
Re: [Xen-devel] [PATCH 02/19] flask/policy: Add domain relabel example



On 11/19/2012 05:46 AM, Ian Campbell wrote:
> On Fri, 2012-11-16 at 18:28 +0000, Daniel De Graaf wrote:
>> This adds the nomigrate_t type to the example FLASK policy which allows
>> domains to be created that dom0 cannot access after building.
> 
> This is a very cool example of how even dom0's privileges can be
> curtailed, I like it!
> 
> The fact that the domain can't be migrated is more of a side-effect
> though I guess, but I can't really think of a better name (e.g.
> "securedom_t" suggests other domains aren't etc...)

Especially as I have already used some of the other choices (protected,
isolated) for other examples. The inability to migrate actually sums up
the protection this provides: since the only reason dom0 has to read a
domain's memory is to migrate it, preventing migration should (in theory)
prevent that access.

> I'd ack it but this stuff is all Greek to me ;-)

FLASK policies in general tend to be hard to read, especially since using
the M4 macros is almost required to make a sane policy. There is some work
at making a higher-level language for SELinux policy definition, so that
can be applied to Xen at some point. Using sesearch on the Xen policy can
also be useful to see what the result of the definitions is.

>>
>> Example domain configuration snippet:
>>   seclabel='customer_1:vm_r:nomigrate_t'
>>   init_seclabel='customer_1:vm_r:nomigrate_t_building'
>>
>> Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
>> ---
>>  docs/misc/xsm-flask.txt                      |  2 +
>>  tools/flask/policy/policy/modules/xen/xen.if | 56 +++++++++++++++++++++-------
>>  tools/flask/policy/policy/modules/xen/xen.te | 10 +++++
>>  3 files changed, 55 insertions(+), 13 deletions(-)
>>
>> diff --git a/docs/misc/xsm-flask.txt b/docs/misc/xsm-flask.txt
>> index 6b0d327..0778a28 100644
>> --- a/docs/misc/xsm-flask.txt
>> +++ b/docs/misc/xsm-flask.txt
>> @@ -60,6 +60,8 @@ that can be used without dom0 disaggregation. The main 
>> types for domUs are:
>>   - domU_t is a domain that can communicate with any other domU_t
>>   - isolated_domU_t can only communicate with dom0
>>   - prot_domU_t is a domain type whose creation can be disabled with a 
>> boolean
>> + - nomigrate_t is a domain that must be created via the nomigrate_t_building
>> +   type, and whose memory cannot be read by dom0 once created
>>  
>>  HVM domains with stubdomain device models use two types (one per domain):
>>   - domHVM_t is an HVM domain that uses a stubdomain device model
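Review bot: the new nomigrate_t bullet says the domain "must be created via the nomigrate_t_building type" but gives the reader no way to request that; the commit message shows the mechanism (seclabel='customer_1:vm_r:nomigrate_t' together with init_seclabel='customer_1:vm_r:nomigrate_t_building'), so the doc should name init_seclabel here, and it should also spell out the consequence the type name carries: because dom0 cannot read the domain's memory once it is built, dom0 cannot save or migrate a nomigrate_t domain.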

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel