
Re: [Xen-devel] default XSM policy for PCI passthrough for unlabeled resources.


  • To: anshul makkar <anshul.makkar@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
  • From: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
  • Date: Wed, 6 Jul 2016 11:59:05 -0400
  • Cc: andrew.cooper3@xxxxxxxxxx, cardoe@xxxxxxxxxx
  • Delivery-date: Wed, 06 Jul 2016 15:59:29 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xen.org>

On 07/06/2016 11:34 AM, anshul makkar wrote:
> Hi,
>
> Default XSM policy doesn't allow the use of unlabeled PCI resources that have
> been passed through to target domain.
>
> xen.te
> # Resources must be declared using . resource_type
> neverallow * ~resource_type:resource use;
>
> It allows the resource to be added and removed by the source domain to target
> domain, but its use by target domain is blocked.

This rule only mandates the use of resource_type for resource types.  If you 
are creating a new resource type, follow the example in nic_dev.te.

> The resource can be used only if it has been labeled using flask-label-pci
> command which needs to be rerun after every boot and after every policy reload.

Yes; this gives the most control over what resources can be delegated.  Policy
reloads are supposed to be rare (on a production system) and you already need
special boot scripts (or parameters) to set up the device for passthrough, so
this can be added there.  However, I agree this can be more work than a
"default" FLASK policy should require.

> The above approach reduces the flexibility and necessitates admin intervention to give
> passthrough rights after host has booted. Also, in general if I want to allow all domUs
> to have PCI passthrough access to all PCI devices, I have no other way apart from disabling
> the "neverallow" rule.

Try adding a module with the following rules, which should allow domU to use 
unlabeled devices:

use_device(domU_t, irq_t)
use_device(domU_t, ioport_t)
use_device(domU_t, iomem_t)
use_device(domU_t, device_t)

If this works, that module could be added to the default policy.

> Given that what we ship is just a sample default policy for reference which is expected
> to be permissive in most of the scenarios so that it doesn't affect the basic
> functionalities, is this "neverallow" rule needed?
>
> Thanks
> Anshul Makkar

The neverallow rules are just there to ensure that the attributes are being 
used correctly.

--
Daniel De Graaf
National Security Agency
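
The boot-time relabeling step discussed in this thread, as an added example that is not part of either message or of the Xen tree: a script that re-applies labels with flask-label-pci after boot or a policy reload. The device addresses are constructed, the `nic_dev_t` type is the one declared in the nic_dev.te example, and the three-part context check assumes a policy built without MLS.

```shell
#!/bin/sh
# Added example: re-apply FLASK labels to passthrough devices after boot
# or a policy reload. Not from the Xen tree; device list is constructed.

# One "SBDF security-context" pair per line (constructed sample values).
DEVICES='0000:03:02.0 system_u:object_r:nic_dev_t
0000:04:00.1 system_u:object_r:nic_dev_t'

# Accept only a full segment:bus:device.function address.
valid_sbdf() {
    printf '%s\n' "$1" |
        grep -Eq '^[0-9a-fA-F]{4}:[0-9a-fA-F]{2}:[01][0-9a-fA-F]\.[0-7]$'
}

# Accept only a user:role:type context (assumes a policy without MLS).
valid_label() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9_]+:[A-Za-z0-9_]+:[A-Za-z0-9_]+$'
}

# relabel_all MODE: --dry-run prints the commands, --apply runs them.
# The return status is the number of malformed or failed entries.
relabel_all() {
    mode=$1
    failed=0
    while read -r sbdf label; do
        [ -n "$sbdf" ] || continue
        if ! valid_sbdf "$sbdf" || ! valid_label "$label"; then
            echo "skip: malformed entry '$sbdf $label'" >&2
            failed=$((failed + 1))
        elif [ "$mode" = "--apply" ]; then
            flask-label-pci "$sbdf" "$label" || failed=$((failed + 1))
        else
            echo "flask-label-pci $sbdf $label"
        fi
    done <<EOF
$DEVICES
EOF
    return "$failed"
}

# Run only when a mode is given, e.g. from a boot script.
case "${1:-}" in
    --apply|--dry-run) relabel_all "$1" ;;
esac
```

Running it with `--dry-run` first shows exactly which devices would be labeled; a non-zero exit status means at least one entry was malformed or could not be labeled.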
