
[Xen-changelog] [xen-unstable] xsm/flask: add domain relabel support


  • To: xen-changelog@xxxxxxxxxxxxxxxxxxx
  • From: Xen patchbot-unstable <patchbot@xxxxxxx>
  • Date: Tue, 18 Sep 2012 08:22:11 +0000
  • Delivery-date: Tue, 18 Sep 2012 08:22:18 +0000
  • List-id: "Change log for Mercurial \(receive only\)" <xen-changelog.lists.xen.org>

# HG changeset patch
# User Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
# Date 1347912741 -3600
# Node ID d1c3375c3f118de2465e4b4ec5e8950aafe5a903
# Parent  383f0b427494a2b0f03ccd51b19d10042999f20e
xsm/flask: add domain relabel support

This adds the ability to change a domain's XSM label after creation.
The new label will be used for all future access checks; however,
existing event channels and memory mappings will remain valid even if
their creation would be denied by the new label.

With appropriate security policy and hooks in the domain builder, this
can be used to create domains that the domain builder does not have
access to after building. It can also be used to allow a domain to
drop privileges - for example, prior to launching a user-supplied
kernel loaded by a pv-grub stubdom.

Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
Committed-by: Keir Fraser <keir@xxxxxxx>
---


diff -r 383f0b427494 -r d1c3375c3f11 
tools/flask/policy/policy/flask/access_vectors
--- a/tools/flask/policy/policy/flask/access_vectors    Mon Sep 17 21:10:39 
2012 +0100
+++ b/tools/flask/policy/policy/flask/access_vectors    Mon Sep 17 21:12:21 
2012 +0100
@@ -73,6 +73,13 @@ class domain
        set_virq_handler
 }
 
+class domain2
+{
+       relabelfrom
+       relabelto
+       relabelself
+}
+
 class hvm
 {
     sethvmc
diff -r 383f0b427494 -r d1c3375c3f11 
tools/flask/policy/policy/flask/security_classes
--- a/tools/flask/policy/policy/flask/security_classes  Mon Sep 17 21:10:39 
2012 +0100
+++ b/tools/flask/policy/policy/flask/security_classes  Mon Sep 17 21:12:21 
2012 +0100
@@ -9,6 +9,7 @@
 
 class xen
 class domain
+class domain2
 class hvm
 class mmu
 class resource
diff -r 383f0b427494 -r d1c3375c3f11 
tools/flask/policy/policy/modules/xen/xen.te
--- a/tools/flask/policy/policy/modules/xen/xen.te      Mon Sep 17 21:10:39 
2012 +0100
+++ b/tools/flask/policy/policy/modules/xen/xen.te      Mon Sep 17 21:12:21 
2012 +0100
@@ -169,7 +169,7 @@ delegate_devices(dom0_t, domU_t)
 
################################################################################
 
 # Domains must be declared using domain_type
-neverallow * ~domain_type:domain create;
+neverallow * ~domain_type:domain { create transition };
 
 # Resources must be declared using resource_type
 neverallow * ~resource_type:resource use;
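Review bot: The widened neverallow on the `+` line is what keeps relabel targets inside domain_type, because flask_relabel_domain (in the flask_op.c hunk of this commit) requires domain:transition from the current label to the requested one before writing it, but the comment above the rule still only mentions creation. A reader of the policy alone cannot see that connection, so I would extend the comment: `# Domains must be declared using domain_type; relabel_domain requires domain:transition to the new label, so this also bounds relabel targets`. The new domain2 permissions (relabelfrom/relabelto/relabelself) are not constrained by any neverallow in this hunk, which is presumably intentional since transition already limits the outcome — worth a sentence saying so.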
diff -r 383f0b427494 -r d1c3375c3f11 xen/include/public/xsm/flask_op.h
--- a/xen/include/public/xsm/flask_op.h Mon Sep 17 21:10:39 2012 +0100
+++ b/xen/include/public/xsm/flask_op.h Mon Sep 17 21:12:21 2012 +0100
@@ -142,6 +142,12 @@ struct xen_flask_peersid {
     uint32_t sid;
 };
 
+struct xen_flask_relabel {
+    /* IN */
+    uint32_t domid;
+    uint32_t sid;
+};
+
 struct xen_flask_op {
     uint32_t cmd;
 #define FLASK_LOAD              1
@@ -167,6 +173,7 @@ struct xen_flask_op {
 #define FLASK_ADD_OCONTEXT      21
 #define FLASK_DEL_OCONTEXT      22
 #define FLASK_GET_PEER_SID      23
+#define FLASK_RELABEL_DOMAIN    24
     uint32_t interface_version; /* XEN_FLASK_INTERFACE_VERSION */
     union {
         struct xen_flask_load load;
@@ -185,6 +192,7 @@ struct xen_flask_op {
         /* FLASK_ADD_OCONTEXT, FLASK_DEL_OCONTEXT */
         struct xen_flask_ocontext ocontext;
         struct xen_flask_peersid peersid;
+        struct xen_flask_relabel relabel;
     } u;
 };
 typedef struct xen_flask_op xen_flask_op_t;
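Review bot: The new struct xen_flask_relabel documents its fields only as `/* IN */`, which says nothing about what values are accepted; the flask_op.c hunk shows that domid may be DOMID_SELF (it is compared against it explicitly) and that sid is the label written into the target's security struct. Since this is a public ABI header I would document both: `uint32_t domid; /* target domain, or DOMID_SELF for the caller */` and `uint32_t sid; /* new security identifier for the target; must be known to the loaded policy */`. The struct is added to the `u` union without an interface_version change; that looks fine because it is two uint32_t fields and so cannot enlarge the union, but a reviewer should confirm against the other union members not shown here.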
diff -r 383f0b427494 -r d1c3375c3f11 xen/xsm/flask/flask_op.c
--- a/xen/xsm/flask/flask_op.c  Mon Sep 17 21:10:39 2012 +0100
+++ b/xen/xsm/flask/flask_op.c  Mon Sep 17 21:12:21 2012 +0100
@@ -573,6 +573,51 @@ static int flask_get_peer_sid(struct xen
     return rv;
 }
 
+static int flask_relabel_domain(struct xen_flask_relabel *arg)
+{
+    int rc;
+    struct domain *d;
+    struct domain_security_struct *csec = current->domain->ssid;
+    struct domain_security_struct *dsec;
+    struct avc_audit_data ad;
+    AVC_AUDIT_DATA_INIT(&ad, NONE);
+
+    d = rcu_lock_domain_by_any_id(arg->domid);
+    if ( d == NULL )
+        return -ESRCH;
+
+    ad.sdom = current->domain;
+    ad.tdom = d;
+    dsec = d->ssid;
+
+    if ( arg->domid == DOMID_SELF )
+    {
+        rc = avc_has_perm(dsec->sid, arg->sid, SECCLASS_DOMAIN2, 
DOMAIN2__RELABELSELF, &ad);
+        if ( rc )
+            goto out;
+    }
+    else
+    {
+        rc = avc_has_perm(csec->sid, dsec->sid, SECCLASS_DOMAIN2, 
DOMAIN2__RELABELFROM, &ad);
+        if ( rc )
+            goto out;
+
+        rc = avc_has_perm(csec->sid, arg->sid, SECCLASS_DOMAIN2, 
DOMAIN2__RELABELTO, &ad);
+        if ( rc )
+            goto out;
+    }
+
+    rc = avc_has_perm(dsec->sid, arg->sid, SECCLASS_DOMAIN, 
DOMAIN__TRANSITION, &ad);
+    if ( rc )
+        goto out;
+
+    dsec->sid = arg->sid;
+
+ out:
+    rcu_unlock_domain(d);
+    return rc;
+}
+
 long do_flask_op(XEN_GUEST_HANDLE(xsm_op_t) u_flask_op)
 {
     xen_flask_op_t op;
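Review bot: Only a literal DOMID_SELF takes the relabelself branch; a domain that passes its own numeric domid instead resolves, via rcu_lock_domain_by_any_id, to a d whose ssid is the same object as csec, and is then gated by relabelfrom plus relabelto rather than relabelself, so two different permission sets authorise the same operation depending on how the caller names itself. If that is intended it deserves a comment on the `if ( arg->domid == DOMID_SELF )` line, e.g. `/* relabelself applies only to DOMID_SELF; a domain naming its own domid is checked as relabelfrom/relabelto */`; if not, the condition could become `if ( arg->domid == DOMID_SELF || d == current->domain )`. The unconditional write `dsec->sid = arg->sid;` relies on the preceding avc_has_perm calls failing for a sid the sidtab does not know, which is outside this hunk and should be confirmed and stated in a comment above the assignment. The store is not synchronised against access checks on other CPUs reading dsec->sid; the commit message accepts that existing mappings stay valid, so a short comment noting the racy-by-design update would help the next reader. flask_relabel_domain is complete within the hunk.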
@@ -680,6 +725,10 @@ long do_flask_op(XEN_GUEST_HANDLE(xsm_op
         rv = flask_get_peer_sid(&op.u.peersid);
         break;
 
+    case FLASK_RELABEL_DOMAIN:
+        rv = flask_relabel_domain(&op.u.relabel);
+        break;
+
     default:
         rv = -ENOSYS;
     }
diff -r 383f0b427494 -r d1c3375c3f11 xen/xsm/flask/include/av_perm_to_string.h
--- a/xen/xsm/flask/include/av_perm_to_string.h Mon Sep 17 21:10:39 2012 +0100
+++ b/xen/xsm/flask/include/av_perm_to_string.h Mon Sep 17 21:12:21 2012 +0100
@@ -61,6 +61,9 @@
    S_(SECCLASS_DOMAIN, DOMAIN__SETPODTARGET, "setpodtarget")
    S_(SECCLASS_DOMAIN, DOMAIN__SET_MISC_INFO, "set_misc_info")
    S_(SECCLASS_DOMAIN, DOMAIN__SET_VIRQ_HANDLER, "set_virq_handler")
+   S_(SECCLASS_DOMAIN2, DOMAIN2__RELABELFROM, "relabelfrom")
+   S_(SECCLASS_DOMAIN2, DOMAIN2__RELABELTO, "relabelto")
+   S_(SECCLASS_DOMAIN2, DOMAIN2__RELABELSELF, "relabelself")
    S_(SECCLASS_HVM, HVM__SETHVMC, "sethvmc")
    S_(SECCLASS_HVM, HVM__GETHVMC, "gethvmc")
    S_(SECCLASS_HVM, HVM__SETPARAM, "setparam")
diff -r 383f0b427494 -r d1c3375c3f11 xen/xsm/flask/include/av_permissions.h
--- a/xen/xsm/flask/include/av_permissions.h    Mon Sep 17 21:10:39 2012 +0100
+++ b/xen/xsm/flask/include/av_permissions.h    Mon Sep 17 21:12:21 2012 +0100
@@ -63,6 +63,10 @@
 #define DOMAIN__SET_MISC_INFO                     0x40000000UL
 #define DOMAIN__SET_VIRQ_HANDLER                  0x80000000UL
 
+#define DOMAIN2__RELABELFROM                      0x00000001UL
+#define DOMAIN2__RELABELTO                        0x00000002UL
+#define DOMAIN2__RELABELSELF                      0x00000004UL
+
 #define HVM__SETHVMC                              0x00000001UL
 #define HVM__GETHVMC                              0x00000002UL
 #define HVM__SETPARAM                             0x00000004UL
diff -r 383f0b427494 -r d1c3375c3f11 xen/xsm/flask/include/class_to_string.h
--- a/xen/xsm/flask/include/class_to_string.h   Mon Sep 17 21:10:39 2012 +0100
+++ b/xen/xsm/flask/include/class_to_string.h   Mon Sep 17 21:12:21 2012 +0100
@@ -5,6 +5,7 @@
     S_("null")
     S_("xen")
     S_("domain")
+    S_("domain2")
     S_("hvm")
     S_("mmu")
     S_("resource")
diff -r 383f0b427494 -r d1c3375c3f11 xen/xsm/flask/include/flask.h
--- a/xen/xsm/flask/include/flask.h     Mon Sep 17 21:10:39 2012 +0100
+++ b/xen/xsm/flask/include/flask.h     Mon Sep 17 21:12:21 2012 +0100
@@ -7,13 +7,14 @@
  */
 #define SECCLASS_XEN                                     1
 #define SECCLASS_DOMAIN                                  2
-#define SECCLASS_HVM                                     3
-#define SECCLASS_MMU                                     4
-#define SECCLASS_RESOURCE                                5
-#define SECCLASS_SHADOW                                  6
-#define SECCLASS_EVENT                                   7
-#define SECCLASS_GRANT                                   8
-#define SECCLASS_SECURITY                                9
+#define SECCLASS_DOMAIN2                                 3
+#define SECCLASS_HVM                                     4
+#define SECCLASS_MMU                                     5
+#define SECCLASS_RESOURCE                                6
+#define SECCLASS_SHADOW                                  7
+#define SECCLASS_EVENT                                   8
+#define SECCLASS_GRANT                                   9
+#define SECCLASS_SECURITY                                10
 
 /*
  * Security identifier indices for initial entities
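Review bot: Inserting SECCLASS_DOMAIN2 as 3 shifts every later class value (HVM through SECURITY) by one, which is only correct because security_classes and class_to_string.h are reordered in the same commit; nothing in this header records that the values are positional. I would add above the block: `/* Class values are the 1-based position of the class in security_classes and class_to_string.h; all three must change together. */`. A policy binary built against the previous ordering now has its class indices off by one from hvm onward — whether the hypervisor rejects such a policy at load time or silently misinterprets it depends on the class-name validation in the policy loader, which is not in this diff and should be checked.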
