authorDaniel De Graaf <dgdegra@tycho.nsa.gov>2012-02-02 15:21:13 +0000
committerDaniel De Graaf <dgdegra@tycho.nsa.gov>2012-02-02 15:21:13 +0000
commita15e8b800a7dc62b1edc4314856dbc8f5003a28a (patch)
tree16bfcb8584c6ec2e1b2be0016130514ed0111e76 /tools/flask
parent99c53075b8320ec0dd0c53ba88bc8ab6f4a1a3cf (diff)
flask/policy: Add user and constraint examples
These examples show how to use constraints and the user field of the security label to prevent communication between virtual machines of different customers in a multi-tenant environment. Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Committed-by: Keir Fraser <keir@xen.org>
Diffstat (limited to 'tools/flask')
-rw-r--r--tools/flask/policy/policy/constraints15
-rw-r--r--tools/flask/policy/policy/modules/xen/xen.te28
-rw-r--r--tools/flask/policy/policy/users14
3 files changed, 39 insertions, 18 deletions
diff --git a/tools/flask/policy/policy/constraints b/tools/flask/policy/policy/constraints
index beb949c9b6..765ed4d0cd 100644
--- a/tools/flask/policy/policy/constraints
+++ b/tools/flask/policy/policy/constraints
@@ -22,6 +22,19 @@
# role_op : == | != | eq | dom | domby | incomp
#
# names : name | { name_list }
-# name_list : name | name_list name
+# name_list : name | name_list name
#
+# Prevent event channels and grants between different customers
+
+constrain event bind (
+ u1 == system_u or
+ u2 == system_u or
+ u1 == u2
+);
+
+constrain grant { map_read map_write copy } (
+ u1 == system_u or
+ u2 == system_u or
+ u1 == u2
+);
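Review bot: The `u1 == system_u or u2 == system_u` exemption in both constrain blocks makes the tenant separation only as strong as the set of domains that can carry user system_u, and this same commit keeps `role system_r types { xen_type domain_type }` in xen.te, so a domU labelled `system_u:system_r:domU_t` could still bind event channels and map grants with any customer's VM. Either make the restrictive role definition the default or state the assumption next to the constraint, e.g. `# system_u is exempt only because it is reserved for dom0 and utility domains; never label a customer VM with it`. The grant constraint lists only map_read, map_write and copy; if the grant class carries further inter-domain permissions (transfer, for instance) they stay unconstrained between customers, which should be confirmed against the access vectors or documented as intentional. Note also that both customers remain free to share dom0 as an event-channel and grant peer under this rule, so isolation of backend traffic is left to dom0.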
diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
index ac52c3fd99..67dd0dfa88 100644
--- a/tools/flask/policy/policy/modules/xen/xen.te
+++ b/tools/flask/policy/policy/modules/xen/xen.te
@@ -22,22 +22,22 @@ attribute mls_priv;
################################################################################
# The hypervisor itself
-type xen_t, xen_type, domain_type, mls_priv;
+type xen_t, xen_type, mls_priv;
# Domain 0
type dom0_t, domain_type, mls_priv;
# Untracked I/O memory (pseudo-domain)
-type domio_t, domain_type;
+type domio_t, xen_type;
# Xen heap (pseudo-domain)
-type domxen_t, domain_type;
+type domxen_t, xen_type;
# Unlabeled objects
-type unlabeled_t, domain_type;
+type unlabeled_t, xen_type;
# The XSM/FLASK security server
-type security_t, domain_type;
+type security_t, xen_type;
# Unlabeled device resources
# Note: don't allow access to these types directly; see below for how to label
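Review bot: The move of domio_t, domxen_t, unlabeled_t and security_t from domain_type to xen_type is not explained in the hunk, and the reason matters for the role definitions added later in this file, where `role vm_r types { domain_type -dom0_t }` would otherwise have made these pseudo-domains valid vm_r types. A short comment above the group would capture that, e.g. `# Pseudo-domains are xen_type rather than domain_type so they never qualify for the vm role or for domain-wide rules`. Any existing allow rule in xen.te keyed on the domain_type attribute that was meant to include these pseudo-domains loses that access with this change; the rest of the file is outside the hunk, so that is worth confirming before merging.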
@@ -143,7 +143,11 @@ delegate_devices(dom0_t, domU_t)
################################################################################
#
-# Constraints
+# Policy constraints
+#
+# Neverallow rules will cause the policy build to fail if an allow rule exists
+# that violates the expression. This is used to ensure proper labeling of
+# objects.
#
################################################################################
@@ -159,9 +163,19 @@ neverallow * ~event_type:event { create send status };
################################################################################
#
-# Labels for initial SIDs and system role
+# Roles
#
################################################################################
+# The object role (object_r) is used for devices, resources, and event channels;
+# it does not need to be defined here and should not be used for domains.
+
+# The system role is used for utility domains and pseudo-domains
role system_r;
role system_r types { xen_type domain_type };
+# If you want to prevent domUs from being placed in system_r:
+##role system_r types { xen_type dom0_t };
+
+# The vm role is used for customer virtual machines
+role vm_r;
+role vm_r types { domain_type -dom0_t };
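Review bot: `role system_r types { xen_type domain_type }` stays as the active definition while the restrictive `{ xen_type dom0_t }` variant is only a commented-out suggestion, so nothing in the policy prevents a customer VM from being labelled with system_u:system_r and thereby bypassing the user-based constraints this commit adds in the constraints file. If the example is meant to demonstrate tenant separation, the restrictive line should be the default, or the comment should warn explicitly: `# WARNING: while domain_type is in system_r, a domU given user system_u escapes the cross-customer constraints`. The object_r note says that role should not be used for domains but nothing enforces it; if the constraint language in use here can test the role of a newly created domain, a constrain rule on domain creation would turn that convention into a checked property.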
diff --git a/tools/flask/policy/policy/users b/tools/flask/policy/policy/users
index a0205e5462..35ed8a9334 100644
--- a/tools/flask/policy/policy/users
+++ b/tools/flask/policy/policy/users
@@ -3,15 +3,9 @@
# System User configuration.
#
-#
-# gen_user(username, role_set, mls_defaultlevel, mls_range)
-#
-
-#
-# system_u is the user identity for system processes and objects.
-# There should be no corresponding Unix user identity for system,
-# and a user process should never be assigned the system user
-# identity.
-#
+# system_u is the user identity for system domains and objects
gen_user(system_u,, system_r, s0, s0 - mls_systemhigh)
+# Other users are defined using the vm role
+gen_user(customer_1,, vm_r, s0, s0)
+gen_user(customer_2,, vm_r, s0, s0)