/******************************************************************************
+ * xc_acm.c
*
- * Copyright (C) 2005 IBM Corporation
+ * Copyright (C) 2005, 2006 IBM Corporation, R Sailer
*
* Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*
- * Authors:
- * Reiner Sailer <sailer@watson.ibm.com>
- * Stefan Berger <stefanb@watson.ibm.com>
- *
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation, version 2 of the
#include "xc_private.h"
-int xc_acm_op(int xc_handle, struct acm_op *op)
+
+int xc_acm_op(int xc_handle, int cmd, void *arg, size_t arg_size)
{
int ret = -1;
DECLARE_HYPERCALL;
- op->interface_version = ACM_INTERFACE_VERSION;
-
hypercall.op = __HYPERVISOR_acm_op;
- hypercall.arg[0] = (unsigned long) op;
+ hypercall.arg[0] = cmd;
+ hypercall.arg[1] = (unsigned long) arg;
- if (mlock(op, sizeof(*op)) != 0) {
- PERROR("Could not lock memory for Xen policy hypercall");
- goto out1;
+ if (mlock(arg, arg_size) != 0) {
+ PERROR("xc_acm_op: arg mlock failed");
+ goto out;
}
-
ret = do_xen_hypercall(xc_handle, &hypercall);
- ret = ioctl(xc_handle, IOCTL_PRIVCMD_HYPERCALL, &hypercall);
- if (ret < 0) {
- goto out2;
- }
- out2:
- safe_munlock(op, sizeof(*op));
- out1:
+ safe_munlock(arg, arg_size);
+ out:
return ret;
}
unsigned long long ptr, unsigned long long val);
int xc_finish_mmu_updates(int xc_handle, xc_mmu_t *mmu);
-int xc_acm_op(int xc_handle, struct acm_op *op);
+int xc_acm_op(int xc_handle, int cmd, void *arg, size_t arg_size);
#endif
/* generic shared function */
void * __getssid(int domid, uint32_t *buflen)
{
- struct acm_op op;
+ struct acm_getssid getssid;
int xc_handle;
#define SSID_BUFFER_SIZE 4096
void *buf = NULL;
goto out2;
}
memset(buf, 0, SSID_BUFFER_SIZE);
- op.cmd = ACM_GETSSID;
- op.interface_version = ACM_INTERFACE_VERSION;
- op.u.getssid.ssidbuf = buf;
- op.u.getssid.ssidbuf_size = SSID_BUFFER_SIZE;
- op.u.getssid.get_ssid_by = DOMAINID;
- op.u.getssid.id.domainid = domid;
-
- if (xc_acm_op(xc_handle, &op) < 0) {
+ getssid.interface_version = ACM_INTERFACE_VERSION;
+ getssid.ssidbuf = buf;
+ getssid.ssidbuf_size = SSID_BUFFER_SIZE;
+ getssid.get_ssid_by = DOMAINID;
+ getssid.id.domainid = domid;
+
+ if (xc_acm_op(xc_handle, ACMOP_getssid, &getssid, sizeof(getssid)) < 0) {
if (errno == EACCES)
PERROR("ACM operation failed.");
free(buf);
static PyObject *getdecision(PyObject * self, PyObject * args)
{
char *arg1_name, *arg1, *arg2_name, *arg2, *decision = NULL;
- struct acm_op op;
+ struct acm_getdecision getdecision;
int xc_handle;
if (!PyArg_ParseTuple(args, "ssss", &arg1_name, &arg1, &arg2_name, &arg2)) {
(strcmp(arg2_name, "domid") && strcmp(arg2_name, "ssidref")))
return NULL;
- op.cmd = ACM_GETDECISION;
- op.interface_version = ACM_INTERFACE_VERSION;
- op.u.getdecision.hook = SHARING;
+ getdecision.interface_version = ACM_INTERFACE_VERSION;
+ getdecision.hook = SHARING;
if (!strcmp(arg1_name, "domid")) {
- op.u.getdecision.get_decision_by1 = DOMAINID;
- op.u.getdecision.id1.domainid = atoi(arg1);
+ getdecision.get_decision_by1 = DOMAINID;
+ getdecision.id1.domainid = atoi(arg1);
} else {
- op.u.getdecision.get_decision_by1 = SSIDREF;
- op.u.getdecision.id1.ssidref = atol(arg1);
+ getdecision.get_decision_by1 = SSIDREF;
+ getdecision.id1.ssidref = atol(arg1);
}
if (!strcmp(arg2_name, "domid")) {
- op.u.getdecision.get_decision_by2 = DOMAINID;
- op.u.getdecision.id2.domainid = atoi(arg2);
+ getdecision.get_decision_by2 = DOMAINID;
+ getdecision.id2.domainid = atoi(arg2);
} else {
- op.u.getdecision.get_decision_by2 = SSIDREF;
- op.u.getdecision.id2.ssidref = atol(arg2);
+ getdecision.get_decision_by2 = SSIDREF;
+ getdecision.id2.ssidref = atol(arg2);
}
- if (xc_acm_op(xc_handle, &op) < 0) {
+ if (xc_acm_op(xc_handle, ACMOP_getdecision, &getdecision, sizeof(getdecision)) < 0) {
if (errno == EACCES)
PERROR("ACM operation failed.");
}
xc_interface_close(xc_handle);
- if (op.u.getdecision.acm_decision == ACM_ACCESS_PERMITTED)
+ if (getdecision.acm_decision == ACM_ACCESS_PERMITTED)
decision = "PERMITTED";
- else if (op.u.getdecision.acm_decision == ACM_ACCESS_DENIED)
+ else if (getdecision.acm_decision == ACM_ACCESS_DENIED)
decision = "DENIED";
return Py_BuildValue("s", decision);
uint8_t pull_buffer[PULL_CACHE_SIZE];
int acm_domain_getpolicy(int xc_handle)
{
- struct acm_op op;
+ struct acm_getpolicy getpolicy;
int ret;
memset(pull_buffer, 0x00, sizeof(pull_buffer));
- op.cmd = ACM_GETPOLICY;
- op.u.getpolicy.pullcache = (void *) pull_buffer;
- op.u.getpolicy.pullcache_size = sizeof(pull_buffer);
- if ((ret = xc_acm_op(xc_handle, &op)) < 0) {
+ getpolicy.interface_version = ACM_INTERFACE_VERSION;
+ getpolicy.pullcache = (void *) pull_buffer;
+ getpolicy.pullcache_size = sizeof(pull_buffer);
+ ret = xc_acm_op(xc_handle, ACMOP_getpolicy, &getpolicy, sizeof(getpolicy));
+
+ if (ret < 0) {
printf("ACM operation failed: errno=%d\n", errno);
if (errno == EACCES)
fprintf(stderr, "ACM operation failed -- need to"
goto free_out;
}
if (len == read(fd, buffer, len)) {
- struct acm_op op;
+ struct acm_setpolicy setpolicy;
/* dump it and then push it down into xen/acm */
acm_dump_policy_buffer(buffer, len);
- op.cmd = ACM_SETPOLICY;
- op.u.setpolicy.pushcache = (void *) buffer;
- op.u.setpolicy.pushcache_size = len;
- ret = xc_acm_op(xc_handle, &op);
+ setpolicy.interface_version = ACM_INTERFACE_VERSION;
+ setpolicy.pushcache = (void *) buffer;
+ setpolicy.pushcache_size = len;
+ ret = xc_acm_op(xc_handle, ACMOP_setpolicy, &setpolicy, sizeof(setpolicy));
if (ret)
printf
int acm_domain_dumpstats(int xc_handle)
{
uint8_t stats_buffer[PULL_STATS_SIZE];
- struct acm_op op;
+ struct acm_dumpstats dumpstats;
int ret;
struct acm_stats_buffer *stats;
memset(stats_buffer, 0x00, sizeof(stats_buffer));
- op.cmd = ACM_DUMPSTATS;
- op.u.dumpstats.pullcache = (void *) stats_buffer;
- op.u.dumpstats.pullcache_size = sizeof(stats_buffer);
- ret = xc_acm_op(xc_handle, &op);
+ dumpstats.interface_version = ACM_INTERFACE_VERSION;
+ dumpstats.pullcache = (void *) stats_buffer;
+ dumpstats.pullcache_size = sizeof(stats_buffer);
+ ret = xc_acm_op(xc_handle, ACMOP_dumpstats, &dumpstats, sizeof(dumpstats));
if (ret < 0) {
printf
#ifndef ACM_SECURITY
-long do_acm_op(XEN_GUEST_HANDLE(acm_op_t) u_acm_op)
+
+long do_acm_op(int cmd, XEN_GUEST_HANDLE(void) arg)
{
return -ENOSYS;
}
+
#else
-enum acm_operation {
- POLICY, /* access to policy interface (early drop) */
- GETPOLICY, /* dump policy cache */
- SETPOLICY, /* set policy cache (controls security) */
- DUMPSTATS, /* dump policy statistics */
- GETSSID, /* retrieve ssidref for domain id (decide inside authorized domains) */
- GETDECISION /* retrieve ACM decision from authorized domains */
-};
-int acm_authorize_acm_ops(struct domain *d, enum acm_operation pops)
+int acm_authorize_acm_ops(struct domain *d)
{
/* currently, policy management functions are restricted to privileged domains */
if (!IS_PRIV(d))
return -EPERM;
-
return 0;
}
-long do_acm_op(XEN_GUEST_HANDLE(acm_op_t) u_acm_op)
+
+long do_acm_op(int cmd, XEN_GUEST_HANDLE(void) arg)
{
- long ret = 0;
- struct acm_op curop, *op = &curop;
+ long rc = -EFAULT;
- if (acm_authorize_acm_ops(current->domain, POLICY))
+ if (acm_authorize_acm_ops(current->domain))
return -EPERM;
- if (copy_from_guest(op, u_acm_op, 1))
- return -EFAULT;
+ switch ( cmd )
+ {
- if (op->interface_version != ACM_INTERFACE_VERSION)
- return -EACCES;
+ case ACMOP_setpolicy: {
+ struct acm_setpolicy setpolicy;
+ if (copy_from_guest(&setpolicy, arg, 1) != 0)
+ return -EFAULT;
+ if (setpolicy.interface_version != ACM_INTERFACE_VERSION)
+ return -EACCES;
- switch (op->cmd)
- {
- case ACM_SETPOLICY:
- {
- ret = acm_authorize_acm_ops(current->domain, SETPOLICY);
- if (!ret)
- ret = acm_set_policy(op->u.setpolicy.pushcache,
- op->u.setpolicy.pushcache_size, 1);
+ rc = acm_set_policy(setpolicy.pushcache,
+ setpolicy.pushcache_size, 1);
+ break;
}
- break;
- case ACM_GETPOLICY:
- {
- ret = acm_authorize_acm_ops(current->domain, GETPOLICY);
- if (!ret)
- ret = acm_get_policy(op->u.getpolicy.pullcache,
- op->u.getpolicy.pullcache_size);
- if (!ret)
- copy_to_guest(u_acm_op, op, 1);
+ case ACMOP_getpolicy: {
+ struct acm_getpolicy getpolicy;
+ if (copy_from_guest(&getpolicy, arg, 1) != 0)
+ return -EFAULT;
+ if (getpolicy.interface_version != ACM_INTERFACE_VERSION)
+ return -EACCES;
+
+ rc = acm_get_policy(getpolicy.pullcache,
+ getpolicy.pullcache_size);
+ break;
}
- break;
- case ACM_DUMPSTATS:
- {
- ret = acm_authorize_acm_ops(current->domain, DUMPSTATS);
- if (!ret)
- ret = acm_dump_statistics(op->u.dumpstats.pullcache,
- op->u.dumpstats.pullcache_size);
- if (!ret)
- copy_to_guest(u_acm_op, op, 1);
+ case ACMOP_dumpstats: {
+ struct acm_dumpstats dumpstats;
+ if (copy_from_guest(&dumpstats, arg, 1) != 0)
+ return -EFAULT;
+ if (dumpstats.interface_version != ACM_INTERFACE_VERSION)
+ return -EACCES;
+
+ rc = acm_dump_statistics(dumpstats.pullcache,
+ dumpstats.pullcache_size);
+ break;
}
- break;
- case ACM_GETSSID:
- {
+ case ACMOP_getssid: {
+ struct acm_getssid getssid;
ssidref_t ssidref;
- ret = acm_authorize_acm_ops(current->domain, GETSSID);
- if (ret)
- break;
+ if (copy_from_guest(&getssid, arg, 1) != 0)
+ return -EFAULT;
+ if (getssid.interface_version != ACM_INTERFACE_VERSION)
+ return -EACCES;
- if (op->u.getssid.get_ssid_by == SSIDREF)
- ssidref = op->u.getssid.id.ssidref;
- else if (op->u.getssid.get_ssid_by == DOMAINID)
+ if (getssid.get_ssid_by == SSIDREF)
+ ssidref = getssid.id.ssidref;
+ else if (getssid.get_ssid_by == DOMAINID)
{
- struct domain *subj = find_domain_by_id(op->u.getssid.id.domainid);
+ struct domain *subj = find_domain_by_id(getssid.id.domainid);
if (!subj)
{
- ret = -ESRCH; /* domain not found */
+ rc = -ESRCH; /* domain not found */
break;
}
if (subj->ssid == NULL)
{
put_domain(subj);
- ret = -ESRCH;
+ rc = -ESRCH;
break;
}
ssidref = ((struct acm_ssid_domain *)(subj->ssid))->ssidref;
}
else
{
- ret = -ESRCH;
+ rc = -ESRCH;
break;
}
- ret = acm_get_ssid(ssidref,
- op->u.getssid.ssidbuf,
- op->u.getssid.ssidbuf_size);
- if (!ret)
- copy_to_guest(u_acm_op, op, 1);
+ rc = acm_get_ssid(ssidref, getssid.ssidbuf, getssid.ssidbuf_size);
+ break;
}
- break;
- case ACM_GETDECISION:
- {
+ case ACMOP_getdecision: {
+ struct acm_getdecision getdecision;
ssidref_t ssidref1, ssidref2;
- ret = acm_authorize_acm_ops(current->domain, GETDECISION);
- if (ret)
- break;
+ if (copy_from_guest(&getdecision, arg, 1) != 0)
+ return -EFAULT;
+ if (getdecision.interface_version != ACM_INTERFACE_VERSION)
+ return -EACCES;
- if (op->u.getdecision.get_decision_by1 == SSIDREF)
- ssidref1 = op->u.getdecision.id1.ssidref;
- else if (op->u.getdecision.get_decision_by1 == DOMAINID)
+ if (getdecision.get_decision_by1 == SSIDREF)
+ ssidref1 = getdecision.id1.ssidref;
+ else if (getdecision.get_decision_by1 == DOMAINID)
{
- struct domain *subj = find_domain_by_id(op->u.getdecision.id1.domainid);
+ struct domain *subj = find_domain_by_id(getdecision.id1.domainid);
if (!subj)
{
- ret = -ESRCH; /* domain not found */
+ rc = -ESRCH; /* domain not found */
break;
}
if (subj->ssid == NULL)
{
put_domain(subj);
- ret = -ESRCH;
+ rc = -ESRCH;
break;
}
ssidref1 = ((struct acm_ssid_domain *)(subj->ssid))->ssidref;
}
else
{
- ret = -ESRCH;
+ rc = -ESRCH;
break;
}
- if (op->u.getdecision.get_decision_by2 == SSIDREF)
- ssidref2 = op->u.getdecision.id2.ssidref;
- else if (op->u.getdecision.get_decision_by2 == DOMAINID)
+ if (getdecision.get_decision_by2 == SSIDREF)
+ ssidref2 = getdecision.id2.ssidref;
+ else if (getdecision.get_decision_by2 == DOMAINID)
{
- struct domain *subj = find_domain_by_id(op->u.getdecision.id2.domainid);
+ struct domain *subj = find_domain_by_id(getdecision.id2.domainid);
if (!subj)
{
- ret = -ESRCH; /* domain not found */
+ rc = -ESRCH; /* domain not found */
break;;
}
if (subj->ssid == NULL)
{
put_domain(subj);
- ret = -ESRCH;
+ rc = -ESRCH;
break;
}
ssidref2 = ((struct acm_ssid_domain *)(subj->ssid))->ssidref;
}
else
{
- ret = -ESRCH;
+ rc = -ESRCH;
break;
}
- ret = acm_get_decision(ssidref1, ssidref2, op->u.getdecision.hook);
+ rc = acm_get_decision(ssidref1, ssidref2, getdecision.hook);
- if (ret == ACM_ACCESS_PERMITTED)
+ if (rc == ACM_ACCESS_PERMITTED)
{
- op->u.getdecision.acm_decision = ACM_ACCESS_PERMITTED;
- ret = 0;
+ getdecision.acm_decision = ACM_ACCESS_PERMITTED;
+ rc = 0;
}
- else if (ret == ACM_ACCESS_DENIED)
+ else if (rc == ACM_ACCESS_DENIED)
{
- op->u.getdecision.acm_decision = ACM_ACCESS_DENIED;
- ret = 0;
+ getdecision.acm_decision = ACM_ACCESS_DENIED;
+ rc = 0;
}
else
- ret = -ESRCH;
+ rc = -ESRCH;
- if (!ret)
- copy_to_guest(u_acm_op, op, 1);
+ if ( (rc == 0) && (copy_to_guest(arg, &getdecision, 1) != 0) )
+ rc = -EFAULT;
+ break;
}
- break;
default:
- ret = -ESRCH;
+ rc = -ENOSYS;
+ break;
}
- return ret;
+ return rc;
}
#endif
* acm_ops.h: Xen access control module hypervisor commands
*
* Reiner Sailer <sailer@watson.ibm.com>
- * Copyright (c) 2005, International Business Machines Corporation.
