[PATCH 1/3] flask/policy: updates from osstest runs

[PATCH 1/3] flask/policy: updates from osstest runs

[Daniel De Graaf]

Migration and HVM domain creation both trigger AVC denials that should
be allowed in the default policy; add these rules.

Guest console writes need to be either allowed or denied without audit
depending on the decision of the local administrator; introduce a policy
boolean to switch between these possibilities.

Reported-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
---
 tools/flask/policy/policy/modules/xen/xen.if |  2 ++
 tools/flask/policy/policy/modules/xen/xen.te | 10 ++++++++++
 2 files changed, 12 insertions(+)

diff --git a/tools/flask/policy/policy/modules/xen/xen.if b/tools/flask/policy/policy/modules/xen/xen.if
index 620d151..f4cde11 100644
--- a/tools/flask/policy/policy/modules/xen/xen.if
+++ b/tools/flask/policy/policy/modules/xen/xen.if
@@ -9,6 +9,7 @@ define(`declare_domain_common', `
 	allow $1 $2:grant { query setup };
 	allow $1 $2:mmu { adjust physmap map_read map_write stat pinpage updatemp mmuext_op };
 	allow $1 $2:hvm { getparam setparam };
+	allow $1 $2:domain2 get_vnumainfo;
 ')
 
 # declare_domain(type, attrs...)
@@ -95,6 +96,7 @@ define(`migrate_domain_out', `
 	allow $1 $2:mmu { stat pageinfo map_read };
 	allow $1 $2:domain { getaddrsize getvcpucontext getextvcpucontext getvcpuextstate pause destroy };
 	allow $1 $2:domain2 gettsc;
+	allow $1 $2:shadow { enable disable logdirty };
 ')
 
 ################################################################################
diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
index ce70639..51f59c5 100644
--- a/tools/flask/policy/policy/modules/xen/xen.te
+++ b/tools/flask/policy/policy/modules/xen/xen.te
@@ -117,6 +117,16 @@ domain_comms(dom0_t, dom0_t)
 # Allow all domains to use (unprivileged parts of) the tmem hypercall
 allow domain_type xen_t:xen tmem_op;
 
+# Allow guest console output to the serial console.  This is used by PV Linux
+# and stub domains for early boot output, so don't audit even when we deny it.
+# Without XSM, this is enabled only if the Xen was compiled in debug mode.
+gen_bool(guest_writeconsole, true)
+if (guest_writeconsole) {
+	allow domain_type xen_t : xen writeconsole;
+} else {
+	dontaudit domain_type xen_t : xen writeconsole;
+}
+
 ###############################################################################
 #
 # Domain creation
-- 
2.1.0

[PATCH 2/3] xen/flask: change bool_maxstr to PAGE_SIZE

[Daniel De Graaf]

When FLASK_{GET,SET}BOOL is called with a named boolean, the call to
flask_security_resolve_bool is made prior to bool_maxstr being populated
by flask_security_make_bools.  This results in the maximum string length
being specified as zero, which is not useful.  While it would be
possible to initialize bool_maxstr correctly prior to its use, it is
simpler to use a fixed maximum of PAGE_SIZE as is done for the other
calls to safe_copy_string_from_guest.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
---
 xen/xsm/flask/flask_op.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/xen/xsm/flask/flask_op.c b/xen/xsm/flask/flask_op.c
index 8dee021..f4f5dd1 100644
--- a/xen/xsm/flask/flask_op.c
+++ b/xen/xsm/flask/flask_op.c
@@ -55,7 +55,6 @@ static DEFINE_SPINLOCK(sel_sem);
 /* global data for booleans */
 static int bool_num = 0;
 static int *bool_pending_values = NULL;
-static size_t bool_maxstr;
 static int flask_security_make_bools(void);
 
 extern int ss_initialized;
@@ -318,7 +317,7 @@ static int flask_security_resolve_bool(struct xen_flask_boolean *arg)
     if ( arg->bool_id != -1 )
         return 0;
 
-    name = safe_copy_string_from_guest(arg->name, arg->size, bool_maxstr);
+    name = safe_copy_string_from_guest(arg->name, arg->size, PAGE_SIZE);
     if ( IS_ERR(name) )
         return PTR_ERR(name);
 
@@ -459,7 +458,7 @@ static int flask_security_make_bools(void)
     
     xfree(bool_pending_values);
     
-    ret = security_get_bools(&num, NULL, &values, &bool_maxstr);
+    ret = security_get_bools(&num, NULL, &values, NULL);
     if ( ret != 0 )
         goto out;
 
-- 
2.1.0

[PATCH 3/3] libxc: add missing xc_hypercall_bounce_pre calls

[Daniel De Graaf]

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
---
 tools/libxc/xc_flask.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/tools/libxc/xc_flask.c b/tools/libxc/xc_flask.c
index bb117f7..e24a2e7 100644
--- a/tools/libxc/xc_flask.c
+++ b/tools/libxc/xc_flask.c
@@ -191,6 +191,12 @@ int xc_flask_getbool_byname(xc_interface *xch, char *name, int *curr, int *pend)
     DECLARE_FLASK_OP;
     DECLARE_HYPERCALL_BOUNCE(name, strlen(name), XC_HYPERCALL_BUFFER_BOUNCE_IN);
 
+    if ( xc_hypercall_bounce_pre(xch, name) )
+    {
+        PERROR("Could not bounce memory for flask op hypercall");
+        return -1;
+    }
+
     op.cmd = FLASK_GETBOOL;
     op.u.boolean.bool_id = -1;
     op.u.boolean.size = strlen(name);
@@ -217,6 +223,12 @@ int xc_flask_setbool(xc_interface *xch, char *name, int value, int commit)
     DECLARE_FLASK_OP;
     DECLARE_HYPERCALL_BOUNCE(name, strlen(name), XC_HYPERCALL_BUFFER_BOUNCE_IN);
 
+    if ( xc_hypercall_bounce_pre(xch, name) )
+    {
+        PERROR("Could not bounce memory for flask op hypercall");
+        return -1;
+    }
+
     op.cmd = FLASK_SETBOOL;
     op.u.boolean.bool_id = -1;
     op.u.boolean.new_value = value;
-- 
2.1.0

Re: [PATCH 3/3] libxc: add missing xc_hypercall_bounce_pre calls

[Ian Campbell]

On Tue, 2015-05-26 at 14:13 -0400, Daniel De Graaf wrote:
> Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>

Acked-by: Ian Campbell <ian.campbell@citrix.com>

Re: [PATCH 1/3] flask/policy: updates from osstest runs

[Ian Campbell]

On Tue, 2015-05-26 at 14:13 -0400, Daniel De Graaf wrote:
> Migration and HVM domain creation both trigger AVC denials that should
> be allowed in the default policy; add these rules.
> 
> Guest console writes need to be either allowed or denied without audit
> depending on the decision of the local administrator; introduce a policy
> boolean to switch between these possibilities.
> 
> Reported-by: Wei Liu <wei.liu2@citrix.com>
> Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>

Acked-by: Ian Campbell <ian.campbell@citrix.com>

Re: [PATCH 2/3] xen/flask: change bool_maxstr to PAGE_SIZE

[Ian Campbell]

On Tue, 2015-05-26 at 14:13 -0400, Daniel De Graaf wrote:
> When FLASK_{GET,SET}BOOL is called with a named boolean, the call to
> flask_security_resolve_bool is made prior to bool_maxstr being populated
> by flask_security_make_bools.  This results in the maximum string length
> being specified as zero, which is not useful.  While it would be
> possible to initialize bool_maxstr correctly prior to its use, it is
> simpler to use a fixed maximum of PAGE_SIZE as is done for the other
> calls to safe_copy_string_from_guest.
> 
> Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>

Acked-by: Ian Campbell <ian.campbell@citrix.com>

Re: [PATCH 1/3] flask/policy: updates from osstest runs

[Ian Campbell]

On Wed, 2015-05-27 at 09:13 +0100, Ian Campbell wrote:
> On Tue, 2015-05-26 at 14:13 -0400, Daniel De Graaf wrote:
> > Migration and HVM domain creation both trigger AVC denials that should
> > be allowed in the default policy; add these rules.
> > 
> > Guest console writes need to be either allowed or denied without audit
> > depending on the decision of the local administrator; introduce a policy
> > boolean to switch between these possibilities.
> > 
> > Reported-by: Wei Liu <wei.liu2@citrix.com>
> > Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
> 
> Acked-by: Ian Campbell <ian.campbell@citrix.com>

and applied all 3.