[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen master] flask/policy: split into modules



commit 31689dcb0fbfe00f7556337ac72a10c238d7a40d
Author:     Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
AuthorDate: Mon Jun 20 10:04:10 2016 -0400
Commit:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Tue Jun 21 15:29:17 2016 +0100

    flask/policy: split into modules
    
    This makes it easier to enable or disable parts of the XSM policy.
    
    Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
    Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
    Reviewed-by: Doug Goldstein <cardoe@xxxxxxxxxx>
---
 tools/flask/policy/Makefile                  |  22 +--
 tools/flask/policy/modules/dom0.te           |  74 ++++++++
 tools/flask/policy/modules/domU.te           |  25 +++
 tools/flask/policy/modules/guest_features.te |  31 +++
 tools/flask/policy/modules/isolated_domU.te  |   7 +
 tools/flask/policy/modules/modules.conf      |  34 ++++
 tools/flask/policy/modules/nic_dev.te        |  14 ++
 tools/flask/policy/modules/nomigrate.te      |   8 +
 tools/flask/policy/modules/prot_domU.te      |  13 ++
 tools/flask/policy/modules/xen.if            | 189 +++++++++++++++++++
 tools/flask/policy/modules/xen.te            |  89 +++++++++
 tools/flask/policy/policy/modules.conf       |  15 --
 tools/flask/policy/policy/modules/xen/xen.if | 189 -------------------
 tools/flask/policy/policy/modules/xen/xen.te | 272 ---------------------------
 14 files changed, 491 insertions(+), 491 deletions(-)

diff --git a/tools/flask/policy/Makefile b/tools/flask/policy/Makefile
index 4be921c..b2c2d06 100644
--- a/tools/flask/policy/Makefile
+++ b/tools/flask/policy/Makefile
@@ -37,7 +37,7 @@ POLICY_VER_LIST_HV = 24 30
 
 # policy source layout
 POLDIR := policy
-MODDIR := $(POLDIR)/modules
+MODDIR := modules
 
 # Classes and access vectors defined in the hypervisor. Changes to these 
require
 # a recompile of both the hypervisor and security policy.
@@ -60,7 +60,7 @@ DEV_OCONS := $(POLDIR)/device_contexts
 
 # config file paths
 GLOBALTUN := $(POLDIR)/global_tunables
-MOD_CONF := $(POLDIR)/modules.conf
+MOD_CONF := $(MODDIR)/modules.conf
 
 # checkpolicy can use the #line directives provided by -s for error reporting:
 M4PARAM := -D self_contained_policy -s
@@ -84,22 +84,14 @@ endif
 M4PARAM += -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS)
 
 
-# Find modules
-ALL_LAYERS := $(filter-out $(MODDIR)/CVS,$(shell find $(wildcard $(MODDIR)/*) 
-maxdepth 0 -type d))
-
-# sort here since it removes duplicates, which can happen
-# when a generated file is already generated
-DETECTED_MODS := $(sort $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te)))
-
 # modules.conf setting for policy configuration
 MODENABLED := on
 
 # extract settings from modules.conf
-ENABLED_MODS := $(foreach mod,$(shell awk '/^[ \t]*[a-z]/{ if ($$3 == 
"$(MODENABLED)") print $$1 }' $(MOD_CONF) 2> /dev/null),$(subst ./,,$(shell 
find -iname $(mod).te)))
-
-ALL_MODULES := $(filter $(ENABLED_MODS),$(DETECTED_MODS))
+ENABLED_LIST := $(shell awk '/^[ \t]*[a-z]/{ if ($$3 == "$(MODENABLED)") print 
$$1 }' $(MOD_CONF) 2> /dev/null)
 
-ALL_INTERFACES := $(ALL_MODULES:.te=.if)
+ALL_MODULES := $(foreach mod,$(ENABLED_LIST),$(MODDIR)/$(mod).te)
+ALL_INTERFACES := $(wildcard $(ALL_MODULES:.te=.if))
 
 # The order of these files is important
 POLICY_SECTIONS := $(SECCLASS) $(ISID_DECLS) $(AVS)
@@ -118,8 +110,8 @@ install: $(POLICY_FILENAME)
 $(POLICY_FILENAME): policy.conf
        $(CHECKPOLICY) $(CHECKPOLICY_PARAM) $^ -o $@
 
-policy.conf: $(POLICY_SECTIONS)
-       $(M4) $(M4PARAM) $^ > $@
+policy.conf: $(POLICY_SECTIONS) $(MOD_CONF)
+       $(M4) $(M4PARAM) $(POLICY_SECTIONS) > $@
 
 clean:
        $(RM) tmp policy.conf $(POLICY_FILENAME)
diff --git a/tools/flask/policy/modules/dom0.te 
b/tools/flask/policy/modules/dom0.te
new file mode 100644
index 0000000..ef6a986
--- /dev/null
+++ b/tools/flask/policy/modules/dom0.te
@@ -0,0 +1,74 @@
+################################################################################
+#
+# Allow dom0 access to all sysctls, devices, and the security server.
+#
+# While this could be written more briefly using wildcards, the permissions are
+# listed out to make removing specific permissions simpler.
+#
+################################################################################
+allow dom0_t xen_t:xen {
+       settime tbufcontrol readconsole clearconsole perfcontrol mtrr_add
+       mtrr_del mtrr_read microcode physinfo quirk writeconsole readapic
+       writeapic privprofile nonprivprofile kexec firmware sleep frequency
+       getidle debug getcpuinfo heap pm_op mca_op lockprof cpupool_op tmem_op
+       tmem_control getscheduler setscheduler
+};
+allow dom0_t xen_t:xen2 {
+       resource_op psr_cmt_op psr_cat_op pmu_ctrl get_symbol
+       get_cpu_levelling_caps get_cpu_featureset livepatch_op
+};
+
+# Allow dom0 to use all XENVER_ subops that have checks.
+# Note that dom0 is part of domain_type so this has duplicates.
+allow dom0_t xen_t:version {
+       xen_extraversion xen_compile_info xen_capabilities
+       xen_changeset xen_pagesize xen_guest_handle xen_commandline
+       xen_build_id
+};
+
+allow dom0_t xen_t:mmu memorymap;
+
+# Allow dom0 to use these domctls on itself. For domctls acting on other
+# domains, see the definitions of create_domain and manage_domain.
+allow dom0_t dom0_t:domain {
+       setvcpucontext max_vcpus setaffinity getaffinity getscheduler
+       getdomaininfo getvcpuinfo getvcpucontext setdomainmaxmem setdomainhandle
+       setdebugging hypercall settime setaddrsize getaddrsize trigger
+       getextvcpucontext setextvcpucontext getvcpuextstate setvcpuextstate
+       getpodtarget setpodtarget set_misc_info set_virq_handler
+};
+allow dom0_t dom0_t:domain2 {
+       set_cpuid gettsc settsc setscheduler set_max_evtchn set_vnumainfo
+       get_vnumainfo psr_cmt_op psr_cat_op
+};
+allow dom0_t dom0_t:resource { add remove };
+
+# These permissions allow using the FLASK security server to compute access
+# checks locally, which could be used by a domain or service (such as xenstore)
+# that does not have its own security server to make access decisions based on
+# Xen's security policy.
+allow dom0_t security_t:security {
+       compute_av compute_create compute_member compute_relabel compute_user
+};
+
+# Allow string/SID conversions (for "xl list -Z" and similar)
+allow dom0_t security_t:security check_context;
+
+# Allow flask-label-pci to add and change labels
+allow dom0_t security_t:security { add_ocontext del_ocontext };
+
+# Allow performance parameters of the security server to be tweaked
+allow dom0_t security_t:security setsecparam;
+
+# Allow changing the security policy
+allow dom0_t security_t:security { load_policy setenforce setbool };
+
+# Audit policy change events even when they are allowed
+auditallow dom0_t security_t:security { load_policy setenforce setbool };
+
+admin_device(dom0_t, device_t)
+admin_device(dom0_t, irq_t)
+admin_device(dom0_t, ioport_t)
+admin_device(dom0_t, iomem_t)
+
+domain_comms(dom0_t, dom0_t)
diff --git a/tools/flask/policy/modules/domU.te 
b/tools/flask/policy/modules/domU.te
new file mode 100644
index 0000000..ca5eecd
--- /dev/null
+++ b/tools/flask/policy/modules/domU.te
@@ -0,0 +1,25 @@
+###############################################################################
+#
+# Domain creation
+#
+###############################################################################
+
+declare_domain(domU_t)
+domain_self_comms(domU_t)
+create_domain(dom0_t, domU_t)
+manage_domain(dom0_t, domU_t)
+domain_comms(dom0_t, domU_t)
+domain_comms(domU_t, domU_t)
+migrate_domain_out(dom0_t, domU_t)
+domain_self_comms(domU_t)
+
+# Device model for domU_t.  You can define distinct types for device models for
+# domains of other types, or add more make_device_model lines for this type.
+declare_domain(dm_dom_t)
+create_domain(dom0_t, dm_dom_t)
+manage_domain(dom0_t, dm_dom_t)
+domain_comms(dom0_t, dm_dom_t)
+make_device_model(dom0_t, dm_dom_t, domU_t)
+
+# This is required for PCI (or other device) passthrough
+delegate_devices(dom0_t, domU_t)
diff --git a/tools/flask/policy/modules/guest_features.te 
b/tools/flask/policy/modules/guest_features.te
new file mode 100644
index 0000000..9ac9780
--- /dev/null
+++ b/tools/flask/policy/modules/guest_features.te
@@ -0,0 +1,31 @@
+# Allow all domains to use (unprivileged parts of) the tmem hypercall
+allow domain_type xen_t:xen tmem_op;
+
+# Allow all domains to use PMU (but not to change its settings --- that's what
+# pmu_ctrl is for)
+allow domain_type xen_t:xen2 pmu_use;
+
+# Allow guest console output to the serial console.  This is used by PV Linux
+# and stub domains for early boot output, so don't audit even when we deny it.
+# Without XSM, this is enabled only if the Xen was compiled in debug mode.
+gen_bool(guest_writeconsole, true)
+if (guest_writeconsole) {
+       allow domain_type xen_t : xen writeconsole;
+} else {
+       dontaudit domain_type xen_t : xen writeconsole;
+}
+
+# For normal guests, allow all queries except XENVER_commandline.
+allow domain_type xen_t:version {
+    xen_extraversion xen_compile_info xen_capabilities
+    xen_changeset xen_pagesize xen_guest_handle
+};
+
+# Version queries don't need auditing when denied.  They can be
+# encountered in normal operation by xl or by reading sysfs files in
+# Linux, so without this they will show up in the logs.  Since these
+# operations return valid responses (like "denied"), hiding the denials
+# should not break anything.
+dontaudit domain_type xen_t:version {
+       xen_commandline xen_build_id
+};
diff --git a/tools/flask/policy/modules/isolated_domU.te 
b/tools/flask/policy/modules/isolated_domU.te
new file mode 100644
index 0000000..4ee7689
--- /dev/null
+++ b/tools/flask/policy/modules/isolated_domU.te
@@ -0,0 +1,7 @@
+declare_domain(isolated_domU_t)
+create_domain(dom0_t, isolated_domU_t)
+manage_domain(dom0_t, isolated_domU_t)
+domain_comms(dom0_t, isolated_domU_t)
+migrate_domain_out(dom0_t, isolated_domU_t)
+domain_self_comms(isolated_domU_t)
+
diff --git a/tools/flask/policy/modules/modules.conf 
b/tools/flask/policy/modules/modules.conf
new file mode 100644
index 0000000..dba4b40
--- /dev/null
+++ b/tools/flask/policy/modules/modules.conf
@@ -0,0 +1,34 @@
+#
+# This file contains a listing of available modules.
+#
+# To prevent a module from  being used in policy creation, set the module name
+# to "off"; otherwise, set the module name on "on".
+#
+# The order the modules appear in this file is the order they will be parsed;
+# this can be important if you plan to use types defined in one file in 
another.
+#
+
+# Basic types and classes for the Xen hypervisor.  This module is required.
+xen = on
+
+# Permissions for domain 0.  Most of these are required to boot.
+dom0 = on
+
+# Allow all domains the ability to use access-controlled features and 
hypercalls
+# that are not restricted when XSM is disabled.
+guest_features = on
+
+# The default domain type (domU_t) and its device model (dm_dom_t).  The domain
+# is created and managed by dom0_t, and has no special restrictions.
+#
+# This is required if you want to be able to create domains without specifying
+# their XSM label in the configuration.
+domU = on
+
+# Example types with restrictions
+isolated_domU = on
+prot_domU = on
+nomigrate = on
+
+# Example device policy.  Also see policy/device_contexts.
+nic_dev = on
diff --git a/tools/flask/policy/modules/nic_dev.te 
b/tools/flask/policy/modules/nic_dev.te
new file mode 100644
index 0000000..e0484af
--- /dev/null
+++ b/tools/flask/policy/modules/nic_dev.te
@@ -0,0 +1,14 @@
+###############################################################################
+#
+# Device delegation
+#
+# This requires that the device be labeled with a type defined here.  You can
+# use flask-label-pci to dynamically label devices on each boot or define the
+# labels statically in tools/flask/policy/policy/device_contexts
+#
+###############################################################################
+
+type nic_dev_t, resource_type;
+
+admin_device(dom0_t, nic_dev_t)
+use_device(domU_t, nic_dev_t)
diff --git a/tools/flask/policy/modules/nomigrate.te 
b/tools/flask/policy/modules/nomigrate.te
new file mode 100644
index 0000000..5b56caf
--- /dev/null
+++ b/tools/flask/policy/modules/nomigrate.te
@@ -0,0 +1,8 @@
+# Domains of type nomigrate_t must be built via the nomigrate_t_building label;
+# once built, dom0 cannot read their memory.
+declare_domain(nomigrate_t)
+declare_build_label(nomigrate_t)
+create_domain_build_label(dom0_t, nomigrate_t)
+manage_domain(dom0_t, nomigrate_t)
+domain_comms(dom0_t, nomigrate_t)
+domain_self_comms(nomigrate_t)
diff --git a/tools/flask/policy/modules/prot_domU.te 
b/tools/flask/policy/modules/prot_domU.te
new file mode 100644
index 0000000..a7c012c
--- /dev/null
+++ b/tools/flask/policy/modules/prot_domU.te
@@ -0,0 +1,13 @@
+# This is an alternative to nomigrate_t: a policy boolean controls the ability
+# to create or migrate a domain of type prot_domU_t.  If disabled, dom0 cannot
+# map memory belonging to those domains.
+gen_bool(prot_doms_locked, false)
+declare_domain(prot_domU_t)
+if (!prot_doms_locked) {
+       create_domain(dom0_t, prot_domU_t)
+       migrate_domain_out(dom0_t, prot_domU_t)
+}
+domain_comms(dom0_t, prot_domU_t)
+domain_comms(domU_t, prot_domU_t)
+domain_comms(prot_domU_t, prot_domU_t)
+domain_self_comms(prot_domU_t)
diff --git a/tools/flask/policy/modules/xen.if 
b/tools/flask/policy/modules/xen.if
new file mode 100644
index 0000000..00d1bbb
--- /dev/null
+++ b/tools/flask/policy/modules/xen.if
@@ -0,0 +1,189 @@
+# Macro definitions for FLASK policy
+
+################################################################################
+#
+# Domain creation and setup
+#
+################################################################################
+define(`declare_domain_common', `
+       allow $1 $2:grant { query setup };
+       allow $1 $2:mmu { adjust physmap map_read map_write stat pinpage 
updatemp mmuext_op };
+       allow $1 $2:hvm { getparam setparam altp2mhvm_op };
+       allow $1 $2:domain2 get_vnumainfo;
+')
+
+# declare_domain(type, attrs...)
+#   Declare a domain type, along with associated _self and _channel types
+#   Allow the domain to perform basic operations on itself
+define(`declare_domain', `
+       type $1, domain_type`'ifelse(`$#', `1', `', `,shift($@)');
+       type $1_self, domain_type, domain_self_type;
+       type_transition $1 $1:domain $1_self;
+       type $1_channel, event_type;
+       type_transition $1 domain_type:event $1_channel;
+       declare_domain_common($1, $1_self)
+')
+
+# declare_singleton_domain(type, attrs...)
+#   Declare a domain type and associated _channel types.
+#   Note: Because the domain can perform basic operations on itself and any
+#   other domain of the same type, this constructor should be used for types
+#   containing at most one domain. This is not enforced by policy.
+define(`declare_singleton_domain', `
+       type $1, domain_type`'ifelse(`$#', `1', `', `,shift($@)');
+       define(`$1_self', `$1')
+       type $1_channel, event_type;
+       type_transition $1 domain_type:event $1_channel;
+       declare_domain_common($1, $1)
+')
+
+# declare_build_label(type)
+#   Declare a paired _building type for the given domain type
+define(`declare_build_label', `
+       type $1_building, domain_type;
+       type_transition $1_building domain_type:event $1_channel;
+       allow $1_building $1 : domain transition;
+')
+
+define(`create_domain_common', `
+       allow $1 $2:domain { create max_vcpus setdomainmaxmem setaddrsize
+                       getdomaininfo hypercall setvcpucontext setextvcpucontext
+                       getscheduler getvcpuinfo getvcpuextstate getaddrsize
+                       getaffinity setaffinity setvcpuextstate };
+       allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim
+                       set_max_evtchn set_vnumainfo get_vnumainfo cacheflush
+                       psr_cmt_op psr_cat_op soft_reset };
+       allow $1 $2:security check_context;
+       allow $1 $2:shadow enable;
+       allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage 
mmuext_op updatemp };
+       allow $1 $2:grant setup;
+       allow $1 $2:hvm { cacheattr getparam hvmctl irqlevel pciroute sethvmc
+                       setparam pcilevel trackdirtyvram nested altp2mhvm 
altp2mhvm_op };
+')
+
+# create_domain(priv, target)
+#   Allow a domain to be created directly
+define(`create_domain', `
+       create_domain_common($1, $2)
+       allow $1 $2_channel:event create;
+')
+
+# create_domain_build_label(priv, target)
+#   Allow a domain to be created via its domain build label
+define(`create_domain_build_label', `
+       create_domain_common($1, $2_building)
+       allow $1 $2_channel:event create;
+       allow $1 $2_building:domain2 relabelfrom;
+       allow $1 $2:domain2 relabelto;
+       allow $2_building $2:domain transition;
+')
+
+# manage_domain(priv, target)
+#   Allow managing a running domain
+define(`manage_domain', `
+       allow $1 $2:domain { getdomaininfo getvcpuinfo getaffinity
+                       getaddrsize pause unpause trigger shutdown destroy
+                       setaffinity setdomainmaxmem getscheduler resume };
+    allow $1 $2:domain2 set_vnumainfo;
+')
+
+# migrate_domain_out(priv, target)
+#   Allow creation of a snapshot or migration image from a domain
+#   (inbound migration is the same as domain creation)
+define(`migrate_domain_out', `
+       allow $1 domxen_t:mmu map_read;
+       allow $1 $2:hvm { gethvmc getparam irqlevel };
+       allow $1 $2:mmu { stat pageinfo map_read };
+       allow $1 $2:domain { getaddrsize getvcpucontext getextvcpucontext 
getvcpuextstate pause destroy };
+       allow $1 $2:domain2 gettsc;
+       allow $1 $2:shadow { enable disable logdirty };
+')
+
+################################################################################
+#
+# Inter-domain communication
+#
+################################################################################
+
+# create_channel(source, dest, chan-label)
+#   This allows an event channel to be created from domains with labels
+#   <source> to <dest> and will label it <chan-label>
+define(`create_channel', `
+       allow $1 $3:event { create send status };
+       allow $3 $2:event { bind };
+')
+
+# domain_event_comms(dom1, dom2)
+#   Allow two domain types to communicate using event channels
+define(`domain_event_comms', `
+       create_channel($1, $2, $1_channel)
+       create_channel($2, $1, $2_channel)
+')
+
+# domain_comms(dom1, dom2)
+#   Allow two domain types to communicate using grants and event channels
+define(`domain_comms', `
+       domain_event_comms($1, $2)
+       allow $1 $2:grant { map_read map_write copy unmap };
+       allow $2 $1:grant { map_read map_write copy unmap };
+')
+
+# domain_self_comms(domain)
+#   Allow a non-singleton domain type to communicate with itself using grants
+#   and event channels
+define(`domain_self_comms', `
+       create_channel($1, $1_self, $1_channel)
+       allow $1 $1_self:grant { map_read map_write copy unmap };
+')
+
+# device_model(dm_dom, hvm_dom)
+#   Define how a device model domain interacts with its target
+define(`device_model', `
+       type $2_target, domain_type, domain_target_type;
+       type_transition $2 $1:domain $2_target;
+       allow $1 $2:domain set_target;
+
+       type_transition $2_target domain_type:event $2_channel;
+       create_channel($1, $2_target, $1_channel)
+       create_channel($2, $1, $2_channel)
+       allow $1 $2_channel:event create;
+
+       allow $1 $2_target:domain shutdown;
+       allow $1 $2_target:mmu { map_read map_write adjust physmap target_hack 
};
+       allow $1 $2_target:hvm { getparam setparam trackdirtyvram hvmctl 
irqlevel pciroute pcilevel cacheattr send_irq };
+')
+
+# make_device_model(priv, dm_dom, hvm_dom)
+#   Allow creation of a device model and HVM domain pair
+define(`make_device_model', `
+       device_model($2, $3)
+       allow $1 $2:domain2 make_priv_for;
+       allow $1 $3:domain2 set_as_target;
+')
+################################################################################
+#
+# Device types and delegation (PCI passthrough)
+#
+################################################################################
+
+# use_device(domain, device)
+#   Allow a device to be used by a domain
+define(`use_device', `
+    allow $1 $1_self:mmu exchange;
+    allow $1 $2:resource use;
+    allow $1 domio_t:mmu { map_read map_write };
+')
+
+# admin_device(domain, device)
+#   Allow a device to be used and delegated by a domain
+define(`admin_device', `
+    allow $1 $2:resource { setup stat_device add_device add_irq add_iomem 
add_ioport remove_device remove_irq remove_iomem remove_ioport plug unplug };
+    allow $1 $2:hvm bind_irq;
+    use_device($1, $2)
+')
+
+# delegate_devices(priv-domain, target-domain)
+#   Allow devices to be delegated
+define(`delegate_devices', `
+    allow $1 $2:resource { add remove };
+')
diff --git a/tools/flask/policy/modules/xen.te 
b/tools/flask/policy/modules/xen.te
new file mode 100644
index 0000000..3ee5e75
--- /dev/null
+++ b/tools/flask/policy/modules/xen.te
@@ -0,0 +1,89 @@
+################################################################################
+#
+# Attributes for types
+#
+# An attribute may be used in a rule as shorthand for all types with that
+# attribute.
+#
+################################################################################
+attribute xen_type;
+attribute domain_type;
+attribute domain_self_type;
+attribute domain_target_type;
+attribute resource_type;
+attribute event_type;
+attribute mls_priv;
+
+################################################################################
+#
+# Types for the initial SIDs
+#
+# These types are used internally for objects created during Xen startup or for
+# devices that have not yet been labeled
+#
+################################################################################
+
+# The hypervisor itself
+type xen_t, xen_type, mls_priv;
+
+# Domain 0
+declare_singleton_domain(dom0_t, mls_priv);
+
+# I/O memory (DOMID_IO pseudo-domain)
+type domio_t, xen_type;
+
+# Xen heap (DOMID_XEN pseudo-domain)
+type domxen_t, xen_type;
+
+# Unlabeled objects
+type unlabeled_t, xen_type;
+
+# The XSM/FLASK security server
+type security_t, xen_type;
+
+# Unlabeled device resources
+# Note: don't allow access to these types directly; see below for how to label
+#       devices and use that label for allow rules
+type irq_t, resource_type;
+type ioport_t, resource_type;
+type iomem_t, resource_type;
+type device_t, resource_type;
+
+################################################################################
+#
+# Policy constraints
+#
+# Neverallow rules will cause the policy build to fail if an allow rule exists
+# that violates the expression. This is used to ensure proper labeling of
+# objects.
+#
+################################################################################
+
+# Domains must be declared using domain_type
+neverallow * ~domain_type:domain { create transition };
+
+# Resources must be declared using resource_type
+neverallow * ~resource_type:resource use;
+
+# Events must use event_type (see create_channel for a template)
+neverallow ~event_type *:event bind;
+neverallow * ~event_type:event { create send status };
+
+################################################################################
+#
+# Roles
+#
+################################################################################
+
+# The object role (object_r) is used for devices, resources, and event 
channels;
+# it does not need to be defined here and should not be used for domains.
+
+# The system role is used for utility domains and pseudo-domains
+role system_r;
+role system_r types { xen_type domain_type };
+# If you want to prevent domUs from being placed in system_r:
+##role system_r types { xen_type dom0_t };
+
+# The vm role is used for customer virtual machines
+role vm_r;
+role vm_r types { domain_type -dom0_t };
diff --git a/tools/flask/policy/policy/modules.conf 
b/tools/flask/policy/policy/modules.conf
deleted file mode 100644
index 8043974..0000000
--- a/tools/flask/policy/policy/modules.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-#
-# This file contains a listing of available modules.
-# To prevent a module from  being used in policy
-# creation, set the module name to "off" otherwise
-# set the module name on "on".
-#
-
-# Layer: xen
-# Module: xen
-# Required in base
-#
-# Policy for xen.
-# 
-xen = on
-
diff --git a/tools/flask/policy/policy/modules/xen/xen.if 
b/tools/flask/policy/policy/modules/xen/xen.if
deleted file mode 100644
index 00d1bbb..0000000
--- a/tools/flask/policy/policy/modules/xen/xen.if
+++ /dev/null
@@ -1,189 +0,0 @@
-# Macro definitions for FLASK policy
-
-################################################################################
-#
-# Domain creation and setup
-#
-################################################################################
-define(`declare_domain_common', `
-       allow $1 $2:grant { query setup };
-       allow $1 $2:mmu { adjust physmap map_read map_write stat pinpage 
updatemp mmuext_op };
-       allow $1 $2:hvm { getparam setparam altp2mhvm_op };
-       allow $1 $2:domain2 get_vnumainfo;
-')
-
-# declare_domain(type, attrs...)
-#   Declare a domain type, along with associated _self and _channel types
-#   Allow the domain to perform basic operations on itself
-define(`declare_domain', `
-       type $1, domain_type`'ifelse(`$#', `1', `', `,shift($@)');
-       type $1_self, domain_type, domain_self_type;
-       type_transition $1 $1:domain $1_self;
-       type $1_channel, event_type;
-       type_transition $1 domain_type:event $1_channel;
-       declare_domain_common($1, $1_self)
-')
-
-# declare_singleton_domain(type, attrs...)
-#   Declare a domain type and associated _channel types.
-#   Note: Because the domain can perform basic operations on itself and any
-#   other domain of the same type, this constructor should be used for types
-#   containing at most one domain. This is not enforced by policy.
-define(`declare_singleton_domain', `
-       type $1, domain_type`'ifelse(`$#', `1', `', `,shift($@)');
-       define(`$1_self', `$1')
-       type $1_channel, event_type;
-       type_transition $1 domain_type:event $1_channel;
-       declare_domain_common($1, $1)
-')
-
-# declare_build_label(type)
-#   Declare a paired _building type for the given domain type
-define(`declare_build_label', `
-       type $1_building, domain_type;
-       type_transition $1_building domain_type:event $1_channel;
-       allow $1_building $1 : domain transition;
-')
-
-define(`create_domain_common', `
-       allow $1 $2:domain { create max_vcpus setdomainmaxmem setaddrsize
-                       getdomaininfo hypercall setvcpucontext setextvcpucontext
-                       getscheduler getvcpuinfo getvcpuextstate getaddrsize
-                       getaffinity setaffinity setvcpuextstate };
-       allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim
-                       set_max_evtchn set_vnumainfo get_vnumainfo cacheflush
-                       psr_cmt_op psr_cat_op soft_reset };
-       allow $1 $2:security check_context;
-       allow $1 $2:shadow enable;
-       allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage 
mmuext_op updatemp };
-       allow $1 $2:grant setup;
-       allow $1 $2:hvm { cacheattr getparam hvmctl irqlevel pciroute sethvmc
-                       setparam pcilevel trackdirtyvram nested altp2mhvm 
altp2mhvm_op };
-')
-
-# create_domain(priv, target)
-#   Allow a domain to be created directly
-define(`create_domain', `
-       create_domain_common($1, $2)
-       allow $1 $2_channel:event create;
-')
-
-# create_domain_build_label(priv, target)
-#   Allow a domain to be created via its domain build label
-define(`create_domain_build_label', `
-       create_domain_common($1, $2_building)
-       allow $1 $2_channel:event create;
-       allow $1 $2_building:domain2 relabelfrom;
-       allow $1 $2:domain2 relabelto;
-       allow $2_building $2:domain transition;
-')
-
-# manage_domain(priv, target)
-#   Allow managing a running domain
-define(`manage_domain', `
-       allow $1 $2:domain { getdomaininfo getvcpuinfo getaffinity
-                       getaddrsize pause unpause trigger shutdown destroy
-                       setaffinity setdomainmaxmem getscheduler resume };
-    allow $1 $2:domain2 set_vnumainfo;
-')
-
-# migrate_domain_out(priv, target)
-#   Allow creation of a snapshot or migration image from a domain
-#   (inbound migration is the same as domain creation)
-define(`migrate_domain_out', `
-       allow $1 domxen_t:mmu map_read;
-       allow $1 $2:hvm { gethvmc getparam irqlevel };
-       allow $1 $2:mmu { stat pageinfo map_read };
-       allow $1 $2:domain { getaddrsize getvcpucontext getextvcpucontext 
getvcpuextstate pause destroy };
-       allow $1 $2:domain2 gettsc;
-       allow $1 $2:shadow { enable disable logdirty };
-')
-
-################################################################################
-#
-# Inter-domain communication
-#
-################################################################################
-
-# create_channel(source, dest, chan-label)
-#   This allows an event channel to be created from domains with labels
-#   <source> to <dest> and will label it <chan-label>
-define(`create_channel', `
-       allow $1 $3:event { create send status };
-       allow $3 $2:event { bind };
-')
-
-# domain_event_comms(dom1, dom2)
-#   Allow two domain types to communicate using event channels
-define(`domain_event_comms', `
-       create_channel($1, $2, $1_channel)
-       create_channel($2, $1, $2_channel)
-')
-
-# domain_comms(dom1, dom2)
-#   Allow two domain types to communicate using grants and event channels
-define(`domain_comms', `
-       domain_event_comms($1, $2)
-       allow $1 $2:grant { map_read map_write copy unmap };
-       allow $2 $1:grant { map_read map_write copy unmap };
-')
-
-# domain_self_comms(domain)
-#   Allow a non-singleton domain type to communicate with itself using grants
-#   and event channels
-define(`domain_self_comms', `
-       create_channel($1, $1_self, $1_channel)
-       allow $1 $1_self:grant { map_read map_write copy unmap };
-')
-
-# device_model(dm_dom, hvm_dom)
-#   Define how a device model domain interacts with its target
-define(`device_model', `
-       type $2_target, domain_type, domain_target_type;
-       type_transition $2 $1:domain $2_target;
-       allow $1 $2:domain set_target;
-
-       type_transition $2_target domain_type:event $2_channel;
-       create_channel($1, $2_target, $1_channel)
-       create_channel($2, $1, $2_channel)
-       allow $1 $2_channel:event create;
-
-       allow $1 $2_target:domain shutdown;
-       allow $1 $2_target:mmu { map_read map_write adjust physmap target_hack 
};
-       allow $1 $2_target:hvm { getparam setparam trackdirtyvram hvmctl 
irqlevel pciroute pcilevel cacheattr send_irq };
-')
-
-# make_device_model(priv, dm_dom, hvm_dom)
-#   Allow creation of a device model and HVM domain pair
-define(`make_device_model', `
-       device_model($2, $3)
-       allow $1 $2:domain2 make_priv_for;
-       allow $1 $3:domain2 set_as_target;
-')
-################################################################################
-#
-# Device types and delegation (PCI passthrough)
-#
-################################################################################
-
-# use_device(domain, device)
-#   Allow a device to be used by a domain
-define(`use_device', `
-    allow $1 $1_self:mmu exchange;
-    allow $1 $2:resource use;
-    allow $1 domio_t:mmu { map_read map_write };
-')
-
-# admin_device(domain, device)
-#   Allow a device to be used and delegated by a domain
-define(`admin_device', `
-    allow $1 $2:resource { setup stat_device add_device add_irq add_iomem 
add_ioport remove_device remove_irq remove_iomem remove_ioport plug unplug };
-    allow $1 $2:hvm bind_irq;
-    use_device($1, $2)
-')
-
-# delegate_devices(priv-domain, target-domain)
-#   Allow devices to be delegated
-define(`delegate_devices', `
-    allow $1 $2:resource { add remove };
-')
diff --git a/tools/flask/policy/policy/modules/xen/xen.te 
b/tools/flask/policy/policy/modules/xen/xen.te
deleted file mode 100644
index 50aa602..0000000
--- a/tools/flask/policy/policy/modules/xen/xen.te
+++ /dev/null
@@ -1,272 +0,0 @@
-################################################################################
-#
-# Attributes for types
-#
-# An attribute may be used in a rule as shorthand for all types with that
-# attribute.
-#
-################################################################################
-attribute xen_type;
-attribute domain_type;
-attribute domain_self_type;
-attribute domain_target_type;
-attribute resource_type;
-attribute event_type;
-attribute mls_priv;
-
-################################################################################
-#
-# Types for the initial SIDs
-#
-# These types are used internally for objects created during Xen startup or for
-# devices that have not yet been labeled
-#
-################################################################################
-
-# The hypervisor itself
-type xen_t, xen_type, mls_priv;
-
-# Domain 0
-declare_singleton_domain(dom0_t, mls_priv);
-
-# I/O memory (DOMID_IO pseudo-domain)
-type domio_t, xen_type;
-
-# Xen heap (DOMID_XEN pseudo-domain)
-type domxen_t, xen_type;
-
-# Unlabeled objects
-type unlabeled_t, xen_type;
-
-# The XSM/FLASK security server
-type security_t, xen_type;
-
-# Unlabeled device resources
-# Note: don't allow access to these types directly; see below for how to label
-#       devices and use that label for allow rules
-type irq_t, resource_type;
-type ioport_t, resource_type;
-type iomem_t, resource_type;
-type device_t, resource_type;
-
-################################################################################
-#
-# Allow dom0 access to all sysctls, devices, and the security server.
-#
-# While this could be written more briefly using wildcards, the permissions are
-# listed out to make removing specific permissions simpler.
-#
-################################################################################
-allow dom0_t xen_t:xen {
-       settime tbufcontrol readconsole clearconsole perfcontrol mtrr_add
-       mtrr_del mtrr_read microcode physinfo quirk writeconsole readapic
-       writeapic privprofile nonprivprofile kexec firmware sleep frequency
-       getidle debug getcpuinfo heap pm_op mca_op lockprof cpupool_op tmem_op
-       tmem_control getscheduler setscheduler
-};
-allow dom0_t xen_t:xen2 {
-    resource_op
-    psr_cmt_op
-    psr_cat_op
-};
-allow dom0_t xen_t:xen2 {
-    pmu_ctrl
-    get_symbol
-    get_cpu_levelling_caps
-    get_cpu_featureset
-    livepatch_op
-};
-
-# Allow dom0 to use all XENVER_ subops that have checks.
-# Note that dom0 is part of domain_type so this has duplicates.
-allow dom0_t xen_t:version {
-    xen_extraversion xen_compile_info xen_capabilities
-    xen_changeset xen_pagesize xen_guest_handle xen_commandline
-    xen_build_id
-};
-
-allow dom0_t xen_t:mmu memorymap;
-
-# Allow dom0 to use these domctls on itself. For domctls acting on other
-# domains, see the definitions of create_domain and manage_domain.
-allow dom0_t dom0_t:domain {
-       setvcpucontext max_vcpus setaffinity getaffinity getscheduler
-       getdomaininfo getvcpuinfo getvcpucontext setdomainmaxmem setdomainhandle
-       setdebugging hypercall settime setaddrsize getaddrsize trigger
-       getextvcpucontext setextvcpucontext getvcpuextstate setvcpuextstate
-       getpodtarget setpodtarget set_misc_info set_virq_handler
-};
-allow dom0_t dom0_t:domain2 {
-       set_cpuid gettsc settsc setscheduler set_max_evtchn set_vnumainfo
-       get_vnumainfo psr_cmt_op psr_cat_op
-};
-allow dom0_t dom0_t:resource { add remove };
-
-# These permissions allow using the FLASK security server to compute access
-# checks locally, which could be used by a domain or service (such as xenstore)
-# that does not have its own security server to make access decisions based on
-# Xen's security policy.
-allow dom0_t security_t:security {
-       compute_av compute_create compute_member compute_relabel compute_user
-};
-
-# Allow string/SID conversions (for "xl list -Z" and similar)
-allow dom0_t security_t:security check_context;
-
-# Allow flask-label-pci to add and change labels
-allow dom0_t security_t:security { add_ocontext del_ocontext };
-
-# Allow performance parameters of the security server to be tweaked
