debuggers.hg

view tools/security/policies/example/client_v1-security_policy.xml @ 0:7d21f7218375

Exact replica of unstable on 051908 + README-this
author Mukesh Rathor
date Mon May 19 15:34:57 2008 -0700 (2008-05-19)
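<?xml version="1.0" encoding="UTF-8"?>
<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com -->
<!-- This file defines the security policies that can be enforced by  -->
<!-- the Xen Access Control Module (ACM).                             -->
<!-- Currently: Chinese Wall and Simple Type Enforcement.             -->
<!--                                                                  -->
<!-- NOTE(review): xsi:schemaLocation on the root element is only a   -->
<!-- relative-path hint. Tooling that validates or loads this policy  -->
<!-- should take security_policy.xsd from a trusted location and not  -->
<!-- from whatever path a policy file names.                          -->
<SecurityPolicyDefinition xmlns="http://www.ibm.com"
                          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                          xsi:schemaLocation="http://www.ibm.com ../../security_policy.xsd ">
  <PolicyHeader>
    <PolicyName>example.client_v1</PolicyName>
    <PolicyUrl>www.ibm.com/example/client_v1</PolicyUrl>
    <Date>2006-03-31</Date>
    <Version>1.0</Version>
  </PolicyHeader>

  <!-- Example of a simple type enforcement (STE) policy definition. -->
  <!-- Every ste_ type referenced by a label further down is         -->
  <!-- declared here.                                                -->
  <SimpleTypeEnforcement>
    <SimpleTypeEnforcementTypes>
      <Type>ste_SystemManagement</Type><!-- machine/security management -->
      <Type>ste_PersonalFinances</Type><!-- personal finances -->
      <Type>ste_InternetInsecure</Type><!-- games, active X, etc. -->
      <Type>ste_DonatedCycles</Type><!-- donation to BOINC/seti@home -->
      <Type>ste_PersistentStorageA</Type><!-- domain managing the harddrive A -->
      <Type>ste_NetworkAdapter0</Type><!-- type of the domain managing ethernet adapter 0 -->
    </SimpleTypeEnforcementTypes>
  </SimpleTypeEnforcement>

  <!-- Example of a Chinese Wall type definition along with its      -->
  <!-- conflict sets. Types in a conflict set are exclusive, i.e.    -->
  <!-- once a Domain with one type of a set is running, no other     -->
  <!-- Domain with another type of the same conflict set can start.  -->
  <ChineseWall priority="PrimaryPolicyComponent">
    <ChineseWallTypes>
      <Type>cw_SystemManagement</Type>
      <Type>cw_Sensitive</Type>
      <Type>cw_Isolated</Type>
      <Type>cw_Distrusted</Type>
    </ChineseWallTypes>

    <!-- Only cw_Sensitive and cw_Distrusted are listed in a conflict -->
    <!-- set. cw_SystemManagement and cw_Isolated are in none, so     -->
    <!-- this component does not keep domains of those types from     -->
    <!-- running next to any other domain.                            -->
    <ConflictSets>
      <Conflict name="Protection1">
        <Type>cw_Sensitive</Type>
        <Type>cw_Distrusted</Type>
      </Conflict>
    </ConflictSets>
  </ChineseWall>

  <SecurityLabelTemplate>
    <!-- The bootstrap attribute names the "SystemManagement" label   -->
    <!-- defined below; the bootstrap label is assigned to Dom0.      -->
    <SubjectLabels bootstrap="SystemManagement">
      <!-- Domains with a single ste type.                            -->
      <!-- ACM enforces that only domains with the same type can      -->
      <!-- share information.                                         -->
      <VirtualMachineLabel>
        <!-- cw_Sensitive is in conflict set Protection1 together     -->
        <!-- with cw_Distrusted, so this domain and dom_Fun cannot    -->
        <!-- run at the same time.                                    -->
        <Name>dom_HomeBanking</Name>
        <SimpleTypeEnforcementTypes>
          <Type>ste_PersonalFinances</Type>
        </SimpleTypeEnforcementTypes>

        <ChineseWallTypes>
          <Type>cw_Sensitive</Type>
        </ChineseWallTypes>
      </VirtualMachineLabel>

      <VirtualMachineLabel>
        <Name>dom_Fun</Name>
        <SimpleTypeEnforcementTypes>
          <Type>ste_InternetInsecure</Type>
        </SimpleTypeEnforcementTypes>

        <ChineseWallTypes>
          <Type>cw_Distrusted</Type>
        </ChineseWallTypes>
      </VirtualMachineLabel>

      <VirtualMachineLabel>
        <!-- Donating some cycles to seti@home.                       -->
        <!-- cw_Isolated is in no conflict set, so the Chinese Wall   -->
        <!-- component lets this domain run beside dom_HomeBanking    -->
        <!-- and dom_Fun; its separation from them comes from the     -->
        <!-- STE type alone.                                          -->
        <Name>dom_BoincClient</Name>
        <SimpleTypeEnforcementTypes>
          <Type>ste_DonatedCycles</Type>
        </SimpleTypeEnforcementTypes>

        <ChineseWallTypes>
          <Type>cw_Isolated</Type>
        </ChineseWallTypes>
      </VirtualMachineLabel>

      <!-- Domains that carry multiple ste types; such domains must   -->
      <!-- keep the types inside their domain safely confined.        -->
      <VirtualMachineLabel>
        <Name>SystemManagement</Name>
        <SimpleTypeEnforcementTypes>
          <!-- Since dom0 needs access to every domain and resource   -->
          <!-- right now ...                                          -->
          <!-- NOTE(review): this label carries every STE type        -->
          <!-- declared in this file, so STE does not restrict what   -->
          <!-- the management domain can share with. Separation of    -->
          <!-- the other domains therefore depends on this domain     -->
          <!-- keeping the types apart internally.                    -->
          <Type>ste_SystemManagement</Type>
          <Type>ste_PersonalFinances</Type>
          <Type>ste_InternetInsecure</Type>
          <Type>ste_DonatedCycles</Type>
          <Type>ste_PersistentStorageA</Type>
          <Type>ste_NetworkAdapter0</Type>
        </SimpleTypeEnforcementTypes>

        <ChineseWallTypes>
          <Type>cw_SystemManagement</Type>
        </ChineseWallTypes>
      </VirtualMachineLabel>

      <VirtualMachineLabel>
        <!-- Serves persistent storage to other domains.              -->
        <!-- It carries both ste_PersonalFinances and                 -->
        <!-- ste_InternetInsecure, so it is a place where those two   -->
        <!-- workloads meet and it must keep them confined itself.    -->
        <!-- ste_DonatedCycles is not listed, so dom_BoincClient      -->
        <!-- shares no type with this domain.                         -->
        <Name>dom_StorageDomain</Name>
        <SimpleTypeEnforcementTypes>
          <!-- access right to the resource (hard drive a) -->
          <Type>ste_PersistentStorageA</Type>
          <!-- can serve following types -->
          <Type>ste_PersonalFinances</Type>
          <Type>ste_InternetInsecure</Type>
        </SimpleTypeEnforcementTypes>

        <ChineseWallTypes>
          <Type>cw_SystemManagement</Type>
        </ChineseWallTypes>
      </VirtualMachineLabel>

      <VirtualMachineLabel>
        <!-- Serves network access to other domains.                  -->
        <!-- It carries three workload types at once and must keep    -->
        <!-- them confined itself, like the storage domain.           -->
        <Name>dom_NetworkDomain</Name>
        <SimpleTypeEnforcementTypes>
          <!-- access right to the resource (ethernet card) -->
          <Type>ste_NetworkAdapter0</Type>
          <!-- can serve following types -->
          <Type>ste_PersonalFinances</Type>
          <Type>ste_InternetInsecure</Type>
          <Type>ste_DonatedCycles</Type>
        </SimpleTypeEnforcementTypes>

        <ChineseWallTypes>
          <Type>cw_SystemManagement</Type>
        </ChineseWallTypes>
      </VirtualMachineLabel>
    </SubjectLabels>

    <!-- Resource labels. Each one carries a single STE type and no   -->
    <!-- Chinese Wall type.                                           -->
    <ObjectLabels>
      <ResourceLabel>
        <Name>res_ManagementResource</Name>
        <SimpleTypeEnforcementTypes>
          <Type>ste_SystemManagement</Type>
        </SimpleTypeEnforcementTypes>
      </ResourceLabel>

      <!-- The whole drive has the storage type; the partitions       -->
      <!-- below are labelled per workload.                           -->
      <ResourceLabel>
        <Name>res_HardDrive(hda)</Name>
        <SimpleTypeEnforcementTypes>
          <Type>ste_PersistentStorageA</Type>
        </SimpleTypeEnforcementTypes>
      </ResourceLabel>

      <ResourceLabel>
        <Name>res_LogicalDiskPartition1(hda1)</Name>
        <SimpleTypeEnforcementTypes>
          <Type>ste_PersonalFinances</Type>
        </SimpleTypeEnforcementTypes>
      </ResourceLabel>

      <ResourceLabel>
        <Name>res_LogicalDiskPartition2(hda2)</Name>
        <SimpleTypeEnforcementTypes>
          <Type>ste_InternetInsecure</Type>
        </SimpleTypeEnforcementTypes>
      </ResourceLabel>

      <ResourceLabel>
        <Name>res_EthernetCard</Name>
        <SimpleTypeEnforcementTypes>
          <Type>ste_NetworkAdapter0</Type>
        </SimpleTypeEnforcementTypes>
      </ResourceLabel>

      <ResourceLabel>
        <Name>res_SecurityToken</Name>
        <SimpleTypeEnforcementTypes>
          <Type>ste_PersonalFinances</Type>
        </SimpleTypeEnforcementTypes>
      </ResourceLabel>

      <ResourceLabel>
        <Name>res_GraphicsAdapter</Name>
        <SimpleTypeEnforcementTypes>
          <Type>ste_SystemManagement</Type>
        </SimpleTypeEnforcementTypes>
      </ResourceLabel>
    </ObjectLabels>
  </SecurityLabelTemplate>
</SecurityPolicyDefinition>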