
Re: [Xen-devel] [PATCH] flask: Add check for io{port, mem}con sorting



> To: xen-devel@xxxxxxxxxxxxxxxxxxxx
> From: Daniel De Graaf 
> Sent by: "Xen-devel" 
> Date: 09/28/2018 09:13PM
> Cc: George Dunlap <dunlapg@xxxxxxxxx>, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
> Subject: [Xen-devel] [PATCH] flask: Add check for io{port,mem}con sorting
>
> These entries are not always sorted by checkpolicy.  Enforce the sorting
> (which can be done manually if using an unpatched checkpolicy) when
> loading the policy so that later uses by the security server do not
> incorrectly use the initial sid.
>
> Reported-by: Nicolas Poirot <nicolas.poirot@xxxxxxxxx>
> Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
> ---
>  xen/xsm/flask/ss/policydb.c | 14 +++++++++++++-
>  1 file changed, 13 insertions(+), 1 deletion(-)
>
> diff --git a/xen/xsm/flask/ss/policydb.c b/xen/xsm/flask/ss/policydb.c
> index 3a12d96ef9..fcf63693b9 100644
> --- a/xen/xsm/flask/ss/policydb.c
> +++ b/xen/xsm/flask/ss/policydb.c
> @@ -2007,7 +2007,6 @@ int policydb_read(struct policydb *p, void *fp)
>                  l->next = c;
>              else
>                  p->ocontexts[i] = c;
> -            l = c;
>              rc = -EINVAL;
>              switch ( i )
>              {
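Review bot: moving `l = c;` out of this spot changes what `l` means inside the switch (the previously accepted entry rather than the current one), and the new checks below dereference `l->u.ioport` / `l->u.iomem` through different union members, so please confirm `l` is reset to NULL at the start of each outer iteration over `i`; otherwise the first entry of one context type is compared against the last entry of the previous type through the wrong union member, which `if ( l && ... )` alone does not guard against. A one-line comment above the switch noting that `l` is the previous entry would also help future readers.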
> @@ -2050,6 +2049,12 @@ int policydb_read(struct policydb *p, void *fp)
>                  rc = context_read_and_validate(&c->context, p, fp);
>                  if ( rc )
>                      goto bad;
> +                if ( l && l->u.ioport.high_ioport > c->u.ioport.low_ioport )
> +                {
> +                    printk(KERN_ERR
> +                        "Flask: Invalid policy, ioportcon not sorted\n");
> +                    goto bad;
> +                }
>                  break;
>              case OCON_IOMEM:
>                  if ( p->target_type != TARGET_XEN )
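Review bot: the comparison `l->u.ioport.high_ioport > c->u.ioport.low_ioport` uses a strict `>`, so if `high_ioport` is an inclusive bound, two entries where the previous high equals the next low overlap on exactly one port and still pass; if that is the intended semantics a short comment saying so would avoid the question, otherwise `>=` is needed. The message "ioportcon not sorted" also fires for overlapping ranges, not only unsorted ones; including the two offending values in the printk would let an operator find the policy line without bisecting the file.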
> @@ -2078,6 +2083,12 @@ int policydb_read(struct policydb *p, void *fp)
>                  rc = context_read_and_validate(&c->context, p, fp);
>                  if ( rc )
>                      goto bad;
> +                if ( l && l->u.iomem.high_iomem > c->u.iomem.low_iomem )
> +                {
> +                    printk(KERN_ERR
> +                        "Flask: Invalid policy, iomemcon not sorted\n");
> +                    goto bad;
> +                }
>                  break;
>              case OCON_DEVICE:
>                  if ( p->target_type != TARGET_XEN )
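Review bot: this is the same check as the ioportcon hunk with the union member renamed; the boundary question (strict `>` versus `>=` when `high_iomem` is inclusive) applies here as well, and the two could be kept in step by comparing through a small shared helper rather than duplicating the condition and printk. As with ioportcon, printing the offending `high_iomem` / `low_iomem` values in the error message would make a rejected policy much easier to diagnose.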
> @@ -2123,6 +2134,7 @@ int policydb_read(struct policydb *p, void *fp)
>                  rc = -EINVAL;
>                  goto bad;
>              }
> +            l = c;
>          }
>      }
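Review bot: with `l = c;` placed after the switch, `l` only advances for entries that reached `break`, since every error path goes to `bad` and never returns here, which is what the sort check relies on; worth stating in the commit message, together with the fact that this is a behaviour change: a policy with unsorted or overlapping io{port,mem}con entries that previously loaded (and silently resolved to the initial SID) will now fail to load, so users of an unpatched checkpolicy need the manual-sorting note from the description to find them.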
> 
> -- 
> 2.14.4

Looks good to me.
Tested on RELEASE-4.11.0 on a juno-r2 platform, with checkpolicy 2.5.
Thank you.

Tested-by: Nicolas Poirot <nicolas.poirot@xxxxxxxxx>
Reviewed-by: Nicolas Poirot <nicolas.poirot@xxxxxxxxx>


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel
