authorKeir Fraser <keir.fraser@citrix.com>2010-01-26 07:50:04 +0000
committerKeir Fraser <keir.fraser@citrix.com>2010-01-26 07:50:04 +0000
commit224c24a3df88e20c0fa4685284506c0c45b6b401 (patch)
treed5b5f66999a5db903cdf30be8d6184f47297a777 /tools/flask
parentbebd60a04f42b020cca824bbfbe2fe5cce8121ee (diff)
tools/xsm: Expose Flask XSM AVC functions to user-space
This patch exposes the flask_access, flask_avc_cachestats, flask_avc_hashstats, flask_getavc_threshold, flask_setavc_threshold, and flask_policyvers functions to user-space. A Python wrapper was created for the flask_access function to facilitate policy-based user-space access control decisions. flask.h was renamed to libflask.h to remove a naming conflict. Signed-off-by: Machon Gregory <mbgrego@tycho.ncsc.mil>
Diffstat (limited to 'tools/flask')
-rw-r--r--tools/flask/libflask/Makefile2
-rw-r--r--tools/flask/libflask/flask_op.c159
-rw-r--r--tools/flask/libflask/include/libflask.h (renamed from tools/flask/libflask/include/flask.h)16
-rw-r--r--tools/flask/utils/getenforce.c2
-rw-r--r--tools/flask/utils/loadpolicy.c2
-rw-r--r--tools/flask/utils/setenforce.c2
6 files changed, 175 insertions, 8 deletions
diff --git a/tools/flask/libflask/Makefile b/tools/flask/libflask/Makefile
index c03fc8aca8..7f33f124df 100644
--- a/tools/flask/libflask/Makefile
+++ b/tools/flask/libflask/Makefile
@@ -38,7 +38,7 @@ install: build
$(INSTALL_DATA) libflask.a $(DESTDIR)$(LIBDIR)
ln -sf libflask.so.$(MAJOR).$(MINOR) $(DESTDIR)$(LIBDIR)/libflask.so.$(MAJOR)
ln -sf libflask.so.$(MAJOR) $(DESTDIR)$(LIBDIR)/libflask.so
- $(INSTALL_DATA) include/flask.h $(DESTDIR)$(INCLUDEDIR)
+ $(INSTALL_DATA) include/libflask.h $(DESTDIR)$(INCLUDEDIR)/xen/xsm
.PHONY: TAGS
TAGS:
diff --git a/tools/flask/libflask/flask_op.c b/tools/flask/libflask/flask_op.c
index 8b40c70595..29c3cd1149 100644
--- a/tools/flask/libflask/flask_op.c
+++ b/tools/flask/libflask/flask_op.c
@@ -19,7 +19,7 @@
#include <stdlib.h>
#include <stdint.h>
#include <sys/ioctl.h>
-#include <flask.h>
+#include <libflask.h>
#include <xenctrl.h>
int flask_load(int xc_handle, char *buf, uint32_t size)
@@ -342,3 +342,160 @@ int flask_del_device(int xc_handle, unsigned long device)
return 0;
}
+
+int flask_access(int xc_handle, const char *scon, const char *tcon,
+ u_int16_t tclass, u_int32_t req,
+ u_int32_t *allowed, u_int32_t *decided,
+ u_int32_t *auditallow, u_int32_t *auditdeny,
+ u_int32_t *seqno)
+{
+/* maximum number of digits in a 16-bit decimal number: */
+#define MAX_SHORT_DEC_LEN 5
+
+ char *buf;
+ int bufLen;
+ int err;
+ flask_op_t op;
+ u_int32_t dummy_allowed;
+ u_int32_t dummy_decided;
+ u_int32_t dummy_auditallow;
+ u_int32_t dummy_auditdeny;
+ u_int32_t dummy_seqno;
+
+ if (!allowed)
+ allowed = &dummy_allowed;
+ if (!decided)
+ decided = &dummy_decided;
+ if (!auditallow)
+ auditallow = &dummy_auditallow;
+ if (!auditdeny)
+ auditdeny = &dummy_auditdeny;
+ if (!seqno)
+ seqno = &dummy_seqno;
+
+ if (!scon)
+ return -EINVAL;
+ if (!tcon)
+ return -EINVAL;
+
+ bufLen = strlen(scon) + 1 + strlen(tcon) + 1 +
+ MAX_SHORT_DEC_LEN + 1 +
+ sizeof(req)*2 + 1;
+ buf = malloc(bufLen);
+ snprintf(buf, bufLen, "%s %s %hu %x", scon, tcon, tclass, req);
+
+ op.cmd = FLASK_ACCESS;
+ op.buf = buf;
+ op.size = strlen(buf)+1;
+
+ if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+ {
+ free(buf);
+ return err;
+ }
+
+ if (sscanf(op.buf, "%x %x %x %x %u",
+ allowed, decided,
+ auditallow, auditdeny,
+ seqno) != 5) {
+ err = -EILSEQ;
+ }
+
+ err = ((*allowed & req) == req)? 0 : -EPERM;
+
+ return err;
+
+}
+
+int flask_avc_hashstats(int xc_handle, char *buf, int size)
+{
+ int err;
+ flask_op_t op;
+
+ op.cmd = FLASK_AVC_HASHSTATS;
+ op.buf = buf;
+ op.size = size;
+
+ if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+ {
+ free(buf);
+ return err;
+ }
+
+ return 0;
+}
+
+int flask_avc_cachestats(int xc_handle, char *buf, int size)
+{
+ int err;
+ flask_op_t op;
+
+ op.cmd = FLASK_AVC_CACHESTATS;
+ op.buf = buf;
+ op.size = size;
+
+ if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+ {
+ free(buf);
+ return err;
+ }
+
+ return 0;
+}
+
+int flask_policyvers(int xc_handle, char *buf, int size)
+{
+ int err;
+ flask_op_t op;
+
+ op.cmd = FLASK_POLICYVERS;
+ op.buf = buf;
+ op.size = size;
+
+ if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+ {
+ free(buf);
+ return err;
+ }
+
+ return 0;
+}
+
+int flask_getavc_threshold(int xc_handle)
+{
+ int err;
+ flask_op_t op;
+ char buf[20];
+ int size = 20;
+ int threshold;
+
+ op.cmd = FLASK_GETAVC_THRESHOLD;
+ op.buf = buf;
+ op.size = size;
+
+ if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+ return err;
+
+ sscanf(buf, "%i", &threshold);
+
+ return threshold;
+}
+
+int flask_setavc_threshold(int xc_handle, int threshold)
+{
+ int err;
+ flask_op_t op;
+ char buf[20];
+ int size = 20;
+
+ op.cmd = FLASK_SETAVC_THRESHOLD;
+ op.buf = buf;
+ op.size = size;
+
+ snprintf(buf, size, "%i", threshold);
+
+ if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+ return err;
+
+ return 0;
+}
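Review bot: In flask_access the parse check `if (sscanf(op.buf, "%x %x %x %x %u", ...) != 5)` sets err = -EILSEQ, but the unconditional `err = ((*allowed & req) == req)? 0 : -EPERM;` on the next statement overwrites it, so a malformed reply from the hypervisor is turned into an allow/deny decision computed from whatever *allowed happens to hold — an uninitialised dummy_allowed when the caller passed NULL — which can fail open for an access-control query. The success path of flask_access also never frees buf, and the malloc result is used by snprintf without a NULL check. Separately, flask_avc_hashstats, flask_avc_cachestats and flask_policyvers call free(buf) on the caller-supplied buffer when xc_flask_op fails, which is a double free if the caller frees it and corrupts the heap if the caller passed a stack or static array; those three should simply return err. A fail-closed tail for flask_access:
```c
    buf = malloc(bufLen);
    if (!buf)
        return -ENOMEM;
    snprintf(buf, bufLen, "%s %s %hu %x", scon, tcon, tclass, req);
    /* … unchanged: op setup and xc_flask_op call (frees buf and returns on error) … */
    if (sscanf(op.buf, "%x %x %x %x %u",
               allowed, decided, auditallow, auditdeny, seqno) != 5)
        err = -EILSEQ;   /* malformed reply: deny, never consult *allowed */
    else
        err = ((*allowed & req) == req) ? 0 : -EPERM;

    free(buf);
    return err;
```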
diff --git a/tools/flask/libflask/include/flask.h b/tools/flask/libflask/include/libflask.h
index 44de26bb89..7548d4e299 100644
--- a/tools/flask/libflask/include/flask.h
+++ b/tools/flask/libflask/include/libflask.h
@@ -8,8 +8,8 @@
* as published by the Free Software Foundation.
*/
-#ifndef __FLASK_H__
-#define __FLASK_H__
+#ifndef __LIBFLASK_H__
+#define __LIBFLASK_H__
#include <stdint.h>
#include <xen/xen.h>
@@ -30,6 +30,16 @@ int flask_del_pirq(int xc_handle, unsigned int pirq);
int flask_del_ioport(int xc_handle, unsigned long low, unsigned long high);
int flask_del_iomem(int xc_handle, unsigned long low, unsigned long high);
int flask_del_device(int xc_handle, unsigned long device);
+int flask_access(int xc_handle, const char *scon, const char *tcon,
+ u_int16_t tclass, u_int32_t req,
+ u_int32_t *allowed, u_int32_t *decided,
+ u_int32_t *auditallow, u_int32_t *auditdeny,
+ u_int32_t *seqno);
+int flask_avc_cachestats(int xc_handle, char *buf, int size);
+int flask_policyvers(int xc_handle, char *buf, int size);
+int flask_avc_hashstats(int xc_handle, char *buf, int size);
+int flask_getavc_threshold(int xc_handle);
+int flask_setavc_threshold(int xc_handle, int threshold);
#define flask_add_single_ioport(x, l, s) flask_add_ioport(x, l, l, s)
#define flask_add_single_iomem(x, l, s) flask_add_iomem(x, l, l, s)
#define flask_del_single_ioport(x, l) flask_del_ioport(x, l, l)
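Review bot: The new prototype `int flask_getavc_threshold(int xc_handle);` returns the threshold value directly, while the implementation in flask_op.c returns the negative error from xc_flask_op on failure and otherwise an `int threshold` that is left uninitialised when the unchecked sscanf does not match, so a caller cannot tell a failed call from a negative threshold and may receive garbage. At minimum document this on the declaration, e.g. `/* Returns the AVC threshold, or a negative errno on failure; callers cannot distinguish the two if a negative threshold is valid. */`, and preferably return the value through an out-parameter like the other new functions. The three buffer-taking declarations (flask_avc_cachestats, flask_policyvers, flask_avc_hashstats) should also state who owns buf and that size is its capacity, since the current implementations free it on the error path, which looks unintended for a caller-supplied buffer.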
@@ -40,4 +50,4 @@ int flask_del_device(int xc_handle, unsigned long device);
#define OCON_IOMEM_STR "iomem"
#define OCON_DEVICE_STR "pcidevice"
#define INITCONTEXTLEN 256
-#endif /* __FLASK_H__ */
+#endif /* __LIBFLASK_H__ */
diff --git a/tools/flask/utils/getenforce.c b/tools/flask/utils/getenforce.c
index 9960434ac8..1706f6a2e2 100644
--- a/tools/flask/utils/getenforce.c
+++ b/tools/flask/utils/getenforce.c
@@ -16,7 +16,7 @@
#include <sys/stat.h>
#include <string.h>
#include <unistd.h>
-#include <flask.h>
+#include <libflask.h>
static void usage (int argCnt, const char *args[])
{
diff --git a/tools/flask/utils/loadpolicy.c b/tools/flask/utils/loadpolicy.c
index bb6eeb8de5..13e4cb2c32 100644
--- a/tools/flask/utils/loadpolicy.c
+++ b/tools/flask/utils/loadpolicy.c
@@ -17,7 +17,7 @@
#include <sys/stat.h>
#include <string.h>
#include <unistd.h>
-#include <flask.h>
+#include <libflask.h>
#define USE_MMAP
diff --git a/tools/flask/utils/setenforce.c b/tools/flask/utils/setenforce.c
index 91fb3594aa..60e8eb086f 100644
--- a/tools/flask/utils/setenforce.c
+++ b/tools/flask/utils/setenforce.c
@@ -16,7 +16,7 @@
#include <sys/stat.h>
#include <string.h>
#include <unistd.h>
-#include <flask.h>
+#include <libflask.h>
static void usage (int argCnt, const char *args[])
{