy is the minimal boot-policy that is -hard-coded into the hypervisor: +hard-coded into the hypervisor): -# ./secpol_tool loadpolicy policies/chwall_ste/chwall_ste.bin +# xensec_tool loadpolicy /etc/xen/acm-security/policies/chwall_ste/chwall_ste.bin To activate the policy at next reboot: -# cp policies/chwall_ste/chwall_ste.bin /boot +# cp /etc/xen/acm-security/policies/chwall_ste/chwall_ste.bin /boot Add a module line to your /boot/grub/grub.conf Xen entry. My boot entry with chwall_ste enabled looks like this: @@ -129,12 +134,12 @@ assign labels to user domains. To show available labels for the chwall_ste policy: -#tools/security/setlabel.sh -l +# /etc/xen/acm-security/scripts/setlabel.sh -l lists all available labels. For the default chwall_ste it should print the following: - [root@laptopxn security]# ./setlabel.sh -l chwall_ste + [root@laptopxn security]# /etc/xen/acm-security/scripts/setlabel.sh -l chwall_ste The following labels are available: dom_SystemManagement dom_HomeBanking @@ -156,8 +161,8 @@ Setlabel.sh only prints VM labels (which since only those are used at this time. If you would like to assign the dom_HomeBanking label to one of your -user domains (which you hopefully keep clean), look at an example -domain configuration homebanking.xm: +user domains (which you hopefully keep clean), look at the hypothetical +domain configuration contained in /etc/xen/homebanking.xm: #------HOMEBANKING--------- kernel = "/boot/vmlinuz-2.6.12-xenU" 
@@ -172,7 +177,7 @@ domain configuration homebanking.xm: Now we label this domain -[root@laptopxn security]# ./setlabel.sh homebanking.xm dom_HomeBanking chwall_ste +[root@laptopxn security]# /etc/xen/acm-securit/scripts/setlabel.sh /etc/xen/homebanking.xm dom_HomeBanking chwall_ste Mapped label 'dom_HomeBanking' to ssidref '0x00020002'. The domain configuration my look now like: @@ -223,9 +228,8 @@ because of the defined conflict set cw_Distrusted -(in policies/chwall_ste/chwall_ste-security_policy.xml), which says -that only one of the types cw_sensitive and cw_Distrusted can run at a -time. +(in chwall_ste-security_policy.xml), which says that only one of the +types cw_Sensitive and cw_Distrusted can run at a time. If you save or shutdown the HomeBanking domain, you will be able to start the "Fun" domain. You can look into the Xen log to see if a 
@@ -255,15 +259,15 @@ a) the policy definition (types etc.) fi b) the label template definition (labels etc.) file If your policy name is "mypolicy", you need to create a -subdirectory mypolicy in tools/security/policies. +subdirectory mypolicy in /etc/xen/acm-security/policies. Then you create -tools/security/policies/mypolicy/mypolicy-security_policy.xml and -tools/security/policies/mypolicy/mypolicy-security_label_template.xml. +/etc/xen/acm-security/policies/mypolicy/mypolicy-security_policy.xml and +/etc/xen/acm-security/policies/mypolicy/mypolicy-security_label_template.xml. You need to keep to the schema as defined in -tools/security/security_policy.xsd since the translation tool -secpol_xml2bin is written against this schema. +/etc/xen/acm-security/security_policy.xsd since the translation tool +xensec_xml2bin is written against this schema. If you keep to the security policy schema, then you can use all the tools described above. Refer to install.txt to install it. Index: root/xen-unstable.hg/tools/security/getlabel.sh =================================================================== --- root.orig/xen-unstable.hg/tools/security/getlabel.sh +++ root/xen-unstable.hg/tools/security/getlabel.sh 
@@ -32,20 +32,24 @@ fi export PATH=$PATH:. -source labelfuncs.sh +dir=`dirname $0` +source $dir/labelfuncs.sh usage () { + prg=`basename $0` echo "Use this tool to display the label of a domain or the label that is corresponding to an ssidref given the name of the running policy. -Usage: $0 -sid [] or - $0 -dom [] +Usage: $prg -sid [ []] or + $prg -dom [ []] policy name : the name of the policy, i.e. 'chwall' If the policy name is omitted, the grub.conf entry of the running system is tried to be read and the policy name determined from there. +policy dir : the directory where the policy is located + The default location is '/etc/xen/acm-security/policies' ssidref : an ssidref in hex or decimal format, i.e., '0x00010002' or '65538' domid : id of the domain, i.e., '1'; Use numbers from the 2nd 
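Review bot: getlabel.sh still appends `.` to the search path (`export PATH=$PATH:.`, the context line above the new `source`), although after this change it is meant to be run from /etc/xen/acm-security/scripts rather than from the build directory. Any helper not found earlier in PATH, such as `xensec_tool`, is then resolved from whatever directory root happens to be working in. Since the tools are now installed to /usr/sbin, I would drop the `:.` here, in setlabel.sh, and in `getSSIDUsingSecpolTool` in labelfuncs.sh. The new lines should also quote the script path: `dir=$(dirname "$0")` and `source "$dir/labelfuncs.sh"`.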
@@ -55,79 +59,36 @@ domid : id of the domain, i.e., '1 -if [ "$1" == "-?" ]; then - mode="usage" +if [ "$1" == "-h" ]; then + usage + exit 0 elif [ "$1" == "-dom" ]; then mode="domid" shift elif [ "$1" == "-sid" ]; then mode="sid" shift -elif [ "$1" == "" ]; then +else usage exit -1 fi +setPolicyVars $2 $3 +findMapFile $policy $policydir +ret=$? +if [ $ret -eq 0 ]; then + echo "Could not find map file for policy '$policy'." + exit -1 +fi -if [ "$mode" == "usage" ]; then - usage -elif [ "$mode" == "domid" ]; then - if [ "$2" == "" ]; then - findGrubConf - ret=$? - if [ $ret -eq 0 ]; then - echo "Could not find grub.conf" - exit -1; - fi - findPolicyInGrub $grubconf - if [ "$policy" != "" ]; then - echo "Assuming policy to be '$policy'."; - else - echo "Could not find policy." - exit -1; - fi - else - policy=$2 +if [ "$mode" == "domid" ]; then + getSSIDUsingSecpolTool $1 + ret=$? + if [ $ret -eq 0 ]; then + echo "Could not determine the SSID of the domain." + exit -1 fi - findMapFile $policy - res=$? - if [ "$res" != "0" ]; then - getSSIDUsingSecpolTool $1 - res=$? - if [ "$res" != "0" ]; then - translateSSIDREF $ssid $mapfile - else - echo "Could not determine the SSID of the domain." - fi - else - echo "Could not find map file for policy '$policy'." - fi -elif [ "$mode" == "sid" ]; then - if [ "$2" == "" ]; then - findGrubConf - ret=$? - if [ $ret -eq 0 ]; then - echo "Could not find grub.conf" - exit -1; - fi - findPolicyInGrub $grubconf - if [ "$policy" != "" ]; then - echo "Assuming policy to be '$policy'."; - else - echo "Could not find policy." - exit -1; - fi - else - policy=$2 - fi - findMapFile $policy - res=$? - if [ "$res" != "0" ]; then - translateSSIDREF $1 $mapfile - else - echo "Could not find map file for policy '$policy'." 
- fi - -else - usage + translateSSIDREF $ssid $mapfile +else # mode == sid + translateSSIDREF $1 $mapfile fi Index: root/xen-unstable.hg/tools/security/install.txt =================================================================== --- root.orig/xen-unstable.hg/tools/security/install.txt +++ root/xen-unstable.hg/tools/security/install.txt @@ -41,11 +41,11 @@ exclusively (chwall_ste --> {chwall, ste # make manual steps (alternative to make boot_install): - #./secpol_xml2bin chwall_ste - #cp policies/chwall_ste/chwall_ste.bin /boot - #edit /boot/grub/grub.conf + # ./xensec_xml2bin -d policies/ chwall_ste + # cp policies/chwall_ste/chwall_ste.bin /boot + # edit /boot/grub/grub.conf add the follwoing line to your xen boot entry: - "module chwall_ste.bin" + "module /boot/chwall_ste.bin" alternatively, you can try our automatic translation and installation of the policy: @@ -61,9 +61,9 @@ exclusively (chwall_ste --> {chwall, ste 3. reboot into the newly compiled hypervisor after boot - #xm dmesg should show an entry about the policy being loaded + # xm dmesg should show an entry about the policy being loaded during the boot process - #tools/security/secpol_tool getpolicy + # xensec_tool getpolicy should print the new chwall_ste binary policy representation Index: root/xen-unstable.hg/tools/security/labelfuncs.sh =================================================================== --- root.orig/xen-unstable.hg/tools/security/labelfuncs.sh +++ root/xen-unstable.hg/tools/security/labelfuncs.sh 
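Review bot: In the getlabel.sh hunk (-55,79), the return value of `setPolicyVars $2 $3` is never checked, so when no policy can be determined the script carries on and calls `findMapFile` with an empty `$policy`. The failure is then caught only indirectly, and the user sees "Could not find map file for policy ''" after the real error message. Test it straight after the call, remembering that these helpers return 1 on success: `setPolicyVars "$2" "$3"; [ $? -eq 0 ] && exit 1`. `exit -1` is not a portable status either; `exit 1` says the same thing.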
@@ -17,10 +17,53 @@ # +#Some global variables for tools using this module +ACM_DEFAULT_ROOT="/etc/xen/acm-security" + +# Set the policy and policydir variables +# Parameters: +# 1st : possible policy name +# 2nd : possible policy directory +# Results: +# The variables policy and policydir will hold the values for locating +# policy information +# If there are no errors, the functions returns a '1', +# a '0' otherwise. +setPolicyVars () +{ + local ret + # Set default values + policydir="$ACM_DEFAULT_ROOT/policies" + policy="" + + if [ "$1" == "" ]; then + findGrubConf + ret=$? + if [ $ret -eq 0 ]; then + echo "Could not find grub.conf." + return 0; + fi + findPolicyInGrub $grubconf + if [ "$policy" == "" ]; then + echo "Could not find policy in grub.conf. Looked for entry using kernel $linux." + return 0; + fi + echo "Assuming policy to be '$policy'."; + else + policy=$1 + if [ "$2" != "" ]; then + policydir=$2 + fi + fi + + return 1 +} + # Find the mapfile given a policy nmame # Parameters: # 1st : the name of the policy whose map file is to be found, i.e., # chwall +# 2nd : the policy directory for locating the map file # Results: # The variable mapfile will hold the realtive path to the mapfile # for the given policy. @@ -28,16 +71,10 @@ # a '0' otherwise. findMapFile () { - mapfile="./$1.map" - if [ -r "$mapfile" ]; then - return 1 - fi - - mapfile="./policies/$1/$1.map" + mapfile="$2/$1/$1.map" if [ -r "$mapfile" ]; then return 1 fi - return 0 } @@ -50,7 +87,7 @@ findMapFile () # The variable primary will hold the name of the primary policy getPrimaryPolicy () { - mapfile=$1 + local mapfile=$1 primary=`cat $mapfile | \ awk ' \ { \ @@ -71,7 +108,7 @@ getPrimaryPolicy () # The variable secondary will hold the name of the secondary policy getSecondaryPolicy () { - mapfile=$1 + local mapfile=$1 secondary=`cat $mapfile | \ awk ' \ { \ 
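Review bot: In `setPolicyVars`, the message "Looked for entry using kernel $linux." reads a variable that this same patch makes `local` inside `findPolicyInGrub`, so it prints empty or a stale value left behind by `getLinuxVersion`. Either drop the kernel name from the message or have `findPolicyInGrub` export it under a distinct global name. In the `findMapFile` hunk, `mapfile="$2/$1/$1.map"` resolves to a path directly under `/` when the second argument is empty; a guard such as `[ -n "$2" ] || return 0` keeps the lookup inside a policy directory. The 1-on-success convention is documented, but it is the reverse of shell practice and makes `if setPolicyVars ...; then` read the wrong way round.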
@@ -86,6 +123,10 @@ getSecondaryPolicy () #Return where the grub.conf file is. #I only know of one place it can be. +#Returns: +# 1 : if the file is writeable and readable +# 2 : if the file is only readable +# 0 : if the file does not exist findGrubConf() { grubconf="/boot/grub/grub.conf" @@ -112,16 +153,37 @@ findGrubConf() # kernel, i.e., 'vmlinuz-2.6.12-xen0' getLinuxVersion () { - path=$1 + local path + local versionfile + local lnx + if [ "$1" == "" ]; then + path="/lib/modules/*-xen0" + else + path="/lib/modules/$1" + fi + linux="" for f in $path/linux-*-xen0 ; do - versionfile=$f/include/linux/version.h + versionfile=$f/build/include/linux/version.h if [ -r $versionfile ]; then lnx=`cat $versionfile | \ grep UTS_RELEASE | \ awk '{ \ len=length($3); \ - print substr($3,2,len-2) }'` + version=substr($3,2,len-2); \ + split(version,numbers,"."); \ + if (numbers[4]=="") { \ + printf("%s.%s.%s", \ + numbers[1], \ + numbers[2], \ + numbers[3]); \ + } else { \ + printf("%s.%s.%s[.0-9]*-xen0",\ + numbers[1], \ + numbers[2], \ + numbers[3]); \ + } \ + }'` fi if [ "$lnx" != "" ]; then linux="[./0-9a-zA-z]*$lnx" @@ -137,11 +199,12 @@ getLinuxVersion () # Find out with which policy the hypervisor was booted with. # Parameters # 1st : The complete path to grub.conf, i.e., /boot/grub/grub.conf -# +# Result: +# Sets the variable 'policy' to the name of the policy findPolicyInGrub () { - grubconf=$1 - linux=`uname -r` + local grubconf=$1 + local linux=`uname -r` policy=`cat $grubconf | \ awk -vlinux=$linux '{ \ if ( $1 == "title" ) { \ @@ -184,9 +247,9 @@ findPolicyInGrub () # The funtion returns '1' on success, '0' on failure getSSIDUsingSecpolTool () { - domid=$1 + local domid=$1 export PATH=$PATH:. - ssid=`secpol_tool getssid -d $domid -f | \ + ssid=`xensec_tool getssid -d $domid -f | \ grep -E "SSID:" | \ awk '{ print $4 }'` 
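Review bot: In `getLinuxVersion`, the search root changes to `/lib/modules/<version>`, but the loop on the context line still globs `$path/linux-*-xen0` beneath it before appending `build/include/linux/version.h`. On the usual module tree layout `build` sits directly under `/lib/modules/<version>`, so this glob would probably match nothing and `linux` would stay empty; please confirm against an installed system. If so, iterate over `$path` itself and have the caller treat an empty `linux` as an error instead of passing it to `updateGrub` as a pattern. The function body continues outside the hunk.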
@@ -206,7 +269,7 @@ getSSIDUsingSecpolTool () # high ssid values as integers. getSSIDLOHI () { - ssid=$1 + local ssid=$1 ssidlo_int=`echo $ssid | awk \ '{ \ len=length($0); \ @@ -289,11 +352,11 @@ getSSIDLOHI () # updateGrub () { - grubconf=$1 - policyfile=$2 - linux=$3 + local grubconf=$1 + local policyfile=$2 + local linux=$3 - tmpfile="/tmp/new_grub.conf" + local tmpfile="/tmp/new_grub.conf" cat $grubconf | \ awk -vpolicy=$policyfile \ @@ -343,7 +406,59 @@ updateGrub () echo "Could not create temporary file! Aborting." exit -1 fi - mv -f $tmpfile $grubconf + diff $tmpfile $grubconf > /dev/null + RES=$? + if [ "$RES" == "0" ]; then + echo "No changes were made to $grubconf." + else + echo "Successfully updated $grubconf." + mv -f $tmpfile $grubconf + fi +} + + +#Compile a policy into its binary representation +# Parameters: +# 1st: The directory where the ./policies directory is located at +# 2nd: The name of the policy +genBinPolicy () +{ + local root=$1 + local policy=$2 + pushd $root > /dev/null + xensec_xml2bin -d policies $policy > /dev/null + popd > /dev/null +} + + +# Copy the bootpolicy into the destination directory +# Generate the policy's .bin and .map files if necessary +# Parameters: +# 1st: Destination directory +# 2nd: The root directory of the security tools; this is where the +# policies directory is located at +# 3rd: The policy name +# Returns '1' on success, '0' on failure. +cpBootPolicy () +{ + local dest=$1 + local root=$2 + local policy=$3 + local binfile=$root/policies/$policy/$policy.bin + local dstfile=$dest/$policy.bin + if [ ! -e $binfile ]; then + genBinPolicy $root $policy + if [ ! -e $binfile ]; then + echo "Could not compile policy '$policy'." + return 0 + fi + fi + + if [ ! -e $dstfile -o \ + $binfile -nt $dstfile ]; then + cp -f $binfile $dstfile + fi + return 1 } 
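Review bot: `updateGrub` keeps the fixed path `/tmp/new_grub.conf` (the hunk at -289,11 only adds `local`), and the file is later moved over grub.conf by root. A predictable name in a world-writable directory can be pre-created or replaced with a symlink by another local user, and a `mv` from /tmp onto /boot is not atomic when they are different filesystems. Create the file next to its destination instead, with the declaration split so the exit status is not masked: `local tmpfile; tmpfile=$(mktemp "$grubconf.XXXXXX") || exit 1`. The same applies to `/tmp/__setlabel.tmp1` and `/tmp/__setlabel.tmp2` in `relabel`.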
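Review bot: `cpBootPolicy` returns 1 (success) without checking `cp -f $binfile $dstfile`, so after a failed copy its caller (not shown, presumably updategrub.sh) may still reference a policy module that is missing or stale in the destination. Check the copy and quote the paths: `cp -f "$binfile" "$dstfile" || return 0`. `genBinPolicy` has the same gap: if `pushd $root` fails, `xensec_xml2bin -d policies` runs in the current directory and `popd` unwinds the wrong entry, so use `pushd "$root" > /dev/null || return`. In the `updateGrub` part of this hunk, the no-change branch leaves the temporary file behind; add `rm -f "$tmpfile"` there.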
@@ -352,7 +467,11 @@ updateGrub () # 1st: Full or relative path to the policy's mapfile showLabels () { - mapfile=$1 + local mapfile=$1 + local line + local ITEM + local found=0 + if [ ! -r "$mapfile" -o "$mapfile" == "" ]; then echo "Cannot read from vm configuration file $vmfile." return -1 @@ -417,8 +536,8 @@ showLabels () # 2nd: the name of the policy getDefaultSsid () { - mapfile=$1 - pol=$2 + local mapfile=$1 + local pol=$2 RES=`cat $mapfile \ awk -vpol=$pol \ { \ @@ -446,10 +565,13 @@ getDefaultSsid () # other : Prompts the user whether to proceed relabel () { - vmfile=$1 - label=$2 - mapfile=$3 - mode=$4 + local vmfile=$1 + local label=$2 + local mapfile=$3 + local mode=$4 + local SSIDLO + local SSIDHI + local RES if [ ! -r "$vmfile" ]; then echo "Cannot read from vm configuration file $vmfile." @@ -556,8 +678,8 @@ relabel () fi #Write the output - vmtmp1="/tmp/__setlabel.tmp1" - vmtmp2="/tmp/__setlabel.tmp2" + local vmtmp1="/tmp/__setlabel.tmp1" + local vmtmp2="/tmp/__setlabel.tmp2" touch $vmtmp1 touch $vmtmp2 if [ ! -w "$vmtmp1" -o ! -w "$vmtmp2" ]; then @@ -584,8 +706,10 @@ relabel () # 2nd: Full or relative path to the policy's mapfile translateSSIDREF () { - ssidref=$1 - mapfile=$2 + local ssidref=$1 + local mapfile=$2 + local line1 + local line2 if [ ! -r "$mapfile" -o "$mapfile" == "" ]; then echo "Cannot read from vm configuration file $vmfile." Index: root/xen-unstable.hg/tools/security/secpol_tool.c =================================================================== --- root.orig/xen-unstable.hg/tools/security/secpol_tool.c +++ root/xen-unstable.hg/tools/security/secpol_tool.c @@ -44,12 +44,13 @@ fprintf(stderr, "ERROR: " _m " (%d = %s) void usage(char *progname) { - printf("Use: %s \n" + printf("Usage: %s ACTION\n" + "ACTION is one of:\n" "\t getpolicy\n" "\t dumpstats\n" "\t loadpolicy \n" "\t getssid -d [-f]\n" - "\t getssid -s [-f]\n", progname); + "\t getssid -s [-f]\n", progname); exit(-1); } 
@@ -85,6 +86,7 @@ static inline int do_acm_op(int xc_handl if ((ret = do_xen_hypercall(xc_handle, &hypercall)) < 0) { + printf( "ACM operation failed: errno=%d\n", errno ); if (errno == EACCES) fprintf(stderr, "ACM operation failed -- need to" " rebuild the user-space tool set?\n"); Index: root/xen-unstable.hg/tools/security/secpol_xml2bin.c =================================================================== --- root.orig/xen-unstable.hg/tools/security/secpol_xml2bin.c +++ root/xen-unstable.hg/tools/security/secpol_xml2bin.c @@ -17,7 +17,7 @@ * sHype policy translation tool. This tool takes an XML * policy specification as input and produces a binary * policy file that can be loaded into Xen through the - * ACM operations (secpol_tool loadpolicy) interface or at + * ACM operations (xensec_tool loadpolicy) interface or at * boot time (grub module parameter) * * indent -i4 -kr -nut @@ -102,12 +102,22 @@ int have_chwall = 0; /* input/output file names */ char *policy_filename = NULL, *label_filename = NULL, - *binary_filename = NULL, *mapping_filename = NULL; + *binary_filename = NULL, *mapping_filename = NULL, + *schema_filename = NULL; void usage(char *prg) { - printf("usage:\n%s policyname[-policy.xml/-security_label_template.xml]\n", - prg); + printf("Usage: %s [OPTIONS] POLICYNAME\n", prg); + printf("POLICYNAME is the directory name within the policy directory\n"); + printf("that contains the policy files. The default policy directory\n"); + printf("is '%s' (see the '-d' option below to change it)\n", POLICY_DIR); + printf("The policy files contained in the POLICYNAME directory must be named:\n"); + printf("\tPOLICYNAME-security_policy.xml\n"); + printf("\tPOLICYNAME-security_label_template.xml\n\n"); + printf("OPTIONS:\n"); + printf("\t-d POLICYDIR\n"); + printf("\t\tUse POLICYDIR as the policy directory. This directory must contain\n"); + printf("\t\tthe policy schema file 'security_policy.xsd'\n"); exit(EXIT_FAILURE); } 
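Review bot: The added `printf( "ACM operation failed: errno=%d\n", errno );` runs before the `errno == EACCES` test and may itself modify `errno`, so the rebuild hint that follows can be skipped or shown wrongly. It also writes to stdout, while the neighbouring diagnostics use stderr and the shell helpers parse this tool's stdout (`xensec_tool getssid ... | grep -E "SSID:"`). Save the value and report it on stderr: `int saved_errno = errno; fprintf(stderr, "ACM operation failed: errno=%d\n", saved_errno);`, then test `saved_errno`. `do_acm_op` begins and ends outside the hunk.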
@@ -1237,7 +1247,7 @@ int is_valid(xmlDocPtr doc) xmlSchemaParserCtxtPtr schemaparser_ctxt = NULL; xmlSchemaValidCtxtPtr schemavalid_ctxt = NULL; - schemaparser_ctxt = xmlSchemaNewParserCtxt(SCHEMA_FILENAME); + schemaparser_ctxt = xmlSchemaNewParserCtxt(schema_filename); schema_ctxt = xmlSchemaParse(schemaparser_ctxt); schemavalid_ctxt = xmlSchemaNewValidCtxt(schema_ctxt); @@ -1246,12 +1256,12 @@ int is_valid(xmlDocPtr doc) if ((err = xmlSchemaIsValid(schemavalid_ctxt)) != 1) { printf("ERROR: Invalid schema file %s (err=%d)\n", - SCHEMA_FILENAME, err); + schema_filename, err); err = -EIO; goto out; } else - printf("XML Schema %s valid.\n", SCHEMA_FILENAME); + printf("XML Schema %s valid.\n", schema_filename); #endif if ((err = xmlSchemaValidateDoc(schemavalid_ctxt, doc))) { 
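Review bot: `schema_filename` is now built at run time from the `-d` directory, so a missing or unreadable schema becomes an ordinary user error, yet the visible lines of `is_valid` pass the results of `xmlSchemaNewParserCtxt` and `xmlSchemaParse` straight on without a NULL check. Two lines between the hunks are not shown, so this may already be handled. If it is not, fail closed before `xmlSchemaNewValidCtxt`, for example `if (!schemaparser_ctxt) { err = -EIO; goto out; }` and the same for `schema_ctxt`, so that a policy is never translated against a schema that did not load. The `#endif` suggests the schema self-check is conditional; a one-line warning when it is compiled out would make that visible to the operator.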
@@ -1275,37 +1285,59 @@ int main(int argc, char **argv) char *file_prefix; int prefix_len; + int opt_char; + char *policy_dir = POLICY_DIR; + if (ACM_POLICY_VERSION != WRITTEN_AGAINST_ACM_POLICY_VERSION) { printf("ERROR: This program was written against an older ACM version.\n"); exit(EXIT_FAILURE); } - if (argc != 2) + while ((opt_char = getopt(argc, argv, "d:")) != -1) { + switch (opt_char) { + case 'd': + policy_dir = malloc(strlen(optarg) + 2); // null terminator and possibly "/" + if (!policy_dir) { + printf("ERROR allocating directory name memory.\n"); + exit(EXIT_FAILURE); + } + strcpy(policy_dir, optarg); + if (policy_dir[strlen(policy_dir) - 1] != '/') + strcat(policy_dir, "/"); + break; + + default: + usage(basename(argv[0])); + } + } + + if ((argc - optind) != 1) usage(basename(argv[0])); - prefix_len = strlen(POLICY_SUBDIR) + - strlen(argv[1]) + 1 /* "/" */ + - strlen(argv[1]) + 1 /* "/" */ ; + prefix_len = strlen(policy_dir) + + strlen(argv[optind]) + 1 /* "/" */ + + strlen(argv[optind]) + 1 /* null terminator */ ; file_prefix = malloc(prefix_len); policy_filename = malloc(prefix_len + strlen(POLICY_EXTENSION)); label_filename = malloc(prefix_len + strlen(LABEL_EXTENSION)); binary_filename = malloc(prefix_len + strlen(BINARY_EXTENSION)); mapping_filename = malloc(prefix_len + strlen(MAPPING_EXTENSION)); + schema_filename = malloc(strlen(policy_dir) + strlen(SCHEMA_FILENAME) + 1); if (!file_prefix || !policy_filename || !label_filename || - !binary_filename || !mapping_filename) + !binary_filename || !mapping_filename || !schema_filename) { printf("ERROR allocating file name memory.\n"); goto out2; } /* create input/output filenames out of prefix */ - strcat(file_prefix, POLICY_SUBDIR); - strcat(file_prefix, argv[1]); + strcpy(file_prefix, policy_dir); + strcat(file_prefix, argv[optind]); strcat(file_prefix, "/"); - strcat(file_prefix, argv[1]); + strcat(file_prefix, argv[optind]); strcpy(policy_filename, file_prefix); strcpy(label_filename, 
file_prefix); @@ -1317,11 +1349,14 @@ int main(int argc, char **argv) strcat(binary_filename, BINARY_EXTENSION); strcat(mapping_filename, MAPPING_EXTENSION); + strcpy(schema_filename, policy_dir); + strcat(schema_filename, SCHEMA_FILENAME); + labeldoc = xmlParseFile(label_filename); if (labeldoc == NULL) { - printf("Error: could not parse file %s.\n", argv[1]); + printf("Error: could not parse file %s.\n", argv[optind]); goto out2; } @@ -1337,7 +1372,7 @@ int main(int argc, char **argv) if (policydoc == NULL) { - printf("Error: could not parse file %s.\n", argv[1]); + printf("Error: could not parse file %s.\n", argv[optind]); goto out1; } Index: root/xen-unstable.hg/tools/security/secpol_xml2bin.h =================================================================== --- root.orig/xen-unstable.hg/tools/security/secpol_xml2bin.h +++ root/xen-unstable.hg/tools/security/secpol_xml2bin.h @@ -12,7 +12,7 @@ * License. * */ -#define POLICY_SUBDIR "policies/" +#define POLICY_DIR "/etc/xen/acm-security/policies/" #define POLICY_EXTENSION "-security_policy.xml" #define LABEL_EXTENSION "-security_label_template.xml" #define BINARY_EXTENSION ".bin" @@ -20,7 +20,7 @@ #define PRIMARY_COMPONENT_ATTR_NAME "order" #define BOOTSTRAP_LABEL_ATTR_NAME "bootstrap" #define PRIMARY_COMPONENT "PrimaryPolicyComponent" -#define SCHEMA_FILENAME "policies/security_policy.xsd" +#define SCHEMA_FILENAME "security_policy.xsd" /* basic states (used as 1 << X) */ #define XML2BIN_SECPOL 0 /* policy tokens */ Index: root/xen-unstable.hg/tools/security/setlabel.sh =================================================================== --- root.orig/xen-unstable.hg/tools/security/setlabel.sh +++ root/xen-unstable.hg/tools/security/setlabel.sh 
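Review bot: In the `-d` case of `main` (hunk -1275,37), `policy_dir[strlen(policy_dir) - 1]` indexes before the start of the buffer when the option argument is empty (`-d ""`), because the length is 0. Reject an empty argument before the copy, e.g. `if (*optarg == '\0') usage(basename(argv[0]));`. The policy name from `argv[optind]` is concatenated into the input and output paths unchanged, so a name containing `/` or `..` places the generated .bin and .map files outside the policy directory; as `cpBootPolicy` drives this tool as root, rejecting names that contain `/` is a cheap safeguard. Repeating `-d` also leaks the previous allocation. `main` continues outside the hunk.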
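Review bot: The two "could not parse file" messages (hunks -1317,11 and -1337,7) print `argv[optind]`, which is the policy name rather than the file that failed to parse. With the directory now selectable through `-d`, the full path is what an operator needs to see. Use `label_filename` in the first message and, presumably, `policy_filename` in the second; the `xmlParseFile` call for the policy document is outside the hunk.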
@@ -35,102 +35,72 @@ if [ -z "$runbash" ]; then fi export PATH=$PATH:. -source labelfuncs.sh +dir=`dirname $0` +source $dir/labelfuncs.sh usage () { + prg=`basename $0` echo "Use this tool to put the ssidref corresponding to a label of a policy into the VM configuration file, or use it to display all labels of a policy. -Usage: $0 [Option]