Re: [Xen-devel] [PATCH 02/19] flask/policy: Add domain relabel example
On Fri, 2012-11-16 at 18:28 +0000, Daniel De Graaf wrote:
> This adds the nomigrate_t type to the example FLASK policy which allows
> domains to be created that dom0 cannot access after building.

This is a very cool example of how even dom0's privileges can be curtailed, I like it! The fact that the domain can't be migrated is more of a side-effect though I guess, but I can't really think of a better name (e.g. "securedom_t" suggests other domains aren't etc...) I'd ack it but this stuff is all Greek to me ;-)

>
> Example domain configuration snippet:
> seclabel='customer_1:vm_r:nomigrate_t'
> init_seclabel='customer_1:vm_r:nomigrate_t_building'
>
> Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
> ---
> docs/misc/xsm-flask.txt | 2 +
> tools/flask/policy/policy/modules/xen/xen.if | 56
> +++++++++++++++++++++-------
> tools/flask/policy/policy/modules/xen/xen.te | 10 +++++
> 3 files changed, 55 insertions(+), 13 deletions(-)
>
> diff --git a/docs/misc/xsm-flask.txt b/docs/misc/xsm-flask.txt
> index 6b0d327..0778a28 100644
> --- a/docs/misc/xsm-flask.txt
> +++ b/docs/misc/xsm-flask.txt
> @@ -60,6 +60,8 @@ that can be used without dom0 disaggregation. The main
> types for domUs are:
> - domU_t is a domain that can communicate with any other domU_t
> - isolated_domU_t can only communicate with dom0
> - prot_domU_t is a domain type whose creation can be disabled with a boolean
> + - nomigrate_t is a domain that must be created via the nomigrate_t_building
> + type, and whose memory cannot be read by dom0 once created
>
> HVM domains with stubdomain device models use two types (one per domain):
> - domHVM_t is an HVM domain that uses a stubdomain device model
> diff --git a/tools/flask/policy/policy/modules/xen/xen.if
> b/tools/flask/policy/policy/modules/xen/xen.if
> index 3f58909..2ad11b2 100644
> --- a/tools/flask/policy/policy/modules/xen/xen.if
> +++ b/tools/flask/policy/policy/modules/xen/xen.if
> @@ -9,24 +9,47 @@
> # Declare a type as a domain type, and allow basic domain setup
> define(`declare_domain', `
> type $1, domain_type`'ifelse(`$#', `1', `', `,shift($@)');
> + type $1_channel, event_type;
> + type_transition $1 domain_type:event $1_channel;
> allow $1 $1:grant { query setup };
> allow $1 $1:mmu { adjust physmap map_read map_write stat pinpage };
> allow $1 $1:hvm { getparam setparam };
> ')
>
> -# create_domain(priv, target)
> -# Allow a domain to be created
> -define(`create_domain', `
> +# declare_build_label(type)
> +# Declare a paired _building type for the given domain type
> +define(`declare_build_label', `
> + type $1_building, domain_type;
> + type_transition $1_building domain_type:event $1_channel;
> + allow $1_building $1 : domain transition;
> +')
> +
> +define(`create_domain_common', `
> allow $1 $2:domain { create max_vcpus setdomainmaxmem setaddrsize
> - getdomaininfo hypercall setvcpucontext scheduler
> - unpause getvcpuinfo getvcpuextstate getaddrsize
> - getvcpuaffinity };
> + getdomaininfo hypercall setvcpucontext setextvcpucontext
> + scheduler getvcpuinfo getvcpuextstate getaddrsize
> + getvcpuaffinity setvcpuaffinity };
> allow $1 $2:security check_context;
> allow $1 $2:shadow enable;
> allow $1 $2:mmu {map_read map_write adjust memorymap physmap pinpage};
> allow $1 $2:grant setup;
> - allow $1 $2:hvm { cacheattr getparam hvmctl irqlevel pciroute setparam
> pcilevel trackdirtyvram };
> - allow $1 $2_$1_channel:event create;
> + allow $1 $2:hvm { cacheattr getparam hvmctl irqlevel pciroute sethvmc
> setparam pcilevel trackdirtyvram };
> +')
> +
> +# create_domain(priv, target)
> +# Allow a domain to be created directly
> +define(`create_domain', `
> + create_domain_common($1, $2)
> + allow $1 $2_channel:event create;
> +')
> +
> +# create_domain_build_label(priv, target)
> +# Allow a domain to be created via its domain build label
> +define(`create_domain_build_label', `
> + create_domain_common($1, $2_building)
> + allow $1 $2_channel:event create;
> + allow $1 $2_building:domain2 relabelfrom;
> + allow $1 $2:domain2 relabelto;
> ')
>
> # manage_domain(priv, target)
> @@ -37,6 +60,15 @@ define(`manage_domain', `
> setvcpuaffinity setdomainmaxmem };
> ')
>
> +# migrate_domain_out(priv, target)
> +# Allow creation of a snapshot or migration image from a domain
> +# (inbound migration is the same as domain creation)
> +define(`migrate_domain_out', `
> + allow $1 $2:hvm { gethvmc getparam irqlevel };
> + allow $1 $2:mmu { stat pageinfo map_read };
> + allow $1 $2:domain { getaddrsize getvcpucontext getextvcpucontext
> getvcpuextstate pause destroy };
> +')
> +
>
> ################################################################################
> #
> # Inter-domain communication
> @@ -47,8 +79,6 @@ define(`manage_domain', `
> # This allows an event channel to be created from domains with labels
> # <source> to <dest> and will label it <chan-label>
> define(`create_channel', `
> - type $3, event_type;
> - type_transition $1 $2:event $3;
> allow $1 $3:event { create send status };
> allow $3 $2:event { bind };
> ')
> @@ -56,8 +86,8 @@ define(`create_channel', `
> # domain_event_comms(dom1, dom2)
> # Allow two domain types to communicate using event channels
> define(`domain_event_comms', `
> - create_channel($1, $2, $1_$2_channel)
> - create_channel($2, $1, $2_$1_channel)
> + create_channel($1, $2, $1_channel)
> + create_channel($2, $1, $2_channel)
> ')
>
> # domain_comms(dom1, dom2)
> @@ -72,7 +102,7 @@ define(`domain_comms', `
> # Allow a domain types to communicate with others of its type using grants
> # and event channels (this includes event channels to DOMID_SELF)
> define(`domain_self_comms', `
> - create_channel($1, $1, $1_self_channel)
> + create_channel($1, $1, $1_channel)
> allow $1 $1:grant { map_read map_write copy unmap };
> ')
>
> diff --git a/tools/flask/policy/policy/modules/xen/xen.te
> b/tools/flask/policy/policy/modules/xen/xen.te
> index 9550397..1162153 100644
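Review bot: `create_domain_build_label` grants the creator `mmu { map_read map_write ... }` on `$2_building` and only `relabelto` on `$2`, but nothing in the relabel step revokes foreign mappings the creator already holds; if the mmu permissions are checked only at map time (which I believe is the case, though it is not visible here), the "dom0 cannot read its memory once created" property holds only when the toolstack drops every mapping of the build-phase domain before relabelling. That assumption should sit next to the macro, e.g. `# NOTE: relabelto does not revoke mappings already established against $2_building; the builder must unmap them before relabelling to $2.` Separately, `unpause` is dropped from `create_domain_common` (it is in the removed `domain` permission list and absent from the added one) without mention in the commit message; if `manage_domain`, whose body is mostly outside this hunk, does not grant it, a type that is created but not managed by the same label can no longer be started. Either restore it or document that `manage_domain` is now required to unpause a freshly built domain.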
> --- a/tools/flask/policy/policy/modules/xen/xen.te
> +++ b/tools/flask/policy/policy/modules/xen/xen.te
> @@ -90,6 +90,7 @@ create_domain(dom0_t, isolated_domU_t)
> manage_domain(dom0_t, isolated_domU_t)
> domain_comms(dom0_t, isolated_domU_t)
>
> +# Declare a boolean that denies creation of prot_domU_t domains
> gen_bool(prot_doms_locked, false)
> declare_domain(prot_domU_t)
> if (!prot_doms_locked) {
> @@ -111,6 +112,15 @@ manage_domain(dom0_t, dm_dom_t)
> domain_comms(dom0_t, dm_dom_t)
> device_model(dm_dom_t, domHVM_t)
>
> +# nomigrate_t must be built via the nomigrate_t_building label; once built,
> +# dom0 cannot read its memory.
> +declare_domain(nomigrate_t)
> +declare_build_label(nomigrate_t)
> +create_domain_build_label(dom0_t, nomigrate_t)
> +manage_domain(dom0_t, nomigrate_t)
> +domain_comms(dom0_t, nomigrate_t)
> +domain_self_comms(nomigrate_t)
> +
>
> ###############################################################################
> #
> # Device delegation
_______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
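Review bot: The comment added above `declare_domain(nomigrate_t)` states the guarantee but not what it rests on: the no-read property is only as strong as `manage_domain` and `domain_comms` (both defined in xen.if, outside this hunk, with only the tail of `manage_domain` visible) never granting dom0_t `mmu { map_read pageinfo }`, `domain { getvcpucontext getextvcpucontext getvcpuextstate }` or `hvm gethvmc` on nomigrate_t, and on `migrate_domain_out` never being applied to this type. A later edit to either macro would silently void the guarantee with no policy error, so I would extend the comment: `# Invariant: dom0_t must never receive mmu map_read/pageinfo, domain get*vcpucontext/getvcpuextstate or hvm gethvmc on nomigrate_t; do not apply migrate_domain_out to this type.` Consider also stating that the guarantee only covers memory and not the event/grant paths that `domain_comms(dom0_t, nomigrate_t)` deliberately leaves open.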