Re: [Xen-devel] default XSM policy for PCI passthrough for unlabeled resources.

2016-07-07 Thread anshul makkar

On 07/07/16 16:36, Daniel De Graaf wrote:

On 07/06/2016 12:19 PM, anshul makkar wrote:

On 06/07/16 16:59, Daniel De Graaf wrote:

On 07/06/2016 11:34 AM, anshul makkar wrote:

Hi,


It allows the resource to be added and removed by the source domain to
target domain, but its use by target domain is blocked.


This rule only mandates the use of resource_type for resource types.  If
you are creating a new resource type, follow the example in nic_dev.te.

Agreed, but inherently it means that "use" of any unlabeled resource
be it irq, ioport or iomem or nic_dev is restricted.


Restricted how?  The fallback types have the resource_type attribute.

Restricted if they are unlabeled.


Neverallow rules are actually not present in the binary policy; they act as
compile-time assertions in the policy build.


Fine.



The resource can be used only if it has been labeled using
flask-label-pci command which needs to be rerun after every boot and
after every policy reload.



Try adding a module with the following rules, which should allow domU to
use unlabeled devices:

use_device(domU_t, irq_t)
use_device(domU_t, ioport_t)
use_device(domU_t, iomem_t)
use_device(domU_t, device_t)

Yes, it does work , but I have added these in delegate_device to make
it restrict to the case where there is delegation.


This prevents using delegate_devices without allowing access to unlabeled
devices.  If you think this should be a macro, I would suggest making a new
one named something like "delegate_unlabeled_devices".



Agreed. That's a better approach.
I believe this macro can make the default policy more flexible and 
useful for more general audience, so it should be there in the policy. I 
can submit patch for the same. Your thoughts ?


___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel


Re: [Xen-devel] default XSM policy for PCI passthrough for unlabeled resources.

2016-07-07 Thread Daniel De Graaf

On 07/06/2016 12:19 PM, anshul makkar wrote:

On 06/07/16 16:59, Daniel De Graaf wrote:

On 07/06/2016 11:34 AM, anshul makkar wrote:

Hi,


It allows the resource to be added and removed by the source domain to
target domain, but its use by target domain is blocked.


This rule only mandates the use of resource_type for resource types.  If
you are creating a new resource type, follow the example in nic_dev.te.

Agreed, but inherently it means that "use" of any unlabeled resource be it irq, 
ioport or iomem or nic_dev is restricted.


Restricted how?  The fallback types have the resource_type attribute.

Neverallow rules are actually not present in the binary policy; they act as
compile-time assertions in the policy build.




The resource can be used only if it has been labeled using
flask-label-pci command which needs to be rerun after every boot and
after every policy reload.


Yes; this gives the most control over what resources can be delegated.
Policy reloads are supposed to be rare (on a production system) and you
already need special boot scripts (or parameters) to set up the device
for passthrough, so this can be added there.  However, I agree this can
be more work than a "default" FLASK policy should require.

Try adding a module with the following rules, which should allow domU to
use unlabeled devices:

use_device(domU_t, irq_t)
use_device(domU_t, ioport_t)
use_device(domU_t, iomem_t)
use_device(domU_t, device_t)

Yes, it does work , but I have added these in delegate_device to make it 
restrict to the case where there is delegation.


This prevents using delegate_devices without allowing access to unlabeled
devices.  If you think this should be a macro, I would suggest making a new
one named something like "delegate_unlabeled_devices".

--
Daniel De Graaf
National Security Agency

___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel


Re: [Xen-devel] default XSM policy for PCI passthrough for unlabeled resources.

2016-07-06 Thread anshul makkar

On 06/07/16 16:59, Daniel De Graaf wrote:

On 07/06/2016 11:34 AM, anshul makkar wrote:

Hi,


It allows the resource to be added and removed by the source domain to
target domain, but its use by target domain is blocked.


This rule only mandates the use of resource_type for resource types.  If
you are creating a new resource type, follow the example in nic_dev.te.
Agreed, but inherently it means that "use" of any unlabeled resource be 
it irq, ioport or iomem or nic_dev is restricted.



