From: sds@tycho.nsa.gov (Stephen Smalley)
Date: Thu, 10 Feb 2011 11:17:33 -0500
Subject: [refpolicy] [PATCH] Refine xen policy
Message-ID: <1297354653.31980.8.camel@moss-pluto>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Various changes to the Xen userspace policy, including: - Add gntdev and gntalloc device node labeling. - Create separate domains for blktap and qemu-dm rather than leaving them in xend_t. - No need to allow xen userspace to create its own device nodes anymore; this is handled automatically by the kernel/udev. - No need to allow xen userspace access to generic raw storage; even if using dedicated partitions/LVs for disk images, you can just label them with xen_image_t. The blktap and qemu-dm domains are stubs and will likely need to be further expanded, but they should definitely not be left in xend_t. Not sure if I should try to use qemu_domain_template() instead for qemu-dm, but I don't see any current users of that template (qemu_t uses virt_domain_template instead), and qemu-dm has specific interactions with Xen.
Signed-off-by: Stephen Smalley
---
 policy/modules/kernel/devices.fc | 2
 policy/modules/system/xen.fc | 5 +
 policy/modules/system/xen.te | 114 +++++++++++++++++++++++++++++++++------
 3 files changed, 104 insertions(+), 17 deletions(-)
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index 3b2da10..8ac94e4 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -173,6 +173,8 @@ ifdef(`distro_suse', `
 /dev/xen/blktap.* -c gen_context(system_u:object_r:xen_device_t,s0)
 /dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
+/dev/xen/gntdev -c gen_context(system_u:object_r:xen_device_t,s0)
+/dev/xen/gntalloc -c gen_context(system_u:object_r:xen_device_t,s0)
 /etc/udev/devices -d gen_context(system_u:object_r:device_t,s0)
diff --git a/policy/modules/system/xen.fc b/policy/modules/system/xen.fc
index 8c827f8..1872b74 100644
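Review bot: The two new grant-table nodes reuse xen_device_t, the same type already carried by evtchn and blktap.*, so every domain that xen.te grants dev_rw_xen — xend_t, xenconsoled_t, xenstored_t and the new qemu_dm_t and blktap_t — can open gntdev and gntalloc as a side effect of this labeling. That is presumably wanted for xend_t and qemu_dm_t; nothing in the patch shows that xenstored_t or xenconsoled_t need the grant devices, so the shared label is coarser than a dedicated type would be. If the shared type is deliberate for now, a comment above the two entries such as `# grant-table devices; shared xen_device_t label, reachable by all dev_rw_xen() callers` would record that choice for the next person who tightens it.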
--- a/policy/modules/system/xen.fc
+++ b/policy/modules/system/xen.fc
@@ -4,6 +4,11 @@
 /usr/sbin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0)
+/usr/sbin/blktapctrl -- gen_context(system_u:object_r:blktap_exec_t,s0)
+/usr/sbin/tapdisk -- gen_context(system_u:object_r:blktap_exec_t,s0)
+
+/usr/lib(64)?/xen/bin/qemu-dm -- gen_context(system_u:object_r:qemu_dm_exec_t,s0)
+
 ifdef(`distro_debian',`
 /usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
 /usr/lib/xen-[^/]*/bin/xend -- gen_context(system_u:object_r:xend_exec_t,s0)
diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
index f661f5a..e25619f 100644
--- a/policy/modules/system/xen.te
+++ b/policy/modules/system/xen.te
@@ -72,6 +72,7 @@ files_tmp_file(xenstored_tmp_t)
 # var/lib files
 type xenstored_var_lib_t;
 files_type(xenstored_var_lib_t)
+files_mountpoint(xenstored_var_lib_t)
 # log files
 type xenstored_var_log_t;
@@ -94,6 +95,38 @@ type xm_exec_t;
 domain_type(xm_t)
 init_system_domain(xm_t, xm_exec_t)
+##
+##
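Review bot: The qemu-dm entry is only added under `/usr/lib(64)?/xen/bin/`, while the `ifdef(`distro_debian',` block directly below labels xenconsoled and xend under the versioned `/usr/lib/xen-[^/]*/bin/` path and gets no qemu-dm line. On a Debian layout qemu-dm would then keep the generic lib label instead of qemu_dm_exec_t, so xend_t would never transition into qemu_dm_t and the new domain would be silently bypassed. Adding `/usr/lib/xen-[^/]*/bin/qemu-dm -- gen_context(system_u:object_r:qemu_dm_exec_t,s0)` inside the distro_debian block would close that gap; whether blktapctrl/tapdisk also live under the versioned path on Debian is not shown here and is worth checking at the same time.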

+## Allow xend to run qemu-dm.
+## Not required if using paravirt and no vfb.
+##

+##
+gen_tunable(xend_run_qemu, true)
+
+type qemu_dm_t;
+domain_type(qemu_dm_t)
+type qemu_dm_exec_t;
+files_type(qemu_dm_exec_t)
+domain_entry_file(qemu_dm_t, qemu_dm_exec_t)
+role system_r types qemu_dm_t;
+
+##
+##

+## Allow xend to run blktapctrl/tapdisk.
+## Not required if using dedicated logical volumes for disk images.
+##

+##
+gen_tunable(xend_run_blktap, true)
+
+type blktap_t;
+domain_type(blktap_t)
+role system_r types blktap_t;
+type blktap_exec_t;
+files_type(blktap_exec_t)
+domain_entry_file(blktap_t, blktap_exec_t)
+type blktap_var_run_t;
+files_pid_file(blktap_var_run_t)
+
 #######################################
 #
 # evtchnd local policy
@@ -113,7 +146,7 @@ files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir })
 # xend local policy
 #
-allow xend_t self:capability { mknod dac_override ipc_lock net_admin setuid sys_nice sys_ptrace sys_tty_config net_raw };
+allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config net_raw };
 dontaudit xend_t self:capability { sys_ptrace };
 allow xend_t self:process { signal sigkill };
 dontaudit xend_t self:process ptrace;
@@ -161,6 +194,12 @@ files_var_lib_filetrans(xend_t, xend_var_lib_t, { file dir })
 # transition to store
 domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t)
+# manage xenstored pid file
+manage_files_pattern(xend_t, xenstored_var_run_t, xenstored_var_run_t)
+
+# mount tmpfs on /var/lib/xenstored
+allow xend_t xenstored_var_lib_t:dir read;
+
 # transition to console
 domtrans_pattern(xend_t, xenconsoled_exec_t, xenconsoled_t)
@@ -193,12 +232,10 @@ corenet_sendrecv_soundd_server_packets(xend_t)
 corenet_rw_tun_tap_dev(xend_t)
 dev_read_urand(xend_t)
-dev_manage_xen(xend_t)
 dev_filetrans_xen(xend_t)
 dev_rw_sysfs(xend_t)
 dev_rw_xen(xend_t)
-domain_read_all_domains_state(xend_t)
 domain_dontaudit_read_all_domains_state(xend_t)
 domain_dontaudit_ptrace_all_domains(xend_t)
@@ -210,10 +247,6 @@ files_etc_filetrans_etc_runtime(xend_t, file)
 files_read_usr_files(xend_t)
 files_read_default_symlinks(xend_t)
-storage_raw_read_fixed_disk(xend_t)
-storage_raw_write_fixed_disk(xend_t)
-storage_raw_read_removable_device(xend_t)
-
 term_getattr_all_ptys(xend_t)
 term_use_generic_ptys(xend_t)
 term_use_ptmx(xend_t)
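Review bot: The new `allow xend_t self:capability` line at @@ -113 also drops sys_ptrace, and the @@ -193 hunk drops domain_read_all_domains_state(xend_t), but the commit message only explains the mknod and raw-storage removals. Both look intentional, since the matching `dontaudit xend_t self:capability { sys_ptrace };` and domain_dontaudit_read_all_domains_state(xend_t) lines are kept in context and only become meaningful once the allows are gone, but a reader of the log cannot tell that from the description. One added sentence such as "Also drop sys_ptrace and reading of all domains' state from xend_t; the existing dontaudit rules cover the remaining attempts." would keep the change from reading as accidental collateral.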
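Review bot: The comment `# mount tmpfs on /var/lib/xenstored` above `allow xend_t xenstored_var_lib_t:dir read;` at @@ -161 promises more than the rule grants: dir read only lets xend list the directory, and the mount itself presumably happens through mount_domtrans(xend_t) (visible in the @@ -228 context) combined with the files_mountpoint(xenstored_var_lib_t) added at @@ -72. Rewording it to `# read /var/lib/xenstored; the tmpfs mount is done via mount_t (see files_mountpoint() above)` would stop the next reader from looking for a mounton permission here or from widening this rule to make the comment true.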
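Review bot: dev_filetrans_xen(xend_t) stays in the @@ -193 context while the same patch removes dev_manage_xen(xend_t) here and mknod from xend_t's capabilities at @@ -113; if dev_filetrans_xen only supplies the type_transition for device nodes the domain creates itself, it is now dead policy for xend_t, and the same applies to dev_filetrans_xen(xenstored_t) at @@ -338 (mknod dropped at @@ -308) and dev_filetrans_xen(xenconsoled_t) at @@ -274 (dev_manage_xen replaced by dev_rw_xen). Since the description says node creation now belongs to the kernel/udev, the three calls should either be removed in this patch or carry a comment such as `# still needed for nodes created via dev_rw_xen (confirm)` explaining why the transition remains. xend_t's local policy continues past the end of each of these hunks.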
@@ -228,6 +261,7 @@ logging_send_syslog_msg(xend_t)
 lvm_domtrans(xend_t)
 miscfiles_read_localization(xend_t)
+miscfiles_read_hwdata(xend_t)
 mount_domtrans(xend_t)
@@ -274,7 +308,7 @@ kernel_read_kernel_sysctls(xenconsoled_t)
 kernel_write_xen_state(xenconsoled_t)
 kernel_read_xen_state(xenconsoled_t)
-dev_manage_xen(xenconsoled_t)
+dev_rw_xen(xenconsoled_t)
 dev_filetrans_xen(xenconsoled_t)
 dev_rw_sysfs(xenconsoled_t)
@@ -308,7 +342,7 @@ optional_policy(`
 # Xen store local policy
 #
-allow xenstored_t self:capability { dac_override mknod ipc_lock sys_resource };
+allow xenstored_t self:capability { dac_override ipc_lock sys_resource };
 allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
 allow xenstored_t self:unix_dgram_socket create_socket_perms;
@@ -338,20 +372,16 @@ stream_connect_pattern(xenstored_t, evtchnd_var_run_t, evtchnd_var_run_t, evtchn
 kernel_write_xen_state(xenstored_t)
 kernel_read_xen_state(xenstored_t)
-dev_create_generic_dirs(xenstored_t)
-dev_manage_xen(xenstored_t)
 dev_filetrans_xen(xenstored_t)
 dev_rw_xen(xenstored_t)
 dev_read_sysfs(xenstored_t)
+files_read_etc_files(xenstored_t)
+
 files_read_usr_files(xenstored_t)
 fs_manage_xenfs_files(xenstored_t)
-storage_raw_read_fixed_disk(xenstored_t)
-storage_raw_write_fixed_disk(xenstored_t)
-storage_raw_read_removable_device(xenstored_t)
-
 term_use_generic_ptys(xenstored_t)
 init_use_fds(xenstored_t)
@@ -411,8 +441,6 @@ fs_getattr_all_fs(xm_t)
 fs_manage_xenfs_dirs(xm_t)
 fs_manage_xenfs_files(xm_t)
-storage_raw_read_fixed_disk(xm_t)
-
 term_use_all_terms(xm_t)
 init_stream_connect_script(xm_t)
@@ -474,3 +502,55 @@ optional_policy(`
 unconfined_domain(xend_t)
 ')
 ')
+
+########################################
+#
+# qemu-dm local policy
+#
+# Do we need to allow execution of qemu-dm?
+tunable_policy(`xend_run_qemu',`
+ # If yes, transition to its own domain.
+ domtrans_pattern(xend_t, qemu_dm_exec_t, qemu_dm_t)
+ allow qemu_dm_t self:capability sys_resource;
+ allow qemu_dm_t self:process setrlimit;
+ allow qemu_dm_t self:fifo_file { read write };
+ allow qemu_dm_t self:tcp_socket create_stream_socket_perms;
+ rw_fifo_files_pattern(qemu_dm_t, xend_var_run_t, xend_var_run_t)
+ append_files_pattern(qemu_dm_t, xend_var_log_t, xend_var_log_t)
+ libs_use_ld_so(qemu_dm_t)
+ libs_use_shared_libs(qemu_dm_t)
+ files_read_etc_files(qemu_dm_t)
+ files_read_usr_files(qemu_dm_t)
+ miscfiles_read_localization(qemu_dm_t)
+ corenet_tcp_bind_generic_node(qemu_dm_t)
+ corenet_tcp_bind_vnc_port(qemu_dm_t)
+ dev_rw_xen(qemu_dm_t)
+ xen_stream_connect_xenstore(qemu_dm_t)
+ fs_manage_xenfs_dirs(qemu_dm_t)
+ fs_manage_xenfs_files(qemu_dm_t)
+',`
+ # If no, then silently refuse to run it.
+ dontaudit xend_t qemu_dm_exec_t:file { execute execute_no_trans };
+')
+
+########################################
+#
+# blktap local policy
+#
+# Do we need to allow execution of blktap?
+tunable_policy(`xend_run_blktap',`
+ # If yes, transition to its own domain.
+ domtrans_pattern(xend_t, blktap_exec_t, blktap_t)
+ allow blktap_t self:fifo_file { read write };
+ libs_use_ld_so(blktap_t)
+ libs_use_shared_libs(blktap_t)
+ miscfiles_read_localization(blktap_t)
+ files_read_etc_files(blktap_t)
+ dev_read_sysfs(blktap_t)
+ logging_send_syslog_msg(blktap_t)
+ dev_rw_xen(blktap_t)
+ xen_stream_connect_xenstore(blktap_t)
+',`
+ # If no, then silently refuse to run it.
+ dontaudit xend_t blktap_exec_t:file { execute execute_no_trans };
+')
-- Stephen Smalley National Security Agency
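Review bot: blktap_var_run_t is declared with files_pid_file() at @@ -94 but nothing in the xend_run_blktap branch uses it — blktap_t gets no manage_*_pattern on blktap_var_run_t and no files_pid_filetrans(), so any pid or socket file blktapctrl creates under /var/run would land in the directory's default type (or be denied) rather than in the new type. Either add `manage_files_pattern(blktap_t, blktap_var_run_t, blktap_var_run_t)` and `files_pid_filetrans(blktap_t, blktap_var_run_t, { file sock_file })` next to the other blktap_t rules, mirroring the evtchnd_var_run_t handling visible at @@ -113, or drop the type until the stub gains the rules that need it. In the qemu_dm_t branch, `allow qemu_dm_t self:tcp_socket create_stream_socket_perms;` plus corenet_tcp_bind_vnc_port() sets up a VNC listener but no corenet_tcp_sendrecv_* interface is granted, so depending on this refpolicy version's corenet rules the socket may bind and then be unable to pass traffic; if that is the intended "stub" state, a one-line comment saying so above the bind rules would save the next person an audit-log hunt. Both tunable blocks are complete within this hunk.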