
changeset 9834:37da8dd5d43e

This patch deletes the old shell-based security tools.

Signed-off by: Reiner Sailer <sailer@us.ibm.com>
author smh22@firebug.cl.cam.ac.uk
date Mon Apr 24 10:54:47 2006 +0100 (2006-04-24)
parents 65ce9bf4a86f
children cf20dbbf5c2b
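--- a/tools/security/get_decision.c
+++ /dev/null
@@ -1,176 +0,0 @@
-/****************************************************************
- * get_decision.c
- *
- * Copyright (C) 2005 IBM Corporation
- *
- * Authors:
- * Reiner Sailer <sailer@watson.ibm.com>
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License as
- * published by the Free Software Foundation, version 2 of the
- * License.
- *
- * An example program that shows how to retrieve an access control
- * decision from the hypervisor ACM based on the currently active policy.
- *
- */
-
-#include <unistd.h>
-#include <stdio.h>
-#include <errno.h>
-#include <fcntl.h>
-#include <getopt.h>
-#include <sys/mman.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <stdlib.h>
-#include <sys/ioctl.h>
-#include <string.h>
-#include <netinet/in.h>
-#include <xen/acm.h>
-#include <xen/acm_ops.h>
-#include <xen/linux/privcmd.h>
-
-#define PERROR(_m, _a...) \
-fprintf(stderr, "ERROR: " _m " (%d = %s)\n" , ## _a ,	\
-                errno, strerror(errno))
-
-void usage(char *progname)
-{
-    printf("Use: %s \n", progname);
-    printf(" Test program illustrating the retrieval of\n");
-    printf(" access control decisions from xen. At this time,\n");
-    printf(" only sharing (STE) policy decisions are supported.\n");
-    printf(" parameter options:\n");
-    printf("\t -i domid -i domid\n");
-    printf("\t -i domid -s ssidref\n");
-    printf("\t -s ssidref -s ssidref\n\n");
-    exit(-1);
-}
-
-static inline int do_policycmd(int xc_handle, unsigned int cmd,
-                               unsigned long data)
-{
-    return ioctl(xc_handle, cmd, data);
-}
-
-static inline int do_xen_hypercall(int xc_handle,
-                                   privcmd_hypercall_t * hypercall)
-{
-    return do_policycmd(xc_handle,
-                        IOCTL_PRIVCMD_HYPERCALL,
-                        (unsigned long) hypercall);
-}
-
-static inline int do_acm_op(int xc_handle, struct acm_op *op)
-{
-    int ret = -1;
-    privcmd_hypercall_t hypercall;
-
-    op->interface_version = ACM_INTERFACE_VERSION;
-
-    hypercall.op = __HYPERVISOR_acm_op;
-    hypercall.arg[0] = (unsigned long) op;
-
-    if (mlock(op, sizeof(*op)) != 0) {
-        PERROR("Could not lock memory for Xen policy hypercall");
-        goto out1;
-    }
-
-    if ((ret = do_xen_hypercall(xc_handle, &hypercall)) < 0) {
-        if (errno == EACCES)
-            fprintf(stderr, "ACM operation failed -- need to"
-                    " rebuild the user-space tool set?\n");
-        goto out2;
-    }
-
-  out2:(void) munlock(op, sizeof(*op));
-  out1:return ret;
-}
-
-
-/************************ get decision ******************************/
-
-/* this example uses two domain ids and retrieves the decision if these domains
- * can share information (useful, i.e., to enforce policy onto network traffic in dom0
- */
-int acm_get_decision(int xc_handle, int argc, char *const argv[])
-{
-    struct acm_op op;
-    int ret;
-
-    op.cmd = ACM_GETDECISION;
-    op.interface_version = ACM_INTERFACE_VERSION;
-    op.u.getdecision.get_decision_by1 = UNSET;
-    op.u.getdecision.get_decision_by2 = UNSET;
-    op.u.getdecision.hook = SHARING;
-
-    while (1) {
-        int c = getopt(argc, argv, "i:s:");
-        if (c == -1)
-            break;
-
-        if (c == 'i') {
-            if (op.u.getdecision.get_decision_by1 == UNSET) {
-                op.u.getdecision.get_decision_by1 = DOMAINID;
-                op.u.getdecision.id1.domainid = strtoul(optarg, NULL, 0);
-            } else if (op.u.getdecision.get_decision_by2 == UNSET) {
-                op.u.getdecision.get_decision_by2 = DOMAINID;
-                op.u.getdecision.id2.domainid = strtoul(optarg, NULL, 0);
-            } else
-                usage(argv[0]);
-        } else if (c == 's') {
-            if (op.u.getdecision.get_decision_by1 == UNSET) {
-                op.u.getdecision.get_decision_by1 = SSIDREF;
-                op.u.getdecision.id1.ssidref = strtoul(optarg, NULL, 0);
-            } else if (op.u.getdecision.get_decision_by2 == UNSET) {
-                op.u.getdecision.get_decision_by2 = SSIDREF;
-                op.u.getdecision.id2.ssidref = strtoul(optarg, NULL, 0);
-            } else
-                usage(argv[0]);
-        } else
-            usage(argv[0]);
-    }
-    if ((op.u.getdecision.get_decision_by1 == UNSET) ||
-        (op.u.getdecision.get_decision_by2 == UNSET))
-        usage(argv[0]);
-
-    if ((ret = do_acm_op(xc_handle, &op))) {
-        printf("%s: Error getting decision (%d).\n", __func__, ret);
-        printf("%s: decision = %s.\n", __func__,
-               (op.u.getdecision.acm_decision ==
-                ACM_ACCESS_PERMITTED) ? "PERMITTED" : ((op.u.getdecision.
-                                                        acm_decision ==
-                                                        ACM_ACCESS_DENIED)
-                                                       ? "DENIED" :
-                                                       "ERROR"));
-        return ret;
-    }
-    return op.u.getdecision.acm_decision;
-}
-
-/***************************** main **************************************/
-
-int main(int argc, char **argv)
-{
-
-    int acm_cmd_fd, ret = 0;
-
-    if (argc < 5)
-        usage(argv[0]);
-
-    if ((acm_cmd_fd = open("/proc/xen/privcmd", O_RDONLY)) <= 0) {
-        printf("ERROR: Could not open xen privcmd device!\n");
-        exit(-1);
-    }
-
-    ret = acm_get_decision(acm_cmd_fd, argc, argv);
-
-    printf("Decision: %s (%d)\n",
-           (ret == ACM_ACCESS_PERMITTED) ? "PERMITTED" :
-           ((ret == ACM_ACCESS_DENIED) ? "DENIED" : "ERROR"), ret);
-
-    close(acm_cmd_fd);
-    return ret;
-}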
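--- a/tools/security/getlabel.sh
+++ /dev/null
@@ -1,94 +0,0 @@
-#!/bin/sh
-# *
-# * getlabel
-# *
-# * Copyright (C) 2005 IBM Corporation
-# *
-# * Authors:
-# * Stefan Berger <stefanb@us.ibm.com>
-# *
-# * This program is free software; you can redistribute it and/or
-# * modify it under the terms of the GNU General Public License as
-# * published by the Free Software Foundation, version 2 of the
-# * License.
-# *
-# * 'getlabel' tries to find the labels corresponding to the ssidref
-# *
-# * 'getlabel -?' shows the usage of the program
-# *
-# * 'getlabel -sid <ssidref> [<policy name>]' lists the label corresponding
-# *                              to the given ssidref.
-# *
-# * 'getlabel -dom <domain id> [<policy name>]' lists the label of the
-# *                              domain with given id
-# *
-#
-
-if [ -z "$runbash" ]; then
-	runbash="1"
-	export runbash
-	exec sh -c "bash $0 $*"
-fi
-
-
-export PATH=$PATH:.
-dir=`dirname $0`
-source $dir/labelfuncs.sh
-
-usage ()
-{
-	prg=`basename $0`
-echo "Use this tool to display the label of a domain or the label that is
-corresponding to an ssidref given the name of the running policy.
-
-Usage: $prg -sid <ssidref> [<policy name> [<policy dir>]] or
-       $prg -dom <domid>   [<policy name> [<policy dir>]]
-
-policy name : the name of the policy, i.e. 'chwall'
-              If the policy name is omitted, the grub.conf
-              entry of the running system is tried to be read
-              and the policy name determined from there.
-policy dir  : the directory where the <policy name> policy is located
-              The default location is '/etc/xen/acm-security/policies'
-ssidref     : an ssidref in hex or decimal format, i.e., '0x00010002'
-              or '65538'
-domid       : id of the domain, i.e., '1'; Use numbers from the 2nd
-              column shown when invoking 'xm list'
-"
-}
-
-
-
-if [ "$1" == "-h" ]; then
-	usage
-	exit 0
-elif [ "$1" == "-dom" ]; then
-	mode="domid"
-	shift
-elif [ "$1" == "-sid" ]; then
-	mode="sid"
-	shift
-else
-	usage
-	exit -1
-fi
-
-setPolicyVars $2 $3
-findMapFile $policy $policydir
-ret=$?
-if [ $ret -eq 0 ]; then
-	echo "Could not find map file for policy '$policy'."
-	exit -1
-fi
-
-if [ "$mode" == "domid" ]; then
-	getSSIDUsingSecpolTool $1
-	ret=$?
-	if [ $ret -eq 0 ]; then
-		echo "Could not determine the SSID of the domain."
-		exit -1
-	fi
-	translateSSIDREF $ssid $mapfile
-else # mode == sid
-	translateSSIDREF $1 $mapfile
-fi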
     3.1 --- a/tools/security/labelfuncs.sh	Mon Apr 24 10:52:19 2006 +0100
     3.2 +++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
     3.3 @@ -1,799 +0,0 @@
     3.4 -# *
     3.5 -# * labelfuncs.sh
     3.6 -# *
     3.7 -# * Copyright (C) 2005 IBM Corporation
     3.8 -# *
     3.9 -# * Authors:
    3.10 -# * Stefan Berger <stefanb@us.ibm.com>
    3.11 -# *
    3.12 -# * This program is free software; you can redistribute it and/or
    3.13 -# * modify it under the terms of the GNU General Public License as
    3.14 -# * published by the Free Software Foundation, version 2 of the
    3.15 -# * License.
    3.16 -# *
    3.17 -# *
    3.18 -# * A collection of functions to handle polcies, mapfiles,
    3.19 -# * and ssidrefs.
    3.20 -#
    3.21 -
    3.22 -
    3.23 -#Some global variables for tools using this module
    3.24 -ACM_DEFAULT_ROOT="/etc/xen/acm-security"
    3.25 -
    3.26 -# Set the policy and policydir variables
    3.27 -# Parameters:
    3.28 -# 1st : possible policy name
    3.29 -# 2nd : possible policy directory
    3.30 -# Results:
    3.31 -# The variables policy and policydir will hold the values for locating
    3.32 -# policy information
    3.33 -# If there are no errors, the functions returns a '1',
    3.34 -# a '0' otherwise.
    3.35 -setPolicyVars ()
    3.36 -{
    3.37 -	local ret
    3.38 -	# Set default values
    3.39 -	policydir="$ACM_DEFAULT_ROOT/policies"
    3.40 -	policy=""
    3.41 -
    3.42 -	if [ "$1" == "" ]; then
    3.43 -		findGrubConf
    3.44 -		ret=$?
    3.45 -		if [ $ret -eq 0 ]; then
    3.46 -			echo "Could not find grub.conf."
    3.47 -			return 0;
    3.48 -		fi
    3.49 -		findPolicyInGrub $grubconf
    3.50 -		if [ "$policy" == "" ]; then
    3.51 -			echo "Could not find policy in grub.conf. Looked for entry using kernel $linux."
    3.52 -			return 0;
    3.53 -		fi
    3.54 -		echo "Assuming policy to be '$policy'.";
    3.55 -	else
    3.56 -		policy=$1
    3.57 -		if [ "$2" != "" ]; then
    3.58 -			policydir=$2
    3.59 -		fi
    3.60 -	fi
    3.61 -
    3.62 -	return 1
    3.63 -}
    3.64 -
    3.65 -# Find the mapfile given a policy nmame
    3.66 -# Parameters:
    3.67 -# 1st : the name of the policy whose map file is to be found, i.e.,
    3.68 -#       chwall
    3.69 -# 2nd : the policy directory for locating the map file
    3.70 -# Results:
    3.71 -# The variable mapfile will hold the realtive path to the mapfile
    3.72 -# for the given policy.
    3.73 -# In case the mapfile could be found, the functions returns a '1',
    3.74 -# a '0' otherwise.
    3.75 -findMapFile ()
    3.76 -{
    3.77 -	mapfile="$2/$1/$1.map"
    3.78 -	if [ -r "$mapfile" ]; then
    3.79 -		return 1
    3.80 -	fi
    3.81 -	return 0
    3.82 -}
    3.83 -
    3.84 -
    3.85 -# Determine the name of the primary policy
    3.86 -# Parameters
    3.87 -# 1st : the path to the mapfile; the path may be relative
    3.88 -#       to the current directory
    3.89 -# Results
    3.90 -# The variable primary will hold the name of the primary policy
    3.91 -getPrimaryPolicy ()
    3.92 -{
    3.93 -	local mapfile=$1
    3.94 -	primary=`cat $mapfile  |   \
    3.95 -	         awk '             \
    3.96 -	          {                \
    3.97 -	            if ( $1 == "PRIMARY" ) { \
    3.98 -	              res=$2;                \
    3.99 -	            }                        \
   3.100 -	          } END {                    \
   3.101 -	            print res;               \
   3.102 -	          } '`
   3.103 -}
   3.104 -
   3.105 -
   3.106 -# Determine the name of the secondary policy
   3.107 -# Parameters
   3.108 -# 1st : the path to the mapfile; the path may be relative
   3.109 -#       to the current directory
   3.110 -# Results
   3.111 -# The variable secondary will hold the name of the secondary policy
   3.112 -getSecondaryPolicy ()
   3.113 -{
   3.114 -	local mapfile=$1
   3.115 -	secondary=`cat $mapfile  |   \
   3.116 -	         awk '             \
   3.117 -	          {                \
   3.118 -	            if ( $1 == "SECONDARY" ) { \
   3.119 -	              res=$2;                \
   3.120 -	            }                        \
   3.121 -	          } END {                    \
   3.122 -	            print res;               \
   3.123 -	          } '`
   3.124 -}
   3.125 -
   3.126 -
   3.127 -#Return where the grub.conf file is.
   3.128 -#I only know of one place it can be.
   3.129 -#Returns:
   3.130 -# 1 : if the file is writeable and readable
   3.131 -# 2 : if the file is only readable
   3.132 -# 0 : if the file does not exist
   3.133 -findGrubConf()
   3.134 -{
   3.135 -	grubconf="/boot/grub/grub.conf"
   3.136 -	if [ -w $grubconf ]; then
   3.137 -		return 1
   3.138 -	fi
   3.139 -	if [ -r $grubconf ]; then
   3.140 -		return 2
   3.141 -	fi
   3.142 -	return 0
   3.143 -}
   3.144 -
   3.145 -
   3.146 -# This function sets the global variable 'linux'
   3.147 -# to the name and version of the Linux kernel that was compiled
   3.148 -# for domain 0.
   3.149 -# If this variable could not be found, the variable 'linux'
   3.150 -# will hold a pattern
   3.151 -# Parameters:
   3.152 -# 1st: the path to reach the root directory of the XEN build tree
   3.153 -#      where linux-*-xen is located at
   3.154 -# Results:
   3.155 -# The variable linux holds then name and version of the compiled
   3.156 -# kernel, i.e., 'vmlinuz-2.6.12-xen'
   3.157 -getLinuxVersion ()
   3.158 -{
   3.159 -	local path
   3.160 -	local versionfile
   3.161 -	local lnx
   3.162 -	if [ "$1" == "" ]; then
   3.163 -		path="/lib/modules/*-xen"
   3.164 -	else
   3.165 -		path="/lib/modules/$1"
   3.166 -	fi
   3.167 -
   3.168 -	linux=""
   3.169 -	for f in $path ; do
   3.170 -		versionfile=$f/build/include/linux/version.h
   3.171 -		if [ -r $versionfile ]; then
   3.172 -			lnx=`cat $versionfile | \
   3.173 -			     grep UTS_RELEASE | \
   3.174 -			     awk '{             \
   3.175 -			       len=length($3);  \
   3.176 -			       version=substr($3,2,len-2);     \
   3.177 -			       split(version,numbers,".");     \
   3.178 -			       if (numbers[4]=="") {           \
   3.179 -			         printf("%s.%s.%s",            \
   3.180 -			                 numbers[1],           \
   3.181 -			                 numbers[2],           \
   3.182 -			                 numbers[3]);          \
   3.183 -			       } else {                        \
   3.184 -			         printf("%s.%s.%s[.0-9]*-xen", \
   3.185 -			                numbers[1],            \
   3.186 -			                numbers[2],            \
   3.187 -			                numbers[3]);           \
   3.188 -			       }                               \
   3.189 -			     }'`
   3.190 -		fi
   3.191 -		if [ "$lnx" != "" ]; then
   3.192 -			linux="[./0-9a-zA-z]*$lnx"
   3.193 -			return;
   3.194 -		fi
   3.195 -	done
   3.196 -
   3.197 -	#Last resort.
   3.198 -	linux="vmlinuz-2.[45678].[0-9]*[.0-9]*-xen$"
   3.199 -}
   3.200 -
   3.201 -
   3.202 -# Find out with which policy the hypervisor was booted with.
   3.203 -# Parameters
   3.204 -# 1st : The complete path to grub.conf, i.e., /boot/grub/grub.conf
   3.205 -# Result:
   3.206 -# Sets the variable 'policy' to the name of the policy
   3.207 -findPolicyInGrub ()
   3.208 -{
   3.209 -	local grubconf=$1
   3.210 -	local linux=`uname -r`
   3.211 -	policy=`cat $grubconf |                        \
   3.212 -	         awk -vlinux=$linux '{                 \
   3.213 -	           if ( $1 == "title" ) {              \
   3.214 -	             kernelfound = 0;                  \
   3.215 -	             policymaycome = 0;                \
   3.216 -	           }                                   \
   3.217 -	           else if ( $1 == "kernel" ) {        \
   3.218 -	             if ( match($2,"xen.gz$") ) {      \
   3.219 -	               pathlen=RSTART;                 \
   3.220 -	               kernelfound = 1;                \
   3.221 -	             }                                 \
   3.222 -	           }                                   \
   3.223 -	           else if ( $1 == "module" &&         \
   3.224 -	                     kernelfound == 1 &&       \
   3.225 -	                     match($2,linux) ) {       \
   3.226 -	              policymaycome = 1;               \
   3.227 -	           }                                   \
   3.228 -	           else if ( $1 == "module" &&         \
   3.229 -	                     kernelfound == 1 &&       \
   3.230 -	                     policymaycome == 1 &&     \
   3.231 -	                     match($2,"[0-9a-zA-Z_]*.bin$") ) { \
   3.232 -	              policymaycome = 0;               \
   3.233 -	              kernelfound = 0;                 \
   3.234 -	              polname = substr($2,pathlen);    \
   3.235 -	              len=length(polname);             \
   3.236 -	              polname = substr(polname,0,len-4); \
   3.237 -	           }                                   \
   3.238 -	         } END {                               \
   3.239 -	           print polname                       \
   3.240 -	         }'`
   3.241 -}
   3.242 -
   3.243 -
   3.244 -# Get the SSID of a domain
   3.245 -# Parameters:
   3.246 -# 1st : domain ID, i.e. '1'
   3.247 -# Results
   3.248 -# If the ssid could be found, the variable 'ssid' will hold
   3.249 -# the currently used ssid in the hex format, i.e., '0x00010001'.
   3.250 -# The funtion returns '1' on success, '0' on failure
   3.251 -getSSIDUsingSecpolTool ()
   3.252 -{
   3.253 -	local domid=$1
   3.254 -	export PATH=$PATH:.
   3.255 -	ssid=`xensec_tool getssid -d $domid -f | \
   3.256 -	        grep -E "SSID:" |          \
   3.257 -	        awk '{ print $4 }'`
   3.258 -
   3.259 -	if [ "$ssid" != "" ]; then
   3.260 -		return 1
   3.261 -	fi
   3.262 -	return 0
   3.263 -}
   3.264 -
   3.265 -
   3.266 -# Break the ssid identifier into its high and low values,
   3.267 -# which are equal to the secondary and primary policy references.
   3.268 -# Parameters:
   3.269 -# 1st: ssid to break into high and low value, i.e., '0x00010002'
   3.270 -# Results:
   3.271 -# The variable ssidlo_int and ssidhi_int will hold the low and
   3.272 -# high ssid values as integers.
   3.273 -getSSIDLOHI ()
   3.274 -{
   3.275 -	local ssid=$1
   3.276 -	ssidlo_int=`echo $ssid | awk          \
   3.277 -	            '{                        \
   3.278 -	               len=length($0);        \
   3.279 -	               beg=substr($0,1,2);    \
   3.280 -	               if ( beg == "0x" ) {   \
   3.281 -	                   dig = len - 2;     \
   3.282 -	                   if (dig <= 0) {    \
   3.283 -	                     exit;            \
   3.284 -	                   }                  \
   3.285 -	                   if (dig > 4) {     \
   3.286 -	                     dig=4;           \
   3.287 -	                   }                  \
   3.288 -	                   lo=sprintf("0x%s",substr($0,len-dig+1,dig)); \
   3.289 -	                   print strtonum(lo);\
   3.290 -	               } else {               \
   3.291 -	                   lo=strtonum($0);   \
   3.292 -	                   if (lo < 65536) {  \
   3.293 -	                     print lo;        \
   3.294 -	                   } else {           \
   3.295 -	                     hi=lo;           \
   3.296 -	                     hi2= (hi / 65536);\
   3.297 -	                     hi2_str=sprintf("%d",hi2); \
   3.298 -	                     hi2=strtonum(hi2_str);\
   3.299 -	                     lo=hi-(hi2*65536); \
   3.300 -	                     printf("%d",lo); \
   3.301 -	                   }                  \
   3.302 -			}                     \
   3.303 -	            }'`
   3.304 -	ssidhi_int=`echo $ssid | awk          \
   3.305 -	            '{                        \
   3.306 -	               len=length($0);        \
   3.307 -	               beg=substr($0,1,2);    \
   3.308 -	               if ( beg == "0x" ) {   \
   3.309 -	                   dig = len - 2;     \
   3.310 -	                   if (dig <= 0 ||    \
   3.311 -	                     dig >  8) {      \
   3.312 -	                     exit;            \
   3.313 -	                   }                  \
   3.314 -	                   if (dig < 4) {     \
   3.315 -	                     print 0;         \
   3.316 -	                     exit;            \
   3.317 -	                   }                  \
   3.318 -	                   dig -= 4;          \
   3.319 -	                   hi=sprintf("0x%s",substr($0,len-4-dig+1,dig)); \
   3.320 -	                   print strtonum(hi);\
   3.321 -	               } else {               \
   3.322 -	                   hi=strtonum($0);   \
   3.323 -	                   if (hi >= 65536) { \
   3.324 -	                     hi = hi / 65536; \
   3.325 -	                     printf ("%d",hi);\
   3.326 -	                   } else {           \
   3.327 -	                     printf ("0");    \
   3.328 -	                   }                  \
   3.329 -	               }                      \
   3.330 -	            }'`
   3.331 -	if [ "$ssidhi_int" == "" -o \
   3.332 -	     "$ssidlo_int" == "" ]; then
   3.333 -		return 0;
   3.334 -	fi
   3.335 -	return 1
   3.336 -}
   3.337 -
   3.338 -
   3.339 -#Update the grub configuration file.
   3.340 -#Search for existing entries and replace the current
   3.341 -#policy entry with the policy passed to this script
   3.342 -#
   3.343 -#Arguments passed to this function
   3.344 -# 1st : the grub configuration file with full path
   3.345 -# 2nd : the binary policy file name, i.e. chwall.bin
   3.346 -# 3rd : the name or pattern of the linux kernel name to match
   3.347 -#       (this determines where the module entry will be made)
   3.348 -#
   3.349 -# The algorithm here is based on pattern matching
   3.350 -# and is working correctly if
   3.351 -# - under a title a line beginning with 'kernel' is found
   3.352 -#   whose following item ends with "xen.gz"
   3.353 -#   Example:  kernel /xen.gz dom0_mem=....
   3.354 -# - a module line matching the 3rd parameter is found
   3.355 -#
   3.356 -updateGrub ()
   3.357 -{
   3.358 -	local grubconf=$1
   3.359 -	local policyfile=$2
   3.360 -	local linux=$3
   3.361 -
   3.362 -	local tmpfile="/tmp/new_grub.conf"
   3.363 -
   3.364 -	cat $grubconf |                                \
   3.365 -	         awk -vpolicy=$policyfile              \
   3.366 -	             -vlinux=$linux '{                 \
   3.367 -	           if ( $1 == "title" ) {              \
   3.368 -	             kernelfound = 0;                  \
   3.369 -	             if ( policymaycome == 1 ){        \
   3.370 -	               printf ("\tmodule %s%s\n", path, policy);      \
   3.371 -	             }                                 \
   3.372 -	             policymaycome = 0;                \
   3.373 -	           }                                   \
   3.374 -	           else if ( $1 == "kernel" ) {        \
   3.375 -	             if ( match($2,"xen.gz$") ) {      \
   3.376 -	               path=substr($2,1,RSTART-1);     \
   3.377 -	               kernelfound = 1;                \
   3.378 -	             }                                 \
   3.379 -	           }                                   \
   3.380 -	           else if ( $1 == "module" &&         \
   3.381 -	                     kernelfound == 1 &&       \
   3.382 -	                     match($2,linux) ) {       \
   3.383 -	              policymaycome = 1;               \
   3.384 -	           }                                   \
   3.385 -	           else if ( $1 == "module" &&         \
   3.386 -	                     kernelfound == 1 &&       \
   3.387 -	                     policymaycome == 1 &&     \
   3.388 -	                     match($2,"[0-9a-zA-Z]*.bin$") ) { \
   3.389 -	              printf ("\tmodule %s%s\n", path, policy); \
   3.390 -	              policymaycome = 0;               \
   3.391 -	              kernelfound = 0;                 \
   3.392 -	              dontprint = 1;                   \
   3.393 -	           }                                   \
   3.394 -	           else if ( $1 == "" &&               \
   3.395 -	                     kernelfound == 1 &&       \
   3.396 -	                     policymaycome == 1) {     \
   3.397 -	              dontprint = 1;                   \
   3.398 -	           }                                   \
   3.399 -	           if (dontprint == 0) {               \
   3.400 -	             printf ("%s\n", $0);              \
   3.401 -	           }                                   \
   3.402 -	           dontprint = 0;                      \
   3.403 -	         } END {                               \
   3.404 -	           if ( policymaycome == 1 ) {         \
   3.405 -	             printf ("\tmodule %s%s\n", path, policy);  \
   3.406 -	           }                                   \
   3.407 -	         }' > $tmpfile
   3.408 -	if [ ! -r $tmpfile ]; then
   3.409 -		echo "Could not create temporary file! Aborting."
   3.410 -		exit -1
   3.411 -	fi
   3.412 -	diff $tmpfile $grubconf > /dev/null
   3.413 -	RES=$?
   3.414 -	if [ "$RES" == "0" ]; then
   3.415 -		echo "No changes were made to $grubconf."
   3.416 -	else
   3.417 -		echo "Successfully updated $grubconf."
   3.418 -		mv -f $tmpfile $grubconf
   3.419 -	fi
   3.420 -}
   3.421 -
   3.422 -
   3.423 -#Compile a policy into its binary representation
   3.424 -# Parameters:
   3.425 -# 1st: The directory where the ./policies directory is located at
   3.426 -# 2nd: The name of the policy
   3.427 -genBinPolicy ()
   3.428 -{
   3.429 -	local root=$1
   3.430 -	local policy=$2
   3.431 -	pushd $root > /dev/null
   3.432 -	xensec_xml2bin -d policies $policy > /dev/null
   3.433 -	popd > /dev/null
   3.434 -}
   3.435 -
   3.436 -
   3.437 -# Copy the bootpolicy into the destination directory
   3.438 -# Generate the policy's .bin and .map files if necessary
   3.439 -# Parameters:
   3.440 -# 1st: Destination directory
   3.441 -# 2nd: The root directory of the security tools; this is where the
   3.442 -#      policies directory is located at
   3.443 -# 3rd: The policy name
   3.444 -# Returns  '1' on success, '0' on failure.
   3.445 -cpBootPolicy ()
   3.446 -{
   3.447 -	local dest=$1
   3.448 -	local root=$2
   3.449 -	local policy=$3
   3.450 -	local binfile=$root/policies/$policy/$policy.bin
   3.451 -	local dstfile=$dest/$policy.bin
   3.452 -	if [ ! -e $binfile ]; then
   3.453 -		genBinPolicy $root $policy
   3.454 -		if [ ! -e $binfile ]; then
   3.455 -			echo "Could not compile policy '$policy'."
   3.456 -			return 0
   3.457 -		fi
   3.458 -	fi
   3.459 -
   3.460 -	if [ ! -e $dstfile -o \
   3.461 -	     $binfile -nt $dstfile ]; then
   3.462 -		cp -f $binfile $dstfile
   3.463 -	fi
   3.464 -	return 1
   3.465 -}
   3.466 -
   3.467 -
   3.468 -# Display all the labels in a given mapfile
   3.469 -# Parameters
   3.470 -# 1st: Full or relative path to the policy's mapfile
   3.471 -showLabels ()
   3.472 -{
   3.473 -	local mapfile=$1
   3.474 -	local line
   3.475 -	local ITEM
   3.476 -	local found=0
   3.477 -
   3.478 -	if [ ! -r "$mapfile" -o "$mapfile" == "" ]; then
   3.479 -		echo "Cannot read from vm configuration file $vmfile."
   3.480 -		return -1
   3.481 -	fi
   3.482 -
   3.483 -	getPrimaryPolicy $mapfile
   3.484 -	getSecondaryPolicy $mapfile
   3.485 -
   3.486 -	echo "The following labels are available:"
   3.487 -	let line=1
   3.488 -	while [ 1 ]; do
   3.489 -		ITEM=`cat $mapfile |         \
   3.490 -		      awk -vline=$line       \
   3.491 -		          -vprimary=$primary \
   3.492 -		      '{                     \
   3.493 -		         if ($1 == "LABEL->SSID" &&  \
   3.494 -		             $2 == "VM" &&           \
   3.495 -		             $3 == primary ) {       \
   3.496 -		           ctr++;                    \
   3.497 -		           if (ctr == line) {        \
   3.498 -		             print $4;               \
   3.499 -		           }                         \
   3.500 -		         }                           \
   3.501 -		       } END {                       \
   3.502 -		       }'`
   3.503 -
   3.504 -		if [ "$ITEM" == "" ]; then
   3.505 -			break
   3.506 -		fi
   3.507 -		if [ "$secondary" != "NULL" ]; then
   3.508 -			LABEL=`cat $mapfile |     \
   3.509 -			       awk -vitem=$ITEM   \
   3.510 -			       '{
   3.511 -			          if ($1 == "LABEL->SSID" && \
   3.512 -			              $2 == "VM" &&          \
   3.513 -			              $3 == "CHWALL" &&      \
   3.514 -			              $4 == item ) {         \
   3.515 -			            result = item;           \
   3.516 -			          }                          \
   3.517 -			        } END {                      \
   3.518 -			            print result             \
   3.519 -			        }'`
   3.520 -		else
   3.521 -			LABEL=$ITEM
   3.522 -		fi
   3.523 -
   3.524 -		if [ "$LABEL" != "" ]; then
   3.525 -			echo "$LABEL"
   3.526 -			found=1
   3.527 -		fi
   3.528 -		let line=line+1
   3.529 -	done
   3.530 -	if [ "$found" != "1" ]; then
   3.531 -		echo "No labels found."
   3.532 -	fi
   3.533 -}
   3.534 -
   3.535 -
   3.536 -# Get the default SSID given a mapfile and the policy name
   3.537 -# Parameters
   3.538 -# 1st: Full or relative path to the policy's mapfile
   3.539 -# 2nd: the name of the policy
   3.540 -getDefaultSsid ()
   3.541 -{
   3.542 -	local mapfile=$1
   3.543 -	local pol=$2
   3.544 -	RES=`cat $mapfile    \
   3.545 -	     awk -vpol=$pol  \
   3.546 -	      {              \
   3.547 -	        if ($1 == "LABEL->SSID" && \
   3.548 -	            $2 == "ANY"         && \
   3.549 -	            $3 == pol           && \
   3.550 -	            $4 == "DEFAULT"       ) {\
   3.551 -	              res=$5;                \
   3.552 -	        }                            \
   3.553 -	      } END {                        \
   3.554 -	        printf "%04x", strtonum(res) \
   3.555 -	     }'`
   3.556 -	echo "default NULL mapping is $RES"
   3.557 -	defaultssid=$RES
   3.558 -}
   3.559 -
   3.560 -
   3.561 -#Relabel a VM configuration file
   3.562 -# Parameters
   3.563 -# 1st: Full or relative path to the VM configuration file
   3.564 -# 2nd: The label to translate into an ssidref
   3.565 -# 3rd: Full or relative path to the policy's map file
   3.566 -# 4th: The mode this function is supposed to operate in:
   3.567 -#      'relabel' : Relabels the file without querying the user
   3.568 -#      other     : Prompts the user whether to proceed
   3.569 -relabel ()
   3.570 -{
   3.571 -	local vmfile=$1
   3.572 -	local label=$2
   3.573 -	local mapfile=$3
   3.574 -	local mode=$4
   3.575 -	local SSIDLO
   3.576 -	local SSIDHI
   3.577 -	local RES
   3.578 -
   3.579 -	if [ ! -r "$vmfile" ]; then
   3.580 -		echo "Cannot read from vm configuration file $vmfile."
   3.581 -		return -1
   3.582 -	fi
   3.583 -
   3.584 -	if [ ! -w "$vmfile" ]; then
   3.585 -		echo "Cannot write to vm configuration file $vmfile."
   3.586 -		return -1
   3.587 -	fi
   3.588 -
   3.589 -	if [ ! -r "$mapfile" ] ; then
   3.590 -		echo "Cannot read mapping file $mapfile."
   3.591 -		return -1
   3.592 -	fi
   3.593 -
   3.594 -	# Determine which policy is primary, which sec.
   3.595 -	getPrimaryPolicy $mapfile
   3.596 -	getSecondaryPolicy $mapfile
   3.597 -
   3.598 -	# Calculate the primary policy's SSIDREF
   3.599 -	if [ "$primary" == "NULL" ]; then
   3.600 -		SSIDLO="0001"
   3.601 -	else
   3.602 -		SSIDLO=`cat $mapfile |                    \
   3.603 -		        awk -vlabel=$label                \
   3.604 -		            -vprimary=$primary            \
   3.605 -		           '{                             \
   3.606 -		              if ( $1 == "LABEL->SSID" && \
   3.607 -		                   $2 == "VM" &&          \
   3.608 -		                   $3 == primary  &&      \
   3.609 -		                   $4 == label ) {        \
   3.610 -		                result=$5                 \
   3.611 -		              }                           \
   3.612 -		           } END {                        \
   3.613 -		             if (result != "" )           \
   3.614 -		               {printf "%04x", strtonum(result)}\
   3.615 -		           }'`
   3.616 -	fi
   3.617 -
   3.618 -	# Calculate the secondary policy's SSIDREF
   3.619 -	if [ "$secondary" == "NULL" ]; then
   3.620 -		if [ "$primary" == "NULL" ]; then
   3.621 -			SSIDHI="0001"
   3.622 -		else
   3.623 -			SSIDHI="0000"
   3.624 -		fi
   3.625 -	else
   3.626 -		SSIDHI=`cat $mapfile |                    \
   3.627 -		        awk -vlabel=$label                \
   3.628 -		            -vsecondary=$secondary        \
   3.629 -		           '{                             \
   3.630 -		              if ( $1 == "LABEL->SSID" && \
   3.631 -		                   $2 == "VM"          && \
   3.632 -		                   $3 == secondary     && \
   3.633 -		                   $4 == label ) {        \
   3.634 -		                result=$5                 \
   3.635 -		              }                           \
   3.636 -		            }  END {                      \
   3.637 -		              if (result != "" )          \
   3.638 -		                {printf "%04x", strtonum(result)}\
   3.639 -		            }'`
   3.640 -	fi
   3.641 -
   3.642 -	if [ "$SSIDLO" == "" -o \
   3.643 -	     "$SSIDHI" == "" ]; then
   3.644 -		echo "Could not map the given label '$label'."
   3.645 -		return -1
   3.646 -	fi
   3.647 -
   3.648 -	ACM_POLICY=`cat $mapfile |             \
   3.649 -	    awk ' { if ( $1 == "POLICY" ) {    \
   3.650 -	              result=$2                \
   3.651 -	            }                          \
   3.652 -	          }                            \
   3.653 -	          END {                        \
   3.654 -	            if (result != "") {        \
   3.655 -	              printf result            \
   3.656 -	            }                          \
   3.657 -	          }'`
   3.658 -
   3.659 -	if [ "$ACM_POLICY" == "" ]; then
   3.660 -		echo "Could not find 'POLICY' entry in map file."
   3.661 -		return -1
   3.662 -	fi
   3.663 -
   3.664 -	SSIDREF="0x$SSIDHI$SSIDLO"
   3.665 -
   3.666 -	if [ "$mode" != "relabel" ]; then
   3.667 -		RES=`cat $vmfile |  \
   3.668 -		     awk '{         \
   3.669 -		       if ( substr($1,0,7) == "ssidref" ) {\
   3.670 -		         print $0;             \
   3.671 -		       }                       \
   3.672 -		     }'`
   3.673 -		if [ "$RES" != "" ]; then
   3.674 -			echo "Do you want to overwrite the existing mapping ($RES)? (y/N)"
   3.675 -			read user
   3.676 -			if [ "$user" != "y" -a "$user" != "Y" ]; then
   3.677 -				echo "Aborted."
   3.678 -				return 0
   3.679 -			fi
   3.680 -		fi
   3.681 -	fi
   3.682 -
   3.683 -	#Write the output
   3.684 -	local vmtmp1="/tmp/__setlabel.tmp1"
   3.685 -	local vmtmp2="/tmp/__setlabel.tmp2"
   3.686 -	touch $vmtmp1
   3.687 -	touch $vmtmp2
   3.688 -	if [ ! -w "$vmtmp1" -o ! -w "$vmtmp2" ]; then
   3.689 -		echo "Cannot create temporary files. Aborting."
   3.690 -		return -1
   3.691 -	fi
   3.692 -	RES=`sed -e '/^#ACM_POLICY/d' $vmfile > $vmtmp1`
   3.693 -	RES=`sed -e '/^#ACM_LABEL/d' $vmtmp1 > $vmtmp2`
   3.694 -	RES=`sed -e '/^ssidref/d' $vmtmp2 > $vmtmp1`
   3.695 -	echo "#ACM_POLICY=$ACM_POLICY" >> $vmtmp1
   3.696 -	echo "#ACM_LABEL=$label" >> $vmtmp1
   3.697 -	echo "ssidref = $SSIDREF" >> $vmtmp1
   3.698 -	mv -f $vmtmp1 $vmfile
   3.699 -	rm -rf $vmtmp1 $vmtmp2
   3.700 -	echo "Mapped label '$label' to ssidref '$SSIDREF'."
   3.701 -}
   3.702 -
   3.703 -
   3.704 -# Translate an ssidref into its label. This does the reverse lookup
   3.705 -# to the relabel function above.
   3.706 -# This function displays the results.
   3.707 -# Parameters:
   3.708 -# 1st: The ssidref to translate; must be in the form '0x00010002'
   3.709 -# 2nd: Full or relative path to the policy's mapfile
   3.710 -translateSSIDREF ()
   3.711 -{
   3.712 -	local ssidref=$1
   3.713 -	local mapfile=$2
   3.714 -	local line1
   3.715 -	local line2
   3.716 -
   3.717 -	if [ ! -r "$mapfile" -o "$mapfile" == "" ]; then
   3.718 -		echo "Cannot read from vm configuration file $vmfile."
   3.719 -		return -1
   3.720 -	fi
   3.721 -
   3.722 -	getPrimaryPolicy $mapfile
   3.723 -	getSecondaryPolicy $mapfile
   3.724 -
   3.725 -	if [ "$primary" == "NULL" -a "$secondary" == "NULL" ]; then
   3.726 -		echo "There are no labels for the NULL policy."
   3.727 -		return
   3.728 -	fi
   3.729 -
   3.730 -	getSSIDLOHI $ssidref
   3.731 -	ret=$?
   3.732 -	if [ $ret -ne 1 ]; then
   3.733 -		echo "Error while parsing the ssid ref number '$ssidref'."
   3.734 -	fi;
   3.735 -
   3.736 -	let line1=0
   3.737 -	let line2=0
   3.738 -	while [ 1 ]; do
   3.739 -		ITEM1=`cat $mapfile |                       \
   3.740 -		      awk -vprimary=$primary                \
   3.741 -		          -vssidlo=$ssidlo_int              \
   3.742 -		          -vline=$line1                     \
   3.743 -		      '{                                    \
   3.744 -		         if ( $1 == "LABEL->SSID" &&        \
   3.745 -		              $3 == primary &&              \
   3.746 -		              int($5) == ssidlo     ) {     \
   3.747 -		             if (l == line) {               \
   3.748 -		                 print $4;                  \
   3.749 -		                 exit;                      \
   3.750 -		             }                              \
   3.751 -		             l++;                           \
   3.752 -		         }                                  \
   3.753 -		       }'`
   3.754 -
   3.755 -		ITEM2=`cat $mapfile |                       \
   3.756 -		      awk -vsecondary=$secondary            \
   3.757 -		          -vssidhi=$ssidhi_int              \
   3.758 -		          -vline=$line2                     \
   3.759 -		      '{                                    \
   3.760 -		         if ( $1 == "LABEL->SSID" &&        \
   3.761 -		              $3 == secondary &&            \
   3.762 -		              int($5) == ssidhi     ) {     \
   3.763 -		             if (l == line) {               \
   3.764 -		                 print $4;                  \
   3.765 -		                 exit;                      \
   3.766 -		             }                              \
   3.767 -		             l++;                           \
   3.768 -		         }                                  \
   3.769 -		       }'`
   3.770 -
   3.771 -		if [ "$secondary" != "NULL" ]; then
   3.772 -			if [ "$ITEM1" == "" ]; then
   3.773 -				let line1=0
   3.774 -				let line2=line2+1
   3.775 -			else
   3.776 -				let line1=line1+1
   3.777 -			fi
   3.778 -
   3.779 -			if [ "$ITEM1" == "" -a \
   3.780 -			     "$ITEM2" == "" ]; then
   3.781 -				echo "Could not determine the referenced label."
   3.782 -				break
   3.783 -			fi
   3.784 -
   3.785 -			if [ "$ITEM1" == "$ITEM2" ]; then
   3.786 -				echo "Label: $ITEM1"
   3.787 -				break
   3.788 -			fi
   3.789 -		else
   3.790 -			if [ "$ITEM1" != "" ]; then
   3.791 -				echo "Label: $ITEM1"
   3.792 -			else
   3.793 -				if [ "$found" == "0" ]; then
   3.794 -					found=1
   3.795 -				else
   3.796 -					break
   3.797 -				fi
   3.798 -			fi
   3.799 -			let line1=line1+1
   3.800 -		fi
   3.801 -	done
   3.802 -}
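--- a/tools/security/setlabel.sh
+++ /dev/null
@@ -1,106 +0,0 @@
-#!/bin/sh
-# *
-# * setlabel
-# *
-# * Copyright (C) 2005 IBM Corporation
-# *
-# * Authors:
-# * Stefan Berger <stefanb@us.ibm.com>
-# *
-# * This program is free software; you can redistribute it and/or
-# * modify it under the terms of the GNU General Public License as
-# * published by the Free Software Foundation, version 2 of the
-# * License.
-# *
-# * 'setlabel' labels virtual machine (domain) configuration files with
-# * security identifiers that can be enforced in Xen.
-# *
-# * 'setlabel -?' shows the usage of the program
-# *
-# * 'setlabel -l vmconfig-file' lists all available labels (only VM
-# *            labels are used right now)
-# *
-# * 'setlabel vmconfig-file security-label map-file' inserts the 'ssidref'
-# *                       that corresponds to the security-label under the
-# *                       current policy (if policy changes, 'label'
-# *                       must be re-run over the configuration files;
-# *                       map-file is created during policy translation and
-# *                       is found in the policy's directory
-#
-
-if [ -z "$runbash" ]; then
-	runbash="1"
-	export runbash
-	exec sh -c "bash $0 $*"
-fi
-
-export PATH=$PATH:.
-dir=`dirname $0`
-source $dir/labelfuncs.sh
-
-usage ()
-{
-	prg=`basename $0`
-echo "Use this tool to put the ssidref corresponding to a label of a policy into
-the VM configuration file, or use it to display all labels of a policy.
-
-Usage: $prg [-r] <vmfile> <label> [<policy name> [<policy dir>]] or
-       $prg -l [<policy name> [<policy dir>]]
-
--r          : to relabel a file without being prompted
--l          : to show the valid labels in a map file
-vmfile      : XEN vm configuration file; give complete path
-label       : the label to map to an ssidref
-policy name : the name of the policy, i.e. 'chwall'
-              If the policy name is omitted, it is attempted
-              to find the current policy's name in grub.conf.
-policy dir  : the directory where the <policy name> policy is located
-              The default location is '/etc/xen/acm-security/policies'
-"
-}
-
-if [ "$1" == "-r" ]; then
-	mode="relabel"
-	shift
-elif [ "$1" == "-l" ]; then
-	mode="show"
-	shift
-elif [ "$1" == "-h" ]; then
-	mode="usage"
-fi
-
-if [ "$mode" == "usage" ]; then
-	usage
-elif [ "$mode" == "show" ]; then
-	setPolicyVars $1 $2
-	ret=$?
-	if [ $ret -eq 0 ]; then
-		echo "Error when trying to find policy-related information."
-		exit -1
-	fi
-	findMapFile $policy $policydir
-	ret=$?
-	if [ $ret -eq 0 ]; then
-		echo "Could not find map file for policy '$policy'."
-		exit -1
-	fi
-	showLabels $mapfile
-else
-	if [ "$2" == "" ]; then
-		usage
-		exit -1
-	fi
-	setPolicyVars $3 $4
-	ret=$?
-	if [ $ret -eq 0 ]; then
-		echo "Error when trying to find policy-related information."
-		exit -1
-	fi
-	findMapFile $policy $policydir
-	ret=$?
-	if [ $ret -eq 0 ]; then
-		echo "Could not find map file for policy '$policy'."
-		exit -1
-	fi
-	relabel $1 $2 $mapfile $mode
-fi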
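--- a/tools/security/updategrub.sh
+++ /dev/null
@@ -1,90 +0,0 @@
-#!/bin/sh
-# *
-# * updategrub
-# *
-# * Copyright (C) 2005 IBM Corporation
-# *
-# * Authors:
-# * Stefan Berger <stefanb@us.ibm.com>
-# *
-# * This program is free software; you can redistribute it and/or
-# * modify it under the terms of the GNU General Public License as
-# * published by the Free Software Foundation, version 2 of the
-# * License.
-# *
-# *
-#
-
-if [ -z "$runbash" ]; then
-	runbash="1"
-	export runbash
-	exec sh -c "bash $0 $*"
-	exit
-fi
-
-dir=`dirname $0`
-source $dir/labelfuncs.sh
-
-acmroot=$ACM_DEFAULT_ROOT
-
-
-# Show usage of this program
-usage ()
-{
-	prg=`basename $0`
-echo "Use this tool to add the binary policy to the Xen grub entry and
-have Xen automatically enforce the policy when starting.
-
-Usage: $prg [-d <policies root>] <policy name> [<kernel version>]
-
-<policies root>  : The directory where the policies directory is located in;
-                   default is $acmroot
-<policy name>    : The name of the policy, i.e. xen_null
-<kernel version> : The version of the kernel to apply the policy
-                   against, i.e. 2.6.16-xen
-                   If not specified, a kernel version ending with '-xen'
-                   will be searched for in '/lib/modules'
-"
-}
-
-
-
-if [ "$1" == "-h" ]; then
-	usage
-	exit 0
-elif [ "$1" == "-d" ]; then
-	shift
-	acmroot=$1
-	shift
-fi
-
-if [ "$1" == "" ]; then
-	echo "Error: Not enough command line parameters."
-	echo ""
-	usage
-	exit -1
-fi
-
-
-policy=$1
-policyfile=$policy.bin
-
-getLinuxVersion $2
-
-findGrubConf
-ret=$?
-if [ $ret -eq 0 ]; then
-	echo "Could not find grub.conf."
-	exit -1
-elif [ $ret -eq 2 ]; then
-	echo "Need to have write-access to $grubconf. Exiting."
-	exit -1
-fi
-
-cpBootPolicy /boot $acmroot $policy
-ret=$?
-if [ $ret -ne 1 ]; then
-	echo "Error copying or generating the binary policy."
-	exit -1
-fi
-updateGrub $grubconf $policyfile $linux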