# HG changeset patch
# User kfraser@xxxxxxxxxxxxxxxxxxxxx
# Date 1188558307 -3600
# Node ID 7e7e0ea6a0bbc093461f199947d6c99eaae01eba
# Parent fa4d44c9d9f668867f6cb578155433678f6c5a93
Cleanups after XSM checkin.
Signed-off-by: Keir Fraser <keir@xxxxxxxxxxxxx>
---
xen/include/acm/acm_core.h | 196 -------------
xen/include/acm/acm_endian.h | 69 ----
xen/include/acm/acm_hooks.h | 349 ------------------------
xen/include/public/acm.h | 229 ---------------
xen/include/public/acm_ops.h | 159 ----------
.hgignore | 1
Config.mk | 12
tools/Rules.mk | 2
tools/libxc/xenctrl.h | 4
tools/python/xen/lowlevel/acm/acm.c | 5
tools/security/secpol_tool.c | 4
tools/security/secpol_xml2bin.c | 3
xen/Rules.mk | 8
xen/arch/ia64/xen/xensetup.c | 2
xen/arch/powerpc/setup.c | 2
xen/arch/x86/setup.c | 2
xen/include/public/xsm/acm.h | 229 +++++++++++++++
xen/include/public/xsm/acm_ops.h | 159 ++++++++++
xen/include/xen/sched.h | 5
xen/include/xsm/acm/acm_core.h | 196 +++++++++++++
xen/include/xsm/acm/acm_endian.h | 69 ++++
xen/include/xsm/acm/acm_hooks.h | 349 ++++++++++++++++++++++++
xen/xsm/acm/acm_chinesewall_hooks.c | 9
xen/xsm/acm/acm_core.c | 10
xen/xsm/acm/acm_null_hooks.c | 2
xen/xsm/acm/acm_ops.c | 6
xen/xsm/acm/acm_policy.c | 8
xen/xsm/acm/acm_simple_type_enforcement_hooks.c | 6
xen/xsm/acm/acm_xsm_hooks.c | 20 -
29 files changed, 1056 insertions(+), 1059 deletions(-)
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb .hgignore
--- a/.hgignore Fri Aug 31 11:41:49 2007 +0100
+++ b/.hgignore Fri Aug 31 12:05:07 2007 +0100
@@ -151,6 +151,7 @@
^tools/python/build/.*$
^tools/security/secpol_tool$
^tools/security/xen/.*$
+^tools/security/xensec_tool$
^tools/tests/blowfish\.bin$
^tools/tests/blowfish\.h$
^tools/tests/test_x86_emulator$
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb Config.mk
--- a/Config.mk Fri Aug 31 11:41:49 2007 +0100
+++ b/Config.mk Fri Aug 31 12:05:07 2007 +0100
@@ -79,19 +79,9 @@ CFLAGS += $(foreach i, $(EXTRA_INCLUDES)
CFLAGS += $(foreach i, $(EXTRA_INCLUDES), -I$(i))
# Enable XSM security module. Enabling XSM requires selection of an
-# XSM security module.
+# XSM security module (FLASK_ENABLE or ACM_SECURITY).
XSM_ENABLE ?= n
-ifeq ($(XSM_ENABLE),y)
FLASK_ENABLE ?= n
-ifeq ($(FLASK_ENABLE),y)
-FLASK_DEVELOP ?= y
-FLASK_BOOTPARAM ?= y
-FLASK_AVC_STATS ?= y
-endif
-endif
-
-# If ACM_SECURITY = y, then the access control module is compiled
-# into Xen and the policy type can be set by the boot policy file
ACM_SECURITY ?= n
# Optional components
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb tools/Rules.mk
--- a/tools/Rules.mk Fri Aug 31 11:41:49 2007 +0100
+++ b/tools/Rules.mk Fri Aug 31 12:05:07 2007 +0100
@@ -49,6 +49,8 @@ mk-symlinks:
( cd xen/hvm && ln -sf ../../$(XEN_ROOT)/xen/include/public/hvm/*.h . )
mkdir -p xen/io
( cd xen/io && ln -sf ../../$(XEN_ROOT)/xen/include/public/io/*.h . )
+ mkdir -p xen/xsm
+ ( cd xen/xsm && ln -sf ../../$(XEN_ROOT)/xen/include/public/xsm/*.h . )
mkdir -p xen/arch-x86
( cd xen/arch-x86 && ln -sf
../../$(XEN_ROOT)/xen/include/public/arch-x86/*.h . )
mkdir -p xen/foreign
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb tools/libxc/xenctrl.h
--- a/tools/libxc/xenctrl.h Fri Aug 31 11:41:49 2007 +0100
+++ b/tools/libxc/xenctrl.h Fri Aug 31 12:05:07 2007 +0100
@@ -26,8 +26,8 @@
#include <xen/event_channel.h>
#include <xen/sched.h>
#include <xen/memory.h>
-#include <xen/acm.h>
-#include <xen/acm_ops.h>
+#include <xen/xsm/acm.h>
+#include <xen/xsm/acm_ops.h>
#ifdef __ia64__
#define XC_PAGE_SHIFT 14
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb tools/python/xen/lowlevel/acm/acm.c
--- a/tools/python/xen/lowlevel/acm/acm.c Fri Aug 31 11:41:49 2007 +0100
+++ b/tools/python/xen/lowlevel/acm/acm.c Fri Aug 31 12:05:07 2007 +0100
@@ -18,6 +18,7 @@
*
* indent -i4 -kr -nut
*/
+
#include <Python.h>
#include <stdio.h>
@@ -27,8 +28,8 @@
#include <stdlib.h>
#include <sys/ioctl.h>
#include <netinet/in.h>
-#include <xen/acm.h>
-#include <xen/acm_ops.h>
+#include <xen/xsm/acm.h>
+#include <xen/xsm/acm_ops.h>
#include <xenctrl.h>
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb tools/security/secpol_tool.c
--- a/tools/security/secpol_tool.c Fri Aug 31 11:41:49 2007 +0100
+++ b/tools/security/secpol_tool.c Fri Aug 31 12:05:07 2007 +0100
@@ -34,8 +34,8 @@
#include <string.h>
#include <netinet/in.h>
#include <stdint.h>
-#include <xen/acm.h>
-#include <xen/acm_ops.h>
+#include <xen/xsm/acm.h>
+#include <xen/xsm/acm_ops.h>
#include <xenctrl.h>
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb tools/security/secpol_xml2bin.c
--- a/tools/security/secpol_xml2bin.c Fri Aug 31 11:41:49 2007 +0100
+++ b/tools/security/secpol_xml2bin.c Fri Aug 31 12:05:07 2007 +0100
@@ -22,6 +22,7 @@
*
* indent -i4 -kr -nut
*/
+
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -38,7 +39,7 @@
#include <libxml/tree.h>
#include <libxml/xmlreader.h>
#include <stdint.h>
-#include <xen/acm.h>
+#include <xen/xsm/acm.h>
#include "secpol_xml2bin.h"
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/Rules.mk
--- a/xen/Rules.mk Fri Aug 31 11:41:49 2007 +0100
+++ b/xen/Rules.mk Fri Aug 31 12:05:07 2007 +0100
@@ -57,11 +57,9 @@ ALL_OBJS-y += $(BASEDIR)/a
CFLAGS-y += -g -D__XEN__
CFLAGS-$(XSM_ENABLE) += -DXSM_ENABLE
-CFLAGS-$(FLASK_ENABLE) += -DFLASK_ENABLE -DXSM_MAGIC=0xf97cff8c
-CFLAGS-$(FLASK_DEVELOP) += -DFLASK_DEVELOP
-CFLAGS-$(FLASK_BOOTPARAM) += -DFLASK_BOOTPARAM
-CFLAGS-$(FLASK_AVC_STATS) += -DFLASK_AVC_STATS
-CFLAGS-$(ACM_SECURITY) += -DACM_SECURITY -DXSM_MAGIC=0xbcde0100
+CFLAGS-$(FLASK_ENABLE) += -DFLASK_ENABLE -DXSM_MAGIC=0xf97cff8c
+CFLAGS-$(FLASK_ENABLE) += -DFLASK_DEVELOP -DFLASK_BOOTPARAM -DFLASK_AVC_STATS
+CFLAGS-$(ACM_SECURITY) += -DACM_SECURITY -DXSM_MAGIC=0xbcde0100
CFLAGS-$(verbose) += -DVERBOSE
CFLAGS-$(crash_debug) += -DCRASH_DEBUG
CFLAGS-$(perfc) += -DPERF_COUNTERS
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/arch/ia64/xen/xensetup.c
--- a/xen/arch/ia64/xen/xensetup.c Fri Aug 31 11:41:49 2007 +0100
+++ b/xen/arch/ia64/xen/xensetup.c Fri Aug 31 12:05:07 2007 +0100
@@ -28,7 +28,7 @@
#include <asm/iosapic.h>
#include <xen/softirq.h>
#include <xen/rcupdate.h>
-#include <acm/acm_hooks.h>
+#include <xsm/acm/acm_hooks.h>
#include <asm/sn/simulator.h>
unsigned long xenheap_phys_end, total_pages;
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/arch/powerpc/setup.c
--- a/xen/arch/powerpc/setup.c Fri Aug 31 11:41:49 2007 +0100
+++ b/xen/arch/powerpc/setup.c Fri Aug 31 12:05:07 2007 +0100
@@ -38,7 +38,7 @@
#include <xen/numa.h>
#include <xen/rcupdate.h>
#include <xen/version.h>
-#include <acm/acm_hooks.h>
+#include <xsm/acm/acm_hooks.h>
#include <public/version.h>
#include <asm/mpic.h>
#include <asm/processor.h>
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/arch/x86/setup.c
--- a/xen/arch/x86/setup.c Fri Aug 31 11:41:49 2007 +0100
+++ b/xen/arch/x86/setup.c Fri Aug 31 12:05:07 2007 +0100
@@ -32,7 +32,7 @@
#include <asm/desc.h>
#include <asm/paging.h>
#include <asm/e820.h>
-#include <acm/acm_hooks.h>
+#include <xsm/acm/acm_hooks.h>
#include <xen/kexec.h>
#include <asm/edd.h>
#include <xsm/xsm.h>
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/include/acm/acm_core.h
--- a/xen/include/acm/acm_core.h Fri Aug 31 11:41:49 2007 +0100
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,196 +0,0 @@
-/****************************************************************
- * acm_core.h
- *
- * Copyright (C) 2005 IBM Corporation
- *
- * Author:
- * Reiner Sailer <sailer@xxxxxxxxxxxxxx>
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License as
- * published by the Free Software Foundation, version 2 of the
- * License.
