diff options
| author | smh22@firebug.cl.cam.ac.uk <smh22@firebug.cl.cam.ac.uk> | 2006-04-24 10:54:47 +0100 |
|---|---|---|
| committer | smh22@firebug.cl.cam.ac.uk <smh22@firebug.cl.cam.ac.uk> | 2006-04-24 10:54:47 +0100 |
| commit | 2d59e34fc28f8e7ed22c025ad45683ed244a62f6 (patch) | |
| tree | 6879dc4b900c26980fd28308e402b0679969636b /tools/security | |
| parent | 1f11fdecb12bf99154574c5a594426c31a302472 (diff) | |
| download | xen-2d59e34fc28f8e7ed22c025ad45683ed244a62f6.tar.gz xen-2d59e34fc28f8e7ed22c025ad45683ed244a62f6.tar.bz2 xen-2d59e34fc28f8e7ed22c025ad45683ed244a62f6.zip | |
This patch deletes the old shell-based security tools.
Signed-off by: Reiner Sailer <sailer@us.ibm.com>
Diffstat (limited to 'tools/security')
| -rw-r--r-- | tools/security/get_decision.c | 176 | ||||
| -rw-r--r-- | tools/security/getlabel.sh | 94 | ||||
| -rw-r--r-- | tools/security/labelfuncs.sh | 799 | ||||
| -rw-r--r-- | tools/security/setlabel.sh | 106 | ||||
| -rw-r--r-- | tools/security/updategrub.sh | 90 |
5 files changed, 0 insertions, 1265 deletions
diff --git a/tools/security/get_decision.c b/tools/security/get_decision.c deleted file mode 100644 index 888c0e8f6a..0000000000 --- a/tools/security/get_decision.c +++ /dev/null @@ -1,176 +0,0 @@ -/**************************************************************** - * get_decision.c - * - * Copyright (C) 2005 IBM Corporation - * - * Authors: - * Reiner Sailer <sailer@watson.ibm.com> - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License as - * published by the Free Software Foundation, version 2 of the - * License. - * - * An example program that shows how to retrieve an access control - * decision from the hypervisor ACM based on the currently active policy. - * - */ - -#include <unistd.h> -#include <stdio.h> -#include <errno.h> -#include <fcntl.h> -#include <getopt.h> -#include <sys/mman.h> -#include <sys/types.h> -#include <sys/stat.h> -#include <stdlib.h> -#include <sys/ioctl.h> -#include <string.h> -#include <netinet/in.h> -#include <xen/acm.h> -#include <xen/acm_ops.h> -#include <xen/linux/privcmd.h> - -#define PERROR(_m, _a...) \ -fprintf(stderr, "ERROR: " _m " (%d = %s)\n" , ## _a , \ - errno, strerror(errno)) - -void usage(char *progname) -{ - printf("Use: %s \n", progname); - printf(" Test program illustrating the retrieval of\n"); - printf(" access control decisions from xen. At this time,\n"); - printf(" only sharing (STE) policy decisions are supported.\n"); - printf(" parameter options:\n"); - printf("\t -i domid -i domid\n"); - printf("\t -i domid -s ssidref\n"); - printf("\t -s ssidref -s ssidref\n\n"); - exit(-1); -} - -static inline int do_policycmd(int xc_handle, unsigned int cmd, - unsigned long data) -{ - return ioctl(xc_handle, cmd, data); -} - -static inline int do_xen_hypercall(int xc_handle, - privcmd_hypercall_t * hypercall) -{ - return do_policycmd(xc_handle, - IOCTL_PRIVCMD_HYPERCALL, - (unsigned long) hypercall); -} - -static inline int do_acm_op(int xc_handle, struct acm_op *op) -{ - int ret = -1; - privcmd_hypercall_t hypercall; - - op->interface_version = ACM_INTERFACE_VERSION; - - hypercall.op = __HYPERVISOR_acm_op; - hypercall.arg[0] = (unsigned long) op; - - if (mlock(op, sizeof(*op)) != 0) { - PERROR("Could not lock memory for Xen policy hypercall"); - goto out1; - } - - if ((ret = do_xen_hypercall(xc_handle, &hypercall)) < 0) { - if (errno == EACCES) - fprintf(stderr, "ACM operation failed -- need to" - " rebuild the user-space tool set?\n"); - goto out2; - } - - out2:(void) munlock(op, sizeof(*op)); - out1:return ret; -} - - -/************************ get decision ******************************/ - -/* this example uses two domain ids and retrieves the decision if these domains - * can share information (useful, i.e., to enforce policy onto network traffic in dom0 - */ -int acm_get_decision(int xc_handle, int argc, char *const argv[]) -{ - struct acm_op op; - int ret; - - op.cmd = ACM_GETDECISION; - op.interface_version = ACM_INTERFACE_VERSION; - op.u.getdecision.get_decision_by1 = UNSET; - op.u.getdecision.get_decision_by2 = UNSET; - op.u.getdecision.hook = SHARING; - - while (1) { - int c = getopt(argc, argv, "i:s:"); - if (c == -1) - break; - - if (c == 'i') { - if (op.u.getdecision.get_decision_by1 == UNSET) { - op.u.getdecision.get_decision_by1 = DOMAINID; - op.u.getdecision.id1.domainid = strtoul(optarg, NULL, 0); - } else if (op.u.getdecision.get_decision_by2 == UNSET) { - op.u.getdecision.get_decision_by2 = DOMAINID; - op.u.getdecision.id2.domainid = strtoul(optarg, NULL, 0); - } else - usage(argv[0]); - } else if (c == 's') { - if (op.u.getdecision.get_decision_by1 == UNSET) { - op.u.getdecision.get_decision_by1 = SSIDREF; - op.u.getdecision.id1.ssidref = strtoul(optarg, NULL, 0); - } else if (op.u.getdecision.get_decision_by2 == UNSET) { - op.u.getdecision.get_decision_by2 = SSIDREF; - op.u.getdecision.id2.ssidref = strtoul(optarg, NULL, 0); - } else - usage(argv[0]); - } else - usage(argv[0]); - } - if ((op.u.getdecision.get_decision_by1 == UNSET) || - (op.u.getdecision.get_decision_by2 == UNSET)) - usage(argv[0]); - - if ((ret = do_acm_op(xc_handle, &op))) { - printf("%s: Error getting decision (%d).\n", __func__, ret); - printf("%s: decision = %s.\n", __func__, - (op.u.getdecision.acm_decision == - ACM_ACCESS_PERMITTED) ? "PERMITTED" : ((op.u.getdecision. - acm_decision == - ACM_ACCESS_DENIED) - ? "DENIED" : - "ERROR")); - return ret; - } - return op.u.getdecision.acm_decision; -} - -/***************************** main **************************************/ - -int main(int argc, char **argv) -{ - - int acm_cmd_fd, ret = 0; - - if (argc < 5) - usage(argv[0]); - - if ((acm_cmd_fd = open("/proc/xen/privcmd", O_RDONLY)) <= 0) { - printf("ERROR: Could not open xen privcmd device!\n"); - exit(-1); - } - - ret = acm_get_decision(acm_cmd_fd, argc, argv); - - printf("Decision: %s (%d)\n", - (ret == ACM_ACCESS_PERMITTED) ? "PERMITTED" : - ((ret == ACM_ACCESS_DENIED) ? "DENIED" : "ERROR"), ret); - - close(acm_cmd_fd); - return ret; -} diff --git a/tools/security/getlabel.sh b/tools/security/getlabel.sh deleted file mode 100644 index f5064c39c1..0000000000 --- a/tools/security/getlabel.sh +++ /dev/null @@ -1,94 +0,0 @@ -#!/bin/sh -# * -# * getlabel -# * -# * Copyright (C) 2005 IBM Corporation -# * -# * Authors: -# * Stefan Berger <stefanb@us.ibm.com> -# * -# * This program is free software; you can redistribute it and/or -# * modify it under the terms of the GNU General Public License as -# * published by the Free Software Foundation, version 2 of the -# * License. -# * -# * 'getlabel' tries to find the labels corresponding to the ssidref -# * -# * 'getlabel -?' shows the usage of the program -# * -# * 'getlabel -sid <ssidref> [<policy name>]' lists the label corresponding -# * to the given ssidref. -# * -# * 'getlabel -dom <domain id> [<policy name>]' lists the label of the -# * domain with given id -# * -# - -if [ -z "$runbash" ]; then - runbash="1" - export runbash - exec sh -c "bash $0 $*" -fi - - -export PATH=$PATH:. -dir=`dirname $0` -source $dir/labelfuncs.sh - -usage () -{ - prg=`basename $0` -echo "Use this tool to display the label of a domain or the label that is -corresponding to an ssidref given the name of the running policy. - -Usage: $prg -sid <ssidref> [<policy name> [<policy dir>]] or - $prg -dom <domid> [<policy name> [<policy dir>]] - -policy name : the name of the policy, i.e. 'chwall' - If the policy name is omitted, the grub.conf - entry of the running system is tried to be read - and the policy name determined from there. -policy dir : the directory where the <policy name> policy is located - The default location is '/etc/xen/acm-security/policies' -ssidref : an ssidref in hex or decimal format, i.e., '0x00010002' - or '65538' -domid : id of the domain, i.e., '1'; Use numbers from the 2nd - column shown when invoking 'xm list' -" -} - - - -if [ "$1" == "-h" ]; then - usage - exit 0 -elif [ "$1" == "-dom" ]; then - mode="domid" - shift -elif [ "$1" == "-sid" ]; then - mode="sid" - shift -else - usage - exit -1 -fi - -setPolicyVars $2 $3 -findMapFile $policy $policydir -ret=$? -if [ $ret -eq 0 ]; then - echo "Could not find map file for policy '$policy'." - exit -1 -fi - -if [ "$mode" == "domid" ]; then - getSSIDUsingSecpolTool $1 - ret=$? - if [ $ret -eq 0 ]; then - echo "Could not determine the SSID of the domain." - exit -1 - fi - translateSSIDREF $ssid $mapfile -else # mode == sid - translateSSIDREF $1 $mapfile -fi diff --git a/tools/security/labelfuncs.sh b/tools/security/labelfuncs.sh deleted file mode 100644 index 9b22e18b3f..0000000000 --- a/tools/security/labelfuncs.sh +++ /dev/null @@ -1,799 +0,0 @@ -# * -# * labelfuncs.sh -# * -# * Copyright (C) 2005 IBM Corporation -# * -# * Authors: -# * Stefan Berger <stefanb@us.ibm.com> -# * -# * This program is free software; you can redistribute it and/or -# * modify it under the terms of the GNU General Public License as -# * published by the Free Software Foundation, version 2 of the -# * License. -# * -# * -# * A collection of functions to handle polcies, mapfiles, -# * and ssidrefs. -# - - -#Some global variables for tools using this module -ACM_DEFAULT_ROOT="/etc/xen/acm-security" - -# Set the policy and policydir variables -# Parameters: -# 1st : possible policy name -# 2nd : possible policy directory -# Results: -# The variables policy and policydir will hold the values for locating -# policy information -# If there are no errors, the functions returns a '1', -# a '0' otherwise. -setPolicyVars () -{ - local ret - # Set default values - policydir="$ACM_DEFAULT_ROOT/policies" - policy="" - - if [ "$1" == "" ]; then - findGrubConf - ret=$? - if [ $ret -eq 0 ]; then - echo "Could not find grub.conf." - return 0; - fi - findPolicyInGrub $grubconf - if [ "$policy" == "" ]; then - echo "Could not find policy in grub.conf. Looked for entry using kernel $linux." - return 0; - fi - echo "Assuming policy to be '$policy'."; - else - policy=$1 - if [ "$2" != "" ]; then - policydir=$2 - fi - fi - - return 1 -} - -# Find the mapfile given a policy nmame -# Parameters: -# 1st : the name of the policy whose map file is to be found, i.e., -# chwall -# 2nd : the policy directory for locating the map file -# Results: -# The variable mapfile will hold the realtive path to the mapfile -# for the given policy. -# In case the mapfile could be found, the functions returns a '1', -# a '0' otherwise. -findMapFile () -{ - mapfile="$2/$1/$1.map" - if [ -r "$mapfile" ]; then - return 1 - fi - return 0 -} - - -# Determine the name of the primary policy -# Parameters -# 1st : the path to the mapfile; the path may be relative -# to the current directory -# Results -# The variable primary will hold the name of the primary policy -getPrimaryPolicy () -{ - local mapfile=$1 - primary=`cat $mapfile | \ - awk ' \ - { \ - if ( $1 == "PRIMARY" ) { \ - res=$2; \ - } \ - } END { \ - print res; \ - } '` -} - - -# Determine the name of the secondary policy -# Parameters -# 1st : the path to the mapfile; the path may be relative -# to the current directory -# Results -# The variable secondary will hold the name of the secondary policy -getSecondaryPolicy () -{ - local mapfile=$1 - secondary=`cat $mapfile | \ - awk ' \ - { \ - if ( $1 == "SECONDARY" ) { \ - res=$2; \ - } \ - } END { \ - print res; \ - } '` -} - - -#Return where the grub.conf file is. -#I only know of one place it can be. -#Returns: -# 1 : if the file is writeable and readable -# 2 : if the file is only readable -# 0 : if the file does not exist -findGrubConf() -{ - grubconf="/boot/grub/grub.conf" - if [ -w $grubconf ]; then - return 1 - fi - if [ -r $grubconf ]; then - return 2 - fi - return 0 -} - - -# This function sets the global variable 'linux' -# to the name and version of the Linux kernel that was compiled -# for domain 0. -# If this variable could not be found, the variable 'linux' -# will hold a pattern -# Parameters: -# 1st: the path to reach the root directory of the XEN build tree -# where linux-*-xen is located at -# Results: -# The variable linux holds then name and version of the compiled -# kernel, i.e., 'vmlinuz-2.6.12-xen' -getLinuxVersion () -{ - local path - local versionfile - local lnx - if [ "$1" == "" ]; then - path="/lib/modules/*-xen" - else - path="/lib/modules/$1" - fi - - linux="" - for f in $path ; do - versionfile=$f/build/include/linux/version.h - if [ -r $versionfile ]; then - lnx=`cat $versionfile | \ - grep UTS_RELEASE | \ - awk '{ \ - len=length($3); \ - version=substr($3,2,len-2); \ - split(version,numbers,"."); \ - if (numbers[4]=="") { \ - printf("%s.%s.%s", \ - numbers[1], \ - numbers[2], \ - numbers[3]); \ - } else { \ - printf("%s.%s.%s[.0-9]*-xen", \ - numbers[1], \ - numbers[2], \ - numbers[3]); \ - } \ - }'` - fi - if [ "$lnx" != "" ]; then - linux="[./0-9a-zA-z]*$lnx" - return; - fi - done - - #Last resort. - linux="vmlinuz-2.[45678].[0-9]*[.0-9]*-xen$" -} - - -# Find out with which policy the hypervisor was booted with. -# Parameters -# 1st : The complete path to grub.conf, i.e., /boot/grub/grub.conf -# Result: -# Sets the variable 'policy' to the name of the policy -findPolicyInGrub () -{ - local grubconf=$1 - local linux=`uname -r` - policy=`cat $grubconf | \ - awk -vlinux=$linux '{ \ - if ( $1 == "title" ) { \ - kernelfound = 0; \ - policymaycome = 0; \ - } \ - else if ( $1 == "kernel" ) { \ - if ( match($2,"xen.gz$") ) { \ - pathlen=RSTART; \ - kernelfound = 1; \ - } \ - } \ - else if ( $1 == "module" && \ - kernelfound == 1 && \ - match($2,linux) ) { \ - policymaycome = 1; \ - } \ - else if ( $1 == "module" && \ - kernelfound == 1 && \ - policymaycome == 1 && \ - match($2,"[0-9a-zA-Z_]*.bin$") ) { \ - policymaycome = 0; \ - kernelfound = 0; \ - polname = substr($2,pathlen); \ - len=length(polname); \ - polname = substr(polname,0,len-4); \ - } \ - } END { \ - print polname \ - }'` -} - - -# Get the SSID of a domain -# Parameters: -# 1st : domain ID, i.e. '1' -# Results -# If the ssid could be found, the variable 'ssid' will hold -# the currently used ssid in the hex format, i.e., '0x00010001'. -# The funtion returns '1' on success, '0' on failure -getSSIDUsingSecpolTool () -{ - local domid=$1 - export PATH=$PATH:. - ssid=`xensec_tool getssid -d $domid -f | \ - grep -E "SSID:" | \ - awk '{ print $4 }'` - - if [ "$ssid" != "" ]; then - return 1 - fi - return 0 -} - - -# Break the ssid identifier into its high and low values, -# which are equal to the secondary and primary policy references. -# Parameters: -# 1st: ssid to break into high and low value, i.e., '0x00010002' -# Results: -# The variable ssidlo_int and ssidhi_int will hold the low and -# high ssid values as integers. -getSSIDLOHI () -{ - local ssid=$1 - ssidlo_int=`echo $ssid | awk \ - '{ \ - len=length($0); \ - beg=substr($0,1,2); \ - if ( beg == "0x" ) { \ - dig = len - 2; \ - if (dig <= 0) { \ - exit; \ - } \ - if (dig > 4) { \ - dig=4; \ - } \ - lo=sprintf("0x%s",substr($0,len-dig+1,dig)); \ - print strtonum(lo);\ - } else { \ - lo=strtonum($0); \ - if (lo < 65536) { \ - print lo; \ - } else { \ - hi=lo; \ - hi2= (hi / 65536);\ - hi2_str=sprintf("%d",hi2); \ - hi2=strtonum(hi2_str);\ - lo=hi-(hi2*65536); \ - printf("%d",lo); \ - } \ - } \ - }'` - ssidhi_int=`echo $ssid | awk \ - '{ \ - len=length($0); \ - beg=substr($0,1,2); \ - if ( beg == "0x" ) { \ - dig = len - 2; \ - if (dig <= 0 || \ - dig > 8) { \ - exit; \ - } \ - if (dig < 4) { \ - print 0; \ - exit; \ - } \ - dig -= 4; \ - hi=sprintf("0x%s",substr($0,len-4-dig+1,dig)); \ - print strtonum(hi);\ - } else { \ - hi=strtonum($0); \ - if (hi >= 65536) { \ - hi = hi / 65536; \ - printf ("%d",hi);\ - } else { \ - printf ("0"); \ - } \ - } \ - }'` - if [ "$ssidhi_int" == "" -o \ - "$ssidlo_int" == "" ]; then - return 0; - fi - return 1 -} - - -#Update the grub configuration file. -#Search for existing entries and replace the current -#policy entry with the policy passed to this script -# -#Arguments passed to this function -# 1st : the grub configuration file with full path -# 2nd : the binary policy file name, i.e. chwall.bin -# 3rd : the name or pattern of the linux kernel name to match -# (this determines where the module entry will be made) -# -# The algorithm here is based on pattern matching -# and is working correctly if -# - under a title a line beginning with 'kernel' is found -# whose following item ends with "xen.gz" -# Example: kernel /xen.gz dom0_mem=.... -# - a module line matching the 3rd parameter is found -# -updateGrub () -{ - local grubconf=$1 - local policyfile=$2 - local linux=$3 - - local tmpfile="/tmp/new_grub.conf" - - cat $grubconf | \ - awk -vpolicy=$policyfile \ - -vlinux=$linux '{ \ - if ( $1 == "title" ) { \ - kernelfound = 0; \ - if ( policymaycome == 1 ){ \ - printf ("\tmodule %s%s\n", path, policy); \ - } \ - policymaycome = 0; \ - } \ - else if ( $1 == "kernel" ) { \ - if ( match($2,"xen.gz$") ) { \ - path=substr($2,1,RSTART-1); \ - kernelfound = 1; \ - } \ - } \ - else if ( $1 == "module" && \ - kernelfound == 1 && \ - match($2,linux) ) { \ - policymaycome = 1; \ - } \ - else if ( $1 == "module" && \ - kernelfound == 1 && \ - policymaycome == 1 && \ - match($2,"[0-9a-zA-Z]*.bin$") ) { \ - printf ("\tmodule %s%s\n", path, policy); \ - policymaycome = 0; \ - kernelfound = 0; \ - dontprint = 1; \ - } \ - else if ( $1 == "" && \ - kernelfound == 1 && \ - policymaycome == 1) { \ - dontprint = 1; \ - } \ - if (dontprint == 0) { \ - printf ("%s\n", $0); \ - } \ - dontprint = 0; \ - } END { \ - if ( policymaycome == 1 ) { \ - printf ("\tmodule %s%s\n", path, policy); \ - } \ - }' > $tmpfile - if [ ! -r $tmpfile ]; then - echo "Could not create temporary file! Aborting." - exit -1 - fi - diff $tmpfile $grubconf > /dev/null - RES=$? - if [ "$RES" == "0" ]; then - echo "No changes were made to $grubconf." - else - echo "Successfully updated $grubconf." - mv -f $tmpfile $grubconf - fi -} - - -#Compile a policy into its binary representation -# Parameters: -# 1st: The directory where the ./policies directory is located at -# 2nd: The name of the policy -genBinPolicy () -{ - local root=$1 - local policy=$2 - pushd $root > /dev/null - xensec_xml2bin -d policies $policy > /dev/null - popd > /dev/null -} - - -# Copy the bootpolicy into the destination directory -# Generate the policy's .bin and .map files if necessary -# Parameters: -# 1st: Destination directory -# 2nd: The root directory of the security tools; this is where the -# policies directory is located at -# 3rd: The policy name -# Returns '1' on success, '0' on failure. -cpBootPolicy () -{ - local dest=$1 - local root=$2 - local policy=$3 - local binfile=$root/policies/$policy/$policy.bin - local dstfile=$dest/$policy.bin - if [ ! -e $binfile ]; then - genBinPolicy $root $policy - if [ ! -e $binfile ]; then - echo "Could not compile policy '$policy'." - return 0 - fi - fi - - if [ ! -e $dstfile -o \ - $binfile -nt $dstfile ]; then - cp -f $binfile $dstfile - fi - return 1 -} - - -# Display all the labels in a given mapfile -# Parameters -# 1st: Full or relative path to the policy's mapfile -showLabels () -{ - local mapfile=$1 - local line - local ITEM - local found=0 - - if [ ! -r "$mapfile" -o "$mapfile" == "" ]; then - echo "Cannot read from vm configuration file $vmfile." - return -1 - fi - - getPrimaryPolicy $mapfile - getSecondaryPolicy $mapfile - - echo "The following labels are available:" - let line=1 - while [ 1 ]; do - ITEM=`cat $mapfile | \ - awk -vline=$line \ - -vprimary=$primary \ - '{ \ - if ($1 == "LABEL->SSID" && \ - $2 == "VM" && \ - $3 == primary ) { \ - ctr++; \ - if (ctr == line) { \ - print $4; \ - } \ - } \ - } END { \ - }'` - - if [ "$ITEM" == "" ]; then - break - fi - if [ "$secondary" != "NULL" ]; then - LABEL=`cat $mapfile | \ - awk -vitem=$ITEM \ - '{ - if ($1 == "LABEL->SSID" && \ - $2 == "VM" && \ - $3 == "CHWALL" && \ - $4 == item ) { \ - result = item; \ - } \ - } END { \ - print result \ - }'` - else - LABEL=$ITEM - fi - - if [ "$LABEL" != "" ]; then - echo "$LABEL" - found=1 - fi - let line=line+1 - done - if [ "$found" != "1" ]; then - echo "No labels found." - fi -} - - -# Get the default SSID given a mapfile and the policy name -# Parameters -# 1st: Full or relative path to the policy's mapfile -# 2nd: the name of the policy -getDefaultSsid () -{ - local mapfile=$1 - local pol=$2 - RES=`cat $mapfile \ - awk -vpol=$pol \ - { \ - if ($1 == "LABEL->SSID" && \ - $2 == "ANY" && \ - $3 == pol && \ - $4 == "DEFAULT" ) {\ - res=$5; \ - } \ - } END { \ - printf "%04x", strtonum(res) \ - }'` - echo "default NULL mapping is $RES" - defaultssid=$RES -} - - -#Relabel a VM configuration file -# Parameters -# 1st: Full or relative path to the VM configuration file -# 2nd: The label to translate into an ssidref -# 3rd: Full or relative path to the policy's map file -# 4th: The mode this function is supposed to operate in: -# 'relabel' : Relabels the file without querying the user -# other : Prompts the user whether to proceed -relabel () -{ - local vmfile=$1 - local label=$2 - local mapfile=$3 - local mode=$4 - local SSIDLO - local SSIDHI - local RES - - if [ ! -r "$vmfile" ]; then - echo "Cannot read from vm configuration file $vmfile." - return -1 - fi - - if [ ! -w "$vmfile" ]; then - echo "Cannot write to vm configuration file $vmfile." - return -1 - fi - - if [ ! -r "$mapfile" ] ; then - echo "Cannot read mapping file $mapfile." - return -1 - fi - - # Determine which policy is primary, which sec. - getPrimaryPolicy $mapfile - getSecondaryPolicy $mapfile - - # Calculate the primary policy's SSIDREF - if [ "$primary" == "NULL" ]; then - SSIDLO="0001" - else - SSIDLO=`cat $mapfile | \ - awk -vlabel=$label \ - -vprimary=$primary \ - '{ \ - if ( $1 == "LABEL->SSID" && \ - $2 == "VM" && \ - $3 == primary && \ - $4 == label ) { \ - result=$5 \ - } \ - } END { \ - if (result != "" ) \ - {printf "%04x", strtonum(result)}\ - }'` - fi - - # Calculate the secondary policy's SSIDREF - if [ "$secondary" == "NULL" ]; then - if [ "$primary" == "NULL" ]; then - SSIDHI="0001" - else - SSIDHI="0000" - fi - else - SSIDHI=`cat $mapfile | \ - awk -vlabel=$label \ - -vsecondary=$secondary \ - '{ \ - if ( $1 == "LABEL->SSID" && \ - $2 == "VM" && \ - $3 == secondary && \ - $4 == label ) { \ - result=$5 \ - } \ - } END { \ - if (result != "" ) \ - {printf "%04x", strtonum(result)}\ - }'` - fi - - if [ "$SSIDLO" == "" -o \ - "$SSIDHI" == "" ]; then - echo "Could not map the given label '$label'." - return -1 - fi - - ACM_POLICY=`cat $mapfile | \ - awk ' { if ( $1 == "POLICY" ) { \ - result=$2 \ - } \ - } \ - END { \ - if (result != "") { \ - printf result \ - } \ - }'` - - if [ "$ACM_POLICY" == "" ]; then - echo "Could not find 'POLICY' entry in map file." - return -1 - fi - - SSIDREF="0x$SSIDHI$SSIDLO" - - if [ "$mode" != "relabel" ]; then - RES=`cat $vmfile | \ - awk '{ \ - if ( substr($1,0,7) == "ssidref" ) {\ - print $0; \ - } \ - }'` - if [ "$RES" != "" ]; then - echo "Do you want to overwrite the existing mapping ($RES)? (y/N)" - read user - if [ "$user" != "y" -a "$user" != "Y" ]; then - echo "Aborted." - return 0 - fi - fi - fi - - #Write the output - local vmtmp1="/tmp/__setlabel.tmp1" - local vmtmp2="/tmp/__setlabel.tmp2" - touch $vmtmp1 - touch $vmtmp2 - if [ ! -w "$vmtmp1" -o ! -w "$vmtmp2" ]; then - echo "Cannot create temporary files. Aborting." - return -1 - fi - RES=`sed -e '/^#ACM_POLICY/d' $vmfile > $vmtmp1` - RES=`sed -e '/^#ACM_LABEL/d' $vmtmp1 > $vmtmp2` - RES=`sed -e '/^ssidref/d' $vmtmp2 > $vmtmp1` - echo "#ACM_POLICY=$ACM_POLICY" >> $vmtmp1 - echo "#ACM_LABEL=$label" >> $vmtmp1 - echo "ssidref = $SSIDREF" >> $vmtmp1 - mv -f $vmtmp1 $vmfile - rm -rf $vmtmp1 $vmtmp2 - echo "Mapped label '$label' to ssidref '$SSIDREF'." -} - - -# Translate an ssidref into its label. This does the reverse lookup -# to the relabel function above. -# This function displays the results. -# Parameters: -# 1st: The ssidref to translate; must be in the form '0x00010002' -# 2nd: Full or relative path to the policy's mapfile -translateSSIDREF () -{ - local ssidref=$1 - local mapfile=$2 - local line1 - local line2 - - if [ ! -r "$mapfile" -o "$mapfile" == "" ]; then - echo "Cannot read from vm configuration file $vmfile." - return -1 - fi - - getPrimaryPolicy $mapfile - getSecondaryPolicy $mapfile - - if [ "$primary" == "NULL" -a "$secondary" == "NULL" ]; then - echo "There are no labels for the NULL policy." - return - fi - - getSSIDLOHI $ssidref - ret=$? - if [ $ret -ne 1 ]; then - echo "Error while parsing the ssid ref number '$ssidref'." - fi; - - let line1=0 - let line2=0 - while [ 1 ]; do - ITEM1=`cat $mapfile | \ - awk -vprimary=$primary \ - -vssidlo=$ssidlo_int \ - -vline=$line1 \ - '{ \ - if ( $1 == "LABEL->SSID" && \ - $3 == primary && \ - int($5) == ssidlo ) { \ - if (l == line) { \ - print $4; \ - exit; \ - } \ - l++; \ - } \ - }'` - - ITEM2=`cat $mapfile | \ - awk -vsecondary=$secondary \ - -vssidhi=$ssidhi_int \ - -vline=$line2 \ - '{ \ - if ( $1 == "LABEL->SSID" && \ - $3 == secondary && \ - int($5) == ssidhi ) { \ - if (l == line) { \ - print $4; \ - exit; \ - } \ - l++; \ - } \ - }'` - - if [ "$secondary" != "NULL" ]; then - if [ "$ITEM1" == "" ]; then - let line1=0 - let line2=line2+1 - else - let line1=line1+1 - fi - - if [ "$ITEM1" == "" -a \ - "$ITEM2" == "" ]; then - echo "Could not determine the referenced label." - break - fi - - if [ "$ITEM1" == "$ITEM2" ]; then - echo "Label: $ITEM1" - break - fi - else - if [ "$ITEM1" != "" ]; then - echo "Label: $ITEM1" - else - if [ "$found" == "0" ]; then - found=1 - else - break - fi - fi - let line1=line1+1 - fi - done -} diff --git a/tools/security/setlabel.sh b/tools/security/setlabel.sh deleted file mode 100644 index cb82a21320..0000000000 --- a/tools/security/setlabel.sh +++ /dev/null @@ -1,106 +0,0 @@ -#!/bin/sh -# * -# * setlabel -# * -# * Copyright (C) 2005 IBM Corporation -# * -# * Authors: -# * Stefan Berger <stefanb@us.ibm.com> -# * -# * This program is free software; you can redistribute it and/or -# * modify it under the terms of the GNU General Public License as -# * published by the Free Software Foundation, version 2 of the -# * License. -# * -# * 'setlabel' labels virtual machine (domain) configuration files with -# * security identifiers that can be enforced in Xen. -# * -# * 'setlabel -?' shows the usage of the program -# * -# * 'setlabel -l vmconfig-file' lists all available labels (only VM -# * labels are used right now) -# * -# * 'setlabel vmconfig-file security-label map-file' inserts the 'ssidref' -# * that corresponds to the security-label under the -# * current policy (if policy changes, 'label' -# * must be re-run over the configuration files; -# * map-file is created during policy translation and -# * is found in the policy's directory -# - -if [ -z "$runbash" ]; then - runbash="1" - export runbash - exec sh -c "bash $0 $*" -fi - -export PATH=$PATH:. -dir=`dirname $0` -source $dir/labelfuncs.sh - -usage () -{ - prg=`basename $0` -echo "Use this tool to put the ssidref corresponding to a label of a policy into -the VM configuration file, or use it to display all labels of a policy. - -Usage: $prg [-r] <vmfile> <label> [<policy name> [<policy dir>]] or - $prg -l [<policy name> [<policy dir>]] - --r : to relabel a file without being prompted --l : to show the valid labels in a map file -vmfile : XEN vm configuration file; give complete path -label : the label to map to an ssidref -policy name : the name of the policy, i.e. 'chwall' - If the policy name is omitted, it is attempted - to find the current policy's name in grub.conf. -policy dir : the directory where the <policy name> policy is located - The default location is '/etc/xen/acm-security/policies' -" -} - -if [ "$1" == "-r" ]; then - mode="relabel" - shift -elif [ "$1" == "-l" ]; then - mode="show" - shift -elif [ "$1" == "-h" ]; then - mode="usage" -fi - -if [ "$mode" == "usage" ]; then - usage -elif [ "$mode" == "show" ]; then - setPolicyVars $1 $2 - ret=$? - if [ $ret -eq 0 ]; then - echo "Error when trying to find policy-related information." - exit -1 - fi - findMapFile $policy $policydir - ret=$? - if [ $ret -eq 0 ]; then - echo "Could not find map file for policy '$policy'." - exit -1 - fi - showLabels $mapfile -else - if [ "$2" == "" ]; then - usage - exit -1 - fi - setPolicyVars $3 $4 - ret=$? - if [ $ret -eq 0 ]; then - echo "Error when trying to find policy-related information." - exit -1 - fi - findMapFile $policy $policydir - ret=$? - if [ $ret -eq 0 ]; then - echo "Could not find map file for policy '$policy'." - exit -1 - fi - relabel $1 $2 $mapfile $mode -fi diff --git a/tools/security/updategrub.sh b/tools/security/updategrub.sh deleted file mode 100644 index d45f2863d2..0000000000 --- a/tools/security/updategrub.sh +++ /dev/null @@ -1,90 +0,0 @@ -#!/bin/sh -# * -# * updategrub -# * -# * Copyright (C) 2005 IBM Corporation -# * -# * Authors: -# * Stefan Berger <stefanb@us.ibm.com> -# * -# * This program is free software; you can redistribute it and/or -# * modify it under the terms of the GNU General Public License as -# * published by the Free Software Foundation, version 2 of the -# * License. -# * -# * -# - -if [ -z "$runbash" ]; then - runbash="1" - export runbash - exec sh -c "bash $0 $*" - exit -fi - -dir=`dirname $0` -source $dir/labelfuncs.sh - -acmroot=$ACM_DEFAULT_ROOT - - -# Show usage of this program -usage () -{ - prg=`basename $0` -echo "Use this tool to add the binary policy to the Xen grub entry and -have Xen automatically enforce the policy when starting. - -Usage: $prg [-d <policies root>] <policy name> [<kernel version>] - -<policies root> : The directory where the policies directory is located in; - default is $acmroot -<policy name> : The name of the policy, i.e. xen_null -<kernel version> : The version of the kernel to apply the policy - against, i.e. 2.6.16-xen - If not specified, a kernel version ending with '-xen' - will be searched for in '/lib/modules' -" -} - - - -if [ "$1" == "-h" ]; then - usage - exit 0 -elif [ "$1" == "-d" ]; then - shift - acmroot=$1 - shift -fi - -if [ "$1" == "" ]; then - echo "Error: Not enough command line parameters." - echo "" - usage - exit -1 -fi - - -policy=$1 -policyfile=$policy.bin - -getLinuxVersion $2 - -findGrubConf -ret=$? -if [ $ret -eq 0 ]; then - echo "Could not find grub.conf." - exit -1 -elif [ $ret -eq 2 ]; then - echo "Need to have write-access to $grubconf. Exiting." - exit -1 -fi - -cpBootPolicy /boot $acmroot $policy -ret=$? -if [ $ret -ne 1 ]; then - echo "Error copying or generating the binary policy." - exit -1 -fi -updateGrub $grubconf $policyfile $linux |