From: Ian Campbell <Ian.Campbell@citrix.com>
To: Daniel De Graaf <dgdegra@tycho.nsa.gov>,
	Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: wei.liu2@citrix.com, xen-devel@lists.xen.org
Subject: Re: [PATCH for-4.5] flask/policy: Example policy updates for migration
Date: Mon, 8 Dec 2014 09:48:07 +0000	[thread overview]
Message-ID: <1418032087.11028.5.camel@citrix.com> (raw)
In-Reply-To: <1417798987-10325-1-git-send-email-dgdegra@tycho.nsa.gov>

On Fri, 2014-12-05 at 12:03 -0500, Daniel De Graaf wrote:
> The example XSM policy was missing permission for dom0_t to migrate
> domains; add these permissions.
> 
> Reported-by: Wei Liu <wei.liu2@citrix.com>
> Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>

Acked-by: Ian Campbell <ian.campbell@citrix.com>

Konrad, we should take this for 4.5, in order to have a working example
XSM policy. There is zero risk to non-XSM systems or to systems with custom
XSM policies, and a clear benefit to XSM systems using the example policy.

> ---
> 
> This has been tested with xl save/restore on a PV domain, which now
> succeeds without producing AVC denials.
> 
>  tools/flask/policy/policy/modules/xen/xen.if | 11 +++++++----
>  tools/flask/policy/policy/modules/xen/xen.te |  3 +++
>  2 files changed, 10 insertions(+), 4 deletions(-)
> 
> diff --git a/tools/flask/policy/policy/modules/xen/xen.if b/tools/flask/policy/policy/modules/xen/xen.if
> index fa69c9d..bf5e135 100644
> --- a/tools/flask/policy/policy/modules/xen/xen.if
> +++ b/tools/flask/policy/policy/modules/xen/xen.if
> @@ -48,11 +48,13 @@ define(`create_domain_common', `
>  	allow $1 $2:domain { create max_vcpus setdomainmaxmem setaddrsize
>  			getdomaininfo hypercall setvcpucontext setextvcpucontext
>  			getscheduler getvcpuinfo getvcpuextstate getaddrsize
> -			getaffinity setaffinity };
> -	allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim set_max_evtchn set_vnumainfo get_vnumainfo psr_cmt_op configure_domain };
> +			getaffinity setaffinity setvcpuextstate };
> +	allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim
> +			set_max_evtchn set_vnumainfo get_vnumainfo cacheflush
> +			psr_cmt_op configure_domain };
>  	allow $1 $2:security check_context;
>  	allow $1 $2:shadow enable;
> -	allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage mmuext_op };
> +	allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage mmuext_op updatemp };
>  	allow $1 $2:grant setup;
>  	allow $1 $2:hvm { cacheattr getparam hvmctl irqlevel pciroute sethvmc
>  			setparam pcilevel trackdirtyvram nested };
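Review bot: The three permissions added to create_domain_common — `setvcpuextstate` on line 44, `cacheflush` on line 46 and `updatemp` on line 51 — are not justified anywhere in the hunk or the commit message, which only says migration permissions were missing. Because this macro is instantiated for every domain type dom0_t creates, each extra permission widens the example policy for all of them, so a policy maintainer later wanting to prune it needs to know which operation required it. If these were the denials seen on the restore side (the migrate_domain_out header elsewhere in this patch notes that inbound migration is the same as domain creation), a comment above the domain2 block such as `# setvcpuextstate, cacheflush and updatemp are needed by the toolstack restore path` would record that; the same applies to the `resume` added to manage_domain in the next hunk. The create_domain_common definition begins before this hunk.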
> @@ -80,7 +82,7 @@ define(`create_domain_build_label', `
>  define(`manage_domain', `
>  	allow $1 $2:domain { getdomaininfo getvcpuinfo getaffinity
>  			getaddrsize pause unpause trigger shutdown destroy
> -			setaffinity setdomainmaxmem getscheduler };
> +			setaffinity setdomainmaxmem getscheduler resume };
>      allow $1 $2:domain2 set_vnumainfo;
>  ')
>  
> @@ -88,6 +90,7 @@ define(`manage_domain', `
>  #   Allow creation of a snapshot or migration image from a domain
>  #   (inbound migration is the same as domain creation)
>  define(`migrate_domain_out', `
> +	allow $1 domxen_t:mmu map_read;
>  	allow $1 $2:hvm { gethvmc getparam irqlevel };
>  	allow $1 $2:mmu { stat pageinfo map_read };
>  	allow $1 $2:domain { getaddrsize getvcpucontext getextvcpucontext getvcpuextstate pause destroy };
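Review bot: The new rule on line 68 grants $1 `map_read` on domxen_t's mmu class, i.e. read access to Xen-owned pages, which is broader than the per-target ($2) rules around it and is not covered by the macro's header comment on lines 65-66. A one-line comment above it, such as `# saving a domain also requires read access to Xen-owned (domxen_t) pages`, would make the reason visible — presumably the save code maps such pages, but that should be confirmed against the denial that prompted it. Since the rule does not depend on $2 it is re-emitted for every domain type the macro is applied to; the duplicate allow rules are harmless, but stating it once for dom0_t in xen.te would be the cleaner placement. The migrate_domain_out definition continues past this hunk.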
> diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
> index d214470..c0128aa 100644
> --- a/tools/flask/policy/policy/modules/xen/xen.te
> +++ b/tools/flask/policy/policy/modules/xen/xen.te
> @@ -129,12 +129,14 @@ create_domain(dom0_t, domU_t)
>  manage_domain(dom0_t, domU_t)
>  domain_comms(dom0_t, domU_t)
>  domain_comms(domU_t, domU_t)
> +migrate_domain_out(dom0_t, domU_t)
>  domain_self_comms(domU_t)
>  
>  declare_domain(isolated_domU_t)
>  create_domain(dom0_t, isolated_domU_t)
>  manage_domain(dom0_t, isolated_domU_t)
>  domain_comms(dom0_t, isolated_domU_t)
> +migrate_domain_out(dom0_t, isolated_domU_t)
>  domain_self_comms(isolated_domU_t)
>  
>  # Declare a boolean that denies creation of prot_domU_t domains
> @@ -142,6 +144,7 @@ gen_bool(prot_doms_locked, false)
>  declare_domain(prot_domU_t)
>  if (!prot_doms_locked) {
>  	create_domain(dom0_t, prot_domU_t)
> +	migrate_domain_out(dom0_t, prot_domU_t)
>  }
>  domain_comms(dom0_t, prot_domU_t)
>  domain_comms(domU_t, prot_domU_t)
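Review bot: The comment introducing prot_doms_locked, visible as the last context line of the previous hunk (line 90), says the boolean denies creation of prot_domU_t domains, but line 95 now also gates outbound migration under it, so the documented effect no longer matches the rules. Updating it to `# Declare a boolean that denies creation and outbound migration of prot_domU_t domains` keeps the policy's stated intent accurate for anyone toggling the boolean. Gating save under the same boolean as creation is consistent with the migrate_domain_out header comment that inbound migration is the same as domain creation.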
