Safe Haskell | Unsafe |
---|---|
- data DBConf = DBConf {}
- type DCAction = Action DCLabel DCPrivTCB ()
- dcAccess :: Database DCLabel -> DCAction a -> DC (Either Failure a)
- labelDatabase :: DBConf -> DCLabel -> DCLabel -> DC (Database DCLabel)
- class DatabasePolicy dbp where
  - createDatabasePolicy :: DBConf -> DCPrivTCB -> DC dbp
  - policyDB :: dbp -> Database DCLabel
- class DatabasePolicy dbp => PolicyGroup dbp where
  - expandGroup :: dbp -> Principal -> DCAction [Principal]
  - relabelGroups :: dbp -> DCLabeled a -> DC (DCLabeled a)
- relabelGroupsP :: PolicyGroup dbp => dbp -> DCPrivTCB -> Labeled DCLabel a -> DC (DCLabeled a)
- relabelGroupsSafe :: PolicyGroup dbp => dbp -> Labeled DCLabel a -> DC (DCLabeled a)
- class DatabasePolicy dbp => PrivilegeGrantGate dbp where
- withLabel :: DCPrivTCB -> DCLabel -> DC a -> DC a
- gateToLabeled :: DCPrivTCB -> DCLabeled (Document DCLabel) -> (Document DCLabel -> DC a) -> DC (DCLabeled a)
Documentation
data DBConf = DBConf {}
Database configuration, used to invoke withDB.
type DCAction = Action DCLabel DCPrivTCB ()
dcAccess :: Database DCLabel -> DCAction a -> DC (Either Failure a)
Open a pipe to a supplied server, or localhost.
TODO: add support for connecting to replicas.
labelDatabase
:: DBConf | Database configuration |
-> DCLabel | Label of collection policies |
-> DCLabel | Database label |
-> DC (Database DCLabel) |
The withDB functions should use this function to label their databases.
TODO (DS/AL): make every searchable field indexable.
class DatabasePolicy dbp where
Policy modules are instances of this class. In particular, when an application accesses a database, the runtime invokes createDatabasePolicy in the appropriate policy module.
createDatabasePolicy :: DBConf -> DCPrivTCB -> DC dbp
Given a DBConf, generate an instance of this DatabasePolicy. This is the main entry point for policy modules. Policies should, in general, either discard the DBConf or store it in such a way that it is inaccessible to other modules, since it contains the privilege of the policy.
policyDB :: dbp -> Database DCLabel
Get the actual underlying Database instance for this policy.
Groups
class DatabasePolicy dbp => PolicyGroup dbp where
Class used to define groups in a policy-specific manner.
expandGroup :: dbp -> Principal -> DCAction [Principal]
Expands a principal of the form "#group_name" into a list of Principals.
relabelGroups :: dbp -> DCLabeled a -> DC (DCLabeled a)
Relabels the Labeled value by using the policy's privilege to downgrade the label and optionally re-taint it in an application-specific way, e.g. expanding groups of the form "#group_name" into a policy-specified disjunction of real principals. Policies are expected to implement this function by wrapping relabelGroupsP with their privilege and implementing expandGroup, which is called by relabelGroupsP.
relabelGroupsP :: PolicyGroup dbp => dbp -> DCPrivTCB -> Labeled DCLabel a -> DC (DCLabeled a)
Looks for disjunctions that the privilege is able to downgrade and rewrites them by invoking expandGroup on each principal in the disjunction. Using the result, the function relabels the Labeled value. Clients should not call this directly; instead, clients should call relabelGroups, which policies may implement by wrapping this function.
relabelGroupsSafe :: PolicyGroup dbp => dbp -> Labeled DCLabel a -> DC (DCLabeled a)
A wrapper around relabelGroups that drops the current privileges and restores them after getting a result from relabelGroups.
Privilege granting gate
class DatabasePolicy dbp => PrivilegeGrantGate dbp where
Class used to define a policy-specific privilege-granting gate.
withLabel :: DCPrivTCB -> DCLabel -> DC a -> DC a
Given a set of privileges, a desired label and an action: lower the current label as close to the desired label as the privileges allow, execute the action, and then raise the current label again.
gateToLabeled :: DCPrivTCB -> DCLabeled (Document DCLabel) -> (Document DCLabel -> DC a) -> DC (DCLabeled a)
Given a set of privileges, a labeled document and a computation on the (unlabeled version of the) document: downgrade the current label with the supplied privileges (integrity only), unlabel the document and apply the computation to it. The result is then labeled with the current label, and the current label is reset to the original (if possible).
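The following is an added example, not code from hails or from this module, showing one policy module that follows the documentation above: it implements createDatabasePolicy and policyDB, implements relabelGroups by wrapping relabelGroupsP with its own privilege and expandGroup, and exposes gateToLabeled through a gate function rather than exposing the privilege. The module path Hails.Database.MongoDB.TCB.DCAccess, the dclabel helpers principal, name and newDC, the label choices, and the group table are assumptions made for the example.

```haskell
{-# LANGUAGE OverloadedStrings #-}
-- Added example policy module (not part of hails). Module paths and the
-- dclabel helpers (principal, name, newDC) are assumed.
module ExamplePolicy (ExamplePolicy, withDocument) where

import qualified Data.ByteString.Char8 as S8
import LIO.DCLabel (DCLabel, DCPrivTCB, DCLabeled, Principal, principal, name, newDC)
import LIO.TCB (DC)
import Hails.Database.MongoDB.TCB.DCAccess
  ( DBConf, Database, Document, labelDatabase
  , DatabasePolicy(..), PolicyGroup(..), relabelGroupsP, gateToLabeled )

-- The privilege lives in a record field that the export list above does not
-- expose, so other modules cannot reach it (the "inaccessible to other
-- modules" storage the createDatabasePolicy docs ask for).
data ExamplePolicy = ExamplePolicyTCB
  { epPriv   :: DCPrivTCB                            -- privilege given to createDatabasePolicy
  , epDB     :: Database DCLabel                     -- database labeled by labelDatabase
  , epGroups :: [(S8.ByteString, [S8.ByteString])]  -- constructed group table
  }

-- Constructed sample groups: "#admins" expands to alice and bob, and so on.
sampleGroups :: [(S8.ByteString, [S8.ByteString])]
sampleGroups = [ ("#admins", ["alice", "bob"]), ("#auditors", ["carol"]) ]

instance DatabasePolicy ExamplePolicy where
  createDatabasePolicy conf priv = do
    -- Both the collection-policy label and the database label are owned by
    -- the policy's own principal here (labels built with newDC, assumed).
    let me   = principal "example-policy"
        lcol = newDC me me
        ldb  = newDC me me
    db <- labelDatabase conf lcol ldb
    -- conf is dropped after this point: it carries the policy's privilege.
    return ExamplePolicyTCB { epPriv = priv, epDB = db, epGroups = sampleGroups }
  policyDB = epDB

instance PolicyGroup ExamplePolicy where
  -- "#group_name" principals expand to their members; anything else is
  -- returned unchanged, so an unknown name never silently disappears from a label.
  expandGroup pol p =
    return $ case lookup (name p) (epGroups pol) of
      Just members -> map principal members
      Nothing      -> [p]
  -- Wrap relabelGroupsP with the policy's own privilege, as the docs prescribe;
  -- callers only ever see relabelGroups, never the privilege itself.
  relabelGroups pol = relabelGroupsP pol (epPriv pol)

-- A privilege-granting gate in the sense of gateToLabeled: the caller's
-- computation runs on the unlabeled document under the policy's privilege
-- (integrity only) and the result comes back labeled with the current label.
withDocument :: ExamplePolicy
             -> DCLabeled (Document DCLabel)
             -> (Document DCLabel -> DC a)
             -> DC (DCLabeled a)
withDocument pol = gateToLabeled (epPriv pol)
```

The point of the export list is that ExamplePolicy is exported abstractly: application code can call relabelGroups and withDocument, but has no way to read epPriv, which is what keeps the policy's privilege from leaking to other modules.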