From 4b73f651d09d7e566ec3b6f0df16af7b5b1dd8be Mon Sep 17 00:00:00 2001 From: Keir Fraser Date: Fri, 11 Jan 2013 10:36:06 +0000 Subject: xsm: Move flask policy files into hypervisor (missed from earlier commit). Signed-off-by: Keir Fraser --HG-- rename : tools/flask/policy/policy/flask/access_vectors => xen/xsm/flask/policy/access_vectors rename : tools/flask/policy/policy/flask/initial_sids => xen/xsm/flask/policy/initial_sids rename : tools/flask/policy/policy/flask/mkaccess_vector.sh => xen/xsm/flask/policy/mkaccess_vector.sh rename : tools/flask/policy/policy/flask/mkflask.sh => xen/xsm/flask/policy/mkflask.sh rename : tools/flask/policy/policy/flask/security_classes => xen/xsm/flask/policy/security_classes --- xen/xsm/flask/policy/access_vectors | 178 ++++++++++++++++++++++++++++++++ xen/xsm/flask/policy/initial_sids | 16 +++ xen/xsm/flask/policy/mkaccess_vector.sh | 138 +++++++++++++++++++++++++ xen/xsm/flask/policy/mkflask.sh | 95 +++++++++++++++++ xen/xsm/flask/policy/security_classes | 21 ++++ 5 files changed, 448 insertions(+) create mode 100644 xen/xsm/flask/policy/access_vectors create mode 100644 xen/xsm/flask/policy/initial_sids create mode 100644 xen/xsm/flask/policy/mkaccess_vector.sh create mode 100644 xen/xsm/flask/policy/mkflask.sh create mode 100644 xen/xsm/flask/policy/security_classes (limited to 'xen/xsm') diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/access_vectors new file mode 100644 index 0000000000..c7e29abb32 --- /dev/null +++ b/xen/xsm/flask/policy/access_vectors @@ -0,0 +1,178 @@ +# +# Define the access vectors. +# +# class class_name { permission_name ... } + +class xen +{ + scheduler + settime + tbufcontrol + readconsole + clearconsole + perfcontrol + mtrr_add + mtrr_del + mtrr_read + microcode + physinfo + quirk + writeconsole + readapic + writeapic + privprofile + nonprivprofile + kexec + firmware + sleep + frequency + getidle + debug + getcpuinfo + heap + pm_op + mca_op + lockprof + cpupool_op + sched_op +} + +class domain +{ + setvcpucontext + pause + unpause + resume + create + transition + max_vcpus + destroy + setvcpuaffinity + getvcpuaffinity + scheduler + getdomaininfo + getvcpuinfo + getvcpucontext + setdomainmaxmem + setdomainhandle + setdebugging + hypercall + settime + set_target + shutdown + setaddrsize + getaddrsize + trigger + getextvcpucontext + setextvcpucontext + getvcpuextstate + setvcpuextstate + getpodtarget + setpodtarget + set_misc_info + set_virq_handler +} + +class domain2 +{ + relabelfrom + relabelto + relabelself +} + +class hvm +{ + sethvmc + gethvmc + setparam + getparam + pcilevel + irqlevel + pciroute + bind_irq + cacheattr + trackdirtyvram + hvmctl + mem_event + mem_sharing +} + +class event +{ + bind + send + status + notify + create + reset +} + +class grant +{ + map_read + map_write + unmap + transfer + setup + copy + query +} + +class mmu +{ + map_read + map_write + pageinfo + pagelist + adjust + stat + translategp + updatemp + physmap + pinpage + mfnlist + memorymap + remote_remap +} + +class shadow +{ + disable + enable + logdirty +} + +class resource +{ + add + remove + use + add_irq + remove_irq + add_ioport + remove_ioport + add_iomem + remove_iomem + stat_device + add_device + remove_device + plug + unplug + setup +} + +class security +{ + compute_av + compute_create + compute_member + check_context + load_policy + compute_relabel + compute_user + setenforce + setbool + setsecparam + add_ocontext + del_ocontext +} diff --git a/xen/xsm/flask/policy/initial_sids b/xen/xsm/flask/policy/initial_sids new file mode 100644 index 0000000000..e508bde976 --- /dev/null +++ b/xen/xsm/flask/policy/initial_sids @@ -0,0 +1,16 @@ +# FLASK + +# +# Define initial security identifiers +# +sid xen +sid dom0 +sid domio +sid domxen +sid unlabeled +sid security +sid ioport +sid iomem +sid irq +sid device +# FLASK diff --git a/xen/xsm/flask/policy/mkaccess_vector.sh b/xen/xsm/flask/policy/mkaccess_vector.sh new file mode 100644 index 0000000000..8ec87f7b8c --- /dev/null +++ b/xen/xsm/flask/policy/mkaccess_vector.sh @@ -0,0 +1,138 @@ +#!/bin/sh - +# + +# FLASK + +set -e + +awk=$1 +shift + +# output files +av_permissions="include/av_permissions.h" +av_perm_to_string="include/av_perm_to_string.h" + +cat $* | $awk " +BEGIN { + outfile = \"$av_permissions\" + avpermfile = \"$av_perm_to_string\" + "' + nextstate = "COMMON_OR_AV"; + printf("/* This file is automatically generated. Do not edit. */\n") > outfile; + printf("/* This file is automatically generated. Do not edit. */\n") > avpermfile; +; + } +/^[ \t]*#/ { + next; + } +$1 == "class" { + if (nextstate != "COMMON_OR_AV" && + nextstate != "CLASS_OR_CLASS-OPENBRACKET") + { + printf("Parse error: Unexpected class definition on line %d\n", NR); + next; + } + + tclass = $2; + + if (tclass in av_defined) + { + printf("Duplicate access vector definition for %s on line %d\n", tclass, NR); + next; + } + av_defined[tclass] = 1; + + permission = 1; + + nextstate = "INHERITS_OR_CLASS-OPENBRACKET"; + next; + } +$1 == "{" { + if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET" && + nextstate != "CLASS_OR_CLASS-OPENBRACKET" && + nextstate != "COMMON-OPENBRACKET") + { + printf("Parse error: Unexpected { on line %d\n", NR); + next; + } + + if (nextstate == "INHERITS_OR_CLASS-OPENBRACKET") + nextstate = "CLASS-CLOSEBRACKET"; + + if (nextstate == "CLASS_OR_CLASS-OPENBRACKET") + nextstate = "CLASS-CLOSEBRACKET"; + + if (nextstate == "COMMON-OPENBRACKET") + nextstate = "COMMON-CLOSEBRACKET"; + } +/[a-z][a-z_]*/ { + if (nextstate != "COMMON-CLOSEBRACKET" && + nextstate != "CLASS-CLOSEBRACKET") + { + printf("Parse error: Unexpected symbol %s on line %d\n", $1, NR); + next; + } + + if (nextstate == "COMMON-CLOSEBRACKET") + { + if ((common_name,$1) in common_perms) + { + printf("Duplicate permission %s for common %s on line %d.\n", $1, common_name, NR); + next; + } + + common_perms[common_name,$1] = permission; + + printf("#define COMMON_%s__%s", toupper(common_name), toupper($1)) > outfile; + + printf(" S_(\"%s\")\n", $1) > cpermfile; + } + else + { + if ((tclass,$1) in av_perms) + { + printf("Duplicate permission %s for %s on line %d.\n", $1, tclass, NR); + next; + } + + av_perms[tclass,$1] = permission; + + printf("#define %s__%s", toupper(tclass), toupper($1)) > outfile; + + printf(" S_(SECCLASS_%s, %s__%s, \"%s\")\n", toupper(tclass), toupper(tclass), toupper($1), $1) > avpermfile; + } + + spaces = 40 - (length($1) + length(tclass)); + if (spaces < 1) + spaces = 1; + + for (i = 0; i < spaces; i++) + printf(" ") > outfile; + printf("0x%08xUL\n", permission) > outfile; + permission = permission * 2; + } +$1 == "}" { + if (nextstate != "CLASS-CLOSEBRACKET" && + nextstate != "COMMON-CLOSEBRACKET") + { + printf("Parse error: Unexpected } on line %d\n", NR); + next; + } + + if (nextstate == "COMMON-CLOSEBRACKET") + { + common_base[common_name] = permission; + printf("TE_(common_%s_perm_to_string)\n\n", common_name) > cpermfile; + } + + printf("\n") > outfile; + + nextstate = "COMMON_OR_AV"; + } +END { + if (nextstate != "COMMON_OR_AV" && nextstate != "CLASS_OR_CLASS-OPENBRACKET") + printf("Parse error: Unexpected end of file\n"); + + }' + +# FLASK diff --git a/xen/xsm/flask/policy/mkflask.sh b/xen/xsm/flask/policy/mkflask.sh new file mode 100644 index 0000000000..e8d8fb5d2c --- /dev/null +++ b/xen/xsm/flask/policy/mkflask.sh @@ -0,0 +1,95 @@ +#!/bin/sh - +# + +# FLASK + +set -e + +awk=$1 +shift 1 + +# output file +output_file="include/flask.h" +debug_file="include/class_to_string.h" +debug_file2="include/initial_sid_to_string.h" + +cat $* | $awk " +BEGIN { + outfile = \"$output_file\" + debugfile = \"$debug_file\" + debugfile2 = \"$debug_file2\" + "' + nextstate = "CLASS"; + + printf("/* This file is automatically generated. Do not edit. */\n") > outfile; + + printf("#ifndef _SELINUX_FLASK_H_\n") > outfile; + printf("#define _SELINUX_FLASK_H_\n") > outfile; + printf("\n/*\n * Security object class definitions\n */\n") > outfile; + printf("/* This file is automatically generated. Do not edit. */\n") > debugfile; + printf("/*\n * Security object class definitions\n */\n") > debugfile; + printf(" S_(\"null\")\n") > debugfile; + printf("/* This file is automatically generated. Do not edit. */\n") > debugfile2; + printf("static char *initial_sid_to_string[] =\n{\n") > debugfile2; + printf(" \"null\",\n") > debugfile2; + } +/^[ \t]*#/ { + next; + } +$1 == "class" { + if (nextstate != "CLASS") + { + printf("Parse error: Unexpected class definition on line %d\n", NR); + next; + } + + if ($2 in class_found) + { + printf("Duplicate class definition for %s on line %d.\n", $2, NR); + next; + } + class_found[$2] = 1; + + class_value++; + + printf("#define SECCLASS_%s", toupper($2)) > outfile; + for (i = 0; i < 40 - length($2); i++) + printf(" ") > outfile; + printf("%d\n", class_value) > outfile; + + printf(" S_(\"%s\")\n", $2) > debugfile; + } +$1 == "sid" { + if (nextstate == "CLASS") + { + nextstate = "SID"; + printf("\n/*\n * Security identifier indices for initial entities\n */\n") > outfile; + } + + if ($2 in sid_found) + { + printf("Duplicate SID definition for %s on line %d.\n", $2, NR); + next; + } + sid_found[$2] = 1; + sid_value++; + + printf("#define SECINITSID_%s", toupper($2)) > outfile; + for (i = 0; i < 37 - length($2); i++) + printf(" ") > outfile; + printf("%d\n", sid_value) > outfile; + printf(" \"%s\",\n", $2) > debugfile2; + } +END { + if (nextstate != "SID") + printf("Parse error: Unexpected end of file\n"); + + printf("\n#define SECINITSID_NUM") > outfile; + for (i = 0; i < 34; i++) + printf(" ") > outfile; + printf("%d\n", sid_value) > outfile; + printf("\n#endif\n") > outfile; + printf("};\n\n") > debugfile2; + }' + +# FLASK diff --git a/xen/xsm/flask/policy/security_classes b/xen/xsm/flask/policy/security_classes new file mode 100644 index 0000000000..ef134a7457 --- /dev/null +++ b/xen/xsm/flask/policy/security_classes @@ -0,0 +1,21 @@ +# FLASK + +# +# Define the security object classes +# + +# Classes marked as userspace are classes +# for userspace object managers + +class xen +class domain +class domain2 +class hvm +class mmu +class resource +class shadow +class event +class grant +class security + +# FLASK -- cgit v1.2.3