ia64/xen-unstable
changeset 9832:ad30019015a2
This patch adds support in the hypervisor for the policy name attribute
introduced into security policies. It also fixes a minor problem related
to handling unsupported boot policies.
Signed-off by: Reiner Sailer <sailer@us.ibm.com>
introduced into security policies. It also fixes a minor problem related
to handling unsupported boot policies.
Signed-off by: Reiner Sailer <sailer@us.ibm.com>
| author | smh22@firebug.cl.cam.ac.uk |
|---|---|
| date | Mon Apr 24 10:51:50 2006 +0100 (2006-04-24) |
| parents | 0a5183b3e7bb |
| children | 65ce9bf4a86f |
| files | tools/security/Makefile tools/security/secpol_tool.c tools/security/secpol_xml2bin.c tools/security/secpol_xml2bin.h |
line diff
1.1 --- a/tools/security/Makefile Mon Apr 24 10:51:20 2006 +0100 1.2 +++ b/tools/security/Makefile Mon Apr 24 10:51:50 2006 +0100 1.3 @@ -30,28 +30,23 @@ SRCS_TOOL = secpol_tool.c 1.4 OBJS_TOOL := $(patsubst %.c,%.o,$(filter %.c,$(SRCS_TOOL))) 1.5 SRCS_XML2BIN = secpol_xml2bin.c secpol_xml2bin.h 1.6 OBJS_XML2BIN := $(patsubst %.c,%.o,$(filter %.c,$(SRCS_XML2BIN))) 1.7 -SRCS_GETD = get_decision.c 1.8 -OBJS_GETD := $(patsubst %.c,%.o,$(filter %.c,$(SRCS_GETD))) 1.9 1.10 ACM_INST_TOOLS = xensec_tool xensec_xml2bin xensec_gen 1.11 -ACM_NOINST_TOOLS = get_decision 1.12 ACM_OBJS = $(OBJS_TOOL) $(OBJS_XML2BIN) $(OBJS_GETD) 1.13 -ACM_SCRIPTS = getlabel.sh setlabel.sh updategrub.sh labelfuncs.sh 1.14 +ACM_SCRIPTS = python/xensec_tools/acm_getlabel python/xensec_tools/acm_getdecision 1.15 1.16 ACM_CONFIG_DIR = /etc/xen/acm-security 1.17 ACM_POLICY_DIR = $(ACM_CONFIG_DIR)/policies 1.18 ACM_SCRIPT_DIR = $(ACM_CONFIG_DIR)/scripts 1.19 1.20 ACM_INST_HTML = python/xensec_gen/index.html 1.21 -ACM_INST_CGI = python/xensec_gen/cgi-bin/policy.cgi \ 1.22 - python/xensec_gen/cgi-bin/policylabel.cgi 1.23 +ACM_INST_CGI = python/xensec_gen/cgi-bin/policy.cgi 1.24 ACM_SECGEN_HTMLDIR= /var/lib/xensec_gen 1.25 ACM_SECGEN_CGIDIR = $(ACM_SECGEN_HTMLDIR)/cgi-bin 1.26 1.27 ACM_SCHEMA = security_policy.xsd 1.28 -ACM_EXAMPLES = null chwall ste chwall_ste 1.29 +ACM_EXAMPLES = chwall ste chwall_ste 1.30 ACM_POLICY_SUFFIX = security_policy.xml 1.31 -ACM_LABEL_SUFFIX = security_label_template.xml 1.32 1.33 ifeq ($(ACM_SECURITY),y) 1.34 .PHONY: all 1.35 @@ -64,10 +59,10 @@ install: all $(ACM_CONFIG_FILE) 1.36 $(INSTALL_DIR) -p $(DESTDIR)$(ACM_CONFIG_DIR) 1.37 $(INSTALL_DIR) -p $(DESTDIR)$(ACM_POLICY_DIR) 1.38 $(INSTALL_DATA) -p policies/$(ACM_SCHEMA) $(DESTDIR)$(ACM_POLICY_DIR) 1.39 + $(INSTALL_DIR) -p $(DESTDIR)$(ACM_POLICY_DIR)/example 1.40 for i in $(ACM_EXAMPLES); do \ 1.41 - $(INSTALL_DIR) -p $(DESTDIR)$(ACM_POLICY_DIR)/$$i; \ 1.42 - $(INSTALL_DATA) -p policies/$$i/$$i-$(ACM_POLICY_SUFFIX) $(DESTDIR)$(ACM_POLICY_DIR)/$$i; \ 1.43 - $(INSTALL_DATA) -p policies/$$i/$$i-$(ACM_LABEL_SUFFIX) $(DESTDIR)$(ACM_POLICY_DIR)/$$i; \ 1.44 + $(INSTALL_DIR) -p $(DESTDIR)$(ACM_POLICY_DIR)/example/$$i; \ 1.45 + $(INSTALL_DATA) -p policies/example/$$i/client_v1-$(ACM_POLICY_SUFFIX) $(DESTDIR)$(ACM_POLICY_DIR)/example/$$i; \ 1.46 done 1.47 $(INSTALL_DIR) -p $(DESTDIR)$(ACM_SCRIPT_DIR) 1.48 $(INSTALL_PROG) -p $(ACM_SCRIPTS) $(DESTDIR)$(ACM_SCRIPT_DIR) 1.49 @@ -99,9 +94,6 @@ xensec_tool: $(OBJS_TOOL) 1.50 xensec_xml2bin: $(OBJS_XML2BIN) 1.51 $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ 1.52 1.53 -get_decision: $(OBJS_GETD) 1.54 - $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ 1.55 - 1.56 xensec_gen: xensec_gen.py 1.57 cp -f $^ $@ 1.58 1.59 @@ -116,8 +108,4 @@ clean: 1.60 .PHONY: mrproper 1.61 mrproper: clean 1.62 1.63 -.PHONY: boot_install 1.64 -boot_install: install 1.65 - $(ACM_SCRIPT_DIR)/updategrub.sh $(POLICY) $(KERNEL_VERSION) 1.66 - 1.67 -include $(PROG_DEPS)
2.1 --- a/tools/security/secpol_tool.c Mon Apr 24 10:51:20 2006 +0100 2.2 +++ b/tools/security/secpol_tool.c Mon Apr 24 10:51:50 2006 +0100 2.3 @@ -48,9 +48,7 @@ void usage(char *progname) 2.4 "ACTION is one of:\n" 2.5 "\t getpolicy\n" 2.6 "\t dumpstats\n" 2.7 - "\t loadpolicy <binary policy file>\n" 2.8 - "\t getssid -d <domainid> [-f]\n" 2.9 - "\t getssid -s <ssidref> [-f]\n", progname); 2.10 + "\t loadpolicy <binary policy file>\n", progname); 2.11 exit(-1); 2.12 } 2.13 2.14 @@ -68,7 +66,7 @@ static inline int do_xen_hypercall(int x 2.15 (unsigned long) hypercall); 2.16 } 2.17 2.18 -static inline int do_acm_op(int xc_handle, struct acm_op * op) 2.19 +static inline int do_acm_op(int xc_handle, struct acm_op *op) 2.20 { 2.21 int ret = -1; 2.22 privcmd_hypercall_t hypercall; 2.23 @@ -78,15 +76,13 @@ static inline int do_acm_op(int xc_handl 2.24 hypercall.op = __HYPERVISOR_acm_op; 2.25 hypercall.arg[0] = (unsigned long) op; 2.26 2.27 - if (mlock(op, sizeof(*op)) != 0) 2.28 - { 2.29 + if (mlock(op, sizeof(*op)) != 0) { 2.30 PERROR("Could not lock memory for Xen policy hypercall"); 2.31 goto out1; 2.32 } 2.33 2.34 - if ((ret = do_xen_hypercall(xc_handle, &hypercall)) < 0) 2.35 - { 2.36 - printf( "ACM operation failed: errno=%d\n", errno ); 2.37 + if ((ret = do_xen_hypercall(xc_handle, &hypercall)) < 0) { 2.38 + printf("ACM operation failed: errno=%d\n", errno); 2.39 if (errno == EACCES) 2.40 fprintf(stderr, "ACM operation failed -- need to" 2.41 " rebuild the user-space tool set?\n"); 2.42 @@ -108,8 +104,7 @@ void acm_dump_chinesewall_buffer(void *b 2.43 int i, j; 2.44 2.45 2.46 - if (htonl(cwbuf->policy_code) != ACM_CHINESE_WALL_POLICY) 2.47 - { 2.48 + if (htonl(cwbuf->policy_code) != ACM_CHINESE_WALL_POLICY) { 2.49 printf("CHINESE WALL POLICY CODE not found ERROR!!\n"); 2.50 return; 2.51 } 2.52 @@ -129,8 +124,7 @@ void acm_dump_chinesewall_buffer(void *b 2.53 printf("\nSSID To CHWALL-Type matrix:\n"); 2.54 2.55 ssids = (domaintype_t *) (buf + ntohl(cwbuf->chwall_ssid_offset)); 2.56 - for (i = 0; i < ntohl(cwbuf->chwall_max_ssidrefs); i++) 2.57 - { 2.58 + for (i = 0; i < ntohl(cwbuf->chwall_max_ssidrefs); i++) { 2.59 printf("\n ssidref%2x: ", i); 2.60 for (j = 0; j < ntohl(cwbuf->chwall_max_types); j++) 2.61 printf("%02x ", 2.62 @@ -139,8 +133,7 @@ void acm_dump_chinesewall_buffer(void *b 2.63 printf("\n\nConfict Sets:\n"); 2.64 conflicts = 2.65 (domaintype_t *) (buf + ntohl(cwbuf->chwall_conflict_sets_offset)); 2.66 - for (i = 0; i < ntohl(cwbuf->chwall_max_conflictsets); i++) 2.67 - { 2.68 + for (i = 0; i < ntohl(cwbuf->chwall_max_conflictsets); i++) { 2.69 printf("\n c-set%2x: ", i); 2.70 for (j = 0; j < ntohl(cwbuf->chwall_max_types); j++) 2.71 printf("%02x ", 2.72 @@ -150,13 +143,11 @@ void acm_dump_chinesewall_buffer(void *b 2.73 printf("\n"); 2.74 2.75 printf("\nRunning\nTypes: "); 2.76 - if (ntohl(cwbuf->chwall_running_types_offset)) 2.77 - { 2.78 + if (ntohl(cwbuf->chwall_running_types_offset)) { 2.79 running_types = 2.80 (domaintype_t *) (buf + 2.81 ntohl(cwbuf->chwall_running_types_offset)); 2.82 - for (i = 0; i < ntohl(cwbuf->chwall_max_types); i++) 2.83 - { 2.84 + for (i = 0; i < ntohl(cwbuf->chwall_max_types); i++) { 2.85 printf("%02x ", ntohs(running_types[i])); 2.86 } 2.87 printf("\n"); 2.88 @@ -164,13 +155,12 @@ void acm_dump_chinesewall_buffer(void *b 2.89 printf("Not Reported!\n"); 2.90 } 2.91 printf("\nConflict\nAggregate Set: "); 2.92 - if (ntohl(cwbuf->chwall_conflict_aggregate_offset)) 2.93 - { 2.94 + if (ntohl(cwbuf->chwall_conflict_aggregate_offset)) { 2.95 conflict_aggregate = 2.96 (domaintype_t *) (buf + 2.97 - ntohl(cwbuf->chwall_conflict_aggregate_offset)); 2.98 - for (i = 0; i < ntohl(cwbuf->chwall_max_types); i++) 2.99 - { 2.100 + ntohl(cwbuf-> 2.101 + chwall_conflict_aggregate_offset)); 2.102 + for (i = 0; i < ntohl(cwbuf->chwall_max_types); i++) { 2.103 printf("%02x ", ntohs(conflict_aggregate[i])); 2.104 } 2.105 printf("\n\n"); 2.106 @@ -201,11 +191,11 @@ void acm_dump_ste_buffer(void *buf, int 2.107 printf("\nSSID To STE-Type matrix:\n"); 2.108 2.109 ssids = (domaintype_t *) (buf + ntohl(stebuf->ste_ssid_offset)); 2.110 - for (i = 0; i < ntohl(stebuf->ste_max_ssidrefs); i++) 2.111 - { 2.112 + for (i = 0; i < ntohl(stebuf->ste_max_ssidrefs); i++) { 2.113 printf("\n ssidref%2x: ", i); 2.114 for (j = 0; j < ntohl(stebuf->ste_max_types); j++) 2.115 - printf("%02x ", ntohs(ssids[i * ntohl(stebuf->ste_max_types) + j])); 2.116 + printf("%02x ", 2.117 + ntohs(ssids[i * ntohl(stebuf->ste_max_types) + j])); 2.118 } 2.119 printf("\n\n"); 2.120 } 2.121 @@ -213,9 +203,12 @@ void acm_dump_ste_buffer(void *buf, int 2.122 void acm_dump_policy_buffer(void *buf, int buflen) 2.123 { 2.124 struct acm_policy_buffer *pol = (struct acm_policy_buffer *) buf; 2.125 - 2.126 + char *policy_reference_name = 2.127 + (buf + ntohl(pol->policy_reference_offset) + 2.128 + sizeof(struct acm_policy_reference_buffer)); 2.129 printf("\nPolicy dump:\n"); 2.130 printf("============\n"); 2.131 + printf("POLICY REFERENCE = %s.\n", policy_reference_name); 2.132 printf("PolicyVer = %x.\n", ntohl(pol->policy_version)); 2.133 printf("Magic = %x.\n", ntohl(pol->magic)); 2.134 printf("Len = %x.\n", ntohl(pol->len)); 2.135 @@ -227,8 +220,7 @@ void acm_dump_policy_buffer(void *buf, i 2.136 ACM_POLICY_NAME(ntohl(pol->secondary_policy_code)), 2.137 ntohl(pol->secondary_policy_code), 2.138 ntohl(pol->secondary_buffer_offset)); 2.139 - switch (ntohl(pol->primary_policy_code)) 2.140 - { 2.141 + switch (ntohl(pol->primary_policy_code)) { 2.142 case ACM_CHINESE_WALL_POLICY: 2.143 acm_dump_chinesewall_buffer(buf + 2.144 ntohl(pol->primary_buffer_offset), 2.145 @@ -250,8 +242,7 @@ void acm_dump_policy_buffer(void *buf, i 2.146 printf("UNKNOWN POLICY!\n"); 2.147 } 2.148 2.149 - switch (ntohl(pol->secondary_policy_code)) 2.150 - { 2.151 + switch (ntohl(pol->secondary_policy_code)) { 2.152 case ACM_CHINESE_WALL_POLICY: 2.153 acm_dump_chinesewall_buffer(buf + 2.154 ntohl(pol->secondary_buffer_offset), 2.155 @@ -303,26 +294,22 @@ int acm_domain_loadpolicy(int xc_handle, 2.156 off_t len; 2.157 uint8_t *buffer; 2.158 2.159 - if ((ret = stat(filename, &mystat))) 2.160 - { 2.161 + if ((ret = stat(filename, &mystat))) { 2.162 printf("File %s not found.\n", filename); 2.163 goto out; 2.164 } 2.165 2.166 len = mystat.st_size; 2.167 - if ((buffer = malloc(len)) == NULL) 2.168 - { 2.169 + if ((buffer = malloc(len)) == NULL) { 2.170 ret = -ENOMEM; 2.171 goto out; 2.172 } 2.173 - if ((fd = open(filename, O_RDONLY)) <= 0) 2.174 - { 2.175 + if ((fd = open(filename, O_RDONLY)) <= 0) { 2.176 ret = -ENOENT; 2.177 printf("File %s not found.\n", filename); 2.178 goto free_out; 2.179 } 2.180 - if (len == read(fd, buffer, len)) 2.181 - { 2.182 + if (len == read(fd, buffer, len)) { 2.183 struct acm_op op; 2.184 /* dump it and then push it down into xen/acm */ 2.185 acm_dump_policy_buffer(buffer, len); 2.186 @@ -334,7 +321,7 @@ int acm_domain_loadpolicy(int xc_handle, 2.187 2.188 if (ret) 2.189 printf 2.190 - ("ERROR setting policy. Try 'xm dmesg' to see details.\n"); 2.191 + ("ERROR setting policy.\n"); 2.192 else 2.193 printf("Successfully changed policy.\n"); 2.194 2.195 @@ -382,9 +369,9 @@ int acm_domain_dumpstats(int xc_handle) 2.196 op.u.dumpstats.pullcache_size = sizeof(stats_buffer); 2.197 ret = do_acm_op(xc_handle, &op); 2.198 2.199 - if (ret < 0) 2.200 - { 2.201 - printf("ERROR dumping policy stats. Try 'xm dmesg' to see details.\n"); 2.202 + if (ret < 0) { 2.203 + printf 2.204 + ("ERROR dumping policy stats. Try 'xm dmesg' to see details.\n"); 2.205 return ret; 2.206 } 2.207 stats = (struct acm_stats_buffer *) stats_buffer; 2.208 @@ -394,8 +381,7 @@ int acm_domain_dumpstats(int xc_handle) 2.209 printf("Magic = %x.\n", ntohl(stats->magic)); 2.210 printf("Len = %x.\n", ntohl(stats->len)); 2.211 2.212 - switch (ntohl(stats->primary_policy_code)) 2.213 - { 2.214 + switch (ntohl(stats->primary_policy_code)) { 2.215 case ACM_NULL_POLICY: 2.216 printf("NULL Policy: No statistics apply.\n"); 2.217 break; 2.218 @@ -414,8 +400,7 @@ int acm_domain_dumpstats(int xc_handle) 2.219 printf("UNKNOWN PRIMARY POLICY ERROR!\n"); 2.220 } 2.221 2.222 - switch (ntohl(stats->secondary_policy_code)) 2.223 - { 2.224 + switch (ntohl(stats->secondary_policy_code)) { 2.225 case ACM_NULL_POLICY: 2.226 printf("NULL Policy: No statistics apply.\n"); 2.227 break; 2.228 @@ -435,119 +420,6 @@ int acm_domain_dumpstats(int xc_handle) 2.229 } 2.230 return ret; 2.231 } 2.232 -/************************ get ssidref & types ******************************/ 2.233 -/* 2.234 - * the ssid (types) can be looked up either by domain id or by ssidref 2.235 - */ 2.236 -int acm_domain_getssid(int xc_handle, int argc, char * const argv[]) 2.237 -{ 2.238 - /* this includes header and a set of types */ 2.239 - #define MAX_SSIDBUFFER 2000 2.240 - int ret, i; 2.241 - struct acm_op op; 2.242 - struct acm_ssid_buffer *hdr; 2.243 - unsigned char *buf; 2.244 - int nice_print = 1; 2.245 - 2.246 - op.cmd = ACM_GETSSID; 2.247 - op.interface_version = ACM_INTERFACE_VERSION; 2.248 - op.u.getssid.get_ssid_by = UNSET; 2.249 - /* arguments 2.250 - -d ... domain id to look up 2.251 - -s ... ssidref number to look up 2.252 - -f ... formatted print (scripts depend on this format) 2.253 - */ 2.254 - while (1) 2.255 - { 2.256 - int c = getopt(argc, argv, "d:s:f"); 2.257 - if (c == -1) 2.258 - break; 2.259 - if (c == 'd') 2.260 - { 2.261 - if (op.u.getssid.get_ssid_by != UNSET) 2.262 - usage(argv[0]); 2.263 - op.u.getssid.get_ssid_by = DOMAINID; 2.264 - op.u.getssid.id.domainid = strtoul(optarg, NULL, 0); 2.265 - } 2.266 - else if (c== 's') 2.267 - { 2.268 - if (op.u.getssid.get_ssid_by != UNSET) 2.269 - usage(argv[0]); 2.270 - op.u.getssid.get_ssid_by = SSIDREF; 2.271 - op.u.getssid.id.ssidref = strtoul(optarg, NULL, 0); 2.272 - } 2.273 - else if (c== 'f') 2.274 - { 2.275 - nice_print = 0; 2.276 - } 2.277 - else 2.278 - usage(argv[0]); 2.279 - } 2.280 - if (op.u.getssid.get_ssid_by == UNSET) 2.281 - usage(argv[0]); 2.282 - 2.283 - buf = malloc(MAX_SSIDBUFFER); 2.284 - if (!buf) 2.285 - return -ENOMEM; 2.286 - 2.287 - /* dump it and then push it down into xen/acm */ 2.288 - op.u.getssid.ssidbuf = buf; /* out */ 2.289 - op.u.getssid.ssidbuf_size = MAX_SSIDBUFFER; 2.290 - ret = do_acm_op(xc_handle, &op); 2.291 - 2.292 - if (ret) 2.293 - { 2.294 - printf("ERROR getting ssidref. Try 'xm dmesg' to see details.\n"); 2.295 - goto out; 2.296 - } 2.297 - hdr = (struct acm_ssid_buffer *)buf; 2.298 - if (hdr->len > MAX_SSIDBUFFER) 2.299 - { 2.300 - printf("ERROR: Buffer length inconsistent (ret=%d, hdr->len=%d)!\n", 2.301 - ret, hdr->len); 2.302 - return -EIO; 2.303 - } 2.304 - if (nice_print) 2.305 - { 2.306 - printf("SSID: ssidref = 0x%08x \n", hdr->ssidref); 2.307 - printf(" P: %s, max_types = %d\n", 2.308 - ACM_POLICY_NAME(hdr->primary_policy_code), hdr->primary_max_types); 2.309 - printf(" Types: "); 2.310 - for (i=0; i< hdr->primary_max_types; i++) 2.311 - if (buf[hdr->primary_types_offset + i]) 2.312 - printf("%02x ", i); 2.313 - else 2.314 - printf("-- "); 2.315 - printf("\n"); 2.316 - 2.317 - printf(" S: %s, max_types = %d\n", 2.318 - ACM_POLICY_NAME(hdr->secondary_policy_code), hdr->secondary_max_types); 2.319 - printf(" Types: "); 2.320 - for (i=0; i< hdr->secondary_max_types; i++) 2.321 - if (buf[hdr->secondary_types_offset + i]) 2.322 - printf("%02x ", i); 2.323 - else 2.324 - printf("-- "); 2.325 - printf("\n"); 2.326 - } 2.327 - else 2.328 - { 2.329 - /* formatted print for use with scripts (.sh) 2.330 - * update scripts when updating here (usually 2.331 - * used in combination with -d to determine a 2.332 - * running domain's label 2.333 - */ 2.334 - printf("SSID: ssidref = 0x%08x \n", hdr->ssidref); 2.335 - } 2.336 - 2.337 - /* return ste ssidref */ 2.338 - if (hdr->primary_policy_code == ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY) 2.339 - ret = (hdr->ssidref) & 0xffff; 2.340 - else if (hdr->secondary_policy_code == ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY) 2.341 - ret = (hdr->ssidref) >> 16; 2.342 - out: 2.343 - return ret; 2.344 -} 2.345 2.346 /***************************** main **************************************/ 2.347 2.348 @@ -559,8 +431,7 @@ int main(int argc, char **argv) 2.349 if (argc < 2) 2.350 usage(argv[0]); 2.351 2.352 - if ((acm_cmd_fd = open("/proc/xen/privcmd", O_RDONLY)) <= 0) 2.353 - { 2.354 + if ((acm_cmd_fd = open("/proc/xen/privcmd", O_RDONLY)) <= 0) { 2.355 printf("ERROR: Could not open xen privcmd device!\n"); 2.356 exit(-1); 2.357 } 2.358 @@ -577,8 +448,6 @@ int main(int argc, char **argv) 2.359 if (argc != 2) 2.360 usage(argv[0]); 2.361 ret = acm_domain_dumpstats(acm_cmd_fd); 2.362 - } else if (!strcmp(argv[1], "getssid")) { 2.363 - ret = acm_domain_getssid(acm_cmd_fd, argc, argv); 2.364 } else 2.365 usage(argv[0]); 2.366
3.1 --- a/tools/security/secpol_xml2bin.c Mon Apr 24 10:51:20 2006 +0100 3.2 +++ b/tools/security/secpol_xml2bin.c Mon Apr 24 10:51:50 2006 +0100 3.3 @@ -101,22 +101,30 @@ int have_chwall = 0; 3.4 3.5 /* input/output file names */ 3.6 char *policy_filename = NULL, 3.7 - *label_filename = NULL, 3.8 - *binary_filename = NULL, *mapping_filename = NULL, 3.9 - *schema_filename = NULL; 3.10 + *binary_filename = NULL, 3.11 + *mapping_filename = NULL, *schema_filename = NULL; 3.12 + 3.13 +char *policy_reference_name = NULL; 3.14 + 3.15 +void walk_labels(xmlNode * start, xmlDocPtr doc, unsigned long state); 3.16 3.17 void usage(char *prg) 3.18 { 3.19 printf("Usage: %s [OPTIONS] POLICYNAME\n", prg); 3.20 - printf("POLICYNAME is the directory name within the policy directory\n"); 3.21 - printf("that contains the policy files. The default policy directory\n"); 3.22 - printf("is '%s' (see the '-d' option below to change it)\n", POLICY_DIR); 3.23 - printf("The policy files contained in the POLICYNAME directory must be named:\n"); 3.24 + printf 3.25 + ("POLICYNAME is the directory name within the policy directory\n"); 3.26 + printf 3.27 + ("that contains the policy files. The default policy directory\n"); 3.28 + printf("is '%s' (see the '-d' option below to change it)\n", 3.29 + POLICY_DIR); 3.30 + printf 3.31 + ("The policy files contained in the POLICYNAME directory must be named:\n"); 3.32 printf("\tPOLICYNAME-security_policy.xml\n"); 3.33 printf("\tPOLICYNAME-security_label_template.xml\n\n"); 3.34 printf("OPTIONS:\n"); 3.35 printf("\t-d POLICYDIR\n"); 3.36 - printf("\t\tUse POLICYDIR as the policy directory. This directory must contain\n"); 3.37 + printf 3.38 + ("\t\tUse POLICYDIR as the policy directory. This directory must contain\n"); 3.39 printf("\t\tthe policy schema file 'security_policy.xsd'\n"); 3.40 exit(EXIT_FAILURE); 3.41 } 3.42 @@ -147,8 +155,7 @@ struct type_entry *lookup(struct tailhea 3.43 int add_entry(struct tailhead *head, char *name, type_t mapping) 3.44 { 3.45 struct type_entry *e; 3.46 - if (lookup(head, name)) 3.47 - { 3.48 + if (lookup(head, name)) { 3.49 printf("Error: Type >%s< defined more than once.\n", name); 3.50 return -EFAULT; /* already in the list */ 3.51 } 3.52 @@ -204,16 +211,14 @@ int register_type(xmlNode * cur_node, xm 3.53 3.54 3.55 text = xmlNodeListGetString(doc, cur_node->xmlChildrenNode, 1); 3.56 - if (!text) 3.57 - { 3.58 + if (!text) { 3.59 printf("Error reading type name!\n"); 3.60 return -EFAULT; 3.61 } 3.62 3.63 switch (state) { 3.64 case XML2BIN_stetype_S: 3.65 - if (add_entry(&ste_head, (char *) text, max_ste_types)) 3.66 - { 3.67 + if (add_entry(&ste_head, (char *) text, max_ste_types)) { 3.68 xmlFree(text); 3.69 return -EFAULT; 3.70 } 3.71 @@ -221,8 +226,7 @@ int register_type(xmlNode * cur_node, xm 3.72 break; 3.73 3.74 case XML2BIN_chwalltype_S: 3.75 - if (add_entry(&chwall_head, (char *) text, max_chwall_types)) 3.76 - { 3.77 + if (add_entry(&chwall_head, (char *) text, max_chwall_types)) { 3.78 xmlFree(text); 3.79 return -EFAULT; 3.80 } 3.81 @@ -232,16 +236,15 @@ int register_type(xmlNode * cur_node, xm 3.82 case XML2BIN_conflictsettype_S: 3.83 /* a) search the type in the chwall_type list */ 3.84 e = lookup(&chwall_head, (char *) text); 3.85 - if (e == NULL) 3.86 - { 3.87 + if (e == NULL) { 3.88 printf("CS type >%s< not a CHWALL type.\n", text); 3.89 xmlFree(text); 3.90 return -EFAULT; 3.91 } 3.92 /* b) add type entry to the current cs set */ 3.93 - if (current_conflictset_p->row[e->mapping]) 3.94 - { 3.95 - printf("ERROR: Double entry of type >%s< in conflict set %d.\n", 3.96 + if (current_conflictset_p->row[e->mapping]) { 3.97 + printf 3.98 + ("ERROR: Double entry of type >%s< in conflict set %d.\n", 3.99 text, current_conflictset_p->num); 3.100 xmlFree(text); 3.101 return -EFAULT; 3.102 @@ -262,16 +265,15 @@ void set_component_type(xmlNode * cur_no 3.103 { 3.104 xmlChar *order; 3.105 3.106 - if ((order = xmlGetProp(cur_node, (xmlChar *) PRIMARY_COMPONENT_ATTR_NAME))) { 3.107 - if (strcmp((char *) order, PRIMARY_COMPONENT)) 3.108 - { 3.109 + if ((order = 3.110 + xmlGetProp(cur_node, (xmlChar *) PRIMARY_COMPONENT_ATTR_NAME))) { 3.111 + if (strcmp((char *) order, PRIMARY_COMPONENT)) { 3.112 printf("ERROR: Illegal attribut value >order=%s<.\n", 3.113 (char *) order); 3.114 xmlFree(order); 3.115 exit(EXIT_FAILURE); 3.116 } 3.117 - if (primary != NULLPOLICY) 3.118 - { 3.119 + if (primary != NULLPOLICY) { 3.120 printf("ERROR: Primary Policy Component set twice!\n"); 3.121 exit(EXIT_FAILURE); 3.122 } 3.123 @@ -285,10 +287,8 @@ void walk_policy(xmlNode * start, xmlDoc 3.124 xmlNode *cur_node = NULL; 3.125 int code; 3.126 3.127 - for (cur_node = start; cur_node; cur_node = cur_node->next) 3.128 - { 3.129 - if ((code = totoken((char *) cur_node->name)) < 0) 3.130 - { 3.131 + for (cur_node = start; cur_node; cur_node = cur_node->next) { 3.132 + if ((code = totoken((char *) cur_node->name)) < 0) { 3.133 printf("Unknown token: >%s<. Aborting.\n", cur_node->name); 3.134 exit(EXIT_FAILURE); 3.135 } 3.136 @@ -297,13 +297,32 @@ void walk_policy(xmlNode * start, xmlDoc 3.137 case XML2BIN_STETYPES: 3.138 case XML2BIN_CHWALLTYPES: 3.139 case XML2BIN_CONFLICTSETS: 3.140 + case XML2BIN_POLICYHEADER: 3.141 walk_policy(cur_node->children, doc, state | (1 << code)); 3.142 break; 3.143 3.144 + case XML2BIN_POLICYNAME: /* get policy reference name .... */ 3.145 + if (state != XML2BIN_PN_S) { 3.146 + printf("ERROR: >Url< >%s< out of context.\n", 3.147 + (char *) xmlNodeListGetString(doc, 3.148 + cur_node-> 3.149 + xmlChildrenNode, 1)); 3.150 + exit(EXIT_FAILURE); 3.151 + } 3.152 + policy_reference_name = (char *) 3.153 + xmlNodeListGetString(doc, cur_node->xmlChildrenNode, 1); 3.154 + if (!policy_reference_name) { 3.155 + printf("ERROR: empty >policy reference name (Url)<!\n"); 3.156 + exit(EXIT_FAILURE); 3.157 + } else 3.158 + printf("Policy Reference name (Url): %s\n", 3.159 + policy_reference_name); 3.160 + break; 3.161 + 3.162 case XML2BIN_STE: 3.163 - if (WRITTEN_AGAINST_ACM_STE_VERSION != ACM_STE_VERSION) 3.164 - { 3.165 - printf("ERROR: This program was written against another STE version.\n"); 3.166 + if (WRITTEN_AGAINST_ACM_STE_VERSION != ACM_STE_VERSION) { 3.167 + printf 3.168 + ("ERROR: This program was written against another STE version.\n"); 3.169 exit(EXIT_FAILURE); 3.170 } 3.171 have_ste = 1; 3.172 @@ -312,9 +331,9 @@ void walk_policy(xmlNode * start, xmlDoc 3.173 break; 3.174 3.175 case XML2BIN_CHWALL: 3.176 - if (WRITTEN_AGAINST_ACM_CHWALL_VERSION != ACM_CHWALL_VERSION) 3.177 - { 3.178 - printf("ERROR: This program was written against another CHWALL version.\n"); 3.179 + if (WRITTEN_AGAINST_ACM_CHWALL_VERSION != ACM_CHWALL_VERSION) { 3.180 + printf 3.181 + ("ERROR: This program was written against another CHWALL version.\n"); 3.182 exit(EXIT_FAILURE); 3.183 } 3.184 have_chwall = 1; 3.185 @@ -328,8 +347,7 @@ void walk_policy(xmlNode * start, xmlDoc 3.186 if (!current_conflictset_name) 3.187 current_conflictset_name = ""; 3.188 3.189 - if (init_next_conflictset()) 3.190 - { 3.191 + if (init_next_conflictset()) { 3.192 printf 3.193 ("ERROR: creating new conflictset structure failed.