authorKeir Fraser <keir.fraser@citrix.com>2009-10-27 12:52:57 +0000
committerKeir Fraser <keir.fraser@citrix.com>2009-10-27 12:52:57 +0000
commit78942912c8a3ff303b910d4a179ff6be7e9b0477 (patch)
tree10468e48843fbc769f0298b5bc52df3dfb63aa73 /tools/flask/policy
parent16d8dcbfb346174e67a61134a45d40870d112cad (diff)
xsm: Add support for Xen device policies
Add support for Xen ocontext records to enable device policies. The default policy will not be changed and instructions have been added to enable the new functionality. Examples on how to use the new policy language have been added but commented out. The newest versions of checkpolicy (>= 2.0.20) and libsepol (>= 2.0.39) are needed in order to compile it. Devices can be labeled and enforced using the following new commands: pirqcon, iomemcon, ioportcon and pcidevicecon. Signed-off-by : George Coker <gscoker@alpha.ncsc.mil> Signed-off-by : Paul Nuzzi <pjnuzzi@tycho.ncsc.mil>
Diffstat (limited to 'tools/flask/policy')
-rw-r--r--tools/flask/policy/Makefile16
-rw-r--r--tools/flask/policy/policy/modules/xen/xen.if31
-rw-r--r--tools/flask/policy/policy/modules/xen/xen.te35
3 files changed, 81 insertions, 1 deletions
diff --git a/tools/flask/policy/Makefile b/tools/flask/policy/Makefile
index 1d227cc15f..4c0d428b57 100644
--- a/tools/flask/policy/Makefile
+++ b/tools/flask/policy/Makefile
@@ -149,6 +149,8 @@ load: tmp/load
$(POLVER): policy.conf
@echo "Compiling $(NAME) $(POLVER)"
$(QUIET) $(CHECKPOLICY) $^ -o $@
+# Uncomment line below to enable policies for devices
+# $(QUIET) $(CHECKPOLICY) -t Xen $^ -o $@
########################################
#
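Review bot: The new `-t Xen` recipe line is left commented out for the user to hand-edit, and the same dead line is repeated in the `$(LOADPATH)` rule below, so the two copies can drift and a user who uncomments the xen.te examples but not this line (or the reverse) gets a checkpolicy parse error instead of a clear message. A make variable keeps the switch in one place and records the tool requirement: `# Set DEVICE_POLICY=y to compile pirqcon/iomemcon/ioportcon/pcidevicecon records (needs checkpolicy >= 2.0.20, libsepol >= 2.0.39)` followed by `CHECKPOLICY_TARGET := $(if $(filter y,$(DEVICE_POLICY)),-t Xen)` with the other top-level definitions, and both recipes become `$(QUIET) $(CHECKPOLICY) $(CHECKPOLICY_TARGET) $^ -o $@`. That checkpolicy without `-t Xen` rejects the new ocontext keywords is inferred from the commit message, not visible in this hunk.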
@@ -157,6 +159,8 @@ $(POLVER): policy.conf
$(LOADPATH): policy.conf
@echo "Compiling and installing $(NAME) $(LOADPATH)"
$(QUIET) $(CHECKPOLICY) $^ -o $@
+# Uncomment line below to enable policies for devices
+# $(QUIET) $(CHECKPOLICY) -t Xen $^ -o $@
########################################
#
@@ -206,8 +210,18 @@ tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_fi
$(QUIET) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf
$(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf
$(QUIET) grep '^sid ' tmp/all_te_files.conf >> tmp/all_post.conf || true
+ $(QUIET) grep ^pirqcon tmp/all_te_files.conf >> \
+ tmp/all_post.conf || true
+ $(QUIET) grep ^ioportcon tmp/all_te_files.conf >> \
+ tmp/all_post.conf || true
+ $(QUIET) grep ^iomemcon tmp/all_te_files.conf >> \
+ tmp/all_post.conf || true
+ $(QUIET) grep ^pcidevicecon tmp/all_te_files.conf >> \
+ tmp/all_post.conf || true
$(QUIET) sed -r -e /^attribute/d -e '/^type /d' -e '/^sid /d' \
- < tmp/all_te_files.conf > tmp/only_te_rules.conf
+ -e "/^pirqcon/d" -e "/^pcidevicecon/d" -e "/^ioportcon/d" \
+ -e "/^iomemcon/d" < tmp/all_te_files.conf \
+ > tmp/only_te_rules.conf
########################################
#
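Review bot: The four ocontext keywords are spelled out twice, once across the four grep lines and again inside the sed expression, so a fifth record type added to only one copy, or a typo in either, silently leaves records in only_te_rules.conf or drops them from all_post.conf, and checkpolicy is the only thing that would notice. Driving both steps from a single list removes the duplication; the `OCONTEXTS` variable belongs with the other top-level definitions, and the two recipe commands replace the four greps and the sed.
```make
# ocontext record types that must be moved out of the TE rules into the post section
OCONTEXTS := pirqcon ioportcon iomemcon pcidevicecon
# … unchanged: attribute/type/sid extraction lines above …
	$(QUIET) for kw in $(OCONTEXTS); do \
		grep "^$$kw" tmp/all_te_files.conf >> tmp/all_post.conf || true; \
	done
	$(QUIET) sed -r -e /^attribute/d -e '/^type /d' -e '/^sid /d' \
		$(foreach kw,$(OCONTEXTS),-e '/^$(kw)/d') \
		< tmp/all_te_files.conf > tmp/only_te_rules.conf
```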
diff --git a/tools/flask/policy/policy/modules/xen/xen.if b/tools/flask/policy/policy/modules/xen/xen.if
index a4ab005087..99afad6f6b 100644
--- a/tools/flask/policy/policy/modules/xen/xen.if
+++ b/tools/flask/policy/policy/modules/xen/xen.if
@@ -60,3 +60,34 @@ define(`create_channel', `
allow $1 $3:event {create};
allow $3 $2:event {bind};
')
+###############################################################################
+#
+# create_passthrough_resource(priv_dom, domain, resource)
+#
+###############################################################################
+define(`create_passthrough_resource', `
+ type $3, resource_type;
+ allow $1 $3:event vector;
+ allow $1 $2:resource {add remove};
+ allow $1 ioport_t:resource {add_ioport use};
+ allow $1 iomem_t:resource {add_iomem use};
+ allow $1 pirq_t:resource {add_irq use};
+ allow $1 domio_t:mmu {map_read map_write};
+ allow $2 domio_t:mmu {map_write};
+ allow $2 pirq_t:resource {use};
+ allow $1 $3:resource {add_irq add_iomem add_ioport remove_irq remove_iomem remove_ioport use add_device remove_device};
+ allow $2 $3:resource {use add_ioport add_iomem remove_ioport remove_iomem};
+ allow $2 $3:mmu {map_read map_write};
+')
+###############################################################################
+#
+# create_hvm_resource(priv_dom, domain, resource)
+#
+###############################################################################
+define(`create_hvm_resource', `
+ type $3, resource_type;
+ allow $1 $2:resource {add remove};
+ allow $1 $3:hvm {bind_irq};
+ allow $1 $3:resource {stat_device add_device remove_device add_irq remove_irq add_iomem remove_iomem add_ioport remove_ioport};
+ allow $2 $3:resource {use};
+')
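Review bot: `allow $2 domio_t:mmu {map_write};` and `allow $2 pirq_t:resource {use};` in create_passthrough_resource grant the unprivileged domain rights on the generic domio_t and pirq_t labels rather than on the per-device type $3, so if those are the fallback labels for I/O memory and IRQs that no iomemcon/pirqcon record covers (I cannot confirm that from this hunk), every guest built with this macro can map any unlabelled device memory and use any unlabelled IRQ, which undercuts the isolation the device labels are meant to provide. If those two rules are needed for something specific, a comment should say what; otherwise they should be dropped in favour of the $3-scoped rules that follow them. Likewise `allow $2 $3:resource {use add_ioport add_iomem remove_ioport remove_iomem};` lets the guest itself add and remove I/O ranges on its device, whereas create_hvm_resource grants $2 only `use`; unless the hypervisor-side checks require the target domain to hold the add_*/remove_* permissions, the passthrough rule should be narrowed to `allow $2 $3:resource {use};` to match. Both macros also emit `type $3, resource_type;` on every invocation, so the header comments should state that $3 must be a fresh type name per invocation.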
diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
index e72e4e6e57..851b0d6bd3 100644
--- a/tools/flask/policy/policy/modules/xen/xen.te
+++ b/tools/flask/policy/policy/modules/xen/xen.te
@@ -76,6 +76,41 @@ allow dom0_t dom0_t:event {send};
allow dom0_t domU_t:grant {copy};
allow domU_t domU_t:grant {copy};
+###############################################################################
+#
+# Create device labels
+#
+###############################################################################
+
+# create device resources
+#create_passthrough_resource(dom0_t, domU_t, nicP_t)
+#create_hvm_resource(dom0_t, domHU_t, nicP_t)
+
+# label e1000e nic
+#pirqcon 33 system_u:object_r:nicP_t
+#pirqcon 55 system_u:object_r:nicP_t
+#iomemcon 0xfebe0-0xfebff system_u:object_r:nicP_t
+#iomemcon 0xfebd9 system_u:object_r:nicP_t
+#ioportcon 0xecc0-0xecdf system_u:object_r:nicP_t
+#pcidevicecon 0xc800 system_u:object_r:nicP_t
+
+# label e100 nic
+#pirqcon 16 system_u:object_r:nicP_t
+#iomemcon 0xfe5df system_u:object_r:nicP_t
+#iomemcon 0xfe5e0-0xfe5ff system_u:object_r:nicP_t
+#iomemcon 0xc2000-0xc200f system_u:object_r:nicP_t
+#ioportcon 0xccc0-0xcd00 system_u:object_r:nicP_t
+
+# label usb 1d.0-2 1d.7
+#pirqcon 23 system_u:object_r:nicP_t
+#pirqcon 17 system_u:object_r:nicP_t
+#pirqcon 18 system_u:object_r:nicP_t
+#ioportcon 0xff80-0xFF9F system_u:object_r:nicP_t
+#ioportcon 0xff60-0xff7f system_u:object_r:nicP_t
+#ioportcon 0xff40-0xff5f system_u:object_r:nicP_t
+#iomemcon 0xff980 system_u:object_r:nicP_t
+#ioportcon 0xff00-0xff1f system_u:object_r:nicP_t
+
manage_domain(dom0_t, domU_t)
################################################################################
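Review bot: The commented examples put the USB controllers (the `# label usb 1d.0-2 1d.7` group) under the same nicP_t label as the two NICs, so any domain given the NIC resource would also be allowed the USB controllers' IRQs and I/O ports; each device that may be assigned independently should get its own type, e.g. `create_passthrough_resource(dom0_t, domU_t, usbP_t)` with the usb lines relabelled `system_u:object_r:usbP_t`. Both example macro invocations also pass nicP_t, and each macro begins with `type $3, resource_type;`, so uncommenting both as written would declare the type twice, which I would expect checkpolicy to reject; the example should either use a distinct type per macro or say that only one of the two may be enabled. The value formats are not explained either: the iomemcon ranges look like page-frame numbers rather than byte addresses (0xfebe0 for the e1000e BAR), which a one-line comment such as `# iomemcon takes page-frame numbers (physical address >> 12); ioportcon takes port numbers` should state if that is correct, since I cannot confirm it from this patch.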