author | Keir Fraser <keir.fraser@citrix.com> | 2008-09-04 11:26:25 +0100 |
---|---|---|
committer | Keir Fraser <keir.fraser@citrix.com> | 2008-09-04 11:26:25 +0100 |
commit | 3129d6f2ead5be7c75078b1f7325d5a1e6d5e4d8 (patch) | |
tree | 9ad863524d59aff303bf67434c3dec8b45bae7bc /tools/flask/policy/policy/modules/xen/xen.te | |
parent | aff2988ad524ed3835bd0c402f8ec25264db61ea (diff) | |
xsm, flask: sample flask policy
- The patch includes a policy for xen that can be booted into
enforcing mode and supports creation and management of
paravirtualized guests. The policy follows the dom0/domU usage
model; extending it to other models, or adding management or IO
permissions, should now be much more straightforward. The option
flask_enforcing=1 can be passed on the xen line in grub to boot
into enforcing mode.
- The policy provides a basic policy for booting the platform and
creating a domU with the label system_u:object_r:domU_t. The policy
can be easily extended to support new types by modifying the xen.te
source file.
- The policy includes some basic macros which may be helpful in
extending the policy.
- The policy is compatible with and requires the most recent XSM
patch, xsm-flask-io-sysctl-hooks-090308.diff.
- The policy is not built as part of the make all as it requires the
SELinux policy compiler which may/may not be installed on all
systems. Users must go into the tools/flask/policy directory and
explicitly compile the policy.
Signed-off-by: George Coker <gscoker@alpha.ncsc.mil>
Diffstat (limited to 'tools/flask/policy/policy/modules/xen/xen.te')
-rw-r--r-- | tools/flask/policy/policy/modules/xen/xen.te | 135 |
1 files changed, 135 insertions, 0 deletions
diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
new file mode 100644
index 0000000000..70fbfc0774
--- /dev/null
+++ b/tools/flask/policy/policy/modules/xen/xen.te
@@ -0,0 +1,135 @@
+attribute xen_type;
+attribute domain_type;
+attribute resource_type;
+attribute event_type;
+
+type xen_t, xen_type, domain_type;
+
+type dom0_t, domain_type;
+
+type domio_t, domain_type;
+
+type domxen_t, domain_type;
+
+type unlabeled_t, domain_type;
+
+type security_t, domain_type;
+
+type pirq_t, resource_type;
+type ioport_t, resource_type;
+type iomem_t, resource_type;
+type device_t, resource_type;
+
+################################################################################
+#
+# create_domain(priv_dom, domain, channel)
+#
+################################################################################
+define(`create_domain', `
+ type $2, domain_type;
+ allow $1 $2:domain {create max_vcpus setdomainmaxmem
+ setaddrsize getdomaininfo hypercall
+ setvcpucontext scheduler unpause
+ getvcpuinfo getaddrsize getvcpuaffinity};
+ allow $1 $2:shadow {enable};
+ allow $1 $2:mmu {map_read map_write memorymap adjust pinpage};
+ allow $2 $2:mmu {map_read map_write pinpage};
+ allow $2 domio_t:mmu {map_read};
+ allow $2 $2:grant {query setup};
+ allow $1 $2:grant {map_read unmap};
+ allow $1 $3:event {create};
+')
+
+################################################################################
+#
+# manage_domain(priv_dom, domain)
+#
+################################################################################
+define(`manage_domain', `
+ allow $1 $2:domain {pause destroy};
+')
+
+################################################################################
+#
+# create_channel(caller, peer, channel)
+#
+################################################################################
+define(`create_channel', `
+ type $3, event_type;
+ type_transition $1 $2:event $3;
+ allow $1 $3:event {create};
+ allow $3 $2:event {bind};
+')
+
+################################################################################
+#
+# Boot the hypervisor and dom0
+#
+################################################################################
+allow dom0_t xen_t:xen {kexec readapic writeapic mtrr_read mtrr_add mtrr_del
+scheduler physinfo heap quirk readconsole writeconsole settime microcode};
+
+allow dom0_t domio_t:mmu {map_read map_write};
+allow dom0_t iomem_t:mmu {map_read map_write};
+allow dom0_t pirq_t:event {vector};
+allow dom0_t xen_t:mmu {memorymap};
+
+allow dom0_t dom0_t:mmu {pinpage map_read map_write adjust};
+allow dom0_t dom0_t:grant {query setup};
+allow dom0_t dom0_t:domain {scheduler getdomaininfo getvcpuinfo getvcpuaffinity};
+
+allow xen_t dom0_t:domain {create};
+allow xen_t dom0_t:resource {add remove};
+allow xen_t ioport_t:resource {add_ioport remove_ioport};
+allow dom0_t ioport_t:resource {use};
+allow xen_t iomem_t:resource {add_iomem remove_iomem};
+allow dom0_t iomem_t:resource {use};
+allow xen_t pirq_t:resource {add_irq remove_irq};
+allow dom0_t pirq_t:resource {use};
+
+allow dom0_t security_t:security {compute_av compute_create compute_member
+check_context load_policy compute_relabel compute_user setenforce setbool
+setsecparam};
+
+create_channel(dom0_t, dom0_t, evchn0-0_t)
+allow dom0_t evchn0-0_t:event {send};
+
+################################################################################
+#
+# Create and manage a domU w/ dom0 IO
+#
+################################################################################
+create_domain(dom0_t, domU_t, evchnU-0_t)
+
+create_channel(domU_t, domU_t, evchnU-U_t)
+allow domU_t evchnU-U_t:event {send};
+
+create_channel(dom0_t, domU_t, evchn0-U_t)
+allow dom0_t evchn0-U_t:event {send};
+
+create_channel(domU_t, dom0_t, evchnU-0_t)
+allow domU_t evchnU-0_t:event {send};
+
+manage_domain(dom0_t, domU_t)
+
+################################################################################
+#
+#
+#
+################################################################################
+sid xen gen_context(system_u:system_r:xen_t,s0)
+sid dom0 gen_context(system_u:system_r:dom0_t,s0)
+sid domU gen_context(system_u:system_r:domU_t,s0)
+sid domxen gen_context(system_u:system_r:domxen_t,s0)
+sid domio gen_context(system_u:system_r:domio_t,s0)
+sid unlabeled gen_context(system_u:system_r:unlabeled_t,s0)
+sid security gen_context(system_u:system_r:security_t,s0)
+sid pirq gen_context(system_u:object_r:pirq_t,s0)
+sid iomem gen_context(system_u:object_r:iomem_t,s0)
+sid ioport gen_context(system_u:object_r:ioport_t,s0)
+sid device gen_context(system_u:object_r:device_t,s0)
+
+role system_r types { xen_type domain_type };
+role user_r types { xen_type domain_type };
+role sysadm_r types { xen_type domain_type };
+role staff_r types { xen_type domain_type }; |
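Review bot: The `allow dom0_t security_t:security {… load_policy … setenforce …}` rule appears to let dom0_t replace the loaded policy or switch enforcement off at runtime, so the enforcing mode advertised in the commit message is only as strong as dom0 itself; that fits the dom0/domU model, but a comment such as `# dom0 administers the policy (load_policy/setenforce) and is fully trusted` above the rule would warn anyone extending this to a constrained dom0 to move these permissions to a separate type. The banner above the `sid` declarations is empty and could read `# Initial SIDs and roles`. The roles `user_r`, `sysadm_r` and `staff_r` are declared with exactly the same type set as `system_r` and no initial SID uses them, so they add no separation; a comment should say they are placeholders, or they could be dropped. Note also that the description says domU is labeled `system_u:object_r:domU_t` while the hunk declares `sid domU gen_context(system_u:system_r:domU_t,s0)`.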