Index: root/xen-unstable.hg/tools/security/policies/security_policy.xsd
===================================================================
--- root.orig/xen-unstable.hg/tools/security/policies/security_policy.xsd
+++ root/xen-unstable.hg/tools/security/policies/security_policy.xsd
@@ -22,6 +22,8 @@
+
+
@@ -116,4 +118,17 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
Index: root/xen-unstable.hg/xen/include/acm/acm_core.h
===================================================================
--- root.orig/xen-unstable.hg/xen/include/acm/acm_core.h
+++ root/xen-unstable.hg/xen/include/acm/acm_core.h
@@ -29,6 +29,7 @@ struct acm_binary_policy {
char *policy_reference_name;
u16 primary_policy_code;
u16 secondary_policy_code;
+ struct acm_policy_version xml_pol_version;
};
struct chwall_binary_policy {
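Review bot: The new `xml_pol_version` member carries no comment saying which byte order it holds, and nothing in this header makes that obvious; elsewhere in this patch (acm_set_policy) the field is filled by a plain `memcpy` from the incoming policy buffer, so it holds the big-endian wire value rather than a host-order one. A one-line comment prevents a later consumer from comparing it against host integers: `struct acm_policy_version xml_pol_version; /* raw copy of the buffer header field: big-endian wire order, not host order */`. This addition also relies on `struct acm_policy_version` from public/acm.h being visible through this header's includes, which the hunk does not show. `struct acm_binary_policy` begins before this hunk.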
Index: root/xen-unstable.hg/tools/security/secpol_xml2bin.c
===================================================================
--- root.orig/xen-unstable.hg/tools/security/secpol_xml2bin.c
+++ root/xen-unstable.hg/tools/security/secpol_xml2bin.c
@@ -108,26 +108,25 @@ char *policy_filename = NULL,
char *policy_reference_name = NULL;
+char *policy_version_string = NULL;
+
void walk_labels(xmlNode * start, xmlDocPtr doc, unsigned long state);
void usage(char *prg)
{
- printf("Usage: %s [OPTIONS] POLICYNAME\n", prg);
- printf
- ("POLICYNAME is the directory name within the policy directory\n");
- printf
- ("that contains the policy files. The default policy directory\n");
- printf("is '%s' (see the '-d' option below to change it)\n",
- POLICY_DIR);
- printf
- ("The policy files contained in the POLICYNAME directory must be named:\n");
- printf("\tPOLICYNAME-security_policy.xml\n");
- printf("\tPOLICYNAME-security_label_template.xml\n\n");
- printf("OPTIONS:\n");
- printf("\t-d POLICYDIR\n");
- printf
- ("\t\tUse POLICYDIR as the policy directory. This directory must contain\n");
- printf("\t\tthe policy schema file 'security_policy.xsd'\n");
+ printf(
+ "Usage: %s [OPTIONS] POLICYNAME\n"
+ "POLICYNAME is the directory name within the policy directory\n"
+ "that contains the policy files. The default policy directory\n"
+ "is '%s' (see the '-d' option below to change it)\n"
+ "The policy files contained in the POLICYNAME directory must be named:\n"
+ "\tPOLICYNAME-security_policy.xml\n"
+ "\tPOLICYNAME-security_label_template.xml\n\n"
+ "OPTIONS:\n"
+ "\t-d POLICYDIR\n"
+ "\t\tUse POLICYDIR as the policy directory. This directory must \n"
+ "\t\tcontain the policy schema file 'security_policy.xsd'\n",
+ prg, POLICY_DIR);
exit(EXIT_FAILURE);
}
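Review bot: The rewritten usage text for `-d` now ends in `must \n`, a trailing space before the newline that the old `must contain\n` did not have; `"\t\tUse POLICYDIR as the policy directory. This directory must\n"` keeps the output clean. The new file-scope `policy_version_string`, like `policy_reference_name` next to it, is not `static` and so is exported from this translation unit; if nothing outside secpol_xml2bin.c needs it, `static char *policy_version_string = NULL;` is the tighter declaration. Since usage() exits with EXIT_FAILURE, emitting it with `fprintf(stderr, ...)` would keep the error text off stdout, though that was already the behaviour before this rewrite.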
@@ -300,25 +299,50 @@ void walk_policy(xmlNode * start, xmlDoc
case XML2BIN_CHWALLTYPES:
case XML2BIN_CONFLICTSETS:
case XML2BIN_POLICYHEADER:
+ case XML2BIN_FROMPOLICY:
walk_policy(cur_node->children, doc, state | (1 << code));
break;
case XML2BIN_POLICYNAME: /* get policy reference name .... */
- if (state != XML2BIN_PN_S) {
+ if (state != XML2BIN_PN_S &&
+ state != XML2BIN_PN_frompolicy_S) {
printf("ERROR: >Url< >%s< out of context.\n",
(char *) xmlNodeListGetString(doc,
cur_node->
xmlChildrenNode, 1));
exit(EXIT_FAILURE);
}
- policy_reference_name = (char *)
- xmlNodeListGetString(doc, cur_node->xmlChildrenNode, 1);
- if (!policy_reference_name) {
- printf("ERROR: empty >policy reference name (Url)xmlChildrenNode, 1);
+ if (!policy_reference_name) {
+ printf("ERROR: empty >policy reference name (Url)Url< >%s< out of context.\n",
+ (char *) xmlNodeListGetString(doc,
+ cur_node->
+ xmlChildrenNode, 1));
exit(EXIT_FAILURE);
- } else
- printf("Policy Reference name (Url): %s\n",
- policy_reference_name);
+ }
+ if (state == XML2BIN_PN_S) {
+ policy_version_string = (char *)
+ xmlNodeListGetString(doc, cur_node->xmlChildrenNode, 1);
+ if (!policy_version_string) {
+ printf("ERROR: empty >policy version string set_binary_policy(buf + offset, length))
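Review bot: The new version handling only checks that `policy_version_string` returned by `xmlNodeListGetString` is non-NULL; the conversion of that string into the numeric major/minor fields of `struct acm_policy_version` is not in this hunk, and wherever it happens it should fail hard on anything that is not digits.digits (`strtoul` with an `endptr` check and `errno == ERANGE`) rather than let a malformed or absent version reach the binary policy as 0.0. The out-of-context error paths, including the newly added one, call `xmlNodeListGetString` a second time and hand its result straight to `%s`; when the element has no text that is a NULL argument to printf, so capture the string once in a local and print `"(none)"` for NULL. Neither the reference name nor the version string is released with `xmlFree`, which is tolerable in a tool that exits but deserves a comment saying so. walk_policy starts before this hunk and continues past it.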
goto error_lock_free;
+ memcpy(&acm_bin_pol.xml_pol_version,
+ &pol->xml_pol_version,
+ sizeof(acm_bin_pol.xml_pol_version));
+
write_unlock(&acm_bin_pol_rwlock);
return ACM_OK;
@@ -132,7 +136,7 @@ acm_get_policy(XEN_GUEST_HANDLE(void) bu
u8 *policy_buffer;
int ret;
struct acm_policy_buffer *bin_pol;
-
+
if (buf_size < sizeof(struct acm_policy_buffer))
return -EFAULT;
@@ -151,6 +155,10 @@ acm_get_policy(XEN_GUEST_HANDLE(void) bu
bin_pol->primary_buffer_offset = cpu_to_be32(be32_to_cpu(bin_pol->len));
bin_pol->secondary_buffer_offset = cpu_to_be32(be32_to_cpu(bin_pol->len));
+ memcpy(&bin_pol->xml_pol_version,
+ &acm_bin_pol.xml_pol_version,
+ sizeof(struct acm_policy_version));
+
ret = acm_dump_policy_reference(policy_buffer + be32_to_cpu(bin_pol->policy_reference_offset),
buf_size - be32_to_cpu(bin_pol->policy_reference_offset));
if (ret < 0)
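Review bot: The `memcpy` into `bin_pol->xml_pol_version` copies `acm_bin_pol.xml_pol_version` without any `cpu_to_be32`, while the neighbouring offset fields on these lines are explicitly byte-swapped; that is only correct because acm_set_policy stored the value with an equally raw `memcpy` from the supplied buffer, so the hypervisor is round-tripping the big-endian wire value untouched. Make that invariant explicit here, e.g. `/* xml_pol_version is kept in wire (big-endian) order; no swap on either side */`, so nobody later adds a swap on one path only or compares it natively. Also worth confirming, since it is not visible in this hunk, that the ACM_POLICY_VERSION 2->3 bump is enforced against `bin_pol->policy_version` before any V2-sized buffer can reach the 8 bytes the header has grown by. acm_get_policy continues outside this hunk.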
Index: root/xen-unstable.hg/xen/include/public/acm.h
===================================================================
--- root.orig/xen-unstable.hg/xen/include/public/acm.h
+++ root/xen-unstable.hg/xen/include/public/acm.h
@@ -78,7 +78,7 @@
* whenever the interpretation of the related
* policy's data structure changes
*/
-#define ACM_POLICY_VERSION 2
+#define ACM_POLICY_VERSION 3
#define ACM_CHWALL_VERSION 1
#define ACM_STE_VERSION 1
@@ -119,6 +119,14 @@ typedef uint16_t domaintype_t;
/* each offset in bytes from start of the struct they
* are part of */
+/* V3 of the policy buffer aded a version structure */
+struct acm_policy_version
+{
+ uint32_t major;
+ uint32_t minor;
+} __attribute__((packed));
+
+
/* each buffer consists of all policy information for
* the respective policy given in the policy code
*
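Review bot: The comment above `struct acm_policy_version` has a typo (`aded`) and, more importantly, does not say what byte order the two fields use; the tools read them with `ntohl` and the hypervisor copies them verbatim, so they are big-endian like the rest of this header. Suggest `/* V3 of the policy buffer added a version structure (both fields big-endian, like every other field in this header) */`. `__attribute__((packed))` is GCC-specific in a public ABI header, which is acceptable here only because the rest of this patch applies it uniformly to the other buffer structs in the file.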
@@ -136,11 +144,13 @@ struct acm_policy_buffer {
uint32_t primary_buffer_offset;
uint32_t secondary_policy_code;
uint32_t secondary_buffer_offset;
-};
+ struct acm_policy_version xml_pol_version; /* add in V3 */
+} __attribute__((packed));
+
struct acm_policy_reference_buffer {
uint32_t len;
-};
+} __attribute__((packed));
struct acm_chwall_policy_buffer {
uint32_t policy_version; /* ACM_CHWALL_VERSION */
@@ -152,7 +162,7 @@ struct acm_chwall_policy_buffer {
uint32_t chwall_conflict_sets_offset;
uint32_t chwall_running_types_offset;
uint32_t chwall_conflict_aggregate_offset;
-};
+} __attribute__((packed));
struct acm_ste_policy_buffer {
uint32_t policy_version; /* ACM_STE_VERSION */
@@ -160,7 +170,7 @@ struct acm_ste_policy_buffer {
uint32_t ste_max_types;
uint32_t ste_max_ssidrefs;
uint32_t ste_ssid_offset;
-};
+} __attribute__((packed));
struct acm_stats_buffer {
uint32_t magic;
@@ -169,7 +179,7 @@ struct acm_stats_buffer {
uint32_t primary_stats_offset;
uint32_t secondary_policy_code;
uint32_t secondary_stats_offset;
-};
+} __attribute__((packed));
struct acm_ste_stats_buffer {
uint32_t ec_eval_count;
@@ -178,7 +188,7 @@ struct acm_ste_stats_buffer {
uint32_t gt_denied_count;
uint32_t ec_cachehit_count;
uint32_t gt_cachehit_count;
-};
+} __attribute__((packed));
struct acm_ssid_buffer {
uint32_t len;
@@ -190,7 +200,7 @@ struct acm_ssid_buffer {
uint32_t secondary_policy_code;
uint32_t secondary_max_types;
uint32_t secondary_types_offset;
-};
+} __attribute__((packed));
#endif
Index: root/xen-unstable.hg/tools/security/secpol_tool.c
===================================================================
--- root.orig/xen-unstable.hg/tools/security/secpol_tool.c
+++ root/xen-unstable.hg/tools/security/secpol_tool.c
@@ -172,6 +172,9 @@ void acm_dump_policy_buffer(void *buf, i
printf("============\n");
printf("POLICY REFERENCE = %s.\n", policy_reference_name);
printf("PolicyVer = %x.\n", ntohl(pol->policy_version));
+ printf("XML Vers. = %d.%d\n",
+ ntohl(pol->xml_pol_version.major),
+ ntohl(pol->xml_pol_version.minor));
printf("Magic = %x.\n", ntohl(pol->magic));
printf("Len = %x.\n", ntohl(pol->len));
printf("Primary = %s (c=%x, off=%x).\n",
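Review bot: The new `printf("XML Vers. = %d.%d\n", ...)` passes two `uint32_t` values from `ntohl` to `%d`, which expects `int`; the existing lines in this function use `%x` for the same type, so `%u.%u` (or `PRIu32` from inttypes.h) keeps the format consistent and -Wformat clean. Because `xml_pol_version` sits 8 bytes past the end of the V2 header, this read should only happen after the dump routine has checked that the buffer is at least `sizeof(struct acm_policy_buffer)` long and that `policy_version` is V3, neither of which is visible in this hunk. acm_dump_policy_buffer begins before this hunk and continues after it.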