[Xen-devel] [PATCH v11 2/9] xsm: add MSR operation related xsm policy
Add xsm policies for MSR access related hypercall. Signed-off-by: Dongxiao Xu <dongxiao.xu@xxxxxxxxx> --- tools/flask/policy/policy/modules/xen/xen.te | 3 +++ xen/xsm/flask/hooks.c | 4 ++++ xen/xsm/flask/policy/access_vectors | 14 +++++++++++--- xen/xsm/flask/policy/security_classes | 1 + 4 files changed, 19 insertions(+), 3 deletions(-) diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te index bb59fe8..0e63e76 100644 --- a/tools/flask/policy/policy/modules/xen/xen.te +++ b/tools/flask/policy/policy/modules/xen/xen.te @@ -64,6 +64,9 @@ allow dom0_t xen_t:xen { getidle debug getcpuinfo heap pm_op mca_op lockprof cpupool_op tmem_op tmem_control getscheduler setscheduler }; +allow dom0_t xen_t:xen2 { + msr_op +}; allow dom0_t xen_t:mmu memorymap; # Allow dom0 to use these domctls on itself. For domctls acting on other diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index c008398..277a5de 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -770,6 +770,10 @@ static int flask_sysctl(int cmd) case XEN_SYSCTL_numainfo: return domain_has_xen(current->domain, XEN__PHYSINFO); + case XEN_SYSCTL_msr_op: + return avc_current_has_perm(SECINITSID_XEN, SECCLASS_XEN2, + XEN2__MSR_OP, NULL); + default: printk("flask_sysctl: Unknown op %d\n", cmd); return -EPERM; diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/access_vectors index 32371a9..82b5484 100644 --- a/xen/xsm/flask/policy/access_vectors +++ b/xen/xsm/flask/policy/access_vectors 
@@ -3,9 +3,9 @@ # # class class_name { permission_name ... } -# Class xen consists of dom0-only operations dealing with the hypervisor itself. -# Unless otherwise specified, the source is the domain executing the hypercall, -# and the target is the xen initial sid (type xen_t). +# Class xen and xen2 consists of dom0-only operations dealing with the +# hypervisor itself. Unless otherwise specified, the source is the domain +# executing the hypercall, and the target is the xen initial sid (type xen_t). class xen { # XENPF_settime @@ -75,6 +75,14 @@ class xen setscheduler } +# This is a continuation of class xen, since only 32 permissions can be +# defined per class +class xen2 +{ +# XEN_SYSCTL_msr_op + msr_op +} + # Classes domain and domain2 consist of operations that a domain performs on # another domain or on itself. Unless otherwise specified, the source is the # domain executing the hypercall, and the target is the domain being operated on diff --git a/xen/xsm/flask/policy/security_classes b/xen/xsm/flask/policy/security_classes index ef134a7..ca191db 100644 --- a/xen/xsm/flask/policy/security_classes +++ b/xen/xsm/flask/policy/security_classes @@ -8,6 +8,7 @@ # for userspace object managers class xen +class xen2 class domain class domain2 class hvm -- 1.8.1.5 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
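Review bot: In the xen.te hunk, the default policy gives dom0_t the new msr_op permission, but neither the rule nor the commit message says what XEN_SYSCTL_msr_op lets the caller do. A one-line comment above the allow rule would help policy authors decide whether to keep the grant in a restricted policy. With a single permission, the rule can also be written as "allow dom0_t xen_t:xen2 msr_op;", in the same form as the "allow dom0_t xen_t:mmu memorymap;" line that follows it.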
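Review bot: In the hooks.c hunk, the new XEN_SYSCTL_msr_op case in flask_sysctl(int cmd) is authorised on cmd alone, so the single msr_op permission covers every request this sysctl can carry and a policy cannot allow one kind of MSR access while denying another. If the coarse check is intended, state that in the commit message; otherwise the hook needs to see the sysctl arguments. Separately, the neighbouring case goes through domain_has_xen(current->domain, XEN__PHYSINFO) while this one calls avc_current_has_perm() directly with SECCLASS_XEN2; a short comment or a small helper for the xen2 class would keep later xen2 cases consistent.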
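Review bot: In the first access_vectors hunk, the reworded comment reads "Class xen and xen2 consists of"; with two classes named it should be "Classes xen and xen2 consist of", matching the existing "Classes domain and domain2 consist of" comment visible in the second hunk's context.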