Example #1
0
func addContainerRules(host string, domain *tao.Domain) {
	dt := template()
	if domain.Config.DomainInfo.GetGuardType() == "Datalog" {
		for _, c := range dt.ContainerPaths {
			prin, err := makeContainerSubPrin(c)
			if err != nil {
				continue
			}
			pt := auth.PrinTail{Ext: prin}
			pred := auth.MakePredicate(dt.GetContainerPredicateName(), pt)
			err = domain.Guard.AddRule(fmt.Sprint(pred))
			options.FailIf(err, "Can't add rule to domain")
		}
	} else if domain.Config.DomainInfo.GetGuardType() == "ACLs" && host != "" {
		prin := makeHostPrin(host)
		for _, p := range dt.ContainerPaths {
			subprin, err := makeContainerSubPrin(p)
			if err != nil {
				continue
			}
			prog := prin.MakeSubprincipal(subprin)
			err = domain.Guard.Authorize(prog, "Execute", nil)
			options.FailIf(err, "Can't authorize program in domain")
		}
	}
	err := domain.Save()
	options.FailIf(err, "Can't save domain")
}
func makeDatalogGuard() (*DatalogGuard, *Keys, string, error) {
	tmpdir, err := ioutil.TempDir("", "test_datalog_guard")
	if err != nil {
		return nil, nil, "",
			fmt.Errorf("Couldn't get a temp directory for the datalog guard test")
	}
	keys, err := NewTemporaryKeys(Signing)
	if err != nil {
		return nil, nil, "", err
	}
	g, err := NewDatalogGuardFromConfig(keys.VerifyingKey, DatalogGuardDetails{
		SignedRulesPath: proto.String(tmpdir + "/rules"),
	})
	if err != nil {
		return nil, nil, "", err
	}

	// Add a bogus rule.
	bogusOSString := `ext.PCRs("17, 18", "000, 000")`
	var prin auth.PrinTail
	fmt.Sscanf(bogusOSString, "%s", &prin)
	pred := auth.MakePredicate("BogusTPM", prin)
	if err = g.AddRule(fmt.Sprint(pred)); err != nil {
		return nil, nil, "", err
	}
	return g, keys, tmpdir, nil
}
Example #3
0
func makeDatalogPredicate(p auth.Prin, op string, args []string) auth.Pred {
	a := []interface{}{p, op}
	for _, s := range args {
		a = append(a, s)
	}
	return auth.MakePredicate("Authorized", a...)
}
Example #4
0
// This function returns a secret disclosure directive signed by key with the statement:
// 'delegator says delegate predicate protectedObjectId'.
func CreateSecretDisclosureDirective(key *tao.Keys, delegator, delegate *auth.Prin,
	predicate string, protectedObjId *po.ObjectIdMessage) (*DirectiveMessage, error) {

	// Construct serialized 'says' statement.
	serializedObjId, err := proto.Marshal(protectedObjId)
	if err != nil {
		return nil, err
	}
	pred := auth.MakePredicate(predicate, *delegate, serializedObjId)
	statement := auth.Says{
		Speaker:    *delegator,
		Time:       nil, // TODO: For now, time and exp not implemented.
		Expiration: nil,
		Message:    pred,
	}
	serializedStatement := auth.Marshal(statement)

	// Sign serialized statement.
	signature, err := key.SigningKey.Sign(serializedStatement, SigningContext)
	if err != nil {
		return nil, err
	}

	// Construct and return directive.
	directive := &DirectiveMessage{
		Type:                DirectiveMessage_SECRET_DISCLOSURE.Enum(),
		SerializedStatement: serializedStatement,
		Signature:           signature,
		Signer:              auth.Marshal(key.SigningKey.ToPrincipal()),
		Cert:                key.Cert.Raw,
	}
	return directive, nil
}
Example #5
0
func addTPM2Rules(domain *tao.Domain) {
	dt := template()
	tpmPath, pcrNums := getTPM2Config()
	prin := makeTPM2Prin(tpmPath, pcrNums)

	// TrustedOS predicate from PCR principal tail.
	prinPCRs := auth.PrinTail{Ext: prin.Ext}
	predTrustedOS := auth.MakePredicate(dt.GetOsPredicateName(), prinPCRs)
	err := domain.Guard.AddRule(fmt.Sprint(predTrustedOS))
	options.FailIf(err, "Can't add rule to domain")

	// TrustedTPM predicate from TPM principal.
	prin.Ext = nil
	predTrustedTPM2 := auth.MakePredicate(dt.GetTpm2PredicateName(), prin)
	err = domain.Guard.AddRule(fmt.Sprint(predTrustedTPM2))
	options.FailIf(err, "Can't add rule to domain")

	err = domain.Save()
	options.FailIf(err, "Can't save domain")
}
Example #6
0
func addHostRules(host string, domain *tao.Domain) {
	if host == "" {
		return
	}
	dt := template()
	prin := makeHostPrin(host)
	pred := auth.MakePredicate(dt.GetHostPredicateName(), prin)
	err := domain.Guard.AddRule(fmt.Sprint(pred))
	options.FailIf(err, "Can't add rule to domain")
	err = domain.Save()
	options.FailIf(err, "Can't save domain")
}
Example #7
0
func formula(v interface{}, p *auth.Prin, key string, prefix ...string) auth.Form {
	if m, ok := v.(Manifest); ok {
		return m.Formula(p, append([]string{key}, prefix...)...)
	}
	var args []interface{}
	// Manifest(p, prefix1, prefix2, prefix3, ..., key, v)
	args = append(args, p)
	for _, s := range prefix {
		args = append(args, s)
	}
	args = append(args, key)
	args = append(args, v)
	return auth.MakePredicate("Manifest", args...)
}
Example #8
0
func addLinuxHostRules(domain *tao.Domain) {
	dt := template()
	for _, c := range dt.LinuxHostPaths {
		prin, err := makeLinuxHostSubPrin(c)
		if err != nil {
			continue
		}
		pt := auth.PrinTail{Ext: prin}
		pred := auth.MakePredicate(dt.GetLinuxHostPredicateName(), pt)
		err = domain.Guard.AddRule(fmt.Sprint(pred))
		options.FailIf(err, "Can't add rule to domain")
	}
	// The ACLs need the full name, so that only happens for containers and
	// programs.
	err := domain.Save()
	options.FailIf(err, "Can't save domain")
}
Example #9
0
func addProgramRules(host string, domain *tao.Domain) {
	dt := template()
	if domain.Config.DomainInfo.GetGuardType() == "Datalog" {
		// Add the hashes of any programs given in the template.
		for _, p := range dt.ProgramPaths {
			prin, err := makeProgramSubPrin(p)
			if err != nil {
				continue
			}
			pt := auth.PrinTail{Ext: prin}
			pred := auth.MakePredicate(dt.GetProgramPredicateName(), pt)
			err = domain.Guard.AddRule(fmt.Sprint(pred))
			options.FailIf(err, "Can't add rule to domain")
		}
	} else if domain.Config.DomainInfo.GetGuardType() == "ACLs" {
		addACLPrograms(host, domain)
	}
	err := domain.Save()
	options.FailIf(err, "Can't save domain")
}