author | Keir Fraser <keir.fraser@citrix.com> | 2010-01-26 07:50:04 +0000 |
committer | Keir Fraser <keir.fraser@citrix.com> | 2010-01-26 07:50:04 +0000 |
commit | 224c24a3df88e20c0fa4685284506c0c45b6b401 (patch) | |
tree | d5b5f66999a5db903cdf30be8d6184f47297a777 /tools/flask | |
parent | bebd60a04f42b020cca824bbfbe2fe5cce8121ee (diff) | |
tools/xsm: Expose Flask XSM AVC functions to user-space
This patch exposes the flask_access, flask_avc_cachestats,
flask_avc_hashstats, flask_getavc_threshold, flask_setavc_threshold,
and flask_policyvers functions to user-space. A python wrapper was
created for the flask_access function to facilitate policy-based
user-space access-control decisions. flask.h was renamed to libflask.h
to remove a naming conflict.
Signed-off-by : Machon Gregory <mbgrego@tycho.ncsc.mil>
Diffstat (limited to 'tools/flask')
-rw-r--r-- | tools/flask/libflask/Makefile | 2 | ||||
-rw-r--r-- | tools/flask/libflask/flask_op.c | 159 | ||||
-rw-r--r-- | tools/flask/libflask/include/libflask.h (renamed from tools/flask/libflask/include/flask.h) | 16 | ||||
-rw-r--r-- | tools/flask/utils/getenforce.c | 2 | ||||
-rw-r--r-- | tools/flask/utils/loadpolicy.c | 2 | ||||
-rw-r--r-- | tools/flask/utils/setenforce.c | 2 |
6 files changed, 175 insertions, 8 deletions
diff --git a/tools/flask/libflask/Makefile b/tools/flask/libflask/Makefile
index c03fc8aca8..7f33f124df 100644
--- a/tools/flask/libflask/Makefile
+++ b/tools/flask/libflask/Makefile
@@ -38,7 +38,7 @@ install: build
 	$(INSTALL_DATA) libflask.a $(DESTDIR)$(LIBDIR)
 	ln -sf libflask.so.$(MAJOR).$(MINOR) $(DESTDIR)$(LIBDIR)/libflask.so.$(MAJOR)
 	ln -sf libflask.so.$(MAJOR) $(DESTDIR)$(LIBDIR)/libflask.so
-	$(INSTALL_DATA) include/flask.h $(DESTDIR)$(INCLUDEDIR)
+	$(INSTALL_DATA) include/libflask.h $(DESTDIR)$(INCLUDEDIR)/xen/xsm
 
 .PHONY: TAGS
 TAGS:
diff --git a/tools/flask/libflask/flask_op.c b/tools/flask/libflask/flask_op.c
index 8b40c70595..29c3cd1149 100644
--- a/tools/flask/libflask/flask_op.c
+++ b/tools/flask/libflask/flask_op.c
@@ -19,7 +19,7 @@
 #include <stdlib.h>
 #include <stdint.h>
 #include <sys/ioctl.h>
-#include <flask.h>
+#include <libflask.h>
 #include <xenctrl.h>
 
 int flask_load(int xc_handle, char *buf, uint32_t size)
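Review bot: The install rule now copies libflask.h into `$(DESTDIR)$(INCLUDEDIR)/xen/xsm`, but nothing in the hunk creates that directory, so on a clean DESTDIR the copy fails unless an earlier line of the rule (outside the hunk) already makes it. Adding `$(INSTALL_DIR) $(DESTDIR)$(INCLUDEDIR)/xen/xsm` immediately before the changed `$(INSTALL_DATA)` line would make the rule self-sufficient.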
@@ -342,3 +342,160 @@ int flask_del_device(int xc_handle, unsigned long device)
     return 0;
 }
+
+int flask_access(int xc_handle, const char *scon, const char *tcon,
+                 u_int16_t tclass, u_int32_t req,
+                 u_int32_t *allowed, u_int32_t *decided,
+                 u_int32_t *auditallow, u_int32_t *auditdeny,
+                 u_int32_t *seqno)
+{
+/* maximum number of digits in a 16-bit decimal number: */
+#define MAX_SHORT_DEC_LEN 5
+
+    char *buf;
+    int bufLen;
+    int err;
+    flask_op_t op;
+    u_int32_t dummy_allowed;
+    u_int32_t dummy_decided;
+    u_int32_t dummy_auditallow;
+    u_int32_t dummy_auditdeny;
+    u_int32_t dummy_seqno;
+
+    if (!allowed)
+        allowed = &dummy_allowed;
+    if (!decided)
+        decided = &dummy_decided;
+    if (!auditallow)
+        auditallow = &dummy_auditallow;
+    if (!auditdeny)
+        auditdeny = &dummy_auditdeny;
+    if (!seqno)
+        seqno = &dummy_seqno;
+
+    if (!scon)
+        return -EINVAL;
+    if (!tcon)
+        return -EINVAL;
+
+    bufLen = strlen(scon) + 1 + strlen(tcon) + 1 +
+             MAX_SHORT_DEC_LEN + 1 +
+             sizeof(req)*2 + 1;
+    buf = malloc(bufLen);
+    snprintf(buf, bufLen, "%s %s %hu %x", scon, tcon, tclass, req);
+
+    op.cmd = FLASK_ACCESS;
+    op.buf = buf;
+    op.size = strlen(buf)+1;
+
+    if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+    {
+        free(buf);
+        return err;
+    }
+
+    if (sscanf(op.buf, "%x %x %x %x %u",
+               allowed, decided,
+               auditallow, auditdeny,
+               seqno) != 5) {
+        err = -EILSEQ;
+    }
+
+    err = ((*allowed & req) == req)? 0 : -EPERM;
+
+    return err;
+
+}
+
+int flask_avc_hashstats(int xc_handle, char *buf, int size)
+{
+    int err;
+    flask_op_t op;
+
+    op.cmd = FLASK_AVC_HASHSTATS;
+    op.buf = buf;
+    op.size = size;
+
+    if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+    {
+        free(buf);
+        return err;
+    }
+
+    return 0;
+}
+
+int flask_avc_cachestats(int xc_handle, char *buf, int size)
+{
+    int err;
+    flask_op_t op;
+
+    op.cmd = FLASK_AVC_CACHESTATS;
+    op.buf = buf;
+    op.size = size;
+
+    if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+    {
+        free(buf);
+        return err;
+    }
+
+    return 0;
+}
+
+int flask_policyvers(int xc_handle, char *buf, int size)
+{
+    int err;
+    flask_op_t op;
+
+    op.cmd = FLASK_POLICYVERS;
+    op.buf = buf;
+    op.size = size;
+
+    if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+    {
+        free(buf);
+        return err;
+    }
+
+    return 0;
+}
+
+int flask_getavc_threshold(int xc_handle)
+{
+    int err;
+    flask_op_t op;
+    char buf[20];
+    int size = 20;
+    int threshold;
+
+    op.cmd = FLASK_GETAVC_THRESHOLD;
+    op.buf = buf;
+    op.size = size;
+
+    if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+        return err;
+
+    sscanf(buf, "%i", &threshold);
+
+    return threshold;
+}
+
+int flask_setavc_threshold(int xc_handle, int threshold)
+{
+    int err;
+    flask_op_t op;
+    char buf[20];
+    int size = 20;
+
+    op.cmd = FLASK_SETAVC_THRESHOLD;
+    op.buf = buf;
+    op.size = size;
+
+    snprintf(buf, size, "%i", threshold);
+
+    if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+        return err;
+
+    return 0;
+}
 
diff --git a/tools/flask/libflask/include/flask.h b/tools/flask/libflask/include/libflask.h
index 44de26bb89..7548d4e299 100644
--- a/tools/flask/libflask/include/flask.h
+++ b/tools/flask/libflask/include/libflask.h
@@ -8,8 +8,8 @@
  * as published by the Free Software Foundation.
  */
 
-#ifndef __FLASK_H__
-#define __FLASK_H__
+#ifndef __LIBFLASK_H__
+#define __LIBFLASK_H__
 
 #include <stdint.h>
 #include <xen/xen.h>
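Review bot: In flask_access the `err = -EILSEQ` set when sscanf() returns fewer than five fields is overwritten by the very next statement, `err = ((*allowed & req) == req)? 0 : -EPERM;`, so a malformed or truncated reply still produces an allow/deny result computed from whatever `*allowed` happened to hold — for a caller that passed NULL that is the uninitialized `dummy_allowed`. The malloc() result feeding snprintf() is unchecked and `buf` is leaked on the success path; the rewrite below bails out on both. flask_avc_hashstats, flask_avc_cachestats and flask_policyvers call `free(buf)` on the caller-supplied buffer in their error path, which is a double free or a free() of a stack array depending on the caller, so those three `free(buf);` lines should simply be removed. flask_getavc_threshold ignores the sscanf() result and returns an uninitialized `threshold` when the reply does not parse; `if (sscanf(buf, "%i", &threshold) != 1) return -EILSEQ;` closes that, though the function still cannot distinguish a negative threshold from a negative error code.
```c
    buf = malloc(bufLen);
    if (!buf)
        return -ENOMEM;
    snprintf(buf, bufLen, "%s %s %hu %x", scon, tcon, tclass, req);

    /* … unchanged: op setup and the xc_flask_op() call, which frees buf and returns on error … */

    if (sscanf(op.buf, "%x %x %x %x %u",
               allowed, decided,
               auditallow, auditdeny,
               seqno) != 5) {
        free(buf);
        return -EILSEQ;
    }

    /* Every requested permission bit must be present in the allowed vector. */
    err = ((*allowed & req) == req) ? 0 : -EPERM;
    free(buf);

    return err;
```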
@@ -30,6 +30,16 @@ int flask_del_pirq(int xc_handle, unsigned int pirq);
 int flask_del_ioport(int xc_handle, unsigned long low, unsigned long high);
 int flask_del_iomem(int xc_handle, unsigned long low, unsigned long high);
 int flask_del_device(int xc_handle, unsigned long device);
+int flask_access(int xc_handle, const char *scon, const char *tcon,
+                 u_int16_t tclass, u_int32_t req,
+                 u_int32_t *allowed, u_int32_t *decided,
+                 u_int32_t *auditallow, u_int32_t *auditdeny,
+                 u_int32_t *seqno);
+int flask_avc_cachestats(int xc_handle, char *buf, int size);
+int flask_policyvers(int xc_handle, char *buf, int size);
+int flask_avc_hashstats(int xc_handle, char *buf, int size);
+int flask_getavc_threshold(int xc_handle);
+int flask_setavc_threshold(int xc_handle, int threshold);
 #define flask_add_single_ioport(x, l, s) flask_add_ioport(x, l, l, s)
 #define flask_add_single_iomem(x, l, s) flask_add_iomem(x, l, l, s)
 #define flask_del_single_ioport(x, l) flask_del_ioport(x, l, l)
@@ -40,4 +50,4 @@ int flask_del_device(int xc_handle, unsigned long device);
 #define OCON_IOMEM_STR "iomem"
 #define OCON_DEVICE_STR "pcidevice"
 #define INITCONTEXTLEN 256
-#endif /* __FLASK_H__ */
+#endif /* __LIBFLASK_H__ */
diff --git a/tools/flask/utils/getenforce.c b/tools/flask/utils/getenforce.c
index 9960434ac8..1706f6a2e2 100644
--- a/tools/flask/utils/getenforce.c
+++ b/tools/flask/utils/getenforce.c
@@ -16,7 +16,7 @@
 #include <sys/stat.h>
 #include <string.h>
 #include <unistd.h>
-#include <flask.h>
+#include <libflask.h>
 
 static void usage (int argCnt, const char *args[])
 {
diff --git a/tools/flask/utils/loadpolicy.c b/tools/flask/utils/loadpolicy.c
index bb6eeb8de5..13e4cb2c32 100644
--- a/tools/flask/utils/loadpolicy.c
+++ b/tools/flask/utils/loadpolicy.c
@@ -17,7 +17,7 @@
 #include <sys/stat.h>
 #include <string.h>
 #include <unistd.h>
-#include <flask.h>
+#include <libflask.h>
 
 #define USE_MMAP
 
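Review bot: The new prototypes spell the integer types `u_int16_t`/`u_int32_t`, which belong to the BSD `<sys/types.h>` vocabulary rather than to the `<stdint.h>` this header already includes; `uint16_t tclass, uint32_t req` and `uint32_t *allowed, ...` (with the matching definitions in flask_op.c) are the portable form. These declarations are also the only public description of the new calls, so a comment above flask_access stating that `allowed`, `decided`, `auditallow`, `auditdeny` and `seqno` may each be NULL, and that it returns 0 when every bit of `req` is granted, -EPERM when not, and another negative errno value on failure, would let callers use it without reading the source. flask_getavc_threshold returns the threshold and negative error codes through the same int, which is worth stating above its prototype since a caller cannot tell the two apart for negative values.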
diff --git a/tools/flask/utils/setenforce.c b/tools/flask/utils/setenforce.c
index 91fb3594aa..60e8eb086f 100644
--- a/tools/flask/utils/setenforce.c
+++ b/tools/flask/utils/setenforce.c
@@ -16,7 +16,7 @@
 #include <sys/stat.h>
 #include <string.h>
 #include <unistd.h>
-#include <flask.h>
+#include <libflask.h>
 
 static void usage (int argCnt, const char *args[])
 {