[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] [PATCH 8/8] flask: Add flask-label-pci tool
This allows a PCI device and its associated resources to be labeled without hardcoding addresses (which may change from system to system) in the security policy. Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx> --- tools/flask/utils/Makefile | 5 +- tools/flask/utils/label-pci.c | 123 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 127 insertions(+), 1 deletions(-) create mode 100644 tools/flask/utils/label-pci.c diff --git a/tools/flask/utils/Makefile b/tools/flask/utils/Makefile index 25729a1..171a728 100644 --- a/tools/flask/utils/Makefile +++ b/tools/flask/utils/Makefile @@ -11,7 +11,7 @@ TESTDIR = testsuite/tmp TESTFLAGS= -DTESTING TESTENV = XENSTORED_ROOTDIR=$(TESTDIR) XENSTORED_RUNDIR=$(TESTDIR) -CLIENTS := flask-loadpolicy flask-setenforce flask-getenforce +CLIENTS := flask-loadpolicy flask-setenforce flask-getenforce flask-label-pci CLIENTS_SRCS := $(patsubst flask-%,%.c,$(CLIENTS)) CLIENTS_OBJS := $(patsubst flask-%,%.o,$(CLIENTS)) @@ -27,6 +27,9 @@ flask-setenforce: setenforce.o flask-getenforce: getenforce.o $(CC) $(LDFLAGS) $< $(LDLIBS) -L$(LIBFLASK_ROOT) -lflask $(LDLIBS_libxenctrl) -o $@ +flask-label-pci: label-pci.o + $(CC) $(LDFLAGS) $< $(LDLIBS) -L$(LIBFLASK_ROOT) -lflask $(LDLIBS_libxenctrl) -o $@ + .PHONY: clean clean: rm -f *.o *.opic *.so diff --git a/tools/flask/utils/label-pci.c b/tools/flask/utils/label-pci.c new file mode 100644 index 0000000..839ad61 --- /dev/null +++ b/tools/flask/utils/label-pci.c @@ -0,0 +1,123 @@ +/* + * Author: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2, + * as published by the Free Software Foundation. + */ + +#include <stdlib.h> +#include <errno.h> +#include <stdio.h> +#include <xenctrl.h> +#include <fcntl.h> +#include <sys/mman.h> +#include <sys/stat.h> +#include <string.h> +#include <unistd.h> +#include <libflask.h> + +/* Pulled from linux/include/linux/ioport.h */ +#define IORESOURCE_TYPE_BITS 0x00001f00 /* Resource type */ +#define IORESOURCE_IO 0x00000100 +#define IORESOURCE_MEM 0x00000200 +#define IORESOURCE_IRQ 0x00000400 +#define IORESOURCE_DMA 0x00000800 +#define IORESOURCE_BUS 0x00001000 + + +static void usage (int argCnt, char *argv[]) +{ + fprintf(stderr, "Usage: %s SBDF label\n", argv[0]); + exit(1); +} + +int main (int argCnt, char *argv[]) +{ + int ret, err = 0; + xc_interface *xch = 0; + int seg, bus, dev, fn; + uint32_t sbdf; + uint64_t start, end, flags; + char buf[1024]; + FILE *f; + + if (argCnt != 3) + usage(argCnt, argv); + + xch = xc_interface_open(0,0,0); + if ( !xch ) + { + fprintf(stderr, "Unable to create interface to xenctrl: %s\n", + strerror(errno)); + err = 1; + goto done; + } + + sscanf(argv[1], "%x:%x:%x.%d", &seg, &bus, &dev, &fn); + sbdf = (seg << 16) | (bus << 8) | (dev << 3) | fn; + + snprintf(buf, sizeof(buf), "/sys/bus/pci/devices/%04x:%02x:%02x.%d/resource", + seg, bus, dev, fn); + + f = fopen(buf, "r"); + if (!f) { + fprintf(stderr, "Unable to find device %s: %s\n", argv[1], + strerror(errno)); + err = 1; + goto done; + } + + ret = flask_add_device(xch, sbdf, argv[2]); + if (ret) { + fprintf(stderr, "flask_add_device: Unable to set context of PCI device %s (0x%x) to %s: %d\n", + argv[1], sbdf, argv[2], ret); + err = 2; + goto done; + } + + while (fscanf(f, "0x%lx 0x%lx 0x%lx\n", &start, &end, &flags) == 3) { + if (flags & IORESOURCE_IO) { + // printf("Port %lx-%lx\n", start, end); + ret = flask_add_ioport(xch, start, end, argv[2]); + if (ret) { + fprintf(stderr, "flask_add_ioport %lx-%lx failed: %d\n", + start, end, ret); + err = 2; + } + } else if (flags & IORESOURCE_MEM) { + start >>= 12; + end >>= 12; + // printf("IOMEM %lx-%lx\n", start, end); + ret = flask_add_iomem(xch, start, end, argv[2]); + if (ret) { + fprintf(stderr, "flask_add_iomem %lx-%lx failed: %d\n", + start, end, ret); + err = 2; + } + } + } + fclose(f); + + snprintf(buf, sizeof(buf), "/sys/bus/pci/devices/%04x:%02x:%02x.%d/irq", + seg, bus, dev, fn); + f = fopen(buf, "r"); + if (!f) + goto done; + start = 0; + fscanf(f, "%ld", &start); + if (start) { + ret = flask_add_pirq(xch, start, argv[2]); + if (ret) { + fprintf(stderr, "flask_add_pirq %ld failed: %d\n", + start, ret); + err = 2; + } + } + fclose(f); +done: + if ( xch ) + xc_interface_close(xch); + + return err; +} -- 1.7.7.3 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |