authorIan Campbell <ijc@hellion.org.uk>2013-01-11 12:23:39 +0000
committerIan Campbell <ijc@hellion.org.uk>2013-01-11 12:23:39 +0000
commitc11edec4d6b2a20e9e808437d73a1010be6e31fb (patch)
tree1391e20aef6711c8fd1d2f7acc11381d288c14fd /tools
parent5267d751d9e29f1bae09dad12ca32cb44b008e16 (diff)
parent2ffc6723b0b7a9e85745606ba2b1e1021a862548 (diff)
merge
Diffstat (limited to 'tools')
-rw-r--r--tools/flask/policy/policy/flask/access_vectors178
-rw-r--r--tools/flask/policy/policy/flask/initial_sids16
-rw-r--r--tools/flask/policy/policy/flask/mkaccess_vector.sh138
-rw-r--r--tools/flask/policy/policy/flask/mkflask.sh95
-rw-r--r--tools/flask/policy/policy/flask/security_classes21
-rw-r--r--tools/flask/policy/policy/modules/xen/xen.if72
-rw-r--r--tools/flask/policy/policy/modules/xen/xen.te25
7 files changed, 73 insertions, 472 deletions
diff --git a/tools/flask/policy/policy/flask/access_vectors b/tools/flask/policy/policy/flask/access_vectors
deleted file mode 100644
index c7e29abb32..0000000000
--- a/tools/flask/policy/policy/flask/access_vectors
+++ /dev/null
@@ -1,178 +0,0 @@
-#
-# Define the access vectors.
-#
-# class class_name { permission_name ... }
-
-class xen
-{
- scheduler
- settime
- tbufcontrol
- readconsole
- clearconsole
- perfcontrol
- mtrr_add
- mtrr_del
- mtrr_read
- microcode
- physinfo
- quirk
- writeconsole
- readapic
- writeapic
- privprofile
- nonprivprofile
- kexec
- firmware
- sleep
- frequency
- getidle
- debug
- getcpuinfo
- heap
- pm_op
- mca_op
- lockprof
- cpupool_op
- sched_op
-}
-
-class domain
-{
- setvcpucontext
- pause
- unpause
- resume
- create
- transition
- max_vcpus
- destroy
- setvcpuaffinity
- getvcpuaffinity
- scheduler
- getdomaininfo
- getvcpuinfo
- getvcpucontext
- setdomainmaxmem
- setdomainhandle
- setdebugging
- hypercall
- settime
- set_target
- shutdown
- setaddrsize
- getaddrsize
- trigger
- getextvcpucontext
- setextvcpucontext
- getvcpuextstate
- setvcpuextstate
- getpodtarget
- setpodtarget
- set_misc_info
- set_virq_handler
-}
-
-class domain2
-{
- relabelfrom
- relabelto
- relabelself
-}
-
-class hvm
-{
- sethvmc
- gethvmc
- setparam
- getparam
- pcilevel
- irqlevel
- pciroute
- bind_irq
- cacheattr
- trackdirtyvram
- hvmctl
- mem_event
- mem_sharing
-}
-
-class event
-{
- bind
- send
- status
- notify
- create
- reset
-}
-
-class grant
-{
- map_read
- map_write
- unmap
- transfer
- setup
- copy
- query
-}
-
-class mmu
-{
- map_read
- map_write
- pageinfo
- pagelist
- adjust
- stat
- translategp
- updatemp
- physmap
- pinpage
- mfnlist
- memorymap
- remote_remap
-}
-
-class shadow
-{
- disable
- enable
- logdirty
-}
-
-class resource
-{
- add
- remove
- use
- add_irq
- remove_irq
- add_ioport
- remove_ioport
- add_iomem
- remove_iomem
- stat_device
- add_device
- remove_device
- plug
- unplug
- setup
-}
-
-class security
-{
- compute_av
- compute_create
- compute_member
- check_context
- load_policy
- compute_relabel
- compute_user
- setenforce
- setbool
- setsecparam
- add_ocontext
- del_ocontext
-}
diff --git a/tools/flask/policy/policy/flask/initial_sids b/tools/flask/policy/policy/flask/initial_sids
deleted file mode 100644
index e508bde976..0000000000
--- a/tools/flask/policy/policy/flask/initial_sids
+++ /dev/null
@@ -1,16 +0,0 @@
-# FLASK
-
-#
-# Define initial security identifiers
-#
-sid xen
-sid dom0
-sid domio
-sid domxen
-sid unlabeled
-sid security
-sid ioport
-sid iomem
-sid irq
-sid device
-# FLASK
diff --git a/tools/flask/policy/policy/flask/mkaccess_vector.sh b/tools/flask/policy/policy/flask/mkaccess_vector.sh
deleted file mode 100644
index 8ec87f7b8c..0000000000
--- a/tools/flask/policy/policy/flask/mkaccess_vector.sh
+++ /dev/null
@@ -1,138 +0,0 @@
-#!/bin/sh -
-#
-
-# FLASK
-
-set -e
-
-awk=$1
-shift
-
-# output files
-av_permissions="include/av_permissions.h"
-av_perm_to_string="include/av_perm_to_string.h"
-
-cat $* | $awk "
-BEGIN {
- outfile = \"$av_permissions\"
- avpermfile = \"$av_perm_to_string\"
- "'
- nextstate = "COMMON_OR_AV";
- printf("/* This file is automatically generated. Do not edit. */\n") > outfile;
- printf("/* This file is automatically generated. Do not edit. */\n") > avpermfile;
-;
- }
-/^[ \t]*#/ {
- next;
- }
-$1 == "class" {
- if (nextstate != "COMMON_OR_AV" &&
- nextstate != "CLASS_OR_CLASS-OPENBRACKET")
- {
- printf("Parse error: Unexpected class definition on line %d\n", NR);
- next;
- }
-
- tclass = $2;
-
- if (tclass in av_defined)
- {
- printf("Duplicate access vector definition for %s on line %d\n", tclass, NR);
- next;
- }
- av_defined[tclass] = 1;
-
- permission = 1;
-
- nextstate = "INHERITS_OR_CLASS-OPENBRACKET";
- next;
- }
-$1 == "{" {
- if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET" &&
- nextstate != "CLASS_OR_CLASS-OPENBRACKET" &&
- nextstate != "COMMON-OPENBRACKET")
- {
- printf("Parse error: Unexpected { on line %d\n", NR);
- next;
- }
-
- if (nextstate == "INHERITS_OR_CLASS-OPENBRACKET")
- nextstate = "CLASS-CLOSEBRACKET";
-
- if (nextstate == "CLASS_OR_CLASS-OPENBRACKET")
- nextstate = "CLASS-CLOSEBRACKET";
-
- if (nextstate == "COMMON-OPENBRACKET")
- nextstate = "COMMON-CLOSEBRACKET";
- }
-/[a-z][a-z_]*/ {
- if (nextstate != "COMMON-CLOSEBRACKET" &&
- nextstate != "CLASS-CLOSEBRACKET")
- {
- printf("Parse error: Unexpected symbol %s on line %d\n", $1, NR);
- next;
- }
-
- if (nextstate == "COMMON-CLOSEBRACKET")
- {
- if ((common_name,$1) in common_perms)
- {
- printf("Duplicate permission %s for common %s on line %d.\n", $1, common_name, NR);
- next;
- }
-
- common_perms[common_name,$1] = permission;
-
- printf("#define COMMON_%s__%s", toupper(common_name), toupper($1)) > outfile;
-
- printf(" S_(\"%s\")\n", $1) > cpermfile;
- }
- else
- {
- if ((tclass,$1) in av_perms)
- {
- printf("Duplicate permission %s for %s on line %d.\n", $1, tclass, NR);
- next;
- }
-
- av_perms[tclass,$1] = permission;
-
- printf("#define %s__%s", toupper(tclass), toupper($1)) > outfile;
-
- printf(" S_(SECCLASS_%s, %s__%s, \"%s\")\n", toupper(tclass), toupper(tclass), toupper($1), $1) > avpermfile;
- }
-
- spaces = 40 - (length($1) + length(tclass));
- if (spaces < 1)
- spaces = 1;
-
- for (i = 0; i < spaces; i++)
- printf(" ") > outfile;
- printf("0x%08xUL\n", permission) > outfile;
- permission = permission * 2;
- }
-$1 == "}" {
- if (nextstate != "CLASS-CLOSEBRACKET" &&
- nextstate != "COMMON-CLOSEBRACKET")
- {
- printf("Parse error: Unexpected } on line %d\n", NR);
- next;
- }
-
- if (nextstate == "COMMON-CLOSEBRACKET")
- {
- common_base[common_name] = permission;
- printf("TE_(common_%s_perm_to_string)\n\n", common_name) > cpermfile;
- }
-
- printf("\n") > outfile;
-
- nextstate = "COMMON_OR_AV";
- }
-END {
- if (nextstate != "COMMON_OR_AV" && nextstate != "CLASS_OR_CLASS-OPENBRACKET")
- printf("Parse error: Unexpected end of file\n");
-
- }'
-
-# FLASK
diff --git a/tools/flask/policy/policy/flask/mkflask.sh b/tools/flask/policy/policy/flask/mkflask.sh
deleted file mode 100644
index e8d8fb5d2c..0000000000
--- a/tools/flask/policy/policy/flask/mkflask.sh
+++ /dev/null
@@ -1,95 +0,0 @@
-#!/bin/sh -
-#
-
-# FLASK
-
-set -e
-
-awk=$1
-shift 1
-
-# output file
-output_file="include/flask.h"
-debug_file="include/class_to_string.h"
-debug_file2="include/initial_sid_to_string.h"
-
-cat $* | $awk "
-BEGIN {
- outfile = \"$output_file\"
- debugfile = \"$debug_file\"
- debugfile2 = \"$debug_file2\"
- "'
- nextstate = "CLASS";
-
- printf("/* This file is automatically generated. Do not edit. */\n") > outfile;
-
- printf("#ifndef _SELINUX_FLASK_H_\n") > outfile;
- printf("#define _SELINUX_FLASK_H_\n") > outfile;
- printf("\n/*\n * Security object class definitions\n */\n") > outfile;
- printf("/* This file is automatically generated. Do not edit. */\n") > debugfile;
- printf("/*\n * Security object class definitions\n */\n") > debugfile;
- printf(" S_(\"null\")\n") > debugfile;
- printf("/* This file is automatically generated. Do not edit. */\n") > debugfile2;
- printf("static char *initial_sid_to_string[] =\n{\n") > debugfile2;
- printf(" \"null\",\n") > debugfile2;
- }
-/^[ \t]*#/ {
- next;
- }
-$1 == "class" {
- if (nextstate != "CLASS")
- {
- printf("Parse error: Unexpected class definition on line %d\n", NR);
- next;
- }
-
- if ($2 in class_found)
- {
- printf("Duplicate class definition for %s on line %d.\n", $2, NR);
- next;
- }
- class_found[$2] = 1;
-
- class_value++;
-
- printf("#define SECCLASS_%s", toupper($2)) > outfile;
- for (i = 0; i < 40 - length($2); i++)
- printf(" ") > outfile;
- printf("%d\n", class_value) > outfile;
-
- printf(" S_(\"%s\")\n", $2) > debugfile;
- }
-$1 == "sid" {
- if (nextstate == "CLASS")
- {
- nextstate = "SID";
- printf("\n/*\n * Security identifier indices for initial entities\n */\n") > outfile;
- }
-
- if ($2 in sid_found)
- {
- printf("Duplicate SID definition for %s on line %d.\n", $2, NR);
- next;
- }
- sid_found[$2] = 1;
- sid_value++;
-
- printf("#define SECINITSID_%s", toupper($2)) > outfile;
- for (i = 0; i < 37 - length($2); i++)
- printf(" ") > outfile;
- printf("%d\n", sid_value) > outfile;
- printf(" \"%s\",\n", $2) > debugfile2;
- }
-END {
- if (nextstate != "SID")
- printf("Parse error: Unexpected end of file\n");
-
- printf("\n#define SECINITSID_NUM") > outfile;
- for (i = 0; i < 34; i++)
- printf(" ") > outfile;
- printf("%d\n", sid_value) > outfile;
- printf("\n#endif\n") > outfile;
- printf("};\n\n") > debugfile2;
- }'
-
-# FLASK
diff --git a/tools/flask/policy/policy/flask/security_classes b/tools/flask/policy/policy/flask/security_classes
deleted file mode 100644
index ef134a7457..0000000000
--- a/tools/flask/policy/policy/flask/security_classes
+++ /dev/null
@@ -1,21 +0,0 @@
-# FLASK
-
-#
-# Define the security object classes
-#
-
-# Classes marked as userspace are classes
-# for userspace object managers
-
-class xen
-class domain
-class domain2
-class hvm
-class mmu
-class resource
-class shadow
-class event
-class grant
-class security
-
-# FLASK
diff --git a/tools/flask/policy/policy/modules/xen/xen.if b/tools/flask/policy/policy/modules/xen/xen.if
index 2ad11b2206..2ce22125c1 100644
--- a/tools/flask/policy/policy/modules/xen/xen.if
+++ b/tools/flask/policy/policy/modules/xen/xen.if
@@ -5,15 +5,35 @@
# Domain creation and setup
#
################################################################################
+define(`declare_domain_common', `
+ allow $1 $2:grant { query setup };
+ allow $1 $2:mmu { adjust physmap map_read map_write stat pinpage updatemp mmuext_op };
+ allow $1 $2:hvm { getparam setparam };
+')
+
# declare_domain(type, attrs...)
-# Declare a type as a domain type, and allow basic domain setup
+# Declare a domain type, along with associated _self and _channel types
+# Allow the domain to perform basic operations on itself
define(`declare_domain', `
type $1, domain_type`'ifelse(`$#', `1', `', `,shift($@)');
+ type $1_self, domain_type, domain_self_type;
+ type_transition $1 $1:domain $1_self;
+ type $1_channel, event_type;
+ type_transition $1 domain_type:event $1_channel;
+ declare_domain_common($1, $1_self)
+')
+
+# declare_singleton_domain(type, attrs...)
+# Declare a domain type and associated _channel types.
+# Note: Because the domain can perform basic operations on itself and any
+# other domain of the same type, this constructor should be used for types
+# containing at most one domain. This is not enforced by policy.
+define(`declare_singleton_domain', `
+ type $1, domain_type`'ifelse(`$#', `1', `', `,shift($@)');
+ define(`$1_self', `$1')
type $1_channel, event_type;
type_transition $1 domain_type:event $1_channel;
- allow $1 $1:grant { query setup };
- allow $1 $1:mmu { adjust physmap map_read map_write stat pinpage };
- allow $1 $1:hvm { getparam setparam };
+ declare_domain_common($1, $1)
')
# declare_build_label(type)
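Review bot: The new `declare_domain_common` helper at the top of this hunk is the only macro in the section without a header comment, while every neighbouring macro documents its parameters (`# declare_domain(type, attrs...)`). I would add `# declare_domain_common(domain, self)` followed by `# Allow a domain type basic grant, mmu and hvm setup operations on the label it uses for itself (the type itself for singleton types, the _self type otherwise)`. It is also worth recording that the mmu set now includes `mmuext_op`, which is not among the `class mmu` permissions in the `access_vectors` file this same commit deletes, so the module now depends on access-vector definitions sourced from wherever the build takes them after this change, presumably the hypervisor tree.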
@@ -27,11 +47,12 @@ define(`declare_build_label', `
define(`create_domain_common', `
allow $1 $2:domain { create max_vcpus setdomainmaxmem setaddrsize
getdomaininfo hypercall setvcpucontext setextvcpucontext
- scheduler getvcpuinfo getvcpuextstate getaddrsize
+ getscheduler getvcpuinfo getvcpuextstate getaddrsize
getvcpuaffinity setvcpuaffinity };
+ allow $1 $2:domain2 { set_cpuid settsc setscheduler };
allow $1 $2:security check_context;
allow $1 $2:shadow enable;
- allow $1 $2:mmu {map_read map_write adjust memorymap physmap pinpage};
+ allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage mmuext_op };
allow $1 $2:grant setup;
allow $1 $2:hvm { cacheattr getparam hvmctl irqlevel pciroute sethvmc setparam pcilevel trackdirtyvram };
')
@@ -50,6 +71,7 @@ define(`create_domain_build_label', `
allow $1 $2_channel:event create;
allow $1 $2_building:domain2 relabelfrom;
allow $1 $2:domain2 relabelto;
+ allow $2_building $2:domain transition;
')
# manage_domain(priv, target)
@@ -57,7 +79,7 @@ define(`create_domain_build_label', `
define(`manage_domain', `
allow $1 $2:domain { getdomaininfo getvcpuinfo getvcpuaffinity
getaddrsize pause unpause trigger shutdown destroy
- setvcpuaffinity setdomainmaxmem };
+ setvcpuaffinity setdomainmaxmem getscheduler };
')
# migrate_domain_out(priv, target)
@@ -67,6 +89,7 @@ define(`migrate_domain_out', `
allow $1 $2:hvm { gethvmc getparam irqlevel };
allow $1 $2:mmu { stat pageinfo map_read };
allow $1 $2:domain { getaddrsize getvcpucontext getextvcpucontext getvcpuextstate pause destroy };
+ allow $1 $2:domain2 gettsc;
')
################################################################################
@@ -99,20 +122,36 @@ define(`domain_comms', `
')
# domain_self_comms(domain)
-# Allow a domain types to communicate with others of its type using grants
-# and event channels (this includes event channels to DOMID_SELF)
+# Allow a non-singleton domain type to communicate with itself using grants
+# and event channels
define(`domain_self_comms', `
- create_channel($1, $1, $1_channel)
- allow $1 $1:grant { map_read map_write copy unmap };
+ create_channel($1, $1_self, $1_channel)
+ allow $1 $1_self:grant { map_read map_write copy unmap };
')
# device_model(dm_dom, hvm_dom)
# Define how a device model domain interacts with its target
define(`device_model', `
- domain_comms($1, $2)
- allow $1 $2:domain { set_target shutdown };
- allow $1 $2:mmu { map_read map_write adjust physmap };
- allow $1 $2:hvm { getparam setparam trackdirtyvram hvmctl irqlevel pciroute };
+ type $2_target, domain_type, domain_target_type;
+ type_transition $2 $1:domain $2_target;
+ allow $1 $2:domain set_target;
+
+ type_transition $2_target domain_type:event $2_channel;
+ create_channel($1, $2_target, $1_channel)
+ create_channel($2, $1, $2_channel)
+ allow $1 $2_channel:event create;
+
+ allow $1 $2_target:domain shutdown;
+ allow $1 $2_target:mmu { map_read map_write adjust physmap };
+ allow $1 $2_target:hvm { getparam setparam trackdirtyvram hvmctl irqlevel pciroute cacheattr send_irq };
+')
+
+# make_device_model(priv, dm_dom, hvm_dom)
+# Allow creation of a device model and HVM domain pair
+define(`make_device_model', `
+ device_model($2, $3)
+ allow $1 $2:domain2 make_priv_for;
+ allow $1 $3:domain2 set_as_target;
')
################################################################################
#
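Review bot: The rewritten `device_model` no longer calls `domain_comms($1, $2)`; it grants event channels in both directions but, as far as this hunk shows, no `grant` permissions between the device model and its target, so if `domain_comms` (defined just above, outside the hunk) also covered grant mapping, a stub domain that grant-maps rings from its HVM guest would now be denied. If the foreign `mmu { map_read map_write }` rule on `$2_target` is intended to replace that, a comment saying so would settle the question. I would also document the `$2_target` type, since as I read it this is the label `$1` sees for `$2` only once `set_target` has paired them rather than a relabel of `$2`: `# $2_target: label under which dm_dom accesses its target after set_target; other domains still see $2`.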
@@ -123,8 +162,9 @@ define(`device_model', `
# use_device(domain, device)
# Allow a device to be used by a domain
define(`use_device', `
+ allow $1 $1_self:mmu exchange;
allow $1 $2:resource use;
- allow $1 $2:mmu { map_read map_write };
+ allow $1 domio_t:mmu { map_read map_write };
')
# admin_device(domain, device)
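Review bot: `use_device` now grants `mmu { map_read map_write }` on `domio_t` to every caller regardless of which device type `$2` names, where it previously targeted `$2` itself, so the per-range restriction rests entirely on `$2:resource use` (and whatever range checks the hypervisor applies) and not on this mmu rule. That is probably the correct shape, since I/O pages are owned by DOMID_IO rather than by the iomem label, but it deserves a comment so nobody later tries to tighten it per device: `# I/O memory is owned by DOMID_IO (domio_t); which ranges may be mapped is governed by the resource use permission on $2`. The added `allow $1 $1_self:mmu exchange;` is likewise undocumented; presumably it is for XENMEM_exchange to obtain contiguous memory for DMA, which should be confirmed and stated in a comment.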
diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
index 116215384b..955fd8bee6 100644
--- a/tools/flask/policy/policy/modules/xen/xen.te
+++ b/tools/flask/policy/policy/modules/xen/xen.te
@@ -8,6 +8,8 @@
################################################################################
attribute xen_type;
attribute domain_type;
+attribute domain_self_type;
+attribute domain_target_type;
attribute resource_type;
attribute event_type;
attribute mls_priv;
@@ -25,12 +27,12 @@ attribute mls_priv;
type xen_t, xen_type, mls_priv;
# Domain 0
-declare_domain(dom0_t, mls_priv);
+declare_singleton_domain(dom0_t, mls_priv);
-# Untracked I/O memory (pseudo-domain)
+# I/O memory (DOMID_IO pseudo-domain)
type domio_t, xen_type;
-# Xen heap (pseudo-domain)
+# Xen heap (DOMID_XEN pseudo-domain)
type domxen_t, xen_type;
# Unlabeled objects
@@ -53,8 +55,8 @@ type device_t, resource_type;
#
################################################################################
allow dom0_t xen_t:xen { kexec readapic writeapic mtrr_read mtrr_add mtrr_del
- scheduler physinfo heap quirk readconsole writeconsole settime getcpuinfo
- microcode cpupool_op sched_op pm_op };
+ physinfo heap quirk readconsole writeconsole settime getcpuinfo
+ microcode cpupool_op pm_op tmem_control getscheduler setscheduler };
allow dom0_t xen_t:mmu { memorymap };
allow dom0_t security_t:security { check_context compute_av compute_create
compute_member load_policy compute_relabel compute_user setenforce
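Review bot: The dom0 `xen` permission set replaces `scheduler` and `sched_op` with `getscheduler`, `setscheduler` and `tmem_control`, none of which appear in the `class xen` list of the `access_vectors` file deleted earlier in this commit, so this policy can only be compiled against access-vector definitions that now live outside tools/flask/policy. That is fine as long as the build picks up the matching definitions, and a mismatch will surface as checkpolicy errors rather than as a silent denial, but a header comment in xen.te pointing at the new location of `access_vectors` and `security_classes` would save the next reader the search. The diffstat here is limited to tools, so I cannot confirm from this page where the build now looks.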
@@ -67,12 +69,14 @@ admin_device(dom0_t, device_t)
admin_device(dom0_t, irq_t)
admin_device(dom0_t, ioport_t)
admin_device(dom0_t, iomem_t)
-allow dom0_t domio_t:mmu { map_read map_write };
-domain_self_comms(dom0_t)
+domain_comms(dom0_t, dom0_t)
auditallow dom0_t security_t:security { load_policy setenforce setbool };
+# Allow all domains to use (unprivileged parts of) the tmem hypercall
+allow domain_type xen_t:xen tmem_op;
+
###############################################################################
#
# Domain creation
@@ -84,11 +88,14 @@ domain_self_comms(domU_t)
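Review bot: `allow domain_type xen_t:xen tmem_op;` grants the tmem hypercall to every type carrying `domain_type`, unconditionally and with no policy-level way to switch it off. Since tmem must be enabled on the hypervisor command line anyway and has historically been treated as a feature not to expose to untrusted guests (XSA-15, if I recall correctly), I would put it behind a boolean in the same style as `prot_doms_locked` below, e.g. `gen_bool(tmem_enabled, false)` and `if (tmem_enabled) { allow domain_type xen_t:xen tmem_op; }`. Separately, dropping the explicit `allow dom0_t domio_t:mmu { map_read map_write }` assumes `admin_device` (defined in xen.if, not visible in this hunk) expands to `use_device`, which now carries that rule; if it does not, dom0 loses I/O memory mapping.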
create_domain(dom0_t, domU_t)
manage_domain(dom0_t, domU_t)
domain_comms(dom0_t, domU_t)
+domain_comms(domU_t, domU_t)
+domain_self_comms(domU_t)
declare_domain(isolated_domU_t)
create_domain(dom0_t, isolated_domU_t)
manage_domain(dom0_t, isolated_domU_t)
domain_comms(dom0_t, isolated_domU_t)
+domain_self_comms(isolated_domU_t)
# Declare a boolean that denies creation of prot_domU_t domains
gen_bool(prot_doms_locked, false)
@@ -98,6 +105,8 @@ if (!prot_doms_locked) {
}
domain_comms(dom0_t, prot_domU_t)
domain_comms(domU_t, prot_domU_t)
+domain_comms(prot_domU_t, prot_domU_t)
+domain_self_comms(prot_domU_t)
# domHVM_t is meant to be paired with a qemu-dm stub domain of type dm_dom_t
declare_domain(domHVM_t)
@@ -110,7 +119,7 @@ declare_domain(dm_dom_t)
create_domain(dom0_t, dm_dom_t)
manage_domain(dom0_t, dm_dom_t)
domain_comms(dom0_t, dm_dom_t)
-device_model(dm_dom_t, domHVM_t)
+make_device_model(dom0_t, dm_dom_t, domHVM_t)
# nomigrate_t must be built via the nomigrate_t_building label; once built,
# dom0 cannot read its memory.