From: Keir Fraser Date: Fri, 11 Jan 2013 10:36:06 +0000 (+0000) Subject: xsm: Move flask policy files into hypervisor (missed from earlier commit). X-Git-Tag: 4.3.0-rc1~535^2~14 X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=4b73f651d09d7e566ec3b6f0df16af7b5b1dd8be;p=xen.git xsm: Move flask policy files into hypervisor (missed from earlier commit). Signed-off-by: Keir Fraser --HG-- rename : tools/flask/policy/policy/flask/access_vectors => xen/xsm/flask/policy/access_vectors rename : tools/flask/policy/policy/flask/initial_sids => xen/xsm/flask/policy/initial_sids rename : tools/flask/policy/policy/flask/mkaccess_vector.sh => xen/xsm/flask/policy/mkaccess_vector.sh rename : tools/flask/policy/policy/flask/mkflask.sh => xen/xsm/flask/policy/mkflask.sh rename : tools/flask/policy/policy/flask/security_classes => xen/xsm/flask/policy/security_classes --- diff --git a/tools/flask/policy/policy/flask/access_vectors b/tools/flask/policy/policy/flask/access_vectors deleted file mode 100644 index c7e29abb32..0000000000 --- a/tools/flask/policy/policy/flask/access_vectors +++ /dev/null @@ -1,178 +0,0 @@ -# -# Define the access vectors. -# -# class class_name { permission_name ... } - -class xen -{ - scheduler - settime - tbufcontrol - readconsole - clearconsole - perfcontrol - mtrr_add - mtrr_del - mtrr_read - microcode - physinfo - quirk - writeconsole - readapic - writeapic - privprofile - nonprivprofile - kexec - firmware - sleep - frequency - getidle - debug - getcpuinfo - heap - pm_op - mca_op - lockprof - cpupool_op - sched_op -} - -class domain -{ - setvcpucontext - pause - unpause - resume - create - transition - max_vcpus - destroy - setvcpuaffinity - getvcpuaffinity - scheduler - getdomaininfo - getvcpuinfo - getvcpucontext - setdomainmaxmem - setdomainhandle - setdebugging - hypercall - settime - set_target - shutdown - setaddrsize - getaddrsize - trigger - getextvcpucontext - setextvcpucontext - getvcpuextstate - setvcpuextstate - getpodtarget - setpodtarget - set_misc_info - set_virq_handler -} - -class domain2 -{ - relabelfrom - relabelto - relabelself -} - -class hvm -{ - sethvmc - gethvmc - setparam - getparam - pcilevel - irqlevel - pciroute - bind_irq - cacheattr - trackdirtyvram - hvmctl - mem_event - mem_sharing -} - -class event -{ - bind - send - status - notify - create - reset -} - -class grant -{ - map_read - map_write - unmap - transfer - setup - copy - query -} - -class mmu -{ - map_read - map_write - pageinfo - pagelist - adjust - stat - translategp - updatemp - physmap - pinpage - mfnlist - memorymap - remote_remap -} - -class shadow -{ - disable - enable - logdirty -} - -class resource -{ - add - remove - use - add_irq - remove_irq - add_ioport - remove_ioport - add_iomem - remove_iomem - stat_device - add_device - remove_device - plug - unplug - setup -} - -class security -{ - compute_av - compute_create - compute_member - check_context - load_policy - compute_relabel - compute_user - setenforce - setbool - setsecparam - add_ocontext - del_ocontext -} diff --git a/tools/flask/policy/policy/flask/initial_sids b/tools/flask/policy/policy/flask/initial_sids deleted file mode 100644 index e508bde976..0000000000 --- a/tools/flask/policy/policy/flask/initial_sids +++ /dev/null @@ -1,16 +0,0 @@ -# FLASK - -# -# Define initial security identifiers -# -sid xen -sid dom0 -sid domio -sid domxen -sid unlabeled -sid security -sid ioport -sid iomem -sid irq -sid device -# FLASK diff --git a/tools/flask/policy/policy/flask/mkaccess_vector.sh b/tools/flask/policy/policy/flask/mkaccess_vector.sh deleted file mode 100644 index 8ec87f7b8c..0000000000 --- a/tools/flask/policy/policy/flask/mkaccess_vector.sh +++ /dev/null @@ -1,138 +0,0 @@ -#!/bin/sh - -# - -# FLASK - -set -e - -awk=$1 -shift - -# output files -av_permissions="include/av_permissions.h" -av_perm_to_string="include/av_perm_to_string.h" - -cat $* | $awk " -BEGIN { - outfile = \"$av_permissions\" - avpermfile = \"$av_perm_to_string\" - "' - nextstate = "COMMON_OR_AV"; - printf("/* This file is automatically generated. Do not edit. */\n") > outfile; - printf("/* This file is automatically generated. Do not edit. */\n") > avpermfile; -; - } -/^[ \t]*#/ { - next; - } -$1 == "class" { - if (nextstate != "COMMON_OR_AV" && - nextstate != "CLASS_OR_CLASS-OPENBRACKET") - { - printf("Parse error: Unexpected class definition on line %d\n", NR); - next; - } - - tclass = $2; - - if (tclass in av_defined) - { - printf("Duplicate access vector definition for %s on line %d\n", tclass, NR); - next; - } - av_defined[tclass] = 1; - - permission = 1; - - nextstate = "INHERITS_OR_CLASS-OPENBRACKET"; - next; - } -$1 == "{" { - if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET" && - nextstate != "CLASS_OR_CLASS-OPENBRACKET" && - nextstate != "COMMON-OPENBRACKET") - { - printf("Parse error: Unexpected { on line %d\n", NR); - next; - } - - if (nextstate == "INHERITS_OR_CLASS-OPENBRACKET") - nextstate = "CLASS-CLOSEBRACKET"; - - if (nextstate == "CLASS_OR_CLASS-OPENBRACKET") - nextstate = "CLASS-CLOSEBRACKET"; - - if (nextstate == "COMMON-OPENBRACKET") - nextstate = "COMMON-CLOSEBRACKET"; - } -/[a-z][a-z_]*/ { - if (nextstate != "COMMON-CLOSEBRACKET" && - nextstate != "CLASS-CLOSEBRACKET") - { - printf("Parse error: Unexpected symbol %s on line %d\n", $1, NR); - next; - } - - if (nextstate == "COMMON-CLOSEBRACKET") - { - if ((common_name,$1) in common_perms) - { - printf("Duplicate permission %s for common %s on line %d.\n", $1, common_name, NR); - next; - } - - common_perms[common_name,$1] = permission; - - printf("#define COMMON_%s__%s", toupper(common_name), toupper($1)) > outfile; - - printf(" S_(\"%s\")\n", $1) > cpermfile; - } - else - { - if ((tclass,$1) in av_perms) - { - printf("Duplicate permission %s for %s on line %d.\n", $1, tclass, NR); - next; - } - - av_perms[tclass,$1] = permission; - - printf("#define %s__%s", toupper(tclass), toupper($1)) > outfile; - - printf(" S_(SECCLASS_%s, %s__%s, \"%s\")\n", toupper(tclass), toupper(tclass), toupper($1), $1) > avpermfile; - } - - spaces = 40 - (length($1) + length(tclass)); - if (spaces < 1) - spaces = 1; - - for (i = 0; i < spaces; i++) - printf(" ") > outfile; - printf("0x%08xUL\n", permission) > outfile; - permission = permission * 2; - } -$1 == "}" { - if (nextstate != "CLASS-CLOSEBRACKET" && - nextstate != "COMMON-CLOSEBRACKET") - { - printf("Parse error: Unexpected } on line %d\n", NR); - next; - } - - if (nextstate == "COMMON-CLOSEBRACKET") - { - common_base[common_name] = permission; - printf("TE_(common_%s_perm_to_string)\n\n", common_name) > cpermfile; - } - - printf("\n") > outfile; - - nextstate = "COMMON_OR_AV"; - } -END { - if (nextstate != "COMMON_OR_AV" && nextstate != "CLASS_OR_CLASS-OPENBRACKET") - printf("Parse error: Unexpected end of file\n"); - - }' - -# FLASK diff --git a/tools/flask/policy/policy/flask/mkflask.sh b/tools/flask/policy/policy/flask/mkflask.sh deleted file mode 100644 index e8d8fb5d2c..0000000000 --- a/tools/flask/policy/policy/flask/mkflask.sh +++ /dev/null @@ -1,95 +0,0 @@ -#!/bin/sh - -# - -# FLASK - -set -e - -awk=$1 -shift 1 - -# output file -output_file="include/flask.h" -debug_file="include/class_to_string.h" -debug_file2="include/initial_sid_to_string.h" - -cat $* | $awk " -BEGIN { - outfile = \"$output_file\" - debugfile = \"$debug_file\" - debugfile2 = \"$debug_file2\" - "' - nextstate = "CLASS"; - - printf("/* This file is automatically generated. Do not edit. */\n") > outfile; - - printf("#ifndef _SELINUX_FLASK_H_\n") > outfile; - printf("#define _SELINUX_FLASK_H_\n") > outfile; - printf("\n/*\n * Security object class definitions\n */\n") > outfile; - printf("/* This file is automatically generated. Do not edit. */\n") > debugfile; - printf("/*\n * Security object class definitions\n */\n") > debugfile; - printf(" S_(\"null\")\n") > debugfile; - printf("/* This file is automatically generated. Do not edit. */\n") > debugfile2; - printf("static char *initial_sid_to_string[] =\n{\n") > debugfile2; - printf(" \"null\",\n") > debugfile2; - } -/^[ \t]*#/ { - next; - } -$1 == "class" { - if (nextstate != "CLASS") - { - printf("Parse error: Unexpected class definition on line %d\n", NR); - next; - } - - if ($2 in class_found) - { - printf("Duplicate class definition for %s on line %d.\n", $2, NR); - next; - } - class_found[$2] = 1; - - class_value++; - - printf("#define SECCLASS_%s", toupper($2)) > outfile; - for (i = 0; i < 40 - length($2); i++) - printf(" ") > outfile; - printf("%d\n", class_value) > outfile; - - printf(" S_(\"%s\")\n", $2) > debugfile; - } -$1 == "sid" { - if (nextstate == "CLASS") - { - nextstate = "SID"; - printf("\n/*\n * Security identifier indices for initial entities\n */\n") > outfile; - } - - if ($2 in sid_found) - { - printf("Duplicate SID definition for %s on line %d.\n", $2, NR); - next; - } - sid_found[$2] = 1; - sid_value++; - - printf("#define SECINITSID_%s", toupper($2)) > outfile; - for (i = 0; i < 37 - length($2); i++) - printf(" ") > outfile; - printf("%d\n", sid_value) > outfile; - printf(" \"%s\",\n", $2) > debugfile2; - } -END { - if (nextstate != "SID") - printf("Parse error: Unexpected end of file\n"); - - printf("\n#define SECINITSID_NUM") > outfile; - for (i = 0; i < 34; i++) - printf(" ") > outfile; - printf("%d\n", sid_value) > outfile; - printf("\n#endif\n") > outfile; - printf("};\n\n") > debugfile2; - }' - -# FLASK diff --git a/tools/flask/policy/policy/flask/security_classes b/tools/flask/policy/policy/flask/security_classes deleted file mode 100644 index ef134a7457..0000000000 --- a/tools/flask/policy/policy/flask/security_classes +++ /dev/null @@ -1,21 +0,0 @@ -# FLASK - -# -# Define the security object classes -# - -# Classes marked as userspace are classes -# for userspace object managers - -class xen -class domain -class domain2 -class hvm -class mmu -class resource -class shadow -class event -class grant -class security - -# FLASK diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/access_vectors new file mode 100644 index 0000000000..c7e29abb32 --- /dev/null +++ b/xen/xsm/flask/policy/access_vectors @@ -0,0 +1,178 @@ +# +# Define the access vectors. +# +# class class_name { permission_name ... } + +class xen +{ + scheduler + settime + tbufcontrol + readconsole + clearconsole + perfcontrol + mtrr_add + mtrr_del + mtrr_read + microcode + physinfo + quirk + writeconsole + readapic + writeapic + privprofile + nonprivprofile + kexec + firmware + sleep + frequency + getidle + debug + getcpuinfo + heap + pm_op + mca_op + lockprof + cpupool_op + sched_op +} + +class domain +{ + setvcpucontext + pause + unpause + resume + create + transition + max_vcpus + destroy + setvcpuaffinity + getvcpuaffinity + scheduler + getdomaininfo + getvcpuinfo + getvcpucontext + setdomainmaxmem + setdomainhandle + setdebugging + hypercall + settime + set_target + shutdown + setaddrsize + getaddrsize + trigger + getextvcpucontext + setextvcpucontext + getvcpuextstate + setvcpuextstate + getpodtarget + setpodtarget + set_misc_info + set_virq_handler +} + +class domain2 +{ + relabelfrom + relabelto + relabelself +} + +class hvm +{ + sethvmc + gethvmc + setparam + getparam + pcilevel + irqlevel + pciroute + bind_irq + cacheattr + trackdirtyvram + hvmctl + mem_event + mem_sharing +} + +class event +{ + bind + send + status + notify + create + reset +} + +class grant +{ + map_read + map_write + unmap + transfer + setup + copy + query +} + +class mmu +{ + map_read + map_write + pageinfo + pagelist + adjust + stat + translategp + updatemp + physmap + pinpage + mfnlist + memorymap + remote_remap +} + +class shadow +{ + disable + enable + logdirty +} + +class resource +{ + add + remove + use + add_irq + remove_irq + add_ioport + remove_ioport + add_iomem + remove_iomem + stat_device + add_device + remove_device + plug + unplug + setup +} + +class security +{ + compute_av + compute_create + compute_member + check_context + load_policy + compute_relabel + compute_user + setenforce + setbool + setsecparam + add_ocontext + del_ocontext +} diff --git a/xen/xsm/flask/policy/initial_sids b/xen/xsm/flask/policy/initial_sids new file mode 100644 index 0000000000..e508bde976 --- /dev/null +++ b/xen/xsm/flask/policy/initial_sids @@ -0,0 +1,16 @@ +# FLASK + +# +# Define initial security identifiers +# +sid xen +sid dom0 +sid domio +sid domxen +sid unlabeled +sid security +sid ioport +sid iomem +sid irq +sid device +# FLASK diff --git a/xen/xsm/flask/policy/mkaccess_vector.sh b/xen/xsm/flask/policy/mkaccess_vector.sh new file mode 100644 index 0000000000..8ec87f7b8c --- /dev/null +++ b/xen/xsm/flask/policy/mkaccess_vector.sh @@ -0,0 +1,138 @@ +#!/bin/sh - +# + +# FLASK + +set -e + +awk=$1 +shift + +# output files +av_permissions="include/av_permissions.h" +av_perm_to_string="include/av_perm_to_string.h" + +cat $* | $awk " +BEGIN { + outfile = \"$av_permissions\" + avpermfile = \"$av_perm_to_string\" + "' + nextstate = "COMMON_OR_AV"; + printf("/* This file is automatically generated. Do not edit. */\n") > outfile; + printf("/* This file is automatically generated. Do not edit. */\n") > avpermfile; +; + } +/^[ \t]*#/ { + next; + } +$1 == "class" { + if (nextstate != "COMMON_OR_AV" && + nextstate != "CLASS_OR_CLASS-OPENBRACKET") + { + printf("Parse error: Unexpected class definition on line %d\n", NR); + next; + } + + tclass = $2; + + if (tclass in av_defined) + { + printf("Duplicate access vector definition for %s on line %d\n", tclass, NR); + next; + } + av_defined[tclass] = 1; + + permission = 1; + + nextstate = "INHERITS_OR_CLASS-OPENBRACKET"; + next; + } +$1 == "{" { + if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET" && + nextstate != "CLASS_OR_CLASS-OPENBRACKET" && + nextstate != "COMMON-OPENBRACKET") + { + printf("Parse error: Unexpected { on line %d\n", NR); + next; + } + + if (nextstate == "INHERITS_OR_CLASS-OPENBRACKET") + nextstate = "CLASS-CLOSEBRACKET"; + + if (nextstate == "CLASS_OR_CLASS-OPENBRACKET") + nextstate = "CLASS-CLOSEBRACKET"; + + if (nextstate == "COMMON-OPENBRACKET") + nextstate = "COMMON-CLOSEBRACKET"; + } +/[a-z][a-z_]*/ { + if (nextstate != "COMMON-CLOSEBRACKET" && + nextstate != "CLASS-CLOSEBRACKET") + { + printf("Parse error: Unexpected symbol %s on line %d\n", $1, NR); + next; + } + + if (nextstate == "COMMON-CLOSEBRACKET") + { + if ((common_name,$1) in common_perms) + { + printf("Duplicate permission %s for common %s on line %d.\n", $1, common_name, NR); + next; + } + + common_perms[common_name,$1] = permission; + + printf("#define COMMON_%s__%s", toupper(common_name), toupper($1)) > outfile; + + printf(" S_(\"%s\")\n", $1) > cpermfile; + } + else + { + if ((tclass,$1) in av_perms) + { + printf("Duplicate permission %s for %s on line %d.\n", $1, tclass, NR); + next; + } + + av_perms[tclass,$1] = permission; + + printf("#define %s__%s", toupper(tclass), toupper($1)) > outfile; + + printf(" S_(SECCLASS_%s, %s__%s, \"%s\")\n", toupper(tclass), toupper(tclass), toupper($1), $1) > avpermfile; + } + + spaces = 40 - (length($1) + length(tclass)); + if (spaces < 1) + spaces = 1; + + for (i = 0; i < spaces; i++) + printf(" ") > outfile; + printf("0x%08xUL\n", permission) > outfile; + permission = permission * 2; + } +$1 == "}" { + if (nextstate != "CLASS-CLOSEBRACKET" && + nextstate != "COMMON-CLOSEBRACKET") + { + printf("Parse error: Unexpected } on line %d\n", NR); + next; + } + + if (nextstate == "COMMON-CLOSEBRACKET") + { + common_base[common_name] = permission; + printf("TE_(common_%s_perm_to_string)\n\n", common_name) > cpermfile; + } + + printf("\n") > outfile; + + nextstate = "COMMON_OR_AV"; + } +END { + if (nextstate != "COMMON_OR_AV" && nextstate != "CLASS_OR_CLASS-OPENBRACKET") + printf("Parse error: Unexpected end of file\n"); + + }' + +# FLASK diff --git a/xen/xsm/flask/policy/mkflask.sh b/xen/xsm/flask/policy/mkflask.sh new file mode 100644 index 0000000000..e8d8fb5d2c --- /dev/null +++ b/xen/xsm/flask/policy/mkflask.sh @@ -0,0 +1,95 @@ +#!/bin/sh - +# + +# FLASK + +set -e + +awk=$1 +shift 1 + +# output file +output_file="include/flask.h" +debug_file="include/class_to_string.h" +debug_file2="include/initial_sid_to_string.h" + +cat $* | $awk " +BEGIN { + outfile = \"$output_file\" + debugfile = \"$debug_file\" + debugfile2 = \"$debug_file2\" + "' + nextstate = "CLASS"; + + printf("/* This file is automatically generated. Do not edit. */\n") > outfile; + + printf("#ifndef _SELINUX_FLASK_H_\n") > outfile; + printf("#define _SELINUX_FLASK_H_\n") > outfile; + printf("\n/*\n * Security object class definitions\n */\n") > outfile; + printf("/* This file is automatically generated. Do not edit. */\n") > debugfile; + printf("/*\n * Security object class definitions\n */\n") > debugfile; + printf(" S_(\"null\")\n") > debugfile; + printf("/* This file is automatically generated. Do not edit. */\n") > debugfile2; + printf("static char *initial_sid_to_string[] =\n{\n") > debugfile2; + printf(" \"null\",\n") > debugfile2; + } +/^[ \t]*#/ { + next; + } +$1 == "class" { + if (nextstate != "CLASS") + { + printf("Parse error: Unexpected class definition on line %d\n", NR); + next; + } + + if ($2 in class_found) + { + printf("Duplicate class definition for %s on line %d.\n", $2, NR); + next; + } + class_found[$2] = 1; + + class_value++; + + printf("#define SECCLASS_%s", toupper($2)) > outfile; + for (i = 0; i < 40 - length($2); i++) + printf(" ") > outfile; + printf("%d\n", class_value) > outfile; + + printf(" S_(\"%s\")\n", $2) > debugfile; + } +$1 == "sid" { + if (nextstate == "CLASS") + { + nextstate = "SID"; + printf("\n/*\n * Security identifier indices for initial entities\n */\n") > outfile; + } + + if ($2 in sid_found) + { + printf("Duplicate SID definition for %s on line %d.\n", $2, NR); + next; + } + sid_found[$2] = 1; + sid_value++; + + printf("#define SECINITSID_%s", toupper($2)) > outfile; + for (i = 0; i < 37 - length($2); i++) + printf(" ") > outfile; + printf("%d\n", sid_value) > outfile; + printf(" \"%s\",\n", $2) > debugfile2; + } +END { + if (nextstate != "SID") + printf("Parse error: Unexpected end of file\n"); + + printf("\n#define SECINITSID_NUM") > outfile; + for (i = 0; i < 34; i++) + printf(" ") > outfile; + printf("%d\n", sid_value) > outfile; + printf("\n#endif\n") > outfile; + printf("};\n\n") > debugfile2; + }' + +# FLASK diff --git a/xen/xsm/flask/policy/security_classes b/xen/xsm/flask/policy/security_classes new file mode 100644 index 0000000000..ef134a7457 --- /dev/null +++ b/xen/xsm/flask/policy/security_classes @@ -0,0 +1,21 @@ +# FLASK + +# +# Define the security object classes +# + +# Classes marked as userspace are classes +# for userspace object managers + +class xen +class domain +class domain2 +class hvm +class mmu +class resource +class shadow +class event +class grant +class security + +# FLASK