[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [PATCH 04/23] xsm/flask: add domain relabel support



This adds the ability to change a domain's XSM label after creation.
The new label will be used for all future access checks; however,
existing event channels and memory mappings will remain valid even if
their creation would be denied by the new label.

With appropriate security policy and hooks in the domain builder, this
can be used to create domains that the domain builder does not have
access to after building. It can also be used to allow a domain to drop
privileges - for example, prior to launching a user-supplied kernel
loaded by a pv-grub stubdom.

Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
---
 tools/flask/policy/policy/flask/access_vectors   |  7 ++++
 tools/flask/policy/policy/flask/security_classes |  1 +
 tools/flask/policy/policy/modules/xen/xen.te     |  2 +-
 xen/include/public/xsm/flask_op.h                |  8 ++++
 xen/xsm/flask/flask_op.c                         | 49 ++++++++++++++++++++++++
 xen/xsm/flask/include/av_perm_to_string.h        |  3 ++
 xen/xsm/flask/include/av_permissions.h           |  4 ++
 xen/xsm/flask/include/class_to_string.h          |  1 +
 xen/xsm/flask/include/flask.h                    | 15 ++++----
 9 files changed, 82 insertions(+), 8 deletions(-)

diff --git a/tools/flask/policy/policy/flask/access_vectors 
b/tools/flask/policy/policy/flask/access_vectors
index a884312..c7e29ab 100644
--- a/tools/flask/policy/policy/flask/access_vectors
+++ b/tools/flask/policy/policy/flask/access_vectors
@@ -73,6 +73,13 @@ class domain
        set_virq_handler
 }
 
+class domain2
+{
+       relabelfrom
+       relabelto
+       relabelself
+}
+
 class hvm
 {
     sethvmc
diff --git a/tools/flask/policy/policy/flask/security_classes 
b/tools/flask/policy/policy/flask/security_classes
index 2ca35d2..ef134a7 100644
--- a/tools/flask/policy/policy/flask/security_classes
+++ b/tools/flask/policy/policy/flask/security_classes
@@ -9,6 +9,7 @@
 
 class xen
 class domain
+class domain2
 class hvm
 class mmu
 class resource
diff --git a/tools/flask/policy/policy/modules/xen/xen.te 
b/tools/flask/policy/policy/modules/xen/xen.te
index 9cc5240..9550397 100644
--- a/tools/flask/policy/policy/modules/xen/xen.te
+++ b/tools/flask/policy/policy/modules/xen/xen.te
@@ -169,7 +169,7 @@ delegate_devices(dom0_t, domU_t)
 
################################################################################
 
 # Domains must be declared using domain_type
-neverallow * ~domain_type:domain create;
+neverallow * ~domain_type:domain { create transition };
 
 # Resources must be declared using resource_type
 neverallow * ~resource_type:resource use;
diff --git a/xen/include/public/xsm/flask_op.h 
b/xen/include/public/xsm/flask_op.h
index 1a251c9..233de81 100644
--- a/xen/include/public/xsm/flask_op.h
+++ b/xen/include/public/xsm/flask_op.h
@@ -142,6 +142,12 @@ struct xen_flask_peersid {
     uint32_t sid;
 };
 
+struct xen_flask_relabel {
+    /* IN */
+    uint32_t domid;
+    uint32_t sid;
+};
+
 struct xen_flask_op {
     uint32_t cmd;
 #define FLASK_LOAD              1
@@ -167,6 +173,7 @@ struct xen_flask_op {
 #define FLASK_ADD_OCONTEXT      21
 #define FLASK_DEL_OCONTEXT      22
 #define FLASK_GET_PEER_SID      23
+#define FLASK_RELABEL_DOMAIN    24
     uint32_t interface_version; /* XEN_FLASK_INTERFACE_VERSION */
     union {
         struct xen_flask_load load;
@@ -185,6 +192,7 @@ struct xen_flask_op {
         /* FLASK_ADD_OCONTEXT, FLASK_DEL_OCONTEXT */
         struct xen_flask_ocontext ocontext;
         struct xen_flask_peersid peersid;
+        struct xen_flask_relabel relabel;
     } u;
 };
 typedef struct xen_flask_op xen_flask_op_t;
diff --git a/xen/xsm/flask/flask_op.c b/xen/xsm/flask/flask_op.c
index bd4db37..9c8dfe7 100644
--- a/xen/xsm/flask/flask_op.c
+++ b/xen/xsm/flask/flask_op.c
@@ -573,6 +573,51 @@ static int flask_get_peer_sid(struct xen_flask_peersid 
*arg)
     return rv;
 }
 
+static int flask_relabel_domain(struct xen_flask_relabel *arg)
+{
+    int rc;
+    struct domain *d;
+    struct domain_security_struct *csec = current->domain->ssid;
+    struct domain_security_struct *dsec;
+    struct avc_audit_data ad;
+    AVC_AUDIT_DATA_INIT(&ad, NONE);
+
+    d = rcu_lock_domain_by_any_id(arg->domid);
+    if ( d == NULL )
+        return -ESRCH;
+
+    ad.sdom = current->domain;
+    ad.tdom = d;
+    dsec = d->ssid;
+
+    if ( arg->domid == DOMID_SELF )
+    {
+        rc = avc_has_perm(dsec->sid, arg->sid, SECCLASS_DOMAIN2, 
DOMAIN2__RELABELSELF, &ad);
+        if ( rc )
+            goto out;
+    }
+    else
+    {
+        rc = avc_has_perm(csec->sid, dsec->sid, SECCLASS_DOMAIN2, 
DOMAIN2__RELABELFROM, &ad);
+        if ( rc )
+            goto out;
+
+        rc = avc_has_perm(csec->sid, arg->sid, SECCLASS_DOMAIN2, 
DOMAIN2__RELABELTO, &ad);
+        if ( rc )
+            goto out;
+    }
+
+    rc = avc_has_perm(dsec->sid, arg->sid, SECCLASS_DOMAIN, 
DOMAIN__TRANSITION, &ad);
+    if ( rc )
+        goto out;
+
+    dsec->sid = arg->sid;
+
+ out:
+    rcu_unlock_domain(d);
+    return rc;
+}
+
 long do_flask_op(XEN_GUEST_HANDLE(xsm_op_t) u_flask_op)
 {
     xen_flask_op_t op;
@@ -680,6 +725,10 @@ long do_flask_op(XEN_GUEST_HANDLE(xsm_op_t) u_flask_op)
         rv = flask_get_peer_sid(&op.u.peersid);
         break;
 
+    case FLASK_RELABEL_DOMAIN:
+        rv = flask_relabel_domain(&op.u.relabel);
+        break;
+
     default:
         rv = -ENOSYS;
     }
diff --git a/xen/xsm/flask/include/av_perm_to_string.h 
b/xen/xsm/flask/include/av_perm_to_string.h
index 17a1c36..e7e2058 100644
--- a/xen/xsm/flask/include/av_perm_to_string.h
+++ b/xen/xsm/flask/include/av_perm_to_string.h
@@ -61,6 +61,9 @@
    S_(SECCLASS_DOMAIN, DOMAIN__SETPODTARGET, "setpodtarget")
    S_(SECCLASS_DOMAIN, DOMAIN__SET_MISC_INFO, "set_misc_info")
    S_(SECCLASS_DOMAIN, DOMAIN__SET_VIRQ_HANDLER, "set_virq_handler")
+   S_(SECCLASS_DOMAIN2, DOMAIN2__RELABELFROM, "relabelfrom")
+   S_(SECCLASS_DOMAIN2, DOMAIN2__RELABELTO, "relabelto")
+   S_(SECCLASS_DOMAIN2, DOMAIN2__RELABELSELF, "relabelself")
    S_(SECCLASS_HVM, HVM__SETHVMC, "sethvmc")
    S_(SECCLASS_HVM, HVM__GETHVMC, "gethvmc")
    S_(SECCLASS_HVM, HVM__SETPARAM, "setparam")
diff --git a/xen/xsm/flask/include/av_permissions.h 
b/xen/xsm/flask/include/av_permissions.h
index 42eaf81..cb1c5dc 100644
--- a/xen/xsm/flask/include/av_permissions.h
+++ b/xen/xsm/flask/include/av_permissions.h
@@ -63,6 +63,10 @@
 #define DOMAIN__SET_MISC_INFO                     0x40000000UL
 #define DOMAIN__SET_VIRQ_HANDLER                  0x80000000UL
 
+#define DOMAIN2__RELABELFROM                      0x00000001UL
+#define DOMAIN2__RELABELTO                        0x00000002UL
+#define DOMAIN2__RELABELSELF                      0x00000004UL
+
 #define HVM__SETHVMC                              0x00000001UL
 #define HVM__GETHVMC                              0x00000002UL
 #define HVM__SETPARAM                             0x00000004UL
diff --git a/xen/xsm/flask/include/class_to_string.h 
b/xen/xsm/flask/include/class_to_string.h
index ab55700..7716645 100644
--- a/xen/xsm/flask/include/class_to_string.h
+++ b/xen/xsm/flask/include/class_to_string.h
@@ -5,6 +5,7 @@
     S_("null")
     S_("xen")
     S_("domain")
+    S_("domain2")
     S_("hvm")
     S_("mmu")
     S_("resource")
diff --git a/xen/xsm/flask/include/flask.h b/xen/xsm/flask/include/flask.h
index 6d29c5a..3bff998 100644
--- a/xen/xsm/flask/include/flask.h
+++ b/xen/xsm/flask/include/flask.h
@@ -7,13 +7,14 @@
  */
 #define SECCLASS_XEN                                     1
 #define SECCLASS_DOMAIN                                  2
-#define SECCLASS_HVM                                     3
-#define SECCLASS_MMU                                     4
-#define SECCLASS_RESOURCE                                5
-#define SECCLASS_SHADOW                                  6
-#define SECCLASS_EVENT                                   7
-#define SECCLASS_GRANT                                   8
-#define SECCLASS_SECURITY                                9
+#define SECCLASS_DOMAIN2                                 3
+#define SECCLASS_HVM                                     4
+#define SECCLASS_MMU                                     5
+#define SECCLASS_RESOURCE                                6
+#define SECCLASS_SHADOW                                  7
+#define SECCLASS_EVENT                                   8
+#define SECCLASS_GRANT                                   9
+#define SECCLASS_SECURITY                                10
 
 /*
  * Security identifier indices for initial entities
-- 
1.7.11.4


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.