[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH] xsm: add missing permissions discovered in testing

On 04/11/16 15:35, Daniel De Graaf wrote:
> Add two missing allow rules:
>
> 1. Device model domain construction uses getvcpucontext, discovered by
> Andrew Cooper in an (apparently) unrelated bisection.

Merely observation of the logs while chasing an unrelated issue.

~Andrew

>
> 2. When a domain is destroyed with a device passthrough active, the
> calls to remove_{irq,ioport,iomem} can be made by the hypervisor itself
> (which results in an XSM check with the source xen_t).  It does not make
> sense to deny these permissions; no domain should be using xen_t, and
> forbidding the hypervisor from performing cleanup is not useful.
>
> Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
> Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
> ---
>  tools/flask/policy/modules/xen.if | 2 +-
>  tools/flask/policy/modules/xen.te | 4 ++++
>  2 files changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/tools/flask/policy/modules/xen.if 
> b/tools/flask/policy/modules/xen.if
> index d83f031..eb646f5 100644
> --- a/tools/flask/policy/modules/xen.if
> +++ b/tools/flask/policy/modules/xen.if
> @@ -49,7 +49,7 @@ define(`create_domain_common', `
>       allow $1 $2:domain { create max_vcpus setdomainmaxmem setaddrsize
>                       getdomaininfo hypercall setvcpucontext getscheduler
>                       getvcpuinfo getaddrsize getaffinity setaffinity
> -                     settime setdomainhandle };
> +                     settime setdomainhandle getvcpucontext };
>       allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim
>                       set_max_evtchn set_vnumainfo get_vnumainfo cacheflush
>                       psr_cmt_op psr_cat_op soft_reset };
> diff --git a/tools/flask/policy/modules/xen.te 
> b/tools/flask/policy/modules/xen.te
> index b52edc2..0cff2df 100644
> --- a/tools/flask/policy/modules/xen.te
> +++ b/tools/flask/policy/modules/xen.te
> @@ -49,6 +49,10 @@ type ioport_t, resource_type;
>  type iomem_t, resource_type;
>  type device_t, resource_type;
>  
> +# Domain destruction can result in some access checks for actions performed 
> by
> +# the hypervisor.  These should always be allowed.
> +allow xen_t resource_type : resource { remove_irq remove_ioport remove_iomem 
> };
> +
>  
> ################################################################################
>  #
>  # Policy constraints


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.