ia64/xen-unstable

changeset 6598:02e104bf03c0

New scripts I missed from previous security patch.
author kaf24@firebug.cl.cam.ac.uk
date Fri Sep 02 08:06:59 2005 +0000 (2005-09-02)
parents 0161d68cff37
children 95cfc001ddd1
files tools/security/getlabel.sh tools/security/labelfuncs.sh
     1.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     1.2 +++ b/tools/security/getlabel.sh	Fri Sep 02 08:06:59 2005 +0000
     1.3 @@ -0,0 +1,130 @@
     1.4 +#!/bin/sh
     1.5 +# *
     1.6 +# * getlabel
     1.7 +# *
     1.8 +# * Copyright (C) 2005 IBM Corporation
     1.9 +# *
    1.10 +# * Authors:
    1.11 +# * Stefan Berger <stefanb@us.ibm.com>
    1.12 +# *
    1.13 +# * This program is free software; you can redistribute it and/or
    1.14 +# * modify it under the terms of the GNU General Public License as
    1.15 +# * published by the Free Software Foundation, version 2 of the
    1.16 +# * License.
    1.17 +# *
    1.18 +# * 'getlabel' tries to find the labels corresponding to the ssidref
    1.19 +# *
    1.20 +# * 'getlabel -?' shows the usage of the program
    1.21 +# *
    1.22 +# * 'getlabel -sid <ssidref> [<policy name>]' lists the label corresponding
    1.23 +# *                              to the given ssidref.
    1.24 +# *
    1.25 +# * 'getlabel -dom <domain id> [<policy name>]' lists the label of the
    1.26 +# *                              domain with given id
    1.27 +# *
    1.28 +#
    1.29 +
    1.30 +if [ -z "$runbash" ]; then
    1.31 +	runbash="1"
    1.32 +	export runbash
    1.33 +	exec sh -c "bash $0 $*"
    1.34 +fi
    1.35 +
    1.36 +
    1.37 +export PATH=$PATH:.
    1.38 +source labelfuncs.sh
    1.39 +
    1.40 +usage ()
    1.41 +{
    1.42 +	echo "Usage: $0 -sid <ssidref> [<policy name>] or"
    1.43 +	echo "       $0 -dom <domid>   [<policy name>]  "
    1.44 +	echo ""
    1.45 +	echo "policy name : the name of the policy, i.e. 'chwall'"
    1.46 +	echo "              If the policy name is omitted, the grub.conf"
    1.47 +	echo "              entry of the running system is tried to be read"
    1.48 +	echo "              and the policy name determined from there."
    1.49 +	echo "ssidref     : an ssidref in hex or decimal format, i.e., '0x00010002'"
    1.50 +	echo "              or '65538'"
    1.51 +	echo "domid       : id of the domain, i.e., '1'; Use numbers from the 2nd"
    1.52 +	echo "              column shown when invoking 'xm list'"
    1.53 +	echo ""
    1.54 +}
    1.55 +
    1.56 +
    1.57 +
    1.58 +if [ "$1" == "-?" ]; then
    1.59 +	mode="usage"
    1.60 +elif [ "$1" == "-dom" ]; then
    1.61 +	mode="domid"
    1.62 +	shift
    1.63 +elif [ "$1" == "-sid" ]; then
    1.64 +	mode="sid"
    1.65 +	shift
    1.66 +elif [ "$1" == "" ]; then
    1.67 +	usage
    1.68 +	exit -1
    1.69 +fi
    1.70 +
    1.71 +
    1.72 +if [ "$mode" == "usage" ]; then
    1.73 +	usage
    1.74 +elif [ "$mode" == "domid" ]; then
    1.75 +	if [ "$2" == "" ]; then
    1.76 +		findGrubConf
    1.77 +		ret=$?
    1.78 +		if [ $ret -eq 0 ]; then
    1.79 +			echo "Could not find grub.conf"
    1.80 +			exit -1;
    1.81 +		fi
    1.82 +		findPolicyInGrub $grubconf
    1.83 +		if [ "$policy" != "" ]; then
    1.84 +			echo "Assuming policy to be '$policy'.";
    1.85 +		else
    1.86 +			echo "Could not find policy."
    1.87 +			exit -1;
    1.88 +		fi
    1.89 +	else
    1.90 +		policy=$2
    1.91 +	fi
    1.92 +	findMapFile $policy
    1.93 +	res=$?
    1.94 +	if [ "$res" != "0" ]; then
    1.95 +		getSSIDUsingSecpolTool $1
    1.96 +		res=$?
    1.97 +		if [ "$res" != "0" ]; then
    1.98 +			translateSSIDREF $ssid $mapfile
    1.99 +		else
   1.100 +			echo "Could not determine the SSID of the domain."
   1.101 +		fi
   1.102 +	else
   1.103 +		echo "Could not find map file for policy '$policy'."
   1.104 +	fi
   1.105 +elif [ "$mode" == "sid" ]; then
   1.106 +	if [ "$2" == "" ]; then
   1.107 +		findGrubConf
   1.108 +		ret=$?
   1.109 +		if [ $ret -eq 0 ]; then
   1.110 +			echo "Could not find grub.conf"
   1.111 +			exit -1;
   1.112 +		fi
   1.113 +		findPolicyInGrub $grubconf
   1.114 +		if [ "$policy" != "" ]; then
   1.115 +			echo "Assuming policy to be '$policy'.";
   1.116 +		else
   1.117 +			echo "Could not find policy."
   1.118 +			exit -1;
   1.119 +		fi
   1.120 +	else
   1.121 +		policy=$2
   1.122 +	fi
   1.123 +	findMapFile $policy
   1.124 +	res=$?
   1.125 +	if [ "$res" != "0" ]; then
   1.126 +		translateSSIDREF $1 $mapfile
   1.127 +	else
   1.128 +		echo "Could not find map file for policy '$policy'."
   1.129 +	fi
   1.130 +
   1.131 +else
   1.132 +    usage
   1.133 +fi
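Review bot: The re-exec line `exec sh -c "bash $0 $*"` flattens the script path and all arguments into one string that a second shell parses again, so whitespace or shell metacharacters in an ssidref, domain id or policy name are interpreted as shell syntax rather than passed through as data; `exec bash "$0" "$@"` does the same hand-off with each argument kept intact. The next two lines, `export PATH=$PATH:.` and `source labelfuncs.sh`, let the function library (and later `secpol_tool`) be picked up from whatever directory the caller happens to be in, which matters for a tool that is presumably run as root; naming the library relative to the script, e.g. `. "$(dirname "$0")/labelfuncs.sh"`, and not appending `.` to PATH avoids that. The remaining expansions (`findMapFile $policy`, `getSSIDUsingSecpolTool $1`, `translateSSIDREF $1 $mapfile`) should be double-quoted so a user-supplied value cannot split into several words.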
     2.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     2.2 +++ b/tools/security/labelfuncs.sh	Fri Sep 02 08:06:59 2005 +0000
     2.3 @@ -0,0 +1,675 @@
     2.4 +# *
     2.5 +# * labelfuncs.sh
     2.6 +# *
     2.7 +# * Copyright (C) 2005 IBM Corporation
     2.8 +# *
     2.9 +# * Authors:
    2.10 +# * Stefan Berger <stefanb@us.ibm.com>
    2.11 +# *
    2.12 +# * This program is free software; you can redistribute it and/or
    2.13 +# * modify it under the terms of the GNU General Public License as
    2.14 +# * published by the Free Software Foundation, version 2 of the
    2.15 +# * License.
    2.16 +# *
    2.17 +# *
    2.18 +# * A collection of functions to handle polcies, mapfiles,
    2.19 +# * and ssidrefs.
    2.20 +#
    2.21 +
    2.22 +
    2.23 +# Find the mapfile given a policy nmame
    2.24 +# Parameters:
    2.25 +# 1st : the name of the policy whose map file is to be found, i.e.,
    2.26 +#       chwall
    2.27 +# Results:
    2.28 +# The variable mapfile will hold the realtive path to the mapfile
    2.29 +# for the given policy.
    2.30 +# In case the mapfile could be found, the functions returns a '1',
    2.31 +# a '0' otherwise.
    2.32 +findMapFile ()
    2.33 +{
    2.34 +	mapfile="./$1.map"
    2.35 +	if [ -r "$mapfile" ]; then
    2.36 +		return 1
    2.37 +	fi
    2.38 +
    2.39 +	mapfile="./policies/$1/$1.map"
    2.40 +	if [ -r "$mapfile" ]; then
    2.41 +		return 1
    2.42 +	fi
    2.43 +
    2.44 +	return 0
    2.45 +}
    2.46 +
    2.47 +
    2.48 +# Determine the name of the primary policy
    2.49 +# Parameters
    2.50 +# 1st : the path to the mapfile; the path may be relative
    2.51 +#       to the current directory
    2.52 +# Results
    2.53 +# The variable primary will hold the name of the primary policy
    2.54 +getPrimaryPolicy ()
    2.55 +{
    2.56 +	mapfile=$1
    2.57 +	primary=`cat $mapfile  |   \
    2.58 +	         awk '             \
    2.59 +	          {                \
    2.60 +	            if ( $1 == "PRIMARY" ) { \
    2.61 +	              res=$2;                \
    2.62 +	            }                        \
    2.63 +	          } END {                    \
    2.64 +	            print res;               \
    2.65 +	          } '`
    2.66 +}
    2.67 +
    2.68 +
    2.69 +# Determine the name of the secondary policy
    2.70 +# Parameters
    2.71 +# 1st : the path to the mapfile; the path may be relative
    2.72 +#       to the current directory
    2.73 +# Results
    2.74 +# The variable secondary will hold the name of the secondary policy
    2.75 +getSecondaryPolicy ()
    2.76 +{
    2.77 +	mapfile=$1
    2.78 +	secondary=`cat $mapfile  |   \
    2.79 +	         awk '             \
    2.80 +	          {                \
    2.81 +	            if ( $1 == "SECONDARY" ) { \
    2.82 +	              res=$2;                \
    2.83 +	            }                        \
    2.84 +	          } END {                    \
    2.85 +	            print res;               \
    2.86 +	          } '`
    2.87 +}
    2.88 +
    2.89 +
    2.90 +#Return where the grub.conf file is.
    2.91 +#I only know of one place it can be.
    2.92 +findGrubConf()
    2.93 +{
    2.94 +	grubconf="/boot/grub/grub.conf"
    2.95 +	if [ -w $grubconf ]; then
    2.96 +		return 1
    2.97 +	fi
    2.98 +	if [ -r $grubconf ]; then
    2.99 +		return 2
   2.100 +	fi
   2.101 +	return 0
   2.102 +}
   2.103 +
   2.104 +
   2.105 +# This function sets the global variable 'linux'
   2.106 +# to the name and version of the Linux kernel that was compiled
   2.107 +# for domain 0.
   2.108 +# If this variable could not be found, the variable 'linux'
   2.109 +# will hold a pattern
   2.110 +# Parameters:
   2.111 +# 1st: the path to reach the root directory of the XEN build tree
   2.112 +#      where linux-*-xen0 is located at
   2.113 +# Results:
   2.114 +# The variable linux holds then name and version of the compiled
   2.115 +# kernel, i.e., 'vmlinuz-2.6.12-xen0'
   2.116 +getLinuxVersion ()
   2.117 +{
   2.118 +	path=$1
   2.119 +	linux=""
   2.120 +	for f in $path/linux-*-xen0 ; do
   2.121 +		versionfile=$f/include/linux/version.h
   2.122 +		if [ -r $versionfile ]; then
   2.123 +			lnx=`cat $versionfile | \
   2.124 +			     grep UTS_RELEASE | \
   2.125 +			     awk '{             \
   2.126 +			       len=length($3);  \
   2.127 +			       print substr($3,2,len-2) }'`
   2.128 +		fi
   2.129 +		if [ "$lnx" != "" ]; then
   2.130 +			linux="[./0-9a-zA-z]*$lnx"
   2.131 +			return;
   2.132 +		fi
   2.133 +	done
   2.134 +
   2.135 +	#Last resort.
   2.136 +	linux="vmlinuz-2.[45678].[0-9]*[.0-9]*-xen0$"
   2.137 +}
   2.138 +
   2.139 +
   2.140 +# Find out with which policy the hypervisor was booted with.
   2.141 +# Parameters
   2.142 +# 1st : The complete path to grub.conf, i.e., /boot/grub/grub.conf
   2.143 +#
   2.144 +findPolicyInGrub ()
   2.145 +{
   2.146 +	grubconf=$1
   2.147 +	linux=`uname -r`
   2.148 +	policy=`cat $grubconf |                        \
   2.149 +	         awk -vlinux=$linux '{                 \
   2.150 +	           if ( $1 == "title" ) {              \
   2.151 +	             kernelfound = 0;                  \
   2.152 +	             policymaycome = 0;                \
   2.153 +	           }                                   \
   2.154 +	           else if ( $1 == "kernel" ) {        \
   2.155 +	             if ( match($2,"xen.gz$") ) {      \
   2.156 +	               pathlen=RSTART;                 \
   2.157 +	               kernelfound = 1;                \
   2.158 +	             }                                 \
   2.159 +	           }                                   \
   2.160 +	           else if ( $1 == "module" &&         \
   2.161 +	                     kernelfound == 1 &&       \
   2.162 +	                     match($2,linux) ) {       \
   2.163 +	              policymaycome = 1;               \
   2.164 +	           }                                   \
   2.165 +	           else if ( $1 == "module" &&         \
   2.166 +	                     kernelfound == 1 &&       \
   2.167 +	                     policymaycome == 1 &&     \
   2.168 +	                     match($2,"[0-9a-zA-Z_]*.bin$") ) { \
   2.169 +	              policymaycome = 0;               \
   2.170 +	              kernelfound = 0;                 \
   2.171 +	              polname = substr($2,pathlen);    \
   2.172 +	              len=length(polname);             \
   2.173 +	              polname = substr(polname,0,len-4); \
   2.174 +	           }                                   \
   2.175 +	         } END {                               \
   2.176 +	           print polname                       \
   2.177 +	         }'`
   2.178 +}
   2.179 +
   2.180 +
   2.181 +# Get the SSID of a domain
   2.182 +# Parameters:
   2.183 +# 1st : domain ID, i.e. '1'
   2.184 +# Results
   2.185 +# If the ssid could be found, the variable 'ssid' will hold
   2.186 +# the currently used ssid in the hex format, i.e., '0x00010001'.
   2.187 +# The funtion returns '1' on success, '0' on failure
   2.188 +getSSIDUsingSecpolTool ()
   2.189 +{
   2.190 +	domid=$1
   2.191 +	export PATH=$PATH:.
   2.192 +	ssid=`secpol_tool getssid -d $domid -f | \
   2.193 +	        grep -E "SSID:" |          \
   2.194 +	        awk '{ print $4 }'`
   2.195 +
   2.196 +	if [ "$ssid" != "" ]; then
   2.197 +		return 1
   2.198 +	fi
   2.199 +	return 0
   2.200 +}
   2.201 +
   2.202 +
   2.203 +# Break the ssid identifier into its high and low values,
   2.204 +# which are equal to the secondary and primary policy references.
   2.205 +# Parameters:
   2.206 +# 1st: ssid to break into high and low value, i.e., '0x00010002'
   2.207 +# Results:
   2.208 +# The variable ssidlo_int and ssidhi_int will hold the low and
   2.209 +# high ssid values as integers.
   2.210 +getSSIDLOHI ()
   2.211 +{
   2.212 +	ssid=$1
   2.213 +	ssidlo_int=`echo $ssid | awk          \
   2.214 +	            '{                        \
   2.215 +	               len=length($0);        \
   2.216 +	               beg=substr($0,1,2);    \
   2.217 +	               if ( beg == "0x" ) {   \
   2.218 +	                   dig = len - 2;     \
   2.219 +	                   if (dig <= 0) {    \
   2.220 +	                     exit;            \
   2.221 +	                   }                  \
   2.222 +	                   if (dig > 4) {     \
   2.223 +	                     dig=4;           \
   2.224 +	                   }                  \
   2.225 +	                   lo=sprintf("0x%s",substr($0,len-dig+1,dig)); \
   2.226 +	                   print strtonum(lo);\
   2.227 +	               } else {               \
   2.228 +	                   lo=strtonum($0);   \
   2.229 +	                   if (lo < 65536) {  \
   2.230 +	                     print lo;        \
   2.231 +	                   } else {           \
   2.232 +	                     hi=lo;           \
   2.233 +	                     hi2= (hi / 65536);\
   2.234 +	                     hi2_str=sprintf("%d",hi2); \
   2.235 +	                     hi2=strtonum(hi2_str);\
   2.236 +	                     lo=hi-(hi2*65536); \
   2.237 +	                     printf("%d",lo); \
   2.238 +	                   }                  \
   2.239 +			}                     \
   2.240 +	            }'`
   2.241 +	ssidhi_int=`echo $ssid | awk          \
   2.242 +	            '{                        \
   2.243 +	               len=length($0);        \
   2.244 +	               beg=substr($0,1,2);    \
   2.245 +	               if ( beg == "0x" ) {   \
   2.246 +	                   dig = len - 2;     \
   2.247 +	                   if (dig <= 0 ||    \
   2.248 +	                     dig >  8) {      \
   2.249 +	                     exit;            \
   2.250 +	                   }                  \
   2.251 +	                   if (dig < 4) {     \
   2.252 +	                     print 0;         \
   2.253 +	                     exit;            \
   2.254 +	                   }                  \
   2.255 +	                   dig -= 4;          \
   2.256 +	                   hi=sprintf("0x%s",substr($0,len-4-dig+1,dig)); \
   2.257 +	                   print strtonum(hi);\
   2.258 +	               } else {               \
   2.259 +	                   hi=strtonum($0);   \
   2.260 +	                   if (hi >= 65536) { \
   2.261 +	                     hi = hi / 65536; \
   2.262 +	                     printf ("%d",hi);\
   2.263 +	                   } else {           \
   2.264 +	                     printf ("0");    \
   2.265 +	                   }                  \
   2.266 +	               }                      \
   2.267 +	            }'`
   2.268 +	if [ "$ssidhi_int" == "" -o \
   2.269 +	     "$ssidlo_int" == "" ]; then
   2.270 +		return 0;
   2.271 +	fi
   2.272 +	return 1
   2.273 +}
   2.274 +
   2.275 +
   2.276 +#Update the grub configuration file.
   2.277 +#Search for existing entries and replace the current
   2.278 +#policy entry with the policy passed to this script
   2.279 +#
   2.280 +#Arguments passed to this function
   2.281 +# 1st : the grub configuration file with full path
   2.282 +# 2nd : the binary policy file name, i.e. chwall.bin
   2.283 +# 3rd : the name or pattern of the linux kernel name to match
   2.284 +#       (this determines where the module entry will be made)
   2.285 +#
   2.286 +# The algorithm here is based on pattern matching
   2.287 +# and is working correctly if
   2.288 +# - under a title a line beginning with 'kernel' is found
   2.289 +#   whose following item ends with "xen.gz"
   2.290 +#   Example:  kernel /xen.gz dom0_mem=....
   2.291 +# - a module line matching the 3rd parameter is found
   2.292 +#
   2.293 +updateGrub ()
   2.294 +{
   2.295 +	grubconf=$1
   2.296 +	policyfile=$2
   2.297 +	linux=$3
   2.298 +
   2.299 +	tmpfile="/tmp/new_grub.conf"
   2.300 +
   2.301 +	cat $grubconf |                                \
   2.302 +	         awk -vpolicy=$policyfile              \
   2.303 +	             -vlinux=$linux '{                 \
   2.304 +	           if ( $1 == "title" ) {              \
   2.305 +	             kernelfound = 0;                  \
   2.306 +	             if ( policymaycome == 1 ){        \
   2.307 +	               printf ("\tmodule %s%s\n", path, policy);      \
   2.308 +	             }                                 \
   2.309 +	             policymaycome = 0;                \
   2.310 +	           }                                   \
   2.311 +	           else if ( $1 == "kernel" ) {        \
   2.312 +	             if ( match($2,"xen.gz$") ) {      \
   2.313 +	               path=substr($2,1,RSTART-1);     \
   2.314 +	               kernelfound = 1;                \
   2.315 +	             }                                 \
   2.316 +	           }                                   \
   2.317 +	           else if ( $1 == "module" &&         \
   2.318 +	                     kernelfound == 1 &&       \
   2.319 +	                     match($2,linux) ) {       \
   2.320 +	              policymaycome = 1;               \
   2.321 +	           }                                   \
   2.322 +	           else if ( $1 == "module" &&         \
   2.323 +	                     kernelfound == 1 &&       \
   2.324 +	                     policymaycome == 1 &&     \
   2.325 +	                     match($2,"[0-9a-zA-Z]*.bin$") ) { \
   2.326 +	              printf ("\tmodule %s%s\n", path, policy); \
   2.327 +	              policymaycome = 0;               \
   2.328 +	              kernelfound = 0;                 \
   2.329 +	              dontprint = 1;                   \
   2.330 +	           }                                   \
   2.331 +	           else if ( $1 == "" &&               \
   2.332 +	                     kernelfound == 1 &&       \
   2.333 +	                     policymaycome == 1) {     \
   2.334 +	              dontprint = 1;                   \
   2.335 +	           }                                   \
   2.336 +	           if (dontprint == 0) {               \
   2.337 +	             printf ("%s\n", $0);              \
   2.338 +	           }                                   \
   2.339 +	           dontprint = 0;                      \
   2.340 +	         } END {                               \
   2.341 +	           if ( policymaycome == 1 ) {         \
   2.342 +	             printf ("\tmodule %s%s\n", path, policy);  \
   2.343 +	           }                                   \
   2.344 +	         }' > $tmpfile
   2.345 +	if [ ! -r $tmpfile ]; then
   2.346 +		echo "Could not create temporary file! Aborting."
   2.347 +		exit -1
   2.348 +	fi
   2.349 +	mv -f $tmpfile $grubconf
   2.350 +}
   2.351 +
   2.352 +
   2.353 +# Display all the labels in a given mapfile
   2.354 +# Parameters
   2.355 +# 1st: Full or relative path to the policy's mapfile
   2.356 +showLabels ()
   2.357 +{
   2.358 +	mapfile=$1
   2.359 +	if [ ! -r "$mapfile" -o "$mapfile" == "" ]; then
   2.360 +		echo "Cannot read from vm configuration file $vmfile."
   2.361 +		return -1
   2.362 +	fi
   2.363 +
   2.364 +	getPrimaryPolicy $mapfile
   2.365 +	getSecondaryPolicy $mapfile
   2.366 +
   2.367 +	echo "The following labels are available:"
   2.368 +	let line=1
   2.369 +	while [ 1 ]; do
   2.370 +		ITEM=`cat $mapfile |         \
   2.371 +		      awk -vline=$line       \
   2.372 +		          -vprimary=$primary \
   2.373 +		      '{                     \
   2.374 +		         if ($1 == "LABEL->SSID" &&  \
   2.375 +		             $2 == "VM" &&           \
   2.376 +		             $3 == primary ) {       \
   2.377 +		           ctr++;                    \
   2.378 +		           if (ctr == line) {        \
   2.379 +		             print $4;               \
   2.380 +		           }                         \
   2.381 +		         }                           \
   2.382 +		       } END {                       \
   2.383 +		       }'`
   2.384 +
   2.385 +		if [ "$ITEM" == "" ]; then
   2.386 +			break
   2.387 +		fi
   2.388 +		if [ "$secondary" != "NULL" ]; then
   2.389 +			LABEL=`cat $mapfile |     \
   2.390 +			       awk -vitem=$ITEM   \
   2.391 +			       '{
   2.392 +			          if ($1 == "LABEL->SSID" && \
   2.393 +			              $2 == "VM" &&          \
   2.394 +			              $3 == "CHWALL" &&      \
   2.395 +			              $4 == item ) {         \
   2.396 +			            result = item;           \
   2.397 +			          }                          \
   2.398 +			        } END {                      \
   2.399 +			            print result             \
   2.400 +			        }'`
   2.401 +		else
   2.402 +			LABEL=$ITEM
   2.403 +		fi
   2.404 +
   2.405 +		if [ "$LABEL" != "" ]; then
   2.406 +			echo "$LABEL"
   2.407 +			found=1
   2.408 +		fi
   2.409 +		let line=line+1
   2.410 +	done
   2.411 +	if [ "$found" != "1" ]; then
   2.412 +		echo "No labels found."
   2.413 +	fi
   2.414 +}
   2.415 +
   2.416 +
   2.417 +# Get the default SSID given a mapfile and the policy name
   2.418 +# Parameters
   2.419 +# 1st: Full or relative path to the policy's mapfile
   2.420 +# 2nd: the name of the policy
   2.421 +getDefaultSsid ()
   2.422 +{
   2.423 +	mapfile=$1
   2.424 +	pol=$2
   2.425 +	RES=`cat $mapfile    \
   2.426 +	     awk -vpol=$pol  \
   2.427 +	      {              \
   2.428 +	        if ($1 == "LABEL->SSID" && \
   2.429 +	            $2 == "ANY"         && \
   2.430 +	            $3 == pol           && \
   2.431 +	            $4 == "DEFAULT"       ) {\
   2.432 +	              res=$5;                \
   2.433 +	        }                            \
   2.434 +	      } END {                        \
   2.435 +	        printf "%04x", strtonum(res) \
   2.436 +	     }'`
   2.437 +	echo "default NULL mapping is $RES"
   2.438 +	defaultssid=$RES
   2.439 +}
   2.440 +
   2.441 +
   2.442 +#Relabel a VM configuration file
   2.443 +# Parameters
   2.444 +# 1st: Full or relative path to the VM configuration file
   2.445 +# 2nd: The label to translate into an ssidref
   2.446 +# 3rd: Full or relative path to the policy's map file
   2.447 +# 4th: The mode this function is supposed to operate in:
   2.448 +#      'relabel' : Relabels the file without querying the user
   2.449 +#      other     : Prompts the user whether to proceed
   2.450 +relabel ()
   2.451 +{
   2.452 +	vmfile=$1
   2.453 +	label=$2
   2.454 +	mapfile=$3
   2.455 +	mode=$4
   2.456 +
   2.457 +	if [ ! -r "$vmfile" ]; then
   2.458 +		echo "Cannot read from vm configuration file $vmfile."
   2.459 +		return -1
   2.460 +	fi
   2.461 +
   2.462 +	if [ ! -w "$vmfile" ]; then
   2.463 +		echo "Cannot write to vm configuration file $vmfile."
   2.464 +		return -1
   2.465 +	fi
   2.466 +
   2.467 +	if [ ! -r "$mapfile" ] ; then
   2.468 +		echo "Cannot read mapping file $mapfile."
   2.469 +		return -1
   2.470 +	fi
   2.471 +
   2.472 +	# Determine which policy is primary, which sec.
   2.473 +	getPrimaryPolicy $mapfile
   2.474 +	getSecondaryPolicy $mapfile
   2.475 +
   2.476 +	# Calculate the primary policy's SSIDREF
   2.477 +	if [ "$primary" == "NULL" ]; then
   2.478 +		SSIDLO="0001"
   2.479 +	else
   2.480 +		SSIDLO=`cat $mapfile |                    \
   2.481 +		        awk -vlabel=$label                \
   2.482 +		            -vprimary=$primary            \
   2.483 +		           '{                             \
   2.484 +		              if ( $1 == "LABEL->SSID" && \
   2.485 +		                   $2 == "VM" &&          \
   2.486 +		                   $3 == primary  &&      \
   2.487 +		                   $4 == label ) {        \
   2.488 +		                result=$5                 \
   2.489 +		              }                           \
   2.490 +		           } END {                        \
   2.491 +		             if (result != "" )           \
   2.492 +		               {printf "%04x", strtonum(result)}\
   2.493 +		           }'`
   2.494 +	fi
   2.495 +
   2.496 +	# Calculate the secondary policy's SSIDREF
   2.497 +	if [ "$secondary" == "NULL" ]; then
   2.498 +		if [ "$primary" == "NULL" ]; then
   2.499 +			SSIDHI="0001"
   2.500 +		else
   2.501 +			SSIDHI="0000"
   2.502 +		fi
   2.503 +	else
   2.504 +		SSIDHI=`cat $mapfile |                    \
   2.505 +		        awk -vlabel=$label                \
   2.506 +		            -vsecondary=$secondary        \
   2.507 +		           '{                             \
   2.508 +		              if ( $1 == "LABEL->SSID" && \
   2.509 +		                   $2 == "VM"          && \
   2.510 +		                   $3 == secondary     && \
   2.511 +		                   $4 == label ) {        \
   2.512 +		                result=$5                 \
   2.513 +		              }                           \
   2.514 +		            }  END {                      \
   2.515 +		              if (result != "" )          \
   2.516 +		                {printf "%04x", strtonum(result)}\
   2.517 +		            }'`
   2.518 +	fi
   2.519 +
   2.520 +	if [ "$SSIDLO" == "" -o \
   2.521 +	     "$SSIDHI" == "" ]; then
   2.522 +		echo "Could not map the given label '$label'."
   2.523 +		return -1
   2.524 +	fi
   2.525 +
   2.526 +	ACM_POLICY=`cat $mapfile |             \
   2.527 +	    awk ' { if ( $1 == "POLICY" ) {    \
   2.528 +	              result=$2                \
   2.529 +	            }                          \
   2.530 +	          }                            \
   2.531 +	          END {                        \
   2.532 +	            if (result != "") {        \
   2.533 +	              printf result            \
   2.534 +	            }                          \
   2.535 +	          }'`
   2.536 +
   2.537 +	if [ "$ACM_POLICY" == "" ]; then
   2.538 +		echo "Could not find 'POLICY' entry in map file."
   2.539 +		return -1
   2.540 +	fi
   2.541 +
   2.542 +	SSIDREF="0x$SSIDHI$SSIDLO"
   2.543 +
   2.544 +	if [ "$mode" != "relabel" ]; then
   2.545 +		RES=`cat $vmfile |  \
   2.546 +		     awk '{         \
   2.547 +		       if ( substr($1,0,7) == "ssidref" ) {\
   2.548 +		         print $0;             \
   2.549 +		       }                       \
   2.550 +		     }'`
   2.551 +		if [ "$RES" != "" ]; then
   2.552 +			echo "Do you want to overwrite the existing mapping ($RES)? (y/N)"
   2.553 +			read user
   2.554 +			if [ "$user" != "y" -a "$user" != "Y" ]; then
   2.555 +				echo "Aborted."
   2.556 +				return 0
   2.557 +			fi
   2.558 +		fi
   2.559 +	fi
   2.560 +
   2.561 +	#Write the output
   2.562 +	vmtmp1="/tmp/__setlabel.tmp1"
   2.563 +	vmtmp2="/tmp/__setlabel.tmp2"
   2.564 +	touch $vmtmp1
   2.565 +	touch $vmtmp2
   2.566 +	if [ ! -w "$vmtmp1" -o ! -w "$vmtmp2" ]; then
   2.567 +		echo "Cannot create temporary files. Aborting."
   2.568 +		return -1
   2.569 +	fi
   2.570 +	RES=`sed -e '/^#ACM_POLICY/d' $vmfile > $vmtmp1`
   2.571 +	RES=`sed -e '/^#ACM_LABEL/d' $vmtmp1 > $vmtmp2`
   2.572 +	RES=`sed -e '/^ssidref/d' $vmtmp2 > $vmtmp1`
   2.573 +	echo "#ACM_POLICY=$ACM_POLICY" >> $vmtmp1
   2.574 +	echo "#ACM_LABEL=$label" >> $vmtmp1
   2.575 +	echo "ssidref = $SSIDREF" >> $vmtmp1
   2.576 +	mv -f $vmtmp1 $vmfile
   2.577 +	rm -rf $vmtmp1 $vmtmp2
   2.578 +	echo "Mapped label '$label' to ssidref '$SSIDREF'."
   2.579 +}
   2.580 +
   2.581 +
   2.582 +# Translate an ssidref into its label. This does the reverse lookup
   2.583 +# to the relabel function above.
   2.584 +# This function displays the results.
   2.585 +# Parameters:
   2.586 +# 1st: The ssidref to translate; must be in the form '0x00010002'
   2.587 +# 2nd: Full or relative path to the policy's mapfile
   2.588 +translateSSIDREF ()
   2.589 +{
   2.590 +	ssidref=$1
   2.591 +	mapfile=$2
   2.592 +
   2.593 +	if [ ! -r "$mapfile" -o "$mapfile" == "" ]; then
   2.594 +		echo "Cannot read from vm configuration file $vmfile."
   2.595 +		return -1
   2.596 +	fi
   2.597 +
   2.598 +	getPrimaryPolicy $mapfile
   2.599 +	getSecondaryPolicy $mapfile
   2.600 +
   2.601 +	if [ "$primary" == "NULL" -a "$secondary" == "NULL" ]; then
   2.602 +		echo "There are no labels for the NULL policy."
   2.603 +		return
   2.604 +	fi
   2.605 +
   2.606 +	getSSIDLOHI $ssidref
   2.607 +	ret=$?
   2.608 +	if [ $ret -ne 1 ]; then
   2.609 +		echo "Error while parsing the ssid ref number '$ssidref'."
   2.610 +	fi;
   2.611 +
   2.612 +	let line1=0
   2.613 +	let line2=0
   2.614 +	while [ 1 ]; do
   2.615 +		ITEM1=`cat $mapfile |                       \
   2.616 +		      awk -vprimary=$primary                \
   2.617 +		          -vssidlo=$ssidlo_int              \
   2.618 +		          -vline=$line1                     \
   2.619 +		      '{                                    \
   2.620 +		         if ( $1 == "LABEL->SSID" &&        \
   2.621 +		              $3 == primary &&              \
   2.622 +		              int($5) == ssidlo     ) {     \
   2.623 +		             if (l == line) {               \
   2.624 +		                 print $4;                  \
   2.625 +		                 exit;                      \
   2.626 +		             }                              \
   2.627 +		             l++;                           \
   2.628 +		         }                                  \
   2.629 +		       }'`
   2.630 +
   2.631 +		ITEM2=`cat $mapfile |                       \
   2.632 +		      awk -vsecondary=$secondary            \
   2.633 +		          -vssidhi=$ssidhi_int              \
   2.634 +		          -vline=$line2                     \
   2.635 +		      '{                                    \
   2.636 +		         if ( $1 == "LABEL->SSID" &&        \
   2.637 +		              $3 == secondary &&            \
   2.638 +		              int($5) == ssidhi     ) {     \
   2.639 +		             if (l == line) {               \
   2.640 +		                 print $4;                  \
   2.641 +		                 exit;                      \
   2.642 +		             }                              \
   2.643 +		             l++;                           \
   2.644 +		         }                                  \
   2.645 +		       }'`
   2.646 +
   2.647 +		if [ "$secondary" != "NULL" ]; then
   2.648 +			if [ "$ITEM1" == "" ]; then
   2.649 +				let line1=0
   2.650 +				let line2=line2+1
   2.651 +			else
   2.652 +				let line1=line1+1
   2.653 +			fi
   2.654 +
   2.655 +			if [ "$ITEM1" == "" -a \
   2.656 +			     "$ITEM2" == "" ]; then
   2.657 +				echo "Could not determine the referenced label."
   2.658 +				break
   2.659 +			fi
   2.660 +
   2.661 +			if [ "$ITEM1" == "$ITEM2" ]; then
   2.662 +				echo "Label: $ITEM1"
   2.663 +				break
   2.664 +			fi
   2.665 +		else
   2.666 +			if [ "$ITEM1" != "" ]; then
   2.667 +				echo "Label: $ITEM1"
   2.668 +			else
   2.669 +				if [ "$found" == "0" ]; then
   2.670 +					found=1
   2.671 +				else
   2.672 +					break
   2.673 +				fi
   2.674 +			fi
   2.675 +			let line1=line1+1
   2.676 +		fi
   2.677 +	done
   2.678 +}
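Review bot: updateGrub builds the new boot configuration in the fixed path `/tmp/new_grub.conf` and then moves it over grub.conf, and relabel does the same with `/tmp/__setlabel.tmp1` and `/tmp/__setlabel.tmp2`; because those names are predictable and live in a world-writable directory, another local user can create them first (as a symlink or as a file they own), and a privileged run would then write through it or install content it did not produce. Both functions should get their scratch file from mktemp in the target's own directory and confirm the rewrite succeeded before the `mv -f`; the existing `-r $tmpfile` test passes for any readable file, including an empty or pre-existing one. The updateGrub tail is sketched below, and relabel needs the same change for its two files. Separately, getDefaultSsid has no `|` after `cat $mapfile` and no opening quote before the awk program, so it does not look runnable as written, and translateSSIDREF prints the getSSIDLOHI parse error but continues into the lookup loop instead of returning.

```sh
updateGrub ()
{
	# … unchanged: grubconf, policyfile and linux assignments …

	# Scratch file with an unpredictable name, created beside grub.conf
	# so the final mv is a rename within one filesystem.
	tmpfile=`mktemp "$grubconf.XXXXXX"`
	if [ $? -ne 0 -o "$tmpfile" == "" ]; then
		echo "Could not create temporary file! Aborting."
		exit -1
	fi

	# … unchanged: cat "$grubconf" | awk program, ending in }' > "$tmpfile" …

	if [ $? -ne 0 -o ! -s "$tmpfile" ]; then
		rm -f "$tmpfile"
		echo "Could not rewrite $grubconf! Aborting."
		exit -1
	fi
	mv -f "$tmpfile" "$grubconf"
```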