xsm-policy: Define and allow v4v use permission where appropriate

The v4v use permission is now required in order to use any v4v hypercall interface. The permission is checked between the domain and itself since it is merely a usage control and there is no other object in view, unlike the send permission. Allow v4v use permission wherever we previously allowed v4v send except for guest HVMs. Comment out v4v send permission from the guesthvm domain since the v4v firewall no longer allows any v4v sends for regular guests. If specific derived products wish to allow regular guests to use v4v, they can uncomment those lines in guesthvm.te. OXT-666 Signed-off-by: Stephen Smalley <[email protected]> (cherry picked from commit feb8a53)
OpenXT · Jul 27, 2016 · 537a7ad · 537a7ad
1 parent 8e11090
commit 537a7ad
Show file tree

Hide file tree

Showing 7 changed files with 10 additions and 20 deletions.
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
@@ -458,4 +458,5 @@ class security
 class v4v
 {
     send
+    use
 }
diff --git a/policy/modules/xen/dom0.if b/policy/modules/xen/dom0.if
@@ -104,6 +104,7 @@ interface(`dom0_send_v4v',`
 		type dom0_t;
 	')
 
+	allow $1 self:v4v use;
 	allow $1 dom0_t:v4v send;
 ')
 ########################################
@@ -122,6 +123,7 @@ interface(`dom0_recv_v4v',`
 		type dom0_t;
 	')
 
+	allow dom0_t self:v4v use;
 	allow dom0_t $1:v4v send;
 ')
 ########################################

diff --git a/policy/modules/xen/dom0.te b/policy/modules/xen/dom0.te
@@ -45,7 +45,7 @@ allow dom0_t self:domain2 { setscheduler iommu_map_batch iommu_x_mapping apertur
 
 allow dom0_t self:event { bind create };
 allow dom0_t self:resource { add remove setup };
-allow dom0_t self:v4v send;
+dom0_send_v4v(dom0_t)
 
 allow dom0_t evchn0-0_t:event send;
 

diff --git a/policy/modules/xen/guesthvm.te b/policy/modules/xen/guesthvm.te
@@ -80,6 +80,7 @@ nilfvm_use(hvm_guest_t)
 dom0_copy_grant(hvm_guest_t)
 dom0_map_write_grant_guest(hvm_guest_t)
 dom0_pt_guest(hvm_guest_t)
-dom0_send_v4v(hvm_guest_t)
-dom0_recv_v4v(hvm_guest_t)
+# Uncomment these if you wish to allow guests to use v4v.
+#dom0_send_v4v(hvm_guest_t)
+#dom0_recv_v4v(hvm_guest_t)
 stubdom_ioemu(hvm_guest_t)
diff --git a/policy/modules/xen/ndvm.if b/policy/modules/xen/ndvm.if
@@ -88,6 +88,7 @@ interface(`ndvm_send_v4v',`
 		type ndvm_t;
 	')
 
+	allow $1 self:v4v use;
 	allow $1 ndvm_t:v4v send;
 ')
 ########################################

diff --git a/policy/modules/xen/stubdom.if b/policy/modules/xen/stubdom.if
@@ -129,6 +129,7 @@ interface(`stubdom_send_v4v',`
 		type stubdom_t;
 	')
 
+	allow $1 self:v4v use;
 	allow $1 stubdom_t:v4v send;
 ')
 ########################################

diff --git a/policy/modules/xen/uivm.if b/policy/modules/xen/uivm.if
@@ -34,26 +34,10 @@ interface(`uivm_send_v4v',`
 		type uivm_t;
 	')
 
+	allow $1 self:v4v use;
 	allow $1 uivm_t:v4v send;
 ')
-########################################
-## <summary>
-##	Allow the specified domain to
-##	send data to the UIVM via v4v.
-## </summary>
-## <param name="type">
-##	<summary>
-##	Type of the domain allowe access.
-##	</summary>
-## </param>
-#
-interface(`uivm_send_v4v',`
-	gen_require(`
-		type uivm_t;
-	')
 
-	allow $1 uivm_t:v4v send;
-')
 ########################################
 ## <summary>
 ##	Allow the specified type to map write uivm grants.