[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [PATCH 21/22] xsm/flask: document the access vectors



This adds comments to the FLASK access_vectors file describing what
operations each access vector controls and the meanings of the source
and target fields in the permission check. This also makes the
indentation of the file consistent; no functionality changes are made.

Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
Cc: Keir Fraser <keir@xxxxxxx>
---
 xen/xsm/flask/policy/access_vectors | 459 ++++++++++++++++++++++++++++--------
 1 file changed, 355 insertions(+), 104 deletions(-)

diff --git a/xen/xsm/flask/policy/access_vectors 
b/xen/xsm/flask/policy/access_vectors
index b982cf5..d144333 100644
--- a/xen/xsm/flask/policy/access_vectors
+++ b/xen/xsm/flask/policy/access_vectors
@@ -3,189 +3,440 @@
 #
 # class class_name { permission_name ... }
 
+# Class xen consists of dom0-only operations dealing with the hypervisor 
itself.
+# Unless otherwise specified, the source is the domain executing the hypercall,
+# and the target is the xen initial sid (type xen_t).
 class xen
 {
-       settime
-       tbufcontrol
-       readconsole
-       clearconsole
-       perfcontrol
-       mtrr_add
-       mtrr_del
-       mtrr_read
-       microcode
-       physinfo
-       quirk
+# XENPF_settime
+    settime
+# XEN_SYSCTL_tbuf_op
+    tbufcontrol
+# CONSOLEIO_read, XEN_SYSCTL_readconsole
+    readconsole
+# XEN_SYSCTL_readconsole with clear=1
+    clearconsole
+# XEN_SYSCTL_perfc_op
+    perfcontrol
+# XENPF_add_memtype
+    mtrr_add
+# XENPF_del_memtype
+    mtrr_del
+# XENPF_read_memtype
+    mtrr_read
+# XENPF_microcode_update
+    microcode
+# XEN_SYSCTL_physinfo, XEN_SYSCTL_topologyinfo, XEN_SYSCTL_numainfo
+    physinfo
+# XENPF_platform_quirk
+    quirk
+# CONSOLEIO_write
     writeconsole
+# PHYSDEVOP_apic_read, PHYSDEVOP_alloc_irq_vector
     readapic
+# PHYSDEVOP_apic_write
     writeapic
+# Most XENOPROF_*
     privprofile
+# XENOPROF_{init,enable_virq,disable_virq,get_buffer}
     nonprivprofile
+# kexec hypercall
     kexec
-       firmware
-       sleep
-       frequency
-       getidle
-       debug
-       getcpuinfo
-       heap
-       pm_op
-       mca_op
-       lockprof
-       cpupool_op
-       tmem_op
-       tmem_control
-       getscheduler
-       setscheduler
+# XENPF_firmware_info, XENPF_efi_runtime_call
+    firmware
+# XENPF_enter_acpi_sleep
+    sleep
+# XENPF_change_freq
+    frequency
+# XENPF_getidletime
+    getidle
+# XEN_SYSCTL_debug_keys
+    debug
+# XEN_SYSCTL_getcpuinfo, XENPF_get_cpu_version, XENPF_get_cpuinfo
+    getcpuinfo
+# XEN_SYSCTL_availheap
+    heap
+# XEN_SYSCTL_get_pmstat, XEN_SYSCTL_pm_op, XENPF_set_processor_pminfo,
+# XENPF_core_parking
+    pm_op
+# mca hypercall
+    mca_op
+# XEN_SYSCTL_lockprof_op
+    lockprof
+# XEN_SYSCTL_cpupool_op
+    cpupool_op
+# tmem hypercall (any access)
+    tmem_op
+# TMEM_CONTROL command of tmem hypercall
+    tmem_control
+# XEN_SYSCTL_scheduler_op with XEN_DOMCTL_SCHEDOP_getinfo, XEN_SYSCTL_sched_id
+    getscheduler
+# XEN_SYSCTL_scheduler_op with XEN_DOMCTL_SCHEDOP_putinfo
+    setscheduler
 }
 
+# Classes domain and domain2 consist of operations that a domain performs on
+# another domain or on itself.  Unless otherwise specified, the source is the
+# domain executing the hypercall, and the target is the domain being operated 
on
+# (which may result in a _self or _target type).
+#
+# transitions in class domain are used to produce the _self and _target types;
+# see docs/misc/xsm-flask.txt and the example XSM policy for details.
 class domain
 {
-       setvcpucontext
-       pause
-       unpause
+# XEN_DOMCTL_setvcpucontext
+    setvcpucontext
+# XEN_DOMCTL_pausedomain
+    pause
+# XEN_DOMCTL_unpausedomain
+    unpause
+# XEN_DOMCTL_resumedomain
     resume
+# XEN_DOMCTL_createdomain
     create
+# checked in FLASK_RELABEL_DOMAIN for any relabel operation:
+#  source = the old label of the domain
+#  target = the new label of the domain
+# see also the domain2 relabel{from,to,self} permissions
     transition
+# XEN_DOMCTL_max_vcpus
     max_vcpus
+# XEN_DOMCTL_destroydomain
     destroy
+# XEN_DOMCTL_setvcpuaffinity
     setvcpuaffinity
-       getvcpuaffinity
-       getscheduler
-       getdomaininfo
-       getvcpuinfo
-       getvcpucontext
-       setdomainmaxmem
-       setdomainhandle
-       setdebugging
-       hypercall
+# XEN_DOMCTL_getvcpuaffinity
+    getvcpuaffinity
+# XEN_DOMCTL_scheduler_op with XEN_DOMCTL_SCHEDOP_getinfo
+    getscheduler
+# XEN_DOMCTL_getdomaininfo, XEN_SYSCTL_getdomaininfolist
+    getdomaininfo
+# XEN_DOMCTL_getvcpuinfo
+    getvcpuinfo
+# XEN_DOMCTL_getvcpucontext
+    getvcpucontext
+# XEN_DOMCTL_max_mem
+    setdomainmaxmem
+# XEN_DOMCTL_setdomainhandle
+    setdomainhandle
+# XEN_DOMCTL_setdebugging
+    setdebugging
+# XEN_DOMCTL_hypercall_init
+    hypercall
+# XEN_DOMCTL_settimeoffset
     settime
+# checked in XEN_DOMCTL_set_target:
+#  source = the new device model domain
+#  target = the new target domain
+# see also the domain2 make_priv_for and set_as_target checks
     set_target
+# SCHEDOP_remote_shutdown
     shutdown
+# XEN_DOMCTL_set{,_machine}_address_size
     setaddrsize
+# XEN_DOMCTL_get{,_machine}_address_size
     getaddrsize
-       trigger
-       getextvcpucontext
-       setextvcpucontext
-       getvcpuextstate
-       setvcpuextstate
-       getpodtarget
-       setpodtarget
-       set_misc_info
-       set_virq_handler
+# XEN_DOMCTL_sendtrigger
+    trigger
+# XEN_DOMCTL_get_ext_vcpucontext
+    getextvcpucontext
+# XEN_DOMCTL_set_ext_vcpucontext
+    setextvcpucontext
+# XEN_DOMCTL_getvcpuextstate
+    getvcpuextstate
+# XEN_DOMCTL_setvcpuextstate
+    setvcpuextstate
+# XENMEM_get_pod_target
+    getpodtarget
+# XENMEM_set_pod_target
+    setpodtarget
+# XEN_DOMCTL_subscribe, XEN_DOMCTL_disable_migrate,
+# XEN_DOMCTL_suppress_spurious_page_faults
+    set_misc_info
+# XEN_DOMCTL_set_virq_handler
+    set_virq_handler
 }
 
+# This is a continuation of class domain, since only 32 permissions can be
+# defined per class
 class domain2
 {
-       relabelfrom
-       relabelto
-       relabelself
-       make_priv_for
-       set_as_target
-       set_cpuid
-       gettsc
-       settsc
-       setscheduler
+# checked in FLASK_RELABEL_DOMAIN with non-DOMID_SELF:
+#  source = the domain making the hypercall
+#  target = the old label of the domain being relabeled
+    relabelfrom
+# checked in FLASK_RELABEL_DOMAIN with non-DOMID_SELF:
+#  source = the domain making the hypercall
+#  target = the new label of the domain being relabeled
+    relabelto
+# checked in FLASK_RELABEL_DOMAIN, only with DOMID_SELF:
+#  source = the old label of the domain
+#  target = the new label of the domain
+# see also domain__transition
+    relabelself
+# checked in XEN_DOMCTL_set_target:
+#  source = the domain making the hypercall
+#  target = the new device model domain
+    make_priv_for
+# checked in XEN_DOMCTL_set_target:
+#  source = the domain making the hypercall
+#  target = the new target domain
+    set_as_target
+# XEN_DOMCTL_set_cpuid
+    set_cpuid
+# XEN_DOMCTL_gettscinfo
+    gettsc
+# XEN_DOMCTL_settscinfo
+    settsc
+# XEN_DOMCTL_scheduler_op with XEN_DOMCTL_SCHEDOP_putinfo
+    setscheduler
 }
 
