* [PATCH v2 0/6] Assign a default SSID to guests
From: Ian Campbell @ 2015-05-19 13:44 UTC (permalink / raw)
  To: xen-devel; +Cc: ian.jackson, Daniel De Graaf, wei.liu2, Ian Campbell

This series replaces "libxl: assigned a default ssid_label (XSM label)
to guests" with a scheme which uses a new initialssid for domU as
discussed.

Daniel, one of the patches ("flask/policy: Add SECINITSID_DOMU as
default domU SSID") is from you and needs a S-o-b, please.

Tested with and without XSM enabled.

Ian.


* [PATCH v2 1/6] tools: Add AWK to set of tools checked for by configure
From: Ian Campbell @ 2015-05-19 13:44 UTC (permalink / raw)
  To: xen-devel; +Cc: ian.jackson, Daniel De Graaf, wei.liu2, Ian Campbell

We are going to need this to generate the userspace flask.h header.

Please rerun autogen.sh when committing.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
---
 config/Tools.mk.in |    1 +
 tools/configure.ac |    2 ++
 2 files changed, 3 insertions(+)

diff --git a/config/Tools.mk.in b/config/Tools.mk.in
index e7da99d..d67352e 100644
--- a/config/Tools.mk.in
+++ b/config/Tools.mk.in
@@ -23,6 +23,7 @@ AS86                := @AS86@
 LD86                := @LD86@
 BCC                 := @BCC@
 IASL                := @IASL@
+AWK                 := @AWK@
 FETCHER             := @FETCHER@
 SEABIOS_PATH        := @seabios_path@
 OVMF_PATH           := @ovmf_path@
diff --git a/tools/configure.ac b/tools/configure.ac
index d31c2f3..c975dfc 100644
--- a/tools/configure.ac
+++ b/tools/configure.ac
@@ -247,6 +247,7 @@ AC_ARG_VAR([AS86], [Path to as86 tool])
 AC_ARG_VAR([LD86], [Path to ld86 tool])
 AC_ARG_VAR([BCC], [Path to bcc tool])
 AC_ARG_VAR([IASL], [Path to iasl tool])
+AC_ARG_VAR([AWK], [Path to awk tool])
 
 # Checks for programs.
 AC_PROG_CC
@@ -255,6 +256,7 @@ AC_PROG_INSTALL
 AC_PATH_PROG([BISON], [bison])
 AC_PATH_PROG([FLEX], [flex])
 AX_PATH_PROG_OR_FAIL([PERL], [perl])
+AX_PATH_PROG_OR_FAIL([AWK], [awk])
 
 AC_PROG_OCAML
 AC_PROG_FINDLIB
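Review bot: AX_PATH_PROG_OR_FAIL([AWK], [awk]) turns a missing awk into a hard configure failure for the whole tools build, which is the right severity given that patch 4 generates flask.h regardless of XSM, but the commit message should say so. The hypervisor side Makefile (patch 2) passes its own $(AWK) to mkflask.sh, so the two builds are not guaranteed to resolve the same binary; that is harmless as long as mkflask.sh stays within POSIX awk, which is worth a sentence here.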
-- 
1.7.10.4


* [PATCH v2 2/6] xen: flask: Pass output directory as a parameter to mkflask.sh
From: Ian Campbell @ 2015-05-19 13:44 UTC (permalink / raw)
  To: xen-devel; +Cc: ian.jackson, Daniel De Graaf, wei.liu2, Ian Campbell

When called from the tools side in a later patch we will want to
direct its output to the appropriate place.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
---
 xen/xsm/flask/Makefile          |    2 +-
 xen/xsm/flask/policy/mkflask.sh |    9 ++++++---
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/xen/xsm/flask/Makefile b/xen/xsm/flask/Makefile
index 1256512..12fc3a9 100644
--- a/xen/xsm/flask/Makefile
+++ b/xen/xsm/flask/Makefile
@@ -22,7 +22,7 @@ ALL_H_FILES = $(FLASK_H_FILES) $(AV_H_FILES)
 $(obj-y) ss/built_in.o: $(ALL_H_FILES)
 
 $(FLASK_H_FILES): $(FLASK_H_DEPEND)
-	$(CONFIG_SHELL) policy/mkflask.sh $(AWK) $(FLASK_H_DEPEND)
+	$(CONFIG_SHELL) policy/mkflask.sh $(AWK) include $(FLASK_H_DEPEND)
 
 $(AV_H_FILES): $(AV_H_DEPEND)
 	$(CONFIG_SHELL) policy/mkaccess_vector.sh $(AWK) $(AV_H_DEPEND)
diff --git a/xen/xsm/flask/policy/mkflask.sh b/xen/xsm/flask/policy/mkflask.sh
index e8d8fb5..9e24020 100644
--- a/xen/xsm/flask/policy/mkflask.sh
+++ b/xen/xsm/flask/policy/mkflask.sh
@@ -8,10 +8,13 @@ set -e
 awk=$1
 shift 1
 
+output_dir=$1
+shift 1
+
 # output file
-output_file="include/flask.h"
-debug_file="include/class_to_string.h"
-debug_file2="include/initial_sid_to_string.h"
+output_file="$output_dir/flask.h"
+debug_file="$output_dir/class_to_string.h"
+debug_file2="$output_dir/initial_sid_to_string.h"
 
 cat $* | $awk "
 BEGIN	{
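Review bot: `output_dir=$1` followed by `shift 1` accepts the new positional argument without validating it, so a caller still using the old argument list has its first dependency file consumed as the output directory and silently dropped from `cat $*`; a `test -d "$output_dir"` (or a `$#` check) before the three assignments would make that a clear error instead of a truncated header. Quoting `"$output_dir/flask.h"` and the two debug paths is good; the later unquoted `cat $*` is pre-existing.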
-- 
1.7.10.4


* [PATCH v2 3/6] xen: flask: Restrict generated header to xen + tools
From: Ian Campbell @ 2015-05-19 13:44 UTC (permalink / raw)
  To: xen-devel; +Cc: ian.jackson, Daniel De Graaf, wei.liu2, Ian Campbell

This isn't strictly necessary but since it is going to be exposed via
tools/include in a later patch this will help prevent accidental
leakage beyond the tools.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
---
 xen/xsm/flask/policy/mkflask.sh |    2 ++
 1 file changed, 2 insertions(+)

diff --git a/xen/xsm/flask/policy/mkflask.sh b/xen/xsm/flask/policy/mkflask.sh
index 9e24020..989a323 100644
--- a/xen/xsm/flask/policy/mkflask.sh
+++ b/xen/xsm/flask/policy/mkflask.sh
@@ -28,6 +28,7 @@ BEGIN	{
 
 		printf("#ifndef _SELINUX_FLASK_H_\n") > outfile;
 		printf("#define _SELINUX_FLASK_H_\n") > outfile;
+		printf("\n#if defined(__XEN__) || defined(__XEN_TOOLS__)\n") > outfile;
 		printf("\n/*\n * Security object class definitions\n */\n") > outfile;
 		printf("/* This file is automatically generated.  Do not edit. */\n") > debugfile;
 		printf("/*\n * Security object class definitions\n */\n") > debugfile;
@@ -91,6 +92,7 @@ END	{
 		for (i = 0; i < 34; i++) 
 			printf(" ") > outfile; 
 		printf("%d\n", sid_value) > outfile; 
+		printf("\n#endif /* __XEN__ || __XEN_TOOLS__ */\n") > outfile;
 		printf("\n#endif\n") > outfile;
 		printf("};\n\n") > debugfile2;
 	}'
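Review bot: the `#if defined(__XEN__) || defined(__XEN_TOOLS__)` / `#endif /* __XEN__ || __XEN_TOOLS__ */` pair makes the header silently empty for any consumer lacking those defines, so the leakage the commit message wants to prevent only shows up as an undeclared SECINITSID_* at the point of use; an `#else` branch with `#error` would make the diagnostic self-explanatory, unless the other __XEN_TOOLS__-guarded headers deliberately stay silent and consistency wins. The comment on the closing `#endif` is helpful since the two `#endif`s now sit back to back.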
-- 
1.7.10.4


* [PATCH v2 4/6] tools: Expose XSM Flask initial SIDs list to tools
From: Ian Campbell @ 2015-05-19 13:44 UTC (permalink / raw)
  To: xen-devel; +Cc: ian.jackson, Daniel De Graaf, wei.liu2, Ian Campbell

By generating tools/include/xen-xsm/flask/flask.h using the same tool
as used during the hypervisor build.

Note that this is done regardless of whether XSM is enabled, since we
want the tools to be agnostic to whether or not XSM is enabled in the
hypervisor.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
---
 .gitignore             |    1 +
 tools/include/Makefile |   16 ++++++++++++++--
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/.gitignore b/.gitignore
index c6185a0..3bc9cd9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -147,6 +147,7 @@ tools/hotplug/Linux/xen-hotplug-common.sh
 tools/hotplug/Linux/xendomains
 tools/hotplug/NetBSD/rc.d/xencommons
 tools/include/xen/*
+tools/include/xen-xsm/*
 tools/include/xen-foreign/*.(c|h|size)
 tools/include/xen-foreign/checker
 tools/libxl/libxlu_cfg_y.output
diff --git a/tools/include/Makefile b/tools/include/Makefile
index 601f79c..869b3f3 100644
--- a/tools/include/Makefile
+++ b/tools/include/Makefile
@@ -1,8 +1,11 @@
 XEN_ROOT = $(CURDIR)/../..
 include $(XEN_ROOT)/tools/Rules.mk
 
+# Relative to $(XEN_ROOT)/xen/xsm/flask
+FLASK_H_DEPEND := policy/initial_sids
+
 .PHONY: all
-all: xen-foreign xen/.dir
+all: xen-foreign xen/.dir xen-xsm/.dir
 
 .PHONY: xen-foreign
 xen-foreign:
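Review bot: `FLASK_H_DEPEND := policy/initial_sids` duplicates the dependency list the hypervisor's xen/xsm/flask/Makefile already maintains for mkflask.sh; if the hypervisor side ever adds an input, this copy goes stale and the tools header stops being regenerated. Sourcing the value from one shared fragment, or at least a comment in the hypervisor Makefile pointing at this one, would keep the two in step.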
@@ -19,6 +22,15 @@ xen/.dir:
 	ln -s ../xen-foreign xen/foreign
 	touch $@
 
+# Not xen/xsm as that clashes with link to
+# $(XEN_ROOT)/xen/include/public/xsm above.
+xen-xsm/.dir: $(XEN_ROOT)/xen/xsm/flask/policy/mkflask.sh \
+	      $(patsubst %,$(XEN_ROOT)/xen/xsm/flask/%,$(FLASK_H_DEPEND))
+	mkdir -p xen-xsm/flask
+	cd $(XEN_ROOT)/xen/xsm/flask/ && \
+		$(SHELL) policy/mkflask.sh $(AWK) $(CURDIR)/xen-xsm/flask $(FLASK_H_DEPEND)
+	touch $@
+
 .PHONY: install
 install: all
 	$(INSTALL_DIR) $(DESTDIR)$(INCLUDEDIR)/xen/arch-x86
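Review bot: the recipe runs mkflask.sh under $(SHELL) whereas the hypervisor Makefile (patch 2) uses $(CONFIG_SHELL); aligning the two would guarantee both builds execute the script under the same shell. mkflask.sh also writes class_to_string.h and initial_sid_to_string.h next to flask.h, so three files land in xen-xsm/flask; the new .gitignore entry and the `rm -rf xen xen-xsm` in clean cover them, but only flask.h is needed by libxl, which a comment here could say.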
@@ -47,7 +59,7 @@ install: all
 
 .PHONY: clean
 clean:
-	rm -rf xen
+	rm -rf xen xen-xsm
 	$(MAKE) -C xen-foreign clean
 
 
-- 
1.7.10.4

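A constructed illustration, serving patch 3 (the __XEN__/__XEN_TOOLS__ guard) and patch 4 (generating flask.h from initial_sids on the tools side), of what the generated header carries and why SECINITSID_DOMU's value is positional; this is an added example, not Xen's mkflask.sh. The abridged sid list, the numbering from 1 and the comment layout are assumptions, and the generator goes beyond the page by also accepting the tools-side `sid name gen_context(...)` form.

```shell
#!/bin/sh
# Added example, not Xen's mkflask.sh: emit the SECINITSID_* block of a
# flask.h-style header from an initial_sids list and wrap it in the
# __XEN__/__XEN_TOOLS__ guard that patch 3 adds.
set -eu

# Constructed, abridged initial_sids in the hypervisor-side format
# (one "sid <name>" per line, '#' comments ignored).  Only names that
# appear in this series are used; the real Xen file has more entries,
# so the numbers produced here are for illustration only.
SAMPLE_INITIAL_SIDS='# FLASK
sid ioport
sid iomem
sid irq
sid device
sid domU
sid domDM
# FLASK'

# gen_flask_h: read sid lines from stdin and print the header body.
# SIDs are numbered from 1 in order of appearance (assumption about
# mkflask.sh), which is why the hypervisor and policy initial_sids
# files must be extended in the same order.  Tools-side lines of the
# form "sid name gen_context(...)" are accepted too: only the first
# word after "sid" counts.
gen_flask_h() {
    n=0
    printf '#ifndef _SELINUX_FLASK_H_\n#define _SELINUX_FLASK_H_\n'
    printf '\n#if defined(__XEN__) || defined(__XEN_TOOLS__)\n'
    printf '\n/*\n * Initial security identifiers\n */\n'
    while IFS= read -r line; do
        case "$line" in
            'sid '*) ;;          # an entry
            *) continue ;;       # comment, blank line or anything else
        esac
        name=${line#sid }
        name=${name%% *}         # drop a trailing gen_context(...) if any
        n=$((n + 1))
        upper=$(printf '%s' "$name" | tr 'a-z' 'A-Z')
        printf '#define SECINITSID_%-32s %d\n' "$upper" "$n"
    done
    printf '#define SECINITSID_%-32s %d\n' NUM "$n"
    printf '\n#endif /* __XEN__ || __XEN_TOOLS__ */\n'
    printf '\n#endif\n'
}

# sid_value NAME: the number the sample header assigns to SECINITSID_NAME
# (empty when undefined), i.e. what libxl_create.c would pick up via
# #include <xen-xsm/flask/flask.h>.
sid_value() {
    printf '%s\n' "$SAMPLE_INITIAL_SIDS" | gen_flask_h \
        | sed -n 's/^#define SECINITSID_'"$1"' *\([0-9][0-9]*\)$/\1/p'
}

# guarded_header: succeeds when every #define in the generated header sits
# inside the __XEN__/__XEN_TOOLS__ guard, fails otherwise.
guarded_header() {
    printf '%s\n' "$SAMPLE_INITIAL_SIDS" | gen_flask_h | {
        inside=0 bad=0
        while IFS= read -r line; do
            case "$line" in
                '#if defined(__XEN__)'*) inside=1 ;;
                '#endif /* __XEN__'*)    inside=0 ;;
                '#define SECINITSID_'*)  [ "$inside" = 1 ] || bad=1 ;;
            esac
        done
        [ "$bad" = 0 ]
    }
}

# Stand-alone use: print the sample header.
printf '%s\n' "$SAMPLE_INITIAL_SIDS" | gen_flask_h
```

Appending an entry to only one of the two initial_sids files, or inserting in the middle of one, would shift the numbers and silently mismatch the hypervisor's SID against the policy's context.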

* [PATCH v2 5/6] flask/policy: Add SECINITSID_DOMU as default domU SSID
From: Ian Campbell @ 2015-05-19 13:44 UTC (permalink / raw)
  To: xen-devel; +Cc: ian.jackson, Daniel De Graaf, wei.liu2

From: Daniel De Graaf <dgdegra@tycho.nsa.gov>

Acked-by: Ian Campbell <ian.campbell@citrix.com>
---
Daniel -- this is from your example patch in
<55552B0E.8050807@tycho.nsa.gov> and so needs your S-o-b, please.
---
 tools/flask/policy/policy/initial_sids |    1 +
 xen/xsm/flask/policy/initial_sids      |    1 +
 2 files changed, 2 insertions(+)

diff --git a/tools/flask/policy/policy/initial_sids b/tools/flask/policy/policy/initial_sids
index 5de0bbf..48aad17 100644
--- a/tools/flask/policy/policy/initial_sids
+++ b/tools/flask/policy/policy/initial_sids
@@ -12,3 +12,4 @@ sid irq gen_context(system_u:object_r:irq_t,s0)
 sid iomem gen_context(system_u:object_r:iomem_t,s0)
 sid ioport gen_context(system_u:object_r:ioport_t,s0)
 sid device gen_context(system_u:object_r:device_t,s0)
+sid domU gen_context(system_u:system_r:domU_t,s0)
diff --git a/xen/xsm/flask/policy/initial_sids b/xen/xsm/flask/policy/initial_sids
index e508bde..a442a38 100644
--- a/xen/xsm/flask/policy/initial_sids
+++ b/xen/xsm/flask/policy/initial_sids
@@ -13,4 +13,5 @@ sid ioport
 sid iomem
 sid irq
 sid device
+sid domU
 # FLASK
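Review bot: the number the generated header assigns to SECINITSID_DOMU depends on where `sid domU` sits in this list, so appending it at the end of both xen/xsm/flask/policy/initial_sids and tools/flask/policy/policy/initial_sids is what keeps the hypervisor's SID and the policy's system_u:system_r:domU_t context in agreement; any later insertion in the middle of one file has to be mirrored in the other, and a short comment above the sid list saying so would save the next contributor from a silent mismatch.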
-- 
1.7.10.4


* [PATCH v2 6/6] libxl: assign a default ssidref (XSM label) to guests
From: Ian Campbell @ 2015-05-19 13:44 UTC (permalink / raw)
  To: xen-devel; +Cc: ian.jackson, Daniel De Graaf, Wei.Liu2, Ian Campbell

We have now arranged for SECINITSID_DOMU to be defined (it corresponds
to system_u:system_r:domU_t in the default policy). Use it as the
default for the SSID of every domain.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Cc: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Cc: Wei.Liu2@citrix.com
---
v2: Set ssidref rather than label. It is no longer necessary to
    reorder things in libxl.c.
---
 tools/libxl/libxl_create.c |    5 +++++
 1 file changed, 5 insertions(+)

diff --git a/tools/libxl/libxl_create.c b/tools/libxl/libxl_create.c
index f0da7dc..c9b2fec 100644
--- a/tools/libxl/libxl_create.c
+++ b/tools/libxl/libxl_create.c
@@ -25,6 +25,8 @@
 #include <xen/hvm/hvm_info_table.h>
 #include <xen/hvm/e820.h>
 
+#include <xen-xsm/flask/flask.h>
+
 int libxl__domain_create_info_setdefault(libxl__gc *gc,
                                          libxl_domain_create_info *c_info)
 {
@@ -42,6 +44,9 @@ int libxl__domain_create_info_setdefault(libxl__gc *gc,
     libxl_defbool_setdefault(&c_info->run_hotplug_scripts, true);
     libxl_defbool_setdefault(&c_info->driver_domain, false);
 
+    if (!c_info->ssidref)
+        c_info->ssidref = SECINITSID_DOMU;
+
     return 0;
 }
 
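Review bot: `if (!c_info->ssidref)` relies on 0 never being a valid ssidref, which holds for Flask's initial SIDs (they are numbered from 1) but deserves a comment, since a caller explicitly asking for ssidref 0 is now indistinguishable from one that set nothing. The default is applied even when XSM is disabled in the hypervisor, which patch 4 argues is fine because the field is then ignored; stating that in this commit message would save readers having to cross-check.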
-- 
1.7.10.4


* Re: [PATCH v2 1/6] tools: Add AWK to set of tools checked for by configure
From: Wei Liu @ 2015-05-19 15:41 UTC (permalink / raw)
  To: Ian Campbell; +Cc: ian.jackson, Daniel De Graaf, wei.liu2, xen-devel

On Tue, May 19, 2015 at 02:44:33PM +0100, Ian Campbell wrote:
> We are going to need this to generate the userspace flask.h header.
> 
> Please rerun autogen.sh when committing.
> 
> Signed-off-by: Ian Campbell <ian.campbell@citrix.com>

Acked-by: Wei Liu <wei.liu2@citrix.com>

> ---
>  config/Tools.mk.in |    1 +
>  tools/configure.ac |    2 ++
>  2 files changed, 3 insertions(+)
> 
> diff --git a/config/Tools.mk.in b/config/Tools.mk.in
> index e7da99d..d67352e 100644
> --- a/config/Tools.mk.in
> +++ b/config/Tools.mk.in
> @@ -23,6 +23,7 @@ AS86                := @AS86@
>  LD86                := @LD86@
>  BCC                 := @BCC@
>  IASL                := @IASL@
> +AWK                 := @AWK@
>  FETCHER             := @FETCHER@
>  SEABIOS_PATH        := @seabios_path@
>  OVMF_PATH           := @ovmf_path@
> diff --git a/tools/configure.ac b/tools/configure.ac
> index d31c2f3..c975dfc 100644
> --- a/tools/configure.ac
> +++ b/tools/configure.ac
> @@ -247,6 +247,7 @@ AC_ARG_VAR([AS86], [Path to as86 tool])
>  AC_ARG_VAR([LD86], [Path to ld86 tool])
>  AC_ARG_VAR([BCC], [Path to bcc tool])
>  AC_ARG_VAR([IASL], [Path to iasl tool])
> +AC_ARG_VAR([AWK], [Path to awk tool])
>  
>  # Checks for programs.
>  AC_PROG_CC
> @@ -255,6 +256,7 @@ AC_PROG_INSTALL
>  AC_PATH_PROG([BISON], [bison])
>  AC_PATH_PROG([FLEX], [flex])
>  AX_PATH_PROG_OR_FAIL([PERL], [perl])
> +AX_PATH_PROG_OR_FAIL([AWK], [awk])
>  
>  AC_PROG_OCAML
>  AC_PROG_FINDLIB
> -- 
> 1.7.10.4


* Re: [PATCH v2 2/6] xen: flask: Pass output directory as a parameter to mkflask.sh
From: Wei Liu @ 2015-05-19 15:41 UTC (permalink / raw)
  To: Ian Campbell; +Cc: ian.jackson, Daniel De Graaf, wei.liu2, xen-devel

On Tue, May 19, 2015 at 02:44:34PM +0100, Ian Campbell wrote:
> When called from the tools side in a later patch we will want to
> direct its output to the appropriate place.
> 
> Signed-off-by: Ian Campbell <ian.campbell@citrix.com>

Acked-by: Wei Liu <wei.liu2@citrix.com>

> ---
>  xen/xsm/flask/Makefile          |    2 +-
>  xen/xsm/flask/policy/mkflask.sh |    9 ++++++---
>  2 files changed, 7 insertions(+), 4 deletions(-)
> 
> diff --git a/xen/xsm/flask/Makefile b/xen/xsm/flask/Makefile
> index 1256512..12fc3a9 100644
> --- a/xen/xsm/flask/Makefile
> +++ b/xen/xsm/flask/Makefile
> @@ -22,7 +22,7 @@ ALL_H_FILES = $(FLASK_H_FILES) $(AV_H_FILES)
>  $(obj-y) ss/built_in.o: $(ALL_H_FILES)
>  
>  $(FLASK_H_FILES): $(FLASK_H_DEPEND)
> -	$(CONFIG_SHELL) policy/mkflask.sh $(AWK) $(FLASK_H_DEPEND)
> +	$(CONFIG_SHELL) policy/mkflask.sh $(AWK) include $(FLASK_H_DEPEND)
>  
>  $(AV_H_FILES): $(AV_H_DEPEND)
>  	$(CONFIG_SHELL) policy/mkaccess_vector.sh $(AWK) $(AV_H_DEPEND)
> diff --git a/xen/xsm/flask/policy/mkflask.sh b/xen/xsm/flask/policy/mkflask.sh
> index e8d8fb5..9e24020 100644
> --- a/xen/xsm/flask/policy/mkflask.sh
> +++ b/xen/xsm/flask/policy/mkflask.sh
> @@ -8,10 +8,13 @@ set -e
>  awk=$1
>  shift 1
>  
> +output_dir=$1
> +shift 1
> +
>  # output file
> -output_file="include/flask.h"
> -debug_file="include/class_to_string.h"
> -debug_file2="include/initial_sid_to_string.h"
> +output_file="$output_dir/flask.h"
> +debug_file="$output_dir/class_to_string.h"
> +debug_file2="$output_dir/initial_sid_to_string.h"
>  
>  cat $* | $awk "
>  BEGIN	{
> -- 
> 1.7.10.4


* Re: [PATCH v2 3/6] xen: flask: Restrict generated header to xen + tools
From: Wei Liu @ 2015-05-19 15:44 UTC (permalink / raw)
  To: Ian Campbell; +Cc: ian.jackson, Daniel De Graaf, wei.liu2, xen-devel

On Tue, May 19, 2015 at 02:44:35PM +0100, Ian Campbell wrote:
> This isn't strictly necessary but since it is going to be exposed via
> tools/include in a later patch this will help prevent accidental
> leakage beyond the tools.
> 
> Signed-off-by: Ian Campbell <ian.campbell@citrix.com>

Acked-by: Wei Liu <wei.liu2@citrix.com>

> ---
>  xen/xsm/flask/policy/mkflask.sh |    2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/xen/xsm/flask/policy/mkflask.sh b/xen/xsm/flask/policy/mkflask.sh
> index 9e24020..989a323 100644
> --- a/xen/xsm/flask/policy/mkflask.sh
> +++ b/xen/xsm/flask/policy/mkflask.sh
> @@ -28,6 +28,7 @@ BEGIN	{
>  
>  		printf("#ifndef _SELINUX_FLASK_H_\n") > outfile;
>  		printf("#define _SELINUX_FLASK_H_\n") > outfile;
> +		printf("\n#if defined(__XEN__) || defined(__XEN_TOOLS__)\n") > outfile;
>  		printf("\n/*\n * Security object class definitions\n */\n") > outfile;
>  		printf("/* This file is automatically generated.  Do not edit. */\n") > debugfile;
>  		printf("/*\n * Security object class definitions\n */\n") > debugfile;
> @@ -91,6 +92,7 @@ END	{
>  		for (i = 0; i < 34; i++) 
>  			printf(" ") > outfile; 
>  		printf("%d\n", sid_value) > outfile; 
> +		printf("\n#endif /* __XEN__ || __XEN_TOOLS__ */\n") > outfile;
>  		printf("\n#endif\n") > outfile;
>  		printf("};\n\n") > debugfile2;
>  	}'
> -- 
> 1.7.10.4


* Re: [PATCH v2 4/6] tools: Expose XSM Flask initial SIDs list to tools
From: Wei Liu @ 2015-05-19 15:48 UTC (permalink / raw)
  To: Ian Campbell; +Cc: ian.jackson, Daniel De Graaf, wei.liu2, xen-devel

On Tue, May 19, 2015 at 02:44:36PM +0100, Ian Campbell wrote:
> By generating tools/include/xen-xsm/flask/flask.h using the same tool
> as used during the hypervisor build.
> 
> Note that this is done regardless of whether XSM is enabled, since we
> want the tools to be agnostic to whether or not XSM is enabled in the
> hypervisor
> 
> Signed-off-by: Ian Campbell <ian.campbell@citrix.com>

Acked-by: Wei Liu <wei.liu2@citrix.com>

> ---
>  .gitignore             |    1 +
>  tools/include/Makefile |   16 ++++++++++++++--
>  2 files changed, 15 insertions(+), 2 deletions(-)
> 
> diff --git a/.gitignore b/.gitignore
> index c6185a0..3bc9cd9 100644
> --- a/.gitignore
> +++ b/.gitignore
> @@ -147,6 +147,7 @@ tools/hotplug/Linux/xen-hotplug-common.sh
>  tools/hotplug/Linux/xendomains
>  tools/hotplug/NetBSD/rc.d/xencommons
>  tools/include/xen/*
> +tools/include/xen-xsm/*
>  tools/include/xen-foreign/*.(c|h|size)
>  tools/include/xen-foreign/checker
>  tools/libxl/libxlu_cfg_y.output
> diff --git a/tools/include/Makefile b/tools/include/Makefile
> index 601f79c..869b3f3 100644
> --- a/tools/include/Makefile
> +++ b/tools/include/Makefile
> @@ -1,8 +1,11 @@
>  XEN_ROOT = $(CURDIR)/../..
>  include $(XEN_ROOT)/tools/Rules.mk
>  
> +# Relative to $(XEN_ROOT)/xen/xsm/flask
> +FLASK_H_DEPEND := policy/initial_sids
> +
>  .PHONY: all
> -all: xen-foreign xen/.dir
> +all: xen-foreign xen/.dir xen-xsm/.dir
>  
>  .PHONY: xen-foreign
>  xen-foreign:
> @@ -19,6 +22,15 @@ xen/.dir:
>  	ln -s ../xen-foreign xen/foreign
>  	touch $@
>  
> +# Not xen/xsm as that clashes with link to
> +# $(XEN_ROOT)/xen/include/public/xsm above.
> +xen-xsm/.dir: $(XEN_ROOT)/xen/xsm/flask/policy/mkflask.sh \
> +	      $(patsubst %,$(XEN_ROOT)/xen/xsm/flask/%,$(FLASK_H_DEPEND))
> +	mkdir -p xen-xsm/flask
> +	cd $(XEN_ROOT)/xen/xsm/flask/ && \
> +		$(SHELL) policy/mkflask.sh $(AWK) $(CURDIR)/xen-xsm/flask $(FLASK_H_DEPEND)
> +	touch $@
> +
>  .PHONY: install
>  install: all
>  	$(INSTALL_DIR) $(DESTDIR)$(INCLUDEDIR)/xen/arch-x86
> @@ -47,7 +59,7 @@ install: all
>  
>  .PHONY: clean
>  clean:
> -	rm -rf xen
> +	rm -rf xen xen-xsm
>  	$(MAKE) -C xen-foreign clean
>  
>  
> -- 
> 1.7.10.4


* Re: [PATCH v2 6/6] libxl: assign a default ssidref (XSM label) to guests
From: Wei Liu @ 2015-05-19 15:54 UTC (permalink / raw)
  To: Ian Campbell; +Cc: ian.jackson, Daniel De Graaf, wei.liu2, xen-devel

On Tue, May 19, 2015 at 02:44:38PM +0100, Ian Campbell wrote:
> We have now arranged for SECINITSID_DOMU to be defined (it corresponds
> to system_u:system_r:domU_t in the default policy). Use it as the
> default for the SSID of every domain.
> 
> Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
> Cc: Daniel De Graaf <dgdegra@tycho.nsa.gov>
> Cc: Wei.Liu2@citrix.com
> ---
> v2: Set ssidref rather than label. It is no longer necessary to
>     reorder things in libxl.c.
> ---
>  tools/libxl/libxl_create.c |    5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/tools/libxl/libxl_create.c b/tools/libxl/libxl_create.c
> index f0da7dc..c9b2fec 100644
> --- a/tools/libxl/libxl_create.c
> +++ b/tools/libxl/libxl_create.c
> @@ -25,6 +25,8 @@
>  #include <xen/hvm/hvm_info_table.h>
>  #include <xen/hvm/e820.h>
>  
> +#include <xen-xsm/flask/flask.h>
> +
>  int libxl__domain_create_info_setdefault(libxl__gc *gc,
>                                           libxl_domain_create_info *c_info)
>  {
> @@ -42,6 +44,9 @@ int libxl__domain_create_info_setdefault(libxl__gc *gc,
>      libxl_defbool_setdefault(&c_info->run_hotplug_scripts, true);
>      libxl_defbool_setdefault(&c_info->driver_domain, false);
>  
> +    if (!c_info->ssidref)
> +        c_info->ssidref = SECINITSID_DOMU;
> +

Do we want to add SECINITSID_DM in previous patch and set
device_model_ssidref here?

Wei.

>      return 0;
>  }
>  
> -- 
> 1.7.10.4


* Re: [PATCH v2 6/6] libxl: assign a default ssidref (XSM label) to guests
From: Ian Campbell @ 2015-05-19 16:23 UTC (permalink / raw)
  To: Wei Liu; +Cc: Daniel De Graaf, ian.jackson, xen-devel

On Tue, 2015-05-19 at 16:54 +0100, Wei Liu wrote:

> > @@ -42,6 +44,9 @@ int libxl__domain_create_info_setdefault(libxl__gc *gc,
> >      libxl_defbool_setdefault(&c_info->run_hotplug_scripts, true);
> >      libxl_defbool_setdefault(&c_info->driver_domain, false);
> >  
> > +    if (!c_info->ssidref)
> > +        c_info->ssidref = SECINITSID_DOMU;
> > +
> 
> Do we want to add SECINITSID_DM in previous patch and set
> device_model_ssidref here?

Daniel proposed something which involved changes to the policy, so I was
deferring that change until after that.

The relevant bit of the previous thread is up until
<1431946593.4944.36.camel@citrix.com>.

Ian.


* Re: [PATCH v2 6/6] libxl: assign a default ssidref (XSM label) to guests
From: Wei Liu @ 2015-05-19 16:33 UTC (permalink / raw)
  To: Ian Campbell; +Cc: ian.jackson, Daniel De Graaf, Wei Liu, xen-devel

On Tue, May 19, 2015 at 05:23:21PM +0100, Ian Campbell wrote:
> On Tue, 2015-05-19 at 16:54 +0100, Wei Liu wrote:
> 
> > > @@ -42,6 +44,9 @@ int libxl__domain_create_info_setdefault(libxl__gc *gc,
> > >      libxl_defbool_setdefault(&c_info->run_hotplug_scripts, true);
> > >      libxl_defbool_setdefault(&c_info->driver_domain, false);
> > >  
> > > +    if (!c_info->ssidref)
> > > +        c_info->ssidref = SECINITSID_DOMU;
> > > +
> > 
> > Do we want to add SECINITSID_DM in previous patch and set
> > device_model_ssidref here?
> 
> Daniel proposed something which involved changes to the policy, so I was
> deferring that change until after that.
> 
> The relevant bit of the previous thread is up until
> <1431946593.4944.36.camel@citrix.com>.
> 

Right. I missed that one.

Acked-by: Wei Liu <wei.liu2@citrix.com>

Wei.

> Ian.


* Re: [PATCH v2 5/6] flask/policy: Add SECINITSID_DOMU as default domU SSID
From: Daniel De Graaf @ 2015-05-19 17:02 UTC (permalink / raw)
  To: Ian Campbell, xen-devel; +Cc: ian.jackson, wei.liu2

On 05/19/2015 09:44 AM, Ian Campbell wrote:
> From: Daniel De Graaf <dgdegra@tycho.nsa.gov>
>
> Acked-by: Ian Campbell <ian.campbell@citrix.com>
> ---
> Daniel -- this is from your example patch in
> <55552B0E.8050807@tycho.nsa.gov> and so needs your S-o-b, please.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>

Or you can apply the combined patch that I am also sending that adds
INITSIDs for both domU and domDM.


* [PATCH] flask/policy: add initial SIDs for domU/domDM
From: Daniel De Graaf @ 2015-05-19 17:02 UTC (permalink / raw)
  To: ian.campbell, xen-devel; +Cc: Daniel De Graaf, wei.liu2

Add default security contexts to the XSM policy for use by the toolstack
when a domain is created without specifying an explicit security label.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
---

 docs/misc/xsm-flask.txt                      |  6 +++---
 tools/flask/policy/policy/initial_sids       |  4 ++++
 tools/flask/policy/policy/modules/xen/xen.te | 11 +++--------
 xen/xsm/flask/policy/initial_sids            |  2 ++
 4 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/docs/misc/xsm-flask.txt b/docs/misc/xsm-flask.txt
index d63a8a7..7249f40 100644
--- a/docs/misc/xsm-flask.txt
+++ b/docs/misc/xsm-flask.txt
@@ -213,9 +213,9 @@ that can be used without dom0 disaggregation. The main types for domUs are:
  - nomigrate_t is a domain that must be created via the nomigrate_t_building
    type, and whose memory cannot be read by dom0 once created
 
-HVM domains with stubdomain device models use two types (one per domain):
- - domHVM_t is an HVM domain that uses a stubdomain device model
- - dm_dom_t is the device model for a domain with type domHVM_t
+HVM domains with stubdomain device models also need a type for the stub domain.
+The example policy defines dm_dom_t for the device model of a domU_t domain;
+there are no device model types defined for the other domU types.
 
 One disadvantage of using type enforcement to enforce isolation is that a new
 type is needed for each group of domains. The user field can be used to address
diff --git a/tools/flask/policy/policy/initial_sids b/tools/flask/policy/policy/initial_sids
index 5de0bbf..6b7b7ef 100644
--- a/tools/flask/policy/policy/initial_sids
+++ b/tools/flask/policy/policy/initial_sids
@@ -12,3 +12,7 @@ sid irq gen_context(system_u:object_r:irq_t,s0)
 sid iomem gen_context(system_u:object_r:iomem_t,s0)
 sid ioport gen_context(system_u:object_r:ioport_t,s0)
 sid device gen_context(system_u:object_r:device_t,s0)
+
+# Initial SIDs used by the toolstack for domains without defined labels
+sid domU gen_context(system_u:system_r:domU_t,s0)
+sid domDM gen_context(system_u:system_r:dm_dom_t,s0)
diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
index e555d11..ce70639 100644
--- a/tools/flask/policy/policy/modules/xen/xen.te
+++ b/tools/flask/policy/policy/modules/xen/xen.te
@@ -151,18 +151,13 @@ domain_comms(domU_t, prot_domU_t)
 domain_comms(prot_domU_t, prot_domU_t)
 domain_self_comms(prot_domU_t)
 
-# domHVM_t is meant to be paired with a qemu-dm stub domain of type dm_dom_t
-declare_domain(domHVM_t)
-create_domain(dom0_t, domHVM_t)
-manage_domain(dom0_t, domHVM_t)
-domain_comms(dom0_t, domHVM_t)
-domain_self_comms(domHVM_t)
-
+# Device model for domU_t.  You can define distinct types for device models for
+# domains of other types, or add more make_device_model lines for this type.
 declare_domain(dm_dom_t)
 create_domain(dom0_t, dm_dom_t)
 manage_domain(dom0_t, dm_dom_t)
 domain_comms(dom0_t, dm_dom_t)
-make_device_model(dom0_t, dm_dom_t, domHVM_t)
+make_device_model(dom0_t, dm_dom_t, domU_t)
 
 # nomigrate_t must be built via the nomigrate_t_building label; once built,
 # dom0 cannot read its memory.
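Review bot: dropping declare_domain(domHVM_t) together with its create/manage/comms rules removes a type that existing deployments may already reference as a seclabel in guest configs; the commit message should call out that such labels stop resolving once the updated example policy is loaded, and that the device model pairing is now make_device_model(dom0_t, dm_dom_t, domU_t) rather than domHVM_t. The new comment above dm_dom_t on how to add device model types for other domU types is a good replacement for the removed one.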
diff --git a/xen/xsm/flask/policy/initial_sids b/xen/xsm/flask/policy/initial_sids
index e508bde..7eca70d 100644
--- a/xen/xsm/flask/policy/initial_sids
+++ b/xen/xsm/flask/policy/initial_sids
@@ -13,4 +13,6 @@ sid ioport
 sid iomem
 sid irq
 sid device
+sid domU
+sid domDM
 # FLASK
-- 
2.1.0


* Re: [PATCH v2 5/6] flask/policy: Add SECINITSID_DOMU as default domU SSID
From: Ian Campbell @ 2015-05-19 18:19 UTC (permalink / raw)
  To: Daniel De Graaf; +Cc: wei.liu2, ian.jackson, xen-devel

On Tue, 2015-05-19 at 13:02 -0400, Daniel De Graaf wrote:
> On 05/19/2015 09:44 AM, Ian Campbell wrote:
> > From: Daniel De Graaf <dgdegra@tycho.nsa.gov>
> >
> > Acked-by: Ian Campbell <ian.campbell@citrix.com>
> > ---
> > Daniel -- this is from your example patch in
> > <55552B0E.8050807@tycho.nsa.gov> and so needs your S-o-b, please.
> 
> Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
> 
> Or you can apply the combined patch that I am also sending that adds
> INITSIDs for both domU and domDM.

I might as well do this and handle setting a default ssid for the
stubdom in the following patch in a v3 series at the same time.

Thanks!

Ian.


* Re: [PATCH v2 5/6] flask/policy: Add SECINITSID_DOMU as default domU SSID
From: Ian Campbell @ 2015-05-20  8:47 UTC (permalink / raw)
  To: Daniel De Graaf; +Cc: wei.liu2, ian.jackson, xen-devel

On Tue, 2015-05-19 at 13:02 -0400, Daniel De Graaf wrote:
> On 05/19/2015 09:44 AM, Ian Campbell wrote:
> > From: Daniel De Graaf <dgdegra@tycho.nsa.gov>
> >
> > Acked-by: Ian Campbell <ian.campbell@citrix.com>
> > ---
> > Daniel -- this is from your example patch in
> > <55552B0E.8050807@tycho.nsa.gov> and so needs your S-o-b, please.
> 
> Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>

Thanks. I think patches #2, #3 and #4 need your Ack too and I think it
would be useful if you could take a look at #6 (in the forthcoming v3
series) too if you have time.

Ian.

