authorKeir Fraser <keir.fraser@citrix.com>2008-09-04 11:26:25 +0100
committerKeir Fraser <keir.fraser@citrix.com>2008-09-04 11:26:25 +0100
commit3129d6f2ead5be7c75078b1f7325d5a1e6d5e4d8 (patch)
tree9ad863524d59aff303bf67434c3dec8b45bae7bc /tools/flask/policy/policy/modules/xen/xen.te
parentaff2988ad524ed3835bd0c402f8ec25264db61ea (diff)
downloadxen-3129d6f2ead5be7c75078b1f7325d5a1e6d5e4d8.tar.gz
xen-3129d6f2ead5be7c75078b1f7325d5a1e6d5e4d8.tar.bz2
xen-3129d6f2ead5be7c75078b1f7325d5a1e6d5e4d8.zip
xsm, flask: sample flask policy
- The patch includes a policy for xen that can be booted into enforcing mode and supports creation and management of paravirtualized guests. The policy follows the dom0/domU usage model; extension to other models, or the addition of management or IO permissions, should now be much more straightforward. The option flask_enforcing=1 can be passed on the xen line in grub to boot into enforcing mode. - The policy provides a basic policy for booting the platform and creating a domU with the label system_u:object_r:domU_t. The policy can be easily extended to support new types by modifying the xen.te source file. - The policy includes some basic macros which may be helpful in extending the policy. - The policy is compatible with and requires the most recent XSM patch, xsm-flask-io-sysctl-hooks-090308.diff. - The policy is not built as part of the make all as it requires the SELinux policy compiler, which may or may not be installed on all systems. Users must go into the tools/flask/policy directory and explicitly compile the policy. Signed-off-by: George Coker <gscoker@alpha.ncsc.mil>
Diffstat (limited to 'tools/flask/policy/policy/modules/xen/xen.te')
-rw-r--r--tools/flask/policy/policy/modules/xen/xen.te135
1 files changed, 135 insertions, 0 deletions
diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
new file mode 100644
index 0000000000..70fbfc0774
--- /dev/null
+++ b/tools/flask/policy/policy/modules/xen/xen.te
@@ -0,0 +1,135 @@
+attribute xen_type;
+attribute domain_type;
+attribute resource_type;
+attribute event_type;
+
+type xen_t, xen_type, domain_type;
+
+type dom0_t, domain_type;
+
+type domio_t, domain_type;
+
+type domxen_t, domain_type;
+
+type unlabeled_t, domain_type;
+
+type security_t, domain_type;
+
+type pirq_t, resource_type;
+type ioport_t, resource_type;
+type iomem_t, resource_type;
+type device_t, resource_type;
+
+################################################################################
+#
+# create_domain(priv_dom, domain, channel)
+#
+################################################################################
+define(`create_domain', `
+ type $2, domain_type;
+ allow $1 $2:domain {create max_vcpus setdomainmaxmem
+ setaddrsize getdomaininfo hypercall
+ setvcpucontext scheduler unpause
+ getvcpuinfo getaddrsize getvcpuaffinity};
+ allow $1 $2:shadow {enable};
+ allow $1 $2:mmu {map_read map_write memorymap adjust pinpage};
+ allow $2 $2:mmu {map_read map_write pinpage};
+ allow $2 domio_t:mmu {map_read};
+ allow $2 $2:grant {query setup};
+ allow $1 $2:grant {map_read unmap};
+ allow $1 $3:event {create};
+')
+
+################################################################################
+#
+# manage_domain(priv_dom, domain)
+#
+################################################################################
+define(`manage_domain', `
+ allow $1 $2:domain {pause destroy};
+')
+
+################################################################################
+#
+# create_channel(caller, peer, channel)
+#
+################################################################################
+define(`create_channel', `
+ type $3, event_type;
+ type_transition $1 $2:event $3;
+ allow $1 $3:event {create};
+ allow $3 $2:event {bind};
+')
+
+################################################################################
+#
+# Boot the hypervisor and dom0
+#
+################################################################################
+allow dom0_t xen_t:xen {kexec readapic writeapic mtrr_read mtrr_add mtrr_del
+scheduler physinfo heap quirk readconsole writeconsole settime microcode};
+
+allow dom0_t domio_t:mmu {map_read map_write};
+allow dom0_t iomem_t:mmu {map_read map_write};
+allow dom0_t pirq_t:event {vector};
+allow dom0_t xen_t:mmu {memorymap};
+
+allow dom0_t dom0_t:mmu {pinpage map_read map_write adjust};
+allow dom0_t dom0_t:grant {query setup};
+allow dom0_t dom0_t:domain {scheduler getdomaininfo getvcpuinfo getvcpuaffinity};
+
+allow xen_t dom0_t:domain {create};
+allow xen_t dom0_t:resource {add remove};
+allow xen_t ioport_t:resource {add_ioport remove_ioport};
+allow dom0_t ioport_t:resource {use};
+allow xen_t iomem_t:resource {add_iomem remove_iomem};
+allow dom0_t iomem_t:resource {use};
+allow xen_t pirq_t:resource {add_irq remove_irq};
+allow dom0_t pirq_t:resource {use};
+
+allow dom0_t security_t:security {compute_av compute_create compute_member
+check_context load_policy compute_relabel compute_user setenforce setbool
+setsecparam};
+
+create_channel(dom0_t, dom0_t, evchn0-0_t)
+allow dom0_t evchn0-0_t:event {send};
+
+################################################################################
+#
+# Create and manage a domU w/ dom0 IO
+#
+################################################################################
+create_domain(dom0_t, domU_t, evchnU-0_t)
+
+create_channel(domU_t, domU_t, evchnU-U_t)
+allow domU_t evchnU-U_t:event {send};
+
+create_channel(dom0_t, domU_t, evchn0-U_t)
+allow dom0_t evchn0-U_t:event {send};
+
+create_channel(domU_t, dom0_t, evchnU-0_t)
+allow domU_t evchnU-0_t:event {send};
+
+manage_domain(dom0_t, domU_t)
+
+################################################################################
+#
+#
+#
+################################################################################
+sid xen gen_context(system_u:system_r:xen_t,s0)
+sid dom0 gen_context(system_u:system_r:dom0_t,s0)
+sid domU gen_context(system_u:system_r:domU_t,s0)
+sid domxen gen_context(system_u:system_r:domxen_t,s0)
+sid domio gen_context(system_u:system_r:domio_t,s0)
+sid unlabeled gen_context(system_u:system_r:unlabeled_t,s0)
+sid security gen_context(system_u:system_r:security_t,s0)
+sid pirq gen_context(system_u:object_r:pirq_t,s0)
+sid iomem gen_context(system_u:object_r:iomem_t,s0)
+sid ioport gen_context(system_u:object_r:ioport_t,s0)
+sid device gen_context(system_u:object_r:device_t,s0)
+
+role system_r types { xen_type domain_type };
+role user_r types { xen_type domain_type };
+role sysadm_r types { xen_type domain_type };
+role staff_r types { xen_type domain_type };
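Review bot: The section header immediately before the `sid` declarations consists of three bare `#` lines, so the block that defines every initial SID and all role-to-type authorizations is the only undocumented section of the file; suggest `# Initial SIDs and role authorizations` in place of the empty middle line. The four `role … types { xen_type domain_type };` lines authorize every role for every type, so the role field of a context gives no additional confinement in this policy; if that is intended for the dom0/domU model, a one-line comment saying so would stop later readers from assuming roles separate dom0 from domU. Also, `create_domain` uses `$3` in `allow $1 $3:event {create};` without declaring it, relying on a separate `create_channel` invocation with the same channel name (as with `create_channel(domU_t, dom0_t, evchnU-0_t)`); the macro's header comment should state that requirement rather than leave it implicit. Lastly, the commit message gives the domU label as system_u:object_r:domU_t while the `sid domU` line uses system_r — the policy text is presumably authoritative, so the message may want correcting in a follow-up.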