+# Similar to class domain, but primarily contains domctls related to HVM 
domains
 class hvm
 {
+# XEN_DOMCTL_sethvmcontext
     sethvmc
+# XEN_DOMCTL_gethvmcontext, XEN_DOMCTL_gethvmcontext_partial
     gethvmc
+# HVMOP_set_param
     setparam
+# HVMOP_get_param
     getparam
+# HVMOP_set_pci_intx_level (also needs hvmctl)
     pcilevel
+# HVMOP_set_isa_irq_level
     irqlevel
+# HVMOP_set_pci_link_route
     pciroute
-       bind_irq
-       cacheattr
+    bind_irq
+# XEN_DOMCTL_pin_mem_cacheattr
+    cacheattr
+# HVMOP_track_dirty_vram
     trackdirtyvram
+# HVMOP_modified_memory, HVMOP_get_mem_type, HVMOP_set_mem_type,
+# HVMOP_set_mem_access, HVMOP_get_mem_access, HVMOP_pagetable_dying,
+# HVMOP_inject_trap
     hvmctl
+# XEN_DOMCTL_set_access_required
     mem_event
+# XEN_DOMCTL_mem_sharing_op and XENMEM_sharing_op_{share,add_physmap} with:
+#  source = the domain making the hypercall
+#  target = domain whose memory is being shared
     mem_sharing
+# XEN_DOMCTL_audit_p2m
     audit_p2m
+# HVMOP_inject_msi
     send_irq
+# checked in XENMEM_sharing_op_{share,add_physmap} with:
+#  source = domain whose memory is being shared
+#  target = client domain
     share_mem
 }
 
+# Class event describes event channels.  Interdomain event channels have their
+# own security label which is computed using a type transition between the
+# source and target domains.  Each endpoint has its own label, and the
+# permission checks must pass on both endpoints for an event channel to be
+# established.
 class event
 {
-       bind
-       send
-       status
-       notify
-       create
+# when creating an interdomain event channel endpoint:
+#  source = event channel label
+#  target = remote domain the event channel binds to.  This may be a _self or
+#           _target label if the endpoints are related as such.
+# This permission is checked when creating an unbound event channel and when 
the
+# interdomain event channel is established.
+    bind
+# EVTCHNOP_send:
+#  source = domain sending the event
+#  target = event channel label
+    send
+# EVTCHNOP_status; same as _send
+    status
+# <unused>
+    notify
+# when creating an interdomain event channel endpoint:
+#  source = the domain creating the channel (which might not be an endpoint)
+#  target = event channel label
+    create
+# EVTCHNOP_reset:
+#  source = domain making the hypercall
+#  target = domain whose event channels are being reset
     reset
 }
 
+# Class grant describes pages shared by grant mappings.  Pages use the security
+# label of their owning domain.
 class grant
 {
-       map_read
-       map_write
-       unmap
-       transfer
-       setup
+# GNTTABOP_map_grant_ref with any access
+    map_read
+# GNTTABOP_map_grant_ref with write access
+    map_write
+# GNTTABOP_unmap_grant_ref
+    unmap
+# GNTTABOP_transfer
+    transfer
+# GNTTABOP_setup_table, GNTTABOP_get_status_frames (target is commonly _self)
+    setup
+# GNTTABOP_copy
     copy
+# GNTTABOP_query_size, GNTTABOP_get_version
     query
 }
 
+# Class mmu describes pages of memory not accessed using grants.  Permissions
+# are checked using the domain ID used to access the page - the most common 
case
+# is a domain's own ID (the _self label).  Using DOMID_IO in the map command to
+# restrict the mapping to IO memory will result in the target being domio_t, 
and
+# migration uses read-only mappings with a target of DOMID_XEN (domxen_t).
 class mmu
 {
-       map_read
-       map_write
-       pageinfo
-       pagelist
+# checked when using mmu_update to map a page readably
+#  source = domain making the hypercall (which might not own the page table)
+#  target = domain whose pages are being mapped
+    map_read
+# checked when using mmu_update to map a page writably
+#  source = domain making the hypercall
+#  target = domain whose pages are being mapped
+    map_write
+# XEN_DOMCTL_getpageframeinfo*
+    pageinfo
+# XEN_DOMCTL_getmemlist
+    pagelist
+# XENMEM_{increase,decrease}_reservation, XENMEM_populate_physmap
     adjust
+# XENMEM_{current,maximum}_reservation, XENMEM_maximum_gpfn
     stat
+# <unused>
     translategp
-       updatemp
+# mmu_update MMU_MACHPHYS_UPDATE
+    updatemp
+# XENMEM_add_to_physmap, XENMEM_remove_from_physmap
     physmap
+# MMUEXT_PIN_L*_TABLE
     pinpage
+# <unused>
     mfnlist
+# XENMEM_machine_memory_map (with target xen_t)
+# XENMEM_set_memory_map (with domain target)
     memorymap
+# checked when using mmu_update to update the page tables of another domain
+#  source = domain making the hypercall
+#  target = domain whose page tables are being modified
     remote_remap
-       mmuext_op
-       exchange
+# the mmuext_op hypercall acting on the target domain
+    mmuext_op
+# XENMEM_exchange:
+#  source = domain making the hypercall
+#  target = domain whose pages are being exchanged
+    exchange
 }
 
