* [refpolicy] [PATCH] Refine xen policy
@ 2011-02-10 16:17 Stephen Smalley
  2011-02-15 18:58 ` Christopher J. PeBenito
  0 siblings, 1 reply; 2+ messages in thread
From: Stephen Smalley @ 2011-02-10 16:17 UTC (permalink / raw)
  To: refpolicy

Various changes to the Xen userspace policy, including:
- Add gntdev and gntalloc device node labeling.
- Create separate domains for blktap and qemu-dm rather than leaving them in xend_t.
- No need to allow xen userspace to create its own device nodes anymore;
this is handled automatically by the kernel/udev.
- No need to allow xen userspace access to generic raw storage; even if
using dedicated partitions/LVs for disk images, you can just label them
with xen_image_t.

The blktap and qemu-dm domains are stubs and will likely need to be
further expanded, but they should definitely not be left in xend_t.  Not
sure if I should try to use qemu_domain_template() instead for qemu-dm,
but I don't see any current users of that template (qemu_t uses
virt_domain_template instead), and qemu-dm has specific interactions
with Xen.

Signed-off-by:  Stephen Smalley <sds@tycho.nsa.gov>

---

 policy/modules/kernel/devices.fc |    2 
 policy/modules/system/xen.fc     |    5 +
 policy/modules/system/xen.te     |  114 +++++++++++++++++++++++++++++++++------
 3 files changed, 104 insertions(+), 17 deletions(-)

diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index 3b2da10..8ac94e4 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -173,6 +173,8 @@ ifdef(`distro_suse', `
 
 /dev/xen/blktap.*	-c	gen_context(system_u:object_r:xen_device_t,s0)
 /dev/xen/evtchn		-c	gen_context(system_u:object_r:xen_device_t,s0)
+/dev/xen/gntdev		-c	gen_context(system_u:object_r:xen_device_t,s0)
+/dev/xen/gntalloc	-c	gen_context(system_u:object_r:xen_device_t,s0)
 
 /etc/udev/devices	-d	gen_context(system_u:object_r:device_t,s0)
 
diff --git a/policy/modules/system/xen.fc b/policy/modules/system/xen.fc
index 8c827f8..1872b74 100644
--- a/policy/modules/system/xen.fc
+++ b/policy/modules/system/xen.fc
@@ -4,6 +4,11 @@
 
 /usr/sbin/evtchnd	--	gen_context(system_u:object_r:evtchnd_exec_t,s0)
 
+/usr/sbin/blktapctrl	--	gen_context(system_u:object_r:blktap_exec_t,s0)
+/usr/sbin/tapdisk	--	gen_context(system_u:object_r:blktap_exec_t,s0)
+
+/usr/lib(64)?/xen/bin/qemu-dm	-- gen_context(system_u:object_r:qemu_dm_exec_t,s0)
+
 ifdef(`distro_debian',`
 /usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
 /usr/lib/xen-[^/]*/bin/xend --	gen_context(system_u:object_r:xend_exec_t,s0)
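Review bot: The new `qemu-dm`, `blktapctrl` and `tapdisk` entries match only the unversioned paths, while the `distro_debian` block directly below labels Xen binaries under `/usr/lib/xen-[^/]*/bin/`. If Debian ships qemu-dm in that versioned directory, the file would keep a generic label and the `domtrans_pattern(xend_t, qemu_dm_exec_t, qemu_dm_t)` added in xen.te would never apply. The helper would then either be denied or stay in xend_t, depending on what xend_t is allowed to execute. Once the Debian path is confirmed, a matching line inside the ifdef would close the gap, e.g. `/usr/lib/xen-[^/]*/bin/qemu-dm -- gen_context(system_u:object_r:qemu_dm_exec_t,s0)`. The ifdef block continues past the end of this hunk.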
diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
index f661f5a..e25619f 100644
--- a/policy/modules/system/xen.te
+++ b/policy/modules/system/xen.te
@@ -72,6 +72,7 @@ files_tmp_file(xenstored_tmp_t)
 # var/lib files
 type xenstored_var_lib_t;
 files_type(xenstored_var_lib_t)
+files_mountpoint(xenstored_var_lib_t)
 
 # log files
 type xenstored_var_log_t;
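Review bot: `files_mountpoint(xenstored_var_lib_t)` is added without a comment saying what is mounted there. The only explanation is the later comment `# mount tmpfs on /var/lib/xenstored` in the xend hunk, and the rule under it grants xend_t just `dir read`. The mount itself presumably happens in the mount domain reached through `mount_domtrans(xend_t)`, so that comment describes more than its rule does. I would put `# /var/lib/xenstored may have a tmpfs mounted on it` above this line and reword the later comment to `# read the /var/lib/xenstored directory that tmpfs is mounted on`.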
@@ -94,6 +95,38 @@ type xm_exec_t;
 domain_type(xm_t)
 init_system_domain(xm_t, xm_exec_t)
 
+## <desc>
+## <p>
+## Allow xend to run qemu-dm.
+## Not required if using paravirt and no vfb.
+## </p>
+## </desc>
+gen_tunable(xend_run_qemu, true)
+
+type qemu_dm_t;
+domain_type(qemu_dm_t)
+type qemu_dm_exec_t;
+files_type(qemu_dm_exec_t)
+domain_entry_file(qemu_dm_t, qemu_dm_exec_t)
+role system_r types qemu_dm_t;
+
+## <desc>
+## <p>
+## Allow xend to run blktapctrl/tapdisk.
+## Not required if using dedicated logical volumes for disk images.
+## </p>
+## </desc>
+gen_tunable(xend_run_blktap, true)
+
+type blktap_t;
+domain_type(blktap_t)
+role system_r types blktap_t;
+type blktap_exec_t;
+files_type(blktap_exec_t)
+domain_entry_file(blktap_t, blktap_exec_t)
+type blktap_var_run_t;
+files_pid_file(blktap_var_run_t)
+
 #######################################
 #
 # evtchnd local policy
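Review bot: `blktap_var_run_t` is declared with `files_pid_file()` but nothing else in this patch refers to it. The blktap block at the end of xen.te has no transition or manage rule for the type, and xen.fc adds no file context for it. As written, anything blktapctrl or tapdisk creates under the pid directory would presumably take the directory's default type, so the new type confines nothing. Either drop the declaration until it is needed, or add `manage_files_pattern(blktap_t, blktap_var_run_t, blktap_var_run_t)` and `files_pid_filetrans(blktap_t, blktap_var_run_t, file)` to the blktap block.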
@@ -113,7 +146,7 @@ files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir })
 # xend local policy
 #
 
-allow xend_t self:capability { mknod dac_override ipc_lock net_admin setuid sys_nice sys_ptrace sys_tty_config net_raw };
+allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config net_raw };
 dontaudit xend_t self:capability { sys_ptrace };
 allow xend_t self:process { signal sigkill };
 dontaudit xend_t self:process ptrace;
@@ -161,6 +194,12 @@ files_var_lib_filetrans(xend_t, xend_var_lib_t, { file dir })
 # transition to store
 domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t)
 
+# manage xenstored pid file
+manage_files_pattern(xend_t, xenstored_var_run_t, xenstored_var_run_t)
+
+# mount tmpfs on /var/lib/xenstored
+allow xend_t xenstored_var_lib_t:dir read;
+
 # transition to console
 domtrans_pattern(xend_t, xenconsoled_exec_t, xenconsoled_t)
 
@@ -193,12 +232,10 @@ corenet_sendrecv_soundd_server_packets(xend_t)
 corenet_rw_tun_tap_dev(xend_t)
 
 dev_read_urand(xend_t)
-dev_manage_xen(xend_t)
 dev_filetrans_xen(xend_t)
 dev_rw_sysfs(xend_t)
 dev_rw_xen(xend_t)
 
-domain_read_all_domains_state(xend_t)
 domain_dontaudit_read_all_domains_state(xend_t)
 domain_dontaudit_ptrace_all_domains(xend_t)
 
@@ -210,10 +247,6 @@ files_etc_filetrans_etc_runtime(xend_t, file)
 files_read_usr_files(xend_t)
 files_read_default_symlinks(xend_t)
 
-storage_raw_read_fixed_disk(xend_t)
-storage_raw_write_fixed_disk(xend_t)
-storage_raw_read_removable_device(xend_t)
-
 term_getattr_all_ptys(xend_t)
 term_use_generic_ptys(xend_t)
 term_use_ptmx(xend_t)
@@ -228,6 +261,7 @@ logging_send_syslog_msg(xend_t)
 lvm_domtrans(xend_t)
 
 miscfiles_read_localization(xend_t)
+miscfiles_read_hwdata(xend_t)
 
 mount_domtrans(xend_t)
 
@@ -274,7 +308,7 @@ kernel_read_kernel_sysctls(xenconsoled_t)
 kernel_write_xen_state(xenconsoled_t)
 kernel_read_xen_state(xenconsoled_t)
 
-dev_manage_xen(xenconsoled_t)
+dev_rw_xen(xenconsoled_t)
 dev_filetrans_xen(xenconsoled_t)
 dev_rw_sysfs(xenconsoled_t)
 
@@ -308,7 +342,7 @@ optional_policy(`
 # Xen store local policy
 #
 
-allow xenstored_t self:capability { dac_override mknod ipc_lock sys_resource };
+allow xenstored_t self:capability { dac_override ipc_lock sys_resource };
 allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
 allow xenstored_t self:unix_dgram_socket create_socket_perms;
 
@@ -338,20 +372,16 @@ stream_connect_pattern(xenstored_t, evtchnd_var_run_t, evtchnd_var_run_t, evtchn
 kernel_write_xen_state(xenstored_t)
 kernel_read_xen_state(xenstored_t)
 
-dev_create_generic_dirs(xenstored_t)
-dev_manage_xen(xenstored_t)
 dev_filetrans_xen(xenstored_t)
 dev_rw_xen(xenstored_t)
 dev_read_sysfs(xenstored_t)
 
+files_read_etc_files(xenstored_t)
+
 files_read_usr_files(xenstored_t)
 
 fs_manage_xenfs_files(xenstored_t)
 
-storage_raw_read_fixed_disk(xenstored_t)
-storage_raw_write_fixed_disk(xenstored_t)
-storage_raw_read_removable_device(xenstored_t)
-
 term_use_generic_ptys(xenstored_t)
 
 init_use_fds(xenstored_t)
@@ -411,8 +441,6 @@ fs_getattr_all_fs(xm_t)
 fs_manage_xenfs_dirs(xm_t)
 fs_manage_xenfs_files(xm_t)
 
-storage_raw_read_fixed_disk(xm_t)
-
 term_use_all_terms(xm_t)
 
 init_stream_connect_script(xm_t)
@@ -474,3 +502,55 @@ optional_policy(`
 		unconfined_domain(xend_t)
 	')
 ')
+
+########################################
+#
+# qemu-dm local policy
+#
+# Do we need to allow execution of qemu-dm?
+tunable_policy(`xend_run_qemu',`
+	# If yes, transition to its own domain.
+	domtrans_pattern(xend_t, qemu_dm_exec_t, qemu_dm_t)
+	allow qemu_dm_t self:capability sys_resource;
+	allow qemu_dm_t self:process setrlimit;
+	allow qemu_dm_t self:fifo_file { read write };
+	allow qemu_dm_t self:tcp_socket create_stream_socket_perms;
+	rw_fifo_files_pattern(qemu_dm_t, xend_var_run_t, xend_var_run_t)
+	append_files_pattern(qemu_dm_t, xend_var_log_t, xend_var_log_t)
+	libs_use_ld_so(qemu_dm_t)
+	libs_use_shared_libs(qemu_dm_t)
+	files_read_etc_files(qemu_dm_t)
+	files_read_usr_files(qemu_dm_t)
+	miscfiles_read_localization(qemu_dm_t)
+	corenet_tcp_bind_generic_node(qemu_dm_t)
+	corenet_tcp_bind_vnc_port(qemu_dm_t)
+	dev_rw_xen(qemu_dm_t)
+	xen_stream_connect_xenstore(qemu_dm_t)
+	fs_manage_xenfs_dirs(qemu_dm_t)
+	fs_manage_xenfs_files(qemu_dm_t)
+',`
+	# If no, then silently refuse to run it.
+	dontaudit xend_t qemu_dm_exec_t:file { execute execute_no_trans };
+')
+
+########################################
+#
+# blktap local policy
+#
+# Do we need to allow execution of blktap?
+tunable_policy(`xend_run_blktap',`
+	# If yes, transition to its own domain.
+	domtrans_pattern(xend_t, blktap_exec_t, blktap_t)
+	allow blktap_t self:fifo_file { read write };
+	libs_use_ld_so(blktap_t)
+	libs_use_shared_libs(blktap_t)
+	miscfiles_read_localization(blktap_t)
+	files_read_etc_files(blktap_t)
+	dev_read_sysfs(blktap_t)
+	logging_send_syslog_msg(blktap_t)
+	dev_rw_xen(blktap_t)
+	xen_stream_connect_xenstore(blktap_t)
+',`
+	# If no, then silently refuse to run it.
+	dontaudit xend_t blktap_exec_t:file { execute execute_no_trans };
+')
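Review bot: Both else-branches silence the denial, with `dontaudit xend_t qemu_dm_exec_t:file { execute execute_no_trans };` and the same rule for `blktap_exec_t`, so with a boolean off a refused launch leaves no AVC record. That removes the one signal an administrator or an audit-log monitor would have that xend tried to start a helper the policy forbids. A mis-set boolean would then show up only as an unexplained guest start failure. I would leave these denials audited, or at least extend the comment to `# If no, refuse to run it; the denial is hidden unless dontaudit rules are disabled`.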

-- 
Stephen Smalley
National Security Agency


* [refpolicy] [PATCH] Refine xen policy
  2011-02-10 16:17 [refpolicy] [PATCH] Refine xen policy Stephen Smalley
@ 2011-02-15 18:58 ` Christopher J. PeBenito
  0 siblings, 0 replies; 2+ messages in thread
From: Christopher J. PeBenito @ 2011-02-15 18:58 UTC (permalink / raw)
  To: refpolicy

On 2/10/2011 11:17 AM, Stephen Smalley wrote:
> Various changes to the Xen userspace policy, including:
> - Add gntdev and gntalloc device node labeling.
> - Create separate domains for blktap and qemu-dm rather than leaving them in xend_t.
> - No need to allow xen userspace to create its own device nodes anymore;
> this is handled automatically by the kernel/udev.
> - No need to allow xen userspace access to generic raw storage; even if
> using dedicated partitions/LVs for disk images, you can just label them
> with xen_image_t.
>
> The blktap and qemu-dm domains are stubs and will likely need to be
> further expanded, but they should definitely not be left in xend_t.  Not
> sure if I should try to use qemu_domain_template() instead for qemu-dm,
> but I don't see any current users of that template (qemu_t uses
> virt_domain_template instead), and qemu-dm has specific interactions
> with Xen.

Merged.  I made a few rearrangements.

> Signed-off-by:  Stephen Smalley<sds@tycho.nsa.gov>
>
> ---
>
>   policy/modules/kernel/devices.fc |    2
>   policy/modules/system/xen.fc     |    5 +
>   policy/modules/system/xen.te     |  114 +++++++++++++++++++++++++++++++++------
>   3 files changed, 104 insertions(+), 17 deletions(-)
>
> diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
> index 3b2da10..8ac94e4 100644
> --- a/policy/modules/kernel/devices.fc
> +++ b/policy/modules/kernel/devices.fc
> @@ -173,6 +173,8 @@ ifdef(`distro_suse', `
>
>   /dev/xen/blktap.*	-c	gen_context(system_u:object_r:xen_device_t,s0)
>   /dev/xen/evtchn		-c	gen_context(system_u:object_r:xen_device_t,s0)
> +/dev/xen/gntdev		-c	gen_context(system_u:object_r:xen_device_t,s0)
> +/dev/xen/gntalloc	-c	gen_context(system_u:object_r:xen_device_t,s0)
>
>   /etc/udev/devices	-d	gen_context(system_u:object_r:device_t,s0)
>
> diff --git a/policy/modules/system/xen.fc b/policy/modules/system/xen.fc
> index 8c827f8..1872b74 100644
> --- a/policy/modules/system/xen.fc
> +++ b/policy/modules/system/xen.fc
> @@ -4,6 +4,11 @@
>
>   /usr/sbin/evtchnd	--	gen_context(system_u:object_r:evtchnd_exec_t,s0)
>
> +/usr/sbin/blktapctrl	--	gen_context(system_u:object_r:blktap_exec_t,s0)
> +/usr/sbin/tapdisk	--	gen_context(system_u:object_r:blktap_exec_t,s0)
> +
> +/usr/lib(64)?/xen/bin/qemu-dm	-- gen_context(system_u:object_r:qemu_dm_exec_t,s0)
> +
>   ifdef(`distro_debian',`
>   /usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
>   /usr/lib/xen-[^/]*/bin/xend --	gen_context(system_u:object_r:xend_exec_t,s0)
> diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
> index f661f5a..e25619f 100644
> --- a/policy/modules/system/xen.te
> +++ b/policy/modules/system/xen.te
> @@ -72,6 +72,7 @@ files_tmp_file(xenstored_tmp_t)
>   # var/lib files
>   type xenstored_var_lib_t;
>   files_type(xenstored_var_lib_t)
> +files_mountpoint(xenstored_var_lib_t)
>
>   # log files
>   type xenstored_var_log_t;
> @@ -94,6 +95,38 @@ type xm_exec_t;
>   domain_type(xm_t)
>   init_system_domain(xm_t, xm_exec_t)
>
> +##<desc>
> +##<p>
> +## Allow xend to run qemu-dm.
> +## Not required if using paravirt and no vfb.
> +##</p>
> +##</desc>
> +gen_tunable(xend_run_qemu, true)
> +
> +type qemu_dm_t;
> +domain_type(qemu_dm_t)
> +type qemu_dm_exec_t;
> +files_type(qemu_dm_exec_t)
> +domain_entry_file(qemu_dm_t, qemu_dm_exec_t)
> +role system_r types qemu_dm_t;
> +
> +##<desc>
> +##<p>
> +## Allow xend to run blktapctrl/tapdisk.
> +## Not required if using dedicated logical volumes for disk images.
> +##</p>
> +##</desc>
> +gen_tunable(xend_run_blktap, true)
> +
> +type blktap_t;
> +domain_type(blktap_t)
> +role system_r types blktap_t;
> +type blktap_exec_t;
> +files_type(blktap_exec_t)
> +domain_entry_file(blktap_t, blktap_exec_t)
> +type blktap_var_run_t;
> +files_pid_file(blktap_var_run_t)
> +
>   #######################################
>   #
>   # evtchnd local policy
> @@ -113,7 +146,7 @@ files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir })
>   # xend local policy
>   #
>
> -allow xend_t self:capability { mknod dac_override ipc_lock net_admin setuid sys_nice sys_ptrace sys_tty_config net_raw };
> +allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config net_raw };
>   dontaudit xend_t self:capability { sys_ptrace };
>   allow xend_t self:process { signal sigkill };
>   dontaudit xend_t self:process ptrace;
> @@ -161,6 +194,12 @@ files_var_lib_filetrans(xend_t, xend_var_lib_t, { file dir })
>   # transition to store
>   domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t)
>
> +# manage xenstored pid file
> +manage_files_pattern(xend_t, xenstored_var_run_t, xenstored_var_run_t)
> +
> +# mount tmpfs on /var/lib/xenstored
> +allow xend_t xenstored_var_lib_t:dir read;
> +
>   # transition to console
>   domtrans_pattern(xend_t, xenconsoled_exec_t, xenconsoled_t)
>
> @@ -193,12 +232,10 @@ corenet_sendrecv_soundd_server_packets(xend_t)
>   corenet_rw_tun_tap_dev(xend_t)
>
>   dev_read_urand(xend_t)
> -dev_manage_xen(xend_t)
>   dev_filetrans_xen(xend_t)
>   dev_rw_sysfs(xend_t)
>   dev_rw_xen(xend_t)
>
> -domain_read_all_domains_state(xend_t)
>   domain_dontaudit_read_all_domains_state(xend_t)
>   domain_dontaudit_ptrace_all_domains(xend_t)
>
> @@ -210,10 +247,6 @@ files_etc_filetrans_etc_runtime(xend_t, file)
>   files_read_usr_files(xend_t)
>   files_read_default_symlinks(xend_t)
>
> -storage_raw_read_fixed_disk(xend_t)
> -storage_raw_write_fixed_disk(xend_t)
> -storage_raw_read_removable_device(xend_t)
> -
>   term_getattr_all_ptys(xend_t)
>   term_use_generic_ptys(xend_t)
>   term_use_ptmx(xend_t)
> @@ -228,6 +261,7 @@ logging_send_syslog_msg(xend_t)
>   lvm_domtrans(xend_t)
>
>   miscfiles_read_localization(xend_t)
> +miscfiles_read_hwdata(xend_t)
>
>   mount_domtrans(xend_t)
>
> @@ -274,7 +308,7 @@ kernel_read_kernel_sysctls(xenconsoled_t)
>   kernel_write_xen_state(xenconsoled_t)
>   kernel_read_xen_state(xenconsoled_t)
>
> -dev_manage_xen(xenconsoled_t)
> +dev_rw_xen(xenconsoled_t)
>   dev_filetrans_xen(xenconsoled_t)
>   dev_rw_sysfs(xenconsoled_t)
>
> @@ -308,7 +342,7 @@ optional_policy(`
>   # Xen store local policy
>   #
>
> -allow xenstored_t self:capability { dac_override mknod ipc_lock sys_resource };
> +allow xenstored_t self:capability { dac_override ipc_lock sys_resource };
>   allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
>   allow xenstored_t self:unix_dgram_socket create_socket_perms;
>
> @@ -338,20 +372,16 @@ stream_connect_pattern(xenstored_t, evtchnd_var_run_t, evtchnd_var_run_t, evtchn
>   kernel_write_xen_state(xenstored_t)
>   kernel_read_xen_state(xenstored_t)
>
> -dev_create_generic_dirs(xenstored_t)
> -dev_manage_xen(xenstored_t)
>   dev_filetrans_xen(xenstored_t)
>   dev_rw_xen(xenstored_t)
>   dev_read_sysfs(xenstored_t)
>
> +files_read_etc_files(xenstored_t)
> +
>   files_read_usr_files(xenstored_t)
>
>   fs_manage_xenfs_files(xenstored_t)
>
> -storage_raw_read_fixed_disk(xenstored_t)
> -storage_raw_write_fixed_disk(xenstored_t)
> -storage_raw_read_removable_device(xenstored_t)
> -
>   term_use_generic_ptys(xenstored_t)
>
>   init_use_fds(xenstored_t)
> @@ -411,8 +441,6 @@ fs_getattr_all_fs(xm_t)
>   fs_manage_xenfs_dirs(xm_t)
>   fs_manage_xenfs_files(xm_t)
>
> -storage_raw_read_fixed_disk(xm_t)
> -
>   term_use_all_terms(xm_t)
>
>   init_stream_connect_script(xm_t)
> @@ -474,3 +502,55 @@ optional_policy(`
>   		unconfined_domain(xend_t)
>   	')
>   ')
> +
> +########################################
> +#
> +# qemu-dm local policy
> +#
> +# Do we need to allow execution of qemu-dm?
> +tunable_policy(`xend_run_qemu',`
> +	# If yes, transition to its own domain.
> +	domtrans_pattern(xend_t, qemu_dm_exec_t, qemu_dm_t)
> +	allow qemu_dm_t self:capability sys_resource;
> +	allow qemu_dm_t self:process setrlimit;
> +	allow qemu_dm_t self:fifo_file { read write };
> +	allow qemu_dm_t self:tcp_socket create_stream_socket_perms;
> +	rw_fifo_files_pattern(qemu_dm_t, xend_var_run_t, xend_var_run_t)
> +	append_files_pattern(qemu_dm_t, xend_var_log_t, xend_var_log_t)
> +	libs_use_ld_so(qemu_dm_t)
> +	libs_use_shared_libs(qemu_dm_t)
> +	files_read_etc_files(qemu_dm_t)
> +	files_read_usr_files(qemu_dm_t)
> +	miscfiles_read_localization(qemu_dm_t)
> +	corenet_tcp_bind_generic_node(qemu_dm_t)
> +	corenet_tcp_bind_vnc_port(qemu_dm_t)
> +	dev_rw_xen(qemu_dm_t)
> +	xen_stream_connect_xenstore(qemu_dm_t)
> +	fs_manage_xenfs_dirs(qemu_dm_t)
> +	fs_manage_xenfs_files(qemu_dm_t)
> +',`
> +	# If no, then silently refuse to run it.
> +	dontaudit xend_t qemu_dm_exec_t:file { execute execute_no_trans };
> +')
> +
> +########################################
> +#
> +# blktap local policy
> +#
> +# Do we need to allow execution of blktap?
> +tunable_policy(`xend_run_blktap',`
> +	# If yes, transition to its own domain.
> +	domtrans_pattern(xend_t, blktap_exec_t, blktap_t)
> +	allow blktap_t self:fifo_file { read write };
> +	libs_use_ld_so(blktap_t)
> +	libs_use_shared_libs(blktap_t)
> +	miscfiles_read_localization(blktap_t)
> +	files_read_etc_files(blktap_t)
> +	dev_read_sysfs(blktap_t)
> +	logging_send_syslog_msg(blktap_t)
> +	dev_rw_xen(blktap_t)
> +	xen_stream_connect_xenstore(blktap_t)
> +',`
> +	# If no, then silently refuse to run it.
> +	dontaudit xend_t blktap_exec_t:file { execute execute_no_trans };
> +')
>


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
