[Xen-devel] [PATCH v12 2/9] xsm: add resource operation related xsm policy
Add xsm policies for resource access related hypercall, such as MSR access, port I/O read/write, and other related resource operations. Signed-off-by: Dongxiao Xu <dongxiao.xu@xxxxxxxxx> --- tools/flask/policy/policy/modules/xen/xen.te | 3 +++ xen/xsm/flask/hooks.c | 4 ++++ xen/xsm/flask/policy/access_vectors | 14 +++++++++++--- xen/xsm/flask/policy/security_classes | 1 + 4 files changed, 19 insertions(+), 3 deletions(-) diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te index bb59fe8..562b8df 100644 --- a/tools/flask/policy/policy/modules/xen/xen.te +++ b/tools/flask/policy/policy/modules/xen/xen.te @@ -64,6 +64,9 @@ allow dom0_t xen_t:xen { getidle debug getcpuinfo heap pm_op mca_op lockprof cpupool_op tmem_op tmem_control getscheduler setscheduler }; +allow dom0_t xen_t:xen2 { + resource_op +}; allow dom0_t xen_t:mmu memorymap; # Allow dom0 to use these domctls on itself. For domctls acting on other diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index f2f59ea..fcfed25 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -1383,6 +1383,10 @@ static int flask_platform_op(uint32_t op) case XENPF_get_cpuinfo: return domain_has_xen(current->domain, XEN__GETCPUINFO); + case XENPF_resource_op: + return avc_current_has_perm(SECINITSID_XEN, SECCLASS_XEN2, + XEN2__RESOURCE_OP, NULL); + default: printk("flask_platform_op: Unknown op %d\n", op); return -EPERM; diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/access_vectors index 32371a9..b606441 100644 --- a/xen/xsm/flask/policy/access_vectors +++ b/xen/xsm/flask/policy/access_vectors 
@@ -3,9 +3,9 @@ # # class class_name { permission_name ... } -# Class xen consists of dom0-only operations dealing with the hypervisor itself. -# Unless otherwise specified, the source is the domain executing the hypercall, -# and the target is the xen initial sid (type xen_t). +# Class xen and xen2 consists of dom0-only operations dealing with the +# hypervisor itself. Unless otherwise specified, the source is the domain +# executing the hypercall, and the target is the xen initial sid (type xen_t). class xen { # XENPF_settime @@ -75,6 +75,14 @@ class xen setscheduler } +# This is a continuation of class xen, since only 32 permissions can be +# defined per class +class xen2 +{ +# XENPF_resource_op + resource_op +} + # Classes domain and domain2 consist of operations that a domain performs on # another domain or on itself. Unless otherwise specified, the source is the # domain executing the hypercall, and the target is the domain being operated on diff --git a/xen/xsm/flask/policy/security_classes b/xen/xsm/flask/policy/security_classes index ef134a7..ca191db 100644 --- a/xen/xsm/flask/policy/security_classes +++ b/xen/xsm/flask/policy/security_classes @@ -8,6 +8,7 @@ # for userspace object managers class xen +class xen2 class domain class domain2 class hvm -- 1.7.9.5 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
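Review bot: In the flask_platform_op() hunk of xen/xsm/flask/hooks.c, the new XENPF_resource_op case open-codes avc_current_has_perm(SECINITSID_XEN, SECCLASS_XEN2, XEN2__RESOURCE_OP, NULL) while the XENPF_get_cpuinfo case directly above it goes through domain_has_xen(current->domain, XEN__GETCPUINFO). Nothing in the hunk says why the two checks differ in form. Add a one-line comment that the xen2 class is the reason the existing helper is not used, or introduce a matching helper for xen2 so that later permissions in this class do not each repeat the direct call.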
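Review bot: In the first hunk of xen/xsm/flask/policy/access_vectors, the rewritten header comment reads "Class xen and xen2 consists of". With two classes named it should be "Classes xen and xen2 consist of", which also matches the existing "Classes domain and domain2 consist of" comment visible later in the same file.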
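Review bot: In the class xen2 hunk of xen/xsm/flask/policy/access_vectors, the single resource_op permission covers everything the commit message lists (MSR access, port I/O read/write, and other resource operations), so a policy cannot grant one kind of access without granting the rest. If that granularity is intentional, state it in the comment above resource_op so policy authors know what the allow rule in xen.te actually hands to dom0_t. Otherwise consider separate permissions, since the new class has only this one entry against the 32-permission limit the comment mentions.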