Re: [Xen-devel] [PATCH] libxl: assigned a default ssid_label (XSM label) to guests
On Fri, 2015-05-15 at 13:09 -0400, Daniel De Graaf wrote:
> > I'd be inclined to go the other way and either have a default ssid for
> > the DM or to fail if one isn't given (the latter would probably happen
> > anyway due to enforcement?).
>
> Yes, it would probably fail at xc_domain_set_target in enforcing mode.
>
> > Sounds like the default ssidref should be either ~= domU_t or domHVM_t
> > depending on the type of domain? (domU_t is really domPV_t?)
>
> The domU_t type also works for HVM domains with the device model in dom0.
>
> Looking at the problem again, I think a second initial SID for the device
> model would be preferable, removing domHVM_t completely. There are already
> other example types in the policy for domains that do not use a device model
> (isolated_domU_t is probably the best example), and the result more closely
> matches the permissions used in the hypervisor without XSM enabled.

I'm around about half sure what you are proposing here, but I trust it
makes sense ;-).

I think for now I will investigate using a default ssid for all domains,
which AIUI from above will work out of the box with PV guests and HVM
ones which have qemu in dom0.

For the stubdom case I think I'll leave it to you to change the default
policy, at which point I'll be happy to extend things to a default ssid
for stubdom too.

Ian.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel