From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
To: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Cc: xen-devel@lists.xenproject.org, cardoe@cardoe.com, steve@zentific.com
Subject: Re: [PATCH 1/5] flask/policy: split into modules
Date: Tue, 7 Jun 2016 15:57:56 -0400 [thread overview]
Message-ID: <20160607195756.GA23168@char.us.oracle.com> (raw)
In-Reply-To: <cfbc1e39-1856-95c3-ff0f-1c0d999f2abb@tycho.nsa.gov>
On Tue, Jun 07, 2016 at 03:39:59PM -0400, Daniel De Graaf wrote:
> On 06/07/2016 03:22 PM, Konrad Rzeszutek Wilk wrote:
> >On Mon, May 23, 2016 at 11:05:29AM -0400, Daniel De Graaf wrote:
> >>This makes it easier to enable or disable parts of the XSM policy.
> >>
> >
> >Hey Daniel,
> >
> >I am no expert on this so please take it with a grain of salt.
>
> That can actually be helpful to spot documentation problems :)
>
> >.. snip..
> >>diff --git a/tools/flask/policy/modules/default_role.te b/tools/flask/policy/modules/default_role.te
> >>new file mode 100644
> >>index 0000000..74f870f
> >>--- /dev/null
> >>+++ b/tools/flask/policy/modules/default_role.te
> >>@@ -0,0 +1,8 @@
> >>+# Allow all domains to use system_r so that systems that are not using the
> >>+# user/role separation feature will work properly.
> >>+role system_r types domain_type;
> >
> >In the 'original' code it also had : xen_type :
> >
> >266 role system_r types { xen_type domain_type };
> >
> >Is this change done on purpose? Reading the xen.te it describes the 'system_r' as:
> > "The system role is used for utility domains and pseudo-domains "
> >
> >which is .. confusing. What is an utility domain? Pseudo-domain?
>
> Utility domains would be a domain that is not actually a part of a guest,
> such as xenstore, vtpm-manager, and disaggregated components of dom0.
Ah, stubdomains!
Could there be an s/utility domain/utility domain (stubdomains)/ ?
>
> Pseudo-domain is the term used here to refer to DOMID_XEN and DOMID_IO.
> Is there a better name for this?
Yes pls. That way it is easier to do a grep and find what it can refere to.
>
> >[Looking in the new xen.te I see that it has the same syntax]
> >>+
> >>+# The vm role is used as part of user separation. Allow all domain types to use
> >>+# this role except dom0.
> >>+role vm_r;
> >>+role vm_r types { domain_type -dom0_t };
> >>diff --git a/tools/flask/policy/modules/dom0.te b/tools/flask/policy/modules/dom0.te
> >>new file mode 100644
> >>index 0000000..dd4d7dd
> >>--- /dev/null
> >>+++ b/tools/flask/policy/modules/dom0.te
> >>@@ -0,0 +1,74 @@
> >>+################################################################################
> >>+#
> >>+# Allow dom0 access to all sysctls, devices, and the security server.
> >>+#
> >>+# While this could be written more briefly using wildcards, the permissions are
> >>+# listed out to make removing specific permissions simpler.
> >>+#
> >>+################################################################################
> >>+allow dom0_t xen_t:xen {
> >>+ settime tbufcontrol readconsole clearconsole perfcontrol mtrr_add
> >>+ mtrr_del mtrr_read microcode physinfo quirk writeconsole readapic
> >>+ writeapic privprofile nonprivprofile kexec firmware sleep frequency
> >>+ getidle debug getcpuinfo heap pm_op mca_op lockprof cpupool_op tmem_op
> >>+ tmem_control getscheduler setscheduler
> >>+};
> >>+allow dom0_t xen_t:xen2 {
> >>+ resource_op psr_cmt_op psr_cat_op pmu_ctrl get_symbol
> >>+ get_cpu_levelling_caps get_cpu_featureset xsplice_op
> >
> >Hehe. livepatch_op now :-)
> >
>
> I have a corrected series that also has some other pending hypervisor
> patches, which I can post whenever the 4.8 merging window is fully
> open.
/me nods.
>
> >.. giant snip...
> >
> >>diff --git a/tools/flask/policy/modules/xen.te b/tools/flask/policy/modules/xen.te
> >>new file mode 100644
> >>index 0000000..f374dc5
> >>--- /dev/null
> >>+++ b/tools/flask/policy/modules/xen.te
> >.. snip..
> >
> >>+################################################################################
> >>+#
> >>+# Roles
> >>+#
> >>+################################################################################
> >>+
> >>+# The object role (object_r) is used for devices, resources, and event channels;
> >>+# it does not need to be defined here and should not be used for domains.
> >>+
> >>+# The system role is used for utility domains and pseudo-domains. If roles are
> >>+# not being used for separation, all domains can use the system role.
> >>+role system_r;
> >>+role system_r types { xen_type dom0_t };
> >
> >Right here it is back again.
> >
> >Is the 'default_role' neccessary then?
>
> Specifying some role is necessary to create a valid security label
> (which is a user:role:type tuple).
>
> The line in xen.te only allows the pseudo-domains and dom0 to use
> system_r; this is a useful minimum, if you are going to place any
> actual guests in another role. If you include default_role.te,
> then this expands to allowing all domains to use system_r.
Would it be better to rename 'default_role' to 'all_domains_access'
or such?
>
> I could split the default_role extraction into a separate patch if
> you think this explanation belongs in a commit message.
It may be good for other newbies (like me) to get a gently introduction
via reading patches/code?
>
> >I've looked at the original xen.te and them splitting out to individual and there were no
> >missing copy-n-paste (except the above 'default_role.te' which I am not
> >clear about).
> >
> >Thanks!
> >
>
>
> --
> Daniel De Graaf
> National Security Agency
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
next prev parent reply other threads:[~2016-06-07 19:58 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-05-23 15:05 [PATCH 0/5] flask/policy: Updates for Xen 4.8 Daniel De Graaf
2016-05-23 15:05 ` [PATCH 1/5] flask/policy: split into modules Daniel De Graaf
2016-06-07 19:22 ` Konrad Rzeszutek Wilk
2016-06-07 19:39 ` Daniel De Graaf
2016-06-07 19:57 ` Konrad Rzeszutek Wilk [this message]
2016-05-23 15:05 ` [PATCH 2/5] flask/policy: move user definitions and constraints " Daniel De Graaf
2016-06-07 19:37 ` Konrad Rzeszutek Wilk
2016-05-23 15:05 ` [PATCH 3/5] flask/policy: Remove unused support for binary modules Daniel De Graaf
2016-06-07 19:41 ` Konrad Rzeszutek Wilk
2016-05-23 15:05 ` [PATCH 4/5] flask/policy: xenstore stubdom policy Daniel De Graaf
2016-06-07 19:44 ` Konrad Rzeszutek Wilk
2016-06-07 19:48 ` Daniel De Graaf
2016-06-07 20:02 ` Konrad Rzeszutek Wilk
2016-07-06 15:34 ` default XSM policy for PCI passthrough for unlabeled resources anshul makkar
2016-07-06 15:59 ` Daniel De Graaf
2016-07-06 16:19 ` anshul makkar
2016-07-07 15:36 ` Daniel De Graaf
2016-07-07 16:29 ` anshul makkar
2016-05-23 15:05 ` [PATCH 5/5] flask/policy: comment out unused xenstore example Daniel De Graaf
2016-06-07 19:45 ` Konrad Rzeszutek Wilk
2016-06-07 19:51 ` Daniel De Graaf
2016-06-07 20:02 ` Konrad Rzeszutek Wilk
2016-06-07 20:04 ` Daniel De Graaf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160607195756.GA23168@char.us.oracle.com \
--to=konrad.wilk@oracle.com \
--cc=cardoe@cardoe.com \
--cc=dgdegra@tycho.nsa.gov \
--cc=steve@zentific.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.