ia64/xen-unstable

changeset 6280:bf1746842c46

merge?
author cl349@firebug.cl.cam.ac.uk
date Fri Aug 19 12:22:27 2005 +0000 (2005-08-19)
parents a86fb4df3bdd 7b6f55756f9c
children 188c782fa9bb
files Config.mk docs/src/user.tex linux-2.6-xen-sparse/arch/xen/i386/kernel/swiotlb.c linux-2.6-xen-sparse/arch/xen/kernel/reboot.c linux-2.6-xen-sparse/arch/xen/x86_64/kernel/setup64.c linux-2.6-xen-sparse/drivers/xen/blkback/Makefile linux-2.6-xen-sparse/drivers/xen/blkback/blkback.c linux-2.6-xen-sparse/drivers/xen/blkback/common.h linux-2.6-xen-sparse/drivers/xen/blkback/interface.c linux-2.6-xen-sparse/drivers/xen/blkback/vbd.c linux-2.6-xen-sparse/drivers/xen/blkfront/blkfront.c linux-2.6-xen-sparse/drivers/xen/blkfront/block.h linux-2.6-xen-sparse/drivers/xen/blkfront/vbd.c patches/linux-2.6.12/workaround_double_br_del_if.patch tools/python/xen/xend/XendDomainInfo.py tools/security/Makefile tools/security/example.txt tools/security/install.txt tools/security/policies/chwall/chwall-security_label_template.xml tools/security/policies/chwall/chwall-security_policy.xml tools/security/policies/chwall_ste/chwall_ste-security_label_template.xml tools/security/policies/chwall_ste/chwall_ste-security_policy.xml tools/security/policies/null/null-security_label_template.xml tools/security/policies/null/null-security_policy.xml tools/security/policies/security_policy.xsd tools/security/policies/ste/ste-security_label_template.xml tools/security/policies/ste/ste-security_policy.xml tools/security/policy.txt tools/security/readme.txt tools/security/secpol_compat.h tools/security/secpol_tool.c tools/security/secpol_xml2bin.c tools/security/secpol_xml2bin.h tools/security/setlabel.sh tools/security/updategrub.sh xen/Rules.mk xen/arch/x86/domain_build.c xen/common/lib.c xen/include/public/io/blkif.h
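--- a/Config.mk
+++ b/Config.mk
@@ -35,3 +35,11 @@ CFLAGS += $(foreach i, $(EXTRA_INCLUDES)
 
 # Choose the best mirror to download linux kernel
 KERNEL_REPO = http://www.kernel.org
+
+# ACM_USE_SECURITY_POLICY is set to security policy of Xen
+# Supported models are:
+#	ACM_NULL_POLICY (ACM will not be built with this policy)
+#	ACM_CHINESE_WALL_POLICY
+#	ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY
+#	ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY
+ACM_USE_SECURITY_POLICY ?= ACM_NULL_POLICY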
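Review bot: The comment block above `ACM_USE_SECURITY_POLICY ?= ACM_NULL_POLICY` lists the models but does not say how the setting is meant to be overridden or what happens with a value outside the list. Because the assignment uses `?=`, a variable of the same name already exported in the build environment silently selects the hypervisor's access-control model, and nothing in this hunk validates it (whether xen/Rules.mk does is not visible here). I would add a line such as `# Override on the make command line; the value must be one of the four names above.` and, since the readme removed in this changeset states that a binary policy loaded at boot must be of the type the hypervisor was compiled for, a pointer to the tools/security documentation next to the setting.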
     2.1 --- a/docs/misc/shype4xen_readme.txt	Fri Aug 19 12:21:29 2005 +0000
     2.2 +++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
     2.3 @@ -1,588 +0,0 @@
     2.4 -Copyright: IBM Corporation (C)
     2.5 -20 June 2005
     2.6 -Author: Reiner Sailer
     2.7 -
     2.8 -This document is a very short introduction into the sHype access control 
     2.9 -security architecture implementation and how it is perceived by users. It 
    2.10 -is a very preliminary draft  for the courageous ones to get "their feet wet" 
    2.11 -and to be able to give feedback (via the xen-devel/xense-devel mailing lists).
    2.12 -
    2.13 -Install:
    2.14 -
    2.15 -cd into xeno-unstable.bk 
    2.16 -(use --dry-run option if you want to test the patch only)
    2.17 -patch -p1 -g0 < *tools.diff
    2.18 -patch -p1 -g0 < *xen.diff
    2.19 -
    2.20 -(no rejects, probably some line offsets)
    2.21 -
    2.22 -make uninstall; make mrproper; make; ./install.sh should install the default 
    2.23 -sHype into Xen (rebuild your initrd images if necessary). Reboot.
    2.24 -
    2.25 -Debug output: there are two triggers for debug output:
    2.26 -a) General sHype debug:
    2.27 -    xeno-unstable.bk/xen/include/public/acm.h
    2.28 -    undefine ACM_DEBUG to switch this debug off
    2.29 -
    2.30 -b) sHype enforcement hook trace: This prints a small trace for each enforcement 
    2.31 -hook that is executed. The trigger is in
    2.32 -    xeno-unstable.bk/xen/include/acm/acm_hooks.h
    2.33 -    undefine ACM_TRACE_MODE to switch this debug off
    2.34 -
    2.35 -1. The default NULL policy
    2.36 -***************************
    2.37 -When you apply the patches and startup xen, you should at first not notice any 
    2.38 -difference because the default policy is the "NULL" policy, which as the name 
    2.39 -implies does not enforce anything.
    2.40 -
    2.41 -To display the currently enforced policy, use the policy tool under xeno-
    2.42 -unstable.bk/tools/policy: policy_tool getpolicy. You should see output like the 
    2.43 -one below.
    2.44 -
    2.45 -[root@laptop policy]#./policy_tool getpolicy
    2.46 -
    2.47 -Policy dump:
    2.48 -============
    2.49 -Magic     = 1debc.
    2.50 -PolVer    = aaaa0000.
    2.51 -Len       = 14.
    2.52 -Primary   = NULL policy (c=0, off=14).
    2.53 -Secondary = NULL policy (c=0, off=14).
    2.54 -No primary policy (NULL).
    2.55 -No secondary policy (NULL).
    2.56 -
    2.57 -Policy dump End.
    2.58 -
    2.59 -Since this is a dump of a binary policy, it's not pretty. The important parts 
    2.60 -are the "Primary" and "Secondary" policy fields set to "NULL policy". sHype 
    2.61 -currently allows to set two independent policies; thus the two SSID-REF parts 
    2.62 -shown in 'xm list'. Right here: primary policy only means this policy is 
    2.63 -checked first, the secondary policy is checked if the primary results in 
    2.64 -"permitted access". The result of the combined policy is "permitted" if both 
    2.65 -policies return permitted (NULL policy always returns permitted). The result is 
    2.66 -"denied" if at least one of the policies returns "denied". Look into xeno-
    2.67 -unstable.bk/xen/include/acm/acm_hooks.h for the general hook structure 
    2.68 -integrating the policy decisions (if you like, you won't need it for the rest 
    2.69 -of the Readme file).
    2.70 -
    2.71 -2. Setting Chinese Wall and Simple Type Enforcement policies:
    2.72 -*************************************************************
    2.73 -
    2.74 -We'll get fast to the point. However, in order to understand what we are doing, 
    2.75 -we must at least understand the purpose of the policies that we are going to 
    2.76 -enforce. The two policies presented here are just examples and the 
    2.77 -implementation encourages adding new policies easily.
    2.78 -
    2.79 -2.1. Chinese Wall policy: "decides whether a domain can be started based on 
    2.80 -this domain's ssidref and the ssidrefs of the currently running domains". 
    2.81 -Generally, the Chinese wall policy allows specifying certain types (or classes 
    2.82 -or categories, whatever the preferred word) that conflict; we usually assign a 
    2.83 -type to a workload and the set of types of those workloads running in a domain 
    2.84 -make up the type set for this domain.  Each domain is assigned a set of types 
    2.85 -through its SSID-REF (we register Chinese Wall as primary policy, so the 
    2.86 -ssidref used for determining the Chinese Wall types is the one annotated with 
    2.87 -"p:" in xm list) since each SSID-REF points at a set of types. We'll see how 
    2.88 -SSIDREFs are represented in Xen later when we will look at the policy. (A good 
    2.89 -read for Chinese Wall is: Brewer/Nash The Chinese Wall Security Policy 1989.)
    2.90 -
    2.91 -So let's assume the Chinese Wall policy we are running distinguishes 10 types: 
    2.92 -t0 ... t9. Let us assume further that each SSID-REF points to a set that 
    2.93 -includes exactly one type (attached to domains that run workloads of a single 
    2.94 -type). SSID-REF 0 points to {t0}, ssidref 1 points to {t1} ... 9 points to 
    2.95 -{t9}. [This is actually the example policy we are going to push into xen later]
    2.96 -
    2.97 -Now the Chinese Wall policy allows you to define "Conflict type sets" and it 
    2.98 -guarantees that of any conflict set at most one type is "running" at any time. 
    2.99 -As an example, we have defined 2 conflict set: {t2, t3} and {t0, t5, t6}. 
   2.100 -Specifying these conflict sets, sHype ensures that at most one type of each set 
   2.101 -is running (either t2 or t3 but not both; either t0 or t5 or t6 but not 
   2.102 -multiple of them).
   2.103 -
   2.104 -The effect is that administrators can define which workload types cannot run 
   2.105 -simultaneously on a single Xen system. This is useful to limit the covert 
   2.106 -timing channels between such payloads or to ensure that payloads don't 
   2.107 -interfere with each other through existing resource dependencies.
   2.108 -
   2.109 -2.2. Simple Type Enforcement (ste) policy: "decides whether two domains can 
   2.110 -share data, e.g., setup event channels or grant tables to each other, based on 
   2.111 -the two domains' ssidref. This, as the name says, is a simple policy. Think of 
   2.112 -each type as of a single color. Each domain has one or more colors, i.e., the 
   2.113 -domains ssid for the ste policy points to a set that has set one or multiple 
   2.114 -types. Let us assume in our example policy we differentiate 5 colors (types) 
   2.115 -and define 5 different ssids referenced by ssidref=0..4. Each ssid shall have 
   2.116 -exactly one type set, i.e., describes a uni-color. Only ssid(0) has all types 
   2.117 -set, i.e., has all defined colors.
   2.118 -
   2.119 -Sharing is enforced by the ste policy by requiring that two domains that want 
   2.120 -to establish an event channel or grant pages to each other must have a common 
   2.121 -color. Currently all domains communicate through DOM0 by default; i.e., Domain0 
   2.122 -will necessarily have all colors to be able to create domains (thus, we will 
   2.123 -assign ssidref(0) to Domain0 in our example below.
   2.124 -
   2.125 -More complex mandatory access control policies governing sharing will follow; 
   2.126 -such policies are more sophisticated than the "color" scheme above by allowing 
   2.127 -more flexible (and complex :_) access control decisions than "share a color" or 
   2.128 -"don't share a color" and will be able to express finer-grained policies.
   2.129 -
   2.130 -
   2.131 -2.3 Binary Policy:
   2.132 -In the future, we will have a policy tool that takes as input a more humane 
   2.133 -policy description, using types such as development, home-banking, donated-
   2.134 -Grid, CorpA-Payload ... and translates the respective policy into what we see 
   2.135 -today as the binary policy using 1s and 0s and sets of them. For now, we must 
   2.136 -live with the binary policy when working with sHype.
   2.137 -
   2.138 -    
   2.139 -2.4 Exemplary use of a real sHype policy on Xen. To activate a real policy, 
   2.140 -edit the file (yes, this will soon be a compile option):
   2.141 -  xeno-unstable.bk/xen/include/public/acm.h
   2.142 -  Change: #define ACM_USE_SECURITY_POLICY ACM_NULL_POLICY
   2.143 -   To : #define ACM_USE_SECURITY_POLICY ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY
   2.144 -   cd xeno-unstable.bk
   2.145 -   make mrproper
   2.146 -   make uninstall (manually remove /etc/xen.old if necessary)
   2.147 -   make
   2.148 -   ./install.sh      (recreate your kernel initrd's if necessary)
   2.149 -   Reboot into new xen.gz
   2.150 -     
   2.151 -After booting, check out 'xm dmesg'; should show somewhere in the middle:
   2.152 -
   2.153 -(XEN) acm_init: Enforcing Primary CHINESE WALL policy, Secondary SIMPLE TYPE 
   2.154 -ENFORCEMENT policy.
   2.155 -
   2.156 -Even though you can activate those policies in any combination and also 
   2.157 -independently, the policy tool currently only supports setting the policy for 
   2.158 -the above combination.
   2.159 -
   2.160 -Now look at the minimal startup policy with:
   2.161 -                xeno-unstable.bk/tools/policytool getpolicy
   2.162 -
   2.163 -You should see something like:
   2.164 -
   2.165 -[root@laptop policy]# ./policy_tool getpolicy
   2.166 -
   2.167 -Policy dump:
   2.168 -============
   2.169 -Magic     = 1debc.
   2.170 -PolVer    = aaaa0000.
   2.171 -Len       = 36.
   2.172 -Primary   = CHINESE WALL policy (c=1, off=14).
   2.173 -Secondary = SIMPLE TYPE ENFORCEMENT policy (c=2, off=2c).
   2.174 -
   2.175 -
   2.176 -Chinese Wall policy:
   2.177 -====================
   2.178 -Max Types     = 1.
   2.179 -Max Ssidrefs  = 1.
   2.180 -Max ConfSets  = 1.
   2.181 -Ssidrefs Off  = 10.
   2.182 -Conflicts Off = 12.
   2.183 -Runing T. Off = 14.
   2.184 -C. Agg. Off   = 16.
   2.185 -
   2.186 -SSID To CHWALL-Type matrix:
   2.187 -
   2.188 -   ssidref 0:  00 
   2.189 -
   2.190 -Confict Sets:
   2.191 -
   2.192 -   c-set 0:    00 
   2.193 -
   2.194 -Running
   2.195 -Types:         00 
   2.196 -
   2.197 -Conflict
   2.198 -Aggregate Set: 00 
   2.199 -
   2.200 -
   2.201 -Simple Type Enforcement policy:
   2.202 -===============================
   2.203 -Max Types     = 1.
   2.204 -Max Ssidrefs  = 1.
   2.205 -Ssidrefs Off  = 8.
   2.206 -
   2.207 -SSID To STE-Type matrix:
   2.208 -
   2.209 -   ssidref 0: 01 
   2.210 -
   2.211 -
   2.212 -Policy dump End.
   2.213 -
   2.214 -This is a minimal policy (of little use), except it will disable starting any 
   2.215 -domain that does not have ssidref set to 0x0. The Chinese Wall policy has 
   2.216 -nothing to enforce and the ste policy only knows one type, which is set for the 
   2.217 -only defined ssidref.
   2.218 -
   2.219 -The item that defines the ssidref in a domain configuration is:
   2.220 -
   2.221 -ssidref = 0x12345678
   2.222 -
   2.223 -Where ssidref is interpreted as a 32bit number, where the lower 16bits become 
   2.224 -the ssidref for the primary policy and the higher 16bits become the ssidref for 
   2.225 -the secondary policy. sHype currently supports two policies but this is an 
   2.226 -implementation decision and can be extended if necessary.
   2.227 -
   2.228 -This reference defines the security information of a domain. The meaning of the 
   2.229 -SSID-REF depends on the policy, so we explain it when we explain the real 
   2.230 -policies.
   2.231 -
   2.232 -
   2.233 -Setting a new Security Policy:
   2.234 -******************************
   2.235 -The policy tool with all its current limitations has one usable example policy 
   2.236 -compiled-in. Please try at this time to use the setpolicy command:
   2.237 -       xeno-unstable.bk/tools/policy/policy_tool setpolicy
   2.238 -
   2.239 -You should see a dump of the policy you are setting. It should say at the very 
   2.240 -end: 
   2.241 -
   2.242 -Policy successfully set.
   2.243 -
   2.244 -Now try to dump the currently enforced policy, which is the policy we have just 
   2.245 -set and the dynamic security state information of this policy 
   2.246 -(<<< ... some additional explanations)
   2.247 -
   2.248 -[root@laptop policy]# ./policy_tool getpolicy
   2.249 -
   2.250 -Policy dump:
   2.251 -============
   2.252 -Magic     = 1debc.
   2.253 -PolVer    = aaaa0000.
   2.254 -Len       = 112.
   2.255 -Primary   = CHINESE WALL policy (c=1, off=14).
   2.256 -Secondary = SIMPLE TYPE ENFORCEMENT policy (c=2, off=d8).
   2.257 -
   2.258 -
   2.259 -Chinese Wall policy:
   2.260 -====================
   2.261 -Max Types     = a.
   2.262 -Max Ssidrefs  = 5.
   2.263 -Max ConfSets  = 2.
   2.264 -Ssidrefs Off  = 10.
   2.265 -Conflicts Off = 74.
   2.266 -Runing T. Off = 9c.
   2.267 -C. Agg. Off   = b0.
   2.268 -
   2.269 -SSID To CHWALL-Type matrix:
   2.270 -
   2.271 -   ssidref 0:  01 00 00 00 00 00 00 00 00 00  <<< type0 is set for ssidref0
   2.272 -   ssidref 1:  00 01 00 00 00 00 00 00 00 00 
   2.273 -   ssidref 2:  00 00 01 00 00 00 00 00 00 00 
   2.274 -   ssidref 3:  00 00 00 01 00 00 00 00 00 00 
   2.275 -   ssidref 4:  00 00 00 00 01 00 00 00 00 00  <<< type4 is set for ssidref4
   2.276 -                                              <<< types 5-9 are unused
   2.277 -Confict Sets:
   2.278 -
   2.279 -   c-set 0:    00 00 01 01 00 00 00 00 00 00  <<< type2 and type3 never run together
   2.280 -   c-set 1:    01 00 00 00 00 01 01 00 00 00  <<< only one of types 0, 5 or 6 
   2.281 -                                              <<<   can run simultaneously
   2.282 -Running
   2.283 -Types:         01 00 00 00 00 00 00 00 00 00  <<< ref-count for types of running domains
   2.284 -
   2.285 -Conflict
   2.286 -Aggregate Set: 00 00 00 00 00 01 01 00 00 00  <<< aggregated set of types that                  
   2.287 -                                              <<< cannot run because they 
   2.288 -                                              <<< are in conflict set 1 and
   2.289 -                                              <<< (domain 0 is running w t0)
   2.290 -                                             
   2.291 -
   2.292 -Simple Type Enforcement policy:
   2.293 -===============================
   2.294 -Max Types     = 5.
   2.295 -Max Ssidrefs  = 5.
   2.296 -Ssidrefs Off  = 8.
   2.297 -
   2.298 -SSID To STE-Type matrix:
   2.299 -
   2.300 -   ssidref 0: 01 01 01 01 01                  <<< ssidref0 points to a set that                  
   2.301 -                                              <<< has all types set (colors)
   2.302 -   ssidref 1: 00 01 00 00 00                  <<< ssidref1 has color1 set
   2.303 -   ssidref 2: 00 00 01 00 00                  <<< ...
   2.304 -   ssidref 3: 00 00 00 01 00 
   2.305 -   ssidref 4: 00 00 00 00 01 
   2.306 -
   2.307 -
   2.308 -Policy dump End.
   2.309 -
   2.310 -
   2.311 -This is a small example policy with which we will demonstrate the enforcement.
   2.312 -
   2.313 -Starting Domains with policy enforcement
   2.314 -========================================
   2.315 -Now let us play with this policy. 
   2.316 -
   2.317 -Define 3 or 4 domain configurations. I use the following config using a ramdisk 
   2.318 -only and about 8MBytes of memory for each DomU (test purposes):
   2.319 -
   2.320 -#-------configuration xmsec1-------------------------
   2.321 -kernel = "/boot/vmlinuz-2.6.11-xenU"
   2.322 -ramdisk="/boot/U1_ramdisk.img"
   2.323 -#security reference identifier
   2.324 -ssidref= 0x00010001
   2.325 -memory = 10
   2.326 -name = "xmsec1"
   2.327 -cpu = -1   # leave to Xen to pick
   2.328 -# Number of network interfaces. Default is 1.
   2.329 -nics=1
   2.330 -dhcp="dhcp"
   2.331 -#-----------------------------------------------------
   2.332 -
   2.333 -xmsec2 and xmsec3 look the same except for the name and the ssidref line. Use 
   2.334 -your domain config file and add "ssidref = 0x00010001" to the first (xmsec1),  
   2.335 -"ssidref= 0x00020002" to the second (call it xmsec2), and "ssidref=0x00030003"  
   2.336 -to the third (we will call this one xmsec3).
   2.337 -
   2.338 -First start xmsec1: xm create -c xmsec1 (succeeds)
   2.339 -
   2.340 -Then
   2.341 -[root@laptop policy]# xm list 
   2.342 -Name              Id  Mem(MB)  CPU  State  Time(s)  Console  
   2.343 -Domain-0           0      620   0  r----     42.3            s:00/p:00
   2.344 -xmnosec            1        9   0  -b---      0.3    9601    s:00/p:05
   2.345 -xmsec1             2        9   0  -b---      0.2    9602    s:01/p:01
   2.346 -
   2.347 -Shows a new domain xmsec1 running with primary (here: chinese wall) ssidref 1 
   2.348 -and secondary (here: simple type enforcement) ssidref 1. The ssidrefs are  
   2.349 -independent and can differ for a domain.
   2.350 -
   2.351 -[root@laptop policy]# ./policy_tool getpolicy
   2.352 -
   2.353 -Policy dump:
   2.354 -============
   2.355 -Magic     = 1debc.
   2.356 -PolVer    = aaaa0000.
   2.357 -Len       = 112.
   2.358 -Primary   = CHINESE WALL policy (c=1, off=14).
   2.359 -Secondary = SIMPLE TYPE ENFORCEMENT policy (c=2, off=d8).
   2.360 -
   2.361 -
   2.362 -Chinese Wall policy:
   2.363 -====================
   2.364 -Max Types     = a.
   2.365 -Max Ssidrefs  = 5.
   2.366 -Max ConfSets  = 2.
   2.367 -Ssidrefs Off  = 10.
   2.368 -Conflicts Off = 74.
   2.369 -Runing T. Off = 9c.
   2.370 -C. Agg. Off   = b0.
   2.371 -
   2.372 -SSID To CHWALL-Type matrix:
   2.373 -
   2.374 -   ssidref 0:  01 00 00 00 00 00 00 00 00 00
   2.375 -   ssidref 1:  00 01 00 00 00 00 00 00 00 00
   2.376 -   ssidref 2:  00 00 01 00 00 00 00 00 00 00
   2.377 -   ssidref 3:  00 00 00 01 00 00 00 00 00 00
   2.378 -   ssidref 4:  00 00 00 00 01 00 00 00 00 00
   2.379 -
   2.380 -Confict Sets:
   2.381 -
   2.382 -   c-set 0:    00 00 01 01 00 00 00 00 00 00
   2.383 -   c-set 1:    01 00 00 00 00 01 01 00 00 00   <<< t1 is not part of any c-set
   2.384 -
   2.385 -Running
   2.386 -Types:         01 01 00 00 00 00 00 00 00 00   <<< xmsec1 has ssidref 1->type1
   2.387 -                  ^^                           <<< ref-count at position 1 incr
   2.388 -Conflict
   2.389 -Aggregate Set: 00 00 00 00 00 01 01 00 00 00   <<< domain 1 was allowed to       
   2.390 -                                               <<< start since type 1 was not
   2.391 -                                               <<< in conflict with running 
   2.392 -                                               <<< types
   2.393 -                                            
   2.394 -Simple Type Enforcement policy:
   2.395 -===============================
   2.396 -Max Types     = 5.
   2.397 -Max Ssidrefs  = 5.
   2.398 -Ssidrefs Off  = 8.
   2.399 -
   2.400 -SSID To STE-Type matrix:
   2.401 -
   2.402 -   ssidref 0: 01 01 01 01 01           <<< the ste policy does not maintain; we
   2.403 -   ssidref 1: 00 01 00 00 00   <--     <<< see that domain xmsec1 has ste 
   2.404 -   ssidref 2: 00 00 01 00 00           <<< ssidref1->type1 and has this type in
   2.405 -   ssidref 3: 00 00 00 01 00           <<< common with dom0
   2.406 -   ssidref 4: 00 00 00 00 01
   2.407 -
   2.408 -
   2.409 -Policy dump End.
   2.410 -
   2.411 -Look at sHype output in xen dmesg:
   2.412 -
   2.413 -[root@laptop xen]# xm dmesg
   2.414 -.
   2.415 -.
   2.416 -[somewhere near the very end]
   2.417 -(XEN) chwall_init_domain_ssid: determined chwall_ssidref to 1.
   2.418 -(XEN) ste_init_domain_ssid.
   2.419 -(XEN) ste_init_domain_ssid: determined ste_ssidref to 1.
   2.420 -(XEN) acm_init_domain_ssid: Instantiated individual ssid for domain 0x01.
   2.421 -(XEN) chwall_post_domain_create.
   2.422 -(XEN) ste_pre_eventchannel_interdomain.
   2.423 -(XEN) ste_pre_eventchannel_interdomain: (evtchn 0 --> 1) common type #01.
   2.424 -(XEN) shype_authorize_domops.
   2.425 -(XEN) ste_pre_eventchannel_interdomain.
   2.426 -(XEN) ste_pre_eventchannel_interdomain: (evtchn 0 --> 1) common type #01.
   2.427 -(XEN) ste_pre_eventchannel_interdomain.
   2.428 -(XEN) ste_pre_eventchannel_interdomain: (evtchn 0 --> 1) common type #01.
   2.429 -
   2.430 -
   2.431 -You can see that the chinese wall policy does not complain and that the ste 
   2.432 -policy makes three access control decisions for three event-channels setup 
   2.433 -between domain 0 and the new domain 1. Each time, the two domains share the 
   2.434 -type1 and setting up the eventchannel is permitted.
   2.435 -
   2.436 -
   2.437 -Starting up a second domain xmsec2:
   2.438 -
   2.439 -[root@laptop xen]# xm create -c xmsec2
   2.440 -Using config file "xmsec2".
   2.441 -Started domain xmsec2, console on port 9602
   2.442 -************ REMOTE CONSOLE: CTRL-] TO QUIT ********
   2.443 -Linux version 2.6.11-xenU (root@laptop.home.org) (gcc version 3.4.2 20041017 
   2.444 -(Red Hat 3.4.2-6.fc3)) #1 Wed Mar 30 13:14:31 EST 2005
   2.445 -.
   2.446 -.
   2.447 -.
   2.448 -[root@laptop policy]# xm list
   2.449 -Name              Id  Mem(MB)  CPU  State  Time(s)  Console  
   2.450 -Domain-0           0      620   0  r----     71.7            s:00/p:00
   2.451 -xmsec1             1        9   0  -b---      0.3    9601    s:01/p:01
   2.452 -xmsec2             2        7   0  -b---      0.3    9602    s:02/p:02   << our domain runs both policies with ssidref 2
   2.453 -
   2.454 -
   2.455 -[root@laptop policy]# ./policy_tool getpolicy
   2.456 -
   2.457 -Policy dump:
   2.458 -============
   2.459 -Magic     = 1debc.
   2.460 -PolVer    = aaaa0000.
   2.461 -Len       = 112.
   2.462 -Primary   = CHINESE WALL policy (c=1, off=14).
   2.463 -Secondary = SIMPLE TYPE ENFORCEMENT policy (c=2, off=d8).
   2.464 -
   2.465 -
   2.466 -Chinese Wall policy:
   2.467 -====================
   2.468 -Max Types     = a.
   2.469 -Max Ssidrefs  = 5.
   2.470 -Max ConfSets  = 2.
   2.471 -Ssidrefs Off  = 10.
   2.472 -Conflicts Off = 74.
   2.473 -Runing T. Off = 9c.
   2.474 -C. Agg. Off   = b0.
   2.475 -
   2.476 -SSID To CHWALL-Type matrix:
   2.477 -
   2.478 -   ssidref 0:  01 00 00 00 00 00 00 00 00 00
   2.479 -   ssidref 1:  00 01 00 00 00 00 00 00 00 00
   2.480 -   ssidref 2:  00 00 01 00 00 00 00 00 00 00   <<< our domain has type 2 set
   2.481 -   ssidref 3:  00 00 00 01 00 00 00 00 00 00
   2.482 -   ssidref 4:  00 00 00 00 01 00 00 00 00 00
   2.483 -
   2.484 -Confict Sets:
   2.485 -
   2.486 -   c-set 0:    00 00 01 01 00 00 00 00 00 00   <<< t2 is in c-set0 with type 3
   2.487 -   c-set 1:    01 00 00 00 00 01 01 00 00 00
   2.488 -
   2.489 -Running
   2.490 -Types:         01 01 01 00 00 00 00 00 00 00   <<< t2 is running since the 
   2.491 -                     ^^                        <<< current aggregate conflict
   2.492 -                                               <<< set (see above) does not 
   2.493 -                                               <<< include type 2
   2.494 -Conflict
   2.495 -Aggregate Set: 00 00 00 01 00 01 01 00 00 00   <<< type 3 is added to the 
   2.496 -                                               <<< conflict aggregate
   2.497 -
   2.498 -
   2.499 -Simple Type Enforcement policy:
   2.500 -===============================
   2.501 -Max Types     = 5.
   2.502 -Max Ssidrefs  = 5.
   2.503 -Ssidrefs Off  = 8.
   2.504 -
   2.505 -SSID To STE-Type matrix:
   2.506 -
   2.507 -   ssidref 0: 01 01 01 01 01
   2.508 -   ssidref 1: 00 01 00 00 00
   2.509 -   ssidref 2: 00 00 01 00 00
   2.510 -   ssidref 3: 00 00 00 01 00
   2.511 -   ssidref 4: 00 00 00 00 01
   2.512 -
   2.513 -
   2.514 -Policy dump End.
   2.515 -
   2.516 -
   2.517 -The sHype xen dmesg output looks similar to the one above when starting the 
   2.518 -first domain.
   2.519 -
   2.520 -Now we start xmsec3 and it has ssidref3. Thus, it tries to run as type3 which 
   2.521 -conflicts with running type2 (from xmsec2). As expected, creating this domain 
   2.522 -fails for security policy enforcement reasons.
   2.523 -
   2.524 -[root@laptop xen]# xm create -c xmsec3
   2.525 -Using config file "xmsec3".
   2.526 -Error: Error creating domain: (22, 'Invalid argument')
   2.527 -[root@laptop xen]#
   2.528 -
   2.529 -[root@laptop xen]# xm dmesg
   2.530 -.
   2.531 -.
   2.532 -[somewhere near the very end]
   2.533 -(XEN) chwall_pre_domain_create.
   2.534 -(XEN) chwall_pre_domain_create: CHINESE WALL CONFLICT in type 03.
   2.535 -
   2.536 -xmsec3 ssidref3 points to type3, which is in the current conflict aggregate 
   2.537 -set. This domain cannot start until domain xmsec2 is destroyed, at which time 
   2.538 -the aggregate conflict set is reduced and type3 is excluded from it. Then, 
   2.539 -xmsec3 can start. Of course, afterwards, xmsec2 cannot be restarted. Try it.
   2.540 -
   2.541 -3. Policy tool
   2.542 -**************
   2.543 -toos/policy/policy_tool.c
   2.544 -
   2.545 -a) ./policy_tool getpolicy
   2.546 -      prints the currently enforced policy
   2.547 -      (see for example section 1.)
   2.548 -
   2.549 -b) ./policy_tool setpolicy
   2.550 -      sets a predefined and hardcoded security
   2.551 -      policy (the one described in section 2.)
   2.552 -
   2.553 -c) ./policy_tool dumpstats
   2.554 -      prints some status information about the caching
   2.555 -      of access control decisions (number of cache hits
   2.556 -      and number of policy evaluations for grant_table
   2.557 -      and event channels).
   2.558 -
   2.559 -d) ./policy_tool loadpolicy <binary_policy_file>
   2.560 -      sets the policy defined in the <binary_policy_file>
   2.561 -      please use the policy_processor that is posted to this
   2.562 -      mailing list to create such a binary policy from an XML
   2.563 -      policy description
   2.564 -
   2.565 -4. Policy interface:
   2.566 -********************
   2.567 -The Policy interface is working in "network-byte-order" (big endian). The reason for this
   2.568 -is that policy files/management should be portable and independent of the platforms.
   2.569 -
   2.570 -Our policy interface enables managers to create a single binary policy file in a trusted
   2.571 -environment and distributed it to multiple systems for enforcement.
   2.572 -
   2.573 -5. Booting with a binary policy:
   2.574 -********************************
   2.575 -The grub configuration file can be adapted to boot the hypervisor with an
   2.576 -already active policy. To do this, a binary policy file - this can be
   2.577 -the same file as used by the policy_tool - should be placed into the boot
   2.578 -partition. The following entry from the grub configuration file shows how
   2.579 -a binary policy can be added to the system during boot time. Note that the 
   2.580 -binary policy must be of the same type that the hypervisor was compiled 
   2.581 -for. The policy module line should also only be added as the last module
   2.582 -line if XEN was compiled with the access control module (ACM).
   2.583 -
   2.584 -title XEN0 3.0 Devel
   2.585 -	kernel /xen.gz dom0_mem=400000
   2.586 -	module /vmlinuz-2.6.12-xen0 root=/dev/hda2 ro console=tty0
   2.587 -	module /initrd-2.6.12-xen0.img
   2.588 -	module /xen_sample_policy.bin
   2.589 -
   2.590 -
   2.591 -====================end-of file=======================================
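--- a/docs/src/user.tex
+++ b/docs/src/user.tex
@@ -1763,7 +1763,7 @@ editing \path{grub.conf}.
  physical address in the memory map will be ignored. This parameter
  may be specified with a B, K, M or G suffix, representing bytes,
  kilobytes, megabytes and gigabytes respectively. The
- default unit, if no suffix is specified, is bytes.
+ default unit, if no suffix is specified, is kilobytes.
 
 \item [dom0\_mem=xxx ] 
  Set the amount of memory to be allocated to domain0. In Xen 3.x the parameter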
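--- a/linux-2.6-xen-sparse/arch/xen/i386/kernel/swiotlb.c	Fri Aug 19 12:21:29 2005 +0000
+++ b/linux-2.6-xen-sparse/arch/xen/i386/kernel/swiotlb.c	Fri Aug 19 12:22:27 2005 +0000
@@ -94,9 +94,6 @@ setup_io_tlb_npages(char *str)
 		iotlb_nslabs = simple_strtoul(str, &str, 0) <<
 			(20 - IO_TLB_SHIFT);
 		iotlb_nslabs = ALIGN(iotlb_nslabs, IO_TLB_SEGSIZE);
-		/* Round up to power of two (xen_create_contiguous_region). */
-		while (iotlb_nslabs & (iotlb_nslabs-1))
-			iotlb_nslabs += iotlb_nslabs & ~(iotlb_nslabs-1);
 	}
 	if (*str == ',')
 		++str;
@@ -123,9 +120,6 @@ swiotlb_init_with_default_size (size_t d
 	if (!iotlb_nslabs) {
 		iotlb_nslabs = (default_size >> IO_TLB_SHIFT);
 		iotlb_nslabs = ALIGN(iotlb_nslabs, IO_TLB_SEGSIZE);
-		/* Round up to power of two (xen_create_contiguous_region). */
-		while (iotlb_nslabs & (iotlb_nslabs-1))
-			iotlb_nslabs += iotlb_nslabs & ~(iotlb_nslabs-1);
 	}
 
 	bytes = iotlb_nslabs * (1UL << IO_TLB_SHIFT);
@@ -135,10 +129,14 @@ swiotlb_init_with_default_size (size_t d
 	 */
 	iotlb_virt_start = alloc_bootmem_low_pages(bytes);
 	if (!iotlb_virt_start)
-		panic("Cannot allocate SWIOTLB buffer");
+		panic("Cannot allocate SWIOTLB buffer!\n"
+		      "Use dom0_mem Xen boot parameter to reserve\n"
+		      "some DMA memory (e.g., dom0_mem=-128M).\n");
 
-	xen_create_contiguous_region(
-		(unsigned long)iotlb_virt_start, get_order(bytes));
+	for (i = 0; i < iotlb_nslabs; i += IO_TLB_SEGSIZE)
+		xen_create_contiguous_region(
+			(unsigned long)iotlb_virt_start + (i << IO_TLB_SHIFT),
+			get_order(IO_TLB_SEGSIZE << IO_TLB_SHIFT));
 
 	iotlb_virt_end = iotlb_virt_start + bytes;
 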
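Review bot: In the new per-segment loop of swiotlb_init_with_default_size the offset `(i << IO_TLB_SHIFT)` is shifted in `i`'s own type before it is added to the widened base address. `i` is declared outside this hunk, and if it is an `int` a large slab count parsed by setup_io_tlb_npages could overflow the shift. Writing it as `((unsigned long)i << IO_TLB_SHIFT)` removes the dependence on that declaration. The loop also relies on `iotlb_nslabs` being a multiple of `IO_TLB_SEGSIZE`, which both `ALIGN` calls above provide, and with the power-of-two comment removed nothing explains the new layout. A comment above the loop such as `/* Make each IO_TLB_SEGSIZE segment machine-contiguous; the buffer as a whole need not be. */` would record it.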
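--- a/linux-2.6-xen-sparse/arch/xen/x86_64/kernel/setup64.c	Fri Aug 19 12:21:29 2005 +0000
+++ b/linux-2.6-xen-sparse/arch/xen/x86_64/kernel/setup64.c	Fri Aug 19 12:22:27 2005 +0000
@@ -280,19 +280,16 @@ void __init cpu_init (void)
 	if (cpu) {
 		memcpy(cpu_gdt_table[cpu], cpu_gdt_table[0], GDT_SIZE);
 	}	
-#endif
 
 	cpu_gdt_descr[cpu].size = GDT_SIZE;
 	cpu_gdt_descr[cpu].address = (unsigned long)cpu_gdt_table[cpu];
 
-        cpu_gdt_init(&cpu_gdt_descr[cpu]);
-
-#ifndef CONFIG_XEN 
 	memcpy(me->thread.tls_array, cpu_gdt_table[cpu], GDT_ENTRY_TLS_ENTRIES * 8);
-
 #else
  	memcpy(me->thread.tls_array, &get_cpu_gdt_table(cpu)[GDT_ENTRY_TLS_MIN],
 	    GDT_ENTRY_TLS_ENTRIES * 8);
+
+    cpu_gdt_init(&cpu_gdt_descr[cpu]);
 #endif
        
 	/*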
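Review bot: With the first `#endif` removed, the `cpu_gdt_descr[cpu].size` and `.address` assignments sit only in the first preprocessor branch, while `cpu_gdt_init(&cpu_gdt_descr[cpu])` now sits only in the `#else` branch. In that branch cpu_init therefore passes on a descriptor it no longer fills in. The opening conditional is outside the hunk, so whether the descriptor is initialised elsewhere for that configuration cannot be confirmed from here. If it is, a comment on the call such as `/* cpu_gdt_descr[] is initialised in <location>; only load it here */` (location placeholder to be filled in) would make the dependency explicit. The added call is also indented with four spaces where the neighbouring lines use a tab.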
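--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/linux-2.6.12/workaround_double_br_del_if.patch	Fri Aug 19 12:22:27 2005 +0000
@@ -0,0 +1,11 @@
+--- linux-2.6.12/net/bridge/br_if.c	2005-06-17 14:48:29.000000000 -0500
++++ linux-2.6.12-xen0-smp/net/bridge/br_if.c	2005-08-18 15:17:27.302615846 -0500
+@@ -382,7 +382,7 @@
+ {
+ 	struct net_bridge_port *p = dev->br_port;
+ 	
+-	if (!p || p->br != br) 
++	if (!p || p->br != br || p->state == BR_STATE_DISABLED)
+ 		return -EINVAL;
+ 
+ 	br_sysfs_removeif(p);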
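Review bot: The added `p->state == BR_STATE_DISABLED` test returns -EINVAL for every port in the disabled state, not only for one that is already being removed. A port disabled for another reason (presumably one whose device is down; confirm against the STP code) could then no longer be detached from its bridge. The state is also read with no lock visible in the hunk, and the function's start is outside it, so the caller's locking cannot be confirmed here. Since the file name calls this a workaround, the condition should carry a comment saying so, e.g. `/* workaround: reject a second br_del_if() on a port already torn down */`. A dedicated "being deleted" marker would be a narrower test than the STP state.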
    16.1 --- a/tools/misc/policyprocessor/Makefile	Fri Aug 19 12:21:29 2005 +0000
    16.2 +++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
    16.3 @@ -1,42 +0,0 @@
    16.4 -XEN_ROOT = ../../..
    16.5 -include $(XEN_ROOT)/tools/Rules.mk
    16.6 -
    16.7 -CFLAGS   += -static
    16.8 -CFLAGS   += -Wall
    16.9 -CFLAGS   += -Werror
   16.10 -CFLAGS   += -O3
   16.11 -CFLAGS   += -fno-strict-aliasing
   16.12 -CFLAGS   += -I.
   16.13 -
   16.14 -all: build
   16.15 -
   16.16 -build: mk-symlinks
   16.17 -	$(MAKE) xml_to_bin
   16.18 -
   16.19 -default: all
   16.20 -
   16.21 -install: all
   16.22 -
   16.23 -xml_to_bin : make_include XmlToBin.java XmlToBinInterface.java SsidsEntry.java SecurityLabel.java myHandler.java
   16.24 -	javac XmlToBin.java
   16.25 -
   16.26 -make_include : c2j_include
   16.27 -	./c2j_include
   16.28 -
   16.29 -c2j_include: c2j_include.c
   16.30 -	$(CC) $(CPPFLAGS) $(CFLAGS) -o $@ $<
   16.31 -
   16.32 -clean:
   16.33 -	rm -rf *.class xen c2j_include policy_version.java *.bin
   16.34 -
   16.35 -
   16.36 -LINUX_ROOT := $(XEN_ROOT)/linux-2.6-xen-sparse
   16.37 -mk-symlinks:
   16.38 -	[ -e xen/linux ] || mkdir -p xen/linux
   16.39 -	[ -e xen/io ]    || mkdir -p xen/io
   16.40 -	( cd xen >/dev/null ; \
   16.41 -	  ln -sf ../$(XEN_ROOT)/xen/include/public/*.h . )
   16.42 -	( cd xen/io >/dev/null ; \
   16.43 -	  ln -sf ../../$(XEN_ROOT)/xen/include/public/io/*.h . )
   16.44 -	( cd xen/linux >/dev/null ; \
   16.45 -	  ln -sf ../../$(LINUX_ROOT)/include/asm-xen/linux-public/*.h . )
    17.1 --- a/tools/misc/policyprocessor/SecurityLabel.java	Fri Aug 19 12:21:29 2005 +0000
    17.2 +++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
    17.3 @@ -1,34 +0,0 @@
    17.4 -/**
    17.5 - * (C) Copyright IBM Corp. 2005
    17.6 - *
    17.7 - * $Id: SecurityLabel.java,v 1.2 2005/06/17 20:00:04 rvaldez Exp $
    17.8 - *
    17.9 - * Author: Ray Valdez
   17.10 - *
   17.11 - * This program is free software; you can redistribute it and/or
   17.12 - * modify it under the terms of the GNU General Public License as
   17.13 - * published by the Free Software Foundation, version 2 of the
   17.14 - * License.
   17.15 - *
   17.16 - * SecurityLabel Class.  
   17.17 - *
   17.18 - * <p>
   17.19 - *
   17.20 - * Keeps track of types.
   17.21 - *
   17.22 - * <p>
   17.23 - *
   17.24 - *
   17.25 - */
   17.26 -import java.util.*;
   17.27 -public class SecurityLabel
   17.28 -{
   17.29 - Vector ids;
   17.30 - Vector vlans;
   17.31 - Vector slots;
   17.32 - Vector steTypes;
   17.33 - int steSsidPosition;
   17.34 - Vector chwIDs;
   17.35 - Vector chwTypes;
   17.36 - int chwSsidPosition;
   17.37 -}
    18.1 --- a/tools/misc/policyprocessor/SecurityPolicySpec.xsd	Fri Aug 19 12:21:29 2005 +0000
    18.2 +++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
    18.3 @@ -1,115 +0,0 @@
    18.4 -<?xml version="1.0" encoding="UTF-8"?>
    18.5 -<!-- Author: Ray Valdez, rvaldez@us.ibm.com -->
    18.6 -<!-- xml schema definition for xen xml policies -->
    18.7 -<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    18.8 -targetNamespace="http://www.ibm.com"
    18.9 -xmlns="http://www.ibm.com" 
   18.10 -elementFormDefault="qualified">
   18.11 -
   18.12 -<xsd:element name="TE" type="xsd:string" />
   18.13 -<xsd:element name="ChWall" type="xsd:string" />
   18.14 -
   18.15 -<xsd:element name="Definition">
   18.16 -  <xsd:complexType>
   18.17 - 	<xsd:sequence>
   18.18 -
   18.19 -	  <!-- simple type enforcement -->
   18.20 -	  <xsd:element name="Types" minOccurs ="0" maxOccurs="1">
   18.21 -		<xsd:complexType>
   18.22 -		  <xsd:sequence>
   18.23 -			<xsd:element ref="TE" minOccurs ="1" maxOccurs ="unbounded"/>
   18.24 -		  </xsd:sequence>
   18.25 -		</xsd:complexType>
   18.26 -	  </xsd:element>
   18.27 -
   18.28 -	  <!-- chinese wall -->
   18.29 -	  <!--   type definition -->
   18.30 -	  <xsd:element name="ChWallTypes" minOccurs ="0" maxOccurs="1">
   18.31 -		<xsd:complexType>
   18.32 -		  <xsd:sequence>
   18.33 -			<xsd:element ref="ChWall"  minOccurs ="1" maxOccurs ="unbounded"/>
   18.34 -
   18.35 -      	   	</xsd:sequence>
   18.36 -          </xsd:complexType>
   18.37 -	</xsd:element>
   18.38 -
   18.39 -  	<!--   conflict set -->
   18.40 -	  <xsd:element name="ConflictSet" minOccurs ="0" maxOccurs="unbounded">
   18.41 -		<xsd:complexType>
   18.42 -		  <xsd:sequence>
   18.43 -			<xsd:element ref="ChWall"  minOccurs ="2" maxOccurs ="unbounded"/>
   18.44 -		  </xsd:sequence>
   18.45 -		</xsd:complexType>
   18.46 -	</xsd:element>
   18.47 -
   18.48 -	</xsd:sequence>
   18.49 -  </xsd:complexType>
   18.50 -</xsd:element>
   18.51 -
   18.52 -<xsd:element name="Policy">
   18.53 -    <xsd:complexType>
   18.54 -      <xsd:sequence>
   18.55 -
   18.56 -	<xsd:element name="PolicyHeader">
   18.57 -    	<xsd:complexType>
   18.58 -      	   <xsd:all>
   18.59 -		<xsd:element name = "Name" type="xsd:string"/>
   18.60 -		<xsd:element name = "DateTime" type="xsd:dateTime"/>
   18.61 -		<xsd:element name = "Tag" minOccurs ="1" maxOccurs ="1" type="xsd:string"/>
   18.62 -		<xsd:element name = "TypeDefinition">
   18.63 -    		<xsd:complexType>
   18.64 -      	   	  <xsd:all>
   18.65 -			<xsd:element name = "url" type="xsd:string"/>
   18.66 -			<xsd:element name = "hash" minOccurs ="0" maxOccurs ="1" type="xsd:string"/>
   18.67 -      	   	  </xsd:all>
   18.68 -    		</xsd:complexType>
   18.69 -		</xsd:element>
   18.70 -
   18.71 -      	   </xsd:all>
   18.72 -    	</xsd:complexType>
   18.73 -	</xsd:element>
   18.74 -
   18.75 -	<xsd:element name="VM" minOccurs ="1" maxOccurs="unbounded">
   18.76 -    	  <xsd:complexType>
   18.77 -      	   <xsd:sequence>
   18.78 -		<xsd:element name="id" type="xsd:integer"/>
   18.79 -		<xsd:element ref="TE" minOccurs="0" maxOccurs="unbounded" />
   18.80 -		<xsd:element ref="ChWall" minOccurs ="0" maxOccurs="unbounded"/>
   18.81 -      	   </xsd:sequence>
   18.82 -    	  </xsd:complexType>
   18.83 -	</xsd:element>
   18.84 -
   18.85 -	<xsd:element name="Vlan" minOccurs ="0" maxOccurs="unbounded">
   18.86 -    	  <xsd:complexType>
   18.87 -      	   <xsd:sequence>
   18.88 -		<xsd:element name="vid" type="xsd:integer"/>
   18.89 -		<xsd:element ref="TE" minOccurs="1" maxOccurs="unbounded" />
   18.90 -      	   </xsd:sequence>
   18.91 -    	  </xsd:complexType>
   18.92 -	</xsd:element>
   18.93 -
   18.94 -	<xsd:element name="Slot" minOccurs ="0" maxOccurs="unbounded">
   18.95 -    	  <xsd:complexType>
   18.96 -      	   <xsd:sequence>
   18.97 -		<xsd:element name="bus" type="xsd:integer"/>
   18.98 -		<xsd:element name="slot" type="xsd:integer"/>
   18.99 -		<xsd:element ref="TE" minOccurs="1" maxOccurs="unbounded" />
  18.100 -      	   </xsd:sequence>
  18.101 -    	  </xsd:complexType>
  18.102 -	</xsd:element>
  18.103 -
  18.104 -
  18.105 -      </xsd:sequence>
  18.106 -    </xsd:complexType>
  18.107 -</xsd:element>
  18.108 -
  18.109 -<!-- root element -->
  18.110 -<xsd:element name="SecurityPolicySpec">
  18.111 -    <xsd:complexType>
  18.112 -      <xsd:choice>
  18.113 -		<xsd:element ref="Definition" minOccurs ="1" maxOccurs="unbounded"/>
  18.114 -		<xsd:element ref="Policy" minOccurs ="1" maxOccurs="unbounded"/>
  18.115 -      </xsd:choice>
  18.116 -    </xsd:complexType>
  18.117 -</xsd:element>
  18.118 -</xsd:schema>
    19.1 --- a/tools/misc/policyprocessor/SsidsEntry.java	Fri Aug 19 12:21:29 2005 +0000
    19.2 +++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
    19.3 @@ -1,29 +0,0 @@
    19.4 -/**
    19.5 - * (C) Copyright IBM Corp. 2005
    19.6 - *
    19.7 - * $Id: SsidsEntry.java,v 1.2 2005/06/17 20:02:40 rvaldez Exp $
    19.8 - *
    19.9 - * Author: Ray Valdez
   19.10 - * 
   19.11 - * This program is free software; you can redistribute it and/or
   19.12 - * modify it under the terms of the GNU General Public License as
   19.13 - * published by the Free Software Foundation, version 2 of the
   19.14 - * License.
   19.15 - *
   19.16 - * SsidsEntry Class.  
   19.17 - * <p>
   19.18 - *
   19.19 - * Holds ssid information.
   19.20 - *
   19.21 - * <p>
   19.22 - *
   19.23 - *
   19.24 - */
   19.25 -public class SsidsEntry 
   19.26 - {
   19.27 -  int id;	/* used for partition and vlan */
   19.28 -  int bus;	/* used for slots */
   19.29 -  int slot;
   19.30 -  int ste = 0xffffffff;
   19.31 -  int chw = 0xffffffff;
   19.32 - }
    20.1 --- a/tools/misc/policyprocessor/XmlToBin.java	Fri Aug 19 12:21:29 2005 +0000
    20.2 +++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
    20.3 @@ -1,1570 +0,0 @@
    20.4 -/**
    20.5 - * (C) Copyright IBM Corp. 2005
    20.6 - *
    20.7 - * $Id: XmlToBin.java,v 1.3 2005/06/20 21:07:37 rvaldez Exp $
    20.8 - *
    20.9 - * Author: Ray Valdez
   20.10 - *
   20.11 - * Contributors:
   20.12 - *         Reiner Sailer - adjust type-lengths
   20.13 - *
   20.14 - * This program is free software; you can redistribute it and/or
   20.15 - * modify it under the terms of the GNU General Public License as
   20.16 - * published by the Free Software Foundation, version 2 of the
   20.17 - * License.
   20.18 - *
   20.19 - * XmlToBin  Class.  
   20.20 - * <p>
   20.21 - *
   20.22 - * Translates a xml representation of a SHYPE policy into a binary  
   20.23 - * format.  The class processes an xml policy file based on elment tags 
   20.24 - * defined in a schema definition files: SecurityPolicySpec.xsd.
   20.25 - *
   20.26 - * XmlToBin Command line Options: 
   20.27 - *
   20.28 - *      -i              inputFile:      name of policyfile (.xml)
   20.29 - *      -o              outputFile:     name of binary policy file (Big Endian)
   20.30 - *      -xssid          SsidFile:       xen ssids to types text file
   20.31 - *      -xssidconf      SsidConf:   	xen conflict ssids to types text file
   20.32 - *      -debug                          turn on debug messages
   20.33 - *      -help                           help. This printout
   20.34 - *
   20.35 - * <p>
   20.36 - *
   20.37 - *
   20.38 - */
   20.39 -import java.util.*;
   20.40 -import java.io.*;
   20.41 -import java.io.IOException;
   20.42 -import java.io.FileNotFoundException;
   20.43 -import org.w3c.dom.Document;
   20.44 -import org.w3c.dom.Element;
   20.45 -import org.w3c.dom.Node;
   20.46 -import org.w3c.dom.Attr;
   20.47 -import org.w3c.dom.NodeList;
   20.48 -import org.w3c.dom.NamedNodeMap;
   20.49 -import org.xml.sax.*;
   20.50 -import javax.xml.parsers.*;
   20.51 -import org.xml.sax.helpers.*;
   20.52 -
   20.53 -public class XmlToBin 
   20.54 - implements XmlToBinInterface
   20.55 -{
   20.56 -  class SlotInfo {
   20.57 -	String bus;
   20.58 -	String slot;
   20.59 -  }
   20.60 -
   20.61 - boolean LittleEndian = false;
   20.62 - boolean debug = false;
   20.63 -
   20.64 - static final String JAXP_SCHEMA_LANGUAGE = "http://java.sun.com/xml/jaxp/properties/schemaLanguage";
   20.65 -
   20.66 - static final String W3C_XML_SCHEMA = "http://www.w3.org/2001/XMLSchema";
   20.67 -
   20.68 - public static void printUsage()
   20.69 - {
   20.70 -  System.out.println("XmlToBin Command line Options: ");
   20.71 -  System.out.println("\t-i\t\tinputFile:\tname of policyfile (.xml)");
   20.72 -  System.out.println("\t-o\t\toutputFile:\tname of binary policy file (Big Endian)");
   20.73 -  System.out.println("\t-xssid\t\tSsidFile:\tXen ssids to named types text file");
   20.74 -  System.out.println("\t-xssidconf\tSsidConfFile:\tXen conflict ssids to named types text file");
   20.75 -  System.out.println("\t-debug\t\t\t\tturn on debug messages");
   20.76 -  System.out.println("\t-help\t\t\t\thelp. This printout");
   20.77 -  return;
   20.78 - }
   20.79 -
   20.80 - public void printDebug(String message) 
   20.81 - {
   20.82 -  if (debug)
   20.83 -    System.out.println(message);
   20.84 - }
   20.85 -
   20.86 - public void writeBinPolicy(byte[] binPolicy, String outputFileName)
   20.87 -  throws Exception
   20.88 - {
   20.89 -    if (debug) 
   20.90 -    	printHex(binPolicy,binPolicy.length);
   20.91 -
   20.92 -    DataOutputStream writeObj = new DataOutputStream(
   20.93 -                                new FileOutputStream(outputFileName));
   20.94 -
   20.95 -    writeObj.write(binPolicy);
   20.96 -    writeObj.flush();
   20.97 -    writeObj.close();
   20.98 -    System.out.println(" wBP:: wrote outputfile: " + outputFileName);
   20.99 -
  20.100 -    return; 
  20.101 - }  
  20.102 -
  20.103 - public void writeXenTypeVectorFile(Vector list, String outputFileName)
  20.104 -  throws Exception
  20.105 - {
  20.106 -  PrintWriter out;
  20.107 -
  20.108 -  if (0 == list.size())
  20.109 -  {
  20.110 -   	printDebug(" wSTF : size of input is zero when writing :" + outputFileName); 
  20.111 -	return;
  20.112 -  }
  20.113 - out = new PrintWriter(
  20.114 -	 	new BufferedWriter(
  20.115 -                      new FileWriter(outputFileName)));
  20.116 -
  20.117 -
  20.118 -  for (int i = 0; i < list.size(); i++)
  20.119 -  {
  20.120 -	Vector	ee = (Vector) list.elementAt(i);
  20.121 -   	out.println(i + " " +ee.toString());
  20.122 -  } 
  20.123 -    out.close();
  20.124 -   
  20.125 -    return; 
  20.126 - }
  20.127 -
  20.128 - public void writeXenTypeFile(Vector list, String outputFileName, boolean slabel)
  20.129 -  throws Exception
  20.130 - {
  20.131 -  Vector entry; 
  20.132 -  String strTypes = "";
  20.133 -  SecurityLabel ee;
  20.134 -  PrintWriter out;
  20.135 -
  20.136 -  if (0 == list.size())
  20.137 -  {
  20.138 -   	printDebug(" wSTF : size of input is zero when writing :" + outputFileName); 
  20.139 -	return;
  20.140 -  }
  20.141 -  out = new PrintWriter(
  20.142 -	 	new BufferedWriter(
  20.143 -                      new FileWriter(outputFileName)));
  20.144 -
  20.145 -  for (int i = 0; i < list.size(); i++)
  20.146 -  {
  20.147 -	ee = (SecurityLabel) list.elementAt(i);
  20.148 -
  20.149 -	if (slabel)
  20.150 -	{
  20.151 -		entry = ee.steTypes; 
  20.152 -	} else {
  20.153 -
  20.154 -		entry = ee.chwTypes; 
  20.155 -	}
  20.156 -	if (null == entry) continue;
  20.157 -
  20.158 -	Enumeration e = entry.elements(); 
  20.159 -	while (e.hasMoreElements())
  20.160 -	{
  20.161 -  	  String typeName = (String) e.nextElement(); 
  20.162 -	  strTypes = strTypes + " " + typeName;
  20.163 -        }
  20.164 -    	  printDebug(" WXTF:: ssid : "+i +" :"+strTypes); 
  20.165 -   	  out.println(i +" "+strTypes);
  20.166 -	  strTypes = "";
  20.167 -  } 
  20.168 -  out.close();
  20.169 -   
  20.170 -  return; 
  20.171 - }
  20.172 -
  20.173 - public void setDebug(boolean value)
  20.174 - {
  20.175 -  debug=value;
  20.176 - }
  20.177 -
  20.178 - public void setEndian(boolean value)
  20.179 - {
  20.180 -  LittleEndian = value;
  20.181 - }
  20.182 -
  20.183 - public byte[] generateVlanSsids(Vector bagOfSsids)
  20.184 -  throws Exception
  20.185 - {
  20.186 -  /**
  20.187 -        typedef struct {
  20.188 -        u16 vlan;
  20.189 -        u16 ssid_ste;
  20.190 -        } acm_vlan_entry_t;
  20.191 -  **/
  20.192 -
  20.193 -  Hashtable  vlanSsid = new Hashtable();
  20.194 -  printDebug(" gVS::Size of bagOfSsids: "+ bagOfSsids.size());
  20.195 -
  20.196 -  /* Get the number of partitions */
  20.197 -  for (int i = 0; i < bagOfSsids.size(); i++)
  20.198 -  {
  20.199 -	SecurityLabel entry = (SecurityLabel) bagOfSsids.elementAt(i);
  20.200 -
  20.201 -	if (null == entry.vlans)
  20.202 -	  continue;
  20.203 -
  20.204 -	Enumeration e = entry.vlans.elements(); 
  20.205 -	while (e.hasMoreElements())
  20.206 -	{
  20.207 -  	  String id = (String) e.nextElement(); 
  20.208 -      	  printDebug(" gVS:: vlan: " + id + "has ste ssid: " + entry.steSsidPosition);
  20.209 -	  if (-1 == entry.steSsidPosition)
  20.210 -		continue;  
  20.211 -
  20.212 -	  /* Only use ste for vlan */
  20.213 -	  SsidsEntry  ssidsObj = new SsidsEntry();
  20.214 -
  20.215 -	  ssidsObj.id = Integer.parseInt(id); 
  20.216 -	  ssidsObj.ste = entry.steSsidPosition;
  20.217 -
  20.218 -	  if (vlanSsid.contains(id))
  20.219 -      	  	printDebug(" gVS:: Error already in the Hash part:" + ssidsObj.id);
  20.220 -	  else 
  20.221 - 		vlanSsid.put(id, ssidsObj);
  20.222 -      	  	printDebug(" gVS:: added part: " + id + "has ste ssid: " + entry.steSsidPosition);
  20.223 -	}
  20.224 -  }
  20.225 -
  20.226 -  /* allocate array */ 
  20.227 -  int numOfVlan = vlanSsid.size();
  20.228 -  int totalSize = (numOfVlan * vlanEntrySz);  
  20.229 -
  20.230 -  if (0 == numOfVlan) 
  20.231 -  {
  20.232 -  	printDebug(" gVS:: vlan: binary ==> zero");
  20.233 -        return new byte[0];
  20.234 -  }
  20.235 -
  20.236 -  byte[] vlanArray = new byte[totalSize];
  20.237 -
  20.238 -  int index = 0;
  20.239 -
  20.240 -  Enumeration e = vlanSsid.elements(); 
  20.241 -  while (e.hasMoreElements())
  20.242 -  {
  20.243 -  	SsidsEntry entry = (SsidsEntry) e.nextElement(); 
  20.244 -      	printDebug(" gVS:: part: " + entry.id + " ste ssid: " + entry.ste);
  20.245 -
  20.246 -	/* Write id */
  20.247 -   	writeShortToStream(vlanArray,(short)entry.id,index);
  20.248 -	index = index + u16Size;
  20.249 -
  20.250 -	/* write ste ssid */
  20.251 -   	writeShortToStream(vlanArray,(short) entry.ste,index);
  20.252 -	index = index + u16Size;
  20.253 -  }
  20.254 -
  20.255 -  printDebug(" gVS:: vlan: num of vlans  " + numOfVlan);
  20.256 -  printDebug(" gVS:: vlan: binary ==> Length "+ vlanArray.length);
  20.257 -
  20.258 -  if (debug) 
  20.259 -	printHex(vlanArray,vlanArray.length);
  20.260 -  printDebug("\n");
  20.261 -
  20.262 -  return vlanArray; 
  20.263 - }  
  20.264 -
  20.265 - public byte[] generateSlotSsids(Vector bagOfSsids)
  20.266 -  throws Exception
  20.267 - {
  20.268 -  /**
  20.269 -        typedef struct {
  20.270 -        u16 slot_max;
  20.271 -        u16 slot_offset;
  20.272 -        } acm_slot_buffer_t;
  20.273 -
  20.274 -        typedef struct {
  20.275 -        u16 bus;
  20.276 -        u16 slot;
  20.277 -        u16 ssid_ste;
  20.278 -        } acm_slot_entry_t;
  20.279 -  **/
  20.280 -  Hashtable  slotSsid = new Hashtable();
  20.281 -  printDebug(" gSS::Size of bagOfSsids: "+ bagOfSsids.size());
  20.282 -
  20.283 -  /* Find the number of VMs */ 
  20.284 -  for (int i = 0; i < bagOfSsids.size(); i++)
  20.285 -  {
  20.286 -	SecurityLabel entry = (SecurityLabel) bagOfSsids.elementAt(i);
  20.287 -
  20.288 -	if (null == entry.slots)
  20.289 -	  continue;
  20.290 -
  20.291 -	Enumeration e = entry.slots.elements(); 
  20.292 -	while (e.hasMoreElements())
  20.293 -	{
  20.294 -  	  SlotInfo item = (SlotInfo) e.nextElement(); 
  20.295 -      	  printDebug(" gSS:: bus slot: " + item.bus + " "+ item.slot + " " +  entry.steSsidPosition);
  20.296 -	  if (-1 == entry.steSsidPosition)
  20.297 -		continue;  
  20.298 -
  20.299 -	  SsidsEntry  ssidsObj = new SsidsEntry();
  20.300 -
  20.301 -	  String id = item.bus +" "+item.slot;
  20.302 -	  ssidsObj.bus = Integer.parseInt(item.bus); 
  20.303 -	  ssidsObj.slot = Integer.parseInt(item.slot); 
  20.304 -	  /* set ste ssid */
  20.305 -	  ssidsObj.ste = entry.steSsidPosition;
  20.306 -
  20.307 -	  if (slotSsid.contains(id))
  20.308 -      	  	printDebug(" gSS:: Error already in the Hash part:" + id);
  20.309 -	  else 
  20.310 -	  	slotSsid.put(id, ssidsObj);
  20.311 -
  20.312 -      	  	printDebug(" gSS:: added slot: " + id + "has ste ssid: " + entry.steSsidPosition);
  20.313 -	}
  20.314 -  }
  20.315 -
  20.316 -  /* allocate array */
  20.317 -  int numOfSlot = slotSsid.size();
  20.318 -
  20.319 -  if (0 == numOfSlot) 
  20.320 -  {
  20.321 -  	printDebug(" gVS:: slot: binary ==> zero");
  20.322 -        return new byte[0];
  20.323 -  }
  20.324 -
  20.325 -  int totalSize = (numOfSlot * slotEntrySz);  
  20.326 -
  20.327 -  byte[] slotArray = new byte[totalSize];
  20.328 -
  20.329 -  int index = 0;
  20.330 -
  20.331 -  Enumeration e = slotSsid.elements(); 
  20.332 -  while (e.hasMoreElements())
  20.333 -  {
  20.334 -  	SsidsEntry entry = (SsidsEntry) e.nextElement(); 
  20.335 -      	System.out.println(" gSS:: bus slot: " + entry.bus + " " + entry.slot + " ste ssid: " + entry.ste);
  20.336 -
  20.337 -	/* Write bus */
  20.338 -   	writeShortToStream(slotArray,(short)entry.bus,index);
  20.339 -	index = index + u16Size;
  20.340 -
  20.341 -	/* Write slot */ 
  20.342 -   	writeShortToStream(slotArray,(short)entry.slot,index);
  20.343 -	index = index + u16Size;
  20.344 -
  20.345 -	/* Write ste ssid */
  20.346 -   	writeShortToStream(slotArray,(short) entry.ste,index);
  20.347 -	index = index + u16Size;
  20.348 -
  20.349 -  }
  20.350 -   
  20.351 -  printDebug(" gSS:: slot: num of vlans  " + numOfSlot);
  20.352 -  printDebug(" gSS:: slot: binary ==> Length "+ slotArray.length);
  20.353 -
  20.354 -  if (debug) 
  20.355 - 	 printHex(slotArray,slotArray.length);
  20.356 -  printDebug("\n");
  20.357 -
  20.358 -  return slotArray; 
  20.359 -
  20.360 - }  
  20.361 -
  20.362 - public byte[] generatePartSsids(Vector bagOfSsids, Vector bagOfChwSsids)
  20.363 -  throws Exception
  20.364 - {
  20.365 -  /**
  20.366 -        typedef struct {
  20.367 -        u16 id;
  20.368 -        u16 ssid_ste;
  20.369 -        u16 ssid_chwall;
  20.370 -        } acm_partition_entry_t;
  20.371 -
  20.372 -  **/
  20.373 -  Hashtable  partSsid = new Hashtable();
  20.374 -  printDebug(" gPS::Size of bagOfSsids: "+ bagOfSsids.size());
  20.375 -
  20.376 -  /* Find the number of VMs */ 
  20.377 -  for (int i = 0; i < bagOfSsids.size(); i++)
  20.378 -  {
  20.379 -	SecurityLabel entry = (SecurityLabel) bagOfSsids.elementAt(i);
  20.380 -
  20.381 -	if (null == entry.ids)
  20.382 -	  continue;
  20.383 -
  20.384 -	Enumeration e = entry.ids.elements(); 
  20.385 -	while (e.hasMoreElements())
  20.386 -	{
  20.387 -  	  String id = (String) e.nextElement(); 
  20.388 -      	  printDebug(" gPS:: part: " + id + "has ste ssid: " + entry.steSsidPosition);
  20.389 -	  if (-1 == entry.steSsidPosition)
  20.390 -		continue;  
  20.391 -
  20.392 -	  SsidsEntry  ssidsObj = new SsidsEntry();
  20.393 -
  20.394 -	  ssidsObj.id = Integer.parseInt(id); 
  20.395 -	  ssidsObj.ste = entry.steSsidPosition;
  20.396 -
  20.397 -	  if (partSsid.contains(id))
  20.398 -      	  	printDebug(" gPS:: Error already in the Hash part:" + ssidsObj.id);
  20.399 -	  else 
  20.400 - 		partSsid.put(id, ssidsObj);
  20.401 -      	  	printDebug(" gPS:: added part: " + id + "has ste ssid: " + entry.steSsidPosition);
  20.402 -	}
  20.403 -
  20.404 -  }
  20.405 -
  20.406 -  for (int i = 0; i < bagOfChwSsids.size(); i++)
  20.407 -  {
  20.408 -	SecurityLabel entry = (SecurityLabel) bagOfChwSsids.elementAt(i);
  20.409 -
  20.410 -	Enumeration e = entry.chwIDs.elements(); 
  20.411 -	while (e.hasMoreElements())
  20.412 -	{
  20.413 -  	  String id = (String) e.nextElement(); 
  20.414 -      	  printDebug(" gPS:: part: " + id + "has chw ssid: " + entry.chwSsidPosition);
  20.415 -	  if (partSsid.containsKey(id))
  20.416 -	  {
  20.417 -		SsidsEntry item = (SsidsEntry) partSsid.get(id);
  20.418 -		item.chw = entry.chwSsidPosition;
  20.419 -      	  	printDebug(" gPS:: added :" + item.id +" chw: " + item.chw);
  20.420 -	  }
  20.421 -	  else 
  20.422 -	  {
  20.423 -      	  	printDebug(" gPS:: creating :" + id +" chw: " + entry.chwSsidPosition);
  20.424 -	  	SsidsEntry  ssidsObj = new SsidsEntry();
  20.425 -	  	ssidsObj.id = Integer.parseInt(id); 
  20.426 -	  	ssidsObj.chw = entry.chwSsidPosition;
  20.427 - 		partSsid.put(id, ssidsObj);
  20.428 -
  20.429 -	  }
  20.430 -	}
  20.431 -  }	  
  20.432 -
  20.433 -  /* Allocate array */
  20.434 -  int numOfPar = partSsid.size();
  20.435 -  int totalSize =  (numOfPar * partitionEntrySz);  
  20.436 -
  20.437 -  if (0 == numOfPar) 
  20.438 -  {
  20.439 -  	printDebug(" gPS:: part: binary ==> zero");
  20.440 -        return new byte[0];
  20.441 -  }
  20.442 -
  20.443 -  byte[] partArray = new byte[totalSize];
  20.444 -
  20.445 -  int index = 0;
  20.446 -
  20.447 -  Enumeration e = partSsid.elements(); 
  20.448 -  while (e.hasMoreElements())
  20.449 -  {
  20.450 -  	SsidsEntry entry = (SsidsEntry) e.nextElement(); 
  20.451 -      	printDebug(" gPS:: part: " + entry.id + " ste ssid: " + entry.ste + " chw ssid: "+ entry.chw);
  20.452 -
  20.453 -	/* Write id */
  20.454 -   	writeShortToStream(partArray,(short)entry.id,index);
  20.455 -	index = index + u16Size;
  20.456 -
  20.457 -	/* Write ste ssid */
  20.458 -   	writeShortToStream(partArray,(short) entry.ste,index);
  20.459 -	index = index + u16Size;
  20.460 -
  20.461 -	/* Write chw ssid */
  20.462 -   	writeShortToStream(partArray,(short) entry.chw,index);
  20.463 -	index = index + u16Size;
  20.464 -  }
  20.465 -
  20.466 -  printDebug(" gPS:: part: num of partitions  " + numOfPar);
  20.467 -  printDebug(" gPS:: part: binary ==> Length " + partArray.length);
  20.468 -
  20.469 -  if (debug) 
  20.470 -	printHex(partArray,partArray.length);
  20.471 -  printDebug("\n");
  20.472 -   
  20.473 -   return partArray; 
  20.474 - }
  20.475 -
  20.476 - public  byte[] GenBinaryPolicyBuffer(byte[] chwPolicy, byte[] stePolicy, byte [] partMap, byte[] vlanMap, byte[] slotMap)
  20.477 - {
  20.478 -  byte[] binBuffer;
  20.479 -  short chwSize =0;
  20.480 -  short steSize =0;
  20.481 -  int	index = 0;
  20.482 -
  20.483 -  /* Builds data structure acm_policy_buffer_t */
  20.484 -  /* Get number of colorTypes */
  20.485 -  if (null != chwPolicy)
  20.486 -	chwSize = (short) chwPolicy.length;
  20.487 -
  20.488 -  if (null != stePolicy)
  20.489 -    	steSize = (short) stePolicy.length;
  20.490 -
  20.491 -  int totalDataSize = chwSize + steSize + resourceOffsetSz +  3 *(2 * u16Size);
  20.492 -
  20.493 -  /*  Add vlan and slot */ 
  20.494 -  totalDataSize = totalDataSize +partMap.length + vlanMap.length + slotMap.length; 
  20.495 -  binBuffer = new byte[binaryBufferHeaderSz +totalDataSize];
  20.496 -	
  20.497 -
  20.498 -  try {
  20.499 -	  index = 0;
  20.500 -	  /* fill in General Policy Version */
  20.501 -	  writeIntToStream(binBuffer, ACM_POLICY_VERSION, index);
  20.502 -	  index += u32Size;
  20.503 -
  20.504 -	  /* Write magic */
  20.505 -	  writeIntToStream(binBuffer, ACM_MAGIC, index);
  20.506 -	  index += u32Size;
  20.507 -
  20.508 -	  /* write len */
  20.509 -	  writeIntToStream(binBuffer, binBuffer.length, index);
  20.510 -	  index += u32Size;
  20.511 -
  20.512 -  } catch (IOException ee) {
  20.513 -	  System.out.println(" GBPB:: got exception : " + ee);
  20.514 -	  return null;
  20.515 -  }
  20.516 -
  20.517 -  int offset, address;
  20.518 -  address = index;
  20.519 -
  20.520 -  if (null != partMap) 
  20.521 -	  offset = binaryBufferHeaderSz + resourceOffsetSz;
  20.522 -  else
  20.523 -	  offset = binaryBufferHeaderSz;
  20.524 -
  20.525 -  try {
  20.526 -	  int skip = 0;
  20.527 -
  20.528 -	  /* init with NULL policy setting */
  20.529 -	  writeIntToStream(binBuffer, ACM_NULL_POLICY, index);
  20.530 -	  writeIntToStream(binBuffer, 0, index + u32Size);
  20.531 -	  writeIntToStream(binBuffer, ACM_NULL_POLICY, index + 2*u32Size);
  20.532 -	  writeIntToStream(binBuffer, 0, index + 3*u32Size);
  20.533 -	  
  20.534 -	  index = address;
  20.535 -	  if (null != chwPolicy) {
  20.536 -	  
  20.537 -		  /* Write policy name */
  20.538 -		  writeIntToStream(binBuffer, ACM_CHINESE_WALL_POLICY, index);
  20.539 -		  index += u32Size;
  20.540 -
  20.541 -		  /* Write offset */
  20.542 -		  writeIntToStream(binBuffer, offset, index);
  20.543 -		  index += u32Size;
  20.544 -
  20.545 -		  /* Write payload. No need increment index */
  20.546 -		  address = offset;
  20.547 -		  System.arraycopy(chwPolicy, 0, binBuffer,address, chwPolicy.length);
  20.548 -		  address = address + chwPolicy.length;
  20.549 -	  } else
  20.550 -		  skip += 2*u32Size;
  20.551 -
  20.552 -	  if (null != stePolicy) 
  20.553 -	  {	
  20.554 -	  	/* Write policy name */
  20.555 -	  	writeIntToStream(binBuffer, ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY, index);
  20.556 -  	  	index += u32Size;
  20.557 -
  20.558 -	  	/* Write offset */
  20.559 -	  	writeIntToStream(binBuffer, address, index);
  20.560 -  	  	index += u32Size;
  20.561 -
  20.562 -		/* Copy array */
  20.563 -	  	System.arraycopy(stePolicy, 0, binBuffer,address, stePolicy.length);
  20.564 -		/* Update address */
  20.565 -		address = address + stePolicy.length;
  20.566 -	  } else
  20.567 -		 skip += 2*u32Size;
  20.568 -
  20.569 -	  /* Skip writing policy name and offset for each null policy*/
  20.570 -	  index +=  skip;
  20.571 -
  20.572 -	  int size;
  20.573 -	  /* Assumes that you will always have a partition defined in policy */
  20.574 -	  if ( 0 < partMap.length) {
  20.575 -		  writeIntToStream(binBuffer, address, index);
  20.576 -		  index = address;
  20.577 -
  20.578 -		  /* Compute num of VMs */
  20.579 -		  size = partMap.length / (3 * u16Size);
  20.580 -
  20.581 -		  writeShortToStream(binBuffer, (short)size,index);
  20.582 -		  index = index + u16Size;
  20.583 -
  20.584 -		  /* part, vlan and slot: each one consists of two entries */
  20.585 -		  offset = 3 * (2 * u16Size);
  20.586 -		  writeShortToStream(binBuffer, (short) offset,index);
  20.587 -
  20.588 -		  /* Write partition array at offset */
  20.589 -		  System.arraycopy(partMap, 0, binBuffer,(offset + address), partMap.length);
  20.590 -		  index = index + u16Size;
  20.591 -		  offset = offset + partMap.length;
  20.592 -	  }
  20.593 -
  20.594 -	  if ( 0 < vlanMap.length) {
  20.595 -		  size = vlanMap.length / (2 * u16Size);
  20.596 -		  writeShortToStream(binBuffer, (short) size,index);
  20.597 -		  index = index + u16Size;
  20.598 -
  20.599 -		  writeShortToStream(binBuffer, (short) offset,index);
  20.600 -		  index = index + u16Size;
  20.601 -		  System.arraycopy(vlanMap, 0, binBuffer,(offset + address), vlanMap.length);
  20.602 -	  } else {
  20.603 -		  /* Write vlan max */
  20.604 -		  writeShortToStream(binBuffer, (short) 0,index);
  20.605 -		  index = index + u16Size;
  20.606 - 
  20.607 -		  /* Write vlan offset */
  20.608 -		  writeShortToStream(binBuffer, (short) 0,index);
  20.609 -		  index = index + u16Size;
  20.610 -	  }
  20.611 -
  20.612 -	  offset = offset + vlanMap.length;
  20.613 -	  if ( 0 < slotMap.length) {
  20.614 -		  size = slotMap.length / (3 * u16Size);
  20.615 -		  writeShortToStream(binBuffer, (short) size,index);
  20.616 -		  index = index + u16Size;
  20.617 -
  20.618 -		  writeShortToStream(binBuffer, (short) offset,index);
  20.619 -		  index = index + u16Size;
  20.620 -		  System.arraycopy(slotMap, 0, binBuffer,(offset + address), slotMap.length);
  20.621 -	  }
  20.622 -  } catch (IOException ee) {
  20.623 -	  System.out.println(" GBPB:: got exception : " + ee);
  20.624 -	  return null;
  20.625 -  }
  20.626 -
  20.627 -  printDebug(" GBP:: Binary Policy ==> length " + binBuffer.length);
  20.628 -  if (debug)
  20.629 -	  printHex(binBuffer,binBuffer.length);
  20.630 -
  20.631 -  return  binBuffer;
  20.632 - } 
  20.633 -
  20.634 - public  byte[] generateChwBuffer(Vector Ssids, Vector ConflictSsids, Vector ColorTypes)
  20.635 - {
  20.636 -  byte[] chwBuffer;
  20.637 -  int index = 0;
  20.638 -  int position = 0;
  20.639 -
  20.640 -  /* Get number of rTypes */
  20.641 -  int maxTypes = ColorTypes.size();
  20.642 -
  20.643 -  /* Get number of SSids entry */
  20.644 -  int maxSsids = Ssids.size();
  20.645 -
  20.646 -  /* Get number of conflict sets */
  20.647 -  int maxConflict = ConflictSsids.size();
  20.648 -
  20.649 -   
  20.650 -  if (maxTypes * maxSsids == 0)
  20.651 -	return null; 
  20.652 -  /*
  20.653 -     data structure acm_chwall_policy_buffer
  20.654 -     se XmlToBinInterface.java
  20.655 -  */
  20.656 -  int totalBytes = chwHeaderSize  + u16Size *(maxTypes * (maxSsids + maxConflict)); 
  20.657 -
  20.658 -  chwBuffer = new byte[ totalBytes ];
  20.659 -  int address = chwHeaderSize + (u16Size * maxTypes * maxSsids );
  20.660 -
  20.661 -  printDebug(" gCB:: chwall totalbytes : "+totalBytes); 
  20.662 -
  20.663 -  try {
  20.664 -	  index = 0;
  20.665 -	  /* fill in General Policy Version */
  20.666 -	  writeIntToStream(chwBuffer, ACM_CHWALL_VERSION, index);
  20.667 -	  index += u32Size;
  20.668 -
  20.669 -	  writeIntToStream(chwBuffer, ACM_CHINESE_WALL_POLICY, index);
  20.670 -	  index += u32Size;
  20.671 -
  20.672 -	  writeIntToStream(chwBuffer, maxTypes, index);
  20.673 -	  index += u32Size;
  20.674 -
  20.675 -	  writeIntToStream(chwBuffer, maxSsids, index);
  20.676 -	  index += u32Size;
  20.677 -
  20.678 -	  writeIntToStream(chwBuffer, maxConflict, index);
  20.679 -	  index += u32Size;
  20.680 -
  20.681 -	  /*  Write chwall_ssid_offset */
  20.682 -	  writeIntToStream(chwBuffer, chwHeaderSize, index);
  20.683 -	  index += u32Size;
  20.684 -
  20.685 -	  /* Write chwall_conflict_sets_offset */
  20.686 -	  writeIntToStream(chwBuffer, address, index);
  20.687 -	  index += u32Size;
  20.688 -
  20.689 -	  /*  Write chwall_running_types_offset */
  20.690 -	  writeIntToStream(chwBuffer, 0, index);
  20.691 -	  index += u32Size;
  20.692 -
  20.693 -	  /*  Write chwall_conflict_aggregate_offset */
  20.694 -	  writeIntToStream(chwBuffer, 0, index);
  20.695 -	  index += u32Size;
  20.696 -
  20.697 -  } catch (IOException ee) {
  20.698 -    	System.out.println(" gCB:: got exception : " + ee); 
  20.699 -	return null;
  20.700 -  }
  20.701 -  int markPos = 0;
  20.702 -
  20.703 -  /* Create the SSids entry */
  20.704 -  for (int i = 0; i < maxSsids; i++)
  20.705 -  {
  20.706 -	SecurityLabel ssidEntry = (SecurityLabel) Ssids.elementAt(i);
  20.707 -   	/* Get chwall types */
  20.708 -	ssidEntry.chwSsidPosition = i;
  20.709 -	Enumeration e = ssidEntry.chwTypes.elements(); 
  20.710 -	while (e.hasMoreElements())
  20.711 -	{
  20.712 -  	  String typeName = (String) e.nextElement(); 
  20.713 -      	  printDebug(" gCB:: Ssid "+ i+ ": has type : " + typeName);
  20.714 -	  position = ColorTypes.indexOf(typeName);
  20.715 -
  20.716 -	  if (position < 0) 
  20.717 -	  {
  20.718 -      	  	System.out.println (" gCB:: Error type : " + typeName + " not found in ColorTypes"); 
  20.719 -		return null; 
  20.720 -	  }
  20.721 -   	  printDebug(" GCB:: type : " + typeName + "  found in ColorTypes at position: " + position); 
  20.722 -	  markPos = ((i * maxTypes + position) * u16Size) + index;	
  20.723 -
  20.724 -	  try {
  20.725 -	  	writeShortToStream(chwBuffer,markSymbol,markPos);
  20.726 -  	  } catch (IOException ee) {
  20.727 -   	  	System.out.println(" gCB:: got exception : "); 
  20.728 -		return null; 
  20.729 -  	  }
  20.730 -	}
  20.731 -  }
  20.732 -
  20.733 -  if (debug) 
  20.734 -      printHex(chwBuffer,chwBuffer.length);
  20.735 -
  20.736 -  /* Add conflict set */
  20.737 -  index = address;
  20.738 -  for (int i = 0; i < maxConflict; i++)
  20.739 -  {
  20.740 -   	/* Get ste types */
  20.741 -	Vector entry = (Vector) ConflictSsids.elementAt(i);
  20.742 -	Enumeration e = entry.elements(); 
  20.743 -	while (e.hasMoreElements())
  20.744 -	{
  20.745 -  	  String typeName = (String) e.nextElement(); 
  20.746 -      	  printDebug (" GCB:: conflict Ssid "+ i+ ": has type : " + typeName);
  20.747 -	  position = ColorTypes.indexOf(typeName);
  20.748 -
  20.749 -	  if (position < 0) 
  20.750 -	  {
  20.751 -      	  	System.out.println (" GCB:: Error type : " + typeName + " not found in ColorTypes"); 
  20.752 -		return null; 
  20.753 -	  }
  20.754 -   	  printDebug(" GCB:: type : " + typeName + "  found in ColorTypes at position: " + position); 
  20.755 -	  markPos = ((i * maxTypes + position) * u16Size) + index;	
  20.756 -
  20.757 -	  try {
  20.758 -	  	writeShortToStream(chwBuffer,markSymbol,markPos);
  20.759 -  	  } catch (IOException ee) {
  20.760 -   	  	System.out.println(" GCB:: got exception : "); 
  20.761 -		return null; 
  20.762 -  	  }
  20.763 -	}
  20.764 -		
  20.765 -  } 
  20.766 -  printDebug(" gSB:: chw binary  ==> Length " + chwBuffer.length); 
  20.767 -  if (debug) 
  20.768 -   	printHex(chwBuffer,chwBuffer.length);
  20.769 -  printDebug("\n");
  20.770 -
  20.771 -  return chwBuffer;
  20.772 - }
  20.773 -
  20.774 -/**********************************************************************
  20.775 - Generate byte representation of policy using type information
  20.776 - <p>
  20.777 - @param Ssids    	      	Vector
  20.778 - @param ColorTypes         	Vector
  20.779 - <p>
  20.780 - @return bytes represenation of simple type enforcement policy 
  20.781 -**********************************************************************/
  20.782 - public  byte[] generateSteBuffer(Vector Ssids, Vector ColorTypes)
  20.783 - {
  20.784 -  byte[] steBuffer;
  20.785 -  int index = 0;
  20.786 -  int position = 0;
  20.787 -
  20.788 -  /* Get number of colorTypes */
  20.789 -  int numColorTypes = ColorTypes.size();
  20.790 -
  20.791 -  /* Get number of SSids entry */
  20.792 -  int numSsids = Ssids.size();
  20.793 -   
  20.794 -  if (numColorTypes * numSsids == 0)
  20.795 -	return null; 
  20.796 -
  20.797 -  /* data structure: acm_ste_policy_buffer
  20.798 -   * see XmlToBinInterface.java
  20.799 -   * total bytes: steHeaderSize * 2B + colorTypes(size) * Ssids(size)
  20.800 -   * 
  20.801 -  */
  20.802 -  steBuffer = new byte[ steHeaderSize + (numColorTypes * numSsids) * 2];
  20.803 -
  20.804 -  try {
  20.805 -	
  20.806 -	  index = 0;
  20.807 -	  writeIntToStream(steBuffer, ACM_STE_VERSION, index);
  20.808 -	  index += u32Size;
  20.809 -
  20.810 -	  writeIntToStream(steBuffer, ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY, index);
  20.811 -	  index += u32Size;
  20.812 -
  20.813 -	  writeIntToStream(steBuffer, numColorTypes, index);
  20.814 -	  index += u32Size;
  20.815 -
  20.816 -	  writeIntToStream(steBuffer, numSsids, index);
  20.817 -	  index += u32Size;
  20.818 -
  20.819 -	  writeIntToStream(steBuffer, steHeaderSize, index);
  20.820 -	  index += u32Size;
  20.821 -
  20.822 -
  20.823 -  } catch (IOException ee) {
  20.824 -	System.out.println(" gSB:: got exception : " + ee); 
  20.825 -	return null; 
  20.826 -  }
  20.827 -  int markPos = 0;
  20.828 -  for (int i = 0; i < numSsids; i++)
  20.829 -  {
  20.830 -	
  20.831 -	SecurityLabel ssidEntry = (SecurityLabel) Ssids.elementAt(i);
  20.832 -	ssidEntry.steSsidPosition = i;
  20.833 -   	/* Get ste types */
  20.834 -	Enumeration e = ssidEntry.steTypes.elements(); 
  20.835 -	while (e.hasMoreElements())
  20.836 -	{
  20.837 -  	  String typeName = (String) e.nextElement(); 
  20.838 -      	  printDebug (" gSB:: Ssid "+ i+ ": has type : " + typeName);
  20.839 -	  position = ColorTypes.indexOf(typeName);
  20.840 -
  20.841 -	  if (position < 0) 
  20.842 -	  {
  20.843 -      	  	printDebug(" gSB:: Error type : " + typeName + " not found in ColorTypes"); 
  20.844 -		return null; 
  20.845 -	  }
  20.846 -   	  printDebug(" gSB:: type : " + typeName + "  found in ColorTypes at position: " + position); 
  20.847 -	  markPos = ((i * numColorTypes + position) * u16Size) + index;	
  20.848 -
  20.849 -	  try {
  20.850 -	  	writeShortToStream(steBuffer,markSymbol,markPos);
  20.851 -  	  } catch (IOException ee)
  20.852 -  	  {
  20.853 -   	  	System.out.println(" gSB:: got exception : "); 
  20.854 -		return null; 
  20.855 -  	  }
  20.856 -	}
  20.857 -		
  20.858 -  } 
  20.859 -
  20.860 -  printDebug(" gSB:: ste binary  ==> Length " + steBuffer.length); 
  20.861 -  if (debug) 
  20.862 - 	printHex(steBuffer,steBuffer.length);
  20.863 -  printDebug("\n");
  20.864 -
  20.865 -  return steBuffer;
  20.866 - }
  20.867 -
  20.868 - public static  void printHex(byte [] dataArray, int length)
  20.869 - {
  20.870 -  char[] hexChars = {'0', '1', '2', '3', '4', '5', '6', '7',
  20.871 -                '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};
  20.872 -  int hexIndex;
  20.873 -  int value;
  20.874 -  int arraylength;
  20.875 -
  20.876 -  arraylength = length;
  20.877 -
  20.878 -  if (dataArray == null)
  20.879 -  {
  20.880 -        System.err.print("printHex: input byte array is null");
  20.881 -  }
  20.882 -
  20.883 -  if (length > dataArray.length || length < 0)
  20.884 -        arraylength = dataArray.length;
  20.885 -
  20.886 -  System.out.print("\n\t");
  20.887 -
  20.888 -  int i;
  20.889 -  for(i = 0; i < arraylength; )
  20.890 -  {
  20.891 -        value = dataArray[i] & 0xFF;
  20.892 -        hexIndex = (value >>> 4);
  20.893 -        System.out.print(hexChars[hexIndex]);
  20.894 -        hexIndex = (value & 0x0F);
  20.895 -        System.out.print(hexChars[hexIndex]);
  20.896 -
  20.897 -        i++;
  20.898 -        /* if done, print a final newline */
  20.899 -        if (i == arraylength) {
  20.900 -            if (arraylength < dataArray.length) {
  20.901 -                System.out.print("...");
  20.902 -            }
  20.903 -            System.out.println();
  20.904 -        }
  20.905 -        else if ((i % 24) == 0) {
  20.906 -            System.out.print("\n\t");
  20.907 -        }
  20.908 -        else if ((i % 4) == 0) {
  20.909 -                System.out.print(" ");
  20.910 -        }
  20.911 -  }
  20.912 -
  20.913 -  return;
  20.914 - }
  20.915 -
  20.916 -  
  20.917 - private void writeShortToStream(byte[] stream, short value, int index)
  20.918 -  throws IOException
  20.919 - {
  20.920 -  int littleEndian = 0;
  20.921 -  int byteVal;
  20.922 -
  20.923 -  if (index + 2 > stream.length)
  20.924 -  {
  20.925 -      throw new IOException("Writing beyond stream length: " +
  20.926 -                            stream.length + " writing at locations from: " + index + " to " + (index + 4));
  20.927 -  }
  20.928 -
  20.929 -  if (!LittleEndian)
  20.930 -  {
  20.931 -
  20.932 -	byteVal = value >> 8;
  20.933 -	stream[index ] = (byte) byteVal;
  20.934 -
  20.935 -	byteVal = value;
  20.936 -	stream[index + 1] = (byte) byteVal;
  20.937 -  } else {
  20.938 -	stream[index]  = (byte) ((value & 0x00ff) );
  20.939 -	stream[index + 1]  = (byte) ((value & 0xff00) >> 8);
  20.940 - }
  20.941 -  return;
  20.942 - }
  20.943 -
  20.944 - private void writeIntToStream(byte[] stream, int value, int index)
  20.945 -  throws IOException
  20.946 - {
  20.947 -  int littleEndian = 0;
  20.948 -  int byteVal;
  20.949 -
  20.950 -  if (4 > stream.length)
  20.951 -  {
  20.952 -      throw new IOException("writeIntToStream: stream length less than 4 bytes " +
  20.953 -                            stream.length);
  20.954 -  }
  20.955 -
  20.956 -  /* Do not Write beyond range */
  20.957 -  if (index + 4 > stream.length)
  20.958 -  {
  20.959 -      throw new IOException("writeIntToStream: writing beyond stream length: " +
  20.960 -                            stream.length + " writing at locations from: " + index + " to " + (index + 4));
  20.961 -  }
  20.962 -  if (!LittleEndian)
  20.963 -  {
  20.964 -	byteVal = value >>> 24;
  20.965 -	stream[index] = (byte) byteVal;
  20.966 -
  20.967 -	byteVal = value >> 16;
  20.968 -	stream[index + 1] = (byte) byteVal;
  20.969 -
  20.970 -	byteVal = value >> 8;
  20.971 -	stream[index + 2] = (byte) byteVal;
  20.972 -
  20.973 -	byteVal = value;
  20.974 -	stream[index + 3] = (byte) byteVal;
  20.975 -  } else {
  20.976 -	stream[index] = (byte) value;
  20.977 -	stream[index + 1]  = (byte) ((value & 0x0000ff00) >> 8);
  20.978 -	stream[index + 2]  = (byte) ((value & 0x00ff0000) >> 16);
  20.979 -	stream[index + 3] = (byte) ( value >>> 24);
  20.980 -  }
  20.981 -  return;
  20.982 - }
  20.983 -
  20.984 - public Document getDomTree(String xmlFileName)
  20.985 -  throws Exception, SAXException, ParserConfigurationException
  20.986 - {
  20.987 -  javax.xml.parsers.DocumentBuilderFactory dbf = 
  20.988 -	javax.xml.parsers.DocumentBuilderFactory.newInstance();
  20.989 -
  20.990 -  /* Turn on namespace aware and validation */
  20.991 -  dbf.setNamespaceAware(true);	
  20.992 -  dbf.setValidating(true);	
  20.993 -  dbf.setAttribute(JAXP_SCHEMA_LANGUAGE,W3C_XML_SCHEMA);
  20.994 -
  20.995 -  /* Checks that the document is well-formed */
  20.996 -  javax.xml.parsers.DocumentBuilder db = dbf.newDocumentBuilder();
  20.997 -
  20.998 -  myHandler errHandler= new myHandler();
  20.999 -  db.setErrorHandler(errHandler);
 20.1000 -  Document doc = db.parse(xmlFileName);
 20.1001 -
 20.1002 -  /* Checks for validation errors */
 20.1003 -  if (errHandler.isValid)
 20.1004 -       printDebug(" gDT:: Xml file: " + xmlFileName + " is valid");
 20.1005 -   else
 20.1006 -      throw new Exception("Xml file: " + xmlFileName + " is NOT valid");
 20.1007 -
 20.1008 -  return doc;
 20.1009 - }  
 20.1010 -
 20.1011 - public void processDomTree(
 20.1012 -	Document doc,
 20.1013 -	Vector bagOfSsids, 	
 20.1014 -	Vector bagOfTypes, 
 20.1015 -	Vector bagOfChwSsids, 
 20.1016 -	Vector bagOfChwTypes, 
 20.1017 -	Vector bagOfConflictSsids)
 20.1018 -  throws Exception, SAXException, ParserConfigurationException
 20.1019 - {
 20.1020 -  boolean found;
 20.1021 -
 20.1022 -  /* print the root Element */
 20.1023 -  Element root = doc.getDocumentElement();
 20.1024 -  printDebug ("\n pDT:: Document Element: Name = " + root.getNodeName() + ",Value = " + root.getNodeValue());
 20.1025 -
 20.1026 -  /* Go through the list of the root Element's Attributes */
 20.1027 -  NamedNodeMap nnm = root.getAttributes();
 20.1028 -  printDebug (" pDT:: # of Attributes: " + nnm.getLength());
 20.1029 -  for (int i = 0; i < nnm.getLength(); i++)
 20.1030 -  {
 20.1031 -         Node n = nnm.item (i);
 20.1032 -        printDebug (" pDT:: Attribute: Name = " + n.getNodeName() + ", Value = " 
 20.1033 -             + n.getNodeValue());
 20.1034 -  }
 20.1035 -
 20.1036 -  /* Retrieve the policy definition */ 
 20.1037 -  NodeList elementList = root.getElementsByTagName ("url");
 20.1038 -  String definitionFileName = elementList.item(0).getFirstChild().getNodeValue();  
 20.1039 -
 20.1040 -  String definitionHash = null;
 20.1041 -
 20.1042 -  /* Note that SecurityPolicySpec.xsd allows for 0 hash value! */
 20.1043 -  elementList = root.getElementsByTagName ("hash");
 20.1044 -  if (0 != elementList.getLength())
 20.1045 -      	definitionHash = elementList.item(0).getFirstChild().getNodeValue();  
 20.1046 -
 20.1047 -  Document definitionDoc = pGetDomDefinition(definitionFileName,definitionHash);
 20.1048 -  pGetTypes(definitionDoc,bagOfTypes, bagOfChwTypes, bagOfConflictSsids);
 20.1049 -
 20.1050 -
 20.1051 -  /* Get VM security information */
 20.1052 -  elementList = root.getElementsByTagName ("VM");
 20.1053 -  printDebug ("\n pDT:: partition length of NodeList:" + elementList.getLength());
 20.1054 -  /* Add default Ssid to Ste and Chw bags */			
 20.1055 -  SecurityLabel defEntry = new SecurityLabel();
 20.1056 -
 20.1057 -  defEntry.chwTypes = new Vector();
 20.1058 -  defEntry.steTypes = new Vector();
 20.1059 -  defEntry.chwIDs = new Vector();
 20.1060 -  defEntry.ids = new Vector();
 20.1061 -
 20.1062 -  defEntry.steSsidPosition =0;
 20.1063 -  defEntry.chwSsidPosition =0;
 20.1064 -  bagOfChwSsids.add(defEntry);
 20.1065 -  bagOfSsids.add(defEntry);
 20.1066 -
 20.1067 -  for (int x = 0; x < elementList.getLength(); x++)
 20.1068 -  {
 20.1069 -	found = false;
 20.1070 -
 20.1071 -        Node node = elementList.item (x);          
 20.1072 -
 20.1073 -	if (node.getNodeType() == Node.ELEMENT_NODE)
 20.1074 -	{
 20.1075 -	  printDebug (" pDT:: child: " + x + " is an element node" );
 20.1076 -	  Element e1 = (Element) node;
 20.1077 -
 20.1078 -  	  /* Get id */
 20.1079 -      	  NodeList elist = e1.getElementsByTagName ("id");
 20.1080 -      	  String idStr = elist.item(0).getFirstChild().getNodeValue();  
 20.1081 -      	  printDebug (" pDT:: id:" + idStr);
 20.1082 -
 20.1083 -	  /* Get TE */
 20.1084 -	  Vector colorTypes = new Vector();
 20.1085 -	  pConflictEntries(e1, "TE", bagOfTypes, colorTypes);
 20.1086 -
 20.1087 -	  Enumeration e = bagOfSsids.elements();
 20.1088 -	  while (e.hasMoreElements())
 20.1089 -	  {
 20.1090 -		SecurityLabel elem = (SecurityLabel) e.nextElement(); 
 20.1091 -		if ( elem.steTypes.size() == colorTypes.size() && elem.steTypes.containsAll(colorTypes))
 20.1092 -		{
 20.1093 -		  found = true;
 20.1094 -		  elem.ids.add(idStr);
 20.1095 -		}
 20.1096 -		
 20.1097 -	  }
 20.1098 -		if (!found && (0 < colorTypes.size()))
 20.1099 -		{
 20.1100 -		 SecurityLabel entry = new SecurityLabel();
 20.1101 -		 entry.steTypes = colorTypes;
 20.1102 -		 entry.ids = new Vector();
 20.1103 -		 entry.ids.add(idStr);
 20.1104 -		 bagOfSsids.add(entry);
 20.1105 -		}
 20.1106 -
 20.1107 -		/* Get Chinese wall type */
 20.1108 -	 	Vector chwTypes = new Vector();
 20.1109 -		pConflictEntries(e1, "ChWall", bagOfChwTypes, chwTypes);
 20.1110 -
 20.1111 -	        found = false;
 20.1112 -		e = bagOfChwSsids.elements();
 20.1113 -
 20.1114 -		while (e.hasMoreElements())
 20.1115 -		{
 20.1116 -  		  SecurityLabel elem = (SecurityLabel) e.nextElement(); 
 20.1117 -		  if ( elem.chwTypes.size() == chwTypes.size() && elem.chwTypes.containsAll(chwTypes))
 20.1118 -		  {
 20.1119 -		    found = true;
 20.1120 -		    elem.chwIDs.add(idStr);
 20.1121 -		  }
 20.1122 -		
 20.1123 -		}
 20.1124 -
 20.1125 -		if (!found && (0 < chwTypes.size()))
 20.1126 -		{
 20.1127 -		 SecurityLabel entry = new SecurityLabel();
 20.1128 -		 entry.chwTypes = chwTypes;
 20.1129 -		 entry.chwIDs = new Vector();
 20.1130 -		 entry.chwIDs.add(idStr);
 20.1131 -		 bagOfChwSsids.add(entry);
 20.1132 -		}
 20.1133 -      }
 20.1134 -  } 
 20.1135 -  return;
 20.1136 - }
 20.1137 -
 20.1138 - public Document pGetDomDefinition(
 20.1139 -	String definitionFileName, 
 20.1140 -	String definitionHash) 
 20.1141 -  throws Exception, SAXException, ParserConfigurationException
 20.1142 - {
 20.1143 -  printDebug("\n pGDD:: definition file name: " + definitionFileName);
 20.1144 -  printDebug("\n pGDD:: definition file hash: " + definitionHash);
 20.1145 -  
 20.1146 -  Document doc =  getDomTree(definitionFileName);
 20.1147 -  return doc; 
 20.1148 - }
 20.1149 -
 20.1150 - public void pGetTypes(
 20.1151 -	Document defDoc,
 20.1152 -	Vector bagOfTypes, 
 20.1153 -	Vector bagOfChwTypes, 
 20.1154 -	Vector bagOfConflictSsids)
 20.1155 -  throws Exception
 20.1156 - {
 20.1157 -
 20.1158 -
 20.1159 -  if (null == defDoc)
 20.1160 -      throw new Exception(" pGT:: definition file DOM is null ");
 20.1161 -
 20.1162 -  Element root = defDoc.getDocumentElement();
 20.1163 -
 20.1164 -  /* Get list of TE types */
 20.1165 -  NodeList elementList = root.getElementsByTagName ("Types");
 20.1166 -  printDebug ("\n pGT:: Types length of NodeList:" + elementList.getLength());
 20.1167 -  Element e1 = (Element) elementList.item (0);          
 20.1168 -  pGetEntries(e1,"TE",bagOfTypes);
 20.1169 -
 20.1170 -  /* Get list of Chinese types */
 20.1171 -  elementList = root.getElementsByTagName ("ChWallTypes");
 20.1172 -  printDebug ("\n pGT:: ChwTypes length of NodeList:" + elementList.getLength());
 20.1173 -  if (0 ==  elementList.getLength())
 20.1174 -  {
 20.1175 -  	printDebug ("\n pGT:: ChWallTypes has zero length: :" + elementList.getLength());
 20.1176 -  } else {
 20.1177 -	e1 = (Element) elementList.item (0);          
 20.1178 -	pGetEntries(e1,"ChWall",bagOfChwTypes);
 20.1179 -  }
 20.1180 -  printDebug (" pGT:: Total number of unique chw types: " + bagOfChwTypes.size());
 20.1181 -
 20.1182 -  /* Get Chinese type conflict sets */
 20.1183 -  elementList = root.getElementsByTagName ("ConflictSet");
 20.1184 -  printDebug ("\n pGT:: Conflict sets length of NodeList:" + elementList.getLength());
 20.1185 -  for (int x = 0; x < elementList.getLength(); x++)
 20.1186 -  {
 20.1187 - 	Vector conflictEntry  = new Vector();
 20.1188 -  	e1 = (Element) elementList.item (x);          
 20.1189 -  	printDebug ("\n pGT:: Conflict sets : " + x);
 20.1190 -
 20.1191 -	pConflictEntries(e1, "ChWall", bagOfChwTypes, conflictEntry);
 20.1192 -
 20.1193 -	if (conflictEntry.size() > 0)
 20.1194 -	{
 20.1195 -	  boolean found = false;
 20.1196 -	  Enumeration e = bagOfConflictSsids.elements();
 20.1197 -	
 20.1198 -	  while (e.hasMoreElements())
 20.1199 -	  {
 20.1200 -		Vector elem = (Vector) e.nextElement(); 
 20.1201 -		if (elem.size() == conflictEntry.size() && elem.containsAll(conflictEntry))
 20.1202 -	  	{
 20.1203 -	    	  found = true;
 20.1204 -	  	}
 20.1205 -		
 20.1206 -	  }
 20.1207 -	  if (!found)
 20.1208 -	  {
 20.1209 -		bagOfConflictSsids.add(conflictEntry);
 20.1210 -	  }
 20.1211 -  	}
 20.1212 -  }
 20.1213 -
 20.1214 - }
 20.1215 -
 20.1216 - public void  pGetEntries(Element doc, String tag, Vector typeBag)
 20.1217 -  throws Exception
 20.1218 - {
 20.1219 -
 20.1220 -  if (null == doc)
 20.1221 -      throw new Exception(" pGE:: Element doc is null");
 20.1222 -
 20.1223 -  if (null == typeBag)
 20.1224 -      throw new Exception(" pGE:: typeBag  is null");
 20.1225 -
 20.1226 -  NodeList elist = doc.getElementsByTagName (tag);
 20.1227 -  for (int j = 0; j < elist.getLength(); j++)
 20.1228 -  {
 20.1229 -  	Node knode = elist.item (j);          
 20.1230 -       	Node childNode = knode.getFirstChild();     
 20.1231 -       	String value = childNode.getNodeValue();
 20.1232 -
 20.1233 -	printDebug (" pGT:: "+ tag +" type: " + value);
 20.1234 -
 20.1235 -        /* Check if value is known */
 20.1236 -	if (!typeBag.contains(value))
 20.1237 -		typeBag.addElement(value);
 20.1238 -  }
 20.1239 - }
 20.1240 -
 20.1241 - public void  pConflictEntries(Element doc, String tag, Vector typeBag, Vector conflictEntry)
 20.1242 -  throws Exception
 20.1243 - {
 20.1244 -
 20.1245 -  if (null == doc)
 20.1246 -      throw new Exception(" pGE:: Element doc is null");
 20.1247 -
 20.1248 -  if (null == typeBag)
 20.1249 -      throw new Exception(" pGE:: typeBag  is null");
 20.1250 -
 20.1251 -  if (null == conflictEntry)
 20.1252 -      throw new Exception(" pGE:: typeBag  is null");
 20.1253 -
 20.1254 -
 20.1255 -  NodeList elist = doc.getElementsByTagName (tag);
 20.1256 -
 20.1257 -  for (int j = 0; j < elist.getLength(); j++)
 20.1258 -  {
 20.1259 -  	Node knode = elist.item (j);          
 20.1260 -       	Node childNode = knode.getFirstChild();     
 20.1261 -       	String value = childNode.getNodeValue();
 20.1262 -
 20.1263 -	printDebug (" pGE:: "+ tag +" type: " + value);
 20.1264 -
 20.1265 -        /* Check if value is known */
 20.1266 -	if (!typeBag.contains(value))
 20.1267 -      		throw new Exception(" pCE:: found undefined type set " + value);
 20.1268 -
 20.1269 -	if (!conflictEntry.contains(value))
 20.1270 -		conflictEntry.addElement(value);
 20.1271 -
 20.1272 -  }
 20.1273 - }
 20.1274 -
 20.1275 -  public void processDomTreeVlanSlot(
 20.1276 -	Document doc,
 20.1277 -	Vector bagOfSsids, 	
 20.1278 -	Vector bagOfTypes) 	
 20.1279 -  throws Exception
 20.1280 - {
 20.1281 -      boolean found;
 20.1282 -
 20.1283 -  printDebug(" pDTVS::Size of bagOfSsids: "+ bagOfSsids.size());
 20.1284 -  Element root = doc.getDocumentElement();
 20.1285 -
 20.1286 -  NodeList elementList = root.getElementsByTagName ("Vlan");
 20.1287 -  printDebug("\n pDTVS:: Vlan length of NodeList:" + elementList.getLength());
 20.1288 -
 20.1289 -  for (int x = 0; x < elementList.getLength(); x++)
 20.1290 -  {
 20.1291 -	found = false;
 20.1292 -
 20.1293 -        Node node = elementList.item (x);          
 20.1294 -
 20.1295 -	if (node.getNodeType() == Node.ELEMENT_NODE)
 20.1296 -	{
 20.1297 -	  printDebug(" pDTVS:: child: " + x + " is an element node" );
 20.1298 -	  Element e1 = (Element) node;
 20.1299 -
 20.1300 -	  /* Get vid */
 20.1301 -      	  NodeList elist = e1.getElementsByTagName ("vid");
 20.1302 -      	  String idStr = elist.item(0).getFirstChild().getNodeValue();  
 20.1303 -      	  printDebug (" pDTVS:: vid:" + idStr);
 20.1304 -
 20.1305 -	  /* Get TE */
 20.1306 -      	  elist = e1.getElementsByTagName ("TE");
 20.1307 -          printDebug (" pDTVS:: Total ste types: " + elist.getLength());
 20.1308 -
 20.1309 -	  Vector colorTypes = new Vector();
 20.1310 -	  for (int j = 0; j < elist.getLength(); j++)
 20.1311 -	  {
 20.1312 -		Node knode = elist.item (j);          
 20.1313 -        	Node childNode = knode.getFirstChild();     
 20.1314 -        	String value = childNode.getNodeValue();
 20.1315 -
 20.1316 -		printDebug (" pDT:: My color is: " + value);
 20.1317 -		if (!bagOfTypes.contains(value))
 20.1318 -		{
 20.1319 -      		  throw new IOException("pDT:: Vlan: " + idStr+ " has unknown type : "+ value);
 20.1320 -		}
 20.1321 -
 20.1322 -		if (!colorTypes.contains(value))
 20.1323 -		  colorTypes.addElement(value);
 20.1324 -	  }
 20.1325 -	  Enumeration e = bagOfSsids.elements();
 20.1326 -	  while (e.hasMoreElements())
 20.1327 -	  {
 20.1328 -		SecurityLabel elem = (SecurityLabel) e.nextElement(); 
 20.1329 -		if ( elem.steTypes.size() == colorTypes.size() && elem.steTypes.containsAll(colorTypes))
 20.1330 -		{
 20.1331 -		  found = true;
 20.1332 -		  if (null == elem.vlans)
 20.1333 -			elem.vlans = new Vector();
 20.1334 -		   elem.vlans.add(idStr);
 20.1335 -		}
 20.1336 -		
 20.1337 -	  }
 20.1338 -	  if (!found && (0 < colorTypes.size()))
 20.1339 -	  {
 20.1340 -		 SecurityLabel entry = new SecurityLabel();
 20.1341 -		 entry.steTypes = colorTypes;
 20.1342 -		 entry.vlans = new Vector();
 20.1343 -		 entry.vlans.add(idStr);
 20.1344 -		 bagOfSsids.add(entry);
 20.1345 -	  }
 20.1346 -
 20.1347 -	}
 20.1348 -  } 
 20.1349 -  printDebug(" pDTVS::After slot Size of bagOfSsids: "+ bagOfSsids.size());
 20.1350 -
 20.1351 -  elementList = root.getElementsByTagName ("Slot");
 20.1352 -  printDebug ("\n pDTVS:: Slot length of NodeList:" + elementList.getLength());
 20.1353 -
 20.1354 -  for (int x = 0; x < elementList.getLength(); x++)
 20.1355 -  {
 20.1356 -	found = false;
 20.1357 -
 20.1358 -        Node node = elementList.item (x);          
 20.1359 -
 20.1360 -	if (node.getNodeType() == Node.ELEMENT_NODE)
 20.1361 -	{
 20.1362 -	  printDebug(" pDT:: child: " + x + " is an element node" );
 20.1363 -	  Element e1 = (Element) node;
 20.1364 -
 20.1365 -
 20.1366 -	  /* Get slot and bus */
 20.1367 -	  SlotInfo item = new SlotInfo();
 20.1368 -
 20.1369 -	  NodeList elist = e1.getElementsByTagName ("bus");
 20.1370 -	  item.bus = elist.item(0).getFirstChild().getNodeValue();  
 20.1371 -      	  elist = e1.getElementsByTagName ("slot");
 20.1372 -      	  item.slot = elist.item(0).getFirstChild().getNodeValue();  
 20.1373 -      	  printDebug (" pDT:: bus and slot:" + item.bus + " "+ item.slot);
 20.1374 -
 20.1375 -	  /* Get TE */
 20.1376 -      	  elist = e1.getElementsByTagName ("TE");
 20.1377 -          printDebug (" pDT:: Total ste types: " + elist.getLength());
 20.1378 -
 20.1379 -	  Vector colorTypes = new Vector();
 20.1380 -	  for (int j = 0; j < elist.getLength(); j++)
 20.1381 -	  {
 20.1382 -        	Node knode = elist.item (j);          
 20.1383 -        	Node childNode = knode.getFirstChild();     
 20.1384 -        	String value = childNode.getNodeValue();
 20.1385 -
 20.1386 -		printDebug (" pDT:: My color is: " + value);
 20.1387 -		if (!bagOfTypes.contains(value))
 20.1388 -		{
 20.1389 -		  throw new IOException("pDT:: bus: " + item.bus + " slot: "+ item.slot + " has unknown type : "+ value);
 20.1390 -		}
 20.1391 -
 20.1392 -		if (!colorTypes.contains(value))
 20.1393 -		  colorTypes.addElement(value);
 20.1394 -		}
 20.1395 -
 20.1396 -		Enumeration e = bagOfSsids.elements();
 20.1397 -		while (e.hasMoreElements())
 20.1398 -		{
 20.1399 -  		  SecurityLabel elem = (SecurityLabel) e.nextElement(); 
 20.1400 -		  if ( elem.steTypes.size() == colorTypes.size() && elem.steTypes.containsAll(colorTypes))
 20.1401 -		  {
 20.1402 -			found = true;
 20.1403 -			if (null == elem.slots)
 20.1404 -			  elem.slots = new Vector();
 20.1405 -			elem.slots.add(item);
 20.1406 -
 20.1407 -		  }
 20.1408 -		
 20.1409 -		}
 20.1410 -
 20.1411 -		if (!found && (0 < colorTypes.size()))
 20.1412 -		{
 20.1413 -		  SecurityLabel entry = new SecurityLabel();
 20.1414 -		  entry.steTypes = colorTypes;
 20.1415 -		  entry.slots = new Vector();
 20.1416 -		  entry.slots.add(item);
 20.1417 -		  bagOfSsids.add(entry);
 20.1418 -		}
 20.1419 -
 20.1420 -	}
 20.1421 -  }
 20.1422 -  return;
 20.1423 - }
 20.1424 -
 20.1425 - public static void main (String[] args) 
 20.1426 - {
 20.1427 -  String xmlFileName = null;        	/* policy file */ 
 20.1428 -  String outputFileName = null;     	/* binary policy file */
 20.1429 -  String xenSsidOutputFileName = null; 	/* outputfile ssid to named types */	
 20.1430 -					/* outputfile conflicts ssid to named types */	
 20.1431 -  String xenSsidConfOutputFileName = null; 	
 20.1432 -
 20.1433 -  XmlToBin genObj = new XmlToBin(); 
 20.1434 -
 20.1435 -  policy_version active_policy = new policy_version();
 20.1436 -
 20.1437 -  if ((active_policy.ACM_POLICY_VERSION != ACM_POLICY_VERSION) ||
 20.1438 -      (active_policy.ACM_CHWALL_VERSION != ACM_CHWALL_VERSION) ||
 20.1439 -      (active_policy.ACM_STE_VERSION != ACM_STE_VERSION)) {
 20.1440 -	  System.out.println("ACM policy versions differ.");
 20.1441 -	  System.out.println("Please verify that data structures are correct");
 20.1442 -	  System.out.println("and then adjust the version numbers in XmlToBinInterface.java.");
 20.1443 -	  return;
 20.1444 -  }
 20.1445 -
 20.1446 -
 20.1447 -  for (int i = 0 ; i < args.length ; i++) {
 20.1448 -
 20.1449 -	if ( args[i].equals("-help"))  {
 20.1450 -          printUsage();
 20.1451 -          System.exit(1);
 20.1452 -
 20.1453 -        } else if ( args[i].equals("-i"))  {
 20.1454 -          i++;
 20.1455 -          if (i < args.length) {
 20.1456 -               xmlFileName = args[i];   
 20.1457 -          } else  {
 20.1458 -                System.out.println("-i argument needs parameter");
 20.1459 -                System.exit(1);
 20.1460 -          }
 20.1461 -
 20.1462 -	} else if ( args[i].equals("-o"))  {
 20.1463 -          i++;
 20.1464 -          if (i < args.length) {
 20.1465 -                outputFileName = args[i];   
 20.1466 -          } else {
 20.1467 -                System.out.println("-o argument needs parameter");
 20.1468 -                System.exit(1);
 20.1469 -          }
 20.1470 -
 20.1471 -	} else if ( args[i].equals("-xssid"))  {
 20.1472 -          i++;
 20.1473 -          if (i < args.length) {
 20.1474 -                 xenSsidOutputFileName = args[i];   
 20.1475 -          } else {
 20.1476 -                System.out.println("-xssid argument needs parameter");
 20.1477 -                System.exit(1);
 20.1478 -          }
 20.1479 -
 20.1480 -	} else if ( args[i].equals("-xssidconf"))  {
 20.1481 -          i++;
 20.1482 -          if (i < args.length) {
 20.1483 -                xenSsidConfOutputFileName = args[i]; 
 20.1484 -          } else {
 20.1485 -                System.out.println("-xssidconf argument needs parameter");
 20.1486 -                System.exit(1);
 20.1487 -          }
 20.1488 -	} else if ( args[i].equals("-debug"))  { /* turn on debug msg */
 20.1489 -	 	genObj.setDebug(true);
 20.1490 -        } else {
 20.1491 -          System.out.println("bad command line argument: " + args[i]);
 20.1492 -          printUsage();
 20.1493 -          System.exit(1);
 20.1494 -        }
 20.1495 -
 20.1496 -  }
 20.1497 -
 20.1498 -  if (xmlFileName == null)
 20.1499 -  { 
 20.1500 -	System.out.println("Need to specify input file -i option");
 20.1501 -        printUsage();
 20.1502 -        System.exit(1);
 20.1503 -  }
 20.1504 -
 20.1505 -
 20.1506 -  try 
 20.1507 -  {
 20.1508 -	/* Parse and validate */
 20.1509 - 	Document doc =  genObj.getDomTree(xmlFileName);
 20.1510 -
 20.1511 -	/* Vectors to hold sets of types */
 20.1512 -	Vector bagOfSsids = new Vector();
 20.1513 -	Vector bagOfTypes = new Vector();
 20.1514 -	Vector bagOfChwSsids = new Vector();
 20.1515 -	Vector bagOfChwTypes = new Vector();
 20.1516 -	Vector bagOfConflictSsids = new Vector();
 20.1517 -
 20.1518 -	Vector vlanMapSsids = new Vector();
 20.1519 -	Vector slotMapSsids = new Vector();
 20.1520 -
 20.1521 -	genObj.processDomTree(doc, bagOfSsids, bagOfTypes, bagOfChwSsids, bagOfChwTypes, bagOfConflictSsids);
 20.1522 -
 20.1523 -	genObj.processDomTreeVlanSlot(doc, bagOfSsids, bagOfTypes);
 20.1524 -
 20.1525 -	/* Get binary representation of policies */
 20.1526 -  	byte[] stePolicy = genObj.generateSteBuffer(bagOfSsids, bagOfTypes);
 20.1527 -  	byte[] chwPolicy = genObj.generateChwBuffer(bagOfChwSsids, bagOfConflictSsids,bagOfChwTypes);
 20.1528 -
 20.1529 -  	byte[] binPolicy = null;
 20.1530 - 	byte[] binaryPartionSsid = null;
 20.1531 -  	byte[] binaryVlanSsid = null;
 20.1532 -  	byte[] binarySlotSsid = null;
 20.1533 -
 20.1534 -	/* Get binary representation of partition to ssid mapping */
 20.1535 -  	binaryPartionSsid = genObj.generatePartSsids(bagOfSsids,bagOfChwSsids);
 20.1536 -
 20.1537 -	/* Get binary representation of vlan to ssid mapping */
 20.1538 -  	binaryVlanSsid = genObj.generateVlanSsids(bagOfSsids);
 20.1539 -
 20.1540 -	/* Get binary representation of slot to ssid mapping */
 20.1541 -  	binarySlotSsid = genObj.generateSlotSsids(bagOfSsids);
 20.1542 -
 20.1543 -	/* Generate binary representation: policy, partition, slot and vlan */
 20.1544 -  	binPolicy = genObj.GenBinaryPolicyBuffer(chwPolicy,stePolicy, binaryPartionSsid, binaryVlanSsid, binarySlotSsid);
 20.1545 -
 20.1546 -
 20.1547 -	/* Write binary policy into file */
 20.1548 -	if (null != outputFileName)
 20.1549 -	{
 20.1550 -  		genObj.writeBinPolicy(binPolicy, outputFileName);
 20.1551 -	} else {
 20.1552 -		System.out.println (" No binary policy generated, outputFileName:  " + outputFileName);
 20.1553 -	}
 20.1554 -
 20.1555 -	/* Print total number of types */
 20.1556 -	System.out.println (" Total number of unique ste types: " + bagOfTypes.size());
 20.1557 -	System.out.println (" Total number of Ssids : " + bagOfSsids.size());
 20.1558 -	System.out.println (" Total number of unique chw types: " + bagOfChwTypes.size());
 20.1559 -	System.out.println (" Total number of conflict ssids : " + bagOfConflictSsids.size());
 20.1560 -	System.out.println (" Total number of chw Ssids : " + bagOfChwSsids.size());
 20.1561 -
 20.1562 -   	if (null != xenSsidOutputFileName)
 20.1563 -  		genObj.writeXenTypeFile(bagOfSsids, xenSsidOutputFileName, true);
 20.1564 -
 20.1565 -   	if (null != xenSsidConfOutputFileName)
 20.1566 -  		genObj.writeXenTypeFile(bagOfChwSsids, xenSsidConfOutputFileName, false);
 20.1567 -    } 
 20.1568 -    catch (Exception e) 
 20.1569 -    {
 20.1570 -      e.printStackTrace();
 20.1571 -    }
 20.1572 -  }
 20.1573 -}
    21.1 --- a/tools/misc/policyprocessor/XmlToBinInterface.java	Fri Aug 19 12:21:29 2005 +0000
    21.2 +++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
    21.3 @@ -1,138 +0,0 @@
    21.4 -/**
    21.5 - * (C) Copyright IBM Corp. 2005
    21.6 - *
    21.7 - * $Id: XmlToBinInterface.java,v 1.3 2005/06/20 21:07:37 rvaldez Exp $
    21.8 - *
    21.9 - * Author: Ray Valdez
   21.10 - *
   21.11 - * This program is free software; you can redistribute it and/or
   21.12 - * modify it under the terms of the GNU General Public License as
   21.13 - * published by the Free Software Foundation, version 2 of the
   21.14 - * License.
   21.15 - *
   21.16 - * XmlToBinInterface Class.  
   21.17 - * <p>
   21.18 - *
   21.19 - * Defines constants used by XmToBin.
   21.20 - *
   21.21 - * <p>
   21.22 - *
   21.23 - *	policy binary structures
   21.24 - *
   21.25 - * struct acm_policy_buffer {
   21.26 - *	u32 policy_version; * ACM_POLICY_VERSION *
   21.27 - *      u32 magic;
   21.28 - *	u32 len;
   21.29 - *	u32 primary_policy_code;
   21.30 - *	u32 primary_buffer_offset;
   21.31 - *	u32 secondary_policy_code;
   21.32 - *	u32 secondary_buffer_offset;
   21.33 - *      +u32 resource offset (not used yet in Xen)
   21.34 - * };
   21.35 - *
   21.36 - *
   21.37 - * struct acm_ste_policy_buffer {
   21.38 - *	u32 policy_version; * ACM_STE_VERSION *
   21.39 - *	u32 policy_code;
   21.40 - *	u32 ste_max_types;
   21.41 - *	u32 ste_max_ssidrefs;
   21.42 - *	u32 ste_ssid_offset;
   21.43 - * };
   21.44 - *
   21.45 - * struct acm_chwall_policy_buffer {
   21.46 - *	u32 policy_version; * ACM_CHWALL_VERSION *
   21.47 - *	u32 policy_code;
   21.48 - *	u32 chwall_max_types;
   21.49 - *	u32 chwall_max_ssidrefs;
   21.50 - *	u32 chwall_max_conflictsets;
   21.51 - *	u32 chwall_ssid_offset;
   21.52 - *	u32 chwall_conflict_sets_offset;
   21.53 - *	u32 chwall_running_types_offset;
   21.54 - *	u32 chwall_conflict_aggregate_offset;
   21.55 - * };
   21.56 - *
   21.57 - *	typedef struct {
   21.58 - *	u16 partition_max;
   21.59 - *	u16 partition_offset;
   21.60 - *	u16 vlan_max;
   21.61 - *	u16 vlan_offset;
   21.62 - *	u16 slot_max;
   21.63 - *	u16 slot_offset;
   21.64 - *	} acm_resource_buffer_t;
   21.65 - *
   21.66 - *	typedef struct {
   21.67 - *	u16 id;
   21.68 - *	u16 ssid_ste;
   21.69 - *	u16 ssid_chwall;
   21.70 - *	} acm_partition_entry_t;
   21.71 - *
   21.72 - *	typedef struct {
   21.73 - *	u16 vlan;
   21.74 - *	u16 ssid_ste;
   21.75 - *	} acm_vlan_entry_t;
   21.76 - *
   21.77 - *	typedef struct {
   21.78 - *	u16 bus;
   21.79 - *	u16 slot;
   21.80 - *	u16 ssid_ste;
   21.81 - *	} acm_slot_entry_t;
   21.82 - *
   21.83 - *       
   21.84 - *
   21.85 - */
   21.86 -public interface XmlToBinInterface
   21.87 -{
   21.88 -  /* policy code  (uint16) */
   21.89 -  final int policyCodeSize = 2;
   21.90 -
   21.91 -  /* max_types    (uint16) */
   21.92 -  final int maxTypesSize = 2;
   21.93 -
   21.94 -  /* max_ssidrefs (uint16) */
   21.95 -  final int maxSsidrefSize = 2;
   21.96 -
   21.97 -  /* ssid_offset  (uint32) */
   21.98 -  final int ssidOffsetSize = 2;
   21.99 -
  21.100 -  final short markSymbol = 0x0001;
  21.101 -
  21.102 -  final int u32Size = 4;
  21.103 -  final int u16Size = 2;
  21.104 -
  21.105 -  /* num of bytes for acm_ste_policy_buffer_t */
  21.106 -  final int steHeaderSize = (5 * u32Size);
  21.107 -
  21.108 -  /* byte for acm_chinese_wall_policy_buffer_t */
  21.109 -  final int chwHeaderSize = (9 * u32Size);
  21.110 -
  21.111 -  final int primaryPolicyCodeSize = u32Size;
  21.112 -  final int primaryBufferOffsetSize = u32Size ;
  21.113 -
  21.114 -  final int secondaryPolicyCodeSz = u32Size;
  21.115 -  final int secondaryBufferOffsetSz = u32Size;
  21.116 -  final int resourceOffsetSz = u32Size;
  21.117 -
  21.118 -  final short partitionBufferSz = (2 * u16Size);
  21.119 -  final short partitionEntrySz = (3 * u16Size);
  21.120 -
  21.121 -  final short slotBufferSz = (2 * u16Size);
  21.122 -  final short slotEntrySz = (3 * u16Size);
  21.123 -
  21.124 -  final short vlanBufferSz = (2 * u16Size);
  21.125 -  final short vlanEntrySz = (2 * u16Size);
  21.126 -
  21.127 -  final int binaryBufferHeaderSz = (8 * u32Size); /* 8th not used in Xen */
  21.128 -
  21.129 -  /* copied directly from acm.h */
  21.130 -  final int ACM_MAGIC  =  0x0001debc;
  21.131 -  final int ACM_NULL_POLICY = 0;
  21.132 -  final int ACM_CHINESE_WALL_POLICY = 1;
  21.133 -  final int ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY = 2;
  21.134 -  final int ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY = 3;
  21.135 -  final int ACM_EMPTY_POLICY = 4;
  21.136 -
  21.137 -  /* version for compatibility check */
  21.138 -  final int ACM_POLICY_VERSION = 1;
  21.139 -  final int ACM_STE_VERSION    = 1;
  21.140 -  final int ACM_CHWALL_VERSION = 1;
  21.141 -}
    22.1 --- a/tools/misc/policyprocessor/c2j_include.c	Fri Aug 19 12:21:29 2005 +0000
    22.2 +++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
    22.3 @@ -1,57 +0,0 @@
    22.4 -/****************************************************************
    22.5 - * c2j_include.c
    22.6 - *
    22.7 - * Copyright (C) 2005 IBM Corporation
    22.8 - *
    22.9 - * Authors:
   22.10 - * Reiner Sailer <sailer@watson.ibm.com>
   22.11 - *
   22.12 - * This program is free software; you can redistribute it and/or
   22.13 - * modify it under the terms of the GNU General Public License as
   22.14 - * published by the Free Software Foundation, version 2 of the
   22.15 - * License.
   22.16 - *
   22.17 - * This tool makes some constants from acm.h available to the
   22.18 - * java policyprocessor for version checking.
   22.19 - */
   22.20 -#include <stdio.h>
   22.21 -#include <errno.h>
   22.22 -#include <stdlib.h>
   22.23 -#include <stdint.h>
   22.24 -
   22.25 -typedef uint8_t  u8;
   22.26 -typedef uint16_t u16;
   22.27 -typedef uint32_t u32;
   22.28 -typedef uint64_t u64;
   22.29 -typedef int8_t   s8;
   22.30 -typedef int16_t  s16;
   22.31 -typedef int32_t  s32;
   22.32 -typedef int64_t  s64;
   22.33 -
   22.34 -#include <xen/acm.h>
   22.35 -
   22.36 -char *filename = "policy_version.java";
   22.37 -
   22.38 -int main(int argc, char **argv)
   22.39 -{
   22.40 -
   22.41 -    FILE *fd;
   22.42 -    if ((fd = fopen(filename, "w")) <= 0)
   22.43 -    {
   22.44 -        printf("File %s not found.\n", filename);
   22.45 -        exit(-ENOENT);
   22.46 -    }
   22.47 -
   22.48 -    fprintf(fd, "/*\n * This file was automatically generated\n");
   22.49 -    fprintf(fd, " * Do not change it manually!\n */\n");
   22.50 -    fprintf(fd, "public class policy_version {\n");
   22.51 -    fprintf(fd, "	final int ACM_POLICY_VERSION = %x;\n",
   22.52 -            ACM_POLICY_VERSION);
   22.53 -    fprintf(fd, "	final int ACM_CHWALL_VERSION = %x;\n",
   22.54 -            ACM_CHWALL_VERSION);
   22.55 -    fprintf(fd, "	final int ACM_STE_VERSION = %x;\n",
   22.56 -            ACM_STE_VERSION);
   22.57 -    fprintf(fd, "}\n");
   22.58 -    fclose(fd);
   22.59 -    return 0;
   22.60 -}
    23.1 --- a/tools/misc/policyprocessor/myHandler.java	Fri Aug 19 12:21:29 2005 +0000
    23.2 +++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
    23.3 @@ -1,47 +0,0 @@
    23.4 -/**
    23.5 - * (C) Copyright IBM Corp. 2005
    23.6 - *
    23.7 - * $Id: myHandler.java,v 1.2 2005/06/17 20:00:04 rvaldez Exp $
    23.8 - *
    23.9 - * Author: Ray Valdez
   23.10 - *
   23.11 - * This program is free software; you can redistribute it and/or
   23.12 - * modify it under the terms of the GNU General Public License as
   23.13 - * published by the Free Software Foundation, version 2 of the
   23.14 - * License.
   23.15 - *
   23.16 - * myHandler Class.  
   23.17 - *
   23.18 - * <p>
   23.19 - *
   23.20 - * A dummy class used for detecting XML validating/parsing errors.
   23.21 - *
   23.22 - * <p>
   23.23 - *
   23.24 - *
   23.25 - */
   23.26 -import org.xml.sax.helpers.*;
   23.27 -import org.xml.sax.SAXParseException;
   23.28 -
   23.29 -class myHandler extends DefaultHandler 
   23.30 -{ 
   23.31 - public boolean isValid = true;
   23.32 -
   23.33 - /* Notification of a recoverable error. */
   23.34 - public void error(SAXParseException se) 
   23.35 - { 
   23.36 -  isValid = false;
   23.37 - } 
   23.38 -
   23.39 - /* Notification of a non-recoverable error. */
   23.40 - public void fatalError(SAXParseException se) 
   23.41 - { 
   23.42 -  isValid = false;
   23.43 - } 
   23.44 -
   23.45 - /* Notification of a warning. */
   23.46 - public void warning(SAXParseException se) 
   23.47 - {
   23.48 -  isValid = false;
   23.49 - }
   23.50 -}
    24.1 --- a/tools/misc/policyprocessor/readme.install	Fri Aug 19 12:21:29 2005 +0000
    24.2 +++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
    24.3 @@ -1,33 +0,0 @@
    24.4 -# Author: Ray Valdez, rvaldez@us.ibm.com 
    24.5 -# Version: 1.0
    24.6 -#
    24.7 -# install readme
    24.8 -#
    24.9 -PREREQUISITES:
   24.10 -
   24.11 -Prior to installation of the policy processor tool (XmlToBin) you must have...
   24.12 -
   24.13 - 1. Java version 1.4.2
   24.14 - 2. xmlParserAPIs.jar and xercesImpl.jar
   24.15 -
   24.16 -The above can be obtained from the Sun Developer Network web site at
   24.17 -http://java.sun.com/j2se/1.4.2/download.html.
   24.18 -
   24.19 -XmlParserAPIs and xercesImpl jars can be obtained from
   24.20 -http://www.apache.org/dist/xml/xerces-j (Xerces-J-bin.2.6.2.tar.gz,
   24.21 -for example).
   24.22 -
   24.23 -The tool has been tested with J2SE v1.4.2_08 JRE on Linux (32-bit
   24.24 -INTEL).
   24.25 -
   24.26 -INSTALLATION
   24.27 -
   24.28 -1. Set PATH to include $HOME_JAVA/bin and $HOME_JAVA/jre/bin
   24.29 -   where $HOME_JAVA is your java installation directory
   24.30 -
   24.31 -2. Compile XmlToBin:
   24.32 -   javac XmlToBin.java
   24.33 -	
   24.34 -USAGE
   24.35 -
   24.36 - See readme.xen
    25.1 --- a/tools/misc/policyprocessor/readme.xen	Fri Aug 19 12:21:29 2005 +0000
    25.2 +++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
    25.3 @@ -1,65 +0,0 @@
    25.4 -# Author: Ray Valdez, rvaldez@us.ibm.com 
    25.5 -# Version: 1.0
    25.6 -#
    25.7 -# This readme describes the policy processor tool for sHype.
    25.8 -#
    25.9 -
   25.10 -Java program:
   25.11 -
   25.12 - java XmlToBin -i [file.xml] -o <file.bin> -xssid <SsidFile> -xssidconf <SsidConf>
   25.13 -
   25.14 - Command line options:
   25.15 -
   25.16 -        -i              inputFile:      name of policyfile (.xml)
   25.17 -        -o              outputFile:     name of binary policy file (Big Endian)
   25.18 -        -xssid          SsidFile:       xen ssids to named types text file
   25.19 -        -xssidconf      SsidConf:   	xen conflict ssids to types text file
   25.20 -        -debug                          turn on debug messages
   25.21 -        -help                           help. This printout
   25.22 -
   25.23 -Where:
   25.24 -
   25.25 -file.xml is the (input) xml policy file to be parsed and validated.
   25.26 -The syntax for file.xml is defined in the SecurityPolicySpec.xsd file.
   25.27 -file.bin is the (output) binary policy file generated by XmlToBin.
   25.28 -This binary policy can be activated in sHype. The binary policy file
   25.29 -is laid out in network byte order (i.e., big endian).  The SsidFile
   25.30 -file contains the mapping of type enforcement (TE) ssids to the "named
   25.31 -types".  Similarly, the SsidConf file contains the mapping of Chinese
   25.32 -Wall (ChWall) ssids to conflict named types. The ssidFile and SsidConf
   25.33 -files are used by Xen.
   25.34 -
   25.35 -Xml Schema and policy:
   25.36 -
   25.37 -The SecurityPolicySpec.xsd defines the syntax of a policy file. It
   25.38 -declares the tags that are used by XmlToBin to generate the binary
   25.39 -policy file. The tags that XmlToBin keys on are TE, ChWall, id, vid,
   25.40 -etc.  The xml files that describe a policy are simple.  Semantic
   25.41 -checking of a policy is performed mostly by XmlToBin.  A type, for
   25.42 -example, is a string. No fixed values are defined for types in Xml.
   25.43 -  
   25.44 -A policy consists of two Xml files: definition and policy. The
   25.45 -definition Xml declares the types that are permitted in the policy
   25.46 -Xml.  The policy Xml contains the assignment of labels to
   25.47 -subject/object (e.g., vm). This Xml file contains an explicit
   25.48 -reference to the definition Xml (e.g., <url>xen_sample_def.xml</url>).
   25.49 -The policy Xml is the one provided as a command line argument.
   25.50 -
   25.51 -
   25.52 -Files:
   25.53 -
   25.54 -*.java		      	- policy processor source 
   25.55 -xen_sample_policy.xml	- sample xml policy file
   25.56 -xen_sample_def.xml	- sample user defined types
   25.57 -SecurityPolicySpec.xsd 	- schema definition file
   25.58 -
   25.59 -
   25.60 -To generate the sample binary policy: 
   25.61 -
   25.62 -export CLASSPATH=$XERCES_HOME/xercesImpl.jar:$XERCES_HOME/xmlParserAPIs.jar:.
   25.63 -
   25.64 -java XmlToBin -i xen_sample_policy.xml -o xen_sample_policy.bin
   25.65 -
   25.66 -where $XERCES_HOME is the installation directory of the Apache Xerces-J
   25.67 -
   25.68 -
    26.1 --- a/tools/misc/policyprocessor/xen_sample_def.xml	Fri Aug 19 12:21:29 2005 +0000
    26.2 +++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
    26.3 @@ -1,46 +0,0 @@
    26.4 -<?xml version="1.0"?>
    26.5 -<!-- Author: Ray Valdez, rvaldez@us.ibm.com -->
    26.6 -<!-- example policy type definition -->
    26.7 -<SecurityPolicySpec
    26.8 -xmlns="http://www.ibm.com"
    26.9 -xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   26.10 -xsi:schemaLocation="http://www.ibm.com SecurityPolicySpec.xsd">
   26.11 -
   26.12 -<Definition>
   26.13 -<!-- an example of a simple type enforcement type definition -->
   26.14 -  <Types>
   26.15 -        <TE>LOCAL-management</TE>
   26.16 -        <TE>R-Company-development</TE>
   26.17 -        <TE>S-Company-order</TE>
   26.18 -        <TE>T-Company-advertising</TE>
   26.19 -        <TE>U-Company-computing</TE>
   26.20 -		 <!-- TE nondevelopment  -->
   26.21 -  </Types>
   26.22 -
   26.23 -<!-- an example of a chinese wall type definition along with conflict sets-->
   26.24 -  <ChWallTypes>
   26.25 -		 <ChWall>Q-Company</ChWall>
   26.26 -		 <ChWall>R-Company</ChWall>
   26.27 -		 <ChWall>S-Company</ChWall>
   26.28 -		 <ChWall>T-Company</ChWall>
   26.29 -		 <ChWall>U-Company</ChWall>
   26.30 -		 <ChWall>V-Company</ChWall>
   26.31 -		 <ChWall>W-Company</ChWall>
   26.32 -		 <ChWall>X-Company</ChWall>
   26.33 -		 <ChWall>Y-Company</ChWall>
   26.34 -		 <ChWall>Z-Company</ChWall>
   26.35 -  </ChWallTypes>
   26.36 -
   26.37 -  <ConflictSet>
   26.38 -		 <ChWall>T-Company</ChWall>
   26.39 -		 <ChWall>S-Company</ChWall>
   26.40 -   </ConflictSet>
   26.41 -
   26.42 -   <ConflictSet>
   26.43 -		 <ChWall>R-Company</ChWall>
   26.44 -		 <ChWall>V-Company</ChWall>
   26.45 -		 <ChWall>W-Company</ChWall>
   26.46 -   </ConflictSet>
   26.47 -
   26.48 -</Definition>
   26.49 -</SecurityPolicySpec>
    27.1 --- a/tools/misc/policyprocessor/xen_sample_policy.xml	Fri Aug 19 12:21:29 2005 +0000
    27.2 +++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
    27.3 @@ -1,58 +0,0 @@
    27.4 -<?xml version="1.0"?>
    27.5 -<!-- Author: Ray Valdez, rvaldez@us.ibm.com -->
    27.6 -<!-- example xen policy file -->
    27.7 -
    27.8 -<SecurityPolicySpec
    27.9 -xmlns="http://www.ibm.com"
   27.10 -xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   27.11 -xsi:schemaLocation="http://www.ibm.com SecurityPolicySpec.xsd">
   27.12 -<Policy>
   27.13 - <PolicyHeader>
   27.14 -        <Name>xen sample policy</Name>
   27.15 -        <DateTime>2005-05-20T16:56:00</DateTime>
   27.16 -        <Tag>foobar</Tag>
   27.17 -        <TypeDefinition>
   27.18 -          <url>xen_sample_def.xml</url>
   27.19 -          <hash>abcdef123456abcdef</hash>
   27.20 -        </TypeDefinition>
   27.21 - </PolicyHeader>
   27.22 -
   27.23 - <VM>
   27.24 -        <id> 0 </id>
   27.25 -        <TE>LOCAL-management</TE>
   27.26 -        <TE>R-Company-development</TE>
   27.27 -        <TE>S-Company-order</TE>
   27.28 -        <TE>T-Company-advertising</TE>
   27.29 -        <TE>U-Company-computing</TE>
   27.30 -		 <ChWall>Q-Company</ChWall>
   27.31 - </VM>
   27.32 -
   27.33 - <VM>
   27.34 -        <id> 1 </id>
   27.35 -        <TE>R-Company-development</TE>
   27.36 -		 <ChWall>R-Company</ChWall>
   27.37 - </VM>
   27.38 -
   27.39 - <VM>
   27.40 -        <id> 2 </id>
   27.41 -        <TE>S-Company-order</TE>
   27.42 -		 <ChWall>S-Company</ChWall>
   27.43 -
   27.44 - </VM>
   27.45 -
   27.46 - <VM>
   27.47 -        <id> 3 </id>
   27.48 -        <TE>T-Company-advertising</TE>
   27.49 -		 <ChWall>T-Company</ChWall>
   27.50 - </VM>
   27.51 -
   27.52 -
   27.53 - <VM>
   27.54 -        <id> 4 </id>
   27.55 -        <TE>U-Company-computing</TE>
   27.56 -		 <ChWall>U-Company</ChWall>
   27.57 - </VM>
   27.58 -
   27.59 -
   27.60 -</Policy>
   27.61 -</SecurityPolicySpec>
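--- a/tools/security/Makefile
+++ b/tools/security/Makefile
@@ -2,28 +2,72 @@ XEN_ROOT = ../..
 include $(XEN_ROOT)/tools/Rules.mk
 
 SRCS     = secpol_tool.c
-CFLAGS   += -static
 CFLAGS   += -Wall
 CFLAGS   += -Werror
 CFLAGS   += -O3
 CFLAGS   += -fno-strict-aliasing
-CFLAGS   += -I.
+CFLAGS   += -I. -I/usr/include/libxml2
+CFLAGS_XML2BIN += $(shell xml2-config --cflags --libs )
+#if above does not work, try  -L/usr/lib -lxml2 -lz -lpthread -lm
+XML2VERSION = $(shell xml2-config --version )
+VALIDATE_SCHEMA=$(shell if [[ $(XML2VERSION) < 2.6.20 ]]; then echo ""; else echo "-DVALIDATE_SCHEMA"; fi; )
 
+ifeq ($(ACM_USE_SECURITY_POLICY),ACM_NULL_POLICY)
+POLICY=null
+endif
+ifeq ($(ACM_USE_SECURITY_POLICY),ACM_CHINESE_WALL_POLICY)
+POLICY=chwall
+endif
+ifeq ($(ACM_USE_SECURITY_POLICY),ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY)
+POLICY=ste
+endif
+ifeq ($(ACM_USE_SECURITY_POLICY),ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY)
+POLICY=chwall_ste
+endif
+POLICYFILE=./policies/$(POLICY)/$(POLICY).bin
+
+ifneq ($(ACM_USE_SECURITY_POLICY), ACM_NULL_POLICY)
 all: build
+
+install:all
+
+default:all
+else
+all:
+
+install:
+
+default:
+endif
+
 build: mk-symlinks
 	$(MAKE) secpol_tool
-
-default: all
+	$(MAKE) secpol_xml2bin
+	chmod 700 ./setlabel.sh
+	chmod 700 ./updategrub.sh
 
-install: all
-
-secpol_tool : secpol_tool.c
+secpol_tool : secpol_tool.c secpol_compat.h
 	$(CC) $(CPPFLAGS) $(CFLAGS) -o $@ $<
 
+secpol_xml2bin : secpol_xml2bin.c secpol_xml2bin.h secpol_compat.h
+	$(CC) $(CPPFLAGS) $(CFLAGS) $(CFLAGS_XML2BIN) $(VALIDATE_SCHEMA) -o $@ $<
+
 clean:
-	rm -rf secpol_tool xen
+	rm -rf secpol_tool secpol_xml2bin xen
+
+policy_clean:
+	rm -rf policies/*/*.bin policies/*/*.map
+
+mrproper: clean policy_clean
 
 
+$(POLICYFILE) : build
+	@./secpol_xml2bin $(POLICY) > /dev/null
+
+boot_install: $(POLICYFILE)
+	@cp $(POLICYFILE) /boot
+	@./updategrub.sh $(POLICY) $(PWD)/$(XEN_ROOT)
+
 LINUX_ROOT := $(XEN_ROOT)/linux-2.6-xen-sparse
 mk-symlinks:
 	[ -e xen/linux ] || mkdir -p xen/linux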
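Review bot: The `VALIDATE_SCHEMA` line decides whether `secpol_xml2bin` is built with `-DVALIDATE_SCHEMA` by running `[[ $(XML2VERSION) < 2.6.20 ]]`, which is a bash-only construct and compares the versions as strings rather than numbers. Compared that way 2.10.0 sorts before 2.6.20 and 2.6.9 sorts after it, and a `/bin/sh` without `[[` fails the test outright, so the define can be set or dropped for the wrong libxml2 versions with no message. Judging by its name, the define gates the schema check of the policy and label XML before a binary policy is produced, so I would make the test numeric, for example `VALIDATE_SCHEMA=$(shell pkg-config --atleast-version=2.6.20 libxml-2.0 && echo "-DVALIDATE_SCHEMA")`, and emit a `$(warning ...)` when validation is compiled out. The `$(POLICYFILE)` rule also redirects the tool's output to `/dev/null`, which presumably hides the validation messages an operator would use to confirm the check ran before `boot_install` copies the result to `/boot`.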
    30.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
    30.2 +++ b/tools/security/example.txt	Fri Aug 19 12:22:27 2005 +0000
    30.3 @@ -0,0 +1,269 @@
    30.4 +##
    30.5 +# example.txt <description to the xen access control architecture>
    30.6 +#
    30.7 +# Author:
    30.8 +# Reiner Sailer 08/15/2005 <sailer@watson.ibm.com>
    30.9 +#
   30.10 +#
   30.11 +# This file introduces into the tools to manage policies
   30.12 +# and to label domains and resources.
   30.13 +##
   30.14 +
   30.15 +We will show how to install and use the chwall_ste policy.
   30.16 +Other policies work similarly. Feedback welcome!
   30.17 +
   30.18 +
   30.19 +
   30.20 +1. Using secpol_xml2bin to translate the chwall_ste policy:
   30.21 +===========================================================
   30.22 +
   30.23 +#tools/security/secpol_xml2bin chwall_ste
   30.24 +
   30.25 +Successful execution should print:
   30.26 +
   30.27 +    [root@laptopxn security]# ./secpol_xml2bin chwall_ste
   30.28 +    Validating label file policies/chwall_ste/chwall_ste-security_label_template.xml...
   30.29 +    XML Schema policies/security_policy.xsd valid.
   30.30 +    Validating policy file policies/chwall_ste/chwall_ste-security_policy.xml...
   30.31 +    XML Schema policies/security_policy.xsd valid.
   30.32 +    Creating ssid mappings ...
   30.33 +    Creating label mappings ...
   30.34 +    Max chwall labels:  7
   30.35 +    Max chwall-types:   4
   30.36 +    Max chwall-ssids:   5
   30.37 +    Max ste labels:     14
   30.38 +    Max ste-types:      6
   30.39 +    Max ste-ssids:      10
   30.40 +
   30.41 +The tool looks in directory policies/chwall_ste for
   30.42 +the label and policy files.
   30.43 +
   30.44 +The default policy directory structure under tools/security looks like:
   30.45 +
   30.46 +policies
   30.47 +|-- security_policy.xsd
   30.48 +|-- chwall
   30.49 +|   |-- chwall-security_label_template.xml
   30.50 +|   `-- chwall-security_policy.xml
   30.51 +|-- chwall_ste
   30.52 +|   |-- chwall_ste-security_label_template.xml
   30.53 +|   `-- chwall_ste-security_policy.xml
   30.54 +|-- null
   30.55 +|   |-- null-security_label_template.xml
   30.56 +|   `-- null-security_policy.xml
   30.57 +`-- ste
   30.58 +    |-- ste-security_label_template.xml
   30.59 +    `-- ste-security_policy.xml
   30.60 +
   30.61 +policies/security_policy.xsd contains the schema against which both the
   30.62 +label-template and the policy files must validate during translation.
   30.63 +
   30.64 +policies/chwall_ste/chwall_ste-security_policy.xml defines the
   30.65 +policies and the types known to the policies.
   30.66 +
   30.67 +policies/chwall_ste/chwall_ste-security_label_template.xml contains
   30.68 +label definitions that group chwall and ste types together and make
   30.69 +them easier to use for users
   30.70 +
   30.71 +After executing the above secpol_xml2bin command, you will find 2 new
   30.72 +files in the policies/chwall_ste sub-directory:
   30.73 +
   30.74 +policies/chwall_ste/chwall_ste.map ... this file includes the mapping
   30.75 +of names from the xml files into their binary code representation.
   30.76 +
   30.77 +policies/chwall_ste/chwall_ste.bin ... this is the binary policy file,
   30.78 +the result of parsing the xml files and using the mapping to extract a
   30.79 +binary version that can be loaded into the hypervisor.
   30.80 +
   30.81 +
   30.82 +
   30.83 +2. Loading and activating the policy:
   30.84 +=====================================
   30.85 +
   30.86 +We assume that xen is already configured to use the chwall_ste policy;
   30.87 +please refer to install.txt for instructions.
   30.88 +
   30.89 +To activate the policy from the command line (assuming that the
   30.90 +currently established policy is the minimal boot-policy that is
   30.91 +hard-coded into the hypervisor:
   30.92 +
   30.93 +# ./secpol_tool loadpolicy policies/chwall_ste/chwall_ste.bin
   30.94 +
   30.95 +To activate the policy at next reboot:
   30.96 +
   30.97 +# cp policies/chwall_ste/chwall_ste.bin /boot
   30.98 +
   30.99 +Add a module line to your /boot/grub/grub.conf Xen entry.
  30.100 +My boot entry with chwall_ste enabled looks like this:
  30.101 +
  30.102 +    title Xen (2.6.12)
  30.103 +        root (hd0,5)
  30.104 +        kernel /boot/xen.gz dom0_mem=1200000 console=vga
  30.105 +        module /boot/vmlinuz-2.6.12-xen0 ro root=/dev/hda6 rhgb
  30.106 +        module /boot/initrd-2.6.12-xen0.img
  30.107 +        module /boot/chwall_ste.bin
  30.108 +
  30.109 +This tells the grub boot-loader to load the binary policy, which
  30.110 +the hypervisor will recognize. The hypervisor will then establish
  30.111 +this binary policy during boot instead of the minimal policy that
  30.112 +is hardcoded as default.
  30.113 +
  30.114 +If you have any trouble here, maks sure you have the access control
  30.115 +framework enabled (see: install.txt).
  30.116 +
  30.117 +
  30.118 +
  30.119 +3. Labeling domains:
  30.120 +====================
  30.121 +
  30.122 +a) Labeling Domain0:
  30.123 +
  30.124 +The chwall_ste-security_label_template.xml file includes an attribute
  30.125 +"bootstrap", which is set to the label name that will be assigned to
  30.126 +Dom0 (this label will be mapped to ssidref 1/1, the default for Dom0).
  30.127 +
  30.128 +b) Labeling User Domains:
  30.129 +
  30.130 +Use the script tools/security/setlabel.sh to choose a label and to
  30.131 +assign labels to user domains.
  30.132 +
  30.133 +To show available labels for the chwall_ste policy:
  30.134 +
  30.135 +#tools/security/setlabel.sh -l
  30.136 +
  30.137 +lists all available labels. For the default chwall_ste it should print
  30.138 +the following:
  30.139 +
  30.140 +    [root@laptopxn security]# ./setlabel.sh -l chwall_ste
  30.141 +    The following labels are available:
  30.142 +    dom_SystemManagement
  30.143 +    dom_HomeBanking
  30.144 +    dom_Fun
  30.145 +    dom_BoincClient
  30.146 +    dom_StorageDomain
  30.147 +    dom_NetworkDomain
  30.148 +
  30.149 +You need to have compiled the policy beforehand so that a .map file
  30.150 +exists. Setlabel.sh uses the mapping file created throughout the
  30.151 +policy translation to translate a user-friendly label string into a
  30.152 +ssidref-number that is eventually used by the Xen hypervisor.
  30.153 +
  30.154 +We distinguish two kinds of labels: a) VM labels (for domains) and RES
  30.155 +Labels (for resources). We are currently working on support for
  30.156 +resource labeling but will focus here on VM labels.
  30.157 +
  30.158 +Setlabel.sh only prints VM labels (which we have prefixed with "dom_")
  30.159 +since only those are used at this time.
  30.160 +
  30.161 +If you would like to assign the dom_HomeBanking label to one of your
  30.162 +user domains (which you hopefully keep clean), look at an example
  30.163 +domain configuration homebanking.xm:
  30.164 +
  30.165 +    #------HOMEBANKING---------
  30.166 +    kernel = "/boot/vmlinuz-2.6.12-xenU"
  30.167 +    ramdisk="/boot/U1_ramdisk.img"
  30.168 +    memory = 65
  30.169 +    name = "test34"
  30.170 +    cpu = -1   # leave to Xen to pick
  30.171 +    # Number of network interfaces. Default is 1.
  30.172 +    nics=1
  30.173 +    dhcp="dhcp"
  30.174 +    #-------------------------
  30.175 +
  30.176 +Now we label this domain
  30.177 +
  30.178 +[root@laptopxn security]# ./setlabel.sh homebanking.xm dom_HomeBanking chwall_ste
  30.179 +Mapped label 'dom_HomeBanking' to ssidref '0x00020002'.
  30.180 +
  30.181 +The domain configuration my look now like:
  30.182 +
  30.183 +    [root@laptopxn security]# cat homebanking.xm
  30.184 +    #------HOMEBANKING---------
  30.185 +    kernel = "/boot/vmlinuz-2.6.12-xenU"
  30.186 +    ramdisk="/boot/U1_ramdisk.img"
  30.187 +    memory = 65
  30.188 +    name = "test34"
  30.189 +    cpu = -1   # leave to Xen to pick
  30.190 +    # Number of network interfaces. Default is 1.
  30.191 +    nics=1
  30.192 +    dhcp="dhcp"
  30.193 +    #-------------------------
  30.194 +    #ACM_POLICY=chwall_ste-security_policy.xml
  30.195 +    #ACM_LABEL=dom_HomeBanking
  30.196 +    ssidref = 0x00020002
  30.197 +
  30.198 +You can see 3 new entries, two of which are comments.  The only value
  30.199 +that the hypervisor cares about is the ssidref that will reference
  30.200 +those types assigned to this label. You can look them up in the
  30.201 +xml label-template file for the chwall_ste policy.
  30.202 +
  30.203 +This script will eventually move into the domain management and will
  30.204 +be called when the domain is instantiated. For now, the setlabel
  30.205 +script must be run on domains whenever the policy files change since
  30.206 +the mapping between label names and ssidrefs can change in this case.
  30.207 +
  30.208 +
  30.209 +4. Starting a labeled domain
  30.210 +============================
  30.211 +
  30.212 +Now, start the domain:
  30.213 +    #xm create -c homebanking.xm
  30.214 +
  30.215 +
  30.216 +If you label another domain configuration as dom_Fun and try to start
  30.217 +it afterwards, its start will fail. Why?
  30.218 +
  30.219 +Because the running homebanking domain has the chinese wall type
  30.220 +"cw_Sensitive". The new domain dom_Fun has the chinese wall label
  30.221 +"cw_Distrusted". This domain is not allowed to run simultaneously
  30.222 +because of the defined conflict set
  30.223 +
  30.224 +			<conflictset name="Protection1">
  30.225 +				<type>cw_Sensitive</type>
  30.226 +				<type>cw_Distrusted</type>
  30.227 +			</conflictset>
  30.228 +
  30.229 +(in policies/chwall_ste/chwall_ste-security_policy.xml), which says
  30.230 +that only one of the types cw_sensitive and cw_Distrusted can run at a
  30.231 +time.
  30.232 +
  30.233 +If you save or shutdown the HomeBanking domain, you will be able to
  30.234 +start the "Fun" domain. You can look into the Xen log to see if a
  30.235 +domain was denied to start because of the access control framework
  30.236 +with the command 'xm dmesg'.
  30.237 +
  30.238 +It is important (and usually non-trivial) to define the labels in a
  30.239 +way that the semantics of the labels are enforced and supported by the
  30.240 +types and the conflict sets.
  30.241 +
  30.242 +Note: While the chinese wall policy enforcement is complete, the type
  30.243 +enforcement is currently enforced in the Xen hypervisor
  30.244 +only. Therefore, only point-to-point sharing with regard to the type
  30.245 +enforcement is currently controlled. We are working on enhancements to
  30.246 +Dom0 that enforce types also for network traffic that is routed
  30.247 +through Dom0 and on the enforcement of resource labeling when binding
  30.248 +resources to domains (e.g., enforcing types between domains and
  30.249 +hardware resources, such as disk partitions).
  30.250 +
  30.251 +
  30.252 +4. Adding your own policies
  30.253 +===========================
  30.254 +
  30.255 +Writing your own policy (e.g. "mypolicy") requires the following:
  30.256 +
  30.257 +a) the policy definition (types etc.) file
  30.258 +b) the label template definition (labels etc.) file
  30.259 +
  30.260 +If your policy name is "mypolicy", you need to create a
  30.261 +subdirectory mypolicy in tools/security/policies.
  30.262 +
  30.263 +Then you create
  30.264 +tools/security/policies/mypolicy/mypolicy-security_policy.xml and
  30.265 +tools/security/policies/mypolicy/mypolicy-security_label_template.xml.
  30.266 +
  30.267 +You need to keep to the schema as defined in
  30.268 +tools/security/security_policy.xsd since the translation tool
  30.269 +secpol_xml2bin is written against this schema.
  30.270 +
  30.271 +If you keep to the security policy schema, then you can use all the
  30.272 +tools described above. Refer to install.txt to install it.
    31.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
    31.2 +++ b/tools/security/install.txt	Fri Aug 19 12:22:27 2005 +0000
    31.3 @@ -0,0 +1,67 @@
    31.4 +##
    31.5 +# install.txt <description to the xen access control architecture>
    31.6 +#
    31.7 +# Author:
    31.8 +# Reiner Sailer 08/15/2005 <sailer@watson.ibm.com>
    31.9 +#
   31.10 +#
   31.11 +# This file shows how to activate and install the access control
   31.12 +# framework.
   31.13 +##
   31.14 +
   31.15 +
   31.16 +INSTALLING A SECURITY POLICY IN XEN
   31.17 +===================================
   31.18 +
   31.19 +By default, the access control architecture is disabled in Xen. To
   31.20 +enable the access control architecture in Xen follow the steps below.
   31.21 +This description assumes that you want to install the Chinese Wall and
   31.22 +Simple Type Enforcement policy. Some file names need to be replaced
   31.23 +below to activate the Chinese Wall OR the Type Enforcement policy
   31.24 +exclusively (chwall_ste --> {chwall, ste}).
   31.25 +
   31.26 +1. enable access control in Xen
   31.27 +       # cd "xen_root"
   31.28 +       # edit/xemacs/vi Config.mk
   31.29 +
   31.30 +       change the line:
   31.31 +       ACM_USE_SECURITY_POLICY ?= ACM_NULL_POLICY
   31.32 +
   31.33 +       to:
   31.34 +       ACM_USE_SECURITY_POLICY ?= ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY
   31.35 +
   31.36 +       # make all
   31.37 +       # ./install.sh
   31.38 +
   31.39 +2. compile the policy from xml to a binary format that can be loaded
   31.40 +   into the hypervisor for enforcement
   31.41 +       # cd tools/security
   31.42 +       # make
   31.43 +
   31.44 +       manual steps (alternative to make boot_install):
   31.45 +       #./secpol_xml2bin chwall_ste
   31.46 +       #cp policies/chwall_ste/chwall_ste.bin /boot
   31.47 +       #edit /boot/grub/grub.conf
   31.48 +        add the follwoing line to your xen boot entry:
   31.49 +       "module chwall_ste.bin"
   31.50 +
   31.51 +       alternatively, you can try our automatic translation and
   31.52 +       installation of the policy:
   31.53 +       # make boot_install
   31.54 +
   31.55 +       [we try hard to do the right thing to the right boot entry but
   31.56 +        please verify boot entry in /boot/grub/grub.conf afterwards;
   31.57 +        your xen boot entry should have an additional module line
   31.58 +        specifying a chwall_ste.bin file with the correct directory
   31.59 +        (e.g. "/" or "/boot").]
   31.60 +
   31.61 +
   31.62 +3. reboot into the newly compiled hypervisor
   31.63 +
   31.64 +        after boot
   31.65 +	#xm dmesg should show an entry about the policy being loaded
   31.66 +            during the boot process
   31.67 +
   31.68 +        #tools/security/secpol_tool getpolicy
   31.69 +            should print the new chwall_ste binary policy representation
   31.70 +
    32.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
    32.2 +++ b/tools/security/policies/chwall/chwall-security_label_template.xml	Fri Aug 19 12:22:27 2005 +0000
    32.3 @@ -0,0 +1,76 @@
    32.4 +<?xml version="1.0"?>
    32.5 +<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com  -->
    32.6 +<!--              This file defines the security labels, which can  -->
    32.7 +<!--              be attached to Domains and resources. Based on    -->
    32.8 +<!--              these labels, the access control module decides   -->
    32.9 +<!--              about sharing between Domains and about access    -->
   32.10 +<!--              of Domains to real resources.                     -->
   32.11 +
   32.12 +<SecurityLabelTemplate
   32.13 + xmlns="http://www.ibm.com"
   32.14 + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   32.15 + xsi:schemaLocation="http://www.ibm.com security_policy.xsd">
   32.16 +   <LabelHeader>
   32.17 +      <Name>chwall-security_label_template</Name>
   32.18 +      <Date>2005-08-10</Date>
   32.19 +      <PolicyName>
   32.20 +         <Url>chwall-security_policy.xml</Url>
   32.21 +         <Reference>abcdef123456abcdef</Reference>
   32.22 +      </PolicyName>
   32.23 +   </LabelHeader>
   32.24 +
   32.25 +   <SubjectLabels bootstrap="dom_SystemManagement">
   32.26 +      <!-- single ste typed domains            -->
   32.27 +      <!-- ACM enforces that only domains with -->
   32.28 +      <!-- the same type can share information -->
   32.29 +      <!--                                     -->
   32.30 +      <!-- Bootstrap label is assigned to Dom0 -->
   32.31 +      <VirtualMachineLabel>
   32.32 +      	<Name>dom_HomeBanking</Name>
   32.33 +         <ChineseWallTypes>
   32.34 +            <Type>cw_Sensitive</Type>
   32.35 +         </ChineseWallTypes>
   32.36 +      </VirtualMachineLabel>
   32.37 +
   32.38 +      <VirtualMachineLabel>
   32.39 +      	<Name>dom_Fun</Name>
   32.40 +         <ChineseWallTypes>
   32.41 +            <Type>cw_Distrusted</Type>
   32.42 +         </ChineseWallTypes>
   32.43 +      </VirtualMachineLabel>
   32.44 +
   32.45 +      <VirtualMachineLabel>
   32.46 +        <!-- donating some cycles to seti@home -->
   32.47 +      	<Name>dom_BoincClient</Name>
   32.48 +         <ChineseWallTypes>
   32.49 +            <Type>cw_Isolated</Type>
   32.50 +         </ChineseWallTypes>
   32.51 +      </VirtualMachineLabel>
   32.52 +
   32.53 +      <!-- Domains with multiple ste types services; such domains   -->
   32.54 +      <!-- must keep the types inside their domain safely confined. -->
   32.55 +      <VirtualMachineLabel>
   32.56 +      	<Name>dom_SystemManagement</Name>
   32.57 +         <ChineseWallTypes>
   32.58 +            <Type>cw_SystemManagement</Type>
   32.59 +         </ChineseWallTypes>
   32.60 +      </VirtualMachineLabel>
   32.61 +
   32.62 +      <VirtualMachineLabel>
   32.63 +        <!-- serves persistent storage to other domains -->
   32.64 +      	<Name>dom_StorageDomain</Name>
   32.65 +         <ChineseWallTypes>
   32.66 +            <Type>cw_SystemManagement</Type>
   32.67 +         </ChineseWallTypes>
   32.68 +      </VirtualMachineLabel>
   32.69 +
   32.70 +      <VirtualMachineLabel>
   32.71 +        <!-- serves network access to other domains -->
   32.72 +      	<Name>dom_NetworkDomain</Name>
   32.73 +         <ChineseWallTypes>
   32.74 +            <Type>cw_SystemManagement</Type>
   32.75 +         </ChineseWallTypes>
   32.76 +      </VirtualMachineLabel>
   32.77 +   </SubjectLabels>
   32.78 +</SecurityLabelTemplate>
   32.79 +
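Review bot: The comments inside `<SubjectLabels>` describe Simple Type Enforcement ("single ste typed domains", "only domains with the same type can share information", "Domains with multiple ste types"), but every label in this template carries only `<ChineseWallTypes>`. Under the chwall-only policy nothing in this file restricts sharing, so an administrator reading the comments could assume a separation between, say, dom_BoincClient and dom_HomeBanking that this policy does not express. I would replace them with something like `<!-- Chinese Wall types only: they decide which domains may run at the same time, not what running domains may share -->`. Separately, `<Reference>abcdef123456abcdef</Reference>` looks like a placeholder, here and in the chwall_ste and null templates. If it is meant to tie a label template to one specific policy version, a comment should say that it is not checked yet.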
    33.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
    33.2 +++ b/tools/security/policies/chwall/chwall-security_policy.xml	Fri Aug 19 12:22:27 2005 +0000
    33.3 @@ -0,0 +1,36 @@
    33.4 +<?xml version="1.0" encoding="UTF-8"?>
    33.5 +<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com  -->
    33.6 +<!--             This file defines the security policies, which     -->
    33.7 +<!--             can be enforced by the Xen Access Control Module.  -->
    33.8 +<!--             Currently: Chinese Wall and Simple Type Enforcement-->
    33.9 +<SecurityPolicyDefinition xmlns="http://www.ibm.com"
   33.10 + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   33.11 + xsi:schemaLocation="http://www.ibm.com security_policy.xsd">
   33.12 +<PolicyHeader>
   33.13 +		<Name>chwall-security_policy</Name>
   33.14 +		<Date>2005-08-10</Date>
   33.15 +</PolicyHeader>
   33.16 +<!--                                             -->
   33.17 +<!-- example of a chinese wall type definition   -->
   33.18 +<!-- along with its conflict sets                -->
   33.19 +<!-- (typse in a confict set are exclusive, i.e. -->
   33.20 +<!--  once a Domain with one type of a set is    -->
   33.21 +<!--  running, no other Domain with another type -->
   33.22 +<!--  of the same conflict set can start.)       -->
   33.23 +	<ChineseWall priority="PrimaryPolicyComponent">
   33.24 +        <ChineseWallTypes>
   33.25 +            <Type>cw_SystemManagement</Type>
   33.26 +            <Type>cw_Sensitive</Type>
   33.27 +            <Type>cw_Isolated</Type>
   33.28 +            <Type>cw_Distrusted</Type>
   33.29 +        </ChineseWallTypes>
   33.30 +
   33.31 +        <ConflictSets>
   33.32 +        <Conflict name="Protection1">
   33.33 +            <Type>cw_Sensitive</Type>
   33.34 +            <Type>cw_Distrusted</Type>
   33.35 +        </Conflict>
   33.36 +        </ConflictSets>
   33.37 +	</ChineseWall>
   33.38 +</SecurityPolicyDefinition>
   33.39 +
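Review bot: `cw_Isolated` and `cw_SystemManagement` are declared in `<ChineseWallTypes>` but appear in no `<Conflict>`, so by this file's own comment on conflict sets they exclude nothing. A domain typed `cw_Isolated` can therefore start next to any other domain, despite the name. The same holds for the identical block in chwall_ste-security_policy.xml. I would either add the intended conflict sets or state it in a comment, e.g. `<!-- cw_Isolated and cw_SystemManagement are in no conflict set and may run alongside any domain -->`. The comment above the block also has typos ("typse in a confict set", in both files), and the header's "Currently: Chinese Wall and Simple Type Enforcement" does not match this file, which defines only `<ChineseWall>`.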
    34.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
    34.2 +++ b/tools/security/policies/chwall_ste/chwall_ste-security_label_template.xml	Fri Aug 19 12:22:27 2005 +0000
    34.3 @@ -0,0 +1,167 @@
    34.4 +<?xml version="1.0"?>
    34.5 +<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com  -->
    34.6 +<!--              This file defines the security labels, which can  -->
    34.7 +<!--              be attached to Domains and resources. Based on    -->
    34.8 +<!--              these labels, the access control module decides   -->
    34.9 +<!--              about sharing between Domains and about access    -->
   34.10 +<!--              of Domains to real resources.                     -->
   34.11 +
   34.12 +<SecurityLabelTemplate
   34.13 + xmlns="http://www.ibm.com"
   34.14 + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   34.15 + xsi:schemaLocation="http://www.ibm.com security_policy.xsd">
   34.16 +   <LabelHeader>
   34.17 +      <Name>chwall_ste-security_label_template</Name>
   34.18 +      <Date>2005-08-10</Date>
   34.19 +      <PolicyName>
   34.20 +         <Url>chwall_ste-security_policy.xml</Url>
   34.21 +         <Reference>abcdef123456abcdef</Reference>
   34.22 +      </PolicyName>
   34.23 +   </LabelHeader>
   34.24 +
   34.25 +   <SubjectLabels bootstrap="dom_SystemManagement">
   34.26 +      <!-- single ste typed domains            -->
   34.27 +      <!-- ACM enforces that only domains with -->
   34.28 +      <!-- the same type can share information -->
   34.29 +      <!--                                     -->
   34.30 +      <!-- Bootstrap label is assigned to Dom0 -->
   34.31 +      <VirtualMachineLabel>
   34.32 +      	<Name>dom_HomeBanking</Name>
   34.33 +         <SimpleTypeEnforcementTypes>
   34.34 +            <Type>ste_PersonalFinances</Type>
   34.35 +         </SimpleTypeEnforcementTypes>
   34.36 +
   34.37 +         <ChineseWallTypes>
   34.38 +            <Type>cw_Sensitive</Type>
   34.39 +         </ChineseWallTypes>
   34.40 +      </VirtualMachineLabel>
   34.41 +
   34.42 +      <VirtualMachineLabel>
   34.43 +      	<Name>dom_Fun</Name>
   34.44 +         <SimpleTypeEnforcementTypes>
   34.45 +            <Type>ste_InternetInsecure</Type>
   34.46 +         </SimpleTypeEnforcementTypes>
   34.47 +
   34.48 +         <ChineseWallTypes>
   34.49 +            <Type>cw_Distrusted</Type>
   34.50 +         </ChineseWallTypes>
   34.51 +      </VirtualMachineLabel>
   34.52 +
   34.53 +      <VirtualMachineLabel>
   34.54 +        <!-- donating some cycles to seti@home -->
   34.55 +      	<Name>dom_BoincClient</Name>
   34.56 +         <SimpleTypeEnforcementTypes>
   34.57 +            <Type>ste_DonatedCycles</Type>
   34.58 +         </SimpleTypeEnforcementTypes>
   34.59 +
   34.60 +         <ChineseWallTypes>
   34.61 +            <Type>cw_Isolated</Type>
   34.62 +         </ChineseWallTypes>
   34.63 +      </VirtualMachineLabel>
   34.64 +
   34.65 +      <!-- Domains with multiple ste types services; such domains   -->
   34.66 +      <!-- must keep the types inside their domain safely confined. -->
   34.67 +      <VirtualMachineLabel>
   34.68 +      	<Name>dom_SystemManagement</Name>
   34.69 +         <SimpleTypeEnforcementTypes>
   34.70 +            <!-- since dom0 needs access to every domain and -->
   34.71 +            <!-- resource right now ... -->
   34.72 +            <Type>ste_SystemManagement</Type>
   34.73 +            <Type>ste_PersonalFinances</Type>
   34.74 +            <Type>ste_InternetInsecure</Type>
   34.75 +            <Type>ste_DonatedCycles</Type>
   34.76 +            <Type>ste_PersistentStorageA</Type>
   34.77 +            <Type>ste_NetworkAdapter0</Type>
   34.78 +         </SimpleTypeEnforcementTypes>
   34.79 +
   34.80 +         <ChineseWallTypes>
   34.81 +            <Type>cw_SystemManagement</Type>
   34.82 +         </ChineseWallTypes>
   34.83 +      </VirtualMachineLabel>
   34.84 +
   34.85 +      <VirtualMachineLabel>
   34.86 +        <!-- serves persistent storage to other domains -->
   34.87 +      	<Name>dom_StorageDomain</Name>
   34.88 +         <SimpleTypeEnforcementTypes>
   34.89 +            <!-- access right to the resource (hard drive a) -->
   34.90 +            <Type>ste_PersistentStorageA</Type>
   34.91 +            <!-- can serve following types -->
   34.92 +            <Type>ste_PersonalFinances</Type>
   34.93 +            <Type>ste_InternetInsecure</Type>
   34.94 +         </SimpleTypeEnforcementTypes>
   34.95 +
   34.96 +         <ChineseWallTypes>
   34.97 +            <Type>cw_SystemManagement</Type>
   34.98 +         </ChineseWallTypes>
   34.99 +      </VirtualMachineLabel>
  34.100 +
  34.101 +      <VirtualMachineLabel>
  34.102 +        <!-- serves network access to other domains -->
  34.103 +      	<Name>dom_NetworkDomain</Name>
  34.104 +         <SimpleTypeEnforcementTypes>
  34.105 +            <!-- access right to the resource (ethernet card) -->
  34.106 +            <Type>ste_NetworkAdapter0</Type>
  34.107 +            <!-- can serve following types -->
  34.108 +            <Type>ste_PersonalFinances</Type>
  34.109 +            <Type>ste_InternetInsecure</Type>
  34.110 +            <Type>ste_DonatedCycles</Type>
  34.111 +         </SimpleTypeEnforcementTypes>
  34.112 +
  34.113 +         <ChineseWallTypes>
  34.114 +            <Type>cw_SystemManagement</Type>
  34.115 +         </ChineseWallTypes>
  34.116 +      </VirtualMachineLabel>
  34.117 +   </SubjectLabels>
  34.118 +
  34.119 +   <ObjectLabels>
  34.120 +      <ResourceLabel>
  34.121 +      	<Name>res_ManagementResource</Name>
  34.122 +         <SimpleTypeEnforcementTypes>
  34.123 +            <Type>ste_SystemManagement</Type>
  34.124 +         </SimpleTypeEnforcementTypes>
  34.125 +      </ResourceLabel>
  34.126 +
  34.127 +      <ResourceLabel>
  34.128 +      	<Name>res_HardDrive (hda)</Name>
  34.129 +         <SimpleTypeEnforcementTypes>
  34.130 +            <Type>ste_PersistentStorageA</Type>
  34.131 +         </SimpleTypeEnforcementTypes>
  34.132 +      </ResourceLabel>
  34.133 +
  34.134 +      <ResourceLabel>
  34.135 +      	<Name>res_LogicalDiskPartition1 (hda1)</Name>
  34.136 +         <SimpleTypeEnforcementTypes>
  34.137 +            <Type>ste_PersonalFinances</Type>
  34.138 +         </SimpleTypeEnforcementTypes>
  34.139 +      </ResourceLabel>
  34.140 +
  34.141 +      <ResourceLabel>
  34.142 +      	<Name>res_LogicalDiskPartition2 (hda2)</Name>
  34.143 +         <SimpleTypeEnforcementTypes>
  34.144 +            <Type>ste_InternetInsecure</Type>
  34.145 +         </SimpleTypeEnforcementTypes>
  34.146 +      </ResourceLabel>
  34.147 +
  34.148 +      <ResourceLabel>
  34.149 +      	<Name>res_EthernetCard</Name>
  34.150 +         <SimpleTypeEnforcementTypes>
  34.151 +            <Type>ste_NetworkAdapter0</Type>
  34.152 +         </SimpleTypeEnforcementTypes>
  34.153 +      </ResourceLabel>
  34.154 +
  34.155 +      <ResourceLabel>
  34.156 +      	<Name>res_SecurityToken</Name>
  34.157 +         <SimpleTypeEnforcementTypes>
  34.158 +            <Type>ste_PersonalFinances</Type>
  34.159 +         </SimpleTypeEnforcementTypes>
  34.160 +      </ResourceLabel>
  34.161 +
  34.162 +      <ResourceLabel>
  34.163 +      	<Name>res_GraphicsAdapter</Name>
  34.164 +         <SimpleTypeEnforcementTypes>
  34.165 +            <Type>ste_SystemManagement</Type>
  34.166 +         </SimpleTypeEnforcementTypes>
  34.167 +      </ResourceLabel>
  34.168 +   </ObjectLabels>
  34.169 +</SecurityLabelTemplate>
  34.170 +
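Review bot: `dom_StorageDomain` and `dom_NetworkDomain` both carry `ste_PersonalFinances` and `ste_InternetInsecure`, and `dom_SystemManagement` carries every STE type. At the hypervisor level dom_HomeBanking and dom_Fun can therefore each share with the same service domains. The only statement of what keeps those flows apart is the comment "such domains must keep the types inside their domain safely confined". The example.txt added in this changeset says type enforcement is currently done in the hypervisor only and that Dom0 enforcement for routed traffic is still being worked on. The template should say so at these three labels, e.g. `<!-- multi-type domain: separation between its types is NOT enforced by ACM and depends on this domain's own configuration -->`. It would also help to note on `dom_SystemManagement` that giving Dom0 all types is a temporary measure, as the "right now ..." comment hints.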
    35.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
    35.2 +++ b/tools/security/policies/chwall_ste/chwall_ste-security_policy.xml	Fri Aug 19 12:22:27 2005 +0000
    35.3 @@ -0,0 +1,49 @@
    35.4 +<?xml version="1.0" encoding="UTF-8"?>
    35.5 +<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com  -->
    35.6 +<!--             This file defines the security policies, which     -->
    35.7 +<!--             can be enforced by the Xen Access Control Module.  -->
    35.8 +<!--             Currently: Chinese Wall and Simple Type Enforcement-->
    35.9 +<SecurityPolicyDefinition xmlns="http://www.ibm.com"
   35.10 + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   35.11 + xsi:schemaLocation="http://www.ibm.com security_policy.xsd">
   35.12 +<PolicyHeader>
   35.13 +		<Name>chwall_ste-security_policy</Name>
   35.14 +		<Date>2005-08-10</Date>
   35.15 +</PolicyHeader>
   35.16 +<!--                                                        -->
   35.17 +<!-- example of a simple type enforcement policy definition -->
   35.18 +<!--                                                        -->
   35.19 +	<SimpleTypeEnforcement>
   35.20 +        <SimpleTypeEnforcementTypes>
   35.21 +            <Type>ste_SystemManagement</Type>   <!-- machine/security management -->
   35.22 +            <Type>ste_PersonalFinances</Type>   <!-- personal finances -->
   35.23 +            <Type>ste_InternetInsecure</Type>   <!-- games, active X, etc. -->
   35.24 +            <Type>ste_DonatedCycles</Type>      <!-- donation to BOINC/seti@home -->
   35.25 +            <Type>ste_PersistentStorageA</Type> <!-- domain managing the harddrive A-->
   35.26 +            <Type>ste_NetworkAdapter0</Type>    <!-- type of the domain managing ethernet adapter 0-->
   35.27 +        </SimpleTypeEnforcementTypes>
   35.28 +	</SimpleTypeEnforcement>
   35.29 +<!--                                             -->
   35.30 +<!-- example of a chinese wall type definition   -->
   35.31 +<!-- along with its conflict sets                -->
   35.32 +<!-- (typse in a confict set are exclusive, i.e. -->
   35.33 +<!--  once a Domain with one type of a set is    -->
   35.34 +<!--  running, no other Domain with another type -->
   35.35 +<!--  of the same conflict set can start.)       -->
   35.36 +	<ChineseWall priority="PrimaryPolicyComponent">
   35.37 +        <ChineseWallTypes>
   35.38 +            <Type>cw_SystemManagement</Type>
   35.39 +            <Type>cw_Sensitive</Type>
   35.40 +            <Type>cw_Isolated</Type>
   35.41 +            <Type>cw_Distrusted</Type>
   35.42 +        </ChineseWallTypes>
   35.43 +
   35.44 +        <ConflictSets>
   35.45 +        <Conflict name="Protection1">
   35.46 +            <Type>cw_Sensitive</Type>
   35.47 +            <Type>cw_Distrusted</Type>
   35.48 +        </Conflict>
   35.49 +        </ConflictSets>
   35.50 +	</ChineseWall>
   35.51 +</SecurityPolicyDefinition>
   35.52 +
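Review bot: `priority="PrimaryPolicyComponent"` on `<ChineseWall>` has no comment explaining what it selects. `<SimpleTypeEnforcement>` in the same file carries no priority at all. The schema added in this changeset makes the attribute optional on both components and allows only this one value, so a reader cannot tell what happens when neither or both components are marked. A short comment next to the attribute would help, along the lines of `<!-- priority: marks the primary policy component; at most one component should carry it -->`. The wording needs adjusting to whatever the translation tool actually does, which is not visible in this section.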
    36.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
    36.2 +++ b/tools/security/policies/null/null-security_label_template.xml	Fri Aug 19 12:22:27 2005 +0000
    36.3 @@ -0,0 +1,24 @@
    36.4 +<?xml version="1.0"?>
    36.5 +<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com  -->
    36.6 +<!--              This file defines the security labels, which can  -->
    36.7 +<!--              be attached to Domains and resources. Based on    -->
    36.8 +<!--              these labels, the access control module decides   -->
    36.9 +<!--              about sharing between Domains and about access    -->
   36.10 +<!--              of Domains to real resources.                     -->
   36.11 +
   36.12 +<SecurityLabelTemplate
   36.13 + xmlns="http://www.ibm.com"
   36.14 + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   36.15 + xsi:schemaLocation="http://www.ibm.com security_policy.xsd">
   36.16 +   <LabelHeader>
   36.17 +      <Name>null-security_label_template</Name>
   36.18 +
   36.19 +      <Date>2005-08-10</Date>
   36.20 +      <PolicyName>
   36.21 +         <Url>null-security_policy.xml</Url>
   36.22 +
   36.23 +         <Reference>abcdef123456abcdef</Reference>
   36.24 +      </PolicyName>
   36.25 +   </LabelHeader>
   36.26 +</SecurityLabelTemplate>
   36.27 +
    37.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
    37.2 +++ b/tools/security/policies/null/null-security_policy.xml	Fri Aug 19 12:22:27 2005 +0000
    37.3 @@ -0,0 +1,14 @@
    37.4 +<?xml version="1.0" encoding="UTF-8"?>
    37.5 +<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com  -->
    37.6 +<!--             This file defines the security policies, which     -->
    37.7 +<!--             can be enforced by the Xen Access Control Module.  -->
    37.8 +<!--             Currently: Chinese Wall and Simple Type Enforcement-->
    37.9 +<SecurityPolicyDefinition xmlns="http://www.ibm.com"
   37.10 + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   37.11 + xsi:schemaLocation="http://www.ibm.com security_policy.xsd">
   37.12 +<PolicyHeader>
   37.13 +		<Name>null-security_policy</Name>
   37.14 +		<Date>2005-08-10</Date>
   37.15 +</PolicyHeader>
   37.16 +</SecurityPolicyDefinition>
   37.17 +
    38.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
    38.2 +++ b/tools/security/policies/security_policy.xsd	Fri Aug 19 12:22:27 2005 +0000
    38.3 @@ -0,0 +1,138 @@
    38.4 +<?xml version="1.0" encoding="UTF-8"?>
    38.5 +<!-- Author: Ray Valdez, Reiner Sailer {rvaldez,sailer}@us.ibm.com -->
    38.6 +<!--         This file defines the schema, which is used to define -->
    38.7 +<!--         the security policy and the security labels in Xe.    -->
    38.8 +
    38.9 +<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" targetNamespace="http://www.ibm.com" xmlns="http://www.ibm.com" elementFormDefault="qualified">
   38.10 +	<xsd:element name="SecurityPolicyDefinition">
   38.11 +		<xsd:complexType>
   38.12 +			<xsd:sequence>
   38.13 +				<xsd:element ref="PolicyHeader" minOccurs="0" maxOccurs="1"></xsd:element>
   38.14 +				<xsd:element ref="SimpleTypeEnforcement" minOccurs="0" maxOccurs="1"></xsd:element>
   38.15 +				<xsd:element ref="ChineseWall" minOccurs="0" maxOccurs="1"></xsd:element>
   38.16 +			</xsd:sequence>
   38.17 +		</xsd:complexType>
   38.18 +	</xsd:element>
   38.19 +	<xsd:element name="SecurityLabelTemplate">
   38.20 +		<xsd:complexType>
   38.21 +			<xsd:sequence>
   38.22 +				<xsd:element ref="LabelHeader" minOccurs="1" maxOccurs="1"></xsd:element>
   38.23 +				<xsd:element name="SubjectLabels" minOccurs="0" maxOccurs="1">
   38.24 +					<xsd:complexType>
   38.25 +						<xsd:sequence>
   38.26 +							<xsd:element ref="VirtualMachineLabel" minOccurs="1" maxOccurs="unbounded"></xsd:element>
   38.27 +						</xsd:sequence>
   38.28 +						<xsd:attribute name="bootstrap" type="xsd:string" use="required"></xsd:attribute>
   38.29 +					</xsd:complexType>
   38.30 +				</xsd:element>
   38.31 +				<xsd:element name="ObjectLabels" minOccurs="0" maxOccurs="1">
   38.32 +					<xsd:complexType>
   38.33 +						<xsd:sequence>
   38.34 +							<xsd:element ref="ResourceLabel" minOccurs="1" maxOccurs="unbounded"></xsd:element>
   38.35 +						</xsd:sequence>
   38.36 +					</xsd:complexType>
   38.37 +				</xsd:element>
   38.38 +			</xsd:sequence>
   38.39 +		</xsd:complexType>
   38.40 +	</xsd:element>
   38.41 +	<xsd:element name="PolicyHeader">
   38.42 +		<xsd:complexType>
   38.43 +			<xsd:sequence>
   38.44 +				<xsd:element ref="Name" minOccurs="1" maxOccurs="1" />
   38.45 +				<xsd:element ref="Date" minOccurs="1" maxOccurs="1" />
   38.46 +			</xsd:sequence>
   38.47 +		</xsd:complexType>
   38.48 +	</xsd:element>
   38.49 +	<xsd:element name="LabelHeader">
   38.50 +		<xsd:complexType>
   38.51 +			<xsd:sequence>
   38.52 +				<xsd:element ref="Name"></xsd:element>
   38.53 +				<xsd:element ref="Date" minOccurs="1" maxOccurs="1"></xsd:element>
   38.54 +				<xsd:element ref="PolicyName" minOccurs="1" maxOccurs="1"></xsd:element>
   38.55 +			</xsd:sequence>
   38.56 +		</xsd:complexType>
   38.57 +	</xsd:element>
   38.58 +	<xsd:element name="SimpleTypeEnforcement">
   38.59 +		<xsd:complexType>
   38.60 +			<xsd:sequence>
   38.61 +				<xsd:element ref="SimpleTypeEnforcementTypes" />
   38.62 +			</xsd:sequence>
   38.63 +			<xsd:attribute name="priority" type="PolicyOrder" use="optional"></xsd:attribute>
   38.64 +		</xsd:complexType>
   38.65 +	</xsd:element>
   38.66 +	<xsd:element name="ChineseWall">
   38.67 +		<xsd:complexType>
   38.68 +			<xsd:sequence>
   38.69 +				<xsd:element ref="ChineseWallTypes" />
   38.70 +				<xsd:element ref="ConflictSets" />
   38.71 +			</xsd:sequence>
   38.72 +			<xsd:attribute name="priority" type="PolicyOrder" use="optional"></xsd:attribute>
   38.73 +		</xsd:complexType>
   38.74 +	</xsd:element>
   38.75 +	<xsd:element name="ChineseWallTypes">
   38.76 +		<xsd:complexType>
   38.77 +			<xsd:sequence>
   38.78 +				<xsd:element maxOccurs="unbounded" minOccurs="1" ref="Type" />
   38.79 +			</xsd:sequence>
   38.80 +		</xsd:complexType>
   38.81 +	</xsd:element>
   38.82 +	<xsd:element name="ConflictSets">
   38.83 +		<xsd:complexType>
   38.84 +			<xsd:sequence>
   38.85 +				<xsd:element maxOccurs="unbounded" minOccurs="1" ref="Conflict" />
   38.86 +			</xsd:sequence>
   38.87 +		</xsd:complexType>
   38.88 +	</xsd:element>
   38.89 +	<xsd:element name="SimpleTypeEnforcementTypes">
   38.90 +		<xsd:complexType>
   38.91 +			<xsd:sequence>
   38.92 +				<xsd:element maxOccurs="unbounded" minOccurs="1" ref="Type" />
   38.93 +			</xsd:sequence>
   38.94 +		</xsd:complexType>
   38.95 +	</xsd:element>
   38.96 +	<xsd:element name="Conflict">
   38.97 +		<xsd:complexType>
   38.98 +			<xsd:sequence>
   38.99 +				<xsd:element maxOccurs="unbounded" minOccurs="1" ref="Type" />
  38.100 +			</xsd:sequence>
  38.101 +			<xsd:attribute name="name" type="xsd:string" use="optional"></xsd:attribute>
  38.102 +		</xsd:complexType>
  38.103 +	</xsd:element>
  38.104 +	<xsd:element name="VirtualMachineLabel">
  38.105 +		<xsd:complexType>
  38.106 +			<xsd:sequence>
  38.107 +				<xsd:element ref="Name"></xsd:element>
  38.108 +				<xsd:element ref="SimpleTypeEnforcementTypes" minOccurs="0" maxOccurs="unbounded" />
  38.109 +				<xsd:element ref="ChineseWallTypes" minOccurs="0" maxOccurs="unbounded" />
  38.110 +			</xsd:sequence>
  38.111 +		</xsd:complexType>
  38.112 +	</xsd:element>
  38.113 +	<xsd:element name="ResourceLabel">
  38.114 +		<xsd:complexType>
  38.115 +			<xsd:sequence>
  38.116 +				<xsd:element ref="Name"></xsd:element>
  38.117 +				<xsd:element ref="SimpleTypeEnforcementTypes" minOccurs="0" maxOccurs="unbounded" />
  38.118 +			</xsd:sequence>
  38.119 +		</xsd:complexType>
  38.120 +	</xsd:element>
  38.121 +	<xsd:element name="PolicyName">
  38.122 +		<xsd:complexType>
  38.123 +			<xsd:sequence>
  38.124 +				<xsd:element ref="Url" />
  38.125 +				<xsd:element ref="Reference" />
  38.126 +			</xsd:sequence>
  38.127 +		</xsd:complexType>
  38.128 +	</xsd:element>
  38.129 +	<xsd:element name="Date" type="xsd:string" />
  38.130 +	<xsd:element name="Name" type="xsd:string" />
  38.131 +	<xsd:element name="Type" type="xsd:string" />
  38.132 +	<xsd:element name="Reference" type="xsd:string" />
  38.133 +	<xsd:element name="Url"></xsd:element>
  38.134 +
  38.135 +	<xsd:simpleType name="PolicyOrder">
  38.136 +		<xsd:restriction base="xsd:string">
  38.137 +			<xsd:enumeration value="PrimaryPolicyComponent"></xsd:enumeration>
  38.138 +		</xsd:restriction>
  38.139 +	</xsd:simpleType>
  38.140 +
  38.141 +</xsd:schema>
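--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/security/policies/ste/ste-security_label_template.xml	Fri Aug 19 12:22:27 2005 +0000
@@ -0,0 +1,143 @@
+<?xml version="1.0"?>
+<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com  -->
+<!--              This file defines the security labels, which can  -->
+<!--              be attached to Domains and resources. Based on    -->
+<!--              these labels, the access control module decides   -->
+<!--              about sharing between Domains and about access    -->
+<!--              of Domains to real resources.                     -->
+
+<SecurityLabelTemplate
+ xmlns="http://www.ibm.com"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.ibm.com security_policy.xsd">
+   <LabelHeader>
+      <Name>ste-security_label_template</Name>
+      <Date>2005-08-10</Date>
+      <PolicyName>
+         <Url>ste-security_policy.xml</Url>
+         <Reference>abcdef123456abcdef</Reference>
+      </PolicyName>
+   </LabelHeader>
+
+   <SubjectLabels bootstrap="dom_SystemManagement">
+      <!-- single ste typed domains            -->
+      <!-- ACM enforces that only domains with -->
+      <!-- the same type can share information -->
+      <!--                                     -->
+      <!-- Bootstrap label is assigned to Dom0 -->
+      <VirtualMachineLabel>
+      	<Name>dom_HomeBanking</Name>
+         <SimpleTypeEnforcementTypes>
+            <Type>ste_PersonalFinances</Type>
+         </SimpleTypeEnforcementTypes>
+      </VirtualMachineLabel>
+
+      <VirtualMachineLabel>
+      	<Name>dom_Fun</Name>
+         <SimpleTypeEnforcementTypes>
+            <Type>ste_InternetInsecure</Type>
+         </SimpleTypeEnforcementTypes>
+      </VirtualMachineLabel>
+
+      <VirtualMachineLabel>
+        <!-- donating some cycles to seti@home -->
+      	<Name>dom_BoincClient</Name>
+         <SimpleTypeEnforcementTypes>
+            <Type>ste_DonatedCycles</Type>
+         </SimpleTypeEnforcementTypes>
+      </VirtualMachineLabel>
+
+      <!-- Domains with multiple ste types services; such domains   -->
+      <!-- must keep the types inside their domain safely confined. -->
+      <VirtualMachineLabel>
+      	<Name>dom_SystemManagement</Name>
+         <SimpleTypeEnforcementTypes>
+            <!-- since dom0 needs access to every domain and -->
+            <!-- resource right now ... -->
+            <Type>ste_SystemManagement</Type>
+            <Type>ste_PersonalFinances</Type>
+            <Type>ste_InternetInsecure</Type>
+            <Type>ste_DonatedCycles</Type>
+            <Type>ste_PersistentStorageA</Type>
+            <Type>ste_NetworkAdapter0</Type>
+         </SimpleTypeEnforcementTypes>
+      </VirtualMachineLabel>
+
+      <VirtualMachineLabel>
+        <!-- serves persistent storage to other domains -->
+      	<Name>dom_StorageDomain</Name>
+         <SimpleTypeEnforcementTypes>
+            <!-- access right to the resource (hard drive a) -->
+            <Type>ste_PersistentStorageA</Type>
+            <!-- can serve following types -->
+            <Type>ste_PersonalFinances</Type>
+            <Type>ste_InternetInsecure</Type>
+         </SimpleTypeEnforcementTypes>
+      </VirtualMachineLabel>
+
+      <VirtualMachineLabel>
+        <!-- serves network access to other domains -->
+      	<Name>dom_NetworkDomain</Name>
+         <SimpleTypeEnforcementTypes>
+            <!-- access right to the resource (ethernet card) -->
+            <Type>ste_NetworkAdapter0</Type>
+            <!-- can serve following types -->
+            <Type>ste_PersonalFinances</Type>
+            <Type>ste_InternetInsecure</Type>
+            <Type>ste_DonatedCycles</Type>
+         </SimpleTypeEnforcementTypes>
+      </VirtualMachineLabel>
+   </SubjectLabels>
+
+   <ObjectLabels>
+      <ResourceLabel>
+      	<Name>res_ManagementResource</Name>
+         <SimpleTypeEnforcementTypes>
+            <Type>ste_SystemManagement</Type>
+         </SimpleTypeEnforcementTypes>
+      </ResourceLabel>
+
+      <ResourceLabel>
+      	<Name>res_HardDrive (hda)</Name>
+         <SimpleTypeEnforcementTypes>
+            <Type>ste_PersistentStorageA</Type>
+         </SimpleTypeEnforcementTypes>
+      </ResourceLabel>
+
+      <ResourceLabel>
+      	<Name>res_LogicalDiskPartition1 (hda1)</Name>
+         <SimpleTypeEnforcementTypes>
+            <Type>ste_PersonalFinances</Type>
+         </SimpleTypeEnforcementTypes>
+      </ResourceLabel>
+
+      <ResourceLabel>
+      	<Name>res_LogicalDiskPartition2 (hda2)</Name>
+         <SimpleTypeEnforcementTypes>
+            <Type>ste_InternetInsecure</Type>
+         </SimpleTypeEnforcementTypes>
+      </ResourceLabel>
+
+      <ResourceLabel>
+      	<Name>res_EthernetCard</Name>
+         <SimpleTypeEnforcementTypes>
+            <Type>ste_NetworkAdapter0</Type>
+         </SimpleTypeEnforcementTypes>
+      </ResourceLabel>
+
+      <ResourceLabel>
+      	<Name>res_SecurityToken</Name>
+         <SimpleTypeEnforcementTypes>
+            <Type>ste_PersonalFinances</Type>
+         </SimpleTypeEnforcementTypes>
+      </ResourceLabel>
+
+      <ResourceLabel>
+      	<Name>res_GraphicsAdapter</Name>
+         <SimpleTypeEnforcementTypes>
+            <Type>ste_SystemManagement</Type>
+         </SimpleTypeEnforcementTypes>
+      </ResourceLabel>
+   </ObjectLabels>
+</SecurityLabelTemplate>
+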
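Review bot: The `<Reference>abcdef123456abcdef</Reference>` value under `LabelHeader`/`PolicyName` reads as a placeholder, so nothing in this file ties the label template to a particular revision of `ste-security_policy.xml`. Whether the tools in this changeset compare it against the policy is not visible in this section; if they do not, a template can be loaded alongside a policy whose type list has drifted and a label may then name a type the ACM does not know. I would mark the value explicitly with a comment such as `<!-- placeholder: replace with the policy's identifier once the tools verify it -->`. Separately, `dom_SystemManagement` carries every STE type and is also the `bootstrap` label; the inline comment explains this as temporary ("right now"), and a `TODO` naming the condition for narrowing it would keep that intent from being lost.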
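--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/security/policies/ste/ste-security_policy.xml	Fri Aug 19 12:22:27 2005 +0000
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com  -->
+<!--             This file defines the security policies, which     -->
+<!--             can be enforced by the Xen Access Control Module.  -->
+<!--             Currently: Chinese Wall and Simple Type Enforcement-->
+<SecurityPolicyDefinition xmlns="http://www.ibm.com"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.ibm.com security_policy.xsd">
+<PolicyHeader>
+		<Name>ste-security_policy</Name>
+		<Date>2005-08-10</Date>
+</PolicyHeader>
+<!--                                                        -->
+<!-- example of a simple type enforcement policy definition -->
+<!--                                                        -->
+	<SimpleTypeEnforcement>
+        <SimpleTypeEnforcementTypes>
+            <Type>ste_SystemManagement</Type>   <!-- machine/security management -->
+            <Type>ste_PersonalFinances</Type>   <!-- personal finances -->
+            <Type>ste_InternetInsecure</Type>   <!-- games, active X, etc. -->
+            <Type>ste_DonatedCycles</Type>      <!-- donation to BOINC/seti@home -->
+            <Type>ste_PersistentStorageA</Type> <!-- domain managing the harddrive A-->
+            <Type>ste_NetworkAdapter0</Type>    <!-- type of the domain managing ethernet adapter 0-->
+        </SimpleTypeEnforcementTypes>
+	</SimpleTypeEnforcement>
+</SecurityPolicyDefinition>
+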
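Review bot: The header comment says "Currently: Chinese Wall and Simple Type Enforcement", but this file contains only a `SimpleTypeEnforcement` element, so a reader may assume conflict sets are in force when none are defined here. I would reword that line to `<!--             This policy: Simple Type Enforcement only            -->`. The trailing comments on `ste_PersistentStorageA` and `ste_NetworkAdapter0` describe them as types of the managing domain, while the label template added in this changeset also assigns them to the resources themselves (`res_HardDrive (hda)`, `res_EthernetCard`); wording such as `<!-- hard drive A and the domain managing it -->` would match that use.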
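--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/security/policy.txt	Fri Aug 19 12:22:27 2005 +0000
@@ -0,0 +1,405 @@
+##
+# policy.txt <description to the Xen access control architecture>
+#
+# Author:
+# Reiner Sailer 08/15/2005 <sailer@watson.ibm.com>
+#
+#
+# This file gives an overview of the security policies currently
+# provided and also gives some reasoning about how to assign
+# labels to domains.
+##
+
+Xen access control policies
+
+
+General explanation of supported security policies:
+=====================================================
+
+We have implemented the mandatory access control architecture of our
+hypervisor security architecture (sHype) for the Xen hypervisor. It
+controls communication (in Xen: event channels, grant tables) between
+Virtual Machines (from here on called domains) and through this the
+virtual block devices, networking, and shared memory are implemented
+on top of these communication means. While we have implemented the
+described policies and access control architecture for other
+hypervisor systems, we will describe below specifically its
+implementation and use in the Xen hypervisor. The policy enforcement
+is called mandatory regarding user domains since the policy it is
+given by the security administration and enforced independently of the
+user domains by the Xen hypervisor in cooperation with the domain
+management.
+
+The access control architecture consists of three parts:
+
+i) The access control policy determines the "command set" of the ACM
+and the hooks with which they can be configured to constrain the
+sharing of virtual resources. The current access control architecture
+implemented for Xen supports two policies: Chinese Wall and Simple
+Type Enforcement, which we describe in turn below.
+
+
+ii) The actually enforced policy instantiation uses the policy
+language (i) to configure the Xen access control in a way that suits
+the specific application (home desktop environment, company desktop,
+Web server system, etc.). We have defined an exemplary policy
+instantiation for Chinese Wall (chwall policy) and Simple Type
+Enforcement (ste policy) for a desktop system. We offer these policies
+in combination since they are controlling orthogonal events.
+
+
+iii) The access control module (ACM) and related hooks are part of the
+core hypervisor and their controls cannot be bypassed by domains. The
+ACM and hooks are the active security components. We refer to
+publications that describe how access control is enforced in the Xen
+hypervisor using the ACM (access decision) and the hooks (decision
+enforcement) inserted into the setup of event channels and grant
+tables, and into domain operations (create, destroy, save, restore,
+migrate). These controls decide based on the active policy
+configuration (see i. and ii.) if the operation proceeds of if the
+operation is aborted (denied).
+
+
+In general, security policy instantiations in the Xen access control
+framework are defined by two files:
+
+a) a single "policy-name"-security_policy.xml file that defines the
+types known to the ACM and policy rules based on these types
+
+b) a single "policy-name"-security_label_template.xml file that
+defines labels based on known types
+
+Every security policy has its own sub-directory under
+"Xen-root"/tools/security/policies in order to simplify their
+management and the security policy tools. We will describe those files
+for our example policy (Chinese Wall and Simple Type Enforcement) in
+more detail as we go along. Eventually, we will move towards a system
+installation where the policies will reside under /etc.
+
+
+CHINESE WALL
+============
+
+The Chinese Wall policy enables the user to define "which workloads
+(domain payloads) cannot run on a single physical system at the same
+time". Why would we want to prevent workloads from running at the same
+time on the same system? This supports requirements that can (but
+don't have to) be rooted in the measure of trust into the isolation of
+different domains that share the same hardware. Since the access
+control architecture aims at high performance and non-intrusive
+implementation, it currently does not address covert (timing) channels
+and aims at medium assurance. Users can apply the Chinese Wall policy
+to guarantee an air-gap between very sensitive payloads both regarding
+covert information channels and regarding resource starvation.
+
+To enable the CW control, each domain is labeled with a set of Chinese
+Wall types and CW Conflict Sets are defined which include those CW
+types that cannot run simultaneously on the same hardware. This
+interpretation of conflict sets is the only policy rule for the Chines
+Wall policy.
+
+This is enforced by controlling the start of domains according to
+their assigned CW worload types. Domains with Chinese Wall types that
+appear in a common conflict set are running mutually exclusive on a
+platform, i.e., once a domain with one of the cw-types of a conflict
+set is running, no domain with another cw-type of the same conflict
+set can start until the first domain is destroyed, paused, or migrated
+away from the physical system (this assumes that such a partition can
+no longer be observed). The idea is to assign cw-types according to
+the type of payload that a domain runs and to use the Chinese Wall
+policy to ensure that payload types can be differentiated by the
+hypervisor and can be prevented from being executed on the same system
+at the same time. Using the flexible CW policy maintains system
+consolidation and workload-balancing while introducing guaranteed
+constraints where necessary.
+
+
+Example of a Chinese Wall Policy Instantiation
+----------------------------------------------
+
+The file chwall-security_policy.xml defines the Chinese Wall types as
+well as the conflict sets for our example policy (you find it in the
+directory "xen_root"/tools/security/policies/chwall).
+
+It defines four Chinese Wall types (prefixed with cw_) with the
+following meaning:
+
+* cw_SystemsManagement is a type identifying workloads for systems
+management, e.g., domain management, device management, or hypervisor
+management.
+
+* cw_Sensitive is identifying workloads that are critical to the user
+for one reason or another.
+
+* cw_Distrusted is identifying workloads a user does not have much
+confidence in. E.g. a domain used for surfing in the internet without
+protection( i.e., active-X, java, java-script, executing web content)
+or for (Internet) Games should be typed this way.
+
+* cw_Isolated is identifying workloads that are supposedly isolated by
+use of the type enforcement policy (described below). For example, if
+a user wants to donate cycles to seti@home, she can setup a separate
+domain for a Boinc (http://boinc.ssl.berkeley.edu/) client, disable
+this domain from accessing the hard drive and from communicating to
+other local domains, and type it as cw_Isolated. We will look at a
+specific example later.
+
+The example policy uses the defined types to define one conflict set:
+Protection1 = {cw_Sensitive, cw_Distrusted}. This conflict set tells
+the hypervisor that once a domain typed as cw_Sensitive is running, a
+domain typed as cw_Distrusted cannot run concurrently (and the other
+way round). With this policy, a domain typed as cw_Isolated is allowed
+to run simultaneously with domains tagged as cw_Sensitive.
+
+Consequently, the access control module in the Xen hypervisor
+distinguishes in this example policy 4 different workload types in
+this example policy. It is the user's responsibility to type the
+domains in a way that reflects the workloads of these domains and, in
+the case of cw_Isolated, its properties, e.g. by configuring the
+sharing capabilities of the domain accordingly by using the simple
+type enforcement policy.
+
+Users can define their own or change the existing example policy
+according to their working environment and security requirements. To
+do so, replace the file chwall-security_policy.xml with the new
+policy.
+
+
+SIMPLE TYPE ENFORCEMENT
+=======================
+
+The file ste-security_policy.xml defines the simple type enforcement
+types for our example policy (you find it in the directory
+"xen_root"/tools/security/policies/ste). The Simple Type Enforcement
+policy defines which domains can share information with which other
+domains. To this end, it controls
+
+i) inter-domain communication channels (e.g., network traffic, events,
+and shared memory).
+
+ii) access of domains to physical resources (e.g., hard drive, network
+cards, graphics adapter, keyboard).
+
+In order to enable the hypervisor to distinguish different domains and
+the user to express access rules, the simple type enforcement defines
+a set of types (ste_types).
+
+The policy defines that communication between domains is allowed if
+the domains share a common STE type. As with the chwall types, STE
+types should enable the differentiation of workloads. The simple type
+enforcement access control implementation in the hypervisor enforces
+that domains can only communicate (setup event channels, grant tables)
+if they share a common type, i.e., both domains have assigned at least
+on type in common. A domain can access a resource, if the domain and
+the resource share a common type. Hence, assigning STE types to
+domains and resources allows users to define constraints on sharing
+between domains and to keep sensitive data confined from distrusted
+domains.
+
+Domain <--> Domain Sharing
+''''''''''''''''''''''''''
+(implemented but its effective use requires factorization of Dom0)
+
+a) Domains with a single STE type (general user domains): Sharing
+between such domains is enforced entirely by the hypervisor access
+control. It is independent of the domains and does not require their
+co-operation.
+
+b) Domains with multiple STE types: One example is a domain that
+virtualizes a physical resource (e.g., hard drive) and serves it as
+multiple virtual resources (virtual block drives) to other domains of
+different types. The idea is that only a specific device domain has
+assigned the type required to access the physical hard-drive. Logical
+drives are then assigned the types of domains that have access to this
+logical drive. Since the Xen hypervisor cannot distinguish between the
+logical drives, the access control (type enforcement) is delegated to
+the device domain, which has access to the types of domains requesting
+to mount a logical drive as well as the types assigned to the
+different available logical drives.
+
+Currently in Xen, Dom0 controls all hardware, needs to communicate
+with all domains during their setup, and intercepts all communication
+between domains. Consequently, Dom0 needs to be assigned all types
+used and must be completely trusted to maintain the separation of
+informatio ncoming from domains with different STE types. Thus a
+refactoring of Dom0 is recommended for stronger confinement
+guarantees.
+
+Domain --> RESOURCES Access
+'''''''''''''''''''''''''''
+(current work)
+
+We define for each resource that we want to distinguish a separate STE
+type. Each STE type is assigned to the respective resource and to
+those domains that are allowed to access this resource. Type
+enforcement will guarantee that other domains cannot access this
+resource since they don't share the resource's STE type.
+
+Since in the current implementation of Xen, Dom0 controls access to
+all hardware (e.g., disk drives, network), Domain-->Resource access
+control enforcement must be implemented in Dom0. This is possible
+since Dom0 has access to both the domain configuration (including the
+domain STE types) and the resource configuration (including the
+resource STE types).
+
+For purposes of gaining higher assurance in the resulting system, it
+may be desirable to reduce the size of dom0 by adding one or more
+"device domains" (DDs). These DDs, e.g. providing storage or network
+access, can support one or more physical devices, and manage
+enforcement of MAC policy relevant for said devices. Security benefits
+come from the smaller size of these DDs, as they can be more easily
+audited than monolithic device driver domains. DDs can help to obtain
+maximum security benefit from sHype.
+
+
+Example of a Simple Type Enforcement Policy Instantiation
+---------------------------------------------------------
+
+We define the following types:
+
+* ste_SystemManagement identifies workloads (and domains that runs
+them) that must share information to accomplish the management of the
+system
+
+* ste_PersonalFinances identifies workloads that are related to
+sensitive programs such as HomeBanking applications or safely
+configured web browsers for InternetBanking
+
+* ste_InternetInsecure identifies workloads that are very
+function-rich and unrestricted to offer for example an environment
+where internet games can run efficiently
+
+* ste_DonatedCycles identifies workloads that run on behalf of others,
+e.g. a Boinc client
+
+* ste_PersistentStorage identifies workloads that have direct access
+to persistent storage (e.g., hard drive)
+
+* ste_NetworkAccess identifies workload that have direct access to
+network cards and related networks
+
+
+
+SECURITY LABEL TEMPLATES
+========================
+
+We introduce security label templates because it is difficult for
+users to ensure tagging of domains consistently and since there are
+--as we have seen in the case of isolation-- useful dependencies
+between the policies. Security Label Templates define type sets that
+can be addressed by more user-friendly label names,
+e.g. dom_Homebanking describes a typical typeset tagged to domains
+used for sensitive Homebanking work-loads. Labels are defined in the
+file
+
+Using Security Label Templates has multiple advantages:
+a) easy reference of typical sets of type assignments
+b) consistent interpretation of type combinations
+c) meaningful application-level label names
+
+The definition of label templates depends on the combination of
+policies that are used. We will describe some of the labels defined
+for the Chinese Wall and Simple Type Enforcement combination.
+
+In the BoincClient example, the label_template file specifies that
+this Label is assigned the Chinese Wall type cw_Isolated. We do this
+assuming that this BoincClient is isolated against the rest of the
+system infrastructure (no persistent memory, no sharing with local
+domains). Since cw_Isolated is not included in any conflict set, it
+can run at any time concurrently with any other domain. The
+ste_DonatedCycles type assigned to the BoincClient reflect the
+isolation assumption: it is only assigned to the dom_NetworkDomain
+giving the BoincClient domain access to the network to communicate
+with its BoincServer.
+
+The strategy for combining types into Labels is the following: First
+we define a label for each type of general user domain
+(workload-oriented). Then we define a new label for each physical
+resource that shall be shared using a DD domain (e.g., disk) and for
+each logical resource offered through this physical resource (logical
+disk partition). We define then device domain labels (here:
+dom_SystemManagement, dom_StorageDomain, dom_NetworkDomain) which
+include the types of the physical resources (e.g. hda) their domains
+need to connect to. Such physical resources can only be accessed
+directly by device domains types with the respective device's STE
+type. Additionally we assign to such a device domain Label the STE
+types of those user domains that are allowed to access one of the
+logical resources (e.g., hda1, hda2) built on top of this physical
+resource through the device domain.
+
+
+Label Construction Example:
+---------------------------
+
+We define here a storage domain label for a domain that owns a real
+disk drive and creates the logical disk partitions hda1 and hda2 which
+it serves to domains labeled dom_HomeBanking and dom_Fun
+respectively. The labels we refer to are defined in the label template
+file policies/chwall_ste/chwall_ste-security-label-template.xml.
+
+step1: To distinguish different shared disk drives, we create a
+separate Label and STE type for each of them. Here: we create a type
+ste_PersistentStorageA for disk drive hda. If you have another disk
+drive, you may define another persistent storage type
+ste_PersistentStorageB in the chwall_ste-security_policy.xml.
+
+step2: To distinguish different domains, we create multiple domain
+labels including different types. Here: label dom_HomeBanking includes
+STE type ste_PersonalFinances, label dom_Fun includes STE type
+ste_InternetInsecure.
+
+step3: The storage domain in charge of the hard drive A needs access
+to this hard drive. Therefore the storage domain label
+dom_StorageDomain must include the type assigned to the hard drive
+(ste_PersistentStorageA).
+
+step4: In order to serve dom hda1 to domains labeled dom_HomeBanking
+and hda2 to domains labeled dom_Fun, the storage domain label must
+include the types of those domains as well (ste_PersonalFinance,
+ste_InternetInsecure).
+
+step5: In order to keep the data for different types safely apart, the
+different logical disk partitions must be assigned unique labels and
+types, which are used inside the storage domain to extend the ACM
+access enforcement to logical resources served from inside the storage
+domain. We define labels "res_LogicalDiskPartition1 (hda1)" and assign
+it to hda1 and "res_LogicalDiskPartition2 (hda2)" and assign it to
+hda2. These labels must include the STE types of those domains that
+are allowed to use them (e.g., ste_PersonalFinances for hda1).
+
+The overall mandatory access control is then enforced in 3 different
+Xen components and these components use a single consistent policy to
+co-operatively enforce the policy. In the storage domain example, we
+have three components that co-operate:
+
+1. The ACM module inside the hypervisor enforces: communication between
+user domains and the storage domain (only domains including types
+ste_PersonalFinances or ste_InternetInsecure can communicate with the
+storage domain and request access to logical resource). This confines
+the sharing to the types assigned to the storage domain.
+
+2. The domain management will enforce (work in progress): assignment of
+real resources (hda) to domains (storage domain) that share a
+type with the resource.
+
+3. If the storage domain serves multiple STE types (as in our example),
+it enforces (work in progress): that domains can access (mount)
+logical resources only if they share an STE type with the respective
+resource. In our example, domains with the STE type
+ste_PersonalFinances can request access (mount) to logical resource
+hda1 from the storage domain.
+
+If you look at the virtual machine label dom_StorageDomain, you will
+see the minimal set of types assigned to our domain manageing disk
+drive hda for serving logical disk partitions exclusively to
+dom_HomeBanking and dom_Fun.
+
+Similary, network domains can confine access to the network or
+network communication between user domains.
+
+As a result, device domains (e.g., storage domain, network domain)
+must be simple and small to ensure their correct co-operation in the
+type enforcement model. If such trust is not possible, then hardware
+should be assigned exclusively to a single type (or to a single
+partition) in which case the hypervisor ACM enforcement enforces the
+types independently.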
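--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/security/readme.txt	Fri Aug 19 12:22:27 2005 +0000
@@ -0,0 +1,29 @@
+
+##
+# readme.txt <description to the xen access control architecture>
+#
+# Author:
+# Reiner Sailer 08/15/2005 <sailer@watson.ibm.com>
+#
+#
+# This file is a toc for information regarding
+# the access control policy and tools in Xen.
+##
+
+1. policy.txt:
+
+   describes the general reasoning and examples for access
+   control policies in Xen
+
+
+2. install.txt
+
+   describes the activation of the access control framework
+   in Xen
+
+3. example.txt
+
+   describes the available tools for managing security policies
+   in Xen and the tools to label domains
+
+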
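--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/security/secpol_compat.h	Fri Aug 19 12:22:27 2005 +0000
@@ -0,0 +1,14 @@
+/* secpol_compat.h
+ *     'translates' data types necessary to
+ *     include <xen/acm.h>
+ */
+#include <stdint.h>
+
+typedef uint8_t  u8;
+typedef uint16_t u16;
+typedef uint32_t u32;
+typedef uint64_t u64;
+typedef int8_t   s8;
+typedef int16_t  s16;
+typedef int32_t  s32;
+typedef int64_t  s64;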
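Review bot: The new header has no include guard, so a translation unit that reaches it twice (once directly and once through another header) repeats all eight typedefs, which compilers before C11 reject as redefinitions. Wrapping the body in `#ifndef SECPOL_COMPAT_H` / `#define SECPOL_COMPAT_H` and a closing `#endif` removes that hazard at no cost. The short names `u8` … `s64` are also common in other headers, so the guard does not protect against a clash with a differing definition elsewhere; keeping this header private to tools/security limits that exposure.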
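--- a/tools/security/secpol_tool.c	Fri Aug 19 12:21:29 2005 +0000
+++ b/tools/security/secpol_tool.c	Fri Aug 19 12:22:27 2005 +0000
@@ -31,18 +31,8 @@
 #include <stdlib.h>
 #include <sys/ioctl.h>
 #include <string.h>
-#include <stdint.h>
 #include <netinet/in.h>
-
-typedef uint8_t u8;
-typedef uint16_t u16;
-typedef uint32_t u32;
-typedef uint64_t u64;
-typedef int8_t s8;
-typedef int16_t s16;
-typedef int32_t s32;
-typedef int64_t s64;
-
+#include "secpol_compat.h"
 #include <xen/acm.h>
 #include <xen/acm_ops.h>
 #include <xen/linux/privcmd.h>
@@ -270,171 +260,6 @@ void acm_dump_policy_buffer(void *buf, i
     }
 }
 
-/*************************** set policy ****************************/
-
-int acm_domain_set_chwallpolicy(void *bufstart, int buflen)
-{
-#define CWALL_MAX_SSIDREFS      	6
-#define CWALL_MAX_TYPES             10
-#define CWALL_MAX_CONFLICTSETS		2
-
-    struct acm_chwall_policy_buffer *chwall_bin_pol =
-        (struct acm_chwall_policy_buffer *) bufstart;
-    domaintype_t *ssidrefs, *conflicts;
-    int ret = 0;
-    int j;
-
-    chwall_bin_pol->chwall_max_types = htonl(CWALL_MAX_TYPES);
-    chwall_bin_pol->chwall_max_ssidrefs = htonl(CWALL_MAX_SSIDREFS);
-    chwall_bin_pol->policy_code = htonl(ACM_CHINESE_WALL_POLICY);
-    chwall_bin_pol->policy_version = htonl(ACM_CHWALL_VERSION);
-    chwall_bin_pol->chwall_ssid_offset =
-        htonl(sizeof(struct acm_chwall_policy_buffer));
-    chwall_bin_pol->chwall_max_conflictsets =
-        htonl(CWALL_MAX_CONFLICTSETS);
-    chwall_bin_pol->chwall_conflict_sets_offset =
-        htonl(ntohl(chwall_bin_pol->chwall_ssid_offset) +
-              sizeof(domaintype_t) * CWALL_MAX_SSIDREFS * CWALL_MAX_TYPES);
-    chwall_bin_pol->chwall_running_types_offset = 0;    /* not set */
-    chwall_bin_pol->chwall_conflict_aggregate_offset = 0;       /* not set */
-    ret += sizeof(struct acm_chwall_policy_buffer);
-    /* now push example ssids into the buffer (max_ssidrefs x max_types entries) */
-    /* check buffer size */
-    if ((buflen - ret) <
-        (CWALL_MAX_TYPES * CWALL_MAX_SSIDREFS * sizeof(domaintype_t)))
-        return -1;              /* not enough space */
-
-    ssidrefs = (domaintype_t *) (bufstart +
-                          ntohl(chwall_bin_pol->chwall_ssid_offset));
-    memset(ssidrefs, 0,
-           CWALL_MAX_TYPES * CWALL_MAX_SSIDREFS * sizeof(domaintype_t));
-
-    /* now set type j-1 for ssidref i+1 */
-    for (j = 0; j <= CWALL_MAX_SSIDREFS; j++)
-        if ((0 < j) && (j <= CWALL_MAX_TYPES))
-            ssidrefs[j * CWALL_MAX_TYPES + j - 1] = htons(1);
-
-    ret += CWALL_MAX_TYPES * CWALL_MAX_SSIDREFS * sizeof(domaintype_t);
-    if ((buflen - ret) <
-        (CWALL_MAX_CONFLICTSETS * CWALL_MAX_TYPES * sizeof(domaintype_t)))
-        return -1;              /* not enough space */
-
-    /* now the chinese wall policy conflict sets */
-    conflicts = (domaintype_t *) (bufstart +
-                                  ntohl(chwall_bin_pol->
-                                        chwall_conflict_sets_offset));
-    memset((void *) conflicts, 0,
-           CWALL_MAX_CONFLICTSETS * CWALL_MAX_TYPES *
-           sizeof(domaintype_t));
-    /* just 1 conflict set [0]={2,3}, [1]={1,5,6} */
-    if (CWALL_MAX_TYPES > 3)
-    {
-        conflicts[2] = htons(1);
-        conflicts[3] = htons(1);        /* {2,3} */
-        conflicts[CWALL_MAX_TYPES + 1] = htons(1);
-        conflicts[CWALL_MAX_TYPES + 5] = htons(1);
-        conflicts[CWALL_MAX_TYPES + 6] = htons(1);      /* {0,5,6} */
-    }
-    ret += sizeof(domaintype_t) * CWALL_MAX_CONFLICTSETS * CWALL_MAX_TYPES;
-    return ret;
-}
-
-int acm_domain_set_stepolicy(void *bufstart, int buflen)
-{
-#define STE_MAX_SSIDREFS        6
-#define STE_MAX_TYPES  	        5
-
-    struct acm_ste_policy_buffer *ste_bin_pol =
-        (struct acm_ste_policy_buffer *) bufstart;
-    domaintype_t *ssidrefs;
-    int j, ret = 0;
-
-    ste_bin_pol->ste_max_types = htonl(STE_MAX_TYPES);
-    ste_bin_pol->ste_max_ssidrefs = htonl(STE_MAX_SSIDREFS);
-    ste_bin_pol->policy_code = htonl(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY);
-    ste_bin_pol->policy_version = htonl(ACM_STE_VERSION);
-    ste_bin_pol->ste_ssid_offset =
-        htonl(sizeof(struct acm_ste_policy_buffer));
-    ret += sizeof(struct acm_ste_policy_buffer);
-    /* check buffer size */
-    if ((buflen - ret) <
-        (STE_MAX_TYPES * STE_MAX_SSIDREFS * sizeof(domaintype_t)))
-        return -1;              /* not enough space */
-
-    ssidrefs =
-        (domaintype_t *) (bufstart + ntohl(ste_bin_pol->ste_ssid_offset));
-    memset(ssidrefs, 0,
-           STE_MAX_TYPES * STE_MAX_SSIDREFS * sizeof(domaintype_t));
-    /* all types 1 for ssidref 1 */
-    for (j = 0; j < STE_MAX_TYPES; j++)
-        ssidrefs[1 * STE_MAX_TYPES + j] = htons(1);
-    /* now set type j-1 for ssidref j */
-    for (j = 0; j < STE_MAX_SSIDREFS; j++)
-        if ((0 < j) && (j <= STE_MAX_TYPES))
-            ssidrefs[j * STE_MAX_TYPES + j - 1] = htons(1);
-    ret += STE_MAX_TYPES * STE_MAX_SSIDREFS * sizeof(domaintype_t);
-    return ret;
-}
-
-#define MAX_PUSH_BUFFER 	16384
-u8 push_buffer[MAX_PUSH_BUFFER];
-
-int acm_domain_setpolicy(int xc_handle)
-{
-    int ret;
-    struct acm_policy_buffer *bin_pol;
-    acm_op_t op;
-
-    /* future: read policy from file and set it */
-    bin_pol = (struct acm_policy_buffer *) push_buffer;
-    bin_pol->policy_version = htonl(ACM_POLICY_VERSION);
-    bin_pol->magic = htonl(ACM_MAGIC);
-    bin_pol->primary_policy_code = htonl(ACM_CHINESE_WALL_POLICY);
-    bin_pol->secondary_policy_code =
-        htonl(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY);
-
-    bin_pol->len = htonl(sizeof(struct acm_policy_buffer));
-    bin_pol->primary_buffer_offset = htonl(ntohl(bin_pol->len));
-    ret =
-        acm_domain_set_chwallpolicy(push_buffer +
-                                    ntohl(bin_pol->primary_buffer_offset),
-                                    MAX_PUSH_BUFFER -
-                                    ntohl(bin_pol->primary_buffer_offset));
-    if (ret < 0)
-    {
-        printf("ERROR creating chwallpolicy buffer.\n");
-        return -1;
-    }
-    bin_pol->len = htonl(ntohl(bin_pol->len) + ret);
-    bin_pol->secondary_buffer_offset = htonl(ntohl(bin_pol->len));
-    ret = acm_domain_set_stepolicy(push_buffer +
-                                 ntohl(bin_pol->secondary_buffer_offset),
-                                 MAX_PUSH_BUFFER -
-                                 ntohl(bin_pol->secondary_buffer_offset));
-    if (ret < 0)
-    {
-        printf("ERROR creating chwallpolicy buffer.\n");
-        return -1;
-    }
-    bin_pol->len = htonl(ntohl(bin_pol->len) + ret);
-
-    /* dump it and then push it down into xen/acm */
-    acm_dump_policy_buffer(push_buffer, ntohl(bin_pol->len));
-
-    op.cmd = ACM_SETPOLICY;
-    op.interface_version = ACM_INTERFACE_VERSION;
-    op.u.setpolicy.pushcache = (void *) push_buffer;
-    op.u.setpolicy.pushcache_size = ntohl(bin_pol->len);
-    ret = do_acm_op(xc_handle, &op);
-
-    if (ret)
-        printf("ERROR setting policy. Use 'xm dmesg' to see details.\n");
-    else
-        printf("Successfully changed policy.\n");
-
-    return ret;
-}
-
 /******************************* get policy ******************************/
 
 #define PULL_CACHE_SIZE		8192
@@ -602,7 +427,6 @@ int acm_domain_dumpstats(int xc_handle)
 void usage(char *progname)
 {
     printf("Use: %s \n"
-           "\t setpolicy\n"
            "\t getpolicy\n"
            "\t dumpstats\n"
            "\t loadpolicy <binary policy file>\n", progname);
@@ -623,12 +447,7 @@ int main(int argc, char **argv)
         exit(-1);
     }
 
-    if (!strcmp(argv[1], "getpolicy"))
-    {
-        if (argc != 2)
-            usage(argv[0]);
-        ret = acm_domain_setpolicy(acm_cmd_fd);
-    } else if (!strcmp(argv[1], "getpolicy")) {
+    if (!strcmp(argv[1], "getpolicy")) {
         if (argc != 2)
             usage(argv[0]);
         ret = acm_domain_getpolicy(acm_cmd_fd);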
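Review bot: In the first hunk the position of `#include "secpol_compat.h"` is load-bearing but undocumented: it has to stay directly ahead of `<xen/acm.h>`, which, going by the new header's own comment, needs the `u8` … `s64` names to be defined already. The blank line that used to separate the local typedefs from the Xen headers is gone, so the line now reads like an ordinary include that a later tidy-up could sort below the `<xen/...>` group. A one-line comment such as `/* must precede <xen/acm.h>: supplies the u8..s64 types it uses */` would keep that from breaking the build. The remaining hunks only remove the hard-coded example `setpolicy` path and need no change.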
    45.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
    45.2 +++ b/tools/security/secpol_xml2bin.c	Fri Aug 19 12:22:27 2005 +0000
    45.3 @@ -0,0 +1,1396 @@
    45.4 +/****************************************************************
    45.5 + * secpol_xml2bin.c
    45.6 + *
    45.7 + * Copyright (C) 2005 IBM Corporation
    45.8 + *
    45.9 + * Author: Reiner Sailer <sailer@us.ibm.com>
   45.10 + *
   45.11 + * Maintained:
   45.12 + * Reiner Sailer <sailer@us.ibm.com>
   45.13 + * Ray Valdez <rvaldez@us.ibm.com>
   45.14 + *
   45.15 + * This program is free software; you can redistribute it and/or
   45.16 + * modify it under the terms of the GNU General Public License as
   45.17 + * published by the Free Software Foundation, version 2 of the
   45.18 + * License.
   45.19 + *
   45.20 + * sHype policy translation tool. This tool takes an XML
   45.21 + * policy specification as input and produces a binary
   45.22 + * policy file that can be loaded into Xen through the
   45.23 + * ACM operations (secpol_tool loadpolicy) interface or at
   45.24 + * boot time (grub module parameter)
   45.25 + *
   45.26 + * indent -i4 -kr -nut
   45.27 + */
   45.28 +#include <stdio.h>
   45.29 +#include <stdlib.h>
   45.30 +#include <string.h>
   45.31 +#include <errno.h>
   45.32 +#include <libgen.h>
   45.33 +#include <fcntl.h>
   45.34 +#include <unistd.h>
   45.35 +#include <sys/types.h>
   45.36 +#include <sys/stat.h>
   45.37 +#include <sys/queue.h>
   45.38 +#include <netinet/in.h>
   45.39 +#include <libxml/xmlschemas.h>
   45.40 +#include <libxml/parser.h>
   45.41 +#include <libxml/tree.h>
   45.42 +#include <libxml/xmlreader.h>
   45.43 +#include "secpol_compat.h"
   45.44 +#include <xen/acm.h>
   45.45 +
   45.46 +#include "secpol_xml2bin.h"
   45.47 +
   45.48 +#define DEBUG    0
   45.49 +
   45.50 +/* primary / secondary policy component setting */
   45.51 +enum policycomponent { CHWALL, STE, NULLPOLICY }
   45.52 +    primary = NULLPOLICY, secondary = NULLPOLICY;
   45.53 +
   45.54 +/* general list element for ste and chwall type queues */
   45.55 +struct type_entry {
   45.56 +    TAILQ_ENTRY(type_entry) entries;
   45.57 +    char *name;                 /* name of type from xml file */
   45.58 +    type_t mapping;             /* type mapping into 16bit */
   45.59 +};
   45.60 +
   45.61 +TAILQ_HEAD(tailhead, type_entry) ste_head, chwall_head;
   45.62 +
   45.63 +/* general list element for all label queues */
   45.64 +enum label_type { VM, RES, ANY };
   45.65 +struct ssid_entry {
   45.66 +    TAILQ_ENTRY(ssid_entry) entries;
   45.67 +    char *name;                 /* label name */
   45.68 +    enum label_type type;       /* type: VM / RESOURCE LABEL */
   45.69 +    u_int32_t num;              /* ssid or referenced ssid */
   45.70 +    int is_ref;                 /* if this entry references earlier ssid number */
   45.71 +    unsigned char *row;         /* index of types (if not a reference) */
   45.72 +};
   45.73 +
   45.74 +TAILQ_HEAD(tailhead_ssid, ssid_entry) ste_ssid_head, chwall_ssid_head,
   45.75 +    conflictsets_head;
   45.76 +struct ssid_entry *current_chwall_ssid_p = NULL;
   45.77 +struct ssid_entry *current_ste_ssid_p = NULL;
   45.78 +struct ssid_entry *current_conflictset_p = NULL;
   45.79 +
   45.80 +/* which label to assign to dom0 during boot */
   45.81 +char *bootstrap_label;
   45.82 +
   45.83 +u_int32_t max_ste_ssids = 0;
   45.84 +u_int32_t max_chwall_ssids = 0;
   45.85 +u_int32_t max_chwall_labels = 0;
   45.86 +u_int32_t max_ste_labels = 0;
   45.87 +u_int32_t max_conflictsets = 0;
   45.88 +
   45.89 +char *current_ssid_name;        /* store name until structure is allocated */
   45.90 +char *current_conflictset_name; /* store name until structure is allocated */
   45.91 +
   45.92 +/* dynamic list of type mappings for STE */
   45.93 +u_int32_t max_ste_types = 0;
   45.94 +
   45.95 +/* dynamic list of type mappings for CHWALL */
   45.96 +u_int32_t max_chwall_types = 0;
   45.97 +
   45.98 +/* dynamic list of conflict sets */
   45.99 +int max_conflict_set = 0;
  45.100 +
  45.101 +/* which policies are defined */
  45.102 +int have_ste = 0;
  45.103 +int have_chwall = 0;
  45.104 +
  45.105 +/* input/output file names */
  45.106 +char *policy_filename = NULL,
  45.107 +    *label_filename = NULL,
  45.108 +    *binary_filename = NULL, *mapping_filename = NULL;
  45.109 +
  45.110 +void usage(char *prg)
  45.111 +{
  45.112 +    printf("usage:\n%s policyname[-policy.xml/-security_label_template.xml]\n",
  45.113 +         prg);
  45.114 +    exit(EXIT_FAILURE);
  45.115 +}
  45.116 +
  45.117 +
  45.118 +/***************** policy-related parsing *********************/
  45.119 +
  45.120 +char *type_by_mapping(struct tailhead *head, u_int32_t mapping)
  45.121 +{
  45.122 +    struct type_entry *np;
  45.123 +    for (np = head->tqh_first; np != NULL; np = np->entries.tqe_next)
  45.124 +        if (np->mapping == mapping)
  45.125 +            return np->name;
  45.126 +    return NULL;
  45.127 +}
  45.128 +
  45.129 +
  45.130 +struct type_entry *lookup(struct tailhead *head, char *name)
  45.131 +{
  45.132 +    struct type_entry *np;
  45.133 +    for (np = head->tqh_first; np != NULL; np = np->entries.tqe_next)
  45.134 +        if (!(strcmp(np->name, name)))
  45.135 +            return np;
  45.136 +    return NULL;
  45.137 +}
  45.138 +
  45.139 +/* enforces single-entry lists */
  45.140 +int add_entry(struct tailhead *head, char *name, type_t mapping)
  45.141 +{
  45.142 +    struct type_entry *e;
  45.143 +    if (lookup(head, name))
  45.144 +    {
  45.145 +        printf("Error: Type >%s< defined more than once.\n", name);
  45.146 +        return -EFAULT;         /* already in the list */
  45.147 +    }
  45.148 +    if (!(e = malloc(sizeof(struct type_entry))))
  45.149 +        return -ENOMEM;
  45.150 +
  45.151 +    e->name = name;
  45.152 +    e->mapping = mapping;
  45.153 +    TAILQ_INSERT_TAIL(head, e, entries);
  45.154 +    return 0;
  45.155 +}
  45.156 +
  45.157 +int totoken(char *tok)
  45.158 +{
  45.159 +    int i;
  45.160 +    for (i = 0; token[i] != NULL; i++)
  45.161 +        if (!strcmp(token[i], tok))
  45.162 +            return i;
  45.163 +    return -EFAULT;
  45.164 +}
  45.165 +
  45.166 +/* conflictsets use the same data structure as ssids; since
  45.167 + * they are similar in structure (set of types)
  45.168 + */
  45.169 +int init_next_conflictset(void)
  45.170 +{
  45.171 +    struct ssid_entry *conflictset = malloc(sizeof(struct ssid_entry));
  45.172 +
  45.173 +    if (!conflictset)
  45.174 +        return -ENOMEM;
  45.175 +
  45.176 +    conflictset->name = current_conflictset_name;
  45.177 +    conflictset->num = max_conflictsets++;
  45.178 +    conflictset->is_ref = 0;    /* n/a for conflictsets */
  45.179 +        /**
  45.180 +         *  row: allocate one byte per type;
  45.181 +         *  [i] != 0 --> mapped type >i< is part of the conflictset
  45.182 +         */
  45.183 +    conflictset->row = malloc(max_chwall_types);
  45.184 +    if (!conflictset->row)
  45.185 +        return -ENOMEM;
  45.186 +
  45.187 +    memset(conflictset->row, 0, max_chwall_types);
  45.188 +    TAILQ_INSERT_TAIL(&conflictsets_head, conflictset, entries);
  45.189 +    current_conflictset_p = conflictset;
  45.190 +    return 0;
  45.191 +}
  45.192 +
  45.193 +int register_type(xmlNode * cur_node, xmlDocPtr doc, unsigned long state)
  45.194 +{
  45.195 +    xmlChar *text;
  45.196 +    struct type_entry *e;
  45.197 +
  45.198 +
  45.199 +    text = xmlNodeListGetString(doc, cur_node->xmlChildrenNode, 1);
  45.200 +    if (!text)
  45.201 +    {
  45.202 +        printf("Error reading type name!\n");
  45.203 +        return -EFAULT;
  45.204 +    }
  45.205 +
  45.206 +    switch (state) {
  45.207 +    case XML2BIN_stetype_S:
  45.208 +        if (add_entry(&ste_head, (char *) text, max_ste_types))
  45.209 +        {
  45.210 +            xmlFree(text);
  45.211 +            return -EFAULT;
  45.212 +        }
  45.213 +        max_ste_types++;
  45.214 +        break;
  45.215 +
  45.216 +    case XML2BIN_chwalltype_S:
  45.217 +        if (add_entry(&chwall_head, (char *) text, max_chwall_types))
  45.218 +        {
  45.219 +            xmlFree(text);
  45.220 +            return -EFAULT;
  45.221 +        }
  45.222 +        max_chwall_types++;
  45.223 +        break;
  45.224 +
  45.225 +    case XML2BIN_conflictsettype_S:
  45.226 +        /* a) search the type in the chwall_type list */
  45.227 +        e = lookup(&chwall_head, (char *) text);
  45.228 +        if (e == NULL)
  45.229 +        {
  45.230 +            printf("CS type >%s< not a CHWALL type.\n", text);
  45.231 +            xmlFree(text);
  45.232 +            return -EFAULT;
  45.233 +        }
  45.234 +        /* b) add type entry to the current cs set */
  45.235 +        if (current_conflictset_p->row[e->mapping])
  45.236 +        {
  45.237 +            printf("ERROR: Double entry of type >%s< in conflict set %d.\n",
  45.238 +                 text, current_conflictset_p->num);
  45.239 +            xmlFree(text);
  45.240 +            return -EFAULT;
  45.241 +        }
  45.242 +        current_conflictset_p->row[e->mapping] = 1;
  45.243 +        break;
  45.244 +
  45.245 +    default:
  45.246 +        printf("Incorrect type environment (state = %lx, text = %s).\n",
  45.247 +               state, text);
  45.248 +        xmlFree(text);
  45.249 +        return -EFAULT;
  45.250 +    }
  45.251 +    return 0;
  45.252 +}
  45.253 +
  45.254 +void set_component_type(xmlNode * cur_node, enum policycomponent pc)
  45.255 +{
  45.256 +    xmlChar *order;
  45.257 +
  45.258 +    if ((order = xmlGetProp(cur_node, (xmlChar *) PRIMARY_COMPONENT_ATTR_NAME))) {
  45.259 +        if (strcmp((char *) order, PRIMARY_COMPONENT))
  45.260 +        {
  45.261 +            printf("ERROR: Illegal attribut value >order=%s<.\n",
  45.262 +                   (char *) order);
  45.263 +            xmlFree(order);
  45.264 +            exit(EXIT_FAILURE);
  45.265 +        }
  45.266 +        if (primary != NULLPOLICY)
  45.267 +        {
  45.268 +            printf("ERROR: Primary Policy Component set twice!\n");
  45.269 +            exit(EXIT_FAILURE);
  45.270 +        }
  45.271 +        primary = pc;
  45.272 +        xmlFree(order);
  45.273 +    }
  45.274 +}
  45.275 +
  45.276 +void walk_policy(xmlNode * start, xmlDocPtr doc, unsigned long state)
  45.277 +{
  45.278 +    xmlNode *cur_node = NULL;
  45.279 +    int code;
  45.280 +
  45.281 +    for (cur_node = start; cur_node; cur_node = cur_node->next)
  45.282 +    {
  45.283 +        if ((code = totoken((char *) cur_node->name)) < 0)
  45.284 +        {
  45.285 +            printf("Unknown token: >%s<. Aborting.\n", cur_node->name);
  45.286 +            exit(EXIT_FAILURE);
  45.287 +        }
  45.288 +        switch (code) {         /* adjust state to new state */
  45.289 +        case XML2BIN_SECPOL:
  45.290 +        case XML2BIN_STETYPES:
  45.291 +        case XML2BIN_CHWALLTYPES:
  45.292 +        case XML2BIN_CONFLICTSETS:
  45.293 +            walk_policy(cur_node->children, doc, state | (1 << code));
  45.294 +            break;
  45.295 +
  45.296 +        case XML2BIN_STE:
  45.297 +            if (WRITTEN_AGAINST_ACM_STE_VERSION != ACM_STE_VERSION)
  45.298 +            {
  45.299 +                printf("ERROR: This program was written against another STE version.\n");
  45.300 +                exit(EXIT_FAILURE);
  45.301 +            }
  45.302 +            have_ste = 1;
  45.303 +            set_component_type(cur_node, STE);
  45.304 +            walk_policy(cur_node->children, doc, state | (1 << code));
  45.305 +            break;
  45.306 +
  45.307 +        case XML2BIN_CHWALL:
  45.308 +            if (WRITTEN_AGAINST_ACM_CHWALL_VERSION != ACM_CHWALL_VERSION)
  45.309 +            {
  45.310 +                printf("ERROR: This program was written against another CHWALL version.\n");
  45.311 +                exit(EXIT_FAILURE);
  45.312 +            }
  45.313 +            have_chwall = 1;
  45.314 +            set_component_type(cur_node, CHWALL);
  45.315 +            walk_policy(cur_node->children, doc, state | (1 << code));
  45.316 +            break;
  45.317 +
  45.318 +        case XML2BIN_CSTYPE:
  45.319 +            current_conflictset_name =
  45.320 +                (char *) xmlGetProp(cur_node, (xmlChar *) "name");
  45.321 +            if (!current_conflictset_name)
  45.322 +                current_conflictset_name = "";
  45.323 +
  45.324 +            if (init_next_conflictset())
  45.325 +            {
  45.326 +                printf
  45.327 +                    ("ERROR: creating new conflictset structure failed.\n");
  45.328 +                exit(EXIT_FAILURE);
  45.329 +            }
  45.330 +            walk_policy(cur_node->children, doc, state | (1 << code));
  45.331 +            break;
  45.332 +
  45.333 +        case XML2BIN_TYPE:
  45.334 +            if (register_type(cur_node, doc, state))
  45.335 +                exit(EXIT_FAILURE);
  45.336 +            /* type leaf */
  45.337 +            break;
  45.338 +
  45.339 +        case XML2BIN_TEXT:
  45.340 +        case XML2BIN_COMMENT:
  45.341 +        case XML2BIN_POLICYHEADER:
  45.342 +            /* leaf - nothing to do */
  45.343 +            break;
  45.344 +
  45.345 +        default:
  45.346 +            printf("Unkonwn token Error (%d)\n", code);
  45.347 +            exit(EXIT_FAILURE);
  45.348 +        }
  45.349 +
  45.350 +    }
  45.351 +    return;
  45.352 +}
  45.353 +
  45.354 +int create_type_mapping(xmlDocPtr doc)
  45.355 +{
  45.356 +    xmlNode *root_element = xmlDocGetRootElement(doc);
  45.357 +    struct type_entry *te;
  45.358 +    struct ssid_entry *se;
  45.359 +    int i;
  45.360 +
  45.361 +    printf("Creating ssid mappings ...\n");
  45.362 +
  45.363 +    /* initialize the ste and chwall type lists */
  45.364 +    TAILQ_INIT(&ste_head);
  45.365 +    TAILQ_INIT(&chwall_head);
  45.366 +    TAILQ_INIT(&conflictsets_head);
  45.367 +
  45.368 +    walk_policy(root_element, doc, XML2BIN_NULL);
  45.369 +
  45.370 +    /* determine primary/secondary policy component orders */
  45.371 +    if ((primary == NULLPOLICY) && have_chwall)
  45.372 +        primary = CHWALL;       /* default if not set */
  45.373 +    else if ((primary == NULLPOLICY) && have_ste)
  45.374 +        primary = STE;
  45.375 +
  45.376 +    switch (primary) {
  45.377 +
  45.378 +    case CHWALL:
  45.379 +        if (have_ste)
  45.380 +            secondary = STE;
  45.381 +        /* else default = NULLPOLICY */
  45.382 +        break;
  45.383 +
  45.384 +    case STE:
  45.385 +        if (have_chwall)
  45.386 +            secondary = CHWALL;
  45.387 +        /* else default = NULLPOLICY */
  45.388 +        break;
  45.389 +
  45.390 +    default:
  45.391 +        /* NULL/NULL policy */
  45.392 +        break;
  45.393 +    }
  45.394 +
  45.395 +    if (!DEBUG)
  45.396 +        return 0;
  45.397 +
  45.398 +    /* print queues */
  45.399 +    if (have_ste)
  45.400 +    {
  45.401 +        printf("STE-Type queue (%s):\n",
  45.402 +               (primary == STE) ? "PRIMARY" : "SECONDARY");
  45.403 +        for (te = ste_head.tqh_first; te != NULL;
  45.404 +             te = te->entries.tqe_next)
  45.405 +            printf("name=%22s, map=%x\n", te->name, te->mapping);
  45.406 +    }
  45.407 +    if (have_chwall)
  45.408 +    {
  45.409 +        printf("CHWALL-Type queue (%s):\n",
  45.410 +               (primary == CHWALL) ? "PRIMARY" : "SECONDARY");
  45.411 +        for (te = chwall_head.tqh_first; te != NULL;
  45.412 +             te = te->entries.tqe_next)
  45.413 +            printf("name=%s, map=%x\n", te->name, te->mapping);
  45.414 +
  45.415 +        printf("Conflictset queue (max=%d):\n", max_conflictsets);
  45.416 +        for (se = conflictsets_head.tqh_first; se != NULL;
  45.417 +             se = se->entries.tqe_next)
  45.418 +        {
  45.419 +            printf("conflictset name >%s<\n",
  45.420 +                   se->name ? se->name : "NONAME");
  45.421 +            for (i = 0; i < max_chwall_types; i++)
  45.422 +                if (se->row[i])
  45.423 +                    printf("#%x ", i);
  45.424 +            printf("\n");
  45.425 +        }
  45.426 +    }
  45.427 +    return 0;
  45.428 +}
  45.429 +
  45.430 +
  45.431 +/***************** template-related parsing *********************/
  45.432 +
  45.433 +/* add default ssid at head of ssid queues */
  45.434 +int init_ssid_queues(void)
  45.435 +{
  45.436 +    struct ssid_entry *default_ssid_chwall, *default_ssid_ste;
  45.437 +
  45.438 +    default_ssid_chwall = malloc(sizeof(struct ssid_entry));
  45.439 +    default_ssid_ste = malloc(sizeof(struct ssid_entry));
  45.440 +
  45.441 +    if ((!default_ssid_chwall) || (!default_ssid_ste))
  45.442 +        return -ENOMEM;
  45.443 +
  45.444 +    /* default chwall ssid */
  45.445 +    default_ssid_chwall->name = "DEFAULT";
  45.446 +    default_ssid_chwall->num = max_chwall_ssids++;
  45.447 +    default_ssid_chwall->is_ref = 0;
  45.448 +    default_ssid_chwall->type = ANY;
  45.449 +
  45.450 +    default_ssid_chwall->row = malloc(max_chwall_types);
  45.451 +
  45.452 +    if (!default_ssid_chwall->row)
  45.453 +        return -ENOMEM;
  45.454 +
  45.455 +    memset(default_ssid_chwall->row, 0, max_chwall_types);
  45.456 +
  45.457 +    TAILQ_INSERT_TAIL(&chwall_ssid_head, default_ssid_chwall, entries);
  45.458 +    current_chwall_ssid_p = default_ssid_chwall;
  45.459 +    max_chwall_labels++;
  45.460 +
  45.461 +    /* default ste ssid */
  45.462 +    default_ssid_ste->name = "DEFAULT";
  45.463 +    default_ssid_ste->num = max_ste_ssids++;
  45.464 +    default_ssid_ste->is_ref = 0;
  45.465 +    default_ssid_ste->type = ANY;
  45.466 +
  45.467 +    default_ssid_ste->row = malloc(max_ste_types);
  45.468 +
  45.469 +    if (!default_ssid_ste->row)
  45.470 +        return -ENOMEM;
  45.471 +
  45.472 +    memset(default_ssid_ste->row, 0, max_ste_types);
  45.473 +
  45.474 +    TAILQ_INSERT_TAIL(&ste_ssid_head, default_ssid_ste, entries);
  45.475 +    current_ste_ssid_p = default_ssid_ste;
  45.476 +    max_ste_labels++;
  45.477 +    return 0;
  45.478 +}
  45.479 +
  45.480 +int init_next_chwall_ssid(unsigned long state)
  45.481 +{
  45.482 +    struct ssid_entry *ssid = malloc(sizeof(struct ssid_entry));
  45.483 +
  45.484 +    if (!ssid)
  45.485 +        return -ENOMEM;
  45.486 +
  45.487 +    ssid->name = current_ssid_name;
  45.488 +    ssid->num = max_chwall_ssids++;
  45.489 +    ssid->is_ref = 0;
  45.490 +
  45.491 +    if (state & (1 << XML2BIN_VM))
  45.492 +        ssid->type = VM;
  45.493 +    else
  45.494 +        ssid->type = RES;
  45.495 +        /**
  45.496 +         *  row: allocate one byte per type;
  45.497 +         *  [i] != 0 --> mapped type >i< is part of the ssid
  45.498 +         */
  45.499 +    ssid->row = malloc(max_chwall_types);
  45.500 +    if (!ssid->row)
  45.501 +        return -ENOMEM;
  45.502 +
  45.503 +    memset(ssid->row, 0, max_chwall_types);
  45.504 +    TAILQ_INSERT_TAIL(&chwall_ssid_head, ssid, entries);
  45.505 +    current_chwall_ssid_p = ssid;
  45.506 +    max_chwall_labels++;
  45.507 +    return 0;
  45.508 +}
  45.509 +
  45.510 +int init_next_ste_ssid(unsigned long state)
  45.511 +{
  45.512 +    struct ssid_entry *ssid = malloc(sizeof(struct ssid_entry));
  45.513 +
  45.514 +    if (!ssid)
  45.515 +        return -ENOMEM;
  45.516 +
  45.517 +    ssid->name = current_ssid_name;
  45.518 +    ssid->num = max_ste_ssids++;
  45.519 +    ssid->is_ref = 0;
  45.520 +
  45.521 +    if (state & (1 << XML2BIN_VM))
  45.522 +        ssid->type = VM;
  45.523 +    else
  45.524 +        ssid->type = RES;
  45.525 +
  45.526 +        /**
  45.527 +         *  row: allocate one byte per type;
  45.528 +         *  [i] != 0 --> mapped type >i< is part of the ssid
  45.529 +         */
  45.530 +    ssid->row = malloc(max_ste_types);
  45.531 +    if (!ssid->row)
  45.532 +        return -ENOMEM;
  45.533 +
  45.534 +    memset(ssid->row, 0, max_ste_types);
  45.535 +    TAILQ_INSERT_TAIL(&ste_ssid_head, ssid, entries);
  45.536 +    current_ste_ssid_p = ssid;
  45.537 +    max_ste_labels++;
  45.538 +
  45.539 +    return 0;
  45.540 +}
  45.541 +
  45.542 +
  45.543 +/* adds a type to the current ssid */
  45.544 +int add_type(xmlNode * cur_node, xmlDocPtr doc, unsigned long state)
  45.545 +{
  45.546 +    xmlChar *text;
  45.547 +    struct type_entry *e;
  45.548 +
  45.549 +    text = xmlNodeListGetString(doc, cur_node->xmlChildrenNode, 1);
  45.550 +    if (!text)
  45.551 +    {
  45.552 +        printf("Error reading type name!\n");
  45.553 +        return -EFAULT;
  45.554 +    }
  45.555 +    /* same for all: 1. lookup type mapping, 2. mark type in ssid */
  45.556 +    switch (state) {
  45.557 +    case XML2BIN_VM_STE_S:
  45.558 +    case XML2BIN_RES_STE_S:
  45.559 +        /* lookup the type mapping and include the type mapping into the array */
  45.560 +        if (!(e = lookup(&ste_head, (char *) text)))
  45.561 +        {
  45.562 +            printf("ERROR: unknown VM STE type >%s<.\n", text);
  45.563 +            exit(EXIT_FAILURE);
  45.564 +        }
  45.565 +        if (current_ste_ssid_p->row[e->mapping])
  45.566 +            printf("Warning: double entry of VM STE type >%s<.\n", text);
  45.567 +
  45.568 +        current_ste_ssid_p->row[e->mapping] = 1;
  45.569 +        break;
  45.570 +
  45.571 +    case XML2BIN_VM_CHWALL_S:
  45.572 +        /* lookup the type mapping and include the type mapping into the array */
  45.573 +        if (!(e = lookup(&chwall_head, (char *) text)))
  45.574 +        {
  45.575 +            printf("ERROR: unknown VM CHWALL type >%s<.\n", text);
  45.576 +            exit(EXIT_FAILURE);
  45.577 +        }
  45.578 +        if (current_chwall_ssid_p->row[e->mapping])
  45.579 +            printf("Warning: double entry of VM CHWALL type >%s<.\n",
  45.580 +                   text);
  45.581 +
  45.582 +        current_chwall_ssid_p->row[e->mapping] = 1;
  45.583 +        break;
  45.584 +
  45.585 +    default:
  45.586 +        printf("Incorrect type environment (state = %lx, text = %s).\n",
  45.587 +               state, text);
  45.588 +        xmlFree(text);
  45.589 +        return -EFAULT;
  45.590 +    }
  45.591 +    return 0;
  45.592 +}
  45.593 +
  45.594 +void set_bootstrap_label(xmlNode * cur_node)
  45.595 +{
  45.596 +    xmlChar *order;
  45.597 +
  45.598 +    if ((order = xmlGetProp(cur_node, (xmlChar *) BOOTSTRAP_LABEL_ATTR_NAME)))
  45.599 +        bootstrap_label = (char *)order;
  45.600 +    else {
  45.601 +        printf("ERROR: No bootstrap label defined!\n");
  45.602 +        exit(EXIT_FAILURE);
  45.603 +    }
  45.604 +}
  45.605 +
  45.606 +void walk_labels(xmlNode * start, xmlDocPtr doc, unsigned long state)
  45.607 +{
  45.608 +    xmlNode *cur_node = NULL;
  45.609 +    int code;
  45.610 +
  45.611 +    for (cur_node = start; cur_node; cur_node = cur_node->next)
  45.612 +    {
  45.613 +        if ((code = totoken((char *) cur_node->name)) < 0)
  45.614 +        {
  45.615 +            printf("Unkonwn token: >%s<. Aborting.\n", cur_node->name);
  45.616 +            exit(EXIT_FAILURE);
  45.617 +        }
  45.618 +        switch (code) {         /* adjust state to new state */
  45.619 +
  45.620 +        case XML2BIN_SUBJECTS:
  45.621 +            set_bootstrap_label(cur_node);
  45.622 +            /* fall through */
  45.623 +        case XML2BIN_VM:
  45.624 +        case XML2BIN_RES:
  45.625 +        case XML2BIN_SECTEMPLATE:
  45.626 +        case XML2BIN_OBJECTS:
  45.627 +            walk_labels(cur_node->children, doc, state | (1 << code));
  45.628 +            break;
  45.629 +
  45.630 +        case XML2BIN_STETYPES:
  45.631 +            /* create new ssid entry to use and point current to it */
  45.632 +            if (init_next_ste_ssid(state))
  45.633 +            {
  45.634 +                printf("ERROR: creating new ste ssid structure failed.\n");
  45.635 +                exit(EXIT_FAILURE);
  45.636 +            }
  45.637 +            walk_labels(cur_node->children, doc, state | (1 << code));
  45.638 +
  45.639 +            break;
  45.640 +
  45.641 +        case XML2BIN_CHWALLTYPES:
  45.642 +            /* create new ssid entry to use and point current to it */
  45.643 +            if (init_next_chwall_ssid(state))
  45.644 +            {
  45.645 +                printf("ERROR: creating new chwall ssid structure failed.\n");
  45.646 +                exit(EXIT_FAILURE);
  45.647 +            }
  45.648 +            walk_labels(cur_node->children, doc, state | (1 << code));
  45.649 +
  45.650 +            break;
  45.651 +
  45.652 +        case XML2BIN_TYPE:
  45.653 +            /* add type to current ssid */
  45.654 +            if (add_type(cur_node, doc, state))
  45.655 +                exit(EXIT_FAILURE);
  45.656 +            break;
  45.657 +
  45.658 +        case XML2BIN_NAME:
  45.659 +            if ((state != XML2BIN_VM_S) && (state != XML2BIN_RES_S))
  45.660 +            {
  45.661 +                printf("ERROR: >name< out of VM/RES context.\n");
  45.662 +                exit(EXIT_FAILURE);
  45.663 +            }
  45.664 +            current_ssid_name = (char *)
  45.665 +                xmlNodeListGetString(doc, cur_node->xmlChildrenNode, 1);
  45.666 +
  45.667 +            if (!current_ssid_name)
  45.668 +            {
  45.669 +                printf("ERROR: empty >name<!\n");
  45.670 +                exit(EXIT_FAILURE);
  45.671 +            }
  45.672 +            break;
  45.673 +
  45.674 +        case XML2BIN_TEXT:
  45.675 +        case XML2BIN_COMMENT:
  45.676 +        case XML2BIN_LABELHEADER:
  45.677 +            break;
  45.678 +
  45.679 +        default:
  45.680 +            printf("Unkonwn token Error (%d)\n", code);
  45.681 +            exit(EXIT_FAILURE);
  45.682 +        }
  45.683 +
  45.684 +    }
  45.685 +    return;
  45.686 +}
  45.687 +
  45.688 +/* this function walks through a ssid queue
  45.689 + * and transforms double entries into references
  45.690 + * of the first definition (we need to keep the
  45.691 + * entry to map labels but we don't want double
  45.692 + * ssids in the binary policy
  45.693 + */
  45.694 +void
  45.695 +remove_doubles(struct tailhead_ssid *head,
  45.696 +                        u_int32_t max_types, u_int32_t * max_ssids)
  45.697 +{
  45.698 +    struct ssid_entry *np, *ni;
  45.699 +
  45.700 +    /* walk once through the list */
  45.701 +    for (np = head->tqh_first; np != NULL; np = np->entries.tqe_next)
  45.702 +    {
  45.703 +        /* now search from the start until np for the same entry */
  45.704 +        for (ni = head->tqh_first; ni != np; ni = ni->entries.tqe_next)
  45.705 +        {
  45.706 +            if (ni->is_ref)
  45.707 +                continue;
  45.708 +            if (memcmp(np->row, ni->row, max_types))
  45.709 +                continue;
  45.710 +            /* found one, set np reference to ni */
  45.711 +            np->is_ref = 1;
  45.712 +            np->num = ni->num;
  45.713 +            (*max_ssids)--;
  45.714 +        }
  45.715 +    }
  45.716 +
  45.717 +    /* now minimize the ssid numbers used (doubles introduce holes) */
  45.718 +    (*max_ssids) = 0; /* reset */
  45.719 +
  45.720 +    for (np = head->tqh_first; np != NULL; np = np->entries.tqe_next)
  45.721 +    {
  45.722 +        if (np->is_ref)
  45.723 +            continue;
  45.724 +
  45.725 +        if (np->num != (*max_ssids)) {
  45.726 +                /* first reset all later references to the new max_ssid */
  45.727 +                for (ni = np->entries.tqe_next; ni != NULL; ni = ni->entries.tqe_next)
  45.728 +                {
  45.729 +                    if (ni->num == np->num)
  45.730 +                        ni->num = (*max_ssids);
  45.731 +                }
  45.732 +                /* now reset num */
  45.733 +                np->num = (*max_ssids)++;
  45.734 +        }
  45.735 +        else
  45.736 +            (*max_ssids)++;
  45.737 +    }
  45.738 +}
  45.739 +
  45.740 +/*
  45.741 + * will go away as soon as we have non-static bootstrap ssidref for dom0
  45.742 + */
  45.743 +void fixup_bootstrap_label(struct tailhead_ssid *head,
  45.744 +                         u_int32_t max_types, u_int32_t * max_ssids)
  45.745 +{
  45.746 +    struct ssid_entry *np;
  45.747 +    int i;
  45.748 +
  45.749 +    /* should not happen if xml / xsd checks work */
  45.750 +    if (!bootstrap_label)
  45.751 +    {
  45.752 +        printf("ERROR: No bootstrap label defined.\n");
  45.753 +        exit(EXIT_FAILURE);
  45.754 +    }
  45.755 +
  45.756 +    /* search bootstrap_label */
  45.757 +    for (np = head->tqh_first; np != NULL; np = np->entries.tqe_next)
  45.758 +    {
  45.759 +        if (!strcmp(np->name, bootstrap_label))
  45.760 +        {
  45.761 +            break;
  45.762 +        }
  45.763 +    }
  45.764 +
  45.765 +    if (!np) {
  45.766 +        /* bootstrap label not found */
  45.767 +        printf("ERROR: Bootstrap label >%s< not found.\n", bootstrap_label);
  45.768 +        exit(EXIT_FAILURE);
  45.769 +    }
  45.770 +
  45.771 +    /* move this entry ahead in the list right after the default entry so it
  45.772 +     * receives ssidref 1/1 */
  45.773 +    TAILQ_REMOVE(head, np, entries);
  45.774 +    TAILQ_INSERT_AFTER(head, head->tqh_first, np, entries);
  45.775 +
  45.776 +    /* renumber the ssids (we could also just switch places with 1st element) */
  45.777 +    for (np = head->tqh_first, i=0; np != NULL; np = np->entries.tqe_next, i++)
  45.778 +        np->num   = i;
  45.779 +
  45.780 +}
  45.781 +
  45.782 +int create_ssid_mapping(xmlDocPtr doc)
  45.783 +{
  45.784 +    xmlNode *root_element = xmlDocGetRootElement(doc);
  45.785 +    struct ssid_entry *np;
  45.786 +    int i;
  45.787 +
  45.788 +    printf("Creating label mappings ...\n");
  45.789 +    /* initialize the ste and chwall type lists */
  45.790 +    TAILQ_INIT(&chwall_ssid_head);
  45.791 +    TAILQ_INIT(&ste_ssid_head);
  45.792 +
  45.793 +    /* init with default ssids */
  45.794 +    if (init_ssid_queues())
  45.795 +    {
  45.796 +        printf("ERROR adding default ssids.\n");
  45.797 +        exit(EXIT_FAILURE);
  45.798 +    }
  45.799 +
  45.800 +    /* now walk the template DOM tree and fill in ssids */
  45.801 +    walk_labels(root_element, doc, XML2BIN_NULL);
  45.802 +
  45.803 +    /*
  45.804 +     * now sort bootstrap label to the head of the list
  45.805 +     * (for now), dom0 assumes its label in the first
  45.806 +     * defined ssidref (1/1). 0/0 is the default non-Label
  45.807 +     */
  45.808 +    if (have_chwall)
  45.809 +        fixup_bootstrap_label(&chwall_ssid_head, max_chwall_types,
  45.810 +                                &max_chwall_ssids);
  45.811 +    if (have_ste)
  45.812 +        fixup_bootstrap_label(&ste_ssid_head, max_ste_types,
  45.813 +                                &max_ste_ssids);
  45.814 +
  45.815 +    /* remove any double entries (insert reference instead) */
  45.816 +    if (have_chwall)
  45.817 +        remove_doubles(&chwall_ssid_head, max_chwall_types,
  45.818 +                       &max_chwall_ssids);
  45.819 +    if (have_ste)
  45.820 +        remove_doubles(&ste_ssid_head, max_ste_types,
  45.821 +                       &max_ste_ssids);
  45.822 +
  45.823 +    if (!DEBUG)
  45.824 +        return 0;
  45.825 +
  45.826 +    /* print queues */
  45.827 +    if (have_chwall)
  45.828 +    {
  45.829 +        printf("CHWALL SSID queue (max ssidrefs=%d):\n", max_chwall_ssids);
  45.830 +        np = NULL;
  45.831 +        for (np = chwall_ssid_head.tqh_first; np != NULL;
  45.832 +             np = np->entries.tqe_next)
  45.833 +        {
  45.834 +            printf("SSID #%02u (Label=%s)\n", np->num, np->name);
  45.835 +            if (np->is_ref)
  45.836 +                printf("REFERENCE");
  45.837 +            else
  45.838 +                for (i = 0; i < max_chwall_types; i++)
  45.839 +                    if (np->row[i])
  45.840 +                        printf("#%02d ", i);
  45.841 +            printf("\n\n");
  45.842 +        }
  45.843 +    }
  45.844 +    if (have_ste)
  45.845 +    {
  45.846 +        printf("STE SSID queue (max ssidrefs=%d):\n", max_ste_ssids);
  45.847 +        np = NULL;
  45.848 +        for (np = ste_ssid_head.tqh_first; np != NULL;
  45.849 +             np = np->entries.tqe_next)
  45.850 +        {
  45.851 +            printf("SSID #%02u (Label=%s)\n", np->num, np->name);
  45.852 +            if (np->is_ref)
  45.853 +                printf("REFERENCE");
  45.854 +            else
  45.855 +                for (i = 0; i < max_ste_types; i++)
  45.856 +                    if (np->row[i])
  45.857 +                        printf("#%02d ", i);
  45.858 +            printf("\n\n");
  45.859 +        }
  45.860 +    }
  45.861 +    return 0;
  45.862 +}
  45.863 +
  45.864 +/***************** writing the binary policy *********************/
  45.865 +
  45.866 +/*
  45.867 + * the mapping file is ascii-based since it will likely be used from
  45.868 + * within scripts (using awk, grep, etc.);
  45.869 + *
  45.870 + * We print from high-level to low-level information so that with one
  45.871 + * pass, any symbol can be resolved (e.g. Label -> types)
  45.872 + */
  45.873 +int write_mapping(char *filename)
  45.874 +{
  45.875 +
  45.876 +    struct ssid_entry *e;
  45.877 +    struct type_entry *t;
  45.878 +    int i;
  45.879 +    FILE *file;
  45.880 +
  45.881 +    if ((file = fopen(filename, "w")) == NULL)
  45.882 +        return -EIO;
  45.883 +
  45.884 +    fprintf(file, "MAGIC                  %08x\n", ACM_MAGIC);
  45.885 +    fprintf(file, "POLICY                 %s\n",
  45.886 +            basename(policy_filename));
  45.887 +    fprintf(file, "BINARY                 %s\n",
  45.888 +            basename(binary_filename));
  45.889 +    if (have_chwall)
  45.890 +    {
  45.891 +        fprintf(file, "MAX-CHWALL-TYPES       %08x\n", max_chwall_types);
  45.892 +        fprintf(file, "MAX-CHWALL-SSIDS       %08x\n", max_chwall_ssids);
  45.893 +        fprintf(file, "MAX-CHWALL-LABELS      %08x\n", max_chwall_labels);
  45.894 +    }
  45.895 +    if (have_ste)
  45.896 +    {
  45.897 +        fprintf(file, "MAX-STE-TYPES          %08x\n", max_ste_types);
  45.898 +        fprintf(file, "MAX-STE-SSIDS          %08x\n", max_ste_ssids);
  45.899 +        fprintf(file, "MAX-STE-LABELS         %08x\n", max_ste_labels);
  45.900 +    }
  45.901 +    fprintf(file, "\n");
  45.902 +
  45.903 +    /* primary / secondary order for combined ssid synthesis/analysis
  45.904 +     * if no primary is named, then chwall is primary */
  45.905 +    switch (primary) {
  45.906 +    case CHWALL:
  45.907 +        fprintf(file, "PRIMARY                CHWALL\n");
  45.908 +        break;
  45.909 +
  45.910 +    case STE:
  45.911 +        fprintf(file, "PRIMARY                STE\n");
  45.912 +        break;
  45.913 +
  45.914 +    default:
  45.915 +        fprintf(file, "PRIMARY                NULL\n");
  45.916 +        break;
  45.917 +    }
  45.918 +
  45.919 +    switch (secondary) {
  45.920 +    case CHWALL:
  45.921 +        fprintf(file, "SECONDARY              CHWALL\n");
  45.922 +        break;
  45.923 +
  45.924 +    case STE:
  45.925 +        fprintf(file, "SECONDARY              STE\n");
  45.926 +        break;
  45.927 +
  45.928 +    default:
  45.929 +        fprintf(file, "SECONDARY              NULL\n");
  45.930 +        break;
  45.931 +    }
  45.932 +    fprintf(file, "\n");
  45.933 +
  45.934 +    /* first labels to ssid mappings */
  45.935 +    if (have_chwall)
  45.936 +    {
  45.937 +        for (e = chwall_ssid_head.tqh_first; e != NULL;
  45.938 +             e = e->entries.tqe_next)
  45.939 +        {
  45.940 +            fprintf(file, "LABEL->SSID %s CHWALL %-25s %8x\n",
  45.941 +                    (e->type ==
  45.942 +                     VM) ? "VM " : ((e->type == RES) ? "RES" : "ANY"),
  45.943 +                    e->name, e->num);
  45.944 +        }
  45.945 +        fprintf(file, "\n");
  45.946 +    }
  45.947 +    if (have_ste)
  45.948 +    {
  45.949 +        for (e = ste_ssid_head.tqh_first; e != NULL;
  45.950 +             e = e->entries.tqe_next)
  45.951 +        {
  45.952 +            fprintf(file, "LABEL->SSID %s STE    %-25s %8x\n",
  45.953 +                    (e->type ==
  45.954 +                     VM) ? "VM " : ((e->type == RES) ? "RES" : "ANY"),
  45.955 +                    e->name, e->num);
  45.956 +        }
  45.957 +        fprintf(file, "\n");
  45.958 +    }
  45.959 +
  45.960 +    /* second ssid to type mappings */
  45.961 +    if (have_chwall)
  45.962 +    {
  45.963 +        for (e = chwall_ssid_head.tqh_first; e != NULL;
  45.964 +             e = e->entries.tqe_next)
  45.965 +        {
  45.966 +            if (e->is_ref)
  45.967 +                continue;
  45.968 +
  45.969 +            fprintf(file, "SSID->TYPE CHWALL      %08x", e->num);
  45.970 +
  45.971 +            for (i = 0; i < max_chwall_types; i++)
  45.972 +                if (e->row[i])
  45.973 +                    fprintf(file, " %s", type_by_mapping(&chwall_head, i));
  45.974 +
  45.975 +            fprintf(file, "\n");
  45.976 +        }
  45.977 +        fprintf(file, "\n");
  45.978 +    }
  45.979 +    if (have_ste) {
  45.980 +        for (e = ste_ssid_head.tqh_first; e != NULL;
  45.981 +             e = e->entries.tqe_next)
  45.982 +        {
  45.983 +            if (e->is_ref)
  45.984 +                continue;
  45.985 +
  45.986 +            fprintf(file, "SSID->TYPE STE         %08x", e->num);
  45.987 +
  45.988 +            for (i = 0; i < max_ste_types; i++)
  45.989 +                if (e->row[i])
  45.990 +                    fprintf(file, " %s", type_by_mapping(&ste_head, i));
  45.991 +
  45.992 +            fprintf(file, "\n");
  45.993 +        }
  45.994 +        fprintf(file, "\n");
  45.995 +    }
  45.996 +    /* third type mappings */
  45.997 +    if (have_chwall)
  45.998 +    {
  45.999 +        for (t = chwall_head.tqh_first; t != NULL; t = t->entries.tqe_next)
 45.1000 +        {
 45.1001 +            fprintf(file, "TYPE CHWALL            %-25s %8x\n",
 45.1002 +                    t->name, t->mapping);
 45.1003 +        }
 45.1004 +        fprintf(file, "\n");
 45.1005 +    }
 45.1006 +    if (have_ste) {
 45.1007 +        for (t = ste_head.tqh_first; t != NULL; t = t->entries.tqe_next)
 45.1008 +        {
 45.1009 +            fprintf(file, "TYPE STE               %-25s %8x\n",
 45.1010 +                    t->name, t->mapping);
 45.1011 +        }
 45.1012 +        fprintf(file, "\n");
 45.1013 +    }
 45.1014 +    fclose(file);
 45.1015 +    return 0;
 45.1016 +}
 45.1017 +
 45.1018 +unsigned char *write_chwall_binary(u_int32_t * len_chwall)
 45.1019 +{
 45.1020 +    unsigned char *buf, *ptr;
 45.1021 +    struct acm_chwall_policy_buffer *chwall_header;
 45.1022 +    u_int32_t len;
 45.1023 +    struct ssid_entry *e;
 45.1024 +    int i;
 45.1025 +
 45.1026 +    if (!have_chwall)
 45.1027 +        return NULL;
 45.1028 +
 45.1029 +    len = sizeof(struct acm_chwall_policy_buffer) +
 45.1030 +        sizeof(type_t) * max_chwall_types * max_chwall_ssids +
 45.1031 +        sizeof(type_t) * max_chwall_types * max_conflictsets;
 45.1032 +
 45.1033 +    buf = malloc(len);
 45.1034 +    ptr = buf;
 45.1035 +
 45.1036 +    if (!buf)
 45.1037 +    {
 45.1038 +        printf("ERROR: out of memory allocating chwall buffer.\n");
 45.1039 +        exit(EXIT_FAILURE);
 45.1040 +    }
 45.1041 +    /* chwall has 3 parts : header, types, conflictsets */
 45.1042 +
 45.1043 +    chwall_header = (struct acm_chwall_policy_buffer *) buf;
 45.1044 +    chwall_header->chwall_max_types = htonl(max_chwall_types);
 45.1045 +    chwall_header->chwall_max_ssidrefs = htonl(max_chwall_ssids);
 45.1046 +    chwall_header->policy_code = htonl(ACM_CHINESE_WALL_POLICY);
 45.1047 +    chwall_header->policy_version = htonl(ACM_CHWALL_VERSION);
 45.1048 +    chwall_header->chwall_ssid_offset =
 45.1049 +        htonl(sizeof(struct acm_chwall_policy_buffer));
 45.1050 +    chwall_header->chwall_max_conflictsets = htonl(max_conflictsets);
 45.1051 +    chwall_header->chwall_conflict_sets_offset =
 45.1052 +        htonl(ntohl(chwall_header->chwall_ssid_offset) +
 45.1053 +              sizeof(domaintype_t) * max_chwall_ssids * max_chwall_types);
 45.1054 +    chwall_header->chwall_running_types_offset = 0;     /* not set, only retrieved */
 45.1055 +    chwall_header->chwall_conflict_aggregate_offset = 0;        /* not set, only retrieved */
 45.1056 +    ptr += sizeof(struct acm_chwall_policy_buffer);
 45.1057 +
 45.1058 +    /* types */
 45.1059 +    for (e = chwall_ssid_head.tqh_first; e != NULL;
 45.1060 +         e = e->entries.tqe_next)
 45.1061 +    {
 45.1062 +        if (e->is_ref)
 45.1063 +            continue;
 45.1064 +
 45.1065 +        for (i = 0; i < max_chwall_types; i++)
 45.1066 +            ((type_t *) ptr)[i] = htons((type_t) e->row[i]);
 45.1067 +
 45.1068 +        ptr += sizeof(type_t) * max_chwall_types;
 45.1069 +    }
 45.1070 +
 45.1071 +    /* conflictsets */
 45.1072 +    for (e = conflictsets_head.tqh_first; e != NULL;
 45.1073 +         e = e->entries.tqe_next)
 45.1074 +    {
 45.1075 +        for (i = 0; i < max_chwall_types; i++)
 45.1076 +            ((type_t *) ptr)[i] = htons((type_t) e->row[i]);
 45.1077 +
 45.1078 +        ptr += sizeof(type_t) * max_chwall_types;
 45.1079 +    }
 45.1080 +
 45.1081 +    if ((ptr - buf) != len)
 45.1082 +    {
 45.1083 +        printf("ERROR: wrong lengths in %s.\n", __func__);
 45.1084 +        exit(EXIT_FAILURE);
 45.1085 +    }
 45.1086 +
 45.1087 +    (*len_chwall) = len;
 45.1088 +    return buf;
 45.1089 +}
 45.1090 +
 45.1091 +unsigned char *write_ste_binary(u_int32_t * len_ste)
 45.1092 +{
 45.1093 +    unsigned char *buf, *ptr;
 45.1094 +    struct acm_ste_policy_buffer *ste_header;
 45.1095 +    struct ssid_entry *e;
 45.1096 +    u_int32_t len;
 45.1097 +    int i;
 45.1098 +
 45.1099 +    if (!have_ste)
 45.1100 +        return NULL;
 45.1101 +
 45.1102 +    len = sizeof(struct acm_ste_policy_buffer) +
 45.1103 +        sizeof(type_t) * max_ste_types * max_ste_ssids;
 45.1104 +
 45.1105 +    buf = malloc(len);
 45.1106 +    ptr = buf;
 45.1107 +
 45.1108 +    if (!buf)
 45.1109 +    {
 45.1110 +        printf("ERROR: out of memory allocating chwall buffer.\n");
 45.1111 +        exit(EXIT_FAILURE);
 45.1112 +    }
 45.1113 +
 45.1114 +    /* fill buffer */
 45.1115 +    ste_header = (struct acm_ste_policy_buffer *) buf;
 45.1116 +    ste_header->policy_version = htonl(ACM_STE_VERSION);
 45.1117 +    ste_header->policy_code = htonl(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY);
 45.1118 +    ste_header->ste_max_types = htonl(max_ste_types);
 45.1119 +    ste_header->ste_max_ssidrefs = htonl(max_ste_ssids);
 45.1120 +    ste_header->ste_ssid_offset =
 45.1121 +        htonl(sizeof(struct acm_ste_policy_buffer));
 45.1122 +
 45.1123 +    ptr += sizeof(struct acm_ste_policy_buffer);
 45.1124 +
 45.1125 +    /* types */
 45.1126 +    for (e = ste_ssid_head.tqh_first; e != NULL; e = e->entries.tqe_next)
 45.1127 +    {
 45.1128 +        if (e->is_ref)
 45.1129 +            continue;
 45.1130 +
 45.1131 +        for (i = 0; i < max_ste_types; i++)
 45.1132 +            ((type_t *) ptr)[i] = htons((type_t) e->row[i]);
 45.1133 +
 45.1134 +        ptr += sizeof(type_t) * max_ste_types;
 45.1135 +    }
 45.1136 +
 45.1137 +    if ((ptr - buf) != len)
 45.1138 +    {
 45.1139 +        printf("ERROR: wrong lengths in %s.\n", __func__);
 45.1140 +        exit(EXIT_FAILURE);
 45.1141 +    }
 45.1142 +    (*len_ste) = len;
 45.1143 +    return buf;                 /* for now */
 45.1144 +}
 45.1145 +
 45.1146 +int write_binary(char *filename)
 45.1147 +{
 45.1148 +    struct acm_policy_buffer header;
 45.1149 +    unsigned char *ste_buffer = NULL, *chwall_buffer = NULL;
 45.1150 +    u_int32_t len;
 45.1151 +    int fd;
 45.1152 +
 45.1153 +    u_int32_t len_ste = 0, len_chwall = 0;      /* length of policy components */
 45.1154 +
 45.1155 +    /* open binary file */
 45.1156 +    if ((fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR)) <= 0)
 45.1157 +        return -EIO;
 45.1158 +
 45.1159 +    ste_buffer = write_ste_binary(&len_ste);
 45.1160 +    chwall_buffer = write_chwall_binary(&len_chwall);
 45.1161 +
 45.1162 +    /* determine primary component (default chwall) */
 45.1163 +    header.policy_version = htonl(ACM_POLICY_VERSION);
 45.1164 +    header.magic = htonl(ACM_MAGIC);
 45.1165 +
 45.1166 +    len = sizeof(struct acm_policy_buffer);
 45.1167 +    if (have_chwall)
 45.1168 +        len += len_chwall;
 45.1169 +    if (have_ste)
 45.1170 +        len += len_ste;
 45.1171 +    header.len = htonl(len);
 45.1172 +
 45.1173 +    header.primary_buffer_offset = htonl(sizeof(struct acm_policy_buffer));
 45.1174 +    if (primary == CHWALL)
 45.1175 +    {
 45.1176 +        header.primary_policy_code = htonl(ACM_CHINESE_WALL_POLICY);
 45.1177 +        header.secondary_buffer_offset =
 45.1178 +            htonl((sizeof(struct acm_policy_buffer)) + len_chwall);
 45.1179 +    }
 45.1180 +    else if (primary == STE)
 45.1181 +    {
 45.1182 +        header.primary_policy_code =
 45.1183 +            htonl(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY);
 45.1184 +        header.secondary_buffer_offset =
 45.1185 +            htonl((sizeof(struct acm_policy_buffer)) + len_ste);
 45.1186 +    }
 45.1187 +    else
 45.1188 +    {
 45.1189 +        /* null policy */
 45.1190 +        header.primary_policy_code = htonl(ACM_NULL_POLICY);
 45.1191 +        header.secondary_buffer_offset =
 45.1192 +            htonl(header.primary_buffer_offset);
 45.1193 +    }
 45.1194 +
 45.1195 +    if (secondary == CHWALL)
 45.1196 +        header.secondary_policy_code = htonl(ACM_CHINESE_WALL_POLICY);
 45.1197 +    else if (secondary == STE)
 45.1198 +        header.secondary_policy_code =
 45.1199 +            htonl(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY);
 45.1200 +    else
 45.1201 +        header.secondary_policy_code = htonl(ACM_NULL_POLICY);
 45.1202 +
 45.1203 +    if (write(fd, (void *) &header, sizeof(struct acm_policy_buffer))
 45.1204 +        != sizeof(struct acm_policy_buffer))
 45.1205 +        return -EIO;
 45.1206 +
 45.1207 +    /* write primary policy component */
 45.1208 +    if (primary == CHWALL)
 45.1209 +    {
 45.1210 +        if (write(fd, chwall_buffer, len_chwall) != len_chwall)
 45.1211 +            return -EIO;
 45.1212 +    }
 45.1213 +    else if (primary == STE)
 45.1214 +    {
 45.1215 +        if (write(fd, ste_buffer, len_ste) != len_ste)
 45.1216 +            return -EIO;
 45.1217 +    } else
 45.1218 +        ;                     /* NULL POLICY has no policy data */
 45.1219 +
 45.1220 +    /* write secondary policy component */
 45.1221 +    if (secondary == CHWALL)
 45.1222 +    {
 45.1223 +        if (write(fd, chwall_buffer, len_chwall) != len_chwall)
 45.1224 +            return -EIO;
 45.1225 +    }
 45.1226 +    else if (secondary == STE)
 45.1227 +    {
 45.1228 +        if (write(fd, ste_buffer, len_ste) != len_ste)
 45.1229 +            return -EIO;
 45.1230 +    } else;                     /* NULL POLICY has no policy data */
 45.1231 +
 45.1232 +    close(fd);
 45.1233 +    return 0;
 45.1234 +}
 45.1235 +
 45.1236 +int is_valid(xmlDocPtr doc)
 45.1237 +{
 45.1238 +    int err = 0;
 45.1239 +    xmlSchemaPtr schema_ctxt = NULL;
 45.1240 +    xmlSchemaParserCtxtPtr schemaparser_ctxt = NULL;
 45.1241 +    xmlSchemaValidCtxtPtr schemavalid_ctxt = NULL;
 45.1242 +
 45.1243 +    schemaparser_ctxt = xmlSchemaNewParserCtxt(SCHEMA_FILENAME);
 45.1244 +    schema_ctxt = xmlSchemaParse(schemaparser_ctxt);
 45.1245 +    schemavalid_ctxt = xmlSchemaNewValidCtxt(schema_ctxt);
 45.1246 +
 45.1247 +#ifdef VALIDATE_SCHEMA
 45.1248 +    /* only tested to be available from libxml2-2.6.20 upwards */
 45.1249 +    if ((err = xmlSchemaIsValid(schemavalid_ctxt)) != 1)
 45.1250 +    {
 45.1251 +        printf("ERROR: Invalid schema file %s (err=%d)\n",
 45.1252 +               SCHEMA_FILENAME, err);
 45.1253 +        err = -EIO;
 45.1254 +        goto out;
 45.1255 +    }
 45.1256 +    else
 45.1257 +        printf("XML Schema %s valid.\n", SCHEMA_FILENAME);
 45.1258 +#endif
 45.1259 +    if ((err = xmlSchemaValidateDoc(schemavalid_ctxt, doc)))
 45.1260 +    {
 45.1261 +        err = -EIO;
 45.1262 +        goto out;
 45.1263 +    }
 45.1264 +  out:
 45.1265 +    xmlSchemaFreeValidCtxt(schemavalid_ctxt);
 45.1266 +    xmlSchemaFreeParserCtxt(schemaparser_ctxt);
 45.1267 +    xmlSchemaFree(schema_ctxt);
 45.1268 +    return (err != 0) ? 0 : 1;
 45.1269 +}
 45.1270 +
 45.1271 +int main(int argc, char **argv)
 45.1272 +{
 45.1273 +    xmlDocPtr labeldoc = NULL;
 45.1274 +    xmlDocPtr policydoc = NULL;
 45.1275 +
 45.1276 +    int err = EXIT_SUCCESS;
 45.1277 +
 45.1278 +    char *file_prefix;
 45.1279 +    int prefix_len;
 45.1280 +
 45.1281 +    if (ACM_POLICY_VERSION != WRITTEN_AGAINST_ACM_POLICY_VERSION)
 45.1282 +    {
 45.1283 +        printf("ERROR: This program was written against an older ACM version.\n");
 45.1284 +        exit(EXIT_FAILURE);
 45.1285 +    }
 45.1286 +
 45.1287 +    if (argc != 2)
 45.1288 +        usage(basename(argv[0]));
 45.1289 +
 45.1290 +    prefix_len = strlen(POLICY_SUBDIR) +
 45.1291 +        strlen(argv[1]) + 1 /* "/" */  +
 45.1292 +        strlen(argv[1]) + 1 /* "/" */ ;
 45.1293 +
 45.1294 +    file_prefix = malloc(prefix_len);
 45.1295 +    policy_filename = malloc(prefix_len + strlen(POLICY_EXTENSION));
 45.1296 +    label_filename = malloc(prefix_len + strlen(LABEL_EXTENSION));
 45.1297 +    binary_filename = malloc(prefix_len + strlen(BINARY_EXTENSION));
 45.1298 +    mapping_filename = malloc(prefix_len + strlen(MAPPING_EXTENSION));
 45.1299 +
 45.1300 +    if (!file_prefix || !policy_filename || !label_filename ||
 45.1301 +        !binary_filename || !mapping_filename)
 45.1302 +    {
 45.1303 +        printf("ERROR allocating file name memory.\n");
 45.1304 +        goto out2;
 45.1305 +    }
 45.1306 +
 45.1307 +    /* create input/output filenames out of prefix */
 45.1308 +    strcat(file_prefix, POLICY_SUBDIR);
 45.1309 +    strcat(file_prefix, argv[1]);
 45.1310 +    strcat(file_prefix, "/");
 45.1311 +    strcat(file_prefix, argv[1]);
 45.1312 +
 45.1313 +    strcpy(policy_filename, file_prefix);
 45.1314 +    strcpy(label_filename, file_prefix);
 45.1315 +    strcpy(binary_filename, file_prefix);
 45.1316 +    strcpy(mapping_filename, file_prefix);
 45.1317 +
 45.1318 +    strcat(policy_filename, POLICY_EXTENSION);
 45.1319 +    strcat(label_filename, LABEL_EXTENSION);
 45.1320 +    strcat(binary_filename, BINARY_EXTENSION);
 45.1321 +    strcat(mapping_filename, MAPPING_EXTENSION);
 45.1322 +
 45.1323 +    labeldoc = xmlParseFile(label_filename);
 45.1324 +
 45.1325 +    if (labeldoc == NULL)
 45.1326 +    {
 45.1327 +        printf("Error: could not parse file %s.\n", argv[1]);
 45.1328 +        goto out2;
 45.1329 +    }
 45.1330 +
 45.1331 +    printf("Validating label file %s...\n", label_filename);
 45.1332 +    if (!is_valid(labeldoc))
 45.1333 +    {
 45.1334 +        printf("ERROR: Failed schema-validation for file %s (err=%d)\n",
 45.1335 +               label_filename, err);
 45.1336 +        goto out1;
 45.1337 +    }
 45.1338 +
 45.1339 +    policydoc = xmlParseFile(policy_filename);
 45.1340 +
 45.1341 +    if (policydoc == NULL)
 45.1342 +    {
 45.1343 +        printf("Error: could not parse file %s.\n", argv[1]);
 45.1344 +        goto out1;
 45.1345 +    }
 45.1346 +
 45.1347 +    printf("Validating policy file %s...\n", policy_filename);
 45.1348 +
 45.1349 +    if (!is_valid(policydoc))
 45.1350 +    {
 45.1351 +        printf("ERROR: Failed schema-validation for file %s (err=%d)\n",
 45.1352 +               policy_filename, err);
 45.1353 +        goto out;
 45.1354 +    }
 45.1355 +
 45.1356 +    /* Init queues and parse policy */
 45.1357 +    create_type_mapping(policydoc);
 45.1358 +
 45.1359 +    /* create ssids */
 45.1360 +    create_ssid_mapping(labeldoc);
 45.1361 +
 45.1362 +    /* write label mapping file */
 45.1363 +    if (write_mapping(mapping_filename))
 45.1364 +    {
 45.1365 +        printf("ERROR: writing mapping file %s.\n", mapping_filename);
 45.1366 +        goto out;
 45.1367 +    }
 45.1368 +
 45.1369 +    /* write binary file */
 45.1370 +    if (write_binary(binary_filename))
 45.1371 +    {
 45.1372 +        printf("ERROR: writing binary file %s.\n", binary_filename);
 45.1373 +        goto out;
 45.1374 +    }
 45.1375 +
 45.1376 +    /* write stats */
 45.1377 +    if (have_chwall)
 45.1378 +    {
 45.1379 +        printf("Max chwall labels:  %u\n", max_chwall_labels);
 45.1380 +        printf("Max chwall-types:   %u\n", max_chwall_types);
 45.1381 +        printf("Max chwall-ssids:   %u\n", max_chwall_ssids);
 45.1382 +    }
 45.1383 +
 45.1384 +    if (have_ste)
 45.1385 +    {
 45.1386 +        printf("Max ste labels:     %u\n", max_ste_labels);
 45.1387 +        printf("Max ste-types:      %u\n", max_ste_types);
 45.1388 +        printf("Max ste-ssids:      %u\n", max_ste_ssids);
 45.1389 +    }
 45.1390 +    /* cleanup */
 45.1391 +  out:
 45.1392 +    xmlFreeDoc(policydoc);
 45.1393 +  out1:
 45.1394 +    xmlFreeDoc(labeldoc);
 45.1395 +  out2:
 45.1396 +    xmlCleanupParser();
 45.1397 +    return err;
 45.1398 +}
 45.1399 +
    46.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
    46.2 +++ b/tools/security/secpol_xml2bin.h	Fri Aug 19 12:22:27 2005 +0000
    46.3 @@ -0,0 +1,139 @@
    46.4 +/****************************************************************
    46.5 + * secpol_xml2bin.h
    46.6 + *
    46.7 + * Copyright (C) 2005 IBM Corporation
    46.8 + *
    46.9 + * Authors:
   46.10 + * Reiner Sailer <sailer@watson.ibm.com>
   46.11 + *
   46.12 + * This program is free software; you can redistribute it and/or
   46.13 + * modify it under the terms of the GNU General Public License as
   46.14 + * published by the Free Software Foundation, version 2 of the
   46.15 + * License.
   46.16 + *
   46.17 + */
   46.18 +#define POLICY_SUBDIR       "policies/"
   46.19 +#define POLICY_EXTENSION    "-security_policy.xml"
   46.20 +#define LABEL_EXTENSION     "-security_label_template.xml"
   46.21 +#define BINARY_EXTENSION    ".bin"
   46.22 +#define MAPPING_EXTENSION   ".map"
   46.23 +#define PRIMARY_COMPONENT_ATTR_NAME "order"
   46.24 +#define BOOTSTRAP_LABEL_ATTR_NAME   "bootstrap"
   46.25 +#define PRIMARY_COMPONENT   "PrimaryPolicyComponent"
   46.26 +#define SCHEMA_FILENAME     "policies/security_policy.xsd"
   46.27 +
   46.28 +/* basic states (used as 1 << X) */
   46.29 +#define XML2BIN_SECPOL		    0   /* policy tokens */
   46.30 +#define XML2BIN_STE		        1
   46.31 +#define XML2BIN_CHWALL          2
   46.32 +#define XML2BIN_CONFLICTSETS   	3
   46.33 +#define XML2BIN_CSTYPE	    	4
   46.34 +
   46.35 +#define XML2BIN_SECTEMPLATE	    5   /* label tokens */
   46.36 +#define XML2BIN_POLICYHEADER   	6
   46.37 +#define XML2BIN_LABELHEADER     7
   46.38 +#define XML2BIN_SUBJECTS        8
   46.39 +#define XML2BIN_OBJECTS  	    9
   46.40 +#define XML2BIN_VM      	    10
   46.41 +#define XML2BIN_RES          	11
   46.42 +
   46.43 +#define XML2BIN_STETYPES	    12  /* shared tokens */
   46.44 +#define XML2BIN_CHWALLTYPES	    13
   46.45 +#define XML2BIN_TYPE		    14
   46.46 +#define XML2BIN_NAME            15
   46.47 +#define XML2BIN_TEXT		    16
   46.48 +#define XML2BIN_COMMENT	    	17
   46.49 +
   46.50 +/* type "data type" (currently 16bit) */
   46.51 +typedef u_int16_t type_t;
   46.52 +
   46.53 +/* list of known elements and token equivalent  *
   46.54 + * state constants and token positions must be  *
   46.55 + * in sync for correct state recognition        */
   46.56 +
   46.57 +char *token[20] =                       /* parser triggers */
   46.58 +{
   46.59 +    [0] = "SecurityPolicyDefinition",   /* policy xml */
   46.60 +    [1] = "SimpleTypeEnforcement",
   46.61 +    [2] = "ChineseWall",
   46.62 +    [3] = "ConflictSets",
   46.63 +    [4] = "Conflict",                   /* label-template xml */
   46.64 +    [5] = "SecurityLabelTemplate",
   46.65 +    [6] = "PolicyHeader",
   46.66 +    [7] = "LabelHeader",
   46.67 +    [8] = "SubjectLabels",
   46.68 +    [9] = "ObjectLabels",
   46.69 +    [10] = "VirtualMachineLabel",
   46.70 +    [11] = "ResourceLabel",
   46.71 +    [12] = "SimpleTypeEnforcementTypes",                  /* common tags */
   46.72 +    [13] = "ChineseWallTypes",
   46.73 +    [14] = "Type",
   46.74 +    [15] = "Name",
   46.75 +    [16] = "text",
   46.76 +    [17] = "comment",
   46.77 +    [18] = NULL,
   46.78 +};
   46.79 +
   46.80 +/* important combined states */
   46.81 +#define XML2BIN_NULL 		0
   46.82 +
   46.83 +/* policy xml parsing states _S */
   46.84 +
   46.85 +/* e.g., here we are in a <secpol,ste,stetypes> environment,  *
   46.86 + * so when finding a type element, we know where to put it    */
   46.87 +#define XML2BIN_stetype_S ((1 << XML2BIN_SECPOL) | \
   46.88 +				 (1 << XML2BIN_STE) | 	 \
   46.89 +				 (1 << XML2BIN_STETYPES))
   46.90 +
   46.91 +#define XML2BIN_chwalltype_S ((1 << XML2BIN_SECPOL) | \
   46.92 +				 (1 << XML2BIN_CHWALL) | \
   46.93 +				 (1 << XML2BIN_CHWALLTYPES))
   46.94 +
   46.95 +#define XML2BIN_conflictset_S ((1 << XML2BIN_SECPOL) | \
   46.96 +				 (1 << XML2BIN_CHWALL) | \
   46.97 +				 (1 << XML2BIN_CONFLICTSETS))
   46.98 +
   46.99 +#define XML2BIN_conflictsettype_S ((1 << XML2BIN_SECPOL) | \
  46.100 +				 (1 << XML2BIN_CHWALL) | \
  46.101 +				 (1 << XML2BIN_CONFLICTSETS) | \
  46.102 +				 (1 << XML2BIN_CSTYPE))
  46.103 +
  46.104 +
  46.105 +/* label xml states */
  46.106 +#define XML2BIN_VM_S ((1 << XML2BIN_SECTEMPLATE) | \
  46.107 +                      (1 << XML2BIN_SUBJECTS) |    \
  46.108 +                      (1 << XML2BIN_VM))
  46.109 +
  46.110 +#define XML2BIN_RES_S ((1 << XML2BIN_SECTEMPLATE) | \
  46.111 +                       (1 << XML2BIN_OBJECTS) |     \
  46.112 +                       (1 << XML2BIN_RES))
  46.113 +
  46.114 +#define XML2BIN_VM_STE_S ((1 << XML2BIN_SECTEMPLATE) | \
  46.115 +                        (1 << XML2BIN_SUBJECTS) | \
  46.116 +                        (1 << XML2BIN_VM) | \
  46.117 +                        (1 << XML2BIN_STETYPES))
  46.118 +
  46.119 +#define XML2BIN_VM_CHWALL_S ((1 << XML2BIN_SECTEMPLATE) | \
  46.120 +                           (1 << XML2BIN_SUBJECTS) | \
  46.121 +                           (1 << XML2BIN_VM) | \
  46.122 +                           (1 << XML2BIN_CHWALLTYPES))
  46.123 +
  46.124 +#define XML2BIN_RES_STE_S ((1 << XML2BIN_SECTEMPLATE) | \
  46.125 +                         (1 << XML2BIN_OBJECTS) | \
  46.126 +                         (1 << XML2BIN_RES) | \
  46.127 +                         (1 << XML2BIN_STETYPES))
  46.128 +
  46.129 +
  46.130 +
  46.131 +/* check versions of headers against which the
  46.132 + * xml2bin translation tool was written
  46.133 + */
  46.134 +
  46.135 +/* protects from unnoticed changes in struct acm_policy_buffer */
  46.136 +#define WRITTEN_AGAINST_ACM_POLICY_VERSION  1
  46.137 +
  46.138 +/* protects from unnoticed changes in struct acm_chwall_policy_buffer */
  46.139 +#define WRITTEN_AGAINST_ACM_CHWALL_VERSION  1
  46.140 +
  46.141 +/* protects from unnoticed changes in struct acm_ste_policy_buffer */
  46.142 +#define WRITTEN_AGAINST_ACM_STE_VERSION     1
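Review bot: `char *token[20]` is defined in this header rather than declared, and the header has no include guard, so it only links while exactly one .c file includes it. The comment above the table says state constants and token positions must stay in sync, but the initializers use bare numbers. Indexing them by the constants makes that mechanical, e.g. `[XML2BIN_STE] = "SimpleTypeEnforcement",`, and the table could be `static const char *const token[]` if the users of `token` (not visible here) never write through it. The `/* label-template xml */` comment sits on `[4] = "Conflict"`, while the defines mark `XML2BIN_SECTEMPLATE 5` as the first label token, so it belongs on `[5]`.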
    47.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
    47.2 +++ b/tools/security/setlabel.sh	Fri Aug 19 12:22:27 2005 +0000
    47.3 @@ -0,0 +1,345 @@
    47.4 +#!/bin/sh
    47.5 +# *
    47.6 +# * setlabel
    47.7 +# *
    47.8 +# * Copyright (C) 2005 IBM Corporation
    47.9 +# *
   47.10 +# * Authors:
   47.11 +# * Stefan Berger <stefanb@us.ibm.com>
   47.12 +# *
   47.13 +# * This program is free software; you can redistribute it and/or
   47.14 +# * modify it under the terms of the GNU General Public License as
   47.15 +# * published by the Free Software Foundation, version 2 of the
   47.16 +# * License.
   47.17 +# *
   47.18 +# * 'setlabel' labels virtual machine (domain) configuration files with
   47.19 +# * security identifiers that can be enforced in Xen.
   47.20 +# *
   47.21 +# * 'setlabel -?' shows the usage of the program
   47.22 +# *
   47.23 +# * 'setlabel -l vmconfig-file' lists all available labels (only VM
   47.24 +# *            labels are used right now)
   47.25 +# *
   47.26 +# * 'setlabel vmconfig-file security-label map-file' inserts the 'ssidref'
   47.27 +# *                       that corresponds to the security-label under the
   47.28 +# *                       current policy (if policy changes, 'label'
   47.29 +# *                       must be re-run over the configuration files;
   47.30 +# *                       map-file is created during policy translation and
   47.31 +# *                       is found in the policy's directory
   47.32 +#
   47.33 +
   47.34 +if [ -z "$runbash" ]; then
   47.35 +	runbash="1"
   47.36 +	export runbash
   47.37 +	exec sh -c "bash $0 $*"
   47.38 +fi
   47.39 +
   47.40 +
   47.41 +usage ()
   47.42 +{
   47.43 +	echo "Usage: $0 [Option] <vmfile> <label> <policy name> "
   47.44 +	echo "    or $0 -l <policy name>"
   47.45 +	echo ""
   47.46 +	echo "Valid Options are:"
   47.47 +	echo "-r          : to relabel a file without being prompted"
   47.48 +	echo ""
   47.49 +	echo "vmfile      : XEN vm configuration file"
   47.50 +	echo "label       : the label to map"
   47.51 +	echo "policy name : the name of the policy, i.e. 'chwall'"
   47.52 +	echo ""
   47.53 +	echo "-l <policy name> is used to show valid labels in the map file"
   47.54 +	echo ""
   47.55 +}
   47.56 +
   47.57 +
   47.58 +findMapFile ()
   47.59 +{
   47.60 +	mapfile="./$1.map"
   47.61 +	if [ -r "$mapfile" ]; then
   47.62 +		return 1
   47.63 +	fi
   47.64 +
   47.65 +	mapfile="./policies/$1/$1.map"
   47.66 +	if [ -r "$mapfile" ]; then
   47.67 +		return 1
   47.68 +	fi
   47.69 +
   47.70 +	return 0
   47.71 +}
   47.72 +
   47.73 +showLabels ()
   47.74 +{
   47.75 +	mapfile=$1
   47.76 +	if [ ! -r "$mapfile" -o "$mapfile" == "" ]; then
   47.77 +		echo "Cannot read from vm configuration file $vmfile."
   47.78 +		return -1
   47.79 +	fi
   47.80 +
   47.81 +	getPrimaryPolicy $mapfile
   47.82 +	getSecondaryPolicy $mapfile
   47.83 +
   47.84 +	echo "The following labels are available:"
   47.85 +	let line=1
   47.86 +	while [ 1 ]; do
   47.87 +		ITEM=`cat $mapfile |         \
   47.88 +		      awk -vline=$line       \
   47.89 +		          -vprimary=$primary \
   47.90 +		      '{                     \
   47.91 +		         if ($1 == "LABEL->SSID" &&  \
   47.92 +		             $2 == "VM" &&           \
   47.93 +		             $3 == primary ) {       \
   47.94 +		           ctr++;                    \
   47.95 +		           if (ctr == line) {        \
   47.96 +		             print $4;               \
   47.97 +		           }                         \
   47.98 +		         }                           \
   47.99 +		       } END {                       \
  47.100 +		       }'`
  47.101 +
  47.102 +		if [ "$ITEM" == "" ]; then
  47.103 +			break
  47.104 +		fi
  47.105 +		if [ "$secondary" != "NULL" ]; then
  47.106 +			LABEL=`cat $mapfile |     \
  47.107 +			       awk -vitem=$ITEM   \
  47.108 +			       '{
  47.109 +			          if ($1 == "LABEL->SSID" && \
  47.110 +			              $2 == "VM" &&          \
  47.111 +			              $3 == "CHWALL" &&      \
  47.112 +			              $4 == item ) {         \
  47.113 +			            result = item;           \
  47.114 +			          }                          \
  47.115 +			        } END {                      \
  47.116 +			            print result             \
  47.117 +			        }'`
  47.118 +		else
  47.119 +			LABEL=$ITEM
  47.120 +		fi
  47.121 +
  47.122 +		if [ "$LABEL" != "" ]; then
  47.123 +			echo "$LABEL"
  47.124 +			found=1
  47.125 +		fi
  47.126 +		let line=line+1
  47.127 +	done
  47.128 +	if [ "$found" != "1" ]; then
  47.129 +		echo "No labels found."
  47.130 +	fi
  47.131 +}
  47.132 +
  47.133 +getPrimaryPolicy ()
  47.134 +{
  47.135 +	mapfile=$1
  47.136 +	primary=`cat $mapfile  |   \
  47.137 +	         awk '             \
  47.138 +	          {                \
  47.139 +	            if ( $1 == "PRIMARY" ) { \
  47.140 +	              res=$2;                \
  47.141 +	            }                        \
  47.142 +	          } END {                    \
  47.143 +	            print res;               \
  47.144 +	          } '`
  47.145 +}
  47.146 +
  47.147 +getSecondaryPolicy ()
  47.148 +{
  47.149 +	mapfile=$1
  47.150 +	secondary=`cat $mapfile  |   \
  47.151 +	         awk '             \
  47.152 +	          {                \
  47.153 +	            if ( $1 == "SECONDARY" ) { \
  47.154 +	              res=$2;                \
  47.155 +	            }                        \
  47.156 +	          } END {                    \
  47.157 +	            print res;               \
  47.158 +	          } '`
  47.159 +}
  47.160 +
  47.161 +
  47.162 +getDefaultSsid ()
  47.163 +{
  47.164 +	mapfile=$1
  47.165 +	pol=$2
  47.166 +	RES=`cat $mapfile    \
  47.167 +	     awk -vpol=$pol  \
  47.168 +	      {              \
  47.169 +	        if ($1 == "LABEL->SSID" && \
  47.170 +	            $2 == "ANY"         && \
  47.171 +	            $3 == pol           && \
  47.172 +	            $4 == "DEFAULT"       ) {\
  47.173 +	              res=$5;                \
  47.174 +	        }                            \
  47.175 +	      } END {                        \
  47.176 +	        printf "%04x", strtonum(res) \
  47.177 +	     }'`
  47.178 +	echo "default NULL mapping is $RES"
  47.179 +	defaultssid=$RES
  47.180 +}
  47.181 +
  47.182 +relabel ()
  47.183 +{
  47.184 +	vmfile=$1
  47.185 +	label=$2
  47.186 +	mapfile=$3
  47.187 +	mode=$4
  47.188 +
  47.189 +	if [ ! -r "$vmfile" ]; then
  47.190 +		echo "Cannot read from vm configuration file $vmfile."
  47.191 +		return -1
  47.192 +	fi
  47.193 +
  47.194 +	if [ ! -w "$vmfile" ]; then
  47.195 +		echo "Cannot write to vm configuration file $vmfile."
  47.196 +		return -1
  47.197 +	fi
  47.198 +
  47.199 +	if [ ! -r "$mapfile" ] ; then
  47.200 +		echo "Cannot read mapping file $mapfile."
  47.201 +		return -1
  47.202 +	fi
  47.203 +
  47.204 +	# Determine which policy is primary, which sec.
  47.205 +	getPrimaryPolicy $mapfile
  47.206 +	getSecondaryPolicy $mapfile
  47.207 +
  47.208 +	# Calculate the primary policy's SSIDREF
  47.209 +	if [ "$primary" == "NULL" ]; then
  47.210 +		SSIDLO="0000"
  47.211 +	else
  47.212 +		SSIDLO=`cat $mapfile |                    \
  47.213 +		        awk -vlabel=$label                \
  47.214 +		            -vprimary=$primary            \
  47.215 +		           '{                             \
  47.216 +		              if ( $1 == "LABEL->SSID" && \
  47.217 +		                   $2 == "VM" &&          \
  47.218 +		                   $3 == primary  &&      \
  47.219 +		                   $4 == label ) {        \
  47.220 +		                result=$5                 \
  47.221 +		              }                           \
  47.222 +		           } END {                        \
  47.223 +		             if (result != "" )           \
  47.224 +		               {printf "%04x", strtonum(result)}\
  47.225 +		           }'`
  47.226 +	fi
  47.227 +
  47.228 +	# Calculate the secondary policy's SSIDREF
  47.229 +	if [ "$secondary" == "NULL" ]; then
  47.230 +		SSIDHI="0000"
  47.231 +	else
  47.232 +		SSIDHI=`cat $mapfile |                    \
  47.233 +		        awk -vlabel=$label                \
  47.234 +		            -vsecondary=$secondary        \
  47.235 +		           '{                             \
  47.236 +		              if ( $1 == "LABEL->SSID" && \
  47.237 +		                   $2 == "VM"          && \
  47.238 +		                   $3 == secondary     && \
  47.239 +		                   $4 == label ) {        \
  47.240 +		                result=$5                 \
  47.241 +		              }                           \
  47.242 +		            }  END {                      \
  47.243 +		              if (result != "" )          \
  47.244 +		                {printf "%04x", strtonum(result)}\
  47.245 +		            }'`
  47.246 +	fi
  47.247 +
  47.248 +	if [ "$SSIDLO" == "" -o \
  47.249 +	     "$SSIDHI" == "" ]; then
  47.250 +		echo "Could not map the given label '$label'."
  47.251 +		return -1
  47.252 +	fi
  47.253 +
  47.254 +	ACM_POLICY=`cat $mapfile |             \
  47.255 +	    awk ' { if ( $1 == "POLICY" ) {    \
  47.256 +	              result=$2                \
  47.257 +	            }                          \
  47.258 +	          }                            \
  47.259 +	          END {                        \
  47.260 +	            if (result != "") {        \
  47.261 +	              printf result            \
  47.262 +	            }                          \
  47.263 +	          }'`
  47.264 +
  47.265 +	if [ "$ACM_POLICY" == "" ]; then
  47.266 +		echo "Could not find 'POLICY' entry in map file."
  47.267 +		return -1
  47.268 +	fi
  47.269 +
  47.270 +	SSIDREF="0x$SSIDHI$SSIDLO"
  47.271 +
  47.272 +	if [ "$mode" != "relabel" ]; then
  47.273 +		RES=`cat $vmfile |  \
  47.274 +		     awk '{         \
  47.275 +		       if ( substr($1,0,7) == "ssidref" ) {\
  47.276 +		         print $0;             \
  47.277 +		       }                       \
  47.278 +		     }'`
  47.279 +		if [ "$RES" != "" ]; then
  47.280 +			echo "Do you want to overwrite the existing mapping ($RES)? (y/N)"
  47.281 +			read user
  47.282 +			if [ "$user" != "y" -a "$user" != "Y" ]; then
  47.283 +				echo "Aborted."
  47.284 +				return 0
  47.285 +			fi
  47.286 +		fi
  47.287 +	fi
  47.288 +
  47.289 +	#Write the output
  47.290 +	vmtmp1="/tmp/__setlabel.tmp1"
  47.291 +	vmtmp2="/tmp/__setlabel.tmp2"
  47.292 +	touch $vmtmp1
  47.293 +	touch $vmtmp2
  47.294 +	if [ ! -w "$vmtmp1" -o ! -w "$vmtmp2" ]; then
  47.295 +		echo "Cannot create temporary files. Aborting."
  47.296 +		return -1
  47.297 +	fi
  47.298 +	RES=`sed -e '/^#ACM_POLICY/d' $vmfile > $vmtmp1`
  47.299 +	RES=`sed -e '/^#ACM_LABEL/d' $vmtmp1 > $vmtmp2`
  47.300 +	RES=`sed -e '/^ssidref/d' $vmtmp2 > $vmtmp1`
  47.301 +	echo "#ACM_POLICY=$ACM_POLICY" >> $vmtmp1
  47.302 +	echo "#ACM_LABEL=$label" >> $vmtmp1
  47.303 +	echo "ssidref = $SSIDREF" >> $vmtmp1
  47.304 +	mv -f $vmtmp1 $vmfile
  47.305 +	rm -rf $vmtmp1 $vmtmp2
  47.306 +	echo "Mapped label '$label' to ssidref '$SSIDREF'."
  47.307 +}
  47.308 +
  47.309 +
  47.310 +
  47.311 +if [ "$1" == "-r" ]; then
  47.312 +	mode="relabel"
  47.313 +	shift
  47.314 +elif [ "$1" == "-l" ]; then
  47.315 +	mode="show"
  47.316 +	shift
  47.317 +elif [ "$1" == "-?" ]; then
  47.318 +	mode="usage"
  47.319 +fi
  47.320 +
  47.321 +if [ "$mode" == "show" ]; then
  47.322 +	if [ "$1" == "" ]; then
  47.323 +		usage
  47.324 +		exit -1;
  47.325 +	fi
  47.326 +	findMapFile $1
  47.327 +	res=$?
  47.328 +	if [ "$res" != "0" ]; then
  47.329 +		showLabels $mapfile
  47.330 +	else
  47.331 +		echo "Could not find map file for policy '$1'."
  47.332 +	fi
  47.333 +elif [ "$mode" == "usage" ]; then
  47.334 +	usage
  47.335 +else
  47.336 +	if [ "$3" == "" ]; then
  47.337 +		usage
  47.338 +		exit -1;
  47.339 +	fi
  47.340 +	findMapFile $3
  47.341 +	res=$?
  47.342 +	if [ "$res" != "0" ]; then
  47.343 +		relabel $1 $2 $mapfile $mode
  47.344 +	else
  47.345 +		echo "Could not find map file for policy '$3'."
  47.346 +	fi
  47.347 +
  47.348 +fi
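Review bot: `relabel` stages its output in the fixed names `/tmp/__setlabel.tmp1` and `/tmp/__setlabel.tmp2`, created with `touch` and then moved over `$vmfile`. On a multi-user host another local user can pre-create those names, including as symlinks, and two concurrent runs share the same files. Create them with `mktemp`, preferably beside the target so the final `mv` is a same-filesystem rename: `vmtmp1=$(mktemp "$vmfile.XXXXXX") || return 1`. `updateGrub` in updategrub.sh has the same pattern with `/tmp/new_grub.conf`, which is then moved over grub.conf. Separately, `exec sh -c "bash $0 $*"` re-parses the arguments in a second shell, so a path containing spaces or shell metacharacters is split or interpreted; `exec bash "$0" "$@"` passes them through unchanged (the same line is in updategrub.sh).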
    48.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
    48.2 +++ b/tools/security/updategrub.sh	Fri Aug 19 12:22:27 2005 +0000
    48.3 @@ -0,0 +1,171 @@
    48.4 +#!/bin/sh
    48.5 +# *
    48.6 +# * updategrub
    48.7 +# *
    48.8 +# * Copyright (C) 2005 IBM Corporation
    48.9 +# *
   48.10 +# * Authors:
   48.11 +# * Stefan Berger <stefanb@us.ibm.com>
   48.12 +# *
   48.13 +# * This program is free software; you can redistribute it and/or
   48.14 +# * modify it under the terms of the GNU General Public License as
   48.15 +# * published by the Free Software Foundation, version 2 of the
   48.16 +# * License.
   48.17 +# *
   48.18 +# *
   48.19 +#
   48.20 +
   48.21 +if [ -z "$runbash" ]; then
   48.22 +	runbash="1"
   48.23 +	export runbash
   48.24 +	exec sh -c "bash $0 $*"
   48.25 +	exit
   48.26 +fi
   48.27 +
   48.28 +
   48.29 +# Show usage of this program
   48.30 +usage ()
   48.31 +{
   48.32 +	echo "Usage: $0 <policy name> <root of xen repository>"
   48.33 +	echo ""
   48.34 +	echo "<policy name>             : The name of the policy, i.e. xen_null"
   48.35 +	echo "<root of xen repository>  : The root of the XEN repositrory."
   48.36 +	echo ""
   48.37 +}
   48.38 +
   48.39 +# This function sets the global variable 'linux'
   48.40 +# to the name of the linux kernel that was compiled
   48.41 +# For now a pattern should do the trick
   48.42 +getLinuxVersion ()
   48.43 +{
   48.44 +	path=$1
   48.45 +	linux=""
   48.46 +	for f in $path/linux-*-xen0 ; do
   48.47 +		versionfile=$f/include/linux/version.h
   48.48 +		if [ -r $versionfile ]; then
   48.49 +			lnx=`cat $versionfile | \
   48.50 +			     grep UTS_RELEASE | \
   48.51 +			     awk '{             \
   48.52 +			       len=length($3);  \
   48.53 +			       print substr($3,2,len-2) }'`
   48.54 +		fi
   48.55 +		if [ "$lnx" != "" ]; then
   48.56 +			linux="[./0-9a-zA-z]*$lnx"
   48.57 +			return;
   48.58 +		fi
   48.59 +	done
   48.60 +
   48.61 +	#Last resort.
   48.62 +	linux="vmlinuz-2.[45678].[0-9]*[.0-9]*-xen0$"
   48.63 +}
   48.64 +
   48.65 +#Return where the grub.conf file is.
   48.66 +#I only know of one place it can be.
   48.67 +findGrubConf()
   48.68 +{
   48.69 +	grubconf="/boot/grub/grub.conf"
   48.70 +	if [ -w $grubconf ]; then
   48.71 +		return 1
   48.72 +	fi
   48.73 +	return 0
   48.74 +}
   48.75 +
   48.76 +
   48.77 +#Update the grub configuration file.
   48.78 +#Search for existing entries and replace the current
   48.79 +#policy entry with the policy passed to this script
   48.80 +#
   48.81 +#Arguments passed to this function
   48.82 +# 1st : the grub configuration file
   48.83 +# 2nd : the binary policy file name
   48.84 +# 3rd : the name or pattern of the linux kernel name to match
   48.85 +#
   48.86 +# The algorithm here is based on pattern matching
   48.87 +# and is working correctly if
   48.88 +# - under a title a line beginning with 'kernel' is found
   48.89 +#   whose following item ends with "xen.gz"
   48.90 +#   Example:  kernel /xen.gz dom0_mem=....
   48.91 +# - a module line matching the 3rd parameter is found
   48.92 +#
   48.93 +updateGrub ()
   48.94 +{
   48.95 +	grubconf=$1
   48.96 +	policyfile=$2
   48.97 +	linux=$3
   48.98 +
   48.99 +	tmpfile="/tmp/new_grub.conf"
  48.100 +
  48.101 +	cat $grubconf |                                \
  48.102 +	         awk -vpolicy=$policyfile              \
  48.103 +	             -vlinux=$linux '{                 \
  48.104 +	           if ( $1 == "title" ) {              \
  48.105 +	             kernelfound = 0;                  \
  48.106 +	             if ( policymaycome == 1 ){        \
  48.107 +	               printf ("\tmodule %s%s\n", path, policy);      \
  48.108 +	             }                                 \
  48.109 +	             policymaycome = 0;                \
  48.110 +	           }                                   \
  48.111 +	           else if ( $1 == "kernel" ) {        \
  48.112 +	             if ( match($2,"xen.gz$") ) {      \
  48.113 +	               path=substr($2,1,RSTART-1);     \
  48.114 +	               kernelfound = 1;                \
  48.115 +	             }                                 \
  48.116 +	           }                                   \
  48.117 +	           else if ( $1 == "module" &&         \
  48.118 +	                     kernelfound == 1 &&       \
  48.119 +	                     match($2,linux) ) {       \
  48.120 +	              policymaycome = 1;               \
  48.121 +	           }                                   \
  48.122 +	           else if ( $1 == "module" &&         \
  48.123 +	                     kernelfound == 1 &&       \
  48.124 +	                     policymaycome == 1 &&     \
  48.125 +	                     match($2,"[0-9a-zA-Z]*.bin$") ) { \
  48.126 +	              printf ("\tmodule %s%s\n", path, policy); \
  48.127 +	              policymaycome = 0;               \
  48.128 +	              kernelfound = 0;                 \
  48.129 +	              dontprint = 1;                   \
  48.130 +	           }                                   \
  48.131 +	           else if ( $1 == "" &&               \
  48.132 +	                     kernelfound == 1 &&       \
  48.133 +	                     policymaycome == 1) {     \
  48.134 +	              dontprint = 1;                   \
  48.135 +	           }                                   \
  48.136 +	           if (dontprint == 0) {               \
  48.137 +	             printf ("%s\n", $0);              \
  48.138 +	           }                                   \
  48.139 +	           dontprint = 0;                      \
  48.140 +	         } END {                               \
  48.141 +	           if ( policymaycome == 1 ) {         \
  48.142 +	             printf ("\tmodule %s%s\n", path, policy);  \
  48.143 +	           }                                   \
  48.144 +	         }' > $tmpfile
  48.145 +	if [ ! -r $tmpfile ]; then
  48.146 +		echo "Could not create temporary file! Aborting."
  48.147 +		exit -1
  48.148 +	fi
  48.149 +	mv -f $tmpfile $grubconf
  48.150 +}
  48.151 +
  48.152 +if [ "$1" == "" -o "$2" == "" ]; then
  48.153 +	usage
  48.154 +	exit -1
  48.155 +fi
  48.156 +
  48.157 +if [ "$1" == "-?" ]; then
  48.158 +	usage
  48.159 +	exit 0
  48.160 +fi
  48.161 +
  48.162 +policy=$1
  48.163 +policyfile=$policy.bin
  48.164 +
  48.165 +getLinuxVersion $2
  48.166 +
  48.167 +findGrubConf
  48.168 +ERR=$?
  48.169 +if [ $ERR -eq 0 ]; then
  48.170 +	echo "Could not find grub.conf. Aborting."
  48.171 +	exit -1
  48.172 +fi
  48.173 +
  48.174 +updateGrub $grubconf $policyfile $linux
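Review bot: `updateGrub` replaces `$grubconf` with whatever awk wrote, without checking that awk succeeded. The `[ ! -r $tmpfile ]` test passes as soon as the redirection has created the file, even if it is empty or truncated, and `mv -f` then overwrites the boot configuration with no backup. Test the result before the move, e.g. `[ -s "$tmpfile" ] || { echo "Empty output. Aborting."; exit 1; }`, and keep a copy first with `cp -p "$grubconf" "$grubconf.bak"`. In `getLinuxVersion` the class `[./0-9a-zA-z]` was probably meant to end in `A-Z`; as written, `A-z` also matches the punctuation characters between `Z` and `a`.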
    49.1 --- a/xen/Rules.mk	Fri Aug 19 12:21:29 2005 +0000
    49.2 +++ b/xen/Rules.mk	Fri Aug 19 12:22:27 2005 +0000
    49.3 @@ -11,14 +11,6 @@ optimize    ?= y
    49.4  domu_debug  ?= n
    49.5  crash_debug ?= n
    49.6  
    49.7 -# ACM_USE_SECURITY_POLICY is set to security policy of Xen
    49.8 -# Supported models are:
    49.9 -#	ACM_NULL_POLICY (ACM will not be built with this policy)
   49.10 -#	ACM_CHINESE_WALL_POLICY
   49.11 -#	ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY
   49.12 -#	ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY
   49.13 -ACM_USE_SECURITY_POLICY ?= ACM_NULL_POLICY
   49.14 -
   49.15  include $(BASEDIR)/../Config.mk
   49.16  
   49.17  # Set ARCH/SUBARCH appropriately.
    50.1 --- a/xen/arch/x86/domain_build.c	Fri Aug 19 12:21:29 2005 +0000
    50.2 +++ b/xen/arch/x86/domain_build.c	Fri Aug 19 12:22:27 2005 +0000
    50.3 @@ -22,16 +22,28 @@
    50.4  #include <asm/i387.h>
    50.5  #include <asm/shadow.h>
    50.6  
    50.7 -/* opt_dom0_mem: memory allocated to domain 0. */
    50.8 -static unsigned int opt_dom0_mem;
    50.9 +static long dom0_nrpages;
   50.10 +
   50.11 +/*
   50.12 + * dom0_mem:
   50.13 + *  If +ve:
   50.14 + *   * The specified amount of memory is allocated to domain 0.
   50.15 + *  If -ve:
   50.16 + *   * All of memory is allocated to domain 0, minus the specified amount.
   50.17 + *  If not specified: 
   50.18 + *   * All of memory is allocated to domain 0, minus 1/16th which is reserved
   50.19 + *     for uses such as DMA buffers (the reservation is clamped to 128MB).
   50.20 + */
   50.21  static void parse_dom0_mem(char *s)
   50.22  {
   50.23 -    unsigned long long bytes = parse_size_and_unit(s);
   50.24 -    /* If no unit is specified we default to kB units, not bytes. */
   50.25 -    if ( isdigit(s[strlen(s)-1]) )
   50.26 -        opt_dom0_mem = (unsigned int)bytes;
   50.27 -    else
   50.28 -        opt_dom0_mem = (unsigned int)(bytes >> 10);
   50.29 +    unsigned long long bytes;
   50.30 +    char *t = s;
   50.31 +    if ( *s == '-' )
   50.32 +        t++;
   50.33 +    bytes = parse_size_and_unit(t);
   50.34 +    dom0_nrpages = bytes >> PAGE_SHIFT;
   50.35 +    if ( *s == '-' )
   50.36 +        dom0_nrpages = -dom0_nrpages;
   50.37  }
   50.38  custom_param("dom0_mem", parse_dom0_mem);
   50.39  
   50.40 @@ -137,12 +149,30 @@ int construct_dom0(struct domain *d,
   50.41  
   50.42      printk("*** LOADING DOMAIN 0 ***\n");
   50.43  
   50.44 -    /* By default DOM0 is allocated all available memory. */
   50.45      d->max_pages = ~0U;
   50.46 -    if ( (nr_pages = opt_dom0_mem >> (PAGE_SHIFT - 10)) == 0 )
   50.47 +
   50.48 +    /*
   50.49 +     * If domain 0 allocation isn't specified, reserve 1/16th of available
   50.50 +     * memory for things like DMA buffers. This reservation is clamped to 
   50.51 +     * a maximum of 128MB.
   50.52 +     */
   50.53 +    if ( dom0_nrpages == 0 )
   50.54 +    {
   50.55 +        dom0_nrpages = avail_domheap_pages() +
   50.56 +            ((initrd_len + PAGE_SIZE - 1) >> PAGE_SHIFT) +
   50.57 +            ((image_len  + PAGE_SIZE - 1) >> PAGE_SHIFT);
   50.58 +        dom0_nrpages = min(dom0_nrpages / 16, 128L << (20 - PAGE_SHIFT));
   50.59 +        dom0_nrpages = -dom0_nrpages;
   50.60 +    }
   50.61 +
   50.62 +    /* Negative memory specification means "all memory - specified amount". */
   50.63 +    if ( dom0_nrpages < 0 )
   50.64          nr_pages = avail_domheap_pages() +
   50.65              ((initrd_len + PAGE_SIZE - 1) >> PAGE_SHIFT) +
   50.66 -            ((image_len  + PAGE_SIZE - 1) >> PAGE_SHIFT);
   50.67 +            ((image_len  + PAGE_SIZE - 1) >> PAGE_SHIFT) +
   50.68 +            dom0_nrpages;
   50.69 +    else
   50.70 +        nr_pages = dom0_nrpages;
   50.71  
   50.72      if ( (rc = parseelfimage(&dsi)) != 0 )
   50.73          return rc;
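Review bot: In the second hunk the `dom0_nrpages < 0` branch adds the negative reservation to the available page count without a range check. A `dom0_mem=-<size>` larger than available memory makes the sum negative, and if `nr_pages` is unsigned (its declaration is outside the hunk) that wraps to a very large page count. Compute the total once, compare `-dom0_nrpages` against it before subtracting, and fail with a `printk` message when the reservation is not smaller. In `parse_dom0_mem` (first hunk) `bytes >> PAGE_SHIFT` is an `unsigned long long` stored into a `long`, so on a 32-bit build a very large value can truncate to zero or a negative number and silently select one of the other two modes. An explicit `dom0_mem=0` is also indistinguishable from "not specified". The body of `construct_dom0` starts and ends outside the hunk.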
    51.1 --- a/xen/common/lib.c	Fri Aug 19 12:21:29 2005 +0000
    51.2 +++ b/xen/common/lib.c	Fri Aug 19 12:22:27 2005 +0000
    51.3 @@ -450,8 +450,10 @@ unsigned long long parse_size_and_unit(c
    51.4  		ret <<= 10;
    51.5  	case 'M': case 'm':
    51.6  		ret <<= 10;
    51.7 -	case 'K': case 'k':
    51.8 +	case 'K': case 'k': default:
    51.9  		ret <<= 10;
   51.10 +	case 'B': case 'b':
   51.11 +		break;
   51.12  	}
   51.13  
   51.14  	return ret;
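Review bot: Putting `default:` on the `'K'` label means any character the switch does not recognise, not just a missing suffix, now silently scales the value by 1024. That applies to every caller of `parse_size_and_unit`, not only `dom0_mem`; the other callers are not visible here and should be checked for ones that expected a bare number to mean bytes. The new contract deserves a comment at the switch, e.g. `/* No or unknown suffix: treat as kB; 'B'/'b' selects bytes. */`, and the intentional case fall-throughs a `/* fall through */` marker each. The function starts outside the hunk, so what the switch inspects is inferred from the hunk header and the case labels.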