From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
To: Daniel De Graaf <dgdegra@tycho.nsa.gov>, andrew.cooper3@citrix.com
Cc: xen-devel@lists.xen.org
Subject: Re: [PATCH 07/15] flask: unify {get, set}vcpucontext permissions
Date: Fri, 17 Jun 2016 11:37:38 -0400
Message-ID: <20160617153738.GE1340@char.us.oracle.com>
In-Reply-To: <1465483638-9489-8-git-send-email-dgdegra@tycho.nsa.gov>
On Thu, Jun 09, 2016 at 10:47:10AM -0400, Daniel De Graaf wrote:
> These permissions were initially split because they were in separate
> domctls, but this split is very unlikely to actually provide security
> benefits: it would require a carefully contrived situation for a domain
> to both need access to one type of CPU register and also need to be
> prohibited from accessing another type.
>
CC-ing Andrew as I believe he has been looking in this code when doing
migration and may have an opinion on this.
> Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
> ---
> tools/flask/policy/modules/dom0.te | 1 -
> tools/flask/policy/modules/xen.if | 7 +++----
> xen/xsm/flask/hooks.c | 20 ++++++--------------
> xen/xsm/flask/policy/access_vectors | 16 ++++++----------
> 4 files changed, 15 insertions(+), 29 deletions(-)
>
> diff --git a/tools/flask/policy/modules/dom0.te b/tools/flask/policy/modules/dom0.te
> index ef6a986..d228b24 100644
> --- a/tools/flask/policy/modules/dom0.te
> +++ b/tools/flask/policy/modules/dom0.te
> @@ -34,7 +34,6 @@ allow dom0_t dom0_t:domain {
> setvcpucontext max_vcpus setaffinity getaffinity getscheduler
> getdomaininfo getvcpuinfo getvcpucontext setdomainmaxmem setdomainhandle
> setdebugging hypercall settime setaddrsize getaddrsize trigger
> - getextvcpucontext setextvcpucontext getvcpuextstate setvcpuextstate
> getpodtarget setpodtarget set_misc_info set_virq_handler
> };
> allow dom0_t dom0_t:domain2 {
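Review bot: the policy-compatibility impact of this hunk deserves a line in the commit message: any out-of-tree or site-local policy that still lists getextvcpucontext, setextvcpucontext, getvcpuextstate or setvcpuextstate in a domain rule will fail to build once those names leave access_vectors. The fix for such a policy is simply to drop the names, as done here, since dom0_t keeps setvcpucontext and getvcpucontext in the same block and those now cover the folded-in domctls.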
> diff --git a/tools/flask/policy/modules/xen.if b/tools/flask/policy/modules/xen.if
> index 00d1bbb..fd96303 100644
> --- a/tools/flask/policy/modules/xen.if
> +++ b/tools/flask/policy/modules/xen.if
> @@ -47,9 +47,8 @@ define(`declare_build_label', `
>
> define(`create_domain_common', `
> allow $1 $2:domain { create max_vcpus setdomainmaxmem setaddrsize
> - getdomaininfo hypercall setvcpucontext setextvcpucontext
> - getscheduler getvcpuinfo getvcpuextstate getaddrsize
> - getaffinity setaffinity setvcpuextstate };
> + getdomaininfo hypercall setvcpucontext getscheduler
> + getvcpuinfo getaddrsize getaffinity setaffinity };
> allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim
> set_max_evtchn set_vnumainfo get_vnumainfo cacheflush
> psr_cmt_op psr_cat_op soft_reset };
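Review bot: possible lost grant in create_domain_common. Before this hunk $1 was allowed getvcpuextstate on $2, but the replacement list grants setvcpucontext only and no getvcpucontext, which is the permission XEN_DOMCTL_getvcpuextstate now maps to in hooks.c. If the domain builder issues that domctl (the old grant suggests it did), it will be denied under the new policy. Either add getvcpucontext to the list, e.g. `getdomaininfo hypercall setvcpucontext getvcpucontext getscheduler`, or state in the commit message that the old getvcpuextstate grant was unused at build time.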
> @@ -94,7 +93,7 @@ define(`migrate_domain_out', `
> allow $1 domxen_t:mmu map_read;
> allow $1 $2:hvm { gethvmc getparam irqlevel };
> allow $1 $2:mmu { stat pageinfo map_read };
> - allow $1 $2:domain { getaddrsize getvcpucontext getextvcpucontext getvcpuextstate pause destroy };
> + allow $1 $2:domain { getaddrsize getvcpucontext pause destroy };
> allow $1 $2:domain2 gettsc;
> allow $1 $2:shadow { enable disable logdirty };
> ')
> diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
> index 20d46c8..a8d45e7 100644
> --- a/xen/xsm/flask/hooks.c
> +++ b/xen/xsm/flask/hooks.c
> @@ -630,10 +630,16 @@ static int flask_domctl(struct domain *d, int cmd)
> case XEN_DOMCTL_setdomainhandle:
> return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SETDOMAINHANDLE);
>
> + case XEN_DOMCTL_set_ext_vcpucontext:
> + case XEN_DOMCTL_set_vcpu_msrs:
> case XEN_DOMCTL_setvcpucontext:
> + case XEN_DOMCTL_setvcpuextstate:
> return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SETVCPUCONTEXT);
>
> + case XEN_DOMCTL_get_ext_vcpucontext:
> + case XEN_DOMCTL_get_vcpu_msrs:
> case XEN_DOMCTL_getvcpucontext:
> + case XEN_DOMCTL_getvcpuextstate:
> return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__GETVCPUCONTEXT);
>
> case XEN_DOMCTL_getvcpuinfo:
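Review bot: style only: in both merged groups the original XEN_DOMCTL_setvcpucontext and XEN_DOMCTL_getvcpucontext cases now sit in the middle of the list. Leading each group with the domctl the permission is named for and listing the folded-in domctls after it, in the same order as the comments in access_vectors, makes it easier to audit which domctl each permission name refers to.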
> @@ -675,20 +681,6 @@ static int flask_domctl(struct domain *d, int cmd)
> case XEN_DOMCTL_pin_mem_cacheattr:
> return current_has_perm(d, SECCLASS_HVM, HVM__CACHEATTR);
>
> - case XEN_DOMCTL_set_ext_vcpucontext:
> - case XEN_DOMCTL_set_vcpu_msrs:
> - return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SETEXTVCPUCONTEXT);
> -
> - case XEN_DOMCTL_get_ext_vcpucontext:
> - case XEN_DOMCTL_get_vcpu_msrs:
> - return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__GETEXTVCPUCONTEXT);
> -
> - case XEN_DOMCTL_setvcpuextstate:
> - return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SETVCPUEXTSTATE);
> -
> - case XEN_DOMCTL_getvcpuextstate:
> - return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__GETVCPUEXTSTATE);
> -
> case XEN_DOMCTL_sendtrigger:
> return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__TRIGGER);
>
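Review bot: this removal is required rather than optional, because the DOMAIN__SETEXTVCPUCONTEXT, DOMAIN__GETEXTVCPUCONTEXT, DOMAIN__SETVCPUEXTSTATE and DOMAIN__GETVCPUEXTSTATE constants disappear once av_permissions.h is regenerated from the updated access_vectors. A grep over xen/xsm for those four names would confirm no other user remains; any leftover reference would only show up as a compile error after the generated header is rebuilt.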
> diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/access_vectors
> index 3d29042..7e69ede 100644
> --- a/xen/xsm/flask/policy/access_vectors
> +++ b/xen/xsm/flask/policy/access_vectors
> @@ -111,6 +111,9 @@ class xen2
> class domain
> {
> # XEN_DOMCTL_setvcpucontext
> +# XEN_DOMCTL_setvcpuextstate
> +# XEN_DOMCTL_set_ext_vcpucontext
> +# XEN_DOMCTL_set_vcpu_msrs
> setvcpucontext
> # XEN_DOMCTL_pausedomain
> pause
> @@ -142,6 +145,9 @@ class domain
> # XEN_DOMCTL_getvcpuinfo
> getvcpuinfo
> # XEN_DOMCTL_getvcpucontext
> +# XEN_DOMCTL_get_ext_vcpucontext
> +# XEN_DOMCTL_getvcpuextstate
> +# XEN_DOMCTL_get_vcpu_msrs
> getvcpucontext
> # XEN_DOMCTL_max_mem
> setdomainmaxmem
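Review bot: minor consistency point: the three folded-in domctls are listed here in a different order (get_ext_vcpucontext, getvcpuextstate, get_vcpu_msrs) than on the setvcpucontext side earlier in this file (setvcpuextstate, set_ext_vcpucontext, set_vcpu_msrs). Using the same order for the get and set comments makes the pairing easier to check against the case lists in hooks.c.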
> @@ -166,16 +172,6 @@ class domain
> getaddrsize
> # XEN_DOMCTL_sendtrigger
> trigger
> -# XEN_DOMCTL_get_ext_vcpucontext
> -# XEN_DOMCTL_set_vcpu_msrs
> - getextvcpucontext
> -# XEN_DOMCTL_set_ext_vcpucontext
> -# XEN_DOMCTL_get_vcpu_msrs
> - setextvcpucontext
> -# XEN_DOMCTL_getvcpuextstate
> - getvcpuextstate
> -# XEN_DOMCTL_setvcpuextstate
> - setvcpuextstate
> # XENMEM_get_pod_target
> getpodtarget
> # XENMEM_set_pod_target
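Review bot: two points on this removal. First, the removed comments show the old definitions had the MSR domctls paired the wrong way round (XEN_DOMCTL_set_vcpu_msrs under getextvcpucontext and XEN_DOMCTL_get_vcpu_msrs under setextvcpucontext); the new comments put set_vcpu_msrs under setvcpucontext and get_vcpu_msrs under getvcpucontext, matching hooks.c, and that correction is worth a sentence in the commit message. Second, deleting four permissions from the middle of class domain shifts the bit positions of every permission that follows (getpodtarget onward) in the generated access vector, so a policy built from the old access_vectors will not line up with a hypervisor carrying this change; saying explicitly that the policy must be rebuilt would save anyone carrying a custom policy some confusion.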
> --
> 2.5.5
>
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xen.org
> http://lists.xen.org/xen-devel