From: sds@tycho.nsa.gov (Stephen Smalley)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH] Refine xen policy
Date: Thu, 10 Feb 2011 11:17:33 -0500	[thread overview]
Message-ID: <1297354653.31980.8.camel@moss-pluto> (raw)

Various changes to the Xen userspace policy, including:
- Add gntdev and gntalloc device node labeling.
- Create separate domains for blktap and qemu-dm rather than leaving them in xend_t.
- No need to allow xen userspace to create its own device nodes anymore;
this is handled automatically by the kernel/udev.
- No need to allow xen userspace access to generic raw storage; even if
using dedicated partitions/LVs for disk images, you can just label them
with xen_image_t.

The blktap and qemu-dm domains are stubs and will likely need to be
further expanded, but they should definitely not be left in xend_t.  Not
sure if I should try to use qemu_domain_template() instead for qemu-dm,
but I don't see any current users of that template (qemu_t uses
virt_domain_template instead), and qemu-dm has specific interactions
with Xen.

Signed-off-by:  Stephen Smalley <sds@tycho.nsa.gov>

---

 policy/modules/kernel/devices.fc |    2 
 policy/modules/system/xen.fc     |    5 +
 policy/modules/system/xen.te     |  114 +++++++++++++++++++++++++++++++++------
 3 files changed, 104 insertions(+), 17 deletions(-)

diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index 3b2da10..8ac94e4 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -173,6 +173,8 @@ ifdef(`distro_suse', `
 
 /dev/xen/blktap.*	-c	gen_context(system_u:object_r:xen_device_t,s0)
 /dev/xen/evtchn		-c	gen_context(system_u:object_r:xen_device_t,s0)
+/dev/xen/gntdev		-c	gen_context(system_u:object_r:xen_device_t,s0)
+/dev/xen/gntalloc	-c	gen_context(system_u:object_r:xen_device_t,s0)
 
 /etc/udev/devices	-d	gen_context(system_u:object_r:device_t,s0)
 
diff --git a/policy/modules/system/xen.fc b/policy/modules/system/xen.fc
index 8c827f8..1872b74 100644
--- a/policy/modules/system/xen.fc
+++ b/policy/modules/system/xen.fc
@@ -4,6 +4,11 @@
 
 /usr/sbin/evtchnd	--	gen_context(system_u:object_r:evtchnd_exec_t,s0)
 
+/usr/sbin/blktapctrl	--	gen_context(system_u:object_r:blktap_exec_t,s0)
+/usr/sbin/tapdisk	--	gen_context(system_u:object_r:blktap_exec_t,s0)
+
+/usr/lib(64)?/xen/bin/qemu-dm	-- gen_context(system_u:object_r:qemu_dm_exec_t,s0)
+
 ifdef(`distro_debian',`
 /usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
 /usr/lib/xen-[^/]*/bin/xend --	gen_context(system_u:object_r:xend_exec_t,s0)
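Review bot: The new qemu-dm entry on the `/usr/lib(64)?/xen/bin/qemu-dm` line only matches that path, while the `distro_debian` block directly below it labels the other Xen binaries under `/usr/lib/xen-[^/]*/bin/`; if Debian ships qemu-dm there too (not verifiable from this hunk), it would keep the default library label and the `domtrans_pattern(xend_t, qemu_dm_exec_t, qemu_dm_t)` in xen.te would never fire, so xend would run it in its own domain or be denied. If that is the case, add `/usr/lib/xen-[^/]*/bin/qemu-dm -- gen_context(system_u:object_r:qemu_dm_exec_t,s0)` inside the Debian block. As a style point, the qemu-dm line separates `--` from `gen_context` with a single space where the neighbouring entries use a tab. The `ifdef(`distro_debian'` block continues past the end of the hunk.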
diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
index f661f5a..e25619f 100644
--- a/policy/modules/system/xen.te
+++ b/policy/modules/system/xen.te
@@ -72,6 +72,7 @@ files_tmp_file(xenstored_tmp_t)
 # var/lib files
 type xenstored_var_lib_t;
 files_type(xenstored_var_lib_t)
+files_mountpoint(xenstored_var_lib_t)
 
 # log files
 type xenstored_var_log_t;
@@ -94,6 +95,38 @@ type xm_exec_t;
 domain_type(xm_t)
 init_system_domain(xm_t, xm_exec_t)
 
+## <desc>
+## <p>
+## Allow xend to run qemu-dm.
+## Not required if using paravirt and no vfb.
+## </p>
+## </desc>
+gen_tunable(xend_run_qemu, true)
+
+type qemu_dm_t;
+domain_type(qemu_dm_t)
+type qemu_dm_exec_t;
+files_type(qemu_dm_exec_t)
+domain_entry_file(qemu_dm_t, qemu_dm_exec_t)
+role system_r types qemu_dm_t;
+
+## <desc>
+## <p>
+## Allow xend to run blktapctrl/tapdisk.
+## Not required if using dedicated logical volumes for disk images.
+## </p>
+## </desc>
+gen_tunable(xend_run_blktap, true)
+
+type blktap_t;
+domain_type(blktap_t)
+role system_r types blktap_t;
+type blktap_exec_t;
+files_type(blktap_exec_t)
+domain_entry_file(blktap_t, blktap_exec_t)
+type blktap_var_run_t;
+files_pid_file(blktap_var_run_t)
+
 #######################################
 #
 # evtchnd local policy
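Review bot: `blktap_var_run_t` is declared and marked with `files_pid_file` on the two lines before the evtchnd section, but no rule anywhere in the patch grants `blktap_t` access to it or a file transition into it, so anything blktapctrl/tapdisk creates under /var/run would land in the generic pid-file type and the new type is dead. If the daemons do write a pid or socket file there (the commit message calls the domain a stub, so this is inferred), the blktap section needs the equivalent of what evtchnd already has: `manage_files_pattern(blktap_t, blktap_var_run_t, blktap_var_run_t)` and `files_pid_filetrans(blktap_t, blktap_var_run_t, file)`. Otherwise the two declaration lines should be dropped rather than left unused.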
@@ -113,7 +146,7 @@ files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir })
 # xend local policy
 #
 
-allow xend_t self:capability { mknod dac_override ipc_lock net_admin setuid sys_nice sys_ptrace sys_tty_config net_raw };
+allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config net_raw };
 dontaudit xend_t self:capability { sys_ptrace };
 allow xend_t self:process { signal sigkill };
 dontaudit xend_t self:process ptrace;
@@ -161,6 +194,12 @@ files_var_lib_filetrans(xend_t, xend_var_lib_t, { file dir })
 # transition to store
 domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t)
 
+# manage xenstored pid file
+manage_files_pattern(xend_t, xenstored_var_run_t, xenstored_var_run_t)
+
+# mount tmpfs on /var/lib/xenstored
+allow xend_t xenstored_var_lib_t:dir read;
+
 # transition to console
 domtrans_pattern(xend_t, xenconsoled_exec_t, xenconsoled_t)
 
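Review bot: The comment `# mount tmpfs on /var/lib/xenstored` over-describes the rule beneath it, which only grants `xend_t` read on the directory; nothing in this hunk grants `mounton`, so the mount itself must happen elsewhere, presumably through the `mount_domtrans(xend_t)` call seen in a later hunk. A comment that matches the rule would be `# list /var/lib/xenstored (tmpfs is mounted there via mount_domtrans)`. The xend local policy section continues outside the hunk.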
@@ -193,12 +232,10 @@ corenet_sendrecv_soundd_server_packets(xend_t)
 corenet_rw_tun_tap_dev(xend_t)
 
 dev_read_urand(xend_t)
-dev_manage_xen(xend_t)
 dev_filetrans_xen(xend_t)
 dev_rw_sysfs(xend_t)
 dev_rw_xen(xend_t)
 
-domain_read_all_domains_state(xend_t)
 domain_dontaudit_read_all_domains_state(xend_t)
 domain_dontaudit_ptrace_all_domains(xend_t)
 
@@ -210,10 +247,6 @@ files_etc_filetrans_etc_runtime(xend_t, file)
 files_read_usr_files(xend_t)
 files_read_default_symlinks(xend_t)
 
-storage_raw_read_fixed_disk(xend_t)
-storage_raw_write_fixed_disk(xend_t)
-storage_raw_read_removable_device(xend_t)
-
 term_getattr_all_ptys(xend_t)
 term_use_generic_ptys(xend_t)
 term_use_ptmx(xend_t)
@@ -228,6 +261,7 @@ logging_send_syslog_msg(xend_t)
 lvm_domtrans(xend_t)
 
 miscfiles_read_localization(xend_t)
+miscfiles_read_hwdata(xend_t)
 
 mount_domtrans(xend_t)
 
@@ -274,7 +308,7 @@ kernel_read_kernel_sysctls(xenconsoled_t)
 kernel_write_xen_state(xenconsoled_t)
 kernel_read_xen_state(xenconsoled_t)
 
-dev_manage_xen(xenconsoled_t)
+dev_rw_xen(xenconsoled_t)
 dev_filetrans_xen(xenconsoled_t)
 dev_rw_sysfs(xenconsoled_t)
 
@@ -308,7 +342,7 @@ optional_policy(`
 # Xen store local policy
 #
 
-allow xenstored_t self:capability { dac_override mknod ipc_lock sys_resource };
+allow xenstored_t self:capability { dac_override ipc_lock sys_resource };
 allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
 allow xenstored_t self:unix_dgram_socket create_socket_perms;
 
@@ -338,20 +372,16 @@ stream_connect_pattern(xenstored_t, evtchnd_var_run_t, evtchnd_var_run_t, evtchn
 kernel_write_xen_state(xenstored_t)
 kernel_read_xen_state(xenstored_t)
 
-dev_create_generic_dirs(xenstored_t)
-dev_manage_xen(xenstored_t)
 dev_filetrans_xen(xenstored_t)
 dev_rw_xen(xenstored_t)
 dev_read_sysfs(xenstored_t)
 
+files_read_etc_files(xenstored_t)
+
 files_read_usr_files(xenstored_t)
 
 fs_manage_xenfs_files(xenstored_t)
 
-storage_raw_read_fixed_disk(xenstored_t)
-storage_raw_write_fixed_disk(xenstored_t)
-storage_raw_read_removable_device(xenstored_t)
-
 term_use_generic_ptys(xenstored_t)
 
 init_use_fds(xenstored_t)
@@ -411,8 +441,6 @@ fs_getattr_all_fs(xm_t)
 fs_manage_xenfs_dirs(xm_t)
 fs_manage_xenfs_files(xm_t)
 
-storage_raw_read_fixed_disk(xm_t)
-
 term_use_all_terms(xm_t)
 
 init_stream_connect_script(xm_t)
@@ -474,3 +502,55 @@ optional_policy(`
 		unconfined_domain(xend_t)
 	')
 ')
+
+########################################
+#
+# qemu-dm local policy
+#
+# Do we need to allow execution of qemu-dm?
+tunable_policy(`xend_run_qemu',`
+	# If yes, transition to its own domain.
+	domtrans_pattern(xend_t, qemu_dm_exec_t, qemu_dm_t)
+	allow qemu_dm_t self:capability sys_resource;
+	allow qemu_dm_t self:process setrlimit;
+	allow qemu_dm_t self:fifo_file { read write };
+	allow qemu_dm_t self:tcp_socket create_stream_socket_perms;
+	rw_fifo_files_pattern(qemu_dm_t, xend_var_run_t, xend_var_run_t)
+	append_files_pattern(qemu_dm_t, xend_var_log_t, xend_var_log_t)
+	libs_use_ld_so(qemu_dm_t)
+	libs_use_shared_libs(qemu_dm_t)
+	files_read_etc_files(qemu_dm_t)
+	files_read_usr_files(qemu_dm_t)
+	miscfiles_read_localization(qemu_dm_t)
+	corenet_tcp_bind_generic_node(qemu_dm_t)
+	corenet_tcp_bind_vnc_port(qemu_dm_t)
+	dev_rw_xen(qemu_dm_t)
+	xen_stream_connect_xenstore(qemu_dm_t)
+	fs_manage_xenfs_dirs(qemu_dm_t)
+	fs_manage_xenfs_files(qemu_dm_t)
+',`
+	# If no, then silently refuse to run it.
+	dontaudit xend_t qemu_dm_exec_t:file { execute execute_no_trans };
+')
+
+########################################
+#
+# blktap local policy
+#
+# Do we need to allow execution of blktap?
+tunable_policy(`xend_run_blktap',`
+	# If yes, transition to its own domain.
+	domtrans_pattern(xend_t, blktap_exec_t, blktap_t)
+	allow blktap_t self:fifo_file { read write };
+	libs_use_ld_so(blktap_t)
+	libs_use_shared_libs(blktap_t)
+	miscfiles_read_localization(blktap_t)
+	files_read_etc_files(blktap_t)
+	dev_read_sysfs(blktap_t)
+	logging_send_syslog_msg(blktap_t)
+	dev_rw_xen(blktap_t)
+	xen_stream_connect_xenstore(blktap_t)
+',`
+	# If no, then silently refuse to run it.
+	dontaudit xend_t blktap_exec_t:file { execute execute_no_trans };
+')

-- 
Stephen Smalley
National Security Agency
