
Re: [Xen-devel] [PATCH 11/15] flask: improve unknown permission handling


  • To: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
  • From: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
  • Date: Fri, 17 Jun 2016 13:02:58 -0400
  • Cc: xen-devel@xxxxxxxxxxxxx
  • Delivery-date: Fri, 17 Jun 2016 17:03:14 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xen.org>

On 06/17/2016 11:45 AM, Konrad Rzeszutek Wilk wrote:
On Thu, Jun 09, 2016 at 10:47:14AM -0400, Daniel De Graaf wrote:
When an unknown domctl, sysctl, or other operation is encountered in the
FLASK security server, use the allow_unknown bit in the security policy
to decide if the permission should be allowed or denied.  This bit is
off by default, but it can be set by using checkpolicy -U allow when
compiling the policy.  This allows new operations to be tested without
needing to immediately add security checks; however, it is not flexible
enough to avoid adding the actual permission checks.  An error message
is printed to the hypervisor console when this fallback is encountered.

.. and the operation is permitted.

The error message is printed either way (with a different priority).  Were
you suggesting I expand this explanation to include both the error and
warning messages separately?


Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
---
 xen/xsm/flask/hooks.c            | 44 +++++++++++++++++++++++++---------------
 xen/xsm/flask/include/security.h |  2 ++
 xen/xsm/flask/ss/policydb.c      |  1 +
 xen/xsm/flask/ss/policydb.h      |  6 ++++++
 xen/xsm/flask/ss/services.c      |  5 +++++
 5 files changed, 42 insertions(+), 16 deletions(-)

diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index a8d45e7..3ab3fbf 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -136,6 +136,23 @@ static int get_irq_sid(int irq, u32 *sid, struct 
avc_audit_data *ad)
     return 0;
 }

+static int avc_unknown_permission(const char *name, int id)
+{
+    int rc;

I would add a new line here.

OK

+    if ( !flask_enforcing || security_get_allow_unknown() )
+    {
+        printk(XENLOG_G_WARNING "FLASK: Allowing unknown %s: %d.\n", name, id);
+        rc = 0;
+    }
+    else
+    {
+        printk(XENLOG_G_ERR "FLASK: Denying unknown %s: %d.\n", name, id);
+        rc = -EPERM;
+    }
+
+    return rc;
+}
+
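Review bot: in avc_unknown_permission() the two reasons for allowing (the hypervisor being permissive via !flask_enforcing, or the policy carrying allow_unknown) produce the identical "FLASK: Allowing unknown %s: %d." warning, so an administrator reading the console cannot tell whether an operation slipped through because enforcement is off or because the policy was deliberately built with checkpolicy -U allow; consider naming the reason in the message, e.g. `"FLASK: Allowing unknown %s: %d (permissive).\n"` for the first case. As a style point, `rc` can be dropped and each branch can return 0 or -EPERM directly after its printk.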

The rest looks OK, but I have a question: Is this how Linux operates?

Yes; selinux_nlmsg_perm for an unknown netlink message seems to be an
example there.

--
Daniel De Graaf
National Security Agency
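Added example, not part of this thread or of Xen: a small log check that picks the messages printed by the new avc_unknown_permission() helper out of Xen console output and lists which operations hit the fallback, so the missing permission checks can be added. The sample lines, operation names other than domctl/sysctl, and the numeric ids are constructed for the demo.

```python
import re
from collections import Counter

# Constructed sample of Xen console output. The FLASK lines follow the two
# format strings in the patch ("FLASK: Allowing unknown %s: %d." and
# "FLASK: Denying unknown %s: %d."); ids and the xen_version name are made up.
SAMPLE_LOG = """\
(XEN) FLASK: Allowing unknown domctl: 99.
(XEN) FLASK: Allowing unknown domctl: 99.
(XEN) FLASK: Denying unknown sysctl: 42.
(XEN) d3v0 Some unrelated hypervisor message
(XEN) FLASK: Denying unknown domctl: 99.
(XEN) FLASK: Allowing unknown xen_version: 7.
"""

UNKNOWN_RE = re.compile(
    r"FLASK: (?P<action>Allowing|Denying) unknown (?P<kind>\w+): (?P<id>\d+)\."
)


def parse_unknown_events(log_text):
    """Return one (action, kind, id) tuple per fallback message in the log."""
    events = []
    for line in log_text.splitlines():
        m = UNKNOWN_RE.search(line)
        if m:
            events.append((m.group("action"), m.group("kind"), int(m.group("id"))))
    return events


def summarize(events):
    """Count hits per (kind, id), split into allowed and denied.

    Every 'Allowing' entry is an operation that ran without a real policy
    check (permissive mode or allow_unknown); that is the set worth alerting on.
    """
    allowed = Counter((k, i) for a, k, i in events if a == "Allowing")
    denied = Counter((k, i) for a, k, i in events if a == "Denying")
    return {"allowed": dict(allowed), "denied": dict(denied)}


def missing_permissions(events):
    """Distinct operations that reached the fallback at all; each needs a FLASK check."""
    return sorted({(k, i) for _, k, i in events})


if __name__ == "__main__":
    evs = parse_unknown_events(SAMPLE_LOG)
    print(summarize(evs))
    print(missing_permissions(evs))
```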