\n"); 3.194 exit(EXIT_FAILURE); 3.195 @@ -343,14 +361,18 @@ void walk_policy(xmlNode * start, xmlDoc 3.196 /* type leaf */ 3.197 break; 3.198 3.199 + case XML2BIN_LABELTEMPLATE: /* handle in second pass */ 3.200 case XML2BIN_TEXT: 3.201 case XML2BIN_COMMENT: 3.202 - case XML2BIN_POLICYHEADER: 3.203 + case XML2BIN_DATE: 3.204 + case XML2BIN_REFERENCE: 3.205 + case XML2BIN_NSURL: /* for future use: where to find global label / type name mappings */ 3.206 + case XML2BIN_URL: /* for future use: where to find policy */ 3.207 /* leaf - nothing to do */ 3.208 break; 3.209 3.210 default: 3.211 - printf("Unkonwn token Error (%d)\n", code); 3.212 + printf("Unkonwn token Error (%d) in Policy\n", code); 3.213 exit(EXIT_FAILURE); 3.214 } 3.215 3.216 @@ -358,21 +380,21 @@ void walk_policy(xmlNode * start, xmlDoc 3.217 return; 3.218 } 3.219 3.220 -int create_type_mapping(xmlDocPtr doc) 3.221 +void init_type_mapping(void) 3.222 { 3.223 - xmlNode *root_element = xmlDocGetRootElement(doc); 3.224 - struct type_entry *te; 3.225 - struct ssid_entry *se; 3.226 - int i; 3.227 - 3.228 printf("Creating ssid mappings ...\n"); 3.229 3.230 /* initialize the ste and chwall type lists */ 3.231 TAILQ_INIT(&ste_head); 3.232 TAILQ_INIT(&chwall_head); 3.233 TAILQ_INIT(&conflictsets_head); 3.234 +} 3.235 3.236 - walk_policy(root_element, doc, XML2BIN_NULL); 3.237 +void post_type_mapping(void) 3.238 +{ 3.239 + struct type_entry *te; 3.240 + struct ssid_entry *se; 3.241 + int i; 3.242 3.243 /* determine primary/secondary policy component orders */ 3.244 if ((primary == NULLPOLICY) && have_chwall) 3.245 @@ -400,19 +422,17 @@ int create_type_mapping(xmlDocPtr doc) 3.246 } 3.247 3.248 if (!DEBUG) 3.249 - return 0; 3.250 + return; 3.251 3.252 /* print queues */ 3.253 - if (have_ste) 3.254 - { 3.255 + if (have_ste) { 3.256 printf("STE-Type queue (%s):\n", 3.257 (primary == STE) ? "PRIMARY" : "SECONDARY"); 3.258 for (te = ste_head.tqh_first; te != NULL; 3.259 te = te->entries.tqe_next) 3.260 printf("name=%22s, map=%x\n", te->name, te->mapping); 3.261 } 3.262 - if (have_chwall) 3.263 - { 3.264 + if (have_chwall) { 3.265 printf("CHWALL-Type queue (%s):\n", 3.266 (primary == CHWALL) ? "PRIMARY" : "SECONDARY"); 3.267 for (te = chwall_head.tqh_first; te != NULL; 3.268 @@ -421,8 +441,7 @@ int create_type_mapping(xmlDocPtr doc) 3.269 3.270 printf("Conflictset queue (max=%d):\n", max_conflictsets); 3.271 for (se = conflictsets_head.tqh_first; se != NULL; 3.272 - se = se->entries.tqe_next) 3.273 - { 3.274 + se = se->entries.tqe_next) { 3.275 printf("conflictset name >%s<\n", 3.276 se->name ? se->name : "NONAME"); 3.277 for (i = 0; i < max_chwall_types; i++) 3.278 @@ -431,7 +450,6 @@ int create_type_mapping(xmlDocPtr doc) 3.279 printf("\n"); 3.280 } 3.281 } 3.282 - return 0; 3.283 } 3.284 3.285 3.286 @@ -554,8 +572,7 @@ int add_type(xmlNode * cur_node, xmlDocP 3.287 struct type_entry *e; 3.288 3.289 text = xmlNodeListGetString(doc, cur_node->xmlChildrenNode, 1); 3.290 - if (!text) 3.291 - { 3.292 + if (!text) { 3.293 printf("Error reading type name!\n"); 3.294 return -EFAULT; 3.295 } 3.296 @@ -564,8 +581,7 @@ int add_type(xmlNode * cur_node, xmlDocP 3.297 case XML2BIN_VM_STE_S: 3.298 case XML2BIN_RES_STE_S: 3.299 /* lookup the type mapping and include the type mapping into the array */ 3.300 - if (!(e = lookup(&ste_head, (char *) text))) 3.301 - { 3.302 + if (!(e = lookup(&ste_head, (char *) text))) { 3.303 printf("ERROR: unknown VM STE type >%s<.\n", text); 3.304 exit(EXIT_FAILURE); 3.305 } 3.306 @@ -577,8 +593,7 @@ int add_type(xmlNode * cur_node, xmlDocP 3.307 3.308 case XML2BIN_VM_CHWALL_S: 3.309 /* lookup the type mapping and include the type mapping into the array */ 3.310 - if (!(e = lookup(&chwall_head, (char *) text))) 3.311 - { 3.312 + if (!(e = lookup(&chwall_head, (char *) text))) { 3.313 printf("ERROR: unknown VM CHWALL type >%s<.\n", text); 3.314 exit(EXIT_FAILURE); 3.315 } 3.316 @@ -602,8 +617,9 @@ void set_bootstrap_label(xmlNode * cur_n 3.317 { 3.318 xmlChar *order; 3.319 3.320 - if ((order = xmlGetProp(cur_node, (xmlChar *) BOOTSTRAP_LABEL_ATTR_NAME))) 3.321 - bootstrap_label = (char *)order; 3.322 + if ((order = 3.323 + xmlGetProp(cur_node, (xmlChar *) BOOTSTRAP_LABEL_ATTR_NAME))) 3.324 + bootstrap_label = (char *) order; 3.325 else { 3.326 printf("ERROR: No bootstrap label defined!\n"); 3.327 exit(EXIT_FAILURE); 3.328 @@ -615,45 +631,40 @@ void walk_labels(xmlNode * start, xmlDoc 3.329 xmlNode *cur_node = NULL; 3.330 int code; 3.331 3.332 - for (cur_node = start; cur_node; cur_node = cur_node->next) 3.333 - { 3.334 - if ((code = totoken((char *) cur_node->name)) < 0) 3.335 - { 3.336 + for (cur_node = start; cur_node; cur_node = cur_node->next) { 3.337 + if ((code = totoken((char *) cur_node->name)) < 0) { 3.338 printf("Unkonwn token: >%s<. Aborting.\n", cur_node->name); 3.339 exit(EXIT_FAILURE); 3.340 } 3.341 switch (code) { /* adjust state to new state */ 3.342 - 3.343 case XML2BIN_SUBJECTS: 3.344 set_bootstrap_label(cur_node); 3.345 /* fall through */ 3.346 + case XML2BIN_SECPOL: 3.347 + case XML2BIN_LABELTEMPLATE: 3.348 case XML2BIN_VM: 3.349 case XML2BIN_RES: 3.350 - case XML2BIN_SECTEMPLATE: 3.351 case XML2BIN_OBJECTS: 3.352 walk_labels(cur_node->children, doc, state | (1 << code)); 3.353 break; 3.354 3.355 case XML2BIN_STETYPES: 3.356 /* create new ssid entry to use and point current to it */ 3.357 - if (init_next_ste_ssid(state)) 3.358 - { 3.359 + if (init_next_ste_ssid(state)) { 3.360 printf("ERROR: creating new ste ssid structure failed.\n"); 3.361 exit(EXIT_FAILURE); 3.362 } 3.363 walk_labels(cur_node->children, doc, state | (1 << code)); 3.364 - 3.365 break; 3.366 3.367 case XML2BIN_CHWALLTYPES: 3.368 /* create new ssid entry to use and point current to it */ 3.369 - if (init_next_chwall_ssid(state)) 3.370 - { 3.371 - printf("ERROR: creating new chwall ssid structure failed.\n"); 3.372 + if (init_next_chwall_ssid(state)) { 3.373 + printf 3.374 + ("ERROR: creating new chwall ssid structure failed.\n"); 3.375 exit(EXIT_FAILURE); 3.376 } 3.377 walk_labels(cur_node->children, doc, state | (1 << code)); 3.378 - 3.379 break; 3.380 3.381 case XML2BIN_TYPE: 3.382 @@ -663,115 +674,66 @@ void walk_labels(xmlNode * start, xmlDoc 3.383 break; 3.384 3.385 case XML2BIN_NAME: 3.386 - if ((state != XML2BIN_VM_S) && (state != XML2BIN_RES_S)) 3.387 - { 3.388 - printf("ERROR: >name< out of VM/RES context.\n"); 3.389 - exit(EXIT_FAILURE); 3.390 - } 3.391 - current_ssid_name = (char *) 3.392 - xmlNodeListGetString(doc, cur_node->xmlChildrenNode, 1); 3.393 - 3.394 - if (!current_ssid_name) 3.395 - { 3.396 - printf("ERROR: empty >name<!\n"); 3.397 + if ((state == XML2BIN_VM_S) || (state == XML2BIN_RES_S)) { 3.398 + current_ssid_name = (char *) 3.399 + xmlNodeListGetString(doc, cur_node->xmlChildrenNode, 3.400 + 1); 3.401 + if (!current_ssid_name) { 3.402 + printf("ERROR: empty >vm/res name<!\n"); 3.403 + exit(EXIT_FAILURE); 3.404 + } 3.405 + } else { 3.406 + printf 3.407 + ("ERROR: >name< >%s< out of context (state = 0x%lx.\n", 3.408 + (char *) xmlNodeListGetString(doc, 3.409 + cur_node-> 3.410 + xmlChildrenNode, 1), 3.411 + state); 3.412 exit(EXIT_FAILURE); 3.413 } 3.414 break; 3.415 3.416 case XML2BIN_TEXT: 3.417 case XML2BIN_COMMENT: 3.418 - case XML2BIN_LABELHEADER: 3.419 + case XML2BIN_POLICYHEADER: 3.420 + case XML2BIN_STE: 3.421 + case XML2BIN_CHWALL: 3.422 break; 3.423 3.424 default: 3.425 - printf("Unkonwn token Error (%d)\n", code); 3.426 + printf("Unkonwn token Error (%d) in Label Template\n", code); 3.427 exit(EXIT_FAILURE); 3.428 } 3.429 - 3.430 } 3.431 return; 3.432 } 3.433 3.434 -/* this function walks through a ssid queue 3.435 - * and transforms double entries into references 3.436 - * of the first definition (we need to keep the 3.437 - * entry to map labels but we don't want double 3.438 - * ssids in the binary policy 3.439 - */ 3.440 -void 3.441 -remove_doubles(struct tailhead_ssid *head, 3.442 - u_int32_t max_types, u_int32_t * max_ssids) 3.443 -{ 3.444 - struct ssid_entry *np, *ni; 3.445 - 3.446 - /* walk once through the list */ 3.447 - for (np = head->tqh_first; np != NULL; np = np->entries.tqe_next) 3.448 - { 3.449 - /* now search from the start until np for the same entry */ 3.450 - for (ni = head->tqh_first; ni != np; ni = ni->entries.tqe_next) 3.451 - { 3.452 - if (ni->is_ref) 3.453 - continue; 3.454 - if (memcmp(np->row, ni->row, max_types)) 3.455 - continue; 3.456 - /* found one, set np reference to ni */ 3.457 - np->is_ref = 1; 3.458 - np->num = ni->num; 3.459 - (*max_ssids)--; 3.460 - } 3.461 - } 3.462 - 3.463 - /* now minimize the ssid numbers used (doubles introduce holes) */ 3.464 - (*max_ssids) = 0; /* reset */ 3.465 - 3.466 - for (np = head->tqh_first; np != NULL; np = np->entries.tqe_next) 3.467 - { 3.468 - if (np->is_ref) 3.469 - continue; 3.470 - 3.471 - if (np->num != (*max_ssids)) { 3.472 - /* first reset all later references to the new max_ssid */ 3.473 - for (ni = np->entries.tqe_next; ni != NULL; ni = ni->entries.tqe_next) 3.474 - { 3.475 - if (ni->num == np->num) 3.476 - ni->num = (*max_ssids); 3.477 - } 3.478 - /* now reset num */ 3.479 - np->num = (*max_ssids)++; 3.480 - } 3.481 - else 3.482 - (*max_ssids)++; 3.483 - } 3.484 -} 3.485 - 3.486 /* 3.487 * will go away as soon as we have non-static bootstrap ssidref for dom0 3.488 */ 3.489 void fixup_bootstrap_label(struct tailhead_ssid *head, 3.490 - u_int32_t max_types, u_int32_t * max_ssids) 3.491 + u_int32_t max_types, u_int32_t * max_ssids) 3.492 { 3.493 struct ssid_entry *np; 3.494 int i; 3.495 3.496 /* should not happen if xml / xsd checks work */ 3.497 - if (!bootstrap_label) 3.498 - { 3.499 + if (!bootstrap_label) { 3.500 printf("ERROR: No bootstrap label defined.\n"); 3.501 exit(EXIT_FAILURE); 3.502 } 3.503 3.504 /* search bootstrap_label */ 3.505 - for (np = head->tqh_first; np != NULL; np = np->entries.tqe_next) 3.506 - { 3.507 - if (!strcmp(np->name, bootstrap_label)) 3.508 - { 3.509 + for (np = head->tqh_first; np != NULL; np = np->entries.tqe_next) { 3.510 + if (!strcmp(np->name, bootstrap_label)) { 3.511 break; 3.512 } 3.513 } 3.514 3.515 if (!np) { 3.516 /* bootstrap label not found */ 3.517 - printf("ERROR: Bootstrap label >%s< not found.\n", bootstrap_label); 3.518 + printf("ERROR: Bootstrap label >%s< not found.\n", 3.519 + bootstrap_label); 3.520 exit(EXIT_FAILURE); 3.521 } 3.522 3.523 @@ -781,16 +743,14 @@ void fixup_bootstrap_label(struct tailhe 3.524 TAILQ_INSERT_AFTER(head, head->tqh_first, np, entries); 3.525 3.526 /* renumber the ssids (we could also just switch places with 1st element) */ 3.527 - for (np = head->tqh_first, i=0; np != NULL; np = np->entries.tqe_next, i++) 3.528 - np->num = i; 3.529 + for (np = head->tqh_first, i = 0; np != NULL; 3.530 + np = np->entries.tqe_next, i++) 3.531 + np->num = i; 3.532 3.533 } 3.534 3.535 -int create_ssid_mapping(xmlDocPtr doc) 3.536 +void init_label_mapping(void) 3.537 { 3.538 - xmlNode *root_element = xmlDocGetRootElement(doc); 3.539 - struct ssid_entry *np; 3.540 - int i; 3.541 3.542 printf("Creating label mappings ...\n"); 3.543 /* initialize the ste and chwall type lists */ 3.544 @@ -798,14 +758,16 @@ int create_ssid_mapping(xmlDocPtr doc) 3.545 TAILQ_INIT(&ste_ssid_head); 3.546 3.547 /* init with default ssids */ 3.548 - if (init_ssid_queues()) 3.549 - { 3.550 + if (init_ssid_queues()) { 3.551 printf("ERROR adding default ssids.\n"); 3.552 exit(EXIT_FAILURE); 3.553 } 3.554 +} 3.555 3.556 - /* now walk the template DOM tree and fill in ssids */ 3.557 - walk_labels(root_element, doc, XML2BIN_NULL); 3.558 +void post_label_mapping(void) 3.559 +{ 3.560 + struct ssid_entry *np; 3.561 + int i; 3.562 3.563 /* 3.564 * now sort bootstrap label to the head of the list 3.565 @@ -814,30 +776,20 @@ int create_ssid_mapping(xmlDocPtr doc) 3.566 */ 3.567 if (have_chwall) 3.568 fixup_bootstrap_label(&chwall_ssid_head, max_chwall_types, 3.569 - &max_chwall_ssids); 3.570 + &max_chwall_ssids); 3.571 if (have_ste) 3.572 fixup_bootstrap_label(&ste_ssid_head, max_ste_types, 3.573 - &max_ste_ssids); 3.574 - 3.575 - /* remove any double entries (insert reference instead) */ 3.576 - if (have_chwall) 3.577 - remove_doubles(&chwall_ssid_head, max_chwall_types, 3.578 - &max_chwall_ssids); 3.579 - if (have_ste) 3.580 - remove_doubles(&ste_ssid_head, max_ste_types, 3.581 - &max_ste_ssids); 3.582 + &max_ste_ssids); 3.583 3.584 if (!DEBUG) 3.585 - return 0; 3.586 + return; 3.587 3.588 /* print queues */ 3.589 - if (have_chwall) 3.590 - { 3.591 + if (have_chwall) { 3.592 printf("CHWALL SSID queue (max ssidrefs=%d):\n", max_chwall_ssids); 3.593 np = NULL; 3.594 for (np = chwall_ssid_head.tqh_first; np != NULL; 3.595 - np = np->entries.tqe_next) 3.596 - { 3.597 + np = np->entries.tqe_next) { 3.598 printf("SSID #%02u (Label=%s)\n", np->num, np->name); 3.599 if (np->is_ref) 3.600 printf("REFERENCE"); 3.601 @@ -848,13 +800,11 @@ int create_ssid_mapping(xmlDocPtr doc) 3.602 printf("\n\n"); 3.603 } 3.604 } 3.605 - if (have_ste) 3.606 - { 3.607 + if (have_ste) { 3.608 printf("STE SSID queue (max ssidrefs=%d):\n", max_ste_ssids); 3.609 np = NULL; 3.610 for (np = ste_ssid_head.tqh_first; np != NULL; 3.611 - np = np->entries.tqe_next) 3.612 - { 3.613 + np = np->entries.tqe_next) { 3.614 printf("SSID #%02u (Label=%s)\n", np->num, np->name); 3.615 if (np->is_ref) 3.616 printf("REFERENCE"); 3.617 @@ -865,7 +815,19 @@ int create_ssid_mapping(xmlDocPtr doc) 3.618 printf("\n\n"); 3.619 } 3.620 } 3.621 - return 0; 3.622 +} 3.623 + 3.624 +void create_mappings(xmlDocPtr doc) 3.625 +{ 3.626 + xmlNode *doc_root_node = xmlDocGetRootElement(doc); 3.627 + 3.628 + /* walk the XML policy tree and fill in types and labels */ 3.629 + init_type_mapping(); 3.630 + walk_policy(doc_root_node, doc, XML2BIN_NULL); /* first pass: types */ 3.631 + post_type_mapping(); 3.632 + init_label_mapping(); 3.633 + walk_labels(doc_root_node, doc, XML2BIN_NULL); /* second pass: labels */ 3.634 + post_label_mapping(); 3.635 } 3.636 3.637 /***************** writing the binary policy *********************/ 3.638 @@ -888,19 +850,16 @@ int write_mapping(char *filename) 3.639 if ((file = fopen(filename, "w")) == NULL) 3.640 return -EIO; 3.641 3.642 + fprintf(file, "POLICYREFERENCENAME %s\n", policy_reference_name); 3.643 fprintf(file, "MAGIC %08x\n", ACM_MAGIC); 3.644 - fprintf(file, "POLICY %s\n", 3.645 - basename(policy_filename)); 3.646 - fprintf(file, "BINARY %s\n", 3.647 - basename(binary_filename)); 3.648 - if (have_chwall) 3.649 - { 3.650 + fprintf(file, "POLICY FILE %s\n", policy_filename); 3.651 + fprintf(file, "BINARY FILE %s\n", binary_filename); 3.652 + if (have_chwall) { 3.653 fprintf(file, "MAX-CHWALL-TYPES %08x\n", max_chwall_types); 3.654 fprintf(file, "MAX-CHWALL-SSIDS %08x\n", max_chwall_ssids); 3.655 fprintf(file, "MAX-CHWALL-LABELS %08x\n", max_chwall_labels); 3.656 } 3.657 - if (have_ste) 3.658 - { 3.659 + if (have_ste) { 3.660 fprintf(file, "MAX-STE-TYPES %08x\n", max_ste_types); 3.661 fprintf(file, "MAX-STE-SSIDS %08x\n", max_ste_ssids); 3.662 fprintf(file, "MAX-STE-LABELS %08x\n", max_ste_labels); 3.663 @@ -939,11 +898,9 @@ int write_mapping(char *filename) 3.664 fprintf(file, "\n"); 3.665 3.666 /* first labels to ssid mappings */ 3.667 - if (have_chwall) 3.668 - { 3.669 + if (have_chwall) { 3.670 for (e = chwall_ssid_head.tqh_first; e != NULL; 3.671 - e = e->entries.tqe_next) 3.672 - { 3.673 + e = e->entries.tqe_next) { 3.674 fprintf(file, "LABEL->SSID %s CHWALL %-25s %8x\n", 3.675 (e->type == 3.676 VM) ? "VM " : ((e->type == RES) ? "RES" : "ANY"), 3.677 @@ -951,11 +908,9 @@ int write_mapping(char *filename) 3.678 } 3.679 fprintf(file, "\n"); 3.680 } 3.681 - if (have_ste) 3.682 - { 3.683 + if (have_ste) { 3.684 for (e = ste_ssid_head.tqh_first; e != NULL; 3.685 - e = e->entries.tqe_next) 3.686 - { 3.687 + e = e->entries.tqe_next) { 3.688 fprintf(file, "LABEL->SSID %s STE %-25s %8x\n", 3.689 (e->type == 3.690 VM) ? "VM " : ((e->type == RES) ? "RES" : "ANY"), 3.691 @@ -965,11 +920,9 @@ int write_mapping(char *filename) 3.692 } 3.693 3.694 /* second ssid to type mappings */ 3.695 - if (have_chwall) 3.696 - { 3.697 + if (have_chwall) { 3.698 for (e = chwall_ssid_head.tqh_first; e != NULL; 3.699 - e = e->entries.tqe_next) 3.700 - { 3.701 + e = e->entries.tqe_next) { 3.702 if (e->is_ref) 3.703 continue; 3.704 3.705 @@ -985,8 +938,7 @@ int write_mapping(char *filename) 3.706 } 3.707 if (have_ste) { 3.708 for (e = ste_ssid_head.tqh_first; e != NULL; 3.709 - e = e->entries.tqe_next) 3.710 - { 3.711 + e = e->entries.tqe_next) { 3.712 if (e->is_ref) 3.713 continue; 3.714 3.715 @@ -1001,18 +953,15 @@ int write_mapping(char *filename) 3.716 fprintf(file, "\n"); 3.717 } 3.718 /* third type mappings */ 3.719 - if (have_chwall) 3.720 - { 3.721 - for (t = chwall_head.tqh_first; t != NULL; t = t->entries.tqe_next) 3.722 - { 3.723 + if (have_chwall) { 3.724 + for (t = chwall_head.tqh_first; t != NULL; t = t->entries.tqe_next) { 3.725 fprintf(file, "TYPE CHWALL %-25s %8x\n", 3.726 t->name, t->mapping); 3.727 } 3.728 fprintf(file, "\n"); 3.729 } 3.730 if (have_ste) { 3.731 - for (t = ste_head.tqh_first; t != NULL; t = t->entries.tqe_next) 3.732 - { 3.733 + for (t = ste_head.tqh_first; t != NULL; t = t->entries.tqe_next) { 3.734 fprintf(file, "TYPE STE %-25s %8x\n", 3.735 t->name, t->mapping); 3.736 } 3.737 @@ -1022,6 +971,38 @@ int write_mapping(char *filename) 3.738 return 0; 3.739 } 3.740 3.741 + 3.742 +unsigned char *write_policy_reference_binary(u_int32_t * len_pr) 3.743 +{ 3.744 + unsigned char *buf, *ptr; 3.745 + struct acm_policy_reference_buffer *pr_header; 3.746 + u_int32_t len; 3.747 + 3.748 + if (policy_reference_name == NULL) { 3.749 + printf("ERROR: No policy reference name found.\n"); 3.750 + exit(EXIT_FAILURE); 3.751 + } 3.752 + len = (sizeof(struct acm_policy_reference_buffer) + 3.753 + strlen(policy_reference_name) + 1); 3.754 + buf = malloc(len); 3.755 + ptr = buf; 3.756 + 3.757 + if (!buf) { 3.758 + printf 3.759 + ("ERROR: out of memory allocating label reference buffer.\n"); 3.760 + exit(EXIT_FAILURE); 3.761 + } 3.762 + pr_header = (struct acm_policy_reference_buffer *) buf; 3.763 + pr_header->len = 3.764 + htonl(strlen(policy_reference_name) + 1 /* strend \'0' */ ); 3.765 + ptr += sizeof(struct acm_policy_reference_buffer); 3.766 + strcpy((char *) ptr, policy_reference_name); 3.767 + 3.768 + (*len_pr) = len; 3.769 + return buf; 3.770 +} 3.771 + 3.772 + 3.773 unsigned char *write_chwall_binary(u_int32_t * len_chwall) 3.774 { 3.775 unsigned char *buf, *ptr; 3.776 @@ -1040,8 +1021,7 @@ unsigned char *write_chwall_binary(u_int 3.777 buf = malloc(len); 3.778 ptr = buf; 3.779 3.780 - if (!buf) 3.781 - { 3.782 + if (!buf) { 3.783 printf("ERROR: out of memory allocating chwall buffer.\n"); 3.784 exit(EXIT_FAILURE); 3.785 } 3.786 @@ -1058,14 +1038,13 @@ unsigned char *write_chwall_binary(u_int 3.787 chwall_header->chwall_conflict_sets_offset = 3.788 htonl(ntohl(chwall_header->chwall_ssid_offset) + 3.789 sizeof(domaintype_t) * max_chwall_ssids * max_chwall_types); 3.790 - chwall_header->chwall_running_types_offset = 0; /* not set, only retrieved */ 3.791 - chwall_header->chwall_conflict_aggregate_offset = 0; /* not set, only retrieved */ 3.792 + chwall_header->chwall_running_types_offset = 0; 3.793 + chwall_header->chwall_conflict_aggregate_offset = 0; 3.794 ptr += sizeof(struct acm_chwall_policy_buffer); 3.795 3.796 /* types */ 3.797 for (e = chwall_ssid_head.tqh_first; e != NULL; 3.798 - e = e->entries.tqe_next) 3.799 - { 3.800 + e = e->entries.tqe_next) { 3.801 if (e->is_ref) 3.802 continue; 3.803 3.804 @@ -1077,16 +1056,14 @@ unsigned char *write_chwall_binary(u_int 3.805 3.806 /* conflictsets */ 3.807 for (e = conflictsets_head.tqh_first; e != NULL; 3.808 - e = e->entries.tqe_next) 3.809 - { 3.810 + e = e->entries.tqe_next) { 3.811 for (i = 0; i < max_chwall_types; i++) 3.812 ((type_t *) ptr)[i] = htons((type_t) e->row[i]); 3.813 3.814 ptr += sizeof(type_t) * max_chwall_types; 3.815 } 3.816 3.817 - if ((ptr - buf) != len) 3.818 - { 3.819 + if ((ptr - buf) != len) { 3.820 printf("ERROR: wrong lengths in %s.\n", __func__); 3.821 exit(EXIT_FAILURE); 3.822 } 3.823 @@ -1112,8 +1089,7 @@ unsigned char *write_ste_binary(u_int32_ 3.824 buf = malloc(len); 3.825 ptr = buf; 3.826 3.827 - if (!buf) 3.828 - { 3.829 + if (!buf) { 3.830 printf("ERROR: out of memory allocating chwall buffer.\n"); 3.831 exit(EXIT_FAILURE); 3.832 } 3.833 @@ -1130,8 +1106,7 @@ unsigned char *write_ste_binary(u_int32_ 3.834 ptr += sizeof(struct acm_ste_policy_buffer); 3.835 3.836 /* types */ 3.837 - for (e = ste_ssid_head.tqh_first; e != NULL; e = e->entries.tqe_next) 3.838 - { 3.839 + for (e = ste_ssid_head.tqh_first; e != NULL; e = e->entries.tqe_next) { 3.840 if (e->is_ref) 3.841 continue; 3.842 3.843 @@ -1141,8 +1116,7 @@ unsigned char *write_ste_binary(u_int32_ 3.844 ptr += sizeof(type_t) * max_ste_types; 3.845 } 3.846 3.847 - if ((ptr - buf) != len) 3.848 - { 3.849 + if ((ptr - buf) != len) { 3.850 printf("ERROR: wrong lengths in %s.\n", __func__); 3.851 exit(EXIT_FAILURE); 3.852 } 3.853 @@ -1153,16 +1127,21 @@ unsigned char *write_ste_binary(u_int32_ 3.854 int write_binary(char *filename) 3.855 { 3.856 struct acm_policy_buffer header; 3.857 - unsigned char *ste_buffer = NULL, *chwall_buffer = NULL; 3.858 + unsigned char *ste_buffer = NULL, *chwall_buffer = 3.859 + NULL, *policy_reference_buffer = NULL; 3.860 u_int32_t len; 3.861 - int fd; 3.862 + int fd, ret = 0; 3.863 3.864 - u_int32_t len_ste = 0, len_chwall = 0; /* length of policy components */ 3.865 + u_int32_t len_ste = 0, len_chwall = 0, len_pr = 0; /* length of policy components */ 3.866 3.867 /* open binary file */ 3.868 - if ((fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR)) <= 0) 3.869 - return -EIO; 3.870 - 3.871 + if ((fd = 3.872 + open(filename, O_WRONLY | O_CREAT | O_TRUNC, 3.873 + S_IRUSR | S_IWUSR)) <= 0) { 3.874 + ret = -EIO; 3.875 + goto out1; 3.876 + } 3.877 + policy_reference_buffer = write_policy_reference_binary(&len_pr); 3.878 ste_buffer = write_ste_binary(&len_ste); 3.879 chwall_buffer = write_chwall_binary(&len_chwall); 3.880 3.881 @@ -1175,24 +1154,26 @@ int write_binary(char *filename) 3.882 len += len_chwall; 3.883 if (have_ste) 3.884 len += len_ste; 3.885 + len += len_pr; /* policy reference is mandatory */ 3.886 header.len = htonl(len); 3.887 3.888 - header.primary_buffer_offset = htonl(sizeof(struct acm_policy_buffer)); 3.889 - if (primary == CHWALL) 3.890 - { 3.891 + header.policy_reference_offset = 3.892 + htonl(sizeof(struct acm_policy_buffer)); 3.893 + 3.894 + header.primary_buffer_offset = 3.895 + htonl(sizeof(struct acm_policy_buffer) + len_pr); 3.896 + if (primary == CHWALL) { 3.897 header.primary_policy_code = htonl(ACM_CHINESE_WALL_POLICY); 3.898 header.secondary_buffer_offset = 3.899 - htonl((sizeof(struct acm_policy_buffer)) + len_chwall); 3.900 - } 3.901 - else if (primary == STE) 3.902 - { 3.903 + htonl((sizeof(struct acm_policy_buffer)) + len_pr + 3.904 + len_chwall); 3.905 + } else if (primary == STE) { 3.906 header.primary_policy_code = 3.907 htonl(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY); 3.908 header.secondary_buffer_offset = 3.909 - htonl((sizeof(struct acm_policy_buffer)) + len_ste); 3.910 - } 3.911 - else 3.912 - { 3.913 + htonl((sizeof(struct acm_policy_buffer)) + len_pr + 3.914 + len_ste); 3.915 + } else { 3.916 /* null policy */ 3.917 header.primary_policy_code = htonl(ACM_NULL_POLICY); 3.918 header.secondary_buffer_offset = 3.919 @@ -1208,36 +1189,52 @@ int write_binary(char *filename) 3.920 header.secondary_policy_code = htonl(ACM_NULL_POLICY); 3.921 3.922 if (write(fd, (void *) &header, sizeof(struct acm_policy_buffer)) 3.923 - != sizeof(struct acm_policy_buffer)) 3.924 - return -EIO; 3.925 + != sizeof(struct acm_policy_buffer)) { 3.926 + ret = -EIO; 3.927 + goto out1; 3.928 + } 3.929 3.930 + /* write label reference name */ 3.931 + if (write(fd, policy_reference_buffer, len_pr) != len_pr) { 3.932 + ret = -EIO; 3.933 + goto out1; 3.934 + } 3.935 /* write primary policy component */ 3.936 - if (primary == CHWALL) 3.937 - { 3.938 - if (write(fd, chwall_buffer, len_chwall) != len_chwall) 3.939 - return -EIO; 3.940 - } 3.941 - else if (primary == STE) 3.942 - { 3.943 - if (write(fd, ste_buffer, len_ste) != len_ste) 3.944 - return -EIO; 3.945 - } else 3.946 - ; /* NULL POLICY has no policy data */ 3.947 + if (primary == CHWALL) { 3.948 + if (write(fd, chwall_buffer, len_chwall) != len_chwall) { 3.949 + ret = -EIO; 3.950 + goto out1; 3.951 + } 3.952 + } else if (primary == STE) { 3.953 + if (write(fd, ste_buffer, len_ste) != len_ste) { 3.954 + ret = -EIO; 3.955 + goto out1; 3.956 + } 3.957 + } else; /* NULL POLICY has no policy data */ 3.958 3.959 /* write secondary policy component */ 3.960 - if (secondary == CHWALL) 3.961 - { 3.962 - if (write(fd, chwall_buffer, len_chwall) != len_chwall) 3.963 - return -EIO; 3.964 - } 3.965 - else if (secondary == STE) 3.966 - { 3.967 - if (write(fd, ste_buffer, len_ste) != len_ste) 3.968 - return -EIO; 3.969 + if (secondary == CHWALL) { 3.970 + if (write(fd, chwall_buffer, len_chwall) != len_chwall) { 3.971 + ret = -EIO; 3.972 + goto out1; 3.973 + } 3.974 + } else if (secondary == STE) { 3.975 + if (write(fd, ste_buffer, len_ste) != len_ste) { 3.976 + ret = -EIO; 3.977 + goto out1; 3.978 + } 3.979 } else; /* NULL POLICY has no policy data */ 3.980 3.981 + out1: 3.982 + /* cleanup */ 3.983 + if (policy_reference_buffer) 3.984 + free(policy_reference_buffer); 3.985 + if (chwall_buffer) 3.986 + free(chwall_buffer); 3.987 + if (ste_buffer) 3.988 + free(ste_buffer); 3.989 close(fd); 3.990 - return 0; 3.991 + return ret; 3.992 } 3.993 3.994 int is_valid(xmlDocPtr doc) 3.995 @@ -1253,18 +1250,15 @@ int is_valid(xmlDocPtr doc) 3.996 3.997 #ifdef VALIDATE_SCHEMA 3.998 /* only tested to be available from libxml2-2.6.20 upwards */ 3.999 - if ((err = xmlSchemaIsValid(schemavalid_ctxt)) != 1) 3.1000 - { 3.1001 + if ((err = xmlSchemaIsValid(schemavalid_ctxt)) != 1) { 3.1002 printf("ERROR: Invalid schema file %s (err=%d)\n", 3.1003 schema_filename, err); 3.1004 err = -EIO; 3.1005 goto out; 3.1006 - } 3.1007 - else 3.1008 + } else 3.1009 printf("XML Schema %s valid.\n", schema_filename); 3.1010 #endif 3.1011 - if ((err = xmlSchemaValidateDoc(schemavalid_ctxt, doc))) 3.1012 - { 3.1013 + if ((err = xmlSchemaValidateDoc(schemavalid_ctxt, doc))) { 3.1014 err = -EIO; 3.1015 goto out; 3.1016 } 3.1017 @@ -1277,10 +1271,9 @@ int is_valid(xmlDocPtr doc) 3.1018 3.1019 int main(int argc, char **argv) 3.1020 { 3.1021 - xmlDocPtr labeldoc = NULL; 3.1022 xmlDocPtr policydoc = NULL; 3.1023 3.1024 - int err = EXIT_SUCCESS; 3.1025 + int err = EXIT_FAILURE; 3.1026 3.1027 char *file_prefix; 3.1028 int prefix_len; 3.1029 @@ -1288,16 +1281,18 @@ int main(int argc, char **argv) 3.1030 int opt_char; 3.1031 char *policy_dir = POLICY_DIR; 3.1032 3.1033 - if (ACM_POLICY_VERSION != WRITTEN_AGAINST_ACM_POLICY_VERSION) 3.1034 - { 3.1035 - printf("ERROR: This program was written against an older ACM version.\n"); 3.1036 + if (ACM_POLICY_VERSION != WRITTEN_AGAINST_ACM_POLICY_VERSION) { 3.1037 + printf 3.1038 + ("ERROR: This program was written against an older ACM version.\n"); 3.1039 + printf("ERROR: ACM_POLICY_VERSION=%d, WRITTEN AGAINST= %d.\n", 3.1040 + ACM_POLICY_VERSION, WRITTEN_AGAINST_ACM_POLICY_VERSION); 3.1041 exit(EXIT_FAILURE); 3.1042 } 3.1043 3.1044 while ((opt_char = getopt(argc, argv, "d:")) != -1) { 3.1045 switch (opt_char) { 3.1046 case 'd': 3.1047 - policy_dir = malloc(strlen(optarg) + 2); // null terminator and possibly "/" 3.1048 + policy_dir = malloc(strlen(optarg) + 2); /* null terminator and possibly "/" */ 3.1049 if (!policy_dir) { 3.1050 printf("ERROR allocating directory name memory.\n"); 3.1051 exit(EXIT_FAILURE); 3.1052 @@ -1315,20 +1310,21 @@ int main(int argc, char **argv) 3.1053 if ((argc - optind) != 1) 3.1054 usage(basename(argv[0])); 3.1055 3.1056 - prefix_len = strlen(policy_dir) + 3.1057 - strlen(argv[optind]) + 1 /* "/" */ + 3.1058 - strlen(argv[optind]) + 1 /* null terminator */ ; 3.1059 + printf("arg=%s\n", argv[optind]); 3.1060 + 3.1061 + prefix_len = 3.1062 + strlen(policy_dir) + strlen(argv[optind]) + 3.1063 + 1 /* null terminator */ ; 3.1064 3.1065 file_prefix = malloc(prefix_len); 3.1066 policy_filename = malloc(prefix_len + strlen(POLICY_EXTENSION)); 3.1067 - label_filename = malloc(prefix_len + strlen(LABEL_EXTENSION)); 3.1068 binary_filename = malloc(prefix_len + strlen(BINARY_EXTENSION)); 3.1069 mapping_filename = malloc(prefix_len + strlen(MAPPING_EXTENSION)); 3.1070 - schema_filename = malloc(strlen(policy_dir) + strlen(SCHEMA_FILENAME) + 1); 3.1071 + schema_filename = 3.1072 + malloc(strlen(policy_dir) + strlen(SCHEMA_FILENAME) + 1); 3.1073 3.1074 - if (!file_prefix || !policy_filename || !label_filename || 3.1075 - !binary_filename || !mapping_filename || !schema_filename) 3.1076 - { 3.1077 + if (!file_prefix || !policy_filename || 3.1078 + !binary_filename || !mapping_filename || !schema_filename) { 3.1079 printf("ERROR allocating file name memory.\n"); 3.1080 goto out2; 3.1081 } 3.1082 @@ -1336,85 +1332,56 @@ int main(int argc, char **argv) 3.1083 /* create input/output filenames out of prefix */ 3.1084 strcpy(file_prefix, policy_dir); 3.1085 strcat(file_prefix, argv[optind]); 3.1086 - strcat(file_prefix, "/"); 3.1087 - strcat(file_prefix, argv[optind]); 3.1088 3.1089 strcpy(policy_filename, file_prefix); 3.1090 - strcpy(label_filename, file_prefix); 3.1091 strcpy(binary_filename, file_prefix); 3.1092 strcpy(mapping_filename, file_prefix); 3.1093 3.1094 strcat(policy_filename, POLICY_EXTENSION); 3.1095 - strcat(label_filename, LABEL_EXTENSION); 3.1096 strcat(binary_filename, BINARY_EXTENSION); 3.1097 strcat(mapping_filename, MAPPING_EXTENSION); 3.1098 3.1099 strcpy(schema_filename, policy_dir); 3.1100 strcat(schema_filename, SCHEMA_FILENAME); 3.1101 3.1102 - labeldoc = xmlParseFile(label_filename); 3.1103 - 3.1104 - if (labeldoc == NULL) 3.1105 - { 3.1106 - printf("Error: could not parse file %s.\n", argv[optind]); 3.1107 - goto out2; 3.1108 - } 3.1109 - 3.1110 - printf("Validating label file %s...\n", label_filename); 3.1111 - if (!is_valid(labeldoc)) 3.1112 - { 3.1113 - printf("ERROR: Failed schema-validation for file %s (err=%d)\n", 3.1114 - label_filename, err); 3.1115 - goto out1; 3.1116 - } 3.1117 - 3.1118 policydoc = xmlParseFile(policy_filename); 3.1119 3.1120 - if (policydoc == NULL) 3.1121 - { 3.1122 + if (policydoc == NULL) { 3.1123 printf("Error: could not parse file %s.\n", argv[optind]); 3.1124 - goto out1; 3.1125 + goto out; 3.1126 } 3.1127 3.1128 printf("Validating policy file %s...\n", policy_filename); 3.1129 3.1130 - if (!is_valid(policydoc)) 3.1131 - { 3.1132 + if (!is_valid(policydoc)) { 3.1133 printf("ERROR: Failed schema-validation for file %s (err=%d)\n", 3.1134 policy_filename, err); 3.1135 goto out; 3.1136 } 3.1137 3.1138 - /* Init queues and parse policy */ 3.1139 - create_type_mapping(policydoc); 3.1140 - 3.1141 - /* create ssids */ 3.1142 - create_ssid_mapping(labeldoc); 3.1143 + /* create mappings */ 3.1144 + create_mappings(policydoc); 3.1145 3.1146 /* write label mapping file */ 3.1147 - if (write_mapping(mapping_filename)) 3.1148 - { 3.1149 + if (write_mapping(mapping_filename)) { 3.1150 printf("ERROR: writing mapping file %s.\n", mapping_filename); 3.1151 goto out; 3.1152 } 3.1153 3.1154 /* write binary file */ 3.1155 - if (write_binary(binary_filename)) 3.1156 - { 3.1157 + if (write_binary(binary_filename)) { 3.1158 printf("ERROR: writing binary file %s.\n", binary_filename); 3.1159 goto out; 3.1160 } 3.1161 - 3.1162 + err = EXIT_SUCCESS; 3.1163 /* write stats */ 3.1164 - if (have_chwall) 3.1165 - { 3.1166 + if (have_chwall) { 3.1167 printf("Max chwall labels: %u\n", max_chwall_labels); 3.1168 printf("Max chwall-types: %u\n", max_chwall_types); 3.1169 printf("Max chwall-ssids: %u\n", max_chwall_ssids); 3.1170 } 3.1171 3.1172 - if (have_ste) 3.1173 - { 3.1174 + if (have_ste) { 3.1175 printf("Max ste labels: %u\n", max_ste_labels); 3.1176 printf("Max ste-types: %u\n", max_ste_types); 3.1177 printf("Max ste-ssids: %u\n", max_ste_ssids); 3.1178 @@ -1422,10 +1389,17 @@ int main(int argc, char **argv) 3.1179 /* cleanup */ 3.1180 out: 3.1181 xmlFreeDoc(policydoc); 3.1182 - out1: 3.1183 - xmlFreeDoc(labeldoc); 3.1184 out2: 3.1185 xmlCleanupParser(); 3.1186 return err; 3.1187 } 3.1188 3.1189 +/* 3.1190 + * Local variables: 3.1191 + * mode: C 3.1192 + * c-set-style: "BSD" 3.1193 + * c-basic-offset: 4 3.1194 + * tab-width: 4 3.1195 + * indent-tabs-mode: nil 3.1196 + * End: 3.1197 + */
4.1 --- a/tools/security/secpol_xml2bin.h Mon Apr 24 10:51:20 2006 +0100 4.2 +++ b/tools/security/secpol_xml2bin.h Mon Apr 24 10:51:50 2006 +0100 4.3 @@ -12,37 +12,41 @@ 4.4 * License. 4.5 * 4.6 */ 4.7 -#define POLICY_DIR "/etc/xen/acm-security/policies/" 4.8 -#define POLICY_EXTENSION "-security_policy.xml" 4.9 -#define LABEL_EXTENSION "-security_label_template.xml" 4.10 -#define BINARY_EXTENSION ".bin" 4.11 -#define MAPPING_EXTENSION ".map" 4.12 -#define PRIMARY_COMPONENT_ATTR_NAME "order" 4.13 -#define BOOTSTRAP_LABEL_ATTR_NAME "bootstrap" 4.14 -#define PRIMARY_COMPONENT "PrimaryPolicyComponent" 4.15 -#define SCHEMA_FILENAME "security_policy.xsd" 4.16 +#define POLICY_DIR "/etc/xen/acm-security/policies/" 4.17 +#define POLICY_EXTENSION "-security_policy.xml" 4.18 +#define BINARY_EXTENSION ".bin" 4.19 +#define MAPPING_EXTENSION ".map" 4.20 +#define PRIMARY_COMPONENT_ATTR_NAME "order" 4.21 +#define BOOTSTRAP_LABEL_ATTR_NAME "bootstrap" 4.22 +#define PRIMARY_COMPONENT "PrimaryPolicyComponent" 4.23 +#define SCHEMA_FILENAME "security_policy.xsd" 4.24 4.25 /* basic states (used as 1 << X) */ 4.26 -#define XML2BIN_SECPOL 0 /* policy tokens */ 4.27 -#define XML2BIN_STE 1 4.28 +#define ENDOFLIST_POS 22 /* ADAPT!! this position will be NULL; stay below 32 (bit) */ 4.29 +#define XML2BIN_SECPOL 0 /* policy tokens */ 4.30 +#define XML2BIN_STE 1 4.31 #define XML2BIN_CHWALL 2 4.32 -#define XML2BIN_CONFLICTSETS 3 4.33 -#define XML2BIN_CSTYPE 4 4.34 +#define XML2BIN_CONFLICTSETS 3 4.35 +#define XML2BIN_CSTYPE 4 4.36 +#define XML2BIN_POLICYHEADER 5 4.37 +#define XML2BIN_NSURL 6 4.38 +#define XML2BIN_POLICYNAME 7 4.39 +#define XML2BIN_URL 8 4.40 +#define XML2BIN_REFERENCE 9 4.41 +#define XML2BIN_DATE 10 4.42 4.43 -#define XML2BIN_SECTEMPLATE 5 /* label tokens */ 4.44 -#define XML2BIN_POLICYHEADER 6 4.45 -#define XML2BIN_LABELHEADER 7 4.46 -#define XML2BIN_SUBJECTS 8 4.47 -#define XML2BIN_OBJECTS 9 4.48 -#define XML2BIN_VM 10 4.49 -#define XML2BIN_RES 11 4.50 +#define XML2BIN_LABELTEMPLATE 11 /* label tokens */ 4.51 +#define XML2BIN_SUBJECTS 12 4.52 +#define XML2BIN_OBJECTS 13 4.53 +#define XML2BIN_VM 14 4.54 +#define XML2BIN_RES 15 4.55 +#define XML2BIN_NAME 16 4.56 4.57 -#define XML2BIN_STETYPES 12 /* shared tokens */ 4.58 -#define XML2BIN_CHWALLTYPES 13 4.59 -#define XML2BIN_TYPE 14 4.60 -#define XML2BIN_NAME 15 4.61 -#define XML2BIN_TEXT 16 4.62 -#define XML2BIN_COMMENT 17 4.63 +#define XML2BIN_STETYPES 17 /* shared tokens */ 4.64 +#define XML2BIN_CHWALLTYPES 18 4.65 +#define XML2BIN_TYPE 19 4.66 +#define XML2BIN_TEXT 20 4.67 +#define XML2BIN_COMMENT 21 4.68 4.69 /* type "data type" (currently 16bit) */ 4.70 typedef u_int16_t type_t; 4.71 @@ -51,27 +55,34 @@ typedef u_int16_t type_t; 4.72 * state constants and token positions must be * 4.73 * in sync for correct state recognition */ 4.74 4.75 -char *token[20] = /* parser triggers */ 4.76 +char *token[32] = /* parser triggers */ 4.77 { 4.78 - [0] = "SecurityPolicyDefinition", /* policy xml */ 4.79 - [1] = "SimpleTypeEnforcement", 4.80 - [2] = "ChineseWall", 4.81 - [3] = "ConflictSets", 4.82 - [4] = "Conflict", /* label-template xml */ 4.83 - [5] = "SecurityLabelTemplate", 4.84 - [6] = "PolicyHeader", 4.85 - [7] = "LabelHeader", 4.86 - [8] = "SubjectLabels", 4.87 - [9] = "ObjectLabels", 4.88 - [10] = "VirtualMachineLabel", 4.89 - [11] = "ResourceLabel", 4.90 - [12] = "SimpleTypeEnforcementTypes", /* common tags */ 4.91 - [13] = "ChineseWallTypes", 4.92 - [14] = "Type", 4.93 - [15] = "Name", 4.94 - [16] = "text", 4.95 - [17] = "comment", 4.96 - [18] = NULL, 4.97 + [XML2BIN_SECPOL] = "SecurityPolicyDefinition", /* policy xml */ 4.98 + [XML2BIN_STE] = "SimpleTypeEnforcement", 4.99 + [XML2BIN_CHWALL] = "ChineseWall", 4.100 + [XML2BIN_CONFLICTSETS] = "ConflictSets", 4.101 + [XML2BIN_CSTYPE] = "Conflict", 4.102 + [XML2BIN_POLICYHEADER] = "PolicyHeader", 4.103 + [XML2BIN_NSURL] = "NameSpaceUrl", 4.104 + [XML2BIN_POLICYNAME] = "PolicyName", 4.105 + [XML2BIN_URL] = "PolicyUrl", 4.106 + [XML2BIN_REFERENCE] = "Reference", 4.107 + [XML2BIN_DATE] = "Date", 4.108 + 4.109 + [XML2BIN_LABELTEMPLATE] = "SecurityLabelTemplate", /* label-template xml */ 4.110 + [XML2BIN_SUBJECTS] = "SubjectLabels", 4.111 + [XML2BIN_OBJECTS] = "ObjectLabels", 4.112 + [XML2BIN_VM] = "VirtualMachineLabel", 4.113 + [XML2BIN_RES] = "ResourceLabel", 4.114 + [XML2BIN_NAME] = "Name", 4.115 + 4.116 + [XML2BIN_STETYPES] = "SimpleTypeEnforcementTypes", /* common tags */ 4.117 + [XML2BIN_CHWALLTYPES] = "ChineseWallTypes", 4.118 + [XML2BIN_TYPE] = "Type", 4.119 + [XML2BIN_TEXT] = "text", 4.120 + [XML2BIN_COMMENT] = "comment", 4.121 + [ENDOFLIST_POS] = NULL /* End of LIST, adapt ENDOFLIST_POS 4.122 + when adding entries */ 4.123 }; 4.124 4.125 /* important combined states */ 4.126 @@ -82,47 +93,53 @@ char *token[20] = 4.127 /* e.g., here we are in a <secpol,ste,stetypes> environment, * 4.128 * so when finding a type element, we know where to put it */ 4.129 #define XML2BIN_stetype_S ((1 << XML2BIN_SECPOL) | \ 4.130 - (1 << XML2BIN_STE) | \ 4.131 - (1 << XML2BIN_STETYPES)) 4.132 + (1 << XML2BIN_STE) | \ 4.133 + (1 << XML2BIN_STETYPES)) 4.134 4.135 #define XML2BIN_chwalltype_S ((1 << XML2BIN_SECPOL) | \ 4.136 - (1 << XML2BIN_CHWALL) | \ 4.137 - (1 << XML2BIN_CHWALLTYPES)) 4.138 + (1 << XML2BIN_CHWALL) | \ 4.139 + (1 << XML2BIN_CHWALLTYPES)) 4.140 4.141 #define XML2BIN_conflictset_S ((1 << XML2BIN_SECPOL) | \ 4.142 - (1 << XML2BIN_CHWALL) | \ 4.143 - (1 << XML2BIN_CONFLICTSETS)) 4.144 + (1 << XML2BIN_CHWALL) | \ 4.145 + (1 << XML2BIN_CONFLICTSETS)) 4.146 4.147 #define XML2BIN_conflictsettype_S ((1 << XML2BIN_SECPOL) | \ 4.148 - (1 << XML2BIN_CHWALL) | \ 4.149 - (1 << XML2BIN_CONFLICTSETS) | \ 4.150 - (1 << XML2BIN_CSTYPE)) 4.151 + (1 << XML2BIN_CHWALL) | \ 4.152 + (1 << XML2BIN_CONFLICTSETS) | \ 4.153 + (1 << XML2BIN_CSTYPE)) 4.154 4.155 +#define XML2BIN_PN_S ((1 << XML2BIN_SECPOL) | \ 4.156 + (1 << XML2BIN_POLICYHEADER)) 4.157 4.158 /* label xml states */ 4.159 -#define XML2BIN_VM_S ((1 << XML2BIN_SECTEMPLATE) | \ 4.160 - (1 << XML2BIN_SUBJECTS) | \ 4.161 - (1 << XML2BIN_VM)) 4.162 +#define XML2BIN_VM_S ((1 << XML2BIN_SECPOL) | \ 4.163 + (1 << XML2BIN_LABELTEMPLATE) | \ 4.164 + (1 << XML2BIN_SUBJECTS) | \ 4.165 + (1 << XML2BIN_VM)) 4.166 4.167 -#define XML2BIN_RES_S ((1 << XML2BIN_SECTEMPLATE) | \ 4.168 - (1 << XML2BIN_OBJECTS) | \ 4.169 - (1 << XML2BIN_RES)) 4.170 +#define XML2BIN_RES_S ((1 << XML2BIN_SECPOL) | \ 4.171 + (1 << XML2BIN_LABELTEMPLATE) | \ 4.172 + (1 << XML2BIN_OBJECTS) | \ 4.173 + (1 << XML2BIN_RES)) 4.174 4.175 -#define XML2BIN_VM_STE_S ((1 << XML2BIN_SECTEMPLATE) | \ 4.176 - (1 << XML2BIN_SUBJECTS) | \ 4.177 - (1 << XML2BIN_VM) | \ 4.178 - (1 << XML2BIN_STETYPES)) 4.179 +#define XML2BIN_VM_STE_S ((1 << XML2BIN_SECPOL) | \ 4.180 + (1 << XML2BIN_LABELTEMPLATE) | \ 4.181 + (1 << XML2BIN_SUBJECTS) | \ 4.182 + (1 << XML2BIN_VM) | \ 4.183 + (1 << XML2BIN_STETYPES)) 4.184 4.185 -#define XML2BIN_VM_CHWALL_S ((1 << XML2BIN_SECTEMPLATE) | \ 4.186 - (1 << XML2BIN_SUBJECTS) | \ 4.187 - (1 << XML2BIN_VM) | \ 4.188 - (1 << XML2BIN_CHWALLTYPES)) 4.189 +#define XML2BIN_VM_CHWALL_S ((1 << XML2BIN_SECPOL) | \ 4.190 + (1 << XML2BIN_LABELTEMPLATE) | \ 4.191 + (1 << XML2BIN_SUBJECTS) | \ 4.192 + (1 << XML2BIN_VM) | \ 4.193 + (1 << XML2BIN_CHWALLTYPES)) 4.194 4.195 -#define XML2BIN_RES_STE_S ((1 << XML2BIN_SECTEMPLATE) | \ 4.196 - (1 << XML2BIN_OBJECTS) | \ 4.197 - (1 << XML2BIN_RES) | \ 4.198 - (1 << XML2BIN_STETYPES)) 4.199 - 4.200 +#define XML2BIN_RES_STE_S ((1 << XML2BIN_SECPOL) | \ 4.201 + (1 << XML2BIN_LABELTEMPLATE) | \ 4.202 + (1 << XML2BIN_OBJECTS) | \ 4.203 + (1 << XML2BIN_RES) | \ 4.204 + (1 << XML2BIN_STETYPES)) 4.205 4.206 4.207 /* check versions of headers against which the 4.208 @@ -130,7 +147,7 @@ char *token[20] = 4.209 */ 4.210 4.211 /* protects from unnoticed changes in struct acm_policy_buffer */ 4.212 -#define WRITTEN_AGAINST_ACM_POLICY_VERSION 1 4.213 +#define WRITTEN_AGAINST_ACM_POLICY_VERSION 2 4.214 4.215 /* protects from unnoticed changes in struct acm_chwall_policy_buffer */ 4.216 #define WRITTEN_AGAINST_ACM_CHWALL_VERSION 1