[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [PATCH] xsm: add missing permissions discovered in testing


  • To: xen-devel@xxxxxxxxxxxxx
  • From: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
  • Date: Fri, 4 Nov 2016 11:35:20 -0400
  • Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
  • Delivery-date: Fri, 04 Nov 2016 15:35:55 +0000
  • Ironport-phdr: 9a23:RJNpsRQjv7UuXQp6URDE0Theh9psv+yvbD5Q0YIujvd0So/mwa64YxKN2/xhgRfzUJnB7Loc0qyN4vqmCT1LvsbJmUtBWaQEbwUCh8QSkl5oK+++Imq/EsTXaTcnFt9JTl5v8iLzG0FUHMHjew+a+SXqvnYsExnyfTB4Ov7yUtaLyZ/mjabiqtaMM01hv3mUWftKNhK4rAHc5IE9oLBJDeIP8CbPuWZCYO9MxGlldhq5lhf44dqsrtY4q3wD89pozcNLUL37cqIkVvQYSW1+ayFm2dfv/SXnYUPPoyFEEzZerh0dEwXDqR33QJr1mi/7rfZmnjmXO4vxV79ndy6l6vJHQRnphSNPGzNx33veg8I42K5UrB+uvRVX35/fYIbTMuF3OKzaY4VJFiJ6Qs9NWnkZUcuHZIwVAr9EZLwAog==
  • List-id: Xen developer discussion <xen-devel.lists.xen.org>

Add two missing allow rules:

1. Device model domain construction uses getvcpucontext, discovered by
Andrew Cooper in an (apparently) unrelated bisection.

2. When a domain is destroyed with a device passthrough active, the
calls to remove_{irq,ioport,iomem} can be made by the hypervisor itself
(which results in an XSM check with the source xen_t).  It does not make
sense to deny these permissions; no domain should be using xen_t, and
forbidding the hypervisor from performing cleanup is not useful.

Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
---
 tools/flask/policy/modules/xen.if | 2 +-
 tools/flask/policy/modules/xen.te | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/tools/flask/policy/modules/xen.if 
b/tools/flask/policy/modules/xen.if
index d83f031..eb646f5 100644
--- a/tools/flask/policy/modules/xen.if
+++ b/tools/flask/policy/modules/xen.if
@@ -49,7 +49,7 @@ define(`create_domain_common', `
        allow $1 $2:domain { create max_vcpus setdomainmaxmem setaddrsize
                        getdomaininfo hypercall setvcpucontext getscheduler
                        getvcpuinfo getaddrsize getaffinity setaffinity
-                       settime setdomainhandle };
+                       settime setdomainhandle getvcpucontext };
        allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim
                        set_max_evtchn set_vnumainfo get_vnumainfo cacheflush
                        psr_cmt_op psr_cat_op soft_reset };
diff --git a/tools/flask/policy/modules/xen.te 
b/tools/flask/policy/modules/xen.te
index b52edc2..0cff2df 100644
--- a/tools/flask/policy/modules/xen.te
+++ b/tools/flask/policy/modules/xen.te
@@ -49,6 +49,10 @@ type ioport_t, resource_type;
 type iomem_t, resource_type;
 type device_t, resource_type;
 
+# Domain destruction can result in some access checks for actions performed by
+# the hypervisor.  These should always be allowed.
+allow xen_t resource_type : resource { remove_irq remove_ioport remove_iomem };
+
 
################################################################################
 #
 # Policy constraints
-- 
2.7.4


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.