
Re: [Xen-devel] [PATCH v3 0/3] Xen/FLASK policy updates for device contexts



I've been testing this and found a few problems:

1) I could not read a policy with sedispol (in the checkpolicy/test directory)
   when the devicetreecon statement was included (checkpolicy built ok).
   I've attached a patch that fixes this problem and included CIL Ref Guide
   updates for the new features.

2) When building policy with the CIL compiler secilc I get core dumps, but
   only if I include the devicetreecon statement. I think it's related to not
   releasing the devicetreepath "path" when sepol_policydb_free is called. I've
   been trying to track it down and failed - any ideas!!!
   sedispol will read the generated CIL policy with the above fix applied.


Richard



----- Original Message -----
> From: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
> To: selinux@xxxxxxxxxxxxx
> Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx
> Sent: Tuesday, 17 March 2015, 20:43
> Subject: [PATCH v3 0/3] Xen/FLASK policy updates for device contexts
> 
> In order to support assigning security labels to ARM device tree nodes
> in Xen's XSM policy, a new ocontext type is needed in the security
> policy.
> 
> In addition to adding the new ocontext, the existing I/O memory range
> ocontext is expanded to 64 bits in order to support hardware with more
> than 44 bits of physical address space (32-bit count of 4K pages).
> 
> Changes from v2:
> - Clean up printf format strings for 32-bit builds
> 
> Changes from v1:
> - Use policy version 30 instead of forking the version numbers for Xen;
>    this removes the need for v1's patch 3.
> - Report an error when attempting to use an I/O memory range that
>    requires a 64-bit representation with an old policy output version
>    that cannot support this
> - Fix a few incorrect references to PCIDEVICECON
> - Reorder patches to clarify the allowed character set of device tree
>    paths
> 
> [PATCH 1/3] checkpolicy: Expand allowed character set in paths
> [PATCH 2/3] libsepol, checkpolicy: widen Xen IOMEM ocontext entries
> [PATCH 3/3] libsepol, checkpolicy: add device tree ocontext nodes to
> _______________________________________________
> Selinux mailing list
> Selinux@xxxxxxxxxxxxx
> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxxx
> To get help, send an email containing "help" to 
> Selinux-request@xxxxxxxxxxxxxx
> 

Attachment: 0001-libsepol-Fix-reading-Xen-policy-with-devicetreecon.patch
Description: Text Data

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
