[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [XEN PATCH] tools/xl: Add device_model_stubdomain_init_seclabel option to xl.cfg

To: Jason Andryuk <jandryuk@xxxxxxxxx>
From: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>
Date: Tue, 27 Jul 2021 14:19:11 +0200
Cc: Scott Davis <scottwd@xxxxxxxxx>, xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Scott Davis <scott.davis@xxxxxxxxxx>, Ian Jackson <iwj@xxxxxxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Nick Rosbrook <rosbrookn@xxxxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Juergen Gross <jgross@xxxxxxxx>, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>, "Daniel P . Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>
Delivery-date: Tue, 27 Jul 2021 12:19:30 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Mon, Jul 26, 2021 at 09:07:03AM -0400, Jason Andryuk wrote:
> Sort of relatedly, is stubdom unpaused before the guest gets
> relabeled?  Quickly looking, I think stubdom is unpaused.  I would
> think you want them both relabeled before either is unpaused.  If the
> stubdom starts with the exec_label, but it sees the guest with the
> init_label, it may get an unexpected denial?  On the other hand,
> delayed unpausing of stubdom would slow down booting.

Some parts of the stubdomain setup are done after it's unpaused (but
before the guest is unpaused). Especially, PCI devices are hot-plugged
only when QEMU is already running (not sure why).

> With the stubdom getting unpaused before relabel, do you have to give
> the stubdom some extra flask policy permissions to handle that case?

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

Attachment: signature.asc
Description: PGP signature

Follow-Ups:
- Re: [XEN PATCH] tools/xl: Add device_model_stubdomain_init_seclabel option to xl.cfg
  - From: Ian Jackson

References:
- [XEN PATCH] tools/xl: Add device_model_stubdomain_init_seclabel option to xl.cfg
  - From: Scott Davis
- Re: [XEN PATCH] tools/xl: Add device_model_stubdomain_init_seclabel option to xl.cfg
  - From: Jason Andryuk

Prev by Date: Re: [XEN PATCH] tools/xl: Add device_model_stubdomain_init_seclabel option to xl.cfg
Next by Date: Re: Xen-Error: Disabling IOMMU on Stepping C2 5520 Host-Bridge
Previous by thread: Re: [XEN PATCH] tools/xl: Add device_model_stubdomain_init_seclabel option to xl.cfg
Next by thread: Re: [XEN PATCH] tools/xl: Add device_model_stubdomain_init_seclabel option to xl.cfg
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.