Diffstat (limited to 'tools/misc/policyprocessor/readme.xen')
-rw-r--r-- | tools/misc/policyprocessor/readme.xen | 65 |
1 files changed, 65 insertions, 0 deletions
diff --git a/tools/misc/policyprocessor/readme.xen b/tools/misc/policyprocessor/readme.xen new file mode 100644 index 0000000000..e7f9fa4c9a --- /dev/null +++ b/tools/misc/policyprocessor/readme.xen 
@@ -0,0 +1,65 @@ +# Author: Ray Valdez, rvaldez@us.ibm.com +# Version: 1.0 +# +# This readme describes the policy processor tool for sHype. +# + +Java program: + + java XmlToBin -i [file.xml] -o <file.bin> -xssid <SsidFile> -xssidconf <SsidConf> + + Command line options: + + -i inputFile: name of policyfile (.xml) + -o outputFile: name of binary policy file (Big Endian) + -xssid SsidFile: xen ssids to named types text file + -xssidconf SsidConf: xen conflict ssids to types text file + -debug turn on debug messages + -help help. This printout + +Where: + +file.xml is the (input) xml policy file to be parsed and validated. +The syntax for file.xml is defined in the SecurityPolicySpec.xsd file. +file.bin is the (output) binary policy file generated by XmlToBin. +This binary policy can be activated in sHype. The binary policy file +is laid out in network byte order (i.e., big endian). The SsidFile +file contains the mapping of type enforcement (TE) ssids to the "named +types". Similarly, the SsidConf file contains the mapping of Chinese +Wall (ChWall) ssids to conflict named types. The ssidFile and SsidConf +files are used by Xen. + +Xml Schema and policy: + +The SecurityPolicySpec.xsd defines the syntax of a policy file. It +declares the tags that are used by XmlToBin to generate the binary +policy file. The tags that XmlToBin keys on are TE, ChWall, id, vid, +etc. The xml files that describe a policy are simple. Semantic +checking of a policy is performed mostly by XmlToBin. A type, for +example, is a string. No fixed values are defined for types in Xml. + +A policy consists of two Xml files: definition and policy. The +definition Xml declares the types that are permitted in the policy +Xml. The policy Xml contains the assignment of labels to +subject/object (e.g., vm). This Xml file contains an explicit +reference to the definition Xml (e.g., <url>xen_sample_def.xml</url>). +The policy Xml is the one provided as a command line argument. 
+ + +Files: + +*.java - policy processor source +xen_sample_policy.xml - sample xml policy file +xen_sample_def.xml - sample user defined types +SecurityPolicySpec.xsd - schema definition file + + +To generate the sample binary policy: + +export CLASSPATH=$XERCES_HOME/xercesImpl.jar:$XERCES_HOME/xmlParserAPIs.jar:. + +java XmlToBin -i xen_sample_policy.xml -o xen_sample_policy.bin + +where $XERCES_HOME is the installation directory of the Apache Xerces-J + + |
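Review bot: the usage synopsis and the option table in this hunk disagree about which arguments are required, and the closing example contradicts both. The synopsis writes the input as `[file.xml]` (bracketed as if optional) although `-i inputFile` is the one mandatory input, shows `-xssid <SsidFile>` and `-xssidconf <SsidConf>` in angle brackets as if required, and omits `-debug` and `-help`; the final example `java XmlToBin -i xen_sample_policy.xml -o xen_sample_policy.bin` then runs without either ssid option. Suggest one consistent notation, e.g. `java XmlToBin -i <file.xml> -o <file.bin> [-xssid <SsidFile>] [-xssidconf <SsidConf>] [-debug] [-help]`, plus a sentence on what is emitted when the ssid files are not requested. Because this readme documents the compiler whose output sHype enforces, "Semantic checking of a policy is performed mostly by XmlToBin" should also spell out what that checking covers (at minimum, whether every type used in the policy Xml must be declared in the referenced definition Xml, and whether a failed check exits non-zero without writing a partial .bin) and which checks are left to Xen. Minor: "ssidFile" and "SsidFile" are used for the same file; pick one spelling.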