- *
- * sHype header file describing core data types and constants
- * for the access control module and relevant policies
- *
- */
-
-#ifndef _ACM_CORE_H
-#define _ACM_CORE_H
-
-#include <xen/spinlock.h>
-#include <xen/list.h>
-#include <public/acm.h>
-#include <public/acm_ops.h>
-#include <acm/acm_endian.h>
-
-#define ACM_DEFAULT_SECURITY_POLICY \
- ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY
-
-/* Xen-internal representation of the binary policy */
-struct acm_binary_policy {
- char *policy_reference_name;
- u16 primary_policy_code;
- u16 secondary_policy_code;
- struct acm_policy_version xml_pol_version;
-};
-
-struct chwall_binary_policy {
- u32 max_types;
- u32 max_ssidrefs;
- u32 max_conflictsets;
- domaintype_t *ssidrefs; /* [max_ssidrefs][max_types] */
- domaintype_t *conflict_aggregate_set; /* [max_types] */
- domaintype_t *running_types; /* [max_types] */
- domaintype_t *conflict_sets; /* [max_conflictsets][max_types]*/
-};
-
-struct ste_binary_policy {
- u32 max_types;
- u32 max_ssidrefs;
- domaintype_t *ssidrefs; /* [max_ssidrefs][max_types] */
- atomic_t ec_eval_count, gt_eval_count;
- atomic_t ec_denied_count, gt_denied_count;
- atomic_t ec_cachehit_count, gt_cachehit_count;
-};
-
-/* global acm policy */
-extern u16 acm_active_security_policy;
-extern struct acm_binary_policy acm_bin_pol;
-extern struct chwall_binary_policy chwall_bin_pol;
-extern struct ste_binary_policy ste_bin_pol;
-/* use the lock when reading / changing binary policy ! */
-extern rwlock_t acm_bin_pol_rwlock;
-extern rwlock_t ssid_list_rwlock;
-
-/* subject and object type definitions */
-#define ACM_DATATYPE_domain 1
-
-/* defines number of access decisions to other domains can be cached
- * one entry per domain, TE does not distinguish evtchn or grant_table */
-#define ACM_TE_CACHE_SIZE 8
-#define ACM_STE_valid 0
-#define ACM_STE_free 1
-
-/* cache line:
- * if cache_line.valid==ACM_STE_valid, then
- * STE decision is cached as "permitted"
- * on domain cache_line.id
- */
-struct acm_ste_cache_line {
- int valid; /* ACM_STE_* */
- domid_t id;
-};
-
-/* general definition of a subject security id */
-struct acm_ssid_domain {
- struct list_head node; /* all are chained together */
- int datatype; /* type of subject (e.g., partition):
ACM_DATATYPE_* */
- ssidref_t ssidref; /* combined security reference */
- ssidref_t old_ssidref; /* holds previous value of ssidref during
relabeling */
- void *primary_ssid; /* primary policy ssid part (e.g. chinese wall) */
- void *secondary_ssid; /* secondary policy ssid part (e.g. type
enforcement) */
- struct domain *subject;/* backpointer to subject structure */
- domid_t domainid; /* replicate id */
-};
-
-/* chinese wall ssid type */
-struct chwall_ssid {
- ssidref_t chwall_ssidref;
-};
-
-/* simple type enforcement ssid type */
-struct ste_ssid {
- ssidref_t ste_ssidref;
- struct acm_ste_cache_line ste_cache[ACM_TE_CACHE_SIZE]; /* decision cache
*/
-};
-
-/* macros to access ssidref for primary / secondary policy
- * primary ssidref = lower 16 bit
- * secondary ssidref = higher 16 bit
- */
-#define ACM_PRIMARY(ssidref) \
- ((ssidref) & 0xffff)
-
-#define ACM_SECONDARY(ssidref) \
- ((ssidref) >> 16)
-
-#define GET_SSIDREF(POLICY, ssidref) \
- ((POLICY) == acm_bin_pol.primary_policy_code) ? \
- ACM_PRIMARY(ssidref) : ACM_SECONDARY(ssidref)
-
-/* macros to access ssid pointer for primary / secondary policy */
-#define GET_SSIDP(POLICY, ssid) \
- ((POLICY) == acm_bin_pol.primary_policy_code) ? \
- ((ssid)->primary_ssid) : ((ssid)->secondary_ssid)
-
-#define ACM_INVALID_SSIDREF (0xffffffff)
-
-struct acm_sized_buffer
-{
- uint32_t *array;
- uint num_items;
- uint position;
-};
-
-static inline int acm_array_append_tuple(struct acm_sized_buffer *buf,
- uint32_t a, uint32_t b)
-{
- uint i;
- if (buf == NULL)
- return 0;
-
- i = buf->position;
-
- if ((i + 2) > buf->num_items)
- return 0;
-
- buf->array[i] = cpu_to_be32(a);
- buf->array[i+1] = cpu_to_be32(b);
- buf->position += 2;
- return 1;
-}
-
-/* protos */
-int acm_init_domain_ssid(struct domain *, ssidref_t ssidref);
-void acm_free_domain_ssid(struct acm_ssid_domain *ssid);
-int acm_init_binary_policy(u32 policy_code);
-int acm_set_policy(XEN_GUEST_HANDLE_64(void) buf, u32 buf_size);
-int do_acm_set_policy(void *buf, u32 buf_size, int is_bootpolicy,
- struct acm_sized_buffer *, struct acm_sized_buffer *,
- struct acm_sized_buffer *);
-int acm_get_policy(XEN_GUEST_HANDLE_64(void) buf, u32 buf_size);
-int acm_dump_statistics(XEN_GUEST_HANDLE_64(void) buf, u16 buf_size);
-int acm_get_ssid(ssidref_t ssidref, XEN_GUEST_HANDLE_64(void) buf, u16
buf_size);
-int acm_get_decision(ssidref_t ssidref1, ssidref_t ssidref2, u32 hook);
-int acm_set_policy_reference(u8 * buf, u32 buf_size);
-int acm_dump_policy_reference(u8 *buf, u32 buf_size);
-int acm_change_policy(struct acm_change_policy *);
-int acm_relabel_domains(struct acm_relabel_doms *);
-int do_chwall_init_state_curr(struct acm_sized_buffer *);
-int do_ste_init_state_curr(struct acm_sized_buffer *);
-
-/* variables */
-extern ssidref_t dom0_chwall_ssidref;
-extern ssidref_t dom0_ste_ssidref;
-#define ACM_MAX_NUM_TYPES (256)
-
-/* traversing the list of ssids */
-extern struct list_head ssid_list;
-#define for_each_acmssid( N ) \
- for ( N = (struct acm_ssid_domain *)ssid_list.next; \
- N != (struct acm_ssid_domain *)&ssid_list; \
- N = (struct acm_ssid_domain *)N->node.next )
-
-#endif
-
-/*
- * Local variables:
- * mode: C
- * c-set-style: "BSD"
- * c-basic-offset: 4
- * tab-width: 4
- * indent-tabs-mode: nil
- * End:
- */
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/include/acm/acm_endian.h
--- a/xen/include/acm/acm_endian.h Fri Aug 31 11:41:49 2007 +0100
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,69 +0,0 @@
-/****************************************************************
- * acm_endian.h
- *
- * Copyright (C) 2005 IBM Corporation
- *
- * Author:
- * Stefan Berger <stefanb@xxxxxxxxxxxxxx>
- *
- * Contributions:
- * Reiner Sailer <sailer@xxxxxxxxxxxxxx>
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License as
- * published by the Free Software Foundation, version 2 of the
- * License.
- *
- * sHype header file defining endian-dependent functions for the
- * big-endian policy interface
- *
- */
-
-#ifndef _ACM_ENDIAN_H
-#define _ACM_ENDIAN_H
-
-#include <asm/byteorder.h>
-
-static inline void arrcpy16(u16 *dest, const u16 *src, size_t n)
-{
- unsigned int i;
- for ( i = 0; i < n; i++ )
- dest[i] = cpu_to_be16(src[i]);
-}
-
-static inline void arrcpy32(u32 *dest, const u32 *src, size_t n)
-{
- unsigned int i;
- for ( i = 0; i < n; i++ )
- dest[i] = cpu_to_be32(src[i]);
-}
-
-static inline void arrcpy(
- void *dest, const void *src, unsigned int elsize, size_t n)
-{
- switch ( elsize )
- {
- case sizeof(u16):
- arrcpy16((u16 *)dest, (u16 *)src, n);
- break;
-
- case sizeof(u32):
- arrcpy32((u32 *)dest, (u32 *)src, n);
- break;
-
- default:
- memcpy(dest, src, elsize*n);
- }
-}
-
-#endif
-
-/*
- * Local variables:
- * mode: C
- * c-set-style: "BSD"
- * c-basic-offset: 4
- * tab-width: 4
- * indent-tabs-mode: nil
- * End:
- */
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/include/acm/acm_hooks.h
--- a/xen/include/acm/acm_hooks.h Fri Aug 31 11:41:49 2007 +0100
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,349 +0,0 @@
-/****************************************************************
- * acm_hooks.h
- *
- * Copyright (C) 2005 IBM Corporation
- *
- * Author:
- * Reiner Sailer <sailer@xxxxxxxxxxxxxx>
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License as
- * published by the Free Software Foundation, version 2 of the
- * License.
- *
- * acm header file implementing the global (policy-independent)
- * sHype hooks that are called throughout Xen.
- *
- */
-
-#ifndef _ACM_HOOKS_H
-#define _ACM_HOOKS_H
-
-#include <xen/config.h>
-#include <xen/errno.h>
-#include <xen/types.h>
-#include <xen/lib.h>
-#include <xen/delay.h>
-#include <xen/sched.h>
-#include <xen/multiboot.h>
-#include <public/acm.h>
-#include <acm/acm_core.h>
-#include <public/domctl.h>
-#include <public/event_channel.h>
-#include <asm/current.h>
-
-/*
- * HOOK structure and meaning (justifies a few words about our model):
- *
- * General idea: every policy-controlled system operation is reflected in a
- * transaction in the system's security state
- *
- * Keeping the security state consistent requires "atomic" transactions.
- * The name of the hooks to place around policy-controlled transactions
- * reflects this. If authorizations do not involve security state changes,
- * then and only then POST and FAIL hooks remain empty since we don't care
- * about the eventual outcome of the operation from a security viewpoint.
- *
- * PURPOSE of hook types:
- * ======================
- * PRE-Hooks
- * a) general authorization to guard a controlled system operation
- * b) prepare security state change
- * (means: fail hook must be able to "undo" this)
- *
- * POST-Hooks
- * a) commit prepared state change
- *
- * FAIL-Hooks
- * a) roll-back prepared security state change from PRE-Hook
- *
- *
- * PLACEMENT of hook types:
- * ========================
- * PRE-Hooks must be called before a guarded/controlled system operation
- * is started. They return ACM_ACCESS_PERMITTED, ACM_ACCESS_DENIED or
- * error. Operation must be aborted if return is not ACM_ACCESS_PERMITTED.
- *
- * POST-Hooks must be called after a successful system operation.
- * There is no return value: commit never fails.
- *
- * FAIL-Hooks must be called:
- * a) if system transaction (operation) fails after calling the PRE-hook
- * b) if another (secondary) policy denies access in its PRE-Hook
- * (policy layering is useful but requires additional handling)
- *
- * Hook model from a security transaction viewpoint:
- * start-sys-ops--> prepare ----succeed-----> commit --> sys-ops success
- * (pre-hook) \ (post-hook)
- * \
- * fail
- * \
- * \
- * roll-back
- * (fail-hook)
- * \
- * sys-ops error
- *
- */
-
-struct acm_operations {
- /* policy management functions (must always be defined!) */
- int (*init_domain_ssid) (void **ssid, ssidref_t ssidref);
- void (*free_domain_ssid) (void *ssid);
- int (*dump_binary_policy) (u8 *buffer, u32 buf_size);
- int (*test_binary_policy) (u8 *buffer, u32 buf_size,
- int is_bootpolicy,
- struct acm_sized_buffer *);
- int (*set_binary_policy) (u8 *buffer, u32 buf_size);
- int (*dump_statistics) (u8 *buffer, u16 buf_size);
- int (*dump_ssid_types) (ssidref_t ssidref, u8 *buffer, u16
buf_size);
- /* domain management control hooks (can be NULL) */
- int (*domain_create) (void *subject_ssid, ssidref_t ssidref,
- domid_t domid);
- void (*domain_destroy) (void *object_ssid, struct domain *d);
- /* event channel control hooks (can be NULL) */
- int (*pre_eventchannel_unbound) (domid_t id1, domid_t id2);
- void (*fail_eventchannel_unbound) (domid_t id1, domid_t id2);
- int (*pre_eventchannel_interdomain) (domid_t id);
- void (*fail_eventchannel_interdomain) (domid_t id);
- /* grant table control hooks (can be NULL) */
- int (*pre_grant_map_ref) (domid_t id);
- void (*fail_grant_map_ref) (domid_t id);
- int (*pre_grant_setup) (domid_t id);
- void (*fail_grant_setup) (domid_t id);
- /* generic domain-requested decision hooks (can be NULL) */
- int (*sharing) (ssidref_t ssidref1,
- ssidref_t ssidref2);
- int (*authorization) (ssidref_t ssidref1,
- ssidref_t ssidref2);
- /* determine whether the default policy is installed */
- int (*is_default_policy) (void);
-};
-
-/* global variables */
-extern struct acm_operations *acm_primary_ops;
-extern struct acm_operations *acm_secondary_ops;
-
-/* if ACM_TRACE_MODE defined, all hooks should
- * print a short trace message */
-/* #define ACM_TRACE_MODE */
-
-#ifdef ACM_TRACE_MODE
-# define traceprintk(fmt, args...) printk(fmt,## args)
-#else
-# define traceprintk(fmt, args...)
-#endif
-
-
-#ifndef ACM_SECURITY
-
-static inline int acm_pre_eventchannel_unbound(domid_t id1, domid_t id2)
-{ return 0; }
-static inline int acm_pre_eventchannel_interdomain(domid_t id)
-{ return 0; }
-static inline int acm_pre_grant_map_ref(domid_t id)
-{ return 0; }
-static inline int acm_pre_grant_setup(domid_t id)
-{ return 0; }
-static inline int acm_is_policy(char *buf, unsigned long len)
-{ return 0; }
-static inline int acm_sharing(ssidref_t ssidref1, ssidref_t ssidref2)
-{ return 0; }
-static inline int acm_authorization(ssidref_t ssidref1, ssidref_t ssidref2)
-{ return 0; }
-static inline int acm_domain_create(struct domain *d, ssidref_t ssidref)
-{ return 0; }
-static inline void acm_domain_destroy(struct domain *d)
-{ return; }
-
-#define DOM0_SSIDREF 0x0
-
-#else
-
-static inline void acm_domain_ssid_onto_list(struct acm_ssid_domain *ssid)
-{
- write_lock(&ssid_list_rwlock);
- list_add(&ssid->node, &ssid_list);
- write_unlock(&ssid_list_rwlock);
-}
-
-static inline void acm_domain_ssid_off_list(struct acm_ssid_domain *ssid)
-{
- write_lock(&ssid_list_rwlock);
- list_del(&ssid->node);
- write_unlock(&ssid_list_rwlock);
-}
-
-static inline int acm_pre_eventchannel_unbound(domid_t id1, domid_t id2)
-{
- if ((acm_primary_ops->pre_eventchannel_unbound != NULL) &&
- acm_primary_ops->pre_eventchannel_unbound(id1, id2))
- return ACM_ACCESS_DENIED;
- else if ((acm_secondary_ops->pre_eventchannel_unbound != NULL) &&
- acm_secondary_ops->pre_eventchannel_unbound(id1, id2)) {
- /* roll-back primary */
- if (acm_primary_ops->fail_eventchannel_unbound != NULL)
- acm_primary_ops->fail_eventchannel_unbound(id1, id2);
- return ACM_ACCESS_DENIED;
- } else
- return ACM_ACCESS_PERMITTED;
-}
-
-static inline int acm_pre_eventchannel_interdomain(domid_t id)
-{
- if ((acm_primary_ops->pre_eventchannel_interdomain != NULL) &&
- acm_primary_ops->pre_eventchannel_interdomain(id))
- return ACM_ACCESS_DENIED;
- else if ((acm_secondary_ops->pre_eventchannel_interdomain != NULL) &&
- acm_secondary_ops->pre_eventchannel_interdomain(id)) {
- /* roll-back primary */
- if (acm_primary_ops->fail_eventchannel_interdomain != NULL)
- acm_primary_ops->fail_eventchannel_interdomain(id);
- return ACM_ACCESS_DENIED;
- } else
- return ACM_ACCESS_PERMITTED;
-}
-
-
-static inline int acm_pre_grant_map_ref(domid_t id)
-{
- if ( (acm_primary_ops->pre_grant_map_ref != NULL) &&
- acm_primary_ops->pre_grant_map_ref(id) )
- {
- return ACM_ACCESS_DENIED;
- }
- else if ( (acm_secondary_ops->pre_grant_map_ref != NULL) &&
- acm_secondary_ops->pre_grant_map_ref(id) )
- {
- /* roll-back primary */
- if ( acm_primary_ops->fail_grant_map_ref != NULL )
- acm_primary_ops->fail_grant_map_ref(id);
- return ACM_ACCESS_DENIED;
- }
- else
- {
- return ACM_ACCESS_PERMITTED;
- }
-}
-
-static inline int acm_pre_grant_setup(domid_t id)
-{
- if ( (acm_primary_ops->pre_grant_setup != NULL) &&
- acm_primary_ops->pre_grant_setup(id) )
- {
- return ACM_ACCESS_DENIED;
- }
- else if ( (acm_secondary_ops->pre_grant_setup != NULL) &&
- acm_secondary_ops->pre_grant_setup(id) )
- {
- /* roll-back primary */
- if (acm_primary_ops->fail_grant_setup != NULL)
- acm_primary_ops->fail_grant_setup(id);
- return ACM_ACCESS_DENIED;
- }
- else
- {
- return ACM_ACCESS_PERMITTED;
- }
-}
-
-
-static inline void acm_domain_destroy(struct domain *d)
-{
- void *ssid = d->ssid;
- if (ssid != NULL) {
- if (acm_primary_ops->domain_destroy != NULL)
- acm_primary_ops->domain_destroy(ssid, d);
- if (acm_secondary_ops->domain_destroy != NULL)
- acm_secondary_ops->domain_destroy(ssid, d);
- /* free security ssid for the destroyed domain (also if null policy */
- acm_domain_ssid_off_list(ssid);
- acm_free_domain_ssid((struct acm_ssid_domain *)(ssid));
- }
-}
-
-
-static inline int acm_domain_create(struct domain *d, ssidref_t ssidref)
-{
- void *subject_ssid = current->domain->ssid;
- domid_t domid = d->domain_id;
- int rc;
-
- read_lock(&acm_bin_pol_rwlock);
- /*
- To be called when a domain is created; returns '0' if the
- domain is allowed to be created, != '0' if not.
- */
- rc = acm_init_domain_ssid(d, ssidref);
- if (rc != ACM_OK)
- goto error_out;
-
- if ((acm_primary_ops->domain_create != NULL) &&
- acm_primary_ops->domain_create(subject_ssid, ssidref, domid)) {
- rc = ACM_ACCESS_DENIED;
- } else if ((acm_secondary_ops->domain_create != NULL) &&
- acm_secondary_ops->domain_create(subject_ssid, ssidref,
- domid)) {
- /* roll-back primary */
- if (acm_primary_ops->domain_destroy != NULL)
- acm_primary_ops->domain_destroy(d->ssid, d);
- rc = ACM_ACCESS_DENIED;
- }
-
- if ( rc == ACM_OK )
- {
- acm_domain_ssid_onto_list(d->ssid);
- } else {
- acm_free_domain_ssid(d->ssid);
- }
-
-error_out:
- read_unlock(&acm_bin_pol_rwlock);
- return rc;
-}
-
-
-static inline int acm_sharing(ssidref_t ssidref1, ssidref_t ssidref2)
-{
- if ((acm_primary_ops->sharing != NULL) &&
- acm_primary_ops->sharing(ssidref1, ssidref2))
- return ACM_ACCESS_DENIED;
- else if ((acm_secondary_ops->sharing != NULL) &&
- acm_secondary_ops->sharing(ssidref1, ssidref2)) {
- return ACM_ACCESS_DENIED;
- } else
- return ACM_ACCESS_PERMITTED;
-}
-
-
-static inline int acm_authorization(ssidref_t ssidref1, ssidref_t ssidref2)
-{
- if ((acm_primary_ops->authorization != NULL) &&
- acm_primary_ops->authorization(ssidref1, ssidref2))
- return ACM_ACCESS_DENIED;
- else if ((acm_secondary_ops->authorization != NULL) &&
- acm_secondary_ops->authorization(ssidref1, ssidref2)) {
- return ACM_ACCESS_DENIED;
- } else
- return ACM_ACCESS_PERMITTED;
-}
-
-
-/* Return true iff buffer has an acm policy magic number. */
-extern int acm_is_policy(char *buf, unsigned long len);
-
-#define DOM0_SSIDREF (dom0_ste_ssidref << 16 | dom0_chwall_ssidref)
-
-#endif
-
-#endif
-
-/*
- * Local variables:
- * mode: C
- * c-set-style: "BSD"
- * c-basic-offset: 4
- * tab-width: 4
- * indent-tabs-mode: nil
- * End:
- */
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/include/public/acm.h
--- a/xen/include/public/acm.h Fri Aug 31 11:41:49 2007 +0100
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,229 +0,0 @@
-/*
- * acm.h: Xen access control module interface defintions
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to
- * deal in the Software without restriction, including without limitation the
- * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
- * sell copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- *
- * Reiner Sailer <sailer@xxxxxxxxxxxxxx>
- * Copyright (c) 2005, International Business Machines Corporation.
- */
-
-#ifndef _XEN_PUBLIC_ACM_H
-#define _XEN_PUBLIC_ACM_H
-
-#include "xen.h"
-
-/* if ACM_DEBUG defined, all hooks should
- * print a short trace message (comment it out
- * when not in testing mode )
- */
-/* #define ACM_DEBUG */
-
-#ifdef ACM_DEBUG
-# define printkd(fmt, args...) printk(fmt,## args)
-#else
-# define printkd(fmt, args...)
-#endif
-
-/* default ssid reference value if not supplied */
-#define ACM_DEFAULT_SSID 0x0
-#define ACM_DEFAULT_LOCAL_SSID 0x0
-
-/* Internal ACM ERROR types */
-#define ACM_OK 0
-#define ACM_UNDEF -1
-#define ACM_INIT_SSID_ERROR -2
-#define ACM_INIT_SOID_ERROR -3
-#define ACM_ERROR -4
-
-/* External ACCESS DECISIONS */
-#define ACM_ACCESS_PERMITTED 0
-#define ACM_ACCESS_DENIED -111
-#define ACM_NULL_POINTER_ERROR -200
-
-/*
- Error codes reported in when trying to test for a new policy
- These error codes are reported in an array of tuples where
- each error code is followed by a parameter describing the error
- more closely, such as a domain id.
-*/
-#define ACM_EVTCHN_SHARING_VIOLATION 0x100
-#define ACM_GNTTAB_SHARING_VIOLATION 0x101
-#define ACM_DOMAIN_LOOKUP 0x102
-#define ACM_CHWALL_CONFLICT 0x103
-#define ACM_SSIDREF_IN_USE 0x104
-
-
-/* primary policy in lower 4 bits */
-#define ACM_NULL_POLICY 0
-#define ACM_CHINESE_WALL_POLICY 1
-#define ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY 2
-#define ACM_POLICY_UNDEFINED 15
-
-/* combinations have secondary policy component in higher 4bit */
-#define ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY \
- ((ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY << 4) | ACM_CHINESE_WALL_POLICY)
-
-/* policy: */
-#define ACM_POLICY_NAME(X) \
- ((X) == (ACM_NULL_POLICY)) ? "NULL" : \
- ((X) == (ACM_CHINESE_WALL_POLICY)) ? "CHINESE WALL" : \
- ((X) == (ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY)) ? "SIMPLE TYPE ENFORCEMENT"
: \
- ((X) == (ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY)) ? "CHINESE
WALL AND SIMPLE TYPE ENFORCEMENT" : \
- "UNDEFINED"
-
-/* the following policy versions must be increased
- * whenever the interpretation of the related
- * policy's data structure changes
- */
-#define ACM_POLICY_VERSION 3
-#define ACM_CHWALL_VERSION 1
-#define ACM_STE_VERSION 1
-
-/* defines a ssid reference used by xen */
-typedef uint32_t ssidref_t;
-
-/* hooks that are known to domains */
-#define ACMHOOK_none 0
-#define ACMHOOK_sharing 1
-#define ACMHOOK_authorization 2
-
-/* -------security policy relevant type definitions-------- */
-
-/* type identifier; compares to "equal" or "not equal" */
-typedef uint16_t domaintype_t;
-
-/* CHINESE WALL POLICY DATA STRUCTURES
- *
- * current accumulated conflict type set:
- * When a domain is started and has a type that is in
- * a conflict set, the conflicting types are incremented in
- * the aggregate set. When a domain is destroyed, the
- * conflicting types to its type are decremented.
- * If a domain has multiple types, this procedure works over
- * all those types.
- *
- * conflict_aggregate_set[i] holds the number of
- * running domains that have a conflict with type i.
- *
- * running_types[i] holds the number of running domains
- * that include type i in their ssidref-referenced type set
- *
- * conflict_sets[i][j] is "0" if type j has no conflict
- * with type i and is "1" otherwise.
- */
-/* high-16 = version, low-16 = check magic */
-#define ACM_MAGIC 0x0001debc
-
-/* each offset in bytes from start of the struct they
- * are part of */
-
-/* V3 of the policy buffer aded a version structure */
-struct acm_policy_version
-{
- uint32_t major;
- uint32_t minor;
-};
-
-
-/* each buffer consists of all policy information for
- * the respective policy given in the policy code
- *
- * acm_policy_buffer, acm_chwall_policy_buffer,
- * and acm_ste_policy_buffer need to stay 32-bit aligned
- * because we create binary policies also with external
- * tools that assume packed representations (e.g. the java tool)
- */
-struct acm_policy_buffer {
- uint32_t magic;
- uint32_t policy_version; /* ACM_POLICY_VERSION */
- uint32_t len;
- uint32_t policy_reference_offset;
- uint32_t primary_policy_code;
- uint32_t primary_buffer_offset;
- uint32_t secondary_policy_code;
- uint32_t secondary_buffer_offset;
- struct acm_policy_version xml_pol_version; /* add in V3 */
-};
-
-
-struct acm_policy_reference_buffer {
- uint32_t len;
-};
-
-struct acm_chwall_policy_buffer {
- uint32_t policy_version; /* ACM_CHWALL_VERSION */
- uint32_t policy_code;
- uint32_t chwall_max_types;
- uint32_t chwall_max_ssidrefs;
- uint32_t chwall_max_conflictsets;
- uint32_t chwall_ssid_offset;
- uint32_t chwall_conflict_sets_offset;
- uint32_t chwall_running_types_offset;
- uint32_t chwall_conflict_aggregate_offset;
-};
-
-struct acm_ste_policy_buffer {
- uint32_t policy_version; /* ACM_STE_VERSION */
- uint32_t policy_code;
- uint32_t ste_max_types;
- uint32_t ste_max_ssidrefs;
- uint32_t ste_ssid_offset;
-};
-
-struct acm_stats_buffer {
- uint32_t magic;
- uint32_t len;
- uint32_t primary_policy_code;
- uint32_t primary_stats_offset;
- uint32_t secondary_policy_code;
- uint32_t secondary_stats_offset;
-};
-
-struct acm_ste_stats_buffer {
- uint32_t ec_eval_count;
- uint32_t gt_eval_count;
- uint32_t ec_denied_count;
- uint32_t gt_denied_count;
- uint32_t ec_cachehit_count;
- uint32_t gt_cachehit_count;
-};
-
-struct acm_ssid_buffer {
- uint32_t len;
- ssidref_t ssidref;
- uint32_t policy_reference_offset;
- uint32_t primary_policy_code;
- uint32_t primary_max_types;
- uint32_t primary_types_offset;
- uint32_t secondary_policy_code;
- uint32_t secondary_max_types;
- uint32_t secondary_types_offset;
-};
-
-#endif
-
-/*
- * Local variables:
- * mode: C
- * c-set-style: "BSD"
- * c-basic-offset: 4
- * tab-width: 4
- * indent-tabs-mode: nil
- * End:
- */
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/include/public/acm_ops.h
--- a/xen/include/public/acm_ops.h Fri Aug 31 11:41:49 2007 +0100
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,159 +0,0 @@
-/*
- * acm_ops.h: Xen access control module hypervisor commands
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to
- * deal in the Software without restriction, including without limitation the
- * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
- * sell copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- *
- * Reiner Sailer <sailer@xxxxxxxxxxxxxx>
- * Copyright (c) 2005,2006 International Business Machines Corporation.
- */
-
-#ifndef __XEN_PUBLIC_ACM_OPS_H__
-#define __XEN_PUBLIC_ACM_OPS_H__
-
-#include "xen.h"
-#include "acm.h"
-
-/*
- * Make sure you increment the interface version whenever you modify this file!
- * This makes sure that old versions of acm tools will stop working in a
- * well-defined way (rather than crashing the machine, for instance).
- */
-#define ACM_INTERFACE_VERSION 0xAAAA000A
-
-/************************************************************************/
-
-/*
- * Prototype for this hypercall is:
- * int acm_op(int cmd, void *args)
- * @cmd == ACMOP_??? (access control module operation).
- * @args == Operation-specific extra arguments (NULL if none).
- */
-
-
-#define ACMOP_setpolicy 1
-struct acm_setpolicy {
- /* IN */
- XEN_GUEST_HANDLE_64(void) pushcache;
- uint32_t pushcache_size;
-};
-
-
-#define ACMOP_getpolicy 2
-struct acm_getpolicy {
- /* IN */
- XEN_GUEST_HANDLE_64(void) pullcache;
- uint32_t pullcache_size;
-};
-
-
-#define ACMOP_dumpstats 3
-struct acm_dumpstats {
- /* IN */
- XEN_GUEST_HANDLE_64(void) pullcache;
- uint32_t pullcache_size;
-};
-
-
-#define ACMOP_getssid 4
-#define ACM_GETBY_ssidref 1
-#define ACM_GETBY_domainid 2
-struct acm_getssid {
- /* IN */
- uint32_t get_ssid_by; /* ACM_GETBY_* */
- union {
- domaintype_t domainid;
- ssidref_t ssidref;
- } id;
- XEN_GUEST_HANDLE_64(void) ssidbuf;
- uint32_t ssidbuf_size;
-};
-
-#define ACMOP_getdecision 5
-struct acm_getdecision {
- /* IN */
- uint32_t get_decision_by1; /* ACM_GETBY_* */
- uint32_t get_decision_by2; /* ACM_GETBY_* */
- union {
- domaintype_t domainid;
- ssidref_t ssidref;
- } id1;
- union {
- domaintype_t domainid;
- ssidref_t ssidref;
- } id2;
- uint32_t hook;
- /* OUT */
- uint32_t acm_decision;
-};
-
-
-#define ACMOP_chgpolicy 6
-struct acm_change_policy {
- /* IN */
- XEN_GUEST_HANDLE_64(void) policy_pushcache;
- uint32_t policy_pushcache_size;
- XEN_GUEST_HANDLE_64(void) del_array;
- uint32_t delarray_size;
- XEN_GUEST_HANDLE_64(void) chg_array;
- uint32_t chgarray_size;
- /* OUT */
- /* array with error code */
- XEN_GUEST_HANDLE_64(void) err_array;
- uint32_t errarray_size;
-};
-
-#define ACMOP_relabeldoms 7
-struct acm_relabel_doms {
- /* IN */
- XEN_GUEST_HANDLE_64(void) relabel_map;
- uint32_t relabel_map_size;
- /* OUT */
- XEN_GUEST_HANDLE_64(void) err_array;
- uint32_t errarray_size;
-};
-
-/* future interface to Xen */
-struct xen_acmctl {
- uint32_t cmd;
- uint32_t interface_version;
- union {
- struct acm_setpolicy setpolicy;
- struct acm_getpolicy getpolicy;
- struct acm_dumpstats dumpstats;
- struct acm_getssid getssid;
- struct acm_getdecision getdecision;
- struct acm_change_policy change_policy;
- struct acm_relabel_doms relabel_doms;
- } u;
-};
-
-typedef struct xen_acmctl xen_acmctl_t;
-DEFINE_XEN_GUEST_HANDLE(xen_acmctl_t);
-
-#endif /* __XEN_PUBLIC_ACM_OPS_H__ */
-
-/*
- * Local variables:
- * mode: C
- * c-set-style: "BSD"
- * c-basic-offset: 4
- * tab-width: 4
- * indent-tabs-mode: nil
- * End:
- */
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/include/public/xsm/acm.h
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/xen/include/public/xsm/acm.h Fri Aug 31 12:05:07 2007 +0100
@@ -0,0 +1,229 @@
+/*
+ * acm.h: Xen access control module interface defintions
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to
+ * deal in the Software without restriction, including without limitation the
+ * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+ * sell copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ *
+ * Reiner Sailer <sailer@xxxxxxxxxxxxxx>
+ * Copyright (c) 2005, International Business Machines Corporation.
+ */
+
+#ifndef _XEN_PUBLIC_ACM_H
+#define _XEN_PUBLIC_ACM_H
+
+#include "../xen.h"
+
+/* if ACM_DEBUG defined, all hooks should
+ * print a short trace message (comment it out
+ * when not in testing mode )
+ */
+/* #define ACM_DEBUG */
+
+#ifdef ACM_DEBUG
+# define printkd(fmt, args...) printk(fmt,## args)
+#else
+# define printkd(fmt, args...)
+#endif
+
+/* default ssid reference value if not supplied */
+#define ACM_DEFAULT_SSID 0x0
+#define ACM_DEFAULT_LOCAL_SSID 0x0
+
+/* Internal ACM ERROR types */
+#define ACM_OK 0
+#define ACM_UNDEF -1
+#define ACM_INIT_SSID_ERROR -2
+#define ACM_INIT_SOID_ERROR -3
+#define ACM_ERROR -4
+
+/* External ACCESS DECISIONS */
+#define ACM_ACCESS_PERMITTED 0
+#define ACM_ACCESS_DENIED -111
+#define ACM_NULL_POINTER_ERROR -200
+
+/*
+ Error codes reported in when trying to test for a new policy
+ These error codes are reported in an array of tuples where
+ each error code is followed by a parameter describing the error
+ more closely, such as a domain id.
+*/
+#define ACM_EVTCHN_SHARING_VIOLATION 0x100
+#define ACM_GNTTAB_SHARING_VIOLATION 0x101
+#define ACM_DOMAIN_LOOKUP 0x102
+#define ACM_CHWALL_CONFLICT 0x103
+#define ACM_SSIDREF_IN_USE 0x104
+
+
+/* primary policy in lower 4 bits */
+#define ACM_NULL_POLICY 0
+#define ACM_CHINESE_WALL_POLICY 1
+#define ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY 2
+#define ACM_POLICY_UNDEFINED 15
+
+/* combinations have secondary policy component in higher 4bit */
+#define ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY \
+ ((ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY << 4) | ACM_CHINESE_WALL_POLICY)
+
+/* policy: */
+#define ACM_POLICY_NAME(X) \
+ ((X) == (ACM_NULL_POLICY)) ? "NULL" : \
+ ((X) == (ACM_CHINESE_WALL_POLICY)) ? "CHINESE WALL" : \
+ ((X) == (ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY)) ? "SIMPLE TYPE ENFORCEMENT"
: \
+ ((X) == (ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY)) ? "CHINESE
WALL AND SIMPLE TYPE ENFORCEMENT" : \
+ "UNDEFINED"
+
+/* the following policy versions must be increased
+ * whenever the interpretation of the related
+ * policy's data structure changes
+ */
+#define ACM_POLICY_VERSION 3
+#define ACM_CHWALL_VERSION 1
+#define ACM_STE_VERSION 1
+
+/* defines a ssid reference used by xen */
+typedef uint32_t ssidref_t;
+
+/* hooks that are known to domains */
+#define ACMHOOK_none 0
+#define ACMHOOK_sharing 1
+#define ACMHOOK_authorization 2
+
+/* -------security policy relevant type definitions-------- */
+
+/* type identifier; compares to "equal" or "not equal" */
+typedef uint16_t domaintype_t;
+
+/* CHINESE WALL POLICY DATA STRUCTURES
+ *
+ * current accumulated conflict type set:
+ * When a domain is started and has a type that is in
+ * a conflict set, the conflicting types are incremented in
+ * the aggregate set. When a domain is destroyed, the
+ * conflicting types to its type are decremented.
+ * If a domain has multiple types, this procedure works over
+ * all those types.
+ *
+ * conflict_aggregate_set[i] holds the number of
+ * running domains that have a conflict with type i.
+ *
+ * running_types[i] holds the number of running domains
+ * that include type i in their ssidref-referenced type set
+ *
+ * conflict_sets[i][j] is "0" if type j has no conflict
+ * with type i and is "1" otherwise.
+ */
+/* high-16 = version, low-16 = check magic */
+#define ACM_MAGIC 0x0001debc
+
+/* each offset in bytes from start of the struct they
+ * are part of */
+
+/* V3 of the policy buffer aded a version structure */
+struct acm_policy_version
+{
+ uint32_t major;
+ uint32_t minor;
+};
+
+
+/* each buffer consists of all policy information for
+ * the respective policy given in the policy code
+ *
+ * acm_policy_buffer, acm_chwall_policy_buffer,
+ * and acm_ste_policy_buffer need to stay 32-bit aligned
+ * because we create binary policies also with external
+ * tools that assume packed representations (e.g. the java tool)
+ */
+struct acm_policy_buffer {
+ uint32_t magic;
+ uint32_t policy_version; /* ACM_POLICY_VERSION */
+ uint32_t len;
+ uint32_t policy_reference_offset;
+ uint32_t primary_policy_code;
+ uint32_t primary_buffer_offset;
+ uint32_t secondary_policy_code;
+ uint32_t secondary_buffer_offset;
+ struct acm_policy_version xml_pol_version; /* add in V3 */
+};
+
+
+struct acm_policy_reference_buffer {
+ uint32_t len;
+};
+
+struct acm_chwall_policy_buffer {
+ uint32_t policy_version; /* ACM_CHWALL_VERSION */
+ uint32_t policy_code;
+ uint32_t chwall_max_types;
+ uint32_t chwall_max_ssidrefs;
+ uint32_t chwall_max_conflictsets;
+ uint32_t chwall_ssid_offset;
+ uint32_t chwall_conflict_sets_offset;
+ uint32_t chwall_running_types_offset;
+ uint32_t chwall_conflict_aggregate_offset;
+};
+
+struct acm_ste_policy_buffer {
+ uint32_t policy_version; /* ACM_STE_VERSION */
+ uint32_t policy_code;
+ uint32_t ste_max_types;
+ uint32_t ste_max_ssidrefs;
+ uint32_t ste_ssid_offset;
+};
+
+struct acm_stats_buffer {
+ uint32_t magic;
+ uint32_t len;
+ uint32_t primary_policy_code;
+ uint32_t primary_stats_offset;
+ uint32_t secondary_policy_code;
+ uint32_t secondary_stats_offset;
+};
+
+struct acm_ste_stats_buffer {
+ uint32_t ec_eval_count;
+ uint32_t gt_eval_count;
+ uint32_t ec_denied_count;
+ uint32_t gt_denied_count;
+ uint32_t ec_cachehit_count;
+ uint32_t gt_cachehit_count;
+};
+
+struct acm_ssid_buffer {
+ uint32_t len;
+ ssidref_t ssidref;
+ uint32_t policy_reference_offset;
+ uint32_t primary_policy_code;
+ uint32_t primary_max_types;
+ uint32_t primary_types_offset;
+ uint32_t secondary_policy_code;
+ uint32_t secondary_max_types;
+ uint32_t secondary_types_offset;
+};
+
+#endif
+
+/*
+ * Local variables:
+ * mode: C
+ * c-set-style: "BSD"
+ * c-basic-offset: 4
+ * tab-width: 4
+ * indent-tabs-mode: nil
+ * End:
+ */
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/include/public/xsm/acm_ops.h
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/xen/include/public/xsm/acm_ops.h Fri Aug 31 12:05:07 2007 +0100
@@ -0,0 +1,159 @@
+/*
+ * acm_ops.h: Xen access control module hypervisor commands
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to
+ * deal in the Software without restriction, including without limitation the
+ * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+ * sell copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ *
+ * Reiner Sailer <sailer@xxxxxxxxxxxxxx>
+ * Copyright (c) 2005,2006 International Business Machines Corporation.
+ */
+
+#ifndef __XEN_PUBLIC_ACM_OPS_H__
+#define __XEN_PUBLIC_ACM_OPS_H__
+
+#include "../xen.h"
+#include "acm.h"
+
+/*
+ * Make sure you increment the interface version whenever you modify this file!
+ * This makes sure that old versions of acm tools will stop working in a
+ * well-defined way (rather than crashing the machine, for instance).
+ */
+#define ACM_INTERFACE_VERSION 0xAAAA000A
+
+/************************************************************************/
+
+/*
+ * Prototype for this hypercall is:
+ * int acm_op(int cmd, void *args)
+ * @cmd == ACMOP_??? (access control module operation).
+ * @args == Operation-specific extra arguments (NULL if none).
+ */
+
+
+#define ACMOP_setpolicy 1
+struct acm_setpolicy {
+ /* IN */
+ XEN_GUEST_HANDLE_64(void) pushcache;
+ uint32_t pushcache_size;
+};
+
+
+#define ACMOP_getpolicy 2
+struct acm_getpolicy {
+ /* IN */
+ XEN_GUEST_HANDLE_64(void) pullcache;
+ uint32_t pullcache_size;
+};
+
+
+#define ACMOP_dumpstats 3
+struct acm_dumpstats {
+ /* IN */
+ XEN_GUEST_HANDLE_64(void) pullcache;
+ uint32_t pullcache_size;
+};
+
+
+#define ACMOP_getssid 4
+#define ACM_GETBY_ssidref 1
+#define ACM_GETBY_domainid 2
+struct acm_getssid {
+ /* IN */
+ uint32_t get_ssid_by; /* ACM_GETBY_* */
+ union {
+ domaintype_t domainid;
+ ssidref_t ssidref;
+ } id;
+ XEN_GUEST_HANDLE_64(void) ssidbuf;
+ uint32_t ssidbuf_size;
+};
+
+#define ACMOP_getdecision 5
+struct acm_getdecision {
+ /* IN */
+ uint32_t get_decision_by1; /* ACM_GETBY_* */
+ uint32_t get_decision_by2; /* ACM_GETBY_* */
+ union {
+ domaintype_t domainid;
+ ssidref_t ssidref;
+ } id1;
+ union {
+ domaintype_t domainid;
+ ssidref_t ssidref;
+ } id2;
+ uint32_t hook;
+ /* OUT */
+ uint32_t acm_decision;
+};
+
+
+#define ACMOP_chgpolicy 6
+struct acm_change_policy {
+ /* IN */
+ XEN_GUEST_HANDLE_64(void) policy_pushcache;
+ uint32_t policy_pushcache_size;
+ XEN_GUEST_HANDLE_64(void) del_array;
+ uint32_t delarray_size;
+ XEN_GUEST_HANDLE_64(void) chg_array;
+ uint32_t chgarray_size;
+ /* OUT */
+ /* array with error code */
+ XEN_GUEST_HANDLE_64(void) err_array;
+ uint32_t errarray_size;
+};
+
+#define ACMOP_relabeldoms 7
+struct acm_relabel_doms {
+ /* IN */
+ XEN_GUEST_HANDLE_64(void) relabel_map;
+ uint32_t relabel_map_size;
+ /* OUT */
+ XEN_GUEST_HANDLE_64(void) err_array;
+ uint32_t errarray_size;
+};
+
+/* future interface to Xen */
+struct xen_acmctl {
+ uint32_t cmd;
+ uint32_t interface_version;
+ union {
+ struct acm_setpolicy setpolicy;
+ struct acm_getpolicy getpolicy;
+ struct acm_dumpstats dumpstats;
+ struct acm_getssid getssid;
+ struct acm_getdecision getdecision;
+ struct acm_change_policy change_policy;
+ struct acm_relabel_doms relabel_doms;
+ } u;
+};
+
+typedef struct xen_acmctl xen_acmctl_t;
+DEFINE_XEN_GUEST_HANDLE(xen_acmctl_t);
+
+#endif /* __XEN_PUBLIC_ACM_OPS_H__ */
+
+/*
+ * Local variables:
+ * mode: C
+ * c-set-style: "BSD"
+ * c-basic-offset: 4
+ * tab-width: 4
+ * indent-tabs-mode: nil
+ * End:
+ */
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/include/xen/sched.h
--- a/xen/include/xen/sched.h Fri Aug 31 11:41:49 2007 +0100
+++ b/xen/include/xen/sched.h Fri Aug 31 12:05:07 2007 +0100
@@ -10,7 +10,7 @@
#include <public/xen.h>
#include <public/domctl.h>
#include <public/vcpu.h>
-#include <public/acm.h>
+#include <public/xsm/acm.h>
#include <xen/time.h>
#include <xen/timer.h>
#include <xen/grant_table.h>
@@ -63,6 +63,9 @@ struct evtchn
u16 pirq; /* state == ECS_PIRQ */
u16 virq; /* state == ECS_VIRQ */
} u;
+#ifdef FLASK_ENABLE
+ void *ssid;
+#endif
};
int evtchn_init(struct domain *d);
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/include/xsm/acm/acm_core.h
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/xen/include/xsm/acm/acm_core.h Fri Aug 31 12:05:07 2007 +0100
@@ -0,0 +1,196 @@
+/****************************************************************
+ * acm_core.h
+ *
+ * Copyright (C) 2005 IBM Corporation
+ *
+ * Author:
+ * Reiner Sailer <sailer@xxxxxxxxxxxxxx>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ *
+ * sHype header file describing core data types and constants
+ * for the access control module and relevant policies
+ *
+ */
+
+#ifndef _ACM_CORE_H
+#define _ACM_CORE_H
+
+#include <xen/spinlock.h>
+#include <xen/list.h>
+#include <public/xsm/acm.h>
+#include <public/xsm/acm_ops.h>
+#include <xsm/acm/acm_endian.h>
+
+#define ACM_DEFAULT_SECURITY_POLICY \
+ ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY
+
+/* Xen-internal representation of the binary policy */
+struct acm_binary_policy {
+ char *policy_reference_name;
+ u16 primary_policy_code;
+ u16 secondary_policy_code;
+ struct acm_policy_version xml_pol_version;
+};
+
+struct chwall_binary_policy {
+ u32 max_types;
+ u32 max_ssidrefs;
+ u32 max_conflictsets;
+ domaintype_t *ssidrefs; /* [max_ssidrefs][max_types] */
+ domaintype_t *conflict_aggregate_set; /* [max_types] */
+ domaintype_t *running_types; /* [max_types] */
+ domaintype_t *conflict_sets; /* [max_conflictsets][max_types]*/
+};
+
+struct ste_binary_policy {
+ u32 max_types;
+ u32 max_ssidrefs;
+ domaintype_t *ssidrefs; /* [max_ssidrefs][max_types] */
+ atomic_t ec_eval_count, gt_eval_count;
+ atomic_t ec_denied_count, gt_denied_count;
+ atomic_t ec_cachehit_count, gt_cachehit_count;
+};
+
+/* global acm policy */
+extern u16 acm_active_security_policy;
+extern struct acm_binary_policy acm_bin_pol;
+extern struct chwall_binary_policy chwall_bin_pol;
+extern struct ste_binary_policy ste_bin_pol;
+/* use the lock when reading / changing binary policy ! */
+extern rwlock_t acm_bin_pol_rwlock;
+extern rwlock_t ssid_list_rwlock;
+
+/* subject and object type definitions */
+#define ACM_DATATYPE_domain 1
+
+/* defines number of access decisions to other domains can be cached
+ * one entry per domain, TE does not distinguish evtchn or grant_table */
+#define ACM_TE_CACHE_SIZE 8
+#define ACM_STE_valid 0
+#define ACM_STE_free 1
+
+/* cache line:
+ * if cache_line.valid==ACM_STE_valid, then
+ * STE decision is cached as "permitted"
+ * on domain cache_line.id
+ */
+struct acm_ste_cache_line {
+ int valid; /* ACM_STE_* */
+ domid_t id;
+};
+
+/* general definition of a subject security id */
+struct acm_ssid_domain {
+ struct list_head node; /* all are chained together */
+ int datatype; /* type of subject (e.g., partition):
ACM_DATATYPE_* */
+ ssidref_t ssidref; /* combined security reference */
+ ssidref_t old_ssidref; /* holds previous value of ssidref during
relabeling */
+ void *primary_ssid; /* primary policy ssid part (e.g. chinese wall) */
+ void *secondary_ssid; /* secondary policy ssid part (e.g. type
enforcement) */
+ struct domain *subject;/* backpointer to subject structure */
+ domid_t domainid; /* replicate id */
+};
+
+/* chinese wall ssid type */
+struct chwall_ssid {
+ ssidref_t chwall_ssidref;
+};
+
+/* simple type enforcement ssid type */
+struct ste_ssid {
+ ssidref_t ste_ssidref;
+ struct acm_ste_cache_line ste_cache[ACM_TE_CACHE_SIZE]; /* decision cache
*/
+};
+
+/* macros to access ssidref for primary / secondary policy
+ * primary ssidref = lower 16 bit
+ * secondary ssidref = higher 16 bit
+ */
+#define ACM_PRIMARY(ssidref) \
+ ((ssidref) & 0xffff)
+
+#define ACM_SECONDARY(ssidref) \
+ ((ssidref) >> 16)
+
+#define GET_SSIDREF(POLICY, ssidref) \
+ ((POLICY) == acm_bin_pol.primary_policy_code) ? \
+ ACM_PRIMARY(ssidref) : ACM_SECONDARY(ssidref)
+
+/* macros to access ssid pointer for primary / secondary policy */
+#define GET_SSIDP(POLICY, ssid) \
+ ((POLICY) == acm_bin_pol.primary_policy_code) ? \
+ ((ssid)->primary_ssid) : ((ssid)->secondary_ssid)
+
+#define ACM_INVALID_SSIDREF (0xffffffff)
+
+struct acm_sized_buffer
+{
+ uint32_t *array;
+ uint num_items;
+ uint position;
+};
+
+static inline int acm_array_append_tuple(struct acm_sized_buffer *buf,
+ uint32_t a, uint32_t b)
+{
+ uint i;
+ if (buf == NULL)
+ return 0;
+
+ i = buf->position;
+
+ if ((i + 2) > buf->num_items)
+ return 0;
+
+ buf->array[i] = cpu_to_be32(a);
+ buf->array[i+1] = cpu_to_be32(b);
+ buf->position += 2;
+ return 1;
+}
+
+/* protos */
+int acm_init_domain_ssid(struct domain *, ssidref_t ssidref);
+void acm_free_domain_ssid(struct acm_ssid_domain *ssid);
+int acm_init_binary_policy(u32 policy_code);
+int acm_set_policy(XEN_GUEST_HANDLE_64(void) buf, u32 buf_size);
+int do_acm_set_policy(void *buf, u32 buf_size, int is_bootpolicy,
+ struct acm_sized_buffer *, struct acm_sized_buffer *,
+ struct acm_sized_buffer *);
+int acm_get_policy(XEN_GUEST_HANDLE_64(void) buf, u32 buf_size);
+int acm_dump_statistics(XEN_GUEST_HANDLE_64(void) buf, u16 buf_size);
+int acm_get_ssid(ssidref_t ssidref, XEN_GUEST_HANDLE_64(void) buf, u16
buf_size);
+int acm_get_decision(ssidref_t ssidref1, ssidref_t ssidref2, u32 hook);
+int acm_set_policy_reference(u8 * buf, u32 buf_size);
+int acm_dump_policy_reference(u8 *buf, u32 buf_size);
+int acm_change_policy(struct acm_change_policy *);
+int acm_relabel_domains(struct acm_relabel_doms *);
+int do_chwall_init_state_curr(struct acm_sized_buffer *);
+int do_ste_init_state_curr(struct acm_sized_buffer *);
+
+/* variables */
+extern ssidref_t dom0_chwall_ssidref;
+extern ssidref_t dom0_ste_ssidref;
+#define ACM_MAX_NUM_TYPES (256)
+
+/* traversing the list of ssids */
+extern struct list_head ssid_list;
+#define for_each_acmssid( N ) \
+ for ( N = (struct acm_ssid_domain *)ssid_list.next; \
+ N != (struct acm_ssid_domain *)&ssid_list; \
+ N = (struct acm_ssid_domain *)N->node.next )
+
+#endif
+
+/*
+ * Local variables:
+ * mode: C
+ * c-set-style: "BSD"
+ * c-basic-offset: 4
+ * tab-width: 4
+ * indent-tabs-mode: nil
+ * End:
+ */
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/include/xsm/acm/acm_endian.h
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/xen/include/xsm/acm/acm_endian.h Fri Aug 31 12:05:07 2007 +0100
@@ -0,0 +1,69 @@
+/****************************************************************
+ * acm_endian.h
+ *
+ * Copyright (C) 2005 IBM Corporation
+ *
+ * Author:
+ * Stefan Berger <stefanb@xxxxxxxxxxxxxx>
+ *
+ * Contributions:
+ * Reiner Sailer <sailer@xxxxxxxxxxxxxx>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ *
+ * sHype header file defining endian-dependent functions for the
+ * big-endian policy interface
+ *
+ */
+
+#ifndef _ACM_ENDIAN_H
+#define _ACM_ENDIAN_H
+
+#include <asm/byteorder.h>
+
+static inline void arrcpy16(u16 *dest, const u16 *src, size_t n)
+{
+ unsigned int i;
+ for ( i = 0; i < n; i++ )
+ dest[i] = cpu_to_be16(src[i]);
+}
+
+static inline void arrcpy32(u32 *dest, const u32 *src, size_t n)
+{
+ unsigned int i;
+ for ( i = 0; i < n; i++ )
+ dest[i] = cpu_to_be32(src[i]);
+}
+
+static inline void arrcpy(
+ void *dest, const void *src, unsigned int elsize, size_t n)
+{
+ switch ( elsize )
+ {
+ case sizeof(u16):
+ arrcpy16((u16 *)dest, (u16 *)src, n);
+ break;
+
+ case sizeof(u32):
+ arrcpy32((u32 *)dest, (u32 *)src, n);
+ break;
+
+ default:
+ memcpy(dest, src, elsize*n);
+ }
+}
+
+#endif
+
+/*
+ * Local variables:
+ * mode: C
+ * c-set-style: "BSD"
+ * c-basic-offset: 4
+ * tab-width: 4
+ * indent-tabs-mode: nil
+ * End:
+ */
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/include/xsm/acm/acm_hooks.h
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/xen/include/xsm/acm/acm_hooks.h Fri Aug 31 12:05:07 2007 +0100
@@ -0,0 +1,349 @@
+/****************************************************************
+ * acm_hooks.h
+ *
+ * Copyright (C) 2005 IBM Corporation
+ *
+ * Author:
+ * Reiner Sailer <sailer@xxxxxxxxxxxxxx>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ *
+ * acm header file implementing the global (policy-independent)
+ * sHype hooks that are called throughout Xen.
