[Xen-changelog] [xen master] flask/policy: updates from osstest runs
commit 4f835b64cf7425d7f1527ef2b4a9d8c171115137 Author: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx> AuthorDate: Tue May 26 14:13:27 2015 -0400 Commit: Ian Campbell <ian.campbell@xxxxxxxxxx> CommitDate: Wed Jun 3 11:12:01 2015 +0100 flask/policy: updates from osstest runs Migration and HVM domain creation both trigger AVC denials that should be allowed in the default policy; add these rules. Guest console writes need to be either allowed or denied without audit depending on the decision of the local administrator; introduce a policy boolean to switch between these possibilities. Reported-by: Wei Liu <wei.liu2@xxxxxxxxxx> Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx> Acked-by: Ian Campbell <ian.campbell@xxxxxxxxxx> --- tools/flask/policy/policy/modules/xen/xen.if | 2 ++ tools/flask/policy/policy/modules/xen/xen.te | 10 ++++++++++ 2 files changed, 12 insertions(+), 0 deletions(-) diff --git a/tools/flask/policy/policy/modules/xen/xen.if b/tools/flask/policy/policy/modules/xen/xen.if index 620d151..f4cde11 100644 --- a/tools/flask/policy/policy/modules/xen/xen.if +++ b/tools/flask/policy/policy/modules/xen/xen.if @@ -9,6 +9,7 @@ define(`declare_domain_common', ` allow $1 $2:grant { query setup }; allow $1 $2:mmu { adjust physmap map_read map_write stat pinpage updatemp mmuext_op }; allow $1 $2:hvm { getparam setparam }; + allow $1 $2:domain2 get_vnumainfo; ') # declare_domain(type, attrs...) @@ -95,6 +96,7 @@ define(`migrate_domain_out', ` allow $1 $2:mmu { stat pageinfo map_read }; allow $1 $2:domain { getaddrsize getvcpucontext getextvcpucontext getvcpuextstate pause destroy }; allow $1 $2:domain2 gettsc; + allow $1 $2:shadow { enable disable logdirty }; ') ################################################################################ diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te index ce70639..51f59c5 100644 --- a/tools/flask/policy/policy/modules/xen/xen.te 
+++ b/tools/flask/policy/policy/modules/xen/xen.te @@ -117,6 +117,16 @@ domain_comms(dom0_t, dom0_t) # Allow all domains to use (unprivileged parts of) the tmem hypercall allow domain_type xen_t:xen tmem_op; +# Allow guest console output to the serial console. This is used by PV Linux +# and stub domains for early boot output, so don't audit even when we deny it. +# Without XSM, this is enabled only if the Xen was compiled in debug mode. +gen_bool(guest_writeconsole, true) +if (guest_writeconsole) { + allow domain_type xen_t : xen writeconsole; +} else { + dontaudit domain_type xen_t : xen writeconsole; +} + ############################################################################### # # Domain creation -- generated by git-patchbot for /home/xen/git/xen.git#master _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxx http://lists.xensource.com/xen-changelog
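Review bot: In the first xen.if hunk, `allow $1 $2:domain2 get_vnumainfo;` is added to `declare_domain_common` with no comment saying which denial it answers. The commit message names migration and HVM domain creation, but this macro is named for neither, so the permission is granted wherever the common macro is expanded. Please add a one-line comment naming the operation that hit the denial, or move the rule to a narrower macro if only one path needs it.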
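Review bot: In the `migrate_domain_out` hunk, `allow $1 $2:shadow { enable disable logdirty };` grants `enable` and `disable` together with `logdirty`, and neither the hunk nor the commit message quotes the AVC denials that justify each one. If the osstest runs denied all three, record that in a comment above the rule; if only some were denied, grant only those so the migration sender does not get more control over shadow mode than it was observed to need.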
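Review bot: In the xen.te hunk, `gen_bool(guest_writeconsole, true)` makes the allow branch the default, while the comment directly above states that without XSM this is enabled only in debug builds. That leaves the default XSM policy more permissive than a non-debug build without XSM for `writeconsole`. Consider defaulting the boolean to false, or extend the comment to say why true was chosen and how an administrator flips it. Minor wording: "the Xen was compiled" should read "Xen was compiled".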