WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xense-devel

Re: [Xen-devel] Re: [Xense-devel] [XSM:ACM][PATCH] nulldereference bug f

To: Stefan Berger <stefanb@xxxxxxxxxx>
Subject: Re: [Xen-devel] Re: [Xense-devel] [XSM:ACM][PATCH] nulldereference bug fix
From: "George S. Coker, II" <gscoker@xxxxxxxxxxxxxx>
Date: Fri, 28 Sep 2007 11:05:27 -0400
Cc: xen-devel@xxxxxxxxxxxxxxxxxxx, xense-devel@xxxxxxxxxxxxxxxxxxx
Delivery-date: Fri, 28 Sep 2007 08:07:17 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <OF93FD03BF.C3CD9044-ON85257364.004E013C-85257364.004EE005@xxxxxxxxxx>
List-help: <mailto:xense-devel-request@lists.xensource.com?subject=help>
List-id: "A discussion list for those developing security enhancements for Xen." <xense-devel.lists.xensource.com>
List-post: <mailto:xense-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xense-devel>, <mailto:xense-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xense-devel>, <mailto:xense-devel-request@lists.xensource.com?subject=unsubscribe>
References: <OF93FD03BF.C3CD9044-ON85257364.004E013C-85257364.004EE005@xxxxxxxxxx>
Sender: xense-devel-bounces@xxxxxxxxxxxxxxxxxxx
On Fri, 2007-09-28 at 10:21 -0400, Stefan Berger wrote:

> The problem is that the roll-back related to chinese wall must *only*
> be done when the check on the chinese wall was successful and NOT when
> it was not successful. 
> Following the test Syunsuke HAYASHI describes in 
> 
> http://lists.xensource.com/archives/html/xen-devel/2007-09/msg00514.html 
> 
> 
> I get the following after creating the 1st domain when doing an 'xm
> dumppolicy': 
> 
> 
> 
> Policy dump:
> ============
> POLICY REFERENCE = example.client_v1.
> PolicyVer = 8c000000.
> XML Vers. = 1.24
> Magic     = 1debc.
> Len       = 178.
> Primary   = CHINESE WALL (c=1, off=40).
> Secondary = SIMPLE TYPE ENFORCEMENT (c=2, off=b8).
> 
> 
> Chinese Wall policy:
> ====================
> Policy version= ffffe849.
> Max Types     = 4.
> Max Ssidrefs  = 7.
> Max ConfSets  = 1.
> Ssidrefs Off  = 24.
> Conflicts Off = 5c.
> Runing T. Off = 64.
> C. Agg. Off   = 6c.
> 
> SSID To CHWALL-Type matrix:
> 
>   ssidref 0:  00 00 00 00 
>   ssidref 1:  00 00 00 01  <-- Domain-0
>   ssidref 2:  00 01 00 00 
>   ssidref 3:  01 00 00 00 
>   ssidref 4:  00 00 01 00 
>   ssidref 5:  00 00 00 01 
>   ssidref 6:  00 00 00 01 
> 
> Confict Sets:
> 
>   c-set 0:    01 00 01 00 
> 
> Running
> Types:         00 00 01 01 
> 
> Conflict
> Aggregate Set: 01 00 00 00 
> 
> 
> Simple Type Enforcement policy:
> ===============================
> Policy version= cef6c202.
> Max Types     = 6.
> Max Ssidrefs  = e.
> Ssidrefs Off  = 14.
> 
> SSID To STE-Type matrix:
> 
>   ssidref 0: 00 00 00 00 00 00 
>   ssidref 1: 01 01 01 01 01 01  <-- Domain-0
>   ssidref 2: 01 00 00 00 00 00 
>   ssidref 3: 00 01 00 00 00 00 
>   ssidref 4: 00 00 00 00 01 00 
>   ssidref 5: 01 01 01 00 01 00 
>   ssidref 6: 00 01 00 01 01 00 
>   ssidref 7: 00 00 01 00 00 00 
>   ssidref 8: 00 00 00 00 00 01 
>   ssidref 9: 00 00 00 01 00 00 
>   ssidref a: 00 00 00 00 01 00 
>   ssidref b: 00 01 00 00 00 00 
>   ssidref c: 00 00 00 00 00 01 
>   ssidref d: 00 00 00 00 01 00 
> 
> 
> 
> 
> This is output is correct. 
> 
> 
> After trying to start the 2nd domain I now get: 
> 
> 
> 
> Policy dump:
> ============
> POLICY REFERENCE = example.client_v1.
> PolicyVer = 0.
> XML Vers. = 1.24
> Magic     = 1debc.
> Len       = 178.
> Primary   = CHINESE WALL (c=1, off=40).
> Secondary = SIMPLE TYPE ENFORCEMENT (c=2, off=b8).
> 
> 
> Chinese Wall policy:
> ====================
> Policy version= 100ff00.
> Max Types     = 4.
> Max Ssidrefs  = 7.
> Max ConfSets  = 1.
> Ssidrefs Off  = 24.
> Conflicts Off = 5c.
> Runing T. Off = 64.
> C. Agg. Off   = 6c.
> 
> SSID To CHWALL-Type matrix:
> 
>   ssidref 0:  00 00 00 00 
>   ssidref 1:  00 00 00 01  <-- Domain-0
>   ssidref 2:  00 01 00 00 
>   ssidref 3:  01 00 00 00 
>   ssidref 4:  00 00 01 00 
>   ssidref 5:  00 00 00 01 
>   ssidref 6:  00 00 00 01 
> 
> Confict Sets:
> 
>   c-set 0:    01 00 01 00 
> 
> Running
> Types:         ffff 00 01 01 
> 
> Conflict
> Aggregate Set: 01 00 ffff 00 
> 
> 
> Simple Type Enforcement policy:
> ===============================
> Policy version= 0.
> Max Types     = 6.
> Max Ssidrefs  = e.
> Ssidrefs Off  = 14.
> 
> SSID To STE-Type matrix:
> 
>   ssidref 0: 00 00 00 00 00 00 
>   ssidref 1: 01 01 01 01 01 01  <-- Domain-0
>   ssidref 2: 01 00 00 00 00 00 
>   ssidref 3: 00 01 00 00 00 00 
>   ssidref 4: 00 00 00 00 01 00 
>   ssidref 5: 01 01 01 00 01 00 
>   ssidref 6: 00 01 00 01 01 00 
>   ssidref 7: 00 00 01 00 00 00 
>   ssidref 8: 00 00 00 00 00 01 
>   ssidref 9: 00 00 00 01 00 00 
>   ssidref a: 00 00 00 00 01 00 
>   ssidref b: 00 01 00 00 00 00 
>   ssidref c: 00 00 00 00 00 01 
>   ssidref d: 00 00 00 00 01 00 
> 
> 
> 
> Obviously the 'Running Types' and 'Conflict Aggregate Set' are showing
> wrong numbers due to the state on the chinese wall having been rolled
> back, although it should not have been. Also, the reason why this
> operation was protected through the surrounding lock is that while
> this test happens no policy change may occur, which would recalculate
> all the state. So I'd rather have this unrolling left where it was. 
> 

> > 
> > > static inline int acm_domain_create(struct domain *d, ssidref_t
> > > ssidref)
> > > {
> > >    void *subject_ssid = current->domain->ssid;
> > >    domid_t domid = d->domain_id;
> > >    int rc;
> > > 
> > >    read_lock(&acm_bin_pol_rwlock);
> > >    /*
> > >       To be called when a domain is created; returns '0' if the
> > >       domain is allowed to be created, != '0' if not.
> > >     */
> > >    rc = acm_init_domain_ssid(d, ssidref);
> > >    if (rc != ACM_OK)
> > >        goto error_out;
> > > 
> > >    if ((acm_primary_ops->domain_create != NULL) &&
> > >        acm_primary_ops->domain_create(subject_ssid, ssidref,
> domid)) {
> > >        rc = ACM_ACCESS_DENIED;
> > >    } else if ((acm_secondary_ops->domain_create != NULL) &&
> > >                acm_secondary_ops->domain_create(subject_ssid,
> ssidref,
> > >                                                 domid)) {
> > >        /* roll-back primary */
> > >        if (acm_primary_ops->domain_destroy != NULL)
> > >            acm_primary_ops->domain_destroy(d->ssid, d);
> > >        rc = ACM_ACCESS_DENIED;
> > >    }
> > > 
> > >    if ( rc == ACM_OK )
> > >    {
> > >        acm_domain_ssid_onto_list(d->ssid);
> > >    } else {
> > >        acm_free_domain_ssid(d->ssid);
> > >    }
> > > 
> > > error_out:
> > >    read_unlock(&acm_bin_pol_rwlock);
> > >    return rc;
> > > } 
> > > 

Ok, but then the null dereference issue still exists within the context
of XSM.  The options are:

1) Follow acm_free_domain_ssid(d->ssid) with d->ssid = NULL
(I've tested this and it maintains the desired policy state:

Confict Sets:

   c-set 0:    00 01 00 01

Running
Types:         01 01 00 00

Conflict
Aggregate Set: 00 00 00 01

but seems less attractive from a coding style perspective)

or 

2) Chance acm_free_domain_ssid to pass d instead of ssid and ensure that
d->ssid = NULL in acm_free_domain_ssid.

George

_______________________________________________
Xense-devel mailing list
Xense-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xense-devel