

Merge.
author adsharma@los-vmm.sc.intel.com
date Thu Aug 25 12:24:48 2005 -0700 (2005-08-25)
parents 112d44270733 fa0754a9f64f
children dfaf788ab18c
1 #!/bin/sh
2 # *
3 # * setlabel
4 # *
5 # * Copyright (C) 2005 IBM Corporation
6 # *
7 # * Authors:
8 # * Stefan Berger <stefanb@us.ibm.com>
9 # *
10 # * This program is free software; you can redistribute it and/or
11 # * modify it under the terms of the GNU General Public License as
12 # * published by the Free Software Foundation, version 2 of the
13 # * License.
14 # *
15 # * 'setlabel' labels virtual machine (domain) configuration files with
16 # * security identifiers that can be enforced in Xen.
17 # *
18 # * 'setlabel -?' shows the usage of the program
19 # *
20 # * 'setlabel -l vmconfig-file' lists all available labels (only VM
21 # * labels are used right now)
22 # *
23 # * 'setlabel vmconfig-file security-label map-file' inserts the 'ssidref'
24 # * that corresponds to the security-label under the
25 # * current policy (if policy changes, 'label'
26 # * must be re-run over the configuration files;
27 # * map-file is created during policy translation and
28 # * is found in the policy's directory
29 #
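# Re-run the script under bash when it was started via /bin/sh: the body
# relies on bash-only constructs (let, == inside [ ]).  'runbash' is
# exported so the second invocation skips this branch.
# "$0" and "$@" are handed to bash as separate, quoted arguments.  The
# previous 'exec sh -c "bash $0 $*"' re-parsed the whole command line, so
# whitespace and shell metacharacters in the config-file name, the label
# or the policy name were interpreted by the shell instead of being passed
# through unchanged.
if [ -z "$runbash" ]; then
  runbash="1"
  export runbash
  exec bash "$0" "$@"
fi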
usage ()
{
  # Print the command-line synopsis to stdout; $0 is the script name.
  printf '%s\n' \
    "Usage: $0 [Option] <vmfile> <label> <policy name> " \
    " or $0 -l <policy name>" \
    "" \
    "Valid Options are:" \
    "-r : to relabel a file without being prompted" \
    "" \
    "vmfile : XEN vm configuration file" \
    "label : the label to map" \
    "policy name : the name of the policy, i.e. 'chwall'" \
    "" \
    "-l <policy name> is used to show valid labels in the map file" \
    ""
}
findMapFile ()
{
  # Locate the label map for policy "$1", trying ./<policy>.map first and
  # ./policies/<policy>/<policy>.map second, and leave the last path tried
  # in the global 'mapfile'.  Returns 1 when a readable map was found and
  # 0 when none was (note the inverted convention: callers test for != 0).
  local candidate
  for candidate in "./$1.map" "./policies/$1/$1.map"; do
    mapfile=$candidate
    if [ -r "$mapfile" ]; then
      return 1
    fi
  done
  return 0
}
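showLabels ()
{
  # List the VM labels that map file "$1" defines for the primary policy.
  # When a secondary policy is configured (anything other than "NULL"),
  # only labels that also have a "LABEL->SSID VM CHWALL" entry are listed;
  # the CHWALL name is fixed here, exactly as in the original lookup.
  # Sets the globals mapfile, primary and secondary.  Returns 1 when the
  # map file cannot be read (the old 'return -1' is not a valid status),
  # 0 otherwise.
  local labels
  mapfile=$1
  if [ -z "$mapfile" ] || [ ! -r "$mapfile" ]; then
    # The old message referred to $vmfile, which is never set on this path.
    echo "Cannot read from map file $mapfile."
    return 1
  fi

  getPrimaryPolicy "$mapfile"
  getSecondaryPolicy "$mapfile"

  echo "The following labels are available:"
  # One pass over the map file instead of re-running cat|awk once per
  # label.  Entries without a label field are skipped.
  labels=$(awk -v primary="$primary" -v secondary="$secondary" '
    $1 == "LABEL->SSID" && $2 == "VM" && $3 == primary && $4 != "" { vm[++n] = $4 }
    $1 == "LABEL->SSID" && $2 == "VM" && $3 == "CHWALL" { chwall[$4] = 1 }
    END {
      for (i = 1; i <= n; i++) {
        if (secondary == "NULL" || (vm[i] in chwall)) {
          print vm[i]
        }
      }
    }' "$mapfile")
  if [ -n "$labels" ]; then
    printf '%s\n' "$labels"
  else
    echo "No labels found."
  fi
}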
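getPrimaryPolicy ()
{
  # Read the primary policy name (second field of the last "PRIMARY" line)
  # from map file "$1" into the global 'primary'; empty when there is no
  # such line.  Also sets the global 'mapfile'.
  # The file name is quoted and passed to awk directly; the old unquoted
  # 'cat $mapfile |' word-split the path.
  mapfile=$1
  primary=$(awk '$1 == "PRIMARY" { res = $2 } END { print res }' "$mapfile")
}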
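getSecondaryPolicy ()
{
  # Read the secondary policy name (second field of the last "SECONDARY"
  # line) from map file "$1" into the global 'secondary'; empty when there
  # is no such line.  Also sets the global 'mapfile'.
  # The file name is quoted and passed to awk directly; the old unquoted
  # 'cat $mapfile |' word-split the path.
  mapfile=$1
  secondary=$(awk '$1 == "SECONDARY" { res = $2 } END { print res }' "$mapfile")
}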
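getDefaultSsid ()
{
  # Look up the default ssid of policy "$2" in map file "$1" (the line
  # "LABEL->SSID ANY <policy> DEFAULT <ssid>") and store it as four hex
  # digits in the global 'defaultssid'; "0000" when there is no such line.
  # Also sets the globals mapfile, pol and RES.  strtonum() is a gawk
  # extension, kept from the original script.
  # The old pipeline had no '|' between cat and awk and left the awk
  # program unquoted, so it could never produce a value.
  mapfile=$1
  pol=$2
  RES=$(awk -v pol="$pol" '
    $1 == "LABEL->SSID" && $2 == "ANY" && $3 == pol && $4 == "DEFAULT" { res = $5 }
    END { printf "%04x", strtonum(res) }' "$mapfile")
  echo "default NULL mapping is $RES"
  defaultssid=$RES
}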
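# Print the ssid of VM label "$3" under policy "$2" from map file "$1" as
# four lower-case hex digits; prints nothing when the label has no entry.
# strtonum() is a gawk extension, kept from the original script.
_setlabel_vm_ssid ()
{
  awk -v policy="$2" -v label="$3" '
    $1 == "LABEL->SSID" && $2 == "VM" && $3 == policy && $4 == label { result = $5 }
    END { if (result != "") printf "%04x", strtonum(result) }' "$1"
}

relabel ()
{
  # Insert (or replace) the ssidref for label "$2" in vm config file "$1"
  # using the policy map "$3".  "$4" is the mode: "relabel" overwrites an
  # existing ssidref silently, anything else asks for confirmation first.
  # Sets the globals vmfile, label, mapfile, mode, SSIDLO, SSIDHI, SSIDREF,
  # ACM_POLICY and RES, plus primary/secondary via the get*Policy helpers.
  # Returns 0 on success or user abort, 1 on error (the old 'return -1' is
  # not a valid status).
  local vmtmp user
  vmfile=$1
  label=$2
  mapfile=$3
  mode=$4

  if [ ! -r "$vmfile" ]; then
    echo "Cannot read from vm configuration file $vmfile."
    return 1
  fi
  if [ ! -w "$vmfile" ]; then
    echo "Cannot write to vm configuration file $vmfile."
    return 1
  fi
  if [ ! -r "$mapfile" ]; then
    echo "Cannot read mapping file $mapfile."
    return 1
  fi

  # Determine which policy is primary, which secondary.
  getPrimaryPolicy "$mapfile"
  getSecondaryPolicy "$mapfile"

  # Each half of the ssidref is the label's ssid under one policy, as four
  # hex digits: "0000" when that policy is NULL, empty when the label has
  # no entry.
  if [ "$primary" = "NULL" ]; then
    SSIDLO="0000"
  else
    SSIDLO=$(_setlabel_vm_ssid "$mapfile" "$primary" "$label")
  fi
  if [ "$secondary" = "NULL" ]; then
    SSIDHI="0000"
  else
    SSIDHI=$(_setlabel_vm_ssid "$mapfile" "$secondary" "$label")
  fi
  if [ -z "$SSIDLO" ] || [ -z "$SSIDHI" ]; then
    echo "Could not map the given label '$label'."
    return 1
  fi

  # The policy name is printed through "%s"; the old 'printf result' used
  # the value itself as the format string.
  ACM_POLICY=$(awk '$1 == "POLICY" { result = $2 }
    END { if (result != "") printf "%s", result }' "$mapfile")
  if [ -z "$ACM_POLICY" ]; then
    echo "Could not find 'POLICY' entry in map file."
    return 1
  fi

  SSIDREF="0x$SSIDHI$SSIDLO"

  if [ "$mode" != "relabel" ]; then
    # Show any existing ssidref line and ask before overwriting it.  The
    # first field is matched with index(): substr($1,0,7) only ever yielded
    # six characters, so it never equalled "ssidref" and the prompt never
    # appeared.
    RES=$(awk 'index($1, "ssidref") == 1' "$vmfile")
    if [ -n "$RES" ]; then
      echo "Do you want to overwrite the existing mapping ($RES)? (y/N)"
      read -r user
      if [ "$user" != "y" ] && [ "$user" != "Y" ]; then
        echo "Aborted."
        return 0
      fi
    fi
  fi

  # Write the output.  The scratch file comes from mktemp rather than the
  # fixed names /tmp/__setlabel.tmp1 and .tmp2, which any local user could
  # pre-create or replace with a symlink before this (typically root-run)
  # tool wrote to them.  The result is copied back over the config file
  # instead of mv'ed so the file keeps its owner and permissions.
  vmtmp=$(mktemp) || {
    echo "Cannot create temporary files. Aborting."
    return 1
  }
  {
    sed -e '/^#ACM_POLICY/d' -e '/^#ACM_LABEL/d' -e '/^ssidref/d' < "$vmfile"
    printf '#ACM_POLICY=%s\n' "$ACM_POLICY"
    printf '#ACM_LABEL=%s\n' "$label"
    printf 'ssidref = %s\n' "$SSIDREF"
  } > "$vmtmp"
  if ! cat < "$vmtmp" > "$vmfile"; then
    echo "Cannot write to vm configuration file $vmfile."
    rm -f -- "$vmtmp"
    return 1
  fi
  rm -f -- "$vmtmp"
  echo "Mapped label '$label' to ssidref '$SSIDREF'."
}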
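# Command-line handling.  One optional leading switch is recognised:
# -r relabels without asking, -l lists the labels of a policy, -? prints
# the usage; any other first argument is taken as the vm config file.
# findMapFile returns 1 (not 0) when it found a map and leaves the path in
# the global 'mapfile'.  Usage errors exit with 1; the old 'exit -1' is not
# a valid status (bash reported it as 255).
mode=""
case "$1" in
  -r) mode="relabel"; shift ;;
  -l) mode="show"; shift ;;
  -\?) mode="usage" ;;
esac

if [ "$mode" = "show" ]; then
  if [ -z "$1" ]; then
    usage
    exit 1
  fi
  findMapFile "$1"
  res=$?
  if [ "$res" != "0" ]; then
    showLabels "$mapfile"
  else
    echo "Could not find map file for policy '$1'."
  fi
elif [ "$mode" = "usage" ]; then
  usage
else
  if [ -z "$3" ]; then
    usage
    exit 1
  fi
  findMapFile "$3"
  res=$?
  if [ "$res" != "0" ]; then
    relabel "$1" "$2" "$mapfile" "$mode"
  else
    echo "Could not find map file for policy '$3'."
  fi
fi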