From 8c706ec28d6ac4805a513fe29850a97773a9a4ee Mon Sep 17 00:00:00 2001 From: "kfraser@localhost.localdomain" Date: Wed, 25 Apr 2007 09:31:52 +0100 Subject: [PATCH] acm: Changes to XML schema of the policy This patch changes the XML schema of the ACM policy to require a version and that every conflict set have a name. Every VM label must have one Chinese Wall Type and every resource label one Simple Type Enforcement Type. As a consequence of this some example policies needed to be changed. Also not offering that many configuration options for compiling xen anymore to make things simpler. Signed-off-by: Stefan Berger --- Config.mk | 2 - docs/src/user.tex | 53 +++++----- tools/security/Makefile | 15 +-- .../chwall/client_v1-security_policy.xml | 90 ----------------- .../client_v1-security_policy.xml | 5 +- .../policies/example/test-security_policy.xml | 97 +++++++++++++++++++ .../python/xensec_gen/cgi-bin/policy.cgi | 1 + tools/security/xensec_ezpolicy | 5 +- .../security-acm/xm-test-security_policy.xml | 1 + 9 files changed, 136 insertions(+), 133 deletions(-) delete mode 100644 tools/security/policies/example/chwall/client_v1-security_policy.xml rename tools/security/policies/example/{chwall_ste => }/client_v1-security_policy.xml (98%) create mode 100644 tools/security/policies/example/test-security_policy.xml diff --git a/Config.mk b/Config.mk index 57d17740ad..c77f6ae020 100644 --- a/Config.mk +++ b/Config.mk @@ -83,8 +83,6 @@ ACM_SECURITY ?= n # ACM_DEFAULT_SECURITY_POLICY # Supported models are: # ACM_NULL_POLICY -# ACM_CHINESE_WALL_POLICY -# ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY # ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY ACM_DEFAULT_SECURITY_POLICY ?= ACM_NULL_POLICY diff --git a/docs/src/user.tex b/docs/src/user.tex index 52daba7add..91f7b27875 100644 --- a/docs/src/user.tex +++ b/docs/src/user.tex 
@@ -2673,33 +2673,34 @@ one of these workload types. The XML Policy consists of four parts: xsi:schemaLocation= "http://www.ibm.com ../../security_policy.xsd "> 04 -05 example.chwall_ste.test +05 example.test 06 Wed Jul 12 17:32:59 2006 -07 -08 -09 -10 -11 SystemManagement -12 PepsiCo -13 CocaCola -14 -15 -16 -17 -18 -19 SystemManagement -20 PepsiCo -21 CocaCola -22 -23 -24 -25 -26 CocaCola -27 PepsiCo -28 -29 -30 -31 +07 1.0 +08 +09 +10 +11 +12 SystemManagement +13 PepsiCo +14 CocaCola +15 +16 +17 +18 +19 +20 SystemManagement +21 PepsiCo +22 CocaCola +23 +24 +25 +26 +27 CocaCola +28 PepsiCo +29 +30 +31 +32 \end{verbatim} \end{scriptsize} \caption{Example XML security policy file -- Part I: Types and Rules Definition.} diff --git a/tools/security/Makefile b/tools/security/Makefile index d4cc1b9b95..2ce8fbf4df 100644 --- a/tools/security/Makefile +++ b/tools/security/Makefile @@ -16,12 +16,6 @@ LDFLAGS += $(shell xml2-config --libs ) # if this does not work, try -L/usr/l ifeq ($(ACM_DEFAULT_SECURITY_POLICY),ACM_NULL_POLICY) POLICY=null endif -ifeq ($(ACM_DEFAULT_SECURITY_POLICY),ACM_CHINESE_WALL_POLICY) -POLICY=chwall -endif -ifeq ($(ACM_DEFAULT_SECURITY_POLICY),ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY) -POLICY=ste -endif ifeq ($(ACM_DEFAULT_SECURITY_POLICY),ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY) POLICY=chwall_ste endif @@ -46,7 +40,7 @@ ACM_SECGEN_HTMLDIR= /var/lib/xensec_gen ACM_SECGEN_CGIDIR = $(ACM_SECGEN_HTMLDIR)/cgi-bin ACM_SCHEMA = security_policy.xsd -ACM_EXAMPLES = chwall ste chwall_ste +ACM_EXAMPLES = client_v1 test ACM_POLICY_SUFFIX = security_policy.xml ifeq ($(ACM_SECURITY),y) 
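Review bot: With the `ACM_CHINESE_WALL_POLICY` and `ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY` branches deleted, a tree that still carries either value for `ACM_DEFAULT_SECURITY_POLICY` (in a local Config.mk or on the command line) now leaves `POLICY` empty and the build continues silently, since the remaining `ifeq` chain has no fallback. Add an explicit rejection after the chain so a stale setting cannot yield a build with no default policy: `ifeq ($(POLICY),)` / `$(error unsupported ACM_DEFAULT_SECURITY_POLICY '$(ACM_DEFAULT_SECURITY_POLICY)'; use ACM_NULL_POLICY or ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY)` / `endif`. The rules that consume `POLICY` are outside this hunk, so I cannot confirm whether an empty value fails later or just installs nothing.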
@@ -66,8 +60,7 @@ install: all $(ACM_CONFIG_FILE) $(INSTALL_DATA) policies/$(ACM_SCHEMA) $(DESTDIR)$(ACM_POLICY_DIR) $(INSTALL_DIR) $(DESTDIR)$(ACM_POLICY_DIR)/example for i in $(ACM_EXAMPLES); do \ - $(INSTALL_DIR) $(DESTDIR)$(ACM_POLICY_DIR)/example/$$i; \ - $(INSTALL_DATA) policies/example/$$i/client_v1-$(ACM_POLICY_SUFFIX) $(DESTDIR)$(ACM_POLICY_DIR)/example/$$i; \ + $(INSTALL_DATA) policies/example/$$i-$(ACM_POLICY_SUFFIX) $(DESTDIR)$(ACM_POLICY_DIR)/example/; \ done $(INSTALL_DIR) $(DESTDIR)$(ACM_SCRIPT_DIR) $(INSTALL_PROG) $(ACM_SCRIPTS) $(DESTDIR)$(ACM_SCRIPT_DIR) @@ -94,10 +87,10 @@ build: $(ACM_INST_TOOLS) $(ACM_NOINST_TOOLS) chmod 700 $(ACM_SCRIPTS) xensec_tool: $(OBJS_TOOL) - $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ -L$(XEN_LIBXC) -lxenctrl + $(CC) -g $(CFLAGS) $(LDFLAGS) -O0 -o $@ $^ -L$(XEN_LIBXC) -lxenctrl xensec_xml2bin: $(OBJS_XML2BIN) - $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ + $(CC) -g $(CFLAGS) $(LDFLAGS) -O0 -o $@ $^ xensec_gen: xensec_gen.py cp -f $^ $@ diff --git a/tools/security/policies/example/chwall/client_v1-security_policy.xml b/tools/security/policies/example/chwall/client_v1-security_policy.xml deleted file mode 100644 index 6c1ee84e5e..0000000000 --- a/tools/security/policies/example/chwall/client_v1-security_policy.xml +++ /dev/null @@ -1,90 +0,0 @@ - - - - - - - - example.chwall.client_v1 - www.ibm.com/example/chwall/client_v1 - 2006-03-31 - - - - - - - - - - - cw_SystemManagement - cw_Sensitive - cw_Isolated - cw_Distrusted - - - - cw_Sensitive - cw_Distrusted - - - - - - - - - - - - dom_HomeBanking - - cw_Sensitive - - - - - dom_Fun - - cw_Distrusted - - - - - - dom_BoincClient - - cw_Isolated - - - - - - - dom_SystemManagement - - cw_SystemManagement - - - - - - dom_StorageDomain - - cw_SystemManagement - - - - - - dom_NetworkDomain - - cw_SystemManagement - - - - - - - 
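Review bot: The rewritten loop body `$(INSTALL_DATA) policies/example/$$i-$(ACM_POLICY_SUFFIX) $(DESTDIR)$(ACM_POLICY_DIR)/example/;` runs inside `for ... do ...; done`, so a failed copy of the first example is masked when the last one succeeds and make sees a zero exit status; append `|| exit 1` to that line so a missing or unreadable example policy aborts the install. This hunk also stops creating the per-policy `example/$$i/` subdirectories but does not remove the `example/chwall`, `example/ste` and `example/chwall_ste` directories an earlier install left behind, so old-format policies lacking the now-required version element remain on upgraded systems next to the new ones; a short comment on that, or a cleanup step, would help. The install target begins before this hunk.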
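Review bot: The link rules for xensec_tool and xensec_xml2bin now hard-code `-g` and `-O0`, which looks like a leftover from debugging rather than part of the schema change described in the commit message. These lines only link already-compiled objects, so `-g` adds nothing to code that was compiled without it, and `-O0` placed after `$(CFLAGS)` overrides the tree-wide optimisation choice for the tools that compile and load the security policy. Either restore `$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ -L$(XEN_LIBXC) -lxenctrl` (and likewise for xensec_xml2bin), or make debug builds opt-in through a variable and add a comment stating why these tools are built unoptimised.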
diff --git a/tools/security/policies/example/chwall_ste/client_v1-security_policy.xml b/tools/security/policies/example/client_v1-security_policy.xml similarity index 98% rename from tools/security/policies/example/chwall_ste/client_v1-security_policy.xml rename to tools/security/policies/example/client_v1-security_policy.xml index 55da60af34..669f0696c5 100644 --- a/tools/security/policies/example/chwall_ste/client_v1-security_policy.xml +++ b/tools/security/policies/example/client_v1-security_policy.xml @@ -5,9 +5,10 @@ - example.chwall_ste.client_v1 - www.ibm.com/example/chwall_ste/client_v1 + example.client_v1 + www.ibm.com/example/client_v1 2006-03-31 + 1.0 diff --git a/tools/security/policies/example/test-security_policy.xml b/tools/security/policies/example/test-security_policy.xml new file mode 100644 index 0000000000..0f338a2c0b --- /dev/null +++ b/tools/security/policies/example/test-security_policy.xml @@ -0,0 +1,97 @@ + + + + + example.test + Mon Apr 16 13:13:59 2007 + 1.0 + + + + + SystemManagement + PepsiCo + CocaCola + + + + + + SystemManagement + PepsiCo + CocaCola + VIOServer + + + + + + + + SystemManagement + + SystemManagement + PepsiCo + CocaCola + + + SystemManagement + + + + + PepsiCo + + PepsiCo + + + PepsiCo + + + + + CocaCola + + CocaCola + + + CocaCola + + + + + VIO + + CocaCola + PepsiCo + + + VIOServer + + + + + + + SystemManagement + + SystemManagement + + + + + PepsiCo + + PepsiCo + + + + + CocaCola + + CocaCola + + + + + diff --git a/tools/security/python/xensec_gen/cgi-bin/policy.cgi b/tools/security/python/xensec_gen/cgi-bin/policy.cgi index 5916e35ac4..d429c57cb1 100644 --- a/tools/security/python/xensec_gen/cgi-bin/policy.cgi +++ b/tools/security/python/xensec_gen/cgi-bin/policy.cgi @@ -1816,6 +1816,7 @@ def sendPHeaderXml( ): # Policy header definition print '' print ' ' + formPolicyName[1] + '' + print ' 1.0' if len( formPolicyUrl[1] ) > 0: print ' ' + formPolicyUrl[1] + '' if len( formPolicyRef[1] ) > 0: 
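Review bot: The new example's `VIO` VM label appears to carry both the CocaCola and PepsiCo STE types (element tags are not preserved in this rendering, so this is inferred from the label contents), which makes any domain with that label a permitted communication path between the two competitor labels, and no conflict set between CocaCola and PepsiCo is visible, unlike the user.tex example. If the intent is to model a trusted I/O server, add a comment inside the label such as `<!-- VIO: trusted I/O domain deliberately allowed to serve both CocaCola and PepsiCo resources -->`; if the intent is to demonstrate Chinese Wall separation, add a named conflict set for CocaCola and PepsiCo, which the updated schema now requires to be named. Because this file is installed by default through ACM_EXAMPLES, a header comment stating what the policy is meant to exercise would discourage it from being copied as a production template.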
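Review bot: The new `print ' 1.0'` bakes the schema version into the CGI as a literal that must now be kept in step with the same literal in xensec_ezpolicy and every example policy; define it once at module level, e.g. `ACM_POLICY_VERSION = '1.0'  # must match security_policy.xsd`, and print that instead. The surrounding header is still built by concatenating `formPolicyName[1]` and `formPolicyUrl[1]` into XML with no escaping (pre-existing, visible in the context lines), so a submitted name containing `&` or `<` produces a policy the schema validator rejects or mis-parses; wrapping those values in `xml.sax.saxutils.escape()` would close that. sendPHeaderXml continues past the end of this hunk.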
diff --git a/tools/security/xensec_ezpolicy b/tools/security/xensec_ezpolicy index eaf5f91340..970fb380b4 100644 --- a/tools/security/xensec_ezpolicy +++ b/tools/security/xensec_ezpolicy @@ -1131,15 +1131,16 @@ def dict_read(dictname, filename): #==================== Policy Generation/Translation functions -def printPolicyHeader (fd, policyname, timestamp): +def printPolicyHeader (fd, policyname, timestamp, version="1.0"): fd.write( """ %s %s + %s -""" % (policyname, timestamp)) +""" % (policyname, timestamp, version)) diff --git a/tools/xm-test/tests/security-acm/xm-test-security_policy.xml b/tools/xm-test/tests/security-acm/xm-test-security_policy.xml index b1736dbdf2..9c84a83626 100644 --- a/tools/xm-test/tests/security-acm/xm-test-security_policy.xml +++ b/tools/xm-test/tests/security-acm/xm-test-security_policy.xml @@ -4,6 +4,7 @@ xm-test Fri Sep 29 14:44:38 2006 + 1.0 -- 2.30.2
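Review bot: `printPolicyHeader` now interpolates `version` into the header with a bare `%s`, the same way `policyname` and `timestamp` are, with no validation or escaping, so if any of these values originate from user input a stray `<` or `&` yields a document the new schema rejects instead of a clear error. Rather than a per-call literal, a module-level `POLICY_VERSION = "1.0"` used as the default keeps this tool, policy.cgi and the example policies on one value, and a one-line docstring `"""Write the PolicyHeader; version must match the security_policy.xsd this tool targets."""` records the coupling. The new default also means existing callers silently start emitting a version element they never requested, which is intended here but worth stating in that docstring.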