* [PATCH for-4.5] flask/policy: Updates for example XSM policy
@ 2014-09-22 20:23 Daniel De Graaf
  2014-09-23  9:01 ` Wei Liu
From: Daniel De Graaf @ 2014-09-22 20:23 UTC (permalink / raw)
  To: xen-devel; +Cc: Daniel De Graaf

The example XSM policy was missing permission for dom0_t to migrate
domains with label domU_t; add these permissions.

Reported-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
---
 tools/flask/policy/policy/modules/xen/xen.if | 3 ++-
 tools/flask/policy/policy/modules/xen/xen.te | 3 +++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/tools/flask/policy/policy/modules/xen/xen.if b/tools/flask/policy/policy/modules/xen/xen.if
index 32b51b6..a2dcbe2 100644
--- a/tools/flask/policy/policy/modules/xen/xen.if
+++ b/tools/flask/policy/policy/modules/xen/xen.if
@@ -49,7 +49,8 @@ define(`create_domain_common', `
 			getdomaininfo hypercall setvcpucontext setextvcpucontext
 			getscheduler getvcpuinfo getvcpuextstate getaddrsize
 			getaffinity setaffinity };
-	allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim set_max_evtchn set_vnumainfo get_vnumainfo };
+	allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim
+			set_max_evtchn set_vnumainfo get_vnumainfo cacheflush };
 	allow $1 $2:security check_context;
 	allow $1 $2:shadow enable;
 	allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage mmuext_op };
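Review bot: the commit message talks only about migration permissions for dom0_t over domU_t, yet this hunk also adds `cacheflush` to the domain2 vector that create_domain_common grants every creator over every domain it creates. Please say in the commit message why a creator needs cacheflush and whether save/restore requires it, or carry it as a separate patch. Reflowing the long allow line onto two lines is fine.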
diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
index 1937883..6ca1046 100644
--- a/tools/flask/policy/policy/modules/xen/xen.te
+++ b/tools/flask/policy/policy/modules/xen/xen.te
@@ -125,12 +125,14 @@ create_domain(dom0_t, domU_t)
 manage_domain(dom0_t, domU_t)
 domain_comms(dom0_t, domU_t)
 domain_comms(domU_t, domU_t)
+migrate_domain_out(dom0_t, domU_t)
 domain_self_comms(domU_t)
 
 declare_domain(isolated_domU_t)
 create_domain(dom0_t, isolated_domU_t)
 manage_domain(dom0_t, isolated_domU_t)
 domain_comms(dom0_t, isolated_domU_t)
+migrate_domain_out(dom0_t, isolated_domU_t)
 domain_self_comms(isolated_domU_t)
 
 # Declare a boolean that denies creation of prot_domU_t domains
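Review bot: migrate_domain_out is granted for isolated_domU_t as well as for domU_t, which the commit message does not mention; since the isolated label exists to keep those domains apart from everything else, the message should state that exporting them through migration is intended. Also note that, per Wei's testing later in this thread, these two rules alone do not get a save/restore cycle through: the console still reports a map_read denial from dom0_t to domxen_t (tclass=mmu) and a resume denial from dom0_t to domU_t (tclass=domain), so a follow-up covering those is needed before the fix is complete.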
@@ -138,6 +140,7 @@ gen_bool(prot_doms_locked, false)
 declare_domain(prot_domU_t)
 if (!prot_doms_locked) {
 	create_domain(dom0_t, prot_domU_t)
+	migrate_domain_out(dom0_t, prot_domU_t)
 }
 domain_comms(dom0_t, prot_domU_t)
 domain_comms(domU_t, prot_domU_t)
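Review bot: gating migrate_domain_out(dom0_t, prot_domU_t) on !prot_doms_locked mirrors how create_domain is already gated in this block, so once the boolean is set a prot_domU_t domain can neither be created nor saved; confirm that locking is meant to cover saving as well and say so in the commit message. The migrate_domain_out interface itself is not touched by this patch, so it must already be defined in xen.if; please confirm the policy builds with these three calls added.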
-- 
1.9.3


* Re: [PATCH for-4.5] flask/policy: Updates for example XSM policy
  2014-09-22 20:23 [PATCH for-4.5] flask/policy: Updates for example XSM policy Daniel De Graaf
@ 2014-09-23  9:01 ` Wei Liu
  2014-09-23  9:37   ` Wei Liu
From: Wei Liu @ 2014-09-23  9:01 UTC (permalink / raw)
  To: Daniel De Graaf; +Cc: wei.liu2, xen-devel

On Mon, Sep 22, 2014 at 04:23:18PM -0400, Daniel De Graaf wrote:
> The example XSM policy was missing permission for dom0_t to migrate
> domains with label domU_t; add these permissions.
> 
> Reported-by: Wei Liu <wei.liu2@citrix.com>
> Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>

Thanks.

This seems to work to a certain degree. I now hit a new error when
trying to save a domain (PV and HVM).

(XEN) avc:  denied  { map_read } for domid=0 target=32754 scontext=system_u:sysu

And HVM guest creation for both QEMU upstream and traditional works.

Wei.


* Re: [PATCH for-4.5] flask/policy: Updates for example XSM policy
  2014-09-23  9:01 ` Wei Liu
@ 2014-09-23  9:37   ` Wei Liu
  2014-09-23 15:30     ` Ian Campbell
From: Wei Liu @ 2014-09-23  9:37 UTC (permalink / raw)
  To: Daniel De Graaf; +Cc: wei.liu2, xen-devel

On Tue, Sep 23, 2014 at 10:01:48AM +0100, Wei Liu wrote:
> On Mon, Sep 22, 2014 at 04:23:18PM -0400, Daniel De Graaf wrote:
> > The example XSM policy was missing permission for dom0_t to migrate
> > domains with label domU_t; add these permissions.
> > 
> > Reported-by: Wei Liu <wei.liu2@citrix.com>
> > Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
> 
> Thanks.
> 
> This seems to work to a certain degree. I now hit a new error when
> trying to save a domain (PV and HVM).
> 
> (XEN) avc:  denied  { map_read } for domid=0 target=32754 scontext=system_u:sysu

The above line was trimmed.

(XEN) avc:  denied  { map_read } for domid=0 target=32754 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domxen_t tclass=mmu

I added the following lines in xen.te
 allow dom0_t domxen_t:mmu map_read;

Then came across another error when trying to resume DomU (that is the
operation after saving).

(XEN) avc:  denied  { resume } for domid=0 target=1 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t tclass=domain

Even if I ran it in permissive mode it still failed with the same error
because "resume" is not defined in policy (not sure if this is the right
term).

Wei.
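
A small triage helper for the console denials Wei quotes above, written for this page and not part of Xen or of the patch: it parses each `(XEN) avc: denied` line into source type, target type, class and permissions, emits the allow rule a policy author would add, and separately flags permissions absent from the access-vector table, because an allow rule cannot grant those (the `resume` case). The KNOWN_PERMS table is a constructed, partial stand-in for the policy's real access_vectors file, filled only with the permissions visible in the patch context.

```python
import re

# Xen FLASK AVC denial as printed on the hypervisor console (see the lines quoted above):
# "(XEN) avc:  denied  { map_read } for domid=0 target=32754 scontext=... tcontext=... tclass=mmu"
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+domid=\d+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Partial access-vector table, constructed for this example from the permissions visible
# in the patch context above; the policy's real access_vectors file is authoritative.
KNOWN_PERMS = {
    "mmu": {"map_read", "map_write", "adjust", "memorymap", "physmap", "pinpage", "mmuext_op"},
    "domain": {"getdomaininfo", "hypercall", "setvcpucontext", "setextvcpucontext",
               "getscheduler", "getvcpuinfo", "getvcpuextstate", "getaddrsize",
               "getaffinity", "setaffinity"},
}

def parse_avc(line):
    """Return (perms, source_type, target_type, tclass) for one AVC line, or None when
    the line is truncated (like the trimmed console line in the thread) so that the
    target context or the class is missing."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A security context is user:role:type[:level]; the type is the third field.
    stype = m.group("scontext").split(":")[2]
    ttype = m.group("tcontext").split(":")[2]
    return tuple(m.group("perms").split()), stype, ttype, m.group("tclass")

def suggest_allow(perms, stype, ttype, tclass, known=KNOWN_PERMS):
    """Return the allow rule a policy author would add for the denial, plus the permissions
    the access-vector table does not define. An allow rule cannot grant those, and they stay
    denied even in permissive mode (Wei's 'resume' case): the class must gain the permission
    first."""
    missing = sorted(p for p in perms if p not in known.get(tclass, set()))
    return "allow %s %s:%s { %s };" % (stype, ttype, tclass, " ".join(perms)), missing

def triage(lines):
    """Map each console line to (rule, missing_perms), or None if it cannot be parsed."""
    return [suggest_allow(*d) if (d := parse_avc(l)) else None for l in lines]

# The three console lines quoted in this thread, used as sample input.
SAMPLE_LINES = [
    "(XEN) avc:  denied  { map_read } for domid=0 target=32754 scontext=system_u:sysu",
    "(XEN) avc:  denied  { map_read } for domid=0 target=32754 scontext=system_u:system_r:dom0_t"
    " tcontext=system_u:system_r:domxen_t tclass=mmu",
    "(XEN) avc:  denied  { resume } for domid=0 target=1 scontext=system_u:system_r:dom0_t"
    " tcontext=system_u:system_r:domU_t tclass=domain",
]
```

Running `triage(SAMPLE_LINES)` yields None for the trimmed line, the mmu rule Wei added by hand, and the domain rule with `resume` flagged as undefined in the table.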


* Re: [PATCH for-4.5] flask/policy: Updates for example XSM policy
  2014-09-23  9:37   ` Wei Liu
@ 2014-09-23 15:30     ` Ian Campbell
  2014-09-23 20:40       ` Daniel De Graaf
From: Ian Campbell @ 2014-09-23 15:30 UTC (permalink / raw)
  To: Wei Liu; +Cc: Daniel De Graaf, xen-devel

On Tue, 2014-09-23 at 10:37 +0100, Wei Liu wrote:
> On Tue, Sep 23, 2014 at 10:01:48AM +0100, Wei Liu wrote:
> > On Mon, Sep 22, 2014 at 04:23:18PM -0400, Daniel De Graaf wrote:
> > > The example XSM policy was missing permission for dom0_t to migrate
> > > domains with label domU_t; add these permissions.

Daniel, would you prefer to iterate until a full batch of fixes or shall
I apply and expect "More updates for example XSM policy" later on?


* Re: [PATCH for-4.5] flask/policy: Updates for example XSM policy
  2014-09-23 15:30     ` Ian Campbell
@ 2014-09-23 20:40       ` Daniel De Graaf
  2014-09-24  9:14         ` Ian Campbell
From: Daniel De Graaf @ 2014-09-23 20:40 UTC (permalink / raw)
  To: Ian Campbell, Wei Liu; +Cc: xen-devel

On 09/23/2014 11:30 AM, Ian Campbell wrote:
> On Tue, 2014-09-23 at 10:37 +0100, Wei Liu wrote:
>> On Tue, Sep 23, 2014 at 10:01:48AM +0100, Wei Liu wrote:
>>> On Mon, Sep 22, 2014 at 04:23:18PM -0400, Daniel De Graaf wrote:
>>>> The example XSM policy was missing permission for dom0_t to migrate
>>>> domains with label domU_t; add these permissions.
>
> Daniel, would you prefer to iterate until a full batch of fixes or shall
> I apply and expect "More updates for example XSM policy" later on?
>

I would prefer to iterate and apply the full set.

-- 
Daniel De Graaf
National Security Agency


* Re: [PATCH for-4.5] flask/policy: Updates for example XSM policy
  2014-09-23 20:40       ` Daniel De Graaf
@ 2014-09-24  9:14         ` Ian Campbell
  2014-11-28 11:07           ` Ian Campbell
From: Ian Campbell @ 2014-09-24  9:14 UTC (permalink / raw)
  To: Daniel De Graaf; +Cc: Wei Liu, xen-devel

On Tue, 2014-09-23 at 16:40 -0400, Daniel De Graaf wrote:
> On 09/23/2014 11:30 AM, Ian Campbell wrote:
> > On Tue, 2014-09-23 at 10:37 +0100, Wei Liu wrote:
> >> On Tue, Sep 23, 2014 at 10:01:48AM +0100, Wei Liu wrote:
> >>> On Mon, Sep 22, 2014 at 04:23:18PM -0400, Daniel De Graaf wrote:
> >>>> The example XSM policy was missing permission for dom0_t to migrate
> >>>> domains with label domU_t; add these permissions.
> >
> > Daniel, would you prefer to iterate until a full batch of fixes or shall
> > I apply and expect "More updates for example XSM policy" later on?
> >
> 
> I would prefer to iterate and apply the full set.

Ack.


* Re: [PATCH for-4.5] flask/policy: Updates for example XSM policy
  2014-09-24  9:14         ` Ian Campbell
@ 2014-11-28 11:07           ` Ian Campbell
From: Ian Campbell @ 2014-11-28 11:07 UTC (permalink / raw)
  To: Daniel De Graaf; +Cc: Wei Liu, xen-devel

On Wed, 2014-09-24 at 10:14 +0100, Ian Campbell wrote:
> On Tue, 2014-09-23 at 16:40 -0400, Daniel De Graaf wrote:
> > On 09/23/2014 11:30 AM, Ian Campbell wrote:
> > > On Tue, 2014-09-23 at 10:37 +0100, Wei Liu wrote:
> > >> On Tue, Sep 23, 2014 at 10:01:48AM +0100, Wei Liu wrote:
> > >>> On Mon, Sep 22, 2014 at 04:23:18PM -0400, Daniel De Graaf wrote:
> > >>>> The example XSM policy was missing permission for dom0_t to migrate
> > >>>> domains with label domU_t; add these permissions.
> > >
> > > Daniel, would you prefer to iterate until a full batch of fixes or shall
> > > I apply and expect "More updates for example XSM policy" later on?
> > >
> > 
> > I would prefer to iterate and apply the full set.
> 
> Ack.

I've just spotted this in my queue, did this full set ever happen? I
don't see it in tree or in my queue folder. Maybe the issue went away
some other way?

Ian.