+# control of the paging_domctl split by subop
 class shadow
 {
-       disable
-       enable
+# XEN_DOMCTL_SHADOW_OP_OFF
+    disable
+# enable, get/set allocation
+    enable
+# enable, read, and clean log
     logdirty
 }
 
+# Class resource is used to describe the resources used in hardware device
+# passthrough.  Resources include: hardware IRQs, MMIO regions, x86 I/O ports,
+# and PCI devices; see docs/misc/xsm-flask.txt for how to label them.
+#
+# Access to the legacy PCI configuration space on x86 via port 0xCF8/CFC
+# requires IS_PRIV, even with FLASK.  Writes to the BARs are checked as 
"setup",
+# while other reads/writes are "use"; the target is the PCI device whose
+# configuration space is being modified.  Accesses to the MMIO-based PCI 
express
+# configuration space described by the ACPI MCFG table are controlled as MMIO
+# accesses, and cannot special-case BAR writes.
+#
+# The {add,remove}_{irq,ioport,iomem,device} permissions use:
+#  source = domain making the hypercall
+#  target = resource's security label
 class resource
 {
-       add
-       remove
-       use
-       add_irq
-       remove_irq
-       add_ioport
-       remove_ioport
-       add_iomem
-       remove_iomem
-       stat_device
-       add_device
-       remove_device
-       plug
-       unplug
-       setup
+# checked when adding a resource to a domain:
+#  source = domain making the hypercall
+#  target = domain which will have access to the resource
+    add
+# checked when removing a resource from a domain:
+#  source = domain making the hypercall
+#  target = domain which will no longer have access to the resource
+    remove
+# checked when adding a resource to a domain:
+#  source = domain which will have access to the resource
+#  target = resource's security label
+# also checked when using some core Xen devices (target xen_t)
+    use
+# PHYSDEVOP_map_pirq and ioapic writes for dom0
+#  For GSI interrupts, the IRQ's label is indexed by the IRQ number
+#  For MSI interrupts, the label of the PCI device is used
+    add_irq
+# PHYSDEVOP_unmap_pirq:
+#  This is currently only checked for GSI interrupts
+    remove_irq
+# XEN_DOMCTL_ioport_permission, XEN_DOMCTL_ioport_mapping
+    add_ioport
+    remove_ioport
+# XEN_DOMCTL_iomem_permission, XEN_DOMCTL_memory_mapping
+    add_iomem
+    remove_iomem
+# XEN_DOMCTL_get_device_group, XEN_DOMCTL_test_assign_device:
+#  source = domain making the hypercall
+#  target = PCI device being queried
+    stat_device
+# XEN_DOMCTL_assign_device
+    add_device
+# XEN_DOMCTL_deassign_device
+    remove_device
+# checked for PCI hot and cold-plug hypercalls, with target as the PCI device
+# checked for CPU and memory hotplug with xen_t as the target
+    plug
+# checked for PCI hot-unplug hypercalls, with target as the PCI device
+# checked for CPU offlining with xen_t as the target
+    unplug
+# checked for PHYSDEVOP_restore_msi* (target PCI device)
+# checked for PHYSDEVOP_setup_gsi (target IRQ)
+# checked for PHYSDEVOP_pci_mmcfg_reserved (target xen_t)
+    setup
 }
 
+# Class security describes the FLASK security server itself; these operations
+# are accessed using the xsm_op hypercall.  The source is the domain invoking
+# the hypercall, and the target is security_t.
+#
+# Any domain with access to load_policy or setenforce must be trusted, since it
+# can bypass the rest of the security policy.
 class security
 {
-       compute_av
-       compute_create
-       compute_member
-       check_context
-       load_policy
-       compute_relabel
-       compute_user
-       setenforce
-       setbool
-       setsecparam
-        add_ocontext
-        del_ocontext
+# use the security server to compute an access check
+    compute_av
+# use the security server to compute a type transition
+    compute_create
+# use the security server to compute member selection
+    compute_member
+# sid <-> context string conversions
+    check_context
+# allow loading a new XSM/FLASK policy
+    load_policy
+# use the security server to compute an object relabel
+    compute_relabel
+# use the security server to list the SIDs reachable by a given user
+    compute_user
+# allow switching between enforcing and permissive mode
+    setenforce
+# allow changing policy booleans
+    setbool
+# allow changing security server configuration parmeters
+    setsecparam
+# add ocontext label definitions for resources
+    add_ocontext
+# remove ocontext label definitions for resources
+    del_ocontext
 }
-- 
1.7.11.7


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.