<xsd:element name="Reference" type="xsd:string" minOccurs="0" maxOccurs="1" />
<xsd:element name="Date" minOccurs="0" maxOccurs="1" type="xsd:string"></xsd:element>
<xsd:element name="NameSpaceUrl" minOccurs="0" maxOccurs="1" type="xsd:string"></xsd:element>
+ <xsd:element name="Version" minOccurs="0" maxOccurs="1" type="VersionFormat"/>
+ <xsd:element ref="FromPolicy" minOccurs="0" maxOccurs="1"/>
</xsd:sequence>
</xsd:complexType>
</xsd:element>
<xsd:enumeration value="PrimaryPolicyComponent"></xsd:enumeration>
</xsd:restriction>
</xsd:simpleType>
+ <xsd:element name="FromPolicy">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="PolicyName" minOccurs="1" maxOccurs="1" type="xsd:string"/>
+ <xsd:element name="Version" minOccurs="1" maxOccurs="1" type="VersionFormat"/>
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+ <xsd:simpleType name="VersionFormat">
+ <xsd:restriction base="xsd:string">
+ <xsd:pattern value="[0-9]{1,8}.[0-9]{1,8}"></xsd:pattern>
+ </xsd:restriction>
+ </xsd:simpleType>
</xsd:schema>
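Review bot: The `.` in the VersionFormat pattern is unescaped, so in XSD regex syntax it matches any single character and a value such as `1x2` or `12345678-1` validates as a version. The separator should be escaped: `<xsd:pattern value="[0-9]{1,8}\.[0-9]{1,8}"/>`. Since the converter later splits this string on the dot, the schema is the only thing guaranteeing the separator is actually there.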
printf("============\n");
printf("POLICY REFERENCE = %s.\n", policy_reference_name);
printf("PolicyVer = %x.\n", ntohl(pol->policy_version));
+ printf("XML Vers. = %d.%d\n",
+ ntohl(pol->xml_pol_version.major),
+ ntohl(pol->xml_pol_version.minor));
printf("Magic = %x.\n", ntohl(pol->magic));
printf("Len = %x.\n", ntohl(pol->len));
printf("Primary = %s (c=%x, off=%x).\n",
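Review bot: The new "XML Vers." line prints the `uint32_t` results of `ntohl()` with `%d`, a signed/unsigned mismatch that compilers flag with format warnings; `%u` is the matching conversion. The older lines in this function already mix `%x` for similar fields, so at minimum the new line should be self-consistent: `printf("XML Vers. = %u.%u\n", ntohl(pol->xml_pol_version.major), ntohl(pol->xml_pol_version.minor));`. The enclosing function starts and ends outside this hunk.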
char *policy_reference_name = NULL;
+char *policy_version_string = NULL;
+
void walk_labels(xmlNode * start, xmlDocPtr doc, unsigned long state);
void usage(char *prg)
{
- printf("Usage: %s [OPTIONS] POLICYNAME\n", prg);
- printf
- ("POLICYNAME is the directory name within the policy directory\n");
- printf
- ("that contains the policy files. The default policy directory\n");
- printf("is '%s' (see the '-d' option below to change it)\n",
- POLICY_DIR);
- printf
- ("The policy files contained in the POLICYNAME directory must be named:\n");
- printf("\tPOLICYNAME-security_policy.xml\n");
- printf("\tPOLICYNAME-security_label_template.xml\n\n");
- printf("OPTIONS:\n");
- printf("\t-d POLICYDIR\n");
- printf
- ("\t\tUse POLICYDIR as the policy directory. This directory must contain\n");
- printf("\t\tthe policy schema file 'security_policy.xsd'\n");
+ printf(
+ "Usage: %s [OPTIONS] POLICYNAME\n"
+ "POLICYNAME is the directory name within the policy directory\n"
+ "that contains the policy files. The default policy directory\n"
+ "is '%s' (see the '-d' option below to change it)\n"
+ "The policy files contained in the POLICYNAME directory must be named:\n"
+ "\tPOLICYNAME-security_policy.xml\n"
+ "\tPOLICYNAME-security_label_template.xml\n\n"
+ "OPTIONS:\n"
+ "\t-d POLICYDIR\n"
+ "\t\tUse POLICYDIR as the policy directory. This directory must \n"
+ "\t\tcontain the policy schema file 'security_policy.xsd'\n",
+ prg, POLICY_DIR);
exit(EXIT_FAILURE);
}
case XML2BIN_CHWALLTYPES:
case XML2BIN_CONFLICTSETS:
case XML2BIN_POLICYHEADER:
+ case XML2BIN_FROMPOLICY:
walk_policy(cur_node->children, doc, state | (1 << code));
break;
case XML2BIN_POLICYNAME: /* get policy reference name .... */
- if (state != XML2BIN_PN_S) {
+ if (state != XML2BIN_PN_S &&
+ state != XML2BIN_PN_frompolicy_S) {
printf("ERROR: >Url< >%s< out of context.\n",
(char *) xmlNodeListGetString(doc,
cur_node->
xmlChildrenNode, 1));
exit(EXIT_FAILURE);
}
- policy_reference_name = (char *)
- xmlNodeListGetString(doc, cur_node->xmlChildrenNode, 1);
- if (!policy_reference_name) {
- printf("ERROR: empty >policy reference name (Url)<!\n");
+ if (state == XML2BIN_PN_S) {
+ policy_reference_name = (char *)
+ xmlNodeListGetString(doc, cur_node->xmlChildrenNode, 1);
+ if (!policy_reference_name) {
+ printf("ERROR: empty >policy reference name (Url)<!\n");
+ exit(EXIT_FAILURE);
+ } else
+ printf("Policy Reference name (Url): %s\n",
+ policy_reference_name);
+ }
+ break;
+
+ case XML2BIN_VERSION: /* get policy version number .... */
+ if (state != XML2BIN_PN_S &&
+ state != XML2BIN_PN_frompolicy_S) {
+ printf("ERROR: >Url< >%s< out of context.\n",
+ (char *) xmlNodeListGetString(doc,
+ cur_node->
+ xmlChildrenNode, 1));
exit(EXIT_FAILURE);
- } else
- printf("Policy Reference name (Url): %s\n",
- policy_reference_name);
+ }
+ if (state == XML2BIN_PN_S) {
+ policy_version_string = (char *)
+ xmlNodeListGetString(doc, cur_node->xmlChildrenNode, 1);
+ if (!policy_version_string) {
+ printf("ERROR: empty >policy version string <!\n");
+ exit(EXIT_FAILURE);
+ } else
+ printf("Policy version string: %s\n",
+ policy_version_string);
+ }
break;
case XML2BIN_STE:
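Review bot: The out-of-context error in the new `XML2BIN_VERSION` case still says `>Url<`, copied from the PolicyName case; it should read `printf("ERROR: >Version< >%s< out of context.\n", ...)` so a malformed policy points at the right element. In the `XML2BIN_PN_frompolicy_S` state both cases accept the element but store nothing, so a FromPolicy's PolicyName and Version are checked for placement only and then dropped; if that is intended, a comment such as `/* FromPolicy children are context-checked only; their values are not recorded */` would save the next reader from looking for the missing globals, and if it is not, a second pair of globals is needed. The `xmlNodeListGetString()` results are never `xmlFree()`d, which follows the pre-existing pattern in this one-shot tool but is worth noting now that the new case doubles it. The enclosing `walk_policy` switch continues outside this hunk.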
NULL, *policy_reference_buffer = NULL;
u_int32_t len;
int fd, ret = 0;
+ uint32_t major = 0, minor = 0;
u_int32_t len_ste = 0, len_chwall = 0, len_pr = 0; /* length of policy components */
+ sscanf(policy_version_string,"%d.%d", &major, &minor);
+
/* open binary file */
if ((fd =
open(filename, O_WRONLY | O_CREAT | O_TRUNC,
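Review bot: The `sscanf()` on `policy_version_string` runs unconditionally, but the schema declares `Version` with `minOccurs="0"` and the global is initialised to `NULL`, so a policy without a Version element dereferences a null pointer here. The return value is also unchecked, so a string such as `3.` (or anything the schema's unescaped-dot pattern lets through) silently leaves `minor` at 0 and `%d` is the wrong conversion for the `uint32_t` targets. The check below rejects a missing or malformed version before it reaches the header; the enclosing function starts and ends outside this hunk.
```c
uint32_t major = 0, minor = 0;
/* … unchanged: remaining locals … */

/* Version is optional in the schema, so the global may be NULL. */
if (!policy_version_string ||
    sscanf(policy_version_string, "%u.%u", &major, &minor) != 2) {
    printf("ERROR: missing or malformed policy >Version< (expected major.minor).\n");
    exit(EXIT_FAILURE);
}

/* … unchanged: open binary file … */
```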
/* determine primary component (default chwall) */
header.policy_version = htonl(ACM_POLICY_VERSION);
header.magic = htonl(ACM_MAGIC);
+ header.xml_pol_version.major = htonl(major);
+ header.xml_pol_version.minor = htonl(minor);
len = sizeof(struct acm_policy_buffer);
if (have_chwall)
#define SCHEMA_FILENAME "security_policy.xsd"
/* basic states (used as 1 << X) */
-#define ENDOFLIST_POS 22 /* ADAPT!! this position will be NULL; stay below 32 (bit) */
-#define XML2BIN_SECPOL 0 /* policy tokens */
-#define XML2BIN_STE 1
-#define XML2BIN_CHWALL 2
-#define XML2BIN_CONFLICTSETS 3
-#define XML2BIN_CSTYPE 4
-#define XML2BIN_POLICYHEADER 5
-#define XML2BIN_NSURL 6
-#define XML2BIN_POLICYNAME 7
-#define XML2BIN_URL 8
-#define XML2BIN_REFERENCE 9
-#define XML2BIN_DATE 10
-
-#define XML2BIN_LABELTEMPLATE 11 /* label tokens */
-#define XML2BIN_SUBJECTS 12
-#define XML2BIN_OBJECTS 13
-#define XML2BIN_VM 14
-#define XML2BIN_RES 15
-#define XML2BIN_NAME 16
-
-#define XML2BIN_STETYPES 17 /* shared tokens */
-#define XML2BIN_CHWALLTYPES 18
-#define XML2BIN_TYPE 19
-#define XML2BIN_TEXT 20
-#define XML2BIN_COMMENT 21
+enum {
+ XML2BIN_SECPOL = 0, /* policy tokens */
+ XML2BIN_STE,
+ XML2BIN_CHWALL,
+ XML2BIN_CONFLICTSETS,
+ XML2BIN_CSTYPE,
+ XML2BIN_POLICYHEADER,
+ XML2BIN_NSURL,
+ XML2BIN_POLICYNAME,
+ XML2BIN_URL,
+ XML2BIN_REFERENCE,
+ XML2BIN_DATE,
+ XML2BIN_VERSION,
+ XML2BIN_FROMPOLICY,
+
+ XML2BIN_LABELTEMPLATE, /* label tokens */
+ XML2BIN_SUBJECTS,
+ XML2BIN_OBJECTS,
+ XML2BIN_VM,
+ XML2BIN_RES,
+ XML2BIN_NAME,
+
+ XML2BIN_STETYPES,
+ XML2BIN_CHWALLTYPES,
+ XML2BIN_TYPE,
+ XML2BIN_TEXT,
+ XML2BIN_COMMENT,
+ ENDOFLIST_POS /* keep last ! */
+};
/* type "data type" (currently 16bit) */
typedef u_int16_t type_t;
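Review bot: The `#define` block that this enum replaces carried the constraint "stay below 32 (bit)" on ENDOFLIST_POS, and the enum drops it even though `walk_policy` still builds states as `state | (1 << code)` in an `unsigned long`. The list now has 24 positions, so there is room, but the limit is the one thing a future contributor appending tokens needs to know; suggest `ENDOFLIST_POS /* keep last! values are bit positions in the state word, so this must stay < 32 */`. The enum is otherwise an improvement, since ENDOFLIST_POS can no longer drift from the real count.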
[XML2BIN_URL] = "PolicyUrl",
[XML2BIN_REFERENCE] = "Reference",
[XML2BIN_DATE] = "Date",
+ [XML2BIN_VERSION] = "Version",
+ [XML2BIN_FROMPOLICY] = "FromPolicy",
[XML2BIN_LABELTEMPLATE] = "SecurityLabelTemplate", /* label-template xml */
[XML2BIN_SUBJECTS] = "SubjectLabels",
[XML2BIN_STETYPES] = "SimpleTypeEnforcementTypes", /* common tags */
[XML2BIN_CHWALLTYPES] = "ChineseWallTypes",
[XML2BIN_TYPE] = "Type",
- [XML2BIN_TEXT] = "text",
+ [XML2BIN_TEXT] = "text",
[XML2BIN_COMMENT] = "comment",
[ENDOFLIST_POS] = NULL /* End of LIST, adapt ENDOFLIST_POS
when adding entries */
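Review bot: The trailing comment on the `[ENDOFLIST_POS] = NULL` entry, "adapt ENDOFLIST_POS when adding entries", is now stale because the enum in the companion header keeps ENDOFLIST_POS last automatically. Suggest `[ENDOFLIST_POS] = NULL /* end of list; ENDOFLIST_POS is the last enum member */` so the instruction does not send someone hunting for a define that no longer exists.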
#define XML2BIN_PN_S ((1 << XML2BIN_SECPOL) | \
(1 << XML2BIN_POLICYHEADER))
+#define XML2BIN_PN_frompolicy_S ((1 << XML2BIN_SECPOL) | \
+ (1 << XML2BIN_POLICYHEADER) | \
+ (1 << XML2BIN_FROMPOLICY))
+
/* label xml states */
#define XML2BIN_VM_S ((1 << XML2BIN_SECPOL) | \
(1 << XML2BIN_LABELTEMPLATE) | \
*/
/* protects from unnoticed changes in struct acm_policy_buffer */
-#define WRITTEN_AGAINST_ACM_POLICY_VERSION 2
+#define WRITTEN_AGAINST_ACM_POLICY_VERSION 3
/* protects from unnoticed changes in struct acm_chwall_policy_buffer */
#define WRITTEN_AGAINST_ACM_CHWALL_VERSION 1
acm_secondary_ops->set_binary_policy(buf + offset, length))
goto error_lock_free;
+ memcpy(&acm_bin_pol.xml_pol_version,
+ &pol->xml_pol_version,
+ sizeof(acm_bin_pol.xml_pol_version));
+
write_unlock(&acm_bin_pol_rwlock);
return ACM_OK;
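Review bot: The new `memcpy` reads `pol->xml_pol_version`, the field this commit appends to the end of `struct acm_policy_buffer`, but nothing in the hunk shows the guest-supplied buffer being checked against the enlarged `sizeof(struct acm_policy_buffer)`; presumably the existing header validation (policy_version == ACM_POLICY_VERSION plus a length check) covers it, but it is worth confirming that check uses `sizeof` rather than a literal, since the struct just grew by eight bytes. The value is copied in wire (big-endian) order and the dump path copies it back verbatim, so a comment here such as `/* stored as received, in network byte order; the dump path returns it unchanged */` would stop someone adding a `be32_to_cpu` on one side only. The enclosing function starts outside this hunk.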
u8 *policy_buffer;
int ret;
struct acm_policy_buffer *bin_pol;
-
+
if (buf_size < sizeof(struct acm_policy_buffer))
return -EFAULT;
bin_pol->primary_buffer_offset = cpu_to_be32(be32_to_cpu(bin_pol->len));
bin_pol->secondary_buffer_offset = cpu_to_be32(be32_to_cpu(bin_pol->len));
+ memcpy(&bin_pol->xml_pol_version,
+ &acm_bin_pol.xml_pol_version,
+ sizeof(struct acm_policy_version));
+
ret = acm_dump_policy_reference(policy_buffer + be32_to_cpu(bin_pol->policy_reference_offset),
buf_size - be32_to_cpu(bin_pol->policy_reference_offset));
if (ret < 0)
char *policy_reference_name;
u16 primary_policy_code;
u16 secondary_policy_code;
+ struct acm_policy_version xml_pol_version;
};
struct chwall_binary_policy {
* whenever the interpretation of the related
* policy's data structure changes
*/
-#define ACM_POLICY_VERSION 2
+#define ACM_POLICY_VERSION 3
#define ACM_CHWALL_VERSION 1
#define ACM_STE_VERSION 1
/* each offset in bytes from start of the struct they
* are part of */
+/* V3 of the policy buffer aded a version structure */
+struct acm_policy_version
+{
+ uint32_t major;
+ uint32_t minor;
+} __attribute__((packed));
+
+
/* each buffer consists of all policy information for
* the respective policy given in the policy code
*
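Review bot: The comment introducing `struct acm_policy_version` has a typo, "aded"; suggest `/* V3 of the policy buffer added a version structure (major.minor of the source XML policy) */`, which also says what the two fields hold, since `xml_pol_version` is the only user and it is defined further down. The `packed` attribute on a struct of two `uint32_t` should not alter layout on the usual ABIs, but it does make taking the address of a member implementation-defined, so keeping the fields naturally aligned as they are here is the right call.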
uint32_t primary_buffer_offset;
uint32_t secondary_policy_code;
uint32_t secondary_buffer_offset;
-};
+ struct acm_policy_version xml_pol_version; /* add in V3 */
+} __attribute__((packed));
+
struct acm_policy_reference_buffer {
uint32_t len;
-};
+} __attribute__((packed));
struct acm_chwall_policy_buffer {
uint32_t policy_version; /* ACM_CHWALL_VERSION */
uint32_t chwall_conflict_sets_offset;
uint32_t chwall_running_types_offset;
uint32_t chwall_conflict_aggregate_offset;
-};
+} __attribute__((packed));
struct acm_ste_policy_buffer {
uint32_t policy_version; /* ACM_STE_VERSION */
uint32_t ste_max_types;
uint32_t ste_max_ssidrefs;
uint32_t ste_ssid_offset;
-};
+} __attribute__((packed));
struct acm_stats_buffer {
uint32_t magic;
uint32_t primary_stats_offset;
uint32_t secondary_policy_code;
uint32_t secondary_stats_offset;
-};
+} __attribute__((packed));
struct acm_ste_stats_buffer {
uint32_t ec_eval_count;
uint32_t gt_denied_count;
uint32_t ec_cachehit_count;
uint32_t gt_cachehit_count;
-};
+} __attribute__((packed));
struct acm_ssid_buffer {
uint32_t len;
uint32_t secondary_policy_code;
uint32_t secondary_max_types;
uint32_t secondary_types_offset;
-};
+} __attribute__((packed));
#endif