ia64/xen-unstable

changeset 8295:8aac8746047b

The attached patch makes a couple of changes to the ACM security tools
and installation. Particularly it does the following:
- the Makefile installs the ACM security-related tools
into /etc/xen/acm-security
- improves and cleans up some of the tools
- updates the documentation

Signed-off-by: Tom Lendacky <toml@us.ibm.com>
Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
author emellor@leeni.uk.xensource.com
date Thu Dec 08 18:21:05 2005 +0000 (2005-12-08)
parents 3ab6a6c4b6ed
children 9f13f5a4ba9c
files tools/security/Makefile tools/security/example.txt tools/security/getlabel.sh tools/security/install.txt tools/security/labelfuncs.sh tools/security/secpol_tool.c tools/security/secpol_xml2bin.c tools/security/secpol_xml2bin.h tools/security/setlabel.sh tools/security/updategrub.sh
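--- a/tools/security/Makefile	Thu Dec 08 18:19:24 2005 +0000
+++ b/tools/security/Makefile	Thu Dec 08 18:21:05 2005 +0000
@@ -1,16 +1,19 @@
 XEN_ROOT = ../..
 include $(XEN_ROOT)/tools/Rules.mk
 
-SRCS     = secpol_tool.c
 CFLAGS   += -Wall
 CFLAGS   += -Werror
 CFLAGS   += -O3
 CFLAGS   += -fno-strict-aliasing
-CFLAGS   += -I. -I/usr/include/libxml2
-CFLAGS_XML2BIN += $(shell xml2-config --cflags --libs )
-#if above does not work, try  -L/usr/lib -lxml2 -lz -lpthread -lm
+CFLAGS   += -I.
+
+CPPFLAGS += -MMD -MF .$*.d
+PROG_DEPS = .*.d
+
 XML2VERSION = $(shell xml2-config --version )
-VALIDATE_SCHEMA=$(shell if [[ $(XML2VERSION) < 2.6.20 ]]; then echo ""; else echo "-DVALIDATE_SCHEMA"; fi; )
+CFLAGS     += $(shell xml2-config --cflags )
+CFLAGS     += $(shell if [[ $(XML2VERSION) < 2.6.20 ]]; then echo ""; else echo "-DVALIDATE_SCHEMA"; fi )
+LDFLAGS    += $(shell xml2-config --libs ) # if this does not work, try -L/usr/lib -lxml2 -lz -lpthread -lm
 
 ifeq ($(ACM_DEFAULT_SECURITY_POLICY),ACM_NULL_POLICY)
 POLICY=null
@@ -24,48 +27,71 @@ endif
 ifeq ($(ACM_DEFAULT_SECURITY_POLICY),ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY)
 POLICY=chwall_ste
 endif
-POLICYFILE=./policies/$(POLICY)/$(POLICY).bin
+
+SRCS_TOOL     = secpol_tool.c
+OBJS_TOOL    := $(patsubst %.c,%.o,$(filter %.c,$(SRCS_TOOL)))
+SRCS_XML2BIN  = secpol_xml2bin.c secpol_xml2bin.h
+OBJS_XML2BIN := $(patsubst %.c,%.o,$(filter %.c,$(SRCS_XML2BIN)))
+SRCS_GETD     = get_decision.c
+OBJS_GETD    := $(patsubst %.c,%.o,$(filter %.c,$(SRCS_GETD)))
+
+ACM_INST_TOOLS    = xensec_tool xensec_xml2bin
+ACM_NOINST_TOOLS  = get_decision
+ACM_OBJS          = $(OBJS_TOOL) $(OBJS_XML2BIN) $(OBJS_GETD)
+ACM_SCRIPTS       = getlabel.sh setlabel.sh updategrub.sh labelfuncs.sh
+
+ACM_CONFIG_DIR    = /etc/xen/acm-security
+ACM_POLICY_DIR    = $(ACM_CONFIG_DIR)/policies
+ACM_SCRIPT_DIR    = $(ACM_CONFIG_DIR)/scripts
+
+ACM_SCHEMA        = security_policy.xsd
+ACM_EXAMPLES      = null chwall ste chwall_ste
+ACM_POLICY_SUFFIX = security_policy.xml
+ACM_LABEL_SUFFIX  = security_label_template.xml
 
 ifeq ($(ACM_SECURITY),y)
 all: build
 
-install:all
-
-default:all
+install: all $(ACM_CONFIG_FILE)
+	$(INSTALL_DIR) -p $(DESTDIR)/usr/sbin
+	$(INSTALL_PROG) -p $(ACM_INST_TOOLS) $(DESTDIR)/usr/sbin
+	$(INSTALL_DIR) -p $(DESTDIR)$(ACM_CONFIG_DIR)
+	$(INSTALL_DIR) -p $(DESTDIR)$(ACM_POLICY_DIR)
+	$(INSTALL_DATA) -p policies/$(ACM_SCHEMA) $(DESTDIR)$(ACM_POLICY_DIR)
+	for i in $(ACM_EXAMPLES); do \
+		$(INSTALL_DIR) -p $(DESTDIR)$(ACM_POLICY_DIR)/$$i; \
+		$(INSTALL_DATA) -p policies/$$i/$$i-$(ACM_POLICY_SUFFIX) $(DESTDIR)$(ACM_POLICY_DIR)/$$i; \
+		$(INSTALL_DATA) -p policies/$$i/$$i-$(ACM_LABEL_SUFFIX) $(DESTDIR)$(ACM_POLICY_DIR)/$$i; \
+	done
+	$(INSTALL_DIR) -p $(DESTDIR)$(ACM_SCRIPT_DIR)
+	$(INSTALL_PROG) -p $(ACM_SCRIPTS) $(DESTDIR)$(ACM_SCRIPT_DIR)
 else
 all:
 
 install:
-
-default:
 endif
 
-build: mk-symlinks
-	$(MAKE) secpol_tool
-	$(MAKE) secpol_xml2bin
-	$(MAKE) get_decision
-	chmod 700 ./setlabel.sh
-	chmod 700 ./updategrub.sh
-	chmod 700 ./getlabel.sh
+build: mk-symlinks $(ACM_INST_TOOLS) $(ACM_NOINST_TOOLS)
+	chmod 700 $(ACM_SCRIPTS)
 
-secpol_tool : secpol_tool.c
-	$(CC) $(CPPFLAGS) $(CFLAGS) -o $@ $<
+xensec_tool: $(OBJS_TOOL)
+	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $<
 
-secpol_xml2bin : secpol_xml2bin.c secpol_xml2bin.h
-	$(CC) $(CPPFLAGS) $(CFLAGS) $(CFLAGS_XML2BIN) $(VALIDATE_SCHEMA) -o $@ $<
+xensec_xml2bin: $(OBJS_XML2BIN)
+	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $<
+
+get_decision: $(OBJS_GETD)
+	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $<
 
 clean:
-	rm -rf secpol_tool secpol_xml2bin xen get_decision
-
-policy_clean:
-	rm -rf policies/*/*.bin policies/*/*.map
-
-mrproper: clean policy_clean
+	$(RM) $(ACM_INST_TOOLS) $(ACM_NOINST_TOOLS)
+	$(RM) $(ACM_OBJS)
+	$(RM) $(PROG_DEPS)
+	$(RM) -r xen
 
+mrproper: clean
 
-$(POLICYFILE) : build
-	@./secpol_xml2bin $(POLICY) > /dev/null
+boot_install: install
+	$(ACM_SCRIPT_DIR)/updategrub.sh $(POLICY) $(KERNEL_VERSION)
 
-boot_install: $(POLICYFILE)
-	@cp $(POLICYFILE) /boot
-	@./updategrub.sh $(POLICY) $(PWD)/$(XEN_ROOT)
+-include $(PROG_DEPS)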
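Review bot: `boot_install` (1.122) runs `$(ACM_SCRIPT_DIR)/updategrub.sh` by its absolute installed path without `$(DESTDIR)`, so after a staged `make DESTDIR=... install` it executes whatever copy already sits under /etc/xen/acm-security/scripts on the build host. Judging by its name and by `updateGrub` in labelfuncs.sh, that script rewrites grub.conf. Either invoke the staged copy, `$(DESTDIR)$(ACM_SCRIPT_DIR)/updategrub.sh $(POLICY) $(KERNEL_VERSION)`, or make `boot_install` refuse to run when `DESTDIR` is set. Separately, `install` lists `$(ACM_CONFIG_FILE)` as a prerequisite (1.61) but no visible line defines it, so it appears to expand to nothing; define it or drop it. The three link rules use `$<`, which passes only the first object to the linker; `$^` would keep them correct if a tool gains a second source file.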
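--- a/tools/security/example.txt	Thu Dec 08 18:19:24 2005 +0000
+++ b/tools/security/example.txt	Thu Dec 08 18:21:05 2005 +0000
@@ -9,23 +9,23 @@
 # and to label domains and resources.
 ##
 
-We will show how to install and use the chwall_ste policy.
+We will show how to install and use the example chwall_ste policy.
 Other policies work similarly. Feedback welcome!
 
 
 
-1. Using secpol_xml2bin to translate the chwall_ste policy:
+1. Using xensec_xml2bin to translate the chwall_ste policy:
 ===========================================================
 
-#tools/security/secpol_xml2bin chwall_ste
+#xensec_xml2bin chwall_ste
 
 Successful execution should print:
 
-    [root@laptopxn security]# ./secpol_xml2bin chwall_ste
-    Validating label file policies/chwall_ste/chwall_ste-security_label_template.xml...
-    XML Schema policies/security_policy.xsd valid.
-    Validating policy file policies/chwall_ste/chwall_ste-security_policy.xml...
-    XML Schema policies/security_policy.xsd valid.
+    [root@laptopxn security]# xensec_xml2bin chwall_ste
+    Validating label file /etc/xen/acm-security/policies/chwall_ste/chwall_ste-security_label_template.xml...
+    XML Schema /etc/xen/acm-security/policies/security_policy.xsd valid.
+    Validating policy file /etc/xen/acm-security/policies/chwall_ste/chwall_ste-security_policy.xml...
+    XML Schema /etc/xen/acm-security/policies/security_policy.xsd valid.
     Creating ssid mappings ...
     Creating label mappings ...
     Max chwall labels:  7
@@ -35,10 +35,15 @@ Successful execution should print:
     Max ste-types:      6
     Max ste-ssids:      10
 
-The tool looks in directory policies/chwall_ste for
+By default, the tool looks in directory /etc/xen/acm-security/policies
+for a directory that matches the policy name (i.e. chwall_ste) to find
 the label and policy files.
+The '-d' option can be used to override the /etc/xen/acm-security/policies
+directory, for example if running the tool in the Xen security tool build
+directory.
 
-The default policy directory structure under tools/security looks like:
+The default policy directory structure under /etc/xen/acm-security (and
+the Xen security tool build directory - tools/security) looks like:
 
 policies
 |-- security_policy.xsd
@@ -55,25 +60,25 @@ policies
     |-- ste-security_label_template.xml
     `-- ste-security_policy.xml
 
-policies/security_policy.xsd contains the schema against which both the
+The security_policy.xsd file contains the schema against which both the
 label-template and the policy files must validate during translation.
 
-policies/chwall_ste/chwall_ste-security_policy.xml defines the
-policies and the types known to the policies.
-
-policies/chwall_ste/chwall_ste-security_label_template.xml contains
-label definitions that group chwall and ste types together and make
-them easier to use for users
+The files ending in -security_policy.xml define the policies and the
+types known to the policies.
 
-After executing the above secpol_xml2bin command, you will find 2 new
-files in the policies/chwall_ste sub-directory:
+The files ending in -security_label_template.xml contain the label
+definitions that group types together and make them easier to use for
+users.
 
-policies/chwall_ste/chwall_ste.map ... this file includes the mapping
-of names from the xml files into their binary code representation.
+After executing the above xensec_xml2bin command, you will find 2 new
+files in the /etc/xen/acm-security/policies/chwall_ste sub-directory:
 
-policies/chwall_ste/chwall_ste.bin ... this is the binary policy file,
-the result of parsing the xml files and using the mapping to extract a
-binary version that can be loaded into the hypervisor.
+  chwall_ste.map ... this file includes the mapping
+    of names from the xml files into their binary code representation.
+
+  chwall_ste.bin ... this is the binary policy file,
+    the result of parsing the xml files and using the mapping to extract a
+    binary version that can be loaded into the hypervisor.
 
 
 
@@ -85,13 +90,13 @@ please refer to install.txt for instruct
 
 To activate the policy from the command line (assuming that the
 currently established policy is the minimal boot-policy that is
-hard-coded into the hypervisor:
+hard-coded into the hypervisor):
 
-# ./secpol_tool loadpolicy policies/chwall_ste/chwall_ste.bin
+# xensec_tool loadpolicy /etc/xen/acm-security/policies/chwall_ste/chwall_ste.bin
 
 To activate the policy at next reboot:
 
-# cp policies/chwall_ste/chwall_ste.bin /boot
+# cp /etc/xen/acm-security/policies/chwall_ste/chwall_ste.bin /boot
 
 Add a module line to your /boot/grub/grub.conf Xen entry.
 My boot entry with chwall_ste enabled looks like this:
@@ -129,12 +134,12 @@ assign labels to user domains.
 
 To show available labels for the chwall_ste policy:
 
-#tools/security/setlabel.sh -l
+# /etc/xen/acm-security/scripts/setlabel.sh -l
 
 lists all available labels. For the default chwall_ste it should print
 the following:
 
-    [root@laptopxn security]# ./setlabel.sh -l chwall_ste
+    [root@laptopxn security]# /etc/xen/acm-security/scripts/setlabel.sh -l chwall_ste
     The following labels are available:
     dom_SystemManagement
     dom_HomeBanking
@@ -156,8 +161,8 @@ Setlabel.sh only prints VM labels (which
 since only those are used at this time.
 
 If you would like to assign the dom_HomeBanking label to one of your
-user domains (which you hopefully keep clean), look at an example
-domain configuration homebanking.xm:
+user domains (which you hopefully keep clean), look at the hypothetical
+domain configuration contained in /etc/xen/homebanking.xm:
 
     #------HOMEBANKING---------
     kernel = "/boot/vmlinuz-2.6.12-xenU"
@@ -172,7 +177,7 @@ domain configuration homebanking.xm:
 
 Now we label this domain
 
-[root@laptopxn security]# ./setlabel.sh homebanking.xm dom_HomeBanking chwall_ste
+[root@laptopxn security]# /etc/xen/acm-securit/scripts/setlabel.sh /etc/xen/homebanking.xm dom_HomeBanking chwall_ste
 Mapped label 'dom_HomeBanking' to ssidref '0x00020002'.
 
 The domain configuration my look now like:
@@ -223,9 +228,8 @@ because of the defined conflict set
 				<type>cw_Distrusted</type>
 			</conflictset>
 
-(in policies/chwall_ste/chwall_ste-security_policy.xml), which says
-that only one of the types cw_sensitive and cw_Distrusted can run at a
-time.
+(in chwall_ste-security_policy.xml), which says that only one of the
+types cw_Sensitive and cw_Distrusted can run at a time.
 
 If you save or shutdown the HomeBanking domain, you will be able to
 start the "Fun" domain. You can look into the Xen log to see if a
@@ -255,15 +259,15 @@ a) the policy definition (types etc.) fi
 b) the label template definition (labels etc.) file
 
 If your policy name is "mypolicy", you need to create a
-subdirectory mypolicy in tools/security/policies.
+subdirectory mypolicy in /etc/xen/acm-security/policies.
 
 Then you create
-tools/security/policies/mypolicy/mypolicy-security_policy.xml and
-tools/security/policies/mypolicy/mypolicy-security_label_template.xml.
+/etc/xen/acm-security/policies/mypolicy/mypolicy-security_policy.xml and
+/etc/xen/acm-security/policies/mypolicy/mypolicy-security_label_template.xml.
 
 You need to keep to the schema as defined in
-tools/security/security_policy.xsd since the translation tool
-secpol_xml2bin is written against this schema.
+/etc/xen/acm-security/security_policy.xsd since the translation tool
+xensec_xml2bin is written against this schema.
 
 If you keep to the security policy schema, then you can use all the
 tools described above. Refer to install.txt to install it.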
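--- a/tools/security/getlabel.sh	Thu Dec 08 18:19:24 2005 +0000
+++ b/tools/security/getlabel.sh	Thu Dec 08 18:21:05 2005 +0000
@@ -32,20 +32,24 @@ fi
 
 
 export PATH=$PATH:.
-source labelfuncs.sh
+dir=`dirname $0`
+source $dir/labelfuncs.sh
 
 usage ()
 {
+	prg=`basename $0`
 echo "Use this tool to display the label of a domain or the label that is
 corresponding to an ssidref given the name of the running policy.
 
-Usage: $0 -sid <ssidref> [<policy name>] or
-       $0 -dom <domid>   [<policy name>]
+Usage: $prg -sid <ssidref> [<policy name> [<policy dir>]] or
+       $prg -dom <domid>   [<policy name> [<policy dir>]]
 
 policy name : the name of the policy, i.e. 'chwall'
               If the policy name is omitted, the grub.conf
               entry of the running system is tried to be read
               and the policy name determined from there.
+policy dir  : the directory where the <policy name> policy is located
+              The default location is '/etc/xen/acm-security/policies'
 ssidref     : an ssidref in hex or decimal format, i.e., '0x00010002'
               or '65538'
 domid       : id of the domain, i.e., '1'; Use numbers from the 2nd
@@ -55,79 +59,36 @@ domid       : id of the domain, i.e., '1
 
 
 
-if [ "$1" == "-?" ]; then
-	mode="usage"
+if [ "$1" == "-h" ]; then
+	usage
+	exit 0
 elif [ "$1" == "-dom" ]; then
 	mode="domid"
 	shift
 elif [ "$1" == "-sid" ]; then
 	mode="sid"
 	shift
-elif [ "$1" == "" ]; then
+else
 	usage
 	exit -1
 fi
 
+setPolicyVars $2 $3
+findMapFile $policy $policydir
+ret=$?
+if [ $ret -eq 0 ]; then
+	echo "Could not find map file for policy '$policy'."
+	exit -1
+fi
 
-if [ "$mode" == "usage" ]; then
-	usage
-elif [ "$mode" == "domid" ]; then
-	if [ "$2" == "" ]; then
-		findGrubConf
-		ret=$?
-		if [ $ret -eq 0 ]; then
-			echo "Could not find grub.conf"
-			exit -1;
-		fi
-		findPolicyInGrub $grubconf
-		if [ "$policy" != "" ]; then
-			echo "Assuming policy to be '$policy'.";
-		else
-			echo "Could not find policy."
-			exit -1;
-		fi
-	else
-		policy=$2
+if [ "$mode" == "domid" ]; then
+	getSSIDUsingSecpolTool $1
+	ret=$?
+	if [ $ret -eq 0 ]; then
+		echo "Could not determine the SSID of the domain."
+		exit -1
 	fi
-	findMapFile $policy
-	res=$?
-	if [ "$res" != "0" ]; then
-		getSSIDUsingSecpolTool $1
-		res=$?
-		if [ "$res" != "0" ]; then
-			translateSSIDREF $ssid $mapfile
-		else
-			echo "Could not determine the SSID of the domain."
-		fi
-	else
-		echo "Could not find map file for policy '$policy'."
-	fi
-elif [ "$mode" == "sid" ]; then
-	if [ "$2" == "" ]; then
-		findGrubConf
-		ret=$?
-		if [ $ret -eq 0 ]; then
-			echo "Could not find grub.conf"
-			exit -1;
-		fi
-		findPolicyInGrub $grubconf
-		if [ "$policy" != "" ]; then
-			echo "Assuming policy to be '$policy'.";
-		else
-			echo "Could not find policy."
-			exit -1;
-		fi
-	else
-		policy=$2
-	fi
-	findMapFile $policy
-	res=$?
-	if [ "$res" != "0" ]; then
-		translateSSIDREF $1 $mapfile
-	else
-		echo "Could not find map file for policy '$policy'."
-	fi
-
-else
-    usage
+	translateSSIDREF $ssid $mapfile
+else # mode == sid
+	translateSSIDREF $1 $mapfile
 fi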
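Review bot: The context line `export PATH=$PATH:.` (3.6) keeps the current directory on PATH, and now that labelfuncs.sh is sourced through `$dir` it no longer appears to be needed for the `source` lookup. The script is installed under /etc/xen/acm-security/scripts and is presumably run as root from arbitrary directories, so any command not found earlier on PATH would be resolved from the caller's working directory. Drop that line and quote the new expansions, `dir=$(dirname "$0")` and `source "$dir/labelfuncs.sh"`. The result of `setPolicyVars $2 $3` (3.52) is also ignored, so when it returns 0 (its failure value) the script carries on into `findMapFile` with an empty `$policy`. Check it like the calls below it, e.g. `setPolicyVars "$2" "$3"; [ $? -eq 0 ] && exit -1`.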
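--- a/tools/security/install.txt	Thu Dec 08 18:19:24 2005 +0000
+++ b/tools/security/install.txt	Thu Dec 08 18:21:05 2005 +0000
@@ -41,11 +41,11 @@ 2. compile the policy from xml to a bina
        # make
 
        manual steps (alternative to make boot_install):
-       #./secpol_xml2bin chwall_ste
-       #cp policies/chwall_ste/chwall_ste.bin /boot
-       #edit /boot/grub/grub.conf
+       # ./xensec_xml2bin -d policies/ chwall_ste
+       # cp policies/chwall_ste/chwall_ste.bin /boot
+       # edit /boot/grub/grub.conf
         add the follwoing line to your xen boot entry:
-       "module chwall_ste.bin"
+       "module /boot/chwall_ste.bin"
 
        alternatively, you can try our automatic translation and
        installation of the policy:
@@ -61,9 +61,9 @@ 2. compile the policy from xml to a bina
 3. reboot into the newly compiled hypervisor
 
         after boot
-	#xm dmesg should show an entry about the policy being loaded
+	# xm dmesg should show an entry about the policy being loaded
             during the boot process
 
-        #tools/security/secpol_tool getpolicy
+        # xensec_tool getpolicy
             should print the new chwall_ste binary policy representation
 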
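--- a/tools/security/labelfuncs.sh	Thu Dec 08 18:19:24 2005 +0000
+++ b/tools/security/labelfuncs.sh	Thu Dec 08 18:21:05 2005 +0000
@@ -17,10 +17,53 @@
 #
 
 
+#Some global variables for tools using this module
+ACM_DEFAULT_ROOT="/etc/xen/acm-security"
+
+# Set the policy and policydir variables
+# Parameters:
+# 1st : possible policy name
+# 2nd : possible policy directory
+# Results:
+# The variables policy and policydir will hold the values for locating
+# policy information
+# If there are no errors, the functions returns a '1',
+# a '0' otherwise.
+setPolicyVars ()
+{
+	local ret
+	# Set default values
+	policydir="$ACM_DEFAULT_ROOT/policies"
+	policy=""
+
+	if [ "$1" == "" ]; then
+		findGrubConf
+		ret=$?
+		if [ $ret -eq 0 ]; then
+			echo "Could not find grub.conf."
+			return 0;
+		fi
+		findPolicyInGrub $grubconf
+		if [ "$policy" == "" ]; then
+			echo "Could not find policy in grub.conf. Looked for entry using kernel $linux."
+			return 0;
+		fi
+		echo "Assuming policy to be '$policy'.";
+	else
+		policy=$1
+		if [ "$2" != "" ]; then
+			policydir=$2
+		fi
+	fi
+
+	return 1
+}
+
 # Find the mapfile given a policy nmame
 # Parameters:
 # 1st : the name of the policy whose map file is to be found, i.e.,
 #       chwall
+# 2nd : the policy directory for locating the map file
 # Results:
 # The variable mapfile will hold the realtive path to the mapfile
 # for the given policy.
@@ -28,16 +71,10 @@
 # a '0' otherwise.
 findMapFile ()
 {
-	mapfile="./$1.map"
+	mapfile="$2/$1/$1.map"
 	if [ -r "$mapfile" ]; then
 		return 1
 	fi
-
-	mapfile="./policies/$1/$1.map"
-	if [ -r "$mapfile" ]; then
-		return 1
-	fi
-
 	return 0
 }
 
@@ -50,7 +87,7 @@ findMapFile ()
 # The variable primary will hold the name of the primary policy
 getPrimaryPolicy ()
 {
-	mapfile=$1
+	local mapfile=$1
 	primary=`cat $mapfile  |   \
 	         awk '             \
 	          {                \
@@ -71,7 +108,7 @@ getPrimaryPolicy ()
 # The variable secondary will hold the name of the secondary policy
 getSecondaryPolicy ()
 {
-	mapfile=$1
+	local mapfile=$1
 	secondary=`cat $mapfile  |   \
 	         awk '             \
 	          {                \
@@ -86,6 +123,10 @@ getSecondaryPolicy ()
 
 #Return where the grub.conf file is.
 #I only know of one place it can be.
+#Returns:
+# 1 : if the file is writeable and readable
+# 2 : if the file is only readable
+# 0 : if the file does not exist
 findGrubConf()
 {
 	grubconf="/boot/grub/grub.conf"
@@ -112,16 +153,37 @@ findGrubConf()
 # kernel, i.e., 'vmlinuz-2.6.12-xen0'
 getLinuxVersion ()
 {
-	path=$1
+	local path
+	local versionfile
+	local lnx
+	if [ "$1" == "" ]; then
+		path="/lib/modules/*-xen0"
+	else
+		path="/lib/modules/$1"
+	fi
+
 	linux=""
 	for f in $path/linux-*-xen0 ; do
-		versionfile=$f/include/linux/version.h
+		versionfile=$f/build/include/linux/version.h
 		if [ -r $versionfile ]; then
 			lnx=`cat $versionfile | \
 			     grep UTS_RELEASE | \
 			     awk '{             \
 			       len=length($3);  \
-			       print substr($3,2,len-2) }'`
+			       version=substr($3,2,len-2);     \
+			       split(version,numbers,".");     \
+			       if (numbers[4]=="") {           \
+			         printf("%s.%s.%s",            \
+			                 numbers[1],           \
+			                 numbers[2],           \
+			                 numbers[3]);          \
+			       } else {                        \
+			         printf("%s.%s.%s[.0-9]*-xen0",\
+			                numbers[1],            \
+			                numbers[2],            \
+			                numbers[3]);           \
+			       }                               \
+			     }'`
 		fi
 		if [ "$lnx" != "" ]; then
 			linux="[./0-9a-zA-z]*$lnx"
@@ -137,11 +199,12 @@ getLinuxVersion ()
 # Find out with which policy the hypervisor was booted with.
 # Parameters
 # 1st : The complete path to grub.conf, i.e., /boot/grub/grub.conf
-#
+# Result:
+# Sets the variable 'policy' to the name of the policy
 findPolicyInGrub ()
 {
-	grubconf=$1
-	linux=`uname -r`
+	local grubconf=$1
+	local linux=`uname -r`
 	policy=`cat $grubconf |                        \
 	         awk -vlinux=$linux '{                 \
 	           if ( $1 == "title" ) {              \
@@ -184,9 +247,9 @@ findPolicyInGrub ()
 # The funtion returns '1' on success, '0' on failure
 getSSIDUsingSecpolTool ()
 {
-	domid=$1
+	local domid=$1
 	export PATH=$PATH:.
-	ssid=`secpol_tool getssid -d $domid -f | \
+	ssid=`xensec_tool getssid -d $domid -f | \
 	        grep -E "SSID:" |          \
 	        awk '{ print $4 }'`
 
@@ -206,7 +269,7 @@ getSSIDUsingSecpolTool ()
 # high ssid values as integers.
 getSSIDLOHI ()
 {
-	ssid=$1
+	local ssid=$1
 	ssidlo_int=`echo $ssid | awk          \
 	            '{                        \
 	               len=length($0);        \
@@ -289,11 +352,11 @@ getSSIDLOHI ()
 #
 updateGrub ()
 {
-	grubconf=$1
-	policyfile=$2
-	linux=$3
+	local grubconf=$1
+	local policyfile=$2
+	local linux=$3
 
-	tmpfile="/tmp/new_grub.conf"
+	local tmpfile="/tmp/new_grub.conf"
 
 	cat $grubconf |                                \
 	         awk -vpolicy=$policyfile              \
@@ -343,7 +406,59 @@ updateGrub ()
 		echo "Could not create temporary file! Aborting."
 		exit -1
 	fi
-	mv -f $tmpfile $grubconf
+	diff $tmpfile $grubconf > /dev/null
+	RES=$?
+	if [ "$RES" == "0" ]; then
+		echo "No changes were made to $grubconf."
+	else
+		echo "Successfully updated $grubconf."
+		mv -f $tmpfile $grubconf
+	fi
+}
+
+
+#Compile a policy into its binary representation
+# Parameters:
+# 1st: The directory where the ./policies directory is located at
+# 2nd: The name of the policy
+genBinPolicy ()
+{
+	local root=$1
+	local policy=$2
+	pushd $root > /dev/null
+	xensec_xml2bin -d policies $policy > /dev/null
+	popd > /dev/null
+}
+
+
+# Copy the bootpolicy into the destination directory
+# Generate the policy's .bin and .map files if necessary
+# Parameters:
+# 1st: Destination directory
+# 2nd: The root directory of the security tools; this is where the
+#      policies directory is located at
+# 3rd: The policy name
+# Returns  '1' on success, '0' on failure.
+cpBootPolicy ()
+{
+	local dest=$1
+	local root=$2
+	local policy=$3
+	local binfile=$root/policies/$policy/$policy.bin
+	local dstfile=$dest/$policy.bin
+	if [ ! -e $binfile ]; then
+		genBinPolicy $root $policy
+		if [ ! -e $binfile ]; then
+			echo "Could not compile policy '$policy'."
+			return 0
+		fi
+	fi
+
+	if [ ! -e $dstfile -o \
+	     $binfile -nt $dstfile ]; then
+		cp -f $binfile $dstfile
+	fi
+	return 1
 }
 
 
@@ -352,7 +467,11 @@ updateGrub ()
 # 1st: Full or relative path to the policy's mapfile
 showLabels ()
 {
-	mapfile=$1
+	local mapfile=$1
+	local line
+	local ITEM
+	local found=0
+
 	if [ ! -r "$mapfile" -o "$mapfile" == "" ]; then
 		echo "Cannot read from vm configuration file $vmfile."
 		return -1
@@ -417,8 +536,8 @@ showLabels ()
 # 2nd: the name of the policy
 getDefaultSsid ()
 {
-	mapfile=$1
-	pol=$2
+	local mapfile=$1
+	local pol=$2
 	RES=`cat $mapfile    \
 	     awk -vpol=$pol  \
 	      {              \
@@ -446,10 +565,13 @@ getDefaultSsid ()
 #      other     : Prompts the user whether to proceed
 relabel ()
 {
-	vmfile=$1
-	label=$2
-	mapfile=$3
-	mode=$4
+	local vmfile=$1
+	local label=$2
+	local mapfile=$3
+	local mode=$4
+	local SSIDLO
+	local SSIDHI
+	local RES
 
 	if [ ! -r "$vmfile" ]; then
 		echo "Cannot read from vm configuration file $vmfile."
@@ -556,8 +678,8 @@ relabel ()
 	fi
 
 	#Write the output
-	vmtmp1="/tmp/__setlabel.tmp1"
-	vmtmp2="/tmp/__setlabel.tmp2"
+	local vmtmp1="/tmp/__setlabel.tmp1"
+	local vmtmp2="/tmp/__setlabel.tmp2"
 	touch $vmtmp1
 	touch $vmtmp2
 	if [ ! -w "$vmtmp1" -o ! -w "$vmtmp2" ]; then
@@ -584,8 +706,10 @@ relabel ()
 # 2nd: Full or relative path to the policy's mapfile
 translateSSIDREF ()
 {
-	ssidref=$1
-	mapfile=$2
+	local ssidref=$1
+	local mapfile=$2
+	local line1
+	local line2
 
 	if [ ! -r "$mapfile" -o "$mapfile" == "" ]; then
 		echo "Cannot read from vm configuration file $vmfile."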
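--- a/tools/security/secpol_tool.c	Thu Dec 08 18:19:24 2005 +0000
+++ b/tools/security/secpol_tool.c	Thu Dec 08 18:21:05 2005 +0000
@@ -44,12 +44,13 @@ fprintf(stderr, "ERROR: " _m " (%d = %s)
 
 void usage(char *progname)
 {
-    printf("Use: %s \n"
+    printf("Usage: %s ACTION\n"
+           "ACTION is one of:\n"
            "\t getpolicy\n"
            "\t dumpstats\n"
            "\t loadpolicy <binary policy file>\n"
            "\t getssid -d <domainid> [-f]\n"
-		   "\t getssid -s <ssidref> [-f]\n", progname);
+           "\t getssid -s <ssidref> [-f]\n", progname);
     exit(-1);
 }
 
@@ -85,6 +86,7 @@ static inline int do_acm_op(int xc_handl
 
     if ((ret = do_xen_hypercall(xc_handle, &hypercall)) < 0)
     {
+        printf( "ACM operation failed: errno=%d\n", errno );
         if (errno == EACCES)
             fprintf(stderr, "ACM operation failed -- need to"
                     " rebuild the user-space tool set?\n");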
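Review bot: The added `printf` in do_acm_op runs before the `errno == EACCES` test, and printf is allowed to modify errno, so the test may no longer see the value left by do_xen_hypercall. It also writes the failure to stdout while the neighbouring messages go to stderr. Saving the value first and reporting on stderr addresses both: `int saved_errno = errno;`, then `fprintf(stderr, "ACM operation failed: errno=%d\n", saved_errno);` and `if (saved_errno == EACCES)`. The body of do_acm_op starts before and continues after this hunk, so any later use of errno there should switch to the saved value as well.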
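--- a/tools/security/secpol_xml2bin.c	Thu Dec 08 18:19:24 2005 +0000
+++ b/tools/security/secpol_xml2bin.c	Thu Dec 08 18:21:05 2005 +0000
@@ -17,7 +17,7 @@
  * sHype policy translation tool. This tool takes an XML
  * policy specification as input and produces a binary
  * policy file that can be loaded into Xen through the
- * ACM operations (secpol_tool loadpolicy) interface or at
+ * ACM operations (xensec_tool loadpolicy) interface or at
  * boot time (grub module parameter)
  *
  * indent -i4 -kr -nut
@@ -102,12 +102,22 @@ int have_chwall = 0;
 /* input/output file names */
 char *policy_filename = NULL,
     *label_filename = NULL,
-    *binary_filename = NULL, *mapping_filename = NULL;
+    *binary_filename = NULL, *mapping_filename = NULL,
+    *schema_filename = NULL;
 
 void usage(char *prg)
 {
-    printf("usage:\n%s policyname[-policy.xml/-security_label_template.xml]\n",
-         prg);
+    printf("Usage: %s [OPTIONS] POLICYNAME\n", prg);
+    printf("POLICYNAME is the directory name within the policy directory\n");
+    printf("that contains the policy files.  The default policy directory\n");
+    printf("is '%s' (see the '-d' option below to change it)\n", POLICY_DIR);
+    printf("The policy files contained in the POLICYNAME directory must be named:\n");
+    printf("\tPOLICYNAME-security_policy.xml\n");
+    printf("\tPOLICYNAME-security_label_template.xml\n\n");
+    printf("OPTIONS:\n");
+    printf("\t-d POLICYDIR\n");
+    printf("\t\tUse POLICYDIR as the policy directory. This directory must contain\n");
+    printf("\t\tthe policy schema file 'security_policy.xsd'\n");
     exit(EXIT_FAILURE);
 }
 
@@ -1237,7 +1247,7 @@ int is_valid(xmlDocPtr doc)
     xmlSchemaParserCtxtPtr schemaparser_ctxt = NULL;
     xmlSchemaValidCtxtPtr schemavalid_ctxt = NULL;
 
-    schemaparser_ctxt = xmlSchemaNewParserCtxt(SCHEMA_FILENAME);
+    schemaparser_ctxt = xmlSchemaNewParserCtxt(schema_filename);
     schema_ctxt = xmlSchemaParse(schemaparser_ctxt);
     schemavalid_ctxt = xmlSchemaNewValidCtxt(schema_ctxt);
 
@@ -1246,12 +1256,12 @@ int is_valid(xmlDocPtr doc)
     if ((err = xmlSchemaIsValid(schemavalid_ctxt)) != 1)
     {
         printf("ERROR: Invalid schema file %s (err=%d)\n",
-               SCHEMA_FILENAME, err);
+               schema_filename, err);
         err = -EIO;
         goto out;
     }
     else
-        printf("XML Schema %s valid.\n", SCHEMA_FILENAME);
+        printf("XML Schema %s valid.\n", schema_filename);
 #endif
     if ((err = xmlSchemaValidateDoc(schemavalid_ctxt, doc)))
     {
@@ -1275,37 +1285,59 @@ int main(int argc, char **argv)
     char *file_prefix;
     int prefix_len;
 
+    int opt_char;
+    char *policy_dir = POLICY_DIR;
+
     if (ACM_POLICY_VERSION != WRITTEN_AGAINST_ACM_POLICY_VERSION)
     {
         printf("ERROR: This program was written against an older ACM version.\n");
         exit(EXIT_FAILURE);
     }
 
-    if (argc != 2)
+    while ((opt_char = getopt(argc, argv, "d:")) != -1) {
+        switch (opt_char) {
+        case 'd':
+            policy_dir = malloc(strlen(optarg) + 2); // null terminator and possibly "/"
+            if (!policy_dir) {
+                printf("ERROR allocating directory name memory.\n");
+                exit(EXIT_FAILURE);
+            }
+            strcpy(policy_dir, optarg);
+            if (policy_dir[strlen(policy_dir) - 1] != '/')
+                strcat(policy_dir, "/");
+            break;
+
+        default:
+            usage(basename(argv[0]));
+        }
+    }
+
+    if ((argc - optind) != 1)
         usage(basename(argv[0]));
 
-    prefix_len = strlen(POLICY_SUBDIR) +
-        strlen(argv[1]) + 1 /* "/" */  +
-        strlen(argv[1]) + 1 /* "/" */ ;
+    prefix_len = strlen(policy_dir) +
+        strlen(argv[optind]) + 1 /* "/" */  +
+        strlen(argv[optind]) + 1 /* null terminator */ ;
 
     file_prefix = malloc(prefix_len);
     policy_filename = malloc(prefix_len + strlen(POLICY_EXTENSION));
     label_filename = malloc(prefix_len + strlen(LABEL_EXTENSION));
     binary_filename = malloc(prefix_len + strlen(BINARY_EXTENSION));
     mapping_filename = malloc(prefix_len + strlen(MAPPING_EXTENSION));
+    schema_filename = malloc(strlen(policy_dir) + strlen(SCHEMA_FILENAME) + 1);
 
     if (!file_prefix || !policy_filename || !label_filename ||
-        !binary_filename || !mapping_filename)
+        !binary_filename || !mapping_filename || !schema_filename)
     {
         printf("ERROR allocating file name memory.\n");
         goto out2;
     }
 
     /* create input/output filenames out of prefix */
-    strcat(file_prefix, POLICY_SUBDIR);
-    strcat(file_prefix, argv[1]);
+    strcpy(file_prefix, policy_dir);
+    strcat(file_prefix, argv[optind]);
     strcat(file_prefix, "/");
-    strcat(file_prefix, argv[1]);
+    strcat(file_prefix, argv[optind]);
 
     strcpy(policy_filename, file_prefix);
     strcpy(label_filename, file_prefix);
@@ -1317,11 +1349,14 @@ int main(int argc, char **argv)
     strcat(binary_filename, BINARY_EXTENSION);
     strcat(mapping_filename, MAPPING_EXTENSION);
 
+    strcpy(schema_filename, policy_dir);
+    strcat(schema_filename, SCHEMA_FILENAME);
+
     labeldoc = xmlParseFile(label_filename);
 
     if (labeldoc == NULL)
     {
-        printf("Error: could not parse file %s.\n", argv[1]);
+        printf("Error: could not parse file %s.\n", argv[optind]);
         goto out2;
     }
 
@@ -1337,7 +1372,7 @@ int main(int argc, char **argv)
 
     if (policydoc == NULL)
     {
-        printf("Error: could not parse file %s.\n", argv[1]);
+        printf("Error: could not parse file %s.\n", argv[optind]);
         goto out1;
     }
 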
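Review bot: In main's new `-d` handling, `policy_dir[strlen(policy_dir) - 1]` indexes outside the allocated buffer when the option argument is an empty string, because strlen returns 0 and the subtraction wraps. Rejecting an empty argument before the allocation avoids the out-of-bounds read: `if (*optarg == '\0') usage(basename(argv[0]));`. A repeated `-d` also overwrites the earlier malloc'd pointer without freeing it, which is harmless in a short-lived tool but worth a comment. main starts before this hunk and continues past it.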
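--- a/tools/security/secpol_xml2bin.h	Thu Dec 08 18:19:24 2005 +0000
+++ b/tools/security/secpol_xml2bin.h	Thu Dec 08 18:21:05 2005 +0000
@@ -12,7 +12,7 @@
  * License.
  *
  */
-#define POLICY_SUBDIR       "policies/"
+#define POLICY_DIR          "/etc/xen/acm-security/policies/"
 #define POLICY_EXTENSION    "-security_policy.xml"
 #define LABEL_EXTENSION     "-security_label_template.xml"
 #define BINARY_EXTENSION    ".bin"
@@ -20,7 +20,7 @@
 #define PRIMARY_COMPONENT_ATTR_NAME "order"
 #define BOOTSTRAP_LABEL_ATTR_NAME   "bootstrap"
 #define PRIMARY_COMPONENT   "PrimaryPolicyComponent"
-#define SCHEMA_FILENAME     "policies/security_policy.xsd"
+#define SCHEMA_FILENAME     "security_policy.xsd"
 
 /* basic states (used as 1 << X) */
 #define XML2BIN_SECPOL		    0   /* policy tokens */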
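Review bot: POLICY_DIR now has to end in '/' for the path building in secpol_xml2bin.c to work, but nothing at the definition says so. main copies policy_dir and appends the policy name and SCHEMA_FILENAME directly, and only a user-supplied `-d` value gets the slash added. A comment such as `/* must end in '/': concatenated directly with the policy name and SCHEMA_FILENAME */` above the `#define POLICY_DIR` line would keep a later edit from silently producing wrong paths.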
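--- a/tools/security/setlabel.sh	Thu Dec 08 18:19:24 2005 +0000
+++ b/tools/security/setlabel.sh	Thu Dec 08 18:21:05 2005 +0000
@@ -35,102 +35,72 @@ if [ -z "$runbash" ]; then
 fi
 
 export PATH=$PATH:.
-source labelfuncs.sh
+dir=`dirname $0`
+source $dir/labelfuncs.sh
 
 usage ()
 {
+	prg=`basename $0`
 echo "Use this tool to put the ssidref corresponding to a label of a policy into
 the VM configuration file, or use it to display all labels of a policy.
 
-Usage: $0 [Option] <vmfile> <label> [<policy name>]
-    or $0 -l [<policy name>]
+Usage: $prg [-r] <vmfile> <label> [<policy name> [<policy dir>]] or
+       $prg -l [<policy name> [<policy dir>]]
 
-Valid options are:
 -r          : to relabel a file without being prompted
-
+-l          : to show the valid labels in a map file
 vmfile      : XEN vm configuration file; give complete path
 label       : the label to map to an ssidref
 policy name : the name of the policy, i.e. 'chwall'
               If the policy name is omitted, it is attempted
               to find the current policy's name in grub.conf.
-
--l [<policy name>] is used to show valid labels in the map file of
-                   the given or current policy. If the policy name
-                   is omitted, it will be tried to determine the
-                   current policy from grub.conf (/boot/grub/grub.conf)
-
+policy dir  : the directory where the <policy name> policy is located
+              The default location is '/etc/xen/acm-security/policies'
 "
 }
 
-
 if [ "$1" == "-r" ]; then
 	mode="relabel"
 	shift
 elif [ "$1" == "-l" ]; then
 	mode="show"
 	shift
-elif [ "$1" == "-?" ]; then
+elif [ "$1" == "-h" ]; then
 	mode="usage"
 fi
 
-if [ "$mode" == "show" ]; then
-	if [ "$1" == "" ]; then
-		findGrubConf
-		ret=$?
-		if [ $ret -eq 0 ]; then
-			echo "Could not find grub.conf"
-			exit -1;
-		fi
-		findPolicyInGrub $grubconf
-		if [ "$policy" != "" ]; then
-			echo "Assuming policy to be '$policy'.";
-		else
-			echo "Could not find policy."
-			exit -1;
-		fi
-	else
-		policy=$1;
+if [ "$mode" == "usage" ]; then
+	usage
+elif [ "$mode" == "show" ]; then
+	setPolicyVars $1 $2
+	ret=$?
+	if [ $ret -eq 0 ]; then
+		echo "Error when trying to find policy-related information."
+		exit -1
 	fi
-
-
-	findMapFile $policy
-	res=$?
-	if [ "$res" != "0" ]; then
-		showLabels $mapfile
-	else
+	findMapFile $policy $policydir
+	ret=$?
+	if [ $ret -eq 0 ]; then
 		echo "Could not find map file for policy '$policy'."
+		exit -1
 	fi
-elif [ "$mode" == "usage" ]; then
-	usage
+	showLabels $mapfile
 else
 	if [ "$2" == "" ]; then
 		usage
 		exit -1
 	fi
-	if [ "$3" == "" ]; then
-		findGrubConf
-		ret=$?
-		if [ $ret -eq 0 ]; then
-			echo "Could not find grub.conf"
-			exit -1;
-		fi
-		findPolicyInGrub $grubconf
-		if [ "$policy" != "" ]; then
-			echo "Assuming policy to be '$policy'.";
-		else
-			echo "Could not find policy."
-			exit -1;
-		fi
-
-	else
-		policy=$3;
+	setPolicyVars $3 $4
+	ret=$?
+	if [ $ret -eq 0 ]; then
+		echo "Error when trying to find policy-related information."
+		exit -1
 	fi
-	findMapFile $policy
-	res=$?
-	if [ "$res" != "0" ]; then
-		relabel $1 $2 $mapfile $mode
-	else
-		echo "Could not find map file for policy '$3'."
+	findMapFile $policy $policydir
+	ret=$?
+	if [ $ret -eq 0 ]; then
+		echo "Could not find map file for policy '$policy'."
+		exit -1
 	fi
-
+	relabel $1 $2 $mapfile $mode
 fi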
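--- a/tools/security/updategrub.sh	Thu Dec 08 18:19:24 2005 +0000
+++ b/tools/security/updategrub.sh	Thu Dec 08 18:21:05 2005 +0000
@@ -22,166 +22,49 @@ if [ -z "$runbash" ]; then
 	exit
 fi
 
+dir=`dirname $0`
+source $dir/labelfuncs.sh
+
+acmroot=$ACM_DEFAULT_ROOT
+
 
 # Show usage of this program
 usage ()
 {
+	prg=`basename $0`
 echo "Use this tool to add the binary policy to the Xen grub entry and
 have Xen automatically enforce the policy when starting.
 
-Usage: $0 <policy name> <root of xen repository>
-
-<policy name>             : The name of the policy, i.e. xen_null
-<root of xen repository>  : The root of the XEN repository. Give
-                            complete path.
-
-"
-}
+Usage: $prg [-d <policies root>] <policy name> [<kernel version>]
 
-# This function sets the global variable 'linux'
-# to the name of the linux kernel that was compiled
-# For now a pattern should do the trick
-getLinuxVersion ()
-{
-	path=$1
-	linux=""
-	for f in $path/linux-*-xen0 ; do
-		versionfile=$f/include/linux/version.h
-		if [ -r $versionfile ]; then
-			lnx=`cat $versionfile |                \
-			     grep UTS_RELEASE |                \
-			     awk '{                            \
-			       len=length($3);                 \
-			       version=substr($3,2,len-2);     \
-			       split(version,numbers,".");     \
-			       if (numbers[4]=="") {           \
-			         printf("%s.%s.%s",            \
-			                 numbers[1],           \
-			                 numbers[2],           \
-			                 numbers[3]);          \
-			       } else {                        \
-			         printf("%s.%s.%s[.0-9]*-xen0",\
-			                numbers[1],            \
-			                numbers[2],            \
-			                numbers[3]);           \
-			       }                               \
-			     }'`
-		fi
-		if [ "$lnx" != "" ]; then
-			linux="[./0-9a-zA-z]*$lnx"
-			return;
-		fi
-	done
-
-	#Last resort.
-	linux="vmlinuz-2.[45678].[0-9]*[.0-9]*-xen0$"
-}
-
-#Return where the grub.conf file is.
-#I only know of one place it can be.
-findGrubConf()
-{
-	grubconf="/boot/grub/grub.conf"
-	if [ -w $grubconf ]; then
-		return 1
-	fi
-	return 0
+<policies root>  : The directory where the policies directory is located in;
+                   default is $acmroot
+<policy name>    : The name of the policy, i.e. xen_null
+<kernel version> : The version of the kernel to apply the policy
+                   against, i.e. 2.6.12.6-xen0
+                   If not specified, a kernel version ending with '-xen0'
+                   will be searched for in '/lib/modules'
+"
 }
 
 
-#Update the grub configuration file.
-#Search for existing entries and replace the current
-#policy entry with the policy passed to this script
-#
-#Arguments passed to this function
-# 1st : the grub configuration file
-# 2nd : the binary policy file name
-# 3rd : the name or pattern of the linux kernel name to match
-#
-# The algorithm here is based on pattern matching
-# and is working correctly if
-# - under a title a line beginning with 'kernel' is found
-#   whose following item ends with "xen.gz"
-#   Example:  kernel /xen.gz dom0_mem=....
-# - a module line matching the 3rd parameter is found
-#
-updateGrub ()
-{
-	grubconf=$1
-	policyfile=$2
-	linux=$3
-
-	tmpfile="/tmp/new_grub.conf"
 
-	cat $grubconf |                                \
-	         awk -vpolicy=$policyfile              \
-	             -vlinux=$linux '{                 \
-	           if ( $1 == "title" ) {              \
-	             kernelfound = 0;                  \
-	             if ( policymaycome == 1 ){        \
-	               printf ("\tmodule %s%s\n", path, policy);      \
-	             }                                 \
-	             policymaycome = 0;                \
-	           }                                   \
-	           else if ( $1 == "kernel" ) {        \
-	             if ( match($2,"xen.gz$") ) {      \
-	               path=substr($2,1,RSTART-1);     \
-	               kernelfound = 1;                \
-	             }                                 \
-	           }                                   \
-	           else if ( $1 == "module" &&         \
-	                     kernelfound == 1 &&       \
-	                     match($2,linux) ) {       \
-	              policymaycome = 1;               \
-	           }                                   \
-	           else if ( $1 == "module" &&         \
-	                     kernelfound == 1 &&       \
-	                     policymaycome == 1 &&     \
-	                     match($2,"[0-9a-zA-Z]*.bin$") ) { \
-	              printf ("\tmodule %s%s\n", path, policy); \
-	              policymaycome = 0;               \
-	              kernelfound = 0;                 \
-	              dontprint = 1;                   \
-	           }                                   \
-	           else if ( $1 == "" &&               \
-	                     kernelfound == 1 &&       \
-	                     policymaycome == 1) {     \
-	              dontprint = 1;                   \
-	           }                                   \
-	           if (dontprint == 0) {               \
-	             printf ("%s\n", $0);              \
-	           }                                   \
-	           dontprint = 0;                      \
-	         } END {                               \
-	           if ( policymaycome == 1 ) {         \
-	             printf ("\tmodule %s%s\n", path, policy);  \
-	           }                                   \
-	         }' > $tmpfile
-	if [ ! -r $tmpfile ]; then
-		echo "Could not create temporary file! Aborting."
-		exit -1
-	fi
-	diff $tmpfile $grubconf > /dev/null
-	RES=$?
-	if [ "$RES" == "0" ]; then
-		echo "No changes were made to $grubconf."
-	else
-		echo "Successfully updated $grubconf."
-		mv -f $tmpfile $grubconf
-	fi
-}
+if [ "$1" == "-h" ]; then
+	usage
+	exit 0
+elif [ "$1" == "-d" ]; then
+	shift
+	acmroot=$1
+	shift
+fi
 
-if [ "$1" == "" -o "$2" == "" ]; then
+if [ "$1" == "" ]; then
 	echo "Error: Not enough command line parameters."
 	echo ""
 	usage
 	exit -1
 fi
 
-if [ "$1" == "-?" ]; then
-	usage
-	exit 0
-fi
 
 policy=$1
 policyfile=$policy.bin
@@ -189,10 +72,19 @@ policyfile=$policy.bin
 getLinuxVersion $2
 
 findGrubConf
-ERR=$?
-if [ $ERR -eq 0 ]; then
-	echo "Could not find grub.conf. Aborting."
+ret=$?
+if [ $ret -eq 0 ]; then
+	echo "Could not find grub.conf."
+	exit -1
+elif [ $ret -eq 2 ]; then
+	echo "Need to have write-access to $grubconf. Exiting."
 	exit -1
 fi
 
+cpBootPolicy /boot $acmroot $policy
+ret=$?
+if [ $ret -ne 1 ]; then
+	echo "Error copying or generating the binary policy."
+	exit -1
+fi
 updateGrub $grubconf $policyfile $linux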
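Review bot: `cpBootPolicy /boot $acmroot $policy` passes its arguments unquoted, so an empty acmroot drops out of the call and the policy name arrives as the second argument, where the policies root is expected. That happens with `-d ""`, or if ACM_DEFAULT_ROOT is not set by labelfuncs.sh, whose definition is outside this file section. Quoting plus an explicit check closes it: `[ -n "$acmroot" ] || { usage; exit 1; }` before the call, and `cpBootPolicy /boot "$acmroot" "$policy"`. The policy name also goes unchecked into `policyfile=$policy.bin` and from there into the `updateGrub` call. Since the script edits boot configuration, restricting the name to a plain file name without `/` would be a sensible addition.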