" <SimpleTypeEnforcement>\n" +\
" <SimpleTypeEnforcementTypes>\n" +\
" <Type>SystemManagement</Type>\n" +\
+" <Type>__UNLABELED__</Type>\n" +\
" </SimpleTypeEnforcementTypes>\n" +\
" </SimpleTypeEnforcement>\n" +\
" <ChineseWall>\n" +\
" <Name%s>SystemManagement</Name>\n" +\
" <SimpleTypeEnforcementTypes>\n" +\
" <Type>SystemManagement</Type>\n" +\
+" <Type>__UNLABELED__</Type>\n" +\
+" </SimpleTypeEnforcementTypes>\n" +\
+" <ChineseWallTypes>\n" +\
+" <Type/>\n" +\
+" </ChineseWallTypes>\n" +\
+" </VirtualMachineLabel>\n" +\
+" <VirtualMachineLabel>\n" +\
+" <Name>__UNLABELED__</Name>\n" +\
+" <SimpleTypeEnforcementTypes>\n" +\
+" <Type>__UNLABELED__</Type>\n" +\
" </SimpleTypeEnforcementTypes>\n" +\
" <ChineseWallTypes>\n" +\
" <Type/>\n" +\
" </ChineseWallTypes>\n" +\
" </VirtualMachineLabel>\n" +\
" </SubjectLabels>\n" +\
+" <ObjectLabels>\n" +\
+" <ResourceLabel>\n" +\
+" <Name>__UNLABELED__</Name>\n" +\
+" <SimpleTypeEnforcementTypes>\n" +\
+" <Type>__UNLABELED__</Type>\n" +\
+" </SimpleTypeEnforcementTypes>\n" +\
+" </ResourceLabel>\n" +\
+" </ObjectLabels>\n" +\
" </SecurityLabelTemplate>\n" +\
"</SecurityPolicyDefinition>\n"
"""
Determine whether this is the default policy
"""
- default = ['SystemManagement']
+ default = ['SystemManagement', ACM_LABEL_UNLABELED ]
if self.policy_get_virtualmachinelabel_names() == default and \
self.policy_get_bootstrap_vmlabel() == default[0] and \
self.policy_get_stetypes_types() == default and \
self.policy_get_stes_of_vmlabel(default[0]) == default and \
- self.policy_get_resourcelabel_names() == [] and \
- self.policy_get_chwall_types() == default and \
+ self.policy_get_stes_of_vmlabel(default[1]) == [default[1]] and \
+ self.policy_get_resourcelabel_names() == [default[1]] and \
+ self.policy_get_chwall_types() == [ default[0] ] and \
self.get_name() == "DEFAULT":
return True
return False
static int chwall_is_default_policy(void)
{
- return ( (chwall_bin_pol.max_types == 1 ) &&
- (chwall_bin_pol.max_ssidrefs == 2 ) );
+ static const domaintype_t def_policy[2] = { 0x0, 0x0 };
+ return ( ( chwall_bin_pol.max_types == 1 ) &&
+ ( chwall_bin_pol.max_ssidrefs == 2 ) &&
+ ( memcmp(chwall_bin_pol.ssidrefs,
+ def_policy,
+ sizeof(def_policy)) == 0 ) );
}
int acm_init_ste_policy(void)
{
/* minimal startup policy; policy write-locked already */
- ste_bin_pol.max_types = 1;
+ ste_bin_pol.max_types = 2;
ste_bin_pol.max_ssidrefs = 1 + dom0_ste_ssidref;
ste_bin_pol.ssidrefs =
(domaintype_t *)xmalloc_array(domaintype_t,
ste_bin_pol.max_ssidrefs);
/* initialize state so that dom0 can start up and communicate with itself */
+ ste_bin_pol.ssidrefs[ste_bin_pol.max_types - 1 ] = 1;
ste_bin_pol.ssidrefs[ste_bin_pol.max_types * dom0_ste_ssidref] = 1;
+ ste_bin_pol.ssidrefs[ste_bin_pol.max_types * dom0_ste_ssidref + 1] = 1;
/* init stats */
atomic_set(&(ste_bin_pol.ec_eval_count), 0);
static int
ste_is_default_policy(void)
{
- return ((ste_bin_pol.max_types == 1) &&
- (ste_bin_pol.max_ssidrefs == 2));
+ const static domaintype_t def_policy[4] = { 0x0, 0x1, 0x1, 0x1};
+ return ((ste_bin_pol.max_types == 2) &&
+ (ste_bin_pol.max_ssidrefs == 2) &&
+ (memcmp(ste_bin_pol.ssidrefs,
+ def_policy,
+ sizeof(def_policy)) == 0));
}
/* now define the hook structure similarly to LSM */