+ *
+ */
+
+#ifndef _ACM_HOOKS_H
+#define _ACM_HOOKS_H
+
+#include <xen/config.h>
+#include <xen/errno.h>
+#include <xen/types.h>
+#include <xen/lib.h>
+#include <xen/delay.h>
+#include <xen/sched.h>
+#include <xen/multiboot.h>
+#include <public/xsm/acm.h>
+#include <xsm/acm/acm_core.h>
+#include <public/domctl.h>
+#include <public/event_channel.h>
+#include <asm/current.h>
+
+/*
+ * HOOK structure and meaning (justifies a few words about our model):
+ *
+ * General idea: every policy-controlled system operation is reflected in a
+ * transaction in the system's security state
+ *
+ * Keeping the security state consistent requires "atomic" transactions.
+ * The name of the hooks to place around policy-controlled transactions
+ * reflects this. If authorizations do not involve security state changes,
+ * then and only then POST and FAIL hooks remain empty since we don't care
+ * about the eventual outcome of the operation from a security viewpoint.
+ *
+ * PURPOSE of hook types:
+ * ======================
+ * PRE-Hooks
+ * a) general authorization to guard a controlled system operation
+ * b) prepare security state change
+ * (means: fail hook must be able to "undo" this)
+ *
+ * POST-Hooks
+ * a) commit prepared state change
+ *
+ * FAIL-Hooks
+ * a) roll-back prepared security state change from PRE-Hook
+ *
+ *
+ * PLACEMENT of hook types:
+ * ========================
+ * PRE-Hooks must be called before a guarded/controlled system operation
+ * is started. They return ACM_ACCESS_PERMITTED, ACM_ACCESS_DENIED or
+ * error. Operation must be aborted if return is not ACM_ACCESS_PERMITTED.
+ *
+ * POST-Hooks must be called after a successful system operation.
+ * There is no return value: commit never fails.
+ *
+ * FAIL-Hooks must be called:
+ * a) if system transaction (operation) fails after calling the PRE-hook
+ * b) if another (secondary) policy denies access in its PRE-Hook
+ * (policy layering is useful but requires additional handling)
+ *
+ * Hook model from a security transaction viewpoint:
+ * start-sys-ops--> prepare ----succeed-----> commit --> sys-ops success
+ * (pre-hook) \ (post-hook)
+ * \
+ * fail
+ * \
+ * \
+ * roll-back
+ * (fail-hook)
+ * \
+ * sys-ops error
+ *
+ */
+
+struct acm_operations {
+ /* policy management functions (must always be defined!) */
+ int (*init_domain_ssid) (void **ssid, ssidref_t ssidref);
+ void (*free_domain_ssid) (void *ssid);
+ int (*dump_binary_policy) (u8 *buffer, u32 buf_size);
+ int (*test_binary_policy) (u8 *buffer, u32 buf_size,
+ int is_bootpolicy,
+ struct acm_sized_buffer *);
+ int (*set_binary_policy) (u8 *buffer, u32 buf_size);
+ int (*dump_statistics) (u8 *buffer, u16 buf_size);
+ int (*dump_ssid_types) (ssidref_t ssidref, u8 *buffer, u16
buf_size);
+ /* domain management control hooks (can be NULL) */
+ int (*domain_create) (void *subject_ssid, ssidref_t ssidref,
+ domid_t domid);
+ void (*domain_destroy) (void *object_ssid, struct domain *d);
+ /* event channel control hooks (can be NULL) */
+ int (*pre_eventchannel_unbound) (domid_t id1, domid_t id2);
+ void (*fail_eventchannel_unbound) (domid_t id1, domid_t id2);
+ int (*pre_eventchannel_interdomain) (domid_t id);
+ void (*fail_eventchannel_interdomain) (domid_t id);
+ /* grant table control hooks (can be NULL) */
+ int (*pre_grant_map_ref) (domid_t id);
+ void (*fail_grant_map_ref) (domid_t id);
+ int (*pre_grant_setup) (domid_t id);
+ void (*fail_grant_setup) (domid_t id);
+ /* generic domain-requested decision hooks (can be NULL) */
+ int (*sharing) (ssidref_t ssidref1,
+ ssidref_t ssidref2);
+ int (*authorization) (ssidref_t ssidref1,
+ ssidref_t ssidref2);
+ /* determine whether the default policy is installed */
+ int (*is_default_policy) (void);
+};
+
+/* global variables */
+extern struct acm_operations *acm_primary_ops;
+extern struct acm_operations *acm_secondary_ops;
+
+/* if ACM_TRACE_MODE defined, all hooks should
+ * print a short trace message */
+/* #define ACM_TRACE_MODE */
+
+#ifdef ACM_TRACE_MODE
+# define traceprintk(fmt, args...) printk(fmt,## args)
+#else
+# define traceprintk(fmt, args...)
+#endif
+
+
+#ifndef ACM_SECURITY
+
+static inline int acm_pre_eventchannel_unbound(domid_t id1, domid_t id2)
+{ return 0; }
+static inline int acm_pre_eventchannel_interdomain(domid_t id)
+{ return 0; }
+static inline int acm_pre_grant_map_ref(domid_t id)
+{ return 0; }
+static inline int acm_pre_grant_setup(domid_t id)
+{ return 0; }
+static inline int acm_is_policy(char *buf, unsigned long len)
+{ return 0; }
+static inline int acm_sharing(ssidref_t ssidref1, ssidref_t ssidref2)
+{ return 0; }
+static inline int acm_authorization(ssidref_t ssidref1, ssidref_t ssidref2)
+{ return 0; }
+static inline int acm_domain_create(struct domain *d, ssidref_t ssidref)
+{ return 0; }
+static inline void acm_domain_destroy(struct domain *d)
+{ return; }
+
+#define DOM0_SSIDREF 0x0
+
+#else
+
+static inline void acm_domain_ssid_onto_list(struct acm_ssid_domain *ssid)
+{
+ write_lock(&ssid_list_rwlock);
+ list_add(&ssid->node, &ssid_list);
+ write_unlock(&ssid_list_rwlock);
+}
+
+static inline void acm_domain_ssid_off_list(struct acm_ssid_domain *ssid)
+{
+ write_lock(&ssid_list_rwlock);
+ list_del(&ssid->node);
+ write_unlock(&ssid_list_rwlock);
+}
+
+static inline int acm_pre_eventchannel_unbound(domid_t id1, domid_t id2)
+{
+ if ((acm_primary_ops->pre_eventchannel_unbound != NULL) &&
+ acm_primary_ops->pre_eventchannel_unbound(id1, id2))
+ return ACM_ACCESS_DENIED;
+ else if ((acm_secondary_ops->pre_eventchannel_unbound != NULL) &&
+ acm_secondary_ops->pre_eventchannel_unbound(id1, id2)) {
+ /* roll-back primary */
+ if (acm_primary_ops->fail_eventchannel_unbound != NULL)
+ acm_primary_ops->fail_eventchannel_unbound(id1, id2);
+ return ACM_ACCESS_DENIED;
+ } else
+ return ACM_ACCESS_PERMITTED;
+}
+
+static inline int acm_pre_eventchannel_interdomain(domid_t id)
+{
+ if ((acm_primary_ops->pre_eventchannel_interdomain != NULL) &&
+ acm_primary_ops->pre_eventchannel_interdomain(id))
+ return ACM_ACCESS_DENIED;
+ else if ((acm_secondary_ops->pre_eventchannel_interdomain != NULL) &&
+ acm_secondary_ops->pre_eventchannel_interdomain(id)) {
+ /* roll-back primary */
+ if (acm_primary_ops->fail_eventchannel_interdomain != NULL)
+ acm_primary_ops->fail_eventchannel_interdomain(id);
+ return ACM_ACCESS_DENIED;
+ } else
+ return ACM_ACCESS_PERMITTED;
+}
+
+
+static inline int acm_pre_grant_map_ref(domid_t id)
+{
+ if ( (acm_primary_ops->pre_grant_map_ref != NULL) &&
+ acm_primary_ops->pre_grant_map_ref(id) )
+ {
+ return ACM_ACCESS_DENIED;
+ }
+ else if ( (acm_secondary_ops->pre_grant_map_ref != NULL) &&
+ acm_secondary_ops->pre_grant_map_ref(id) )
+ {
+ /* roll-back primary */
+ if ( acm_primary_ops->fail_grant_map_ref != NULL )
+ acm_primary_ops->fail_grant_map_ref(id);
+ return ACM_ACCESS_DENIED;
+ }
+ else
+ {
+ return ACM_ACCESS_PERMITTED;
+ }
+}
+
+static inline int acm_pre_grant_setup(domid_t id)
+{
+ if ( (acm_primary_ops->pre_grant_setup != NULL) &&
+ acm_primary_ops->pre_grant_setup(id) )
+ {
+ return ACM_ACCESS_DENIED;
+ }
+ else if ( (acm_secondary_ops->pre_grant_setup != NULL) &&
+ acm_secondary_ops->pre_grant_setup(id) )
+ {
+ /* roll-back primary */
+ if (acm_primary_ops->fail_grant_setup != NULL)
+ acm_primary_ops->fail_grant_setup(id);
+ return ACM_ACCESS_DENIED;
+ }
+ else
+ {
+ return ACM_ACCESS_PERMITTED;
+ }
+}
+
+
+static inline void acm_domain_destroy(struct domain *d)
+{
+ void *ssid = d->ssid;
+ if (ssid != NULL) {
+ if (acm_primary_ops->domain_destroy != NULL)
+ acm_primary_ops->domain_destroy(ssid, d);
+ if (acm_secondary_ops->domain_destroy != NULL)
+ acm_secondary_ops->domain_destroy(ssid, d);
+ /* free security ssid for the destroyed domain (also if null policy */
+ acm_domain_ssid_off_list(ssid);
+ acm_free_domain_ssid((struct acm_ssid_domain *)(ssid));
+ }
+}
+
+
+static inline int acm_domain_create(struct domain *d, ssidref_t ssidref)
+{
+ void *subject_ssid = current->domain->ssid;
+ domid_t domid = d->domain_id;
+ int rc;
+
+ read_lock(&acm_bin_pol_rwlock);
+ /*
+ To be called when a domain is created; returns '0' if the
+ domain is allowed to be created, != '0' if not.
+ */
+ rc = acm_init_domain_ssid(d, ssidref);
+ if (rc != ACM_OK)
+ goto error_out;
+
+ if ((acm_primary_ops->domain_create != NULL) &&
+ acm_primary_ops->domain_create(subject_ssid, ssidref, domid)) {
+ rc = ACM_ACCESS_DENIED;
+ } else if ((acm_secondary_ops->domain_create != NULL) &&
+ acm_secondary_ops->domain_create(subject_ssid, ssidref,
+ domid)) {
+ /* roll-back primary */
+ if (acm_primary_ops->domain_destroy != NULL)
+ acm_primary_ops->domain_destroy(d->ssid, d);
+ rc = ACM_ACCESS_DENIED;
+ }
+
+ if ( rc == ACM_OK )
+ {
+ acm_domain_ssid_onto_list(d->ssid);
+ } else {
+ acm_free_domain_ssid(d->ssid);
+ }
+
+error_out:
+ read_unlock(&acm_bin_pol_rwlock);
+ return rc;
+}
+
+
+static inline int acm_sharing(ssidref_t ssidref1, ssidref_t ssidref2)
+{
+ if ((acm_primary_ops->sharing != NULL) &&
+ acm_primary_ops->sharing(ssidref1, ssidref2))
+ return ACM_ACCESS_DENIED;
+ else if ((acm_secondary_ops->sharing != NULL) &&
+ acm_secondary_ops->sharing(ssidref1, ssidref2)) {
+ return ACM_ACCESS_DENIED;
+ } else
+ return ACM_ACCESS_PERMITTED;
+}
+
+
+static inline int acm_authorization(ssidref_t ssidref1, ssidref_t ssidref2)
+{
+ if ((acm_primary_ops->authorization != NULL) &&
+ acm_primary_ops->authorization(ssidref1, ssidref2))
+ return ACM_ACCESS_DENIED;
+ else if ((acm_secondary_ops->authorization != NULL) &&
+ acm_secondary_ops->authorization(ssidref1, ssidref2)) {
+ return ACM_ACCESS_DENIED;
+ } else
+ return ACM_ACCESS_PERMITTED;
+}
+
+
+/* Return true iff buffer has an acm policy magic number. */
+extern int acm_is_policy(char *buf, unsigned long len);
+
+#define DOM0_SSIDREF (dom0_ste_ssidref << 16 | dom0_chwall_ssidref)
+
+#endif
+
+#endif
+
+/*
+ * Local variables:
+ * mode: C
+ * c-set-style: "BSD"
+ * c-basic-offset: 4
+ * tab-width: 4
+ * indent-tabs-mode: nil
+ * End:
+ */
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/xsm/acm/acm_chinesewall_hooks.c
--- a/xen/xsm/acm/acm_chinesewall_hooks.c Fri Aug 31 11:41:49 2007 +0100
+++ b/xen/xsm/acm/acm_chinesewall_hooks.c Fri Aug 31 12:05:07 2007 +0100
@@ -36,12 +36,11 @@
#include <xen/lib.h>
#include <xen/delay.h>
#include <xen/sched.h>
-#include <public/acm.h>
+#include <public/xsm/acm.h>
#include <asm/atomic.h>
-#include <acm/acm_core.h>
-#include <acm/acm_hooks.h>
-#include <acm/acm_endian.h>
-#include <acm/acm_core.h>
+#include <xsm/acm/acm_core.h>
+#include <xsm/acm/acm_hooks.h>
+#include <xsm/acm/acm_endian.h>
ssidref_t dom0_chwall_ssidref = 0x0001;
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/xsm/acm/acm_core.c
--- a/xen/xsm/acm/acm_core.c Fri Aug 31 11:41:49 2007 +0100
+++ b/xen/xsm/acm/acm_core.c Fri Aug 31 12:05:07 2007 +0100
@@ -1,4 +1,4 @@
-/****************************************************************
+#/****************************************************************
* acm_core.c
*
* Copyright (C) 2005 IBM Corporation
@@ -29,16 +29,16 @@
#include <xen/delay.h>
#include <xen/sched.h>
#include <xen/multiboot.h>
-#include <acm/acm_hooks.h>
-#include <acm/acm_endian.h>
+#include <xsm/acm/acm_hooks.h>
+#include <xsm/acm/acm_endian.h>
#include <xsm/xsm.h>
/* debug:
- * include/acm/acm_hooks.h defines a constant ACM_TRACE_MODE;
+ * include/xsm/acm/acm_hooks.h defines a constant ACM_TRACE_MODE;
* define/undefine this constant to receive / suppress any
* security hook debug output of sHype
*
- * include/public/acm.h defines a constant ACM_DEBUG
+ * include/public/xsm/acm.h defines a constant ACM_DEBUG
* define/undefine this constant to receive non-hook-related
* debug output.
*/
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/xsm/acm/acm_null_hooks.c
--- a/xen/xsm/acm/acm_null_hooks.c Fri Aug 31 11:41:49 2007 +0100
+++ b/xen/xsm/acm/acm_null_hooks.c Fri Aug 31 12:05:07 2007 +0100
@@ -12,7 +12,7 @@
* License.
*/
-#include <acm/acm_hooks.h>
+#include <xsm/acm/acm_hooks.h>
static int
null_init_domain_ssid(void **ssid, ssidref_t ssidref)
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/xsm/acm/acm_ops.c
--- a/xen/xsm/acm/acm_ops.c Fri Aug 31 11:41:49 2007 +0100
+++ b/xen/xsm/acm/acm_ops.c Fri Aug 31 12:05:07 2007 +0100
@@ -18,14 +18,14 @@
#include <xen/types.h>
#include <xen/lib.h>
#include <xen/mm.h>
-#include <public/acm.h>
-#include <public/acm_ops.h>
+#include <public/xsm/acm.h>
+#include <public/xsm/acm_ops.h>
#include <xen/sched.h>
#include <xen/event.h>
#include <xen/trace.h>
#include <xen/console.h>
#include <xen/guest_access.h>
-#include <acm/acm_hooks.h>
+#include <xsm/acm/acm_hooks.h>
#ifndef ACM_SECURITY
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/xsm/acm/acm_policy.c
--- a/xen/xsm/acm/acm_policy.c Fri Aug 31 11:41:49 2007 +0100
+++ b/xen/xsm/acm/acm_policy.c Fri Aug 31 12:05:07 2007 +0100
@@ -28,10 +28,10 @@
#include <xen/sched.h>
#include <xen/guest_access.h>
#include <public/xen.h>
-#include <acm/acm_core.h>
-#include <public/acm_ops.h>
-#include <acm/acm_hooks.h>
-#include <acm/acm_endian.h>
+#include <xsm/acm/acm_core.h>
+#include <public/xsm/acm_ops.h>
+#include <xsm/acm/acm_hooks.h>
+#include <xsm/acm/acm_endian.h>
#include <asm/current.h>
static int acm_check_deleted_ssidrefs(struct acm_sized_buffer *dels,
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb
xen/xsm/acm/acm_simple_type_enforcement_hooks.c
--- a/xen/xsm/acm/acm_simple_type_enforcement_hooks.c Fri Aug 31 11:41:49
2007 +0100
+++ b/xen/xsm/acm/acm_simple_type_enforcement_hooks.c Fri Aug 31 12:05:07
2007 +0100
@@ -28,10 +28,10 @@
#include <xen/lib.h>
#include <asm/types.h>
#include <asm/current.h>
-#include <acm/acm_hooks.h>
#include <asm/atomic.h>
-#include <acm/acm_endian.h>
-#include <acm/acm_core.h>
+#include <xsm/acm/acm_hooks.h>
+#include <xsm/acm/acm_endian.h>
+#include <xsm/acm/acm_core.h>
ssidref_t dom0_ste_ssidref = 0x0001;
diff -r fa4d44c9d9f6 -r 7e7e0ea6a0bb xen/xsm/acm/acm_xsm_hooks.c
--- a/xen/xsm/acm/acm_xsm_hooks.c Fri Aug 31 11:41:49 2007 +0100
+++ b/xen/xsm/acm/acm_xsm_hooks.c Fri Aug 31 12:05:07 2007 +0100
@@ -20,34 +20,36 @@
*/
#include <xsm/xsm.h>
-#include <acm/acm_hooks.h>
-#include <public/acm.h>
+#include <xsm/acm/acm_hooks.h>
+#include <public/xsm/acm.h>
-static int acm_grant_mapref (struct domain *ld, struct domain *rd,
- uint32_t
flags)
+static int acm_grant_mapref(
+ struct domain *ld, struct domain *rd, uint32_t flags)
{
domid_t id = rd->domain_id;
return acm_pre_grant_map_ref(id);
}
-static int acm_evtchn_unbound (struct domain *d1, struct evtchn *chn1, domid_t
id2)
+static int acm_evtchn_unbound(
+ struct domain *d1, struct evtchn *chn1, domid_t id2)
{
domid_t id1 = d1->domain_id;
return acm_pre_eventchannel_unbound(id1, id2);
}
-static int acm_evtchn_interdomain (struct domain *d1, struct evtchn *chn1,
- struct domain *d2, struct evtchn
*chn2)
+static int acm_evtchn_interdomain(
+ struct domain *d1, struct evtchn *chn1,
+ struct domain *d2, struct evtchn *chn2)
{
domid_t id2 = d2->domain_id;
return acm_pre_eventchannel_interdomain(id2);
}
-static void acm_security_domaininfo (struct domain *d,
- struct xen_domctl_getdomaininfo *info)
+static void acm_security_domaininfo(
+ struct domain *d, struct xen_domctl_getdomaininfo *info)
{
if ( d->ssid != NULL )
info->ssidref = ((struct acm_ssid_domain *)d->ssid)->ssidref;
_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
|