diff options
Diffstat (limited to 'tools/flask')
| -rw-r--r-- | tools/flask/policy/policy/constraints | 15 | ||||
| -rw-r--r-- | tools/flask/policy/policy/modules/xen/xen.te | 28 | ||||
| -rw-r--r-- | tools/flask/policy/policy/users | 14 |
3 files changed, 39 insertions, 18 deletions
diff --git a/tools/flask/policy/policy/constraints b/tools/flask/policy/policy/constraints index beb949c9b6..765ed4d0cd 100644 --- a/tools/flask/policy/policy/constraints +++ b/tools/flask/policy/policy/constraints @@ -22,6 +22,19 @@ # role_op : == | != | eq | dom | domby | incomp # # names : name | { name_list } -# name_list : name | name_list name +# name_list : name | name_list name # +# Prevent event channels and grants between different customers + +constrain event bind ( + u1 == system_u or + u2 == system_u or + u1 == u2 +); + +constrain grant { map_read map_write copy } ( + u1 == system_u or + u2 == system_u or + u1 == u2 +); diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te index ac52c3fd99..67dd0dfa88 100644 --- a/tools/flask/policy/policy/modules/xen/xen.te +++ b/tools/flask/policy/policy/modules/xen/xen.te @@ -22,22 +22,22 @@ attribute mls_priv; ################################################################################ # The hypervisor itself -type xen_t, xen_type, domain_type, mls_priv; +type xen_t, xen_type, mls_priv; # Domain 0 type dom0_t, domain_type, mls_priv; # Untracked I/O memory (pseudo-domain) -type domio_t, domain_type; +type domio_t, xen_type; # Xen heap (pseudo-domain) -type domxen_t, domain_type; +type domxen_t, xen_type; # Unlabeled objects -type unlabeled_t, domain_type; +type unlabeled_t, xen_type; # The XSM/FLASK security server -type security_t, domain_type; +type security_t, xen_type; # Unlabeled device resources # Note: don't allow access to these types directly; see below for how to label @@ -143,7 +143,11 @@ delegate_devices(dom0_t, domU_t) ################################################################################ # -# Constraints +# Policy constraints +# +# Neverallow rules will cause the policy build to fail if an allow rule exists +# that violates the expression. This is used to ensure proper labeling of +# objects. # ################################################################################ @@ -159,9 +163,19 @@ neverallow * ~event_type:event { create send status }; ################################################################################ # -# Labels for initial SIDs and system role +# Roles # ################################################################################ +# The object role (object_r) is used for devices, resources, and event channels; +# it does not need to be defined here and should not be used for domains. + +# The system role is used for utility domains and pseudo-domains role system_r; role system_r types { xen_type domain_type }; +# If you want to prevent domUs from being placed in system_r: +##role system_r types { xen_type dom0_t }; + +# The vm role is used for customer virtual machines +role vm_r; +role vm_r types { domain_type -dom0_t }; diff --git a/tools/flask/policy/policy/users b/tools/flask/policy/policy/users index a0205e5462..35ed8a9334 100644 --- a/tools/flask/policy/policy/users +++ b/tools/flask/policy/policy/users @@ -3,15 +3,9 @@ # System User configuration. # -# -# gen_user(username, role_set, mls_defaultlevel, mls_range) -# - -# -# system_u is the user identity for system processes and objects. -# There should be no corresponding Unix user identity for system, -# and a user process should never be assigned the system user -# identity. -# +# system_u is the user identity for system domains and objects gen_user(system_u,, system_r, s0, s0 - mls_systemhigh) +# Other users are defined using the vm role +gen_user(customer_1,, vm_r, s0, s0) +gen_user(customer_2,, vm_r, s0, s0) |