diff options
author | Keir Fraser <keir@xen.org> | 2011-03-25 21:47:57 +0000 |
---|---|---|
committer | Keir Fraser <keir@xen.org> | 2011-03-25 21:47:57 +0000 |
commit | 6102cace934c5ef156e7e1e21966cf3950dc40e5 (patch) | |
tree | 612c892c08a8a6c371b3c02981b2699e7ebdc9ae /tools/python | |
parent | 662f524483de23084ae4dde930fa7570fb15e033 (diff) | |
download | xen-6102cace934c5ef156e7e1e21966cf3950dc40e5.tar.gz xen-6102cace934c5ef156e7e1e21966cf3950dc40e5.tar.bz2 xen-6102cace934c5ef156e7e1e21966cf3950dc40e5.zip |
Remove unmaintained Access Control Module (ACM) from hypervisor.
Signed-off-by: Keir Fraser <keir@xen.org>
Diffstat (limited to 'tools/python')
-rw-r--r-- | tools/python/setup.py | 11 | ||||
-rw-r--r-- | tools/python/xen/lowlevel/acm/acm.c | 403 | ||||
-rw-r--r-- | tools/python/xen/xm/messages/xen-xm.pot | 3 |
3 files changed, 3 insertions, 414 deletions
diff --git a/tools/python/setup.py b/tools/python/setup.py index f803632d3b..0f0c5f860d 100644 --- a/tools/python/setup.py +++ b/tools/python/setup.py @@ -43,14 +43,6 @@ process = Extension("process", depends = [ ], sources = [ "xen/lowlevel/process/process.c" ]) -acm = Extension("acm", - extra_compile_args = extra_compile_args, - include_dirs = [ PATH_XEN, PATH_LIBXC, "xen/lowlevel/acm" ], - library_dirs = [ PATH_LIBXC ], - libraries = [ "xenctrl" ], - depends = [ PATH_LIBXC + "/libxenctrl.so" ], - sources = [ "xen/lowlevel/acm/acm.c" ]) - flask = Extension("flask", extra_compile_args = extra_compile_args, include_dirs = [ PATH_XEN, PATH_LIBXC, "xen/lowlevel/flask", @@ -98,7 +90,7 @@ xl = Extension("xl", sources = [ "xen/lowlevel/xl/xl.c", "xen/lowlevel/xl/_pyxl_types.c" ]) plat = os.uname()[0] -modules = [ xc, xs, ptsname, acm, flask, xl ] +modules = [ xc, xs, ptsname, flask, xl ] if plat == 'SunOS': modules.extend([ scf, process ]) if plat == 'Linux': @@ -113,7 +105,6 @@ setup(name = 'xen', 'xen.util.xsm', 'xen.util.xsm.dummy', 'xen.util.xsm.flask', - 'xen.util.xsm.acm', 'xen.xend', 'xen.xend.server', 'xen.xend.xenstore', diff --git a/tools/python/xen/lowlevel/acm/acm.c b/tools/python/xen/lowlevel/acm/acm.c deleted file mode 100644 index 832458de74..0000000000 --- a/tools/python/xen/lowlevel/acm/acm.c +++ /dev/null @@ -1,403 +0,0 @@ -/**************************************************************** - * acm.c - * - * Copyright (C) 2006,2007 IBM Corporation - * - * Authors: - * Reiner Sailer <sailer@watson.ibm.com> - * Stefan Berger <stefanb@us.ibm.com> - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License as - * published by the Free Software Foundation, version 2 of the - * License. - * - * ACM low-level code that allows Python control code to leverage - * the ACM hypercall interface to retrieve real-time information - * from the Xen hypervisor security module. - * - * indent -i4 -kr -nut - */ - -#include <Python.h> - -#include <stdio.h> -#include <fcntl.h> -#include <sys/mman.h> -#include <sys/types.h> -#include <stdlib.h> -#include <arpa/inet.h> -#include <sys/ioctl.h> -#include <netinet/in.h> -#include <xenctrl.h> -#include <xen/xsm/acm.h> -#include <xen/xsm/acm_ops.h> - -#define PERROR(_m, _a...) \ -fprintf(stderr, "ERROR: " _m " (%d = %s)\n" , ## _a , \ - errno, strerror(errno)) - -static PyObject *acm_error_obj; - -/* generic shared function */ -static void *__getssid(xc_interface *xc_handle, int domid, uint32_t *buflen, xc_hypercall_buffer_t *buffer) -{ - struct acm_getssid getssid; - #define SSID_BUFFER_SIZE 4096 - void *buf; - DECLARE_HYPERCALL_BUFFER_ARGUMENT(buffer); - - if ((buf = xc_hypercall_buffer_alloc(xc_handle, buffer, SSID_BUFFER_SIZE)) == NULL) { - PERROR("acm.policytype: Could not allocate ssid buffer!\n"); - return NULL; - } - - memset(buf, 0, SSID_BUFFER_SIZE); - set_xen_guest_handle(getssid.ssidbuf, buffer); - getssid.ssidbuf_size = SSID_BUFFER_SIZE; - getssid.get_ssid_by = ACM_GETBY_domainid; - getssid.id.domainid = domid; - - if (xc_acm_op(xc_handle, ACMOP_getssid, &getssid, sizeof(getssid)) < 0) { - if (errno == EACCES) - PERROR("ACM operation failed."); - buf = NULL; - } else { - *buflen = SSID_BUFFER_SIZE; - } - return buf; -} - - -/* retrieve the policytype indirectly by retrieving the - * ssidref for domain 0 (always exists) */ -static PyObject *policy(PyObject * self, PyObject * args) -{ - xc_interface *xc_handle; - char *policyreference; - PyObject *ret; - uint32_t buf_len; - DECLARE_HYPERCALL_BUFFER(void, ssid_buffer); - - if (!PyArg_ParseTuple(args, "", NULL)) { - return NULL; - } - if ((xc_handle = xc_interface_open(0,0,0)) == 0) - return PyErr_SetFromErrno(acm_error_obj); - - ssid_buffer = __getssid(xc_handle, 0, &buf_len, HYPERCALL_BUFFER(ssid_buffer)); - if (ssid_buffer == NULL || buf_len < sizeof(struct acm_ssid_buffer)) - ret = PyErr_SetFromErrno(acm_error_obj); - else { - struct acm_ssid_buffer *ssid = (struct acm_ssid_buffer *)ssid_buffer; - policyreference = (char *)(ssid_buffer + ssid->policy_reference_offset - + sizeof (struct acm_policy_reference_buffer)); - ret = Py_BuildValue("s", policyreference); - } - - xc_hypercall_buffer_free(xc_handle, ssid_buffer); - xc_interface_close(xc_handle); - return ret; -} - - -/* retrieve ssid info for a domain domid*/ -static PyObject *getssid(PyObject * self, PyObject * args) -{ - xc_interface *xc_handle; - - /* in */ - uint32_t domid; - /* out */ - char *policytype, *policyreference; - uint32_t ssidref; - PyObject *ret; - - DECLARE_HYPERCALL_BUFFER(void, ssid_buffer); - uint32_t buf_len; - - if (!PyArg_ParseTuple(args, "i", &domid)) { - return NULL; - } - if ((xc_handle = xc_interface_open(0,0,0)) == 0) - return PyErr_SetFromErrno(acm_error_obj); - - ssid_buffer = __getssid(xc_handle, domid, &buf_len, HYPERCALL_BUFFER(ssid_buffer)); - if (ssid_buffer == NULL) { - ret = NULL; - } else if (buf_len < sizeof(struct acm_ssid_buffer)) { - ret = NULL; - } else { - struct acm_ssid_buffer *ssid = (struct acm_ssid_buffer *) ssid_buffer; - policytype = ACM_POLICY_NAME(ssid->secondary_policy_code << 4 | - ssid->primary_policy_code); - ssidref = ssid->ssidref; - policyreference = (char *)(ssid_buffer + ssid->policy_reference_offset - + sizeof (struct acm_policy_reference_buffer)); - ret = Py_BuildValue("{s:s,s:s,s:i}", - "policyreference", policyreference, - "policytype", policytype, - "ssidref", ssidref); - } - xc_hypercall_buffer_free(xc_handle, ssid_buffer); - xc_interface_close(xc_handle); - return ret; -} - - -/* retrieve access decision based on domain ids or ssidrefs */ -static PyObject *getdecision(PyObject * self, PyObject * args) -{ - char *arg1_name, *arg1, *arg2_name, *arg2, *decision = NULL; - struct acm_getdecision getdecision; - xc_interface *xc_handle; - int rc; - uint32_t hooktype; - - if (!PyArg_ParseTuple(args, "ssssi", &arg1_name, - &arg1, &arg2_name, &arg2, &hooktype)) { - return NULL; - } - - if ((xc_handle = xc_interface_open(0,0,0)) == 0) { - perror("Could not open xen privcmd device!\n"); - return NULL; - } - - if ((strcmp(arg1_name, "domid") && strcmp(arg1_name, "ssidref")) || - (strcmp(arg2_name, "domid") && strcmp(arg2_name, "ssidref"))) - return NULL; - - getdecision.hook = hooktype; - if (!strcmp(arg1_name, "domid")) { - getdecision.get_decision_by1 = ACM_GETBY_domainid; - getdecision.id1.domainid = atoi(arg1); - } else { - getdecision.get_decision_by1 = ACM_GETBY_ssidref; - getdecision.id1.ssidref = atol(arg1); - } - if (!strcmp(arg2_name, "domid")) { - getdecision.get_decision_by2 = ACM_GETBY_domainid; - getdecision.id2.domainid = atoi(arg2); - } else { - getdecision.get_decision_by2 = ACM_GETBY_ssidref; - getdecision.id2.ssidref = atol(arg2); - } - - rc = xc_acm_op(xc_handle, ACMOP_getdecision, - &getdecision, sizeof(getdecision)); - - xc_interface_close(xc_handle); - - if (rc < 0) { - if (errno == EACCES) - PERROR("ACM operation failed."); - return NULL; - } - - if (getdecision.acm_decision == ACM_ACCESS_PERMITTED) - decision = "PERMITTED"; - else if (getdecision.acm_decision == ACM_ACCESS_DENIED) - decision = "DENIED"; - - return Py_BuildValue("s", decision); -} - -/* error messages for exceptions */ -const char bad_arg[] = "Bad function argument."; -const char ctrlif_op[] = "Could not open control interface."; -const char hv_op_err[] = "Error from hypervisor operation."; - -static PyObject *chgpolicy(PyObject *self, PyObject *args) -{ - struct acm_change_policy chgpolicy; - xc_interface *xc_handle; - int rc; - char *bin_pol = NULL, *del_arr = NULL, *chg_arr = NULL; - int bin_pol_len = 0, del_arr_len = 0, chg_arr_len = 0; - uint errarray_mbrs = 20 * 2; - PyObject *result = NULL; - uint len; - DECLARE_HYPERCALL_BUFFER(char, bin_pol_buf); - DECLARE_HYPERCALL_BUFFER(char, del_arr_buf); - DECLARE_HYPERCALL_BUFFER(char, chg_arr_buf); - DECLARE_HYPERCALL_BUFFER(uint32_t, error_array); - - memset(&chgpolicy, 0x0, sizeof(chgpolicy)); - - if (!PyArg_ParseTuple(args, "s#s#s#" ,&bin_pol, &bin_pol_len, - &del_arr, &del_arr_len, - &chg_arr, &chg_arr_len)) { - PyErr_SetString(PyExc_TypeError, bad_arg); - return NULL; - } - - if ((xc_handle = xc_interface_open(0,0,0)) == 0) { - PyErr_SetString(PyExc_IOError, ctrlif_op); - return NULL; - } - - if ( (bin_pol_buf = xc_hypercall_buffer_alloc(xc_handle, bin_pol_buf, bin_pol_len)) == NULL ) - goto out; - if ( (del_arr_buf = xc_hypercall_buffer_alloc(xc_handle, del_arr_buf, del_arr_len)) == NULL ) - goto out; - if ( (chg_arr_buf = xc_hypercall_buffer_alloc(xc_handle, chg_arr_buf, chg_arr_len)) == NULL ) - goto out; - if ( (error_array = xc_hypercall_buffer_alloc(xc_handle, error_array, sizeof(*error_array)*errarray_mbrs)) == NULL ) - goto out; - - memcpy(bin_pol_buf, bin_pol, bin_pol_len); - memcpy(del_arr_buf, del_arr, del_arr_len); - memcpy(chg_arr_buf, chg_arr, chg_arr_len); - - chgpolicy.policy_pushcache_size = bin_pol_len; - chgpolicy.delarray_size = del_arr_len; - chgpolicy.chgarray_size = chg_arr_len; - chgpolicy.errarray_size = sizeof(*error_array)*errarray_mbrs; - set_xen_guest_handle(chgpolicy.policy_pushcache, bin_pol_buf); - set_xen_guest_handle(chgpolicy.del_array, del_arr_buf); - set_xen_guest_handle(chgpolicy.chg_array, chg_arr_buf); - set_xen_guest_handle(chgpolicy.err_array, error_array); - - rc = xc_acm_op(xc_handle, ACMOP_chgpolicy, &chgpolicy, sizeof(chgpolicy)); - - /* only pass the filled error codes */ - for (len = 0; (len + 1) < errarray_mbrs; len += 2) { - if (error_array[len] == 0) { - len *= sizeof(error_array[0]); - break; - } - } - - result = Py_BuildValue("is#", rc, error_array, len); - -out: - xc_hypercall_buffer_free(xc_handle, bin_pol_buf); - xc_hypercall_buffer_free(xc_handle, del_arr_buf); - xc_hypercall_buffer_free(xc_handle, chg_arr_buf); - xc_hypercall_buffer_free(xc_handle, error_array); - xc_interface_close(xc_handle); - return result; -} - - -static PyObject *getpolicy(PyObject *self, PyObject *args) -{ - struct acm_getpolicy getpolicy; - xc_interface *xc_handle; - int rc; - PyObject *result = NULL; - uint32_t len = 8192; - DECLARE_HYPERCALL_BUFFER(uint8_t, pull_buffer); - - if ((xc_handle = xc_interface_open(0,0,0)) == 0) { - PyErr_SetString(PyExc_IOError, ctrlif_op); - return NULL; - } - - if ((pull_buffer = xc_hypercall_buffer_alloc(xc_handle, pull_buffer, len)) == NULL) - goto out; - - memset(&getpolicy, 0x0, sizeof(getpolicy)); - set_xen_guest_handle(getpolicy.pullcache, pull_buffer); - getpolicy.pullcache_size = sizeof(pull_buffer); - - rc = xc_acm_op(xc_handle, ACMOP_getpolicy, &getpolicy, sizeof(getpolicy)); - - if (rc == 0) { - struct acm_policy_buffer *header = - (struct acm_policy_buffer *)pull_buffer; - if (ntohl(header->len) < 8192) - len = ntohl(header->len); - } else { - len = 0; - } - - result = Py_BuildValue("is#", rc, pull_buffer, len); -out: - xc_hypercall_buffer_free(xc_handle, pull_buffer); - xc_interface_close(xc_handle); - return result; -} - - -static PyObject *relabel_domains(PyObject *self, PyObject *args) -{ - struct acm_relabel_doms reldoms; - xc_interface *xc_handle; - int rc; - char *relabel_rules = NULL; - int rel_rules_len = 0; - uint errarray_mbrs = 20 * 2; - DECLARE_HYPERCALL_BUFFER(uint32_t, error_array); - DECLARE_HYPERCALL_BUFFER(char, relabel_rules_buf); - PyObject *result = NULL; - uint len; - - memset(&reldoms, 0x0, sizeof(reldoms)); - - if (!PyArg_ParseTuple(args, "s#" ,&relabel_rules, &rel_rules_len)) { - PyErr_SetString(PyExc_TypeError, bad_arg); - return NULL; - } - - if ((xc_handle = xc_interface_open(0,0,0)) == 0) { - PyErr_SetString(PyExc_IOError, ctrlif_op); - return NULL; - } - - if ((relabel_rules_buf = xc_hypercall_buffer_alloc(xc_handle, relabel_rules_buf, rel_rules_len)) == NULL) - goto out; - if ((error_array = xc_hypercall_buffer_alloc(xc_handle, error_array, sizeof(*error_array)*errarray_mbrs)) == NULL) - goto out; - - memcpy(relabel_rules_buf, relabel_rules, rel_rules_len); - - reldoms.relabel_map_size = rel_rules_len; - reldoms.errarray_size = sizeof(error_array); - - set_xen_guest_handle(reldoms.relabel_map, relabel_rules_buf); - set_xen_guest_handle(reldoms.err_array, error_array); - - rc = xc_acm_op(xc_handle, ACMOP_relabeldoms, &reldoms, sizeof(reldoms)); - - /* only pass the filled error codes */ - for (len = 0; (len + 1) < errarray_mbrs; len += 2) { - if (error_array[len] == 0) { - len *= sizeof(error_array[0]); - break; - } - } - - result = Py_BuildValue("is#", rc, error_array, len); -out: - xc_hypercall_buffer_free(xc_handle, relabel_rules_buf); - xc_hypercall_buffer_free(xc_handle, error_array); - xc_interface_close(xc_handle); - - return result; -} - - -/*=================General Python Extension Declarations=================*/ - -/* methods */ -static PyMethodDef acmMethods[] = { - {"policy", policy, METH_VARARGS, "Retrieve Active ACM Policy Reference Name"}, - {"getssid", getssid, METH_VARARGS, "Retrieve label information and ssidref for a domain"}, - {"getdecision", getdecision, METH_VARARGS, "Retrieve ACM access control decision"}, - {"chgpolicy", chgpolicy, METH_VARARGS, "Change the policy in one step"}, - {"getpolicy", getpolicy, METH_NOARGS , "Get the binary policy from the hypervisor"}, - {"relabel_domains", relabel_domains, METH_VARARGS, "Relabel domains"}, - /* end of list (extend list above this line) */ - {NULL, NULL, 0, NULL} -}; - -/* inits */ -PyMODINIT_FUNC initacm(void) -{ - PyObject *m = Py_InitModule("acm", acmMethods); - acm_error_obj = PyErr_NewException("acm.Error", PyExc_RuntimeError, NULL); - Py_INCREF(acm_error_obj); - PyModule_AddObject(m, "Error", acm_error_obj); -} diff --git a/tools/python/xen/xm/messages/xen-xm.pot b/tools/python/xen/xm/messages/xen-xm.pot index a600a69f0d..25c7556c30 100644 --- a/tools/python/xen/xm/messages/xen-xm.pot +++ b/tools/python/xen/xm/messages/xen-xm.pot @@ -8,10 +8,11 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2008-03-31 17:40+0100\n" +"POT-Creation-Date: 2011-03-25 21:46+0000\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" "Language-Team: LANGUAGE <LL@li.org>\n" +"Language: \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=CHARSET\n" "Content-Transfer-Encoding: 8bit\n" |