Xen project Mailing List

[Xen-devel] [PATCH] xsm: add missing permissions discovered in testing

From: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>

Date: Fri, 4 Nov 2016 11:35:20 -0400

Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>

Delivery-date: Fri, 04 Nov 2016 15:35:55 +0000

Ironport-phdr: 9a23:RJNpsRQjv7UuXQp6URDE0Theh9psv+yvbD5Q0YIujvd0So/mwa64YxKN2/xhgRfzUJnB7Loc0qyN4vqmCT1LvsbJmUtBWaQEbwUCh8QSkl5oK+++Imq/EsTXaTcnFt9JTl5v8iLzG0FUHMHjew+a+SXqvnYsExnyfTB4Ov7yUtaLyZ/mjabiqtaMM01hv3mUWftKNhK4rAHc5IE9oLBJDeIP8CbPuWZCYO9MxGlldhq5lhf44dqsrtY4q3wD89pozcNLUL37cqIkVvQYSW1+ayFm2dfv/SXnYUPPoyFEEzZerh0dEwXDqR33QJr1mi/7rfZmnjmXO4vxV79ndy6l6vJHQRnphSNPGzNx33veg8I42K5UrB+uvRVX35/fYIbTMuF3OKzaY4VJFiJ6Qs9NWnkZUcuHZIwVAr9EZLwAog==

List-id: Xen developer discussion <xen-devel.lists.xen.org>

Add two missing allow rules: 1. Device model domain construction uses getvcpucontext, discovered by Andrew Cooper in an (apparently) unrelated bisection. 2. When a domain is destroyed with a device passthrough active, the calls to remove_{irq,ioport,iomem} can be made by the hypervisor itself (which results in an XSM check with the source xen_t). It does not make sense to deny these permissions; no domain should be using xen_t, and forbidding the hypervisor from performing cleanup is not useful. Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx> Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> --- tools/flask/policy/modules/xen.if | 2 +- tools/flask/policy/modules/xen.te | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/tools/flask/policy/modules/xen.if b/tools/flask/policy/modules/xen.if index d83f031..eb646f5 100644 --- a/tools/flask/policy/modules/xen.if +++ b/tools/flask/policy/modules/xen.if @@ -49,7 +49,7 @@ define(`create_domain_common', ` allow $1 $2:domain { create max_vcpus setdomainmaxmem setaddrsize getdomaininfo hypercall setvcpucontext getscheduler getvcpuinfo getaddrsize getaffinity setaffinity - settime setdomainhandle }; + settime setdomainhandle getvcpucontext }; allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim set_max_evtchn set_vnumainfo get_vnumainfo cacheflush psr_cmt_op psr_cat_op soft_reset }; diff --git a/tools/flask/policy/modules/xen.te b/tools/flask/policy/modules/xen.te index b52edc2..0cff2df 100644 --- a/tools/flask/policy/modules/xen.te +++ b/tools/flask/policy/modules/xen.te @@ -49,6 +49,10 @@ type ioport_t, resource_type; type iomem_t, resource_type; type device_t, resource_type; +# Domain destruction can result in some access checks for actions performed by +# the hypervisor. These should always be allowed. +allow xen_t resource_type : resource { remove_irq remove_ioport remove_iomem }; + ################################################################################ # # Policy constraints -- 2.7.4 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx https://lists.xen.org/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.