Xen project Mailing List

[XEN PATCH] tools/xl: Add device_model_stubdomain_init_seclabel option to xl.cfg

Date: Fri, 23 Jul 2021 00:47:31 -0400

Cc: Scott Davis <scott.davis@xxxxxxxxxx>, Ian Jackson <iwj@xxxxxxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Nick Rosbrook <rosbrookn@xxxxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Juergen Gross <jgross@xxxxxxxx>, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>, "Daniel P . Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>

Delivery-date: Fri, 23 Jul 2021 04:47:56 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

This adds an option to the xl domain configuration syntax for specifying a build-time XSM security label for device-model stubdomains separate from the run-time label specified by 'device_model_stubdomain_seclabel'. Fields are also added to the 'libxl_domain_build_info' struct to contain the new information, and a new call to 'xc_flask_relabel_domain' inserted to affect the change at the appropriate time. The implementation mirrors that of the 'seclabel' and 'init_seclabel' options for user domains. When all used in concert, this enables the creation of security policies that minimize run-time privileges between the toolstack domain, device-model stubdomains, and user domains. Signed-off-by: Scott Davis <scott.davis@xxxxxxxxxx> --- docs/man/xl.cfg.5.pod.in | 10 ++++++++++ tools/golang/xenlight/helpers.gen.go | 5 +++++ tools/golang/xenlight/types.gen.go | 2 ++ tools/include/libxl.h | 10 ++++++++++ tools/libs/light/libxl_create.c | 28 ++++++++++++++++++++++++++-- tools/libs/light/libxl_dm.c | 14 +++++++++----- tools/libs/light/libxl_types.idl | 2 ++ tools/xl/xl_parse.c | 12 +++++++++++- 8 files changed, 75 insertions(+), 8 deletions(-) diff --git a/docs/man/xl.cfg.5.pod.in b/docs/man/xl.cfg.5.pod.in index 56370a37db..3458d357fc 100644 --- a/docs/man/xl.cfg.5.pod.in +++ b/docs/man/xl.cfg.5.pod.in @@ -2762,6 +2762,16 @@ you have selected. Assign an XSM security label to the device-model stubdomain. +=item B<device_model_stubdomain_init_seclabel="LABEL"> + +Specify a temporary XSM security label for the device-model stubdomain used +during creation of it and its associated guest. The stubdomain's XSM label will +then be changed to the execution seclabel (as specified by +B<device_model_stubdomain_seclabel>) once creation is complete, prior to +unpausing the stubdomain's guest. With proper (re)labeling, a security policy +can be constructed that minimizes run-time privileges between the toolstack +domain, device-model stubdomains, and user domains. + =item B<device_model_args=[ "ARG", "ARG", ...]> Pass additional arbitrary options on the device-model command diff --git a/tools/golang/xenlight/helpers.gen.go b/tools/golang/xenlight/helpers.gen.go index db82537b42..e961cb5f75 100644 --- a/tools/golang/xenlight/helpers.gen.go +++ b/tools/golang/xenlight/helpers.gen.go @@ -1022,6 +1022,8 @@ x.StubdomainRamdisk = C.GoString(xc.stubdomain_ramdisk) x.DeviceModel = C.GoString(xc.device_model) x.DeviceModelSsidref = uint32(xc.device_model_ssidref) x.DeviceModelSsidLabel = C.GoString(xc.device_model_ssid_label) +x.DeviceModelExecSsidref = uint32(xc.device_model_exec_ssidref) +x.DeviceModelExecSsidLabel = C.GoString(xc.device_model_exec_ssid_label) x.DeviceModelUser = C.GoString(xc.device_model_user) if err := x.Extra.fromC(&xc.extra);err != nil { return fmt.Errorf("converting field Extra: %v", err) @@ -1351,6 +1353,9 @@ xc.device_model = C.CString(x.DeviceModel)} xc.device_model_ssidref = C.uint32_t(x.DeviceModelSsidref) if x.DeviceModelSsidLabel != "" { xc.device_model_ssid_label = C.CString(x.DeviceModelSsidLabel)} +xc.device_model_exec_ssidref = C.uint32_t(x.DeviceModelExecSsidref) +if x.DeviceModelExecSsidLabel != "" { +xc.device_model_exec_ssid_label = C.CString(x.DeviceModelExecSsidLabel)} if x.DeviceModelUser != "" { xc.device_model_user = C.CString(x.DeviceModelUser)} if err := x.Extra.toC(&xc.extra); err != nil { diff --git a/tools/golang/xenlight/types.gen.go b/tools/golang/xenlight/types.gen.go index a214dd9df6..45061d1afa 100644 --- a/tools/golang/xenlight/types.gen.go +++ b/tools/golang/xenlight/types.gen.go @@ -487,6 +487,8 @@ StubdomainRamdisk string DeviceModel string DeviceModelSsidref uint32 DeviceModelSsidLabel string +DeviceModelExecSsidref uint32 +DeviceModelExecSsidLabel string DeviceModelUser string Extra StringList ExtraPv StringList diff --git a/tools/include/libxl.h b/tools/include/libxl.h index ae7fe27c1f..62b69222f6 100644 --- a/tools/include/libxl.h +++ b/tools/include/libxl.h @@ -1069,6 +1069,16 @@ typedef struct libxl__ctx libxl_ctx; */ #define LIBXL_HAVE_SSID_LABEL 1 +/* + * LIBXL_HAVE_BUILDINFO_DEVICE_MODEL_STUBDOMAIN_EXEC_SSID + * + * If this is defined, then the libxl_domain_build_info structure will + * contain 'device_model_exec_ssidref' and 'device_model_exec_ssid_label' for + * specifying a run-time XSM security label separate from the build-time label + * specified in 'device_model_ssidref' and 'device_model_ssid_label'. + */ +#define LIBXL_HAVE_BUILDINFO_DEVICE_MODEL_STUBDOMAIN_EXEC_SSID 1 + /* * LIBXL_HAVE_CPUPOOL_NAME * diff --git a/tools/libs/light/libxl_create.c b/tools/libs/light/libxl_create.c index e356b2106d..a12da5531d 100644 --- a/tools/libs/light/libxl_create.c +++ b/tools/libs/light/libxl_create.c @@ -1060,13 +1060,31 @@ int libxl__domain_config_setdefault(libxl__gc *gc, char *s = d_config->b_info.device_model_ssid_label; ret = libxl_flask_context_to_sid(ctx, s, strlen(s), &d_config->b_info.device_model_ssidref); + if (ret) { + if (errno == ENOSYS) { + LOGD(WARN, domid, + "XSM Disabled: device_model_stubdomain_init_seclabel not supported"); + ret = 0; + } else { + LOGD(ERROR, domid, + "Invalid device_model_stubdomain_init_seclabel: %s", s); + goto error_out; + } + } + } + + if (d_config->b_info.device_model_exec_ssid_label) { + char *s = d_config->b_info.device_model_exec_ssid_label; + ret = libxl_flask_context_to_sid(ctx, s, strlen(s), + &d_config->b_info.device_model_exec_ssidref); if (ret) { if (errno == ENOSYS) { LOGD(WARN, domid, "XSM Disabled: device_model_stubdomain_seclabel not supported"); ret = 0; } else { - LOGD(ERROR, domid, "Invalid device_model_stubdomain_seclabel: %s", s); + LOGD(ERROR, domid, + "Invalid device_model_stubdomain_seclabel: %s", s); goto error_out; } } @@ -1935,7 +1953,13 @@ static void domcreate_complete(libxl__egc *egc, libxl__domain_build_state_dispose(&dcs->build_state); if (!rc && d_config->b_info.exec_ssidref) - rc = xc_flask_relabel_domain(CTX->xch, dcs->guest_domid, d_config->b_info.exec_ssidref); + rc = xc_flask_relabel_domain(CTX->xch, dcs->guest_domid, + d_config->b_info.exec_ssidref); + + if (!rc && dcs->sdss.pvqemu.guest_domid != INVALID_DOMID && + d_config->b_info.device_model_exec_ssidref) + rc = xc_flask_relabel_domain(CTX->xch, dcs->sdss.pvqemu.guest_domid, + d_config->b_info.device_model_exec_ssidref); bool retain_domain = !rc || rc == ERROR_ABORTED; diff --git a/tools/libs/light/libxl_dm.c b/tools/libs/light/libxl_dm.c index dbd3c7f278..2b69b207c4 100644 --- a/tools/libs/light/libxl_dm.c +++ b/tools/libs/light/libxl_dm.c @@ -2300,20 +2300,24 @@ void libxl__spawn_stub_dm(libxl__egc *egc, libxl__stub_dm_spawn_state *sdss) sdss->pvqemu.guest_domid = INVALID_DOMID; libxl_domain_create_info_init(&dm_config->c_info); + libxl_domain_build_info_init(&dm_config->b_info); + libxl_domain_build_info_init_type(&dm_config->b_info, LIBXL_DOMAIN_TYPE_PV); + dm_config->c_info.type = LIBXL_DOMAIN_TYPE_PV; dm_config->c_info.name = libxl__stub_dm_name(gc, libxl__domid_to_name(gc, guest_domid)); - /* When we are here to launch stubdom, ssidref is a valid value - * already, no need to parse it again. + + /* When we are here to launch stubdom, ssidrefs are valid values already, + * no need to parse them again. */ dm_config->c_info.ssidref = guest_config->b_info.device_model_ssidref; dm_config->c_info.ssid_label = NULL; + dm_config->b_info.exec_ssidref = + guest_config->b_info.device_model_exec_ssidref; + dm_config->b_info.exec_ssid_label = NULL; libxl_uuid_generate(&dm_config->c_info.uuid); - libxl_domain_build_info_init(&dm_config->b_info); - libxl_domain_build_info_init_type(&dm_config->b_info, LIBXL_DOMAIN_TYPE_PV); - dm_config->b_info.shadow_memkb = 0; dm_config->b_info.max_vcpus = 1; dm_config->b_info.max_memkb = guest_config->b_info.stubdomain_memkb; diff --git a/tools/libs/light/libxl_types.idl b/tools/libs/light/libxl_types.idl index f45adddab0..b483729b9c 100644 --- a/tools/libs/light/libxl_types.idl +++ b/tools/libs/light/libxl_types.idl @@ -528,6 +528,8 @@ libxl_domain_build_info = Struct("domain_build_info",[ ("device_model", string), ("device_model_ssidref", uint32), ("device_model_ssid_label", string), + ("device_model_exec_ssidref", uint32), + ("device_model_exec_ssid_label", string), ("device_model_user", string), # extra parameters pass directly to qemu, NULL terminated diff --git a/tools/xl/xl_parse.c b/tools/xl/xl_parse.c index 9fb0791429..236f8b2fc0 100644 --- a/tools/xl/xl_parse.c +++ b/tools/xl/xl_parse.c @@ -2523,10 +2523,20 @@ skip_usbdev: xlu_cfg_get_defbool (config, "device_model_stubdomain_override", &b_info->device_model_stubdomain, 0); - if (!xlu_cfg_get_string (config, "device_model_stubdomain_seclabel", + if (!xlu_cfg_get_string (config, "device_model_stubdomain_init_seclabel", &buf, 0)) + xlu_cfg_replace_string(config, "device_model_stubdomain_init_seclabel", + &b_info->device_model_ssid_label, 0); + + if (!xlu_cfg_get_string (config, "device_model_stubdomain_seclabel", + &buf, 0)) { + if (b_info->device_model_ssid_label) + xlu_cfg_replace_string(config, "device_model_stubdomain_seclabel", + &b_info->device_model_exec_ssid_label, 0); + else xlu_cfg_replace_string(config, "device_model_stubdomain_seclabel", &b_info->device_model_ssid_label, 0); + } xlu_cfg_replace_string(config, "device_model_user", &b_info->device_model_user, 0); -- 2.25.1

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.