Re: [Xen-devel] [PATCH] xsm: add missing permissions discovered in testing
On Mon, Nov 07, 2016 at 07:22:40AM +, Wei Liu wrote: > On Fri, Nov 04, 2016 at 11:35:20AM -0400, Daniel De Graaf wrote: > > Add two missing allow rules: > > > > 1. Device model domain construction uses getvcpucontext, discovered by > > Andrew Cooper in an (apparently) unrelated bisection. > > > > 2. When a domain is destroyed with a device passthrough active, the > > calls to remove_{irq,ioport,iomem} can be made by the hypervisor itself > > (which results in an XSM check with the source xen_t). It does not make > > sense to deny these permissions; no domain should be using xen_t, and > > forbidding the hypervisor from performing cleanup is not useful. > > > > Signed-off-by: Daniel De Graaf> > Cc: Andrew Cooper > > Acked-by: Wei Liu > > I will pick this up for 4.8. Updated commit message and applied. ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH] xsm: add missing permissions discovered in testing
On Fri, Nov 04, 2016 at 11:35:20AM -0400, Daniel De Graaf wrote: > Add two missing allow rules: > > 1. Device model domain construction uses getvcpucontext, discovered by > Andrew Cooper in an (apparently) unrelated bisection. > > 2. When a domain is destroyed with a device passthrough active, the > calls to remove_{irq,ioport,iomem} can be made by the hypervisor itself > (which results in an XSM check with the source xen_t). It does not make > sense to deny these permissions; no domain should be using xen_t, and > forbidding the hypervisor from performing cleanup is not useful. > > Signed-off-by: Daniel De Graaf> Cc: Andrew Cooper Acked-by: Wei Liu I will pick this up for 4.8. ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH] xsm: add missing permissions discovered in testing
On 04/11/16 15:35, Daniel De Graaf wrote: > Add two missing allow rules: > > 1. Device model domain construction uses getvcpucontext, discovered by > Andrew Cooper in an (apparently) unrelated bisection. Merely observation of the logs while chasing an unrelated issue. ~Andrew > > 2. When a domain is destroyed with a device passthrough active, the > calls to remove_{irq,ioport,iomem} can be made by the hypervisor itself > (which results in an XSM check with the source xen_t). It does not make > sense to deny these permissions; no domain should be using xen_t, and > forbidding the hypervisor from performing cleanup is not useful. > > Signed-off-by: Daniel De Graaf> Cc: Andrew Cooper > --- > tools/flask/policy/modules/xen.if | 2 +- > tools/flask/policy/modules/xen.te | 4 > 2 files changed, 5 insertions(+), 1 deletion(-) > > diff --git a/tools/flask/policy/modules/xen.if > b/tools/flask/policy/modules/xen.if > index d83f031..eb646f5 100644 > --- a/tools/flask/policy/modules/xen.if > +++ b/tools/flask/policy/modules/xen.if > @@ -49,7 +49,7 @@ define(`create_domain_common', ` > allow $1 $2:domain { create max_vcpus setdomainmaxmem setaddrsize > getdomaininfo hypercall setvcpucontext getscheduler > getvcpuinfo getaddrsize getaffinity setaffinity > - settime setdomainhandle }; > + settime setdomainhandle getvcpucontext }; > allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim > set_max_evtchn set_vnumainfo get_vnumainfo cacheflush > psr_cmt_op psr_cat_op soft_reset }; > diff --git a/tools/flask/policy/modules/xen.te > b/tools/flask/policy/modules/xen.te > index b52edc2..0cff2df 100644 > --- a/tools/flask/policy/modules/xen.te > +++ b/tools/flask/policy/modules/xen.te > @@ -49,6 +49,10 @@ type ioport_t, resource_type; > type iomem_t, resource_type; > type device_t, resource_type; > > +# Domain destruction can result in some access checks for actions performed > by > +# the hypervisor. These should always be allowed. > +allow xen_t resource_type : resource { remove_irq remove_ioport remove_iomem > }; > + > > > # > # Policy constraints ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel
[Xen-devel] [PATCH] xsm: add missing permissions discovered in testing
Add two missing allow rules: 1. Device model domain construction uses getvcpucontext, discovered by Andrew Cooper in an (apparently) unrelated bisection. 2. When a domain is destroyed with a device passthrough active, the calls to remove_{irq,ioport,iomem} can be made by the hypervisor itself (which results in an XSM check with the source xen_t). It does not make sense to deny these permissions; no domain should be using xen_t, and forbidding the hypervisor from performing cleanup is not useful. Signed-off-by: Daniel De GraafCc: Andrew Cooper --- tools/flask/policy/modules/xen.if | 2 +- tools/flask/policy/modules/xen.te | 4 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/tools/flask/policy/modules/xen.if b/tools/flask/policy/modules/xen.if index d83f031..eb646f5 100644 --- a/tools/flask/policy/modules/xen.if +++ b/tools/flask/policy/modules/xen.if @@ -49,7 +49,7 @@ define(`create_domain_common', ` allow $1 $2:domain { create max_vcpus setdomainmaxmem setaddrsize getdomaininfo hypercall setvcpucontext getscheduler getvcpuinfo getaddrsize getaffinity setaffinity - settime setdomainhandle }; + settime setdomainhandle getvcpucontext }; allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim set_max_evtchn set_vnumainfo get_vnumainfo cacheflush psr_cmt_op psr_cat_op soft_reset }; diff --git a/tools/flask/policy/modules/xen.te b/tools/flask/policy/modules/xen.te index b52edc2..0cff2df 100644 --- a/tools/flask/policy/modules/xen.te +++ b/tools/flask/policy/modules/xen.te @@ -49,6 +49,10 @@ type ioport_t, resource_type; type iomem_t, resource_type; type device_t, resource_type; +# Domain destruction can result in some access checks for actions performed by +# the hypervisor. These should always be allowed. +allow xen_t resource_type : resource { remove_irq remove_ioport remove_iomem }; + # # Policy constraints -- 2.7.4 ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel