2011-02-10 16:17:33

by Stephen Smalley

Subject: [refpolicy] [PATCH] Refine xen policy

Various changes to the Xen userspace policy, including:
- Add gntdev and gntalloc device node labeling.
- Create separate domains for blktap and qemu-dm rather than leaving them in xend_t.
- No need to allow xen userspace to create its own device nodes anymore;
this is handled automatically by the kernel/udev.
- No need to allow xen userspace access to generic raw storage; even if
using dedicated partitions/LVs for disk images, you can just label them
with xen_image_t.

The blktap and qemu-dm domains are stubs and will likely need to be
further expanded, but they should definitely not be left in xend_t. Not
sure if I should try to use qemu_domain_template() instead for qemu-dm,
but I don't see any current users of that template (qemu_t uses
virt_domain_template instead), and qemu-dm has specific interactions
with Xen.

Signed-off-by: Stephen Smalley <[email protected]>

---

policy/modules/kernel/devices.fc | 2
policy/modules/system/xen.fc | 5 +
policy/modules/system/xen.te | 114 +++++++++++++++++++++++++++++++++------
3 files changed, 104 insertions(+), 17 deletions(-)

diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index 3b2da10..8ac94e4 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -173,6 +173,8 @@ ifdef(`distro_suse', `

/dev/xen/blktap.* -c gen_context(system_u:object_r:xen_device_t,s0)
/dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
+/dev/xen/gntdev -c gen_context(system_u:object_r:xen_device_t,s0)
+/dev/xen/gntalloc -c gen_context(system_u:object_r:xen_device_t,s0)

/etc/udev/devices -d gen_context(system_u:object_r:device_t,s0)

diff --git a/policy/modules/system/xen.fc b/policy/modules/system/xen.fc
index 8c827f8..1872b74 100644
--- a/policy/modules/system/xen.fc
+++ b/policy/modules/system/xen.fc
@@ -4,6 +4,11 @@

/usr/sbin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0)

+/usr/sbin/blktapctrl -- gen_context(system_u:object_r:blktap_exec_t,s0)
+/usr/sbin/tapdisk -- gen_context(system_u:object_r:blktap_exec_t,s0)
+
+/usr/lib(64)?/xen/bin/qemu-dm -- gen_context(system_u:object_r:qemu_dm_exec_t,s0)
+
ifdef(`distro_debian',`
/usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
/usr/lib/xen-[^/]*/bin/xend -- gen_context(system_u:object_r:xend_exec_t,s0)
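Review bot: The new qemu-dm entry `/usr/lib(64)?/xen/bin/qemu-dm` sits outside the `distro_debian` block, whose existing entries use the `/usr/lib/xen-[^/]*/bin/` layout for xenconsoled and xend; if qemu-dm lives under the same versioned directory on Debian it would presumably not match and so never be labeled qemu_dm_exec_t, leaving the `xend_run_qemu` transition in xen.te unreachable and qemu-dm running in xend_t. Suggest adding `/usr/lib/xen-[^/]*/bin/qemu-dm -- gen_context(system_u:object_r:qemu_dm_exec_t,s0)` inside the ifdef once the Debian path is confirmed. The Debian block continues past the end of this hunk.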
diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
index f661f5a..e25619f 100644
--- a/policy/modules/system/xen.te
+++ b/policy/modules/system/xen.te
@@ -72,6 +72,7 @@ files_tmp_file(xenstored_tmp_t)
# var/lib files
type xenstored_var_lib_t;
files_type(xenstored_var_lib_t)
+files_mountpoint(xenstored_var_lib_t)

# log files
type xenstored_var_log_t;
@@ -94,6 +95,38 @@ type xm_exec_t;
domain_type(xm_t)
init_system_domain(xm_t, xm_exec_t)

+## <desc>
+## <p>
+## Allow xend to run qemu-dm.
+## Not required if using paravirt and no vfb.
+## </p>
+## </desc>
+gen_tunable(xend_run_qemu, true)
+
+type qemu_dm_t;
+domain_type(qemu_dm_t)
+type qemu_dm_exec_t;
+files_type(qemu_dm_exec_t)
+domain_entry_file(qemu_dm_t, qemu_dm_exec_t)
+role system_r types qemu_dm_t;
+
+## <desc>
+## <p>
+## Allow xend to run blktapctrl/tapdisk.
+## Not required if using dedicated logical volumes for disk images.
+## </p>
+## </desc>
+gen_tunable(xend_run_blktap, true)
+
+type blktap_t;
+domain_type(blktap_t)
+role system_r types blktap_t;
+type blktap_exec_t;
+files_type(blktap_exec_t)
+domain_entry_file(blktap_t, blktap_exec_t)
+type blktap_var_run_t;
+files_pid_file(blktap_var_run_t)
+
#######################################
#
# evtchnd local policy
@@ -113,7 +146,7 @@ files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir })
# xend local policy
#

-allow xend_t self:capability { mknod dac_override ipc_lock net_admin setuid sys_nice sys_ptrace sys_tty_config net_raw };
+allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config net_raw };
dontaudit xend_t self:capability { sys_ptrace };
allow xend_t self:process { signal sigkill };
dontaudit xend_t self:process ptrace;
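Review bot: Besides mknod, which the description covers, the rewritten capability line also drops sys_ptrace from the xend_t allow, so the `dontaudit xend_t self:capability { sys_ptrace };` immediately below, previously a no-op, now takes effect; the later hunk likewise removes domain_read_all_domains_state(xend_t) while keeping its dontaudit. Both are tightenings consistent with the rest of the patch, but neither is mentioned in the commit message, so anyone bisecting a new silent denial would not find them from the log. A line such as `- Drop sys_ptrace and read of all domain state from xend_t; the existing dontaudits remain.` in the description would cover it.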
@@ -161,6 +194,12 @@ files_var_lib_filetrans(xend_t, xend_var_lib_t, { file dir })
# transition to store
domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t)

+# manage xenstored pid file
+manage_files_pattern(xend_t, xenstored_var_run_t, xenstored_var_run_t)
+
+# mount tmpfs on /var/lib/xenstored
+allow xend_t xenstored_var_lib_t:dir read;
+
# transition to console
domtrans_pattern(xend_t, xenconsoled_exec_t, xenconsoled_t)
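Review bot: The comment `# mount tmpfs on /var/lib/xenstored` over `allow xend_t xenstored_var_lib_t:dir read;` promises more than the rule grants: read on the directory does not permit mounting on it, and the mount itself presumably happens in mount_t via the existing mount_domtrans(xend_t), with files_mountpoint(xenstored_var_lib_t) from the first hunk making the directory a legal mountpoint. Rewording to `# read /var/lib/xenstored; the tmpfs mount itself is done by mount_t via mount_domtrans` would stop the next reader from adding mounton here. Separately, manage_files_pattern on xenstored_var_run_t gives xend full create/write/unlink rights over xenstored's pid file; if the only need is clearing a stale pid file, delete_files_pattern would be the narrower rule — confirm against what xend actually does.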

@@ -193,12 +232,10 @@ corenet_sendrecv_soundd_server_packets(xend_t)
corenet_rw_tun_tap_dev(xend_t)

dev_read_urand(xend_t)
-dev_manage_xen(xend_t)
dev_filetrans_xen(xend_t)
dev_rw_sysfs(xend_t)
dev_rw_xen(xend_t)

-domain_read_all_domains_state(xend_t)
domain_dontaudit_read_all_domains_state(xend_t)
domain_dontaudit_ptrace_all_domains(xend_t)

@@ -210,10 +247,6 @@ files_etc_filetrans_etc_runtime(xend_t, file)
files_read_usr_files(xend_t)
files_read_default_symlinks(xend_t)

-storage_raw_read_fixed_disk(xend_t)
-storage_raw_write_fixed_disk(xend_t)
-storage_raw_read_removable_device(xend_t)
-
term_getattr_all_ptys(xend_t)
term_use_generic_ptys(xend_t)
term_use_ptmx(xend_t)
@@ -228,6 +261,7 @@ logging_send_syslog_msg(xend_t)
lvm_domtrans(xend_t)

miscfiles_read_localization(xend_t)
+miscfiles_read_hwdata(xend_t)

mount_domtrans(xend_t)

@@ -274,7 +308,7 @@ kernel_read_kernel_sysctls(xenconsoled_t)
kernel_write_xen_state(xenconsoled_t)
kernel_read_xen_state(xenconsoled_t)

-dev_manage_xen(xenconsoled_t)
+dev_rw_xen(xenconsoled_t)
dev_filetrans_xen(xenconsoled_t)
dev_rw_sysfs(xenconsoled_t)

@@ -308,7 +342,7 @@ optional_policy(`
# Xen store local policy
#

-allow xenstored_t self:capability { dac_override mknod ipc_lock sys_resource };
+allow xenstored_t self:capability { dac_override ipc_lock sys_resource };
allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
allow xenstored_t self:unix_dgram_socket create_socket_perms;

@@ -338,20 +372,16 @@ stream_connect_pattern(xenstored_t, evtchnd_var_run_t, evtchnd_var_run_t, evtchn
kernel_write_xen_state(xenstored_t)
kernel_read_xen_state(xenstored_t)

-dev_create_generic_dirs(xenstored_t)
-dev_manage_xen(xenstored_t)
dev_filetrans_xen(xenstored_t)
dev_rw_xen(xenstored_t)
dev_read_sysfs(xenstored_t)

+files_read_etc_files(xenstored_t)
+
files_read_usr_files(xenstored_t)

fs_manage_xenfs_files(xenstored_t)

-storage_raw_read_fixed_disk(xenstored_t)
-storage_raw_write_fixed_disk(xenstored_t)
-storage_raw_read_removable_device(xenstored_t)
-
term_use_generic_ptys(xenstored_t)

init_use_fds(xenstored_t)
@@ -411,8 +441,6 @@ fs_getattr_all_fs(xm_t)
fs_manage_xenfs_dirs(xm_t)
fs_manage_xenfs_files(xm_t)

-storage_raw_read_fixed_disk(xm_t)
-
term_use_all_terms(xm_t)

init_stream_connect_script(xm_t)
@@ -474,3 +502,55 @@ optional_policy(`
unconfined_domain(xend_t)
')
')
+
+########################################
+#
+# qemu-dm local policy
+#
+# Do we need to allow execution of qemu-dm?
+tunable_policy(`xend_run_qemu',`
+ # If yes, transition to its own domain.
+ domtrans_pattern(xend_t, qemu_dm_exec_t, qemu_dm_t)
+ allow qemu_dm_t self:capability sys_resource;
+ allow qemu_dm_t self:process setrlimit;
+ allow qemu_dm_t self:fifo_file { read write };
+ allow qemu_dm_t self:tcp_socket create_stream_socket_perms;
+ rw_fifo_files_pattern(qemu_dm_t, xend_var_run_t, xend_var_run_t)
+ append_files_pattern(qemu_dm_t, xend_var_log_t, xend_var_log_t)
+ libs_use_ld_so(qemu_dm_t)
+ libs_use_shared_libs(qemu_dm_t)
+ files_read_etc_files(qemu_dm_t)
+ files_read_usr_files(qemu_dm_t)
+ miscfiles_read_localization(qemu_dm_t)
+ corenet_tcp_bind_generic_node(qemu_dm_t)
+ corenet_tcp_bind_vnc_port(qemu_dm_t)
+ dev_rw_xen(qemu_dm_t)
+ xen_stream_connect_xenstore(qemu_dm_t)
+ fs_manage_xenfs_dirs(qemu_dm_t)
+ fs_manage_xenfs_files(qemu_dm_t)
+',`
+ # If no, then silently refuse to run it.
+ dontaudit xend_t qemu_dm_exec_t:file { execute execute_no_trans };
+')
+
+########################################
+#
+# blktap local policy
+#
+# Do we need to allow execution of blktap?
+tunable_policy(`xend_run_blktap',`
+ # If yes, transition to its own domain.
+ domtrans_pattern(xend_t, blktap_exec_t, blktap_t)
+ allow blktap_t self:fifo_file { read write };
+ libs_use_ld_so(blktap_t)
+ libs_use_shared_libs(blktap_t)
+ miscfiles_read_localization(blktap_t)
+ files_read_etc_files(blktap_t)
+ dev_read_sysfs(blktap_t)
+ logging_send_syslog_msg(blktap_t)
+ dev_rw_xen(blktap_t)
+ xen_stream_connect_xenstore(blktap_t)
+',`
+ # If no, then silently refuse to run it.
+ dontaudit xend_t blktap_exec_t:file { execute execute_no_trans };
+')
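Review bot: blktap_var_run_t is declared with files_pid_file in the declarations hunk, but nothing in the blktap block here (nor in xen.fc) uses it: there is no manage_files_pattern or files_pid_filetrans giving blktap_t a way to create files of that type, so the type is dead and any pid file blktapctrl writes would presumably land in var_run_t. Either add `manage_files_pattern(blktap_t, blktap_var_run_t, blktap_var_run_t)` and `files_pid_filetrans(blktap_t, blktap_var_run_t, file)` with a matching xen.fc entry, or drop the type until it is needed. Separately, qemu_dm_t gets bind rights on the VNC port but no corenet_tcp_sendrecv_generic_if/node rules, and neither new domain gets any access to xen_image_t; given the author calls these stubs that may be intentional, but a `# TODO:` comment above each block naming what is still missing would make the gap explicit rather than discoverable only through denials.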

--
Stephen Smalley
National Security Agency


2011-02-15 18:58:15

by cpebenito

Subject: [refpolicy] [PATCH] Refine xen policy

On 2/10/2011 11:17 AM, Stephen Smalley wrote:
> Various changes to the Xen userspace policy, including:
> - Add gntdev and gntalloc device node labeling.
> - Create separate domains for blktap and qemu-dm rather than leaving them in xend_t.
> - No need to allow xen userspace to create its own device nodes anymore;
> this is handled automatically by the kernel/udev.
> - No need to allow xen userspace access to generic raw storage; even if
> using dedicated partitions/LVs for disk images, you can just label them
> with xen_image_t.
>
> The blktap and qemu-dm domains are stubs and will likely need to be
> further expanded, but they should definitely not be left in xend_t. Not
> sure if I should try to use qemu_domain_template() instead for qemu-dm,
> but I don't see any current users of that template (qemu_t uses
> virt_domain_template instead), and qemu-dm has specific interactions
> with Xen.

Merged. I made a few rearrangements.

> Signed-off-by: Stephen Smalley<[email protected]>
>
> ---
>
> policy/modules/kernel/devices.fc | 2
> policy/modules/system/xen.fc | 5 +
> policy/modules/system/xen.te | 114 +++++++++++++++++++++++++++++++++------
> 3 files changed, 104 insertions(+), 17 deletions(-)
>
> diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
> index 3b2da10..8ac94e4 100644
> --- a/policy/modules/kernel/devices.fc
> +++ b/policy/modules/kernel/devices.fc
> @@ -173,6 +173,8 @@ ifdef(`distro_suse', `
>
> /dev/xen/blktap.* -c gen_context(system_u:object_r:xen_device_t,s0)
> /dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
> +/dev/xen/gntdev -c gen_context(system_u:object_r:xen_device_t,s0)
> +/dev/xen/gntalloc -c gen_context(system_u:object_r:xen_device_t,s0)
>
> /etc/udev/devices -d gen_context(system_u:object_r:device_t,s0)
>
> diff --git a/policy/modules/system/xen.fc b/policy/modules/system/xen.fc
> index 8c827f8..1872b74 100644
> --- a/policy/modules/system/xen.fc
> +++ b/policy/modules/system/xen.fc
> @@ -4,6 +4,11 @@
>
> /usr/sbin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0)
>
> +/usr/sbin/blktapctrl -- gen_context(system_u:object_r:blktap_exec_t,s0)
> +/usr/sbin/tapdisk -- gen_context(system_u:object_r:blktap_exec_t,s0)
> +
> +/usr/lib(64)?/xen/bin/qemu-dm -- gen_context(system_u:object_r:qemu_dm_exec_t,s0)
> +
> ifdef(`distro_debian',`
> /usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
> /usr/lib/xen-[^/]*/bin/xend -- gen_context(system_u:object_r:xend_exec_t,s0)
> diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
> index f661f5a..e25619f 100644
> --- a/policy/modules/system/xen.te
> +++ b/policy/modules/system/xen.te
> @@ -72,6 +72,7 @@ files_tmp_file(xenstored_tmp_t)
> # var/lib files
> type xenstored_var_lib_t;
> files_type(xenstored_var_lib_t)
> +files_mountpoint(xenstored_var_lib_t)
>
> # log files
> type xenstored_var_log_t;
> @@ -94,6 +95,38 @@ type xm_exec_t;
> domain_type(xm_t)
> init_system_domain(xm_t, xm_exec_t)
>
> +##<desc>
> +##<p>
> +## Allow xend to run qemu-dm.
> +## Not required if using paravirt and no vfb.
> +##</p>
> +##</desc>
> +gen_tunable(xend_run_qemu, true)
> +
> +type qemu_dm_t;
> +domain_type(qemu_dm_t)
> +type qemu_dm_exec_t;
> +files_type(qemu_dm_exec_t)
> +domain_entry_file(qemu_dm_t, qemu_dm_exec_t)
> +role system_r types qemu_dm_t;
> +
> +##<desc>
> +##<p>
> +## Allow xend to run blktapctrl/tapdisk.
> +## Not required if using dedicated logical volumes for disk images.
> +##</p>
> +##</desc>
> +gen_tunable(xend_run_blktap, true)
> +
> +type blktap_t;
> +domain_type(blktap_t)
> +role system_r types blktap_t;
> +type blktap_exec_t;
> +files_type(blktap_exec_t)
> +domain_entry_file(blktap_t, blktap_exec_t)
> +type blktap_var_run_t;
> +files_pid_file(blktap_var_run_t)
> +
> #######################################
> #
> # evtchnd local policy
> @@ -113,7 +146,7 @@ files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir })
> # xend local policy
> #
>
> -allow xend_t self:capability { mknod dac_override ipc_lock net_admin setuid sys_nice sys_ptrace sys_tty_config net_raw };
> +allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config net_raw };
> dontaudit xend_t self:capability { sys_ptrace };
> allow xend_t self:process { signal sigkill };
> dontaudit xend_t self:process ptrace;
> @@ -161,6 +194,12 @@ files_var_lib_filetrans(xend_t, xend_var_lib_t, { file dir })
> # transition to store
> domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t)
>
> +# manage xenstored pid file
> +manage_files_pattern(xend_t, xenstored_var_run_t, xenstored_var_run_t)
> +
> +# mount tmpfs on /var/lib/xenstored
> +allow xend_t xenstored_var_lib_t:dir read;
> +
> # transition to console
> domtrans_pattern(xend_t, xenconsoled_exec_t, xenconsoled_t)
>
> @@ -193,12 +232,10 @@ corenet_sendrecv_soundd_server_packets(xend_t)
> corenet_rw_tun_tap_dev(xend_t)
>
> dev_read_urand(xend_t)
> -dev_manage_xen(xend_t)
> dev_filetrans_xen(xend_t)
> dev_rw_sysfs(xend_t)
> dev_rw_xen(xend_t)
>
> -domain_read_all_domains_state(xend_t)
> domain_dontaudit_read_all_domains_state(xend_t)
> domain_dontaudit_ptrace_all_domains(xend_t)
>
> @@ -210,10 +247,6 @@ files_etc_filetrans_etc_runtime(xend_t, file)
> files_read_usr_files(xend_t)
> files_read_default_symlinks(xend_t)
>
> -storage_raw_read_fixed_disk(xend_t)
> -storage_raw_write_fixed_disk(xend_t)
> -storage_raw_read_removable_device(xend_t)
> -
> term_getattr_all_ptys(xend_t)
> term_use_generic_ptys(xend_t)
> term_use_ptmx(xend_t)
> @@ -228,6 +261,7 @@ logging_send_syslog_msg(xend_t)
> lvm_domtrans(xend_t)
>
> miscfiles_read_localization(xend_t)
> +miscfiles_read_hwdata(xend_t)
>
> mount_domtrans(xend_t)
>
> @@ -274,7 +308,7 @@ kernel_read_kernel_sysctls(xenconsoled_t)
> kernel_write_xen_state(xenconsoled_t)
> kernel_read_xen_state(xenconsoled_t)
>
> -dev_manage_xen(xenconsoled_t)
> +dev_rw_xen(xenconsoled_t)
> dev_filetrans_xen(xenconsoled_t)
> dev_rw_sysfs(xenconsoled_t)
>
> @@ -308,7 +342,7 @@ optional_policy(`
> # Xen store local policy
> #
>
> -allow xenstored_t self:capability { dac_override mknod ipc_lock sys_resource };
> +allow xenstored_t self:capability { dac_override ipc_lock sys_resource };
> allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
> allow xenstored_t self:unix_dgram_socket create_socket_perms;
>
> @@ -338,20 +372,16 @@ stream_connect_pattern(xenstored_t, evtchnd_var_run_t, evtchnd_var_run_t, evtchn
> kernel_write_xen_state(xenstored_t)
> kernel_read_xen_state(xenstored_t)
>
> -dev_create_generic_dirs(xenstored_t)
> -dev_manage_xen(xenstored_t)
> dev_filetrans_xen(xenstored_t)
> dev_rw_xen(xenstored_t)
> dev_read_sysfs(xenstored_t)
>
> +files_read_etc_files(xenstored_t)
> +
> files_read_usr_files(xenstored_t)
>
> fs_manage_xenfs_files(xenstored_t)
>
> -storage_raw_read_fixed_disk(xenstored_t)
> -storage_raw_write_fixed_disk(xenstored_t)
> -storage_raw_read_removable_device(xenstored_t)
> -
> term_use_generic_ptys(xenstored_t)
>
> init_use_fds(xenstored_t)
> @@ -411,8 +441,6 @@ fs_getattr_all_fs(xm_t)
> fs_manage_xenfs_dirs(xm_t)
> fs_manage_xenfs_files(xm_t)
>
> -storage_raw_read_fixed_disk(xm_t)
> -
> term_use_all_terms(xm_t)
>
> init_stream_connect_script(xm_t)
> @@ -474,3 +502,55 @@ optional_policy(`
> unconfined_domain(xend_t)
> ')
> ')
> +
> +########################################
> +#
> +# qemu-dm local policy
> +#
> +# Do we need to allow execution of qemu-dm?
> +tunable_policy(`xend_run_qemu',`
> + # If yes, transition to its own domain.
> + domtrans_pattern(xend_t, qemu_dm_exec_t, qemu_dm_t)
> + allow qemu_dm_t self:capability sys_resource;
> + allow qemu_dm_t self:process setrlimit;
> + allow qemu_dm_t self:fifo_file { read write };
> + allow qemu_dm_t self:tcp_socket create_stream_socket_perms;
> + rw_fifo_files_pattern(qemu_dm_t, xend_var_run_t, xend_var_run_t)
> + append_files_pattern(qemu_dm_t, xend_var_log_t, xend_var_log_t)
> + libs_use_ld_so(qemu_dm_t)
> + libs_use_shared_libs(qemu_dm_t)
> + files_read_etc_files(qemu_dm_t)
> + files_read_usr_files(qemu_dm_t)
> + miscfiles_read_localization(qemu_dm_t)
> + corenet_tcp_bind_generic_node(qemu_dm_t)
> + corenet_tcp_bind_vnc_port(qemu_dm_t)
> + dev_rw_xen(qemu_dm_t)
> + xen_stream_connect_xenstore(qemu_dm_t)
> + fs_manage_xenfs_dirs(qemu_dm_t)
> + fs_manage_xenfs_files(qemu_dm_t)
> +',`
> + # If no, then silently refuse to run it.
> + dontaudit xend_t qemu_dm_exec_t:file { execute execute_no_trans };
> +')
> +
> +########################################
> +#
> +# blktap local policy
> +#
> +# Do we need to allow execution of blktap?
> +tunable_policy(`xend_run_blktap',`
> + # If yes, transition to its own domain.
> + domtrans_pattern(xend_t, blktap_exec_t, blktap_t)
> + allow blktap_t self:fifo_file { read write };
> + libs_use_ld_so(blktap_t)
> + libs_use_shared_libs(blktap_t)
> + miscfiles_read_localization(blktap_t)
> + files_read_etc_files(blktap_t)
> + dev_read_sysfs(blktap_t)
> + logging_send_syslog_msg(blktap_t)
> + dev_rw_xen(blktap_t)
> + xen_stream_connect_xenstore(blktap_t)
> +',`
> + # If no, then silently refuse to run it.
> + dontaudit xend_t blktap_exec_t:file { execute execute_no_trans };
> +')
>


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com