Re: [Xen-devel] default XSM policy for PCI passthrough for unlabeled resources.
On 07/07/16 16:36, Daniel De Graaf wrote: On 07/06/2016 12:19 PM, anshul makkar wrote: On 06/07/16 16:59, Daniel De Graaf wrote: On 07/06/2016 11:34 AM, anshul makkar wrote: Hi, It allows the resource to be added and removed by the source domain to target domain, but its use by target domain is blocked. This rule only mandates the use of resource_type for resource types. If you are creating a new resource type, follow the example in nic_dev.te. Agreed, but inherently it means that "use" of any unlabeled resource be it irq, ioport or iomem or nic_dev is restricted. Restricted how? The fallback types have the resource_type attribute. Restricted if they are unlabeled. Neverallow rules are actually not present in the binary policy; they act as compile-time assertions in the policy build. Fine. The resource can be used only if it has been labeled using flask-label-pci command which needs to be rerun after every boot and after every policy reload. Try adding a module with the following rules, which should allow domU to use unlabeled devices: use_device(domU_t, irq_t) use_device(domU_t, ioport_t) use_device(domU_t, iomem_t) use_device(domU_t, device_t) Yes, it does work , but I have added these in delegate_device to make it restrict to the case where there is delegation. This prevents using delegate_devices without allowing access to unlabeled devices. If you think this should be a macro, I would suggest making a new one named something like "delegate_unlabeled_devices". Agreed. That's a better approach. I believe this macro can make the default policy more flexible and useful for more general audience, so it should be there in the policy. I can submit patch for the same. Your thoughts ? ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel
Re: [Xen-devel] default XSM policy for PCI passthrough for unlabeled resources.
On 07/06/2016 12:19 PM, anshul makkar wrote: On 06/07/16 16:59, Daniel De Graaf wrote: On 07/06/2016 11:34 AM, anshul makkar wrote: Hi, It allows the resource to be added and removed by the source domain to target domain, but its use by target domain is blocked. This rule only mandates the use of resource_type for resource types. If you are creating a new resource type, follow the example in nic_dev.te. Agreed, but inherently it means that "use" of any unlabeled resource be it irq, ioport or iomem or nic_dev is restricted. Restricted how? The fallback types have the resource_type attribute. Neverallow rules are actually not present in the binary policy; they act as compile-time assertions in the policy build. The resource can be used only if it has been labeled using flask-label-pci command which needs to be rerun after every boot and after every policy reload. Yes; this gives the most control over what resources can be delegated. Policy reloads are supposed to be rare (on a production system) and you already need special boot scripts (or parameters) to set up the device for passthrough, so this can be added there. However, I agree this can be more work than a "default" FLASK policy should require. Try adding a module with the following rules, which should allow domU to use unlabeled devices: use_device(domU_t, irq_t) use_device(domU_t, ioport_t) use_device(domU_t, iomem_t) use_device(domU_t, device_t) Yes, it does work , but I have added these in delegate_device to make it restrict to the case where there is delegation. This prevents using delegate_devices without allowing access to unlabeled devices. If you think this should be a macro, I would suggest making a new one named something like "delegate_unlabeled_devices". -- Daniel De Graaf National Security Agency ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel
Re: [Xen-devel] default XSM policy for PCI passthrough for unlabeled resources.
On 06/07/16 16:59, Daniel De Graaf wrote: On 07/06/2016 11:34 AM, anshul makkar wrote: Hi, It allows the resource to be added and removed by the source domain to target domain, but its use by target domain is blocked. This rule only mandates the use of resource_type for resource types. If you are creating a new resource type, follow the example in nic_dev.te. Agreed, but inherently it means that "use" of any unlabeled resource be it irq, ioport or iomem or nic_dev is restricted. The resource can be used only if it has been labeled using flask-label-pci command which needs to be rerun after every boot and after every policy reload. Yes; this gives the most control over what resources can be delegated. Policy reloads are supposed to be rare (on a production system) and you already need special boot scripts (or parameters) to set up the device for passthrough, so this can be added there. However, I agree this can be more work than a "default" FLASK policy should require. Try adding a module with the following rules, which should allow domU to use unlabeled devices: use_device(domU_t, irq_t) use_device(domU_t, ioport_t) use_device(domU_t, iomem_t) use_device(domU_t, device_t) Yes, it does work , but I have added these in delegate_device to make it restrict to the case where there is delegation. If this works, that module could be added to the default policy. Given that what we ship is just a sample default policy for reference which is expected to be permissive in most of the scenarios so that it doesn't affect the basic functionalities, is this "neverallow" rule needed ? Thanks Anshul Makkar The neverallow rules are just there to ensure that the attributes are being used correctly. Anshul ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel
Re: [Xen-devel] default XSM policy for PCI passthrough for unlabeled resources.
On 07/06/2016 11:34 AM, anshul makkar wrote: Hi, Default XSM policy doesn't allow the use of unlabeled PCI resources that have been passed through to target domain. xen.te # Resources must be declared using . resource_type neverallow * ~resource_type:resource use; It allows the resource to be added and removed by the source domain to target domain, but its use by target domain is blocked. This rule only mandates the use of resource_type for resource types. If you are creating a new resource type, follow the example in nic_dev.te. The resource can be used only if it has been labeled using flask-label-pci command which needs to be rerun after every boot and after every policy reload. Yes; this gives the most control over what resources can be delegated. Policy reloads are supposed to be rare (on a production system) and you already need special boot scripts (or parameters) to set up the device for passthrough, so this can be added there. However, I agree this can be more work than a "default" FLASK policy should require. The above approach reduces the flexibility and necessitates admin intervention to give passthrough rights after host has booted. Also, in general if I want to allow all domUs to have PCI passthough access to all PCI device, I have no other way apart from disabling the "neverallow" rule. Try adding a module with the following rules, which should allow domU to use unlabeled devices: use_device(domU_t, irq_t) use_device(domU_t, ioport_t) use_device(domU_t, iomem_t) use_device(domU_t, device_t) If this works, that module could be added to the default policy. Given that what we ship is just a sample default policy for reference which is expected to be permissive in most of the scenarios so that it doesn't affect the basic functionalities, is this "neverallow" rule needed ? Thanks Anshul Makkar The neverallow rules are just there to ensure that the attributes are being used correctly. -- Daniel De Graaf National Security Agency ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel
[Xen-devel] default XSM policy for PCI passthrough for unlabeled resources.
Hi, Default XSM policy doesn't allow the use of unlabeled PCI resources that have been passed through to target domain. xen.te # Resources must be declared using . resource_type neverallow * ~resource_type:resource use; It allows the resource to be added and removed by the source domain to target domain, but its use by target domain is blocked. The resource can be used only if it has been labeled using flask-label-pci command which needs to be rerun after every boot and after every policy reload. The above approach reduces the flexibility and necessitates admin intervention to give passthrough rights after host has booted. Also, in general if I want to allow all domUs to have PCI passthough access to all PCI device, I have no other way apart from disabling the "neverallow" rule. Given that what we ship is just a sample default policy for reference which is expected to be permissive in most of the scenarios so that it doesn't affect the basic functionalities, is this "neverallow" rule needed ? Thanks Anshul Makkar ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel