
Re: [Xen-devel] default XSM policy for PCI passthrough for unlabeled resources.


  • To: anshul makkar <anshul.makkar@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
  • From: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
  • Date: Thu, 7 Jul 2016 11:36:46 -0400
  • Cc: andrew.cooper3@xxxxxxxxxx, cardoe@xxxxxxxxxx
  • Delivery-date: Thu, 07 Jul 2016 15:37:02 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xen.org>

On 07/06/2016 12:19 PM, anshul makkar wrote:
> On 06/07/16 16:59, Daniel De Graaf wrote:
>> On 07/06/2016 11:34 AM, anshul makkar wrote:
>>> Hi,
>>>
>>> It allows the resource to be added and removed by the source domain to
>>> target domain, but its use by target domain is blocked.
>>
>> This rule only mandates the use of resource_type for resource types.  If
>> you are creating a new resource type, follow the example in nic_dev.te.
>
> Agreed, but inherently it means that "use" of any unlabeled resource be it irq,
> ioport or iomem or nic_dev is restricted.

Restricted how?  The fallback types have the resource_type attribute.

Neverallow rules are actually not present in the binary policy; they act as
compile-time assertions in the policy build.

>>> The resource can be used only if it has been labeled using
>>> flask-label-pci command which needs to be rerun after every boot and
>>> after every policy reload.
>>
>> Yes; this gives the most control over what resources can be delegated.
>> Policy reloads are supposed to be rare (on a production system) and you
>> already need special boot scripts (or parameters) to set up the device
>> for passthrough, so this can be added there.  However, I agree this can
>> be more work than a "default" FLASK policy should require.
>>
>> Try adding a module with the following rules, which should allow domU to
>> use unlabeled devices:
>>
>> use_device(domU_t, irq_t)
>> use_device(domU_t, ioport_t)
>> use_device(domU_t, iomem_t)
>> use_device(domU_t, device_t)
>
> Yes, it does work, but I have added these in delegate_device to make it
> restricted to the case where there is delegation.

This prevents using delegate_devices without allowing access to unlabeled
devices.  If you think this should be a macro, I would suggest making a new
one named something like "delegate_unlabeled_devices".

--
Daniel De Graaf
National Security Agency
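
An added example, not part of the original message and not code from the Xen tree: the separate macro suggested above, sketched in the m4 syntax of the FLASK policy sources. The name `delegate_unlabeled_devices` is the one proposed in the message; the argument order of `delegate_devices` (privileged domain first, then target domain) and the `dom0_t` type in the invocation are assumptions.

```m4
# delegate_unlabeled_devices(priv-domain, target-domain)
#   Hypothetical macro: lets priv-domain delegate devices to target-domain
#   and lets target-domain use resources that still carry the fallback
#   (unlabeled) types. delegate_devices is left unchanged, so it can still
#   be granted on its own without opening up unlabeled devices.
#   Assumption: delegate_devices takes (priv-domain, target-domain).
define(`delegate_unlabeled_devices', `
	delegate_devices($1, $2)
	use_device($2, irq_t)
	use_device($2, ioport_t)
	use_device($2, iomem_t)
	use_device($2, device_t)
')

# Invocation in a local policy module (dom0_t is an assumed type name).
delegate_unlabeled_devices(dom0_t, domU_t)
```

Domains that should only receive devices labeled with flask-label-pci keep using `delegate_devices` alone; the wider grant on the fallback types applies only where this macro is invoked.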
