path: root/docs/misc/xsm-flask.txt
Commit message | Author | Age | Files | Lines
* xsm/flask: add distinct SIDs for self/target access | Daniel De Graaf | 2013-01-11 | 1 | -4/+39

  Because the FLASK XSM module no longer checks IS_PRIV for remote domain accesses covered by XSM permissions, domains now have the ability to perform memory management and other functions on all domains that have the same type. While it is possible to prevent this by only creating one domain per type, this solution significantly limits the flexibility of the type system.

  This patch introduces a domain type transition to represent a domain that is operating on itself. In the example policy, this is demonstrated by creating a type with _self appended when declaring a domain type which will be used for reflexive operations. AVCs for a domain of type domU_t will look like the following:

    scontext=system_u:system_r:domU_t tcontext=system_u:system_r:domU_t_self

  This change also allows policy to distinguish between event channels a domain creates to itself and event channels created between domains of the same type.

  The IS_PRIV_FOR check used for device model domains is also no longer checked by FLASK; a similar transition is performed when the target is set and used when the device model accesses its target domain.

  Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
  Committed-by: Keir Fraser <keir@xen.org>
* libxl: introduce XSM relabel on build | Daniel De Graaf | 2012-12-13 | 1 | -0/+2

  Allow a domain to be built under one security label and run using a different label. This can be used to prevent the domain builder or control domain from having the ability to access a guest domain's memory via map_foreign_range except during the build process where this is required.

  Example domain configuration snippet:

    seclabel='customer_1:vm_r:nomigrate_t'
    init_seclabel='customer_1:vm_r:nomigrate_t_building'

  Note: this does not provide complete protection from a malicious dom0; mappings created during the build process may persist after the relabel, and could be used to indirectly access the guest's memory. However, if dom0 correctly unmaps the domain upon building, the domU is protected against dom0 becoming malicious in the future.

  Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
  Acked-by: Ian Campbell <ian.campbell@citrix.com>
  Committed-by: Ian Campbell <ian.campbell@citrix.com>
* docs: various typos | Tim Deegan | 2012-06-28 | 1 | -1/+1

  Signed-off-by: Tim Deegan <tim@xen.org>
  Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
  Committed-by: Ian Jackson <ian.jackson.citrix.com>
* flask/policy: add device model types to example policy | Daniel De Graaf | 2012-02-09 | 1 | -0/+4

  This adds an example user for device_model_stubdomain_seclabel.

  Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
  Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
* flask/policy: Add boolean example | Daniel De Graaf | 2012-02-02 | 1 | -1/+2

  This shows an example boolean (prot_doms_locked) which can be set at runtime to prevent dom0 from mapping memory of domains of type prot_domU_t.

  Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
  Committed-by: Keir Fraser <keir@xen.org>
* flask/policy: Add user and constraint examples | Daniel De Graaf | 2012-02-02 | 1 | -10/+32

  These examples show how to use constraints and the user field of the security label to prevent communication between virtual machines of different customers in a multi-tenant environment.

  Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
  Committed-by: Keir Fraser <keir@xen.org>
* docs: Update xsm-flask documentation | Daniel De Graaf | 2012-01-10 | 1 | -144/+96

  Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
  Committed-by: Ian Jackson <ian.jackson.citrix.com>
* Remove unmaintained Access Control Module (ACM) from hypervisor. | Keir Fraser | 2011-03-25 | 1 | -1/+0

  Signed-off-by: Keir Fraser <keir@xen.org>
* xsm: Add support for Xen device policies | Keir Fraser | 2009-10-27 | 1 | -0/+64

  Add support for Xen ocontext records to enable device policies. The default policy will not be changed and instructions have been added to enable the new functionality. Examples on how to use the new policy language have been added but commented out. The newest version of checkpolicy (>= 2.0.20) and libsepol (>= 2.0.39) are needed in order to compile it.

  Devices can be labeled and enforced using the following new commands: pirqcon, iomemcon, ioportcon and pcidevicecon.

  Signed-off-by: George Coker <gscoker@alpha.ncsc.mil>
  Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil>
* docs/misc: Update XSM Flask documentation | Keir Fraser | 2009-08-21 | 1 | -14/+64

  Update the XSM Flask documentation to reflect the support for policy.24, the updated policy and policy build infrastructure, and how to enable the optional MLS policy.

  Signed-off-by: Stephen D. Smalley <sds@tycho.nsa.gov>
  Signed-off-by: George S. Coker, II <gscoker@alpha.ncsc.mil>
* typo: occured -> occurred | Keir Fraser | 2009-06-03 | 1 | -1/+1

  Signed-off-by: Masaki Kanno <kanno.masaki@jp.fujitsu.com>
* [XSM][FLASK] basic documentation and a type cast error for x86_64 | Keir Fraser | 2009-02-13 | 1 | -0/+148

  - A simple txt howto based on previous list discussions and observations
  - A one-liner patch to address a compiler type cast error for x86_64

  Signed-off-by: George S. Coker, II <gscoker@alpha.ncsc.mil>