-rw-r--r--tools/flask/policy/Makefile203
-rw-r--r--tools/flask/policy/policy/access_vectors24
-rw-r--r--tools/flask/policy/policy/global_booleans5
-rw-r--r--tools/flask/policy/policy/global_tunables5
-rw-r--r--tools/flask/policy/policy/initial_sids4
-rw-r--r--tools/flask/policy/policy/security_classes8
6 files changed, 96 insertions, 153 deletions
diff --git a/tools/flask/policy/Makefile b/tools/flask/policy/Makefile
index 3f5aa38d1c..e666f3e718 100644
--- a/tools/flask/policy/Makefile
+++ b/tools/flask/policy/Makefile
@@ -1,117 +1,86 @@
-#
-# Makefile for the security policy.
-#
-# Targets:
-#
-# install - compile and install the policy configuration.
-# load - compile, install, and load the policy configuration.
-# reload - compile, install, and load/reload the policy configuration.
-# policy - compile the policy configuration locally for testing/development.
-#
-# The default target is 'policy'.
-#
+XEN_ROOT=$(CURDIR)/../../..
+include $(XEN_ROOT)/tools/Rules.mk
########################################
#
# Configurable portions of the Makefile
#
+########################################
-# Policy version
-# By default, checkpolicy will create the highest
-# version policy it supports. Setting this will
-# override the version.
-OUTPUT_POLICY = 24
-
-# Policy Type
-# xen
-# xen-mls
-TYPE = xen
-
-# Policy Name
-# If set, this will be used as the policy
-# name. Otherwise xenpolicy will be
-# used for the name.
-# NAME = xenpolicy
-
-# Number of MLS Sensitivities
-# The sensitivities will be s0 to s(MLS_SENS-1).
-# Dominance will be in increasing numerical order
-# with s0 being lowest.
-# MLS_SENS = 16
+CONFIG_MLS ?= n
-# Number of MLS Categories
+# Number of available MLS sensitivities and categories.
+# The sensitivities will be s0 to s(MLS_SENS-1). Dominance will be in
+# increasing numerical order with s0 being lowest.
+MLS_SENS ?= 16
# The categories will be c0 to c(MLS_CATS-1).
-# MLS_CATS = 256
+MLS_CATS ?= 256
-# Uncomment this to disable command echoing
-# QUIET:=@
+# executable paths
+CHECKPOLICY ?= checkpolicy
+M4 ?= m4
########################################
#
-# NO OPTIONS BELOW HERE
+# End of configuration options
#
+########################################
-# executable paths
-PREFIX := /usr
-BINDIR := $(PREFIX)/bin
-SBINDIR := $(PREFIX)/sbin
-CHECKPOLICY := $(BINDIR)/checkpolicy
-LOADPOLICY := $(SBINDIR)/flask-loadpolicy
+# Policy version
+# By default, checkpolicy creates the highest version policy it supports. Force
+# the use of version 24 which is the highest that Xen supports, and the first to
+# include the Xen policy type (needed for static device policy).
+OUTPUT_POLICY = 24
+
+POLICY_FILENAME = xenpolicy.$(OUTPUT_POLICY)
+POLICY_LOADPATH = $(DESTDIR)/boot
# policy source layout
POLDIR := policy
MODDIR := $(POLDIR)/modules
+
+# Classes and access vectors defined in the hypervisor. Changes to these require
+# a recompile of both the hypervisor and security policy.
FLASKDIR := ../../../xen/xsm/flask/policy
SECCLASS := $(FLASKDIR)/security_classes
-ISIDS := $(FLASKDIR)/initial_sids
+ISID_DECLS := $(FLASKDIR)/initial_sids
AVS := $(FLASKDIR)/access_vectors
+# Additional classes and access vectors defined by local policy
+SECCLASS += $(POLDIR)/security_classes
+AVS += $(POLDIR)/access_vectors
+
+# Other policy components
+M4SUPPORT := $(wildcard $(POLDIR)/support/*.spt)
+MLSSUPPORT := $(POLDIR)/mls
+USERS := $(POLDIR)/users
+CONSTRAINTS := $(POLDIR)/constraints
+ISID_DEFS := $(POLDIR)/initial_sids
+
# config file paths
GLOBALTUN := $(POLDIR)/global_tunables
-GLOBALBOOL := $(POLDIR)/global_booleans
MOD_CONF := $(POLDIR)/modules.conf
-TUNABLES := $(POLDIR)/tunables.conf
-BOOLEANS := $(POLDIR)/booleans.conf
-
-# install paths
-
-DESTDIR = /boot
-INSTALLDIR = $(DESTDIR)
-LOADPATH = $(INSTALLDIR)/$(POLVER)
-# default MLS sensitivity and category settings.
-MLS_SENS ?= 16
-MLS_CATS ?= 256
+# checkpolicy can use the #line directives provided by -s for error reporting:
+M4PARAM := -D self_contained_policy -s
+CHECKPOLICY_PARAM := -t Xen -c $(OUTPUT_POLICY)
# enable MLS if requested.
-ifneq ($(findstring -mls,$(TYPE)),)
+ifneq ($(CONFIG_MLS),n)
M4PARAM += -D enable_mls
- CHECKPOLICY += -M
-endif
-
-ifeq ($(NAME),)
- NAME := xenpolicy
-endif
-
-PV := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ')
-
-ifneq ($(OUTPUT_POLICY),)
- CHECKPOLICY += -c $(OUTPUT_POLICY)
- POLVER = $(NAME).$(OUTPUT_POLICY)
-else
- POLVER +=$(NAME).$(PV)
+ CHECKPOLICY_PARAM += -M
endif
# Always define these because they are referenced even in non-MLS policy
M4PARAM += -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS)
-M4SUPPORT = $(wildcard $(POLDIR)/support/*.spt)
+# Find modules
ALL_LAYERS := $(filter-out $(MODDIR)/CVS,$(shell find $(wildcard $(MODDIR)/*) -maxdepth 0 -type d))
# sort here since it removes duplicates, which can happen
# when a generated file is already generated
-DETECTED_MODS := $(sort $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te)))
+DETECTED_MODS := $(sort $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te)))
# modules.conf setting for policy configuration
MODENABLED := on
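Review bot: The MLS switch `ifneq ($(CONFIG_MLS),n)` enables MLS for every value other than the literal `n`, so `CONFIG_MLS=N`, `CONFIG_MLS=no` or an empty command-line override all build an MLS policy even though the default `CONFIG_MLS ?= n` reads as a y/n knob. If y/n is the intended contract, `ifeq ($(CONFIG_MLS),y)` keeps an unexpected value from silently changing the policy type, and a comment such as `# CONFIG_MLS: set to y to build an MLS policy` above the default would document it. Separately, now that `XEN_ROOT` is defined at the top of the file, the unchanged `FLASKDIR := ../../../xen/xsm/flask/policy` could become `FLASKDIR := $(XEN_ROOT)/xen/xsm/flask/policy` so the hypervisor-side policy location is derived from the same root as the included Rules.mk.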
@@ -122,81 +91,27 @@ ENABLED_MODS := $(foreach mod,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 =
ALL_MODULES := $(filter $(ENABLED_MODS),$(DETECTED_MODS))
ALL_INTERFACES := $(ALL_MODULES:.te=.if)
-ALL_TE_FILES := $(ALL_MODULES)
-
-PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls
-POST_TE_FILES := $(POLDIR)/users $(POLDIR)/constraints $(POLDIR)/initial_sids
-POLICY_SECTIONS := $(PRE_TE_FILES) $(ALL_INTERFACES) $(GLOBALBOOL) $(GLOBALTUN) $(ALL_TE_FILES) $(POST_TE_FILES)
-
-########################################
-#
-# default action: build policy locally
-#
-default: policy
+# The order of these files is important
+POLICY_SECTIONS := $(SECCLASS) $(ISID_DECLS) $(AVS)
+POLICY_SECTIONS += $(M4SUPPORT) $(MLSSUPPORT)
+POLICY_SECTIONS += $(ALL_INTERFACES)
+POLICY_SECTIONS += $(GLOBALTUN)
+POLICY_SECTIONS += $(ALL_MODULES)
+POLICY_SECTIONS += $(USERS) $(CONSTRAINTS) $(ISID_DEFS)
-policy: $(POLVER)
+all: $(POLICY_FILENAME)
-install: $(LOADPATH)
+install: $(POLICY_FILENAME)
+ $(INSTALL_DATA) $^ $(POLICY_LOADPATH)
-load: .load_stamp
+$(POLICY_FILENAME): policy.conf
+ $(CHECKPOLICY) $(CHECKPOLICY_PARAM) $^ -o $@
-########################################
-#
-# Build a binary policy locally
-#
-$(POLVER): policy.conf
- @echo "Compiling $(NAME) $(POLVER)"
- $(QUIET) $(CHECKPOLICY) $^ -o $@
-# Uncomment line below to enable policies for devices
-# $(QUIET) $(CHECKPOLICY) -t Xen $^ -o $@
-
-########################################
-#
-# Install a binary policy
-#
-$(LOADPATH): policy.conf
- @echo "Compiling and installing $(NAME) $(LOADPATH)"
- $(QUIET) $(CHECKPOLICY) $^ -o $@
-# Uncomment line below to enable policies for devices
-# $(QUIET) $(CHECKPOLICY) -t Xen $^ -o $@
-
-########################################
-#
-# Load the binary policy
-#
-.load_stamp: reload
-reload: $(LOADPATH)
- @echo "Loading $(NAME) $(LOADPATH)"
- $(QUIET) $(LOADPOLICY) $(LOADPATH)
- @touch .load_stamp
-
-########################################
-#
-# Construct a monolithic policy.conf
-#
policy.conf: $(POLICY_SECTIONS)
- @echo "Creating $(NAME) policy.conf"
-# checkpolicy can use the #line directives provided by -s for error reporting:
- $(QUIET) m4 -D self_contained_policy $(M4PARAM) -s $^ > $@
+ $(M4) $(M4PARAM) $^ > $@
-########################################
-#
-# Remove the dontaudit rules from the policy.conf
-#
-enableaudit: policy.conf
- @test -d tmp || mkdir -p tmp
- @echo "Removing dontaudit rules from policy.conf"
- $(QUIET) grep -v dontaudit policy.conf > tmp/policy.audit
- $(QUIET) mv tmp/policy.audit policy.conf
-
-########################################
-#
-# Clean the built policies.
-#
clean:
- rm -fR tmp
- rm -f policy.conf
- rm -f $(POLVER)
+ $(RM) tmp policy.conf $(POLICY_FILENAME)
-.PHONY: default policy install load reload enableaudit clean
+.PHONY: all install clean
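Review bot: The new `install` recipe copies straight into `$(POLICY_LOADPATH)` without creating it, so with a staging `DESTDIR` that has no `boot` directory `$(INSTALL_DATA)` fails; presumably Rules.mk provides the tree's `$(INSTALL_DIR)` helper, in which case `$(INSTALL_DIR) $(POLICY_LOADPATH)` as the first recipe line fixes that. `policy.conf` still depends only on `$(POLICY_SECTIONS)`, and disabling a module in `$(MOD_CONF)` shrinks that list without making any prerequisite newer, so an existing policy.conf is kept with the module still compiled in; listing `$(MOD_CONF)` (and `$(lastword $(MAKEFILE_LIST))` for option changes) as prerequisites would make the rebuild honest. Both generated files are also written directly to `$@`, so a failing `m4` or `checkpolicy` leaves a truncated-but-newer output behind that the next run treats as up to date; a `.DELETE_ON_ERROR:` line avoids that. Finally, `$(RM)` expands to `rm -f`, which cannot remove the `tmp` directory, and nothing in the new Makefile creates `tmp` any more, so the clean line can be just `$(RM) policy.conf $(POLICY_FILENAME)`.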
diff --git a/tools/flask/policy/policy/access_vectors b/tools/flask/policy/policy/access_vectors
new file mode 100644
index 0000000000..4fd61f1a59
--- /dev/null
+++ b/tools/flask/policy/policy/access_vectors
@@ -0,0 +1,24 @@
+# Locally defined access vectors
+#
+# Define access vectors for the security classes defined in security_classes
+#
+
+# Note: this is an example; the xenstore daemon provided with Xen does
+# not yet include XSM support, and the exact permissions may be defined
+# differently if such support is added.
+class xenstore {
+ # read from keys owned by the target domain (if permissions allow)
+ read
+ # write to keys owned by the target domain (if permissions allow)
+ write
+ # change permissions of a key owned by the target domain
+ chmod
+ # change the owner of a key which was owned by the target domain
+ chown_from
+ # change the owner of a key to the target domain
+ chown_to
+ # access a key owned by the target domain without permission
+ override
+ # introduce a domain
+ introduce
+}
diff --git a/tools/flask/policy/policy/global_booleans b/tools/flask/policy/policy/global_booleans
deleted file mode 100644
index 4c13cfb062..0000000000
--- a/tools/flask/policy/policy/global_booleans
+++ /dev/null
@@ -1,5 +0,0 @@
-#
-# This file is for the declaration of global booleans.
-# To change the default value at build time, the booleans.conf
-# file should be used.
-#
diff --git a/tools/flask/policy/policy/global_tunables b/tools/flask/policy/policy/global_tunables
index 801b27ec2e..c5da7ae716 100644
--- a/tools/flask/policy/policy/global_tunables
+++ b/tools/flask/policy/policy/global_tunables
@@ -1,6 +1,5 @@
#
-# This file is for the declaration of global tunables.
-# To change the default value at build time, the booleans.conf
-# file should be used.
+# This file is for the declaration of global policy tunables, booleans,
+# and other components not defined within a specific policy module.
#
diff --git a/tools/flask/policy/policy/initial_sids b/tools/flask/policy/policy/initial_sids
index b70a54ee7d..5de0bbf7c2 100644
--- a/tools/flask/policy/policy/initial_sids
+++ b/tools/flask/policy/policy/initial_sids
@@ -1,4 +1,6 @@
-# Labels for initial SIDs
+# Labels for initial SIDs. These initial SIDs are used by the hypervisor for
+# objects created before the policy is loaded or for objects that do not have a
+# label defined in some other manner.
sid xen gen_context(system_u:system_r:xen_t,s0)
sid dom0 gen_context(system_u:system_r:dom0_t,s0)
diff --git a/tools/flask/policy/policy/security_classes b/tools/flask/policy/policy/security_classes
new file mode 100644
index 0000000000..56595e8c59
--- /dev/null
+++ b/tools/flask/policy/policy/security_classes
@@ -0,0 +1,8 @@
+# Locally defined security classes
+#
+# These classes are not used by the hypervisor, but may be used by domains or
+# daemons that need to make access control decisions using the hypervisor's
+# security policy.
+#
+# Access vectors for these classes must be defined in the access_vectors file.
+class xenstore