|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] [PATCH 07/17] flask: unify {get, set}vcpucontext permissions
These permissions were initially split because they were in separate
domctls, but this split is very unlikely to actually provide security
benefits: it would require a carefully contrived situation for a domain
to both need access to one type of CPU register and also need to be
prohibited from accessing another type.
Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
---
tools/flask/policy/modules/dom0.te | 1 -
tools/flask/policy/modules/xen.if | 7 +++----
xen/xsm/flask/hooks.c | 20 ++++++--------------
xen/xsm/flask/policy/access_vectors | 16 ++++++----------
4 files changed, 15 insertions(+), 29 deletions(-)
diff --git a/tools/flask/policy/modules/dom0.te
b/tools/flask/policy/modules/dom0.te
index ef6a986..d228b24 100644
--- a/tools/flask/policy/modules/dom0.te
+++ b/tools/flask/policy/modules/dom0.te
@@ -34,7 +34,6 @@ allow dom0_t dom0_t:domain {
setvcpucontext max_vcpus setaffinity getaffinity getscheduler
getdomaininfo getvcpuinfo getvcpucontext setdomainmaxmem setdomainhandle
setdebugging hypercall settime setaddrsize getaddrsize trigger
- getextvcpucontext setextvcpucontext getvcpuextstate setvcpuextstate
getpodtarget setpodtarget set_misc_info set_virq_handler
};
allow dom0_t dom0_t:domain2 {
diff --git a/tools/flask/policy/modules/xen.if
b/tools/flask/policy/modules/xen.if
index 00d1bbb..fd96303 100644
--- a/tools/flask/policy/modules/xen.if
+++ b/tools/flask/policy/modules/xen.if
@@ -47,9 +47,8 @@ define(`declare_build_label', `
define(`create_domain_common', `
allow $1 $2:domain { create max_vcpus setdomainmaxmem setaddrsize
- getdomaininfo hypercall setvcpucontext setextvcpucontext
- getscheduler getvcpuinfo getvcpuextstate getaddrsize
- getaffinity setaffinity setvcpuextstate };
+ getdomaininfo hypercall setvcpucontext getscheduler
+ getvcpuinfo getaddrsize getaffinity setaffinity };
allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim
set_max_evtchn set_vnumainfo get_vnumainfo cacheflush
psr_cmt_op psr_cat_op soft_reset };
@@ -94,7 +93,7 @@ define(`migrate_domain_out', `
allow $1 domxen_t:mmu map_read;
allow $1 $2:hvm { gethvmc getparam irqlevel };
allow $1 $2:mmu { stat pageinfo map_read };
- allow $1 $2:domain { getaddrsize getvcpucontext getextvcpucontext
getvcpuextstate pause destroy };
+ allow $1 $2:domain { getaddrsize getvcpucontext pause destroy };
allow $1 $2:domain2 gettsc;
allow $1 $2:shadow { enable disable logdirty };
')
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index 20d46c8..a8d45e7 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -630,10 +630,16 @@ static int flask_domctl(struct domain *d, int cmd)
case XEN_DOMCTL_setdomainhandle:
return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SETDOMAINHANDLE);
+ case XEN_DOMCTL_set_ext_vcpucontext:
+ case XEN_DOMCTL_set_vcpu_msrs:
case XEN_DOMCTL_setvcpucontext:
+ case XEN_DOMCTL_setvcpuextstate:
return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SETVCPUCONTEXT);
+ case XEN_DOMCTL_get_ext_vcpucontext:
+ case XEN_DOMCTL_get_vcpu_msrs:
case XEN_DOMCTL_getvcpucontext:
+ case XEN_DOMCTL_getvcpuextstate:
return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__GETVCPUCONTEXT);
case XEN_DOMCTL_getvcpuinfo:
@@ -675,20 +681,6 @@ static int flask_domctl(struct domain *d, int cmd)
case XEN_DOMCTL_pin_mem_cacheattr:
return current_has_perm(d, SECCLASS_HVM, HVM__CACHEATTR);
- case XEN_DOMCTL_set_ext_vcpucontext:
- case XEN_DOMCTL_set_vcpu_msrs:
- return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SETEXTVCPUCONTEXT);
-
- case XEN_DOMCTL_get_ext_vcpucontext:
- case XEN_DOMCTL_get_vcpu_msrs:
- return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__GETEXTVCPUCONTEXT);
-
- case XEN_DOMCTL_setvcpuextstate:
- return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SETVCPUEXTSTATE);
-
- case XEN_DOMCTL_getvcpuextstate:
- return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__GETVCPUEXTSTATE);
-
case XEN_DOMCTL_sendtrigger:
return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__TRIGGER);
diff --git a/xen/xsm/flask/policy/access_vectors
b/xen/xsm/flask/policy/access_vectors
index 3d29042..7e69ede 100644
--- a/xen/xsm/flask/policy/access_vectors
+++ b/xen/xsm/flask/policy/access_vectors
@@ -111,6 +111,9 @@ class xen2
class domain
{
# XEN_DOMCTL_setvcpucontext
+# XEN_DOMCTL_setvcpuextstate
+# XEN_DOMCTL_set_ext_vcpucontext
+# XEN_DOMCTL_set_vcpu_msrs
setvcpucontext
# XEN_DOMCTL_pausedomain
pause
@@ -142,6 +145,9 @@ class domain
# XEN_DOMCTL_getvcpuinfo
getvcpuinfo
# XEN_DOMCTL_getvcpucontext
+# XEN_DOMCTL_get_ext_vcpucontext
+# XEN_DOMCTL_getvcpuextstate
+# XEN_DOMCTL_get_vcpu_msrs
getvcpucontext
# XEN_DOMCTL_max_mem
setdomainmaxmem
@@ -166,16 +172,6 @@ class domain
getaddrsize
# XEN_DOMCTL_sendtrigger
trigger
-# XEN_DOMCTL_get_ext_vcpucontext
-# XEN_DOMCTL_set_vcpu_msrs
- getextvcpucontext
-# XEN_DOMCTL_set_ext_vcpucontext
-# XEN_DOMCTL_get_vcpu_msrs
- setextvcpucontext
-# XEN_DOMCTL_getvcpuextstate
- getvcpuextstate
-# XEN_DOMCTL_setvcpuextstate
- setvcpuextstate
# XENMEM_get_pod_target
getpodtarget
# XENMEM_set_pod_target
--
2.7.4
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |