authorkfraser@localhost.localdomain <kfraser@localhost.localdomain>2007-03-28 14:00:56 +0100
committerkfraser@localhost.localdomain <kfraser@localhost.localdomain>2007-03-28 14:00:56 +0100
commita10e171a41877f0acaadee7d7dfe7840244b0068 (patch)
treea5daa684662f60de77a2ef79eac774253a321319 /tools
parent8588d662d4ee88f63d89cb1b830f5d0800746ede (diff)
downloadxen-a10e171a41877f0acaadee7d7dfe7840244b0068.tar.gz
xen-a10e171a41877f0acaadee7d7dfe7840244b0068.tar.bz2
xen-a10e171a41877f0acaadee7d7dfe7840244b0068.zip
[ACM] Allow version information to be embedded in the XML representation of
the ACM policy. The translation tool has been adapted to parse the version found in the XML representation and put it into the binary policy. Xen has been adapted to remember the version information and report it when asked for the current policy. Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
Diffstat (limited to 'tools')
-rw-r--r--tools/security/policies/security_policy.xsd15
-rw-r--r--tools/security/secpol_tool.c3
-rw-r--r--tools/security/secpol_xml2bin.c77
-rw-r--r--tools/security/secpol_xml2bin.h64
4 files changed, 108 insertions, 51 deletions
diff --git a/tools/security/policies/security_policy.xsd b/tools/security/policies/security_policy.xsd
index f2e9b67e97..8789adb9de 100644
--- a/tools/security/policies/security_policy.xsd
+++ b/tools/security/policies/security_policy.xsd
@@ -22,6 +22,8 @@
<xsd:element name="Reference" type="xsd:string" minOccurs="0" maxOccurs="1" />
<xsd:element name="Date" minOccurs="0" maxOccurs="1" type="xsd:string"></xsd:element>
<xsd:element name="NameSpaceUrl" minOccurs="0" maxOccurs="1" type="xsd:string"></xsd:element>
+ <xsd:element name="Version" minOccurs="0" maxOccurs="1" type="VersionFormat"/>
+ <xsd:element ref="FromPolicy" minOccurs="0" maxOccurs="1"/>
</xsd:sequence>
</xsd:complexType>
</xsd:element>
@@ -116,4 +118,17 @@
<xsd:enumeration value="PrimaryPolicyComponent"></xsd:enumeration>
</xsd:restriction>
</xsd:simpleType>
+ <xsd:element name="FromPolicy">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="PolicyName" minOccurs="1" maxOccurs="1" type="xsd:string"/>
+ <xsd:element name="Version" minOccurs="1" maxOccurs="1" type="VersionFormat"/>
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+ <xsd:simpleType name="VersionFormat">
+ <xsd:restriction base="xsd:string">
+ <xsd:pattern value="[0-9]{1,8}.[0-9]{1,8}"></xsd:pattern>
+ </xsd:restriction>
+ </xsd:simpleType>
</xsd:schema>
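Review bot: The new `VersionFormat` pattern `[0-9]{1,8}.[0-9]{1,8}` leaves the separator unescaped, and in XML Schema regular expressions an unescaped `.` matches any single character, so a value like `1x2` passes validation. The separator should be escaped: `<xsd:pattern value="[0-9]{1,8}\.[0-9]{1,8}"></xsd:pattern>`. This matters because secpol_xml2bin.c in this same commit parses the string with `sscanf("%d.%d")` and does not check how many fields matched, so a value the schema admits but sscanf stops on would presumably be written out as a zero version without any error.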
diff --git a/tools/security/secpol_tool.c b/tools/security/secpol_tool.c
index 470de4f25b..0b9c3e4acd 100644
--- a/tools/security/secpol_tool.c
+++ b/tools/security/secpol_tool.c
@@ -172,6 +172,9 @@ void acm_dump_policy_buffer(void *buf, int buflen)
printf("============\n");
printf("POLICY REFERENCE = %s.\n", policy_reference_name);
printf("PolicyVer = %x.\n", ntohl(pol->policy_version));
+ printf("XML Vers. = %d.%d\n",
+ ntohl(pol->xml_pol_version.major),
+ ntohl(pol->xml_pol_version.minor));
printf("Magic = %x.\n", ntohl(pol->magic));
printf("Len = %x.\n", ntohl(pol->len));
printf("Primary = %s (c=%x, off=%x).\n",
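Review bot: The added `printf` passes the results of `ntohl()`, which are unsigned, through `%d`; the specifiers should match the argument type, `printf("XML Vers. = %u.%u\n",`. acm_dump_policy_buffer begins before this hunk and continues after it, so it is not visible here whether `buflen` is compared against the size of the header struct before these fields are read; if it is not, the two new reads reach further into `buf` than the function did before this change, and that check would be worth confirming.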
diff --git a/tools/security/secpol_xml2bin.c b/tools/security/secpol_xml2bin.c
index c316250e41..581ede1b64 100644
--- a/tools/security/secpol_xml2bin.c
+++ b/tools/security/secpol_xml2bin.c
@@ -108,26 +108,25 @@ char *policy_filename = NULL,
char *policy_reference_name = NULL;
+char *policy_version_string = NULL;
+
void walk_labels(xmlNode * start, xmlDocPtr doc, unsigned long state);
void usage(char *prg)
{
- printf("Usage: %s [OPTIONS] POLICYNAME\n", prg);
- printf
- ("POLICYNAME is the directory name within the policy directory\n");
- printf
- ("that contains the policy files. The default policy directory\n");
- printf("is '%s' (see the '-d' option below to change it)\n",
- POLICY_DIR);
- printf
- ("The policy files contained in the POLICYNAME directory must be named:\n");
- printf("\tPOLICYNAME-security_policy.xml\n");
- printf("\tPOLICYNAME-security_label_template.xml\n\n");
- printf("OPTIONS:\n");
- printf("\t-d POLICYDIR\n");
- printf
- ("\t\tUse POLICYDIR as the policy directory. This directory must contain\n");
- printf("\t\tthe policy schema file 'security_policy.xsd'\n");
+ printf(
+ "Usage: %s [OPTIONS] POLICYNAME\n"
+ "POLICYNAME is the directory name within the policy directory\n"
+ "that contains the policy files. The default policy directory\n"
+ "is '%s' (see the '-d' option below to change it)\n"
+ "The policy files contained in the POLICYNAME directory must be named:\n"
+ "\tPOLICYNAME-security_policy.xml\n"
+ "\tPOLICYNAME-security_label_template.xml\n\n"
+ "OPTIONS:\n"
+ "\t-d POLICYDIR\n"
+ "\t\tUse POLICYDIR as the policy directory. This directory must \n"
+ "\t\tcontain the policy schema file 'security_policy.xsd'\n",
+ prg, POLICY_DIR);
exit(EXIT_FAILURE);
}
@@ -300,25 +299,50 @@ void walk_policy(xmlNode * start, xmlDocPtr doc, unsigned long state)
case XML2BIN_CHWALLTYPES:
case XML2BIN_CONFLICTSETS:
case XML2BIN_POLICYHEADER:
+ case XML2BIN_FROMPOLICY:
walk_policy(cur_node->children, doc, state | (1 << code));
break;
case XML2BIN_POLICYNAME: /* get policy reference name .... */
- if (state != XML2BIN_PN_S) {
+ if (state != XML2BIN_PN_S &&
+ state != XML2BIN_PN_frompolicy_S) {
printf("ERROR: >Url< >%s< out of context.\n",
(char *) xmlNodeListGetString(doc,
cur_node->
xmlChildrenNode, 1));
exit(EXIT_FAILURE);
}
- policy_reference_name = (char *)
- xmlNodeListGetString(doc, cur_node->xmlChildrenNode, 1);
- if (!policy_reference_name) {
- printf("ERROR: empty >policy reference name (Url)<!\n");
+ if (state == XML2BIN_PN_S) {
+ policy_reference_name = (char *)
+ xmlNodeListGetString(doc, cur_node->xmlChildrenNode, 1);
+ if (!policy_reference_name) {
+ printf("ERROR: empty >policy reference name (Url)<!\n");
+ exit(EXIT_FAILURE);
+ } else
+ printf("Policy Reference name (Url): %s\n",
+ policy_reference_name);
+ }
+ break;
+
+ case XML2BIN_VERSION: /* get policy version number .... */
+ if (state != XML2BIN_PN_S &&
+ state != XML2BIN_PN_frompolicy_S) {
+ printf("ERROR: >Url< >%s< out of context.\n",
+ (char *) xmlNodeListGetString(doc,
+ cur_node->
+ xmlChildrenNode, 1));
exit(EXIT_FAILURE);
- } else
- printf("Policy Reference name (Url): %s\n",
- policy_reference_name);
+ }
+ if (state == XML2BIN_PN_S) {
+ policy_version_string = (char *)
+ xmlNodeListGetString(doc, cur_node->xmlChildrenNode, 1);
+ if (!policy_version_string) {
+ printf("ERROR: empty >policy version string <!\n");
+ exit(EXIT_FAILURE);
+ } else
+ printf("Policy version string: %s\n",
+ policy_version_string);
+ }
break;
case XML2BIN_STE:
@@ -1135,9 +1159,12 @@ int write_binary(char *filename)
NULL, *policy_reference_buffer = NULL;
u_int32_t len;
int fd, ret = 0;
+ uint32_t major = 0, minor = 0;
u_int32_t len_ste = 0, len_chwall = 0, len_pr = 0; /* length of policy components */
+ sscanf(policy_version_string,"%d.%d", &major, &minor);
+
/* open binary file */
if ((fd =
open(filename, O_WRONLY | O_CREAT | O_TRUNC,
@@ -1152,6 +1179,8 @@ int write_binary(char *filename)
/* determine primary component (default chwall) */
header.policy_version = htonl(ACM_POLICY_VERSION);
header.magic = htonl(ACM_MAGIC);
+ header.xml_pol_version.major = htonl(major);
+ header.xml_pol_version.minor = htonl(minor);
len = sizeof(struct acm_policy_buffer);
if (have_chwall)
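Review bot: `sscanf(policy_version_string, "%d.%d", &major, &minor);` in the write_binary hunk dereferences `policy_version_string` without a NULL check and discards the return value; the schema change in this commit declares `Version` with `minOccurs="0"`, so a policy file that simply omits the element leaves the pointer at its NULL initialiser and crashes the tool instead of producing a diagnostic, while a partially matching string silently yields a zero version. `%d` also stores through `uint32_t *`, which is a conversion/argument type mismatch; declaring the locals as `unsigned int` and scanning with `%u` removes it, and `htonl()` accepts them unchanged. I used `exit(EXIT_FAILURE)` below because that is how walk_policy reports parse errors on this page; write_binary's own error path (`ret`) lies outside the hunk, so returning through it may be the better fit. Separately, in the walk_policy hunk the out-of-context message for the new `XML2BIN_VERSION` case still reads `>Url<`; `printf("ERROR: >Version< >%s< out of context.\n",` would name the right element.
```c
    /* … unchanged: other local declarations … */
    unsigned int major = 0, minor = 0;
    u_int32_t len_ste = 0, len_chwall = 0, len_pr = 0; /* length of policy components */

    /* Version is optional in the schema; refuse to write a binary with an unknown version */
    if (policy_version_string == NULL ||
        sscanf(policy_version_string, "%u.%u", &major, &minor) != 2) {
        printf("ERROR: missing or malformed policy version string.\n");
        exit(EXIT_FAILURE);
    }

    /* … unchanged: open binary file … */
```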
diff --git a/tools/security/secpol_xml2bin.h b/tools/security/secpol_xml2bin.h
index cb4e9023dc..0afb85505c 100644
--- a/tools/security/secpol_xml2bin.h
+++ b/tools/security/secpol_xml2bin.h
@@ -22,31 +22,35 @@
#define SCHEMA_FILENAME "security_policy.xsd"
/* basic states (used as 1 << X) */
-#define ENDOFLIST_POS 22 /* ADAPT!! this position will be NULL; stay below 32 (bit) */
-#define XML2BIN_SECPOL 0 /* policy tokens */
-#define XML2BIN_STE 1
-#define XML2BIN_CHWALL 2
-#define XML2BIN_CONFLICTSETS 3
-#define XML2BIN_CSTYPE 4
-#define XML2BIN_POLICYHEADER 5
-#define XML2BIN_NSURL 6
-#define XML2BIN_POLICYNAME 7
-#define XML2BIN_URL 8
-#define XML2BIN_REFERENCE 9
-#define XML2BIN_DATE 10
-
-#define XML2BIN_LABELTEMPLATE 11 /* label tokens */
-#define XML2BIN_SUBJECTS 12
-#define XML2BIN_OBJECTS 13
-#define XML2BIN_VM 14
-#define XML2BIN_RES 15
-#define XML2BIN_NAME 16
-
-#define XML2BIN_STETYPES 17 /* shared tokens */
-#define XML2BIN_CHWALLTYPES 18
-#define XML2BIN_TYPE 19
-#define XML2BIN_TEXT 20
-#define XML2BIN_COMMENT 21
+enum {
+ XML2BIN_SECPOL = 0, /* policy tokens */
+ XML2BIN_STE,
+ XML2BIN_CHWALL,
+ XML2BIN_CONFLICTSETS,
+ XML2BIN_CSTYPE,
+ XML2BIN_POLICYHEADER,
+ XML2BIN_NSURL,
+ XML2BIN_POLICYNAME,
+ XML2BIN_URL,
+ XML2BIN_REFERENCE,
+ XML2BIN_DATE,
+ XML2BIN_VERSION,
+ XML2BIN_FROMPOLICY,
+
+ XML2BIN_LABELTEMPLATE, /* label tokens */
+ XML2BIN_SUBJECTS,
+ XML2BIN_OBJECTS,
+ XML2BIN_VM,
+ XML2BIN_RES,
+ XML2BIN_NAME,
+
+ XML2BIN_STETYPES,
+ XML2BIN_CHWALLTYPES,
+ XML2BIN_TYPE,
+ XML2BIN_TEXT,
+ XML2BIN_COMMENT,
+ ENDOFLIST_POS /* keep last ! */
+};
/* type "data type" (currently 16bit) */
typedef u_int16_t type_t;
@@ -68,6 +72,8 @@ char *token[32] = /* parser triggers */
[XML2BIN_URL] = "PolicyUrl",
[XML2BIN_REFERENCE] = "Reference",
[XML2BIN_DATE] = "Date",
+ [XML2BIN_VERSION] = "Version",
+ [XML2BIN_FROMPOLICY] = "FromPolicy",
[XML2BIN_LABELTEMPLATE] = "SecurityLabelTemplate", /* label-template xml */
[XML2BIN_SUBJECTS] = "SubjectLabels",
@@ -79,7 +85,7 @@ char *token[32] = /* parser triggers */
[XML2BIN_STETYPES] = "SimpleTypeEnforcementTypes", /* common tags */
[XML2BIN_CHWALLTYPES] = "ChineseWallTypes",
[XML2BIN_TYPE] = "Type",
- [XML2BIN_TEXT] = "text",
+ [XML2BIN_TEXT] = "text",
[XML2BIN_COMMENT] = "comment",
[ENDOFLIST_POS] = NULL /* End of LIST, adapt ENDOFLIST_POS
when adding entries */
@@ -112,6 +118,10 @@ char *token[32] = /* parser triggers */
#define XML2BIN_PN_S ((1 << XML2BIN_SECPOL) | \
(1 << XML2BIN_POLICYHEADER))
+#define XML2BIN_PN_frompolicy_S ((1 << XML2BIN_SECPOL) | \
+ (1 << XML2BIN_POLICYHEADER) | \
+ (1 << XML2BIN_FROMPOLICY))
+
/* label xml states */
#define XML2BIN_VM_S ((1 << XML2BIN_SECPOL) | \
(1 << XML2BIN_LABELTEMPLATE) | \
@@ -147,7 +157,7 @@ char *token[32] = /* parser triggers */
*/
/* protects from unnoticed changes in struct acm_policy_buffer */
-#define WRITTEN_AGAINST_ACM_POLICY_VERSION 2
+#define WRITTEN_AGAINST_ACM_POLICY_VERSION 3
/* protects from unnoticed changes in struct acm_chwall_policy_buffer */
#define WRITTEN_AGAINST_ACM_CHWALL_VERSION 1
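Review bot: The enum's trailing comment `/* keep last ! */` drops the constraint the removed `#define ENDOFLIST_POS 22` spelled out: the value must stay below 32, because the tokens index `char *token[32]` and are shifted as `1 << X` into the state word (see the "basic states (used as 1 << X)" comment and the `1 << code` call in walk_policy). Suggest `ENDOFLIST_POS /* keep last! must stay < 32: indexes token[32] and is used as a 1 << X state bit */`. The comment on the `[ENDOFLIST_POS] = NULL` entry, "adapt ENDOFLIST_POS when adding entries", is now stale since the enum assigns the value automatically; `/* end of list */` is enough.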