From patchwork Thu Jun 9 14:47:10 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Daniel De Graaf
X-Patchwork-Id: 9167189
From: Daniel De Graaf
To: xen-devel@lists.xen.org
Date: Thu, 9 Jun 2016 10:47:10 -0400
Message-Id: <1465483638-9489-8-git-send-email-dgdegra@tycho.nsa.gov>
X-Mailer: git-send-email 2.5.5
In-Reply-To: <1465483638-9489-1-git-send-email-dgdegra@tycho.nsa.gov>
References: <1465483638-9489-1-git-send-email-dgdegra@tycho.nsa.gov>
Cc: Daniel De Graaf
Subject: [Xen-devel] [PATCH 07/15] flask: unify {get, set}vcpucontext permissions

These permissions were initially split because they were in separate
domctls, but this split is very unlikely to actually provide security
benefits: it would require a carefully contrived situation for a domain
to both need access to one type of CPU register and also need to be
prohibited from accessing another type.

Signed-off-by: Daniel De Graaf
Reviewed-by: Konrad Rzeszutek Wilk
---
 tools/flask/policy/modules/dom0.te  |  1 -
 tools/flask/policy/modules/xen.if   |  7 +++----
 xen/xsm/flask/hooks.c               | 20 ++++++--------------
 xen/xsm/flask/policy/access_vectors | 16 ++++++----------
 4 files changed, 15 insertions(+), 29 deletions(-)

diff --git a/tools/flask/policy/modules/dom0.te b/tools/flask/policy/modules/dom0.te index ef6a986..d228b24 100644 --- a/tools/flask/policy/modules/dom0.te +++ b/tools/flask/policy/modules/dom0.te
@@ -34,7 +34,6 @@ allow dom0_t dom0_t:domain { setvcpucontext max_vcpus setaffinity getaffinity getscheduler getdomaininfo getvcpuinfo getvcpucontext setdomainmaxmem setdomainhandle setdebugging hypercall settime setaddrsize getaddrsize trigger - getextvcpucontext setextvcpucontext getvcpuextstate setvcpuextstate getpodtarget setpodtarget set_misc_info set_virq_handler }; allow dom0_t dom0_t:domain2 { diff --git a/tools/flask/policy/modules/xen.if b/tools/flask/policy/modules/xen.if index 00d1bbb..fd96303 100644 --- a/tools/flask/policy/modules/xen.if +++ b/tools/flask/policy/modules/xen.if @@ -47,9 +47,8 @@ define(`declare_build_label', ` define(`create_domain_common', ` allow $1 $2:domain { create max_vcpus setdomainmaxmem setaddrsize - getdomaininfo hypercall setvcpucontext setextvcpucontext - getscheduler getvcpuinfo getvcpuextstate getaddrsize - getaffinity setaffinity setvcpuextstate }; + getdomaininfo hypercall setvcpucontext getscheduler + getvcpuinfo getaddrsize getaffinity setaffinity }; allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim set_max_evtchn set_vnumainfo get_vnumainfo cacheflush psr_cmt_op psr_cat_op soft_reset }; @@ -94,7 +93,7 @@ define(`migrate_domain_out', ` allow $1 domxen_t:mmu map_read; allow $1 $2:hvm { gethvmc getparam irqlevel }; allow $1 $2:mmu { stat pageinfo map_read }; - allow $1 $2:domain { getaddrsize getvcpucontext getextvcpucontext getvcpuextstate pause destroy }; + allow $1 $2:domain { getaddrsize getvcpucontext pause destroy }; allow $1 $2:domain2 gettsc; allow $1 $2:shadow { enable disable logdirty }; ') diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 20d46c8..a8d45e7 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c 
@@ -630,10 +630,16 @@ static int flask_domctl(struct domain *d, int cmd) case XEN_DOMCTL_setdomainhandle: return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SETDOMAINHANDLE); + case XEN_DOMCTL_set_ext_vcpucontext: + case XEN_DOMCTL_set_vcpu_msrs: case XEN_DOMCTL_setvcpucontext: + case XEN_DOMCTL_setvcpuextstate: return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SETVCPUCONTEXT); + case XEN_DOMCTL_get_ext_vcpucontext: + case XEN_DOMCTL_get_vcpu_msrs: case XEN_DOMCTL_getvcpucontext: + case XEN_DOMCTL_getvcpuextstate: return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__GETVCPUCONTEXT); case XEN_DOMCTL_getvcpuinfo: @@ -675,20 +681,6 @@ static int flask_domctl(struct domain *d, int cmd) case XEN_DOMCTL_pin_mem_cacheattr: return current_has_perm(d, SECCLASS_HVM, HVM__CACHEATTR); - case XEN_DOMCTL_set_ext_vcpucontext: - case XEN_DOMCTL_set_vcpu_msrs: - return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SETEXTVCPUCONTEXT); - - case XEN_DOMCTL_get_ext_vcpucontext: - case XEN_DOMCTL_get_vcpu_msrs: - return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__GETEXTVCPUCONTEXT); - - case XEN_DOMCTL_setvcpuextstate: - return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SETVCPUEXTSTATE); - - case XEN_DOMCTL_getvcpuextstate: - return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__GETVCPUEXTSTATE); - case XEN_DOMCTL_sendtrigger: return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__TRIGGER); diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/access_vectors index 3d29042..7e69ede 100644 --- a/xen/xsm/flask/policy/access_vectors +++ b/xen/xsm/flask/policy/access_vectors @@ -111,6 +111,9 @@ class xen2 class domain { # XEN_DOMCTL_setvcpucontext +# XEN_DOMCTL_setvcpuextstate +# XEN_DOMCTL_set_ext_vcpucontext +# XEN_DOMCTL_set_vcpu_msrs setvcpucontext # XEN_DOMCTL_pausedomain pause 
@@ -142,6 +145,9 @@ class domain # XEN_DOMCTL_getvcpuinfo getvcpuinfo # XEN_DOMCTL_getvcpucontext +# XEN_DOMCTL_get_ext_vcpucontext +# XEN_DOMCTL_getvcpuextstate +# XEN_DOMCTL_get_vcpu_msrs getvcpucontext # XEN_DOMCTL_max_mem setdomainmaxmem @@ -166,16 +172,6 @@ class domain getaddrsize # XEN_DOMCTL_sendtrigger trigger -# XEN_DOMCTL_get_ext_vcpucontext -# XEN_DOMCTL_set_vcpu_msrs - getextvcpucontext -# XEN_DOMCTL_set_ext_vcpucontext -# XEN_DOMCTL_get_vcpu_msrs - setextvcpucontext -# XEN_DOMCTL_getvcpuextstate - getvcpuextstate -# XEN_DOMCTL_setvcpuextstate - setvcpuextstate # XENMEM_get_pod_target getpodtarget # XENMEM_set_pod_target
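Review bot: In the create_domain_common hunk of tools/flask/policy/modules/xen.if, getvcpuextstate is dropped from the allow list but getvcpucontext is not added in its place, so a domain builder that gets its access from this macro no longer passes the check for XEN_DOMCTL_getvcpuextstate once hooks.c tests DOMAIN__GETVCPUCONTEXT for it, unless another rule grants getvcpucontext. The set side is unaffected because setvcpucontext was already in the list. Either add getvcpucontext to the macro or say in the commit message that the read access is dropped on purpose.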
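Review bot: In the first flask_domctl hunk of xen/xsm/flask/hooks.c, XEN_DOMCTL_set_ext_vcpucontext, XEN_DOMCTL_set_vcpu_msrs and XEN_DOMCTL_setvcpuextstate now pass on DOMAIN__SETVCPUCONTEXT alone, and the get variants on DOMAIN__GETVCPUCONTEXT, so an existing rule that grants only setvcpucontext or getvcpucontext silently gains the MSR and extended-state domctls. The commit message explains why the split is not useful but does not mention this widening for policy already in use; a sentence there, or a short comment above the grouped case labels, would help anyone maintaining a custom policy.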
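Review bot: In the last hunk of xen/xsm/flask/policy/access_vectors, getextvcpucontext, setextvcpucontext, getvcpuextstate and setvcpuextstate are deleted from the middle of class domain, ahead of getpodtarget, which moves every permission declared after them up by four places. If a compiled policy depends on that ordering, the commit message should state that the policy has to be rebuilt together with the hypervisor. It is also worth noting there that any out-of-tree policy still naming one of the four removed permissions needs updating, since only dom0.te and xen.if are converted here.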