Merge pull request #6 from stephensmalley/stable-6-oxt666

jean-edouard · web-flow · commit 8ac915d8593a · 2016-07-28T14:49:24.000-04:00
xsm-policy: Define and allow v4v use permission where appropriate
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
@@ -458,4 +458,5 @@ class security
 class v4v
 {
     send
+    use
 }
diff --git a/policy/modules/xen/dom0.if b/policy/modules/xen/dom0.if
@@ -104,6 +104,7 @@ interface(`dom0_send_v4v',`
 		type dom0_t;
 	')
 
+	allow $1 self:v4v use;
 	allow $1 dom0_t:v4v send;
 ')
 ########################################
@@ -122,6 +123,7 @@ interface(`dom0_recv_v4v',`
 		type dom0_t;
 	')
 
+	allow dom0_t self:v4v use;
 	allow dom0_t $1:v4v send;
 ')
 ########################################
diff --git a/policy/modules/xen/dom0.te b/policy/modules/xen/dom0.te
@@ -45,7 +45,7 @@ allow dom0_t self:domain2 { setscheduler iommu_map_batch iommu_x_mapping apertur
 
 allow dom0_t self:event { bind create };
 allow dom0_t self:resource { add remove setup };
-allow dom0_t self:v4v send;
+dom0_send_v4v(dom0_t)
 
 allow dom0_t evchn0-0_t:event send;
 
diff --git a/policy/modules/xen/guesthvm.te b/policy/modules/xen/guesthvm.te
@@ -80,6 +80,7 @@ nilfvm_use(hvm_guest_t)
 dom0_copy_grant(hvm_guest_t)
 dom0_map_write_grant_guest(hvm_guest_t)
 dom0_pt_guest(hvm_guest_t)
-dom0_send_v4v(hvm_guest_t)
-dom0_recv_v4v(hvm_guest_t)
+# Uncomment these if you wish to allow guests to use v4v.
+#dom0_send_v4v(hvm_guest_t)
+#dom0_recv_v4v(hvm_guest_t)
 stubdom_ioemu(hvm_guest_t)
diff --git a/policy/modules/xen/ndvm.if b/policy/modules/xen/ndvm.if
@@ -88,6 +88,7 @@ interface(`ndvm_send_v4v',`
 		type ndvm_t;
 	')
 
+	allow $1 self:v4v use;
 	allow $1 ndvm_t:v4v send;
 ')
 ########################################
diff --git a/policy/modules/xen/stubdom.if b/policy/modules/xen/stubdom.if
@@ -129,6 +129,7 @@ interface(`stubdom_send_v4v',`
 		type stubdom_t;
 	')
 
+	allow $1 self:v4v use;
 	allow $1 stubdom_t:v4v send;
 ')
 ########################################
diff --git a/policy/modules/xen/uivm.if b/policy/modules/xen/uivm.if
@@ -34,26 +34,10 @@ interface(`uivm_send_v4v',`
 		type uivm_t;
 	')
 
+	allow $1 self:v4v use;
 	allow $1 uivm_t:v4v send;
 ')
-########################################
-## <summary>
-##	Allow the specified domain to
-##	send data to the UIVM via v4v.
-## </summary>
-## <param name="type">
-##	<summary>
-##	Type of the domain allowe access.
-##	</summary>
-## </param>
-#
-interface(`uivm_send_v4v',`
-	gen_require(`
-		type uivm_t;
-	')
 
-	allow $1 uivm_t:v4v send;
-')
 ########################################
 ## <summary>
 ##	Allow the specified type to map write uivm grants.

Original file line number	Diff line number	Diff line change
`@@ -458,4 +458,5 @@ class security`
`458`	`458`	`class v4v`
`459`	`459`	`{`
`460`	`460`	`send`
	`461`	`+ use`
`461`	`462`	`}`