How does a BSWM module (as a mode manager) receive a request from an application SWC (as a user mode) to change mode in AUTOSAR? - autosar

In my architecture there is an ASWC (as the mode user) requesting to change the mode from the BSWM module (as the mode manager) via a sender-receiver port, and the BSWM is supposed to send the changed mode via a mode switch port in response. I have made sender-receiver and mode switch ports and interfaces in my ASWC and added the ASWC descriptions to the configuration tool (EB Tresos) as well. While configuring, I made a BswMModeRequestPortset, added the required arbitration rules and set BswMRequestProcessing to BSWM_IMMEDIATE. After generating, as the attached picture shows, I expected that the configuration tool had generated the required code checking the arbitration rules (ModeArbitration() in the picture) and issued the related action via the mode switch port to the mode users in the mode arbitration runnable. But what was generated was a blank runnable body, as if the user is expected to fill it in by hand.
If the user must typically fill in the runnable body, what API must be used?
Thanks for your answers in advance.

Related

nRF Connect Service that sends notifications on value change

I'm using BTool, together with a TI Launchpad and the nRF Connect mobile app on my Samsung S21. I am curious what type of nRF Connect services can be used that send notifications to my TI Launchpad whenever their value is changed. Not periodically. Only after their value is changed.
I tried using a Battery Level service, but I'm not sure how to "subscribe" to that service (how to enable notifications) from BTool.
Any advice?
According to this BTool User Guide I found the process of enabling notifications is as follows:
In order to enable notifications, the client device must write a value of 0x0001 to the client characteristic configuration descriptor (CCCD) for the particular characteristic. The handle for the CCCD immediately follows the characteristic value’s handle. Therefore, a value of 0x0001 must be written to the “handle + 1”.
The Battery Service you created has the UUID 0x180F and you have to get the handle for this characteristic. One way is described in the part about reading a characteristic by UUID.
To do this, you will first need to click the “Read/Write” tab in BTool. Select the option “Read Using Characteristic UUID” under the “sub-procedure” option in the “Characteristic Read” section at the top of the screen. Enter the UUID (note that the LSB is entered first, and the MSB is entered last) in the “Characteristic UUID” box, and click the “Read” button.
You can now access the CCCD using "handle + 1" as described earlier. To enable the notifications just write 0x0001 to that handle.

How to register for an "uevent" from a user application in Linux?

I have written a battery driver, and that driver sends a uevent when the power supply is changed, i.e. from AC to battery.
When I run udevadm monitor I see KERNEL and UDEV CHANGE events from the power_supply subsystem upon removing the AC supply.
My requirement is to notify the user application when there is a CHANGE event from the power_supply subsystem. I do not want to poll for kernel messages or a netlink socket from the user application.
Is it possible for me to register/listen for this particular uevent from a user application and get something like a callback function when an event occurs?
It is possible and there is a great reference here. In the reference they use a change rule for a similar application:
# Rule for when switching to battery
ACTION=="change", SUBSYSTEM=="power_supply", ATTR{type}=="Mains", ATTR{online}=="0", ENV{DISPLAY}=":0", ENV{XAUTHORITY}="/home/USERNAME/.Xauthority", RUN+="/usr/bin/su USERNAME_TO_RUN_SCRIPT_AS -c /usr/local/bin/brightness_notification.sh"
The ACTION=="change" registers a rule for a change event. The SUBSYSTEM and ATTR parameters specify the rule to only apply to a certain device or devices (you can get these for your device from udevadm). The RUN parameter is how you run a userspace executable when the event is seen. In the case below they also use the ENV parameter to pass an environment variable to the executable and they also use the su command in RUN to run the executable as another user, but this is probably not necessary for most applications.
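The rule's match keys have counterparts in the KEY=value properties of the uevent that the kernel broadcasts. The following Python code is an added example, not part of the original answer: it parses a constructed power_supply uevent, applies the same ACTION/SUBSYSTEM filter, and includes a listener that blocks in recvfrom() on the kernel uevent netlink group and invokes a callback. The device path, SEQNUM value and function names are assumptions.

```python
import socket

NETLINK_KOBJECT_UEVENT = 15  # protocol number from <linux/netlink.h>
KERNEL_GROUP = 1             # multicast group that carries raw kernel uevents

# Constructed sample payload: "action@devpath" then NUL-separated KEY=value pairs.
SAMPLE = (b"change@/devices/platform/example-charger/power_supply/AC\0"
          b"ACTION=change\0SUBSYSTEM=power_supply\0"
          b"POWER_SUPPLY_NAME=AC\0POWER_SUPPLY_ONLINE=0\0SEQNUM=4242\0")

def parse_uevent(payload):
    """Return (header, properties) for one kernel uevent message."""
    fields = payload.split(b"\0")
    header = fields[0].decode(errors="replace")
    props = {}
    for field in fields[1:]:
        key, sep, value = field.decode(errors="replace").partition("=")
        if sep:  # skip the empty field after the final NUL
            props[key] = value
    return header, props

def matches(props, **wanted):
    """True when every wanted KEY=value is present, like a rule's == matches."""
    return all(props.get(key) == value for key, value in wanted.items())

def listen(callback, **wanted):
    """Block in recvfrom() (no polling) and call callback(props) per match."""
    with socket.socket(socket.AF_NETLINK, socket.SOCK_DGRAM,
                       NETLINK_KOBJECT_UEVENT) as sock:
        sock.bind((0, KERNEL_GROUP))  # pid 0: let the kernel pick our address
        while True:
            data, (sender_pid, _groups) = sock.recvfrom(65535)
            if sender_pid != 0:  # only the kernel sends with netlink pid 0
                continue
            _header, props = parse_uevent(data)
            if matches(props, **wanted):
                callback(props)

if __name__ == "__main__":
    listen(print, ACTION="change", SUBSYSTEM="power_supply")
```

The sender check matters because any local process can send unicast netlink messages to the listener's socket; dropping everything whose sender pid is not 0 keeps spoofed events out of the callback.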

FreeRadius in combination with a vulnerability scan / software status check

What I have:
I am running a freeradius server fully configured the way I need it to be. Everything works just fine right now.
What I need:
I need the radius to put the devices in a separate VLAN before authentication and to run a vulnerability scan (nessus / openvas etc.) on the devices in this VLAN to check for software status (antivirus etc.).
If the device passes the test, the authentication should be done normally.
If it fails, it should be put into a third (fourth if you count the unauth-vid) VLAN.
Can someone tell me if this is doable in freeradius?
Thanks in advance for your answers.
Yes. But this is a very broad question and is dependent on the networking equipment being used. I'll give you an overview of how I'd design such a system.
In general, you'll have an easier time if you can use the same DHCP server/IP range for your NAC and full access VLAN. That means you don't have to signal the higher networking layers in the client that there's been a state change, you can swap out VLANs behind the scenes to change what they can access.
You'd set up a database with an entry for each client. This doesn't have to be pre-populated, it could be populated during the first auth attempt. Part of each client entry would be a status field detailing when they last completed NAC.
You'd also need an accounting database, to store information about where each client is connected to the network.
If the client had never completed NAC checks before, you'd assign the client to the NAC VLAN, and signal your NAC processes to start interrogating it.
FreeRADIUS can act as both a RADIUS and DHCPv4 server, so you'd probably signal the NAC process from the DHCPv4 side because then you'd know what IP the client received.
Binding the RADIUS and DHCPv4 sides can be done in a couple of ways. The most obvious is MAC, another common way is NAS/Port ID using the accounting table.
Once the NAC checks had completed, you'd have the NAC process write out a receipt in detail file format, and have that read back in by a detail file listener (there are examples of this in sites-available/ in the 'decoupled-accounting' virtual server files). When reading those entries back in, you'd change the state in the database, and send a CoA packet to the switch using information from the accounting database to identify the client. This would flip the VLAN and allow them to the standard set of networking resources.
I know this is very high level, documenting it properly would probably exceed StackOverflow's character limit. If you need more help with this, I suggest you research what I've described above and then start asking the RADIUS related questions on the FreeRADIUS user's mailing list https://freeradius.org/support/.
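The receipt-handling step of that design, as an added example that is not part of the original answer: Python code that parses a constructed receipt in detail-file layout, updates the client state, and builds the attribute set for the CoA request from the accounting data. The `NAC-Result` attribute, the VLAN ids, the dictionary layouts and the function names are assumptions; whether a given switch accepts a VLAN change via CoA depends on the equipment.

```python
# VLAN ids are assumptions; NAC-Result is a hypothetical attribute that the
# NAC scanner writes into its receipt. The Tunnel-* attributes are standard.
QUARANTINE_VLAN, FULL_ACCESS_VLAN = "30", "20"

# Constructed receipt in detail-file layout: header line, tab-indented pairs.
RECEIPT = (
    "Tue Mar  5 10:00:00 2024\n"
    '\tCalling-Station-Id = "00-11-22-33-44-55"\n'
    '\tNAC-Result = "pass"\n'
    "\tTimestamp = 1709632800\n"
    "\n"
)

def parse_detail(text):
    """Yield one dict per record; a blank line ends a record."""
    record = None
    for line in text.splitlines():
        if not line.strip():
            if record:
                yield record
            record = None
        elif line[0] in "\t ":
            name, _, value = line.strip().partition(" = ")
            record = {} if record is None else record
            record[name] = value.strip('"')
        else:
            record = {}  # unindented header line starts a new record
    if record:
        yield record

def apply_receipt(record, clients, accounting):
    """Update NAC state and return the CoA attributes for the client's port."""
    mac = record["Calling-Station-Id"]
    passed = record.get("NAC-Result") == "pass"  # anything else fails closed
    clients[mac] = {"nac_passed": passed, "checked_at": int(record["Timestamp"])}
    session = accounting[mac]  # where the client is attached (from accounting)
    return {
        "NAS-IP-Address": session["nas_ip"],
        "NAS-Port-Id": session["nas_port_id"],
        "Calling-Station-Id": mac,
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": FULL_ACCESS_VLAN if passed else QUARANTINE_VLAN,
    }
```

A missing or unrecognised result lands the client in the quarantine VLAN, so a malformed or truncated receipt never grants full access.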

Regarding SCSI Reservations

I am trying to write a program to block a LUN using SCSI 2 reservations.
In SCSI 2 reservations, can the LUN be reserved by the same host with a different path, or is the I-T-L nexus only a single path?
E.g.: Let's say the host tries to reserve the already reserved LUN from the same target but with a different port of the target. Is this possible?
Basically the LUN reservation would still be the same host but would be from different paths.
[EDIT]
I have got the required response for the above mentioned problem but have another query.
Let's say the host has a reservation on LUN X and a connection drops or the host issues a logout. What happens to the reservation?
Does it depend on the host driver to clear the reservation and clear its data, or does the reservation remain so that other hosts would get a conflict if they try to reserve the same LUN?
I tried googling it but could not find the specs related to this issue.
Each I_T_L nexus is a single path. When you use the RESERVE(6) or RESERVE(10) commands described in SPC-2, that's what you're reserving. So, only one path can be active at a time. If that's what you want, then you're good! (Edit: to be clear, the second I_T_L nexus to issue RESERVE gets a reservation conflict.)
If your initiator and target can handle it, the PERSISTENT RESERVE/RELEASE commands in SPC-3 offer much more flexibility. You can register each nexus with the LU and then set an "exclusive-access registrants-only" reservation that blocks access to everyone else, but permits it to the registered nexuses.
An example of this can be seen in the description of a bug in the SCSI fence script used in the Red Hat clustering software. The existing solution didn't interoperate with multipath I/O, because the redundant paths kept hitting reservation conflicts. The solution was to register all paths: https://bugzilla.redhat.com/show_bug.cgi?id=661134
[EDIT] to respond to your additional question: if the connection drops, the reservation is still held. From SPC-2:
This command shall request that the entire logical unit be reserved
for the exclusive use of the initiator until the reservation is
superseded by another valid RESERVE command from the same initiator or
until released by a RELEASE command from the same initiator that made
the reservation, by a TARGET RESET task management function performed
by any initiator, by a hard reset condition, or by a power on cycle.

Communicate password securely to another program (separate shell/dbus)

I am writing a build script which has some password protected files (keys). I need a way to prompt the user once for the password and then use this key across multiple scripts. These scripts do not live inside the same shell, and may spawn other windows via dbus. I can then send them commands, one of which must have access to the password.
I have this working already, but at a few points the passphrase is either used directly on a command-line (passed via dbus), or is put into a file (the name then passed to the other script). Both of these are less secure than I want*. The command-line ends up in a history which may be stored in a file, as well as appearing in the process list, and the second option stores in a file which can be read by somebody else.
Is there some standard way to create a temporary communications channel between two processes which could communicate the password and not be intercepted by another user on the system (including root)?
*Note: This is primarily an exercise to be fully secure. For my current project the temporary in-file storage of the password is okay.
Setting "root being all-powerful" aside, I would imagine that a Private DBus Connection would do the trick although the documentation I could find seems a little light on what exactly makes a private connection private.
However, the DBus Specification, more specifically, the Message Bus Specification subsection on eavesdropping says in part:
Receiving a unicast message whose DESTINATION indicates a different
recipient is called eavesdropping. On a message bus which acts as a
security boundary (like the standard system bus), the security policy
should usually prevent eavesdropping, since unicast messages are
normally kept private and may contain security-sensitive information.
So you may not even need to use private connections which incur more overhead costs. But on a risk/reward basis with security being paramount, that may be the more secure alternative for you. Hope that helps.
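The answer above points to D-Bus. A different standard mechanism for the channel the question asks about is a UNIX domain socket in an owner-only directory with a kernel-verified peer check, shown here as an added example that is not part of the original post. It is Linux-only (SO_PEERCRED); the socket name, the sample passphrase and the function names are assumptions, and root is set aside as in the answer.

```python
import os
import socket
import struct
import tempfile
import threading

def open_listener(directory):
    """Listen on a UNIX socket inside a directory only the owner can enter."""
    path = os.path.join(directory, "secret.sock")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)
    return srv, path

def peer_uid(conn):
    """Ask the kernel (SO_PEERCRED, Linux-only) which uid is connected."""
    size = struct.calcsize("iII")  # struct ucred: pid, uid, gid
    creds = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, size)
    _pid, uid, _gid = struct.unpack("iII", creds)
    return uid

def serve_once(srv, secret, allowed_uid):
    """Send the secret to one peer, but only if its uid is the expected one."""
    conn, _addr = srv.accept()
    with conn:
        if peer_uid(conn) != allowed_uid:
            return False  # close without sending anything
        conn.sendall(secret)
        return True

def fetch(path):
    """Consumer side: connect and read until the sender closes."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client:
        client.connect(path)
        return b"".join(iter(lambda: client.recv(4096), b""))

def demo(secret=b"constructed-passphrase", allowed_uid=None):
    """Run both ends in one process; returns (sent, bytes_received)."""
    allowed_uid = os.getuid() if allowed_uid is None else allowed_uid
    with tempfile.TemporaryDirectory() as private_dir:  # created with mode 0700
        srv, path = open_listener(private_dir)
        outcome = []
        sender = threading.Thread(
            target=lambda: outcome.append(serve_once(srv, secret, allowed_uid)))
        sender.start()
        received = fetch(path)
        sender.join()
        srv.close()
        return outcome[0], received
```

The passphrase never appears in argv, shell history or a regular file; only the socket path has to be handed to the other script, and that path is not a secret.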
