authorDaniel De Graaf <dgdegra@tycho.nsa.gov>2013-02-13 16:07:05 +0000
committerIan Jackson <Ian.Jackson@eu.citrix.com>2013-02-22 17:15:39 +0000
commit2393441e5808b5ac4d76510560b3200c91f67409 (patch)
tree6e3ba4f657bfedc18a7c21776f6784e4a25b3150 /tools/flask
parent5721a6a4062ba67d8302251efebd23f3a4059f05 (diff)
flask/policy: rework policy build system
This adds the ability to define, in the FLASK policy, security classes and access vectors that are not defined by the hypervisor, for use by stub domains or applications without their own security policies. Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Diffstat (limited to 'tools/flask')
-rw-r--r--tools/flask/policy/Makefile203
-rw-r--r--tools/flask/policy/policy/access_vectors24
-rw-r--r--tools/flask/policy/policy/global_booleans5
-rw-r--r--tools/flask/policy/policy/global_tunables5
-rw-r--r--tools/flask/policy/policy/initial_sids4
-rw-r--r--tools/flask/policy/policy/security_classes8
6 files changed, 96 insertions, 153 deletions
diff --git a/tools/flask/policy/Makefile b/tools/flask/policy/Makefile
index 3f5aa38d1c..e666f3e718 100644
--- a/tools/flask/policy/Makefile
+++ b/tools/flask/policy/Makefile
@@ -1,117 +1,86 @@
-#
-# Makefile for the security policy.
-#
-# Targets:
-#
-# install - compile and install the policy configuration.
-# load - compile, install, and load the policy configuration.
-# reload - compile, install, and load/reload the policy configuration.
-# policy - compile the policy configuration locally for testing/development.
-#
-# The default target is 'policy'.
-#
+XEN_ROOT=$(CURDIR)/../../..
+include $(XEN_ROOT)/tools/Rules.mk
########################################
#
# Configurable portions of the Makefile
#
+########################################
-# Policy version
-# By default, checkpolicy will create the highest
-# version policy it supports. Setting this will
-# override the version.
-OUTPUT_POLICY = 24
-
-# Policy Type
-# xen
-# xen-mls
-TYPE = xen
-
-# Policy Name
-# If set, this will be used as the policy
-# name. Otherwise xenpolicy will be
-# used for the name.
-# NAME = xenpolicy
-
-# Number of MLS Sensitivities
-# The sensitivities will be s0 to s(MLS_SENS-1).
-# Dominance will be in increasing numerical order
-# with s0 being lowest.
-# MLS_SENS = 16
+CONFIG_MLS ?= n
-# Number of MLS Categories
+# Number of available MLS sensitivities and categories.
+# The sensitivities will be s0 to s(MLS_SENS-1). Dominance will be in
+# increasing numerical order with s0 being lowest.
+MLS_SENS ?= 16
# The categories will be c0 to c(MLS_CATS-1).
-# MLS_CATS = 256
+MLS_CATS ?= 256
-# Uncomment this to disable command echoing
-# QUIET:=@
+# executable paths
+CHECKPOLICY ?= checkpolicy
+M4 ?= m4
########################################
#
-# NO OPTIONS BELOW HERE
+# End of configuration options
#
+########################################
-# executable paths
-PREFIX := /usr
-BINDIR := $(PREFIX)/bin
-SBINDIR := $(PREFIX)/sbin
-CHECKPOLICY := $(BINDIR)/checkpolicy
-LOADPOLICY := $(SBINDIR)/flask-loadpolicy
+# Policy version
+# By default, checkpolicy creates the highest version policy it supports. Force
+# the use of version 24 which is the highest that Xen supports, and the first to
+# include the Xen policy type (needed for static device policy).
+OUTPUT_POLICY = 24
+
+POLICY_FILENAME = xenpolicy.$(OUTPUT_POLICY)
+POLICY_LOADPATH = $(DESTDIR)/boot
# policy source layout
POLDIR := policy
MODDIR := $(POLDIR)/modules
+
+# Classes and access vectors defined in the hypervisor. Changes to these require
+# a recompile of both the hypervisor and security policy.
FLASKDIR := ../../../xen/xsm/flask/policy
SECCLASS := $(FLASKDIR)/security_classes
-ISIDS := $(FLASKDIR)/initial_sids
+ISID_DECLS := $(FLASKDIR)/initial_sids
AVS := $(FLASKDIR)/access_vectors
+# Additional classes and access vectors defined by local policy
+SECCLASS += $(POLDIR)/security_classes
+AVS += $(POLDIR)/access_vectors
+
+# Other policy components
+M4SUPPORT := $(wildcard $(POLDIR)/support/*.spt)
+MLSSUPPORT := $(POLDIR)/mls
+USERS := $(POLDIR)/users
+CONSTRAINTS := $(POLDIR)/constraints
+ISID_DEFS := $(POLDIR)/initial_sids
+
# config file paths
GLOBALTUN := $(POLDIR)/global_tunables
-GLOBALBOOL := $(POLDIR)/global_booleans
MOD_CONF := $(POLDIR)/modules.conf
-TUNABLES := $(POLDIR)/tunables.conf
-BOOLEANS := $(POLDIR)/booleans.conf
-
-# install paths
-
-DESTDIR = /boot
-INSTALLDIR = $(DESTDIR)
-LOADPATH = $(INSTALLDIR)/$(POLVER)
-# default MLS sensitivity and category settings.
-MLS_SENS ?= 16
-MLS_CATS ?= 256
+# checkpolicy can use the #line directives provided by -s for error reporting:
+M4PARAM := -D self_contained_policy -s
+CHECKPOLICY_PARAM := -t Xen -c $(OUTPUT_POLICY)
# enable MLS if requested.
-ifneq ($(findstring -mls,$(TYPE)),)
+ifneq ($(CONFIG_MLS),n)
M4PARAM += -D enable_mls
- CHECKPOLICY += -M
-endif
-
-ifeq ($(NAME),)
- NAME := xenpolicy
-endif
-
-PV := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ')
-
-ifneq ($(OUTPUT_POLICY),)
- CHECKPOLICY += -c $(OUTPUT_POLICY)
- POLVER = $(NAME).$(OUTPUT_POLICY)
-else
- POLVER +=$(NAME).$(PV)
+ CHECKPOLICY_PARAM += -M
endif
# Always define these because they are referenced even in non-MLS policy
M4PARAM += -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS)
-M4SUPPORT = $(wildcard $(POLDIR)/support/*.spt)
+# Find modules
ALL_LAYERS := $(filter-out $(MODDIR)/CVS,$(shell find $(wildcard $(MODDIR)/*) -maxdepth 0 -type d))
# sort here since it removes duplicates, which can happen
# when a generated file is already generated
-DETECTED_MODS := $(sort $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te)))
+DETECTED_MODS := $(sort $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te)))
# modules.conf setting for policy configuration
MODENABLED := on
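Review bot: `FLASKDIR := ../../../xen/xsm/flask/policy` is kept verbatim from the old file even though the hunk now defines `XEN_ROOT=$(CURDIR)/../../..` two lines in; `FLASKDIR := $(XEN_ROOT)/xen/xsm/flask/policy` would leave a single definition of the tree root. The `SECCLASS += $(POLDIR)/security_classes` and `AVS += $(POLDIR)/access_vectors` lines depend on the local files being listed after the hypervisor's, because checkpolicy assigns class numbers in declaration order and the hypervisor's indices must not move; a comment such as `# Local classes must follow the hypervisor's: class numbers follow declaration order` would make that constraint explicit. `ifneq ($(CONFIG_MLS),n)` turns MLS on for any value other than the literal `n`, including `N` or an empty `CONFIG_MLS=` given on the command line; `ifeq ($(CONFIG_MLS),y)` matches the y/n convention the default `CONFIG_MLS ?= n` suggests.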
@@ -122,81 +91,27 @@ ENABLED_MODS := $(foreach mod,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 =
ALL_MODULES := $(filter $(ENABLED_MODS),$(DETECTED_MODS))
ALL_INTERFACES := $(ALL_MODULES:.te=.if)
-ALL_TE_FILES := $(ALL_MODULES)
-
-PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls
-POST_TE_FILES := $(POLDIR)/users $(POLDIR)/constraints $(POLDIR)/initial_sids
-POLICY_SECTIONS := $(PRE_TE_FILES) $(ALL_INTERFACES) $(GLOBALBOOL) $(GLOBALTUN) $(ALL_TE_FILES) $(POST_TE_FILES)
-
-########################################
-#
-# default action: build policy locally
-#
-default: policy
+# The order of these files is important
+POLICY_SECTIONS := $(SECCLASS) $(ISID_DECLS) $(AVS)
+POLICY_SECTIONS += $(M4SUPPORT) $(MLSSUPPORT)
+POLICY_SECTIONS += $(ALL_INTERFACES)
+POLICY_SECTIONS += $(GLOBALTUN)
+POLICY_SECTIONS += $(ALL_MODULES)
+POLICY_SECTIONS += $(USERS) $(CONSTRAINTS) $(ISID_DEFS)
-policy: $(POLVER)
+all: $(POLICY_FILENAME)
-install: $(LOADPATH)
+install: $(POLICY_FILENAME)
+ $(INSTALL_DATA) $^ $(POLICY_LOADPATH)
-load: .load_stamp
+$(POLICY_FILENAME): policy.conf
+ $(CHECKPOLICY) $(CHECKPOLICY_PARAM) $^ -o $@
-########################################
-#
-# Build a binary policy locally
-#
-$(POLVER): policy.conf
- @echo "Compiling $(NAME) $(POLVER)"
- $(QUIET) $(CHECKPOLICY) $^ -o $@
-# Uncomment line below to enable policies for devices
-# $(QUIET) $(CHECKPOLICY) -t Xen $^ -o $@
-
-########################################
-#
-# Install a binary policy
-#
-$(LOADPATH): policy.conf
- @echo "Compiling and installing $(NAME) $(LOADPATH)"
- $(QUIET) $(CHECKPOLICY) $^ -o $@
-# Uncomment line below to enable policies for devices
-# $(QUIET) $(CHECKPOLICY) -t Xen $^ -o $@
-
-########################################
-#
-# Load the binary policy
-#
-.load_stamp: reload
-reload: $(LOADPATH)
- @echo "Loading $(NAME) $(LOADPATH)"
- $(QUIET) $(LOADPOLICY) $(LOADPATH)
- @touch .load_stamp
-
-########################################
-#
-# Construct a monolithic policy.conf
-#
policy.conf: $(POLICY_SECTIONS)
- @echo "Creating $(NAME) policy.conf"
-# checkpolicy can use the #line directives provided by -s for error reporting:
- $(QUIET) m4 -D self_contained_policy $(M4PARAM) -s $^ > $@
+ $(M4) $(M4PARAM) $^ > $@
-########################################
-#
-# Remove the dontaudit rules from the policy.conf
-#
-enableaudit: policy.conf
- @test -d tmp || mkdir -p tmp
- @echo "Removing dontaudit rules from policy.conf"
- $(QUIET) grep -v dontaudit policy.conf > tmp/policy.audit
- $(QUIET) mv tmp/policy.audit policy.conf
-
-########################################
-#
-# Clean the built policies.
-#
clean:
- rm -fR tmp
- rm -f policy.conf
- rm -f $(POLVER)
+ $(RM) tmp policy.conf $(POLICY_FILENAME)
-.PHONY: default policy install load reload enableaudit clean
+.PHONY: all install clean
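Review bot: `$(M4) $(M4PARAM) $^ > $@` creates policy.conf via the shell redirect before m4 runs, so a failing m4 leaves a truncated policy.conf that is newer than its sources and the next make hands it to checkpolicy instead of regenerating it; add `.DELETE_ON_ERROR:` near the top of the file, or write to `$@.tmp` and `mv -f $@.tmp $@`. The `install` recipe copies into `$(POLICY_LOADPATH)` without creating it, which fails under a fresh `DESTDIR` staging root; an `$(INSTALL_DIR) $(POLICY_LOADPATH)` line before the copy, using the helper Xen's common make rules provide, fixes that. `$(RM) tmp policy.conf $(POLICY_FILENAME)` replaces the old `rm -fR tmp` with `rm -f`, which fails on a directory, so `make clean` errors out in any tree where the removed `enableaudit` target had already created `tmp`; either drop `tmp` from the list or use `$(RM) -r tmp`.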
diff --git a/tools/flask/policy/policy/access_vectors b/tools/flask/policy/policy/access_vectors
new file mode 100644
index 0000000000..4fd61f1a59
--- /dev/null
+++ b/tools/flask/policy/policy/access_vectors
@@ -0,0 +1,24 @@
+# Locally defined access vectors
+#
+# Define access vectors for the security classes defined in security_classes
+#
+
+# Note: this is an example; the xenstore daemon provided with Xen does
+# not yet include XSM support, and the exact permissions may be defined
+# differently if such support is added.
+class xenstore {
+ # read from keys owned by the target domain (if permissions allow)
+ read
+ # write to keys owned by the target domain (if permissions allow)
+ write
+ # change permissions of a key owned by the target domain
+ chmod
+ # change the owner of a key which was owned by the target domain
+ chown_from
+ # change the owner of a key to the target domain
+ chown_to
+ # access a key owned by the target domain without permission
+ override
+ # introduce a domain
+ introduce
+}
diff --git a/tools/flask/policy/policy/global_booleans b/tools/flask/policy/policy/global_booleans
deleted file mode 100644
index 4c13cfb062..0000000000
--- a/tools/flask/policy/policy/global_booleans
+++ /dev/null
@@ -1,5 +0,0 @@
-#
-# This file is for the declaration of global booleans.
-# To change the default value at build time, the booleans.conf
-# file should be used.
-#
diff --git a/tools/flask/policy/policy/global_tunables b/tools/flask/policy/policy/global_tunables
index 801b27ec2e..c5da7ae716 100644
--- a/tools/flask/policy/policy/global_tunables
+++ b/tools/flask/policy/policy/global_tunables
@@ -1,6 +1,5 @@
#
-# This file is for the declaration of global tunables.
-# To change the default value at build time, the booleans.conf
-# file should be used.
+# This file is for the declaration of global policy tunables, booleans,
+# and other components not defined within a specific policy module.
#
diff --git a/tools/flask/policy/policy/initial_sids b/tools/flask/policy/policy/initial_sids
index b70a54ee7d..5de0bbf7c2 100644
--- a/tools/flask/policy/policy/initial_sids
+++ b/tools/flask/policy/policy/initial_sids
@@ -1,4 +1,6 @@
-# Labels for initial SIDs
+# Labels for initial SIDs. These initial SIDs are used by the hypervisor for
+# objects created before the policy is loaded or for objects that do not have a
+# label defined in some other manner.
sid xen gen_context(system_u:system_r:xen_t,s0)
sid dom0 gen_context(system_u:system_r:dom0_t,s0)
diff --git a/tools/flask/policy/policy/security_classes b/tools/flask/policy/policy/security_classes
new file mode 100644
index 0000000000..56595e8c59
--- /dev/null
+++ b/tools/flask/policy/policy/security_classes
@@ -0,0 +1,8 @@
+# Locally defined security classes
+#
+# These classes are not used by the hypervisor, but may be used by domains or
+# daemons that need to make access control decisions using the hypervisor's
+# security policy.
+#
+# Access vectors for these classes must be defined in the access_vectors file.
+class xenstore