The resource can be used only if it has been labeled using
flask-label-pci command which needs to be rerun after every boot and
after every policy reload.


Yes; this gives the most control over what resources can be delegated.
Policy reloads are supposed to be rare (on a production system) and you
already need special boot scripts (or parameters) to set up the device
for passthrough, so this can be added there.  However, I agree this can
be more work than a "default" FLASK policy should require.

Try adding a module with the following rules, which should allow domU to
use unlabeled devices:

use_device(domU_t, irq_t)
use_device(domU_t, ioport_t)
use_device(domU_t, iomem_t)
use_device(domU_t, device_t)
Yes, it does work , but I have added these in delegate_device to make it 
restrict to the case where there is delegation.


If this works, that module could be added to the default policy.


Given that what we ship is just a sample default policy for reference
which is expected to be permissive in most of the scenarios so that it
doesn't affect the basic functionalities, is this "neverallow" rule
needed ?

Thanks
Anshul Makkar


The neverallow rules are just there to ensure that the attributes are
being used correctly.


Anshul

___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel


Re: [Xen-devel] default XSM policy for PCI passthrough for unlabeled resources.

2016-07-06 Thread Daniel De Graaf

On 07/06/2016 11:34 AM, anshul makkar wrote:

Hi,

Default XSM policy doesn't allow the use of unlabeled PCI resources that have 
been passed through to target domain.

xen.te
# Resources must be declared using . resource_type
neverallow * ~resource_type:resource use;

It allows the resource to be added and removed by the source domain to target 
domain, but its use by target domain is blocked.


This rule only mandates the use of resource_type for resource types.  If you 
are creating a new resource type, follow the example in nic_dev.te.


The resource can be used only if it has been labeled using flask-label-pci 
command which needs to be rerun after every boot and after every policy reload.


Yes; this gives the most control over what resources can be delegated.  Policy reloads 
are supposed to be rare (on a production system) and you already need special boot 
scripts (or parameters) to set up the device for passthrough, so this can be added there. 
 However, I agree this can be more work than a "default" FLASK policy should 
require.


The above approach reduces the flexibility and necessitates admin intervention to give 
passthrough rights after host has booted. Also, in general if I want to allow all domUs 
to have PCI passthough access to all PCI device, I have no other way apart from disabling 
the "neverallow" rule.


Try adding a module with the following rules, which should allow domU to use 
unlabeled devices:

use_device(domU_t, irq_t)
use_device(domU_t, ioport_t)
use_device(domU_t, iomem_t)
use_device(domU_t, device_t)

If this works, that module could be added to the default policy.


Given that what we ship is just a sample default policy for reference which is expected 
to be permissive in most of the scenarios so that it doesn't affect the basic 
functionalities, is this "neverallow" rule needed ?

Thanks
Anshul Makkar


The neverallow rules are just there to ensure that the attributes are being 
used correctly.

--
Daniel De Graaf
National Security Agency

___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel


[Xen-devel] default XSM policy for PCI passthrough for unlabeled resources.

2016-07-06 Thread anshul makkar

Hi,

Default XSM policy doesn't allow the use of unlabeled PCI resources that 
have been passed through to target domain.


xen.te
# Resources must be declared using . resource_type 


neverallow * ~resource_type:resource use;

It allows the resource to be added and removed by the source domain to 
target domain, but its use by target domain is blocked.


The resource can be used only if it has been labeled using 
flask-label-pci command which needs to be rerun after every boot and 
after every policy reload.


The above approach reduces the flexibility and necessitates admin 
intervention to give passthrough rights after host has booted. Also, in 
general if I want to allow all domUs to have PCI passthough access to 
all PCI device, I have no other way apart from disabling the 
"neverallow" rule.


Given that what we ship is just a sample default policy for reference 
which is expected to be permissive in most of the scenarios so that it 
doesn't affect the basic functionalities, is this "neverallow" rule needed ?


Thanks
Anshul Makkar









___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel