From fba7e0e2d350742f114994d183c1e7bf9fdb5949 Mon Sep 17 00:00:00 2001 From: Daniel De Graaf Date: Tue, 20 Dec 2011 18:19:53 +0000 Subject: flask/policy: Update example policy Rewrite the example policy to make it easier to understand and demonstrate some of the security goals that FLASK can enforce. Signed-off-by: Daniel De Graaf Committed-by: Ian Jackson
---
tools/flask/policy/policy/modules/xen/xen.if | 150 +++++++++++----------- tools/flask/policy/policy/modules/xen/xen.te | 180 +++++++++++++++------------ 2 files changed, 178 insertions(+), 152 deletions(-) (limited to 'tools/flask')
diff --git a/tools/flask/policy/policy/modules/xen/xen.if b/tools/flask/policy/policy/modules/xen/xen.if
index 1b508987f2..cd240d8f7d 100644
--- a/tools/flask/policy/policy/modules/xen/xen.if
+++ b/tools/flask/policy/policy/modules/xen/xen.if
@@ -1,92 +1,96 @@ -############################################################################### -# -# create_domain(priv_dom, domain, channel) -# -################################################################################ -define(`create_domain', ` - type $2, domain_type; - allow $1 $2:domain {create max_vcpus setdomainmaxmem - setaddrsize getdomaininfo hypercall - setvcpucontext scheduler unpause - getvcpuinfo getaddrsize getvcpuaffinity}; - allow $1 $2:shadow {enable}; - allow $1 $2:mmu {map_read map_write adjust physmap}; - allow $2 $2:mmu {adjust physmap}; - allow $1 $3:event {create}; -') - -############################################################################### -# -# create_hvm_dom(priv_dom, domain, channel) -# -################################################################################ -define(`create_hvm_dom', ` - create_domain($1, $2, $3) - allow $1 $2:hvm { setparam getparam cacheattr pciroute irqlevel pcilevel trackdirtyvram }; - allow $2 $2:hvm setparam; -') +# Macro definitions for FLASK policy -############################################################################### -# -# create_pv_dom(priv_dom, domain, channel, iodomain) -# -################################################################################ -define(`create_pv_dom', ` - create_domain($1, $2, $3) - allow $1 $2:mmu {memorymap pinpage}; - allow $2 $2:mmu {map_read map_write pinpage}; - allow $2 $4:mmu {map_read}; - - allow $2 $2:grant {query setup}; - allow $1 $2:grant {map_read unmap}; -') ################################################################################ # -# manage_domain(priv_dom, domain) +# Domain creation and setup # ################################################################################ -define(`manage_domain', ` - allow $1 $2:domain {pause destroy}; +# declare_domain(type) +# Declare a type as a domain type, and allow basic domain setup +define(`declare_domain', ` + type $1, domain_type; + allow $1 $1:grant { query setup }; + allow 
$1 $1:mmu { adjust physmap map_read map_write stat pinpage }; + allow $1 $1:hvm { getparam setparam }; +') + +# create_domain(priv, target) +# Allow a domain to be created +define(`create_domain', ` + allow $1 $2:domain { create max_vcpus setdomainmaxmem setaddrsize + getdomaininfo hypercall setvcpucontext scheduler + unpause getvcpuinfo getvcpuextstate getaddrsize + getvcpuaffinity }; + allow $1 $2:security check_context; + allow $1 $2:shadow enable; + allow $1 $2:mmu {map_read map_write adjust memorymap physmap pinpage}; + allow $1 $2:grant setup; + allow $1 $2:hvm { cacheattr getparam hvmctl irqlevel pciroute setparam }; + allow $1 $2_$1_channel:event create; ') ################################################################################ # -# create_channel(caller, peer, channel) +# Inter-domain communication # ################################################################################ + +# create_channel(source, dest, chan-label) +# This allows an event channel to be created from domains with labels +# to and will label it define(`create_channel', ` type $3, event_type; type_transition $1 $2:event $3; - allow $1 $3:event {create}; - allow $3 $2:event {bind}; + allow $1 $3:event { create send status }; + allow $3 $2:event { bind }; ') -############################################################################### -# -# create_passthrough_resource(priv_dom, domain, resource) -# -############################################################################### -define(`create_passthrough_resource', ` - type $3, resource_type; - allow $1 $2:resource {add remove}; - allow $1 ioport_t:resource {add_ioport use}; - allow $1 iomem_t:resource {add_iomem use}; - allow $1 irq_t:resource {add_irq use}; - allow $1 domio_t:mmu {map_read map_write}; - allow $2 domio_t:mmu {map_write}; - allow $2 irq_t:resource {use}; - allow $1 $3:resource {add_irq add_iomem add_ioport remove_irq remove_iomem remove_ioport use add_device remove_device}; - allow $2 $3:resource {use 
add_ioport add_iomem remove_ioport remove_iomem}; - allow $2 $3:mmu {map_read map_write}; + +# domain_event_comms(dom1, dom2) +# Allow two domain types to communicate using event channels +define(`domain_event_comms', ` + create_channel($1, $2, $1_$2_channel) + create_channel($2, $1, $2_$1_channel) +') + +# domain_comms(dom1, dom2) +# Allow two domain types to communicate using grants and event channels +define(`domain_comms', ` + domain_event_comms($1, $2) + allow $1 $2:grant { map_read map_write copy unmap }; + allow $2 $1:grant { map_read map_write copy unmap }; +') + +# domain_self_comms(domain) +# Allow a domain types to communicate with others of its type using grants +# and event channels (this includes event channels to DOMID_SELF) +define(`domain_self_comms', ` + create_channel($1, $1, $1_self_channel) + allow $1 $1:grant { map_read map_write copy unmap }; ') -############################################################################### + +################################################################################ # -# create_hvm_resource(priv_dom, domain, resource) +# Device types and delegation (PCI passthrough) # -############################################################################### -define(`create_hvm_resource', ` - type $3, resource_type; - allow $1 $2:resource {add remove}; - allow $1 $3:hvm {bind_irq}; - allow $1 $3:resource {stat_device add_device remove_device add_irq remove_irq add_iomem remove_iomem add_ioport remove_ioport}; - allow $2 $3:resource {use}; +################################################################################ + +# use_device(domain, device) +# Allow a device to be used by a domain +define(`use_device', ` + allow $1 $2:resource use; + allow $1 $2:mmu { map_read map_write }; +') + +# admin_device(domain, device) +# Allow a device to be used and delegated by a domain +define(`admin_device', ` + allow $1 $2:resource { setup stat_device add_device add_irq add_iomem add_ioport remove_device remove_irq 
remove_iomem remove_ioport }; + allow $1 $2:hvm bind_irq; + use_device($1, $2) +') + +# delegate_devices(priv-domain, target-domain) +# Allow devices to be delegated +define(`delegate_devices', ` + allow $1 $2:resource { add remove }; ') diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te index 1a7f29ad72..0fc31b53fa 100644 --- a/tools/flask/policy/policy/modules/xen/xen.te +++ b/tools/flask/policy/policy/modules/xen/xen.te @@ -1,21 +1,47 @@ +################################################################################ +# +# Attributes for types +# +# An attribute may be used in a rule as shorthand for all types with that +# attribute. +# +################################################################################ attribute xen_type; attribute domain_type; attribute resource_type; attribute event_type; attribute mls_priv; +################################################################################ +# +# Types for the initial SIDs +# +# These types are used internally for objects created during Xen startup or for +# devices that have not yet been labeled +# +################################################################################ + +# The hypervisor itself type xen_t, xen_type, domain_type, mls_priv; +# Domain 0 type dom0_t, domain_type, mls_priv; +# Untracked I/O memory (pseudo-domain) type domio_t, domain_type; +# Xen heap (pseudo-domain) type domxen_t, domain_type; +# Unlabeled objects type unlabeled_t, domain_type; +# The XSM/FLASK security server type security_t, domain_type; +# Unlabeled device resources +# Note: don't allow access to these types directly; see below for how to label +# devices and use that label for allow rules type irq_t, resource_type; type ioport_t, resource_type; type iomem_t, resource_type; 
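Review bot: create_domain's last rule, `allow $1 $2_$1_channel:event create;`, references an event type the macro never declares, so it silently depends on domain_comms($1, $2) or domain_event_comms($1, $2) also being invoked for the same pair; without that the policy fails to build on an undefined type. A comment above the rule would make the contract explicit, e.g. `# Requires domain_event_comms($1, $2) (or domain_comms), which declares the $2_$1_channel type`. The header comment on create_channel reads as if its placeholders were lost ("from domains with labels to and will label it"); `# Allows domains labeled source to create an event channel to domains labeled dest, and labels the channel chan-label` matches the parameter names on the line above it. The domain_self_comms comment also has a stray plural, "a domain types".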
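Review bot: The new note on irq_t, ioport_t and iomem_t says not to allow access to these types directly, but the boot rules in the following hunk do exactly that for dom0 via `admin_device(dom0_t, irq_t)`, `admin_device(dom0_t, ioport_t)` and `admin_device(dom0_t, iomem_t)`, which grant use and map_read/map_write on every still-unlabeled resource. That is presumably needed for dom0 to drive hardware before it has been labeled, but the comment should state the exception rather than contradict the rules, e.g. `# Note: only dom0_t should be granted access to these types directly; label devices (see below) and use that label in guest allow rules`.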
@@ -23,119 +49,115 @@ type device_t, resource_type; ################################################################################ # -# Boot the hypervisor and dom0 +# Rules required to boot the hypervisor and dom0 # ################################################################################ -allow dom0_t xen_t:xen {kexec readapic writeapic mtrr_read mtrr_add mtrr_del -scheduler physinfo heap quirk readconsole writeconsole settime microcode}; - -allow dom0_t domio_t:mmu {map_read map_write}; -allow dom0_t iomem_t:mmu {map_read map_write}; -allow dom0_t xen_t:mmu {memorymap}; - -allow dom0_t dom0_t:mmu {pinpage map_read map_write adjust updatemp}; -allow dom0_t dom0_t:grant {query setup}; -allow dom0_t dom0_t:domain {scheduler getdomaininfo getvcpuinfo getvcpuaffinity}; - -allow xen_t dom0_t:domain {create}; -allow xen_t dom0_t:resource {add remove}; -allow xen_t ioport_t:resource {add_ioport remove_ioport}; -allow dom0_t ioport_t:resource {use}; -allow xen_t iomem_t:resource {add_iomem remove_iomem}; -allow dom0_t iomem_t:resource {use}; -allow xen_t irq_t:resource {add_irq remove_irq}; -allow dom0_t irq_t:resource { add_irq remove_irq use}; +allow xen_t dom0_t:domain { create }; + +allow dom0_t xen_t:xen { kexec readapic writeapic mtrr_read mtrr_add mtrr_del + scheduler physinfo heap quirk readconsole writeconsole settime + microcode cpupool_op sched_op }; +allow dom0_t xen_t:mmu { memorymap }; +allow dom0_t security_t:security { check_context compute_av compute_create + compute_member load_policy compute_relabel compute_user setenforce + setbool setsecparam add_ocontext del_ocontext }; + +allow dom0_t dom0_t:domain { getdomaininfo getvcpuinfo getvcpuaffinity }; +allow dom0_t dom0_t:grant { query setup }; +allow dom0_t dom0_t:mmu { adjust physmap map_read map_write stat pinpage }; allow dom0_t dom0_t:resource { add remove }; -allow dom0_t xen_t:xen firmware; -allow dom0_t security_t:security {compute_av compute_create compute_member -check_context 
load_policy compute_relabel compute_user setenforce setbool -setsecparam add_ocontext del_ocontext}; +admin_device(dom0_t, device_t) +admin_device(dom0_t, irq_t) +admin_device(dom0_t, ioport_t) +admin_device(dom0_t, iomem_t) +allow dom0_t domio_t:mmu { map_read map_write }; -create_channel(dom0_t, dom0_t, evchn0-0_t) -allow dom0_t evchn0-0_t:event {send}; +domain_self_comms(dom0_t) -################################################################################ +auditallow dom0_t security_t:security { load_policy setenforce }; + +############################################################################### # -# Create and manage a domU w/ dom0 IO +# Domain creation # -################################################################################ -create_pv_dom(dom0_t, domU_t, evchnU-0_t, domio_t) +############################################################################### + +declare_domain(domU_t) +domain_self_comms(domU_t) +create_domain(dom0_t, domU_t) +domain_comms(dom0_t, domU_t) + +declare_domain(isolated_domU_t) +create_domain(dom0_t, isolated_domU_t) +domain_comms(dom0_t, isolated_domU_t) -create_channel(domU_t, domU_t, evchnU-U_t) -allow domU_t evchnU-U_t:event {send}; +############################################################################### +# +# Device delegation +# +############################################################################### -create_channel(dom0_t, domU_t, evchn0-U_t) -allow dom0_t evchn0-U_t:event {send}; +type nic_dev_t, resource_type; -create_channel(domU_t, dom0_t, evchnU-0_t) -allow domU_t evchnU-0_t:event {send}; +admin_device(dom0_t, nic_dev_t) +use_device(domU_t, nic_dev_t) -allow dom0_t dom0_t:event {send}; -allow dom0_t domU_t:grant {copy}; -allow domU_t domU_t:grant {copy}; +delegate_devices(dom0_t, domU_t) ############################################################################### # -# Create device labels +# Label devices for delegation +# +# The PCI, IRQ, memory, and I/O port ranges are 
hardware-specific. +# You may also use flask-label-pci to dynamically label devices on each boot. # ############################################################################### -# create device resources -#create_passthrough_resource(dom0_t, domU_t, nicP_t) -#create_hvm_resource(dom0_t, domHU_t, nicP_t) - # label e1000e nic -#pirqcon 33 system_u:object_r:nicP_t -#pirqcon 55 system_u:object_r:nicP_t -#iomemcon 0xfebe0-0xfebff system_u:object_r:nicP_t -#iomemcon 0xfebd9 system_u:object_r:nicP_t -#ioportcon 0xecc0-0xecdf system_u:object_r:nicP_t -#pcidevicecon 0xc800 system_u:object_r:nicP_t +#pirqcon 33 system_u:object_r:nic_dev_t +#pirqcon 55 system_u:object_r:nic_dev_t +#iomemcon 0xfebe0-0xfebff system_u:object_r:nic_dev_t +#iomemcon 0xfebd9 system_u:object_r:nic_dev_t +#ioportcon 0xecc0-0xecdf system_u:object_r:nic_dev_t +#pcidevicecon 0xc800 system_u:object_r:nic_dev_t # label e100 nic -#pirqcon 16 system_u:object_r:nicP_t -#iomemcon 0xfe5df system_u:object_r:nicP_t -#iomemcon 0xfe5e0-0xfe5ff system_u:object_r:nicP_t -#iomemcon 0xc2000-0xc200f system_u:object_r:nicP_t -#ioportcon 0xccc0-0xcd00 system_u:object_r:nicP_t +#pirqcon 16 system_u:object_r:nic_dev_t +#iomemcon 0xfe5df system_u:object_r:nic_dev_t +#iomemcon 0xfe5e0-0xfe5ff system_u:object_r:nic_dev_t +#iomemcon 0xc2000-0xc200f system_u:object_r:nic_dev_t +#ioportcon 0xccc0-0xcd00 system_u:object_r:nic_dev_t # label usb 1d.0-2 1d.7 -#pirqcon 23 system_u:object_r:nicP_t -#pirqcon 17 system_u:object_r:nicP_t -#pirqcon 18 system_u:object_r:nicP_t -#ioportcon 0xff80-0xFF9F system_u:object_r:nicP_t -#ioportcon 0xff60-0xff7f system_u:object_r:nicP_t -#ioportcon 0xff40-0xff5f system_u:object_r:nicP_t -#iomemcon 0xff980 system_u:object_r:nicP_t -#ioportcon 0xff00-0xff1f system_u:object_r:nicP_t - -manage_domain(dom0_t, domU_t) +#pirqcon 23 system_u:object_r:nic_dev_t +#pirqcon 17 system_u:object_r:nic_dev_t +#pirqcon 18 system_u:object_r:nic_dev_t +#ioportcon 0xff80-0xFF9F system_u:object_r:nic_dev_t 
+#ioportcon 0xff60-0xff7f system_u:object_r:nic_dev_t +#ioportcon 0xff40-0xff5f system_u:object_r:nic_dev_t +#iomemcon 0xff980 system_u:object_r:nic_dev_t +#ioportcon 0xff00-0xff1f system_u:object_r:nic_dev_t ################################################################################ # -# Create and manage an HVM domU w/ dom0 IO +# Constraints # ################################################################################ -create_hvm_dom(dom0_t, domHU_t, evchnHU-0_t) -allow dom0_t evchn0-HU_t:event {send}; -create_channel(domHU_t, domHU_t, evchnHU-HU_t) -allow domHU_t evchnU-U_t:event {send}; +# Domains must be declared using domain_type +neverallow * ~domain_type:domain create; -create_channel(dom0_t, domHU_t, evchn0-HU_t) -allow dom0_t evchn0-U_t:event {send}; +# Resources must be declared using resource_type +neverallow * ~resource_type:resource use; -create_channel(domHU_t, dom0_t, evchnHU-0_t) -allow domHU_t evchnU-0_t:event {send}; - -allow dom0_t dom0_t:event {send}; - -manage_domain(dom0_t, domHU_t) +# Events must use event_type (see create_channel for a template) +neverallow ~event_type *:event bind; +neverallow * ~event_type:event { create send status }; ################################################################################ # -# +# Labels for initial SIDs and system role # ################################################################################ sid xen gen_context(system_u:system_r:xen_t,s0) -- cgit v1.2.3
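Review bot: The rewritten dom0 boot rules drop permissions the old rules granted without the description mentioning it: `firmware` is no longer in the dom0_t xen_t:xen list (the separate `allow dom0_t xen_t:xen firmware;` line is removed), `updatemp` is gone from dom0's self mmu rule, and `scheduler` from dom0's self domain rule. If these are deliberate cleanups a sentence in the commit message would help; if not, at least `allow dom0_t xen_t:xen firmware;` should return. Separately, isolated_domU_t differs from domU_t only in that domain_self_comms is not called for it, and nothing says so; a comment before `declare_domain(isolated_domU_t)` such as `# Like domU_t, but without domain_self_comms: isolated guests may only talk to dom0` would document the security goal the type demonstrates. Note also that `use_device(domU_t, nic_dev_t)` permits every domU_t guest to use the NIC once it is delegated, so confining the device to a single guest needs a distinct domain type, which is worth stating in the device-delegation comment.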