author | Daniel De Graaf <dgdegra@tycho.nsa.gov> | 2011-12-20 18:19:53 +0000 |
committer | Daniel De Graaf <dgdegra@tycho.nsa.gov> | 2011-12-20 18:19:53 +0000 |
commit | fba7e0e2d350742f114994d183c1e7bf9fdb5949 (patch) | |
tree | a8a9c0cb5e8d48e82fb0697026acdc4b1bd953b0 /tools/flask/policy/policy/modules/xen/xen.if | |
parent | 7b83f96ce7e2560388f0c6e36551b0d748a0542a (diff) | |
download | xen-fba7e0e2d350742f114994d183c1e7bf9fdb5949.tar.gz xen-fba7e0e2d350742f114994d183c1e7bf9fdb5949.tar.bz2 xen-fba7e0e2d350742f114994d183c1e7bf9fdb5949.zip |
flask/policy: Update example policy
Rewrite the example policy to make it easier to understand and
demonstrate some of the security goals that FLASK can enforce.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Ian Jackson <ian.jackson.citrix.com>
Diffstat (limited to 'tools/flask/policy/policy/modules/xen/xen.if')
-rw-r--r-- | tools/flask/policy/policy/modules/xen/xen.if | 150 |
1 files changed, 77 insertions, 73 deletions
diff --git a/tools/flask/policy/policy/modules/xen/xen.if b/tools/flask/policy/policy/modules/xen/xen.if
index 1b508987f2..cd240d8f7d 100644
--- a/tools/flask/policy/policy/modules/xen/xen.if
+++ b/tools/flask/policy/policy/modules/xen/xen.if
@@ -1,92 +1,96 @@
-###############################################################################
-#
-# create_domain(priv_dom, domain, channel)
-#
-################################################################################
-define(`create_domain', `
- type $2, domain_type;
- allow $1 $2:domain {create max_vcpus setdomainmaxmem
- setaddrsize getdomaininfo hypercall
- setvcpucontext scheduler unpause
- getvcpuinfo getaddrsize getvcpuaffinity};
- allow $1 $2:shadow {enable};
- allow $1 $2:mmu {map_read map_write adjust physmap};
- allow $2 $2:mmu {adjust physmap};
- allow $1 $3:event {create};
-')
-
-###############################################################################
-#
-# create_hvm_dom(priv_dom, domain, channel)
-#
-################################################################################
-define(`create_hvm_dom', `
- create_domain($1, $2, $3)
- allow $1 $2:hvm { setparam getparam cacheattr pciroute irqlevel pcilevel trackdirtyvram };
- allow $2 $2:hvm setparam;
-')
+# Macro definitions for FLASK policy
-###############################################################################
-#
-# create_pv_dom(priv_dom, domain, channel, iodomain)
-#
-################################################################################
-define(`create_pv_dom', `
- create_domain($1, $2, $3)
- allow $1 $2:mmu {memorymap pinpage};
- allow $2 $2:mmu {map_read map_write pinpage};
- allow $2 $4:mmu {map_read};
-
- allow $2 $2:grant {query setup};
- allow $1 $2:grant {map_read unmap};
-')
 ################################################################################
 #
-# manage_domain(priv_dom, domain)
+# Domain creation and setup
 #
 ################################################################################
-define(`manage_domain', `
- allow $1 $2:domain {pause destroy};
+# declare_domain(type)
+# Declare a type as a domain type, and allow basic domain setup
+define(`declare_domain', `
+ type $1, domain_type;
+ allow $1 $1:grant { query setup };
+ allow $1 $1:mmu { adjust physmap map_read map_write stat pinpage };
+ allow $1 $1:hvm { getparam setparam };
+')
+
+# create_domain(priv, target)
+# Allow a domain to be created
+define(`create_domain', `
+ allow $1 $2:domain { create max_vcpus setdomainmaxmem setaddrsize
+ getdomaininfo hypercall setvcpucontext scheduler
+ unpause getvcpuinfo getvcpuextstate getaddrsize
+ getvcpuaffinity };
+ allow $1 $2:security check_context;
+ allow $1 $2:shadow enable;
+ allow $1 $2:mmu {map_read map_write adjust memorymap physmap pinpage};
+ allow $1 $2:grant setup;
+ allow $1 $2:hvm { cacheattr getparam hvmctl irqlevel pciroute setparam };
+ allow $1 $2_$1_channel:event create;
 ')
 ################################################################################
 #
-# create_channel(caller, peer, channel)
+# Inter-domain communication
 #
 ################################################################################
+
+# create_channel(source, dest, chan-label)
+# This allows an event channel to be created from domains with labels
+# <source> to <dest> and will label it <chan-label>
 define(`create_channel', `
 type $3, event_type;
 type_transition $1 $2:event $3;
- allow $1 $3:event {create};
- allow $3 $2:event {bind};
+ allow $1 $3:event { create send status };
+ allow $3 $2:event { bind };
 ')
-###############################################################################
-#
-# create_passthrough_resource(priv_dom, domain, resource)
-#
-###############################################################################
-define(`create_passthrough_resource', `
- type $3, resource_type;
- allow $1 $2:resource {add remove};
- allow $1 ioport_t:resource {add_ioport use};
- allow $1 iomem_t:resource {add_iomem use};
- allow $1 irq_t:resource {add_irq use};
- allow $1 domio_t:mmu {map_read map_write};
- allow $2 domio_t:mmu {map_write};
- allow $2 irq_t:resource {use};
- allow $1 $3:resource {add_irq add_iomem add_ioport remove_irq remove_iomem remove_ioport use add_device remove_device};
- allow $2 $3:resource {use add_ioport add_iomem remove_ioport remove_iomem};
- allow $2 $3:mmu {map_read map_write};
+
+# domain_event_comms(dom1, dom2)
+# Allow two domain types to communicate using event channels
+define(`domain_event_comms', `
+ create_channel($1, $2, $1_$2_channel)
+ create_channel($2, $1, $2_$1_channel)
+')
+
+# domain_comms(dom1, dom2)
+# Allow two domain types to communicate using grants and event channels
+define(`domain_comms', `
+ domain_event_comms($1, $2)
+ allow $1 $2:grant { map_read map_write copy unmap };
+ allow $2 $1:grant { map_read map_write copy unmap };
+')
+
+# domain_self_comms(domain)
+# Allow a domain types to communicate with others of its type using grants
+# and event channels (this includes event channels to DOMID_SELF)
+define(`domain_self_comms', `
+ create_channel($1, $1, $1_self_channel)
+ allow $1 $1:grant { map_read map_write copy unmap };
 ')
-###############################################################################
+
+################################################################################
 #
-# create_hvm_resource(priv_dom, domain, resource)
+# Device types and delegation (PCI passthrough)
 #
-###############################################################################
-define(`create_hvm_resource', `
- type $3, resource_type;
- allow $1 $2:resource {add remove};
- allow $1 $3:hvm {bind_irq};
- allow $1 $3:resource {stat_device add_device remove_device add_irq remove_irq add_iomem remove_iomem add_ioport remove_ioport};
- allow $2 $3:resource {use};
+################################################################################
+
+# use_device(domain, device)
+# Allow a device to be used by a domain
+define(`use_device', `
+ allow $1 $2:resource use;
+ allow $1 $2:mmu { map_read map_write };
+')
+
+# admin_device(domain, device)
+# Allow a device to be used and delegated by a domain
+define(`admin_device', `
+ allow $1 $2:resource { setup stat_device add_device add_irq add_iomem add_ioport remove_device remove_irq remove_iomem remove_ioport };
+ allow $1 $2:hvm bind_irq;
+ use_device($1, $2)
+')
+
+# delegate_devices(priv-domain, target-domain)
+# Allow devices to be delegated
+define(`delegate_devices', `
+ allow $1 $2:resource { add remove };
 ')
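Review bot: The new `create_domain(priv, target)` ends with `allow $1 $2_$1_channel:event create;` but nothing in the macro declares the `$2_$1_channel` type, and it no longer declares `$2` as a `domain_type` either; both now come from other macros (`declare_domain($2)` and `create_channel($2, $1, ...)`, which `domain_event_comms` expands to), so the macro only works when callers invoke those first, and a policy that calls `create_domain` alone would presumably fail at policy build time with an undeclared type rather than silently grant less. The header comment `# Allow a domain to be created` does not state that ordering requirement; suggest `# Allow a domain to be created. The target must already have been passed to` / `# declare_domain, and domain_event_comms(priv, target) must precede this so` / `# that the target_priv_channel event type exists.` The same implicit coupling exists for `admin_device`, which can only delegate a device to a target if `delegate_devices` is also applied, and is worth a one-line note there too. Separately, the `domain_self_comms` comment reads `Allow a domain types to communicate` and should be `Allow a domain type to communicate`.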