Re: [Xen-devel] [PATCH 03/15] flask/policy: move user definitions and constraints into modules


  • To: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
  • From: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
  • Date: Fri, 17 Jun 2016 12:49:11 -0400
  • Cc: xen-devel@xxxxxxxxxxxxx
  • Delivery-date: Fri, 17 Jun 2016 16:49:25 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xen.org>

On 06/17/2016 11:28 AM, Konrad Rzeszutek Wilk wrote:
diff --git a/tools/flask/policy/modules/modules.conf 
b/tools/flask/policy/modules/modules.conf
index d875dbf..9aac6a0 100644
--- a/tools/flask/policy/modules/modules.conf
+++ b/tools/flask/policy/modules/modules.conf
@@ -34,6 +34,13 @@ nomigrate = on
 nic_dev = on

 # This allows any domain type to be created using the system_r role.  When it 
is
-# disabled, domains not using the default types (dom0_t and domU_t) must use
-# another role (such as vm_r) from the vm_role module.
+# disabled, domains not using the default types (dom0_t, domU_t, dm_dom_t) must
+# use another role (such as vm_r from the vm_role module below).
 all_system_role = on
+
+# Example users, roles, and constraints for user-based separation.
+#
+# The three users defined here can set up grant/event channel communication
+# (vchan, device frontend/backend) between their own VMs, but cannot set up a
+# channel to a VM under a different user.
+vm_role = on

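Review bot: the added comment block above `+vm_role = on` says "The three users defined here", but nothing in this hunk defines users; modules.conf only switches the module on, and the user, role and constraint definitions live in the vm_role module itself. Suggest rewording to "The three users defined in the vm_role module can set up grant/event channel communication ..." so a reader of modules.conf knows where to look. It would also help to state in the same comment that vm_role and all_system_role are independent and may both be enabled, since the rewritten all_system_role comment ("vm_r from the vm_role module below") otherwise reads as if vm_role were only relevant when all_system_role is off.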
So should this be off? As by default we would want all_system_role?

Ah wait, it can be loaded - even if not used.

Yes, enabling both of these modules gives you flexibility to use either or
both types for domains.  Enabling only one would be useful to enforce its
use, and disabling both doesn't make much sense unless you were adding
another module.

--
Daniel De Graaf
National Security Agency
