
changeset 15819:7e7e0ea6a0bb

Cleanups after XSM checkin.
Signed-off-by: Keir Fraser <keir@xensource.com>
author kfraser@localhost.localdomain
date Fri Aug 31 12:05:07 2007 +0100 (2007-08-31)
parents fa4d44c9d9f6
children 16e01b0dcdbc
files .hgignore Config.mk tools/Rules.mk tools/libxc/xenctrl.h tools/python/xen/lowlevel/acm/acm.c tools/security/secpol_tool.c tools/security/secpol_xml2bin.c xen/Rules.mk xen/arch/ia64/xen/xensetup.c xen/arch/powerpc/setup.c xen/arch/x86/setup.c xen/include/acm/acm_core.h xen/include/acm/acm_endian.h xen/include/acm/acm_hooks.h xen/include/public/acm.h xen/include/public/acm_ops.h xen/include/public/xsm/acm.h xen/include/public/xsm/acm_ops.h xen/include/xen/sched.h xen/include/xsm/acm/acm_core.h xen/include/xsm/acm/acm_endian.h xen/include/xsm/acm/acm_hooks.h xen/xsm/acm/acm_chinesewall_hooks.c xen/xsm/acm/acm_core.c xen/xsm/acm/acm_null_hooks.c xen/xsm/acm/acm_ops.c xen/xsm/acm/acm_policy.c xen/xsm/acm/acm_simple_type_enforcement_hooks.c xen/xsm/acm/acm_xsm_hooks.c
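--- a/.hgignore
+++ b/.hgignore
@@ -151,6 +151,7 @@
 ^tools/python/build/.*$
 ^tools/security/secpol_tool$
 ^tools/security/xen/.*$
+^tools/security/xensec_tool$
 ^tools/tests/blowfish\.bin$
 ^tools/tests/blowfish\.h$
 ^tools/tests/test_x86_emulator$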
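--- a/Config.mk
+++ b/Config.mk
@@ -79,19 +79,9 @@ LDFLAGS += $(foreach i, $(EXTRA_LIB), -L
 CFLAGS += $(foreach i, $(EXTRA_INCLUDES), -I$(i))
 
 # Enable XSM security module.  Enabling XSM requires selection of an 
-# XSM security module.
+# XSM security module (FLASK_ENABLE or ACM_SECURITY).
 XSM_ENABLE ?= n
-ifeq ($(XSM_ENABLE),y)
 FLASK_ENABLE ?= n
-ifeq ($(FLASK_ENABLE),y)
-FLASK_DEVELOP ?= y
-FLASK_BOOTPARAM ?= y
-FLASK_AVC_STATS ?= y
-endif
-endif
-
-# If ACM_SECURITY = y, then the access control module is compiled
-# into Xen and the policy type can be set by the boot policy file
 ACM_SECURITY ?= n
 
 # Optional components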
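Review bot: Nothing in this block rejects FLASK_ENABLE=y together with ACM_SECURITY=y, although the reworded comment on line 2.8 presents them as alternatives; in xen/Rules.mk (lines 8.12 and 8.14) each of those settings appends its own -DXSM_MAGIC with a different value, so a build with both enabled hands the compiler two conflicting definitions of XSM_MAGIC (a redefinition warning, presumably fatal if the tree builds with -Werror). Removing the `ifeq ($(XSM_ENABLE),y)` nesting also makes it easier to set a module without XSM_ENABLE, which the comment says is required. A make-time check placed after the three defaults would fail early and clearly: `ifeq ($(FLASK_ENABLE)$(ACM_SECURITY),yy)` / `$(error FLASK_ENABLE and ACM_SECURITY are mutually exclusive)` / `endif`.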
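--- a/tools/Rules.mk
+++ b/tools/Rules.mk
@@ -49,6 +49,8 @@ mk-symlinks:
 	( cd xen/hvm && ln -sf ../../$(XEN_ROOT)/xen/include/public/hvm/*.h . )
 	mkdir -p xen/io
 	( cd xen/io && ln -sf ../../$(XEN_ROOT)/xen/include/public/io/*.h . )
+	mkdir -p xen/xsm
+	( cd xen/xsm && ln -sf ../../$(XEN_ROOT)/xen/include/public/xsm/*.h . )
 	mkdir -p xen/arch-x86
 	( cd xen/arch-x86 && ln -sf ../../$(XEN_ROOT)/xen/include/public/arch-x86/*.h . )
 	mkdir -p xen/foreign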
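--- a/tools/libxc/xenctrl.h
+++ b/tools/libxc/xenctrl.h
@@ -26,8 +26,8 @@
 #include <xen/event_channel.h>
 #include <xen/sched.h>
 #include <xen/memory.h>
-#include <xen/acm.h>
-#include <xen/acm_ops.h>
+#include <xen/xsm/acm.h>
+#include <xen/xsm/acm_ops.h>
 
 #ifdef __ia64__
 #define XC_PAGE_SHIFT           14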
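--- a/tools/python/xen/lowlevel/acm/acm.c
+++ b/tools/python/xen/lowlevel/acm/acm.c
@@ -18,6 +18,7 @@
  *
  * indent -i4 -kr -nut
  */
+
 #include <Python.h>
 
 #include <stdio.h>
@@ -27,8 +28,8 @@
 #include <stdlib.h>
 #include <sys/ioctl.h>
 #include <netinet/in.h>
-#include <xen/acm.h>
-#include <xen/acm_ops.h>
+#include <xen/xsm/acm.h>
+#include <xen/xsm/acm_ops.h>
 
 #include <xenctrl.h>
 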
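--- a/tools/security/secpol_tool.c
+++ b/tools/security/secpol_tool.c
@@ -34,8 +34,8 @@
 #include <string.h>
 #include <netinet/in.h>
 #include <stdint.h>
-#include <xen/acm.h>
-#include <xen/acm_ops.h>
+#include <xen/xsm/acm.h>
+#include <xen/xsm/acm_ops.h>
 
 #include <xenctrl.h>
 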
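--- a/tools/security/secpol_xml2bin.c
+++ b/tools/security/secpol_xml2bin.c
@@ -22,6 +22,7 @@
  *
  * indent -i4 -kr -nut
  */
+
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -38,7 +39,7 @@
 #include <libxml/tree.h>
 #include <libxml/xmlreader.h>
 #include <stdint.h>
-#include <xen/acm.h>
+#include <xen/xsm/acm.h>
 
 #include "secpol_xml2bin.h"
 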
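--- a/xen/Rules.mk
+++ b/xen/Rules.mk
@@ -57,11 +57,9 @@ ALL_OBJS-y               += $(BASEDIR)/a
 
 CFLAGS-y                += -g -D__XEN__
 CFLAGS-$(XSM_ENABLE)    += -DXSM_ENABLE
-CFLAGS-$(FLASK_ENABLE)    += -DFLASK_ENABLE -DXSM_MAGIC=0xf97cff8c
-CFLAGS-$(FLASK_DEVELOP)   += -DFLASK_DEVELOP
-CFLAGS-$(FLASK_BOOTPARAM) += -DFLASK_BOOTPARAM
-CFLAGS-$(FLASK_AVC_STATS) += -DFLASK_AVC_STATS
-CFLAGS-$(ACM_SECURITY)    += -DACM_SECURITY -DXSM_MAGIC=0xbcde0100
+CFLAGS-$(FLASK_ENABLE)  += -DFLASK_ENABLE -DXSM_MAGIC=0xf97cff8c
+CFLAGS-$(FLASK_ENABLE)  += -DFLASK_DEVELOP -DFLASK_BOOTPARAM -DFLASK_AVC_STATS
+CFLAGS-$(ACM_SECURITY)  += -DACM_SECURITY -DXSM_MAGIC=0xbcde0100
 CFLAGS-$(verbose)       += -DVERBOSE
 CFLAGS-$(crash_debug)   += -DCRASH_DEBUG
 CFLAGS-$(perfc)         += -DPERF_COUNTERS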
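--- a/xen/arch/ia64/xen/xensetup.c
+++ b/xen/arch/ia64/xen/xensetup.c
@@ -28,7 +28,7 @@
 #include <asm/iosapic.h>
 #include <xen/softirq.h>
 #include <xen/rcupdate.h>
-#include <acm/acm_hooks.h>
+#include <xsm/acm/acm_hooks.h>
 #include <asm/sn/simulator.h>
 
 unsigned long xenheap_phys_end, total_pages;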
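--- a/xen/arch/powerpc/setup.c
+++ b/xen/arch/powerpc/setup.c
@@ -38,7 +38,7 @@
 #include <xen/numa.h>
 #include <xen/rcupdate.h>
 #include <xen/version.h>
-#include <acm/acm_hooks.h>
+#include <xsm/acm/acm_hooks.h>
 #include <public/version.h>
 #include <asm/mpic.h>
 #include <asm/processor.h>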
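--- a/xen/arch/x86/setup.c
+++ b/xen/arch/x86/setup.c
@@ -32,7 +32,7 @@
 #include <asm/desc.h>
 #include <asm/paging.h>
 #include <asm/e820.h>
-#include <acm/acm_hooks.h>
+#include <xsm/acm/acm_hooks.h>
 #include <xen/kexec.h>
 #include <asm/edd.h>
 #include <xsm/xsm.h>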
    12.1 --- a/xen/include/acm/acm_core.h	Fri Aug 31 11:41:49 2007 +0100
    12.2 +++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
    12.3 @@ -1,196 +0,0 @@
    12.4 -/****************************************************************
    12.5 - * acm_core.h 
    12.6 - * 
    12.7 - * Copyright (C) 2005 IBM Corporation
    12.8 - *
    12.9 - * Author:
   12.10 - * Reiner Sailer <sailer@watson.ibm.com>
   12.11 - *
   12.12 - * This program is free software; you can redistribute it and/or
   12.13 - * modify it under the terms of the GNU General Public License as
   12.14 - * published by the Free Software Foundation, version 2 of the
   12.15 - * License.
   12.16 - *
   12.17 - * sHype header file describing core data types and constants
   12.18 - *    for the access control module and relevant policies
   12.19 - *
   12.20 - */
   12.21 -
   12.22 -#ifndef _ACM_CORE_H
   12.23 -#define _ACM_CORE_H
   12.24 -
   12.25 -#include <xen/spinlock.h>
   12.26 -#include <xen/list.h>
   12.27 -#include <public/acm.h>
   12.28 -#include <public/acm_ops.h>
   12.29 -#include <acm/acm_endian.h>
   12.30 -
   12.31 -#define ACM_DEFAULT_SECURITY_POLICY \
   12.32 -        ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY
   12.33 -
   12.34 -/* Xen-internal representation of the binary policy */
   12.35 -struct acm_binary_policy {
   12.36 -    char *policy_reference_name;
   12.37 -    u16 primary_policy_code;
   12.38 -    u16 secondary_policy_code;
   12.39 -    struct acm_policy_version xml_pol_version;
   12.40 -};
   12.41 -
   12.42 -struct chwall_binary_policy {
   12.43 -    u32 max_types;
   12.44 -    u32 max_ssidrefs;
   12.45 -    u32 max_conflictsets;
   12.46 -    domaintype_t *ssidrefs;     /* [max_ssidrefs][max_types]  */
   12.47 -    domaintype_t *conflict_aggregate_set;  /* [max_types]      */
   12.48 -    domaintype_t *running_types;    /* [max_types]      */
   12.49 -    domaintype_t *conflict_sets;   /* [max_conflictsets][max_types]*/
   12.50 -};
   12.51 -
   12.52 -struct ste_binary_policy {
   12.53 -    u32 max_types;
   12.54 -    u32 max_ssidrefs;
   12.55 -    domaintype_t *ssidrefs;     /* [max_ssidrefs][max_types]  */
   12.56 -    atomic_t ec_eval_count, gt_eval_count;
   12.57 -    atomic_t ec_denied_count, gt_denied_count;
   12.58 -    atomic_t ec_cachehit_count, gt_cachehit_count;
   12.59 -};
   12.60 -
   12.61 -/* global acm policy */
   12.62 -extern u16 acm_active_security_policy;
   12.63 -extern struct acm_binary_policy acm_bin_pol;
   12.64 -extern struct chwall_binary_policy chwall_bin_pol;
   12.65 -extern struct ste_binary_policy ste_bin_pol;
   12.66 -/* use the lock when reading / changing binary policy ! */
   12.67 -extern rwlock_t acm_bin_pol_rwlock;
   12.68 -extern rwlock_t ssid_list_rwlock;
   12.69 -
   12.70 -/* subject and object type definitions */
   12.71 -#define ACM_DATATYPE_domain 1
   12.72 -
   12.73 -/* defines number of access decisions to other domains can be cached
   12.74 - * one entry per domain, TE does not distinguish evtchn or grant_table */
   12.75 -#define ACM_TE_CACHE_SIZE 8
   12.76 -#define ACM_STE_valid 0
   12.77 -#define ACM_STE_free  1
   12.78 -
   12.79 -/* cache line:
   12.80 - * if cache_line.valid==ACM_STE_valid, then
   12.81 - *    STE decision is cached as "permitted" 
   12.82 - *                 on domain cache_line.id
   12.83 - */
   12.84 -struct acm_ste_cache_line {
   12.85 -    int valid; /* ACM_STE_* */
   12.86 -    domid_t id;
   12.87 -};
   12.88 -
   12.89 -/* general definition of a subject security id */
   12.90 -struct acm_ssid_domain {
   12.91 -    struct list_head node; /* all are chained together */
   12.92 -    int datatype;          /* type of subject (e.g., partition): ACM_DATATYPE_* */
   12.93 -    ssidref_t ssidref;     /* combined security reference */
   12.94 -    ssidref_t old_ssidref; /* holds previous value of ssidref during relabeling */
   12.95 -    void *primary_ssid;    /* primary policy ssid part (e.g. chinese wall) */
   12.96 -    void *secondary_ssid;  /* secondary policy ssid part (e.g. type enforcement) */
   12.97 -    struct domain *subject;/* backpointer to subject structure */
   12.98 -    domid_t domainid;      /* replicate id */
   12.99 -};
  12.100 -
  12.101 -/* chinese wall ssid type */
  12.102 -struct chwall_ssid {
  12.103 -    ssidref_t chwall_ssidref;
  12.104 -};
  12.105 -
  12.106 -/* simple type enforcement ssid type */
  12.107 -struct ste_ssid {
  12.108 -    ssidref_t ste_ssidref;
  12.109 -    struct acm_ste_cache_line ste_cache[ACM_TE_CACHE_SIZE]; /* decision cache */
  12.110 -};
  12.111 -
  12.112 -/* macros to access ssidref for primary / secondary policy 
  12.113 - * primary ssidref   = lower 16 bit
  12.114 - *  secondary ssidref = higher 16 bit
  12.115 - */
  12.116 -#define ACM_PRIMARY(ssidref) \
  12.117 - ((ssidref) & 0xffff)
  12.118 -
  12.119 -#define ACM_SECONDARY(ssidref) \
  12.120 - ((ssidref) >> 16)
  12.121 -
  12.122 -#define GET_SSIDREF(POLICY, ssidref) \
  12.123 - ((POLICY) == acm_bin_pol.primary_policy_code) ? \
  12.124 - ACM_PRIMARY(ssidref) : ACM_SECONDARY(ssidref)
  12.125 -
  12.126 -/* macros to access ssid pointer for primary / secondary policy */
  12.127 -#define GET_SSIDP(POLICY, ssid) \
  12.128 - ((POLICY) == acm_bin_pol.primary_policy_code) ? \
  12.129 - ((ssid)->primary_ssid) : ((ssid)->secondary_ssid)
  12.130 -
  12.131 -#define ACM_INVALID_SSIDREF  (0xffffffff)
  12.132 -
  12.133 -struct acm_sized_buffer
  12.134 -{
  12.135 -    uint32_t *array;
  12.136 -    uint num_items;
  12.137 -    uint position;
  12.138 -};
  12.139 -
  12.140 -static inline int acm_array_append_tuple(struct acm_sized_buffer *buf,
  12.141 -                                         uint32_t a, uint32_t b)
  12.142 -{
  12.143 -    uint i;
  12.144 -    if (buf == NULL)
  12.145 -        return 0;
  12.146 -
  12.147 -    i = buf->position;
  12.148 -
  12.149 -    if ((i + 2) > buf->num_items)
  12.150 -        return 0;
  12.151 -
  12.152 -    buf->array[i]   = cpu_to_be32(a);
  12.153 -    buf->array[i+1] = cpu_to_be32(b);
  12.154 -    buf->position += 2;
  12.155 -    return 1;
  12.156 -}
  12.157 -
  12.158 -/* protos */
  12.159 -int acm_init_domain_ssid(struct domain *, ssidref_t ssidref);
  12.160 -void acm_free_domain_ssid(struct acm_ssid_domain *ssid);
  12.161 -int acm_init_binary_policy(u32 policy_code);
  12.162 -int acm_set_policy(XEN_GUEST_HANDLE_64(void) buf, u32 buf_size);
  12.163 -int do_acm_set_policy(void *buf, u32 buf_size, int is_bootpolicy,
  12.164 -                      struct acm_sized_buffer *, struct acm_sized_buffer *,
  12.165 -                      struct acm_sized_buffer *);
  12.166 -int acm_get_policy(XEN_GUEST_HANDLE_64(void) buf, u32 buf_size);
  12.167 -int acm_dump_statistics(XEN_GUEST_HANDLE_64(void) buf, u16 buf_size);
  12.168 -int acm_get_ssid(ssidref_t ssidref, XEN_GUEST_HANDLE_64(void) buf, u16 buf_size);
  12.169 -int acm_get_decision(ssidref_t ssidref1, ssidref_t ssidref2, u32 hook);
  12.170 -int acm_set_policy_reference(u8 * buf, u32 buf_size);
  12.171 -int acm_dump_policy_reference(u8 *buf, u32 buf_size);
  12.172 -int acm_change_policy(struct acm_change_policy *);
  12.173 -int acm_relabel_domains(struct acm_relabel_doms *);
  12.174 -int do_chwall_init_state_curr(struct acm_sized_buffer *);
  12.175 -int do_ste_init_state_curr(struct acm_sized_buffer *);
  12.176 -
  12.177 -/* variables */
  12.178 -extern ssidref_t dom0_chwall_ssidref;
  12.179 -extern ssidref_t dom0_ste_ssidref;
  12.180 -#define ACM_MAX_NUM_TYPES   (256)
  12.181 -
  12.182 -/* traversing the list of ssids */
  12.183 -extern struct list_head ssid_list;
  12.184 -#define for_each_acmssid( N )                               \
  12.185 -   for ( N =  (struct acm_ssid_domain *)ssid_list.next;     \
  12.186 -         N != (struct acm_ssid_domain *)&ssid_list;         \
  12.187 -         N =  (struct acm_ssid_domain *)N->node.next     )
  12.188 -
  12.189 -#endif
  12.190 -
  12.191 -/*
  12.192 - * Local variables:
  12.193 - * mode: C
  12.194 - * c-set-style: "BSD"
  12.195 - * c-basic-offset: 4
  12.196 - * tab-width: 4
  12.197 - * indent-tabs-mode: nil
  12.198 - * End:
  12.199 - */
    13.1 --- a/xen/include/acm/acm_endian.h	Fri Aug 31 11:41:49 2007 +0100
    13.2 +++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
    13.3 @@ -1,69 +0,0 @@
    13.4 -/****************************************************************
    13.5 - * acm_endian.h 
    13.6 - * 
    13.7 - * Copyright (C) 2005 IBM Corporation
    13.8 - *
    13.9 - * Author:
   13.10 - * Stefan Berger <stefanb@watson.ibm.com>
   13.11 - * 
   13.12 - * Contributions:
   13.13 - * Reiner Sailer <sailer@watson.ibm.com>
   13.14 - *
   13.15 - * This program is free software; you can redistribute it and/or
   13.16 - * modify it under the terms of the GNU General Public License as
   13.17 - * published by the Free Software Foundation, version 2 of the
   13.18 - * License.
   13.19 - *
   13.20 - * sHype header file defining endian-dependent functions for the
   13.21 - * big-endian policy interface
   13.22 - *
   13.23 - */
   13.24 -
   13.25 -#ifndef _ACM_ENDIAN_H
   13.26 -#define _ACM_ENDIAN_H
   13.27 -
   13.28 -#include <asm/byteorder.h>
   13.29 -
   13.30 -static inline void arrcpy16(u16 *dest, const u16 *src, size_t n)
   13.31 -{
   13.32 -    unsigned int i;
   13.33 -    for ( i = 0; i < n; i++ )
   13.34 -        dest[i] = cpu_to_be16(src[i]);
   13.35 -}
   13.36 -
   13.37 -static inline void arrcpy32(u32 *dest, const u32 *src, size_t n)
   13.38 -{
   13.39 -    unsigned int i;
   13.40 -    for ( i = 0; i < n; i++ )
   13.41 -        dest[i] = cpu_to_be32(src[i]);
   13.42 -}
   13.43 -
   13.44 -static inline void arrcpy(
   13.45 -    void *dest, const void *src, unsigned int elsize, size_t n)
   13.46 -{
   13.47 -    switch ( elsize )
   13.48 -    {
   13.49 -    case sizeof(u16):
   13.50 -        arrcpy16((u16 *)dest, (u16 *)src, n);
   13.51 -        break;
   13.52 -
   13.53 -    case sizeof(u32):
   13.54 -        arrcpy32((u32 *)dest, (u32 *)src, n);
   13.55 -        break;
   13.56 -
   13.57 -    default:
   13.58 -        memcpy(dest, src, elsize*n);
   13.59 -    }
   13.60 -}
   13.61 -
   13.62 -#endif
   13.63 -
   13.64 -/*
   13.65 - * Local variables:
   13.66 - * mode: C
   13.67 - * c-set-style: "BSD"
   13.68 - * c-basic-offset: 4
   13.69 - * tab-width: 4
   13.70 - * indent-tabs-mode: nil
   13.71 - * End:
   13.72 - */
    14.1 --- a/xen/include/acm/acm_hooks.h	Fri Aug 31 11:41:49 2007 +0100
    14.2 +++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
    14.3 @@ -1,349 +0,0 @@
    14.4 -/****************************************************************
    14.5 - * acm_hooks.h 
    14.6 - * 
    14.7 - * Copyright (C) 2005 IBM Corporation
    14.8 - *
    14.9 - * Author:
   14.10 - * Reiner Sailer <sailer@watson.ibm.com>
   14.11 - *
   14.12 - * This program is free software; you can redistribute it and/or
   14.13 - * modify it under the terms of the GNU General Public License as
   14.14 - * published by the Free Software Foundation, version 2 of the
   14.15 - * License.
   14.16 - *
   14.17 - * acm header file implementing the global (policy-independent)
   14.18 - *      sHype hooks that are called throughout Xen.
   14.19 - * 
   14.20 - */
   14.21 -
   14.22 -#ifndef _ACM_HOOKS_H
   14.23 -#define _ACM_HOOKS_H
   14.24 -
   14.25 -#include <xen/config.h>
   14.26 -#include <xen/errno.h>
   14.27 -#include <xen/types.h>
   14.28 -#include <xen/lib.h>
   14.29 -#include <xen/delay.h>
   14.30 -#include <xen/sched.h>
   14.31 -#include <xen/multiboot.h>
   14.32 -#include <public/acm.h>
   14.33 -#include <acm/acm_core.h>
   14.34 -#include <public/domctl.h>
   14.35 -#include <public/event_channel.h>
   14.36 -#include <asm/current.h>
   14.37 -
   14.38 -/*
   14.39 - * HOOK structure and meaning (justifies a few words about our model):
   14.40 - * 
   14.41 - * General idea: every policy-controlled system operation is reflected in a 
   14.42 - *               transaction in the system's security state
   14.43 - *
   14.44 - *      Keeping the security state consistent requires "atomic" transactions.
   14.45 - *      The name of the hooks to place around policy-controlled transactions
   14.46 - *      reflects this. If authorizations do not involve security state changes,
   14.47 - *      then and only then POST and FAIL hooks remain empty since we don't care
   14.48 - *      about the eventual outcome of the operation from a security viewpoint.
   14.49 - *
   14.50 - *      PURPOSE of hook types:
   14.51 - *      ======================
   14.52 - *      PRE-Hooks
   14.53 - *       a) general authorization to guard a controlled system operation
   14.54 - *       b) prepare security state change
   14.55 - *          (means: fail hook must be able to "undo" this)
   14.56 - *
   14.57 - *      POST-Hooks
   14.58 - *       a) commit prepared state change
   14.59 - *
   14.60 - *      FAIL-Hooks
   14.61 - *       a) roll-back prepared security state change from PRE-Hook
   14.62 - *
   14.63 - *
   14.64 - *      PLACEMENT of hook types:
   14.65 - *      ========================
   14.66 - *      PRE-Hooks must be called before a guarded/controlled system operation
   14.67 - *      is started. They return ACM_ACCESS_PERMITTED, ACM_ACCESS_DENIED or
   14.68 - *      error. Operation must be aborted if return is not ACM_ACCESS_PERMITTED.
   14.69 - *
   14.70 - *      POST-Hooks must be called after a successful system operation.
   14.71 - *      There is no return value: commit never fails.
   14.72 - *
   14.73 - *      FAIL-Hooks must be called:
   14.74 - *       a) if system transaction (operation) fails after calling the PRE-hook
   14.75 - *       b) if another (secondary) policy denies access in its PRE-Hook
   14.76 - *          (policy layering is useful but requires additional handling)
   14.77 - *
   14.78 - * Hook model from a security transaction viewpoint:
   14.79 - *   start-sys-ops--> prepare ----succeed-----> commit --> sys-ops success
   14.80 - *                   (pre-hook)  \           (post-hook)
   14.81 - *                                \
   14.82 - *                               fail
   14.83 - *                                   \
   14.84 - *                                    \
   14.85 - *                                  roll-back
   14.86 - *                                 (fail-hook)
   14.87 - *                                        \
   14.88 - *                                       sys-ops error
   14.89 - *
   14.90 - */
   14.91 -
   14.92 -struct acm_operations {
   14.93 -    /* policy management functions (must always be defined!) */
   14.94 -    int  (*init_domain_ssid)           (void **ssid, ssidref_t ssidref);
   14.95 -    void (*free_domain_ssid)           (void *ssid);
   14.96 -    int  (*dump_binary_policy)         (u8 *buffer, u32 buf_size);
   14.97 -    int  (*test_binary_policy)         (u8 *buffer, u32 buf_size,
   14.98 -                                        int is_bootpolicy,
   14.99 -                                        struct acm_sized_buffer *);
  14.100 -    int  (*set_binary_policy)          (u8 *buffer, u32 buf_size);
  14.101 -    int  (*dump_statistics)            (u8 *buffer, u16 buf_size);
  14.102 -    int  (*dump_ssid_types)            (ssidref_t ssidref, u8 *buffer, u16 buf_size);
  14.103 -    /* domain management control hooks (can be NULL) */
  14.104 -    int  (*domain_create)              (void *subject_ssid, ssidref_t ssidref,
  14.105 -                                        domid_t domid);
  14.106 -    void (*domain_destroy)             (void *object_ssid, struct domain *d);
  14.107 -    /* event channel control hooks  (can be NULL) */
  14.108 -    int  (*pre_eventchannel_unbound)      (domid_t id1, domid_t id2);
  14.109 -    void (*fail_eventchannel_unbound)     (domid_t id1, domid_t id2);
  14.110 -    int  (*pre_eventchannel_interdomain)  (domid_t id);
  14.111 -    void (*fail_eventchannel_interdomain) (domid_t id);
  14.112 -    /* grant table control hooks (can be NULL)  */
  14.113 -    int  (*pre_grant_map_ref)          (domid_t id);
  14.114 -    void (*fail_grant_map_ref)         (domid_t id);
  14.115 -    int  (*pre_grant_setup)            (domid_t id);
  14.116 -    void (*fail_grant_setup)           (domid_t id);
  14.117 -    /* generic domain-requested decision hooks (can be NULL) */
  14.118 -    int (*sharing)                     (ssidref_t ssidref1,
  14.119 -                                        ssidref_t ssidref2);
  14.120 -    int (*authorization)               (ssidref_t ssidref1,
  14.121 -                                        ssidref_t ssidref2);
  14.122 -    /* determine whether the default policy is installed */
  14.123 -    int (*is_default_policy)           (void);
  14.124 -};
  14.125 -
  14.126 -/* global variables */
  14.127 -extern struct acm_operations *acm_primary_ops;
  14.128 -extern struct acm_operations *acm_secondary_ops;
  14.129 -
  14.130 -/* if ACM_TRACE_MODE defined, all hooks should
  14.131 - * print a short trace message */
  14.132 -/* #define ACM_TRACE_MODE */
  14.133 -
  14.134 -#ifdef ACM_TRACE_MODE
  14.135 -# define traceprintk(fmt, args...) printk(fmt,## args)
  14.136 -#else
  14.137 -# define traceprintk(fmt, args...)
  14.138 -#endif
  14.139 -
  14.140 -
  14.141 -#ifndef ACM_SECURITY
  14.142 -
  14.143 -static inline int acm_pre_eventchannel_unbound(domid_t id1, domid_t id2)
  14.144 -{ return 0; }
  14.145 -static inline int acm_pre_eventchannel_interdomain(domid_t id)
  14.146 -{ return 0; }
  14.147 -static inline int acm_pre_grant_map_ref(domid_t id) 
  14.148 -{ return 0; }
  14.149 -static inline int acm_pre_grant_setup(domid_t id) 
  14.150 -{ return 0; }
  14.151 -static inline int acm_is_policy(char *buf, unsigned long len)
  14.152 -{ return 0; }
  14.153 -static inline int acm_sharing(ssidref_t ssidref1, ssidref_t ssidref2)
  14.154 -{ return 0; }
  14.155 -static inline int acm_authorization(ssidref_t ssidref1, ssidref_t ssidref2)
  14.156 -{ return 0; }
  14.157 -static inline int acm_domain_create(struct domain *d, ssidref_t ssidref)
  14.158 -{ return 0; }
  14.159 -static inline void acm_domain_destroy(struct domain *d)
  14.160 -{ return; }
  14.161 -
  14.162 -#define DOM0_SSIDREF 0x0
  14.163 -
  14.164 -#else
  14.165 -
  14.166 -static inline void acm_domain_ssid_onto_list(struct acm_ssid_domain *ssid)
  14.167 -{
  14.168 -    write_lock(&ssid_list_rwlock);
  14.169 -    list_add(&ssid->node, &ssid_list);
  14.170 -    write_unlock(&ssid_list_rwlock);
  14.171 -}
  14.172 -
  14.173 -static inline void acm_domain_ssid_off_list(struct acm_ssid_domain *ssid)
  14.174 -{
  14.175 -    write_lock(&ssid_list_rwlock);
  14.176 -    list_del(&ssid->node);
  14.177 -    write_unlock(&ssid_list_rwlock);
  14.178 -}
  14.179 -
  14.180 -static inline int acm_pre_eventchannel_unbound(domid_t id1, domid_t id2)
  14.181 -{
  14.182 -    if ((acm_primary_ops->pre_eventchannel_unbound != NULL) && 
  14.183 -        acm_primary_ops->pre_eventchannel_unbound(id1, id2))
  14.184 -        return ACM_ACCESS_DENIED;
  14.185 -    else if ((acm_secondary_ops->pre_eventchannel_unbound != NULL) && 
  14.186 -             acm_secondary_ops->pre_eventchannel_unbound(id1, id2)) {
  14.187 -        /* roll-back primary */
  14.188 -        if (acm_primary_ops->fail_eventchannel_unbound != NULL)
  14.189 -            acm_primary_ops->fail_eventchannel_unbound(id1, id2);
  14.190 -        return ACM_ACCESS_DENIED;
  14.191 -    } else
  14.192 -        return ACM_ACCESS_PERMITTED;
  14.193 -}
  14.194 -
  14.195 -static inline int acm_pre_eventchannel_interdomain(domid_t id)
  14.196 -{
  14.197 -    if ((acm_primary_ops->pre_eventchannel_interdomain != NULL) &&
  14.198 -        acm_primary_ops->pre_eventchannel_interdomain(id))
  14.199 -        return ACM_ACCESS_DENIED;
  14.200 -    else if ((acm_secondary_ops->pre_eventchannel_interdomain != NULL) &&
  14.201 -             acm_secondary_ops->pre_eventchannel_interdomain(id)) {
  14.202 -        /* roll-back primary */
  14.203 -        if (acm_primary_ops->fail_eventchannel_interdomain != NULL)
  14.204 -            acm_primary_ops->fail_eventchannel_interdomain(id);
  14.205 -        return ACM_ACCESS_DENIED;
  14.206 -    } else
  14.207 -        return ACM_ACCESS_PERMITTED;
  14.208 -}
  14.209 -
  14.210 -
  14.211 -static inline int acm_pre_grant_map_ref(domid_t id)
  14.212 -{
  14.213 -    if ( (acm_primary_ops->pre_grant_map_ref != NULL) &&
  14.214 -         acm_primary_ops->pre_grant_map_ref(id) )
  14.215 -    {
  14.216 -        return ACM_ACCESS_DENIED;
  14.217 -    }
  14.218 -    else if ( (acm_secondary_ops->pre_grant_map_ref != NULL) &&
  14.219 -              acm_secondary_ops->pre_grant_map_ref(id) )
  14.220 -    {
  14.221 -        /* roll-back primary */
  14.222 -        if ( acm_primary_ops->fail_grant_map_ref != NULL )
  14.223 -            acm_primary_ops->fail_grant_map_ref(id);
  14.224 -        return ACM_ACCESS_DENIED;
  14.225 -    }
  14.226 -    else
  14.227 -    {
  14.228 -        return ACM_ACCESS_PERMITTED;
  14.229 -    }
  14.230 -}
  14.231 -
  14.232 -static inline int acm_pre_grant_setup(domid_t id)
  14.233 -{
  14.234 -    if ( (acm_primary_ops->pre_grant_setup != NULL) &&
  14.235 -         acm_primary_ops->pre_grant_setup(id) )
  14.236 -    {
  14.237 -        return ACM_ACCESS_DENIED;
  14.238 -    }
  14.239 -    else if ( (acm_secondary_ops->pre_grant_setup != NULL) &&
  14.240 -              acm_secondary_ops->pre_grant_setup(id) )
  14.241 -    {
  14.242 -        /* roll-back primary */
  14.243 -        if (acm_primary_ops->fail_grant_setup != NULL)
  14.244 -            acm_primary_ops->fail_grant_setup(id);
  14.245 -        return ACM_ACCESS_DENIED;
  14.246 -    }
  14.247 -    else
  14.248 -    {
  14.249 -        return ACM_ACCESS_PERMITTED;
  14.250 -    }
  14.251 -}
  14.252 -
  14.253 -
  14.254 -static inline void acm_domain_destroy(struct domain *d)
  14.255 -{
  14.256 -    void *ssid = d->ssid;
  14.257 -    if (ssid != NULL) {
  14.258 -        if (acm_primary_ops->domain_destroy != NULL)
  14.259 -            acm_primary_ops->domain_destroy(ssid, d);
  14.260 -        if (acm_secondary_ops->domain_destroy != NULL)
  14.261 -            acm_secondary_ops->domain_destroy(ssid, d);
  14.262 -        /* free security ssid for the destroyed domain (also if null policy */
  14.263 -        acm_domain_ssid_off_list(ssid);
  14.264 -        acm_free_domain_ssid((struct acm_ssid_domain *)(ssid));
  14.265 -    }
  14.266 -}
  14.267 -
  14.268 -
  14.269 -static inline int acm_domain_create(struct domain *d, ssidref_t ssidref)
  14.270 -{
  14.271 -    void *subject_ssid = current->domain->ssid;
  14.272 -    domid_t domid = d->domain_id;
  14.273 -    int rc;
  14.274 -
  14.275 -    read_lock(&acm_bin_pol_rwlock);
  14.276 -    /*
  14.277 -       To be called when a domain is created; returns '0' if the
  14.278 -       domain is allowed to be created, != '0' if not.
  14.279 -     */
  14.280 -    rc = acm_init_domain_ssid(d, ssidref);
  14.281 -    if (rc != ACM_OK)
  14.282 -        goto error_out;
  14.283 -
  14.284 -    if ((acm_primary_ops->domain_create != NULL) &&
  14.285 -        acm_primary_ops->domain_create(subject_ssid, ssidref, domid)) {
  14.286 -        rc = ACM_ACCESS_DENIED;
  14.287 -    } else if ((acm_secondary_ops->domain_create != NULL) &&
  14.288 -                acm_secondary_ops->domain_create(subject_ssid, ssidref,
  14.289 -                                                 domid)) {
  14.290 -        /* roll-back primary */
  14.291 -        if (acm_primary_ops->domain_destroy != NULL)
  14.292 -            acm_primary_ops->domain_destroy(d->ssid, d);
  14.293 -        rc = ACM_ACCESS_DENIED;
  14.294 -    }
  14.295 -
  14.296 -    if ( rc == ACM_OK )
  14.297 -    {
  14.298 -        acm_domain_ssid_onto_list(d->ssid);
  14.299 -    } else {
  14.300 -        acm_free_domain_ssid(d->ssid);
  14.301 -    }
  14.302 -
  14.303 -error_out:
  14.304 -    read_unlock(&acm_bin_pol_rwlock);
  14.305 -    return rc;
  14.306 -}
  14.307 -
  14.308 -
  14.309 -static inline int acm_sharing(ssidref_t ssidref1, ssidref_t ssidref2)
  14.310 -{
  14.311 -    if ((acm_primary_ops->sharing != NULL) &&
  14.312 -        acm_primary_ops->sharing(ssidref1, ssidref2))
  14.313 -        return ACM_ACCESS_DENIED;
  14.314 -    else if ((acm_secondary_ops->sharing != NULL) &&
  14.315 -             acm_secondary_ops->sharing(ssidref1, ssidref2)) {
  14.316 -        return ACM_ACCESS_DENIED;
  14.317 -    } else
  14.318 -        return ACM_ACCESS_PERMITTED;
  14.319 -}
  14.320 -
  14.321 -
  14.322 -static inline int acm_authorization(ssidref_t ssidref1, ssidref_t ssidref2)
  14.323 -{
  14.324 -    if ((acm_primary_ops->authorization != NULL) &&
  14.325 -        acm_primary_ops->authorization(ssidref1, ssidref2))
  14.326 -        return ACM_ACCESS_DENIED;
  14.327 -    else if ((acm_secondary_ops->authorization != NULL) &&
  14.328 -             acm_secondary_ops->authorization(ssidref1, ssidref2)) {
  14.329 -        return ACM_ACCESS_DENIED;
  14.330 -    } else
  14.331 -        return ACM_ACCESS_PERMITTED;
  14.332 -}
  14.333 -
  14.334 -
  14.335 -/* Return true iff buffer has an acm policy magic number.  */
  14.336 -extern int acm_is_policy(char *buf, unsigned long len);
  14.337 -
  14.338 -#define DOM0_SSIDREF (dom0_ste_ssidref << 16 | dom0_chwall_ssidref)
  14.339 -
  14.340 -#endif
  14.341 -
  14.342 -#endif
  14.343 -
  14.344 -/*
  14.345 - * Local variables:
  14.346 - * mode: C
  14.347 - * c-set-style: "BSD"
  14.348 - * c-basic-offset: 4
  14.349 - * tab-width: 4
  14.350 - * indent-tabs-mode: nil
  14.351 - * End:
  14.352 - */
    15.1 --- a/xen/include/public/acm.h	Fri Aug 31 11:41:49 2007 +0100
    15.2 +++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
    15.3 @@ -1,229 +0,0 @@
    15.4 -/*
    15.5 - * acm.h: Xen access control module interface defintions
    15.6 - *
    15.7 - * Permission is hereby granted, free of charge, to any person obtaining a copy
    15.8 - * of this software and associated documentation files (the "Software"), to
    15.9 - * deal in the Software without restriction, including without limitation the
   15.10 - * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
   15.11 - * sell copies of the Software, and to permit persons to whom the Software is
   15.12 - * furnished to do so, subject to the following conditions:
   15.13 - *
   15.14 - * The above copyright notice and this permission notice shall be included in
   15.15 - * all copies or substantial portions of the Software.
   15.16 - *
   15.17 - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
   15.18 - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
   15.19 - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
   15.20 - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
   15.21 - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
   15.22 - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
   15.23 - * DEALINGS IN THE SOFTWARE.
   15.24 - *
   15.25 - * Reiner Sailer <sailer@watson.ibm.com>
   15.26 - * Copyright (c) 2005, International Business Machines Corporation.
   15.27 - */
   15.28 -
   15.29 -#ifndef _XEN_PUBLIC_ACM_H
   15.30 -#define _XEN_PUBLIC_ACM_H
   15.31 -
   15.32 -#include "xen.h"
   15.33 -
   15.34 -/* if ACM_DEBUG defined, all hooks should
   15.35 - * print a short trace message (comment it out
   15.36 - * when not in testing mode )
   15.37 - */
   15.38 -/* #define ACM_DEBUG */
   15.39 -
   15.40 -#ifdef ACM_DEBUG
   15.41 -#  define printkd(fmt, args...) printk(fmt,## args)
   15.42 -#else
   15.43 -#  define printkd(fmt, args...)
   15.44 -#endif
   15.45 -
   15.46 -/* default ssid reference value if not supplied */
   15.47 -#define ACM_DEFAULT_SSID  0x0
   15.48 -#define ACM_DEFAULT_LOCAL_SSID  0x0
   15.49 -
   15.50 -/* Internal ACM ERROR types */
   15.51 -#define ACM_OK     0
   15.52 -#define ACM_UNDEF   -1
   15.53 -#define ACM_INIT_SSID_ERROR  -2
   15.54 -#define ACM_INIT_SOID_ERROR  -3
   15.55 -#define ACM_ERROR          -4
   15.56 -
   15.57 -/* External ACCESS DECISIONS */
   15.58 -#define ACM_ACCESS_PERMITTED        0
   15.59 -#define ACM_ACCESS_DENIED           -111
   15.60 -#define ACM_NULL_POINTER_ERROR      -200
   15.61 -
   15.62 -/*
   15.63 -   Error codes reported in when trying to test for a new policy
   15.64 -   These error codes are reported in an array of tuples where
   15.65 -   each error code is followed by a parameter describing the error
   15.66 -   more closely, such as a domain id.
   15.67 -*/
   15.68 -#define ACM_EVTCHN_SHARING_VIOLATION       0x100
   15.69 -#define ACM_GNTTAB_SHARING_VIOLATION       0x101
   15.70 -#define ACM_DOMAIN_LOOKUP                  0x102
   15.71 -#define ACM_CHWALL_CONFLICT                0x103
   15.72 -#define ACM_SSIDREF_IN_USE                 0x104
   15.73 -
   15.74 -
   15.75 -/* primary policy in lower 4 bits */
   15.76 -#define ACM_NULL_POLICY 0
   15.77 -#define ACM_CHINESE_WALL_POLICY 1
   15.78 -#define ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY 2
   15.79 -#define ACM_POLICY_UNDEFINED 15
   15.80 -
   15.81 -/* combinations have secondary policy component in higher 4bit */
   15.82 -#define ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY \
   15.83 -    ((ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY << 4) | ACM_CHINESE_WALL_POLICY)
   15.84 -
   15.85 -/* policy: */
   15.86 -#define ACM_POLICY_NAME(X) \
   15.87 - ((X) == (ACM_NULL_POLICY)) ? "NULL" :                        \
   15.88 -    ((X) == (ACM_CHINESE_WALL_POLICY)) ? "CHINESE WALL" :        \
   15.89 -    ((X) == (ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY)) ? "SIMPLE TYPE ENFORCEMENT" : \
   15.90 -    ((X) == (ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY)) ? "CHINESE WALL AND SIMPLE TYPE ENFORCEMENT" : \
   15.91 -     "UNDEFINED"
   15.92 -
   15.93 -/* the following policy versions must be increased
   15.94 - * whenever the interpretation of the related
   15.95 - * policy's data structure changes
   15.96 - */
   15.97 -#define ACM_POLICY_VERSION 3
   15.98 -#define ACM_CHWALL_VERSION 1
   15.99 -#define ACM_STE_VERSION  1
  15.100 -
  15.101 -/* defines a ssid reference used by xen */
  15.102 -typedef uint32_t ssidref_t;
  15.103 -
  15.104 -/* hooks that are known to domains */
  15.105 -#define ACMHOOK_none          0
  15.106 -#define ACMHOOK_sharing       1
  15.107 -#define ACMHOOK_authorization 2
  15.108 -
  15.109 -/* -------security policy relevant type definitions-------- */
  15.110 -
  15.111 -/* type identifier; compares to "equal" or "not equal" */
  15.112 -typedef uint16_t domaintype_t;
  15.113 -
  15.114 -/* CHINESE WALL POLICY DATA STRUCTURES
  15.115 - *
  15.116 - * current accumulated conflict type set:
  15.117 - * When a domain is started and has a type that is in
  15.118 - * a conflict set, the conflicting types are incremented in
  15.119 - * the aggregate set. When a domain is destroyed, the 
  15.120 - * conflicting types to its type are decremented.
  15.121 - * If a domain has multiple types, this procedure works over
  15.122 - * all those types.
  15.123 - *
  15.124 - * conflict_aggregate_set[i] holds the number of
  15.125 - *   running domains that have a conflict with type i.
  15.126 - *
  15.127 - * running_types[i] holds the number of running domains
  15.128 - *        that include type i in their ssidref-referenced type set
  15.129 - *
  15.130 - * conflict_sets[i][j] is "0" if type j has no conflict
  15.131 - *    with type i and is "1" otherwise.
  15.132 - */
  15.133 -/* high-16 = version, low-16 = check magic */
  15.134 -#define ACM_MAGIC  0x0001debc
  15.135 -
  15.136 -/* each offset in bytes from start of the struct they
  15.137 - * are part of */
  15.138 -
  15.139 -/* V3 of the policy buffer aded a version structure */
  15.140 -struct acm_policy_version
  15.141 -{
  15.142 -    uint32_t major;
  15.143 -    uint32_t minor;
  15.144 -};
  15.145 -
  15.146 -
  15.147 -/* each buffer consists of all policy information for
  15.148 - * the respective policy given in the policy code
  15.149 - *
  15.150 - * acm_policy_buffer, acm_chwall_policy_buffer,
  15.151 - * and acm_ste_policy_buffer need to stay 32-bit aligned
  15.152 - * because we create binary policies also with external
  15.153 - * tools that assume packed representations (e.g. the java tool)
  15.154 - */
  15.155 -struct acm_policy_buffer {
  15.156 -    uint32_t magic;
  15.157 -    uint32_t policy_version; /* ACM_POLICY_VERSION */
  15.158 -    uint32_t len;
  15.159 -    uint32_t policy_reference_offset;
  15.160 -    uint32_t primary_policy_code;
  15.161 -    uint32_t primary_buffer_offset;
  15.162 -    uint32_t secondary_policy_code;
  15.163 -    uint32_t secondary_buffer_offset;
  15.164 -    struct acm_policy_version xml_pol_version; /* add in V3 */
  15.165 -};
  15.166 -
  15.167 -
  15.168 -struct acm_policy_reference_buffer {
  15.169 -    uint32_t len;
  15.170 -};
  15.171 -
  15.172 -struct acm_chwall_policy_buffer {
  15.173 -    uint32_t policy_version; /* ACM_CHWALL_VERSION */
  15.174 -    uint32_t policy_code;
  15.175 -    uint32_t chwall_max_types;
  15.176 -    uint32_t chwall_max_ssidrefs;
  15.177 -    uint32_t chwall_max_conflictsets;
  15.178 -    uint32_t chwall_ssid_offset;
  15.179 -    uint32_t chwall_conflict_sets_offset;
  15.180 -    uint32_t chwall_running_types_offset;
  15.181 -    uint32_t chwall_conflict_aggregate_offset;
  15.182 -};
  15.183 -
  15.184 -struct acm_ste_policy_buffer {
  15.185 -    uint32_t policy_version; /* ACM_STE_VERSION */
  15.186 -    uint32_t policy_code;
  15.187 -    uint32_t ste_max_types;
  15.188 -    uint32_t ste_max_ssidrefs;
  15.189 -    uint32_t ste_ssid_offset;
  15.190 -};
  15.191 -
  15.192 -struct acm_stats_buffer {
  15.193 -    uint32_t magic;
  15.194 -    uint32_t len;
  15.195 -    uint32_t primary_policy_code;
  15.196 -    uint32_t primary_stats_offset;
  15.197 -    uint32_t secondary_policy_code;
  15.198 -    uint32_t secondary_stats_offset;
  15.199 -};
  15.200 -
  15.201 -struct acm_ste_stats_buffer {
  15.202 -    uint32_t ec_eval_count;
  15.203 -    uint32_t gt_eval_count;
  15.204 -    uint32_t ec_denied_count;
  15.205 -    uint32_t gt_denied_count;
  15.206 -    uint32_t ec_cachehit_count;
  15.207 -    uint32_t gt_cachehit_count;
  15.208 -};
  15.209 -
  15.210 -struct acm_ssid_buffer {
  15.211 -    uint32_t len;
  15.212 -    ssidref_t ssidref;
  15.213 -    uint32_t policy_reference_offset;
  15.214 -    uint32_t primary_policy_code;
  15.215 -    uint32_t primary_max_types;
  15.216 -    uint32_t primary_types_offset;
  15.217 -    uint32_t secondary_policy_code;
  15.218 -    uint32_t secondary_max_types;
  15.219 -    uint32_t secondary_types_offset;
  15.220 -};
  15.221 -
  15.222 -#endif
  15.223 -
  15.224 -/*
  15.225 - * Local variables:
  15.226 - * mode: C
  15.227 - * c-set-style: "BSD"
  15.228 - * c-basic-offset: 4
  15.229 - * tab-width: 4
  15.230 - * indent-tabs-mode: nil
  15.231 - * End:
  15.232 - */
    16.1 --- a/xen/include/public/acm_ops.h	Fri Aug 31 11:41:49 2007 +0100
    16.2 +++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
    16.3 @@ -1,159 +0,0 @@
    16.4 -/*
    16.5 - * acm_ops.h: Xen access control module hypervisor commands
    16.6 - *
    16.7 - * Permission is hereby granted, free of charge, to any person obtaining a copy
    16.8 - * of this software and associated documentation files (the "Software"), to
    16.9 - * deal in the Software without restriction, including without limitation the
   16.10 - * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
   16.11 - * sell copies of the Software, and to permit persons to whom the Software is
   16.12 - * furnished to do so, subject to the following conditions:
   16.13 - *
   16.14 - * The above copyright notice and this permission notice shall be included in
   16.15 - * all copies or substantial portions of the Software.
   16.16 - *
   16.17 - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
   16.18 - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
   16.19 - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
   16.20 - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
   16.21 - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
   16.22 - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
   16.23 - * DEALINGS IN THE SOFTWARE.
   16.24 - *
   16.25 - * Reiner Sailer <sailer@watson.ibm.com>
   16.26 - * Copyright (c) 2005,2006 International Business Machines Corporation.
   16.27 - */
   16.28 -
   16.29 -#ifndef __XEN_PUBLIC_ACM_OPS_H__
   16.30 -#define __XEN_PUBLIC_ACM_OPS_H__
   16.31 -
   16.32 -#include "xen.h"
   16.33 -#include "acm.h"
   16.34 -
   16.35 -/*
   16.36 - * Make sure you increment the interface version whenever you modify this file!
   16.37 - * This makes sure that old versions of acm tools will stop working in a
   16.38 - * well-defined way (rather than crashing the machine, for instance).
   16.39 - */
   16.40 -#define ACM_INTERFACE_VERSION   0xAAAA000A
   16.41 -
   16.42 -/************************************************************************/
   16.43 -
   16.44 -/*
   16.45 - * Prototype for this hypercall is:
   16.46 - *  int acm_op(int cmd, void *args)
   16.47 - * @cmd  == ACMOP_??? (access control module operation).
   16.48 - * @args == Operation-specific extra arguments (NULL if none).
   16.49 - */
   16.50 -
   16.51 -
   16.52 -#define ACMOP_setpolicy         1
   16.53 -struct acm_setpolicy {
   16.54 -    /* IN */
   16.55 -    XEN_GUEST_HANDLE_64(void) pushcache;
   16.56 -    uint32_t pushcache_size;
   16.57 -};
   16.58 -
   16.59 -
   16.60 -#define ACMOP_getpolicy         2
   16.61 -struct acm_getpolicy {
   16.62 -    /* IN */
   16.63 -    XEN_GUEST_HANDLE_64(void) pullcache;
   16.64 -    uint32_t pullcache_size;
   16.65 -};
   16.66 -
   16.67 -
   16.68 -#define ACMOP_dumpstats         3
   16.69 -struct acm_dumpstats {
   16.70 -    /* IN */
   16.71 -    XEN_GUEST_HANDLE_64(void) pullcache;
   16.72 -    uint32_t pullcache_size;
   16.73 -};
   16.74 -
   16.75 -
   16.76 -#define ACMOP_getssid           4
   16.77 -#define ACM_GETBY_ssidref  1
   16.78 -#define ACM_GETBY_domainid 2
   16.79 -struct acm_getssid {
   16.80 -    /* IN */
   16.81 -    uint32_t get_ssid_by; /* ACM_GETBY_* */
   16.82 -    union {
   16.83 -        domaintype_t domainid;
   16.84 -        ssidref_t    ssidref;
   16.85 -    } id;
   16.86 -    XEN_GUEST_HANDLE_64(void) ssidbuf;
   16.87 -    uint32_t ssidbuf_size;
   16.88 -};
   16.89 -
   16.90 -#define ACMOP_getdecision      5
   16.91 -struct acm_getdecision {
   16.92 -    /* IN */
   16.93 -    uint32_t get_decision_by1; /* ACM_GETBY_* */
   16.94 -    uint32_t get_decision_by2; /* ACM_GETBY_* */
   16.95 -    union {
   16.96 -        domaintype_t domainid;
   16.97 -        ssidref_t    ssidref;
   16.98 -    } id1;
   16.99 -    union {
  16.100 -        domaintype_t domainid;
  16.101 -        ssidref_t    ssidref;
  16.102 -    } id2;
  16.103 -    uint32_t hook;
  16.104 -    /* OUT */
  16.105 -    uint32_t acm_decision;
  16.106 -};
  16.107 -
  16.108 -
  16.109 -#define ACMOP_chgpolicy        6
  16.110 -struct acm_change_policy {
  16.111 -    /* IN */
  16.112 -    XEN_GUEST_HANDLE_64(void) policy_pushcache;
  16.113 -    uint32_t policy_pushcache_size;
  16.114 -    XEN_GUEST_HANDLE_64(void) del_array;
  16.115 -    uint32_t delarray_size;
  16.116 -    XEN_GUEST_HANDLE_64(void) chg_array;
  16.117 -    uint32_t chgarray_size;
  16.118 -    /* OUT */
  16.119 -    /* array with error code */
  16.120 -    XEN_GUEST_HANDLE_64(void) err_array;
  16.121 -    uint32_t errarray_size;
  16.122 -};
  16.123 -
  16.124 -#define ACMOP_relabeldoms       7
  16.125 -struct acm_relabel_doms {
  16.126 -    /* IN */
  16.127 -    XEN_GUEST_HANDLE_64(void) relabel_map;
  16.128 -    uint32_t relabel_map_size;
  16.129 -    /* OUT */
  16.130 -    XEN_GUEST_HANDLE_64(void) err_array;
  16.131 -    uint32_t errarray_size;
  16.132 -};
  16.133 -
  16.134 -/* future interface to Xen */
  16.135 -struct xen_acmctl {
  16.136 -    uint32_t cmd;
  16.137 -    uint32_t interface_version;
  16.138 -    union {
  16.139 -        struct acm_setpolicy     setpolicy;
  16.140 -        struct acm_getpolicy     getpolicy;
  16.141 -        struct acm_dumpstats     dumpstats;
  16.142 -        struct acm_getssid       getssid;
  16.143 -        struct acm_getdecision   getdecision;
  16.144 -        struct acm_change_policy change_policy;
  16.145 -        struct acm_relabel_doms  relabel_doms;
  16.146 -    } u;
  16.147 -};
  16.148 -
  16.149 -typedef struct xen_acmctl xen_acmctl_t;
  16.150 -DEFINE_XEN_GUEST_HANDLE(xen_acmctl_t);
  16.151 -
  16.152 -#endif /* __XEN_PUBLIC_ACM_OPS_H__ */
  16.153 -
  16.154 -/*
  16.155 - * Local variables:
  16.156 - * mode: C
  16.157 - * c-set-style: "BSD"
  16.158 - * c-basic-offset: 4
  16.159 - * tab-width: 4
  16.160 - * indent-tabs-mode: nil
  16.161 - * End:
  16.162 - */
    17.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
    17.2 +++ b/xen/include/public/xsm/acm.h	Fri Aug 31 12:05:07 2007 +0100
    17.3 @@ -0,0 +1,229 @@
    17.4 +/*
    17.5 + * acm.h: Xen access control module interface defintions
    17.6 + *
    17.7 + * Permission is hereby granted, free of charge, to any person obtaining a copy
    17.8 + * of this software and associated documentation files (the "Software"), to
    17.9 + * deal in the Software without restriction, including without limitation the
   17.10 + * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
   17.11 + * sell copies of the Software, and to permit persons to whom the Software is
   17.12 + * furnished to do so, subject to the following conditions:
   17.13 + *
   17.14 + * The above copyright notice and this permission notice shall be included in
   17.15 + * all copies or substantial portions of the Software.
   17.16 + *
   17.17 + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
   17.18 + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
   17.19 + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
   17.20 + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
   17.21 + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
   17.22 + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
   17.23 + * DEALINGS IN THE SOFTWARE.
   17.24 + *
   17.25 + * Reiner Sailer <sailer@watson.ibm.com>
   17.26 + * Copyright (c) 2005, International Business Machines Corporation.
   17.27 + */
   17.28 +
   17.29 +#ifndef _XEN_PUBLIC_ACM_H
   17.30 +#define _XEN_PUBLIC_ACM_H
   17.31 +
   17.32 +#include "../xen.h"
   17.33 +
   17.34 +/* if ACM_DEBUG defined, all hooks should
   17.35 + * print a short trace message (comment it out
   17.36 + * when not in testing mode )
   17.37 + */
   17.38 +/* #define ACM_DEBUG */
   17.39 +
   17.40 +#ifdef ACM_DEBUG
   17.41 +#  define printkd(fmt, args...) printk(fmt,## args)
   17.42 +#else
   17.43 +#  define printkd(fmt, args...)
   17.44 +#endif
   17.45 +
   17.46 +/* default ssid reference value if not supplied */
   17.47 +#define ACM_DEFAULT_SSID  0x0
   17.48 +#define ACM_DEFAULT_LOCAL_SSID  0x0
   17.49 +
   17.50 +/* Internal ACM ERROR types */
   17.51 +#define ACM_OK     0
   17.52 +#define ACM_UNDEF   -1
   17.53 +#define ACM_INIT_SSID_ERROR  -2
   17.54 +#define ACM_INIT_SOID_ERROR  -3
   17.55 +#define ACM_ERROR          -4
   17.56 +
   17.57 +/* External ACCESS DECISIONS */
   17.58 +#define ACM_ACCESS_PERMITTED        0
   17.59 +#define ACM_ACCESS_DENIED           -111
   17.60 +#define ACM_NULL_POINTER_ERROR      -200
   17.61 +
   17.62 +/*
   17.63 +   Error codes reported in when trying to test for a new policy
   17.64 +   These error codes are reported in an array of tuples where
   17.65 +   each error code is followed by a parameter describing the error
   17.66 +   more closely, such as a domain id.
   17.67 +*/
   17.68 +#define ACM_EVTCHN_SHARING_VIOLATION       0x100
   17.69 +#define ACM_GNTTAB_SHARING_VIOLATION       0x101
   17.70 +#define ACM_DOMAIN_LOOKUP                  0x102
   17.71 +#define ACM_CHWALL_CONFLICT                0x103
   17.72 +#define ACM_SSIDREF_IN_USE                 0x104
   17.73 +
   17.74 +
   17.75 +/* primary policy in lower 4 bits */
   17.76 +#define ACM_NULL_POLICY 0
   17.77 +#define ACM_CHINESE_WALL_POLICY 1
   17.78 +#define ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY 2
   17.79 +#define ACM_POLICY_UNDEFINED 15
   17.80 +
   17.81 +/* combinations have secondary policy component in higher 4bit */
   17.82 +#define ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY \
   17.83 +    ((ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY << 4) | ACM_CHINESE_WALL_POLICY)
   17.84 +
   17.85 +/* policy: */
   17.86 +#define ACM_POLICY_NAME(X) \
   17.87 + ((X) == (ACM_NULL_POLICY)) ? "NULL" :                        \
   17.88 +    ((X) == (ACM_CHINESE_WALL_POLICY)) ? "CHINESE WALL" :        \
   17.89 +    ((X) == (ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY)) ? "SIMPLE TYPE ENFORCEMENT" : \
   17.90 +    ((X) == (ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY)) ? "CHINESE WALL AND SIMPLE TYPE ENFORCEMENT" : \
   17.91 +     "UNDEFINED"
   17.92 +
   17.93 +/* the following policy versions must be increased
   17.94 + * whenever the interpretation of the related
   17.95 + * policy's data structure changes
   17.96 + */
   17.97 +#define ACM_POLICY_VERSION 3
   17.98 +#define ACM_CHWALL_VERSION 1
   17.99 +#define ACM_STE_VERSION  1
  17.100 +
  17.101 +/* defines a ssid reference used by xen */
  17.102 +typedef uint32_t ssidref_t;
  17.103 +
  17.104 +/* hooks that are known to domains */
  17.105 +#define ACMHOOK_none          0
  17.106 +#define ACMHOOK_sharing       1
  17.107 +#define ACMHOOK_authorization 2
  17.108 +
  17.109 +/* -------security policy relevant type definitions-------- */
  17.110 +
  17.111 +/* type identifier; compares to "equal" or "not equal" */
  17.112 +typedef uint16_t domaintype_t;
  17.113 +
  17.114 +/* CHINESE WALL POLICY DATA STRUCTURES
  17.115 + *
  17.116 + * current accumulated conflict type set:
  17.117 + * When a domain is started and has a type that is in
  17.118 + * a conflict set, the conflicting types are incremented in
  17.119 + * the aggregate set. When a domain is destroyed, the 
  17.120 + * conflicting types to its type are decremented.
  17.121 + * If a domain has multiple types, this procedure works over
  17.122 + * all those types.
  17.123 + *
  17.124 + * conflict_aggregate_set[i] holds the number of
  17.125 + *   running domains that have a conflict with type i.
  17.126 + *
  17.127 + * running_types[i] holds the number of running domains
  17.128 + *        that include type i in their ssidref-referenced type set
  17.129 + *
  17.130 + * conflict_sets[i][j] is "0" if type j has no conflict
  17.131 + *    with type i and is "1" otherwise.
  17.132 + */
  17.133 +/* high-16 = version, low-16 = check magic */
  17.134 +#define ACM_MAGIC  0x0001debc
  17.135 +
  17.136 +/* each offset in bytes from start of the struct they
  17.137 + * are part of */
  17.138 +
  17.139 +/* V3 of the policy buffer aded a version structure */
  17.140 +struct acm_policy_version
  17.141 +{
  17.142 +    uint32_t major;
  17.143 +    uint32_t minor;
  17.144 +};
  17.145 +
  17.146 +
  17.147 +/* each buffer consists of all policy information for
  17.148 + * the respective policy given in the policy code
  17.149 + *
  17.150 + * acm_policy_buffer, acm_chwall_policy_buffer,
  17.151 + * and acm_ste_policy_buffer need to stay 32-bit aligned
  17.152 + * because we create binary policies also with external
  17.153 + * tools that assume packed representations (e.g. the java tool)
  17.154 + */
  17.155 +struct acm_policy_buffer {
  17.156 +    uint32_t magic;
  17.157 +    uint32_t policy_version; /* ACM_POLICY_VERSION */
  17.158 +    uint32_t len;
  17.159 +    uint32_t policy_reference_offset;
  17.160 +    uint32_t primary_policy_code;
  17.161 +    uint32_t primary_buffer_offset;
  17.162 +    uint32_t secondary_policy_code;
  17.163 +    uint32_t secondary_buffer_offset;
  17.164 +    struct acm_policy_version xml_pol_version; /* add in V3 */
  17.165 +};
  17.166 +
  17.167 +
  17.168 +struct acm_policy_reference_buffer {
  17.169 +    uint32_t len;
  17.170 +};
  17.171 +
  17.172 +struct acm_chwall_policy_buffer {
  17.173 +    uint32_t policy_version; /* ACM_CHWALL_VERSION */
  17.174 +    uint32_t policy_code;
  17.175 +    uint32_t chwall_max_types;
  17.176 +    uint32_t chwall_max_ssidrefs;
  17.177 +    uint32_t chwall_max_conflictsets;
  17.178 +    uint32_t chwall_ssid_offset;
  17.179 +    uint32_t chwall_conflict_sets_offset;
  17.180 +    uint32_t chwall_running_types_offset;
  17.181 +    uint32_t chwall_conflict_aggregate_offset;
  17.182 +};
  17.183 +
  17.184 +struct acm_ste_policy_buffer {
  17.185 +    uint32_t policy_version; /* ACM_STE_VERSION */
  17.186 +    uint32_t policy_code;
  17.187 +    uint32_t ste_max_types;
  17.188 +    uint32_t ste_max_ssidrefs;
  17.189 +    uint32_t ste_ssid_offset;
  17.190 +};
  17.191 +
  17.192 +struct acm_stats_buffer {
  17.193 +    uint32_t magic;
  17.194 +    uint32_t len;
  17.195 +    uint32_t primary_policy_code;
  17.196 +    uint32_t primary_stats_offset;
  17.197 +    uint32_t secondary_policy_code;
  17.198 +    uint32_t secondary_stats_offset;
  17.199 +};
  17.200 +
  17.201 +struct acm_ste_stats_buffer {
  17.202 +    uint32_t ec_eval_count;
  17.203 +    uint32_t gt_eval_count;
  17.204 +    uint32_t ec_denied_count;
  17.205 +    uint32_t gt_denied_count;
  17.206 +    uint32_t ec_cachehit_count;
  17.207 +    uint32_t gt_cachehit_count;
  17.208 +};
  17.209 +
  17.210 +struct acm_ssid_buffer {
  17.211 +    uint32_t len;
  17.212 +    ssidref_t ssidref;
  17.213 +    uint32_t policy_reference_offset;
  17.214 +    uint32_t primary_policy_code;
  17.215 +    uint32_t primary_max_types;
  17.216 +    uint32_t primary_types_offset;
  17.217 +    uint32_t secondary_policy_code;
  17.218 +    uint32_t secondary_max_types;
  17.219 +    uint32_t secondary_types_offset;
  17.220 +};
  17.221 +
  17.222 +#endif
  17.223 +
  17.224 +/*
  17.225 + * Local variables:
  17.226 + * mode: C
  17.227 + * c-set-style: "BSD"
  17.228 + * c-basic-offset: 4
  17.229 + * tab-width: 4
  17.230 + * indent-tabs-mode: nil
  17.231 + * End:
  17.232 + */
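Review bot: ACM_POLICY_NAME at hunk lines 17.86–17.91 expands to a bare conditional chain with no enclosing parentheses, so any use other than as a lone function argument (for example `ACM_POLICY_NAME(p) == s`, or placing it next to another operand) rebinds the `?:` chain to the surrounding expression; the fix is to wrap the whole expansion in one outer pair of parentheses, leaving the per-branch strings unchanged. Two smaller points in the same header: `printkd` (17.41) uses the GNU named-variadic form `args...`, which is fine inside the hypervisor but is presumably not what a compiler-neutral public header wants (the C99 form is `printkd(fmt, ...)` with `__VA_ARGS__`), and the include guard `_XEN_PUBLIC_ACM_H` is an identifier reserved for the implementation (leading underscore followed by an uppercase letter). This file appears to be the moved copy of the deleted public/acm.h with only the include path changed, so these are pre-existing issues the move carries forward rather than regressions.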
    18.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
    18.2 +++ b/xen/include/public/xsm/acm_ops.h	Fri Aug 31 12:05:07 2007 +0100
    18.3 @@ -0,0 +1,159 @@
    18.4 +/*
    18.5 + * acm_ops.h: Xen access control module hypervisor commands
    18.6 + *
    18.7 + * Permission is hereby granted, free of charge, to any person obtaining a copy
    18.8 + * of this software and associated documentation files (the "Software"), to
    18.9 + * deal in the Software without restriction, including without limitation the
   18.10 + * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
   18.11 + * sell copies of the Software, and to permit persons to whom the Software is
   18.12 + * furnished to do so, subject to the following conditions:
   18.13 + *
   18.14 + * The above copyright notice and this permission notice shall be included in
   18.15 + * all copies or substantial portions of the Software.
   18.16 + *
   18.17 + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
   18.18 + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
   18.19 + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
   18.20 + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
   18.21 + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
   18.22 + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
   18.23 + * DEALINGS IN THE SOFTWARE.
   18.24 + *
   18.25 + * Reiner Sailer <sailer@watson.ibm.com>
   18.26 + * Copyright (c) 2005,2006 International Business Machines Corporation.
   18.27 + */
   18.28 +
   18.29 +#ifndef __XEN_PUBLIC_ACM_OPS_H__
   18.30 +#define __XEN_PUBLIC_ACM_OPS_H__
   18.31 +
   18.32 +#include "../xen.h"
   18.33 +#include "acm.h"
   18.34 +
   18.35 +/*
   18.36 + * Make sure you increment the interface version whenever you modify this file!
   18.37 + * This makes sure that old versions of acm tools will stop working in a
   18.38 + * well-defined way (rather than crashing the machine, for instance).
   18.39 + */
   18.40 +#define ACM_INTERFACE_VERSION   0xAAAA000A
   18.41 +
   18.42 +/************************************************************************/
   18.43 +
   18.44 +/*
   18.45 + * Prototype for this hypercall is:
   18.46 + *  int acm_op(int cmd, void *args)
   18.47 + * @cmd  == ACMOP_??? (access control module operation).
   18.48 + * @args == Operation-specific extra arguments (NULL if none).
   18.49 + */
   18.50 +
   18.51 +
   18.52 +#define ACMOP_setpolicy         1
   18.53 +struct acm_setpolicy {
   18.54 +    /* IN */
   18.55 +    XEN_GUEST_HANDLE_64(void) pushcache;
   18.56 +    uint32_t pushcache_size;
   18.57 +};
   18.58 +
   18.59 +
   18.60 +#define ACMOP_getpolicy         2
   18.61 +struct acm_getpolicy {
   18.62 +    /* IN */
   18.63 +    XEN_GUEST_HANDLE_64(void) pullcache;
   18.64 +    uint32_t pullcache_size;
   18.65 +};
   18.66 +
   18.67 +
   18.68 +#define ACMOP_dumpstats         3
   18.69 +struct acm_dumpstats {
   18.70 +    /* IN */
   18.71 +    XEN_GUEST_HANDLE_64(void) pullcache;
   18.72 +    uint32_t pullcache_size;
   18.73 +};
   18.74 +
   18.75 +
   18.76 +#define ACMOP_getssid           4
   18.77 +#define ACM_GETBY_ssidref  1
   18.78 +#define ACM_GETBY_domainid 2
   18.79 +struct acm_getssid {
   18.80 +    /* IN */
   18.81 +    uint32_t get_ssid_by; /* ACM_GETBY_* */
   18.82 +    union {
   18.83 +        domaintype_t domainid;
   18.84 +        ssidref_t    ssidref;
   18.85 +    } id;
   18.86 +    XEN_GUEST_HANDLE_64(void) ssidbuf;
   18.87 +    uint32_t ssidbuf_size;
   18.88 +};
   18.89 +
   18.90 +#define ACMOP_getdecision      5
   18.91 +struct acm_getdecision {
   18.92 +    /* IN */
   18.93 +    uint32_t get_decision_by1; /* ACM_GETBY_* */
   18.94 +    uint32_t get_decision_by2; /* ACM_GETBY_* */
   18.95 +    union {
   18.96 +        domaintype_t domainid;
   18.97 +        ssidref_t    ssidref;
   18.98 +    } id1;
   18.99 +    union {
  18.100 +        domaintype_t domainid;
  18.101 +        ssidref_t    ssidref;
  18.102 +    } id2;
  18.103 +    uint32_t hook;
  18.104 +    /* OUT */
  18.105 +    uint32_t acm_decision;
  18.106 +};
  18.107 +
  18.108 +
  18.109 +#define ACMOP_chgpolicy        6
  18.110 +struct acm_change_policy {
  18.111 +    /* IN */
  18.112 +    XEN_GUEST_HANDLE_64(void) policy_pushcache;
  18.113 +    uint32_t policy_pushcache_size;
  18.114 +    XEN_GUEST_HANDLE_64(void) del_array;
  18.115 +    uint32_t delarray_size;
  18.116 +    XEN_GUEST_HANDLE_64(void) chg_array;
  18.117 +    uint32_t chgarray_size;
  18.118 +    /* OUT */
  18.119 +    /* array with error code */
  18.120 +    XEN_GUEST_HANDLE_64(void) err_array;
  18.121 +    uint32_t errarray_size;
  18.122 +};
  18.123 +
  18.124 +#define ACMOP_relabeldoms       7
  18.125 +struct acm_relabel_doms {
  18.126 +    /* IN */
  18.127 +    XEN_GUEST_HANDLE_64(void) relabel_map;
  18.128 +    uint32_t relabel_map_size;
  18.129 +    /* OUT */
  18.130 +    XEN_GUEST_HANDLE_64(void) err_array;
  18.131 +    uint32_t errarray_size;
  18.132 +};
  18.133 +
  18.134 +/* future interface to Xen */
  18.135 +struct xen_acmctl {
  18.136 +    uint32_t cmd;
  18.137 +    uint32_t interface_version;
  18.138 +    union {
  18.139 +        struct acm_setpolicy     setpolicy;
  18.140 +        struct acm_getpolicy     getpolicy;
  18.141 +        struct acm_dumpstats     dumpstats;
  18.142 +        struct acm_getssid       getssid;
  18.143 +        struct acm_getdecision   getdecision;
  18.144 +        struct acm_change_policy change_policy;
  18.145 +        struct acm_relabel_doms  relabel_doms;
  18.146 +    } u;
  18.147 +};
  18.148 +
  18.149 +typedef struct xen_acmctl xen_acmctl_t;
  18.150 +DEFINE_XEN_GUEST_HANDLE(xen_acmctl_t);
  18.151 +
  18.152 +#endif /* __XEN_PUBLIC_ACM_OPS_H__ */
  18.153 +
  18.154 +/*
  18.155 + * Local variables:
  18.156 + * mode: C
  18.157 + * c-set-style: "BSD"
  18.158 + * c-basic-offset: 4
  18.159 + * tab-width: 4
  18.160 + * indent-tabs-mode: nil
  18.161 + * End:
  18.162 + */
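--- a/xen/include/xen/sched.h
+++ b/xen/include/xen/sched.h
@@ -10,7 +10,7 @@
 #include <public/xen.h>
 #include <public/domctl.h>
 #include <public/vcpu.h>
-#include <public/acm.h>
+#include <public/xsm/acm.h>
 #include <xen/time.h>
 #include <xen/timer.h>
 #include <xen/grant_table.h>
@@ -63,6 +63,9 @@ struct evtchn
         u16 pirq;      /* state == ECS_PIRQ */
         u16 virq;      /* state == ECS_VIRQ */
     } u;
+#ifdef FLASK_ENABLE
+    void *ssid;
+#endif
 };
 
 int  evtchn_init(struct domain *d);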
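Review bot: The new `ssid` member of struct evtchn is the only field in the struct left without a comment, while every neighbouring field documents what it holds and when it is valid. A one-line comment such as `void *ssid;    /* security context attached by the XSM (FLASK) hooks */` would tell readers who owns the pointer and why it only exists under FLASK_ENABLE; the ownership is inferred from the guard, so adjust the wording if the FLASK side uses it differently. Note also that under FLASK_ENABLE the struct layout changes, so any code that sizes or zeroes evtchn objects outside this hunk must be compiled with the same configuration.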
    20.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
    20.2 +++ b/xen/include/xsm/acm/acm_core.h	Fri Aug 31 12:05:07 2007 +0100
    20.3 @@ -0,0 +1,196 @@
    20.4 +/****************************************************************
    20.5 + * acm_core.h 
    20.6 + * 
    20.7 + * Copyright (C) 2005 IBM Corporation
    20.8 + *
    20.9 + * Author:
   20.10 + * Reiner Sailer <sailer@watson.ibm.com>
   20.11 + *
   20.12 + * This program is free software; you can redistribute it and/or
   20.13 + * modify it under the terms of the GNU General Public License as
   20.14 + * published by the Free Software Foundation, version 2 of the
   20.15 + * License.
   20.16 + *
   20.17 + * sHype header file describing core data types and constants
   20.18 + *    for the access control module and relevant policies
   20.19 + *
   20.20 + */
   20.21 +
   20.22 +#ifndef _ACM_CORE_H
   20.23 +#define _ACM_CORE_H
   20.24 +
   20.25 +#include <xen/spinlock.h>
   20.26 +#include <xen/list.h>
   20.27 +#include <public/xsm/acm.h>
   20.28 +#include <public/xsm/acm_ops.h>
   20.29 +#include <xsm/acm/acm_endian.h>
   20.30 +
   20.31 +#define ACM_DEFAULT_SECURITY_POLICY \
   20.32 +        ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY
   20.33 +
   20.34 +/* Xen-internal representation of the binary policy */
   20.35 +struct acm_binary_policy {
   20.36 +    char *policy_reference_name;
   20.37 +    u16 primary_policy_code;
   20.38 +    u16 secondary_policy_code;
   20.39 +    struct acm_policy_version xml_pol_version;
   20.40 +};
   20.41 +
   20.42 +struct chwall_binary_policy {
   20.43 +    u32 max_types;
   20.44 +    u32 max_ssidrefs;
   20.45 +    u32 max_conflictsets;
   20.46 +    domaintype_t *ssidrefs;     /* [max_ssidrefs][max_types]  */
   20.47 +    domaintype_t *conflict_aggregate_set;  /* [max_types]      */
   20.48 +    domaintype_t *running_types;    /* [max_types]      */
   20.49 +    domaintype_t *conflict_sets;   /* [max_conflictsets][max_types]*/
   20.50 +};
   20.51 +
   20.52 +struct ste_binary_policy {
   20.53 +    u32 max_types;
   20.54 +    u32 max_ssidrefs;
   20.55 +    domaintype_t *ssidrefs;     /* [max_ssidrefs][max_types]  */
   20.56 +    atomic_t ec_eval_count, gt_eval_count;
   20.57 +    atomic_t ec_denied_count, gt_denied_count;
   20.58 +    atomic_t ec_cachehit_count, gt_cachehit_count;
   20.59 +};
   20.60 +
   20.61 +/* global acm policy */
   20.62 +extern u16 acm_active_security_policy;
   20.63 +extern struct acm_binary_policy acm_bin_pol;
   20.64 +extern struct chwall_binary_policy chwall_bin_pol;
   20.65 +extern struct ste_binary_policy ste_bin_pol;
   20.66 +/* use the lock when reading / changing binary policy ! */
   20.67 +extern rwlock_t acm_bin_pol_rwlock;
   20.68 +extern rwlock_t ssid_list_rwlock;
   20.69 +
   20.70 +/* subject and object type definitions */
   20.71 +#define ACM_DATATYPE_domain 1
   20.72 +
   20.73 +/* defines number of access decisions to other domains can be cached
   20.74 + * one entry per domain, TE does not distinguish evtchn or grant_table */
   20.75 +#define ACM_TE_CACHE_SIZE 8
   20.76 +#define ACM_STE_valid 0
   20.77 +#define ACM_STE_free  1
   20.78 +
   20.79 +/* cache line:
   20.80 + * if cache_line.valid==ACM_STE_valid, then
   20.81 + *    STE decision is cached as "permitted" 
   20.82 + *                 on domain cache_line.id
   20.83 + */
   20.84 +struct acm_ste_cache_line {
   20.85 +    int valid; /* ACM_STE_* */
   20.86 +    domid_t id;
   20.87 +};
   20.88 +
   20.89 +/* general definition of a subject security id */
   20.90 +struct acm_ssid_domain {
   20.91 +    struct list_head node; /* all are chained together */
   20.92 +    int datatype;          /* type of subject (e.g., partition): ACM_DATATYPE_* */
   20.93 +    ssidref_t ssidref;     /* combined security reference */
   20.94 +    ssidref_t old_ssidref; /* holds previous value of ssidref during relabeling */
   20.95 +    void *primary_ssid;    /* primary policy ssid part (e.g. chinese wall) */
   20.96 +    void *secondary_ssid;  /* secondary policy ssid part (e.g. type enforcement) */
   20.97 +    struct domain *subject;/* backpointer to subject structure */
   20.98 +    domid_t domainid;      /* replicate id */
   20.99 +};
  20.100 +
  20.101 +/* chinese wall ssid type */
  20.102 +struct chwall_ssid {
  20.103 +    ssidref_t chwall_ssidref;
  20.104 +};
  20.105 +
  20.106 +/* simple type enforcement ssid type */
  20.107 +struct ste_ssid {
  20.108 +    ssidref_t ste_ssidref;
  20.109 +    struct acm_ste_cache_line ste_cache[ACM_TE_CACHE_SIZE]; /* decision cache */
  20.110 +};
  20.111 +
  20.112 +/* macros to access ssidref for primary / secondary policy 
  20.113 + * primary ssidref   = lower 16 bit
  20.114 + *  secondary ssidref = higher 16 bit
  20.115 + */
  20.116 +#define ACM_PRIMARY(ssidref) \
  20.117 + ((ssidref) & 0xffff)
  20.118 +
  20.119 +#define ACM_SECONDARY(ssidref) \
  20.120 + ((ssidref) >> 16)
  20.121 +
  20.122 +#define GET_SSIDREF(POLICY, ssidref) \
  20.123 + ((POLICY) == acm_bin_pol.primary_policy_code) ? \
  20.124 + ACM_PRIMARY(ssidref) : ACM_SECONDARY(ssidref)
  20.125 +
  20.126 +/* macros to access ssid pointer for primary / secondary policy */
  20.127 +#define GET_SSIDP(POLICY, ssid) \
  20.128 + ((POLICY) == acm_bin_pol.primary_policy_code) ? \
  20.129 + ((ssid)->primary_ssid) : ((ssid)->secondary_ssid)
  20.130 +
  20.131 +#define ACM_INVALID_SSIDREF  (0xffffffff)
  20.132 +
  20.133 +struct acm_sized_buffer
  20.134 +{
  20.135 +    uint32_t *array;
  20.136 +    uint num_items;
  20.137 +    uint position;
  20.138 +};
  20.139 +
  20.140 +static inline int acm_array_append_tuple(struct acm_sized_buffer *buf,
  20.141 +                                         uint32_t a, uint32_t b)
  20.142 +{
  20.143 +    uint i;
  20.144 +    if (buf == NULL)
  20.145 +        return 0;
  20.146 +
  20.147 +    i = buf->position;
  20.148 +
  20.149 +    if ((i + 2) > buf->num_items)
  20.150 +        return 0;
  20.151 +
  20.152 +    buf->array[i]   = cpu_to_be32(a);
  20.153 +    buf->array[i+1] = cpu_to_be32(b);
  20.154 +    buf->position += 2;
  20.155 +    return 1;
  20.156 +}
  20.157 +
  20.158 +/* protos */
  20.159 +int acm_init_domain_ssid(struct domain *, ssidref_t ssidref);
  20.160 +void acm_free_domain_ssid(struct acm_ssid_domain *ssid);
  20.161 +int acm_init_binary_policy(u32 policy_code);
  20.162 +int acm_set_policy(XEN_GUEST_HANDLE_64(void) buf, u32 buf_size);
  20.163 +int do_acm_set_policy(void *buf, u32 buf_size, int is_bootpolicy,
  20.164 +                      struct acm_sized_buffer *, struct acm_sized_buffer *,
  20.165 +                      struct acm_sized_buffer *);
  20.166 +int acm_get_policy(XEN_GUEST_HANDLE_64(void) buf, u32 buf_size);
  20.167 +int acm_dump_statistics(XEN_GUEST_HANDLE_64(void) buf, u16 buf_size);
  20.168 +int acm_get_ssid(ssidref_t ssidref, XEN_GUEST_HANDLE_64(void) buf, u16 buf_size);
  20.169 +int acm_get_decision(ssidref_t ssidref1, ssidref_t ssidref2, u32 hook);
  20.170 +int acm_set_policy_reference(u8 * buf, u32 buf_size);
  20.171 +int acm_dump_policy_reference(u8 *buf, u32 buf_size);
  20.172 +int acm_change_policy(struct acm_change_policy *);
  20.173 +int acm_relabel_domains(struct acm_relabel_doms *);
  20.174 +int do_chwall_init_state_curr(struct acm_sized_buffer *);
  20.175 +int do_ste_init_state_curr(struct acm_sized_buffer *);
  20.176 +
  20.177 +/* variables */
  20.178 +extern ssidref_t dom0_chwall_ssidref;
  20.179 +extern ssidref_t dom0_ste_ssidref;
  20.180 +#define ACM_MAX_NUM_TYPES   (256)
  20.181 +
  20.182 +/* traversing the list of ssids */
  20.183 +extern struct list_head ssid_list;
  20.184 +#define for_each_acmssid( N )                               \
  20.185 +   for ( N =  (struct acm_ssid_domain *)ssid_list.next;     \
  20.186 +         N != (struct acm_ssid_domain *)&ssid_list;         \
  20.187 +         N =  (struct acm_ssid_domain *)N->node.next     )
  20.188 +
  20.189 +#endif
  20.190 +
  20.191 +/*
  20.192 + * Local variables:
  20.193 + * mode: C
  20.194 + * c-set-style: "BSD"
  20.195 + * c-basic-offset: 4
  20.196 + * tab-width: 4
  20.197 + * indent-tabs-mode: nil
  20.198 + * End:
  20.199 + */
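Review bot: The `GET_SSIDREF` and `GET_SSIDP` macros expand to a bare conditional expression with no enclosing parentheses, so an expansion used inside a larger expression (`GET_SSIDREF(p, r) + 1`, or as an operand of `&&`) parses differently from what the call site reads; wrapping the whole expansion fixes it, e.g. `#define GET_SSIDREF(POLICY, ssidref) \`, ` (((POLICY) == acm_bin_pol.primary_policy_code) ? \`, ` ACM_PRIMARY(ssidref) : ACM_SECONDARY(ssidref))`, and the same for `GET_SSIDP`. The `for_each_acmssid` iterator casts `ssid_list.next` straight to `struct acm_ssid_domain *`, which is only correct because `node` is the first member of that struct; using the list helpers from `<xen/list.h>` (`list_entry`/`list_for_each_entry`) would remove that silent layout dependency. `acm_array_append_tuple` bounds `position` against `num_items` but does not guard `buf->array == NULL`; if callers may pass a sized buffer with no storage, that check belongs next to the `buf == NULL` one.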
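--- /dev/null
+++ b/xen/include/xsm/acm/acm_endian.h
@@ -0,0 +1,69 @@
+/****************************************************************
+ * acm_endian.h 
+ * 
+ * Copyright (C) 2005 IBM Corporation
+ *
+ * Author:
+ * Stefan Berger <stefanb@watson.ibm.com>
+ * 
+ * Contributions:
+ * Reiner Sailer <sailer@watson.ibm.com>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ *
+ * sHype header file defining endian-dependent functions for the
+ * big-endian policy interface
+ *
+ */
+
+#ifndef _ACM_ENDIAN_H
+#define _ACM_ENDIAN_H
+
+#include <asm/byteorder.h>
+
+static inline void arrcpy16(u16 *dest, const u16 *src, size_t n)
+{
+    unsigned int i;
+    for ( i = 0; i < n; i++ )
+        dest[i] = cpu_to_be16(src[i]);
+}
+
+static inline void arrcpy32(u32 *dest, const u32 *src, size_t n)
+{
+    unsigned int i;
+    for ( i = 0; i < n; i++ )
+        dest[i] = cpu_to_be32(src[i]);
+}
+
+static inline void arrcpy(
+    void *dest, const void *src, unsigned int elsize, size_t n)
+{
+    switch ( elsize )
+    {
+    case sizeof(u16):
+        arrcpy16((u16 *)dest, (u16 *)src, n);
+        break;
+
+    case sizeof(u32):
+        arrcpy32((u32 *)dest, (u32 *)src, n);
+        break;
+
+    default:
+        memcpy(dest, src, elsize*n);
+    }
+}
+
+#endif
+
+/*
+ * Local variables:
+ * mode: C
+ * c-set-style: "BSD"
+ * c-basic-offset: 4
+ * tab-width: 4
+ * indent-tabs-mode: nil
+ * End:
+ */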
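Review bot: `arrcpy16` and `arrcpy32` iterate with an `unsigned int i` against a `size_t n`; on a 64-bit build an `n` above UINT_MAX makes `i` wrap before reaching it, so the loop never terminates and keeps writing past `dest`. Declaring the counter as `size_t i;` in both functions matches the parameter type and removes that hazard. In `arrcpy` the `src` argument is `const void *` but is cast to `(u16 *)` / `(u32 *)`, discarding the qualifier the callee already accepts; `(const u16 *)src` and `(const u32 *)src` keep the const chain intact. The header also calls `memcpy` while including only `<asm/byteorder.h>`, so it compiles only when the including file has already pulled in the declaring header; adding that include here would make the header self-contained.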
    22.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
    22.2 +++ b/xen/include/xsm/acm/acm_hooks.h	Fri Aug 31 12:05:07 2007 +0100
    22.3 @@ -0,0 +1,349 @@
    22.4 +/****************************************************************
    22.5 + * acm_hooks.h 
    22.6 + * 
    22.7 + * Copyright (C) 2005 IBM Corporation
    22.8 + *
    22.9 + * Author:
   22.10 + * Reiner Sailer <sailer@watson.ibm.com>
   22.11 + *
   22.12 + * This program is free software; you can redistribute it and/or
   22.13 + * modify it under the terms of the GNU General Public License as
   22.14 + * published by the Free Software Foundation, version 2 of the
   22.15 + * License.
   22.16 + *
   22.17 + * acm header file implementing the global (policy-independent)
   22.18 + *      sHype hooks that are called throughout Xen.
   22.19 + * 
   22.20 + */
   22.21 +
   22.22 +#ifndef _ACM_HOOKS_H
   22.23 +#define _ACM_HOOKS_H
   22.24 +
   22.25 +#include <xen/config.h>
   22.26 +#include <xen/errno.h>
   22.27 +#include <xen/types.h>
   22.28 +#include <xen/lib.h>
   22.29 +#include <xen/delay.h>
   22.30 +#include <xen/sched.h>
   22.31 +#include <xen/multiboot.h>
   22.32 +#include <public/xsm/acm.h>
   22.33 +#include <xsm/acm/acm_core.h>
   22.34 +#include <public/domctl.h>
   22.35 +#include <public/event_channel.h>
   22.36 +#include <asm/current.h>
   22.37 +
   22.38 +/*
   22.39 + * HOOK structure and meaning (justifies a few words about our model):
   22.40 + * 
   22.41 + * General idea: every policy-controlled system operation is reflected in a 
   22.42 + *               transaction in the system's security state
   22.43 + *
   22.44 + *      Keeping the security state consistent requires "atomic" transactions.
   22.45 + *      The name of the hooks to place around policy-controlled transactions
   22.46 + *      reflects this. If authorizations do not involve security state changes,
   22.47 + *      then and only then POST and FAIL hooks remain empty since we don't care
   22.48 + *      about the eventual outcome of the operation from a security viewpoint.
   22.49 + *
   22.50 + *      PURPOSE of hook types:
   22.51 + *      ======================
   22.52 + *      PRE-Hooks
   22.53 + *       a) general authorization to guard a controlled system operation
   22.54 + *       b) prepare security state change
   22.55 + *          (means: fail hook must be able to "undo" this)
   22.56 + *
   22.57 + *      POST-Hooks
   22.58 + *       a) commit prepared state change
   22.59 + *
   22.60 + *      FAIL-Hooks
   22.61 + *       a) roll-back prepared security state change from PRE-Hook
   22.62 + *
   22.63 + *
   22.64 + *      PLACEMENT of hook types:
   22.65 + *      ========================
   22.66 + *      PRE-Hooks must be called before a guarded/controlled system operation
   22.67 + *      is started. They return ACM_ACCESS_PERMITTED, ACM_ACCESS_DENIED or
   22.68 + *      error. Operation must be aborted if return is not ACM_ACCESS_PERMITTED.
   22.69 + *
   22.70 + *      POST-Hooks must be called after a successful system operation.
   22.71 + *      There is no return value: commit never fails.
   22.72 + *
   22.73 + *      FAIL-Hooks must be called:
   22.74 + *       a) if system transaction (operation) fails after calling the PRE-hook
   22.75 + *       b) if another (secondary) policy denies access in its PRE-Hook
   22.76 + *          (policy layering is useful but requires additional handling)
   22.77 + *
   22.78 + * Hook model from a security transaction viewpoint:
   22.79 + *   start-sys-ops--> prepare ----succeed-----> commit --> sys-ops success
   22.80 + *                   (pre-hook)  \           (post-hook)
   22.81 + *                                \
   22.82 + *                               fail
   22.83 + *                                   \
   22.84 + *                                    \
   22.85 + *                                  roll-back
   22.86 + *                                 (fail-hook)
   22.87 + *                                        \
   22.88 + *                                       sys-ops error
   22.89 + *
   22.90 + */
   22.91 +
   22.92 +struct acm_operations {
   22.93 +    /* policy management functions (must always be defined!) */
   22.94 +    int  (*init_domain_ssid)           (void **ssid, ssidref_t ssidref);
   22.95 +    void (*free_domain_ssid)           (void *ssid);
   22.96 +    int  (*dump_binary_policy)         (u8 *buffer, u32 buf_size);
   22.97 +    int  (*test_binary_policy)         (u8 *buffer, u32 buf_size,
   22.98 +                                        int is_bootpolicy,
   22.99 +                                        struct acm_sized_buffer *);
  22.100 +    int  (*set_binary_policy)          (u8 *buffer, u32 buf_size);
  22.101 +    int  (*dump_statistics)            (u8 *buffer, u16 buf_size);
  22.102 +    int  (*dump_ssid_types)            (ssidref_t ssidref, u8 *buffer, u16 buf_size);
  22.103 +    /* domain management control hooks (can be NULL) */
  22.104 +    int  (*domain_create)              (void *subject_ssid, ssidref_t ssidref,
  22.105 +                                        domid_t domid);
  22.106 +    void (*domain_destroy)             (void *object_ssid, struct domain *d);
  22.107 +    /* event channel control hooks  (can be NULL) */
  22.108 +    int  (*pre_eventchannel_unbound)      (domid_t id1, domid_t id2);
  22.109 +    void (*fail_eventchannel_unbound)     (domid_t id1, domid_t id2);
  22.110 +    int  (*pre_eventchannel_interdomain)  (domid_t id);
  22.111 +    void (*fail_eventchannel_interdomain) (domid_t id);
  22.112 +    /* grant table control hooks (can be NULL)  */
  22.113 +    int  (*pre_grant_map_ref)          (domid_t id);
  22.114 +    void (*fail_grant_map_ref)         (domid_t id);
  22.115 +    int  (*pre_grant_setup)            (domid_t id);
  22.116 +    void (*fail_grant_setup)           (domid_t id);
  22.117 +    /* generic domain-requested decision hooks (can be NULL) */
  22.118 +    int (*sharing)                     (ssidref_t ssidref1,
  22.119 +                                        ssidref_t ssidref2);
  22.120 +    int (*authorization)               (ssidref_t ssidref1,
  22.121 +                                        ssidref_t ssidref2);
  22.122 +    /* determine whether the default policy is installed */
  22.123 +    int (*is_default_policy)           (void);
  22.124 +};
  22.125 +
  22.126 +/* global variables */
  22.127 +extern struct acm_operations *acm_primary_ops;
  22.128 +extern struct acm_operations *acm_secondary_ops;
  22.129 +
  22.130 +/* if ACM_TRACE_MODE defined, all hooks should
  22.131 + * print a short trace message */
  22.132 +/* #define ACM_TRACE_MODE */
  22.133 +
  22.134 +#ifdef ACM_TRACE_MODE
  22.135 +# define traceprintk(fmt, args...) printk(fmt,## args)
  22.136 +#else
  22.137 +# define traceprintk(fmt, args...)
  22.138 +#endif
  22.139 +
  22.140 +
  22.141 +#ifndef ACM_SECURITY
  22.142 +
  22.143 +static inline int acm_pre_eventchannel_unbound(domid_t id1, domid_t id2)
  22.144 +{ return 0; }
  22.145 +static inline int acm_pre_eventchannel_interdomain(domid_t id)
  22.146 +{ return 0; }
  22.147 +static inline int acm_pre_grant_map_ref(domid_t id) 
  22.148 +{ return 0; }
  22.149 +static inline int acm_pre_grant_setup(domid_t id) 
  22.150 +{ return 0; }
  22.151 +static inline int acm_is_policy(char *buf, unsigned long len)
  22.152 +{ return 0; }
  22.153 +static inline int acm_sharing(ssidref_t ssidref1, ssidref_t ssidref2)
  22.154 +{ return 0; }
  22.155 +static inline int acm_authorization(ssidref_t ssidref1, ssidref_t ssidref2)
  22.156 +{ return 0; }
  22.157 +static inline int acm_domain_create(struct domain *d, ssidref_t ssidref)
  22.158 +{ return 0; }
  22.159 +static inline void acm_domain_destroy(struct domain *d)
  22.160 +{ return; }
  22.161 +
  22.162 +#define DOM0_SSIDREF 0x0
  22.163 +
  22.164 +#else
  22.165 +
  22.166 +static inline void acm_domain_ssid_onto_list(struct acm_ssid_domain *ssid)
  22.167 +{
  22.168 +    write_lock(&ssid_list_rwlock);
  22.169 +    list_add(&ssid->node, &ssid_list);
  22.170 +    write_unlock(&ssid_list_rwlock);
  22.171 +}
  22.172 +
  22.173 +static inline void acm_domain_ssid_off_list(struct acm_ssid_domain *ssid)
  22.174 +{
  22.175 +    write_lock(&ssid_list_rwlock);
  22.176 +    list_del(&ssid->node);
  22.177 +    write_unlock(&ssid_list_rwlock);
  22.178 +}
  22.179 +
  22.180 +static inline int acm_pre_eventchannel_unbound(domid_t id1, domid_t id2)
  22.181 +{
  22.182 +    if ((acm_primary_ops->pre_eventchannel_unbound != NULL) && 
  22.183 +        acm_primary_ops->pre_eventchannel_unbound(id1, id2))
  22.184 +        return ACM_ACCESS_DENIED;
  22.185 +    else if ((acm_secondary_ops->pre_eventchannel_unbound != NULL) && 
  22.186 +             acm_secondary_ops->pre_eventchannel_unbound(id1, id2)) {
  22.187 +        /* roll-back primary */
  22.188 +        if (acm_primary_ops->fail_eventchannel_unbound != NULL)
  22.189 +            acm_primary_ops->fail_eventchannel_unbound(id1, id2);
  22.190 +        return ACM_ACCESS_DENIED;
  22.191 +    } else
  22.192 +        return ACM_ACCESS_PERMITTED;
  22.193 +}
  22.194 +
  22.195 +static inline int acm_pre_eventchannel_interdomain(domid_t id)
  22.196 +{
  22.197 +    if ((acm_primary_ops->pre_eventchannel_interdomain != NULL) &&
  22.198 +        acm_primary_ops->pre_eventchannel_interdomain(id))
  22.199 +        return ACM_ACCESS_DENIED;
  22.200 +    else if ((acm_secondary_ops->pre_eventchannel_interdomain != NULL) &&
  22.201 +             acm_secondary_ops->pre_eventchannel_interdomain(id)) {
  22.202 +        /* roll-back primary */
  22.203 +        if (acm_primary_ops->fail_eventchannel_interdomain != NULL)
  22.204 +            acm_primary_ops->fail_eventchannel_interdomain(id);
  22.205 +        return ACM_ACCESS_DENIED;
  22.206 +    } else
  22.207 +        return ACM_ACCESS_PERMITTED;
  22.208 +}
  22.209 +
  22.210 +
  22.211 +static inline int acm_pre_grant_map_ref(domid_t id)
  22.212 +{
  22.213 +    if ( (acm_primary_ops->pre_grant_map_ref != NULL) &&
  22.214 +         acm_primary_ops->pre_grant_map_ref(id) )
  22.215 +    {
  22.216 +        return ACM_ACCESS_DENIED;
  22.217 +    }
  22.218 +    else if ( (acm_secondary_ops->pre_grant_map_ref != NULL) &&
  22.219 +              acm_secondary_ops->pre_grant_map_ref(id) )
  22.220 +    {
  22.221 +        /* roll-back primary */
  22.222 +        if ( acm_primary_ops->fail_grant_map_ref != NULL )
  22.223 +            acm_primary_ops->fail_grant_map_ref(id);
  22.224 +        return ACM_ACCESS_DENIED;
  22.225 +    }
  22.226 +    else
  22.227 +    {
  22.228 +        return ACM_ACCESS_PERMITTED;
  22.229 +    }
  22.230 +}
  22.231 +
  22.232 +static inline int acm_pre_grant_setup(domid_t id)
  22.233 +{
  22.234 +    if ( (acm_primary_ops->pre_grant_setup != NULL) &&
  22.235 +         acm_primary_ops->pre_grant_setup(id) )
  22.236 +    {
  22.237 +        return ACM_ACCESS_DENIED;
  22.238 +    }
  22.239 +    else if ( (acm_secondary_ops->pre_grant_setup != NULL) &&
  22.240 +              acm_secondary_ops->pre_grant_setup(id) )
  22.241 +    {
  22.242 +        /* roll-back primary */
  22.243 +        if (acm_primary_ops->fail_grant_setup != NULL)
  22.244 +            acm_primary_ops->fail_grant_setup(id);
  22.245 +        return ACM_ACCESS_DENIED;
  22.246 +    }
  22.247 +    else
  22.248 +    {
  22.249 +        return ACM_ACCESS_PERMITTED;
  22.250 +    }
  22.251 +}
  22.252 +
  22.253 +
  22.254 +static inline void acm_domain_destroy(struct domain *d)
  22.255 +{
  22.256 +    void *ssid = d->ssid;
  22.257 +    if (ssid != NULL) {
  22.258 +        if (acm_primary_ops->domain_destroy != NULL)
  22.259 +            acm_primary_ops->domain_destroy(ssid, d);
  22.260 +        if (acm_secondary_ops->domain_destroy != NULL)
  22.261 +            acm_secondary_ops->domain_destroy(ssid, d);
  22.262 +        /* free security ssid for the destroyed domain (also if null policy */
  22.263 +        acm_domain_ssid_off_list(ssid);
  22.264 +        acm_free_domain_ssid((struct acm_ssid_domain *)(ssid));
  22.265 +    }
  22.266 +}
  22.267 +
  22.268 +
  22.269 +static inline int acm_domain_create(struct domain *d, ssidref_t ssidref)
  22.270 +{
  22.271 +    void *subject_ssid = current->domain->ssid;
  22.272 +    domid_t domid = d->domain_id;
  22.273 +    int rc;
  22.274 +
  22.275 +    read_lock(&acm_bin_pol_rwlock);
  22.276 +    /*
  22.277 +       To be called when a domain is created; returns '0' if the
  22.278 +       domain is allowed to be created, != '0' if not.
  22.279 +     */
  22.280 +    rc = acm_init_domain_ssid(d, ssidref);
  22.281 +    if (rc != ACM_OK)
  22.282 +        goto error_out;
  22.283 +
  22.284 +    if ((acm_primary_ops->domain_create != NULL) &&
  22.285 +        acm_primary_ops->domain_create(subject_ssid, ssidref, domid)) {
  22.286 +        rc = ACM_ACCESS_DENIED;
  22.287 +    } else if ((acm_secondary_ops->domain_create != NULL) &&
  22.288 +                acm_secondary_ops->domain_create(subject_ssid, ssidref,
  22.289 +                                                 domid)) {
  22.290 +        /* roll-back primary */
  22.291 +        if (acm_primary_ops->domain_destroy != NULL)
  22.292 +            acm_primary_ops->domain_destroy(d->ssid, d);
  22.293 +        rc = ACM_ACCESS_DENIED;
  22.294 +    }
  22.295 +
  22.296 +    if ( rc == ACM_OK )
  22.297 +    {
  22.298 +        acm_domain_ssid_onto_list(d->ssid);
  22.299 +    } else {
  22.300 +        acm_free_domain_ssid(d->ssid);
  22.301 +    }
  22.302 +
  22.303 +error_out:
  22.304 +    read_unlock(&acm_bin_pol_rwlock);
  22.305 +    return rc;
  22.306 +}
  22.307 +
  22.308 +
  22.309 +static inline int acm_sharing(ssidref_t ssidref1, ssidref_t ssidref2)
  22.310 +{
  22.311 +    if ((acm_primary_ops->sharing != NULL) &&
  22.312 +        acm_primary_ops->sharing(ssidref1, ssidref2))
  22.313 +        return ACM_ACCESS_DENIED;
  22.314 +    else if ((acm_secondary_ops->sharing != NULL) &&
  22.315 +             acm_secondary_ops->sharing(ssidref1, ssidref2)) {
  22.316 +        return ACM_ACCESS_DENIED;
  22.317 +    } else
  22.318 +        return ACM_ACCESS_PERMITTED;
  22.319 +}
  22.320 +
  22.321 +
  22.322 +static inline int acm_authorization(ssidref_t ssidref1, ssidref_t ssidref2)
  22.323 +{
  22.324 +    if ((acm_primary_ops->authorization != NULL) &&
  22.325 +        acm_primary_ops->authorization(ssidref1, ssidref2))
  22.326 +        return ACM_ACCESS_DENIED;
  22.327 +    else if ((acm_secondary_ops->authorization != NULL) &&
  22.328 +             acm_secondary_ops->authorization(ssidref1, ssidref2)) {
  22.329 +        return ACM_ACCESS_DENIED;
  22.330 +    } else
  22.331 +        return ACM_ACCESS_PERMITTED;
  22.332 +}
  22.333 +
  22.334 +
  22.335 +/* Return true iff buffer has an acm policy magic number.  */
  22.336 +extern int acm_is_policy(char *buf, unsigned long len);
  22.337 +
  22.338 +#define DOM0_SSIDREF (dom0_ste_ssidref << 16 | dom0_chwall_ssidref)
  22.339 +
  22.340 +#endif
  22.341 +
  22.342 +#endif
  22.343 +
  22.344 +/*
  22.345 + * Local variables:
  22.346 + * mode: C
  22.347 + * c-set-style: "BSD"
  22.348 + * c-basic-offset: 4
  22.349 + * tab-width: 4
  22.350 + * indent-tabs-mode: nil
  22.351 + * End:
  22.352 + */
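Review bot: In `acm_domain_create`, both denial branches end with `acm_free_domain_ssid(d->ssid)` while `d->ssid` still points at the freed object; unless `acm_free_domain_ssid` itself clears the domain's pointer (its body is outside this hunk), a subsequent `acm_domain_destroy` for the same domain sees a non-NULL `d->ssid` and frees it again. Adding `d->ssid = NULL;` directly after that free keeps the two functions from depending on a property of a helper defined elsewhere. The comment "To be called when a domain is created; returns '0' if the domain is allowed to be created, != '0' if not." sits after `read_lock` inside the body but describes the whole function; it reads better as the function's header comment, alongside a sentence stating that `d->ssid` is owned by the ssid list only when ACM_OK is returned. The `DOM0_SSIDREF` definition relies on `<<` binding tighter than `|`, which is correct, but `((dom0_ste_ssidref << 16) | dom0_chwall_ssidref)` spares the next reader the precedence lookup.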
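--- a/xen/xsm/acm/acm_chinesewall_hooks.c
+++ b/xen/xsm/acm/acm_chinesewall_hooks.c
@@ -36,12 +36,11 @@
 #include <xen/lib.h>
 #include <xen/delay.h>
 #include <xen/sched.h>
-#include <public/acm.h>
+#include <public/xsm/acm.h>
 #include <asm/atomic.h>
-#include <acm/acm_core.h>
-#include <acm/acm_hooks.h>
-#include <acm/acm_endian.h>
-#include <acm/acm_core.h>
+#include <xsm/acm/acm_core.h>
+#include <xsm/acm/acm_hooks.h>
+#include <xsm/acm/acm_endian.h>
 
 ssidref_t dom0_chwall_ssidref = 0x0001;
 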
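--- a/xen/xsm/acm/acm_core.c
+++ b/xen/xsm/acm/acm_core.c
@@ -1,4 +1,4 @@
-/****************************************************************
+#/****************************************************************
  * acm_core.c
  * 
  * Copyright (C) 2005 IBM Corporation
@@ -29,16 +29,16 @@
 #include <xen/delay.h>
 #include <xen/sched.h>
 #include <xen/multiboot.h>
-#include <acm/acm_hooks.h>
-#include <acm/acm_endian.h>
+#include <xsm/acm/acm_hooks.h>
+#include <xsm/acm/acm_endian.h>
 #include <xsm/xsm.h>
 
 /* debug: 
- *   include/acm/acm_hooks.h defines a constant ACM_TRACE_MODE;
+ *   include/xsm/acm/acm_hooks.h defines a constant ACM_TRACE_MODE;
  *   define/undefine this constant to receive / suppress any
  *   security hook debug output of sHype
  *
- *   include/public/acm.h defines a constant ACM_DEBUG
+ *   include/public/xsm/acm.h defines a constant ACM_DEBUG
  *   define/undefine this constant to receive non-hook-related
  *   debug output.
  */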
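Review bot: The first hunk turns the opening line of acm_core.c from `/****` into `#/****`, which looks like an accidental keystroke rather than part of the include cleanup. It happens to survive compilation because the comment is stripped before directives are processed, leaving an empty `#` null directive, but it is confusing at the top of the file and some tools flag it. Restoring the line to `/****************************************************************` is the fix.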
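--- a/xen/xsm/acm/acm_null_hooks.c
+++ b/xen/xsm/acm/acm_null_hooks.c
@@ -12,7 +12,7 @@
  * License.
  */
 
-#include <acm/acm_hooks.h>
+#include <xsm/acm/acm_hooks.h>
 
 static int
 null_init_domain_ssid(void **ssid, ssidref_t ssidref)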
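--- a/xen/xsm/acm/acm_ops.c
+++ b/xen/xsm/acm/acm_ops.c
@@ -18,14 +18,14 @@
 #include <xen/types.h>
 #include <xen/lib.h>
 #include <xen/mm.h>
-#include <public/acm.h>
-#include <public/acm_ops.h>
+#include <public/xsm/acm.h>
+#include <public/xsm/acm_ops.h>
 #include <xen/sched.h>
 #include <xen/event.h>
 #include <xen/trace.h>
 #include <xen/console.h>
 #include <xen/guest_access.h>
-#include <acm/acm_hooks.h>
+#include <xsm/acm/acm_hooks.h>
 
 #ifndef ACM_SECURITY
 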
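--- a/xen/xsm/acm/acm_policy.c
+++ b/xen/xsm/acm/acm_policy.c
@@ -28,10 +28,10 @@
 #include <xen/sched.h>
 #include <xen/guest_access.h>
 #include <public/xen.h>
-#include <acm/acm_core.h>
-#include <public/acm_ops.h>
-#include <acm/acm_hooks.h>
-#include <acm/acm_endian.h>
+#include <xsm/acm/acm_core.h>
+#include <public/xsm/acm_ops.h>
+#include <xsm/acm/acm_hooks.h>
+#include <xsm/acm/acm_endian.h>
 #include <asm/current.h>
 
 static int acm_check_deleted_ssidrefs(struct acm_sized_buffer *dels,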
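--- a/xen/xsm/acm/acm_simple_type_enforcement_hooks.c
+++ b/xen/xsm/acm/acm_simple_type_enforcement_hooks.c
@@ -28,10 +28,10 @@
 #include <xen/lib.h>
 #include <asm/types.h>
 #include <asm/current.h>
-#include <acm/acm_hooks.h>
 #include <asm/atomic.h>
-#include <acm/acm_endian.h>
-#include <acm/acm_core.h>
+#include <xsm/acm/acm_hooks.h>
+#include <xsm/acm/acm_endian.h>
+#include <xsm/acm/acm_core.h>
 
 ssidref_t dom0_ste_ssidref = 0x0001;
 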
    29.1 --- a/xen/xsm/acm/acm_xsm_hooks.c	Fri Aug 31 11:41:49 2007 +0100
    29.2 +++ b/xen/xsm/acm/acm_xsm_hooks.c	Fri Aug 31 12:05:07 2007 +0100
    29.3 @@ -20,34 +20,36 @@
    29.4   */
    29.5  
    29.6  #include <xsm/xsm.h>
    29.7 -#include <acm/acm_hooks.h>
    29.8 -#include <public/acm.h>
    29.9 +#include <xsm/acm/acm_hooks.h>
   29.10 +#include <public/xsm/acm.h>
   29.11  
   29.12 -static int acm_grant_mapref (struct domain *ld, struct domain *rd,
   29.13 -                                                                 uint32_t flags) 
   29.14 +static int acm_grant_mapref(
   29.15 +    struct domain *ld, struct domain *rd, uint32_t flags) 
   29.16  {
   29.17      domid_t id = rd->domain_id;
   29.18  
   29.19      return acm_pre_grant_map_ref(id);
   29.20  }
   29.21  
   29.22 -static int acm_evtchn_unbound (struct domain *d1, struct evtchn *chn1, domid_t id2) 
   29.23 +static int acm_evtchn_unbound(
   29.24 +    struct domain *d1, struct evtchn *chn1, domid_t id2) 
   29.25  {
   29.26      domid_t id1 = d1->domain_id;
   29.27      
   29.28      return acm_pre_eventchannel_unbound(id1, id2);
   29.29  }
   29.30  
   29.31 -static int acm_evtchn_interdomain (struct domain *d1, struct evtchn *chn1, 
   29.32 -                                        struct domain *d2, struct evtchn *chn2) 
   29.33 +static int acm_evtchn_interdomain(
   29.34 +    struct domain *d1, struct evtchn *chn1, 
   29.35 +    struct domain *d2, struct evtchn *chn2) 
   29.36  {
   29.37      domid_t id2 = d2->domain_id;
   29.38  
   29.39      return acm_pre_eventchannel_interdomain(id2);
   29.40  }
   29.41  
   29.42 -static void acm_security_domaininfo (struct domain *d, 
   29.43 -                                        struct xen_domctl_getdomaininfo *info)
   29.44 +static void acm_security_domaininfo(
   29.45 +    struct domain *d, struct xen_domctl_getdomaininfo *info)
   29.46  {
   29.47      if ( d->ssid != NULL )
   29.48          info->ssidref = ((struct acm_ssid_domain *)d->ssid)->ssidref;