[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v2 1/3] xsm/xen_version: Add XSM for the xen_version hypercall.

On 06/11/15 14:36, Konrad Rzeszutek Wilk wrote:

All of XENVER_* have now an XSM check.

The subops for XENVER_[compile_info|changeset|commandline|
extraversion] are now priviliged operations. To not break
guests we still return an string - but it is just '<denied>'.

The rest: XENVER_[version|capabilities|
parameters|get_features|page_size|guest_handle] behave
as before - allowed by default for all guests.

This is with the XSM default policy and with the dummy ones.

Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>


Comments below, inline.

[...]

diff --git a/tools/flask/policy/policy/modules/xen/xen.te 
b/tools/flask/policy/policy/modules/xen/xen.te
index d35ae22..1ca0e65 100644
--- a/tools/flask/policy/policy/modules/xen/xen.te
+++ b/tools/flask/policy/policy/modules/xen/xen.te
@@ -73,6 +73,12 @@ allow dom0_t xen_t:xen2 {
      pmu_ctrl
      get_symbol
  };
+
+# Allow dom0 to use XENVER_compile_info|changeset|commandline]extraversion
+allow dom0_t xen_t:xen2 {
+    version_priv
+};
+
  allow dom0_t xen_t:mmu memorymap;

  # Allow dom0 to use these domctls on itself. For domctls acting on other


Minor tweak: if you don't want to add the new to the block a few lines above,
the one-line permission syntax without braces (as seen below) looks better.

[...]

  DO(xen_version)(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
  {
+    bool_t deny = !!xsm_version_op(XSM_HOOK, cmd);
+


Since this call produces denials in the default policy, it should be marked
as XSM_OTHER.


diff --git a/xen/xsm/flask/policy/access_vectors 
b/xen/xsm/flask/policy/access_vectors
index effb59f..273459f 100644
--- a/xen/xsm/flask/policy/access_vectors
+++ b/xen/xsm/flask/policy/access_vectors
@@ -93,6 +93,8 @@ class xen2
      pmu_ctrl
  # PMU use (domains, including unprivileged ones, will be using this operation)
      pmu_use
+# XENVER_[compile_info|changeset|commandline|extraversion] usage.
+   version_priv
  }

  # Classes domain and domain2 consist of operations that a domain performs on
@@ -242,6 +244,8 @@ class domain2
      mem_sharing
  # XEN_DOMCTL_psr_cat_op
      psr_cat_op
+# XENVER_[version|capabilities|parameters|get_features|page_size|guest_handle].
+    version_use
  }

  # Similar to class domain, but primarily contains domctls related to HVM 
domains



I think that both version_priv and version_use belong in the same access
vector (xen2) rather than placing version_use in domain2.

--
Daniel De Graaf
National Security Agency

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.