+ * Copyright (c) 2005,2006 International Business Machines Corporation.
*/
#ifndef __XEN_PUBLIC_ACM_OPS_H__
* This makes sure that old versions of acm tools will stop working in a
* well-defined way (rather than crashing the machine, for instance).
*/
-#define ACM_INTERFACE_VERSION 0xAAAA0006
+#define ACM_INTERFACE_VERSION 0xAAAA0007
/************************************************************************/
-#define ACM_SETPOLICY 4
+/*
+ * Prototype for this hypercall is:
+ * int acm_op(int cmd, void *args)
+ * @cmd == ACMOP_??? (access control module operation).
+ * @args == Operation-specific extra arguments (NULL if none).
+ */
+
+
+#define ACMOP_setpolicy 1
struct acm_setpolicy {
- /* OUT variables */
+ /* IN */
+ uint32_t interface_version;
void *pushcache;
uint32_t pushcache_size;
};
-#define ACM_GETPOLICY 5
+#define ACMOP_getpolicy 2
struct acm_getpolicy {
- /* OUT variables */
+ /* IN */
+ uint32_t interface_version;
void *pullcache;
uint32_t pullcache_size;
};
-#define ACM_DUMPSTATS 6
+#define ACMOP_dumpstats 3
struct acm_dumpstats {
+ /* IN */
+ uint32_t interface_version;
void *pullcache;
uint32_t pullcache_size;
};
-#define ACM_GETSSID 7
+#define ACMOP_getssid 4
enum get_type {UNSET=0, SSIDREF, DOMAINID};
struct acm_getssid {
+ /* IN */
+ uint32_t interface_version;
enum get_type get_ssid_by;
union {
domaintype_t domainid;
uint32_t ssidbuf_size;
};
-#define ACM_GETDECISION 8
+#define ACMOP_getdecision 5
struct acm_getdecision {
- enum get_type get_decision_by1; /* in */
+ /* IN */
+ uint32_t interface_version;
+ enum get_type get_decision_by1;
enum get_type get_decision_by2;
union {
domaintype_t domainid;
ssidref_t ssidref;
} id2;
enum acm_hook_type hook;
- int acm_decision; /* out */
-};
-
-struct acm_op {
- uint32_t cmd;
- uint32_t interface_version; /* ACM_INTERFACE_VERSION */
- union {
- struct acm_setpolicy setpolicy;
- struct acm_getpolicy getpolicy;
- struct acm_dumpstats dumpstats;
- struct acm_getssid getssid;
- struct acm_getdecision getdecision;
- } u;
+ /* OUT */
+ int acm_decision;
};
-typedef struct acm_op acm_op_t;
-DEFINE_XEN_GUEST_HANDLE(acm_op_t);
-#endif /* __XEN_PUBLIC_ACM_OPS_H__ */
+#endif /* __XEN_PUBLIC_ACM_OPS_H__ */
/*
* Local variables:
extern long
do_acm_op(
- XEN_GUEST_HANDLE(acm_op_t) u_acm_op);
+ int cmd, XEN_GUEST_HANDLE(void) arg);
extern long
do_nmi_op(
projects / xen.git / commitdiff