acm: Modify the default ACM boot policy so that unlabeled domains can always start
authorKeir Fraser <keir.fraser@citrix.com>
Fri, 4 Apr 2008 11:59:28 +0000 (12:59 +0100)
committerKeir Fraser <keir.fraser@citrix.com>
Fri, 4 Apr 2008 11:59:28 +0000 (12:59 +0100)
I am modifying the xen- and xend-internal default policy so that
unlabeled domains can always start. A more restrictive security policy
can then be set on top of that policy.

Signed-off-by: Stefan Beger <stefanb@us.ibm.com>
tools/python/xen/util/acmpolicy.py
tools/security/Makefile
xen/xsm/acm/acm_chinesewall_hooks.c
xen/xsm/acm/acm_simple_type_enforcement_hooks.c

index ef31734ad3fe9d1aff399123ad44f1529de0ff74..89ee983600c403a0775b8bde007a3133cbdf8441 100644 (file)
@@ -76,6 +76,7 @@ DEFAULT_policy = \
 "  <SimpleTypeEnforcement>\n" +\
 "    <SimpleTypeEnforcementTypes>\n" +\
 "      <Type>SystemManagement</Type>\n" +\
+"      <Type>__UNLABELED__</Type>\n" +\
 "    </SimpleTypeEnforcementTypes>\n" +\
 "  </SimpleTypeEnforcement>\n" +\
 "  <ChineseWall>\n" +\
@@ -89,12 +90,30 @@ DEFAULT_policy = \
 "        <Name%s>SystemManagement</Name>\n" +\
 "        <SimpleTypeEnforcementTypes>\n" +\
 "          <Type>SystemManagement</Type>\n" +\
+"          <Type>__UNLABELED__</Type>\n" +\
+"        </SimpleTypeEnforcementTypes>\n" +\
+"        <ChineseWallTypes>\n" +\
+"          <Type/>\n" +\
+"        </ChineseWallTypes>\n" +\
+"      </VirtualMachineLabel>\n" +\
+"      <VirtualMachineLabel>\n" +\
+"        <Name>__UNLABELED__</Name>\n" +\
+"        <SimpleTypeEnforcementTypes>\n" +\
+"          <Type>__UNLABELED__</Type>\n" +\
 "        </SimpleTypeEnforcementTypes>\n" +\
 "        <ChineseWallTypes>\n" +\
 "          <Type/>\n" +\
 "        </ChineseWallTypes>\n" +\
 "      </VirtualMachineLabel>\n" +\
 "    </SubjectLabels>\n" +\
+"    <ObjectLabels>\n" +\
+"      <ResourceLabel>\n" +\
+"        <Name>__UNLABELED__</Name>\n" +\
+"        <SimpleTypeEnforcementTypes>\n" +\
+"          <Type>__UNLABELED__</Type>\n" +\
+"        </SimpleTypeEnforcementTypes>\n" +\
+"      </ResourceLabel>\n" +\
+"    </ObjectLabels>\n" +\
 "  </SecurityLabelTemplate>\n" +\
 "</SecurityPolicyDefinition>\n"
 
@@ -231,13 +250,14 @@ class ACMPolicy(XSPolicy):
         """
            Determine whether this is the default policy
         """
-        default = ['SystemManagement']
+        default = ['SystemManagement', ACM_LABEL_UNLABELED ]
         if self.policy_get_virtualmachinelabel_names() == default and \
            self.policy_get_bootstrap_vmlabel() == default[0] and \
            self.policy_get_stetypes_types() == default and \
            self.policy_get_stes_of_vmlabel(default[0]) == default and \
-           self.policy_get_resourcelabel_names() == [] and \
-           self.policy_get_chwall_types() == default and \
+           self.policy_get_stes_of_vmlabel(default[1]) == [default[1]] and \
+           self.policy_get_resourcelabel_names() == [default[1]] and \
+           self.policy_get_chwall_types() == [ default[0] ] and \
            self.get_name() == "DEFAULT":
             return True
         return False
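Review bot: The new is_default_policy conjuncts encode the default policy's structure by list position — `default[0]` is the bootstrap/SystemManagement label and `default[1]` the unlabeled one — and they compare whole lists, so any policy_get_* helper that returns the same labels in a different order makes an otherwise-default policy read as non-default; if those helpers do not guarantee order (not visible here), compare `sorted(...)` on both sides. The DEFAULT_policy template in the earlier hunks spells the label as the literal `"__UNLABELED__"` while this check uses `ACM_LABEL_UNLABELED`, so the two can drift apart silently; a comment such as `# must match the literal __UNLABELED__ entries in DEFAULT_policy above` on the `default = [...]` line would at least tie them together. The enclosing method's signature lies above this hunk.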
index 81da0194851d15cbd420e3b902e609e84aa80e8a..61062715a26578d5506cbdab5a2ffc6c1196644a 100644 (file)
@@ -32,7 +32,7 @@ ACM_SECGEN_CGIDIR = $(ACM_SECGEN_HTMLDIR)/cgi-bin
 
 ACM_SCHEMA        = security_policy.xsd
 ACM_EXAMPLES      = client_v1 test
-ACM_DEF_POLICIES  = DEFAULT-UL
+ACM_DEF_POLICIES  =
 ACM_POLICY_SUFFIX = security_policy.xml
 
 ifeq ($(ACM_SECURITY),y)
index 65e60e7cb480d76e582575187a4e29257e6850d7..977c45ff2a34cc4d33d85d8290e02720db65f82e 100644 (file)
@@ -637,8 +637,12 @@ static void chwall_domain_destroy(void *object_ssid, struct domain *d)
 
 static int chwall_is_default_policy(void)
 {
-    return ( (chwall_bin_pol.max_types    == 1 ) &&
-             (chwall_bin_pol.max_ssidrefs == 2 ) );
+    static const domaintype_t def_policy[2] = { 0x0, 0x0 };
+    return ( ( chwall_bin_pol.max_types    == 1 ) &&
+             ( chwall_bin_pol.max_ssidrefs == 2 ) &&
+             ( memcmp(chwall_bin_pol.ssidrefs,
+                      def_policy,
+                      sizeof(def_policy)) == 0 ) );
 }
 
 
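Review bot: The memcmp in chwall_is_default_policy reads `sizeof(def_policy)` bytes from chwall_bin_pol.ssidrefs, and that bound is only correct because the two preceding conjuncts have pinned max_types to 1 and max_ssidrefs to 2 (1 × 2 entries); nothing in the code states that dependency, so a future reorder of the conjuncts or a change of the table shape would turn it into an over-read. Suggest a comment above the array, `/* 1 type x 2 ssidrefs; memcmp length relies on the two size checks being evaluated first */`. If ssidrefs can be NULL while those counts hold (not visible in this hunk), a NULL check belongs before the memcmp as well.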
index 01eae51bb2902cced570b3e9c8dcc6288986085b..2810597c39c5c82a266956ae6105bc0169c029e8 100644 (file)
@@ -108,7 +108,7 @@ static int share_common_type(struct domain *subj, struct domain *obj)
 int acm_init_ste_policy(void)
 {
     /* minimal startup policy; policy write-locked already */
-    ste_bin_pol.max_types = 1;
+    ste_bin_pol.max_types = 2;
     ste_bin_pol.max_ssidrefs = 1 + dom0_ste_ssidref;
     ste_bin_pol.ssidrefs =
             (domaintype_t *)xmalloc_array(domaintype_t,
@@ -123,7 +123,9 @@ int acm_init_ste_policy(void)
                                     ste_bin_pol.max_ssidrefs);
 
     /* initialize state so that dom0 can start up and communicate with itself */
+    ste_bin_pol.ssidrefs[ste_bin_pol.max_types - 1 ] = 1;
     ste_bin_pol.ssidrefs[ste_bin_pol.max_types * dom0_ste_ssidref] = 1;
+    ste_bin_pol.ssidrefs[ste_bin_pol.max_types * dom0_ste_ssidref + 1] = 1;
 
     /* init stats */
     atomic_set(&(ste_bin_pol.ec_eval_count), 0);
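Review bot: The comment `/* initialize state so that dom0 can start up and communicate with itself */` no longer describes the block: the two added writes also give row 0 (ssidref 0) the last type and give dom0's row that same type, so ssidref-0 domains now share a type with dom0 and, via share_common_type, are presumably authorized to communicate with it — which is the commit's intent, but the comment should say so, e.g. `/* dom0 holds types 0 and 1; ssidref 0 (unlabeled) holds type 1, so unlabeled domains share a type with dom0 */` (the type-index meaning is inferred from the xend template order and should be confirmed). The three index expressions mix `max_types - 1` and a literal `+ 1` for what is apparently the same column; using one form, e.g. `ste_bin_pol.max_types * dom0_ste_ssidref + (ste_bin_pol.max_types - 1)`, keeps them in step if max_types changes again, and the later ste_is_default_policy hunk hard-codes `def_policy[4] = { 0x0, 0x1, 0x1, 0x1 }` to the same layout, so a comment there pointing back here is worthwhile (that hunk also writes `const static`, where `static const` matches the chwall hook and avoids the obsolescent specifier order). acm_init_ste_policy continues past the end of this hunk.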
@@ -868,8 +870,12 @@ ste_authorization(ssidref_t ssidref1, ssidref_t ssidref2)
 static int
 ste_is_default_policy(void)
 {
-    return ((ste_bin_pol.max_types    == 1) &&
-            (ste_bin_pol.max_ssidrefs == 2));
+    const static domaintype_t def_policy[4] = { 0x0, 0x1, 0x1, 0x1};
+    return ((ste_bin_pol.max_types    == 2) &&
+            (ste_bin_pol.max_ssidrefs == 2) &&
+            (memcmp(ste_bin_pol.ssidrefs,
+                    def_policy,
+                    sizeof(def_policy)) == 0));
 }
 
 /* now define the hook structure similarly to LSM */