
[Xen-devel] [PATCH 8/8] flask: Add flask-label-pci tool



This allows a PCI device and its associated resources to be labeled
without hardcoding addresses (which may change from system to system) in
the security policy.

Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
---
 tools/flask/utils/Makefile    |    5 +-
 tools/flask/utils/label-pci.c |  123 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 127 insertions(+), 1 deletions(-)
 create mode 100644 tools/flask/utils/label-pci.c

diff --git a/tools/flask/utils/Makefile b/tools/flask/utils/Makefile
index 25729a1..171a728 100644
--- a/tools/flask/utils/Makefile
+++ b/tools/flask/utils/Makefile
@@ -11,7 +11,7 @@ TESTDIR  = testsuite/tmp
 TESTFLAGS= -DTESTING
 TESTENV  = XENSTORED_ROOTDIR=$(TESTDIR) XENSTORED_RUNDIR=$(TESTDIR)
 
-CLIENTS := flask-loadpolicy flask-setenforce flask-getenforce
+CLIENTS := flask-loadpolicy flask-setenforce flask-getenforce flask-label-pci
 CLIENTS_SRCS := $(patsubst flask-%,%.c,$(CLIENTS))
 CLIENTS_OBJS := $(patsubst flask-%,%.o,$(CLIENTS))
 
@@ -27,6 +27,9 @@ flask-setenforce: setenforce.o
 flask-getenforce: getenforce.o
        $(CC) $(LDFLAGS) $< $(LDLIBS) -L$(LIBFLASK_ROOT) -lflask 
$(LDLIBS_libxenctrl) -o $@
 
+flask-label-pci: label-pci.o
+       $(CC) $(LDFLAGS) $< $(LDLIBS) -L$(LIBFLASK_ROOT) -lflask 
$(LDLIBS_libxenctrl) -o $@
+
 .PHONY: clean
 clean: 
        rm -f *.o *.opic *.so
diff --git a/tools/flask/utils/label-pci.c b/tools/flask/utils/label-pci.c
new file mode 100644
index 0000000..839ad61
--- /dev/null
+++ b/tools/flask/utils/label-pci.c
@@ -0,0 +1,123 @@
+/*
+ *  Author:  Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2,
+ *  as published by the Free Software Foundation.
+ */
+
+#include <stdlib.h>
+#include <errno.h>
+#include <stdio.h>
+#include <xenctrl.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <string.h>
+#include <unistd.h>
+#include <libflask.h>
+
+/* Pulled from linux/include/linux/ioport.h */
+#define IORESOURCE_TYPE_BITS    0x00001f00  /* Resource type */
+#define IORESOURCE_IO       0x00000100
+#define IORESOURCE_MEM      0x00000200
+#define IORESOURCE_IRQ      0x00000400
+#define IORESOURCE_DMA      0x00000800
+#define IORESOURCE_BUS      0x00001000
+
+
+static void usage (int argCnt, char *argv[])
+{
+       fprintf(stderr, "Usage: %s SBDF label\n", argv[0]);
+       exit(1);
+}
+
+int main (int argCnt, char *argv[])
+{
+       int ret, err = 0;
+       xc_interface *xch = 0;
+       int seg, bus, dev, fn;
+       uint32_t sbdf;
+       uint64_t start, end, flags;
+       char buf[1024];
+       FILE *f;
+
+       if (argCnt != 3)
+               usage(argCnt, argv);
+
+       xch = xc_interface_open(0,0,0);
+       if ( !xch )
+       {
+               fprintf(stderr, "Unable to create interface to xenctrl: %s\n",
+                               strerror(errno));
+               err = 1;
+               goto done;
+       }
+
+       sscanf(argv[1], "%x:%x:%x.%d", &seg, &bus, &dev, &fn);
+       sbdf = (seg << 16) | (bus << 8) | (dev << 3) | fn;
+
+       snprintf(buf, sizeof(buf), 
"/sys/bus/pci/devices/%04x:%02x:%02x.%d/resource",
+                       seg, bus, dev, fn);
+
+       f = fopen(buf, "r");
+       if (!f) {
+               fprintf(stderr, "Unable to find device %s: %s\n", argv[1],
+                               strerror(errno));
+               err = 1;
+               goto done;
+       }
+
+       ret = flask_add_device(xch, sbdf, argv[2]);
+       if (ret) {
+               fprintf(stderr, "flask_add_device: Unable to set context of PCI 
device %s (0x%x) to %s: %d\n",
+                       argv[1], sbdf, argv[2], ret);
+               err = 2;
+               goto done;
+       }
+
+       while (fscanf(f, "0x%lx 0x%lx 0x%lx\n", &start, &end, &flags) == 3) {
+               if (flags & IORESOURCE_IO) {
+                       // printf("Port %lx-%lx\n", start, end);
+                       ret = flask_add_ioport(xch, start, end, argv[2]);
+                       if (ret) {
+                               fprintf(stderr, "flask_add_ioport %lx-%lx 
failed: %d\n",
+                                               start, end, ret);
+                               err = 2;
+                       }
+               } else if (flags & IORESOURCE_MEM) {
+                       start >>= 12;
+                       end >>= 12;
+                       // printf("IOMEM %lx-%lx\n", start, end);
+                       ret = flask_add_iomem(xch, start, end, argv[2]);
+                       if (ret) {
+                               fprintf(stderr, "flask_add_iomem %lx-%lx 
failed: %d\n",
+                                               start, end, ret);
+                               err = 2;
+                       }
+               }
+       }
+       fclose(f);
+
+       snprintf(buf, sizeof(buf), "/sys/bus/pci/devices/%04x:%02x:%02x.%d/irq",
+                       seg, bus, dev, fn);
+       f = fopen(buf, "r");
+       if (!f)
+               goto done;
+       start = 0;
+       fscanf(f, "%ld", &start);
+       if (start) {
+               ret = flask_add_pirq(xch, start, argv[2]);
+               if (ret) {
+                       fprintf(stderr, "flask_add_pirq %ld failed: %d\n",
+                                       start, ret);
+                       err = 2;
+               }
+       }
+       fclose(f);
+done:
+       if ( xch )
+               xc_interface_close(xch);
+
+       return err;
+}
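Review bot: The return value of the `sscanf(argv[1], "%x:%x:%x.%d", ...)` call is never checked, so an SBDF argument with fewer than four fields leaves seg/bus/dev/fn uninitialized and they still flow into `sbdf`, the sysfs path and flask_add_device(); a combined parse-and-range check keeps both garbage and out-of-range fields (which the shifts would otherwise fold into another device's SBDF) from reaching the labeling call: `if (sscanf(argv[1], "%x:%x:%x.%d", &seg, &bus, &dev, &fn) != 4 || seg < 0 || bus < 0 || bus > 0xff || dev < 0 || dev > 0x1f || fn < 0 || fn > 7) usage(argCnt, argv);`. The flask_add_device() failure path does `goto done` after `f` was opened at the resource fopen(), so that FILE is leaked; an `fclose(f);` before that goto (or a second cleanup label) closes it. The `"0x%lx"` and `"%ld"` fscanf formats and the `%lx`/`%ld` fprintf formats are applied to uint64_t variables, which only matches on LP64 targets; on a 32-bit tools build they read and print half the value, so `SCNx64`/`PRIx64` (and `SCNu64` for the irq read) from <inttypes.h> are the portable form. The unchecked `fscanf(f, "%ld", &start)` is tolerable only because `start` is preset to 0, which deserves a one-line comment such as `/* a failed read leaves start == 0 and skips the pirq label */`.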
-- 
1.7.7.3

