From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
To: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Cc: wei.liu2@citrix.com, ian.campbell@citrix.com,
andrew.cooper3@citrix.com, ian.jackson@eu.citrix.com,
mpohlack@amazon.de, JBeulich@suse.com,
xen-devel@lists.xenproject.org
Subject: Re: [PATCH v2 1/3] xsm/xen_version: Add XSM for the xen_version hypercall.
Date: Wed, 6 Jan 2016 12:49:27 -0500 [thread overview]
Message-ID: <20160106174927.GC8633@char.us.oracle.com> (raw)
In-Reply-To: <56424AC7.7040200@tycho.nsa.gov>
On Tue, Nov 10, 2015 at 02:51:35PM -0500, Daniel De Graaf wrote:
> On 06/11/15 14:36, Konrad Rzeszutek Wilk wrote:
> >All of XENVER_* have now an XSM check.
> >
> >The subops for XENVER_[compile_info|changeset|commandline|
> >extraversion] are now priviliged operations. To not break
> >guests we still return an string - but it is just '<denied>'.
> >
> >The rest: XENVER_[version|capabilities|
> >parameters|get_features|page_size|guest_handle] behave
> >as before - allowed by default for all guests.
> >
> >This is with the XSM default policy and with the dummy ones.
> >
> >Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
>
> Comments below, inline.
>
> [...]
> >diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
> >index d35ae22..1ca0e65 100644
> >--- a/tools/flask/policy/policy/modules/xen/xen.te
> >+++ b/tools/flask/policy/policy/modules/xen/xen.te
> >@@ -73,6 +73,12 @@ allow dom0_t xen_t:xen2 {
> > pmu_ctrl
> > get_symbol
> > };
> >+
> >+# Allow dom0 to use XENVER_compile_info|changeset|commandline]extraversion
> >+allow dom0_t xen_t:xen2 {
> >+ version_priv
> >+};
> >+
> > allow dom0_t xen_t:mmu memorymap;
> >
> > # Allow dom0 to use these domctls on itself. For domctls acting on other
>
> Minor tweak: if you don't want to add the new to the block a few lines above,
> the one-line permission syntax without braces (as seen below) looks better.
<nods>
>
> [...]
> > DO(xen_version)(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
> > {
> >+ bool_t deny = !!xsm_version_op(XSM_HOOK, cmd);
> >+
>
> Since this call produces denials in the default policy, it should be marked
> as XSM_OTHER.
<nods>
>
> >diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/access_vectors
> >index effb59f..273459f 100644
> >--- a/xen/xsm/flask/policy/access_vectors
> >+++ b/xen/xsm/flask/policy/access_vectors
> >@@ -93,6 +93,8 @@ class xen2
> > pmu_ctrl
> > # PMU use (domains, including unprivileged ones, will be using this operation)
> > pmu_use
> >+# XENVER_[compile_info|changeset|commandline|extraversion] usage.
> >+ version_priv
> > }
> >
> > # Classes domain and domain2 consist of operations that a domain performs on
> >@@ -242,6 +244,8 @@ class domain2
> > mem_sharing
> > # XEN_DOMCTL_psr_cat_op
> > psr_cat_op
> >+# XENVER_[version|capabilities|parameters|get_features|page_size|guest_handle].
> >+ version_use
> > }
> >
> > # Similar to class domain, but primarily contains domctls related to HVM domains
> >
>
> I think that both version_priv and version_use belong in the same access
> vector (xen2) rather than placing version_use in domain2.
Ok, modified.
>
> --
> Daniel De Graaf
> National Security Agency
next prev parent reply other threads:[~2016-01-06 17:49 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-11-06 19:36 [PATCH v2] Add build-id to XENVER hypercall Konrad Rzeszutek Wilk
2015-11-06 19:36 ` [PATCH v2 1/3] xsm/xen_version: Add XSM for the xen_version hypercall Konrad Rzeszutek Wilk
2015-11-10 12:29 ` Jan Beulich
2016-01-06 17:41 ` Konrad Rzeszutek Wilk
2016-01-07 7:35 ` Jan Beulich
2016-01-08 17:31 ` Konrad Rzeszutek Wilk
2016-01-11 9:02 ` Jan Beulich
2016-01-11 16:01 ` Konrad Rzeszutek Wilk
2016-01-11 16:17 ` Jan Beulich
2016-01-12 16:37 ` Konrad Rzeszutek Wilk
2016-01-12 16:42 ` Jan Beulich
2015-11-10 19:51 ` Daniel De Graaf
2015-11-16 19:02 ` Konrad Rzeszutek Wilk
2016-01-06 17:49 ` Konrad Rzeszutek Wilk [this message]
2015-11-06 19:36 ` [PATCH v2 2/3] XENVER_build_id: Provide ld-embedded build-ids Konrad Rzeszutek Wilk
2015-11-09 17:26 ` Ross Lagerwall
2015-11-10 16:49 ` Jan Beulich
2016-01-06 17:27 ` Konrad Rzeszutek Wilk
2016-01-07 7:42 ` Jan Beulich
2015-11-06 19:36 ` [PATCH v2 3/3] libxl: info: Display build_id of the hypervisor Konrad Rzeszutek Wilk
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160106174927.GC8633@char.us.oracle.com \
--to=konrad.wilk@oracle.com \
--cc=JBeulich@suse.com \
--cc=andrew.cooper3@citrix.com \
--cc=dgdegra@tycho.nsa.gov \
--cc=ian.campbell@citrix.com \
--cc=ian.jackson@eu.citrix.com \
--cc=mpohlack@amazon.de \
--cc=wei.liu2@citrix.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).