authorkfraser@localhost.localdomain <kfraser@localhost.localdomain>2007-07-27 09:01:15 +0100
committerkfraser@localhost.localdomain <kfraser@localhost.localdomain>2007-07-27 09:01:15 +0100
commitbf9e4257b392c550afe1c34d1fe38b6a2659dd69 (patch)
tree2544a327b55a0a389c3d5a7169e7faf6e23458a0 /tools
parent2abe070373048a47d66851e76593c11f95683059 (diff)
downloadxen-bf9e4257b392c550afe1c34d1fe38b6a2659dd69.tar.gz
xen-bf9e4257b392c550afe1c34d1fe38b6a2659dd69.tar.bz2
xen-bf9e4257b392c550afe1c34d1fe38b6a2659dd69.zip
[ACM] Check a domain's authorization to run.
A domain is only authorized to run if it has a superset of Simple Type Enforcement Types in its VM label compared to that of Domain-0, which itself may not have all STEs available in a policy. This patch adds a check for this into Xend and the necessary code support into Xen. Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
Diffstat (limited to 'tools')
-rw-r--r--tools/python/xen/lowlevel/acm/acm.c7
-rw-r--r--tools/python/xen/util/security.py22
-rw-r--r--tools/python/xen/xend/XendDomainInfo.py10
3 files changed, 32 insertions, 7 deletions
diff --git a/tools/python/xen/lowlevel/acm/acm.c b/tools/python/xen/lowlevel/acm/acm.c
index f8f024f66f..9b59ea48ed 100644
--- a/tools/python/xen/lowlevel/acm/acm.c
+++ b/tools/python/xen/lowlevel/acm/acm.c
@@ -148,9 +148,10 @@ static PyObject *getdecision(PyObject * self, PyObject * args)
char *arg1_name, *arg1, *arg2_name, *arg2, *decision = NULL;
struct acm_getdecision getdecision;
int xc_handle, rc;
+ uint32_t hooktype;
- if (!PyArg_ParseTuple(args, "ssss", &arg1_name,
- &arg1, &arg2_name, &arg2)) {
+ if (!PyArg_ParseTuple(args, "ssssi", &arg1_name,
+ &arg1, &arg2_name, &arg2, &hooktype)) {
return NULL;
}
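Review bot: `hooktype` is declared `uint32_t` but parsed with the `i` format, which stores through an `int *`; the unsigned format matches the declared type, `if (!PyArg_ParseTuple(args, "ssssI", &arg1_name, &arg1, &arg2_name, &arg2, &hooktype))`. The parsed value is then copied unchanged into `getdecision.hook` in the next hunk (`getdecision.hook = hooktype;`) with no check that it names a hook this module knows, so any integer supplied from Python reaches the hypervisor request. Keeping the accepted set explicit on the Python-facing side is cheap: `if (hooktype != ACMHOOK_sharing && hooktype != ACMHOOK_authorization) { PyErr_SetString(PyExc_ValueError, "unknown hook type"); return NULL; }`, assuming ACMHOOK_authorization is the hypervisor-side counterpart of the constant security.py introduces in this commit. The enclosing getdecision function starts before the hunk.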
@@ -163,7 +164,7 @@ static PyObject *getdecision(PyObject * self, PyObject * args)
(strcmp(arg2_name, "domid") && strcmp(arg2_name, "ssidref")))
return NULL;
- getdecision.hook = ACMHOOK_sharing;
+ getdecision.hook = hooktype;
if (!strcmp(arg1_name, "domid")) {
getdecision.get_decision_by1 = ACM_GETBY_domainid;
getdecision.id1.domainid = atoi(arg1);
diff --git a/tools/python/xen/util/security.py b/tools/python/xen/util/security.py
index 5183ed2c98..47d51cb20a 100644
--- a/tools/python/xen/util/security.py
+++ b/tools/python/xen/util/security.py
@@ -62,6 +62,10 @@ empty_line_re = re.compile("^\s*$")
binary_name_re = re.compile(".*[chwall|ste|chwall_ste].*\.bin", re.IGNORECASE)
policy_name_re = re.compile(".*[chwall|ste|chwall_ste].*", re.IGNORECASE)
+#decision hooks known to the hypervisor
+ACMHOOK_sharing = 1
+ACMHOOK_authorization = 2
+
#other global variables
NULL_SSIDREF = 0
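Review bot: The two ACMHOOK_* values on the added lines mirror an enumeration owned by the hypervisor (the acm.c hunk assigns ACMHOOK_sharing from a Xen-side definition), so the comment should say where they come from and that they must stay in sync, e.g. `# decision hooks known to the hypervisor; values must match the ACMHOOK_* enumeration in Xen's public ACM header`. A silent mismatch would request the wrong kind of decision without any error.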
@@ -453,7 +457,8 @@ def get_decision(arg1, arg2):
err("Invalid id or ssidref type, string or int required")
try:
- decision = acm.getdecision(arg1[0], arg1[1], arg2[0], arg2[1])
+ decision = acm.getdecision(arg1[0], arg1[1], arg2[0], arg2[1],
+ ACMHOOK_sharing)
except:
err("Cannot determine decision.")
@@ -463,6 +468,21 @@ def get_decision(arg1, arg2):
err("Cannot determine decision (Invalid parameter).")
+def has_authorization(ssidref):
+ """ Check if the domain with the given ssidref has authorization to
+ run on this system. To have authoriztion dom0's STE types must
+ be a superset of that of the domain's given through its ssidref.
+ """
+ rc = True
+ dom0_ssidref = int(acm.getssid(0)['ssidref'])
+ decision = acm.getdecision('ssidref', str(dom0_ssidref),
+ 'ssidref', str(ssidref),
+ ACMHOOK_authorization)
+ if decision == "DENIED":
+ rc = False
+ return rc
+
+
def hv_chg_policy(bin_pol, del_array, chg_array):
"""
Change the binary policy in the hypervisor
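Review bot: `has_authorization` fails open: `rc` starts as True and only the exact string "DENIED" flips it, so a None or any unexpected return from `acm.getdecision` authorizes the domain. Compare against the affirmative decision instead so that anything else denies, e.g. `return decision == "PERMITTED"` (substituting whatever affirmative string the acm module actually returns; only "DENIED" is visible in this hunk). Unlike `get_decision` just above, the `acm.getssid(0)` and `acm.getdecision` calls are not wrapped, so a failure there propagates as a raw exception to the caller rather than a clear error; that is at least fail-closed, but it deserves a deliberate choice and a comment. The docstring also misspells "authoriztion".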
diff --git a/tools/python/xen/xend/XendDomainInfo.py b/tools/python/xen/xend/XendDomainInfo.py
index 3ce18bc96f..0fe545aa31 100644
--- a/tools/python/xen/xend/XendDomainInfo.py
+++ b/tools/python/xen/xend/XendDomainInfo.py
@@ -1460,9 +1460,13 @@ class XendDomainInfo:
# allocation of 1MB. We free up 2MB here to be on the safe side.
balloon.free(2*1024) # 2MB should be plenty
- ssidref = security.calc_dom_ssidref_from_info(self.info)
- if ssidref == 0 and security.on():
- raise VmError('VM is not properly labeled.')
+ ssidref = 0
+ if security.on():
+ ssidref = security.calc_dom_ssidref_from_info(self.info)
+ if ssidref == 0:
+ raise VmError('VM is not properly labeled.')
+ if security.has_authorization(ssidref) == False:
+ raise VmError("VM is not authorized to run.")
try:
self.domid = xc.domain_create(
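Review bot: `if security.has_authorization(ssidref) == False:` compares a boolean to `False` with `==`; the idiomatic form is `if not security.has_authorization(ssidref):`, which also reads as a denial check rather than a value comparison. The two new `VmError` messages mix quote styles ('...' versus "..."), while the surrounding code uses single quotes. The enclosing method continues past the hunk (the `xc.domain_create` call is cut off).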