
[Xen-changelog] [xen-unstable] flask/policy: Update example policy



# HG changeset patch
# User Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
# Date 1324405193 0
# Node ID e56500f95b6a861a9dc28c31bad947afefd2b57c
# Parent  e3ab8df943ed14367b3a7e6da08a7f5e32818687
flask/policy: Update example policy

Rewrite the example policy to make it easier to understand and
demonstrate some of the security goals that FLASK can enforce.

Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
Committed-by: Ian Jackson <ian.jackson.citrix.com>
---


diff -r e3ab8df943ed -r e56500f95b6a 
tools/flask/policy/policy/modules/xen/xen.if
--- a/tools/flask/policy/policy/modules/xen/xen.if      Fri Dec 16 09:34:46 
2011 +0000
+++ b/tools/flask/policy/policy/modules/xen/xen.if      Tue Dec 20 18:19:53 
2011 +0000
@@ -1,92 +1,96 @@
-###############################################################################
+# Macro definitions for FLASK policy
+
+################################################################################
 #
-# create_domain(priv_dom, domain, channel)
+# Domain creation and setup
 #
 
################################################################################
-define(`create_domain', `
-       type $2, domain_type;
-       allow $1 $2:domain {create max_vcpus setdomainmaxmem 
-                               setaddrsize getdomaininfo hypercall 
-                               setvcpucontext scheduler unpause 
-                               getvcpuinfo getaddrsize getvcpuaffinity};
-       allow $1 $2:shadow {enable};
-       allow $1 $2:mmu {map_read map_write adjust physmap};
-       allow $2 $2:mmu {adjust physmap};
-       allow $1 $3:event {create};
+# declare_domain(type)
+#   Declare a type as a domain type, and allow basic domain setup
+define(`declare_domain', `
+       type $1, domain_type;
+       allow $1 $1:grant { query setup };
+       allow $1 $1:mmu { adjust physmap map_read map_write stat pinpage };
+       allow $1 $1:hvm { getparam setparam };
 ')
 
-###############################################################################
-#
-# create_hvm_dom(priv_dom, domain, channel)
-#
-################################################################################
-define(`create_hvm_dom', `
-       create_domain($1, $2, $3)
-       allow $1 $2:hvm { setparam getparam cacheattr pciroute irqlevel 
pcilevel trackdirtyvram };
-       allow $2 $2:hvm setparam;
-')     
-
-###############################################################################
-#
-# create_pv_dom(priv_dom, domain, channel, iodomain)
-#
-################################################################################
-define(`create_pv_dom', `
-       create_domain($1, $2, $3)
-       allow $1 $2:mmu {memorymap pinpage};
-       allow $2 $2:mmu {map_read map_write pinpage};
-       allow $2 $4:mmu {map_read};
-       
-       allow $2 $2:grant {query setup};
-       allow $1 $2:grant {map_read unmap};
-')     
-################################################################################
-#
-# manage_domain(priv_dom, domain)
-#
-################################################################################
-define(`manage_domain', `
-       allow $1 $2:domain {pause destroy};
+# create_domain(priv, target)
+#   Allow a domain to be created
+define(`create_domain', `
+       allow $1 $2:domain { create max_vcpus setdomainmaxmem setaddrsize
+                       getdomaininfo hypercall setvcpucontext scheduler
+                       unpause getvcpuinfo getvcpuextstate getaddrsize
+                       getvcpuaffinity };
+       allow $1 $2:security check_context;
+       allow $1 $2:shadow enable;
+       allow $1 $2:mmu {map_read map_write adjust memorymap physmap pinpage};
+       allow $1 $2:grant setup;
+       allow $1 $2:hvm { cacheattr getparam hvmctl irqlevel pciroute setparam 
};
+       allow $1 $2_$1_channel:event create;
 ')
 
 
################################################################################
 #
-# create_channel(caller, peer, channel)
+# Inter-domain communication
 #
 
################################################################################
+
+# create_channel(source, dest, chan-label)
+#   This allows an event channel to be created from domains with labels
+#   <source> to <dest> and will label it <chan-label>
 define(`create_channel', `
        type $3, event_type;
        type_transition $1 $2:event $3;
-       allow $1 $3:event {create};
-       allow $3 $2:event {bind};
+       allow $1 $3:event { create send status };
+       allow $3 $2:event { bind };
 ')
-###############################################################################
+
+# domain_event_comms(dom1, dom2)
+#   Allow two domain types to communicate using event channels
+define(`domain_event_comms', `
+       create_channel($1, $2, $1_$2_channel)
+       create_channel($2, $1, $2_$1_channel)
+')
+
+# domain_comms(dom1, dom2)
+#   Allow two domain types to communicate using grants and event channels
+define(`domain_comms', `
+       domain_event_comms($1, $2)
+       allow $1 $2:grant { map_read map_write copy unmap };
+       allow $2 $1:grant { map_read map_write copy unmap };
+')
+
+# domain_self_comms(domain)
+#   Allow a domain types to communicate with others of its type using grants
+#   and event channels (this includes event channels to DOMID_SELF)
+define(`domain_self_comms', `
+       create_channel($1, $1, $1_self_channel)
+       allow $1 $1:grant { map_read map_write copy unmap };
+')
+
+################################################################################
 #
-# create_passthrough_resource(priv_dom, domain, resource)
+# Device types and delegation (PCI passthrough)
 #
-###############################################################################
-define(`create_passthrough_resource', `
-        type $3, resource_type;
-        allow $1 $2:resource {add remove};
-        allow $1 ioport_t:resource {add_ioport use};
-        allow $1 iomem_t:resource {add_iomem use};
-        allow $1 irq_t:resource  {add_irq use};
-        allow $1 domio_t:mmu {map_read map_write};
-        allow $2 domio_t:mmu {map_write};
-        allow $2 irq_t:resource {use};
-        allow $1 $3:resource {add_irq add_iomem add_ioport remove_irq 
remove_iomem remove_ioport use add_device remove_device};
-        allow $2 $3:resource {use add_ioport add_iomem remove_ioport 
remove_iomem};
-        allow $2 $3:mmu {map_read map_write};
+################################################################################
+
+# use_device(domain, device)
+#   Allow a device to be used by a domain
+define(`use_device', `
+    allow $1 $2:resource use;
+    allow $1 $2:mmu { map_read map_write };
 ')
-###############################################################################
-#
-# create_hvm_resource(priv_dom, domain, resource)
-#
-###############################################################################
-define(`create_hvm_resource', `
-        type $3, resource_type;
-        allow $1 $2:resource {add remove};
-        allow $1 $3:hvm {bind_irq};
-        allow $1 $3:resource {stat_device add_device remove_device add_irq 
remove_irq add_iomem remove_iomem add_ioport remove_ioport};
-        allow $2 $3:resource {use};
+
+# admin_device(domain, device)
+#   Allow a device to be used and delegated by a domain
+define(`admin_device', `
+    allow $1 $2:resource { setup stat_device add_device add_irq add_iomem 
add_ioport remove_device remove_irq remove_iomem remove_ioport };
+    allow $1 $2:hvm bind_irq;
+    use_device($1, $2)
 ')
+
+# delegate_devices(priv-domain, target-domain)
+#   Allow devices to be delegated
+define(`delegate_devices', `
+    allow $1 $2:resource { add remove };
+')
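Review bot: `create_domain` at L104 grants `allow $1 $2_$1_channel:event create;`, a type that is only declared when `domain_event_comms` or `domain_comms` is also invoked for the same pair, so a caller that uses `create_domain` alone (which the header comment does not rule out) references an undeclared type and the policy build fails; the old version took the channel as an explicit third argument, so the dependency was visible in the call. The header comment should say so, e.g. `#   Requires domain_comms($1, $2) or domain_event_comms($1, $2), which declares $2_$1_channel`. Separately, `use_device`, `admin_device` and `delegate_devices` indent their bodies with four spaces while the earlier macros use a tab; pick one. The `domain_self_comms` comment reads `Allow a domain types` and should read `Allow a domain type`.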
diff -r e3ab8df943ed -r e56500f95b6a 
tools/flask/policy/policy/modules/xen/xen.te
--- a/tools/flask/policy/policy/modules/xen/xen.te      Fri Dec 16 09:34:46 
2011 +0000
+++ b/tools/flask/policy/policy/modules/xen/xen.te      Tue Dec 20 18:19:53 
2011 +0000
@@ -1,21 +1,47 @@
+################################################################################
+#
+# Attributes for types
+#
+# An attribute may be used in a rule as shorthand for all types with that
+# attribute.
+#
+################################################################################
 attribute xen_type;
 attribute domain_type;
 attribute resource_type;
 attribute event_type;
 attribute mls_priv;
 
+################################################################################
+#
+# Types for the initial SIDs
+#
+# These types are used internally for objects created during Xen startup or for
+# devices that have not yet been labeled
+#
+################################################################################
+
+# The hypervisor itself
 type xen_t, xen_type, domain_type, mls_priv;
 
+# Domain 0
 type dom0_t, domain_type, mls_priv;
 
+# Untracked I/O memory (pseudo-domain)
 type domio_t, domain_type;
 
+# Xen heap (pseudo-domain)
 type domxen_t, domain_type;
 
+# Unlabeled objects
 type unlabeled_t, domain_type;
 
+# The XSM/FLASK security server
 type security_t, domain_type;
 
+# Unlabeled device resources
+# Note: don't allow access to these types directly; see below for how to label
+#       devices and use that label for allow rules
 type irq_t, resource_type;
 type ioport_t, resource_type;
 type iomem_t, resource_type;
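Review bot: The note added at L256-257 says not to grant access to `irq_t`, `ioport_t` and `iomem_t` directly, but the next hunk of this same file does exactly that for dom0 with `admin_device(dom0_t, irq_t)`, `admin_device(dom0_t, ioport_t)` and `admin_device(dom0_t, iomem_t)`, so a reader cannot tell whether those lines are a deliberate exception or a violation of the note. Suggest tightening the comment to `# Note: only dom0_t should be granted access to these unlabeled types; guests get access through a labeled device type (see below)` and placing a matching one-line comment above the `admin_device` calls. `device_t` is also passed to `admin_device` in that hunk, but its declaration is not within either hunk (old line 22 is not shown), so I could not confirm from here that it exists.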
@@ -23,119 +49,115 @@
 
 
################################################################################
 #
-# Boot the hypervisor and dom0
+# Rules required to boot the hypervisor and dom0
 #
 
################################################################################
-allow dom0_t xen_t:xen {kexec readapic writeapic mtrr_read mtrr_add mtrr_del 
-scheduler physinfo heap quirk readconsole writeconsole settime microcode};
+allow xen_t dom0_t:domain { create };
 
-allow dom0_t domio_t:mmu {map_read map_write};
-allow dom0_t iomem_t:mmu {map_read map_write};
-allow dom0_t xen_t:mmu {memorymap};
+allow dom0_t xen_t:xen { kexec readapic writeapic mtrr_read mtrr_add mtrr_del
+       scheduler physinfo heap quirk readconsole writeconsole settime
+       microcode cpupool_op sched_op };
+allow dom0_t xen_t:mmu { memorymap };
+allow dom0_t security_t:security { check_context compute_av compute_create
+       compute_member load_policy compute_relabel compute_user setenforce
+       setbool setsecparam add_ocontext del_ocontext };
 
-allow dom0_t dom0_t:mmu {pinpage map_read map_write adjust updatemp};
-allow dom0_t dom0_t:grant {query setup};
-allow dom0_t dom0_t:domain {scheduler getdomaininfo getvcpuinfo 
getvcpuaffinity};
+allow dom0_t dom0_t:domain { getdomaininfo getvcpuinfo getvcpuaffinity };
+allow dom0_t dom0_t:grant { query setup };
+allow dom0_t dom0_t:mmu { adjust physmap map_read map_write stat pinpage };
+allow dom0_t dom0_t:resource { add remove };
 
-allow xen_t dom0_t:domain {create};
-allow xen_t dom0_t:resource {add remove};
-allow xen_t ioport_t:resource {add_ioport remove_ioport};
-allow dom0_t ioport_t:resource {use};
-allow xen_t iomem_t:resource {add_iomem remove_iomem};
-allow dom0_t iomem_t:resource {use};
-allow xen_t irq_t:resource {add_irq remove_irq};
-allow dom0_t irq_t:resource { add_irq remove_irq use};
-allow dom0_t dom0_t:resource { add remove };
-allow dom0_t xen_t:xen firmware;
+admin_device(dom0_t, device_t)
+admin_device(dom0_t, irq_t)
+admin_device(dom0_t, ioport_t)
+admin_device(dom0_t, iomem_t)
+allow dom0_t domio_t:mmu { map_read map_write };
 
-allow dom0_t security_t:security {compute_av compute_create compute_member 
-check_context load_policy compute_relabel compute_user setenforce setbool
-setsecparam add_ocontext del_ocontext};
+domain_self_comms(dom0_t)
 
-create_channel(dom0_t, dom0_t, evchn0-0_t)
-allow dom0_t evchn0-0_t:event {send};
+auditallow dom0_t security_t:security { load_policy setenforce };
+
+###############################################################################
+#
+# Domain creation
+#
+###############################################################################
+
+declare_domain(domU_t)
+domain_self_comms(domU_t)
+create_domain(dom0_t, domU_t)
+domain_comms(dom0_t, domU_t)
+
+declare_domain(isolated_domU_t)
+create_domain(dom0_t, isolated_domU_t)
+domain_comms(dom0_t, isolated_domU_t)
+
+###############################################################################
+#
+# Device delegation
+#
+###############################################################################
+
+type nic_dev_t, resource_type;
+
+admin_device(dom0_t, nic_dev_t)
+use_device(domU_t, nic_dev_t)
+
+delegate_devices(dom0_t, domU_t)
+
+###############################################################################
+#
+# Label devices for delegation
+#
+# The PCI, IRQ, memory, and I/O port ranges are hardware-specific.
+# You may also use flask-label-pci to dynamically label devices on each boot.
+#
+###############################################################################
+
+# label e1000e nic
+#pirqcon 33 system_u:object_r:nic_dev_t
+#pirqcon 55 system_u:object_r:nic_dev_t
+#iomemcon 0xfebe0-0xfebff system_u:object_r:nic_dev_t
+#iomemcon 0xfebd9 system_u:object_r:nic_dev_t
+#ioportcon 0xecc0-0xecdf system_u:object_r:nic_dev_t
+#pcidevicecon 0xc800 system_u:object_r:nic_dev_t
+
+# label e100 nic
+#pirqcon 16 system_u:object_r:nic_dev_t
+#iomemcon 0xfe5df system_u:object_r:nic_dev_t
+#iomemcon 0xfe5e0-0xfe5ff system_u:object_r:nic_dev_t
+#iomemcon 0xc2000-0xc200f system_u:object_r:nic_dev_t
+#ioportcon 0xccc0-0xcd00 system_u:object_r:nic_dev_t
+
+# label usb 1d.0-2 1d.7
+#pirqcon 23 system_u:object_r:nic_dev_t
+#pirqcon 17 system_u:object_r:nic_dev_t
+#pirqcon 18 system_u:object_r:nic_dev_t
+#ioportcon 0xff80-0xFF9F system_u:object_r:nic_dev_t
+#ioportcon 0xff60-0xff7f system_u:object_r:nic_dev_t
+#ioportcon 0xff40-0xff5f system_u:object_r:nic_dev_t
+#iomemcon 0xff980 system_u:object_r:nic_dev_t
+#ioportcon 0xff00-0xff1f system_u:object_r:nic_dev_t
 
 
################################################################################
 #
-# Create and manage a domU w/ dom0 IO
+# Constraints
 #
 
################################################################################
-create_pv_dom(dom0_t, domU_t, evchnU-0_t, domio_t)
 
-create_channel(domU_t, domU_t, evchnU-U_t)
-allow domU_t evchnU-U_t:event {send};
+# Domains must be declared using domain_type
+neverallow * ~domain_type:domain create;
 
-create_channel(dom0_t, domU_t, evchn0-U_t)
-allow dom0_t evchn0-U_t:event {send};
+# Resources must be declared using resource_type
+neverallow * ~resource_type:resource use;
 
-create_channel(domU_t, dom0_t, evchnU-0_t)
-allow domU_t evchnU-0_t:event {send};
-
-allow dom0_t dom0_t:event {send};
-allow dom0_t domU_t:grant {copy};
-allow domU_t domU_t:grant {copy};
-
-###############################################################################
-#
-# Create device labels
-#
-###############################################################################
-
-# create device resources
-#create_passthrough_resource(dom0_t, domU_t, nicP_t)
-#create_hvm_resource(dom0_t, domHU_t, nicP_t)
-
-# label e1000e nic
-#pirqcon 33 system_u:object_r:nicP_t
-#pirqcon 55 system_u:object_r:nicP_t
-#iomemcon 0xfebe0-0xfebff system_u:object_r:nicP_t
-#iomemcon 0xfebd9 system_u:object_r:nicP_t
-#ioportcon 0xecc0-0xecdf system_u:object_r:nicP_t
-#pcidevicecon 0xc800 system_u:object_r:nicP_t
-
-# label e100 nic
-#pirqcon 16 system_u:object_r:nicP_t
-#iomemcon 0xfe5df system_u:object_r:nicP_t
-#iomemcon 0xfe5e0-0xfe5ff system_u:object_r:nicP_t
-#iomemcon 0xc2000-0xc200f system_u:object_r:nicP_t
-#ioportcon 0xccc0-0xcd00 system_u:object_r:nicP_t
-
-# label usb 1d.0-2 1d.7
-#pirqcon 23 system_u:object_r:nicP_t
-#pirqcon 17 system_u:object_r:nicP_t
-#pirqcon 18 system_u:object_r:nicP_t
-#ioportcon 0xff80-0xFF9F system_u:object_r:nicP_t
-#ioportcon 0xff60-0xff7f system_u:object_r:nicP_t
-#ioportcon 0xff40-0xff5f system_u:object_r:nicP_t
-#iomemcon 0xff980 system_u:object_r:nicP_t
-#ioportcon 0xff00-0xff1f system_u:object_r:nicP_t
-
-manage_domain(dom0_t, domU_t)
+# Events must use event_type (see create_channel for a template)
+neverallow ~event_type *:event bind;
+neverallow * ~event_type:event { create send status };
 
 
################################################################################
 #
-# Create and manage an HVM domU w/ dom0 IO
-#
-################################################################################
-create_hvm_dom(dom0_t, domHU_t, evchnHU-0_t)
-allow dom0_t evchn0-HU_t:event {send};
-
-create_channel(domHU_t, domHU_t, evchnHU-HU_t)
-allow domHU_t evchnU-U_t:event {send};
-
-create_channel(dom0_t, domHU_t, evchn0-HU_t)
-allow dom0_t evchn0-U_t:event {send};
-
-create_channel(domHU_t, dom0_t, evchnHU-0_t)
-allow domHU_t evchnU-0_t:event {send};
-
-allow dom0_t dom0_t:event {send};
-
-manage_domain(dom0_t, domHU_t)
-
-################################################################################
-#
-#
+# Labels for initial SIDs and system role
 #
 
################################################################################
 sid xen gen_context(system_u:system_r:xen_t,s0)
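Review bot: `isolated_domU_t` at L331-333 is declared with no explanation of what makes it isolated; the property comes solely from the omission of `domain_self_comms` and `use_device`, which a later edit can undo without anyone noticing. Add a comment such as `# isolated_domU_t: as domU_t, but without domain_self_comms or use_device, so it can only communicate with dom0_t`, and consider making the goal checked at build time with an assertion like `neverallow isolated_domU_t ~{ dom0_t isolated_domU_t }:grant *;` (constructed from the types in this hunk; the only grant rules it receives are the self rules from `declare_domain` and the dom0 rules from `domain_comms`). The commented `label usb` block at L372-380 still maps USB IRQ, I/O port and memory ranges to `nic_dev_t`, so uncommenting it next to `use_device(domU_t, nic_dev_t)` would hand the USB controller to the guest along with the NIC; a distinct type, or a comment saying the block is a placeholder to be relabeled, would keep the example least-privilege.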



 

