int flask_del_device(int xc_handle, unsigned long device) { int err; flask_op_t op; char *buf; char *dev = OCON_DEVICE_STR; int size = strlen(dev) + (sizeof(unsigned long)) + (sizeof(char) * 2); if ( (buf = (char *) malloc(size)) == NULL ) return -ENOMEM; memset(buf, 0, size); op.cmd = FLASK_DEL_OCONTEXT; snprintf(buf, size, "%s %lu", dev, device); op.buf = buf; op.size = size; if ( (err = xc_flask_op(xc_handle, &op)) != 0 ) { free(buf); return err; } free(buf); return 0; }
int flask_del_iomem(int xc_handle, unsigned long low, unsigned long high) { int err; flask_op_t op; char *buf; char *iomem = OCON_IOMEM_STR; int size = strlen(iomem) + (sizeof(unsigned long) * 2) + (sizeof(char) * 3); if ( (buf = (char *) malloc(size)) == NULL ) return -ENOMEM; memset(buf, 0, size); op.cmd = FLASK_DEL_OCONTEXT; snprintf(buf, size, "%s %lu %lu", iomem, low, high); op.buf = buf; op.size = size; if ( (err = xc_flask_op(xc_handle, &op)) != 0 ) { free(buf); return err; } free(buf); return 0; }
int xc_flask_getbool_byname(xc_interface *xch, char *name, int *curr, int *pend) { int rv; DECLARE_FLASK_OP; DECLARE_HYPERCALL_BOUNCE(name, strlen(name), XC_HYPERCALL_BUFFER_BOUNCE_IN); if ( xc_hypercall_bounce_pre(xch, name) ) { PERROR("Could not bounce memory for flask op hypercall"); return -1; } op.cmd = FLASK_GETBOOL; op.u.boolean.bool_id = -1; op.u.boolean.size = strlen(name); set_xen_guest_handle(op.u.boolean.name, name); rv = xc_flask_op(xch, &op); xc_hypercall_bounce_post(xch, name); if ( rv ) return rv; if ( curr ) *curr = op.u.boolean.enforcing; if ( pend ) *pend = op.u.boolean.pending; return rv; }
int flask_add_ioport(int xc_handle, unsigned long low, unsigned long high, char *scontext) { int err; flask_op_t op; char *buf; char *ioport = OCON_IOPORT_STR; int size = INITCONTEXTLEN + strlen(ioport) + (sizeof(unsigned long) * 2) + (sizeof(char) * 4); if ( (buf = (char *) malloc(size)) == NULL ) return -ENOMEM; memset(buf, 0, size); op.cmd = FLASK_ADD_OCONTEXT; snprintf(buf, size, "%s %255s %lu %lu", ioport, scontext, low, high); op.buf = buf; op.size = size; if ( (err = xc_flask_op(xc_handle, &op)) != 0 ) { free(buf); return err; } free(buf); return 0; }
int xc_flask_getenforce(xc_interface *xch) { DECLARE_FLASK_OP; op.cmd = FLASK_GETENFORCE; return xc_flask_op(xch, &op); }
int xc_flask_policyvers(xc_interface *xch) { DECLARE_FLASK_OP; op.cmd = FLASK_POLICYVERS; return xc_flask_op(xch, &op); }
int flask_del_pirq(int xc_handle, unsigned int pirq) { int err; flask_op_t op; char *buf; char *pirq_s = OCON_PIRQ_STR; int size = strlen(pirq_s) + (sizeof(unsigned int)) + (sizeof(char) * 2); if ( (buf = (char *) malloc(size)) == NULL ) return -ENOMEM; memset(buf, 0, size); op.cmd = FLASK_DEL_OCONTEXT; snprintf(buf, size, "%s %u", pirq_s, pirq); op.buf = buf; op.size = size; if ( (err = xc_flask_op(xc_handle, &op)) != 0 ) { free(buf); return err; } free(buf); return 0; }
int xc_flask_setbool(xc_interface *xch, char *name, int value, int commit) { int rv; DECLARE_FLASK_OP; DECLARE_HYPERCALL_BOUNCE(name, strlen(name), XC_HYPERCALL_BUFFER_BOUNCE_IN); if ( xc_hypercall_bounce_pre(xch, name) ) { PERROR("Could not bounce memory for flask op hypercall"); return -1; } op.cmd = FLASK_SETBOOL; op.u.boolean.bool_id = -1; op.u.boolean.new_value = value; op.u.boolean.commit = 1; op.u.boolean.size = strlen(name); set_xen_guest_handle(op.u.boolean.name, name); rv = xc_flask_op(xch, &op); xc_hypercall_bounce_post(xch, name); return rv; }
int xc_flask_getavc_threshold(xc_interface *xch) { DECLARE_FLASK_OP; op.cmd = FLASK_GETAVC_THRESHOLD; return xc_flask_op(xch, &op); }
int xc_flask_avc_cachestats(xc_interface *xch, char *buf, int size) { int err, n; int i = 0; DECLARE_FLASK_OP; n = snprintf(buf, size, "lookups hits misses allocations reclaims frees\n"); buf += n; size -= n; op.cmd = FLASK_AVC_CACHESTATS; while ( size > 0 ) { op.u.cache_stats.cpu = i; err = xc_flask_op(xch, &op); if ( err && errno == ENOENT ) return 0; if ( err ) return err; n = snprintf(buf, size, "%u %u %u %u %u %u\n", op.u.cache_stats.lookups, op.u.cache_stats.hits, op.u.cache_stats.misses, op.u.cache_stats.allocations, op.u.cache_stats.reclaims, op.u.cache_stats.frees); buf += n; size -= n; i++; } return 0; }
int xc_flask_context_to_sid(xc_interface *xch, char *buf, uint32_t size, uint32_t *sid) { int err; DECLARE_FLASK_OP; DECLARE_HYPERCALL_BOUNCE(buf, size, XC_HYPERCALL_BUFFER_BOUNCE_IN); if ( xc_hypercall_bounce_pre(xch, buf) ) { PERROR("Could not bounce memory for flask op hypercall"); return -1; } op.cmd = FLASK_CONTEXT_TO_SID; op.u.sid_context.size = size; set_xen_guest_handle(op.u.sid_context.context, buf); err = xc_flask_op(xch, &op); if ( !err ) *sid = op.u.sid_context.sid; xc_hypercall_bounce_post(xch, buf); return err; }
int xc_flask_setavc_threshold(xc_interface *xch, int threshold) { DECLARE_FLASK_OP; op.cmd = FLASK_SETAVC_THRESHOLD; op.u.setavc_threshold.threshold = threshold; return xc_flask_op(xch, &op); }
int xc_flask_setenforce(xc_interface *xch, int mode) { DECLARE_FLASK_OP; op.cmd = FLASK_SETENFORCE; op.u.enforce.enforcing = mode; return xc_flask_op(xch, &op); }
int xc_flask_relabel_domain(xc_interface *xch, int domid, uint32_t sid) { DECLARE_FLASK_OP; op.cmd = FLASK_RELABEL_DOMAIN; op.u.relabel.domid = domid; op.u.relabel.sid = sid; return xc_flask_op(xch, &op); }
static int xc_flask_del(xc_interface *xch, uint32_t ocon, uint64_t low, uint64_t high) { DECLARE_FLASK_OP; op.cmd = FLASK_DEL_OCONTEXT; op.u.ocontext.ocon = ocon; op.u.ocontext.low = low; op.u.ocontext.high = high; return xc_flask_op(xch, &op); }
static int xc_flask_add(xc_interface *xc_handle, char *cat, char *arg, char *scontext) { char buf[512]; flask_op_t op; memset(buf, 0, 512); snprintf(buf, 512, "%s %255s %s", cat, scontext, arg); op.cmd = FLASK_ADD_OCONTEXT; op.buf = buf; op.size = 512; return xc_flask_op(xc_handle, &op); }
static int xc_flask_del(xc_interface *xc_handle, char *cat, char *arg) { char buf[256]; flask_op_t op; memset(buf, 0, 256); snprintf(buf, 256, "%s %s", cat, arg); op.cmd = FLASK_DEL_OCONTEXT; op.buf = buf; op.size = 256; return xc_flask_op(xc_handle, &op); }
int flask_load(int xc_handle, char *buf, uint32_t size) { int err; flask_op_t op; op.cmd = FLASK_LOAD; op.buf = buf; op.size = size; if ( (err = xc_flask_op(xc_handle, &op)) != 0 ) return err; return 0; }
int flask_sid_to_context(int xc_handle, int sid, char *buf, uint32_t size) { int err; flask_op_t op; op.cmd = FLASK_SID_TO_CONTEXT; op.buf = buf; op.size = size; snprintf(buf, size, "%u", sid); if ( (err = xc_flask_op(xc_handle, &op)) != 0 ) return err; return 0; }
int flask_context_to_sid(int xc_handle, char *buf, uint32_t size, uint32_t *sid) { int err; flask_op_t op; op.cmd = FLASK_CONTEXT_TO_SID; op.buf = buf; op.size = size; if ( (err = xc_flask_op(xc_handle, &op)) != 0 ) return err; sscanf(buf, "%u", sid); return 0; }
int xc_flask_avc_hashstats(xc_interface *xch, char *buf, int size) { int err; DECLARE_FLASK_OP; op.cmd = FLASK_AVC_HASHSTATS; err = xc_flask_op(xch, &op); snprintf(buf, size, "entries: %d\nbuckets used: %d/%d\nlongest chain: %d\n", op.u.hash_stats.entries, op.u.hash_stats.buckets_used, op.u.hash_stats.buckets_total, op.u.hash_stats.max_chain_len); return err; }
int xc_flask_avc_cachestats(xc_interface *xc_handle, char *buf, int size) { int err; flask_op_t op; op.cmd = FLASK_AVC_CACHESTATS; op.buf = buf; op.size = size; if ( (err = xc_flask_op(xc_handle, &op)) != 0 ) { free(buf); return err; } return 0; }
int xc_flask_policyvers(xc_interface *xc_handle, char *buf, int size) { int err; flask_op_t op; op.cmd = FLASK_POLICYVERS; op.buf = buf; op.size = size; if ( (err = xc_flask_op(xc_handle, &op)) != 0 ) { free(buf); return err; } return 0; }
int flask_avc_hashstats(int xc_handle, char *buf, int size) { int err; flask_op_t op; op.cmd = FLASK_AVC_HASHSTATS; op.buf = buf; op.size = size; if ( (err = xc_flask_op(xc_handle, &op)) != 0 ) { free(buf); return err; } return 0; }
static int xc_flask_add(xc_interface *xch, uint32_t ocon, uint64_t low, uint64_t high, char *scontext) { uint32_t sid; int err; DECLARE_FLASK_OP; err = xc_flask_context_to_sid(xch, scontext, strlen(scontext), &sid); if ( err ) return err; op.cmd = FLASK_ADD_OCONTEXT; op.u.ocontext.ocon = ocon; op.u.ocontext.sid = sid; op.u.ocontext.low = low; op.u.ocontext.high = high; return xc_flask_op(xch, &op); }
int xc_flask_setenforce(xc_interface *xc_handle, int mode) { int err; flask_op_t op; char buf[20]; int size = 20; op.cmd = FLASK_SETENFORCE; op.buf = buf; op.size = size; snprintf(buf, size, "%i", mode); if ( (err = xc_flask_op(xc_handle, &op)) != 0 ) return err; return 0; }
int xc_flask_setavc_threshold(xc_interface *xc_handle, int threshold) { int err; flask_op_t op; char buf[20]; int size = 20; op.cmd = FLASK_SETAVC_THRESHOLD; op.buf = buf; op.size = size; snprintf(buf, size, "%i", threshold); if ( (err = xc_flask_op(xc_handle, &op)) != 0 ) return err; return 0; }
int xc_flask_getavc_threshold(xc_interface *xc_handle) { int err; flask_op_t op; char buf[20]; int size = 20; int threshold; op.cmd = FLASK_GETAVC_THRESHOLD; op.buf = buf; op.size = size; if ( (err = xc_flask_op(xc_handle, &op)) != 0 ) return err; sscanf(buf, "%i", &threshold); return threshold; }
int xc_flask_getenforce(xc_interface *xc_handle) { int err; flask_op_t op; char buf[20]; int size = 20; int mode; op.cmd = FLASK_GETENFORCE; op.buf = buf; op.size = size; if ( (err = xc_flask_op(xc_handle, &op)) != 0 ) return err; sscanf(buf, "%i", &mode); return mode; }
int xc_flask_access(xc_interface *xch, const char *scon, const char *tcon, uint16_t tclass, uint32_t req, uint32_t *allowed, uint32_t *decided, uint32_t *auditallow, uint32_t *auditdeny, uint32_t *seqno) { DECLARE_FLASK_OP; int err; err = xc_flask_context_to_sid(xch, (char*)scon, strlen(scon), &op.u.access.ssid); if ( err ) return err; err = xc_flask_context_to_sid(xch, (char*)tcon, strlen(tcon), &op.u.access.tsid); if ( err ) return err; op.cmd = FLASK_ACCESS; op.u.access.tclass = tclass; op.u.access.req = req; err = xc_flask_op(xch, &op); if ( err ) return err; if ( allowed ) *allowed = op.u.access.allowed; if ( decided ) *decided = 0xffffffff; if ( auditallow ) *auditallow = op.u.access.audit_allow; if ( auditdeny ) *auditdeny = op.u.access.audit_deny; if ( seqno ) *seqno = op.u.access.seqno; if ( (op.u.access.allowed & req) != req ) err = -EPERM; return err; }