/*************************** set policy ****************************/
int acm_domain_set_chwallpolicy(void *bufstart, int buflen) {
-#define CWALL_MAX_SSIDREFS 5
+#define CWALL_MAX_SSIDREFS 6
#define CWALL_MAX_TYPES 10
#define CWALL_MAX_CONFLICTSETS 2
struct acm_chwall_policy_buffer *chwall_bin_pol = (struct acm_chwall_policy_buffer *)bufstart;
domaintype_t *ssidrefs, *conflicts;
int ret = 0;
- int i,j;
+ int j;
chwall_bin_pol->chwall_max_types = htons(CWALL_MAX_TYPES);
chwall_bin_pol->chwall_max_ssidrefs = htons(CWALL_MAX_SSIDREFS);
return -1; /* not enough space */
ssidrefs = (domaintype_t *)(bufstart+ntohs(chwall_bin_pol->chwall_ssid_offset));
- for(i=0; i< CWALL_MAX_SSIDREFS; i++) {
- for (j=0; j< CWALL_MAX_TYPES; j++)
- ssidrefs[i*CWALL_MAX_TYPES + j] = htons(0);
- /* here, set type i for ssidref i; generally, a ssidref can have multiple chwall types */
- if (i < CWALL_MAX_SSIDREFS)
- ssidrefs[i*CWALL_MAX_TYPES + i] = htons(1);
- }
+ memset(ssidrefs, 0, CWALL_MAX_TYPES*CWALL_MAX_SSIDREFS*sizeof(domaintype_t));
+
+ /* now set type j-1 for ssidref i+1 */
+ for(j=0; j<= CWALL_MAX_SSIDREFS; j++)
+ if ((0 < j) &&( j <= CWALL_MAX_TYPES))
+ ssidrefs[j*CWALL_MAX_TYPES + j - 1] = htons(1);
+
ret += CWALL_MAX_TYPES*CWALL_MAX_SSIDREFS*sizeof(domaintype_t);
if ((buflen - ret) < (CWALL_MAX_CONFLICTSETS*CWALL_MAX_TYPES*sizeof(domaintype_t)))
return -1; /* not enough space */
conflicts = (domaintype_t *)(bufstart +
ntohs(chwall_bin_pol->chwall_conflict_sets_offset));
memset((void *)conflicts, 0, CWALL_MAX_CONFLICTSETS*CWALL_MAX_TYPES*sizeof(domaintype_t));
- /* just 1 conflict set [0]={2,3}, [1]={0,5,6} */
+ /* just 1 conflict set [0]={2,3}, [1]={1,5,6} */
if (CWALL_MAX_TYPES > 3) {
conflicts[2] = htons(1); conflicts[3] = htons(1); /* {2,3} */
- conflicts[CWALL_MAX_TYPES] = htons(1); conflicts[CWALL_MAX_TYPES+5] = htons(1);
+ conflicts[CWALL_MAX_TYPES+1] = htons(1); conflicts[CWALL_MAX_TYPES+5] = htons(1);
conflicts[CWALL_MAX_TYPES+6] = htons(1);/* {0,5,6} */
}
ret += sizeof(domaintype_t)*CWALL_MAX_CONFLICTSETS*CWALL_MAX_TYPES;
}
int acm_domain_set_stepolicy(void *bufstart, int buflen) {
-#define STE_MAX_SSIDREFS 5
-#define STE_MAX_TYPES 5
+#define STE_MAX_SSIDREFS 6
+#define STE_MAX_TYPES 5
struct acm_ste_policy_buffer *ste_bin_pol = (struct acm_ste_policy_buffer *)bufstart;
domaintype_t *ssidrefs;
- int i,j, ret = 0;
+ int j, ret = 0;
ste_bin_pol->ste_max_types = htons(STE_MAX_TYPES);
ste_bin_pol->ste_max_ssidrefs = htons(STE_MAX_SSIDREFS);
return -1; /* not enough space */
ssidrefs = (domaintype_t *)(bufstart+ntohs(ste_bin_pol->ste_ssid_offset));
- for(i=0; i< STE_MAX_SSIDREFS; i++) {
- for (j=0; j< STE_MAX_TYPES; j++)
- ssidrefs[i*STE_MAX_TYPES + j] = htons(0);
- /* set type i in ssidref 0 and ssidref i */
- ssidrefs[i] = htons(1); /* ssidref 0 has all types set */
- if (i < STE_MAX_SSIDREFS)
- ssidrefs[i*STE_MAX_TYPES + i] = htons(1);
- }
+ memset(ssidrefs, 0, STE_MAX_TYPES*STE_MAX_SSIDREFS*sizeof(domaintype_t));
+ /* all types 1 for ssidref 1 */
+ for(j=0; j< STE_MAX_TYPES; j++)
+ ssidrefs[1*STE_MAX_TYPES +j] = htons(1);
+ /* now set type j-1 for ssidref j */
+ for(j=0; j< STE_MAX_SSIDREFS; j++)
+ if ((0 < j) &&( j <= STE_MAX_TYPES))
+ ssidrefs[j*STE_MAX_TYPES + j - 1] = htons(1);
ret += STE_MAX_TYPES*STE_MAX_SSIDREFS*sizeof(domaintype_t);
return ret;
}
u32 dom = 0;
int ret;
- u32 ssidref = 0xFFFFFFFF;
+ u32 ssidref = 0x0;
static char *kwd_list[] = { "dom", "ssidref", NULL };
d['port'] = sxp.child_value(console, 'console_port')
else:
d['port'] = ''
- if ((int(sxp.child_value(info, 'ssidref', '-1'))) != -1):
- d['ssidref1'] = int(sxp.child_value(info, 'ssidref', '-1')) & 0xffff
- d['ssidref2'] = (int(sxp.child_value(info, 'ssidref', '-1')) >> 16) & 0xffff
+ if ((int(sxp.child_value(info, 'ssidref', '0'))) != 0):
+ d['ssidref1'] = int(sxp.child_value(info, 'ssidref', '0')) & 0xffff
+ d['ssidref2'] = (int(sxp.child_value(info, 'ssidref', '0')) >> 16) & 0xffff
print ("%(name)-16s %(dom)3d %(mem)7d %(cpu)3d %(vcpus)5d %(state)5s %(cpu_time)7.1f %(port)4s s:%(ssidref2)02x/p:%(ssidref1)02x" % d)
else:
print ("%(name)-16s %(dom)3d %(mem)7d %(cpu)3d %(vcpus)5d %(state)5s %(cpu_time)7.1f %(port)4s" % d)
{
/* minimal startup policy; policy write-locked already */
chwall_bin_pol.max_types = 1;
- chwall_bin_pol.max_ssidrefs = 1;
+ chwall_bin_pol.max_ssidrefs = 2;
chwall_bin_pol.max_conflictsets = 1;
chwall_bin_pol.ssidrefs = (domaintype_t *)xmalloc_array(domaintype_t, chwall_bin_pol.max_ssidrefs*chwall_bin_pol.max_types);
chwall_bin_pol.conflict_sets = (domaintype_t *)xmalloc_array(domaintype_t, chwall_bin_pol.max_conflictsets*chwall_bin_pol.max_types);
* part of the global ssidref (same way we'll get the partial ssid pointer)
*/
chwall_ssidp->chwall_ssidref = GET_SSIDREF(ACM_CHINESE_WALL_POLICY, ssidref);
- if (chwall_ssidp->chwall_ssidref >= chwall_bin_pol.max_ssidrefs) {
- printkd("%s: ERROR chwall_ssidref(%x) > max(%x).\n",
- __func__, chwall_ssidp->chwall_ssidref, chwall_bin_pol.max_ssidrefs-1);
+ if ((chwall_ssidp->chwall_ssidref >= chwall_bin_pol.max_ssidrefs) ||
+ (chwall_ssidp->chwall_ssidref == ACM_DEFAULT_LOCAL_SSID)) {
+ printkd("%s: ERROR chwall_ssidref(%x) undefined (>max) or unset (0).\n",
+ __func__, chwall_ssidp->chwall_ssidref);
xfree(chwall_ssidp);
return ACM_INIT_SSID_ERROR;
}
{
/* minimal startup policy; policy write-locked already */
ste_bin_pol.max_types = 1;
- ste_bin_pol.max_ssidrefs = 1;
- ste_bin_pol.ssidrefs = (domaintype_t *)xmalloc_array(domaintype_t, 1);
-
+ ste_bin_pol.max_ssidrefs = 2;
+ ste_bin_pol.ssidrefs = (domaintype_t *)xmalloc_array(domaintype_t, 2);
+ memset(ste_bin_pol.ssidrefs, 0, 2);
+
if (ste_bin_pol.ssidrefs == NULL)
return ACM_INIT_SSID_ERROR;
- /* initialize state */
- ste_bin_pol.ssidrefs[0] = 1;
+ /* initialize state so that dom0 can start up and communicate with itself */
+ ste_bin_pol.ssidrefs[1] = 1;
/* init stats */
atomic_set(&(ste_bin_pol.ec_eval_count), 0);
/* get policy-local ssid reference */
ste_ssidp->ste_ssidref = GET_SSIDREF(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY, ssidref);
- if (ste_ssidp->ste_ssidref >= ste_bin_pol.max_ssidrefs) {
- printkd("%s: ERROR ste_ssidref (%x) > max(%x).\n",
- __func__, ste_ssidp->ste_ssidref, ste_bin_pol.max_ssidrefs-1);
+ if ((ste_ssidp->ste_ssidref >= ste_bin_pol.max_ssidrefs) ||
+ (ste_ssidp->ste_ssidref == ACM_DEFAULT_LOCAL_SSID)) {
+ printkd("%s: ERROR ste_ssidref (%x) undefined or unset (0).\n",
+ __func__, ste_ssidp->ste_ssidref);
xfree(ste_ssidp);
return ACM_INIT_SSID_ERROR;
}
}
/* predefined ssidref for DOM0 used by xen when creating DOM0 */
-#define ACM_DOM0_SSIDREF 0
+#define ACM_DOM0_SSIDREF 0x00010001
static inline void acm_post_domain0_create(domid_t domid)
{
#endif
/* default ssid reference value if not supplied */
-#define ACM_DEFAULT_SSID 0xffffffff
-#define ACM_DEFAULT_LOCAL_SSID 0xffff
+#define ACM_DEFAULT_SSID 0x0
+#define ACM_DEFAULT_LOCAL_SSID 0x0
/* Internal ACM ERROR types */
#define ACM_OK 0
* This makes sure that old versions of dom0 tools will stop working in a
* well-defined way (rather than crashing the machine, for instance).
*/
-#define DOM0_INTERFACE_VERSION 0xAAAA1007
+#define DOM0_INTERFACE_VERSION 0xAAAA1008
/************************************************************************/
* This makes sure that old versions of policy tools will stop working in a
* well-defined way (rather than crashing the machine, for instance).
*/
-#define POLICY_INTERFACE_VERSION 0xAAAA0001
+#define POLICY_INTERFACE_VERSION 0xAAAA0002
/************************************************************************/
projects / xen.git / commitdiff