author | Dongxiao Xu <dongxiao.xu@intel.com> | 2014-10-06 12:29:16 +0200 |
---|---|---|
committer | Jan Beulich <jbeulich@suse.com> | 2014-10-06 12:29:16 +0200 |
commit | 2a5e086e0bd6729b4a25536b9f978dedf3be52de (patch) | |
tree | f52ee9ea613aa2fd64efab18a6f47d9dc4ae81d7 | |
parent | 443035c40ab6a0566133a55090532740c52d61d3 (diff) |
xsm: add resource operation related xsm policy
Add xsm policies for resource access related hypercall, such as MSR
access, port I/O read/write, and other related resource operations.
Signed-off-by: Dongxiao Xu <dongxiao.xu@intel.com>
Signed-off-by: Chao Peng <chao.p.peng@linux.intel.com>
Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Release-Acked-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
-rw-r--r-- | tools/flask/policy/policy/modules/xen/xen.te | 3 | ||||
-rw-r--r-- | xen/xsm/flask/hooks.c | 4 | ||||
-rw-r--r-- | xen/xsm/flask/policy/access_vectors | 14 | ||||
-rw-r--r-- | xen/xsm/flask/policy/security_classes | 1 |
4 files changed, 19 insertions, 3 deletions
diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te index 193788362f..6cecf977c7 100644 --- a/tools/flask/policy/policy/modules/xen/xen.te +++ b/tools/flask/policy/policy/modules/xen/xen.te @@ -64,6 +64,9 @@ allow dom0_t xen_t:xen { getidle debug getcpuinfo heap pm_op mca_op lockprof cpupool_op tmem_op tmem_control getscheduler setscheduler }; +allow dom0_t xen_t:xen2 { + resource_op +}; allow dom0_t xen_t:mmu memorymap; # Allow dom0 to use these domctls on itself. For domctls acting on other diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 8de5e49a4b..904aacf57d 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -1395,6 +1395,10 @@ static int flask_platform_op(uint32_t op) case XENPF_get_cpuinfo: return domain_has_xen(current->domain, XEN__GETCPUINFO); + case XENPF_resource_op: + return avc_current_has_perm(SECINITSID_XEN, SECCLASS_XEN2, + XEN2__RESOURCE_OP, NULL); + default: printk("flask_platform_op: Unknown op %d\n", op); return -EPERM; diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/access_vectors index d27984155c..daf0de599f 100644 --- a/xen/xsm/flask/policy/access_vectors +++ b/xen/xsm/flask/policy/access_vectors @@ -3,9 +3,9 @@ # # class class_name { permission_name ... } -# Class xen consists of dom0-only operations dealing with the hypervisor itself. -# Unless otherwise specified, the source is the domain executing the hypercall, -# and the target is the xen initial sid (type xen_t). +# Class xen and xen2 consists of dom0-only operations dealing with the +# hypervisor itself. Unless otherwise specified, the source is the domain +# executing the hypercall, and the target is the xen initial sid (type xen_t). class xen { # XENPF_settime 
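Review bot: The new `allow dom0_t xen_t:xen2 { resource_op };` rule carries no comment saying what the permission unlocks, although the commit message ties it to MSR access and port I/O. A line above the rule such as `# resource_op: XENPF_resource_op (MSR access, port I/O); grant only to the domain that manages the hardware` would help anyone deriving a tighter policy from this file. The three-line brace form is fine if more `xen2` permissions are expected; otherwise `allow dom0_t xen_t:xen2 resource_op;` would match the `mmu memorymap` rule on the following line.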
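Review bot: The added `XENPF_resource_op` case calls `avc_current_has_perm(SECINITSID_XEN, SECCLASS_XEN2, XEN2__RESOURCE_OP, NULL)` directly, while the neighbouring `XENPF_get_cpuinfo` case goes through `domain_has_xen(current->domain, ...)`, and nothing in the hunk explains the difference. Presumably `domain_has_xen()` is bound to class `xen` and cannot express a `xen2` permission; that helper is defined outside the hunk, so confirm before documenting it. A short comment on the new case, e.g. `/* resource_op lives in class xen2, so check it against the xen initial SID directly */`, would keep the next reader from "fixing" it back to the helper with the wrong class. If further `xen2` permissions are expected, a small wrapper for that class would keep the cases uniform. The body of `flask_platform_op` starts and ends outside the hunk.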
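Review bot: The reworded header comment in the first `access_vectors` hunk reads `Class xen and xen2 consists of`, which pairs a plural subject with a singular noun and verb. The comment for the domain classes, visible as context in the next hunk, uses `Classes domain and domain2 consist of`. Writing `# Classes xen and xen2 consist of dom0-only operations dealing with the` would keep the two descriptions in step.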
@@ -75,6 +75,14 @@ class xen setscheduler } +# This is a continuation of class xen, since only 32 permissions can be +# defined per class +class xen2 +{ +# XENPF_resource_op + resource_op +} + # Classes domain and domain2 consist of operations that a domain performs on # another domain or on itself. Unless otherwise specified, the source is the # domain executing the hypercall, and the target is the domain being operated on diff --git a/xen/xsm/flask/policy/security_classes b/xen/xsm/flask/policy/security_classes index ef134a7457..ca191dbc8b 100644 --- a/xen/xsm/flask/policy/security_classes +++ b/xen/xsm/flask/policy/security_classes @@ -8,6 +8,7 @@ # for userspace object managers class xen +class xen2 class domain class domain2 class hvm |
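Review bot: `resource_op` in the new `class xen2` is a single permission for the whole of `XENPF_resource_op`, so a policy cannot allow one kind of resource access while denying another. The commit message lists MSR access and port I/O read/write behind this hypercall, and those differ considerably in what they let the caller change. If the hypercall does multiplex reads and writes (its handler is not part of this diff), consider separate permissions, since `xen2` has spare bits. At minimum the comment should state the scope, e.g. `# XENPF_resource_op: gates every sub-operation (MSR access, port I/O); no per-operation check`.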
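Review bot: In `security_classes`, `class xen2` is inserted between `xen` and `domain` rather than appended to the list. If class values are assigned by position in this file, as is usual for Flask, that renumbers `domain`, `domain2`, `hvm` and every class after them. A policy binary built from the previous class list could then disagree with the class constants compiled into a hypervisor from this tree, and access checks would be evaluated against the wrong class. Either append new classes after the last existing entry, or state in the commit message and policy documentation that the policy must be rebuilt and reloaded together with the hypervisor. The class list continues past the end of the hunk.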