From patchwork Fri Nov 4 15:35:20 2016
X-Patchwork-Submitter: Daniel De Graaf
X-Patchwork-Id: 9412735
From: Daniel De Graaf
To: xen-devel@lists.xen.org
Date: Fri, 4 Nov 2016 11:35:20 -0400
Message-Id: <1478273720-26479-1-git-send-email-dgdegra@tycho.nsa.gov>
X-Mailer: git-send-email 2.7.4
Cc: Andrew Cooper, Daniel De Graaf
Subject: [Xen-devel] [PATCH] xsm: add missing permissions discovered in testing

Add two missing allow rules:

1. Device model domain construction uses getvcpucontext, discovered by
   Andrew Cooper in an (apparently) unrelated bisection.

2. When a domain is destroyed with a device passthrough active, the calls
   to remove_{irq,ioport,iomem} can be made by the hypervisor itself (which
   results in an XSM check with the source xen_t). It does not make sense
   to deny these permissions; no domain should be using xen_t, and
   forbidding the hypervisor from performing cleanup is not useful.

Signed-off-by: Daniel De Graaf
Cc: Andrew Cooper
Acked-by: Wei Liu
---
 tools/flask/policy/modules/xen.if | 2 +-
 tools/flask/policy/modules/xen.te | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/tools/flask/policy/modules/xen.if b/tools/flask/policy/modules/xen.if
index d83f031..eb646f5 100644
--- a/tools/flask/policy/modules/xen.if
+++ b/tools/flask/policy/modules/xen.if
@@ -49,7 +49,7 @@ define(`create_domain_common', ` allow $1 $2:domain { create max_vcpus setdomainmaxmem setaddrsize getdomaininfo hypercall setvcpucontext getscheduler getvcpuinfo getaddrsize getaffinity setaffinity - settime setdomainhandle }; + settime setdomainhandle getvcpucontext }; allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim set_max_evtchn set_vnumainfo get_vnumainfo cacheflush psr_cmt_op psr_cat_op soft_reset }; diff --git a/tools/flask/policy/modules/xen.te b/tools/flask/policy/modules/xen.te index b52edc2..0cff2df 100644 --- a/tools/flask/policy/modules/xen.te +++ b/tools/flask/policy/modules/xen.te @@ -49,6 +49,10 @@ type ioport_t, resource_type; type iomem_t, resource_type; type device_t, resource_type; +# Domain destruction can result in some access checks for actions performed by +# the hypervisor. These should always be allowed. +allow xen_t resource_type : resource { remove_irq remove_ioport remove_iomem }; + ################################################################################ # # Policy constraints
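Review bot: In the xen.if hunk, the grant is wider than the justification in the commit message. The message motivates getvcpucontext by device model domain construction, but create_domain_common is the shared macro, so every caller that builds a domain through it gains the permission, not only the device-model path. The widening is defensible because the same allow line already grants setvcpucontext, and reading vCPU state is no more sensitive than writing it; still, a one-line comment above the rule recording why getvcpucontext is needed (the bisection result) would keep the policy self-documenting for the next person auditing the domain class permissions.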
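Review bot: In the xen.te hunk, the new rule's safety rests entirely on the commit message's premise that no domain is ever labelled xen_t, and nothing in the hunk enforces that. The rule uses the resource_type attribute, so it covers ioport_t, iomem_t and device_t from the surrounding context at once; if a future labelling change ever assigned xen_t to a domain, that domain would silently inherit remove_irq, remove_ioport and remove_iomem on every resource. Since the section immediately following is "Policy constraints", consider stating there, or extending the added comment to say, that xen_t is reserved for the hypervisor itself and must not be assigned to any domain. Minor style point: `resource_type : resource` puts spaces around the colon, whereas the xen.if hunk writes `$2:domain`; the two files should use one spelling.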