From: Julien Grall <julien.grall@linaro.org>
To: Daniel De Graaf <dgdegra@tycho.nsa.gov>,
xen-devel@lists.xenproject.org,
Ian Campbell <ian.campbell@citrix.com>,
Jan Beulich <jbeulich@suse.com>
Subject: Re: [PATCH] flask/policy: fix static device labeling examples
Date: Tue, 17 Mar 2015 13:03:02 +0000
Message-ID: <55082606.3050405@linaro.org>
In-Reply-To: <1426085984-18653-1-git-send-email-dgdegra@tycho.nsa.gov>
(CC Ian and Jan)
Hi,
Is there any blocker to push this patch? It's useful for using XSM with
passthrough.
Regards,
On 11/03/15 14:59, Daniel De Graaf wrote:
> The definitions of static device labels must be placed at the end of the
> policy.conf before passing it to checkpolicy; the existing examples
> (which are commented out) are in the wrong location. Create a new file
> for device contexts which will place them in the proper location.
>
> This also removes some directions about using the xen policy type in
> checkpolicy which is no longer needed.
>
> Reported-by: Julien Grall <julien.grall@linaro.org>
> Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
> ---
> docs/misc/xsm-flask.txt | 31 +++--------------------
> tools/flask/policy/Makefile | 3 ++-
> tools/flask/policy/policy/device_contexts | 32 +++++++++++++++++++++++
> tools/flask/policy/policy/modules/xen/xen.te | 38 +++-------------------------
> 4 files changed, 41 insertions(+), 63 deletions(-)
> create mode 100644 tools/flask/policy/policy/device_contexts
>
> diff --git a/docs/misc/xsm-flask.txt b/docs/misc/xsm-flask.txt
> index ab05913..e169937 100644
> --- a/docs/misc/xsm-flask.txt
> +++ b/docs/misc/xsm-flask.txt
> @@ -335,33 +335,8 @@ memory, or even changing certain BIOS settings). Dynamic labeling requires that
> the domain performing the labeling be trusted to label all the devices in the
> system properly.
>
> -To enable static device labeling, a checkpolicy >= 2.0.20 and libsepol >=2.0.39
> -are required. The policy Makefile (tools/flask/policy/Makefile) must also be
> -changed as follows:
> -
> -########################################
> -#
> -# Build a binary policy locally
> -#
> -$(POLVER): policy.conf
> - @echo "Compiling $(NAME) $(POLVER)"
> - $(QUIET) $(CHECKPOLICY) $^ -o $@ (Comment out this line)
> -# Uncomment line below to enable policies for devices
> -# $(QUIET) $(CHECKPOLICY) -t Xen $^ -o $@ (Uncomment this line)
> -
> -########################################
> -#
> -# Install a binary policy
> -#
> -$(LOADPATH): policy.conf
> - @echo "Compiling and installing $(NAME) $(LOADPATH)"
> - $(QUIET) $(CHECKPOLICY) $^ -o $@ (Comment out this line)
> -# Uncomment line below to enable policies for devices
> -# $(QUIET) $(CHECKPOLICY) -t Xen $^ -o $@ (Uncomment this line)
> -
> -
> -IRQs, PCI devices, I/O memory and ports can all be labeled. There are
> -commented out lines in xen.te policy for examples on how to label devices.
> +IRQs, PCI devices, I/O memory and x86 IO ports can all have labels defined.
> +There are examples commented out in tools/flask/policy/policy/device_contexts.
>
> Device Labeling
> ---------------
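Review bot: the removed paragraph also drops the stated requirement for checkpolicy >= 2.0.20 and libsepol >= 2.0.39, which the commit message does not mention; if static device labeling still needs those versions, keep a one-line version note in the replacement text. Minor: the new line mixes "I/O memory" and "x86 IO ports"; use one spelling ("I/O") for both.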
> @@ -378,7 +353,7 @@ lspci output is..
> Region 2: I/O ports at ecc0 [size=32]
> Kernel modules: e1000e
>
> -The labeling can be done with these commands
> +The labeling can be done with these lines in device_contexts:
>
> pirqcon 33 system_u:object_r:nicP_t
> iomemcon 0xfebe0-0xfebff system_u:object_r:nicP_t
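Review bot: "device_contexts" is referenced by bare name here; give the full path tools/flask/policy/policy/device_contexts as the previous hunk does, and say that the type used in the example (nicP_t) must be declared as a resource_type in xen.te, as the new xen.te comment requires, or checkpolicy will reject the file.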
> diff --git a/tools/flask/policy/Makefile b/tools/flask/policy/Makefile
> index 58d9ce1..e564396 100644
> --- a/tools/flask/policy/Makefile
> +++ b/tools/flask/policy/Makefile
> @@ -56,6 +56,7 @@ MLSSUPPORT := $(POLDIR)/mls
> USERS := $(POLDIR)/users
> CONSTRAINTS := $(POLDIR)/constraints
> ISID_DEFS := $(POLDIR)/initial_sids
> +DEV_OCONS := $(POLDIR)/device_contexts
>
> # config file paths
> GLOBALTUN := $(POLDIR)/global_tunables
> @@ -98,7 +99,7 @@ POLICY_SECTIONS += $(M4SUPPORT) $(MLSSUPPORT)
> POLICY_SECTIONS += $(ALL_INTERFACES)
> POLICY_SECTIONS += $(GLOBALTUN)
> POLICY_SECTIONS += $(ALL_MODULES)
> -POLICY_SECTIONS += $(USERS) $(CONSTRAINTS) $(ISID_DEFS)
> +POLICY_SECTIONS += $(USERS) $(CONSTRAINTS) $(ISID_DEFS) $(DEV_OCONS)
>
> all: $(POLICY_FILENAME)
>
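Review bot: $(DEV_OCONS) must stay the last entry in POLICY_SECTIONS, since the commit message says checkpolicy needs the device context definitions at the end of policy.conf; a short comment on this line would stop a later reorder from silently reintroducing the bug this patch fixes.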
> diff --git a/tools/flask/policy/policy/device_contexts b/tools/flask/policy/policy/device_contexts
> new file mode 100644
> index 0000000..c2de7e7
> --- /dev/null
> +++ b/tools/flask/policy/policy/device_contexts
> @@ -0,0 +1,32 @@
> +###############################################################################
> +#
> +# Label devices for delegation
> +#
> +# The PCI, IRQ, memory, and I/O port ranges are hardware-specific.
> +#
> +###############################################################################
> +
> +# label e1000e nic
> +#pirqcon 33 system_u:object_r:nic_dev_t
> +#pirqcon 55 system_u:object_r:nic_dev_t
> +#iomemcon 0xfebe0-0xfebff system_u:object_r:nic_dev_t
> +#iomemcon 0xfebd9 system_u:object_r:nic_dev_t
> +#ioportcon 0xecc0-0xecdf system_u:object_r:nic_dev_t
> +#pcidevicecon 0xc800 system_u:object_r:nic_dev_t
> +
> +# label e100 nic
> +#pirqcon 16 system_u:object_r:nic_dev_t
> +#iomemcon 0xfe5df system_u:object_r:nic_dev_t
> +#iomemcon 0xfe5e0-0xfe5ff system_u:object_r:nic_dev_t
> +#iomemcon 0xc2000-0xc200f system_u:object_r:nic_dev_t
> +#ioportcon 0xccc0-0xcd00 system_u:object_r:nic_dev_t
> +
> +# label usb 1d.0-2 1d.7
> +#pirqcon 23 system_u:object_r:nic_dev_t
> +#pirqcon 17 system_u:object_r:nic_dev_t
> +#pirqcon 18 system_u:object_r:nic_dev_t
> +#ioportcon 0xff80-0xFF9F system_u:object_r:nic_dev_t
> +#ioportcon 0xff60-0xff7f system_u:object_r:nic_dev_t
> +#ioportcon 0xff40-0xff5f system_u:object_r:nic_dev_t
> +#iomemcon 0xff980 system_u:object_r:nic_dev_t
> +#ioportcon 0xff00-0xff1f system_u:object_r:nic_dev_t
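Review bot: the examples are carried over unchanged, and a few oddities are worth fixing while the file is being created: the e100 range "ioportcon 0xccc0-0xcd00" ends at 0xcd00 rather than 0xccff, unlike the other ranges, which end on a 32-port boundary; "ioportcon 0xff80-0xFF9F" mixes hex case; and the USB controller block labels its IRQs, ports and memory nic_dev_t, a type named for NICs, so either a separate resource type or a comment saying the type is reused for illustration would make the example clearer.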
> diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
> index c0128aa..e555d11 100644
> --- a/tools/flask/policy/policy/modules/xen/xen.te
> +++ b/tools/flask/policy/policy/modules/xen/xen.te
> @@ -177,6 +177,10 @@ domain_self_comms(nomigrate_t)
> #
> # Device delegation
> #
> +# This requires that the device be labeled with a type defined here. You can
> +# use flask-label-pci to dynamically label devices on each boot or define the
> +# labels statically in tools/flask/policy/policy/device_contexts
> +#
> ###############################################################################
>
> type nic_dev_t, resource_type;
> @@ -186,40 +190,6 @@ use_device(domU_t, nic_dev_t)
>
> delegate_devices(dom0_t, domU_t)
>
> -###############################################################################
> -#
> -# Label devices for delegation
> -#
> -# The PCI, IRQ, memory, and I/O port ranges are hardware-specific.
> -# You may also use flask-label-pci to dynamically label devices on each boot.
> -#
> -###############################################################################
> -
> -# label e1000e nic
> -#pirqcon 33 system_u:object_r:nic_dev_t
> -#pirqcon 55 system_u:object_r:nic_dev_t
> -#iomemcon 0xfebe0-0xfebff system_u:object_r:nic_dev_t
> -#iomemcon 0xfebd9 system_u:object_r:nic_dev_t
> -#ioportcon 0xecc0-0xecdf system_u:object_r:nic_dev_t
> -#pcidevicecon 0xc800 system_u:object_r:nic_dev_t
> -
> -# label e100 nic
> -#pirqcon 16 system_u:object_r:nic_dev_t
> -#iomemcon 0xfe5df system_u:object_r:nic_dev_t
> -#iomemcon 0xfe5e0-0xfe5ff system_u:object_r:nic_dev_t
> -#iomemcon 0xc2000-0xc200f system_u:object_r:nic_dev_t
> -#ioportcon 0xccc0-0xcd00 system_u:object_r:nic_dev_t
> -
> -# label usb 1d.0-2 1d.7
> -#pirqcon 23 system_u:object_r:nic_dev_t
> -#pirqcon 17 system_u:object_r:nic_dev_t
> -#pirqcon 18 system_u:object_r:nic_dev_t
> -#ioportcon 0xff80-0xFF9F system_u:object_r:nic_dev_t
> -#ioportcon 0xff60-0xff7f system_u:object_r:nic_dev_t
> -#ioportcon 0xff40-0xff5f system_u:object_r:nic_dev_t
> -#iomemcon 0xff980 system_u:object_r:nic_dev_t
> -#ioportcon 0xff00-0xff1f system_u:object_r:nic_dev_t
> -
> ################################################################################
> #
> # Policy constraints
>
--
Julien Grall
Thread overview:
2015-03-11 14:59 [PATCH] flask/policy: fix static device labeling examples Daniel De Graaf
2015-03-11 16:29 ` Julien Grall
2015-03-17 13:03 ` Julien Grall [this message]
2015-03-17 13:31 ` Jan Beulich
2015-03-18 12:30 ` Ian Campbell