diff options
author | Keir Fraser <keir.fraser@citrix.com> | 2010-01-26 07:50:04 +0000 |
---|---|---|
committer | Keir Fraser <keir.fraser@citrix.com> | 2010-01-26 07:50:04 +0000 |
commit | 224c24a3df88e20c0fa4685284506c0c45b6b401 (patch) | |
tree | d5b5f66999a5db903cdf30be8d6184f47297a777 | |
parent | bebd60a04f42b020cca824bbfbe2fe5cce8121ee (diff) | |
download | xen-224c24a3df88e20c0fa4685284506c0c45b6b401.tar.gz xen-224c24a3df88e20c0fa4685284506c0c45b6b401.tar.bz2 xen-224c24a3df88e20c0fa4685284506c0c45b6b401.zip |
tools/xsm: Expose Flask XSM AVC functions to user-space
This patch exposes the flask_access, flask_avc_cachestats,
flask_avc_hashstats, flask_getavc_threshold, flask_setavc_threshold,
and flask_policyvers functions to user-space. A python wrapper was
created for the flask_access function to facilitate policy based
user-space access control decisions. flask.h was renamed to libflask.h
to remove a naming conflict.
Signed-off-by : Machon Gregory <mbgrego@tycho.ncsc.mil>
-rw-r--r-- | tools/flask/libflask/Makefile | 2 | ||||
-rw-r--r-- | tools/flask/libflask/flask_op.c | 159 | ||||
-rw-r--r-- | tools/flask/libflask/include/libflask.h (renamed from tools/flask/libflask/include/flask.h) | 16 | ||||
-rw-r--r-- | tools/flask/utils/getenforce.c | 2 | ||||
-rw-r--r-- | tools/flask/utils/loadpolicy.c | 2 | ||||
-rw-r--r-- | tools/flask/utils/setenforce.c | 2 | ||||
-rw-r--r-- | tools/python/xen/lowlevel/flask/flask.c | 60 |
7 files changed, 234 insertions, 9 deletions
diff --git a/tools/flask/libflask/Makefile b/tools/flask/libflask/Makefile index c03fc8aca8..7f33f124df 100644 --- a/tools/flask/libflask/Makefile +++ b/tools/flask/libflask/Makefile @@ -38,7 +38,7 @@ install: build $(INSTALL_DATA) libflask.a $(DESTDIR)$(LIBDIR) ln -sf libflask.so.$(MAJOR).$(MINOR) $(DESTDIR)$(LIBDIR)/libflask.so.$(MAJOR) ln -sf libflask.so.$(MAJOR) $(DESTDIR)$(LIBDIR)/libflask.so - $(INSTALL_DATA) include/flask.h $(DESTDIR)$(INCLUDEDIR) + $(INSTALL_DATA) include/libflask.h $(DESTDIR)$(INCLUDEDIR)/xen/xsm .PHONY: TAGS TAGS: diff --git a/tools/flask/libflask/flask_op.c b/tools/flask/libflask/flask_op.c index 8b40c70595..29c3cd1149 100644 --- a/tools/flask/libflask/flask_op.c +++ b/tools/flask/libflask/flask_op.c @@ -19,7 +19,7 @@ #include <stdlib.h> #include <stdint.h> #include <sys/ioctl.h> -#include <flask.h> +#include <libflask.h> #include <xenctrl.h> int flask_load(int xc_handle, char *buf, uint32_t size) @@ -342,3 +342,160 @@ int flask_del_device(int xc_handle, unsigned long device) return 0; } + +int flask_access(int xc_handle, const char *scon, const char *tcon, + u_int16_t tclass, u_int32_t req, + u_int32_t *allowed, u_int32_t *decided, + u_int32_t *auditallow, u_int32_t *auditdeny, + u_int32_t *seqno) +{ +/* maximum number of digits in a 16-bit decimal number: */ +#define MAX_SHORT_DEC_LEN 5 + + char *buf; + int bufLen; + int err; + flask_op_t op; + u_int32_t dummy_allowed; + u_int32_t dummy_decided; + u_int32_t dummy_auditallow; + u_int32_t dummy_auditdeny; + u_int32_t dummy_seqno; + + if (!allowed) + allowed = &dummy_allowed; + if (!decided) + decided = &dummy_decided; + if (!auditallow) + auditallow = &dummy_auditallow; + if (!auditdeny) + auditdeny = &dummy_auditdeny; + if (!seqno) + seqno = &dummy_seqno; + + if (!scon) + return -EINVAL; + if (!tcon) + return -EINVAL; + + bufLen = strlen(scon) + 1 + strlen(tcon) + 1 + + MAX_SHORT_DEC_LEN + 1 + + sizeof(req)*2 + 1; + buf = malloc(bufLen); + snprintf(buf, bufLen, "%s %s %hu %x", scon, tcon, tclass, req); + + op.cmd = FLASK_ACCESS; + op.buf = buf; + op.size = strlen(buf)+1; + + if ( (err = xc_flask_op(xc_handle, &op)) != 0 ) + { + free(buf); + return err; + } + + if (sscanf(op.buf, "%x %x %x %x %u", + allowed, decided, + auditallow, auditdeny, + seqno) != 5) { + err = -EILSEQ; + } + + err = ((*allowed & req) == req)? 0 : -EPERM; + + return err; + +} + +int flask_avc_hashstats(int xc_handle, char *buf, int size) +{ + int err; + flask_op_t op; + + op.cmd = FLASK_AVC_HASHSTATS; + op.buf = buf; + op.size = size; + + if ( (err = xc_flask_op(xc_handle, &op)) != 0 ) + { + free(buf); + return err; + } + + return 0; +} + +int flask_avc_cachestats(int xc_handle, char *buf, int size) +{ + int err; + flask_op_t op; + + op.cmd = FLASK_AVC_CACHESTATS; + op.buf = buf; + op.size = size; + + if ( (err = xc_flask_op(xc_handle, &op)) != 0 ) + { + free(buf); + return err; + } + + return 0; +} + +int flask_policyvers(int xc_handle, char *buf, int size) +{ + int err; + flask_op_t op; + + op.cmd = FLASK_POLICYVERS; + op.buf = buf; + op.size = size; + + if ( (err = xc_flask_op(xc_handle, &op)) != 0 ) + { + free(buf); + return err; + } + + return 0; +} + +int flask_getavc_threshold(int xc_handle) +{ + int err; + flask_op_t op; + char buf[20]; + int size = 20; + int threshold; + + op.cmd = FLASK_GETAVC_THRESHOLD; + op.buf = buf; + op.size = size; + + if ( (err = xc_flask_op(xc_handle, &op)) != 0 ) + return err; + + sscanf(buf, "%i", &threshold); + + return threshold; +} + +int flask_setavc_threshold(int xc_handle, int threshold) +{ + int err; + flask_op_t op; + char buf[20]; + int size = 20; + + op.cmd = FLASK_SETAVC_THRESHOLD; + op.buf = buf; + op.size = size; + + snprintf(buf, size, "%i", threshold); + + if ( (err = xc_flask_op(xc_handle, &op)) != 0 ) + return err; + + return 0; +} diff --git a/tools/flask/libflask/include/flask.h b/tools/flask/libflask/include/libflask.h index 44de26bb89..7548d4e299 100644 --- a/tools/flask/libflask/include/flask.h +++ b/tools/flask/libflask/include/libflask.h @@ -8,8 +8,8 @@ * as published by the Free Software Foundation. */ -#ifndef __FLASK_H__ -#define __FLASK_H__ +#ifndef __LIBFLASK_H__ +#define __LIBFLASK_H__ #include <stdint.h> #include <xen/xen.h> @@ -30,6 +30,16 @@ int flask_del_pirq(int xc_handle, unsigned int pirq); int flask_del_ioport(int xc_handle, unsigned long low, unsigned long high); int flask_del_iomem(int xc_handle, unsigned long low, unsigned long high); int flask_del_device(int xc_handle, unsigned long device); +int flask_access(int xc_handle, const char *scon, const char *tcon, + u_int16_t tclass, u_int32_t req, + u_int32_t *allowed, u_int32_t *decided, + u_int32_t *auditallow, u_int32_t *auditdeny, + u_int32_t *seqno); +int flask_avc_cachestats(int xc_handle, char *buf, int size); +int flask_policyvers(int xc_handle, char *buf, int size); +int flask_avc_hashstats(int xc_handle, char *buf, int size); +int flask_getavc_threshold(int xc_handle); +int flask_setavc_threshold(int xc_handle, int threshold); #define flask_add_single_ioport(x, l, s) flask_add_ioport(x, l, l, s) #define flask_add_single_iomem(x, l, s) flask_add_iomem(x, l, l, s) #define flask_del_single_ioport(x, l) flask_del_ioport(x, l, l) @@ -40,4 +50,4 @@ int flask_del_device(int xc_handle, unsigned long device); #define OCON_IOMEM_STR "iomem" #define OCON_DEVICE_STR "pcidevice" #define INITCONTEXTLEN 256 -#endif /* __FLASK_H__ */ +#endif /* __LIBFLASK_H__ */ diff --git a/tools/flask/utils/getenforce.c b/tools/flask/utils/getenforce.c index 9960434ac8..1706f6a2e2 100644 --- a/tools/flask/utils/getenforce.c +++ b/tools/flask/utils/getenforce.c @@ -16,7 +16,7 @@ #include <sys/stat.h> #include <string.h> #include <unistd.h> -#include <flask.h> +#include <libflask.h> static void usage (int argCnt, const char *args[]) { diff --git a/tools/flask/utils/loadpolicy.c b/tools/flask/utils/loadpolicy.c index bb6eeb8de5..13e4cb2c32 100644 --- a/tools/flask/utils/loadpolicy.c +++ b/tools/flask/utils/loadpolicy.c @@ -17,7 +17,7 @@ #include <sys/stat.h> #include <string.h> #include <unistd.h> -#include <flask.h> +#include <libflask.h> #define USE_MMAP diff --git a/tools/flask/utils/setenforce.c b/tools/flask/utils/setenforce.c index 91fb3594aa..60e8eb086f 100644 --- a/tools/flask/utils/setenforce.c +++ b/tools/flask/utils/setenforce.c @@ -16,7 +16,7 @@ #include <sys/stat.h> #include <string.h> #include <unistd.h> -#include <flask.h> +#include <libflask.h> static void usage (int argCnt, const char *args[]) { diff --git a/tools/python/xen/lowlevel/flask/flask.c b/tools/python/xen/lowlevel/flask/flask.c index bb42b5ce8f..858d8d3b25 100644 --- a/tools/python/xen/lowlevel/flask/flask.c +++ b/tools/python/xen/lowlevel/flask/flask.c @@ -12,7 +12,7 @@ #include <Python.h> #include <xenctrl.h> -#include <flask.h> +#include <libflask.h> #define PKG "xen.lowlevel.flask" #define CLS "flask" @@ -190,6 +190,44 @@ static PyObject *pyflask_setenforce(PyObject *self, PyObject *args, return Py_BuildValue("i", ret); } +static PyObject *pyflask_access(PyObject *self, PyObject *args, + PyObject *kwds) +{ + int xc_handle; + char *tcon, *scon; + uint16_t tclass; + uint32_t req, allowed, decided, auditallow, auditdeny, seqno; + int ret; + + static char *kwd_list[] = { "src_context", "tar_context", + "tar_class", "req_permissions", + "decided", "auditallow","auditdeny", + "seqno", NULL }; + + if ( !PyArg_ParseTupleAndKeywords(args, kwds, "ssil|llll", kwd_list, + &scon, &tcon, &tclass, &req, &decided, + &auditallow, &auditdeny, &seqno) ) + return NULL; + + xc_handle = xc_interface_open(); + if (xc_handle < 0) { + errno = xc_handle; + return PyErr_SetFromErrno(xc_error_obj); + } + + ret = flask_access(xc_handle, scon, tcon, tclass, req, &allowed, &decided, + &auditallow, &auditdeny, &seqno); + + xc_interface_close(xc_handle); + + if ( ret != 0 ) { + errno = -ret; + return PyErr_SetFromErrno(xc_error_obj); + } + + return Py_BuildValue("i",ret); +} + static PyMethodDef pyflask_methods[] = { { "flask_context_to_sid", (PyCFunction)pyflask_context_to_sid, @@ -224,7 +262,27 @@ static PyMethodDef pyflask_methods[] = { "Modifies the current mode for the Flask XSM module.\n" " mode [int]: mode to change to\n" "Returns: [int]: 0 on success; -1 on failure.\n" }, + + { "flask_access", + (PyCFunction)pyflask_access, + METH_KEYWORDS, "\n" + "Returns whether a source context has access to target context based on \ + class and permissions requested.\n" + " scon [str]: source context\n" + " tcon [str]: target context\n" + " tclass [int]: target security class\n" + " req [int] requested permissions\n" + " allowed [int] permissions allow for the target class between the source \ + and target context\n" + " decided [int] the permissions that were returned in the allowed \ + parameter\n" + " auditallow [int] permissions set to audit on allow\n" + " auditdeny [int] permissions set to audit on deny\n" + " seqno [int] not used\n" + "Returns: [int]: 0 on all permission granted; -1 if any permissions are \ + denied\n" }, { NULL, NULL, 0, NULL } + }; PyMODINIT_FUNC initflask(void) |