-allow dom0_t security_t:security setsecparam;
-
-# Allow changing the security policy
-allow dom0_t security_t:security { load_policy setenforce setbool };
-
-# Audit policy change events even when they are allowed
-auditallow dom0_t security_t:security { load_policy setenforce setbool };
-
-admin_device(dom0_t, device_t)
-admin_device(dom0_t, irq_t)
-admin_device(dom0_t, ioport_t)
-admin_device(dom0_t, iomem_t)
-
-domain_comms(dom0_t, dom0_t)
-
-# Allow all domains to use (unprivileged parts of) the tmem hypercall
-allow domain_type xen_t:xen tmem_op;
-
-# Allow guest console output to the serial console.  This is used by PV Linux
-# and stub domains for early boot output, so don't audit even when we deny it.
-# Without XSM, this is enabled only if the Xen was compiled in debug mode.
-gen_bool(guest_writeconsole, true)
-if (guest_writeconsole) {
-       allow domain_type xen_t : xen writeconsole;
-} else {
-       dontaudit domain_type xen_t : xen writeconsole;
-}
-
-# Allow all domains to use PMU (but not to change its settings --- that's what
-# pmu_ctrl is for)
-allow domain_type xen_t:xen2 pmu_use;
-
-# For normal guests all possible except XENVER_commandline.
-allow domain_type xen_t:version {
-    xen_extraversion xen_compile_info xen_capabilities
-    xen_changeset xen_pagesize xen_guest_handle
-};
-
-# These queries don't need auditing when denied.  They can be
-# encountered in normal operation by xl or by reading sysfs files in
-# Linux, so without this they will show up in the logs.  Since these
-# operations return valid responses (like "denied"), hiding the denials
-# should not break anything.
-dontaudit domain_type xen_t:version {
-    xen_commandline xen_build_id
-};
-
-###############################################################################
-#
-# Domain creation
-#
-###############################################################################
-
-declare_domain(domU_t)
-domain_self_comms(domU_t)
-create_domain(dom0_t, domU_t)
-manage_domain(dom0_t, domU_t)
-domain_comms(dom0_t, domU_t)
-domain_comms(domU_t, domU_t)
-migrate_domain_out(dom0_t, domU_t)
-domain_self_comms(domU_t)
-
-declare_domain(isolated_domU_t)
-create_domain(dom0_t, isolated_domU_t)
-manage_domain(dom0_t, isolated_domU_t)
-domain_comms(dom0_t, isolated_domU_t)
-migrate_domain_out(dom0_t, isolated_domU_t)
-domain_self_comms(isolated_domU_t)
-
-# Declare a boolean that denies creation of prot_domU_t domains
-gen_bool(prot_doms_locked, false)
-declare_domain(prot_domU_t)
-if (!prot_doms_locked) {
-       create_domain(dom0_t, prot_domU_t)
-       migrate_domain_out(dom0_t, prot_domU_t)
-}
-domain_comms(dom0_t, prot_domU_t)
-domain_comms(domU_t, prot_domU_t)
-domain_comms(prot_domU_t, prot_domU_t)
-domain_self_comms(prot_domU_t)
-
-# Device model for domU_t.  You can define distinct types for device models for
-# domains of other types, or add more make_device_model lines for this type.
-declare_domain(dm_dom_t)
-create_domain(dom0_t, dm_dom_t)
-manage_domain(dom0_t, dm_dom_t)
-domain_comms(dom0_t, dm_dom_t)
-make_device_model(dom0_t, dm_dom_t, domU_t)
-
-# nomigrate_t must be built via the nomigrate_t_building label; once built,
-# dom0 cannot read its memory.
-declare_domain(nomigrate_t)
-declare_build_label(nomigrate_t)
-create_domain_build_label(dom0_t, nomigrate_t)
-manage_domain(dom0_t, nomigrate_t)
-domain_comms(dom0_t, nomigrate_t)
-domain_self_comms(nomigrate_t)
-
-###############################################################################
-#
-# Device delegation
-#
-# This requires that the device be labeled with a type defined here.  You can
-# use flask-label-pci to dynamically label devices on each boot or define the
-# labels statically in tools/flask/policy/policy/device_contexts
-#
-###############################################################################
-
-type nic_dev_t, resource_type;
-
-admin_device(dom0_t, nic_dev_t)
-use_device(domU_t, nic_dev_t)
-
-delegate_devices(dom0_t, domU_t)
-
-################################################################################
-#
-# Policy constraints
-#
-# Neverallow rules will cause the policy build to fail if an allow rule exists
-# that violates the expression. This is used to ensure proper labeling of
-# objects.
-#
-################################################################################
-
-# Domains must be declared using domain_type
-neverallow * ~domain_type:domain { create transition };
-
-# Resources must be declared using resource_type
-neverallow * ~resource_type:resource use;
-
-# Events must use event_type (see create_channel for a template)
-neverallow ~event_type *:event bind;
-neverallow * ~event_type:event { create send status };
-
-################################################################################
-#
-# Roles
-#
-################################################################################
-
-# The object role (object_r) is used for devices, resources, and event 
channels;
-# it does not need to be defined here and should not be used for domains.
-
-# The system role is used for utility domains and pseudo-domains
-role system_r;
-role system_r types { xen_type domain_type };
-# If you want to prevent domUs from being placed in system_r:
-##role system_r types { xen_type dom0_t };
-
-# The vm role is used for customer virtual machines
-role vm_r;
-role vm_r types { domain_type -dom0_t };
--
generated by git-patchbot for /home/xen/git/xen.git#master

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.