func addContainerRules(host string, domain *tao.Domain) {
dt := template()
if domain.Config.DomainInfo.GetGuardType() == "Datalog" {
for _, c := range dt.ContainerPaths {
prin, err := makeContainerSubPrin(c)
if err != nil {
continue
}
pt := auth.PrinTail{Ext: prin}
pred := auth.MakePredicate(dt.GetContainerPredicateName(), pt)
err = domain.Guard.AddRule(fmt.Sprint(pred))
options.FailIf(err, "Can't add rule to domain")
}
} else if domain.Config.DomainInfo.GetGuardType() == "ACLs" && host != "" {
prin := makeHostPrin(host)
for _, p := range dt.ContainerPaths {
subprin, err := makeContainerSubPrin(p)
if err != nil {
continue
}
prog := prin.MakeSubprincipal(subprin)
err = domain.Guard.Authorize(prog, "Execute", nil)
options.FailIf(err, "Can't authorize program in domain")
}
}
err := domain.Save()
options.FailIf(err, "Can't save domain")
}
func makeDatalogGuard() (*DatalogGuard, *Keys, string, error) {
tmpdir, err := ioutil.TempDir("", "test_datalog_guard")
if err != nil {
return nil, nil, "",
fmt.Errorf("Couldn't get a temp directory for the datalog guard test")
}
keys, err := NewTemporaryKeys(Signing)
if err != nil {
return nil, nil, "", err
}
g, err := NewDatalogGuardFromConfig(keys.VerifyingKey, DatalogGuardDetails{
SignedRulesPath: proto.String(tmpdir + "/rules"),
})
if err != nil {
return nil, nil, "", err
}
// Add a bogus rule.
bogusOSString := `ext.PCRs("17, 18", "000, 000")`
var prin auth.PrinTail
fmt.Sscanf(bogusOSString, "%s", &prin)
pred := auth.MakePredicate("BogusTPM", prin)
if err = g.AddRule(fmt.Sprint(pred)); err != nil {
return nil, nil, "", err
}
return g, keys, tmpdir, nil
}
func makeDatalogPredicate(p auth.Prin, op string, args []string) auth.Pred {
a := []interface{}{p, op}
for _, s := range args {
a = append(a, s)
}
return auth.MakePredicate("Authorized", a...)
}
// This function returns a secret disclosure directive signed by key with the statement:
// 'delegator says delegate predicate protectedObjectId'.
func CreateSecretDisclosureDirective(key *tao.Keys, delegator, delegate *auth.Prin,
predicate string, protectedObjId *po.ObjectIdMessage) (*DirectiveMessage, error) {
// Construct serialized 'says' statement.
serializedObjId, err := proto.Marshal(protectedObjId)
if err != nil {
return nil, err
}
pred := auth.MakePredicate(predicate, *delegate, serializedObjId)
statement := auth.Says{
Speaker: *delegator,
Time: nil, // TODO: For now, time and exp not implemented.
Expiration: nil,
Message: pred,
}
serializedStatement := auth.Marshal(statement)
// Sign serialized statement.
signature, err := key.SigningKey.Sign(serializedStatement, SigningContext)
if err != nil {
return nil, err
}
// Construct and return directive.
directive := &DirectiveMessage{
Type: DirectiveMessage_SECRET_DISCLOSURE.Enum(),
SerializedStatement: serializedStatement,
Signature: signature,
Signer: auth.Marshal(key.SigningKey.ToPrincipal()),
Cert: key.Cert.Raw,
}
return directive, nil
}
func addTPM2Rules(domain *tao.Domain) {
dt := template()
tpmPath, pcrNums := getTPM2Config()
prin := makeTPM2Prin(tpmPath, pcrNums)
// TrustedOS predicate from PCR principal tail.
prinPCRs := auth.PrinTail{Ext: prin.Ext}
predTrustedOS := auth.MakePredicate(dt.GetOsPredicateName(), prinPCRs)
err := domain.Guard.AddRule(fmt.Sprint(predTrustedOS))
options.FailIf(err, "Can't add rule to domain")
// TrustedTPM predicate from TPM principal.
prin.Ext = nil
predTrustedTPM2 := auth.MakePredicate(dt.GetTpm2PredicateName(), prin)
err = domain.Guard.AddRule(fmt.Sprint(predTrustedTPM2))
options.FailIf(err, "Can't add rule to domain")
err = domain.Save()
options.FailIf(err, "Can't save domain")
}
func addHostRules(host string, domain *tao.Domain) {
if host == "" {
return
}
dt := template()
prin := makeHostPrin(host)
pred := auth.MakePredicate(dt.GetHostPredicateName(), prin)
err := domain.Guard.AddRule(fmt.Sprint(pred))
options.FailIf(err, "Can't add rule to domain")
err = domain.Save()
options.FailIf(err, "Can't save domain")
}
func formula(v interface{}, p *auth.Prin, key string, prefix ...string) auth.Form {
if m, ok := v.(Manifest); ok {
return m.Formula(p, append([]string{key}, prefix...)...)
}
var args []interface{}
// Manifest(p, prefix1, prefix2, prefix3, ..., key, v)
args = append(args, p)
for _, s := range prefix {
args = append(args, s)
}
args = append(args, key)
args = append(args, v)
return auth.MakePredicate("Manifest", args...)
}
func addLinuxHostRules(domain *tao.Domain) {
dt := template()
for _, c := range dt.LinuxHostPaths {
prin, err := makeLinuxHostSubPrin(c)
if err != nil {
continue
}
pt := auth.PrinTail{Ext: prin}
pred := auth.MakePredicate(dt.GetLinuxHostPredicateName(), pt)
err = domain.Guard.AddRule(fmt.Sprint(pred))
options.FailIf(err, "Can't add rule to domain")
}
// The ACLs need the full name, so that only happens for containers and
// programs.
err := domain.Save()
options.FailIf(err, "Can't save domain")
}
func addProgramRules(host string, domain *tao.Domain) {
dt := template()
if domain.Config.DomainInfo.GetGuardType() == "Datalog" {
// Add the hashes of any programs given in the template.
for _, p := range dt.ProgramPaths {
prin, err := makeProgramSubPrin(p)
if err != nil {
continue
}
pt := auth.PrinTail{Ext: prin}
pred := auth.MakePredicate(dt.GetProgramPredicateName(), pt)
err = domain.Guard.AddRule(fmt.Sprint(pred))
options.FailIf(err, "Can't add rule to domain")
}
} else if domain.Config.DomainInfo.GetGuardType() == "ACLs" {
addACLPrograms(host, domain)
}
err := domain.Save()
options.FailIf(err, "Can't save domain")
}