
changeset 14666:4434d1039a65

acm: Provide the possibility to choose the VM label of domain-0 in the
kernel line in grub.conf. The format is
ssidref=<ssidref>:sHype:<policy name>:<vm label>. The name of the
policy specified here must be the same name as the one in the policy
provided as a module during boot, otherwise the policy will not be
accepted and the system then starts without a policy. The user tool
for 'xm dumppolicy' has been adapted to show which entry in the binary
policy is used by domain-0.

Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
author kfraser@localhost.localdomain
date Thu Mar 29 19:26:13 2007 +0100 (2007-03-29)
parents 4a240d458db9
children dc1654ada984
files tools/security/secpol_tool.c tools/security/secpol_xml2bin.c xen/acm/acm_chinesewall_hooks.c xen/acm/acm_core.c xen/acm/acm_null_hooks.c xen/acm/acm_policy.c xen/acm/acm_simple_type_enforcement_hooks.c xen/include/acm/acm_core.h xen/include/acm/acm_hooks.h
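--- a/tools/security/secpol_tool.c
+++ b/tools/security/secpol_tool.c
@@ -57,7 +57,7 @@ void usage(char *progname)
 
 /*************************** DUMPS *******************************/
 
-void acm_dump_chinesewall_buffer(void *buf, int buflen)
+void acm_dump_chinesewall_buffer(void *buf, int buflen, uint16_t chwall_ref)
 {
 
     struct acm_chwall_policy_buffer *cwbuf =
@@ -91,6 +91,8 @@ void acm_dump_chinesewall_buffer(void *b
         for (j = 0; j < ntohl(cwbuf->chwall_max_types); j++)
             printf("%02x ",
                    ntohs(ssids[i * ntohl(cwbuf->chwall_max_types) + j]));
+        if (i == chwall_ref)
+            printf(" <-- Domain-0");
     }
     printf("\n\nConfict Sets:\n");
     conflicts =
@@ -131,7 +133,7 @@ void acm_dump_chinesewall_buffer(void *b
     }
 }
 
-void acm_dump_ste_buffer(void *buf, int buflen)
+void acm_dump_ste_buffer(void *buf, int buflen, uint16_t ste_ref)
 {
 
     struct acm_ste_policy_buffer *stebuf =
@@ -158,11 +160,14 @@ void acm_dump_ste_buffer(void *buf, int 
         for (j = 0; j < ntohl(stebuf->ste_max_types); j++)
             printf("%02x ",
                    ntohs(ssids[i * ntohl(stebuf->ste_max_types) + j]));
+        if (i == ste_ref)
+            printf(" <-- Domain-0");
     }
     printf("\n\n");
 }
 
-void acm_dump_policy_buffer(void *buf, int buflen)
+void acm_dump_policy_buffer(void *buf, int buflen,
+                            uint16_t chwall_ref, uint16_t ste_ref)
 {
     struct acm_policy_buffer *pol = (struct acm_policy_buffer *) buf;
     char *policy_reference_name =
@@ -190,13 +195,15 @@ void acm_dump_policy_buffer(void *buf, i
         acm_dump_chinesewall_buffer(ALIGN8(buf +
                                      ntohl(pol->primary_buffer_offset)),
                                     ntohl(pol->len) -
-                                    ntohl(pol->primary_buffer_offset));
+                                    ntohl(pol->primary_buffer_offset),
+                                    chwall_ref);
         break;
 
     case ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY:
         acm_dump_ste_buffer(ALIGN8(buf + ntohl(pol->primary_buffer_offset)),
                             ntohl(pol->len) -
-                            ntohl(pol->primary_buffer_offset));
+                            ntohl(pol->primary_buffer_offset),
+                            ste_ref);
         break;
 
     case ACM_NULL_POLICY:
@@ -212,13 +219,15 @@ void acm_dump_policy_buffer(void *buf, i
         acm_dump_chinesewall_buffer(ALIGN8(buf +
                                      ntohl(pol->secondary_buffer_offset)),
                                     ntohl(pol->len) -
-                                    ntohl(pol->secondary_buffer_offset));
+                                    ntohl(pol->secondary_buffer_offset),
+                                    chwall_ref);
         break;
 
     case ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY:
         acm_dump_ste_buffer(ALIGN8(buf + ntohl(pol->secondary_buffer_offset)),
                             ntohl(pol->len) -
-                            ntohl(pol->secondary_buffer_offset));
+                            ntohl(pol->secondary_buffer_offset),
+                            ste_ref);
         break;
 
     case ACM_NULL_POLICY:
@@ -230,6 +239,27 @@ void acm_dump_policy_buffer(void *buf, i
     }
 }
 
+/************************** get dom0 ssidref *****************************/
+int acm_get_ssidref(int xc_handle, int domid, uint16_t *chwall_ref,
+                    uint16_t *ste_ref)
+{
+    int ret;
+    struct acm_getssid getssid;
+    char buf[4096];
+    struct acm_ssid_buffer *ssid = (struct acm_ssid_buffer *)buf;
+    getssid.interface_version = ACM_INTERFACE_VERSION;
+    set_xen_guest_handle(getssid.ssidbuf, buf);
+    getssid.ssidbuf_size = sizeof(buf);
+    getssid.get_ssid_by = ACM_GETBY_domainid;
+    getssid.id.domainid = domid;
+    ret = xc_acm_op(xc_handle, ACMOP_getssid, &getssid, sizeof(getssid));
+    if (ret == 0) {
+        *chwall_ref = ssid->ssidref  & 0xffff;
+        *ste_ref    = ssid->ssidref >> 16;
+    }
+    return ret;
+}
+
 /******************************* get policy ******************************/
 
 #define PULL_CACHE_SIZE		8192
@@ -239,12 +269,16 @@ int acm_domain_getpolicy(int xc_handle)
 {
     struct acm_getpolicy getpolicy;
     int ret;
+    uint16_t chwall_ref, ste_ref;
 
     memset(pull_buffer, 0x00, sizeof(pull_buffer));
     getpolicy.interface_version = ACM_INTERFACE_VERSION;
     set_xen_guest_handle(getpolicy.pullcache, pull_buffer);
     getpolicy.pullcache_size = sizeof(pull_buffer);
     ret = xc_acm_op(xc_handle, ACMOP_getpolicy, &getpolicy, sizeof(getpolicy));
+    if (ret >= 0) {
+        ret = acm_get_ssidref(xc_handle, 0, &chwall_ref, &ste_ref);
+    }
 
     if (ret < 0) {
         printf("ACM operation failed: errno=%d\n", errno);
@@ -254,7 +288,9 @@ int acm_domain_getpolicy(int xc_handle)
     }
 
     /* dump policy  */
-    acm_dump_policy_buffer(pull_buffer, sizeof(pull_buffer));
+    acm_dump_policy_buffer(pull_buffer, sizeof(pull_buffer),
+                           chwall_ref, ste_ref);
+
     return ret;
 }
 
@@ -266,6 +302,7 @@ int acm_domain_loadpolicy(int xc_handle,
     int ret, fd;
     off_t len;
     uint8_t *buffer;
+    uint16_t chwall_ssidref, ste_ssidref;
 
     if ((ret = stat(filename, &mystat))) {
         printf("File %s not found.\n", filename);
@@ -282,10 +319,14 @@ int acm_domain_loadpolicy(int xc_handle,
         printf("File %s not found.\n", filename);
         goto free_out;
     }
+    ret =acm_get_ssidref(xc_handle, 0, &chwall_ssidref, &ste_ssidref);
+    if (ret < 0) {
+        goto free_out;
+    }
     if (len == read(fd, buffer, len)) {
         struct acm_setpolicy setpolicy;
         /* dump it and then push it down into xen/acm */
-        acm_dump_policy_buffer(buffer, len);
+        acm_dump_policy_buffer(buffer, len, chwall_ssidref, ste_ssidref);
         setpolicy.interface_version = ACM_INTERFACE_VERSION;
         set_xen_guest_handle(setpolicy.pushcache, buffer);
         setpolicy.pushcache_size = len;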
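Review bot: acm_get_ssidref fills *chwall_ref and *ste_ref only when xc_acm_op returns exactly 0, while both callers (acm_domain_getpolicy and acm_domain_loadpolicy) treat every non-negative return as success and pass the two uint16_t locals on to acm_dump_policy_buffer, so a positive return would print uninitialised stack contents as Domain-0's labels. Either align the helper with its callers, `if (ret >= 0) {`, or initialise the locals at their declaration, `uint16_t chwall_ref = 0, ste_ref = 0;`; whether xc_acm_op can actually return a positive value is not visible in this diff, so confirm against libxc. In acm_domain_loadpolicy the new `ret =acm_get_ssidref(` is missing the space after the assignment operator. Both callers' bodies continue outside their hunks.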
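--- a/tools/security/secpol_xml2bin.c
+++ b/tools/security/secpol_xml2bin.c
@@ -1163,7 +1163,8 @@ int write_binary(char *filename)
 
     u_int32_t len_ste = 0, len_chwall = 0, len_pr = 0;  /* length of policy components */
 
-    sscanf(policy_version_string,"%d.%d", &major, &minor);
+    if (policy_version_string)
+        sscanf(policy_version_string,"%d.%d", &major, &minor);
 
     /* open binary file */
     if ((fd =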
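Review bot: The new NULL guard still discards sscanf's return value, so a present but malformed policy version string leaves major and minor at whatever they held before and the binary is written with a version the author did not intend. Checking `if (policy_version_string && sscanf(policy_version_string, "%d.%d", &major, &minor) != 2)` and reporting a parse error would make that failure visible instead of silent. Where major and minor are declared and initialised is outside the hunk, so confirm they have a defined default when the string is absent; write_binary continues beyond the hunk.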
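--- a/xen/acm/acm_chinesewall_hooks.c
+++ b/xen/acm/acm_chinesewall_hooks.c
@@ -41,6 +41,9 @@
 #include <acm/acm_core.h>
 #include <acm/acm_hooks.h>
 #include <acm/acm_endian.h>
+#include <acm/acm_core.h>
+
+ssidref_t dom0_chwall_ssidref = 0x0001;
 
 /* local cache structures for chinese wall policy */
 struct chwall_binary_policy chwall_bin_pol;
@@ -53,7 +56,7 @@ int acm_init_chwall_policy(void)
 {
     /* minimal startup policy; policy write-locked already */
     chwall_bin_pol.max_types = 1;
-    chwall_bin_pol.max_ssidrefs = 2;
+    chwall_bin_pol.max_ssidrefs = 1 + dom0_chwall_ssidref;
     chwall_bin_pol.max_conflictsets = 1;
     chwall_bin_pol.ssidrefs =
         (domaintype_t *) xmalloc_array(domaintype_t,
@@ -254,7 +257,7 @@ chwall_init_state(struct acm_chwall_poli
      * more than one type is currently running */
 }
 
-static int chwall_set_policy(u8 * buf, u32 buf_size)
+static int chwall_set_policy(u8 * buf, u32 buf_size, int is_bootpolicy)
 {
     /* policy write-locked already */
     struct acm_chwall_policy_buffer *chwall_buf =
@@ -286,6 +289,12 @@ static int chwall_set_policy(u8 * buf, u
         (chwall_buf->policy_version != ACM_CHWALL_VERSION))
         return -EINVAL;
 
+    /* during boot dom0_chwall_ssidref is set */
+    if (is_bootpolicy &&
+        (dom0_chwall_ssidref >= chwall_buf->chwall_max_ssidrefs)) {
+        goto error_free;
+    }
+
     /* 1. allocate new buffers */
     ssids =
         xmalloc_array(domaintype_t,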
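Review bot: The added `#include <acm/acm_core.h>` duplicates the include already present three lines above it in the hunk's context, so the new line should be dropped. The boot-policy check in chwall_set_policy rejects the policy with a bare `goto error_free` and no diagnostic; since, per the commit message, a rejected boot policy leaves the system running without a policy, a `printk` naming dom0_chwall_ssidref and chwall_max_ssidrefs before the goto would tell an operator why. The comment `/* during boot dom0_chwall_ssidref is set */` does not say what is being enforced; `/* a boot policy must define the ssidref dom0 was given on the command line */` would. Whether error_free is safe to reach before the "1. allocate new buffers" step depends on the pointer initialisation outside the hunk — confirm ssids and the conflict-set buffers start out NULL.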
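--- a/xen/acm/acm_core.c
+++ b/xen/acm/acm_core.c
@@ -62,18 +62,63 @@ struct acm_binary_policy acm_bin_pol;
 /* acm binary policy lock */
 DEFINE_RWLOCK(acm_bin_pol_rwlock);
 
+/* ACM's only accepted policy name */
+char polname[80];
+char *acm_accepted_boot_policy_name = NULL;
+
+static void __init set_dom0_ssidref(const char *val)
+{
+    /* expected format:
+         ssidref=<hex number>:<policy name>
+         Policy name must not have a 'space'.
+     */
+    const char *c;
+    int lo, hi;
+    int i;
+    int dom0_ssidref = simple_strtoull(val, &c, 0);
+
+    if (!strncmp(&c[0],":sHype:", 7)) {
+        lo = dom0_ssidref & 0xffff;
+        if (lo < ACM_MAX_NUM_TYPES && lo >= 1)
+            dom0_chwall_ssidref = lo;
+        hi = dom0_ssidref >> 16;
+        if (hi < ACM_MAX_NUM_TYPES && hi >= 1)
+            dom0_ste_ssidref = hi;
+        for (i = 0; i < sizeof(polname); i++) {
+            polname[i] = c[7+i];
+            if (polname[i] == '\0' || polname[i] == '\t' ||
+                polname[i] == '\n' || polname[i] == ' '  ||
+                polname[i] == ':') {
+                break;
+            }
+        }
+        polname[i] = 0;
+        acm_accepted_boot_policy_name = polname;
+    }
+}
+
+custom_param("ssidref", set_dom0_ssidref);
+
 int
 acm_set_policy_reference(u8 *buf, u32 buf_size)
 {
+    char *name = (char *)(buf + sizeof(struct acm_policy_reference_buffer));
     struct acm_policy_reference_buffer *pr = (struct acm_policy_reference_buffer *)buf;
+
+    if (acm_accepted_boot_policy_name != NULL) {
+        if (strcmp(acm_accepted_boot_policy_name, name)) {
+            printk("Policy's name '%s' is not the expected one '%s'.\n",
+                   name, acm_accepted_boot_policy_name);
+            return ACM_ERROR;
+        }
+    }
+
     acm_bin_pol.policy_reference_name = (char *)xmalloc_array(u8, be32_to_cpu(pr->len));
 
     if (!acm_bin_pol.policy_reference_name)
         return -ENOMEM;
+    strlcpy(acm_bin_pol.policy_reference_name, name, be32_to_cpu(pr->len));
 
-    strlcpy(acm_bin_pol.policy_reference_name,
-            (char *)(buf + sizeof(struct acm_policy_reference_buffer)),
-            be32_to_cpu(pr->len));
     printk("%s: Activating policy %s\n", __func__,
            acm_bin_pol.policy_reference_name);
     return 0;
@@ -190,7 +235,8 @@ acm_is_policy(char *buf, unsigned long l
 
 static int
 acm_setup(char *policy_start,
-          unsigned long policy_len)
+          unsigned long policy_len,
+          int is_bootpolicy)
 {
     int rc = ACM_OK;
     struct acm_policy_buffer *pol;
@@ -202,7 +248,8 @@ acm_setup(char *policy_start,
     if (be32_to_cpu(pol->magic) != ACM_MAGIC)
         return rc;
 
-    rc = do_acm_set_policy((void *)policy_start, (u32)policy_len);
+    rc = do_acm_set_policy((void *)policy_start, (u32)policy_len,
+                           is_bootpolicy);
     if (rc == ACM_OK)
     {
         printkd("Policy len  0x%lx, start at %p.\n",policy_len,policy_start);
@@ -224,7 +271,10 @@ acm_init(char *policy_start,
     int ret = ACM_OK;
 
     /* first try to load the boot policy (uses its own locks) */
-    acm_setup(policy_start, policy_len);
+    acm_setup(policy_start, policy_len, 1);
+
+    /* a user-provided policy may have any name; only matched during boot */
+    acm_accepted_boot_policy_name = NULL;
 
     if (acm_active_security_policy != ACM_POLICY_UNDEFINED)
     {
@@ -236,6 +286,9 @@ acm_init(char *policy_start,
     printk("%s: Loading default policy (%s).\n",
            __func__, ACM_POLICY_NAME(ACM_DEFAULT_SECURITY_POLICY));
 
+    /* (re-)set dom-0 ssidref to default */
+    dom0_ste_ssidref = dom0_chwall_ssidref = 0x0001;
+
     if (acm_init_binary_policy(ACM_DEFAULT_SECURITY_POLICY)) {
         ret = -EINVAL;
         goto out;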
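Review bot: In set_dom0_ssidref the copy loop exits with i == sizeof(polname) when no terminator is found within the first 80 characters of the parameter, and `polname[i] = 0;` then writes polname[80], one byte past the array; bounding the loop with `for (i = 0; i < sizeof(polname) - 1; i++)` keeps the terminating store in range, and `i` should be `size_t` to match the comparison. `int dom0_ssidref = simple_strtoull(val, &c, 0);` truncates the unsigned long long into a signed int and then right-shifts it, so an oversized parameter produces implementation-defined lo/hi values; declaring the local `unsigned long long` (or ssidref_t) avoids that. The comment above documents the format as `ssidref=<hex number>:<policy name>` while the code demands `:sHype:` after the number; the commit message's `ssidref=<ssidref>:sHype:<policy name>:<vm label>` is the accurate form and belongs in the comment. In acm_set_policy_reference the new `strcmp(acm_accepted_boot_policy_name, name)` reads name up to its NUL with no bound derived from buf_size or pr->len; whether an earlier check guarantees termination inside the buffer is not visible here, so confirm it or limit the comparison by be32_to_cpu(pr->len).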
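--- a/xen/acm/acm_null_hooks.c
+++ b/xen/acm/acm_null_hooks.c
@@ -33,7 +33,7 @@ null_dump_binary_policy(u8 *buf, u32 buf
 }
 
 static int
-null_set_binary_policy(u8 *buf, u32 buf_size)
+null_set_binary_policy(u8 *buf, u32 buf_size, int is_bootpolicy)
 { 
     return ACM_OK;
 }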
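--- a/xen/acm/acm_policy.c
+++ b/xen/acm/acm_policy.c
@@ -50,7 +50,7 @@ acm_set_policy(XEN_GUEST_HANDLE(void) bu
         printk("%s: Error copying!\n",__func__);
         goto error_free;
     }
-    ret = do_acm_set_policy(policy_buffer, buf_size);
+    ret = do_acm_set_policy(policy_buffer, buf_size, 0);
 
  error_free:
     xfree(policy_buffer);
@@ -59,7 +59,7 @@ acm_set_policy(XEN_GUEST_HANDLE(void) bu
 
 
 int
-do_acm_set_policy(void *buf, u32 buf_size)
+do_acm_set_policy(void *buf, u32 buf_size, int is_bootpolicy)
 {
     struct acm_policy_buffer *pol = (struct acm_policy_buffer *)buf;
     uint32_t offset, length;
@@ -106,14 +106,16 @@ do_acm_set_policy(void *buf, u32 buf_siz
     length = be32_to_cpu(pol->secondary_buffer_offset) - offset;
 
     if ( (offset + length) > buf_size ||
-         acm_primary_ops->set_binary_policy(buf + offset, length))
+         acm_primary_ops->set_binary_policy(buf + offset, length,
+                                            is_bootpolicy))
         goto error_lock_free;
 
     /* set secondary policy data */
     offset = be32_to_cpu(pol->secondary_buffer_offset);
     length = be32_to_cpu(pol->len) - offset;
     if ( (offset + length) > buf_size ||
-         acm_secondary_ops->set_binary_policy(buf + offset, length))
+         acm_secondary_ops->set_binary_policy(buf + offset, length,
+                                              is_bootpolicy))
         goto error_lock_free;
 
     memcpy(&acm_bin_pol.xml_pol_version,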
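--- a/xen/acm/acm_simple_type_enforcement_hooks.c
+++ b/xen/acm/acm_simple_type_enforcement_hooks.c
@@ -31,6 +31,9 @@
 #include <acm/acm_hooks.h>
 #include <asm/atomic.h>
 #include <acm/acm_endian.h>
+#include <acm/acm_core.h>
+
+ssidref_t dom0_ste_ssidref = 0x0001;
 
 /* local cache structures for STE policy */
 struct ste_binary_policy ste_bin_pol;
@@ -74,15 +77,21 @@ int acm_init_ste_policy(void)
 {
     /* minimal startup policy; policy write-locked already */
     ste_bin_pol.max_types = 1;
-    ste_bin_pol.max_ssidrefs = 2;
-    ste_bin_pol.ssidrefs = (domaintype_t *)xmalloc_array(domaintype_t, 2);
-    memset(ste_bin_pol.ssidrefs, 0, 2);
+    ste_bin_pol.max_ssidrefs = 1 + dom0_ste_ssidref;
+    ste_bin_pol.ssidrefs =
+            (domaintype_t *)xmalloc_array(domaintype_t,
+                                          ste_bin_pol.max_types *
+                                          ste_bin_pol.max_ssidrefs);
 
     if (ste_bin_pol.ssidrefs == NULL)
         return ACM_INIT_SSID_ERROR;
 
- /* initialize state so that dom0 can start up and communicate with itself */
-    ste_bin_pol.ssidrefs[1] = 1;
+    memset(ste_bin_pol.ssidrefs, 0, sizeof(domaintype_t) *
+                                    ste_bin_pol.max_types *
+                                    ste_bin_pol.max_ssidrefs);
+
+    /* initialize state so that dom0 can start up and communicate with itself */
+    ste_bin_pol.ssidrefs[ste_bin_pol.max_types * dom0_ste_ssidref] = 1;
 
     /* init stats */
     atomic_set(&(ste_bin_pol.ec_eval_count), 0);
@@ -274,7 +283,7 @@ ste_init_state(struct acm_ste_policy_buf
 
 /* set new policy; policy write-locked already */
 static int
-ste_set_policy(u8 *buf, u32 buf_size)
+ste_set_policy(u8 *buf, u32 buf_size, int is_bootpolicy)
 {
     struct acm_ste_policy_buffer *ste_buf = (struct acm_ste_policy_buffer *)buf;
     void *ssidrefsbuf;
@@ -305,6 +314,11 @@ ste_set_policy(u8 *buf, u32 buf_size)
     if (ste_buf->ste_ssid_offset + sizeof(domaintype_t) * ste_buf->ste_max_ssidrefs*ste_buf->ste_max_types > buf_size)
         goto error_free;
 
+    /* during boot dom0_chwall_ssidref is set */
+    if (is_bootpolicy && (dom0_ste_ssidref >= ste_buf->ste_max_ssidrefs)) {
+        goto error_free;
+    }
+
     arrcpy(ssidrefsbuf, 
            buf + ste_buf->ste_ssid_offset,
            sizeof(domaintype_t),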
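Review bot: The comment `/* during boot dom0_chwall_ssidref is set */` in ste_set_policy was carried over from the Chinese Wall hook, but the condition below it tests dom0_ste_ssidref; it should read `/* a boot policy must define the STE ssidref dom0 was given on the command line */`. As in the chwall hook the rejection is silent, so a `printk` naming dom0_ste_ssidref and ste_max_ssidrefs before `goto error_free` would tell an operator why the hypervisor came up without the supplied policy. The same silent-rejection point applies to the corresponding hunk in acm_chinesewall_hooks.c. ste_set_policy continues outside the hunk.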
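--- a/xen/include/acm/acm_core.h
+++ b/xen/include/acm/acm_core.h
@@ -123,13 +123,20 @@ int acm_init_domain_ssid(domid_t id, ssi
 void acm_free_domain_ssid(struct acm_ssid_domain *ssid);
 int acm_init_binary_policy(u32 policy_code);
 int acm_set_policy(XEN_GUEST_HANDLE(void) buf, u32 buf_size);
-int do_acm_set_policy(void *buf, u32 buf_size);
+int do_acm_set_policy(void *buf, u32 buf_size, int is_bootpolicy);
 int acm_get_policy(XEN_GUEST_HANDLE(void) buf, u32 buf_size);
 int acm_dump_statistics(XEN_GUEST_HANDLE(void) buf, u16 buf_size);
 int acm_get_ssid(ssidref_t ssidref, XEN_GUEST_HANDLE(void) buf, u16 buf_size);
 int acm_get_decision(ssidref_t ssidref1, ssidref_t ssidref2, u32 hook);
 int acm_set_policy_reference(u8 * buf, u32 buf_size);
 int acm_dump_policy_reference(u8 *buf, u32 buf_size);
+
+
+/* variables */
+extern ssidref_t dom0_chwall_ssidref;
+extern ssidref_t dom0_ste_ssidref;
+#define ACM_MAX_NUM_TYPES   (256)
+
 #endif
 
 /*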
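Review bot: ACM_MAX_NUM_TYPES is introduced without a comment, and the only use this commit adds (set_dom0_ssidref in acm_core.c) is as an exclusive upper bound on the chwall/ste ssidref indices parsed from the command line, not on a number of types, so the name misleads; a comment such as `/* exclusive upper bound for the per-policy ssidref indices accepted from the ssidref= boot parameter */` would prevent that. The two new externs would also benefit from a note on when they may change — from what this commit shows they are written only by the __init parameter parser and by acm_init's fallback to the default policy — so that later readers do not treat them as runtime-tunable.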
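--- a/xen/include/acm/acm_hooks.h
+++ b/xen/include/acm/acm_hooks.h
@@ -91,7 +91,8 @@ struct acm_operations {
     int  (*init_domain_ssid)           (void **ssid, ssidref_t ssidref);
     void (*free_domain_ssid)           (void *ssid);
     int  (*dump_binary_policy)         (u8 *buffer, u32 buf_size);
-    int  (*set_binary_policy)          (u8 *buffer, u32 buf_size);
+    int  (*set_binary_policy)          (u8 *buffer, u32 buf_size,
+                                        int is_bootpolicy);
     int  (*dump_statistics)            (u8 *buffer, u16 buf_size);
     int  (*dump_ssid_types)            (ssidref_t ssidref, u8 *buffer, u16 buf_size);
     /* domain management control hooks (can be NULL) */
@@ -347,14 +348,13 @@ static inline int acm_pre_grant_setup(do
     }
 }
 
-/* predefined ssidref for DOM0 used by xen when creating DOM0 */
-#define ACM_DOM0_SSIDREF       0x00010001 
-
 static inline void acm_post_domain0_create(domid_t domid)
 {
     /* initialialize shared sHype security labels for new domain */
-    acm_init_domain_ssid(domid, ACM_DOM0_SSIDREF);
-    acm_post_domain_create(domid, ACM_DOM0_SSIDREF);
+    int dom0_ssidref = dom0_ste_ssidref << 16 | dom0_chwall_ssidref;
+
+    acm_init_domain_ssid(domid, dom0_ssidref);
+    acm_post_domain_create(domid, dom0_ssidref);
 }
 
 static inline int acm_sharing(ssidref_t ssidref1, ssidref_t ssidref2)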
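Review bot: `int dom0_ssidref = dom0_ste_ssidref << 16 | dom0_chwall_ssidref;` composes a value that is handed to acm_init_domain_ssid, whose first parameter is declared ssidref_t in acm_core.h in this same commit, so the local should carry that type and make the precedence explicit: `ssidref_t dom0_ssidref = (dom0_ste_ssidref << 16) | dom0_chwall_ssidref;`. Dropping ACM_DOM0_SSIDREF is only safe if no other translation unit still refers to it, which cannot be verified from this diff. Because acm_post_domain0_create is a static inline in a header, every includer now needs the extern declarations of dom0_ste_ssidref and dom0_chwall_ssidref from acm_core.h in scope first; confirm the include order in the files that use this header.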