diff options
author | Keir Fraser <keir.fraser@citrix.com> | 2009-11-13 22:00:19 +0000 |
---|---|---|
committer | Keir Fraser <keir.fraser@citrix.com> | 2009-11-13 22:00:19 +0000 |
commit | 3695303ba1539e57e5d8bdf4ee7ba1bc6e3edc81 (patch) | |
tree | 44cd05b2caf235afa0fd9bbaf71d1897d53efb13 /tools/flask | |
parent | 4def0d9ca1ab8a1fdf4300f87118068e46e6491f (diff) | |
download | xen-3695303ba1539e57e5d8bdf4ee7ba1bc6e3edc81.tar.gz xen-3695303ba1539e57e5d8bdf4ee7ba1bc6e3edc81.tar.bz2 xen-3695303ba1539e57e5d8bdf4ee7ba1bc6e3edc81.zip |
xsm: Dynamic update to device ocontexts
Added the ability to add and delete ocontexts dynamically on a running
system. Two new commands have been added to the xsm hypercall, add
and delete ocontext. Twelve new library functions have been
implemented that use the hypercall commands to label and unlabel
pirqs, PCI devices, I/O ports and memory. The base policy has been
updated so dom0 has the ability to use the hypercall commands by
default. Items added to the list will not be present next time the
system reloads. They will need to be added to the static policy.
Signed-off-by : George Coker <gscoker@alpha.ncsc.mil>
Signed-off-by : Paul Nuzzi <pjnuzzi@tycho.ncsc.mil>
Diffstat (limited to 'tools/flask')
-rw-r--r-- | tools/flask/libflask/flask_op.c | 233 | ||||
-rw-r--r-- | tools/flask/libflask/include/flask.h | 19 | ||||
-rw-r--r-- | tools/flask/policy/policy/flask/access_vectors | 2 | ||||
-rw-r--r-- | tools/flask/policy/policy/modules/xen/xen.te | 2 |
4 files changed, 255 insertions, 1 deletions
diff --git a/tools/flask/libflask/flask_op.c b/tools/flask/libflask/flask_op.c index 579be20d96..9eab033e4d 100644 --- a/tools/flask/libflask/flask_op.c +++ b/tools/flask/libflask/flask_op.c @@ -109,3 +109,236 @@ int flask_setenforce(int xc_handle, int mode) return 0; } + +int flask_add_pirq(int xc_handle, unsigned int pirq, char *scontext) +{ + int err; + flask_op_t op; + char *buf; + char *pirq_s = OCON_PIRQ_STR; + int size = INITCONTEXTLEN + strlen(pirq_s) + (sizeof(unsigned int)) + + (sizeof(char) * 3); + + if ( (buf = (char *) malloc(size)) == NULL ) + return -ENOMEM; + memset(buf, 0, size); + + op.cmd = FLASK_ADD_OCONTEXT; + snprintf(buf, size, "%s %255s %u", pirq_s, scontext, pirq); + op.buf = buf; + op.size = size; + + if ( (err = xc_flask_op(xc_handle, &op)) != 0 ) + { + free(buf); + return err; + } + + free(buf); + return 0; + +} + +int flask_add_ioport(int xc_handle, unsigned long low, unsigned long high, + char *scontext) +{ + int err; + flask_op_t op; + char *buf; + char *ioport = OCON_IOPORT_STR; + int size = INITCONTEXTLEN + strlen(ioport) + + (sizeof(unsigned long) * 2) + (sizeof(char) * 4); + + if ( (buf = (char *) malloc(size)) == NULL ) + return -ENOMEM; + memset(buf, 0, size); + + op.cmd = FLASK_ADD_OCONTEXT; + snprintf(buf, size, "%s %255s %li %li", ioport, scontext, low, high); + op.buf = buf; + op.size = size; + + if ( (err = xc_flask_op(xc_handle, &op)) != 0 ) + { + free(buf); + return err; + } + + free(buf); + return 0; + +} + +int flask_add_iomem(int xc_handle, unsigned long low, unsigned long high, + char *scontext) +{ + int err; + flask_op_t op; + char *buf; + char *iomem = OCON_IOMEM_STR; + int size = INITCONTEXTLEN + strlen(iomem) + + (sizeof(unsigned long) * 2) + (sizeof(char) * 4); + + if ( (buf = (char *) malloc(size)) == NULL ) + return -ENOMEM; + memset(buf, 0, size); + + op.cmd = FLASK_ADD_OCONTEXT; + snprintf(buf, size, "%s %255s %li %li", iomem, scontext, low, high); + op.buf = buf; + op.size = size; + + if ( (err = xc_flask_op(xc_handle, &op)) != 0 ) + { + free(buf); + return err; + } + + free(buf); + return 0; + +} + +int flask_add_device(int xc_handle, unsigned long device, char *scontext) +{ + int err; + flask_op_t op; + char *buf; + char *dev = OCON_DEVICE_STR; + int size = INITCONTEXTLEN + strlen(dev) + (sizeof(unsigned long)) + + (sizeof(char) * 3); + + if ( (buf = (char *) malloc(size)) == NULL ) + return -ENOMEM; + memset(buf, 0, size); + + op.cmd = FLASK_ADD_OCONTEXT; + snprintf(buf, size, "%s %255s %li", dev, scontext, device); + op.buf = buf; + op.size = size; + + if ( (err = xc_flask_op(xc_handle, &op)) != 0 ) + { + free(buf); + return err; + } + + free(buf); + return 0; + +} + +int flask_del_pirq(int xc_handle, unsigned int pirq) +{ + int err; + flask_op_t op; + char *buf; + char *pirq_s = OCON_PIRQ_STR; + int size = strlen(pirq_s) + (sizeof(unsigned int)) + + (sizeof(char) * 