diff options
author | Keir Fraser <keir@xensource.com> | 2007-04-19 19:29:19 +0100 |
---|---|---|
committer | Keir Fraser <keir@xensource.com> | 2007-04-19 19:29:19 +0100 |
commit | 856a272f3590d96129d004839af719b7d018548f (patch) | |
tree | c131b2345ddbf4ebc368b537d4864d4a827b3419 /tools/security | |
parent | e5baa1aa0c0b408ff70edfde038e30ef47688ea7 (diff) | |
download | xen-856a272f3590d96129d004839af719b7d018548f.tar.gz xen-856a272f3590d96129d004839af719b7d018548f.tar.bz2 xen-856a272f3590d96129d004839af719b7d018548f.zip |
[security] When building the binary policy align its contents the same way as the
ACM module does when returning its contents.
Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
Diffstat (limited to 'tools/security')
-rw-r--r-- | tools/security/secpol_tool.c | 12 | ||||
-rw-r--r-- | tools/security/secpol_xml2bin.c | 53 |
2 files changed, 39 insertions, 26 deletions
diff --git a/tools/security/secpol_tool.c b/tools/security/secpol_tool.c index a4a782c754..86ba10114e 100644 --- a/tools/security/secpol_tool.c +++ b/tools/security/secpol_tool.c @@ -43,8 +43,6 @@ fprintf(stderr, "ERROR: " _m " (%d = %s)\n" , ## _a , \ errno, strerror(errno)) -#define ALIGN8(x) (void *)(((long)(x) + 7) & ~7) - void usage(char *progname) { printf("Usage: %s ACTION\n" @@ -192,15 +190,14 @@ void acm_dump_policy_buffer(void *buf, int buflen, ntohl(pol->secondary_buffer_offset)); switch (ntohl(pol->primary_policy_code)) { case ACM_CHINESE_WALL_POLICY: - acm_dump_chinesewall_buffer(ALIGN8(buf + - ntohl(pol->primary_buffer_offset)), + acm_dump_chinesewall_buffer(buf + ntohl(pol->primary_buffer_offset), ntohl(pol->len) - ntohl(pol->primary_buffer_offset), chwall_ref); break; case ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY: - acm_dump_ste_buffer(ALIGN8(buf + ntohl(pol->primary_buffer_offset)), + acm_dump_ste_buffer(buf + ntohl(pol->primary_buffer_offset), ntohl(pol->len) - ntohl(pol->primary_buffer_offset), ste_ref); @@ -216,15 +213,14 @@ void acm_dump_policy_buffer(void *buf, int buflen, switch (ntohl(pol->secondary_policy_code)) { case ACM_CHINESE_WALL_POLICY: - acm_dump_chinesewall_buffer(ALIGN8(buf + - ntohl(pol->secondary_buffer_offset)), + acm_dump_chinesewall_buffer(buf + ntohl(pol->secondary_buffer_offset), ntohl(pol->len) - ntohl(pol->secondary_buffer_offset), chwall_ref); break; case ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY: - acm_dump_ste_buffer(ALIGN8(buf + ntohl(pol->secondary_buffer_offset)), + acm_dump_ste_buffer(buf + ntohl(pol->secondary_buffer_offset), ntohl(pol->len) - ntohl(pol->secondary_buffer_offset), ste_ref); diff --git a/tools/security/secpol_xml2bin.c b/tools/security/secpol_xml2bin.c index 4b8f1dc7cd..98ef3e1af3 100644 --- a/tools/security/secpol_xml2bin.c +++ b/tools/security/secpol_xml2bin.c @@ -46,6 +46,8 @@ #define NULL_LABEL_NAME "__NULL_LABEL__" +#define ROUND8(x) ((x + 7) & ~7) + /* primary / secondary policy component setting */ enum policycomponent { CHWALL, STE, NULLPOLICY } primary = NULLPOLICY, secondary = NULLPOLICY; @@ -1152,6 +1154,19 @@ unsigned char *write_ste_binary(u_int32_t * len_ste) return buf; /* for now */ } +static ssize_t write_padded(int fd, const void *buf, size_t count) +{ + int rc; + static const char padding[7] = {0,0,0,0,0,0,0}; + unsigned int len = ROUND8(count) - count; + + rc = write(fd, buf, count); + if (rc == count && len > 0) { + write(fd, padding, len); + } + return rc; +} + int write_binary(char *filename) { struct acm_policy_buffer header; @@ -1183,35 +1198,37 @@ int write_binary(char *filename) header.xml_pol_version.major = htonl(major); header.xml_pol_version.minor = htonl(minor); - len = sizeof(struct acm_policy_buffer); + len = ROUND8(sizeof(struct acm_policy_buffer)); if (have_chwall) - len += len_chwall; + len += ROUND8(len_chwall); if (have_ste) - len += len_ste; - len += len_pr; /* policy reference is mandatory */ + len += ROUND8(len_ste); + len += ROUND8(len_pr); /* policy reference is mandatory */ header.len = htonl(len); header.policy_reference_offset = - htonl(sizeof(struct acm_policy_buffer)); + htonl(ROUND8(sizeof(struct acm_policy_buffer))); header.primary_buffer_offset = - htonl(sizeof(struct acm_policy_buffer) + len_pr); + htonl(ROUND8(sizeof(struct acm_policy_buffer)) + + ROUND8(len_pr)); if (primary == CHWALL) { header.primary_policy_code = htonl(ACM_CHINESE_WALL_POLICY); header.secondary_buffer_offset = - htonl((sizeof(struct acm_policy_buffer)) + len_pr + - len_chwall); + htonl(ROUND8(sizeof(struct acm_policy_buffer)) + + ROUND8(len_pr) + + ROUND8(len_chwall)); } else if (primary == STE) { header.primary_policy_code = htonl(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY); header.secondary_buffer_offset = - htonl((sizeof(struct acm_policy_buffer)) + len_pr + - len_ste); + htonl(ROUND8(sizeof(struct acm_policy_buffer)) + + ROUND8(len_pr) + + ROUND8(len_ste)); } else { /* null policy */ header.primary_policy_code = htonl(ACM_NULL_POLICY); - header.secondary_buffer_offset = - htonl(header.primary_buffer_offset); + header.secondary_buffer_offset = header.primary_buffer_offset; } if (secondary == CHWALL) @@ -1222,25 +1239,25 @@ int write_binary(char *filename) else header.secondary_policy_code = htonl(ACM_NULL_POLICY); - if (write(fd, (void *) &header, sizeof(struct acm_policy_buffer)) + if (write_padded(fd, (void *) &header, sizeof(struct acm_policy_buffer)) != sizeof(struct acm_policy_buffer)) { ret = -EIO; goto out1; } /* write label reference name */ - if (write(fd, policy_reference_buffer, len_pr) != len_pr) { + if (write_padded(fd, policy_reference_buffer, len_pr) != len_pr) { ret = -EIO; goto out1; } /* write primary policy component */ if (primary == CHWALL) { - if (write(fd, chwall_buffer, len_chwall) != len_chwall) { + if (write_padded(fd, chwall_buffer, len_chwall) != len_chwall) { ret = -EIO; goto out1; } } else if (primary == STE) { - if (write(fd, ste_buffer, len_ste) != len_ste) { + if (write_padded(fd, ste_buffer, len_ste) != len_ste) { ret = -EIO; goto out1; } @@ -1248,12 +1265,12 @@ int write_binary(char *filename) /* write secondary policy component */ if (secondary == CHWALL) { - if (write(fd, chwall_buffer, len_chwall) != len_chwall) { + if (write_padded(fd, chwall_buffer, len_chwall) != len_chwall) { ret = -EIO; goto out1; } } else if (secondary == STE) { - if (write(fd, ste_buffer, len_ste) != len_ste) { + if (write_padded(fd, ste_buffer, len_ste) != len_ste) { ret = -EIO; goto out1; } |