
Re: [Xen-devel] XSM denials with 4.7.0 RC1



On Wed, May 04, 2016 at 03:05:38PM +0100, Wei Liu wrote:
> CC Konrad and Ross
> 
> On Wed, May 04, 2016 at 08:52:24AM -0500, Doug Goldstein wrote:
> > Hi all,
> > 
> > Sometime after d4cd5a205973171475b8c63bc250c2803e0f51fa, I get the
> > following denials for any domU that attempts to run "xl". In my
> > situation my domU needs to run "xl devd" because its a driver domain.
> > 
> > (XEN) avc:  denied  { xen_extraversion } for domid=1
> > scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
> > tclass=version
> > (XEN) avc:  denied  { xen_extraversion } for domid=1
> > scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
> > tclass=version
> > (XEN) avc:  denied  { xen_compile_info } for domid=1
> > scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
> > tclass=version
> > (XEN) avc:  denied  { xen_capabilities } for domid=1
> > scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
> > tclass=version
> > (XEN) avc:  denied  { xen_changeset } for domid=1
> > scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
> > tclass=version
> > (XEN) avc:  denied  { xen_pagesize } for domid=1
> > scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
> > tclass=version
> > (XEN) avc:  denied  { xen_commandline } for domid=1
> > scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
> > tclass=version
> > (XEN) avc:  denied  { xen_build_id } for domid=1
> > scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t
> > tclass=version
> > 
> > I'm guessing a change happened to xl so that it queries the version
> > info every time it is run.
> > 
> 
> I think the root cause is that we have now altered xen_version hypercall
> for xsplice.
> 
> We might need to update the hook, the default policy (assuming that's
> what you use) or both.

The policy:
# For normal guests all possible except XENVER_commandline.
allow domain_type xen_t:version {
    xen_extraversion xen_compile_info xen_capabilities
    xen_changeset xen_pagesize xen_guest_handle
};


So not sure why you are seeing those. Did you rebuild your policy against
4.7.0-1rc?

The xen_build_id and xen_commandline should definitely error out per:

a2fc8d514df2b38c310d4f4432fe06520b0769ed
Author: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
Date:   Fri Mar 11 21:40:43 2016 -0500

    xsm/xen_version: Add XSM for most of xen_version hypercall

    The subop for XENVER_commandline is now a privileged operation.
    To not break guests we still return a string - but it is
    just '<denied>\0'.

And the XSM checks would trigger for XENVER_commandline - it's just that
instead of -EPERM being returned we return '<denied>\0'.

Is that not the case?
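The question in this reply is whether the denials Doug sees are consistent with the allow rule quoted from the policy source. The script below is an added example (not Xen project code, not posted by anyone in the thread): it parses Xen avc denial lines and `allow` rules of the form shown above, and splits the denied permissions into those the policy source grants (so the loaded policy must be stale, rebuilt against a different tree, or otherwise not the one quoted) and those it does not grant (the denials the commit message predicts for `xen_commandline`, and `xen_build_id`, which the quoted rule also omits). The avc lines are reconstructed from the thread, one message per line as the Xen console prints them; the membership of `domU_t` and `dom0_t` in the `domain_type` attribute is an assumption taken from the default policy, not read from a live system.

```python
"""Cross-check XSM/Flask avc denials against allow rules from policy source.

Added example for the thread above; not Xen project code. The log lines are
reconstructed from the thread and the attribute membership is assumed.
"""
import re
from typing import Dict, List, Set

# Constructed sample: the denials from the thread, one avc message per line
# (the mail client wrapped the originals; the content is the same).
SAMPLE_AVC_LOG = "\n".join(
    "(XEN) avc:  denied  { %s } for domid=1 "
    "scontext=system_u:system_r:domU_t tcontext=system_u:system_r:xen_t "
    "tclass=version" % perm
    for perm in (
        "xen_extraversion", "xen_extraversion", "xen_compile_info",
        "xen_capabilities", "xen_changeset", "xen_pagesize",
        "xen_commandline", "xen_build_id",
    )
)

# The allow rule quoted in the reply, as it appears in the policy source.
POLICY_SNIPPET = """\
# For normal guests all possible except XENVER_commandline.
allow domain_type xen_t:version {
    xen_extraversion xen_compile_info xen_capabilities
    xen_changeset xen_pagesize xen_guest_handle
};
"""

# Assumption: domU_t and dom0_t carry the domain_type attribute (as in the
# default Xen policy), so a rule on domain_type applies to a domU_t source.
ATTRIBUTE_MEMBERS: Dict[str, Set[str]] = {"domain_type": {"domU_t", "dom0_t"}}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+domid=(?P<domid>\d+)"
    r"\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)

ALLOW_RE = re.compile(
    r"allow\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<tclass>\S+)\s*\{(?P<perms>[^}]*)\}\s*;",
    re.S,
)


def parse_avc(log: str) -> List[dict]:
    """Return one record per denied permission found in the console log."""
    records = []
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an avc message; ignore
        for perm in m.group("perms").split():  # avc may list several perms
            records.append({
                "perm": perm,
                "domid": int(m.group("domid")),
                # contexts are user:role:type; rules name the type (or attribute)
                "stype": m.group("scontext").rsplit(":", 1)[-1],
                "ttype": m.group("tcontext").rsplit(":", 1)[-1],
                "tclass": m.group("tclass"),
            })
    return records


def parse_allow_rules(policy: str) -> List[dict]:
    """Extract `allow SRC TGT:CLASS { perms };` rules from policy source."""
    return [
        {"src": m.group("src"), "tgt": m.group("tgt"),
         "tclass": m.group("tclass"), "perms": set(m.group("perms").split())}
        for m in ALLOW_RE.finditer(policy)
    ]


def _names_for(type_name: str) -> Set[str]:
    """A type plus every attribute it belongs to (a rule may name either)."""
    return {type_name} | {
        attr for attr, members in ATTRIBUTE_MEMBERS.items() if type_name in members
    }


def classify_denials(log: str, policy: str) -> Dict[str, Set[str]]:
    """Split denied perms into 'unexpected' (the policy source grants them, so
    the loaded policy differs from the source) and 'expected' (not granted)."""
    rules = parse_allow_rules(policy)
    out: Dict[str, Set[str]] = {"expected": set(), "unexpected": set()}
    for rec in parse_avc(log):
        granted = any(
            r["src"] in _names_for(rec["stype"])
            and r["tgt"] in _names_for(rec["ttype"])
            and r["tclass"] == rec["tclass"]
            and rec["perm"] in r["perms"]
            for r in rules
        )
        out["unexpected" if granted else "expected"].add(rec["perm"])
    return out


if __name__ == "__main__":
    result = classify_denials(SAMPLE_AVC_LOG, POLICY_SNIPPET)
    print("denied although the policy source allows it:", sorted(result["unexpected"]))
    print("denied and absent from the allow rule:", sorted(result["expected"]))
```

Run against the thread's denials and the quoted rule, five of the seven denied permissions come back as granted by the source, which is the mismatch the reply is asking about; only `xen_commandline` and `xen_build_id` are denials the quoted rule actually predicts. Feed it the output of `xl dmesg` and the `.te` file the policy was built from to run the same check on a real system.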


