From: Chao Peng <chao.p.peng@linux.intel.com>
To: xen-devel@lists.xen.org
Cc: keir@xen.org, Ian.Campbell@citrix.com,
stefano.stabellini@eu.citrix.com, George.Dunlap@eu.citrix.com,
andrew.cooper3@citrix.com, Ian.Jackson@eu.citrix.com,
JBeulich@suse.com, dgdegra@tycho.nsa.gov
Subject: [PATCH v17 02/10] xsm: add resource operation related xsm policy
Date: Mon, 29 Sep 2014 18:40:31 +0800 [thread overview]
Message-ID: <1411987239-3509-3-git-send-email-chao.p.peng@linux.intel.com> (raw)
In-Reply-To: <1411987239-3509-1-git-send-email-chao.p.peng@linux.intel.com>
Add xsm policies for resource access related hypercall, such as MSR
access, port I/O read/write, and other related resource operations.
Signed-off-by: Dongxiao Xu <dongxiao.xu@intel.com>
Signed-off-by: Chao Peng <chao.p.peng@linux.intel.com>
Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
---
tools/flask/policy/policy/modules/xen/xen.te | 3 +++
xen/xsm/flask/hooks.c | 4 ++++
xen/xsm/flask/policy/access_vectors | 14 +++++++++++---
xen/xsm/flask/policy/security_classes | 1 +
4 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
index 1937883..6cecf97 100644
--- a/tools/flask/policy/policy/modules/xen/xen.te
+++ b/tools/flask/policy/policy/modules/xen/xen.te
@@ -64,6 +64,9 @@ allow dom0_t xen_t:xen {
getidle debug getcpuinfo heap pm_op mca_op lockprof cpupool_op tmem_op
tmem_control getscheduler setscheduler
};
+allow dom0_t xen_t:xen2 {
+ resource_op
+};
allow dom0_t xen_t:mmu memorymap;
# Allow dom0 to use these domctls on itself. For domctls acting on other
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index df05566..9f36503 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -1391,6 +1391,10 @@ static int flask_platform_op(uint32_t op)
case XENPF_get_cpuinfo:
return domain_has_xen(current->domain, XEN__GETCPUINFO);
+ case XENPF_resource_op:
+ return avc_current_has_perm(SECINITSID_XEN, SECCLASS_XEN2,
+ XEN2__RESOURCE_OP, NULL);
+
default:
printk("flask_platform_op: Unknown op %d\n", op);
return -EPERM;
diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/access_vectors
index d279841..daf0de5 100644
--- a/xen/xsm/flask/policy/access_vectors
+++ b/xen/xsm/flask/policy/access_vectors
@@ -3,9 +3,9 @@
#
# class class_name { permission_name ... }
-# Class xen consists of dom0-only operations dealing with the hypervisor itself.
-# Unless otherwise specified, the source is the domain executing the hypercall,
-# and the target is the xen initial sid (type xen_t).
+# Class xen and xen2 consists of dom0-only operations dealing with the
+# hypervisor itself. Unless otherwise specified, the source is the domain
+# executing the hypercall, and the target is the xen initial sid (type xen_t).
class xen
{
# XENPF_settime
@@ -75,6 +75,14 @@ class xen
setscheduler
}
+# This is a continuation of class xen, since only 32 permissions can be
+# defined per class
+class xen2
+{
+# XENPF_resource_op
+ resource_op
+}
+
# Classes domain and domain2 consist of operations that a domain performs on
# another domain or on itself. Unless otherwise specified, the source is the
# domain executing the hypercall, and the target is the domain being operated on
diff --git a/xen/xsm/flask/policy/security_classes b/xen/xsm/flask/policy/security_classes
index ef134a7..ca191db 100644
--- a/xen/xsm/flask/policy/security_classes
+++ b/xen/xsm/flask/policy/security_classes
@@ -8,6 +8,7 @@
# for userspace object managers
class xen
+class xen2
class domain
class domain2
class hvm
--
1.7.9.5
next prev parent reply other threads:[~2014-09-29 10:40 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-09-29 10:40 [PATCH v17 00/10] enable Cache Monitoring Technology (CMT) feature Chao Peng
2014-09-29 10:40 ` [PATCH v17 01/10] x86: add generic resource (e.g. MSR) access hypercall Chao Peng
2014-09-29 13:47 ` Andrew Cooper
2014-09-29 13:55 ` Jan Beulich
2014-09-29 10:40 ` Chao Peng [this message]
2014-09-29 10:40 ` [PATCH v17 03/10] tools: provide interface for generic resource access Chao Peng
2014-09-29 10:40 ` [PATCH v17 04/10] x86: detect and initialize Cache Monitoring Technology feature Chao Peng
2014-09-29 14:03 ` Andrew Cooper
2014-09-29 10:40 ` [PATCH v17 05/10] x86: dynamically attach/detach CMT service for a guest Chao Peng
2014-09-29 14:05 ` Andrew Cooper
2014-09-29 10:40 ` [PATCH v17 06/10] x86: collect global CMT information Chao Peng
2014-09-29 14:07 ` Andrew Cooper
2014-09-29 10:40 ` [PATCH v17 07/10] x86: enable CMT for each domain RMID Chao Peng
2014-09-29 14:08 ` Andrew Cooper
2014-09-29 10:40 ` [PATCH v17 08/10] x86: add CMT related MSRs in allowed list Chao Peng
2014-09-29 14:09 ` Andrew Cooper
2014-09-29 10:40 ` [PATCH v17 09/10] xsm: add CMT related xsm policies Chao Peng
2014-09-29 10:40 ` [PATCH v17 10/10] tools: CMDs and APIs for Cache Monitoring Technology Chao Peng
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1411987239-3509-3-git-send-email-chao.p.peng@linux.intel.com \
--to=chao.p.peng@linux.intel.com \
--cc=George.Dunlap@eu.citrix.com \
--cc=Ian.Campbell@citrix.com \
--cc=Ian.Jackson@eu.citrix.com \
--cc=JBeulich@suse.com \
--cc=andrew.cooper3@citrix.com \
--cc=dgdegra@tycho.nsa.gov \
--cc=keir@xen.org \
--cc=stefano.stabellini@eu.citrix.com \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).