From 537a7ad09076ca3c64d6a416fedc88eea1a8a083 Mon Sep 17 00:00:00 2001
From: Stephen Smalley
Date: Fri, 15 Jul 2016 14:49:18 +0000
Subject: [PATCH] xsm-policy: Define and allow v4v use permission where appropriate

The v4v use permission is now required in order to use any v4v hypercall interface. The permission is checked between the domain and itself since it is merely a usage control and there is no other object in view, unlike the send permission. Allow v4v use permission wherever we previously allowed v4v send except for guest HVMs. Comment out v4v send permission from the guesthvm domain since the v4v firewall no longer allows any v4v sends for regular guests. If specific derived products wish to allow regular guests to use v4v, they can uncomment those lines in guesthvm.te.

OXT-666

Signed-off-by: Stephen Smalley
(cherry picked from commit feb8a53bfcbe979dd3e3a6514a799627bf237f09)
---
 policy/flask/access_vectors | 1 +
 policy/modules/xen/dom0.if | 2 ++
 policy/modules/xen/dom0.te | 2 +-
 policy/modules/xen/guesthvm.te | 5 +++--
 policy/modules/xen/ndvm.if | 1 +
 policy/modules/xen/stubdom.if | 1 +
 policy/modules/xen/uivm.if | 18 +----------------
 7 files changed, 10 insertions(+), 20 deletions(-)

diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 4d0fb11..11a1a69 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -458,4 +458,5 @@ class security
 class v4v
 {
 send
+ use
 }
diff --git a/policy/modules/xen/dom0.if b/policy/modules/xen/dom0.if
index 3aca13d..15a62b0 100644
--- a/policy/modules/xen/dom0.if
+++ b/policy/modules/xen/dom0.if
@@ -104,6 +104,7 @@ interface(`dom0_send_v4v',`
 type dom0_t;
 ')
+ allow $1 self:v4v use;
 allow $1 dom0_t:v4v send;
 ')
 ########################################
@@ -122,6 +123,7 @@ interface(`dom0_recv_v4v',`
 type dom0_t;
 ')
+ allow dom0_t self:v4v use;
 allow dom0_t $1:v4v send;
 ')
 ########################################
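Review bot: In the `dom0_recv_v4v` hunk the new rule `allow dom0_t self:v4v use;` grants `use` only to dom0, not to the receiving domain `$1`; if setting up the receive side is itself a v4v hypercall, as the message's "required in order to use any v4v hypercall interface" suggests, a domain that calls only `dom0_recv_v4v` will be denied `use` on its own ring. Either add `allow $1 self:v4v use;` beside the existing `allow dom0_t $1:v4v send;`, or state in the interface header that callers must also invoke `dom0_send_v4v`. The same question applies to any `*_recv_v4v` interfaces in ndvm.if, stubdom.if and uivm.if, which this patch does not touch. The doc header of `dom0_recv_v4v` lies above the hunk.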
diff --git a/policy/modules/xen/dom0.te b/policy/modules/xen/dom0.te
index a749afc..88dfb3a 100644
--- a/policy/modules/xen/dom0.te
+++ b/policy/modules/xen/dom0.te
@@ -45,7 +45,7 @@ allow dom0_t self:domain2 { setscheduler iommu_map_batch iommu_x_mapping apertur
 allow dom0_t self:event { bind create };
 allow dom0_t self:resource { add remove setup };
-allow dom0_t self:v4v send;
+dom0_send_v4v(dom0_t)
 allow dom0_t evchn0-0_t:event send;
diff --git a/policy/modules/xen/guesthvm.te b/policy/modules/xen/guesthvm.te
index f9e4620..af6b36c 100644
--- a/policy/modules/xen/guesthvm.te
+++ b/policy/modules/xen/guesthvm.te
@@ -80,6 +80,7 @@ nilfvm_use(hvm_guest_t)
 dom0_copy_grant(hvm_guest_t)
 dom0_map_write_grant_guest(hvm_guest_t)
 dom0_pt_guest(hvm_guest_t)
-dom0_send_v4v(hvm_guest_t)
-dom0_recv_v4v(hvm_guest_t)
+# Uncomment these if you wish to allow guests to use v4v.
+#dom0_send_v4v(hvm_guest_t)
+#dom0_recv_v4v(hvm_guest_t)
 stubdom_ioemu(hvm_guest_t)
diff --git a/policy/modules/xen/ndvm.if b/policy/modules/xen/ndvm.if
index 94c4761..02948f3 100644
--- a/policy/modules/xen/ndvm.if
+++ b/policy/modules/xen/ndvm.if
@@ -88,6 +88,7 @@ interface(`ndvm_send_v4v',`
 type ndvm_t;
 ')
+ allow $1 self:v4v use;
 allow $1 ndvm_t:v4v send;
 ')
 ########################################
diff --git a/policy/modules/xen/stubdom.if b/policy/modules/xen/stubdom.if
index f2da469..4b955a2 100644
--- a/policy/modules/xen/stubdom.if
+++ b/policy/modules/xen/stubdom.if
@@ -129,6 +129,7 @@ interface(`stubdom_send_v4v',`
 type stubdom_t;
 ')
+ allow $1 self:v4v use;
 allow $1 stubdom_t:v4v send;
 ')
 ########################################
diff --git a/policy/modules/xen/uivm.if b/policy/modules/xen/uivm.if
index 89015ad..cd84670 100644
--- a/policy/modules/xen/uivm.if
+++ b/policy/modules/xen/uivm.if
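Review bot: Style: the dom0.te hunk replaces a direct rule with a call to the module's own interface, `dom0_send_v4v(dom0_t)`, which expands a `gen_require` for `dom0_t` inside the very module that declares it; refpolicy-derived trees generally keep a module's .te free of its own interfaces for that reason. Writing the rules out, `allow dom0_t self:v4v { send use };`, grants the same access and keeps dom0's self rules readable next to the neighbouring `self:event` and `self:resource` lines.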
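Review bot: The new comment in guesthvm.te says uncommenting the two lines allows guests to use v4v, but the commit message states the v4v firewall no longer permits sends from regular guests, so restoring the policy rules alone does not re-enable a working guest v4v path. Suggest `# Uncomment these to allow guests to use v4v; the v4v firewall must also be configured to permit guest traffic.` so derived products are not left with a half-enabled configuration. Keeping the lines commented rather than deleted is reasonable as a documented toggle.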
@@ -34,26 +34,10 @@ interface(`uivm_send_v4v',`
 type uivm_t;
 ')
+ allow $1 self:v4v use;
 allow $1 uivm_t:v4v send;
 ')
-########################################
-##
-## Allow the specified domain to
-## send data to the UIVM via v4v.
-##
-##
-##
-## Type of the domain allowe access.
-##
-##
-#
-interface(`uivm_send_v4v',`
- gen_require(`
- type uivm_t;
- ')
- allow $1 uivm_t:v4v send;
-')
 ########################################
 ##
 ## Allow the specified type to map write uivm grants.
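Review bot: The removed duplicate `uivm_send_v4v` block carries the typo `allowe access` in its parameter description; the retained definition's header sits above the hunk and, if it was copied from the same text, should read `Type of the domain allowed access.`. Because a later m4 define overrides an earlier one, dropping the second copy also changes which body callers expand, which is fine here only because the surviving body now grants the same `send` plus the new `use`.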