| Message ID | 1478273720-26479-1-git-send-email-dgdegra@tycho.nsa.gov (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On 04/11/16 15:35, Daniel De Graaf wrote: > Add two missing allow rules: > > 1. Device model domain construction uses getvcpucontext, discovered by > Andrew Cooper in an (apparently) unrelated bisection. Merely observation of the logs while chasing an unrelated issue. ~Andrew > > 2. When a domain is destroyed with a device passthrough active, the > calls to remove_{irq,ioport,iomem} can be made by the hypervisor itself > (which results in an XSM check with the source xen_t). It does not make > sense to deny these permissions; no domain should be using xen_t, and > forbidding the hypervisor from performing cleanup is not useful. > > Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> > Cc: Andrew Cooper <andrew.cooper3@citrix.com> > --- > tools/flask/policy/modules/xen.if | 2 +- > tools/flask/policy/modules/xen.te | 4 ++++ > 2 files changed, 5 insertions(+), 1 deletion(-) > > diff --git a/tools/flask/policy/modules/xen.if b/tools/flask/policy/modules/xen.if > index d83f031..eb646f5 100644 > --- a/tools/flask/policy/modules/xen.if > +++ b/tools/flask/policy/modules/xen.if > @@ -49,7 +49,7 @@ define(`create_domain_common', ` > allow $1 $2:domain { create max_vcpus setdomainmaxmem setaddrsize > getdomaininfo hypercall setvcpucontext getscheduler > getvcpuinfo getaddrsize getaffinity setaffinity > - settime setdomainhandle }; > + settime setdomainhandle getvcpucontext }; > allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim > set_max_evtchn set_vnumainfo get_vnumainfo cacheflush > psr_cmt_op psr_cat_op soft_reset }; > diff --git a/tools/flask/policy/modules/xen.te b/tools/flask/policy/modules/xen.te > index b52edc2..0cff2df 100644 > --- a/tools/flask/policy/modules/xen.te > +++ b/tools/flask/policy/modules/xen.te > @@ -49,6 +49,10 @@ type ioport_t, resource_type; > type iomem_t, resource_type; > type device_t, resource_type; > > +# Domain destruction can result in some access checks for actions performed by > +# the hypervisor. These should always be allowed. > +allow xen_t resource_type : resource { remove_irq remove_ioport remove_iomem }; > + > ################################################################################ > # > # Policy constraints
On Fri, Nov 04, 2016 at 11:35:20AM -0400, Daniel De Graaf wrote: > Add two missing allow rules: > > 1. Device model domain construction uses getvcpucontext, discovered by > Andrew Cooper in an (apparently) unrelated bisection. > > 2. When a domain is destroyed with a device passthrough active, the > calls to remove_{irq,ioport,iomem} can be made by the hypervisor itself > (which results in an XSM check with the source xen_t). It does not make > sense to deny these permissions; no domain should be using xen_t, and > forbidding the hypervisor from performing cleanup is not useful. > > Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> > Cc: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Wei Liu <wei.liu2@citrix.com> I will pick this up for 4.8.
On Mon, Nov 07, 2016 at 07:22:40AM +0000, Wei Liu wrote: > On Fri, Nov 04, 2016 at 11:35:20AM -0400, Daniel De Graaf wrote: > > Add two missing allow rules: > > > > 1. Device model domain construction uses getvcpucontext, discovered by > > Andrew Cooper in an (apparently) unrelated bisection. > > > > 2. When a domain is destroyed with a device passthrough active, the > > calls to remove_{irq,ioport,iomem} can be made by the hypervisor itself > > (which results in an XSM check with the source xen_t). It does not make > > sense to deny these permissions; no domain should be using xen_t, and > > forbidding the hypervisor from performing cleanup is not useful. > > > > Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> > > Cc: Andrew Cooper <andrew.cooper3@citrix.com> > > Acked-by: Wei Liu <wei.liu2@citrix.com> > > I will pick this up for 4.8. Updated commit message and applied.
diff --git a/tools/flask/policy/modules/xen.if b/tools/flask/policy/modules/xen.if index d83f031..eb646f5 100644 --- a/tools/flask/policy/modules/xen.if +++ b/tools/flask/policy/modules/xen.if @@ -49,7 +49,7 @@ define(`create_domain_common', ` allow $1 $2:domain { create max_vcpus setdomainmaxmem setaddrsize getdomaininfo hypercall setvcpucontext getscheduler getvcpuinfo getaddrsize getaffinity setaffinity - settime setdomainhandle }; + settime setdomainhandle getvcpucontext }; allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim set_max_evtchn set_vnumainfo get_vnumainfo cacheflush psr_cmt_op psr_cat_op soft_reset }; diff --git a/tools/flask/policy/modules/xen.te b/tools/flask/policy/modules/xen.te index b52edc2..0cff2df 100644 --- a/tools/flask/policy/modules/xen.te +++ b/tools/flask/policy/modules/xen.te @@ -49,6 +49,10 @@ type ioport_t, resource_type; type iomem_t, resource_type; type device_t, resource_type; +# Domain destruction can result in some access checks for actions performed by +# the hypervisor. These should always be allowed. +allow xen_t resource_type : resource { remove_irq remove_ioport remove_iomem }; + ################################################################################ # # Policy constraints
Add two missing allow rules: 1. Device model domain construction uses getvcpucontext, discovered by Andrew Cooper in an (apparently) unrelated bisection. 2. When a domain is destroyed with a device passthrough active, the calls to remove_{irq,ioport,iomem} can be made by the hypervisor itself (which results in an XSM check with the source xen_t). It does not make sense to deny these permissions; no domain should be using xen_t, and forbidding the hypervisor from performing cleanup is not useful. Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Cc: Andrew Cooper <andrew.cooper3@citrix.com> --- tools/flask/policy/modules/xen.if | 2 +- tools/flask/policy/modules/xen.te | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-)