func addContainerRules(host string, domain *tao.Domain) {
dt := template()
if domain.Config.DomainInfo.GetGuardType() == "Datalog" {
for _, c := range dt.ContainerPaths {
prin, err := makeContainerSubPrin(c)
if err != nil {
continue
}
pt := auth.PrinTail{Ext: prin}
pred := auth.MakePredicate(dt.GetContainerPredicateName(), pt)
err = domain.Guard.AddRule(fmt.Sprint(pred))
options.FailIf(err, "Can't add rule to domain")
}
} else if domain.Config.DomainInfo.GetGuardType() == "ACLs" && host != "" {
prin := makeHostPrin(host)
for _, p := range dt.ContainerPaths {
subprin, err := makeContainerSubPrin(p)
if err != nil {
continue
}
prog := prin.MakeSubprincipal(subprin)
err = domain.Guard.Authorize(prog, "Execute", nil)
options.FailIf(err, "Can't authorize program in domain")
}
}
err := domain.Save()
options.FailIf(err, "Can't save domain")
}
// This function reads in trusted entities from a file at trustedEntitiesPath. In particular,
// this file contains the text representation of a trusted_entities proto message, which contains
// the Tao names of trusted programs and hosts, information about trusted machines and trusted
// machine certificates.
// For each such trusted entity, this function adds ACL rules to the domain guard, and saves
// the changes before returning.
func InitAcls(domain *tao.Domain, trustedEntitiesPath string) error {
text, err := ioutil.ReadFile(trustedEntitiesPath)
if err != nil {
log.Printf("Can't open trusted entities file: %s", trustedEntitiesPath)
return err
}
trustedEntities := TrustedEntities{}
err = proto.UnmarshalText(string(text), &trustedEntities)
if err != nil {
log.Printf("Can't parse trusted entities file: %s", trustedEntitiesPath)
return err
}
for _, programTaoName := range trustedEntities.GetTrustedProgramTaoNames() {
var programPrin auth.Prin
_, err := fmt.Sscanf(programTaoName, "%v", &programPrin)
if err != nil {
log.Printf("Can't create program principal from: %s\nError: %s",
programTaoName, err)
return err
}
err = domain.Guard.Authorize(programPrin, "Execute", []string{})
if err != nil {
log.Printf("Can't authorize principal: %s\nError: %s", programPrin, err)
return err
}
}
for _, hostTaoName := range trustedEntities.GetTrustedHostTaoNames() {
var hostPrin auth.Prin
_, err := fmt.Sscanf(hostTaoName, "%v", &hostPrin)
if err != nil {
log.Printf("Can't create host principal from: %s\nError: %s",
hostTaoName, err)
return err
}
err = domain.Guard.Authorize(hostPrin, "Host", []string{})
if err != nil {
log.Printf("Can't authorize principal: %s\nError: %s", hostPrin, err)
return err
}
}
for _, machineInfo := range trustedEntities.GetTrustedMachineInfos() {
machinePrin := auth.Prin{
Type: "MachineInfo",
KeyHash: auth.Str(machineInfo),
}
err = domain.Guard.Authorize(machinePrin, "Root", []string{})
if err != nil {
log.Printf("Can't authorize principal: %s\nError: %s", machinePrin, err)
return err
}
}
err = domain.Save()
if err != nil {
log.Println("Can't save domain.", err)
}
return err
}
func addHostRules(host string, domain *tao.Domain) {
if host == "" {
return
}
dt := template()
prin := makeHostPrin(host)
pred := auth.MakePredicate(dt.GetHostPredicateName(), prin)
err := domain.Guard.AddRule(fmt.Sprint(pred))
options.FailIf(err, "Can't add rule to domain")
err = domain.Save()
options.FailIf(err, "Can't save domain")
}
func addGuardRules(domain *tao.Domain) {
dt := template()
subprin := domain.Guard.Subprincipal()
pt := auth.PrinTail{Ext: subprin}
pred := auth.Pred{
Name: dt.GetGuardPredicateName(),
Arg: []auth.Term{pt},
}
err := domain.Guard.AddRule(fmt.Sprint(pred))
options.FailIf(err, "Can't add rule to domain")
err = domain.Save()
options.FailIf(err, "Can't save domain")
}
func addExecute(path, host string, domain *tao.Domain) {
prin := makeHostPrin(host)
subprin, err := makeProgramSubPrin(path)
if err == nil {
prog := prin.MakeSubprincipal(subprin)
fmt.Fprintf(noise, "Authorizing program to execute:\n"+
" path: %s\n"+
" host: %s\n"+
" name: %s\n", path, prin, subprin)
err := domain.Guard.Authorize(prog, "Execute", nil)
options.FailIf(err, "Can't authorize program in domain")
err = domain.Save()
options.FailIf(err, "Can't save domain")
}
}
func addLinuxHostRules(domain *tao.Domain) {
dt := template()
for _, c := range dt.LinuxHostPaths {
prin, err := makeLinuxHostSubPrin(c)
if err != nil {
continue
}
pt := auth.PrinTail{Ext: prin}
pred := auth.MakePredicate(dt.GetLinuxHostPredicateName(), pt)
err = domain.Guard.AddRule(fmt.Sprint(pred))
options.FailIf(err, "Can't add rule to domain")
}
// The ACLs need the full name, so that only happens for containers and
// programs.
err := domain.Save()
options.FailIf(err, "Can't save domain")
}
func addTPM2Rules(domain *tao.Domain) {
dt := template()
tpmPath, pcrNums := getTPM2Config()
prin := makeTPM2Prin(tpmPath, pcrNums)
// TrustedOS predicate from PCR principal tail.
prinPCRs := auth.PrinTail{Ext: prin.Ext}
predTrustedOS := auth.MakePredicate(dt.GetOsPredicateName(), prinPCRs)
err := domain.Guard.AddRule(fmt.Sprint(predTrustedOS))
options.FailIf(err, "Can't add rule to domain")
// TrustedTPM predicate from TPM principal.
prin.Ext = nil
predTrustedTPM2 := auth.MakePredicate(dt.GetTpm2PredicateName(), prin)
err = domain.Guard.AddRule(fmt.Sprint(predTrustedTPM2))
options.FailIf(err, "Can't add rule to domain")
err = domain.Save()
options.FailIf(err, "Can't save domain")
}
func addProgramRules(host string, domain *tao.Domain) {
dt := template()
if domain.Config.DomainInfo.GetGuardType() == "Datalog" {
// Add the hashes of any programs given in the template.
for _, p := range dt.ProgramPaths {
prin, err := makeProgramSubPrin(p)
if err != nil {
continue
}
pt := auth.PrinTail{Ext: prin}
pred := auth.MakePredicate(dt.GetProgramPredicateName(), pt)
err = domain.Guard.AddRule(fmt.Sprint(pred))
options.FailIf(err, "Can't add rule to domain")
}
} else if domain.Config.DomainInfo.GetGuardType() == "ACLs" {
addACLPrograms(host, domain)
}
err := domain.Save()
options.FailIf(err, "Can't save domain")
}
