xsm/flask: Fix permission tables

At some point, it seems that someone manually added Flask permission
definitions to one header file without updating the corresponding
policy configuration or the other related table.  The end result is
that we can get uninterpretable AVC messages like this:
# xl dmesg | grep avc
(XEN) avc:  denied  { 0x4000000 } for domid=0
scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t
tclass=domain

Fix this by updating the flask config and regenerating the headers
from it.  In the future, this can be further improved by integrating
the automatic generation of the headers into the build process as is
presently done in SELinux.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

diff --git a/tools/flask/policy/policy/flask/access_vectors b/tools/flask/policy/policy/flask/access_vectors
index f835eb5a324b2fae06186a172ee973caf6daf2a7..27fb9d7913500f6737814278302ffe58b61287f9 100644 (file)
--- a/tools/flask/policy/policy/flask/access_vectors
+++ b/tools/flask/policy/policy/flask/access_vectors
@@ -75,6 +75,8 @@ class domain
        trigger
        getextvcpucontext
        setextvcpucontext
+       getvcpuextstate
+       setvcpuextstate
 }
 
 class hvm

diff --git a/xen/xsm/flask/include/av_perm_to_string.h b/xen/xsm/flask/include/av_perm_to_string.h
index da56d563c979e462729473db5e69b0d010d556f9..b10a2525890bbde379d06e4e1e22adc34e9029cf 100644 (file)
--- a/xen/xsm/flask/include/av_perm_to_string.h
+++ b/xen/xsm/flask/include/av_perm_to_string.h
@@ -50,6 +50,8 @@
    S_(SECCLASS_DOMAIN, DOMAIN__TRIGGER, "trigger")
    S_(SECCLASS_DOMAIN, DOMAIN__GETEXTVCPUCONTEXT, "getextvcpucontext")
    S_(SECCLASS_DOMAIN, DOMAIN__SETEXTVCPUCONTEXT, "setextvcpucontext")
+   S_(SECCLASS_DOMAIN, DOMAIN__GETVCPUEXTSTATE, "getvcpuextstate")
+   S_(SECCLASS_DOMAIN, DOMAIN__SETVCPUEXTSTATE, "setvcpuextstate")
    S_(SECCLASS_HVM, HVM__SETHVMC, "sethvmc")
    S_(SECCLASS_HVM, HVM__GETHVMC, "gethvmc")
    S_(SECCLASS_HVM, HVM__SETPARAM, "setparam")