* [PATCH for-4.5] flask/policy: Example policy updates for migration
@ 2014-12-05 17:03 Daniel De Graaf
2014-12-08 9:48 ` Ian Campbell
0 siblings, 1 reply; 6+ messages in thread
From: Daniel De Graaf @ 2014-12-05 17:03 UTC
To: xen-devel; +Cc: Daniel De Graaf, wei.liu2, Ian.Campbell
The example XSM policy was missing permission for dom0_t to migrate
domains; add these permissions.
Reported-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
---
This has been tested with xl save/restore on a PV domain, which now
succeeds without producing AVC denials.
tools/flask/policy/policy/modules/xen/xen.if | 11 +++++++----
tools/flask/policy/policy/modules/xen/xen.te | 3 +++
2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/tools/flask/policy/policy/modules/xen/xen.if b/tools/flask/policy/policy/modules/xen/xen.if
index fa69c9d..bf5e135 100644
--- a/tools/flask/policy/policy/modules/xen/xen.if
+++ b/tools/flask/policy/policy/modules/xen/xen.if
@@ -48,11 +48,13 @@ define(`create_domain_common', `
allow $1 $2:domain { create max_vcpus setdomainmaxmem setaddrsize
getdomaininfo hypercall setvcpucontext setextvcpucontext
getscheduler getvcpuinfo getvcpuextstate getaddrsize
- getaffinity setaffinity };
- allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim set_max_evtchn set_vnumainfo get_vnumainfo psr_cmt_op configure_domain };
+ getaffinity setaffinity setvcpuextstate };
+ allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim
+ set_max_evtchn set_vnumainfo get_vnumainfo cacheflush
+ psr_cmt_op configure_domain };
allow $1 $2:security check_context;
allow $1 $2:shadow enable;
- allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage mmuext_op };
+ allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage mmuext_op updatemp };
allow $1 $2:grant setup;
allow $1 $2:hvm { cacheattr getparam hvmctl irqlevel pciroute sethvmc
setparam pcilevel trackdirtyvram nested };
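Review bot: the three additions to create_domain_common (setvcpuextstate on domain, cacheflush on domain2, updatemp on mmu) reach every caller of this macro, not only migration, and neither the commit message nor the macro says which step needs each one. The comment further down states that inbound migration is the same as domain creation, so a short comment here naming the restore path as the reason would keep a later policy audit from reading these as stray grants. The reflow of the domain2 rule also buries its one real change (cacheflush) among unchanged names; mention it explicitly in the commit message.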
@@ -80,7 +82,7 @@ define(`create_domain_build_label', `
define(`manage_domain', `
allow $1 $2:domain { getdomaininfo getvcpuinfo getaffinity
getaddrsize pause unpause trigger shutdown destroy
- setaffinity setdomainmaxmem getscheduler };
+ setaffinity setdomainmaxmem getscheduler resume };
allow $1 $2:domain2 set_vnumainfo;
')
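Review bot: `resume` is added to manage_domain, so every source type that is given manage_domain gains it, while the commit message only speaks of dom0_t migrating domains. Please state in the commit message which operation hit the denial (the test note mentions xl save/restore), and consider whether the permission belongs in migrate_domain_out instead if only the save path needs it.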
@@ -88,6 +90,7 @@ define(`manage_domain', `
# Allow creation of a snapshot or migration image from a domain
# (inbound migration is the same as domain creation)
define(`migrate_domain_out', `
+ allow $1 domxen_t:mmu map_read;
allow $1 $2:hvm { gethvmc getparam irqlevel };
allow $1 $2:mmu { stat pageinfo map_read };
allow $1 $2:domain { getaddrsize getvcpucontext getextvcpucontext getvcpuextstate pause destroy };
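Review bot: `allow $1 domxen_t:mmu map_read;` names a fixed type instead of the macro's $2 target, so it is granted to each caller regardless of which domain is being migrated, and it is the only rule in migrate_domain_out that does not use the target parameter. Add a comment line above it saying which domxen_t-labelled pages the save code has to map, so the rule is not mistaken for a typo of `$2:mmu`, which the rule two lines below already covers with `{ stat pageinfo map_read }`.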
diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
index d214470..c0128aa 100644
--- a/tools/flask/policy/policy/modules/xen/xen.te
+++ b/tools/flask/policy/policy/modules/xen/xen.te
@@ -129,12 +129,14 @@ create_domain(dom0_t, domU_t)
manage_domain(dom0_t, domU_t)
domain_comms(dom0_t, domU_t)
domain_comms(domU_t, domU_t)
+migrate_domain_out(dom0_t, domU_t)
domain_self_comms(domU_t)
declare_domain(isolated_domU_t)
create_domain(dom0_t, isolated_domU_t)
manage_domain(dom0_t, isolated_domU_t)
domain_comms(dom0_t, isolated_domU_t)
+migrate_domain_out(dom0_t, isolated_domU_t)
domain_self_comms(isolated_domU_t)
# Declare a boolean that denies creation of prot_domU_t domains
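Review bot: migrate_domain_out is now invoked for domU_t and isolated_domU_t, and the macro carries hvm permissions (`gethvmc getparam irqlevel`), but the test note covers only xl save/restore on a PV domain. An HVM save/restore run and a live migration should be checked for AVC denials as well; if that was not done, the commit message should say the HVM rules are untested.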
@@ -142,6 +144,7 @@ gen_bool(prot_doms_locked, false)
declare_domain(prot_domU_t)
if (!prot_doms_locked) {
create_domain(dom0_t, prot_domU_t)
+ migrate_domain_out(dom0_t, prot_domU_t)
}
domain_comms(dom0_t, prot_domU_t)
domain_comms(domU_t, prot_domU_t)
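Review bot: placing `migrate_domain_out(dom0_t, prot_domU_t)` inside `if (!prot_doms_locked)` means that setting the boolean now also blocks saving or migrating out existing prot_domU_t domains, while the comment above the boolean still says it "denies creation of prot_domU_t domains". Either update that comment to mention snapshots and outbound migration, or move the call outside the conditional if locking is meant to stop only new domains.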
--
1.9.3
* Re: [PATCH for-4.5] flask/policy: Example policy updates for migration
2014-12-05 17:03 [PATCH for-4.5] flask/policy: Example policy updates for migration Daniel De Graaf
@ 2014-12-08 9:48 ` Ian Campbell
2014-12-08 15:52 ` Konrad Rzeszutek Wilk
0 siblings, 1 reply; 6+ messages in thread
From: Ian Campbell @ 2014-12-08 9:48 UTC
To: Daniel De Graaf, Konrad Rzeszutek Wilk; +Cc: wei.liu2, xen-devel
On Fri, 2014-12-05 at 12:03 -0500, Daniel De Graaf wrote:
> The example XSM policy was missing permission for dom0_t to migrate
> domains; add these permissions.
>
> Reported-by: Wei Liu <wei.liu2@citrix.com>
> Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Konrad, we should take this for 4.5, in order to have a working example
XSM policy. There's 0 risk to non-XSM systems, or systems with custom
XSM policies and clear benefits to XSM systems using the example policy.
> ---
>
> This has been tested with xl save/restore on a PV domain, which now
> succeeds without producing AVC denials.
>
> tools/flask/policy/policy/modules/xen/xen.if | 11 +++++++----
> tools/flask/policy/policy/modules/xen/xen.te | 3 +++
> 2 files changed, 10 insertions(+), 4 deletions(-)
>
> diff --git a/tools/flask/policy/policy/modules/xen/xen.if b/tools/flask/policy/policy/modules/xen/xen.if
> index fa69c9d..bf5e135 100644
> --- a/tools/flask/policy/policy/modules/xen/xen.if
> +++ b/tools/flask/policy/policy/modules/xen/xen.if
> @@ -48,11 +48,13 @@ define(`create_domain_common', `
> allow $1 $2:domain { create max_vcpus setdomainmaxmem setaddrsize
> getdomaininfo hypercall setvcpucontext setextvcpucontext
> getscheduler getvcpuinfo getvcpuextstate getaddrsize
> - getaffinity setaffinity };
> - allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim set_max_evtchn set_vnumainfo get_vnumainfo psr_cmt_op configure_domain };
> + getaffinity setaffinity setvcpuextstate };
> + allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim
> + set_max_evtchn set_vnumainfo get_vnumainfo cacheflush
> + psr_cmt_op configure_domain };
> allow $1 $2:security check_context;
> allow $1 $2:shadow enable;
> - allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage mmuext_op };
> + allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage mmuext_op updatemp };
> allow $1 $2:grant setup;
> allow $1 $2:hvm { cacheattr getparam hvmctl irqlevel pciroute sethvmc
> setparam pcilevel trackdirtyvram nested };
> @@ -80,7 +82,7 @@ define(`create_domain_build_label', `
> define(`manage_domain', `
> allow $1 $2:domain { getdomaininfo getvcpuinfo getaffinity
> getaddrsize pause unpause trigger shutdown destroy
> - setaffinity setdomainmaxmem getscheduler };
> + setaffinity setdomainmaxmem getscheduler resume };
> allow $1 $2:domain2 set_vnumainfo;
> ')
>
> @@ -88,6 +90,7 @@ define(`manage_domain', `
> # Allow creation of a snapshot or migration image from a domain
> # (inbound migration is the same as domain creation)
> define(`migrate_domain_out', `
> + allow $1 domxen_t:mmu map_read;
> allow $1 $2:hvm { gethvmc getparam irqlevel };
> allow $1 $2:mmu { stat pageinfo map_read };
> allow $1 $2:domain { getaddrsize getvcpucontext getextvcpucontext getvcpuextstate pause destroy };
> diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
> index d214470..c0128aa 100644
> --- a/tools/flask/policy/policy/modules/xen/xen.te
> +++ b/tools/flask/policy/policy/modules/xen/xen.te
> @@ -129,12 +129,14 @@ create_domain(dom0_t, domU_t)
> manage_domain(dom0_t, domU_t)
> domain_comms(dom0_t, domU_t)
> domain_comms(domU_t, domU_t)
> +migrate_domain_out(dom0_t, domU_t)
> domain_self_comms(domU_t)
>
> declare_domain(isolated_domU_t)
> create_domain(dom0_t, isolated_domU_t)
> manage_domain(dom0_t, isolated_domU_t)
> domain_comms(dom0_t, isolated_domU_t)
> +migrate_domain_out(dom0_t, isolated_domU_t)
> domain_self_comms(isolated_domU_t)
>
> # Declare a boolean that denies creation of prot_domU_t domains
> @@ -142,6 +144,7 @@ gen_bool(prot_doms_locked, false)
> declare_domain(prot_domU_t)
> if (!prot_doms_locked) {
> create_domain(dom0_t, prot_domU_t)
> + migrate_domain_out(dom0_t, prot_domU_t)
> }
> domain_comms(dom0_t, prot_domU_t)
> domain_comms(domU_t, prot_domU_t)
* Re: [PATCH for-4.5] flask/policy: Example policy updates for migration
2014-12-08 9:48 ` Ian Campbell
@ 2014-12-08 15:52 ` Konrad Rzeszutek Wilk
2014-12-08 15:54 ` Ian Campbell
0 siblings, 1 reply; 6+ messages in thread
From: Konrad Rzeszutek Wilk @ 2014-12-08 15:52 UTC
To: Ian Campbell; +Cc: Daniel De Graaf, wei.liu2, xen-devel
On Mon, Dec 08, 2014 at 09:48:07AM +0000, Ian Campbell wrote:
> On Fri, 2014-12-05 at 12:03 -0500, Daniel De Graaf wrote:
> > The example XSM policy was missing permission for dom0_t to migrate
> > domains; add these permissions.
> >
> > Reported-by: Wei Liu <wei.liu2@citrix.com>
> > Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
>
> Acked-by: Ian Campbell <ian.campbell@citrix.com>
>
> Konrad, we should take this for 4.5, in order to have a working example
> XSM policy. There's 0 risk to non-XSM systems, or systems with custom
Thought this looks like it never worked in the past then? As in, this
is not a regression but a bug that had existed for quite a while?
> XSM policies and clear benefits to XSM systems using the example policy.
>
> > ---
> >
> > This has been tested with xl save/restore on a PV domain, which now
> > succeeds without producing AVC denials.
> >
> > tools/flask/policy/policy/modules/xen/xen.if | 11 +++++++----
> > tools/flask/policy/policy/modules/xen/xen.te | 3 +++
> > 2 files changed, 10 insertions(+), 4 deletions(-)
> >
> > diff --git a/tools/flask/policy/policy/modules/xen/xen.if b/tools/flask/policy/policy/modules/xen/xen.if
> > index fa69c9d..bf5e135 100644
> > --- a/tools/flask/policy/policy/modules/xen/xen.if
> > +++ b/tools/flask/policy/policy/modules/xen/xen.if
> > @@ -48,11 +48,13 @@ define(`create_domain_common', `
> > allow $1 $2:domain { create max_vcpus setdomainmaxmem setaddrsize
> > getdomaininfo hypercall setvcpucontext setextvcpucontext
> > getscheduler getvcpuinfo getvcpuextstate getaddrsize
> > - getaffinity setaffinity };
> > - allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim set_max_evtchn set_vnumainfo get_vnumainfo psr_cmt_op configure_domain };
> > + getaffinity setaffinity setvcpuextstate };
> > + allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim
> > + set_max_evtchn set_vnumainfo get_vnumainfo cacheflush
> > + psr_cmt_op configure_domain };
> > allow $1 $2:security check_context;
> > allow $1 $2:shadow enable;
> > - allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage mmuext_op };
> > + allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage mmuext_op updatemp };
> > allow $1 $2:grant setup;
> > allow $1 $2:hvm { cacheattr getparam hvmctl irqlevel pciroute sethvmc
> > setparam pcilevel trackdirtyvram nested };
> > @@ -80,7 +82,7 @@ define(`create_domain_build_label', `
> > define(`manage_domain', `
> > allow $1 $2:domain { getdomaininfo getvcpuinfo getaffinity
> > getaddrsize pause unpause trigger shutdown destroy
> > - setaffinity setdomainmaxmem getscheduler };
> > + setaffinity setdomainmaxmem getscheduler resume };
> > allow $1 $2:domain2 set_vnumainfo;
> > ')
> >
> > @@ -88,6 +90,7 @@ define(`manage_domain', `
> > # Allow creation of a snapshot or migration image from a domain
> > # (inbound migration is the same as domain creation)
> > define(`migrate_domain_out', `
> > + allow $1 domxen_t:mmu map_read;
> > allow $1 $2:hvm { gethvmc getparam irqlevel };
> > allow $1 $2:mmu { stat pageinfo map_read };
> > allow $1 $2:domain { getaddrsize getvcpucontext getextvcpucontext getvcpuextstate pause destroy };
> > diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
> > index d214470..c0128aa 100644
> > --- a/tools/flask/policy/policy/modules/xen/xen.te
> > +++ b/tools/flask/policy/policy/modules/xen/xen.te
> > @@ -129,12 +129,14 @@ create_domain(dom0_t, domU_t)
> > manage_domain(dom0_t, domU_t)
> > domain_comms(dom0_t, domU_t)
> > domain_comms(domU_t, domU_t)
> > +migrate_domain_out(dom0_t, domU_t)
> > domain_self_comms(domU_t)
> >
> > declare_domain(isolated_domU_t)
> > create_domain(dom0_t, isolated_domU_t)
> > manage_domain(dom0_t, isolated_domU_t)
> > domain_comms(dom0_t, isolated_domU_t)
> > +migrate_domain_out(dom0_t, isolated_domU_t)
> > domain_self_comms(isolated_domU_t)
> >
> > # Declare a boolean that denies creation of prot_domU_t domains
> > @@ -142,6 +144,7 @@ gen_bool(prot_doms_locked, false)
> > declare_domain(prot_domU_t)
> > if (!prot_doms_locked) {
> > create_domain(dom0_t, prot_domU_t)
> > + migrate_domain_out(dom0_t, prot_domU_t)
> > }
> > domain_comms(dom0_t, prot_domU_t)
> > domain_comms(domU_t, prot_domU_t)
>
>
* Re: [PATCH for-4.5] flask/policy: Example policy updates for migration
2014-12-08 15:52 ` Konrad Rzeszutek Wilk
@ 2014-12-08 15:54 ` Ian Campbell
2014-12-08 16:07 ` Konrad Rzeszutek Wilk
0 siblings, 1 reply; 6+ messages in thread
From: Ian Campbell @ 2014-12-08 15:54 UTC
To: Konrad Rzeszutek Wilk; +Cc: Daniel De Graaf, wei.liu2, xen-devel
On Mon, 2014-12-08 at 10:52 -0500, Konrad Rzeszutek Wilk wrote:
> On Mon, Dec 08, 2014 at 09:48:07AM +0000, Ian Campbell wrote:
> > On Fri, 2014-12-05 at 12:03 -0500, Daniel De Graaf wrote:
> > > The example XSM policy was missing permission for dom0_t to migrate
> > > domains; add these permissions.
> > >
> > > Reported-by: Wei Liu <wei.liu2@citrix.com>
> > > Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
> >
> > Acked-by: Ian Campbell <ian.campbell@citrix.com>
> >
> > Konrad, we should take this for 4.5, in order to have a working example
> > XSM policy. There's 0 risk to non-XSM systems, or systems with custom
>
> Thought this looks like it never worked in the past then? As in, this
> is not a regression but a bug that had existed for quite a while?
AIUI it has worked in the past, i.e. I remember applying other series
from Daniel to fix it for previous releases. This patch is the policy
catching up with the developments during 4.5.
>
> > XSM policies and clear benefits to XSM systems using the example policy.
> >
> > > ---
> > >
> > > This has been tested with xl save/restore on a PV domain, which now
> > > succeeds without producing AVC denials.
> > >
> > > tools/flask/policy/policy/modules/xen/xen.if | 11 +++++++----
> > > tools/flask/policy/policy/modules/xen/xen.te | 3 +++
> > > 2 files changed, 10 insertions(+), 4 deletions(-)
> > >
> > > diff --git a/tools/flask/policy/policy/modules/xen/xen.if b/tools/flask/policy/policy/modules/xen/xen.if
> > > index fa69c9d..bf5e135 100644
> > > --- a/tools/flask/policy/policy/modules/xen/xen.if
> > > +++ b/tools/flask/policy/policy/modules/xen/xen.if
> > > @@ -48,11 +48,13 @@ define(`create_domain_common', `
> > > allow $1 $2:domain { create max_vcpus setdomainmaxmem setaddrsize
> > > getdomaininfo hypercall setvcpucontext setextvcpucontext
> > > getscheduler getvcpuinfo getvcpuextstate getaddrsize
> > > - getaffinity setaffinity };
> > > - allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim set_max_evtchn set_vnumainfo get_vnumainfo psr_cmt_op configure_domain };
> > > + getaffinity setaffinity setvcpuextstate };
> > > + allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim
> > > + set_max_evtchn set_vnumainfo get_vnumainfo cacheflush
> > > + psr_cmt_op configure_domain };
> > > allow $1 $2:security check_context;
> > > allow $1 $2:shadow enable;
> > > - allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage mmuext_op };
> > > + allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage mmuext_op updatemp };
> > > allow $1 $2:grant setup;
> > > allow $1 $2:hvm { cacheattr getparam hvmctl irqlevel pciroute sethvmc
> > > setparam pcilevel trackdirtyvram nested };
> > > @@ -80,7 +82,7 @@ define(`create_domain_build_label', `
> > > define(`manage_domain', `
> > > allow $1 $2:domain { getdomaininfo getvcpuinfo getaffinity
> > > getaddrsize pause unpause trigger shutdown destroy
> > > - setaffinity setdomainmaxmem getscheduler };
> > > + setaffinity setdomainmaxmem getscheduler resume };
> > > allow $1 $2:domain2 set_vnumainfo;
> > > ')
> > >
> > > @@ -88,6 +90,7 @@ define(`manage_domain', `
> > > # Allow creation of a snapshot or migration image from a domain
> > > # (inbound migration is the same as domain creation)
> > > define(`migrate_domain_out', `
> > > + allow $1 domxen_t:mmu map_read;
> > > allow $1 $2:hvm { gethvmc getparam irqlevel };
> > > allow $1 $2:mmu { stat pageinfo map_read };
> > > allow $1 $2:domain { getaddrsize getvcpucontext getextvcpucontext getvcpuextstate pause destroy };
> > > diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
> > > index d214470..c0128aa 100644
> > > --- a/tools/flask/policy/policy/modules/xen/xen.te
> > > +++ b/tools/flask/policy/policy/modules/xen/xen.te
> > > @@ -129,12 +129,14 @@ create_domain(dom0_t, domU_t)
> > > manage_domain(dom0_t, domU_t)
> > > domain_comms(dom0_t, domU_t)
> > > domain_comms(domU_t, domU_t)
> > > +migrate_domain_out(dom0_t, domU_t)
> > > domain_self_comms(domU_t)
> > >
> > > declare_domain(isolated_domU_t)
> > > create_domain(dom0_t, isolated_domU_t)
> > > manage_domain(dom0_t, isolated_domU_t)
> > > domain_comms(dom0_t, isolated_domU_t)
> > > +migrate_domain_out(dom0_t, isolated_domU_t)
> > > domain_self_comms(isolated_domU_t)
> > >
> > > # Declare a boolean that denies creation of prot_domU_t domains
> > > @@ -142,6 +144,7 @@ gen_bool(prot_doms_locked, false)
> > > declare_domain(prot_domU_t)
> > > if (!prot_doms_locked) {
> > > create_domain(dom0_t, prot_domU_t)
> > > + migrate_domain_out(dom0_t, prot_domU_t)
> > > }
> > > domain_comms(dom0_t, prot_domU_t)
> > > domain_comms(domU_t, prot_domU_t)
> >
> >
* Re: [PATCH for-4.5] flask/policy: Example policy updates for migration
2014-12-08 15:54 ` Ian Campbell
@ 2014-12-08 16:07 ` Konrad Rzeszutek Wilk
2014-12-09 15:07 ` Ian Campbell
0 siblings, 1 reply; 6+ messages in thread
From: Konrad Rzeszutek Wilk @ 2014-12-08 16:07 UTC
To: Ian Campbell; +Cc: Daniel De Graaf, wei.liu2, xen-devel
On Mon, Dec 08, 2014 at 03:54:06PM +0000, Ian Campbell wrote:
> On Mon, 2014-12-08 at 10:52 -0500, Konrad Rzeszutek Wilk wrote:
> > On Mon, Dec 08, 2014 at 09:48:07AM +0000, Ian Campbell wrote:
> > > On Fri, 2014-12-05 at 12:03 -0500, Daniel De Graaf wrote:
> > > > The example XSM policy was missing permission for dom0_t to migrate
> > > > domains; add these permissions.
> > > >
> > > > Reported-by: Wei Liu <wei.liu2@citrix.com>
> > > > Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
> > >
> > > Acked-by: Ian Campbell <ian.campbell@citrix.com>
> > >
> > > Konrad, we should take this for 4.5, in order to have a working example
> > > XSM policy. There's 0 risk to non-XSM systems, or systems with custom
> >
> > Thought this looks like it never worked in the past then? As in, this
> > is not a regression but a bug that had existed for quite a while?
>
> AIUI it has worked in the past, i.e. I remember applying other series
> from Daniel to fix it for previous releases. This patch is the policy
> catching up with the developments during 4.5.
OK then definitely Release-Acked-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Thanks!
>
> >
> > > XSM policies and clear benefits to XSM systems using the example policy.
> > >
> > > > ---
> > > >
> > > > This has been tested with xl save/restore on a PV domain, which now
> > > > succeeds without producing AVC denials.
> > > >
> > > > tools/flask/policy/policy/modules/xen/xen.if | 11 +++++++----
> > > > tools/flask/policy/policy/modules/xen/xen.te | 3 +++
> > > > 2 files changed, 10 insertions(+), 4 deletions(-)
> > > >
> > > > diff --git a/tools/flask/policy/policy/modules/xen/xen.if b/tools/flask/policy/policy/modules/xen/xen.if
> > > > index fa69c9d..bf5e135 100644
> > > > --- a/tools/flask/policy/policy/modules/xen/xen.if
> > > > +++ b/tools/flask/policy/policy/modules/xen/xen.if
> > > > @@ -48,11 +48,13 @@ define(`create_domain_common', `
> > > > allow $1 $2:domain { create max_vcpus setdomainmaxmem setaddrsize
> > > > getdomaininfo hypercall setvcpucontext setextvcpucontext
> > > > getscheduler getvcpuinfo getvcpuextstate getaddrsize
> > > > - getaffinity setaffinity };
> > > > - allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim set_max_evtchn set_vnumainfo get_vnumainfo psr_cmt_op configure_domain };
> > > > + getaffinity setaffinity setvcpuextstate };
> > > > + allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim
> > > > + set_max_evtchn set_vnumainfo get_vnumainfo cacheflush
> > > > + psr_cmt_op configure_domain };
> > > > allow $1 $2:security check_context;
> > > > allow $1 $2:shadow enable;
> > > > - allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage mmuext_op };
> > > > + allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage mmuext_op updatemp };
> > > > allow $1 $2:grant setup;
> > > > allow $1 $2:hvm { cacheattr getparam hvmctl irqlevel pciroute sethvmc
> > > > setparam pcilevel trackdirtyvram nested };
> > > > @@ -80,7 +82,7 @@ define(`create_domain_build_label', `
> > > > define(`manage_domain', `
> > > > allow $1 $2:domain { getdomaininfo getvcpuinfo getaffinity
> > > > getaddrsize pause unpause trigger shutdown destroy
> > > > - setaffinity setdomainmaxmem getscheduler };
> > > > + setaffinity setdomainmaxmem getscheduler resume };
> > > > allow $1 $2:domain2 set_vnumainfo;
> > > > ')
> > > >
> > > > @@ -88,6 +90,7 @@ define(`manage_domain', `
> > > > # Allow creation of a snapshot or migration image from a domain
> > > > # (inbound migration is the same as domain creation)
> > > > define(`migrate_domain_out', `
> > > > + allow $1 domxen_t:mmu map_read;
> > > > allow $1 $2:hvm { gethvmc getparam irqlevel };
> > > > allow $1 $2:mmu { stat pageinfo map_read };
> > > > allow $1 $2:domain { getaddrsize getvcpucontext getextvcpucontext getvcpuextstate pause destroy };
> > > > diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
> > > > index d214470..c0128aa 100644
> > > > --- a/tools/flask/policy/policy/modules/xen/xen.te
> > > > +++ b/tools/flask/policy/policy/modules/xen/xen.te
> > > > @@ -129,12 +129,14 @@ create_domain(dom0_t, domU_t)
> > > > manage_domain(dom0_t, domU_t)
> > > > domain_comms(dom0_t, domU_t)
> > > > domain_comms(domU_t, domU_t)
> > > > +migrate_domain_out(dom0_t, domU_t)
> > > > domain_self_comms(domU_t)
> > > >
> > > > declare_domain(isolated_domU_t)
> > > > create_domain(dom0_t, isolated_domU_t)
> > > > manage_domain(dom0_t, isolated_domU_t)
> > > > domain_comms(dom0_t, isolated_domU_t)
> > > > +migrate_domain_out(dom0_t, isolated_domU_t)
> > > > domain_self_comms(isolated_domU_t)
> > > >
> > > > # Declare a boolean that denies creation of prot_domU_t domains
> > > > @@ -142,6 +144,7 @@ gen_bool(prot_doms_locked, false)
> > > > declare_domain(prot_domU_t)
> > > > if (!prot_doms_locked) {
> > > > create_domain(dom0_t, prot_domU_t)
> > > > + migrate_domain_out(dom0_t, prot_domU_t)
> > > > }
> > > > domain_comms(dom0_t, prot_domU_t)
> > > > domain_comms(domU_t, prot_domU_t)
> > >
> > >
>
>
* Re: [PATCH for-4.5] flask/policy: Example policy updates for migration
2014-12-08 16:07 ` Konrad Rzeszutek Wilk
@ 2014-12-09 15:07 ` Ian Campbell
0 siblings, 0 replies; 6+ messages in thread
From: Ian Campbell @ 2014-12-09 15:07 UTC
To: Konrad Rzeszutek Wilk; +Cc: Daniel De Graaf, wei.liu2, xen-devel
On Mon, 2014-12-08 at 11:07 -0500, Konrad Rzeszutek Wilk wrote:
> On Mon, Dec 08, 2014 at 03:54:06PM +0000, Ian Campbell wrote:
> > On Mon, 2014-12-08 at 10:52 -0500, Konrad Rzeszutek Wilk wrote:
> > > On Mon, Dec 08, 2014 at 09:48:07AM +0000, Ian Campbell wrote:
> > > > On Fri, 2014-12-05 at 12:03 -0500, Daniel De Graaf wrote:
> > > > > The example XSM policy was missing permission for dom0_t to migrate
> > > > > domains; add these permissions.
> > > > >
> > > > > Reported-by: Wei Liu <wei.liu2@citrix.com>
> > > > > Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
> > > >
> > > > Acked-by: Ian Campbell <ian.campbell@citrix.com>
> > > >
> > > > Konrad, we should take this for 4.5, in order to have a working example
> > > > XSM policy. There's 0 risk to non-XSM systems, or systems with custom
> > >
> > > Thought this looks like it never worked in the past then? As in, this
> > > is not a regression but a bug that had existed for quite a while?
> >
> > AIUI it has worked in the past, i.e. I remember applying other series
> > from Daniel to fix it for previous releases. This patch is the policy
> > catching up with the developments during 4.5.
>
> OK then definitely Release-Acked-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
>
Applied.