[Xen-changelog] [SPAM] [xen-unstable] xsm, flask: sample flask policy
# HG changeset patch
# User Keir Fraser <keir.fraser@xxxxxxxxxx>
# Date 1220523985 -3600
# Node ID 294fc8fc4ba05c1fe91754dfe3b770834c56231b
# Parent 44f039c4aee498ef47103c94cc9e7b78575b0e85
xsm, flask: sample flask policy

- The patch includes a policy for xen that can be booted into enforcing mode and supports creation and management of paravirtualized guests. The policy follows the dom0/domU usage model; extension to other models or the addition of management or IO permissions should be much more straightforward now. The option flask_enforcing=1 can be passed on the xen line in grub to boot into enforcing mode.
- The policy provides a basic policy for booting the platform and creating a domU with the label system_u:object_r:domU_t. The policy can be easily extended to support new types by modifying the xen.te source file.
- The policy includes some basic macros which may be helpful in extending the policy.
- The policy is compatible with and requires the most recent XSM patch, xsm-flask-io-sysctl-hooks-090308.diff.
- The policy is not built as part of the make all as it requires the SELinux policy compiler, which may/may not be installed on all systems. Users must go into the tools/flask/policy directory and explicitly compile the policy.
Signed-off-by: George Coker <gscoker@xxxxxxxxxxxxxx>
---
 tools/flask/policy/Makefile                           |  234 +++++++++++
 tools/flask/policy/Rules.modular                      |  166 ++++++++
 tools/flask/policy/Rules.monolithic                   |  196 +++++++++
 tools/flask/policy/policy/constraints                 |   27 +
 tools/flask/policy/policy/flask/Makefile              |   41 ++
 tools/flask/policy/policy/flask/access_vectors        |  166 ++++++++
 tools/flask/policy/policy/flask/initial_sids          |   17
 tools/flask/policy/policy/flask/mkaccess_vector.sh    |  227 +++++++++++
 tools/flask/policy/policy/flask/mkflask.sh            |   95 ++++
 tools/flask/policy/policy/flask/security_classes      |   20 +
 tools/flask/policy/policy/global_booleans             |    5
 tools/flask/policy/policy/global_tunables             |    6
 tools/flask/policy/policy/mcs                         |  324 ++++++++++++++++
 tools/flask/policy/policy/mls                         |  354 ++++++++++++++++++
 tools/flask/policy/policy/modules.conf                |   21 +
 tools/flask/policy/policy/modules/xen/xen.if          |    1
 tools/flask/policy/policy/modules/xen/xen.te          |  135 ++++++
 tools/flask/policy/policy/support/loadable_module.spt |  166 ++++++++
 tools/flask/policy/policy/support/misc_macros.spt     |   32 +
 tools/flask/policy/policy/systemuser                  |   19
 tools/flask/policy/policy/users                       |   39 +
 21 files changed, 2291 insertions(+)

diff -r 44f039c4aee4 -r 294fc8fc4ba0 tools/flask/policy/Makefile --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/tools/flask/policy/Makefile Thu Sep 04 11:26:25 2008 +0100 
@@ -0,0 +1,234 @@ +# +# Makefile for the security policy. +# +# Targets: +# +# install - compile and install the policy configuration, and context files. +# load - compile, install, and load the policy configuration. +# reload - compile, install, and load/reload the policy configuration. +# policy - compile the policy configuration locally for testing/development. +# +# The default target is 'policy'. +# + +######################################## +# +# Configurable portions of the Makefile +# + +# Policy version +# By default, checkpolicy will create the highest +# version policy it supports. Setting this will +# override the version. +OUTPUT_POLICY = 20 + +# Policy Type +# strict, targeted, +# strict-mls, targeted-mls, +# strict-mcs, targeted-mcs +TYPE = strict + +# Policy Name +# If set, this will be used as the policy +# name. Otherwise the policy type will be +# used for the name. +NAME = xenrefpolicy + +# Distribution +# Some distributions have portions of policy +# for programs or configurations specific to the +# distribution. Setting this will enable options +# for the distribution. +# redhat, gentoo, debian, and suse are current options. +# Fedora users should enable redhat. +#DISTRO = + +# Build monolithic policy. Putting n here +# will build a loadable module policy. 
+MONOLITHIC=y + +# Uncomment this to disable command echoing +#QUIET:=@ + +######################################## +# +# NO OPTIONS BELOW HERE +# + +# executable paths +PREFIX := /usr +BINDIR := $(PREFIX)/bin +SBINDIR := $(PREFIX)/sbin +CHECKPOLICY := $(BINDIR)/checkpolicy +CHECKMODULE := $(BINDIR)/checkmodule +SEMOD_PKG := $(BINDIR)/semodule_package +LOADPOLICY := $(SBINDIR)/flask-loadpolicy + +CFLAGS := -Wall + +# policy source layout +POLDIR := policy +MODDIR := $(POLDIR)/modules +FLASKDIR := $(POLDIR)/flask +SECCLASS := $(FLASKDIR)/security_classes +ISIDS := $(FLASKDIR)/initial_sids +AVS := $(FLASKDIR)/access_vectors + +#policy building support tools +SUPPORT := support +FCSORT := tmp/fc_sort + +# config file paths +GLOBALTUN := $(POLDIR)/global_tunables +GLOBALBOOL := $(POLDIR)/global_booleans +MOD_CONF := $(POLDIR)/modules.conf +TUNABLES := $(POLDIR)/tunables.conf +BOOLEANS := $(POLDIR)/booleans.conf + +# install paths +TOPDIR = $(DESTDIR)/etc/xen/ +INSTALLDIR = $(TOPDIR)/$(NAME) +SRCPATH = $(INSTALLDIR)/src +USERPATH = $(INSTALLDIR)/users +CONTEXTPATH = $(INSTALLDIR)/contexts + +# enable MLS if requested. +ifneq ($(findstring -mls,$(TYPE)),) + override M4PARAM += -D enable_mls + CHECKPOLICY += -M + CHECKMODULE += -M +endif + +# enable MLS if MCS requested. +ifneq ($(findstring -mcs,$(TYPE)),) + override M4PARAM += -D enable_mcs + CHECKPOLICY += -M + CHECKMODULE += -M +endif + +# compile targeted policy if requested. 
+ifneq ($(findstring targeted,$(TYPE)),) + override M4PARAM += -D targeted_policy +endif + +# enable distribution-specific policy +ifneq ($(DISTRO),) + override M4PARAM += -D distro_$(DISTRO) +endif + +ifneq ($(OUTPUT_POLICY),) + CHECKPOLICY += -c $(OUTPUT_POLICY) +endif + +ifeq ($(NAME),) + NAME := $(TYPE) +endif + +# determine the policy version and current kernel version if possible +PV := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ') +KV := $(shell cat /selinux/policyvers) + +# dont print version warnings if we are unable to determine +# the currently running kernel's policy version +ifeq ($(KV),) + KV := $(PV) +endif + +FC := file_contexts +POLVER := policy.$(PV) + +M4SUPPORT = $(wildcard $(POLDIR)/support/*.spt) + +APPCONF := config/appconfig-$(TYPE) +APPDIR := $(CONTEXTPATH) +APPFILES := $(INSTALLDIR)/booleans +CONTEXTFILES += $(wildcard $(APPCONF)/*_context*) $(APPCONF)/media +USER_FILES := $(POLDIR)/systemuser $(POLDIR)/users + +ALL_LAYERS := $(filter-out $(MODDIR)/CVS,$(shell find $(wildcard $(MODDIR)/*) -maxdepth 0 -type d)) + +GENERATED_TE := $(basename $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te.in))) +GENERATED_IF := $(basename $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.if.in))) +GENERATED_FC := $(basename $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.fc.in))) + +# sort here since it removes duplicates, which can happen +# when a generated file is already generated +DETECTED_MODS := $(sort $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te)) $(GENERATED_TE)) + +# modules.conf setting for base module +MODBASE := base + +# modules.conf setting for module +MODMOD := module + +# extract settings from modules.conf +BASE_MODS := $(foreach mod,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODBASE)") print $$1 }' $(MOD_CONF) 2> /dev/null),$(subst ./,,$(shell find -iname $(mod).te))) +MOD_MODS := $(foreach mod,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODMOD)") print $$1 }' $(MOD_CONF) 2> /dev/null),$(subst ./,,$(shell find 
-iname $(mod).te))) + +HOMEDIR_TEMPLATE = tmp/homedir_template + +######################################## +# +# Load appropriate rules +# + +ifeq ($(MONOLITHIC),y) + include Rules.monolithic +else + include Rules.modular +endif + +######################################## +# +# Create config files +# +conf: $(MOD_CONF) $(BOOLEANS) $(GENERATED_TE) $(GENERATED_IF) $(GENERATED_FC) + +$(MOD_CONF) $(BOOLEANS): $(POLXML) + @echo "Updating $(MOD_CONF) and $(BOOLEANS)" + $(QUIET) cd $(DOCS) && ../$(GENDOC) -t ../$(BOOLEANS) -m ../$(MOD_CONF) -x ../$(POLXML) + +######################################## +# +# Appconfig files +# +install-appconfig: $(APPFILES) + +$(INSTALLDIR)/booleans: $(BOOLEANS) + @mkdir -p $(INSTALLDIR) + $(QUIET) egrep '^[[:blank:]]*[[:alpha:]]' $(BOOLEANS) \ + | sed -e 's/false/0/g' -e 's/true/1/g' > tmp/booleans + $(QUIET) install -m 644 tmp/booleans $@ + +######################################## +# +# Install policy sources +# +install-src: + rm -rf $(SRCPATH)/policy.old + -mv $(SRCPATH)/policy $(SRCPATH)/policy.old + mkdir -p $(SRCPATH)/policy + cp -R . $(SRCPATH)/policy + +######################################## +# +# Clean everything +# +bare: clean + rm -f $(POLXML) + rm -f $(SUPPORT)/*.pyc + rm -f $(FCSORT) + rm -f $(MOD_CONF) + rm -f $(BOOLEANS) + rm -fR $(HTMLDIR) +ifneq ($(GENERATED_TE),) + rm -f $(GENERATED_TE) +endif +ifneq ($(GENERATED_IF),) + rm -f $(GENERATED_IF) +endif +ifneq ($(GENERATED_FC),) + rm -f $(GENERATED_FC) +endif + +.PHONY: install-src install-appconfig conf html bare diff -r 44f039c4aee4 -r 294fc8fc4ba0 tools/flask/policy/Rules.modular --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/tools/flask/policy/Rules.modular Thu Sep 04 11:26:25 2008 +0100 
@@ -0,0 +1,166 @@ +######################################## +# +# Rules and Targets for building modular policies +# + +ALL_MODULES := $(filter $(BASE_MODS) $(MOD_MODS),$(DETECTED_MODS)) +ALL_INTERFACES := $(ALL_MODULES:.te=.if) + +BASE_PKG := base.pp +BASE_FC := base.fc + +BASE_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf $(GLOBALBOOL) $(GLOBALTUN) tmp/only_te_rules.conf tmp/all_post.conf + +BASE_PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls $(POLDIR)/mcs +BASE_TE_FILES := $(BASE_MODS) +BASE_POST_TE_FILES := $(POLDIR)/systemuser $(POLDIR)/constraints +BASE_FC_FILES := $(BASE_MODS:.te=.fc) + +MOD_MODULES := $(MOD_MODS:.te=.mod) +MOD_PKGS := $(notdir $(MOD_MODS:.te=.pp)) + +# search layer dirs for source files +vpath %.te $(ALL_LAYERS) +vpath %.if $(ALL_LAYERS) +vpath %.fc $(ALL_LAYERS) + +######################################## +# +# default action: create all module packages +# +default: base + +base: $(BASE_PKG) + +modules: $(MOD_PKGS) + +#policy: $(POLVER) +#install: $(LOADPATH) $(FCPATH) $(APPFILES) $(USERPATH)/local.users +#load: tmp/load + +######################################## +# +# Create a base module package +# +$(BASE_PKG): tmp/base.mod $(BASE_FC) + @echo "Creating $(NAME) base module package" + $(QUIET) $(SEMOD_PKG) $@ $^ + +######################################## +# +# Compile a base module +# +tmp/base.mod: base.conf + @echo "Compiling $(NAME) base module" + $(QUIET) $(CHECKMODULE) $^ -o $@ + +######################################## +# +# Construct a base module policy.conf +# +base.conf: $(BASE_SECTIONS) + @echo "Creating $(NAME) base module policy.conf" +# checkpolicy can use the #line directives provided by -s for error reporting: + $(QUIET) m4 -D self_contained_policy $(M4PARAM) -s $^ > tmp/$@.tmp + $(QUIET) sed -e /^portcon/d -e /^nodecon/d -e /^netifcon/d < tmp/$@.tmp > $@ +# the ordering of these ocontexts matters: + $(QUIET) grep ^portcon 
tmp/$@.tmp >> $@ || true + $(QUIET) grep ^netifcon tmp/$@.tmp >> $@ || true + $(QUIET) grep ^nodecon tmp/$@.tmp >> $@ || true + +tmp/pre_te_files.conf: $(BASE_PRE_TE_FILES) + @test -d tmp || mkdir -p tmp + $(QUIET) cat $^ > $@ + +tmp/generated_definitions.conf: $(ALL_LAYERS) $(BASE_TE_FILES) + @test -d tmp || mkdir -p tmp +# define all available object classes + $(QUIET) $(GENPERM) $(AVS) $(SECCLASS) > $@ +# per-userdomain templates + $(QUIET) echo "define(\`per_userdomain_templates',\`" >> $@ + $(QUIET) for i in $(patsubst %.te,%,$(notdir $(ALL_MODULES))); do \ + echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \ + >> $@ ;\ + done + $(QUIET) echo "')" >> $@ +# define foo.te + $(QUIET) for i in $(notdir $(BASE_TE_FILES)); do \ + echo "define(\`$$i')" >> $@ ;\ + done + $(QUIET) $(SETTUN) $(BOOLEANS) >> $@ + +tmp/all_interfaces.conf: $(M4SUPPORT) $(ALL_INTERFACES) +ifeq ($(ALL_INTERFACES),) + $(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf") +endif + @test -d tmp || mkdir -p tmp + $(QUIET) m4 $^ | sed -e s/dollarsstar/\$$\*/g > $@ + +tmp/all_te_files.conf: $(BASE_TE_FILES) +ifeq ($(BASE_TE_FILES),) + $(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf") +endif + @test -d tmp || mkdir -p tmp + $(QUIET) cat $^ > $@ + +tmp/post_te_files.conf: $(BASE_POST_TE_FILES) + @test -d tmp || mkdir -p tmp + $(QUIET) cat $^ > $@ + +# extract attributes and put them first. extract post te stuff +# like genfscon and put last. 
portcon, nodecon, and netifcon +# is delayed since they are generated by m4 +tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_files.conf tmp/post_te_files.conf + $(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attrs_types.conf || true + $(QUIET) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf + $(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf + $(QUIET) grep '^sid ' tmp/all_te_files.conf >> tmp/all_post.conf || true + $(QUIET) egrep '^fs_use_(xattr|task|trans)' tmp/all_te_files.conf >> tmp/all_post.conf || true + $(QUIET) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf || true + $(QUIET) sed -r -e /^attribute/d -e '/^type /d' -e /^genfscon/d \ + -e '/^sid /d' -e '/^fs_use_(xattr|task|trans)/d' \ + < tmp/all_te_files.conf > tmp/only_te_rules.conf + +######################################## +# +# Construct base module file contexts +# +$(BASE_FC): $(M4SUPPORT) tmp/generated_definitions.conf $(BASE_FC_FILES) $(FCSORT) +ifeq ($(BASE_FC_FILES),) + $(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf") +endif + @echo "Creating $(NAME) base module file contexts." + @test -d tmp || mkdir -p tmp + $(QUIET) m4 $(M4PARAM) $(M4SUPPORT) tmp/generated_definitions.conf $(BASE_FC_FILES) > tmp/$@.tmp + $(QUIET) grep -e HOME -e ROLE tmp/$@.tmp > $(HOMEDIR_TEMPLATE) + $(QUIET) sed -i -e /HOME/d -e /ROLE/d tmp/$@.tmp + $(QUIET) $(FCSORT) tmp/$@.tmp $@ + +######################################## +# +# Build module packages +# +tmp/%.mod: $(M4SUPPORT) tmp/generated_definitions.conf tmp/all_interfaces.conf %.te + @if test -z "$(filter $^,$(MOD_MODS))"; then \ + echo "The $(notdir $(basename $@)) module is not configured to be compiled as a lodable module." 
;\ + false ;\ + fi + @echo "Compliling $(NAME) $(@F) module" + $(QUIET) m4 $(M4PARAM) -s $^ > $(@:.mod=.tmp) + $(QUIET) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@ + +%.pp: tmp/%.mod %.fc + @echo "Creating $(NAME) $(@F) policy package" + $(QUIET) $(SEMOD_PKG) $@ $^ + +######################################## +# +# Clean the sources +# +clean: + rm -fR tmp + rm -f base.conf + rm -f *.pp + rm -f $(BASE_FC) + +.PHONY: default base modules clean diff -r 44f039c4aee4 -r 294fc8fc4ba0 tools/flask/policy/Rules.monolithic --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/tools/flask/policy/Rules.monolithic Thu Sep 04 11:26:25 2008 +0100 
@@ -0,0 +1,196 @@ +######################################## +# +# Rules and Targets for building monolithic policies +# + +# install paths +POLICYPATH = $(INSTALLDIR)/policy +LOADPATH = $(POLICYPATH)/$(POLVER) +FCPATH = $(CONTEXTPATH)/files/file_contexts +HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template + +# for monolithic policy use all base and module to create policy +ENABLEMOD := $(BASE_MODS) $(MOD_MODS) + +ALL_MODULES := $(filter $(ENABLEMOD),$(DETECTED_MODS)) + +ALL_INTERFACES := $(ALL_MODULES:.te=.if) +ALL_TE_FILES := $(ALL_MODULES) +ALL_FC_FILES := $(ALL_MODULES:.te=.fc) + +PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls $(POLDIR)/mcs +POST_TE_FILES := $(POLDIR)/systemuser $(POLDIR)/users $(POLDIR)/constraints + +POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf $(GLOBALBOOL) $(GLOBALTUN) tmp/only_te_rules.conf tmp/all_post.conf + +######################################## +# +# default action: build policy locally +# +default: policy + +policy: $(POLVER) + +install: $(LOADPATH) $(FCPATH) $(APPFILES) $(USERPATH)/local.users + +load: tmp/load + +######################################## +# +# Build a binary policy locally +# +$(POLVER): policy.conf + @echo "Compiling $(NAME) $(POLVER)" +ifneq ($(PV),$(KV)) + @echo + @echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?" + @echo +endif + $(QUIET) $(CHECKPOLICY) $^ -o $@ + +######################################## +# +# Install a binary policy +# +$(LOADPATH): policy.conf + @mkdir -p $(POLICYPATH) + @echo "Compiling and installing $(NAME) $(LOADPATH)" +ifneq ($(PV),$(KV)) + @echo + @echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?" 
+ @echo +endif + $(QUIET) $(CHECKPOLICY) $^ -o $@ + +######################################## +# +# Load the binary policy +# +reload tmp/load: $(LOADPATH) $(FCPATH) + @echo "Loading $(NAME) $(LOADPATH)" + $(QUIET) $(LOADPOLICY) -q $(LOADPATH) + @touch tmp/load + +######################################## +# +# Construct a monolithic policy.conf +# +policy.conf: $(POLICY_SECTIONS) + @echo "Creating $(NAME) policy.conf" +# checkpolicy can use the #line directives provided by -s for error reporting: + $(QUIET) m4 -D self_contained_policy $(M4PARAM) -s $^ > tmp/$@.tmp + $(QUIET) sed -e /^portcon/d -e /^nodecon/d -e /^netifcon/d < tmp/$@.tmp > $@ + +tmp/pre_te_files.conf: $(PRE_TE_FILES) + @test -d tmp || mkdir -p tmp + $(QUIET) cat $^ > $@ + +tmp/generated_definitions.conf: $(ALL_LAYERS) $(ALL_TE_FILES) +# per-userdomain templates: + @test -d tmp || mkdir -p tmp + $(QUIET) echo "define(\`per_userdomain_templates',\`" > $@ + $(QUIET) for i in $(patsubst %.te,%,$(notdir $(ALL_MODULES))); do \ + echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \ + >> $@ ;\ + done + $(QUIET) echo "')" >> $@ +# define foo.te + $(QUIET) for i in $(notdir $(ALL_MODULES)); do \ + echo "define(\`$$i')" >> $@ ;\ + done +# $(QUIET) $(SETTUN) $(BOOLEANS) >> $@ + +tmp/all_interfaces.conf: $(M4SUPPORT) $(ALL_INTERFACES) +ifeq ($(ALL_INTERFACES),) + $(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf") +endif + @test -d tmp || mkdir -p tmp + $(QUIET) m4 $^ | sed -e s/dollarsstar/\$$\*/g > $@ + +tmp/all_te_files.conf: $(ALL_TE_FILES) +ifeq ($(ALL_TE_FILES),) + $(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf") +endif + @test -d tmp || mkdir -p tmp + $(QUIET) cat $^ > $@ + +tmp/post_te_files.conf: $(POST_TE_FILES) + @test -d tmp || mkdir -p tmp + $(QUIET) cat $^ > $@ + +# extract attributes and put them first. extract post te stuff +# like genfscon and put last. 
portcon, nodecon, and netifcon +# is delayed since they are generated by m4 +tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_files.conf tmp/post_te_files.conf + $(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attrs_types.conf || true + $(QUIET) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf + $(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf + $(QUIET) grep '^sid ' tmp/all_te_files.conf >> tmp/all_post.conf || true + $(QUIET) egrep '^fs_use_(xattr|task|trans)' tmp/all_te_files.conf >> tmp/all_post.conf || true + $(QUIET) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf || true + $(QUIET) sed -r -e /^attribute/d -e '/^type /d' -e /^genfscon/d \ + -e '/^sid /d' -e '/^fs_use_(xattr|task|trans)/d' \ + < tmp/all_te_files.conf > tmp/only_te_rules.conf + +######################################## +# +# Remove the dontaudit rules from the policy.conf +# +enableaudit: policy.conf + @test -d tmp || mkdir -p tmp + @echo "Removing dontaudit rules from policy.conf" + $(QUIET) grep -v dontaudit policy.conf > tmp/policy.audit + $(QUIET) mv tmp/policy.audit policy.conf + +######################################## +# +# Construct file_contexts +# +$(FC): $(M4SUPPORT) tmp/generated_definitions.conf $(ALL_FC_FILES) +ifeq ($(ALL_FC_FILES),) + $(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf") +endif + @echo "Creating $(NAME) file_contexts." + @test -d tmp || mkdir -p tmp + $(QUIET) m4 $(M4PARAM) $(M4SUPPORT) tmp/generated_definitions.conf $(ALL_FC_FILES) > tmp/$@.tmp +# $(QUIET) grep -e HOME -e ROLE tmp/$@.tmp > $(HOMEDIR_TEMPLATE) +# $(QUIET) sed -i -e /HOME/d -e /ROLE/d tmp/$@.tmp +# $(QUIET) $(FCSORT) tmp/$@.tmp $@ + $(QUIET) touch $(HOMEDIR_TEMPLATE) + $(QUIET) touch $@ + +######################################## +# +# Install file_contexts +# +$(FCPATH): $(FC) $(LOADPATH) $(USERPATH)/system.users + @echo "Validating $(NAME) file_contexts." 
+# $(QUIET) $(SETFILES) -q -c $(LOADPATH) $(FC) + @echo "Installing file_contexts." + @mkdir -p $(CONTEXTPATH)/files + $(QUIET) install -m 644 $(FC) $(FCPATH) + $(QUIET) install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH) +# $(QUIET) $(GENHOMEDIRCON) -d $(TOPDIR) -t $(NAME) $(USEPWD) + +######################################## +# +# Run policy source checks +# +check: policy.conf $(FC) + $(SECHECK) -s --profile=development --policy=policy.conf --fcfile=$(FC) > $@.res + +longcheck: policy.conf $(FC) + $(SECHECK) -s --profile=all --policy=policy.conf --fcfile=$(FC) > $@.res + +######################################## +# +# Clean the sources +# +clean: + rm -fR tmp + rm -f policy.conf + rm -f policy.$(PV) + rm -f $(FC) + rm -f *.res + +.PHONY: default policy install load reload enableaudit checklabels restorelabels relabel check longcheck clean diff -r 44f039c4aee4 -r 294fc8fc4ba0 tools/flask/policy/policy/constraints --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/tools/flask/policy/policy/constraints Thu Sep 04 11:26:25 2008 +0100 @@ -0,0 +1,27 @@ + +# +# Define the constraints +# +# constrain class_set perm_set expression ; +# +# expression : ( expression ) +# | not expression +# | expression and expression +# | expression or expression +# | u1 op u2 +# | r1 role_op r2 +# | t1 op t2 +# | u1 op names +# | u2 op names +# | r1 op names +# | r2 op names +# | t1 op names +# | t2 op names +# +# op : == | != +# role_op : == | != | eq | dom | domby | incomp +# +# names : name | { name_list } +# name_list : name | name_list name +# + diff -r 44f039c4aee4 -r 294fc8fc4ba0 tools/flask/policy/policy/flask/Makefile --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/tools/flask/policy/policy/flask/Makefile Thu Sep 04 11:26:25 2008 +0100 
@@ -0,0 +1,41 @@ +# flask needs to know where to export the libselinux headers. +LIBSEL ?= ../../libselinux + +# flask needs to know where to export the kernel headers. +LINUXDIR ?= ../../../linux-2.6 + +AWK = awk + +CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ + else if [ -x /bin/bash ]; then echo /bin/bash; \ + else echo sh; fi ; fi) + +FLASK_H_DEPEND = security_classes initial_sids +AV_H_DEPEND = access_vectors + +FLASK_H_FILES = class_to_string.h flask.h initial_sid_to_string.h +AV_H_FILES = av_inherit.h common_perm_to_string.h av_perm_to_string.h av_permissions.h +ALL_H_FILES = $(FLASK_H_FILES) $(AV_H_FILES) + +all: $(ALL_H_FILES) + +$(FLASK_H_FILES): $(FLASK_H_DEPEND) + $(CONFIG_SHELL) mkflask.sh $(AWK) $(FLASK_H_DEPEND) + +$(AV_H_FILES): $(AV_H_DEPEND) + $(CONFIG_SHELL) mkaccess_vector.sh $(AWK) $(AV_H_DEPEND) + +tolib: all + install -m 644 flask.h av_permissions.h $(LIBSEL)/include/selinux + install -m 644 class_to_string.h av_inherit.h common_perm_to_string.h av_perm_to_string.h $(LIBSEL)/src + +tokern: all + install -m 644 $(ALL_H_FILES) $(LINUXDIR)/security/selinux/include + +install: all + +relabel: + +clean: + rm -f $(FLASK_H_FILES) + rm -f $(AV_H_FILES) diff -r 44f039c4aee4 -r 294fc8fc4ba0 tools/flask/policy/policy/flask/access_vectors --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/tools/flask/policy/policy/flask/access_vectors Thu Sep 04 11:26:25 2008 +0100 
@@ -0,0 +1,166 @@ +# +# Define common prefixes for access vectors +# +# common common_name { permission_name ... } + +# +# Define a common prefix for file access vectors. +# + + +# +# Define the access vectors. +# +# class class_name [ inherits common_name ] { permission_name ... } + + +# +# Define the access vector interpretation for file-related objects. +# + +class xen +{ + scheduler + settime + tbufcontrol + readconsole + clearconsole + perfcontrol + mtrr_add + mtrr_del + mtrr_read + microcode + physinfo + quirk + writeconsole + readapic + writeapic + privprofile + nonprivprofile + kexec + firmware + sleep + frequency + getidle + debug + getcpuinfo + heap +} + +class domain +{ + setvcpucontext + pause + unpause + resume + create + transition + max_vcpus + destroy + setvcpuaffinity + getvcpuaffinity + scheduler + getdomaininfo + getvcpuinfo + getvcpucontext + setdomainmaxmem + setdomainhandle + setdebugging + hypercall + settime + set_target + shutdown + setaddrsize + getaddrsize + trigger + getextvcpucontext + setextvcpucontext +} + +class hvm +{ + sethvmc + gethvmc + setparam + getparam + pcilevel + irqlevel + pciroute + bind_irq + cacheattr +} + +class event +{ + bind + send + status + notify + create + vector + reset +} + +class grant +{ + map_read + map_write + unmap + transfer + setup + copy + query +} + +class mmu +{ + map_read + map_write + pageinfo + pagelist + adjust + stat + translategp + updatemp + physmap + pinpage + mfnlist + memorymap +} + +class shadow +{ + disable + enable + logdirty +} + +class resource +{ + add + remove + use + add_irq + remove_irq + add_ioport + remove_ioport + add_iomem + remove_iomem + stat_device + add_device + remove_device +} + +class security +{ + compute_av + compute_create + compute_member + check_context + load_policy + compute_relabel + compute_user + setenforce + setbool + setsecparam +} diff -r 44f039c4aee4 -r 294fc8fc4ba0 tools/flask/policy/policy/flask/initial_sids --- /dev/null Thu Jan 01 00:00:00 1970 +0000 
+++ b/tools/flask/policy/policy/flask/initial_sids Thu Sep 04 11:26:25 2008 +0100 @@ -0,0 +1,17 @@ +# FLASK + +# +# Define initial security identifiers +# +sid xen +sid dom0 +sid domU +sid domio +sid domxen +sid unlabeled +sid security +sid ioport +sid iomem +sid pirq +sid device +# FLASK diff -r 44f039c4aee4 -r 294fc8fc4ba0 tools/flask/policy/policy/flask/mkaccess_vector.sh --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/tools/flask/policy/policy/flask/mkaccess_vector.sh Thu Sep 04 11:26:25 2008 +0100 
@@ -0,0 +1,227 @@ +#!/bin/sh - +# + +# FLASK + +set -e + +awk=$1 +shift + +# output files +av_permissions="av_permissions.h" +av_inherit="av_inherit.h" +common_perm_to_string="common_perm_to_string.h" +av_perm_to_string="av_perm_to_string.h" + +cat $* | $awk " +BEGIN { + outfile = \"$av_permissions\" + inheritfile = \"$av_inherit\" + cpermfile = \"$common_perm_to_string\" + avpermfile = \"$av_perm_to_string\" + "' + nextstate = "COMMON_OR_AV"; + printf("/* This file is automatically generated. Do not edit. */\n") > outfile; + printf("/* This file is automatically generated. Do not edit. */\n") > inheritfile; + printf("/* This file is automatically generated. Do not edit. */\n") > cpermfile; + printf("/* This file is automatically generated. Do not edit. */\n") > avpermfile; +; + } +/^[ \t]*#/ { + next; + } +$1 == "common" { + if (nextstate != "COMMON_OR_AV") + { + printf("Parse error: Unexpected COMMON definition on line %d\n", NR); + next; + } + + if ($2 in common_defined) + { + printf("Duplicate COMMON definition for %s on line %d.\n", $2, NR); + next; + } + common_defined[$2] = 1; + + tclass = $2; + common_name = $2; + permission = 1; + + printf("TB_(common_%s_perm_to_string)\n", $2) > cpermfile; + + nextstate = "COMMON-OPENBRACKET"; + next; + } +$1 == "class" { + if (nextstate != "COMMON_OR_AV" && + nextstate != "CLASS_OR_CLASS-OPENBRACKET") + { + printf("Parse error: Unexpected class definition on line %d\n", NR); + next; + } + + tclass = $2; + + if (tclass in av_defined) + { + printf("Duplicate access vector definition for %s on line %d\n", tclass, NR); + next; + } + av_defined[tclass] = 1; + + inherits = ""; + permission = 1; + + nextstate = "INHERITS_OR_CLASS-OPENBRACKET"; + next; + } +$1 == "inherits" { + if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET") + { + printf("Parse error: Unexpected INHERITS definition on line %d\n", NR); + next; + } + + if (!($2 in common_defined)) + { + printf("COMMON %s is not defined (line %d).\n", $2, NR); + next; + } + + 
inherits = $2; + permission = common_base[$2]; + + for (combined in common_perms) + { + split(combined,separate, SUBSEP); + if (separate[1] == inherits) + { + inherited_perms[common_perms[combined]] = separate[2]; + } + } + + j = 1; + for (i in inherited_perms) { + ind[j] = i + 0; + j++; + } + n = asort(ind); + for (i = 1; i <= n; i++) { + perm = inherited_perms[ind[i]]; + printf("#define %s__%s", toupper(tclass), toupper(perm)) > outfile; + spaces = 40 - (length(perm) + length(tclass)); + if (spaces < 1) + spaces = 1; + for (j = 0; j < spaces; j++) + printf(" ") > outfile; + printf("0x%08xUL\n", ind[i]) > outfile; + } + printf("\n") > outfile; + for (i in ind) delete ind[i]; + for (i in inherited_perms) delete inherited_perms[i]; + + printf(" S_(SECCLASS_%s, %s, 0x%08xUL)\n", toupper(tclass), inherits, permission) > inheritfile; + + nextstate = "CLASS_OR_CLASS-OPENBRACKET"; + next; + } +$1 == "{" { + if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET" && + nextstate != "CLASS_OR_CLASS-OPENBRACKET" && + nextstate != "COMMON-OPENBRACKET") + { + printf("Parse error: Unexpected { on line %d\n", NR); + next; + } + + if (nextstate == "INHERITS_OR_CLASS-OPENBRACKET") + nextstate = "CLASS-CLOSEBRACKET"; + + if (nextstate == "CLASS_OR_CLASS-OPENBRACKET") + nextstate = "CLASS-CLOSEBRACKET"; + + if (nextstate == "COMMON-OPENBRACKET") + nextstate = "COMMON-CLOSEBRACKET"; + } +/[a-z][a-z_]*/ { + if (nextstate != "COMMON-CLOSEBRACKET" && + nextstate != "CLASS-CLOSEBRACKET") + { + printf("Parse error: Unexpected symbol %s on line %d\n", $1, NR); + next; + } + + if (nextstate == "COMMON-CLOSEBRACKET") + { + if ((common_name,$1) in common_perms) + { + printf("Duplicate permission %s for common %s on line %d.\n", $1, common_name, NR); + next; + } + + common_perms[common_name,$1] = permission; + + printf("#define COMMON_%s__%s", toupper(common_name), toupper($1)) > outfile; + + printf(" S_(\"%s\")\n", $1) > cpermfile; + } + else + { + if ((tclass,$1) in av_perms) + { + 
printf("Duplicate permission %s for %s on line %d.\n", $1, tclass, NR); + next; + } + + av_perms[tclass,$1] = permission; + + if (inherits != "") + { + if ((inherits,$1) in common_perms) + { + printf("Permission %s in %s on line %d conflicts with common permission.\n", $1, tclass, inherits, NR); + next; + } + } + + printf("#define %s__%s", toupper(tclass), toupper($1)) > outfile; + + printf(" S_(SECCLASS_%s, %s__%s, \"%s\")\n", toupper(tclass), toupper(tclass), toupper($1), $1) > avpermfile; + } + + spaces = 40 - (length($1) + length(tclass)); + if (spaces < 1) + spaces = 1; + + for (i = 0; i < spaces; i++) + printf(" ") > outfile; + printf("0x%08xUL\n", permission) > outfile; + permission = permission * 2; + } +$1 == "}" { + if (nextstate != "CLASS-CLOSEBRACKET" && + nextstate != "COMMON-CLOSEBRACKET") + { + printf("Parse error: Unexpected } on line %d\n", NR); + next; + } + + if (nextstate == "COMMON-CLOSEBRACKET") + { + common_base[common_name] = permission; + printf("TE_(common_%s_perm_to_string)\n\n", common_name) > cpermfile; + } + + printf("\n") > outfile; + + nextstate = "COMMON_OR_AV"; + } +END { + if (nextstate != "COMMON_OR_AV" && nextstate != "CLASS_OR_CLASS-OPENBRACKET") + printf("Parse error: Unexpected end of file\n"); + + }' + +# FLASK diff -r 44f039c4aee4 -r 294fc8fc4ba0 tools/flask/policy/policy/flask/mkflask.sh --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/tools/flask/policy/policy/flask/mkflask.sh Thu Sep 04 11:26:25 2008 +0100 
@@ -0,0 +1,95 @@ +#!/bin/sh - +# + +# FLASK + +set -e + +awk=$1 +shift 1 + +# output file +output_file="flask.h" +debug_file="class_to_string.h" +debug_file2="initial_sid_to_string.h" + +cat $* | $awk " +BEGIN { + outfile = \"$output_file\" + debugfile = \"$debug_file\" + debugfile2 = \"$debug_file2\" + "' + nextstate = "CLASS"; + + printf("/* This file is automatically generated. Do not edit. */\n") > outfile; + + printf("#ifndef _SELINUX_FLASK_H_\n") > outfile; + printf("#define _SELINUX_FLASK_H_\n") > outfile; + printf("\n/*\n * Security object class definitions\n */\n") > outfile; + printf("/* This file is automatically generated. Do not edit. */\n") > debugfile; + printf("/*\n * Security object class definitions\n */\n") > debugfile; + printf(" S_(\"null\")\n") > debugfile; + printf("/* This file is automatically generated. Do not edit. */\n") > debugfile2; + printf("static char *initial_sid_to_string[] =\n{\n") > debugfile2; + printf(" \"null\",\n") > debugfile2; + } +/^[ \t]*#/ { + next; + } +$1 == "class" { + if (nextstate != "CLASS") + { + printf("Parse error: Unexpected class definition on line %d\n", NR); + next; + } + + if ($2 in class_found) + { + printf("Duplicate class definition for %s on line %d.\n", $2, NR); + next; + } + class_found[$2] = 1; + + class_value++; + + printf("#define SECCLASS_%s", toupper($2)) > outfile; + for (i = 0; i < 40 - length($2); i++) + printf(" ") > outfile; + printf("%d\n", class_value) > outfile; + + printf(" S_(\"%s\")\n", $2) > debugfile; + } +$1 == "sid" { + if (nextstate == "CLASS") + { + nextstate = "SID"; + printf("\n/*\n * Security identifier indices for initial entities\n */\n") > outfile; + } + + if ($2 in sid_found) + { + printf("Duplicate SID definition for %s on line %d.\n", $2, NR); + next; + } + sid_found[$2] = 1; + sid_value++; + + printf("#define SECINITSID_%s", toupper($2)) > outfile; + for (i = 0; i < 37 - length($2); i++) + printf(" ") > outfile; + printf("%d\n", sid_value) > outfile; + printf(" 
\"%s\",\n", $2) > debugfile2; + } +END { + if (nextstate != "SID") + printf("Parse error: Unexpected end of file\n"); + + printf("\n#define SECINITSID_NUM") > outfile; + for (i = 0; i < 34; i++) + printf(" ") > outfile; + printf("%d\n", sid_value) > outfile; + printf("\n#endif\n") > outfile; + printf("};\n\n") > debugfile2; + }' + +# FLASK diff -r 44f039c4aee4 -r 294fc8fc4ba0 tools/flask/policy/policy/flask/security_classes --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/tools/flask/policy/policy/flask/security_classes Thu Sep 04 11:26:25 2008 +0100 @@ -0,0 +1,20 @@ +# FLASK + +# +# Define the security object classes +# + +# Classes marked as userspace are classes +# for userspace object managers + +class xen +class domain +class hvm +class mmu +class resource +class shadow +class event +class grant +class security + +# FLASK diff -r 44f039c4aee4 -r 294fc8fc4ba0 tools/flask/policy/policy/global_booleans --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/tools/flask/policy/policy/global_booleans Thu Sep 04 11:26:25 2008 +0100 @@ -0,0 +1,5 @@ +# +# This file is for the declaration of global booleans. +# To change the default value at build time, the booleans.conf +# file should be used. +# diff -r 44f039c4aee4 -r 294fc8fc4ba0 tools/flask/policy/policy/global_tunables --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/tools/flask/policy/policy/global_tunables Thu Sep 04 11:26:25 2008 +0100 @@ -0,0 +1,6 @@ +# +# This file is for the declaration of global tunables. +# To change the default value at build time, the booleans.conf +# file should be used. +# + diff -r 44f039c4aee4 -r 294fc8fc4ba0 tools/flask/policy/policy/mcs --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/tools/flask/policy/policy/mcs Thu Sep 04 11:26:25 2008 +0100 
@@ -0,0 +1,324 @@ +ifdef(`enable_mcs',` +# +# Define sensitivities +# +# Each sensitivity has a name and zero or more aliases. +# +# MCS is single-sensitivity. +# +sensitivity s0; + +# +# Define the ordering of the sensitivity levels (least to greatest) +# +dominance { s0 } + + +# +# Define the categories +# +# Each category has a name and zero or more aliases. +# +category c0; +category c1; +category c2; +category c3; +category c4; +category c5; +category c6; +category c7; +category c8; +category c9; +category c10; +category c11; +category c12; +category c13; +category c14; +category c15; +category c16; +category c17; +category c18; +category c19; +category c20; +category c21; +category c22; +category c23; +category c24; +category c25; +category c26; +category c27; +category c28; +category c29; +category c30; +category c31; +category c32; +category c33; +category c34; +category c35; +category c36; +category c37; +category c38; +category c39; +category c40; +category c41; +category c42; +category c43; +category c44; +category c45; +category c46; +category c47; +category c48; +category c49; +category c50; +category c51; +category c52; +category c53; +category c54; +category c55; +category c56; +category c57; +category c58; +category c59; +category c60; +category c61; +category c62; +category c63; +category c64; +category c65; +category c66; +category c67; +category c68; +category c69; +category c70; +category c71; +category c72; +category c73; +category c74; +category c75; +category c76; +category c77; +category c78; +category c79; +category c80; +category c81; +category c82; +category c83; +category c84; +category c85; +category c86; +category c87; +category c88; +category c89; +category c90; +category c91; +category c92; +category c93; +category c94; +category c95; +category c96; +category c97; +category c98; +category c99; +category c100; +category c101; +category c102; +category c103; +category c104; +category c105; +category c106; +category c107; +category 
c108; +category c109; +category c110; +category c111; +category c112; +category c113; +category c114; +category c115; +category c116; +category c117; +category c118; +category c119; +category c120; +category c121; +category c122; +category c123; +category c124; +category c125; +category c126; +category c127; +category c128; +category c129; +category c130; +category c131; +category c132; +category c133; +category c134; +category c135; +category c136; +category c137; +category c138; +category c139; +category c140; +category c141; +category c142; +category c143; +category c144; +category c145; +category c146; +category c147; +category c148; +category c149; +category c150; +category c151; +category c152; +category c153; +category c154; +category c155; +category c156; +category c157; +category c158; +category c159; +category c160; +category c161; +category c162; +category c163; +category c164; +category c165; +category c166; +category c167; +category c168; +category c169; +category c170; +category c171; +category c172; +category c173; +category c174; +category c175; +category c176; +category c177; +category c178; +category c179; +category c180; +category c181; +category c182; +category c183; +category c184; +category c185; +category c186; +category c187; +category c188; +category c189; +category c190; +category c191; +category c192; +category c193; +category c194; +category c195; +category c196; +category c197; +category c198; +category c199; +category c200; +category c201; +category c202; +category c203; +category c204; +category c205; +category c206; +category c207; +category c208; +category c209; +category c210; +category c211; +category c212; +category c213; +category c214; +category c215; +category c216; +category c217; +category c218; +category c219; +category c220; +category c221; +category c222; +category c223; +category c224; +category c225; +category c226; +category c227; +category c228; +category c229; +category c230; +category c231; +category c232; +category 
c233; +category c234; +category c235; +category c236; +category c237; +category c238; +category c239; +category c240; +category c241; +category c242; +category c243; +category c244; +category c245; +category c246; +category c247; +category c248; +category c249; +category c250; +category c251; +category c252; +category c253; +category c254; +category c255; + + +# +# Each MCS level specifies a sensitivity and zero or more categories which may +# be associated with that sensitivity. +# +level s0:c0.c255; + +# +# Define the MCS policy +# +# mlsconstrain class_set perm_set expression ; +# +# mlsvalidatetrans class_set expression ; +# +# expression : ( expression ) +# | not expression +# | expression and expression +# | expression or expression +# | u1 op u2 +# | r1 role_mls_op r2 +# | t1 op t2 +# | l1 role_mls_op l2 +# | l1 role_mls_op h2 +# | h1 role_mls_op l2 +# | h1 role_mls_op h2 +# | l1 role_mls_op h1 +# | l2 role_mls_op h2 +# | u1 op names +# | u2 op names +# | r1 op names +# | r2 op names +# | t1 op names +# | t2 op names +# | u3 op names (NOTE: this is only available for mlsvalidatetrans) +# | r3 op names (NOTE: this is only available for mlsvalidatetrans) +# | t3 op names (NOTE: this is only available for mlsvalidatetrans) +# +# op : == | != +# role_mls_op : == | != | eq | dom | domby | incomp +# +# names : name | { name_list } +# name_list : name | name_list name +# + + +') dnl end enable_mcs diff -r 44f039c4aee4 -r 294fc8fc4ba0 tools/flask/policy/policy/mls --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/tools/flask/policy/policy/mls Thu Sep 04 11:26:25 2008 +0100 
@@ -0,0 +1,354 @@ + +ifdef(`enable_mls',` +# +# Define sensitivities +# +# Each sensitivity has a name and zero or more aliases. +# +sensitivity s0; +sensitivity s1; +sensitivity s2; +sensitivity s3; +sensitivity s4; +sensitivity s5; +sensitivity s6; +sensitivity s7; +sensitivity s8; +sensitivity s9; +sensitivity s10; +sensitivity s11; +sensitivity s12; +sensitivity s13; +sensitivity s14; +sensitivity s15; + +# +# Define the ordering of the sensitivity levels (least to greatest) +# +dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 s10 s11 s12 s13 s14 s15 } + + +# +# Define the categories +# +# Each category has a name and zero or more aliases. +# +category c0; +category c1; +category c2; +category c3; +category c4; +category c5; +category c6; +category c7; +category c8; +category c9; +category c10; +category c11; +category c12; +category c13; +category c14; +category c15; +category c16; +category c17; +category c18; +category c19; +category c20; +category c21; +category c22; +category c23; +category c24; +category c25; +category c26; +category c27; +category c28; +category c29; +category c30; +category c31; +category c32; +category c33; +category c34; +category c35; +category c36; +category c37; +category c38; +category c39; +category c40; +category c41; +category c42; +category c43; +category c44; +category c45; +category c46; +category c47; +category c48; +category c49; +category c50; +category c51; +category c52; +category c53; +category c54; +category c55; +category c56; +category c57; +category c58; +category c59; +category c60; +category c61; +category c62; +category c63; +category c64; +category c65; +category c66; +category c67; +category c68; +category c69; +category c70; +category c71; +category c72; +category c73; +category c74; +category c75; +category c76; +category c77; +category c78; +category c79; +category c80; +category c81; +category c82; +category c83; +category c84; +category c85; +category c86; +category c87; +category c88; +category c89; +category 
c90; +category c91; +category c92; +category c93; +category c94; +category c95; +category c96; +category c97; +category c98; +category c99; +category c100; +category c101; +category c102; +category c103; +category c104; +category c105; +category c106; +category c107; +category c108; +category c109; +category c110; +category c111; +category c112; +category c113; +category c114; +category c115; +category c116; +category c117; +category c118; +category c119; +category c120; +category c121; +category c122; +category c123; +category c124; +category c125; +category c126; +category c127; +category c128; +category c129; +category c130; +category c131; +category c132; +category c133; +category c134; +category c135; +category c136; +category c137; +category c138; +category c139; +category c140; +category c141; +category c142; +category c143; +category c144; +category c145; +category c146; +category c147; +category c148; +category c149; +category c150; +category c151; +category c152; +category c153; +category c154; +category c155; +category c156; +category c157; +category c158; +category c159; +category c160; +category c161; +category c162; +category c163; +category c164; +category c165; +category c166; +category c167; +category c168; +category c169; +category c170; +category c171; +category c172; +category c173; +category c174; +category c175; +category c176; +category c177; +category c178; +category c179; +category c180; +category c181; +category c182; +category c183; +category c184; +category c185; +category c186; +category c187; +category c188; +category c189; +category c190; +category c191; +category c192; +category c193; +category c194; +category c195; +category c196; +category c197; +category c198; +category c199; +category c200; +category c201; +category c202; +category c203; +category c204; +category c205; +category c206; +category c207; +category c208; +category c209; +category c210; +category c211; +category c212; +category c213; +category c214; +category c215; 
+category c216; +category c217; +category c218; +category c219; +category c220; +category c221; +category c222; +category c223; +category c224; +category c225; +category c226; +category c227; +category c228; +category c229; +category c230; +category c231; +category c232; +category c233; +category c234; +category c235; +category c236; +category c237; +category c238; +category c239; +category c240; +category c241; +category c242; +category c243; +category c244; +category c245; +category c246; +category c247; +category c248; +category c249; +category c250; +category c251; +category c252; +category c253; +category c254; +category c255; + + +# +# Each MLS level specifies a sensitivity and zero or more categories which may +# be associated with that sensitivity. +# +level s0:c0.c255; +level s1:c0.c255; +level s2:c0.c255; +level s3:c0.c255; +level s4:c0.c255; +level s5:c0.c255; +level s6:c0.c255; +level s7:c0.c255; +level s8:c0.c255; +level s9:c0.c255; +level s10:c0.c255; +level s11:c0.c255; +level s12:c0.c255; +level s13:c0.c255; +level s14:c0.c255; +level s15:c0.c255; + + +# +# Define the MLS policy +# +# mlsconstrain class_set perm_set expression ; +# +# mlsvalidatetrans class_set expression ; +# +# expression : ( expression ) +# | not expression +# | expression and expression +# | expression or expression +# | u1 op u2 +# | r1 role_mls_op r2 +# | t1 op t2 +# | l1 role_mls_op l2 +# | l1 role_mls_op h2 +# | h1 role_mls_op l2 +# | h1 role_mls_op h2 +# | l1 role_mls_op h1 +# | l2 role_mls_op h2 +# | u1 op names +# | u2 op names +# | r1 op names +# | r2 op names +# | t1 op names +# | t2 op names +# | u3 op names (NOTE: this is only available for mlsvalidatetrans) +# | r3 op names (NOTE: this is only available for mlsvalidatetrans) +# | t3 op names (NOTE: this is only available for mlsvalidatetrans) +# +# op : == | != +# role_mls_op : == | != | eq | dom | domby | incomp +# +# names : name | { name_list } +# name_list : name | name_list name +# + + +') dnl end enable_mls 
diff -r 44f039c4aee4 -r 294fc8fc4ba0 tools/flask/policy/policy/modules.conf --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/tools/flask/policy/policy/modules.conf Thu Sep 04 11:26:25 2008 +0100 @@ -0,0 +1,21 @@ +# +# This file contains a listing of available modules. +# To prevent a module from being used in policy +# creation, set the module name to "off". +# +# For monolithic policies, modules set to "base" and "module" +# will be built into the policy. +# +# For modular policies, modules set to "base" will be +# included in the base module. "module" will be compiled +# as individual loadable modules. +# + +# Layer: xen +# Module: xen +# Required in base +# +# Policy for xen. +# +xen = base + diff -r 44f039c4aee4 -r 294fc8fc4ba0 tools/flask/policy/policy/modules/xen/xen.if --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/tools/flask/policy/policy/modules/xen/xen.if Thu Sep 04 11:26:25 2008 +0100 @@ -0,0 +1,1 @@ +# diff -r 44f039c4aee4 -r 294fc8fc4ba0 tools/flask/policy/policy/modules/xen/xen.te --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/tools/flask/policy/policy/modules/xen/xen.te Thu Sep 04 11:26:25 2008 +0100 
@@ -0,0 +1,135 @@ +attribute xen_type; +attribute domain_type; +attribute resource_type; +attribute event_type; + +type xen_t, xen_type, domain_type; + +type dom0_t, domain_type; + +type domio_t, domain_type; + +type domxen_t, domain_type; + +type unlabeled_t, domain_type; + +type security_t, domain_type; + +type pirq_t, resource_type; +type ioport_t, resource_type; +type iomem_t, resource_type; +type device_t, resource_type; + +################################################################################ +# +# create_domain(priv_dom, domain, channel) +# +################################################################################ +define(`create_domain', ` + type $2, domain_type; + allow $1 $2:domain {create max_vcpus setdomainmaxmem + setaddrsize getdomaininfo hypercall + setvcpucontext scheduler unpause + getvcpuinfo getaddrsize getvcpuaffinity}; + allow $1 $2:shadow {enable}; + allow $1 $2:mmu {map_read map_write memorymap adjust pinpage}; + allow $2 $2:mmu {map_read map_write pinpage}; + allow $2 domio_t:mmu {map_read}; + allow $2 $2:grant {query setup}; + allow $1 $2:grant {map_read unmap}; + allow $1 $3:event {create}; +') + +################################################################################ +# +# manage_domain(priv_dom, domain) +# +################################################################################ +define(`manage_domain', ` + allow $1 $2:domain {pause destroy}; +') + +################################################################################ +# +# create_channel(caller, peer, channel) +# +################################################################################ +define(`create_channel', ` + type $3, event_type; + type_transition $1 $2:event $3; + allow $1 $3:event {create}; + allow $3 $2:event {bind}; +') + +################################################################################ +# +# Boot the hypervisor and dom0 +# +################################################################################ 
+allow dom0_t xen_t:xen {kexec readapic writeapic mtrr_read mtrr_add mtrr_del +scheduler physinfo heap quirk readconsole writeconsole settime microcode}; + +allow dom0_t domio_t:mmu {map_read map_write}; +allow dom0_t iomem_t:mmu {map_read map_write}; +allow dom0_t pirq_t:event {vector}; +allow dom0_t xen_t:mmu {memorymap}; + +allow dom0_t dom0_t:mmu {pinpage map_read map_write adjust}; +allow dom0_t dom0_t:grant {query setup}; +allow dom0_t dom0_t:domain {scheduler getdomaininfo getvcpuinfo getvcpuaffinity}; + +allow xen_t dom0_t:domain {create}; +allow xen_t dom0_t:resource {add remove}; +allow xen_t ioport_t:resource {add_ioport remove_ioport}; +allow dom0_t ioport_t:resource {use}; +allow xen_t iomem_t:resource {add_iomem remove_iomem}; +allow dom0_t iomem_t:resource {use}; +allow xen_t pirq_t:resource {add_irq remove_irq}; +allow dom0_t pirq_t:resource {use}; + +allow dom0_t security_t:security {compute_av compute_create compute_member +check_context load_policy compute_relabel compute_user setenforce setbool +setsecparam}; + +create_channel(dom0_t, dom0_t, evchn0-0_t) +allow dom0_t evchn0-0_t:event {send}; + +################################################################################ +# +# Create and manage a domU w/ dom0 IO +# +################################################################################ +create_domain(dom0_t, domU_t, evchnU-0_t) + +create_channel(domU_t, domU_t, evchnU-U_t) +allow domU_t evchnU-U_t:event {send}; + +create_channel(dom0_t, domU_t, evchn0-U_t) +allow dom0_t evchn0-U_t:event {send}; + +create_channel(domU_t, dom0_t, evchnU-0_t) +allow domU_t evchnU-0_t:event {send}; + +manage_domain(dom0_t, domU_t) + +################################################################################ +# +# +# +################################################################################ +sid xen gen_context(system_u:system_r:xen_t,s0) +sid dom0 gen_context(system_u:system_r:dom0_t,s0) +sid domU gen_context(system_u:system_r:domU_t,s0) 
+sid domxen gen_context(system_u:system_r:domxen_t,s0) +sid domio gen_context(system_u:system_r:domio_t,s0) +sid unlabeled gen_context(system_u:system_r:unlabeled_t,s0) +sid security gen_context(system_u:system_r:security_t,s0) +sid pirq gen_context(system_u:object_r:pirq_t,s0) +sid iomem gen_context(system_u:object_r:iomem_t,s0) +sid ioport gen_context(system_u:object_r:ioport_t,s0) +sid device gen_context(system_u:object_r:device_t,s0) + +role system_r types { xen_type domain_type }; +role user_r types { xen_type domain_type }; +role sysadm_r types { xen_type domain_type }; +role staff_r types { xen_type domain_type }; diff -r 44f039c4aee4 -r 294fc8fc4ba0 tools/flask/policy/policy/support/loadable_module.spt --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/tools/flask/policy/policy/support/loadable_module.spt Thu Sep 04 11:26:25 2008 +0100 
@@ -0,0 +1,166 @@ +######################################## +# +# Macros for switching between source policy +# and loadable policy module support +# + +############################## +# +# For adding the module statement +# +define(`policy_module',` + ifdef(`self_contained_policy',`',` + module $1 $2; + + require { + role system_r; + all_kernel_class_perms + } + ') +') + +############################## +# +# For use in interfaces, to optionally insert a require block +# +define(`gen_require',` + ifdef(`self_contained_policy',`',` + define(`in_gen_require_block') + require { + $1 + } + undefine(`in_gen_require_block') + ') +') + +############################## +# +# In the future interfaces should be in loadable modules +# +# template(name,rules) +# +define(`template',` + `define(`$1',` +##### begin $1(dollarsstar) + $2 +##### end $1(dollarsstar) + '') +') + +# helper function, since m4 wont expand macros +# if a line is a comment (#): +define(`policy_m4_comment',`dnl +##### $2 depth: $1 +')dnl + +############################## +# +# In the future interfaces should be in loadable modules +# +# interface(name,rules) +# +define(`interface',` + `define(`$1',` + + define(`policy_temp',incr(policy_call_depth)) + pushdef(`policy_call_depth',policy_temp) + undefine(`policy_temp') + + policy_m4_comment(policy_call_depth,begin `$1'(dollarsstar)) + + $2 + + define(`policy_temp',decr(policy_call_depth)) + pushdef(`policy_call_depth',policy_temp) + undefine(`policy_temp') + + policy_m4_comment(policy_call_depth,end `$1'(dollarsstar)) + + '') +') + +define(`policy_call_depth',0) + +############################## +# +# Optional policy handling +# +define(`optional_policy',` + ifdef(`self_contained_policy',` + ifdef(`$1',`$2',`$3') + ',` + optional { + $2 + ifelse(`$3',`',`',` + } else { + $3 + ') + } + ') +') + +############################## +# +# Determine if we should use the default +# tunable value as specified by the policy +# or if the override value should be used +# 
+define(`dflt_or_overr',`ifdef(`$1',$1,$2)') + +############################## +# +# Extract booleans out of an expression. +# This needs to be reworked so expressions +# with parentheses can work. + +define(`delcare_required_symbols',` +ifelse(regexp($1, `\w'), -1, `', `dnl +bool regexp($1, `\(\w+\)', `\1'); +delcare_required_symbols(regexp($1, `\w+\(.*\)', `\1'))dnl +') dnl +') + +############################## +# +# Tunable declaration +# +define(`gen_tunable',` + ifdef(`self_contained_policy',` + bool $1 dflt_or_overr(`$1'_conf,$2); + ',` + # loadable module tunable + # declaration will go here + # instead of bool when + # loadable modules support + # tunables + bool $1 dflt_or_overr(`$1'_conf,$2); + ') +') + +############################## +# +# Tunable policy handling +# +define(`tunable_policy',` + ifdef(`self_contained_policy',` + if (`$1') { + $2 + } else { + $3 + } + ',` + # structure for tunables + # will go here instead of a + # conditional when loadable + # modules support tunables + gen_require(` + delcare_required_symbols(`$1') + ') + + if (`$1') { + $2 + } else { + $3 + } + ') +') diff -r 44f039c4aee4 -r 294fc8fc4ba0 tools/flask/policy/policy/support/misc_macros.spt --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/tools/flask/policy/policy/support/misc_macros.spt Thu Sep 04 11:26:25 2008 +0100 
@@ -0,0 +1,32 @@ + +######################################## +# +# Helper macros +# + +# +# shiftn(num,list...) +# +# shift the list num times +# +define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')') + +######################################## +# +# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_categories]) +# +define(`gen_user',`user $1 roles { $2 }`'ifdef(`enable_mls', ` level $3 range $4')`'ifdef(`enable_mcs',` level s0 range s0`'ifelse(`$5',,,` - s0:$5')');') + +######################################## +# +# gen_context(context,mls_sensitivity,[mcs_categories]) +# +define(`gen_context',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'ifelse(`$3',,,`:$3')')') dnl + +######################################## +# +# gen_bool(name,default_value) +# +define(`gen_bool',` + bool $1 dflt_or_overr(`$1'_conf,$2); +') diff -r 44f039c4aee4 -r 294fc8fc4ba0 tools/flask/policy/policy/systemuser --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/tools/flask/policy/policy/systemuser Thu Sep 04 11:26:25 2008 +0100 @@ -0,0 +1,19 @@ +################################## +# +# System User configuration. +# + +# +# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_categories]) +# + +# +# system_u is the user identity for system processes and objects. +# There should be no corresponding Unix user identity for system, +# and a user process should never be assigned the system user +# identity. +# +gen_user(system_u, system_r, s0, s0 - s9:c0.c127, c0.c127) + +# Normal users should not be added to this file, +# but instead added to the users file. diff -r 44f039c4aee4 -r 294fc8fc4ba0 tools/flask/policy/policy/users --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/tools/flask/policy/policy/users Thu Sep 04 11:26:25 2008 +0100 
@@ -0,0 +1,39 @@ + +################################## +# +# Core User configuration. +# + +# +# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_catetories]) +# + +# +# user_u is a generic user identity for Linux users who have no +# SELinux user identity defined. The modified daemons will use +# this user identity in the security context if there is no matching +# SELinux user identity for a Linux user. If you do not want to +# permit any access to such users, then remove this entry. +# +ifdef(`targeted_policy',` +gen_user(user_u, user_r sysadm_r system_r, s0, s0 - s9:c0.c127) +',` +gen_user(user_u, user_r, s0, s0 - s9:c0.c127) +') + +# +# The following users correspond to Unix identities. +# These identities are typically assigned as the user attribute +# when login starts the user shell. Users with access to the sysadm_r +# role should use the staff_r role instead of the user_r role when +# not in the sysadm_r. +# +ifdef(`targeted_policy',` + gen_user(root, user_r sysadm_r system_r, s0, s0 - s9:c0.c127, c0.c127) +',` + ifdef(`direct_sysadm_daemon',` + gen_user(root, sysadm_r staff_r system_r, s0, s0 - s9:c0.c127, c0.c127) + ',` + gen_user(root, sysadm_r staff_r, s0, s0 - s9:c0.c127, c0.c127) + ') +') _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-changelog
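Review bot: in mkaccess_vector.sh the conflict check has a format/argument mismatch: `printf("Permission %s in %s on line %d conflicts with common permission.\n", $1, tclass, inherits, NR);` supplies four arguments to three conversions, so `inherits` is printed through `%d` and `NR` is dropped, and the reported line number is meaningless. Either drop `inherits` or add a fourth conversion, e.g. `"Permission %s in %s on line %d conflicts with common permission in %s.\n", $1, tclass, NR, inherits`. More generally, every `Parse error` and `Duplicate permission` message in this script goes to stdout and is followed by `next`, so awk exits 0 whatever it found and the caller cannot distinguish a clean header from one built from a malformed access_vectors file; print diagnostics to `"/dev/stderr"`, set a flag, and `exit 1` from the END block so the build stops.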
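Review bot: in mkflask.sh the `Unexpected class definition`, `Duplicate class definition`, `Duplicate SID definition` and `Unexpected end of file` paths print to stdout and continue, so awk returns 0 and the `set -e` at the top of the script never trips; flask.h and initial_sid_to_string.h are still written with the offending entry silently omitted. Redirect diagnostics to "/dev/stderr", record a failure flag and `exit 1` in END so the Makefile sees the error. Minor: `cat $* | $awk "..."` should be `cat "$@"` so input paths containing spaces survive word splitting.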
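Review bot: the comment "Classes marked as userspace are classes for userspace object managers" in security_classes comes from the SELinux reference policy; none of the nine xen classes below it carries such a mark, and mkflask.sh only recognises `class` and `sid` lines, so there is no marking to look for. Replace it with a sentence describing these as the hypervisor's object classes, or drop it, so readers do not hunt for a qualifier that does nothing here.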
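Review bot: the mcs and mls hunks declare sensitivities, categories and `level` statements, but below the "Define the MCS policy" / "Define the MLS policy" banners there is only the grammar comment and not a single `mlsconstrain` or `mlsvalidatetrans` rule. Building with `enable_mcs` or `enable_mls` therefore appends a level to every context (via gen_context in misc_macros.spt) without enforcing any dominance relation between domains. Either add the intended constraints on the domain, mmu, grant and event classes, or say in the banner comment that MLS/MCS labels are carried but not yet enforced, so nobody turns on `enable_mls` expecting level-based isolation.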
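Review bot: in xen.te the four `role ... types { xen_type domain_type };` lines authorise every type for every role, so system_r, user_r, sysadm_r and staff_r are interchangeable and the role field of a context enforces nothing; all `sid` contexts use system_r, and the other three roles appear only because systemuser and users reference them. Either restrict user_r/staff_r to the domU types or add a comment that roles are placeholders in this policy. Two documentation points: the banner directly above the `sid` lines is empty and should name the section (initial SID contexts), and `allow dom0_t security_t:security {... load_policy ... setenforce setbool setsecparam};` deserves a comment stating that dom0_t is trusted to replace the loaded policy and leave enforcing mode, since that is the dom0/domU trust model the rest of the file assumes.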
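Review bot: `delcare_required_symbols` in loadable_module.spt is misspelled (declare); the definition and the call inside `tunable_policy` agree, so it works, but rename both so the macro can be found. The `policy_module` macro expands to `require { role system_r; all_kernel_class_perms }`, and nothing in the hunks visible here defines `all_kernel_class_perms`; if the Makefile generates it from access_vectors, say so in the comment above the macro, otherwise a module built without `self_contained_policy` will fail to compile. Typo in the helper comment: "m4 wont expand" should be "won't".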
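Review bot: the comments in the users file are SELinux reference-policy text about "Linux users", "modified daemons" and "login starts the user shell", none of which applies to a hypervisor policy whose only subjects are xen_t and the domain types; likewise the `targeted_policy` and `direct_sysadm_daemon` branches test build options that nothing in the hunks visible here defines. Rewrite the comments in terms of domain labels (or state that user_u and root exist only to satisfy the role declarations in xen.te), and fix `mcs_catetories` to `mcs_categories` as it is spelled in systemuser.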