
[PATCH 8/8] flask: Add flask-label-pci tool
This allows a PCI device and its associated resources to be labeled
without hardcoding addresses (which may change from system to system) in
the security policy.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
---
tools/flask/utils/Makefile | 5 +-
tools/flask/utils/label-pci.c | 123 +++++++++++++++++++++++++++++++++++++++++
2 files changed, 127 insertions(+), 1 deletions(-)
create mode 100644 tools/flask/utils/label-pci.c

diff --git a/tools/flask/utils/Makefile b/tools/flask/utils/Makefile
index 25729a1..171a728 100644
--- a/tools/flask/utils/Makefile
+++ b/tools/flask/utils/Makefile
@@ -11,7 +11,7 @@ TESTDIR = testsuite/tmp
TESTFLAGS= -DTESTING
TESTENV = XENSTORED_ROOTDIR=$(TESTDIR) XENSTORED_RUNDIR=$(TESTDIR)

-CLIENTS := flask-loadpolicy flask-setenforce flask-getenforce
+CLIENTS := flask-loadpolicy flask-setenforce flask-getenforce flask-label-pci
CLIENTS_SRCS := $(patsubst flask-%,%.c,$(CLIENTS))
CLIENTS_OBJS := $(patsubst flask-%,%.o,$(CLIENTS))

@@ -27,6 +27,9 @@ flask-setenforce: setenforce.o
flask-getenforce: getenforce.o
$(CC) $(LDFLAGS) $< $(LDLIBS) -L$(LIBFLASK_ROOT) -lflask $(LDLIBS_libxenctrl) -o $@

+flask-label-pci: label-pci.o
+ $(CC) $(LDFLAGS) $< $(LDLIBS) -L$(LIBFLASK_ROOT) -lflask $(LDLIBS_libxenctrl) -o $@
+
.PHONY: clean
clean:
rm -f *.o *.opic *.so
diff --git a/tools/flask/utils/label-pci.c b/tools/flask/utils/label-pci.c
new file mode 100644
index 0000000..839ad61
--- /dev/null
+++ b/tools/flask/utils/label-pci.c
@@ -0,0 +1,123 @@
+/*
+ * Author: Daniel De Graaf <dgdegra@tycho.nsa.gov>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2,
+ * as published by the Free Software Foundation.
+ */
+
+#include <stdlib.h>
+#include <errno.h>
+#include <stdio.h>
+#include <xenctrl.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <string.h>
+#include <unistd.h>
+#include <libflask.h>
+
+/* Pulled from linux/include/linux/ioport.h */
+#define IORESOURCE_TYPE_BITS 0x00001f00 /* Resource type */
+#define IORESOURCE_IO 0x00000100
+#define IORESOURCE_MEM 0x00000200
+#define IORESOURCE_IRQ 0x00000400
+#define IORESOURCE_DMA 0x00000800
+#define IORESOURCE_BUS 0x00001000
+
+
+static void usage (int argCnt, char *argv[])
+{
+ fprintf(stderr, "Usage: %s SBDF label\n", argv[0]);
+ exit(1);
+}
+
+int main (int argCnt, char *argv[])
+{
+ int ret, err = 0;
+ xc_interface *xch = 0;
+ int seg, bus, dev, fn;
+ uint32_t sbdf;
+ uint64_t start, end, flags;
+ char buf[1024];
+ FILE *f;
+
+ if (argCnt != 3)
+ usage(argCnt, argv);
+
+ xch = xc_interface_open(0,0,0);
+ if ( !xch )
+ {
+ fprintf(stderr, "Unable to create interface to xenctrl: %s\n",
+ strerror(errno));
+ err = 1;
+ goto done;
+ }
+
+ sscanf(argv[1], "%x:%x:%x.%d", &seg, &bus, &dev, &fn);
+ sbdf = (seg << 16) | (bus << 8) | (dev << 3) | fn;
+
+ snprintf(buf, sizeof(buf), "/sys/bus/pci/devices/%04x:%02x:%02x.%d/resource",
+ seg, bus, dev, fn);
+
+ f = fopen(buf, "r");
+ if (!f) {
+ fprintf(stderr, "Unable to find device %s: %s\n", argv[1],
+ strerror(errno));
+ err = 1;
+ goto done;
+ }
+
+ ret = flask_add_device(xch, sbdf, argv[2]);
+ if (ret) {
+ fprintf(stderr, "flask_add_device: Unable to set context of PCI device %s (0x%x) to %s: %d\n",
+ argv[1], sbdf, argv[2], ret);
+ err = 2;
+ goto done;
+ }
+
+ while (fscanf(f, "0x%lx 0x%lx 0x%lx\n", &start, &end, &flags) == 3) {
+ if (flags & IORESOURCE_IO) {
+ // printf("Port %lx-%lx\n", start, end);
+ ret = flask_add_ioport(xch, start, end, argv[2]);
+ if (ret) {
+ fprintf(stderr, "flask_add_ioport %lx-%lx failed: %d\n",
+ start, end, ret);
+ err = 2;
+ }
+ } else if (flags & IORESOURCE_MEM) {
+ start >>= 12;
+ end >>= 12;
+ // printf("IOMEM %lx-%lx\n", start, end);
+ ret = flask_add_iomem(xch, start, end, argv[2]);
+ if (ret) {
+ fprintf(stderr, "flask_add_iomem %lx-%lx failed: %d\n",
+ start, end, ret);
+ err = 2;
+ }
+ }
+ }
+ fclose(f);
+
+ snprintf(buf, sizeof(buf), "/sys/bus/pci/devices/%04x:%02x:%02x.%d/irq",
+ seg, bus, dev, fn);
+ f = fopen(buf, "r");
+ if (!f)
+ goto done;
+ start = 0;
+ fscanf(f, "%ld", &start);
+ if (start) {
+ ret = flask_add_pirq(xch, start, argv[2]);
+ if (ret) {
+ fprintf(stderr, "flask_add_pirq %ld failed: %d\n",
+ start, ret);
+ err = 2;
+ }
+ }
+ fclose(f);
+done:
+ if ( xch )
+ xc_interface_close(xch);
+
+ return err;
+}
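Review bot: The SBDF parsed by `sscanf(argv[1], "%x:%x:%x.%d", &seg, &bus, &dev, &fn)` is used without checking the return value or the field ranges, so a malformed argument leaves seg/bus/dev/fn uninitialized, and an out-of-range bus, device or function silently overflows its bit field when packed into `sbdf` on the following line — the device label can then be applied to a different SBDF than the one the sysfs path is built from. The count and ranges should be validated (ideally before `xc_interface_open`, since `usage()` exits without closing the handle). A smaller portability point: `start`, `end` and `flags` are `uint64_t` but are read with `%lx` / `%ld` and printed with `%lx`, which only matches on LP64; `SCNx64`/`PRIx64` from `<inttypes.h>` would make the `fscanf` and `fprintf` calls correct everywhere. Whether the number in sysfs `irq` is the same identifier `flask_add_pirq` expects is not established by this hunk; a one-line comment stating the assumption, e.g. `/* assumes the Linux IRQ number in sysfs equals the Xen pirq */`, would help the next reader.
```c
    if (argCnt != 3)
        usage(argCnt, argv);

    /* Validate the SBDF before anything is opened: a short match leaves
     * fields uninitialized and out-of-range values overflow the packed id. */
    if (sscanf(argv[1], "%x:%x:%x.%d", &seg, &bus, &dev, &fn) != 4 ||
        seg < 0 || seg > 0xffff || bus < 0 || bus > 0xff ||
        dev < 0 || dev > 0x1f || fn < 0 || fn > 7) {
        fprintf(stderr, "Invalid PCI address %s (expected SSSS:BB:DD.F)\n", argv[1]);
        usage(argCnt, argv);
    }
    sbdf = (seg << 16) | (bus << 8) | (dev << 3) | fn;

    /* … unchanged: xc_interface_open, sysfs resource/irq handling … */
```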
--
1.7.7.3

