Re: [Xen-devel] [PATCH] flask/policy: fix static device labeling examples
(CC Ian and Jan) Hi, Is there any blocker to push this patch? It's useful for using XSM with passthrough. Regards, On 11/03/15 14:59, Daniel De Graaf wrote: > The definitions of static device labels must be placed at the end of the > policy.conf before passing it to checkpolicy; the existing examples > (which are commented out) are in the wrong location. Create a new file > for device contexts which will place them in the proper location. > > This also removes some directions about using the xen policy type in > checkpolicy which is no longer needed. > > Reported-by: Julien Grall <julien.grall@xxxxxxxxxx> > Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx> > --- > docs/misc/xsm-flask.txt | 31 +++-------------------- > tools/flask/policy/Makefile | 3 ++- > tools/flask/policy/policy/device_contexts | 32 +++++++++++++++++++++++ > tools/flask/policy/policy/modules/xen/xen.te | 38 > +++------------------------- > 4 files changed, 41 insertions(+), 63 deletions(-) > create mode 100644 tools/flask/policy/policy/device_contexts > > diff --git a/docs/misc/xsm-flask.txt b/docs/misc/xsm-flask.txt > index ab05913..e169937 100644 > --- a/docs/misc/xsm-flask.txt > +++ b/docs/misc/xsm-flask.txt 
> @@ -335,33 +335,8 @@ memory, or even changing certain BIOS settings). Dynamic > labeling requires that > the domain performing the labeling be trusted to label all the devices in the > system properly. > > -To enable static device labeling, a checkpolicy >= 2.0.20 and libsepol > >=2.0.39 > -are required. The policy Makefile (tools/flask/policy/Makefile) must also be > -changed as follows: > - > -######################################## > -# > -# Build a binary policy locally > -# > -$(POLVER): policy.conf > - @echo "Compiling $(NAME) $(POLVER)" > - $(QUIET) $(CHECKPOLICY) $^ -o $@ (Comment out this line) > -# Uncomment line below to enable policies for devices > -# $(QUIET) $(CHECKPOLICY) -t Xen $^ -o $@ (Uncomment this line) > - > -######################################## > -# > -# Install a binary policy > -# > -$(LOADPATH): policy.conf > - @echo "Compiling and installing $(NAME) $(LOADPATH)" > - $(QUIET) $(CHECKPOLICY) $^ -o $@ (Comment out this line) > -# Uncomment line below to enable policies for devices > -# $(QUIET) $(CHECKPOLICY) -t Xen $^ -o $@ (Uncomment this line) > - > - > -IRQs, PCI devices, I/O memory and ports can all be labeled. There are > -commented out lines in xen.te policy for examples on how to label devices. > +IRQs, PCI devices, I/O memory and x86 IO ports can all have labels defined. > +There are examples commented out in > tools/flask/policy/policy/device_contexts. > > Device Labeling > --------------- > @@ -378,7 +353,7 @@ lspci output is.. > Region 2: I/O ports at ecc0 [size=32] > Kernel modules: e1000e > > -The labeling can be done with these commands > +The labeling can be done with these lines in device_contexts: > > pirqcon 33 system_u:object_r:nicP_t > iomemcon 0xfebe0-0xfebff system_u:object_r:nicP_t > diff --git a/tools/flask/policy/Makefile b/tools/flask/policy/Makefile > index 58d9ce1..e564396 100644 > --- a/tools/flask/policy/Makefile > +++ b/tools/flask/policy/Makefile 
> @@ -56,6 +56,7 @@ MLSSUPPORT := $(POLDIR)/mls > USERS := $(POLDIR)/users > CONSTRAINTS := $(POLDIR)/constraints > ISID_DEFS := $(POLDIR)/initial_sids > +DEV_OCONS := $(POLDIR)/device_contexts > > # config file paths > GLOBALTUN := $(POLDIR)/global_tunables > @@ -98,7 +99,7 @@ POLICY_SECTIONS += $(M4SUPPORT) $(MLSSUPPORT) > POLICY_SECTIONS += $(ALL_INTERFACES) > POLICY_SECTIONS += $(GLOBALTUN) > POLICY_SECTIONS += $(ALL_MODULES) > -POLICY_SECTIONS += $(USERS) $(CONSTRAINTS) $(ISID_DEFS) > +POLICY_SECTIONS += $(USERS) $(CONSTRAINTS) $(ISID_DEFS) $(DEV_OCONS) > > all: $(POLICY_FILENAME) > > diff --git a/tools/flask/policy/policy/device_contexts > b/tools/flask/policy/policy/device_contexts > new file mode 100644 > index 0000000..c2de7e7 > --- /dev/null > +++ b/tools/flask/policy/policy/device_contexts 
> @@ -0,0 +1,32 @@ > +############################################################################### > +# > +# Label devices for delegation > +# > +# The PCI, IRQ, memory, and I/O port ranges are hardware-specific. > +# > +############################################################################### > + > +# label e1000e nic > +#pirqcon 33 system_u:object_r:nic_dev_t > +#pirqcon 55 system_u:object_r:nic_dev_t > +#iomemcon 0xfebe0-0xfebff system_u:object_r:nic_dev_t > +#iomemcon 0xfebd9 system_u:object_r:nic_dev_t > +#ioportcon 0xecc0-0xecdf system_u:object_r:nic_dev_t > +#pcidevicecon 0xc800 system_u:object_r:nic_dev_t > + > +# label e100 nic > +#pirqcon 16 system_u:object_r:nic_dev_t > +#iomemcon 0xfe5df system_u:object_r:nic_dev_t > +#iomemcon 0xfe5e0-0xfe5ff system_u:object_r:nic_dev_t > +#iomemcon 0xc2000-0xc200f system_u:object_r:nic_dev_t > +#ioportcon 0xccc0-0xcd00 system_u:object_r:nic_dev_t > + > +# label usb 1d.0-2 1d.7 > +#pirqcon 23 system_u:object_r:nic_dev_t > +#pirqcon 17 system_u:object_r:nic_dev_t > +#pirqcon 18 system_u:object_r:nic_dev_t > +#ioportcon 0xff80-0xFF9F system_u:object_r:nic_dev_t > +#ioportcon 0xff60-0xff7f system_u:object_r:nic_dev_t > +#ioportcon 0xff40-0xff5f system_u:object_r:nic_dev_t > +#iomemcon 0xff980 system_u:object_r:nic_dev_t > +#ioportcon 0xff00-0xff1f system_u:object_r:nic_dev_t > diff --git a/tools/flask/policy/policy/modules/xen/xen.te > b/tools/flask/policy/policy/modules/xen/xen.te > index c0128aa..e555d11 100644 > --- a/tools/flask/policy/policy/modules/xen/xen.te > +++ b/tools/flask/policy/policy/modules/xen/xen.te 
> @@ -177,6 +177,10 @@ domain_self_comms(nomigrate_t) > # > # Device delegation > # > +# This requires that the device be labeled with a type defined here. You can > +# use flask-label-pci to dynamically label devices on each boot or define the > +# labels statically in tools/flask/policy/policy/device_contexts > +# > > ############################################################################### > > type nic_dev_t, resource_type; 
> @@ -186,40 +190,6 @@ use_device(domU_t, nic_dev_t) > > delegate_devices(dom0_t, domU_t) > > -############################################################################### > -# > -# Label devices for delegation > -# > -# The PCI, IRQ, memory, and I/O port ranges are hardware-specific. > -# You may also use flask-label-pci to dynamically label devices on each boot. > -# > -############################################################################### > - > -# label e1000e nic > -#pirqcon 33 system_u:object_r:nic_dev_t > -#pirqcon 55 system_u:object_r:nic_dev_t > -#iomemcon 0xfebe0-0xfebff system_u:object_r:nic_dev_t > -#iomemcon 0xfebd9 system_u:object_r:nic_dev_t > -#ioportcon 0xecc0-0xecdf system_u:object_r:nic_dev_t > -#pcidevicecon 0xc800 system_u:object_r:nic_dev_t > - > -# label e100 nic > -#pirqcon 16 system_u:object_r:nic_dev_t > -#iomemcon 0xfe5df system_u:object_r:nic_dev_t > -#iomemcon 0xfe5e0-0xfe5ff system_u:object_r:nic_dev_t > -#iomemcon 0xc2000-0xc200f system_u:object_r:nic_dev_t > -#ioportcon 0xccc0-0xcd00 system_u:object_r:nic_dev_t > - > -# label usb 1d.0-2 1d.7 > -#pirqcon 23 system_u:object_r:nic_dev_t > -#pirqcon 17 system_u:object_r:nic_dev_t > -#pirqcon 18 system_u:object_r:nic_dev_t > -#ioportcon 0xff80-0xFF9F system_u:object_r:nic_dev_t > -#ioportcon 0xff60-0xff7f system_u:object_r:nic_dev_t > -#ioportcon 0xff40-0xff5f system_u:object_r:nic_dev_t > -#iomemcon 0xff980 system_u:object_r:nic_dev_t > -#ioportcon 0xff00-0xff1f system_u:object_r:nic_dev_t > - > > ################################################################################ > # > # Policy constraints > -- Julien Grall _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
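Review bot: In the docs/misc/xsm-flask.txt hunk, the example lines kept under "The labeling can be done with these lines in device_contexts:" still use the type `nicP_t` (`pirqcon 33 system_u:object_r:nicP_t`), while the new device_contexts file and xen.te define and use `nic_dev_t`; a reader who pastes the documented lines will get a checkpolicy failure on the undefined type, so the docs example should use `nic_dev_t` or state that the type must first be declared in xen.te. The same hunk also drops the sentence giving the minimum checkpolicy (>= 2.0.20) and libsepol (>= 2.0.39) versions along with the obsolete `-t Xen` Makefile instructions; if the version floor still applies to compiling the `*con` statements, keep that one sentence.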
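Review bot: In the new tools/flask/policy/policy/device_contexts file, the e100 entry `ioportcon 0xccc0-0xcd00 system_u:object_r:nic_dev_t` covers 65 ports and ends on an aligned boundary, unlike the e1000e entry `ioportcon 0xecc0-0xecdf`, which matches the 32-port window shown in the lspci output in the docs hunk; if the intended range is the 64-port window, the inclusive end should be 0xccff, since an over-wide range would grant the delegated domain the first port of whatever device follows. In the "label usb" block, three USB controllers are given the NIC type `nic_dev_t`; as these are examples meant to be copied, a comment noting that a distinct resource type should be defined per device class (or simply using a placeholder name) would prevent unrelated devices being delegated together. Minor: `0xff80-0xFF9F` mixes hex case while every other range is lowercase.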