int flask_del_device(int xc_handle, unsigned long device)
{
int err;
flask_op_t op;
char *buf;
char *dev = OCON_DEVICE_STR;
int size = strlen(dev) + (sizeof(unsigned long)) + (sizeof(char) * 2);
if ( (buf = (char *) malloc(size)) == NULL )
return -ENOMEM;
memset(buf, 0, size);
op.cmd = FLASK_DEL_OCONTEXT;
snprintf(buf, size, "%s %lu", dev, device);
op.buf = buf;
op.size = size;
if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
{
free(buf);
return err;
}
free(buf);
return 0;
}
int flask_del_iomem(int xc_handle, unsigned long low, unsigned long high)
{
int err;
flask_op_t op;
char *buf;
char *iomem = OCON_IOMEM_STR;
int size = strlen(iomem) + (sizeof(unsigned long) * 2) +
(sizeof(char) * 3);
if ( (buf = (char *) malloc(size)) == NULL )
return -ENOMEM;
memset(buf, 0, size);
op.cmd = FLASK_DEL_OCONTEXT;
snprintf(buf, size, "%s %lu %lu", iomem, low, high);
op.buf = buf;
op.size = size;
if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
{
free(buf);
return err;
}
free(buf);
return 0;
}
int xc_flask_getbool_byname(xc_interface *xch, char *name, int *curr, int *pend)
{
int rv;
DECLARE_FLASK_OP;
DECLARE_HYPERCALL_BOUNCE(name, strlen(name), XC_HYPERCALL_BUFFER_BOUNCE_IN);
if ( xc_hypercall_bounce_pre(xch, name) )
{
PERROR("Could not bounce memory for flask op hypercall");
return -1;
}
op.cmd = FLASK_GETBOOL;
op.u.boolean.bool_id = -1;
op.u.boolean.size = strlen(name);
set_xen_guest_handle(op.u.boolean.name, name);
rv = xc_flask_op(xch, &op);
xc_hypercall_bounce_post(xch, name);
if ( rv )
return rv;
if ( curr )
*curr = op.u.boolean.enforcing;
if ( pend )
*pend = op.u.boolean.pending;
return rv;
}
int flask_add_ioport(int xc_handle, unsigned long low, unsigned long high,
char *scontext)
{
int err;
flask_op_t op;
char *buf;
char *ioport = OCON_IOPORT_STR;
int size = INITCONTEXTLEN + strlen(ioport) +
(sizeof(unsigned long) * 2) + (sizeof(char) * 4);
if ( (buf = (char *) malloc(size)) == NULL )
return -ENOMEM;
memset(buf, 0, size);
op.cmd = FLASK_ADD_OCONTEXT;
snprintf(buf, size, "%s %255s %lu %lu", ioport, scontext, low, high);
op.buf = buf;
op.size = size;
if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
{
free(buf);
return err;
}
free(buf);
return 0;
}
int xc_flask_getenforce(xc_interface *xch)
{
DECLARE_FLASK_OP;
op.cmd = FLASK_GETENFORCE;
return xc_flask_op(xch, &op);
}
int xc_flask_policyvers(xc_interface *xch)
{
DECLARE_FLASK_OP;
op.cmd = FLASK_POLICYVERS;
return xc_flask_op(xch, &op);
}
int flask_del_pirq(int xc_handle, unsigned int pirq)
{
int err;
flask_op_t op;
char *buf;
char *pirq_s = OCON_PIRQ_STR;
int size = strlen(pirq_s) + (sizeof(unsigned int)) +
(sizeof(char) * 2);
if ( (buf = (char *) malloc(size)) == NULL )
return -ENOMEM;
memset(buf, 0, size);
op.cmd = FLASK_DEL_OCONTEXT;
snprintf(buf, size, "%s %u", pirq_s, pirq);
op.buf = buf;
op.size = size;
if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
{
free(buf);
return err;
}
free(buf);
return 0;
}
int xc_flask_setbool(xc_interface *xch, char *name, int value, int commit)
{
int rv;
DECLARE_FLASK_OP;
DECLARE_HYPERCALL_BOUNCE(name, strlen(name), XC_HYPERCALL_BUFFER_BOUNCE_IN);
if ( xc_hypercall_bounce_pre(xch, name) )
{
PERROR("Could not bounce memory for flask op hypercall");
return -1;
}
op.cmd = FLASK_SETBOOL;
op.u.boolean.bool_id = -1;
op.u.boolean.new_value = value;
op.u.boolean.commit = 1;
op.u.boolean.size = strlen(name);
set_xen_guest_handle(op.u.boolean.name, name);
rv = xc_flask_op(xch, &op);
xc_hypercall_bounce_post(xch, name);
return rv;
}
int xc_flask_getavc_threshold(xc_interface *xch)
{
DECLARE_FLASK_OP;
op.cmd = FLASK_GETAVC_THRESHOLD;
return xc_flask_op(xch, &op);
}
int xc_flask_avc_cachestats(xc_interface *xch, char *buf, int size)
{
int err, n;
int i = 0;
DECLARE_FLASK_OP;
n = snprintf(buf, size, "lookups hits misses allocations reclaims frees\n");
buf += n;
size -= n;
op.cmd = FLASK_AVC_CACHESTATS;
while ( size > 0 )
{
op.u.cache_stats.cpu = i;
err = xc_flask_op(xch, &op);
if ( err && errno == ENOENT )
return 0;
if ( err )
return err;
n = snprintf(buf, size, "%u %u %u %u %u %u\n",
op.u.cache_stats.lookups, op.u.cache_stats.hits,
op.u.cache_stats.misses, op.u.cache_stats.allocations,
op.u.cache_stats.reclaims, op.u.cache_stats.frees);
buf += n;
size -= n;
i++;
}
return 0;
}
int xc_flask_context_to_sid(xc_interface *xch, char *buf, uint32_t size, uint32_t *sid)
{
int err;
DECLARE_FLASK_OP;
DECLARE_HYPERCALL_BOUNCE(buf, size, XC_HYPERCALL_BUFFER_BOUNCE_IN);
if ( xc_hypercall_bounce_pre(xch, buf) )
{
PERROR("Could not bounce memory for flask op hypercall");
return -1;
}
op.cmd = FLASK_CONTEXT_TO_SID;
op.u.sid_context.size = size;
set_xen_guest_handle(op.u.sid_context.context, buf);
err = xc_flask_op(xch, &op);
if ( !err )
*sid = op.u.sid_context.sid;
xc_hypercall_bounce_post(xch, buf);
return err;
}
int xc_flask_setavc_threshold(xc_interface *xch, int threshold)
{
DECLARE_FLASK_OP;
op.cmd = FLASK_SETAVC_THRESHOLD;
op.u.setavc_threshold.threshold = threshold;
return xc_flask_op(xch, &op);
}
int xc_flask_setenforce(xc_interface *xch, int mode)
{
DECLARE_FLASK_OP;
op.cmd = FLASK_SETENFORCE;
op.u.enforce.enforcing = mode;
return xc_flask_op(xch, &op);
}
int xc_flask_relabel_domain(xc_interface *xch, int domid, uint32_t sid)
{
DECLARE_FLASK_OP;
op.cmd = FLASK_RELABEL_DOMAIN;
op.u.relabel.domid = domid;
op.u.relabel.sid = sid;
return xc_flask_op(xch, &op);
}
static int xc_flask_del(xc_interface *xch, uint32_t ocon, uint64_t low, uint64_t high)
{
DECLARE_FLASK_OP;
op.cmd = FLASK_DEL_OCONTEXT;
op.u.ocontext.ocon = ocon;
op.u.ocontext.low = low;
op.u.ocontext.high = high;
return xc_flask_op(xch, &op);
}
static int xc_flask_add(xc_interface *xc_handle, char *cat, char *arg, char *scontext)
{
char buf[512];
flask_op_t op;
memset(buf, 0, 512);
snprintf(buf, 512, "%s %255s %s", cat, scontext, arg);
op.cmd = FLASK_ADD_OCONTEXT;
op.buf = buf;
op.size = 512;
return xc_flask_op(xc_handle, &op);
}
static int xc_flask_del(xc_interface *xc_handle, char *cat, char *arg)
{
char buf[256];
flask_op_t op;
memset(buf, 0, 256);
snprintf(buf, 256, "%s %s", cat, arg);
op.cmd = FLASK_DEL_OCONTEXT;
op.buf = buf;
op.size = 256;
return xc_flask_op(xc_handle, &op);
}
int flask_load(int xc_handle, char *buf, uint32_t size)
{
int err;
flask_op_t op;
op.cmd = FLASK_LOAD;
op.buf = buf;
op.size = size;
if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
return err;
return 0;
}
int flask_sid_to_context(int xc_handle, int sid, char *buf, uint32_t size)
{
int err;
flask_op_t op;
op.cmd = FLASK_SID_TO_CONTEXT;
op.buf = buf;
op.size = size;
snprintf(buf, size, "%u", sid);
if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
return err;
return 0;
}
int flask_context_to_sid(int xc_handle, char *buf, uint32_t size, uint32_t *sid)
{
int err;
flask_op_t op;
op.cmd = FLASK_CONTEXT_TO_SID;
op.buf = buf;
op.size = size;
if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
return err;
sscanf(buf, "%u", sid);
return 0;
}
int xc_flask_avc_hashstats(xc_interface *xch, char *buf, int size)
{
int err;
DECLARE_FLASK_OP;
op.cmd = FLASK_AVC_HASHSTATS;
err = xc_flask_op(xch, &op);
snprintf(buf, size,
"entries: %d\nbuckets used: %d/%d\nlongest chain: %d\n",
op.u.hash_stats.entries, op.u.hash_stats.buckets_used,
op.u.hash_stats.buckets_total, op.u.hash_stats.max_chain_len);
return err;
}
int xc_flask_avc_cachestats(xc_interface *xc_handle, char *buf, int size)
{
int err;
flask_op_t op;
op.cmd = FLASK_AVC_CACHESTATS;
op.buf = buf;
op.size = size;
if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
{
free(buf);
return err;
}
return 0;
}
int xc_flask_policyvers(xc_interface *xc_handle, char *buf, int size)
{
int err;
flask_op_t op;
op.cmd = FLASK_POLICYVERS;
op.buf = buf;
op.size = size;
if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
{
free(buf);
return err;
}
return 0;
}
int flask_avc_hashstats(int xc_handle, char *buf, int size)
{
int err;
flask_op_t op;
op.cmd = FLASK_AVC_HASHSTATS;
op.buf = buf;
op.size = size;
if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
{
free(buf);
return err;
}
return 0;
}
static int xc_flask_add(xc_interface *xch, uint32_t ocon, uint64_t low, uint64_t high, char *scontext)
{
uint32_t sid;
int err;
DECLARE_FLASK_OP;
err = xc_flask_context_to_sid(xch, scontext, strlen(scontext), &sid);
if ( err )
return err;
op.cmd = FLASK_ADD_OCONTEXT;
op.u.ocontext.ocon = ocon;
op.u.ocontext.sid = sid;
op.u.ocontext.low = low;
op.u.ocontext.high = high;
return xc_flask_op(xch, &op);
}
int xc_flask_setenforce(xc_interface *xc_handle, int mode)
{
int err;
flask_op_t op;
char buf[20];
int size = 20;
op.cmd = FLASK_SETENFORCE;
op.buf = buf;
op.size = size;
snprintf(buf, size, "%i", mode);
if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
return err;
return 0;
}
int xc_flask_setavc_threshold(xc_interface *xc_handle, int threshold)
{
int err;
flask_op_t op;
char buf[20];
int size = 20;
op.cmd = FLASK_SETAVC_THRESHOLD;
op.buf = buf;
op.size = size;
snprintf(buf, size, "%i", threshold);
if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
return err;
return 0;
}
int xc_flask_getavc_threshold(xc_interface *xc_handle)
{
int err;
flask_op_t op;
char buf[20];
int size = 20;
int threshold;
op.cmd = FLASK_GETAVC_THRESHOLD;
op.buf = buf;
op.size = size;
if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
return err;
sscanf(buf, "%i", &threshold);
return threshold;
}
int xc_flask_getenforce(xc_interface *xc_handle)
{
int err;
flask_op_t op;
char buf[20];
int size = 20;
int mode;
op.cmd = FLASK_GETENFORCE;
op.buf = buf;
op.size = size;
if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
return err;
sscanf(buf, "%i", &mode);
return mode;
}
int xc_flask_access(xc_interface *xch, const char *scon, const char *tcon,
uint16_t tclass, uint32_t req,
uint32_t *allowed, uint32_t *decided,
uint32_t *auditallow, uint32_t *auditdeny,
uint32_t *seqno)
{
DECLARE_FLASK_OP;
int err;
err = xc_flask_context_to_sid(xch, (char*)scon, strlen(scon), &op.u.access.ssid);
if ( err )
return err;
err = xc_flask_context_to_sid(xch, (char*)tcon, strlen(tcon), &op.u.access.tsid);
if ( err )
return err;
op.cmd = FLASK_ACCESS;
op.u.access.tclass = tclass;
op.u.access.req = req;
err = xc_flask_op(xch, &op);
if ( err )
return err;
if ( allowed )
*allowed = op.u.access.allowed;
if ( decided )
*decided = 0xffffffff;
if ( auditallow )
*auditallow = op.u.access.audit_allow;
if ( auditdeny )
*auditdeny = op.u.access.audit_deny;
if ( seqno )
*seqno = op.u.access.seqno;
if ( (op.u.access.allowed & req) != req )
err = -EPERM;
return err;
}
