ia64/xen-unstable

changeset 14879:186e2cf99bbb

[security] When building the binary policy align its contents the same way as the
ACM module does when returning its contents.
Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
author Keir Fraser <keir@xensource.com>
date Thu Apr 19 19:29:19 2007 +0100 (2007-04-19)
parents 438f3a016fd8
children ed6de46738fd
files tools/security/secpol_tool.c tools/security/secpol_xml2bin.c
line diff
     1.1 --- a/tools/security/secpol_tool.c	Thu Apr 19 19:22:12 2007 +0100
     1.2 +++ b/tools/security/secpol_tool.c	Thu Apr 19 19:29:19 2007 +0100
     1.3 @@ -43,8 +43,6 @@
     1.4  fprintf(stderr, "ERROR: " _m " (%d = %s)\n" , ## _a ,	\
     1.5                  errno, strerror(errno))
     1.6  
     1.7 -#define ALIGN8(x)  (void *)(((long)(x) + 7) & ~7)
     1.8 -
     1.9  void usage(char *progname)
    1.10  {
    1.11      printf("Usage: %s ACTION\n"
    1.12 @@ -192,15 +190,14 @@ void acm_dump_policy_buffer(void *buf, i
    1.13             ntohl(pol->secondary_buffer_offset));
    1.14      switch (ntohl(pol->primary_policy_code)) {
    1.15      case ACM_CHINESE_WALL_POLICY:
    1.16 -        acm_dump_chinesewall_buffer(ALIGN8(buf +
    1.17 -                                     ntohl(pol->primary_buffer_offset)),
    1.18 +        acm_dump_chinesewall_buffer(buf + ntohl(pol->primary_buffer_offset),
    1.19                                      ntohl(pol->len) -
    1.20                                      ntohl(pol->primary_buffer_offset),
    1.21                                      chwall_ref);
    1.22          break;
    1.23  
    1.24      case ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY:
    1.25 -        acm_dump_ste_buffer(ALIGN8(buf + ntohl(pol->primary_buffer_offset)),
    1.26 +        acm_dump_ste_buffer(buf + ntohl(pol->primary_buffer_offset),
    1.27                              ntohl(pol->len) -
    1.28                              ntohl(pol->primary_buffer_offset),
    1.29                              ste_ref);
    1.30 @@ -216,15 +213,14 @@ void acm_dump_policy_buffer(void *buf, i
    1.31  
    1.32      switch (ntohl(pol->secondary_policy_code)) {
    1.33      case ACM_CHINESE_WALL_POLICY:
    1.34 -        acm_dump_chinesewall_buffer(ALIGN8(buf +
    1.35 -                                     ntohl(pol->secondary_buffer_offset)),
    1.36 +        acm_dump_chinesewall_buffer(buf + ntohl(pol->secondary_buffer_offset),
    1.37                                      ntohl(pol->len) -
    1.38                                      ntohl(pol->secondary_buffer_offset),
    1.39                                      chwall_ref);
    1.40          break;
    1.41  
    1.42      case ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY:
    1.43 -        acm_dump_ste_buffer(ALIGN8(buf + ntohl(pol->secondary_buffer_offset)),
    1.44 +        acm_dump_ste_buffer(buf + ntohl(pol->secondary_buffer_offset),
    1.45                              ntohl(pol->len) -
    1.46                              ntohl(pol->secondary_buffer_offset),
    1.47                              ste_ref);
     2.1 --- a/tools/security/secpol_xml2bin.c	Thu Apr 19 19:22:12 2007 +0100
     2.2 +++ b/tools/security/secpol_xml2bin.c	Thu Apr 19 19:29:19 2007 +0100
     2.3 @@ -46,6 +46,8 @@
     2.4  
     2.5  #define NULL_LABEL_NAME "__NULL_LABEL__"
     2.6  
     2.7 +#define ROUND8(x)   ((x + 7) & ~7)
     2.8 +
     2.9  /* primary / secondary policy component setting */
    2.10  enum policycomponent { CHWALL, STE, NULLPOLICY }
    2.11      primary = NULLPOLICY, secondary = NULLPOLICY;
    2.12 @@ -1152,6 +1154,19 @@ unsigned char *write_ste_binary(u_int32_
    2.13      return buf;                 /* for now */
    2.14  }
    2.15  
    2.16 +static ssize_t write_padded(int fd, const void *buf, size_t count)
    2.17 +{
    2.18 +    int rc;
    2.19 +    static const char padding[7] = {0,0,0,0,0,0,0};
    2.20 +    unsigned int len = ROUND8(count) - count;
    2.21 +
    2.22 +    rc = write(fd, buf, count);
    2.23 +    if (rc == count && len > 0) {
    2.24 +        write(fd, padding, len);
    2.25 +    }
    2.26 +    return rc;
    2.27 +}
    2.28 +
    2.29  int write_binary(char *filename)
    2.30  {
    2.31      struct acm_policy_buffer header;
    2.32 @@ -1183,35 +1198,37 @@ int write_binary(char *filename)
    2.33      header.xml_pol_version.major = htonl(major);
    2.34      header.xml_pol_version.minor = htonl(minor);
    2.35  
    2.36 -    len = sizeof(struct acm_policy_buffer);
    2.37 +    len = ROUND8(sizeof(struct acm_policy_buffer));
    2.38      if (have_chwall)
    2.39 -        len += len_chwall;
    2.40 +        len += ROUND8(len_chwall);
    2.41      if (have_ste)
    2.42 -        len += len_ste;
    2.43 -    len += len_pr;              /* policy reference is mandatory */
    2.44 +        len += ROUND8(len_ste);
    2.45 +    len += ROUND8(len_pr);           /* policy reference is mandatory */
    2.46      header.len = htonl(len);
    2.47  
    2.48      header.policy_reference_offset =
    2.49 -        htonl(sizeof(struct acm_policy_buffer));
    2.50 +        htonl(ROUND8(sizeof(struct acm_policy_buffer)));
    2.51  
    2.52      header.primary_buffer_offset =
    2.53 -        htonl(sizeof(struct acm_policy_buffer) + len_pr);
    2.54 +        htonl(ROUND8(sizeof(struct acm_policy_buffer)) +
    2.55 +              ROUND8(len_pr));
    2.56      if (primary == CHWALL) {
    2.57          header.primary_policy_code = htonl(ACM_CHINESE_WALL_POLICY);
    2.58          header.secondary_buffer_offset =
    2.59 -            htonl((sizeof(struct acm_policy_buffer)) + len_pr +
    2.60 -                  len_chwall);
    2.61 +            htonl(ROUND8(sizeof(struct acm_policy_buffer)) +
    2.62 +                  ROUND8(len_pr) +
    2.63 +                  ROUND8(len_chwall));
    2.64      } else if (primary == STE) {
    2.65          header.primary_policy_code =
    2.66              htonl(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY);
    2.67          header.secondary_buffer_offset =
    2.68 -            htonl((sizeof(struct acm_policy_buffer)) + len_pr +
    2.69 -                  len_ste);
    2.70 +            htonl(ROUND8(sizeof(struct acm_policy_buffer)) +
    2.71 +                  ROUND8(len_pr) +
    2.72 +                  ROUND8(len_ste));
    2.73      } else {
    2.74          /* null policy */
    2.75          header.primary_policy_code = htonl(ACM_NULL_POLICY);
    2.76 -        header.secondary_buffer_offset =
    2.77 -            htonl(header.primary_buffer_offset);
    2.78 +        header.secondary_buffer_offset = header.primary_buffer_offset;
    2.79      }
    2.80  
    2.81      if (secondary == CHWALL)
    2.82 @@ -1222,25 +1239,25 @@ int write_binary(char *filename)
    2.83      else
    2.84          header.secondary_policy_code = htonl(ACM_NULL_POLICY);
    2.85  
    2.86 -    if (write(fd, (void *) &header, sizeof(struct acm_policy_buffer))
    2.87 +    if (write_padded(fd, (void *) &header, sizeof(struct acm_policy_buffer))
    2.88          != sizeof(struct acm_policy_buffer)) {
    2.89          ret = -EIO;
    2.90          goto out1;
    2.91      }
    2.92  
    2.93      /* write label reference name */
    2.94 -    if (write(fd, policy_reference_buffer, len_pr) != len_pr) {
    2.95 +    if (write_padded(fd, policy_reference_buffer, len_pr) != len_pr) {
    2.96          ret = -EIO;
    2.97          goto out1;
    2.98      }
    2.99      /* write primary policy component */
   2.100      if (primary == CHWALL) {
   2.101 -        if (write(fd, chwall_buffer, len_chwall) != len_chwall) {
   2.102 +        if (write_padded(fd, chwall_buffer, len_chwall) != len_chwall) {
   2.103              ret = -EIO;
   2.104              goto out1;
   2.105          }
   2.106      } else if (primary == STE) {
   2.107 -        if (write(fd, ste_buffer, len_ste) != len_ste) {
   2.108 +        if (write_padded(fd, ste_buffer, len_ste) != len_ste) {
   2.109              ret = -EIO;
   2.110              goto out1;
   2.111          }
   2.112 @@ -1248,12 +1265,12 @@ int write_binary(char *filename)
   2.113  
   2.114      /* write secondary policy component */
   2.115      if (secondary == CHWALL) {
   2.116 -        if (write(fd, chwall_buffer, len_chwall) != len_chwall) {
   2.117 +        if (write_padded(fd, chwall_buffer, len_chwall) != len_chwall) {
   2.118              ret = -EIO;
   2.119              goto out1;
   2.120          }
   2.121      } else if (secondary == STE) {
   2.122 -        if (write(fd, ste_buffer, len_ste) != len_ste) {
   2.123 +        if (write_padded(fd, ste_buffer, len_ste) != len_ste) {
   2.124              ret = -EIO;
   2.125              goto out1;
   2.126          }