2); + + if ( (buf = (char *) malloc(size)) == NULL ) + return -ENOMEM; + memset(buf, 0, size); + + op.cmd = FLASK_DEL_OCONTEXT; + snprintf(buf, size, "%s %u", pirq_s, pirq); + op.buf = buf; + op.size = size; + + if ( (err = xc_flask_op(xc_handle, &op)) != 0 ) + { + free(buf); + return err; + } + + free(buf); + return 0; + +} + +int flask_del_ioport(int xc_handle, unsigned long low, unsigned long high) +{ + int err; + flask_op_t op; + char *buf; + char *ioport = OCON_IOPORT_STR; + int size = strlen(ioport) + (sizeof(unsigned long) * 2) + + (sizeof(char) * 3); + + if ( (buf = (char *) malloc(size)) == NULL ) + return -ENOMEM; + memset(buf, 0, size); + + op.cmd = FLASK_DEL_OCONTEXT; + snprintf(buf, size, "%s %li %li", ioport, low, high); + op.buf = buf; + op.size = size; + + if ( (err = xc_flask_op(xc_handle, &op)) != 0 ) + { + free(buf); + return err; + } + + free(buf); + return 0; + +} + +int flask_del_iomem(int xc_handle, unsigned long low, unsigned long high) +{ + int err; + flask_op_t op; + char *buf; + char *iomem = OCON_IOMEM_STR; + int size = strlen(iomem) + (sizeof(unsigned long) * 2) + + (sizeof(char) * 3); + + if ( (buf = (char *) malloc(size)) == NULL ) + return -ENOMEM; + memset(buf, 0, size); + + op.cmd = FLASK_DEL_OCONTEXT; + snprintf(buf, size, "%s %li %li", iomem, low, high); + op.buf = buf; + op.size = size; + + if ( (err = xc_flask_op(xc_handle, &op)) != 0 ) + { + free(buf); + return err; + } + + free(buf); + return 0; + +} + +int flask_del_device(int xc_handle, unsigned long device) +{ + int err; + flask_op_t op; + char *buf; + char *dev = OCON_DEVICE_STR; + int size = strlen(dev) + (sizeof(unsigned long)) + (sizeof(char) * 2); + + if ( (buf = (char *) malloc(size)) == NULL ) + return -ENOMEM; + memset(buf, 0, size); + + op.cmd = FLASK_DEL_OCONTEXT; + snprintf(buf, size, "%s %li", dev, device); + op.buf = buf; + op.size = size; + + if ( (err = xc_flask_op(xc_handle, &op)) != 0 ) + { + free(buf); + return err; + } + + free(buf); + return 0; + +} diff --git a/tools/flask/libflask/include/flask.h b/tools/flask/libflask/include/flask.h index 31f6263404..44de26bb89 100644 --- a/tools/flask/libflask/include/flask.h +++ b/tools/flask/libflask/include/flask.h @@ -20,5 +20,24 @@ int flask_context_to_sid(int xc_handle, char *buf, uint32_t size, uint32_t *sid) int flask_sid_to_context(int xc_handle, int sid, char *buf, uint32_t size); int flask_getenforce(int xc_handle); int flask_setenforce(int xc_handle, int mode); +int flask_add_pirq(int xc_handle, unsigned int pirq, char *scontext); +int flask_add_ioport(int xc_handle, unsigned long low, unsigned long high, + char *scontext); +int flask_add_iomem(int xc_handle, unsigned long low, unsigned long high, + char *scontext); +int flask_add_device(int xc_handle, unsigned long device, char *scontext); +int flask_del_pirq(int xc_handle, unsigned int pirq); +int flask_del_ioport(int xc_handle, unsigned long low, unsigned long high); +int flask_del_iomem(int xc_handle, unsigned long low, unsigned long high); +int flask_del_device(int xc_handle, unsigned long device); +#define flask_add_single_ioport(x, l, s) flask_add_ioport(x, l, l, s) +#define flask_add_single_iomem(x, l, s) flask_add_iomem(x, l, l, s) +#define flask_del_single_ioport(x, l) flask_del_ioport(x, l, l) +#define flask_del_single_iomem(x, l) flask_del_iomem(x, l, l); +#define OCON_PIRQ_STR "pirq" +#define OCON_IOPORT_STR "ioport" +#define OCON_IOMEM_STR "iomem" +#define OCON_DEVICE_STR "pcidevice" +#define INITCONTEXTLEN 256 #endif /* __FLASK_H__ */ diff --git a/tools/flask/policy/policy/flask/access_vectors b/tools/flask/policy/policy/flask/access_vectors index 0df71d0a46..f835eb5a32 100644 --- a/tools/flask/policy/policy/flask/access_vectors +++ b/tools/flask/policy/policy/flask/access_vectors @@ -163,4 +163,6 @@ class security setenforce setbool setsecparam + add_ocontext + del_ocontext } diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te index 851b0d6bd3..0977939146 100644 --- a/tools/flask/policy/policy/modules/xen/xen.te +++ b/tools/flask/policy/policy/modules/xen/xen.te @@ -51,7 +51,7 @@ allow dom0_t xen_t:xen firmware; allow dom0_t security_t:security {compute_av compute_create compute_member check_context load_policy compute_relabel compute_user setenforce setbool -setsecparam}; +setsecparam add_ocontext del_ocontext}; create_channel(dom0_t, dom0_t, evchn0-0_t) allow dom0_t evchn0-0_t:event {send}; |