From patchwork Tue Jan 12 16:37:12 2016
X-Patchwork-Submitter: Konrad Rzeszutek Wilk
X-Patchwork-Id: 8019141
Date: Tue, 12 Jan 2016 11:37:12 -0500
From: Konrad Rzeszutek Wilk
To: Jan Beulich
Cc: wei.liu2@citrix.com, ian.campbell@citrix.com, andrew.cooper3@citrix.com, ian.jackson@eu.citrix.com, mpohlack@amazon.de, xen-devel@lists.xenproject.org, dgdegra@tycho.nsa.gov
Subject: Re: [Xen-devel] [PATCH v2 1/3] xsm/xen_version: Add XSM for the xen_version hypercall.
Message-ID: <20160112163712.GB17685@char.us.oracle.com>
In-Reply-To: <5693E3C502000078000C58D0@prv-mh.provo.novell.com>
References: <1446838577-7563-1-git-send-email-konrad.wilk@oracle.com> <1446838577-7563-2-git-send-email-konrad.wilk@oracle.com> <5641F13F02000078000B35D3@prv-mh.provo.novell.com> <20160106174138.GB8633@char.us.oracle.com> <568E235702000078000C437E@prv-mh.provo.novell.com> <20160108173137.GA12321@char.us.oracle.com> <56937DCE02000078000C5516@prv-mh.provo.novell.com> <20160111160146.GC10641@char.us.oracle.com> <5693E3C502000078000C58D0@prv-mh.provo.novell.com>
User-Agent: Mutt/1.5.23 (2014-03-12)

On Mon, Jan 11, 2016 at 09:17:57AM -0700, Jan Beulich wrote:
> >>> On 11.01.16 at 17:01, wrote:
> > On Mon, Jan 11, 2016 at 02:02:54AM -0700, Jan Beulich wrote:
> >> >>> On 08.01.16 at 18:31, wrote:
> >> >> >> > The rest: XENVER_[version|capabilities|
> >> >> >> > parameters|get_features|page_size|guest_handle] behave
> >> >> >> > as before - allowed by default for all guests.
> >> >> >> >
> >> >> >> > This is with the XSM default policy and with the dummy ones.
> >> >> >>
> >> >> >> And with a non-default policy you now ignore one of the latter
> >> >> >> ops to also get denied.
> >> >> >
> >> >> > No, but that is due to the 'deny' being only checked for certain subops.
> >> >>
> >> >> To me this reply seems contradictory in itself: The "no" doesn't
> >> >> seem to match up with the rest.
> >> >>
> >> >> > I think what you are saying is that for XENVER_[version|capabilities|
> >> >> > parameters|get_features|page_size|guest_handle] we should not have any
> >> >> > XSM checks as they serve no purpose (which is what I had in the earlier
> >> >> > versions of this patch). However Andrew mentioned that he would
> >> >> > like _ALL_ of the sub-ops to be checked for.
> >> >>
> >> >> And I agree with Andrew, hence my earlier comment above (with
> >> >> the reply I can't really make sense of).
> >> >
> >> > I am all confused now.
> >> >
> >> > There are two parts here:
> >> > a) The XSM checks - which allow the XENVER_version..XENVER_guest_handle
> >> > without any hindrance. For XENVER_commandline and XENVER_buildid
> >> > they are evaluated.
> >> >
> >> > b) Acting on the XSM check. For most of them we cannot actually return
> >> > -EFAULT and MUST return either a valid value or some form of a string.
> >> >
> >> > The ones for which we could return '' were changeset, compile_info,
> >> > commandline, extraversion. To make it simpler we only do it for
> >> > commandline.
> >> >
> >> > In essence we have an XSM check which is ignored by all XENVER_ subops
> >> > except commandline (and build_id in a later patch).
> >> >
> >> > I think both of you are OK with that?
> >>
> >> Iirc Andrew's request was to honor XSM denies on any sub-op
> >> when a non-default policy is in place. Whereas in default mode
> >> only command line and build id are the ones clearly needing
> >> restricting.
> >> Which won't be possible if you ignore the return
> >> value of the XSM check in some of the cases.
> >
> > That means we need two (as earlier patches had it) version labels.
> > One for the command_line and build_id (version_priv) and one for
> > the rest (version_use). By default version_use would be available
> > to every guest. If a non-default policy wants to mess with it - that is OK.
>
> That would seem a little too coarse grained. Why can't we keep it
> at the sub-op level, just that the default is "OK" for everything
> except the two?

So you are thinking of a whole new XSM 'class' for this hypercall? As in (not compile tested, of course):

> >
> > Now comes the big question - for the XENVER_[version|capabilities|
> > parameters|get_features|page_size|guest_handle] - if it is denied
> > (so non-default version_use policy) - what should we return?
>
> "" just like for the others that return strings; page_size
> and other numeric ones may need to return zero.
>
> > I can return '' for the strings, but what should we do
> > for the page_size, capabilities and guest_handle ? -EPERM?
>
> guest_handle is particularly interesting: It seems to make very
> little sense to deny a guest access to its own handle.
>
> Jan
>

diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
index 17f304e..fca5809 100644
--- a/tools/flask/policy/policy/modules/xen/xen.te
+++ b/tools/flask/policy/policy/modules/xen/xen.te
@@ -141,6 +141,13 @@ if (guest_writeconsole) {
 # pmu_ctrl is for)
 allow domain_type xen_t:xen2 pmu_use;
 
+allow dom0_t version:domain {
+    version parameters ... commandline build_id
+};
+allow domain_type version:domain {
+    version parameters ...
+}
+
 ###############################################################################
 #
 # Domain creation
diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/access_vectors
index c123256..4b20d08 100644
--- a/xen/xsm/flask/policy/access_vectors
+++ b/xen/xsm/flask/policy/access_vectors
@@ -246,6 +246,18 @@ class domain2
     psr_cat_op
 }
 
+# defined by XENVER_hypercall
+class xenver
+{
+# XENVER_version
+    version
+# XENVER_parameters
+    parameters
+# ... snip..
+    commandline
+    build_id
+}
+
 # Similar to class domain, but primarily contains domctls related to HVM domains
 class hvm
 {
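Review bot: in the xen.te hunk both allow rules name the class as `version:domain`, which FLASK reads as target type `version` and class `domain`; the class this sketch defines is `xenver`, and the target for a hypervisor-wide query is `xen_t`, exactly as in the adjacent context line `allow domain_type xen_t:xen2 pmu_use;`. They should read `allow dom0_t xen_t:xenver { ... };` and `allow domain_type xen_t:xenver { ... };`. The second rule is also missing its terminating semicolon (`+}` where the first rule has `+};`), and the `...` placeholders have to become the actual permission names before the policy will build. Since dom0_t carries the domain_type attribute, the dom0_t rule only needs to add commandline and build_id on top of what the domain_type rule grants.

Review bot: the `xenver` class added in the access_vectors hunk is not usable on its own: a new class must also be listed in xen/xsm/flask/policy/security_classes, and a hook in xen/xsm/flask/hooks.c has to map each XENVER_ sub-op to one of these permissions; neither file is touched by this diff. The comment `# defined by XENVER_hypercall` names something that does not exist; the hypercall is `__HYPERVISOR_xen_version` and the sub-ops are the XENVER_* constants, so each permission should be commented with its sub-op as the `# XENVER_version` line already does, and `# ... snip..` must be replaced by the remaining sub-op names (the thread lists capabilities, get_features, page_size, extraversion, changeset and compile_info, and argues that guest_handle needs no permission at all).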
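The design the thread converges on, a per-sub-op XSM check whose denial is honoured on every sub-op by returning a harmless value rather than -EFAULT, as an added C model that is not Xen's code and not part of this patch series: the two policy functions, the reply structure, the scalar accessors and all sample version strings are assumptions made for the example; only the XENVER_ sub-op numbers are meant to match xen/include/public/version.h.

```c
/* Added illustration, not Xen code: a model of the sub-op level XSM check for
 * the xen_version hypercall. Policies, reply struct and samples are assumed. */
#include <stdint.h>
#include <string.h>

/* Sub-op numbers, assumed to follow xen/include/public/version.h. */
enum xenver_subop {
    XENVER_version      = 0,
    XENVER_extraversion = 1,
    XENVER_pagesize     = 7,
    XENVER_guest_handle = 8,
    XENVER_commandline  = 9,
    XENVER_build_id     = 10,
};

#define XSM_ALLOW 0
#define XSM_DENY  (-1)

/* A policy decides per (caller is dom0?, sub-op); it stands in for the
 * per-sub-op permissions of a FLASK "xenver" class. */
typedef int (*xsm_xenver_policy)(int is_dom0, enum xenver_subop op);

/* Default policy as described in the thread: every sub-op is allowed for all
 * guests except commandline and build_id, which only dom0 may read. */
int xenver_default_policy(int is_dom0, enum xenver_subop op)
{
    switch (op) {
    case XENVER_commandline:
    case XENVER_build_id:
        return is_dom0 ? XSM_ALLOW : XSM_DENY;
    default:
        return XSM_ALLOW;
    }
}

/* A stricter, non-default policy: unprivileged guests only get the version
 * number and their own handle; dom0 keeps everything. */
int xenver_strict_policy(int is_dom0, enum xenver_subop op)
{
    if (is_dom0 || op == XENVER_version || op == XENVER_guest_handle)
        return XSM_ALLOW;
    return XSM_DENY;
}

struct xenver_reply {
    long rc;            /* hypercall return value */
    char str[64];       /* payload of the string sub-ops */
    uint8_t handle[16]; /* payload of XENVER_guest_handle */
};

/* Constructed hypervisor state for the example. */
static const char sample_extraversion[] = "-unstable";
static const char sample_cmdline[]      = "console=com1 loglvl=all";
static const char sample_build_id[]     = "0123456789abcdef";
static const uint8_t sample_handle[16]  = { 0xde, 0xad, 0xbe, 0xef };

/* Dispatcher. The XSM check runs for every sub-op and a denial is honoured on
 * every sub-op, but never by returning -EFAULT: string sub-ops yield "" and
 * numeric ones 0. guest_handle is exempt, as hiding a guest's own handle from
 * it serves no purpose. */
struct xenver_reply do_xen_version(xsm_xenver_policy policy, int is_dom0,
                                   enum xenver_subop op)
{
    struct xenver_reply r = { 0 };
    int denied = op != XENVER_guest_handle && policy(is_dom0, op) != XSM_ALLOW;
    const char *s = "";

    switch (op) {
    case XENVER_version:
        r.rc = denied ? 0 : ((4L << 16) | 7); /* constructed: Xen 4.7 */
        return r;
    case XENVER_pagesize:
        r.rc = denied ? 0 : 4096;
        return r;
    case XENVER_guest_handle:
        memcpy(r.handle, sample_handle, sizeof(r.handle));
        return r;
    case XENVER_extraversion: s = sample_extraversion; break;
    case XENVER_commandline:  s = sample_cmdline;      break;
    case XENVER_build_id:     s = sample_build_id;     break;
    default:
        r.rc = -38; /* -ENOSYS: unknown sub-op */
        return r;
    }
    if (!denied)
        strncpy(r.str, s, sizeof(r.str) - 1); /* r.str stays "" when denied */
    return r;
}

/* Scalar accessors so a caller can check a reply without touching the struct. */
long xenver_rc(xsm_xenver_policy p, int d0, enum xenver_subop op)
{ struct xenver_reply r = do_xen_version(p, d0, op); return r.rc; }

size_t xenver_strlen(xsm_xenver_policy p, int d0, enum xenver_subop op)
{ struct xenver_reply r = do_xen_version(p, d0, op); return strlen(r.str); }

int xenver_handle_set(xsm_xenver_policy p, int d0, enum xenver_subop op)
{ struct xenver_reply r = do_xen_version(p, d0, op); return r.handle[0] != 0; }
```

Swapping the policy function is the equivalent of loading a non-default FLASK policy: with the default policy an unprivileged guest still reads the extra version but gets "" for the command line, while with the strict policy the same guest gets "" for every string sub-op, 0 for page_size, and still its own handle.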