From: Ian Campbell <Ian.Campbell@citrix.com>
To: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Daniel De Graaf <dgdegra@tycho.nsa.gov>,
wei.liu2@citrix.com, xen-devel@lists.xen.org
Subject: Re: [PATCH for-4.5] flask/policy: Example policy updates for migration
Date: Mon, 8 Dec 2014 15:54:06 +0000
Message-ID: <1418054046.2827.18.camel@citrix.com>
In-Reply-To: <20141208155205.GC7745@laptop.dumpdata.com>
On Mon, 2014-12-08 at 10:52 -0500, Konrad Rzeszutek Wilk wrote:
> On Mon, Dec 08, 2014 at 09:48:07AM +0000, Ian Campbell wrote:
> > On Fri, 2014-12-05 at 12:03 -0500, Daniel De Graaf wrote:
> > > The example XSM policy was missing permission for dom0_t to migrate
> > > domains; add these permissions.
> > >
> > > Reported-by: Wei Liu <wei.liu2@citrix.com>
> > > Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
> >
> > Acked-by: Ian Campbell <ian.campbell@citrix.com>
> >
> > Konrad, we should take this for 4.5, in order to have a working example
> > XSM policy. There's 0 risk to non-XSM systems, or systems with custom
>
> Thought this looks like it never worked in the past then? As in, this
> is not a regression but a bug that had existed for quite a while?
AIUI it has worked in the past, i.e. I remember applying other series
from Daniel to fix it for previous releases. This patch is the policy
catching up with the developments during 4.5.
>
> > XSM policies and clear benefits to XSM systems using the example policy.
> >
> > > ---
> > >
> > > This has been tested with xl save/restore on a PV domain, which now
> > > succeeds without producing AVC denials.
> > >
> > > tools/flask/policy/policy/modules/xen/xen.if | 11 +++++++----
> > > tools/flask/policy/policy/modules/xen/xen.te | 3 +++
> > > 2 files changed, 10 insertions(+), 4 deletions(-)
> > >
> > > diff --git a/tools/flask/policy/policy/modules/xen/xen.if b/tools/flask/policy/policy/modules/xen/xen.if
> > > index fa69c9d..bf5e135 100644
> > > --- a/tools/flask/policy/policy/modules/xen/xen.if
> > > +++ b/tools/flask/policy/policy/modules/xen/xen.if
> > > @@ -48,11 +48,13 @@ define(`create_domain_common', `
> > > allow $1 $2:domain { create max_vcpus setdomainmaxmem setaddrsize
> > > getdomaininfo hypercall setvcpucontext setextvcpucontext
> > > getscheduler getvcpuinfo getvcpuextstate getaddrsize
> > > - getaffinity setaffinity };
> > > - allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim set_max_evtchn set_vnumainfo get_vnumainfo psr_cmt_op configure_domain };
> > > + getaffinity setaffinity setvcpuextstate };
> > > + allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim
> > > + set_max_evtchn set_vnumainfo get_vnumainfo cacheflush
> > > + psr_cmt_op configure_domain };
> > > allow $1 $2:security check_context;
> > > allow $1 $2:shadow enable;
> > > - allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage mmuext_op };
> > > + allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage mmuext_op updatemp };
> > > allow $1 $2:grant setup;
> > > allow $1 $2:hvm { cacheattr getparam hvmctl irqlevel pciroute sethvmc
> > > setparam pcilevel trackdirtyvram nested };
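Review bot: the commit message only mentions dom0_t migrating domains out, yet this hunk widens create_domain_common, i.e. the inbound/restore side (setvcpuextstate on domain, cacheflush on domain2, updatemp on mmu). A sentence in the message saying that restore needs these on the newly created target domain would make the scope clear. Reflowing the domain2 allow line onto three lines is a welcome style fix.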
> > > @@ -80,7 +82,7 @@ define(`create_domain_build_label', `
> > > define(`manage_domain', `
> > > allow $1 $2:domain { getdomaininfo getvcpuinfo getaffinity
> > > getaddrsize pause unpause trigger shutdown destroy
> > > - setaffinity setdomainmaxmem getscheduler };
> > > + setaffinity setdomainmaxmem getscheduler resume };
> > > allow $1 $2:domain2 set_vnumainfo;
> > > ')
> > >
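Review bot: `resume` is added to manage_domain rather than migrate_domain_out, so every manager of a domain gains it, not only the migrating toolstack. If it is needed to resume the source domain after the xl save case mentioned in the description, the commit message should say so; if only the migration path needs it, migrate_domain_out would be the tighter home.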
> > > @@ -88,6 +90,7 @@ define(`manage_domain', `
> > > # Allow creation of a snapshot or migration image from a domain
> > > # (inbound migration is the same as domain creation)
> > > define(`migrate_domain_out', `
> > > + allow $1 domxen_t:mmu map_read;
> > > allow $1 $2:hvm { gethvmc getparam irqlevel };
> > > allow $1 $2:mmu { stat pageinfo map_read };
> > > allow $1 $2:domain { getaddrsize getvcpucontext getextvcpucontext getvcpuextstate pause destroy };
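Review bot: `allow $1 domxen_t:mmu map_read` grants the caller read-mapping of Xen-owned (domxen_t) pages independently of the $2 target, so the same rule is emitted once per domain type that migrate_domain_out is invoked with in xen.te. Either add a comment above it stating which Xen-owned pages the save path has to map, or hoist it next to the other dom0_t rules so it appears once.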
> > > diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
> > > index d214470..c0128aa 100644
> > > --- a/tools/flask/policy/policy/modules/xen/xen.te
> > > +++ b/tools/flask/policy/policy/modules/xen/xen.te
> > > @@ -129,12 +129,14 @@ create_domain(dom0_t, domU_t)
> > > manage_domain(dom0_t, domU_t)
> > > domain_comms(dom0_t, domU_t)
> > > domain_comms(domU_t, domU_t)
> > > +migrate_domain_out(dom0_t, domU_t)
> > > domain_self_comms(domU_t)
> > >
> > > declare_domain(isolated_domU_t)
> > > create_domain(dom0_t, isolated_domU_t)
> > > manage_domain(dom0_t, isolated_domU_t)
> > > domain_comms(dom0_t, isolated_domU_t)
> > > +migrate_domain_out(dom0_t, isolated_domU_t)
> > > domain_self_comms(isolated_domU_t)
> > >
> > > # Declare a boolean that denies creation of prot_domU_t domains
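Review bot: minor ordering point: migrate_domain_out(dom0_t, ...) is inserted between domain_comms and domain_self_comms; placing it directly after manage_domain(dom0_t, ...) would keep the lifecycle interfaces (create/manage/migrate) together and the comms interfaces together, matching the existing grouping.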
> > > @@ -142,6 +144,7 @@ gen_bool(prot_doms_locked, false)
> > > declare_domain(prot_domU_t)
> > > if (!prot_doms_locked) {
> > > create_domain(dom0_t, prot_domU_t)
> > > + migrate_domain_out(dom0_t, prot_domU_t)
> > > }
> > > domain_comms(dom0_t, prot_domU_t)
> > > domain_comms(domU_t, prot_domU_t)
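Review bot: placing migrate_domain_out(dom0_t, prot_domU_t) inside `if (!prot_doms_locked)` means that once the boolean is set, dom0 can no longer save or migrate out an already-running prot_domU_t domain, whereas the comment above the block describes the boolean as denying creation only. If that is intended, the comment and commit message should say so; if only creation is to be locked, move the call after the closing brace alongside domain_comms.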
> >
> >
Thread overview (6+ messages):
2014-12-05 17:03 [PATCH for-4.5] flask/policy: Example policy updates for migration Daniel De Graaf
2014-12-08 09:48 ` Ian Campbell
2014-12-08 15:52 ` Konrad Rzeszutek Wilk
2014-12-08 15:54 ` Ian Campbell [this message]
2014-12-08 16:07 ` Konrad Rzeszutek Wilk
2014-12-09 15:07 ` Ian Campbell