diff -r a4c4b2407117 -r d864c312eae4 domname_list.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/domname_list.c Fri Jan 23 04:39:58 2009 +0900 @@ -0,0 +1,119 @@ +/* + Copyright (C) 2008 Fujitsu Limited. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + MA 02110-1301 USA. +*/ + +#include +#include +#include "role_list.h" +#include "domname_list.h" +#include "xr_log.h" + +static void +init_domname(domname *dn) +{ + strcpy(dn->value, "\n"); + dn->next = NULL; +} + +domname* +new_domname(void) +{ + domname *dn; + + DMSG(FUNC, "start\n"); + + dn = (domname *) malloc(sizeof(struct _domname)); + if (!dn) { + EMSG("out of memory for domname\n"); + return NULL; + } + DMSG(FUNC, "allocate domname: %p\n", dn); + + dn->value = (char *) malloc(XR_MAX_LENGTH_OF_DOMNAME * sizeof(char)); + if (!dn->value) { + free(dn); + EMSG("out of memory for value of domname\n"); + return NULL; + } + DMSG(FUNC, "allocate value of domname: %p\n", dn->value); + + init_domname(dn); + return dn; +} + +static void +free_domname(domname *dn) +{ + DMSG(FUNC, "start\n"); + + if (!dn) + return; + + if (dn->value) { + DMSG(FUNC, "free value of domname: %p\n", dn->value); + free(dn->value); + } + + DMSG(FUNC, "free domname: %p\n", dn); + free(dn); +} + +void +free_domname_list(role *r) +{ + domname *dn = r->managementVMList; + domname *dn_next = NULL; + + DMSG(FUNC, "start\n"); + + while (dn) { + dn_next = dn; + free_domname(dn); + dn = dn_next; + } +} + +void +append_domname(role *r, domname *dn) +{ + DMSG(FUNC, "start\n"); + + dn->next = r->managementVMList; + r->managementVMList = dn; + + r->domname_c++; +} + +void +show_domname_list(role *r) +{ + domname *dn = r->managementVMList; + + while (dn) { + DMSG(" domname : %p\n", dn); + DMSG(" value : %s\n", dn->value); + DMSG(" next : %p\n", dn->next); + dn = dn->next; + } +} +/* + * Local variables: + * c-indent-level: 8 + * c-basic-offset: 8 + * End: + */ diff -r a4c4b2407117 -r d864c312eae4 domname_list.h --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/domname_list.h Fri Jan 23 04:39:58 2009 +0900 @@ -0,0 +1,42 @@ +/* + Copyright (C) 2008 Fujitsu Limited. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + MA 02110-1301 USA. +*/ + +#ifndef __DOMNAME_LIST_H__ +#define __DOMNAME_LIST_H__ +#define XR_MAX_LENGTH_OF_DOMNAME 100 + +typedef struct _domname domname; +struct _domname { + char *value; + struct _domname *next; +}; +struct _role; + +domname *new_domname(void); +void free_domname_list(struct _role *r); +void append_domname(struct _role *r, domname *dn); +void show_domname_list(struct _role *r); + +#endif /* __DOMNAME_LIST_H */ +/* + * Local variables: + * c-indent-level: 8 + * c-basic-offset: 8 + * End: + */ diff -r a4c4b2407117 -r d864c312eae4 opeid_list.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/opeid_list.c Fri Jan 23 04:39:58 2009 +0900 @@ -0,0 +1,105 @@ +/* + Copyright (C) 2008 Fujitsu Limited. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + MA 02110-1301 USA. +*/ + +#include +#include "role_list.h" +#include "opeid_list.h" +#include "xr_log.h" + +static void +init_opeid_data(opeid_data *op) +{ + op->value = 0; + op->next = NULL; +} + +opeid_data* +new_opeid_data(void) +{ + opeid_data *op; + + DMSG(FUNC, "start\n"); + + op = (opeid_data *) malloc(sizeof(struct _opeid_data)); + if (!op) { + EMSG("out of memory for opeid_data"); + return NULL; + } + DMSG(FUNC, "allocate opeid_data: %p\n", op); + + init_opeid_data(op); + return op; +} + +static void +free_opeid_data(opeid_data *op) +{ + DMSG(FUNC, "start\n"); + + if (!op) + return; + + DMSG(FUNC, "free opeid_data: %p\n", op); + free(op); +} + +void +free_opeid_data_list(role *r) +{ + opeid_data *op = r->acceptOperationList; + opeid_data *op_next; + + DMSG(FUNC, "start\n"); + + while (op) { + op_next = op->next; + free_opeid_data(op); + op = op_next; + } +} + +void +append_opeid_data(role *r, opeid_data *op) +{ + DMSG(FUNC, "start\n"); + + op->next = r->acceptOperationList; + r->acceptOperationList = op; + + r->opeid_c++; +} + +void +show_opeid_data_list(role *r) +{ + opeid_data *op = r->acceptOperationList; + + while (op) { + DMSG(" opeid_data : %p\n", op); + DMSG(" value : %d\n", op->value); + DMSG(" next : %p\n", op->next); + op = op->next; + } +} +/* + * Local variables: + * c-indent-level: 8 + * c-basic-offset: 8 + * End: + */ diff -r a4c4b2407117 -r d864c312eae4 opeid_list.h --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/opeid_list.h Fri Jan 23 04:39:58 2009 +0900 @@ -0,0 +1,41 @@ +/* + Copyright (C) 2008 Fujitsu Limited. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + MA 02110-1301 USA. +*/ + +#ifndef __OPEID_LIST_H__ +#define __OPEID_LIST_H__ + +typedef struct _opeid_data opeid_data; +struct _opeid_data { + int value; + struct _opeid_data *next; +}; +struct _role; + +opeid_data *new_opeid_data(void); +void free_opeid_data_list(struct _role *r); +void append_opeid_data(struct _role *r, opeid_data *op); +void show_opeid_data_list(struct _role *r); + +#endif /* __OPEID_LIST_H */ +/* + * Local variables: + * c-indent-level: 8 + * c-basic-offset: 8 + * End: + */ diff -r a4c4b2407117 -r d864c312eae4 python/xen/lowlevel/xr/xr.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/python/xen/lowlevel/xr/xr.c Fri Jan 23 04:39:58 2009 +0900 @@ -0,0 +1,99 @@ +/* + Copyright (C) 2008 Fujitsu Limited. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + MA 02110-1301 USA. +*/ + +#include +#include "xenrbac.h" + +#define PKG "xen.lowlevel.xr" +static PyObject *xr_error_obj; + +static PyObject* +pyxr_error_to_exception(int result) +{ + PyObject *pyerr; + + if (result == XR_ACCEPT){ + Py_DECREF(xr_error_obj); + return NULL; + } + + pyerr = Py_BuildValue("s",strerror(result)); + PyErr_SetObject(xr_error_obj,pyerr); + Py_DECREF(pyerr); + + return NULL; +} + +static PyObject* +pyxr_judge(PyObject* self, PyObject* args) +{ + int result = XR_ACCEPT; + static char formats[] = "zizi"; + PyObject *username, *opeid, *domainname, *all_flag; + + if (!PyArg_ParseTuple(args, formats, + &username, &opeid, &domainname, &all_flag)) + goto error; + + if ((result = xr_judge( (char *)username , (int)opeid, + (char *)domainname, (int)all_flag))) + goto error; + + return Py_BuildValue("i",result); + + error: + + return pyxr_error_to_exception(result); + +} + +static PyMethodDef xr_funcs[] = { + {"xr_judge", + (PyCFunction)pyxr_judge, + METH_VARARGS, + "xr_judge() does the access judgement.\n" + "user name [str]\n" + "operation number [int]\n" + "domain name [str]\n" + "all flag [int]\n" + "Returns [int]:judged result. \n"}, + + {NULL, NULL, 0, NULL} +}; + +void +initxr(void) +{ + PyObject *m; + + if (!(m = Py_InitModule("xr",xr_funcs))) + return; + + xr_error_obj = PyErr_NewException(PKG".Libxenrbac_Error", + PyExc_RuntimeError, NULL); + Py_INCREF(xr_error_obj); + PyModule_AddObject(m,"Libxenrbac_Error",xr_error_obj); + +} +/* + * Local variables: + * c-indent-level: 8 + * c-basic-offset: 8 + * End: + */ diff -r a4c4b2407117 -r d864c312eae4 rolePolicyDefinition.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/rolePolicyDefinition.c Fri Jan 23 04:39:58 2009 +0900 @@ -0,0 +1,506 @@ +/* + Copyright (C) 2008 Fujitsu Limited. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + MA 02110-1301 USA. +*/ + +#include +#include +#include +#include +#include +#include "userinfo.h" +#include "role_list.h" +#include "rolePolicyDefinition.h" +#include "xr.h" +#include "xr_log.h" + +static xmlNodePtr getXPathNode(const char *xpath, xmlXPathContextPtr ctxt); +static int searchRole(userInfo *ui, xmlNodePtr node); +static int searchPolicyID(role *r, xmlNodePtr node); +static int searchManageVM(role *r, xmlNodePtr node); +static int searchVM(role *r, xmlNodePtr node); +static int makeStructDomname(role *r, xmlChar *attr); +static int searchControlOperation(role *r, xmlNodePtr node); +static int searchAccept(role *r, xmlNodePtr node); +static int searchOperation(role *r, xmlNodePtr node); +static int makeStructOpeid(role *r, int opeid); + +#define EMSG_XML(_a...) \ + do { \ + EMSG("%s parsing failed. (%s)\n", ROLE_POLICY_FILENAME, _a); \ + } while (0) + +int +readRolePolicyDefinition(userInfo *ui) +{ + xmlDoc *doc = NULL; + xmlXPathContextPtr ctxt = NULL; + xmlNodePtr r_node = NULL; + + int rc = 0; + char fileName[strlen(XENRBAC_POLICY_PATHNAME) + strlen(ROLE_POLICY_FILENAME) + 1]; + + strcpy(fileName, XENRBAC_POLICY_PATHNAME); + strcat(fileName, ROLE_POLICY_FILENAME); + + doc = xmlReadFile(fileName, NULL, XML_PARSE_NOBLANKS); + if (!doc) { + EMSG("%s reading or parsing failed(%m)\n", + ROLE_POLICY_FILENAME); + rc = errno; + goto error; + } + + ctxt = xmlXPathNewContext(doc); + if (!ctxt) { + EMSG_XML("ctxt is NULL"); + rc = EINVAL; + goto error; + } + + r_node = getXPathNode("/RolePolicyDefinition/RoleDefinition/Role", ctxt); + if (!r_node) { + EMSG_XML("/RolePolicyDefinition/RoleDefinition/Role is not defined"); + rc = EINVAL; + goto error; + } + + if (!(rc = searchRole(ui, r_node))) + goto cleanup; + +error: + DMSG(FUNC, "error in readRolePolicyDefinition\n"); + +cleanup: + DMSG(FUNC, "cleanup in readRolePolicyDefinition\n"); + //free the document + /* + *Free the global variables that may + *have been allocated by the parser. + */ + xmlCleanupParser(); + + if (ctxt) + xmlXPathFreeContext(ctxt); + if (doc) + xmlFreeDoc(doc); + + return rc; +} + +static xmlNodePtr +getXPathNode(const char *xpath, xmlXPathContextPtr ctxt) +{ + xmlXPathObjectPtr obj = NULL; + xmlNodePtr ret = NULL; + + if ((ctxt == NULL) || (xpath == NULL)) + return NULL; + + obj = xmlXPathEval(BAD_CAST xpath, ctxt); + if ((obj == NULL) || + (obj->type != XPATH_NODESET) || + (obj->nodesetval == NULL) || + (obj->nodesetval->nodeNr <= 0) || + (obj->nodesetval->nodeTab == NULL)) { + xmlXPathFreeObject(obj); + return NULL; + } + + ret = obj->nodesetval->nodeTab[0]; + xmlXPathFreeObject(obj); + + return ret; +} + +static int +searchRole(userInfo *ui, xmlNodePtr node) +{ + xmlNodePtr c_node; + xmlChar *attr; + + int rc; + size_t len; + role *r; + + DMSG("%S(%d) %S\n",__func__,__LINE__,"searchRole start\n"); + + for (c_node = node; c_node; c_node = c_node->next) { + if (c_node->type != XML_ELEMENT_NODE) + continue; + + if (strncmp(c_node->name, "Role", sizeof("Role"))) + continue; + + attr = xmlGetProp(c_node, "name"); + if (!attr) { + EMSG_XML("name in /RolePolicyDefinition/Role is not defined"); + return EINVAL; + } + + len = strlen(attr); + if (len >= XR_MAX_LENGTH_OF_ROLENAME) { + EMSG_XML("name in /RolePolicyDefinition/Role is long"); + xmlFree(attr); + return EINVAL; + } + + for (r = ui->roleList; r; r = r->next) { + if (strcmp(r->roleName, (char *) attr)) + continue; + + if (r->parsed_Role) { + EMSG_XML("multiple roles with same name are defined"); + xmlFree(attr); + return EINVAL; + } + + if ((rc = searchPolicyID(r, c_node->children))) { + xmlFree(attr); + return rc; + } + + if ((rc = searchManageVM(r, c_node->children))) { + xmlFree(attr); + return rc; + } + + if ((rc = searchControlOperation(r, c_node->children))) { + xmlFree(attr); + return rc; + + r->parsed_Role = 1; + + break; + } + } + + xmlFree(attr); + } + + return 0; +} + +static int +searchPolicyID(role *r, xmlNodePtr node) +{ + xmlNodePtr c_node; + xmlChar *attr; + + size_t len; + int rc; + + DMSG("%S(%d) %S\n",__func__,__LINE__,"searchPolidyID start\n"); + + for (c_node = node; c_node; c_node = c_node->next) { + if (c_node->type != XML_ELEMENT_NODE) + continue; + + if (strncmp(c_node->name, "PolicyID", sizeof("PolicyID"))) + continue; + + if (r->parsed_PolicyID) { + EMSG_XML("multiple /RolePolicyDefinition/Role/PolicyID is defined for the role"); + return EINVAL; + } + + attr = xmlGetProp(c_node, "id"); + + if (!attr) { + EMSG_XML("type in /RolePolicyDefinition/Role/PolicyID is not defined"); + return EINVAL; + } + + len = strlen(attr); + if (len >= XR_MAX_LENGTH_OF_PolicyID) { + EMSG_XML("name in /RolePolicyDefinition/PolidyID is long"); + xmlFree(attr); + return EINVAL; + } + r->parsed_PolicyID = 1; + + strcpy(r->policyID, (char *) attr); + + xmlFree(attr); + } + + return 0; +} + +static int +searchManageVM(role *r, xmlNodePtr node) +{ + xmlNodePtr c_node; + xmlChar *attr; + + int rc; + + DMSG("%S(%d) %S\n",__func__,__LINE__,"searchManagerVM start\n"); + + for (c_node = node; c_node; c_node = c_node->next) { + if (c_node->type != XML_ELEMENT_NODE) + continue; + + if (strncmp(c_node->name, "ManageVM", sizeof("ManageVM"))) + continue; + + if (r->parsed_ManageVM) { + EMSG_XML("multiple /RolePolicyDefinition/Role/ManageVMs are defined for the role"); + return EINVAL; + } + + attr = xmlGetProp(c_node, "type"); + + if (!attr) { + EMSG_XML("type in /RolePolicyDefinition/Role/ManageVM is not defined"); + return EINVAL; + } + + if (!strncmp(attr, "individual", sizeof("individual"))) { + + r->managementVMType = XR_VMTYPE_INDIVIDUAL; + + if ((rc = searchVM(r, c_node->children))) { + xmlFree(attr); + return rc; + } + + } else if (!strncmp(attr, "whole", sizeof("whole"))) { + + r->managementVMType = XR_VMTYPE_WHOLE; + + } else { + + EMSG_XML("type in /RolePolicyDefinition/Role/ManageVM is wrong"); + xmlFree(attr); + return EINVAL; + } + + r->parsed_ManageVM = 1; + + xmlFree(attr); + } + + return 0; +} + +static int +searchVM(role *r, xmlNodePtr node) +{ + xmlNodePtr c_node; + xmlChar *attr; + + int rc; + size_t len; + + for (c_node = node; c_node; c_node = c_node->next) { + if (c_node->type != XML_ELEMENT_NODE) + continue; + + if (strncmp(c_node->name, "VM", sizeof("VM"))) + continue; + + attr = xmlGetProp(c_node, "name"); + if (!attr) { + EMSG_XML("name in /RolePolicyDefinition/Role/ManageVM/VM is not defined"); + return EINVAL; + } + + len = strlen(attr); + if (len >= XR_MAX_LENGTH_OF_DOMNAME) { + EMSG_XML("name in /RolePolicyDefinition/Role/ManageVM/VM is long"); + xmlFree(attr); + return EINVAL; + } + + if ((rc = makeStructDomname(r, attr))) { + xmlFree(attr); + return rc; + } + + xmlFree(attr); + } + + return 0; +} + +static int +makeStructDomname(role *r, xmlChar *attr) +{ + domname *dn; + + DMSG(FUNC, "management domain name = %s\n", attr); + + for (dn = r->managementVMList; dn; dn = dn->next) { + if (!strcmp(dn->value, (char *) attr)) { + EMSG_XML("same domain name is defined for the role"); + return EINVAL; + } + } + + if (r->domname_c >= XR_NR_DOMNAME_LISTS) { + EMSG_XML("too many /RolePolicyDefinition/Role/ManageVM/VM"); + return EINVAL; + } + + if (!(dn = new_domname())) + return ENOMEM; + + strcpy(dn->value, (char *) attr); + append_domname(r, dn); + + return 0; +} + +static int +searchControlOperation(role *r, xmlNodePtr node) +{ + xmlNodePtr c_node; + + int rc; + + for (c_node = node; c_node; c_node = c_node->next) { + if (c_node->type != XML_ELEMENT_NODE) + continue; + + if (strncmp(c_node->name, "ControlOperation", sizeof("ControlOperation"))) + continue; + + if (r->parsed_ControlOpe) { + EMSG_XML("multiple /RolePolicyDefinition/Role/ControlOperations are defined for the role"); + return EINVAL; + } + + if ((rc = searchAccept(r, c_node->children))) + return rc; + + r->parsed_ControlOpe = 1; + } + + return 0; +} + +static int +searchAccept(role* r, xmlNodePtr node) +{ + xmlNodePtr c_node; + + int rc; + + for (c_node = node; c_node; c_node = c_node->next) { + if (c_node->type != XML_ELEMENT_NODE) + continue; + + if (strncmp(c_node->name, "Accept", sizeof("Accept"))) + continue; + + if (r->parsed_Accept) { + EMSG_XML("multiple /RolePolicyDefinition/Role/ControlOperation/Accepts are defined for the role"); + return EINVAL; + } + + if ((rc = searchOperation(r, c_node->children))) + return rc; + + r->parsed_Accept = 1; + } + + return 0; +} + +static int +searchOperation(role* r, xmlNodePtr node) +{ + xmlNodePtr c_node; + xmlChar *attr; + + int rc; + long int long_id; + + for (c_node = node; c_node; c_node = c_node->next) { + if (c_node->type != XML_ELEMENT_NODE) + continue; + + if (strncmp(c_node->name, "operation", sizeof("operation"))) + continue; + + attr = xmlGetProp(c_node, "id"); + if (!attr) { + EMSG_XML("id in /RolePolicyDefinition/Role/ControlOperation/Accept/operation is not defined"); + return EINVAL; + } + + errno = 0; + long_id = strtol((char *) attr, NULL, 10); + if (errno) { + EMSG_XML("id in /RolePolicyDefinition/Role/ControlOperation/Accept/operation is invalid"); + xmlFree(attr); + return errno; + } + + if (long_id < 0 || + long_id > XR_MAX_OPEID) { + EMSG_XML("id in /RolePolicyDefinition/Role/ControlOperation/Accept/operation is invalid"); + xmlFree(attr); + return errno; + } + + if ((rc = makeStructOpeid(r, (int) long_id))) { + xmlFree(attr); + return rc; + } + + xmlFree(attr); + } + + return 0; +} + +static int +makeStructOpeid(role *r, int opeid) +{ + opeid_data *opd; + + DMSG(FUNC, "id = %d\n", opeid); + /* + for (opd = r->acceptOperationList; opd; opd = opd->next) { + if (opd->value == opeid) { + EMSG_XML("same operation id is defined for the role"); + return EINVAL; + } + } + */ + + if (r->opeid_c >= XR_NR_OPEID_LISTS) { + EMSG_XML("too many /RolePolicyDefinition/Role/ControlOperation/Accept/operation"); + return EINVAL; + } + + if (!(opd = new_opeid_data())) + return ENOMEM; + + opd->value = opeid; + append_opeid_data(r, opd); + + return 0; +} +/* + * Local variables: + * c-indent-level: 8 + * c-basic-offset: 8 + * End: + */ diff -r a4c4b2407117 -r d864c312eae4 rolePolicyDefinition.h --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/rolePolicyDefinition.h Fri Jan 23 04:39:58 2009 +0900 @@ -0,0 +1,27 @@ +/* + Copyright (C) 200 Fujitsu Limited. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + MA 02110-1301 USA. +*/ + +#ifndef __ROLE_POLICY_DEFINITION_H__ +#define __ROLE_POLICY_DEFINITION_H__ + +#include "userinfo.h" + +int readRolePolicyDefinition(userInfo *ui); + +#endif /*__ROLE_POLICY_DEFINITION_H__ */ diff -r a4c4b2407117 -r d864c312eae4 role_list.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/role_list.c Fri Jan 23 04:39:58 2009 +0900 @@ -0,0 +1,152 @@ +/* + Copyright (C) 2008 Fujitsu Limited. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + MA 02110-1301 USA. +* +/ +#include +#include +#include "userinfo.h" +#include "role_list.h" +#include "xr_log.h" + +static void +init_role(role *r) +{ + strcpy(r->roleName, ""); + r->managementVMType = XR_VMTYPE_UNKNOWN; + r->acceptOperationList = NULL; + r->opeid_c = 0; + strcpy(r->policyID, ""); + r->managementVMList = NULL; + r->domname_c = 0; + r->next = NULL; + r->parsed_Role = 0; + r->parsed_PolicyID = 0; + r->parsed_ManageVM = 0; + r->parsed_ControlOpe = 0; + r->parsed_Accept = 0; +} + +role* +new_role(void) +{ + role *r; + + DMSG(FUNC, "start\n"); + + r = (role *) malloc(sizeof(struct _role)); + if (!r) { + EMSG("out of memory for role\n"); + return NULL; + } + DMSG(FUNC, "allocate role: %p\n", r); + + r->roleName = (char *) malloc(XR_MAX_LENGTH_OF_ROLENAME * sizeof(char)); + if (!r->roleName) { + free(r); + EMSG("out of memory for roleName\n"); + return NULL; + } + DMSG(FUNC, "allocate roleName: %p\n", r->roleName); + + r->policyID = (char *) malloc(XR_MAX_LENGTH_OF_PolicyID * sizeof(char)); + if (!r->policyID) { + free(r); + EMSG("out of memory for policyID\n"); + return NULL; + } + DMSG(FUNC, "allocate policyID: %p\n", r->policyID); + + init_role(r); + return r; +} + +static void +free_role(role *r) +{ + DMSG(FUNC, "start\n"); + + if (!r) + return; + + if (r->roleName) { + DMSG(FUNC, "free roleName: %p\n", r->roleName); + free(r->roleName); + } + if (r->policyID) { + DMSG(FUNC, "free policyID: %p\n", r->policyID); + free(r->policyID); + } + if (r->acceptOperationList) + free_opeid_data_list(r); + if (r->managementVMList) + free_domname_list(r); + + DMSG(FUNC, "free role: %p\n", r); + free(r); +} + +void +free_role_list(userInfo *ui) +{ + role *r = ui->roleList; + role *r_next; + + DMSG(FUNC, "start\n"); + + while (r) { + r_next = r->next; + free_role(r); + r = r_next; + } +} + +void +append_role(userInfo *ui, role *r) +{ + DMSG(FUNC, "start\n"); + + r->next = ui->roleList; + ui->roleList = r; + + ui->role_c++; +} + +void +show_role_list(userInfo *ui) +{ + role *r = ui->roleList; + + while (r) { + DMSG(" role : %p\n", r); + DMSG(" roleName : %s\n", r->roleName); + DMSG(" policyID : %s\n", r->policyID); + DMSG(" managementVMType : %d\n", r->managementVMType); + DMSG(" next : %p\n", r->next); + DMSG(" opeid_c : %d\n", r->opeid_c); + show_opeid_data_list(r); + DMSG(" domname_c : %d\n", r->domname_c); + show_domname_list(r); + r = r->next; + } +} +/* + * Local variables: + * c-indent-level: 8 + * c-basic-offset: 8 + * End: + */ diff -r a4c4b2407117 -r d864c312eae4 role_list.h --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/role_list.h Fri Jan 23 04:39:58 2009 +0900 @@ -0,0 +1,68 @@ +/* + Copyright (C) 2008 Fujitsu Limited. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + MA 02110-1301 USA. +*/ + + +#ifndef __ROLE_LIST_H__ +#define __ROLE_LIST_H__ + +#include "opeid_list.h" +#include "domname_list.h" + +#define XR_NR_DOMNAME_LISTS 1000 +#define XR_NR_OPEID_LISTS 1000 + +#define XR_MAX_LENGTH_OF_ROLENAME 100 +#define XR_MAX_LENGTH_OF_PolicyID 37 + +enum manageVMType { + XR_VMTYPE_UNKNOWN = 0, + XR_VMTYPE_WHOLE = 1, + XR_VMTYPE_INDIVIDUAL = 2 +}; + +typedef struct _role role; +struct _role { + char *roleName; + char *policyID; + enum manageVMType managementVMType; + opeid_data *acceptOperationList; + int opeid_c; + domname *managementVMList; + int domname_c; + struct _role *next; + int parsed_Role; + int parsed_PolicyID; + int parsed_ManageVM; + int parsed_ControlOpe; + int parsed_Accept; +}; +struct _userInfo; + +role *new_role(void); +void free_role_list(struct _userInfo *ui); +void append_role(struct _userInfo *ui, role *r); +void show_role_list(struct _userInfo *ui); + +#endif /* __ROLE_LIST_H */ +/* + * Local variables: + * c-indent-level: 8 + * c-basic-offset: 8 + * End: + */ diff -r a4c4b2407117 -r d864c312eae4 rsyslog.conf --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/rsyslog.conf Fri Jan 23 04:39:58 2009 +0900 @@ -0,0 +1,47 @@ +# Log all kernel messages to the console. +# Logging much else clutters up the screen. +#kern.* /dev/console + +# Log anything (except mail) of level info or higher. +# Don't log private authentication messages! + +*.info;mail.none;authpriv.none;cron.none /var/log/messages + +# The authpriv file has restricted access. +authpriv.* /var/log/secure + +# Log all the mail messages in one place. +mail.* -/var/log/maillog + +# Log cron stuff +cron.* /var/log/cron + +# Everybody gets emergency messages +*.emerg * + +# Save news errors of level crit and higher in a special file. +uucp,news.crit /var/log/spooler + +# Save boot messages also to boot.log +local7.* /var/log/boot.log + +################################################# +# For Xen-RBAC 2008/06/27 +################################################# +$umask 0000 +$CreateDirs on +$RepeatedMsgReduction off + +$template templateXenRBAC,"%msg%\n" +$template fileNameXenRBAC, "/var/log/xen-audit/audit-xen-rbac.log" + +$DirOwner root +$DirGroup log-admin +$DirCreateMode 0750 + +$FileOwner root +$FileGroup log-admin +$FileCreateMode 0640 + +:syslogtag,isequal,"xenrbac" +auth.info ?fileNameXenRBAC;templateXenRBAC diff -r a4c4b2407117 -r d864c312eae4 userConfiguration.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/userConfiguration.c Fri Jan 23 04:39:58 2009 +0900 @@ -0,0 +1,248 @@ +/* + Copyright (C) 2008 Fujitsu Limited. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + MA 02110-1301 USA. +*/ + +#include +#include +#include +#include +#include +#include "userinfo.h" +#include "role_list.h" +#include "xr.h" +#include "xr_log.h" + +static int searchUser(userInfo *ui, xmlNodePtr node); +static int searchUserRole(userInfo *ui, xmlNodePtr node); +static int makeStructRole(userInfo *ui, xmlChar *attr); +static xmlNodePtr getXPathNode(const char *xpath, xmlXPathContextPtr ctxt); + +#define EMSG_XML(_a...) \ + do { \ + EMSG("%s parsing failed. (%s)\n", USER_CONFIG_FILENAME, _a); \ + } while (0) + +int +readUserConfiguration(userInfo *ui) +{ + xmlDoc *doc = NULL; + xmlXPathContextPtr ctxt = NULL; + xmlNodePtr node = NULL; + + int rc = 0; + char fileName[strlen(XENRBAC_POLICY_PATHNAME) + strlen(USER_CONFIG_FILENAME) + 1]; + + strcpy(fileName, XENRBAC_POLICY_PATHNAME); + strcat(fileName, USER_CONFIG_FILENAME); + + doc = xmlReadFile(fileName, NULL, XML_PARSE_NOBLANKS); + if (!doc) { + EMSG("%s reading or parsing failed (%m)\n", + USER_CONFIG_FILENAME); + rc = errno; + goto error; + } + + ctxt = xmlXPathNewContext(doc); + if (!ctxt) { + EMSG_XML("ctxt is NULL"); + rc = EINVAL; + goto error; + } + + node = getXPathNode("/UserConfiguration/User", ctxt); + if (!node) { + EMSG_XML("/UserConfiguration/User is not defined"); + rc = EINVAL; + goto error; + } + + if (!(rc = searchUser(ui, node))) + goto cleanup; + +error: + DMSG(FUNC, "error in readUserConfiguration\n"); + +cleanup: + DMSG(FUNC, "cleanup in readUserConfiguration\n"); + //free the document + /* + *Free the global variables that may + *have been allocated by the parser. + */ + xmlCleanupParser(); + + if (ctxt) + xmlXPathFreeContext(ctxt); + if (doc) + xmlFreeDoc(doc); + + return rc; +} + +static xmlNodePtr +getXPathNode(const char *xpath, xmlXPathContextPtr ctxt) +{ + xmlXPathObjectPtr obj = NULL; + xmlNodePtr ret = NULL; + + if ((ctxt == NULL) || (xpath == NULL)) + return NULL; + + obj = xmlXPathEval(BAD_CAST xpath, ctxt); + if ((obj == NULL) || + (obj->type != XPATH_NODESET) || + (obj->nodesetval == NULL) || + (obj->nodesetval->nodeNr <= 0) || + (obj->nodesetval->nodeTab == NULL)) { + xmlXPathFreeObject(obj); + return NULL; + } + + ret = obj->nodesetval->nodeTab[0]; + xmlXPathFreeObject(obj); + + return ret; +} + +static int +searchUser(userInfo *ui, xmlNodePtr node) +{ + xmlNodePtr c_node; + xmlChar *attr; + + int rc; + size_t len; + + for (c_node = node; c_node; c_node = c_node->next) { + if (c_node->type != XML_ELEMENT_NODE) + continue; + + if (strncmp(c_node->name, "User", sizeof("User"))) + continue; + + attr = xmlGetProp(c_node, "name"); + if (!attr) { + EMSG_XML("name in /UserConfiguration/User is not defined"); + return EINVAL; + } + + len = strlen((char *) attr); + if (len >= XR_MAX_LENGTH_OF_USERNAME) { + EMSG_XML("name in /UserConfiguration/User is long"); + xmlFree(attr); + return EINVAL; + } + + if (strncmp((char *) attr, ui->userName, XR_MAX_LENGTH_OF_USERNAME)) { + xmlFree(attr); + continue; + } + + if (ui->parsed_User) { + EMSG("multiple /UserConfiguration/Users are defined for the user"); + xmlFree(attr); + return EINVAL; + } + + if ((rc = searchUserRole(ui, c_node->children))) { + xmlFree(attr); + return rc; + } + + ui->parsed_User = 1; + + xmlFree(attr); + } + + return 0; +} + +static int +searchUserRole(userInfo *ui, xmlNodePtr node) +{ + xmlNodePtr c_node; + xmlChar *attr; + + int rc; + size_t len; + + for (c_node = node; c_node; c_node = c_node->next) { + if (c_node->type != XML_ELEMENT_NODE) + continue; + + if (strncmp(c_node->name, "UserRole", sizeof("UserRole"))) + continue; + + attr = xmlGetProp(c_node, "role"); + if (!attr) { + EMSG_XML("role in /UserConfiguration/User/UserRole is not defined"); + return EINVAL; + } + + len = strlen((char *) attr); + if (len >= XR_MAX_LENGTH_OF_ROLENAME) { + EMSG_XML("role in /UserConfiguration/User/UserRole is long"); + xmlFree(attr); + return EINVAL; + } + + if ((rc = makeStructRole(ui, attr))) { + xmlFree(attr); + return rc; + } + + xmlFree(attr); + } + + return 0; +} + +static int +makeStructRole(userInfo *ui, xmlChar *attr) +{ + role *r; + + DMSG(FUNC, "role = %s\n", (char *) attr); + + for (r = ui->roleList; r; r = r->next) { + if (!strcmp(r->roleName, (char *) attr)) { + EMSG_XML("same role is defined for the user"); + return EINVAL; + } + } + + if (ui->role_c >= XR_NR_ROLE_LISTS) { + EMSG_XML("too many /UserConfiguration/User/UserRole for the user"); + return EINVAL; + } + + if (!(r = new_role())) + return ENOMEM; + + strcpy(r->roleName, (char *) attr); + append_role(ui, r); + + return 0; +} +/* + * Local variables: + * c-indent-level: 8 + * c-basic-offset: 8 + * End: + */ diff -r a4c4b2407117 -r d864c312eae4 userConfiguration.h --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/userConfiguration.h Fri Jan 23 04:39:58 2009 +0900 @@ -0,0 +1,33 @@ +/* + Copyright (C) 2008 Fujitsu Limited. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + MA 02110-1301 USA. +*/ + +#ifndef __USER_CONFIGULATION_H_ +#define __USER_CONFIGULATION_H_ + +#include "userinfo.h" + +int readUserConfiguration(userInfo *userInfo); + +#endif +/* + * Local variables: + * c-indent-level: 8 + * c-basic-offset: 8 + * End: + */ diff -r a4c4b2407117 -r d864c312eae4 userinfo.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/userinfo.c Fri Jan 23 04:39:58 2009 +0900 @@ -0,0 +1,79 @@ +/* + Copyright (C) 2008 Fujitsu Limited. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + MA 02110-1301 USA. +*/ + +#include +#include +#include "userinfo.h" +#include "xr_log.h" + +static void +init_UserInfo(userInfo* ui) +{ + strcpy(ui->userName, "\n"); + ui->roleList = NULL; + ui->role_c = 0; + ui->parsed_User = 0; +} + +userInfo* +new_UserInfo(void) +{ + userInfo *ui; + + DMSG(FUNC, "start\n"); + + ui = (userInfo *) malloc(sizeof(struct _userInfo)); + if (!ui) { + EMSG("out of memory for userInfo\n"); + return NULL; + } + DMSG(FUNC, "allocate userInfo: %p\n", ui); + + init_UserInfo(ui); + return ui; +} + +void +free_UserInfo(userInfo *ui) +{ + DMSG(FUNC, "start\n"); + + if (!ui) { + if (!ui->roleList) + free_role_list(ui); + + DMSG(FUNC, "free userInfo: %p\n", ui); + free(ui); + } +} + +void +show_UserInfo(userInfo *ui) +{ + DMSG("userInfo : %p", ui); + DMSG(" user : %s", ui->userName); + DMSG(" role_c : %d", ui->role_c); + show_role_list(ui); +} +/* + * Local variables: + * c-indent-level: 8 + * c-basic-offset: 8 + * End: + */ diff -r a4c4b2407117 -r d864c312eae4 userinfo.h --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/userinfo.h Fri Jan 23 04:39:58 2009 +0900 @@ -0,0 +1,46 @@ +/* + Copyright (C) 2008 Fujitsu Limited. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + MA 02110-1301 USA. +*/ + +#ifndef __USERINFO_H__ +#define __USERINFO_H__ + +#include "role_list.h" + +#define XR_MAX_LENGTH_OF_USERNAME 32 +#define XR_NR_ROLE_LISTS 1000 + +typedef struct _userInfo userInfo; +struct _userInfo { + char userName[XR_MAX_LENGTH_OF_USERNAME]; + struct _role *roleList; + int role_c; + int parsed_User; +}; + +userInfo *new_UserInfo(void); +void free_UserInfo(userInfo *ui); +void show_UserInfo(userInfo *ui); + +#endif /*__USERINFO_H__*/ +/* + * Local variables: + * c-indent-level: 8 + * c-basic-offset: 8 + * End: + */ diff -r a4c4b2407117 -r d864c312eae4 xenrbac.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/xenrbac.c Fri Jan 23 04:39:58 2009 +0900 @@ -0,0 +1,325 @@ +/* + Copyright (C) 2008 Fujitsu Limited. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + MA 02110-1301 USA. +*/ + +#include +#include +#include +#include +#include +#include "userinfo.h" +#include "role_list.h" +#include "domname_list.h" +#include "opeid_list.h" +#include "rolePolicyDefinition.h" +#include "userConfiguration.h" +#include "xenrbac.h" +#include "xr.h" +#include "xr_log.h" + +static void +getTime(char *outstr, int size){ + + time_t t; + struct tm *tmp; + char *format = "%FT%T%z"; + + t = time(NULL); + tmp = localtime(&t); + if (tmp == NULL) { + perror("localtime\n"); + outstr = NULL; } + + if (strftime(outstr, size, format, tmp) == 0) { + fprintf(stderr, "strftime returned 0\n"); + outstr = NULL; } +} + +static void +outputlog(char *user, char *arguments, char *judgedMsg, char *policyID, char *message){ + + char time[40]; + char *host = getenv("HOSTNAME"); + char *compo = "xen-rbac"; + char *action = "Execute"; + + if (!host) + host = ""; + getTime(time, sizeof(time)); + + if (!message) { + AUDITMSG("\"%s\",\"%s\",\"%s\",\"%s\",\"%s\",\"%s\",\"%s\",\"%s\"\n", + time, + user, + host, + arguments, + action, + judgedMsg, + policyID, + compo + ); + } else { + AUDITMSG("\"%s\",\"%s\",\"%s\",\"%s\",\"%s\",\"%s\",\"%s\",\"%s\",\"%s\"\n", + time, + user, + host, + arguments, + action, + judgedMsg, + policyID, + compo, + message + ); + + } +} + +static int +searchOperationID(int opeid, role *r) +{ + opeid_data *opd; + + for (opd = r->acceptOperationList; opd; opd = opd->next) { + if (opd->value == opeid) + return XR_ACCEPT; + } + + return XR_DENY; +} + +static int +searchManagementVM(char *domainname, role *r) +{ + domname *dn = NULL; + + for (dn = r->managementVMList; dn; dn = dn->next) + if (domainname && + !strcmp(dn->value, domainname)) + return XR_ACCEPT; + + return XR_DENY; +} + +int +check_args_username(char *un) +{ + size_t len_un; + + if (!un) { + EMSG("username is NULL\n"); + return EINVAL; + } + + len_un = strlen(un); + if (len_un == 0) { + EMSG("username is none\n"); + return EINVAL; + } + if (len_un >= XR_MAX_LENGTH_OF_USERNAME) { + EMSG("username is long\n"); + return EINVAL; + } + + return 0; +} + +int +check_args_opeid(int op) +{ + if (op < XR_MIN_OPEID) { + EMSG("opeid is out of range\n"); + return EINVAL; + } + + return 0; +} + +int +check_args_domainname(char *dn) +{ + size_t len_dn; + + if (!dn) + return 0; + + len_dn = strlen(dn); + /* + if (len_dn == 0) { + EMSG("domainname is none\n"); + return EINVAL; + }*/ + if (len_dn >= XR_MAX_LENGTH_OF_DOMNAME) { + EMSG("domainname is long\n"); + return EINVAL; + } + + return 0; +} + +int +check_args_flag_all(int f) +{ + if (f != XR_ALL && + f != XR_ANY) { + EMSG("flag_all is invalid\n"); + return EINVAL; + } + + return 0; +} + +int +check_args(char *username, int opeid, char *domainname, int flag_all) +{ + int rc; + + if ((rc = check_args_username(username))) + return rc; + if ((rc = check_args_opeid(opeid))) + return rc; + if ((rc = check_args_domainname(domainname))) + return rc; + if ((rc = check_args_flag_all(flag_all))) + return rc; + + return 0; +} + +int +xr_judge(char *username, int opeid, char *domainname, int flag_all) +{ + int rc = XR_ACCEPT; + + userInfo *ui = NULL; + role *r = NULL; + char arg[100]; + char message[100]; + + init_xenrbac_log(); + + if ((rc = check_args(username, opeid, domainname, flag_all))) + goto error; + + if (domainname) + sprintf(arg, "OperationID:%d;Flag:%d;VMName:%s", opeid, flag_all, domainname); + else + sprintf(arg, "OperationID:%d;Flag:%d;VMName:%s", opeid, flag_all, ""); + + if (!(ui = new_UserInfo())) { + rc = ENOMEM; + goto error; + } + strncpy(ui->userName, username, XR_MAX_LENGTH_OF_USERNAME); + + if ((rc = readUserConfiguration(ui))) + goto error; + show_UserInfo(ui); + + if ((rc = readRolePolicyDefinition(ui))) + goto error; + show_UserInfo(ui); + + //When user don't have role + if (!(r = ui->roleList)) { + outputlog(username, arg, "deny", "", "role is none"); + goto access_deny; + } + + if (flag_all) { + for (r = ui->roleList; r ; r = r->next) { + if (r->managementVMType != XR_VMTYPE_WHOLE) { + sprintf(message, "ManagementVMType:whole is not found in role"); + outputlog(username, arg, "deny", r->policyID, message); + continue; + } + if (searchOperationID(opeid, r) == XR_ACCEPT) { + goto access_accept; + } else { + sprintf(message, "OperationID:%d is not found in role", opeid); + outputlog(username, arg, "deny", r->policyID, message); + } + } + + goto access_deny; + } + + for (r = ui->roleList; r ; r = r->next) { + if (r->managementVMType == XR_VMTYPE_INDIVIDUAL) { + if(searchManagementVM(domainname, r) == XR_DENY) { + sprintf(message, "ManagementVM:%s is not found in role", domainname); + outputlog(username, arg, "deny", r->policyID, message); + continue; + } + if (searchOperationID(opeid, r) == XR_ACCEPT) { + goto access_accept; + } else { + sprintf(message, "OperationID:%d is not found in role", opeid); + outputlog(username, arg, "deny", r->policyID, message); + continue; + } + } else if (r->managementVMType == XR_VMTYPE_WHOLE) { + if (searchOperationID(opeid, r) == XR_ACCEPT) { + goto access_accept; + } else { + sprintf(message, "OperationID:%d is not found in role", opeid); + outputlog(username, arg, "deny", r->policyID, message); + continue; + } + } + } + + goto access_deny; + +error: + DMSG("error error_no = %d\n", rc); + + if (rc == XR_ACCEPT) { + EMSG("return code is not set"); + rc = XR_DENY; + } + goto cleanup; + +access_deny: + DMSG("judged result is DENY\n"); + + rc = XR_DENY; + goto cleanup; + +access_accept: + DMSG("judged result is ACCEPT\n"); + outputlog(username, arg, "allow", r->policyID, NULL); + + rc = XR_ACCEPT; + goto cleanup; + +cleanup: + DMSG("%s(%d) : %s", __func__, __LINE__, "cleannup\n"); + + if (ui) + free_UserInfo(ui); + + end_xenrbac_log(); + + return rc; +} +/* + * Local variables: + * c-indent-level: 8 + * c-basic-offset: 8 + * End: + */ diff -r a4c4b2407117 -r d864c312eae4 xenrbac.h --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/xenrbac.h Fri Jan 23 04:39:58 2009 +0900 @@ -0,0 +1,39 @@ +/* + Copyright (C) 2008 Fujitsu Limited. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + MA 02110-1301 USA. +*/ + +#ifndef __XENRBAC_H__ +#define __XENRBAC_H__ + +#include + +int xr_judge(char *username, int opeid, char *domainname, int flag_all); + +#define XR_ANY 0 +#define XR_ALL 1 + +#define XR_ACCEPT 0 +#define XR_DENY EPERM + +#endif /*__XENRBAC_H__*/ +/* + * Local variables: + * c-indent-level: 8 + * c-basic-offset: 8 + * End: + */ diff -r a4c4b2407117 -r d864c312eae4 xr.h --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/xr.h Fri Jan 23 04:39:58 2009 +0900 @@ -0,0 +1,39 @@ +/* + Copyright (C) 2008 Fujitsu Limited. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + MA 02110-1301 USA. +*/ + +#ifndef __XR_H__ +#define __XR_H__ + +#define XENRBAC_POLICY_PATHNAME "/etc/xen/role/" +#define USER_CONFIG_FILENAME "user_define.xml" +#define ROLE_POLICY_FILENAME "role_define.xml" + +#define XR_OPEID_COMMAND_INVALID -1 +#define XR_OPEID_COMMAND_XM 0 +#define XR_MIN_OPEID -1 +#define XR_MAX_OPEID 83 +#define XR_NR_OPEIDS 84 + +#endif /*__XR_H__*/ +/* + * Local variables: + * c-indent-level: 8 + * c-basic-offset: 8 + * End: + */ diff -r a4c4b2407117 -r d864c312eae4 xr_log.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/xr_log.c Fri Jan 23 04:39:58 2009 +0900 @@ -0,0 +1,48 @@ +/* + Copyright (C) 2008 Fujitsu Limited. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + MA 02110-1301 USA. +*/ + +#include +#include +#include "xr.h" +#include "xr_log.h" + +int XENRBAC_DEBUG = 0; + +void +init_xenrbac_log(void) +{ + openlog("xenrbac", LOG_PID, LOG_AUTHPRIV); + + if (getenv("XENRBAC_DEBUG")) { + XENRBAC_DEBUG = 1; + DMSG("start with debug mode\n"); + } +} + +void +end_xenrbac_log(void) +{ + closelog(); +} +/* + * Local variables: + * c-indent-level: 8 + * c-basic-offset: 8 + * End: + */ diff -r a4c4b2407117 -r d864c312eae4 xr_log.h --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/xr_log.h Fri Jan 23 04:39:58 2009 +0900 @@ -0,0 +1,60 @@ +/* + Copyright (C) 2008 Fujitsu Limited. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + MA 02110-1301 USA. +*/ + +#ifndef __XR_LOG_H__ +#define __XR_LOG_H__ + +#include + +extern int XENRBAC_DEBUG; + +void init_xenrbac_log(void); +void end_xenrbac_log(void); + +#define FUNC "%s: ", __func__ +#define LINE "%s: ", __LINE__ + +#define AUDITMSG(_a...) \ + do { \ + syslog(LOG_AUTH|LOG_INFO, _a); \ + } while (0) + +#define EMSG(_a...) \ + do { \ + syslog(LOG_AUTHPRIV|LOG_ERR, _a); \ + } while (0) + +#define IMSG(_a...) \ + do { \ + syslog(LOG_AUTHPRIV|LOG_INFO, _a); \ + } while (0) + +#define DMSG(_a...) \ + do { \ + if (XENRBAC_DEBUG) \ + syslog(LOG_AUTHPRIV|LOG_INFO, _a); \ + } while (0) + +#endif /*__XR_LOG_H__*/ +/* + * Local variables: + * c-indent-level: 8 + * c-basic-offset: 8 + * End: + */