
[PATCH 7/8] xsm: clean up initial SIDs
The domU SID is never used before a policy load, and so does not belong
in the initial_sids list.

The PIRQ SID is now incorrectly named; it should simply be called IRQ.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
---
tools/flask/policy/policy/flask/initial_sids | 3 +--
tools/flask/policy/policy/modules/xen/xen.if | 4 ++--
tools/flask/policy/policy/modules/xen/xen.te | 9 ++++-----
xen/xsm/flask/include/flask.h | 19 +++++++++----------
xen/xsm/flask/include/initial_sid_to_string.h | 3 +--
xen/xsm/flask/ss/services.c | 2 +-
6 files changed, 18 insertions(+), 22 deletions(-)

diff --git a/tools/flask/policy/policy/flask/initial_sids b/tools/flask/policy/policy/flask/initial_sids
index 9b78fba..e508bde 100644
--- a/tools/flask/policy/policy/flask/initial_sids
+++ b/tools/flask/policy/policy/flask/initial_sids
@@ -5,13 +5,12 @@
#
sid xen
sid dom0
-sid domU
sid domio
sid domxen
sid unlabeled
sid security
sid ioport
sid iomem
-sid pirq
+sid irq
sid device
# FLASK
diff --git a/tools/flask/policy/policy/modules/xen/xen.if b/tools/flask/policy/policy/modules/xen/xen.if
index d12af74..1b50898 100644
--- a/tools/flask/policy/policy/modules/xen/xen.if
+++ b/tools/flask/policy/policy/modules/xen/xen.if
@@ -70,10 +70,10 @@ define(`create_passthrough_resource', `
allow $1 $2:resource {add remove};
allow $1 ioport_t:resource {add_ioport use};
allow $1 iomem_t:resource {add_iomem use};
- allow $1 pirq_t:resource {add_irq use};
+ allow $1 irq_t:resource {add_irq use};
allow $1 domio_t:mmu {map_read map_write};
allow $2 domio_t:mmu {map_write};
- allow $2 pirq_t:resource {use};
+ allow $2 irq_t:resource {use};
allow $1 $3:resource {add_irq add_iomem add_ioport remove_irq remove_iomem remove_ioport use add_device remove_device};
allow $2 $3:resource {use add_ioport add_iomem remove_ioport remove_iomem};
allow $2 $3:mmu {map_read map_write};
diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
index 8113467..1a7f29a 100644
--- a/tools/flask/policy/policy/modules/xen/xen.te
+++ b/tools/flask/policy/policy/modules/xen/xen.te
@@ -16,7 +16,7 @@ type unlabeled_t, domain_type;

type security_t, domain_type;

-type pirq_t, resource_type;
+type irq_t, resource_type;
type ioport_t, resource_type;
type iomem_t, resource_type;
type device_t, resource_type;
@@ -43,8 +43,8 @@ allow xen_t ioport_t:resource {add_ioport remove_ioport};
allow dom0_t ioport_t:resource {use};
allow xen_t iomem_t:resource {add_iomem remove_iomem};
allow dom0_t iomem_t:resource {use};
-allow xen_t pirq_t:resource {add_irq remove_irq};
-allow dom0_t pirq_t:resource { add_irq remove_irq use};
+allow xen_t irq_t:resource {add_irq remove_irq};
+allow dom0_t irq_t:resource { add_irq remove_irq use};
allow dom0_t dom0_t:resource { add remove };
allow dom0_t xen_t:xen firmware;

@@ -140,12 +140,11 @@ manage_domain(dom0_t, domHU_t)
################################################################################
sid xen gen_context(system_u:system_r:xen_t,s0)
sid dom0 gen_context(system_u:system_r:dom0_t,s0)
-sid domU gen_context(system_u:system_r:domU_t,s0)
sid domxen gen_context(system_u:system_r:domxen_t,s0)
sid domio gen_context(system_u:system_r:domio_t,s0)
sid unlabeled gen_context(system_u:system_r:unlabeled_t,s0)
sid security gen_context(system_u:system_r:security_t,s0)
-sid pirq gen_context(system_u:object_r:pirq_t,s0)
+sid irq gen_context(system_u:object_r:irq_t,s0)
sid iomem gen_context(system_u:object_r:iomem_t,s0)
sid ioport gen_context(system_u:object_r:ioport_t,s0)
sid device gen_context(system_u:object_r:device_t,s0)
diff --git a/xen/xsm/flask/include/flask.h b/xen/xsm/flask/include/flask.h
index 333edcd..6d29c5a 100644
--- a/xen/xsm/flask/include/flask.h
+++ b/xen/xsm/flask/include/flask.h
@@ -20,16 +20,15 @@
*/
#define SECINITSID_XEN 1
#define SECINITSID_DOM0 2
-#define SECINITSID_DOMU 3
-#define SECINITSID_DOMIO 4
-#define SECINITSID_DOMXEN 5
-#define SECINITSID_UNLABELED 6
-#define SECINITSID_SECURITY 7
-#define SECINITSID_IOPORT 8
-#define SECINITSID_IOMEM 9
-#define SECINITSID_PIRQ 10
-#define SECINITSID_DEVICE 11
+#define SECINITSID_DOMIO 3
+#define SECINITSID_DOMXEN 4
+#define SECINITSID_UNLABELED 5
+#define SECINITSID_SECURITY 6
+#define SECINITSID_IOPORT 7
+#define SECINITSID_IOMEM 8
+#define SECINITSID_IRQ 9
+#define SECINITSID_DEVICE 10

-#define SECINITSID_NUM 11
+#define SECINITSID_NUM 10

#endif
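Review bot: Renumbering SECINITSID_DOMIO through SECINITSID_DEVICE (and SECINITSID_NUM) changes the numeric contract between the hypervisor and a compiled policy, and nothing in the hunk records that dependency. If initial SIDs are assigned by their position in tools/flask/policy/policy/flask/initial_sids, as the matching one-line removal in that file suggests, a policy built from the old list and loaded on a hypervisor with these values would resolve every SID from 3 upward to a neighbouring context, e.g. SECINITSID_UNLABELED (5) to what the old policy called domxen. A comment above the defines would make the coupling visible to whoever edits either list next: `/* Values must match the order in tools/flask/policy/policy/flask/initial_sids and initial_sid_to_string.h. */`. It would also help to state in the commit message that existing policy binaries must be rebuilt, and, if the policy format carries a version number, to consider bumping it so a stale policy is rejected at load time rather than silently mis-mapped.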
diff --git a/xen/xsm/flask/include/initial_sid_to_string.h b/xen/xsm/flask/include/initial_sid_to_string.h
index 3bf8ff2..814f4bf 100644
--- a/xen/xsm/flask/include/initial_sid_to_string.h
+++ b/xen/xsm/flask/include/initial_sid_to_string.h
@@ -4,14 +4,13 @@ static char *initial_sid_to_string[] =
"null",
"xen",
"dom0",
- "domU",
"domio",
"domxen",
"unlabeled",
"security",
"ioport",
"iomem",
- "pirq",
+ "irq",
"device",
};

diff --git a/xen/xsm/flask/ss/services.c b/xen/xsm/flask/ss/services.c
index 1eb8e4c..c810e9b 100644
--- a/xen/xsm/flask/ss/services.c
+++ b/xen/xsm/flask/ss/services.c
@@ -1546,7 +1546,7 @@ int security_irq_sid(int pirq, u32 *out_sid)
}
else
{
- *out_sid = SECINITSID_PIRQ;
+ *out_sid = SECINITSID_IRQ;
}

out:
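Review bot: The context line `int security_irq_sid(int pirq, u32 *out_sid)` still names its argument `pirq`, the term the commit message calls incorrect, so the function now stores SECINITSID_IRQ for a value it still describes as a pirq. If the argument is a generic IRQ, renaming it to `int irq` (prototype and callers are outside this hunk) keeps the naming consistent with the new SID; if it genuinely is a physical IRQ number that is merely labelled with the irq SID, a one-line comment saying so would resolve the apparent mismatch instead. The body of security_irq_sid begins before and continues past this hunk.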
--
1.7.7.3

