xen-devel.lists.xenproject.org archive mirror
 help / color / mirror / Atom feed
From: Daniel De Graaf <dgdegra@tycho.nsa.gov>
To: anshul makkar <anshul.makkar@citrix.com>, xen-devel@lists.xenproject.org
Cc: andrew.cooper3@citrix.com, cardoe@cardoe.com
Subject: Re: default XSM policy for PCI passthrough for unlabeled resources.
Date: Wed, 6 Jul 2016 11:59:05 -0400	[thread overview]
Message-ID: <6be3e7fc-f3c6-8c9c-39fb-0c1c1d9a4389@tycho.nsa.gov> (raw)
In-Reply-To: <577D24FE.6060004@citrix.com>

On 07/06/2016 11:34 AM, anshul makkar wrote:
> Hi,
> Default XSM policy doesn't allow the use of unlabeled PCI resources that have been passed through to target domain.
> xen.te
> # Resources must be declared using . resource_type
> neverallow * ~resource_type:resource use;
> It allows the resource to be added and removed by the source domain to target domain, but its use by target domain is blocked.

This rule only mandates the use of resource_type for resource types.  If you are creating a new resource type, follow the example in nic_dev.te.

> The resource can be used only if it has been labeled using flask-label-pci command which needs to be rerun after every boot and after every policy reload.

Yes; this gives the most control over what resources can be delegated.  Policy reloads are supposed to be rare (on a production system) and you already need special boot scripts (or parameters) to set up the device for passthrough, so this can be added there.  However, I agree this can be more work than a "default" FLASK policy should require.

> The above approach reduces the flexibility and necessitates admin intervention to give passthrough rights after host has booted. Also, in general if I want to allow all domUs to have PCI passthough access to all PCI device, I have no other way apart from disabling the "neverallow" rule.

Try adding a module with the following rules, which should allow domU to use unlabeled devices:

use_device(domU_t, irq_t)
use_device(domU_t, ioport_t)
use_device(domU_t, iomem_t)
use_device(domU_t, device_t)

If this works, that module could be added to the default policy.

> Given that what we ship is just a sample default policy for reference which is expected to be permissive in most of the scenarios so that it doesn't affect the basic functionalities, is this "neverallow" rule needed ?
> Thanks
> Anshul Makkar

The neverallow rules are just there to ensure that the attributes are being used correctly.

Daniel De Graaf
National Security Agency

Xen-devel mailing list

  reply	other threads:[~2016-07-06 15:59 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-05-23 15:05 [PATCH 0/5] flask/policy: Updates for Xen 4.8 Daniel De Graaf
2016-05-23 15:05 ` [PATCH 1/5] flask/policy: split into modules Daniel De Graaf
2016-06-07 19:22   ` Konrad Rzeszutek Wilk
2016-06-07 19:39     ` Daniel De Graaf
2016-06-07 19:57       ` Konrad Rzeszutek Wilk
2016-05-23 15:05 ` [PATCH 2/5] flask/policy: move user definitions and constraints " Daniel De Graaf
2016-06-07 19:37   ` Konrad Rzeszutek Wilk
2016-05-23 15:05 ` [PATCH 3/5] flask/policy: Remove unused support for binary modules Daniel De Graaf
2016-06-07 19:41   ` Konrad Rzeszutek Wilk
2016-05-23 15:05 ` [PATCH 4/5] flask/policy: xenstore stubdom policy Daniel De Graaf
2016-06-07 19:44   ` Konrad Rzeszutek Wilk
2016-06-07 19:48     ` Daniel De Graaf
2016-06-07 20:02       ` Konrad Rzeszutek Wilk
2016-07-06 15:34   ` default XSM policy for PCI passthrough for unlabeled resources anshul makkar
2016-07-06 15:59     ` Daniel De Graaf [this message]
2016-07-06 16:19       ` anshul makkar
2016-07-07 15:36         ` Daniel De Graaf
2016-07-07 16:29           ` anshul makkar
2016-05-23 15:05 ` [PATCH 5/5] flask/policy: comment out unused xenstore example Daniel De Graaf
2016-06-07 19:45   ` Konrad Rzeszutek Wilk
2016-06-07 19:51     ` Daniel De Graaf
2016-06-07 20:02       ` Konrad Rzeszutek Wilk
2016-06-07 20:04         ` Daniel De Graaf

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=6be3e7fc-f3c6-8c9c-39fb-0c1c1d9a4389@tycho.nsa.gov \
    --to=dgdegra@tycho.nsa.gov \
    --cc=andrew.cooper3@citrix.com \
    --cc=anshul.makkar@citrix.com \
    --cc=cardoe@cardoe.com \
    --cc=xen-devel@lists.xenproject.org \


* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).