From patchwork Thu Jun 9 14:47:05 2016
X-Patchwork-Submitter: Daniel De Graaf
X-Patchwork-Id: 9167197
From: Daniel De Graaf
To: xen-devel@lists.xen.org
Date: Thu, 9 Jun 2016 10:47:05 -0400
Message-Id: <1465483638-9489-3-git-send-email-dgdegra@tycho.nsa.gov>
In-Reply-To: <1465483638-9489-1-git-send-email-dgdegra@tycho.nsa.gov>
References: <1465483638-9489-1-git-send-email-dgdegra@tycho.nsa.gov>
Cc: Daniel De Graaf
Subject: [Xen-devel] [PATCH 02/15] flask/policy: split out rules for system_r
List-Id: Xen developer discussion

When the all_system_role module is enabled, any domain type can be created
using the system_r role, which was the default. When it is disabled, domains
not using the default types (dom0_t and domU_t) must use another role such as
vm_r.

Signed-off-by: Daniel De Graaf
Reviewed-by: Konrad Rzeszutek Wilk
Reviewed-by: Doug Goldstein
---
 tools/flask/policy/modules/all_system_role.te | 8 ++++++++
 tools/flask/policy/modules/domU.te            | 3 +++
 tools/flask/policy/modules/modules.conf       | 5 +++++
 tools/flask/policy/modules/xen.te             | 11 +++--------
 4 files changed, 19 insertions(+), 8 deletions(-)
 create mode 100644 tools/flask/policy/modules/all_system_role.te

diff --git a/tools/flask/policy/modules/all_system_role.te b/tools/flask/policy/modules/all_system_role.te
new file mode 100644
index 0000000..74f870f
--- /dev/null
+++ b/tools/flask/policy/modules/all_system_role.te
@@ -0,0 +1,8 @@ +# Allow all domains to use system_r so that systems that are not using the +# user/role separation feature will work properly. +role system_r types domain_type; + +# The vm role is used as part of user separation. Allow all domain types to use +# this role except dom0. +role vm_r; +role vm_r types { domain_type -dom0_t }; diff --git a/tools/flask/policy/modules/domU.te b/tools/flask/policy/modules/domU.te index ca5eecd..b77df29 100644 --- a/tools/flask/policy/modules/domU.te +++ b/tools/flask/policy/modules/domU.te @@ -23,3 +23,6 @@ make_device_model(dom0_t, dm_dom_t, domU_t) # This is required for PCI (or other device) passthrough delegate_devices(dom0_t, domU_t) + +# Both of these domain types can be created using the default (system) role +role system_r types { domU_t dm_dom_t }; diff --git a/tools/flask/policy/modules/modules.conf b/tools/flask/policy/modules/modules.conf index dba4b40..d875dbf 100644 --- a/tools/flask/policy/modules/modules.conf +++ b/tools/flask/policy/modules/modules.conf @@ -32,3 +32,8 @@ nomigrate = on # Example device policy. Also see policy/device_contexts. nic_dev = on + +# This allows any domain type to be created using the system_r role. When it is +# disabled, domains not using the default types (dom0_t and domU_t) must use +# another role (such as vm_r) from the vm_role module. +all_system_role = on diff --git a/tools/flask/policy/modules/xen.te b/tools/flask/policy/modules/xen.te index 3ee5e75..f374dc5 100644 --- a/tools/flask/policy/modules/xen.te +++ b/tools/flask/policy/modules/xen.te 
@@ -78,12 +78,7 @@ neverallow * ~event_type:event { create send status }; # The object role (object_r) is used for devices, resources, and event channels; # it does not need to be defined here and should not be used for domains. -# The system role is used for utility domains and pseudo-domains +# The system role is used for utility domains and pseudo-domains. If roles are +# not being used for separation, all domains can use the system role. role system_r; -role system_r types { xen_type domain_type }; -# If you want to prevent domUs from being placed in system_r: -##role system_r types { xen_type dom0_t }; - -# The vm role is used for customer virtual machines -role vm_r; -role vm_r types { domain_type -dom0_t }; +role system_r types { xen_type dom0_t };
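Review bot: in the all_system_role.te hunk, `role vm_r;` and `role vm_r types { domain_type -dom0_t };` land in the very module that the modules.conf comment tells an administrator to turn off, so with all_system_role = off the vm_r role that the commit message says such domains "must use" is no longer declared in any of the visible files (the xen.te hunk drops its copy in the same patch). Keep the two vm_r lines in xen.te, or put them in a separate module named as the modules.conf comment already does (vm_role), so that disabling all_system_role still leaves a role for non-default domain types.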
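Review bot: the comment in the domU.te hunk, "Both of these domain types can be created using the default (system) role", does not say why the statement is needed now; spell out that it keeps domU_t and dm_dom_t in system_r when the all_system_role module is disabled, since the xen.te hunk narrows the base statement to `{ xen_type dom0_t }` and this `role system_r types { domU_t dm_dom_t };` merges with it rather than replacing it.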
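Review bot: the new modules.conf comment lists the types that keep the default role as "dom0_t and domU_t", but the domU.te hunk also grants system_r to dm_dom_t; add dm_dom_t to that list (and to the commit message) so the option's documentation matches the policy it controls. The comment also points at a "vm_role module" that this patch does not add; name the module that actually declares vm_r.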
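Review bot: the rewritten comment in the xen.te hunk says "If roles are not being used for separation, all domains can use the system role" but no longer tells the reader how; the removed `##role system_r types { xen_type dom0_t };` hint was the old pointer, so replace it with a reference to the all_system_role entry in modules.conf, which is now where that choice is made. The first sentence should also note that the domU module adds domU_t and dm_dom_t to system_r, since the base statement now covers only xen_type and dom0_t.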
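The commit message describes the toggle in terms of which domain types may carry system_r. As an added example that is not part of this patch or of the Xen tree, the Python below models how the `role ... types` statements in xen.te, domU.te and all_system_role.te merge when the policy is built, using a constructed attribute table (the `ATTRIBUTES` map and the `isolated_domU_t` type are assumptions, not from the page) and a constructed modules.conf excerpt in the same `name = on` style as the hunk:

```python
"""Added example, not code from this patch or the Xen tree: a model of how
FLASK/SELinux `role ... types ...;` statements accumulate across the modules
this patch touches, so the effect of toggling all_system_role can be checked.
Assumptions not on the page: ATTRIBUTES is a constructed stand-in for the real
type declarations; the parser knows only the statement forms in the hunks.
"""
import re

# Constructed stand-in for attribute membership set up by the real
# xen.te/domU.te type declarations. isolated_domU_t is an invented type.
ATTRIBUTES = {
    "domain_type": {"dom0_t", "domU_t", "dm_dom_t", "isolated_domU_t"},
    "xen_type": {"xen_t", "xenboot_t"},
}

# Role statements as they appear in the patch, keyed by module name.
# "xen" stands in for the base module and is always enabled.
MODULES = {
    "xen": "role system_r;\nrole system_r types { xen_type dom0_t };",
    "domU": "role system_r types { domU_t dm_dom_t };",
    "all_system_role": (
        "role system_r types domain_type;\n"
        "role vm_r;\n"
        "role vm_r types { domain_type -dom0_t };"
    ),
}

# Constructed modules.conf excerpt in the same `name = on` style as the hunk.
SAMPLE_CONF = """\
domU = on
nic_dev = on          # not modelled here, ignored
all_system_role = on
"""

ROLE_RE = re.compile(r"^\s*role\s+(\w+)(?:\s+types\s+(.+?))?\s*;\s*$")


def expand(identifier):
    """Map a type or attribute name to the set of types it denotes."""
    return set(ATTRIBUTES.get(identifier, {identifier}))


def parse_role_types(text):
    """Parse one module's role statements into {role: set(types)}. In
    `{ a b -c }` positive members are unioned and `-x` members removed
    afterwards (SELinux set syntax), so `{ domain_type -dom0_t }` drops dom0_t."""
    roles = {}
    for line in text.splitlines():
        m = ROLE_RE.match(line)
        if not m:
            continue
        role, spec = m.group(1), m.group(2)
        roles.setdefault(role, set())
        if spec is None:            # bare `role R;` declaration
            continue
        include, exclude = set(), set()
        for tok in spec.strip("{} ").split():
            if tok.startswith("-"):
                exclude |= expand(tok[1:])
            else:
                include |= expand(tok)
        roles[role] |= include - exclude
    return roles


def enabled_modules(conf_text):
    """Read `name = on` lines; names not modelled in MODULES are skipped."""
    enabled = {"xen"}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]
        name, _, value = (part.strip() for part in line.partition("="))
        if value == "on" and name in MODULES:
            enabled.add(name)
    return enabled


def effective_roles(enabled):
    """Merge the role statements of all enabled modules. Role/type pairs
    from different modules accumulate, as they do in the compiled policy."""
    merged = {}
    for name in enabled:
        for role, types in parse_role_types(MODULES[name]).items():
            merged.setdefault(role, set()).update(types)
    return merged


def can_use_role(enabled, domain_type, role):
    """True if a domain of `domain_type` may be labelled with `role`."""
    return domain_type in effective_roles(enabled).get(role, set())


if __name__ == "__main__":
    on = enabled_modules(SAMPLE_CONF)
    for label, cfg in (("all_system_role=on", on),
                       ("all_system_role=off", on - {"all_system_role"})):
        print(label, {r: sorted(t) for r, t in effective_roles(cfg).items()})
```

Running it with the module on and off reproduces the commit message: with all_system_role on, every domain_type may take system_r and vm_r covers everything except dom0_t; with it off, only xen_type, dom0_t, domU_t and dm_dom_t remain in system_r, and vm_r is not declared by any enabled module in this model.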