[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] [PATCH 04/23] xsm/flask: add domain relabel support
This adds the ability to change a domain's XSM label after creation. The new label will be used for all future access checks; however, existing event channels and memory mappings will remain valid even if their creation would be denied by the new label. With appropriate security policy and hooks in the domain builder, this can be used to create domains that the domain builder does not have access to after building. It can also be used to allow a domain to drop privileges - for example, prior to launching a user-supplied kernel loaded by a pv-grub stubdom. Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx> --- tools/flask/policy/policy/flask/access_vectors | 7 ++++ tools/flask/policy/policy/flask/security_classes | 1 + tools/flask/policy/policy/modules/xen/xen.te | 2 +- xen/include/public/xsm/flask_op.h | 8 ++++ xen/xsm/flask/flask_op.c | 49 ++++++++++++++++++++++++ xen/xsm/flask/include/av_perm_to_string.h | 3 ++ xen/xsm/flask/include/av_permissions.h | 4 ++ xen/xsm/flask/include/class_to_string.h | 1 + xen/xsm/flask/include/flask.h | 15 ++++---- 9 files changed, 82 insertions(+), 8 deletions(-) diff --git a/tools/flask/policy/policy/flask/access_vectors b/tools/flask/policy/policy/flask/access_vectors index a884312..c7e29ab 100644 --- a/tools/flask/policy/policy/flask/access_vectors +++ b/tools/flask/policy/policy/flask/access_vectors @@ -73,6 +73,13 @@ class domain set_virq_handler } +class domain2 +{ + relabelfrom + relabelto + relabelself +} + class hvm { sethvmc diff --git a/tools/flask/policy/policy/flask/security_classes b/tools/flask/policy/policy/flask/security_classes index 2ca35d2..ef134a7 100644 --- a/tools/flask/policy/policy/flask/security_classes +++ b/tools/flask/policy/policy/flask/security_classes @@ -9,6 +9,7 @@ class xen class domain +class domain2 class hvm class mmu class resource diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te index 9cc5240..9550397 100644 --- a/tools/flask/policy/policy/modules/xen/xen.te +++ b/tools/flask/policy/policy/modules/xen/xen.te @@ -169,7 +169,7 @@ delegate_devices(dom0_t, domU_t) ################################################################################ # Domains must be declared using domain_type -neverallow * ~domain_type:domain create; +neverallow * ~domain_type:domain { create transition }; # Resources must be declared using resource_type neverallow * ~resource_type:resource use; diff --git a/xen/include/public/xsm/flask_op.h b/xen/include/public/xsm/flask_op.h index 1a251c9..233de81 100644 --- a/xen/include/public/xsm/flask_op.h +++ b/xen/include/public/xsm/flask_op.h @@ -142,6 +142,12 @@ struct xen_flask_peersid { uint32_t sid; }; +struct xen_flask_relabel { + /* IN */ + uint32_t domid; + uint32_t sid; +}; + struct xen_flask_op { uint32_t cmd; #define FLASK_LOAD 1 @@ -167,6 +173,7 @@ struct xen_flask_op { #define FLASK_ADD_OCONTEXT 21 #define FLASK_DEL_OCONTEXT 22 #define FLASK_GET_PEER_SID 23 +#define FLASK_RELABEL_DOMAIN 24 uint32_t interface_version; /* XEN_FLASK_INTERFACE_VERSION */ union { struct xen_flask_load load; @@ -185,6 +192,7 @@ struct xen_flask_op { /* FLASK_ADD_OCONTEXT, FLASK_DEL_OCONTEXT */ struct xen_flask_ocontext ocontext; struct xen_flask_peersid peersid; + struct xen_flask_relabel relabel; } u; }; typedef struct xen_flask_op xen_flask_op_t; diff --git a/xen/xsm/flask/flask_op.c b/xen/xsm/flask/flask_op.c index bd4db37..9c8dfe7 100644 --- a/xen/xsm/flask/flask_op.c +++ b/xen/xsm/flask/flask_op.c @@ -573,6 +573,51 @@ static int flask_get_peer_sid(struct xen_flask_peersid *arg) return rv; } +static int flask_relabel_domain(struct xen_flask_relabel *arg) +{ + int rc; + struct domain *d; + struct domain_security_struct *csec = current->domain->ssid; + struct domain_security_struct *dsec; + struct avc_audit_data ad; + AVC_AUDIT_DATA_INIT(&ad, NONE); + + d = rcu_lock_domain_by_any_id(arg->domid); + if ( d == NULL ) + return -ESRCH; + + ad.sdom = current->domain; + ad.tdom = d; + dsec = d->ssid; + + if ( arg->domid == DOMID_SELF ) + { + rc = avc_has_perm(dsec->sid, arg->sid, SECCLASS_DOMAIN2, DOMAIN2__RELABELSELF, &ad); + if ( rc ) + goto out; + } + else + { + rc = avc_has_perm(csec->sid, dsec->sid, SECCLASS_DOMAIN2, DOMAIN2__RELABELFROM, &ad); + if ( rc ) + goto out; + + rc = avc_has_perm(csec->sid, arg->sid, SECCLASS_DOMAIN2, DOMAIN2__RELABELTO, &ad); + if ( rc ) + goto out; + } + + rc = avc_has_perm(dsec->sid, arg->sid, SECCLASS_DOMAIN, DOMAIN__TRANSITION, &ad); + if ( rc ) + goto out; + + dsec->sid = arg->sid; + + out: + rcu_unlock_domain(d); + return rc; +} + long do_flask_op(XEN_GUEST_HANDLE(xsm_op_t) u_flask_op) { xen_flask_op_t op; @@ -680,6 +725,10 @@ long do_flask_op(XEN_GUEST_HANDLE(xsm_op_t) u_flask_op) rv = flask_get_peer_sid(&op.u.peersid); break; + case FLASK_RELABEL_DOMAIN: + rv = flask_relabel_domain(&op.u.relabel); + break; + default: rv = -ENOSYS; } diff --git a/xen/xsm/flask/include/av_perm_to_string.h b/xen/xsm/flask/include/av_perm_to_string.h index 17a1c36..e7e2058 100644 --- a/xen/xsm/flask/include/av_perm_to_string.h +++ b/xen/xsm/flask/include/av_perm_to_string.h @@ -61,6 +61,9 @@ S_(SECCLASS_DOMAIN, DOMAIN__SETPODTARGET, "setpodtarget") S_(SECCLASS_DOMAIN, DOMAIN__SET_MISC_INFO, "set_misc_info") S_(SECCLASS_DOMAIN, DOMAIN__SET_VIRQ_HANDLER, "set_virq_handler") + S_(SECCLASS_DOMAIN2, DOMAIN2__RELABELFROM, "relabelfrom") + S_(SECCLASS_DOMAIN2, DOMAIN2__RELABELTO, "relabelto") + S_(SECCLASS_DOMAIN2, DOMAIN2__RELABELSELF, "relabelself") S_(SECCLASS_HVM, HVM__SETHVMC, "sethvmc") S_(SECCLASS_HVM, HVM__GETHVMC, "gethvmc") S_(SECCLASS_HVM, HVM__SETPARAM, "setparam") diff --git a/xen/xsm/flask/include/av_permissions.h b/xen/xsm/flask/include/av_permissions.h index 42eaf81..cb1c5dc 100644 --- a/xen/xsm/flask/include/av_permissions.h +++ b/xen/xsm/flask/include/av_permissions.h @@ -63,6 +63,10 @@ #define DOMAIN__SET_MISC_INFO 0x40000000UL #define DOMAIN__SET_VIRQ_HANDLER 0x80000000UL +#define DOMAIN2__RELABELFROM 0x00000001UL +#define DOMAIN2__RELABELTO 0x00000002UL +#define DOMAIN2__RELABELSELF 0x00000004UL + #define HVM__SETHVMC 0x00000001UL #define HVM__GETHVMC 0x00000002UL #define HVM__SETPARAM 0x00000004UL diff --git a/xen/xsm/flask/include/class_to_string.h b/xen/xsm/flask/include/class_to_string.h index ab55700..7716645 100644 --- a/xen/xsm/flask/include/class_to_string.h +++ b/xen/xsm/flask/include/class_to_string.h @@ -5,6 +5,7 @@ S_("null") S_("xen") S_("domain") + S_("domain2") S_("hvm") S_("mmu") S_("resource") diff --git a/xen/xsm/flask/include/flask.h b/xen/xsm/flask/include/flask.h index 6d29c5a..3bff998 100644 --- a/xen/xsm/flask/include/flask.h +++ b/xen/xsm/flask/include/flask.h @@ -7,13 +7,14 @@ */ #define SECCLASS_XEN 1 #define SECCLASS_DOMAIN 2 -#define SECCLASS_HVM 3 -#define SECCLASS_MMU 4 -#define SECCLASS_RESOURCE 5 -#define SECCLASS_SHADOW 6 -#define SECCLASS_EVENT 7 -#define SECCLASS_GRANT 8 -#define SECCLASS_SECURITY 9 +#define SECCLASS_DOMAIN2 3 +#define SECCLASS_HVM 4 +#define SECCLASS_MMU 5 +#define SECCLASS_RESOURCE 6 +#define SECCLASS_SHADOW 7 +#define SECCLASS_EVENT 8 +#define SECCLASS_GRANT 9 +#define SECCLASS_SECURITY 10 /* * Security identifier indices for initial entities -- 1.7.11.4 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |