1
1
/******************************************************************************
4
* This program is free software; you can redistribute it and/or
5
* modify it under the terms of the GNU General Public License as
6
* published by the Free Software Foundation, version 2 of the
4
* This library is free software; you can redistribute it and/or
5
* modify it under the terms of the GNU Lesser General Public
6
* License as published by the Free Software Foundation;
7
* version 2.1 of the License.
9
* This library is distributed in the hope that it will be useful,
10
* but WITHOUT ANY WARRANTY; without even the implied warranty of
11
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12
* Lesser General Public License for more details.
14
* You should have received a copy of the GNU Lesser General Public
15
* License along with this library; if not, write to the Free Software
16
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
10
19
#include "xc_private.h"
12
int xc_flask_op(int xc_handle, flask_op_t *op)
26
#include <sys/types.h>
30
#include <sys/ioctl.h>
33
#define OCON_PIRQ_STR "pirq"
34
#define OCON_IOPORT_STR "ioport"
35
#define OCON_IOMEM_STR "iomem"
36
#define OCON_DEVICE_STR "pcidevice"
37
#define INITCONTEXTLEN 256
39
int xc_flask_op(xc_interface *xch, flask_op_t *op)
43
DECLARE_HYPERCALL_BOUNCE(op, sizeof(*op), XC_HYPERCALL_BUFFER_BOUNCE_BOTH);
45
if ( xc_hypercall_bounce_pre(xch, op) )
47
PERROR("Could not bounce memory for flask op hypercall");
17
51
hypercall.op = __HYPERVISOR_xsm_op;
18
hypercall.arg[0] = (unsigned long)op;
20
if ( mlock(op, sizeof(*op)) != 0 )
22
PERROR("Could not lock memory for Xen hypercall");
26
if ( (ret = do_xen_hypercall(xc_handle, &hypercall)) < 0 )
52
hypercall.arg[0] = HYPERCALL_BUFFER_AS_ARG(op);
54
if ( (ret = do_xen_hypercall(xch, &hypercall)) < 0 )
28
56
if ( errno == EACCES )
29
57
fprintf(stderr, "XSM operation failed!\n");
32
safe_munlock(op, sizeof(*op));
60
xc_hypercall_bounce_post(xch, op);
66
int xc_flask_load(xc_interface *xc_handle, char *buf, uint32_t size)
75
if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
81
int xc_flask_context_to_sid(xc_interface *xc_handle, char *buf, uint32_t size, uint32_t *sid)
86
op.cmd = FLASK_CONTEXT_TO_SID;
90
if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
93
sscanf(buf, "%u", sid);
98
int xc_flask_sid_to_context(xc_interface *xc_handle, int sid, char *buf, uint32_t size)
103
op.cmd = FLASK_SID_TO_CONTEXT;
107
snprintf(buf, size, "%u", sid);
109
if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
115
int xc_flask_getenforce(xc_interface *xc_handle)
123
op.cmd = FLASK_GETENFORCE;
127
if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
130
sscanf(buf, "%i", &mode);
135
int xc_flask_setenforce(xc_interface *xc_handle, int mode)
142
op.cmd = FLASK_SETENFORCE;
146
snprintf(buf, size, "%i", mode);
148
if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
154
static int xc_flask_add(xc_interface *xc_handle, char *cat, char *arg, char *scontext)
160
snprintf(buf, 512, "%s %255s %s", cat, scontext, arg);
161
op.cmd = FLASK_ADD_OCONTEXT;
165
return xc_flask_op(xc_handle, &op);
168
int xc_flask_add_pirq(xc_interface *xc_handle, unsigned int pirq, char *scontext)
172
snprintf(arg, 16, "%u", pirq);
173
return xc_flask_add(xc_handle, OCON_PIRQ_STR, arg, scontext);
176
int xc_flask_add_ioport(xc_interface *xc_handle, unsigned long low, unsigned long high,
181
snprintf(arg, 64, "%lu %lu", low, high);
182
return xc_flask_add(xc_handle, OCON_IOPORT_STR, arg, scontext);
185
int xc_flask_add_iomem(xc_interface *xc_handle, unsigned long low, unsigned long high,
190
snprintf(arg, 64, "%lu %lu", low, high);
191
return xc_flask_add(xc_handle, OCON_IOMEM_STR, arg, scontext);
194
int xc_flask_add_device(xc_interface *xc_handle, unsigned long device, char *scontext)
198
snprintf(arg, 32, "%lu", device);
199
return xc_flask_add(xc_handle, OCON_DEVICE_STR, arg, scontext);
202
static int xc_flask_del(xc_interface *xc_handle, char *cat, char *arg)
208
snprintf(buf, 256, "%s %s", cat, arg);
209
op.cmd = FLASK_DEL_OCONTEXT;
213
return xc_flask_op(xc_handle, &op);
216
int xc_flask_del_pirq(xc_interface *xc_handle, unsigned int pirq)
220
snprintf(arg, 16, "%u", pirq);
221
return xc_flask_del(xc_handle, OCON_PIRQ_STR, arg);
224
int xc_flask_del_ioport(xc_interface *xc_handle, unsigned long low, unsigned long high)
228
snprintf(arg, 64, "%lu %lu", low, high);
229
return xc_flask_del(xc_handle, OCON_IOPORT_STR, arg);
232
int xc_flask_del_iomem(xc_interface *xc_handle, unsigned long low, unsigned long high)
236
snprintf(arg, 64, "%lu %lu", low, high);
237
return xc_flask_del(xc_handle, OCON_IOMEM_STR, arg);
240
int xc_flask_del_device(xc_interface *xc_handle, unsigned long device)
244
snprintf(arg, 32, "%lu", device);
245
return xc_flask_del(xc_handle, OCON_DEVICE_STR, arg);
248
int xc_flask_access(xc_interface *xc_handle, const char *scon, const char *tcon,
249
uint16_t tclass, uint32_t req,
250
uint32_t *allowed, uint32_t *decided,
251
uint32_t *auditallow, uint32_t *auditdeny,
254
/* maximum number of digits in a 16-bit decimal number: */
255
#define MAX_SHORT_DEC_LEN 5
261
uint32_t dummy_allowed;
262
uint32_t dummy_decided;
263
uint32_t dummy_auditallow;
264
uint32_t dummy_auditdeny;
265
uint32_t dummy_seqno;
268
allowed = &dummy_allowed;
270
decided = &dummy_decided;
272
auditallow = &dummy_auditallow;
274
auditdeny = &dummy_auditdeny;
276
seqno = &dummy_seqno;
283
bufLen = strlen(scon) + 1 + strlen(tcon) + 1 +
284
MAX_SHORT_DEC_LEN + 1 +
286
buf = malloc(bufLen);
287
snprintf(buf, bufLen, "%s %s %hu %x", scon, tcon, tclass, req);
289
op.cmd = FLASK_ACCESS;
291
op.size = strlen(buf)+1;
293
if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
299
if (sscanf(op.buf, "%x %x %x %x %u",
301
auditallow, auditdeny,
306
err = ((*allowed & req) == req)? 0 : -EPERM;
312
int xc_flask_avc_hashstats(xc_interface *xc_handle, char *buf, int size)
317
op.cmd = FLASK_AVC_HASHSTATS;
321
if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
330
int xc_flask_avc_cachestats(xc_interface *xc_handle, char *buf, int size)
335
op.cmd = FLASK_AVC_CACHESTATS;
339
if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
348
int xc_flask_policyvers(xc_interface *xc_handle, char *buf, int size)
353
op.cmd = FLASK_POLICYVERS;
357
if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
366
int xc_flask_getavc_threshold(xc_interface *xc_handle)
374
op.cmd = FLASK_GETAVC_THRESHOLD;
378
if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
381
sscanf(buf, "%i", &threshold);
386
int xc_flask_setavc_threshold(xc_interface *xc_handle, int threshold)
393
op.cmd = FLASK_SETAVC_THRESHOLD;
397
snprintf(buf, size, "%i", threshold);
399
if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
39
406
* Local variables: