
Re: [Xen-devel] [PATCH 11/15] flask: improve unknown permission handling



On Thu, Jun 09, 2016 at 10:47:14AM -0400, Daniel De Graaf wrote:
> When an unknown domctl, sysctl, or other operation is encountered in the
> FLASK security server, use the allow_unknown bit in the security policy
> to decide if the permission should be allowed or denied.  This bit is
> off by default, but it can be set by using checkpolicy -U allow when
> compiling the policy.  This allows new operations to be tested without
> needing to immediately add security checks; however, it is not flexible
> enough to avoid adding the actual permission checks.  An error message
> is printed to the hypervisor console when this fallback is encountered.

.. and the operation is permitted.

> 
> Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
> ---
>  xen/xsm/flask/hooks.c            | 44 
> +++++++++++++++++++++++++---------------
>  xen/xsm/flask/include/security.h |  2 ++
>  xen/xsm/flask/ss/policydb.c      |  1 +
>  xen/xsm/flask/ss/policydb.h      |  6 ++++++
>  xen/xsm/flask/ss/services.c      |  5 +++++
>  5 files changed, 42 insertions(+), 16 deletions(-)
> 
> diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
> index a8d45e7..3ab3fbf 100644
> --- a/xen/xsm/flask/hooks.c
> +++ b/xen/xsm/flask/hooks.c
> @@ -136,6 +136,23 @@ static int get_irq_sid(int irq, u32 *sid, struct 
> avc_audit_data *ad)
>      return 0;
>  }
>  
> +static int avc_unknown_permission(const char *name, int id)
> +{
> +    int rc;

I would add a new line here.
> +    if ( !flask_enforcing || security_get_allow_unknown() )
> +    {
> +        printk(XENLOG_G_WARNING "FLASK: Allowing unknown %s: %d.\n", name, 
> id);
> +        rc = 0;
> +    }
> +    else
> +    {
> +        printk(XENLOG_G_ERR "FLASK: Denying unknown %s: %d.\n", name, id);
> +        rc = -EPERM;
> +    }
> +
> +    return rc;
> +}
> +
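Review bot: the commit message says the allow_unknown policy bit decides whether an unknown operation is permitted, but the condition `if ( !flask_enforcing || security_get_allow_unknown() )` also permits it whenever FLASK is in permissive mode, and both cases emit the same "Allowing unknown" warning. Consider stating the permissive-mode behaviour in the commit message and, when allowing only because `flask_enforcing` is off, logging that the operation would have been denied, so an administrator who runs permissive to collect denials before switching to enforcing can see the ones this fallback introduces. The `rc` temporary could also be dropped by returning directly from each branch.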

The rest looks OK, but I have a question: Is this how Linux operates?


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel