authorDaniel De Graaf <dgdegra@tycho.nsa.gov>2011-12-20 18:19:53 +0000
committerDaniel De Graaf <dgdegra@tycho.nsa.gov>2011-12-20 18:19:53 +0000
commitfba7e0e2d350742f114994d183c1e7bf9fdb5949 (patch)
treea8a9c0cb5e8d48e82fb0697026acdc4b1bd953b0 /tools/flask
parent7b83f96ce7e2560388f0c6e36551b0d748a0542a (diff)
flask/policy: Update example policy
Rewrite the example policy to make it easier to understand and demonstrate some of the security goals that FLASK can enforce. Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Committed-by: Ian Jackson <ian.jackson.citrix.com>
Diffstat (limited to 'tools/flask')
-rw-r--r--tools/flask/policy/policy/modules/xen/xen.if150
-rw-r--r--tools/flask/policy/policy/modules/xen/xen.te180
2 files changed, 178 insertions, 152 deletions
diff --git a/tools/flask/policy/policy/modules/xen/xen.if b/tools/flask/policy/policy/modules/xen/xen.if
index 1b508987f2..cd240d8f7d 100644
--- a/tools/flask/policy/policy/modules/xen/xen.if
+++ b/tools/flask/policy/policy/modules/xen/xen.if
@@ -1,92 +1,96 @@
-###############################################################################
-#
-# create_domain(priv_dom, domain, channel)
-#
-################################################################################
-define(`create_domain', `
- type $2, domain_type;
- allow $1 $2:domain {create max_vcpus setdomainmaxmem
- setaddrsize getdomaininfo hypercall
- setvcpucontext scheduler unpause
- getvcpuinfo getaddrsize getvcpuaffinity};
- allow $1 $2:shadow {enable};
- allow $1 $2:mmu {map_read map_write adjust physmap};
- allow $2 $2:mmu {adjust physmap};
- allow $1 $3:event {create};
-')
-
-###############################################################################
-#
-# create_hvm_dom(priv_dom, domain, channel)
-#
-################################################################################
-define(`create_hvm_dom', `
- create_domain($1, $2, $3)
- allow $1 $2:hvm { setparam getparam cacheattr pciroute irqlevel pcilevel trackdirtyvram };
- allow $2 $2:hvm setparam;
-')
+# Macro definitions for FLASK policy
-###############################################################################
-#
-# create_pv_dom(priv_dom, domain, channel, iodomain)
-#
-################################################################################
-define(`create_pv_dom', `
- create_domain($1, $2, $3)
- allow $1 $2:mmu {memorymap pinpage};
- allow $2 $2:mmu {map_read map_write pinpage};
- allow $2 $4:mmu {map_read};
-
- allow $2 $2:grant {query setup};
- allow $1 $2:grant {map_read unmap};
-')
################################################################################
#
-# manage_domain(priv_dom, domain)
+# Domain creation and setup
#
################################################################################
-define(`manage_domain', `
- allow $1 $2:domain {pause destroy};
+# declare_domain(type)
+# Declare a type as a domain type, and allow basic domain setup
+define(`declare_domain', `
+ type $1, domain_type;
+ allow $1 $1:grant { query setup };
+ allow $1 $1:mmu { adjust physmap map_read map_write stat pinpage };
+ allow $1 $1:hvm { getparam setparam };
+')
+
+# create_domain(priv, target)
+# Allow a domain to be created
+define(`create_domain', `
+ allow $1 $2:domain { create max_vcpus setdomainmaxmem setaddrsize
+ getdomaininfo hypercall setvcpucontext scheduler
+ unpause getvcpuinfo getvcpuextstate getaddrsize
+ getvcpuaffinity };
+ allow $1 $2:security check_context;
+ allow $1 $2:shadow enable;
+ allow $1 $2:mmu {map_read map_write adjust memorymap physmap pinpage};
+ allow $1 $2:grant setup;
+ allow $1 $2:hvm { cacheattr getparam hvmctl irqlevel pciroute setparam };
+ allow $1 $2_$1_channel:event create;
')
################################################################################
#
-# create_channel(caller, peer, channel)
+# Inter-domain communication
#
################################################################################
+
+# create_channel(source, dest, chan-label)
+# This allows an event channel to be created from domains with labels
+# <source> to <dest> and will label it <chan-label>
define(`create_channel', `
type $3, event_type;
type_transition $1 $2:event $3;
- allow $1 $3:event {create};
- allow $3 $2:event {bind};
+ allow $1 $3:event { create send status };
+ allow $3 $2:event { bind };
')
-###############################################################################
-#
-# create_passthrough_resource(priv_dom, domain, resource)
-#
-###############################################################################
-define(`create_passthrough_resource', `
- type $3, resource_type;
- allow $1 $2:resource {add remove};
- allow $1 ioport_t:resource {add_ioport use};
- allow $1 iomem_t:resource {add_iomem use};
- allow $1 irq_t:resource {add_irq use};
- allow $1 domio_t:mmu {map_read map_write};
- allow $2 domio_t:mmu {map_write};
- allow $2 irq_t:resource {use};
- allow $1 $3:resource {add_irq add_iomem add_ioport remove_irq remove_iomem remove_ioport use add_device remove_device};
- allow $2 $3:resource {use add_ioport add_iomem remove_ioport remove_iomem};
- allow $2 $3:mmu {map_read map_write};
+
+# domain_event_comms(dom1, dom2)
+# Allow two domain types to communicate using event channels
+define(`domain_event_comms', `
+ create_channel($1, $2, $1_$2_channel)
+ create_channel($2, $1, $2_$1_channel)
+')
+
+# domain_comms(dom1, dom2)
+# Allow two domain types to communicate using grants and event channels
+define(`domain_comms', `
+ domain_event_comms($1, $2)
+ allow $1 $2:grant { map_read map_write copy unmap };
+ allow $2 $1:grant { map_read map_write copy unmap };
+')
+
+# domain_self_comms(domain)
+# Allow a domain types to communicate with others of its type using grants
+# and event channels (this includes event channels to DOMID_SELF)
+define(`domain_self_comms', `
+ create_channel($1, $1, $1_self_channel)
+ allow $1 $1:grant { map_read map_write copy unmap };
')
-###############################################################################
+
+################################################################################
#
-# create_hvm_resource(priv_dom, domain, resource)
+# Device types and delegation (PCI passthrough)
#
-###############################################################################
-define(`create_hvm_resource', `
- type $3, resource_type;
- allow $1 $2:resource {add remove};
- allow $1 $3:hvm {bind_irq};
- allow $1 $3:resource {stat_device add_device remove_device add_irq remove_irq add_iomem remove_iomem add_ioport remove_ioport};
- allow $2 $3:resource {use};
+################################################################################
+
+# use_device(domain, device)
+# Allow a device to be used by a domain
+define(`use_device', `
+ allow $1 $2:resource use;
+ allow $1 $2:mmu { map_read map_write };
+')
+
+# admin_device(domain, device)
+# Allow a device to be used and delegated by a domain
+define(`admin_device', `
+ allow $1 $2:resource { setup stat_device add_device add_irq add_iomem add_ioport remove_device remove_irq remove_iomem remove_ioport };
+ allow $1 $2:hvm bind_irq;
+ use_device($1, $2)
+')
+
+# delegate_devices(priv-domain, target-domain)
+# Allow devices to be delegated
+define(`delegate_devices', `
+ allow $1 $2:resource { add remove };
')
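Review bot: The last rule of `create_domain`, `allow $1 $2_$1_channel:event create;`, refers to a type that is only declared when `domain_event_comms($1, $2)` (directly or through `domain_comms`) is also invoked for the same pair, so a caller using `create_domain` on its own would presumably be rejected at policy build time for an undeclared type, and the macro header does not say so. Suggest stating the coupling above the define: `# Requires domain_comms($1, $2) or domain_event_comms($1, $2), which declares $2_$1_channel`. Separately, `declare_domain` now grants every domain type `hvm { getparam setparam }` on itself, whereas the removed `create_pv_dom`/`create_hvm_dom` split kept HVM permissions off PV domains; if that widening is intended, a one-line comment on `declare_domain` would make it explicit rather than implicit. Minor wording in the `domain_self_comms` header: `Allow a domain types` should read `Allow a domain type`.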
diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
index 1a7f29ad72..0fc31b53fa 100644
--- a/tools/flask/policy/policy/modules/xen/xen.te
+++ b/tools/flask/policy/policy/modules/xen/xen.te
@@ -1,21 +1,47 @@
+################################################################################
+#
+# Attributes for types
+#
+# An attribute may be used in a rule as shorthand for all types with that
+# attribute.
+#
+################################################################################
attribute xen_type;
attribute domain_type;
attribute resource_type;
attribute event_type;
attribute mls_priv;
+################################################################################
+#
+# Types for the initial SIDs
+#
+# These types are used internally for objects created during Xen startup or for
+# devices that have not yet been labeled
+#
+################################################################################
+
+# The hypervisor itself
type xen_t, xen_type, domain_type, mls_priv;
+# Domain 0
type dom0_t, domain_type, mls_priv;
+# Untracked I/O memory (pseudo-domain)
type domio_t, domain_type;
+# Xen heap (pseudo-domain)
type domxen_t, domain_type;
+# Unlabeled objects
type unlabeled_t, domain_type;
+# The XSM/FLASK security server
type security_t, domain_type;
+# Unlabeled device resources
+# Note: don't allow access to these types directly; see below for how to label
+# devices and use that label for allow rules
type irq_t, resource_type;
type ioport_t, resource_type;
type iomem_t, resource_type;
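Review bot: The new comment above `irq_t` says `don't allow access to these types directly`, but the rewritten dom0 rules further down in this same file grant `admin_device(dom0_t, irq_t)`, `ioport_t`, `iomem_t` and `device_t`, so the advice as written contradicts the policy it sits in. It appears to be aimed at guest domain types rather than dom0; suggest `# Note: don't grant guest domain types access to these unlabeled types directly; dom0 needs them to label devices. See below for how to label devices and use that label in allow rules`.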
@@ -23,119 +49,115 @@ type device_t, resource_type;
################################################################################
#
-# Boot the hypervisor and dom0
+# Rules required to boot the hypervisor and dom0
#
################################################################################
-allow dom0_t xen_t:xen {kexec readapic writeapic mtrr_read mtrr_add mtrr_del
-scheduler physinfo heap quirk readconsole writeconsole settime microcode};
-
-allow dom0_t domio_t:mmu {map_read map_write};
-allow dom0_t iomem_t:mmu {map_read map_write};
-allow dom0_t xen_t:mmu {memorymap};
-
-allow dom0_t dom0_t:mmu {pinpage map_read map_write adjust updatemp};
-allow dom0_t dom0_t:grant {query setup};
-allow dom0_t dom0_t:domain {scheduler getdomaininfo getvcpuinfo getvcpuaffinity};
-
-allow xen_t dom0_t:domain {create};
-allow xen_t dom0_t:resource {add remove};
-allow xen_t ioport_t:resource {add_ioport remove_ioport};
-allow dom0_t ioport_t:resource {use};
-allow xen_t iomem_t:resource {add_iomem remove_iomem};
-allow dom0_t iomem_t:resource {use};
-allow xen_t irq_t:resource {add_irq remove_irq};
-allow dom0_t irq_t:resource { add_irq remove_irq use};
+allow xen_t dom0_t:domain { create };
+
+allow dom0_t xen_t:xen { kexec readapic writeapic mtrr_read mtrr_add mtrr_del
+ scheduler physinfo heap quirk readconsole writeconsole settime
+ microcode cpupool_op sched_op };
+allow dom0_t xen_t:mmu { memorymap };
+allow dom0_t security_t:security { check_context compute_av compute_create
+ compute_member load_policy compute_relabel compute_user setenforce
+ setbool setsecparam add_ocontext del_ocontext };
+
+allow dom0_t dom0_t:domain { getdomaininfo getvcpuinfo getvcpuaffinity };
+allow dom0_t dom0_t:grant { query setup };
+allow dom0_t dom0_t:mmu { adjust physmap map_read map_write stat pinpage };
allow dom0_t dom0_t:resource { add remove };
-allow dom0_t xen_t:xen firmware;
-allow dom0_t security_t:security {compute_av compute_create compute_member
-check_context load_policy compute_relabel compute_user setenforce setbool
-setsecparam add_ocontext del_ocontext};
+admin_device(dom0_t, device_t)
+admin_device(dom0_t, irq_t)
+admin_device(dom0_t, ioport_t)
+admin_device(dom0_t, iomem_t)
+allow dom0_t domio_t:mmu { map_read map_write };
-create_channel(dom0_t, dom0_t, evchn0-0_t)
-allow dom0_t evchn0-0_t:event {send};
+domain_self_comms(dom0_t)
-################################################################################
+auditallow dom0_t security_t:security { load_policy setenforce };
+
+###############################################################################
#
-# Create and manage a domU w/ dom0 IO
+# Domain creation
#
-################################################################################
-create_pv_dom(dom0_t, domU_t, evchnU-0_t, domio_t)
+###############################################################################
+
+declare_domain(domU_t)
+domain_self_comms(domU_t)
+create_domain(dom0_t, domU_t)
+domain_comms(dom0_t, domU_t)
+
+declare_domain(isolated_domU_t)
+create_domain(dom0_t, isolated_domU_t)
+domain_comms(dom0_t, isolated_domU_t)
-create_channel(domU_t, domU_t, evchnU-U_t)
-allow domU_t evchnU-U_t:event {send};
+###############################################################################
+#
+# Device delegation
+#
+###############################################################################
-create_channel(dom0_t, domU_t, evchn0-U_t)
-allow dom0_t evchn0-U_t:event {send};
+type nic_dev_t, resource_type;
-create_channel(domU_t, dom0_t, evchnU-0_t)
-allow domU_t evchnU-0_t:event {send};
+admin_device(dom0_t, nic_dev_t)
+use_device(domU_t, nic_dev_t)
-allow dom0_t dom0_t:event {send};
-allow dom0_t domU_t:grant {copy};
-allow domU_t domU_t:grant {copy};
+delegate_devices(dom0_t, domU_t)
###############################################################################
#
-# Create device labels
+# Label devices for delegation
+#
+# The PCI, IRQ, memory, and I/O port ranges are hardware-specific.
+# You may also use flask-label-pci to dynamically label devices on each boot.
#
###############################################################################
-# create device resources
-#create_passthrough_resource(dom0_t, domU_t, nicP_t)
-#create_hvm_resource(dom0_t, domHU_t, nicP_t)
-
# label e1000e nic
-#pirqcon 33 system_u:object_r:nicP_t
-#pirqcon 55 system_u:object_r:nicP_t
-#iomemcon 0xfebe0-0xfebff system_u:object_r:nicP_t
-#iomemcon 0xfebd9 system_u:object_r:nicP_t
-#ioportcon 0xecc0-0xecdf system_u:object_r:nicP_t
-#pcidevicecon 0xc800 system_u:object_r:nicP_t
+#pirqcon 33 system_u:object_r:nic_dev_t
+#pirqcon 55 system_u:object_r:nic_dev_t
+#iomemcon 0xfebe0-0xfebff system_u:object_r:nic_dev_t
+#iomemcon 0xfebd9 system_u:object_r:nic_dev_t
+#ioportcon 0xecc0-0xecdf system_u:object_r:nic_dev_t
+#pcidevicecon 0xc800 system_u:object_r:nic_dev_t
# label e100 nic
-#pirqcon 16 system_u:object_r:nicP_t
-#iomemcon 0xfe5df system_u:object_r:nicP_t
-#iomemcon 0xfe5e0-0xfe5ff system_u:object_r:nicP_t
-#iomemcon 0xc2000-0xc200f system_u:object_r:nicP_t
-#ioportcon 0xccc0-0xcd00 system_u:object_r:nicP_t
+#pirqcon 16 system_u:object_r:nic_dev_t
+#iomemcon 0xfe5df system_u:object_r:nic_dev_t
+#iomemcon 0xfe5e0-0xfe5ff system_u:object_r:nic_dev_t
+#iomemcon 0xc2000-0xc200f system_u:object_r:nic_dev_t
+#ioportcon 0xccc0-0xcd00 system_u:object_r:nic_dev_t
# label usb 1d.0-2 1d.7
-#pirqcon 23 system_u:object_r:nicP_t
-#pirqcon 17 system_u:object_r:nicP_t
-#pirqcon 18 system_u:object_r:nicP_t
-#ioportcon 0xff80-0xFF9F system_u:object_r:nicP_t
-#ioportcon 0xff60-0xff7f system_u:object_r:nicP_t
-#ioportcon 0xff40-0xff5f system_u:object_r:nicP_t
-#iomemcon 0xff980 system_u:object_r:nicP_t
-#ioportcon 0xff00-0xff1f system_u:object_r:nicP_t
-
-manage_domain(dom0_t, domU_t)
+#pirqcon 23 system_u:object_r:nic_dev_t
+#pirqcon 17 system_u:object_r:nic_dev_t
+#pirqcon 18 system_u:object_r:nic_dev_t
+#ioportcon 0xff80-0xFF9F system_u:object_r:nic_dev_t
+#ioportcon 0xff60-0xff7f system_u:object_r:nic_dev_t
+#ioportcon 0xff40-0xff5f system_u:object_r:nic_dev_t
+#iomemcon 0xff980 system_u:object_r:nic_dev_t
+#ioportcon 0xff00-0xff1f system_u:object_r:nic_dev_t
################################################################################
#
-# Create and manage an HVM domU w/ dom0 IO
+# Constraints
#
################################################################################
-create_hvm_dom(dom0_t, domHU_t, evchnHU-0_t)
-allow dom0_t evchn0-HU_t:event {send};
-create_channel(domHU_t, domHU_t, evchnHU-HU_t)
-allow domHU_t evchnU-U_t:event {send};
+# Domains must be declared using domain_type
+neverallow * ~domain_type:domain create;
-create_channel(dom0_t, domHU_t, evchn0-HU_t)
-allow dom0_t evchn0-U_t:event {send};
+# Resources must be declared using resource_type
+neverallow * ~resource_type:resource use;
-create_channel(domHU_t, dom0_t, evchnHU-0_t)
-allow domHU_t evchnU-0_t:event {send};
-
-allow dom0_t dom0_t:event {send};
-
-manage_domain(dom0_t, domHU_t)
+# Events must use event_type (see create_channel for a template)
+neverallow ~event_type *:event bind;
+neverallow * ~event_type:event { create send status };
################################################################################
#
-#
+# Labels for initial SIDs and system role
#
################################################################################
sid xen gen_context(system_u:system_r:xen_t,s0)
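Review bot: Three permissions held by dom0 in the removed rules have no counterpart in the rewritten dom0 block and the commit message does not mention dropping them: `firmware` on `xen_t:xen` (old `allow dom0_t xen_t:xen firmware;`), `scheduler` in the `dom0_t dom0_t:domain` rule, and `updatemp` in the `dom0_t dom0_t:mmu` rule. If they were removed deliberately, a short comment next to `allow dom0_t xen_t:xen { … }` and `allow dom0_t dom0_t:domain { … }` saying so would keep the next reader from treating the resulting denials as a policy bug; otherwise they should be added back to those lists. The `domU_t` rules likewise no longer carry the `map_read` on `domio_t` that the old `create_pv_dom(..., domio_t)` granted; that may well be the intended tightening for the example, but since this file cannot show whether PV guests still need it, worth confirming before treating the rewrite as equivalent for existing deployments. The new `neverallow` constraints and the `auditallow` on `load_policy setenforce` are a clear improvement and need no change.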