|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [xen master] flask/policy: split into modules
commit 31689dcb0fbfe00f7556337ac72a10c238d7a40d
Author: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
AuthorDate: Mon Jun 20 10:04:10 2016 -0400
Commit: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Tue Jun 21 15:29:17 2016 +0100
flask/policy: split into modules
This makes it easier to enable or disable parts of the XSM policy.
Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
Reviewed-by: Doug Goldstein <cardoe@xxxxxxxxxx>
---
tools/flask/policy/Makefile | 22 +--
tools/flask/policy/modules/dom0.te | 74 ++++++++
tools/flask/policy/modules/domU.te | 25 +++
tools/flask/policy/modules/guest_features.te | 31 +++
tools/flask/policy/modules/isolated_domU.te | 7 +
tools/flask/policy/modules/modules.conf | 34 ++++
tools/flask/policy/modules/nic_dev.te | 14 ++
tools/flask/policy/modules/nomigrate.te | 8 +
tools/flask/policy/modules/prot_domU.te | 13 ++
tools/flask/policy/modules/xen.if | 189 +++++++++++++++++++
tools/flask/policy/modules/xen.te | 89 +++++++++
tools/flask/policy/policy/modules.conf | 15 --
tools/flask/policy/policy/modules/xen/xen.if | 189 -------------------
tools/flask/policy/policy/modules/xen/xen.te | 272 ---------------------------
14 files changed, 491 insertions(+), 491 deletions(-)
diff --git a/tools/flask/policy/Makefile b/tools/flask/policy/Makefile
index 4be921c..b2c2d06 100644
--- a/tools/flask/policy/Makefile
+++ b/tools/flask/policy/Makefile
@@ -37,7 +37,7 @@ POLICY_VER_LIST_HV = 24 30
# policy source layout
POLDIR := policy
-MODDIR := $(POLDIR)/modules
+MODDIR := modules
# Classes and access vectors defined in the hypervisor. Changes to these
require
# a recompile of both the hypervisor and security policy.
@@ -60,7 +60,7 @@ DEV_OCONS := $(POLDIR)/device_contexts
# config file paths
GLOBALTUN := $(POLDIR)/global_tunables
-MOD_CONF := $(POLDIR)/modules.conf
+MOD_CONF := $(MODDIR)/modules.conf
# checkpolicy can use the #line directives provided by -s for error reporting:
M4PARAM := -D self_contained_policy -s
@@ -84,22 +84,14 @@ endif
M4PARAM += -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS)
-# Find modules
-ALL_LAYERS := $(filter-out $(MODDIR)/CVS,$(shell find $(wildcard $(MODDIR)/*)
-maxdepth 0 -type d))
-
-# sort here since it removes duplicates, which can happen
-# when a generated file is already generated
-DETECTED_MODS := $(sort $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te)))
-
# modules.conf setting for policy configuration
MODENABLED := on
# extract settings from modules.conf
-ENABLED_MODS := $(foreach mod,$(shell awk '/^[ \t]*[a-z]/{ if ($$3 ==
"$(MODENABLED)") print $$1 }' $(MOD_CONF) 2> /dev/null),$(subst ./,,$(shell
find -iname $(mod).te)))
-
-ALL_MODULES := $(filter $(ENABLED_MODS),$(DETECTED_MODS))
+ENABLED_LIST := $(shell awk '/^[ \t]*[a-z]/{ if ($$3 == "$(MODENABLED)") print
$$1 }' $(MOD_CONF) 2> /dev/null)
-ALL_INTERFACES := $(ALL_MODULES:.te=.if)
+ALL_MODULES := $(foreach mod,$(ENABLED_LIST),$(MODDIR)/$(mod).te)
+ALL_INTERFACES := $(wildcard $(ALL_MODULES:.te=.if))
# The order of these files is important
POLICY_SECTIONS := $(SECCLASS) $(ISID_DECLS) $(AVS)
@@ -118,8 +110,8 @@ install: $(POLICY_FILENAME)
$(POLICY_FILENAME): policy.conf
$(CHECKPOLICY) $(CHECKPOLICY_PARAM) $^ -o $@
-policy.conf: $(POLICY_SECTIONS)
- $(M4) $(M4PARAM) $^ > $@
+policy.conf: $(POLICY_SECTIONS) $(MOD_CONF)
+ $(M4) $(M4PARAM) $(POLICY_SECTIONS) > $@
clean:
$(RM) tmp policy.conf $(POLICY_FILENAME)
diff --git a/tools/flask/policy/modules/dom0.te
b/tools/flask/policy/modules/dom0.te
new file mode 100644
index 0000000..ef6a986
--- /dev/null
+++ b/tools/flask/policy/modules/dom0.te
@@ -0,0 +1,74 @@
+################################################################################
+#
+# Allow dom0 access to all sysctls, devices, and the security server.
+#
+# While this could be written more briefly using wildcards, the permissions are
+# listed out to make removing specific permissions simpler.
+#
+################################################################################
+allow dom0_t xen_t:xen {
+ settime tbufcontrol readconsole clearconsole perfcontrol mtrr_add
+ mtrr_del mtrr_read microcode physinfo quirk writeconsole readapic
+ writeapic privprofile nonprivprofile kexec firmware sleep frequency
+ getidle debug getcpuinfo heap pm_op mca_op lockprof cpupool_op tmem_op
+ tmem_control getscheduler setscheduler
+};
+allow dom0_t xen_t:xen2 {
+ resource_op psr_cmt_op psr_cat_op pmu_ctrl get_symbol
+ get_cpu_levelling_caps get_cpu_featureset livepatch_op
+};
+
+# Allow dom0 to use all XENVER_ subops that have checks.
+# Note that dom0 is part of domain_type so this has duplicates.
+allow dom0_t xen_t:version {
+ xen_extraversion xen_compile_info xen_capabilities
+ xen_changeset xen_pagesize xen_guest_handle xen_commandline
+ xen_build_id
+};
+
+allow dom0_t xen_t:mmu memorymap;
+
+# Allow dom0 to use these domctls on itself. For domctls acting on other
+# domains, see the definitions of create_domain and manage_domain.
+allow dom0_t dom0_t:domain {
+ setvcpucontext max_vcpus setaffinity getaffinity getscheduler
+ getdomaininfo getvcpuinfo getvcpucontext setdomainmaxmem setdomainhandle
+ setdebugging hypercall settime setaddrsize getaddrsize trigger
+ getextvcpucontext setextvcpucontext getvcpuextstate setvcpuextstate
+ getpodtarget setpodtarget set_misc_info set_virq_handler
+};
+allow dom0_t dom0_t:domain2 {
+ set_cpuid gettsc settsc setscheduler set_max_evtchn set_vnumainfo
+ get_vnumainfo psr_cmt_op psr_cat_op
+};
+allow dom0_t dom0_t:resource { add remove };
+
+# These permissions allow using the FLASK security server to compute access
+# checks locally, which could be used by a domain or service (such as xenstore)
+# that does not have its own security server to make access decisions based on
+# Xen's security policy.
+allow dom0_t security_t:security {
+ compute_av compute_create compute_member compute_relabel compute_user
+};
+
+# Allow string/SID conversions (for "xl list -Z" and similar)
+allow dom0_t security_t:security check_context;
+
+# Allow flask-label-pci to add and change labels
+allow dom0_t security_t:security { add_ocontext del_ocontext };
+
+# Allow performance parameters of the security server to be tweaked
+allow dom0_t security_t:security setsecparam;
+
+# Allow changing the security policy
+allow dom0_t security_t:security { load_policy setenforce setbool };
+
+# Audit policy change events even when they are allowed
+auditallow dom0_t security_t:security { load_policy setenforce setbool };
+
+admin_device(dom0_t, device_t)
+admin_device(dom0_t, irq_t)
+admin_device(dom0_t, ioport_t)
+admin_device(dom0_t, iomem_t)
+
+domain_comms(dom0_t, dom0_t)
diff --git a/tools/flask/policy/modules/domU.te
b/tools/flask/policy/modules/domU.te
new file mode 100644
index 0000000..ca5eecd
--- /dev/null
+++ b/tools/flask/policy/modules/domU.te
@@ -0,0 +1,25 @@
+###############################################################################
+#
+# Domain creation
+#
+###############################################################################
+
+declare_domain(domU_t)
+domain_self_comms(domU_t)
+create_domain(dom0_t, domU_t)
+manage_domain(dom0_t, domU_t)
+domain_comms(dom0_t, domU_t)
+domain_comms(domU_t, domU_t)
+migrate_domain_out(dom0_t, domU_t)
+domain_self_comms(domU_t)
+
+# Device model for domU_t. You can define distinct types for device models for
+# domains of other types, or add more make_device_model lines for this type.
+declare_domain(dm_dom_t)
+create_domain(dom0_t, dm_dom_t)
+manage_domain(dom0_t, dm_dom_t)
+domain_comms(dom0_t, dm_dom_t)
+make_device_model(dom0_t, dm_dom_t, domU_t)
+
+# This is required for PCI (or other device) passthrough
+delegate_devices(dom0_t, domU_t)
diff --git a/tools/flask/policy/modules/guest_features.te
b/tools/flask/policy/modules/guest_features.te
new file mode 100644
index 0000000..9ac9780
--- /dev/null
+++ b/tools/flask/policy/modules/guest_features.te
@@ -0,0 +1,31 @@
+# Allow all domains to use (unprivileged parts of) the tmem hypercall
+allow domain_type xen_t:xen tmem_op;
+
+# Allow all domains to use PMU (but not to change its settings --- that's what
+# pmu_ctrl is for)
+allow domain_type xen_t:xen2 pmu_use;
+
+# Allow guest console output to the serial console. This is used by PV Linux
+# and stub domains for early boot output, so don't audit even when we deny it.
+# Without XSM, this is enabled only if the Xen was compiled in debug mode.
+gen_bool(guest_writeconsole, true)
+if (guest_writeconsole) {
+ allow domain_type xen_t : xen writeconsole;
+} else {
+ dontaudit domain_type xen_t : xen writeconsole;
+}
+
+# For normal guests, allow all queries except XENVER_commandline.
+allow domain_type xen_t:version {
+ xen_extraversion xen_compile_info xen_capabilities
+ xen_changeset xen_pagesize xen_guest_handle
+};
+
+# Version queries don't need auditing when denied. They can be
+# encountered in normal operation by xl or by reading sysfs files in
+# Linux, so without this they will show up in the logs. Since these
+# operations return valid responses (like "denied"), hiding the denials
+# should not break anything.
+dontaudit domain_type xen_t:version {
+ xen_commandline xen_build_id
+};
diff --git a/tools/flask/policy/modules/isolated_domU.te
b/tools/flask/policy/modules/isolated_domU.te
new file mode 100644
index 0000000..4ee7689
--- /dev/null
+++ b/tools/flask/policy/modules/isolated_domU.te
@@ -0,0 +1,7 @@
+declare_domain(isolated_domU_t)
+create_domain(dom0_t, isolated_domU_t)
+manage_domain(dom0_t, isolated_domU_t)
+domain_comms(dom0_t, isolated_domU_t)
+migrate_domain_out(dom0_t, isolated_domU_t)
+domain_self_comms(isolated_domU_t)
+
diff --git a/tools/flask/policy/modules/modules.conf
b/tools/flask/policy/modules/modules.conf
new file mode 100644
index 0000000..dba4b40
--- /dev/null
+++ b/tools/flask/policy/modules/modules.conf
@@ -0,0 +1,34 @@
+#
+# This file contains a listing of available modules.
+#
+# To prevent a module from being used in policy creation, set the module name
+# to "off"; otherwise, set the module name on "on".
+#
+# The order the modules appear in this file is the order they will be parsed;
+# this can be important if you plan to use types defined in one file in
another.
+#
+
+# Basic types and classes for the Xen hypervisor. This module is required.
+xen = on
+
+# Permissions for domain 0. Most of these are required to boot.
+dom0 = on
+
+# Allow all domains the ability to use access-controlled features and
hypercalls
+# that are not restricted when XSM is disabled.
+guest_features = on
+
+# The default domain type (domU_t) and its device model (dm_dom_t). The domain
+# is created and managed by dom0_t, and has no special restrictions.
+#
+# This is required if you want to be able to create domains without specifying
+# their XSM label in the configuration.
+domU = on
+
+# Example types with restrictions
+isolated_domU = on
+prot_domU = on
+nomigrate = on
+
+# Example device policy. Also see policy/device_contexts.
+nic_dev = on
diff --git a/tools/flask/policy/modules/nic_dev.te
b/tools/flask/policy/modules/nic_dev.te
new file mode 100644
index 0000000..e0484af
--- /dev/null
+++ b/tools/flask/policy/modules/nic_dev.te
@@ -0,0 +1,14 @@
+###############################################################################
+#
+# Device delegation
+#
+# This requires that the device be labeled with a type defined here. You can
+# use flask-label-pci to dynamically label devices on each boot or define the
+# labels statically in tools/flask/policy/policy/device_contexts
+#
+###############################################################################
+
+type nic_dev_t, resource_type;
+
+admin_device(dom0_t, nic_dev_t)
+use_device(domU_t, nic_dev_t)
diff --git a/tools/flask/policy/modules/nomigrate.te
b/tools/flask/policy/modules/nomigrate.te
new file mode 100644
index 0000000..5b56caf
--- /dev/null
+++ b/tools/flask/policy/modules/nomigrate.te
@@ -0,0 +1,8 @@
+# Domains of type nomigrate_t must be built via the nomigrate_t_building label;
+# once built, dom0 cannot read their memory.
+declare_domain(nomigrate_t)
+declare_build_label(nomigrate_t)
+create_domain_build_label(dom0_t, nomigrate_t)
+manage_domain(dom0_t, nomigrate_t)
+domain_comms(dom0_t, nomigrate_t)
+domain_self_comms(nomigrate_t)
diff --git a/tools/flask/policy/modules/prot_domU.te
b/tools/flask/policy/modules/prot_domU.te
new file mode 100644
index 0000000..a7c012c
--- /dev/null
+++ b/tools/flask/policy/modules/prot_domU.te
@@ -0,0 +1,13 @@
+# This is an alternative to nomigrate_t: a policy boolean controls the ability
+# to create or migrate a domain of type prot_domU_t. If disabled, dom0 cannot
+# map memory belonging to those domains.
+gen_bool(prot_doms_locked, false)
+declare_domain(prot_domU_t)
+if (!prot_doms_locked) {
+ create_domain(dom0_t, prot_domU_t)
+ migrate_domain_out(dom0_t, prot_domU_t)
+}
+domain_comms(dom0_t, prot_domU_t)
+domain_comms(domU_t, prot_domU_t)
+domain_comms(prot_domU_t, prot_domU_t)
+domain_self_comms(prot_domU_t)
diff --git a/tools/flask/policy/modules/xen.if
b/tools/flask/policy/modules/xen.if
new file mode 100644
index 0000000..00d1bbb
--- /dev/null
+++ b/tools/flask/policy/modules/xen.if
@@ -0,0 +1,189 @@
+# Macro definitions for FLASK policy
+
+################################################################################
+#
+# Domain creation and setup
+#
+################################################################################
+define(`declare_domain_common', `
+ allow $1 $2:grant { query setup };
+ allow $1 $2:mmu { adjust physmap map_read map_write stat pinpage
updatemp mmuext_op };
+ allow $1 $2:hvm { getparam setparam altp2mhvm_op };
+ allow $1 $2:domain2 get_vnumainfo;
+')
+
+# declare_domain(type, attrs...)
+# Declare a domain type, along with associated _self and _channel types
+# Allow the domain to perform basic operations on itself
+define(`declare_domain', `
+ type $1, domain_type`'ifelse(`$#', `1', `', `,shift($@)');
+ type $1_self, domain_type, domain_self_type;
+ type_transition $1 $1:domain $1_self;
+ type $1_channel, event_type;
+ type_transition $1 domain_type:event $1_channel;
+ declare_domain_common($1, $1_self)
+')
+
+# declare_singleton_domain(type, attrs...)
+# Declare a domain type and associated _channel types.
+# Note: Because the domain can perform basic operations on itself and any
+# other domain of the same type, this constructor should be used for types
+# containing at most one domain. This is not enforced by policy.
+define(`declare_singleton_domain', `
+ type $1, domain_type`'ifelse(`$#', `1', `', `,shift($@)');
+ define(`$1_self', `$1')
+ type $1_channel, event_type;
+ type_transition $1 domain_type:event $1_channel;
+ declare_domain_common($1, $1)
+')
+
+# declare_build_label(type)
+# Declare a paired _building type for the given domain type
+define(`declare_build_label', `
+ type $1_building, domain_type;
+ type_transition $1_building domain_type:event $1_channel;
+ allow $1_building $1 : domain transition;
+')
+
+define(`create_domain_common', `
+ allow $1 $2:domain { create max_vcpus setdomainmaxmem setaddrsize
+ getdomaininfo hypercall setvcpucontext setextvcpucontext
+ getscheduler getvcpuinfo getvcpuextstate getaddrsize
+ getaffinity setaffinity setvcpuextstate };
+ allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim
+ set_max_evtchn set_vnumainfo get_vnumainfo cacheflush
+ psr_cmt_op psr_cat_op soft_reset };
+ allow $1 $2:security check_context;
+ allow $1 $2:shadow enable;
+ allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage
mmuext_op updatemp };
+ allow $1 $2:grant setup;
+ allow $1 $2:hvm { cacheattr getparam hvmctl irqlevel pciroute sethvmc
+ setparam pcilevel trackdirtyvram nested altp2mhvm
altp2mhvm_op };
+')
+
+# create_domain(priv, target)
+# Allow a domain to be created directly
+define(`create_domain', `
+ create_domain_common($1, $2)
+ allow $1 $2_channel:event create;
+')
+
+# create_domain_build_label(priv, target)
+# Allow a domain to be created via its domain build label
+define(`create_domain_build_label', `
+ create_domain_common($1, $2_building)
+ allow $1 $2_channel:event create;
+ allow $1 $2_building:domain2 relabelfrom;
+ allow $1 $2:domain2 relabelto;
+ allow $2_building $2:domain transition;
+')
+
+# manage_domain(priv, target)
+# Allow managing a running domain
+define(`manage_domain', `
+ allow $1 $2:domain { getdomaininfo getvcpuinfo getaffinity
+ getaddrsize pause unpause trigger shutdown destroy
+ setaffinity setdomainmaxmem getscheduler resume };
+ allow $1 $2:domain2 set_vnumainfo;
+')
+
+# migrate_domain_out(priv, target)
+# Allow creation of a snapshot or migration image from a domain
+# (inbound migration is the same as domain creation)
+define(`migrate_domain_out', `
+ allow $1 domxen_t:mmu map_read;
+ allow $1 $2:hvm { gethvmc getparam irqlevel };
+ allow $1 $2:mmu { stat pageinfo map_read };
+ allow $1 $2:domain { getaddrsize getvcpucontext getextvcpucontext
getvcpuextstate pause destroy };
+ allow $1 $2:domain2 gettsc;
+ allow $1 $2:shadow { enable disable logdirty };
+')
+
+################################################################################
+#
+# Inter-domain communication
+#
+################################################################################
+
+# create_channel(source, dest, chan-label)
+# This allows an event channel to be created from domains with labels
+# <source> to <dest> and will label it <chan-label>
+define(`create_channel', `
+ allow $1 $3:event { create send status };
+ allow $3 $2:event { bind };
+')
+
+# domain_event_comms(dom1, dom2)
+# Allow two domain types to communicate using event channels
+define(`domain_event_comms', `
+ create_channel($1, $2, $1_channel)
+ create_channel($2, $1, $2_channel)
+')
+
+# domain_comms(dom1, dom2)
+# Allow two domain types to communicate using grants and event channels
+define(`domain_comms', `
+ domain_event_comms($1, $2)
+ allow $1 $2:grant { map_read map_write copy unmap };
+ allow $2 $1:grant { map_read map_write copy unmap };
+')
+
+# domain_self_comms(domain)
+# Allow a non-singleton domain type to communicate with itself using grants
+# and event channels
+define(`domain_self_comms', `
+ create_channel($1, $1_self, $1_channel)
+ allow $1 $1_self:grant { map_read map_write copy unmap };
+')
+
+# device_model(dm_dom, hvm_dom)
+# Define how a device model domain interacts with its target
+define(`device_model', `
+ type $2_target, domain_type, domain_target_type;
+ type_transition $2 $1:domain $2_target;
+ allow $1 $2:domain set_target;
+
+ type_transition $2_target domain_type:event $2_channel;
+ create_channel($1, $2_target, $1_channel)
+ create_channel($2, $1, $2_channel)
+ allow $1 $2_channel:event create;
+
+ allow $1 $2_target:domain shutdown;
+ allow $1 $2_target:mmu { map_read map_write adjust physmap target_hack
};
+ allow $1 $2_target:hvm { getparam setparam trackdirtyvram hvmctl
irqlevel pciroute pcilevel cacheattr send_irq };
+')
+
+# make_device_model(priv, dm_dom, hvm_dom)
+# Allow creation of a device model and HVM domain pair
+define(`make_device_model', `
+ device_model($2, $3)
+ allow $1 $2:domain2 make_priv_for;
+ allow $1 $3:domain2 set_as_target;
+')
+################################################################################
+#
+# Device types and delegation (PCI passthrough)
+#
+################################################################################
+
+# use_device(domain, device)
+# Allow a device to be used by a domain
+define(`use_device', `
+ allow $1 $1_self:mmu exchange;
+ allow $1 $2:resource use;
+ allow $1 domio_t:mmu { map_read map_write };
+')
+
+# admin_device(domain, device)
+# Allow a device to be used and delegated by a domain
+define(`admin_device', `
+ allow $1 $2:resource { setup stat_device add_device add_irq add_iomem
add_ioport remove_device remove_irq remove_iomem remove_ioport plug unplug };
+ allow $1 $2:hvm bind_irq;
+ use_device($1, $2)
+')
+
+# delegate_devices(priv-domain, target-domain)
+# Allow devices to be delegated
+define(`delegate_devices', `
+ allow $1 $2:resource { add remove };
+')
diff --git a/tools/flask/policy/modules/xen.te
b/tools/flask/policy/modules/xen.te
new file mode 100644
index 0000000..3ee5e75
--- /dev/null
+++ b/tools/flask/policy/modules/xen.te
@@ -0,0 +1,89 @@
+################################################################################
+#
+# Attributes for types
+#
+# An attribute may be used in a rule as shorthand for all types with that
+# attribute.
