diff options
author | Ian Campbell <ijc@hellion.org.uk> | 2013-01-11 12:23:39 +0000 |
---|---|---|
committer | Ian Campbell <ijc@hellion.org.uk> | 2013-01-11 12:23:39 +0000 |
commit | c11edec4d6b2a20e9e808437d73a1010be6e31fb (patch) | |
tree | 1391e20aef6711c8fd1d2f7acc11381d288c14fd /tools | |
parent | 5267d751d9e29f1bae09dad12ca32cb44b008e16 (diff) | |
parent | 2ffc6723b0b7a9e85745606ba2b1e1021a862548 (diff) | |
download | xen-c11edec4d6b2a20e9e808437d73a1010be6e31fb.tar.gz xen-c11edec4d6b2a20e9e808437d73a1010be6e31fb.tar.bz2 xen-c11edec4d6b2a20e9e808437d73a1010be6e31fb.zip |
merge
Diffstat (limited to 'tools')
-rw-r--r-- | tools/flask/policy/policy/flask/access_vectors | 178 | ||||
-rw-r--r-- | tools/flask/policy/policy/flask/initial_sids | 16 | ||||
-rw-r--r-- | tools/flask/policy/policy/flask/mkaccess_vector.sh | 138 | ||||
-rw-r--r-- | tools/flask/policy/policy/flask/mkflask.sh | 95 | ||||
-rw-r--r-- | tools/flask/policy/policy/flask/security_classes | 21 | ||||
-rw-r--r-- | tools/flask/policy/policy/modules/xen/xen.if | 72 | ||||
-rw-r--r-- | tools/flask/policy/policy/modules/xen/xen.te | 25 |
7 files changed, 73 insertions, 472 deletions
diff --git a/tools/flask/policy/policy/flask/access_vectors b/tools/flask/policy/policy/flask/access_vectors deleted file mode 100644 index c7e29abb32..0000000000 --- a/tools/flask/policy/policy/flask/access_vectors +++ /dev/null @@ -1,178 +0,0 @@ -# -# Define the access vectors. -# -# class class_name { permission_name ... } - -class xen -{ - scheduler - settime - tbufcontrol - readconsole - clearconsole - perfcontrol - mtrr_add - mtrr_del - mtrr_read - microcode - physinfo - quirk - writeconsole - readapic - writeapic - privprofile - nonprivprofile - kexec - firmware - sleep - frequency - getidle - debug - getcpuinfo - heap - pm_op - mca_op - lockprof - cpupool_op - sched_op -} - -class domain -{ - setvcpucontext - pause - unpause - resume - create - transition - max_vcpus - destroy - setvcpuaffinity - getvcpuaffinity - scheduler - getdomaininfo - getvcpuinfo - getvcpucontext - setdomainmaxmem - setdomainhandle - setdebugging - hypercall - settime - set_target - shutdown - setaddrsize - getaddrsize - trigger - getextvcpucontext - setextvcpucontext - getvcpuextstate - setvcpuextstate - getpodtarget - setpodtarget - set_misc_info - set_virq_handler -} - -class domain2 -{ - relabelfrom - relabelto - relabelself -} - -class hvm -{ - sethvmc - gethvmc - setparam - getparam - pcilevel - irqlevel - pciroute - bind_irq - cacheattr - trackdirtyvram - hvmctl - mem_event - mem_sharing -} - -class event -{ - bind - send - status - notify - create - reset -} - -class grant -{ - map_read - map_write - unmap - transfer - setup - copy - query -} - -class mmu -{ - map_read - map_write - pageinfo - pagelist - adjust - stat - translategp - updatemp - physmap - pinpage - mfnlist - memorymap - remote_remap -} - -class shadow -{ - disable - enable - logdirty -} - -class resource -{ - add - remove - use - add_irq - remove_irq - add_ioport - remove_ioport - add_iomem - remove_iomem - stat_device - add_device - remove_device - plug - unplug - setup -} - -class security -{ - compute_av - compute_create - compute_member - check_context - load_policy - compute_relabel - compute_user - setenforce - setbool - setsecparam - add_ocontext - del_ocontext -} diff --git a/tools/flask/policy/policy/flask/initial_sids b/tools/flask/policy/policy/flask/initial_sids deleted file mode 100644 index e508bde976..0000000000 --- a/tools/flask/policy/policy/flask/initial_sids +++ /dev/null @@ -1,16 +0,0 @@ -# FLASK - -# -# Define initial security identifiers -# -sid xen -sid dom0 -sid domio -sid domxen -sid unlabeled -sid security -sid ioport -sid iomem -sid irq -sid device -# FLASK diff --git a/tools/flask/policy/policy/flask/mkaccess_vector.sh b/tools/flask/policy/policy/flask/mkaccess_vector.sh deleted file mode 100644 index 8ec87f7b8c..0000000000 --- a/tools/flask/policy/policy/flask/mkaccess_vector.sh +++ /dev/null @@ -1,138 +0,0 @@ -#!/bin/sh - -# - -# FLASK - -set -e - -awk=$1 -shift - -# output files -av_permissions="include/av_permissions.h" -av_perm_to_string="include/av_perm_to_string.h" - -cat $* | $awk " -BEGIN { - outfile = \"$av_permissions\" - avpermfile = \"$av_perm_to_string\" - "' - nextstate = "COMMON_OR_AV"; - printf("/* This file is automatically generated. Do not edit. */\n") > outfile; - printf("/* This file is automatically generated. Do not edit. */\n") > avpermfile; -; - } -/^[ \t]*#/ { - next; - } -$1 == "class" { - if (nextstate != "COMMON_OR_AV" && - nextstate != "CLASS_OR_CLASS-OPENBRACKET") - { - printf("Parse error: Unexpected class definition on line %d\n", NR); - next; - } - - tclass = $2; - - if (tclass in av_defined) - { - printf("Duplicate access vector definition for %s on line %d\n", tclass, NR); - next; - } - av_defined[tclass] = 1; - - permission = 1; - - nextstate = "INHERITS_OR_CLASS-OPENBRACKET"; - next; - } -$1 == "{" { - if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET" && - nextstate != "CLASS_OR_CLASS-OPENBRACKET" && - nextstate != "COMMON-OPENBRACKET") - { - printf("Parse error: Unexpected { on line %d\n", NR); - next; - } - - if (nextstate == "INHERITS_OR_CLASS-OPENBRACKET") - nextstate = "CLASS-CLOSEBRACKET"; - - if (nextstate == "CLASS_OR_CLASS-OPENBRACKET") - nextstate = "CLASS-CLOSEBRACKET"; - - if (nextstate == "COMMON-OPENBRACKET") - nextstate = "COMMON-CLOSEBRACKET"; - } -/[a-z][a-z_]*/ { - if (nextstate != "COMMON-CLOSEBRACKET" && - nextstate != "CLASS-CLOSEBRACKET") - { - printf("Parse error: Unexpected symbol %s on line %d\n", $1, NR); - next; - } - - if (nextstate == "COMMON-CLOSEBRACKET") - { - if ((common_name,$1) in common_perms) - { - printf("Duplicate permission %s for common %s on line %d.\n", $1, common_name, NR); - next; - } - - common_perms[common_name,$1] = permission; - - printf("#define COMMON_%s__%s", toupper(common_name), toupper($1)) > outfile; - - printf(" S_(\"%s\")\n", $1) > cpermfile; - } - else - { - if ((tclass,$1) in av_perms) - { - printf("Duplicate permission %s for %s on line %d.\n", $1, tclass, NR); - next; - } - - av_perms[tclass,$1] = permission; - - printf("#define %s__%s", toupper(tclass), toupper($1)) > outfile; - - printf(" S_(SECCLASS_%s, %s__%s, \"%s\")\n", toupper(tclass), toupper(tclass), toupper($1), $1) > avpermfile; - } - - spaces = 40 - (length($1) + length(tclass)); - if (spaces < 1) - spaces = 1; - - for (i = 0; i < spaces; i++) - printf(" ") > outfile; - printf("0x%08xUL\n", permission) > outfile; - permission = permission * 2; - } -$1 == "}" { - if (nextstate != "CLASS-CLOSEBRACKET" && - nextstate != "COMMON-CLOSEBRACKET") - { - printf("Parse error: Unexpected } on line %d\n", NR); - next; - } - - if (nextstate == "COMMON-CLOSEBRACKET") - { - common_base[common_name] = permission; - printf("TE_(common_%s_perm_to_string)\n\n", common_name) > cpermfile; - } - - printf("\n") > outfile; - - nextstate = "COMMON_OR_AV"; - } -END { - if (nextstate != "COMMON_OR_AV" && nextstate != "CLASS_OR_CLASS-OPENBRACKET") - printf("Parse error: Unexpected end of file\n"); - - }' - -# FLASK diff --git a/tools/flask/policy/policy/flask/mkflask.sh b/tools/flask/policy/policy/flask/mkflask.sh deleted file mode 100644 index e8d8fb5d2c..0000000000 --- a/tools/flask/policy/policy/flask/mkflask.sh +++ /dev/null @@ -1,95 +0,0 @@ -#!/bin/sh - -# - -# FLASK - -set -e - -awk=$1 -shift 1 - -# output file -output_file="include/flask.h" -debug_file="include/class_to_string.h" -debug_file2="include/initial_sid_to_string.h" - -cat $* | $awk " -BEGIN { - outfile = \"$output_file\" - debugfile = \"$debug_file\" - debugfile2 = \"$debug_file2\" - "' - nextstate = "CLASS"; - - printf("/* This file is automatically generated. Do not edit. */\n") > outfile; - - printf("#ifndef _SELINUX_FLASK_H_\n") > outfile; - printf("#define _SELINUX_FLASK_H_\n") > outfile; - printf("\n/*\n * Security object class definitions\n */\n") > outfile; - printf("/* This file is automatically generated. Do not edit. */\n") > debugfile; - printf("/*\n * Security object class definitions\n */\n") > debugfile; - printf(" S_(\"null\")\n") > debugfile; - printf("/* This file is automatically generated. Do not edit. */\n") > debugfile2; - printf("static char *initial_sid_to_string[] =\n{\n") > debugfile2; - printf(" \"null\",\n") > debugfile2; - } -/^[ \t]*#/ { - next; - } -$1 == "class" { - if (nextstate != "CLASS") - { - printf("Parse error: Unexpected class definition on line %d\n", NR); - next; - } - - if ($2 in class_found) - { - printf("Duplicate class definition for %s on line %d.\n", $2, NR); - next; - } - class_found[$2] = 1; - - class_value++; - - printf("#define SECCLASS_%s", toupper($2)) > outfile; - for (i = 0; i < 40 - length($2); i++) - printf(" ") > outfile; - printf("%d\n", class_value) > outfile; - - printf(" S_(\"%s\")\n", $2) > debugfile; - } -$1 == "sid" { - if (nextstate == "CLASS") - { - nextstate = "SID"; - printf("\n/*\n * Security identifier indices for initial entities\n */\n") > outfile; - } - - if ($2 in sid_found) - { - printf("Duplicate SID definition for %s on line %d.\n", $2, NR); - next; - } - sid_found[$2] = 1; - sid_value++; - - printf("#define SECINITSID_%s", toupper($2)) > outfile; - for (i = 0; i < 37 - length($2); i++) - printf(" ") > outfile; - printf("%d\n", sid_value) > outfile; - printf(" \"%s\",\n", $2) > debugfile2; - } -END { - if (nextstate != "SID") - printf("Parse error: Unexpected end of file\n"); - - printf("\n#define SECINITSID_NUM") > outfile; - for (i = 0; i < 34; i++) - printf(" ") > outfile; - printf("%d\n", sid_value) > outfile; - printf("\n#endif\n") > outfile; - printf("};\n\n") > debugfile2; - }' - -# FLASK diff --git a/tools/flask/policy/policy/flask/security_classes b/tools/flask/policy/policy/flask/security_classes deleted file mode 100644 index ef134a7457..0000000000 --- a/tools/flask/policy/policy/flask/security_classes +++ /dev/null @@ -1,21 +0,0 @@ -# FLASK - -# -# Define the security object classes -# - -# Classes marked as userspace are classes -# for userspace object managers - -class xen -class domain -class domain2 -class hvm -class mmu -class resource -class shadow -class event -class grant -class security - -# FLASK diff --git a/tools/flask/policy/policy/modules/xen/xen.if b/tools/flask/policy/policy/modules/xen/xen.if index 2ad11b2206..2ce22125c1 100644 --- a/tools/flask/policy/policy/modules/xen/xen.if +++ b/tools/flask/policy/policy/modules/xen/xen.if @@ -5,15 +5,35 @@ # Domain creation and setup # ################################################################################ +define(`declare_domain_common', ` + allow $1 $2:grant { query setup }; + allow $1 $2:mmu { adjust physmap map_read map_write stat pinpage updatemp mmuext_op }; + allow $1 $2:hvm { getparam setparam }; +') + # declare_domain(type, attrs...) -# Declare a type as a domain type, and allow basic domain setup +# Declare a domain type, along with associated _self and _channel types +# Allow the domain to perform basic operations on itself define(`declare_domain', ` type $1, domain_type`'ifelse(`$#', `1', `', `,shift($@)'); + type $1_self, domain_type, domain_self_type; + type_transition $1 $1:domain $1_self; + type $1_channel, event_type; + type_transition $1 domain_type:event $1_channel; + declare_domain_common($1, $1_self) +') + +# declare_singleton_domain(type, attrs...) +# Declare a domain type and associated _channel types. +# Note: Because the domain can perform basic operations on itself and any +# other domain of the same type, this constructor should be used for types +# containing at most one domain. This is not enforced by policy. +define(`declare_singleton_domain', ` + type $1, domain_type`'ifelse(`$#', `1', `', `,shift($@)'); + define(`$1_self', `$1') type $1_channel, event_type; type_transition $1 domain_type:event $1_channel; - allow $1 $1:grant { query setup }; - allow $1 $1:mmu { adjust physmap map_read map_write stat pinpage }; - allow $1 $1:hvm { getparam setparam }; + declare_domain_common($1, $1) ') # declare_build_label(type) @@ -27,11 +47,12 @@ define(`declare_build_label', ` define(`create_domain_common', ` allow $1 $2:domain { create max_vcpus setdomainmaxmem setaddrsize getdomaininfo hypercall setvcpucontext setextvcpucontext - scheduler getvcpuinfo getvcpuextstate getaddrsize + getscheduler getvcpuinfo getvcpuextstate getaddrsize getvcpuaffinity setvcpuaffinity }; + allow $1 $2:domain2 { set_cpuid settsc setscheduler }; allow $1 $2:security check_context; allow $1 $2:shadow enable; - allow $1 $2:mmu {map_read map_write adjust memorymap physmap pinpage}; + allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage mmuext_op }; allow $1 $2:grant setup; allow $1 $2:hvm { cacheattr getparam hvmctl irqlevel pciroute sethvmc setparam pcilevel trackdirtyvram }; ') @@ -50,6 +71,7 @@ define(`create_domain_build_label', ` allow $1 $2_channel:event create; allow $1 $2_building:domain2 relabelfrom; allow $1 $2:domain2 relabelto; + allow $2_building $2:domain transition; ') # manage_domain(priv, target) @@ -57,7 +79,7 @@ define(`create_domain_build_label', ` define(`manage_domain', ` allow $1 $2:domain { getdomaininfo getvcpuinfo getvcpuaffinity getaddrsize pause unpause trigger shutdown destroy - setvcpuaffinity setdomainmaxmem }; + setvcpuaffinity setdomainmaxmem getscheduler }; ') # migrate_domain_out(priv, target) @@ -67,6 +89,7 @@ define(`migrate_domain_out', ` allow $1 $2:hvm { gethvmc getparam irqlevel }; allow $1 $2:mmu { stat pageinfo map_read }; allow $1 $2:domain { getaddrsize getvcpucontext getextvcpucontext getvcpuextstate pause destroy }; + allow $1 $2:domain2 gettsc; ') ################################################################################ @@ -99,20 +122,36 @@ define(`domain_comms', ` ') # domain_self_comms(domain) -# Allow a domain types to communicate with others of its type using grants -# and event channels (this includes event channels to DOMID_SELF) +# Allow a non-singleton domain type to communicate with itself using grants +# and event channels define(`domain_self_comms', ` - create_channel($1, $1, $1_channel) - allow $1 $1:grant { map_read map_write copy unmap }; + create_channel($1, $1_self, $1_channel) + allow $1 $1_self:grant { map_read map_write copy unmap }; ') # device_model(dm_dom, hvm_dom) # Define how a device model domain interacts with its target define(`device_model', ` - domain_comms($1, $2) - allow $1 $2:domain { set_target shutdown }; - allow $1 $2:mmu { map_read map_write adjust physmap }; - allow $1 $2:hvm { getparam setparam trackdirtyvram hvmctl irqlevel pciroute }; + type $2_target, domain_type, domain_target_type; + type_transition $2 $1:domain $2_target; + allow $1 $2:domain set_target; + + type_transition $2_target domain_type:event $2_channel; + create_channel($1, $2_target, $1_channel) + create_channel($2, $1, $2_channel) + allow $1 $2_channel:event create; + + allow $1 $2_target:domain shutdown; + allow $1 $2_target:mmu { map_read map_write adjust physmap }; + allow $1 $2_target:hvm { getparam setparam trackdirtyvram hvmctl irqlevel pciroute cacheattr send_irq }; +') + +# make_device_model(priv, dm_dom, hvm_dom) +# Allow creation of a device model and HVM domain pair +define(`make_device_model', ` + device_model($2, $3) + allow $1 $2:domain2 make_priv_for; + allow $1 $3:domain2 set_as_target; ') ################################################################################ # @@ -123,8 +162,9 @@ define(`device_model', ` # use_device(domain, device) # Allow a device to be used by a domain define(`use_device', ` + allow $1 $1_self:mmu exchange; allow $1 $2:resource use; - allow $1 $2:mmu { map_read map_write }; + allow $1 domio_t:mmu { map_read map_write }; ') # admin_device(domain, device) diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te index 116215384b..955fd8bee6 100644 --- a/tools/flask/policy/policy/modules/xen/xen.te +++ b/tools/flask/policy/policy/modules/xen/xen.te @@ -8,6 +8,8 @@ ################################################################################ attribute xen_type; attribute domain_type; +attribute domain_self_type; +attribute domain_target_type; attribute resource_type; attribute event_type; attribute mls_priv; @@ -25,12 +27,12 @@ attribute mls_priv; type xen_t, xen_type, mls_priv; # Domain 0 -declare_domain(dom0_t, mls_priv); +declare_singleton_domain(dom0_t, mls_priv); -# Untracked I/O memory (pseudo-domain) +# I/O memory (DOMID_IO pseudo-domain) type domio_t, xen_type; -# Xen heap (pseudo-domain) +# Xen heap (DOMID_XEN pseudo-domain) type domxen_t, xen_type; # Unlabeled objects @@ -53,8 +55,8 @@ type device_t, resource_type; # ################################################################################ allow dom0_t xen_t:xen { kexec readapic writeapic mtrr_read mtrr_add mtrr_del - scheduler physinfo heap quirk readconsole writeconsole settime getcpuinfo - microcode cpupool_op sched_op pm_op }; + physinfo heap quirk readconsole writeconsole settime getcpuinfo + microcode cpupool_op pm_op tmem_control getscheduler setscheduler }; allow dom0_t xen_t:mmu { memorymap }; allow dom0_t security_t:security { check_context compute_av compute_create compute_member load_policy compute_relabel compute_user setenforce @@ -67,12 +69,14 @@ admin_device(dom0_t, device_t) admin_device(dom0_t, irq_t) admin_device(dom0_t, ioport_t) admin_device(dom0_t, iomem_t) -allow dom0_t domio_t:mmu { map_read map_write }; -domain_self_comms(dom0_t) +domain_comms(dom0_t, dom0_t) auditallow dom0_t security_t:security { load_policy setenforce setbool }; +# Allow all domains to use (unprivileged parts of) the tmem hypercall +allow domain_type xen_t:xen tmem_op; + ############################################################################### # # Domain creation @@ -84,11 +88,14 @@ domain_self_comms(domU_t) create_domain(dom0_t, domU_t) manage_domain(dom0_t, domU_t) domain_comms(dom0_t, domU_t) +domain_comms(domU_t, domU_t) +domain_self_comms(domU_t) declare_domain(isolated_domU_t) create_domain(dom0_t, isolated_domU_t) manage_domain(dom0_t, isolated_domU_t) domain_comms(dom0_t, isolated_domU_t) +domain_self_comms(isolated_domU_t) # Declare a boolean that denies creation of prot_domU_t domains gen_bool(prot_doms_locked, false) @@ -98,6 +105,8 @@ if (!prot_doms_locked) { } domain_comms(dom0_t, prot_domU_t) domain_comms(domU_t, prot_domU_t) +domain_comms(prot_domU_t, prot_domU_t) +domain_self_comms(prot_domU_t) # domHVM_t is meant to be paired with a qemu-dm stub domain of type dm_dom_t declare_domain(domHVM_t) @@ -110,7 +119,7 @@ declare_domain(dm_dom_t) create_domain(dom0_t, dm_dom_t) manage_domain(dom0_t, dm_dom_t) domain_comms(dom0_t, dm_dom_t) -device_model(dm_dom_t, domHVM_t) +make_device_model(dom0_t, dm_dom_t, domHVM_t) # nomigrate_t must be built via the nomigrate_t_building label; once built, # dom0 cannot read its memory. |