Re: [XEN PATCH] tools/xl: Add device_model_stubdomain_init_seclabel option to xl.cfg

On Mon, Jul 26, 2021 at 09:07:03AM -0400, Jason Andryuk wrote:
> Sort of relatedly, is stubdom unpaused before the guest gets
> relabeled?  Quickly looking, I think stubdom is unpaused.  I would
> think you want them both relabeled before either is unpaused.  If the
> stubdom starts with the exec_label, but it sees the guest with the
> init_label, it may get an unexpected denial?  On the other hand,
> delayed unpausing of stubdom would slow down booting.

Some parts of the stubdomain setup are done after it's unpaused (but
before the guest is unpaused). Especially, PCI devices are hot-plugged
only when QEMU is already running (not sure why).

> With the stubdom getting unpaused before relabel, do you have to give
> the stubdom some extra flask policy permissions to handle that case?

Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