+#
+################################################################################
+attribute xen_type;
+attribute domain_type;
+attribute domain_self_type;
+attribute domain_target_type;
+attribute resource_type;
+attribute event_type;
+attribute mls_priv;
+
+################################################################################
+#
+# Types for the initial SIDs
+#
+# These types are used internally for objects created during Xen startup or for
+# devices that have not yet been labeled
+#
+################################################################################
+
+# The hypervisor itself
+type xen_t, xen_type, mls_priv;
+
+# Domain 0
+declare_singleton_domain(dom0_t, mls_priv);
+
+# I/O memory (DOMID_IO pseudo-domain)
+type domio_t, xen_type;
+
+# Xen heap (DOMID_XEN pseudo-domain)
+type domxen_t, xen_type;
+
+# Unlabeled objects
+type unlabeled_t, xen_type;
+
+# The XSM/FLASK security server
+type security_t, xen_type;
+
+# Unlabeled device resources
+# Note: don't allow access to these types directly; see below for how to label
+# devices and use that label for allow rules
+type irq_t, resource_type;
+type ioport_t, resource_type;
+type iomem_t, resource_type;
+type device_t, resource_type;
+
+################################################################################
+#
+# Policy constraints
+#
+# Neverallow rules will cause the policy build to fail if an allow rule exists
+# that violates the expression. This is used to ensure proper labeling of
+# objects.
+#
+################################################################################
+
+# Domains must be declared using domain_type
+neverallow * ~domain_type:domain { create transition };
+
+# Resources must be declared using resource_type
+neverallow * ~resource_type:resource use;
+
+# Events must use event_type (see create_channel for a template)
+neverallow ~event_type *:event bind;
+neverallow * ~event_type:event { create send status };
+
+################################################################################
+#
+# Roles
+#
+################################################################################
+
+# The object role (object_r) is used for devices, resources, and event
channels;
+# it does not need to be defined here and should not be used for domains.
+
+# The system role is used for utility domains and pseudo-domains
+role system_r;
+role system_r types { xen_type domain_type };
+# If you want to prevent domUs from being placed in system_r:
+##role system_r types { xen_type dom0_t };
+
+# The vm role is used for customer virtual machines
+role vm_r;
+role vm_r types { domain_type -dom0_t };
diff --git a/tools/flask/policy/policy/modules.conf
b/tools/flask/policy/policy/modules.conf
deleted file mode 100644
index 8043974..0000000
--- a/tools/flask/policy/policy/modules.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-#
-# This file contains a listing of available modules.
-# To prevent a module from being used in policy
-# creation, set the module name to "off" otherwise
-# set the module name on "on".
-#
-
-# Layer: xen
-# Module: xen
-# Required in base
-#
-# Policy for xen.
-#
-xen = on
-
diff --git a/tools/flask/policy/policy/modules/xen/xen.if
b/tools/flask/policy/policy/modules/xen/xen.if
deleted file mode 100644
index 00d1bbb..0000000
--- a/tools/flask/policy/policy/modules/xen/xen.if
+++ /dev/null
@@ -1,189 +0,0 @@
-# Macro definitions for FLASK policy
-
-################################################################################
-#
-# Domain creation and setup
-#
-################################################################################
-define(`declare_domain_common', `
- allow $1 $2:grant { query setup };
- allow $1 $2:mmu { adjust physmap map_read map_write stat pinpage
updatemp mmuext_op };
- allow $1 $2:hvm { getparam setparam altp2mhvm_op };
- allow $1 $2:domain2 get_vnumainfo;
-')
-
-# declare_domain(type, attrs...)
-# Declare a domain type, along with associated _self and _channel types
-# Allow the domain to perform basic operations on itself
-define(`declare_domain', `
- type $1, domain_type`'ifelse(`$#', `1', `', `,shift($@)');
- type $1_self, domain_type, domain_self_type;
- type_transition $1 $1:domain $1_self;
- type $1_channel, event_type;
- type_transition $1 domain_type:event $1_channel;
- declare_domain_common($1, $1_self)
-')
-
-# declare_singleton_domain(type, attrs...)
-# Declare a domain type and associated _channel types.
-# Note: Because the domain can perform basic operations on itself and any
-# other domain of the same type, this constructor should be used for types
-# containing at most one domain. This is not enforced by policy.
-define(`declare_singleton_domain', `
- type $1, domain_type`'ifelse(`$#', `1', `', `,shift($@)');
- define(`$1_self', `$1')
- type $1_channel, event_type;
- type_transition $1 domain_type:event $1_channel;
- declare_domain_common($1, $1)
-')
-
-# declare_build_label(type)
-# Declare a paired _building type for the given domain type
-define(`declare_build_label', `
- type $1_building, domain_type;
- type_transition $1_building domain_type:event $1_channel;
- allow $1_building $1 : domain transition;
-')
-
-define(`create_domain_common', `
- allow $1 $2:domain { create max_vcpus setdomainmaxmem setaddrsize
- getdomaininfo hypercall setvcpucontext setextvcpucontext
- getscheduler getvcpuinfo getvcpuextstate getaddrsize
- getaffinity setaffinity setvcpuextstate };
- allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim
- set_max_evtchn set_vnumainfo get_vnumainfo cacheflush
- psr_cmt_op psr_cat_op soft_reset };
- allow $1 $2:security check_context;
- allow $1 $2:shadow enable;
- allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage
mmuext_op updatemp };
- allow $1 $2:grant setup;
- allow $1 $2:hvm { cacheattr getparam hvmctl irqlevel pciroute sethvmc
- setparam pcilevel trackdirtyvram nested altp2mhvm
altp2mhvm_op };
-')
-
-# create_domain(priv, target)
-# Allow a domain to be created directly
-define(`create_domain', `
- create_domain_common($1, $2)
- allow $1 $2_channel:event create;
-')
-
-# create_domain_build_label(priv, target)
-# Allow a domain to be created via its domain build label
-define(`create_domain_build_label', `
- create_domain_common($1, $2_building)
- allow $1 $2_channel:event create;
- allow $1 $2_building:domain2 relabelfrom;
- allow $1 $2:domain2 relabelto;
- allow $2_building $2:domain transition;
-')
-
-# manage_domain(priv, target)
-# Allow managing a running domain
-define(`manage_domain', `
- allow $1 $2:domain { getdomaininfo getvcpuinfo getaffinity
- getaddrsize pause unpause trigger shutdown destroy
- setaffinity setdomainmaxmem getscheduler resume };
- allow $1 $2:domain2 set_vnumainfo;
-')
-
-# migrate_domain_out(priv, target)
-# Allow creation of a snapshot or migration image from a domain
-# (inbound migration is the same as domain creation)
-define(`migrate_domain_out', `
- allow $1 domxen_t:mmu map_read;
- allow $1 $2:hvm { gethvmc getparam irqlevel };
- allow $1 $2:mmu { stat pageinfo map_read };
- allow $1 $2:domain { getaddrsize getvcpucontext getextvcpucontext
getvcpuextstate pause destroy };
- allow $1 $2:domain2 gettsc;
- allow $1 $2:shadow { enable disable logdirty };
-')
-
-################################################################################
-#
-# Inter-domain communication
-#
-################################################################################
-
-# create_channel(source, dest, chan-label)
-# This allows an event channel to be created from domains with labels
-# <source> to <dest> and will label it <chan-label>
-define(`create_channel', `
- allow $1 $3:event { create send status };
- allow $3 $2:event { bind };
-')
-
-# domain_event_comms(dom1, dom2)
-# Allow two domain types to communicate using event channels
-define(`domain_event_comms', `
- create_channel($1, $2, $1_channel)
- create_channel($2, $1, $2_channel)
-')
-
-# domain_comms(dom1, dom2)
-# Allow two domain types to communicate using grants and event channels
-define(`domain_comms', `
- domain_event_comms($1, $2)
- allow $1 $2:grant { map_read map_write copy unmap };
- allow $2 $1:grant { map_read map_write copy unmap };
-')
-
-# domain_self_comms(domain)
-# Allow a non-singleton domain type to communicate with itself using grants
-# and event channels
-define(`domain_self_comms', `
- create_channel($1, $1_self, $1_channel)
- allow $1 $1_self:grant { map_read map_write copy unmap };
-')
-
-# device_model(dm_dom, hvm_dom)
-# Define how a device model domain interacts with its target
-define(`device_model', `
- type $2_target, domain_type, domain_target_type;
- type_transition $2 $1:domain $2_target;
- allow $1 $2:domain set_target;
-
- type_transition $2_target domain_type:event $2_channel;
- create_channel($1, $2_target, $1_channel)
- create_channel($2, $1, $2_channel)
- allow $1 $2_channel:event create;
-
- allow $1 $2_target:domain shutdown;
- allow $1 $2_target:mmu { map_read map_write adjust physmap target_hack
};
- allow $1 $2_target:hvm { getparam setparam trackdirtyvram hvmctl
irqlevel pciroute pcilevel cacheattr send_irq };
-')
-
-# make_device_model(priv, dm_dom, hvm_dom)
-# Allow creation of a device model and HVM domain pair
-define(`make_device_model', `
- device_model($2, $3)
- allow $1 $2:domain2 make_priv_for;
- allow $1 $3:domain2 set_as_target;
-')
-################################################################################
-#
-# Device types and delegation (PCI passthrough)
-#
-################################################################################
-
-# use_device(domain, device)
-# Allow a device to be used by a domain
-define(`use_device', `
- allow $1 $1_self:mmu exchange;
- allow $1 $2:resource use;
- allow $1 domio_t:mmu { map_read map_write };
-')
-
-# admin_device(domain, device)
-# Allow a device to be used and delegated by a domain
-define(`admin_device', `
- allow $1 $2:resource { setup stat_device add_device add_irq add_iomem
add_ioport remove_device remove_irq remove_iomem remove_ioport plug unplug };
- allow $1 $2:hvm bind_irq;
- use_device($1, $2)
-')
-
-# delegate_devices(priv-domain, target-domain)
-# Allow devices to be delegated
-define(`delegate_devices', `
- allow $1 $2:resource { add remove };
-')
diff --git a/tools/flask/policy/policy/modules/xen/xen.te
b/tools/flask/policy/policy/modules/xen/xen.te
deleted file mode 100644
index 50aa602..0000000
--- a/tools/flask/policy/policy/modules/xen/xen.te
+++ /dev/null
@@ -1,272 +0,0 @@
-################################################################################
-#
-# Attributes for types
-#
-# An attribute may be used in a rule as shorthand for all types with that
-# attribute.
-#
-################################################################################
-attribute xen_type;
-attribute domain_type;
-attribute domain_self_type;
-attribute domain_target_type;
-attribute resource_type;
-attribute event_type;
-attribute mls_priv;
-
-################################################################################
-#
-# Types for the initial SIDs
-#
-# These types are used internally for objects created during Xen startup or for
-# devices that have not yet been labeled
-#
-################################################################################
-
-# The hypervisor itself
-type xen_t, xen_type, mls_priv;
-
-# Domain 0
-declare_singleton_domain(dom0_t, mls_priv);
-
-# I/O memory (DOMID_IO pseudo-domain)
-type domio_t, xen_type;
-
-# Xen heap (DOMID_XEN pseudo-domain)
-type domxen_t, xen_type;
-
-# Unlabeled objects
-type unlabeled_t, xen_type;
-
-# The XSM/FLASK security server
-type security_t, xen_type;
-
-# Unlabeled device resources
-# Note: don't allow access to these types directly; see below for how to label
-# devices and use that label for allow rules
-type irq_t, resource_type;
-type ioport_t, resource_type;
-type iomem_t, resource_type;
-type device_t, resource_type;
-
-################################################################################
-#
-# Allow dom0 access to all sysctls, devices, and the security server.
-#
-# While this could be written more briefly using wildcards, the permissions are
-# listed out to make removing specific permissions simpler.
-#
-################################################################################
-allow dom0_t xen_t:xen {
- settime tbufcontrol readconsole clearconsole perfcontrol mtrr_add
- mtrr_del mtrr_read microcode physinfo quirk writeconsole readapic
- writeapic privprofile nonprivprofile kexec firmware sleep frequency
- getidle debug getcpuinfo heap pm_op mca_op lockprof cpupool_op tmem_op
- tmem_control getscheduler setscheduler
-};
-allow dom0_t xen_t:xen2 {
- resource_op
- psr_cmt_op
- psr_cat_op
-};
-allow dom0_t xen_t:xen2 {
- pmu_ctrl
- get_symbol
- get_cpu_levelling_caps
- get_cpu_featureset
- livepatch_op
-};
-
-# Allow dom0 to use all XENVER_ subops that have checks.
-# Note that dom0 is part of domain_type so this has duplicates.
-allow dom0_t xen_t:version {
- xen_extraversion xen_compile_info xen_capabilities
- xen_changeset xen_pagesize xen_guest_handle xen_commandline
- xen_build_id
-};
-
-allow dom0_t xen_t:mmu memorymap;
-
-# Allow dom0 to use these domctls on itself. For domctls acting on other
-# domains, see the definitions of create_domain and manage_domain.
-allow dom0_t dom0_t:domain {
- setvcpucontext max_vcpus setaffinity getaffinity getscheduler
- getdomaininfo getvcpuinfo getvcpucontext setdomainmaxmem setdomainhandle
- setdebugging hypercall settime setaddrsize getaddrsize trigger
- getextvcpucontext setextvcpucontext getvcpuextstate setvcpuextstate
- getpodtarget setpodtarget set_misc_info set_virq_handler
-};
-allow dom0_t dom0_t:domain2 {
- set_cpuid gettsc settsc setscheduler set_max_evtchn set_vnumainfo
- get_vnumainfo psr_cmt_op psr_cat_op
-};
-allow dom0_t dom0_t:resource { add remove };
-
-# These permissions allow using the FLASK security server to compute access
-# checks locally, which could be used by a domain or service (such as xenstore)
-# that does not have its own security server to make access decisions based on
-# Xen's security policy.
-allow dom0_t security_t:security {
- compute_av compute_create compute_member compute_relabel compute_user
-};
-
-# Allow string/SID conversions (for "xl list -Z" and similar)
-allow dom0_t security_t:security check_context;
-
-# Allow flask-label-pci to add and change labels
-allow dom0_t security_t:security { add_ocontext del_ocontext };
-
-# Allow performance parameters of the security server to be tweaked
-allow dom0_t security_t:security setsecparam;
-
-# Allow changing the security policy
-allow dom0_t security_t:security { load_policy setenforce setbool };
-
-# Audit policy change events even when they are allowed
-auditallow dom0_t security_t:security { load_policy setenforce setbool };
-
-admin_device(dom0_t, device_t)
-admin_device(dom0_t, irq_t)
-admin_device(dom0_t, ioport_t)
-admin_device(dom0_t, iomem_t)
-
-domain_comms(dom0_t, dom0_t)
-
-# Allow all domains to use (unprivileged parts of) the tmem hypercall
-allow domain_type xen_t:xen tmem_op;
-
-# Allow guest console output to the serial console. This is used by PV Linux
-# and stub domains for early boot output, so don't audit even when we deny it.
-# Without XSM, this is enabled only if the Xen was compiled in debug mode.
-gen_bool(guest_writeconsole, true)
-if (guest_writeconsole) {
- allow domain_type xen_t : xen writeconsole;
-} else {
- dontaudit domain_type xen_t : xen writeconsole;
-}
-
-# Allow all domains to use PMU (but not to change its settings --- that's what
-# pmu_ctrl is for)
-allow domain_type xen_t:xen2 pmu_use;
-
-# For normal guests all possible except XENVER_commandline.
-allow domain_type xen_t:version {
- xen_extraversion xen_compile_info xen_capabilities
- xen_changeset xen_pagesize xen_guest_handle
-};
-
-# These queries don't need auditing when denied. They can be
-# encountered in normal operation by xl or by reading sysfs files in
-# Linux, so without this they will show up in the logs. Since these
-# operations return valid responses (like "denied"), hiding the denials
-# should not break anything.
-dontaudit domain_type xen_t:version {
- xen_commandline xen_build_id
-};
-
-###############################################################################
-#
-# Domain creation
-#
-###############################################################################
-
-declare_domain(domU_t)
-domain_self_comms(domU_t)
-create_domain(dom0_t, domU_t)
-manage_domain(dom0_t, domU_t)
-domain_comms(dom0_t, domU_t)
-domain_comms(domU_t, domU_t)
-migrate_domain_out(dom0_t, domU_t)
-domain_self_comms(domU_t)
-
-declare_domain(isolated_domU_t)
-create_domain(dom0_t, isolated_domU_t)
-manage_domain(dom0_t, isolated_domU_t)
-domain_comms(dom0_t, isolated_domU_t)
-migrate_domain_out(dom0_t, isolated_domU_t)
-domain_self_comms(isolated_domU_t)
-
-# Declare a boolean that denies creation of prot_domU_t domains
-gen_bool(prot_doms_locked, false)
-declare_domain(prot_domU_t)
-if (!prot_doms_locked) {
- create_domain(dom0_t, prot_domU_t)
- migrate_domain_out(dom0_t, prot_domU_t)
-}
-domain_comms(dom0_t, prot_domU_t)
-domain_comms(domU_t, prot_domU_t)
-domain_comms(prot_domU_t, prot_domU_t)
-domain_self_comms(prot_domU_t)
-
-# Device model for domU_t. You can define distinct types for device models for
-# domains of other types, or add more make_device_model lines for this type.
-declare_domain(dm_dom_t)
-create_domain(dom0_t, dm_dom_t)
-manage_domain(dom0_t, dm_dom_t)
-domain_comms(dom0_t, dm_dom_t)
-make_device_model(dom0_t, dm_dom_t, domU_t)
-
-# nomigrate_t must be built via the nomigrate_t_building label; once built,
-# dom0 cannot read its memory.
-declare_domain(nomigrate_t)
-declare_build_label(nomigrate_t)
-create_domain_build_label(dom0_t, nomigrate_t)
-manage_domain(dom0_t, nomigrate_t)
-domain_comms(dom0_t, nomigrate_t)
-domain_self_comms(nomigrate_t)
-
-###############################################################################
-#
-# Device delegation
-#
-# This requires that the device be labeled with a type defined here. You can
-# use flask-label-pci to dynamically label devices on each boot or define the
-# labels statically in tools/flask/policy/policy/device_contexts
-#
-###############################################################################
-
-type nic_dev_t, resource_type;
-
-admin_device(dom0_t, nic_dev_t)
-use_device(domU_t, nic_dev_t)
-
-delegate_devices(dom0_t, domU_t)
-
-################################################################################
-#
-# Policy constraints
-#
-# Neverallow rules will cause the policy build to fail if an allow rule exists
-# that violates the expression. This is used to ensure proper labeling of
-# objects.
-#
-################################################################################
-
-# Domains must be declared using domain_type
-neverallow * ~domain_type:domain { create transition };
-
-# Resources must be declared using resource_type
-neverallow * ~resource_type:resource use;
-
-# Events must use event_type (see create_channel for a template)
-neverallow ~event_type *:event bind;
-neverallow * ~event_type:event { create send status };
-
-################################################################################
-#
-# Roles
-#
-################################################################################
-
-# The object role (object_r) is used for devices, resources, and event
channels;
-# it does not need to be defined here and should not be used for domains.
-
-# The system role is used for utility domains and pseudo-domains
-role system_r;
-role system_r types { xen_type domain_type };
-# If you want to prevent domUs from being placed in system_r:
-##role system_r types { xen_type dom0_t };
-
-# The vm role is used for customer virtual machines
-role vm_r;
-role vm_r types { domain_type -dom0_t };
--
generated by git-patchbot for /home/xen/git/xen.git#master
_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |