
Re: [PATCH 2/2] flask: implement xsm_transtion_running



On Wed, Apr 20, 2022 at 1:03 PM Daniel P. Smith
<dpsmith@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> This commit implements full support for starting the idle domain privileged by
> introducing a new flask label xenboot_t which the idle domain is labeled with
> at creation.  It then provides the implementation for the XSM hook
> xsm_transition_running to relabel the idle domain to the existing xen_t flask
> label.
>
> In the reference flask policy a new macro, xen_build_domain(target), is
> introduced for creating policies for dom0less/hyperlaunch allowing the
> hypervisor to create and assign the necessary resources for domain
> construction.
>
> Signed-off-by: Daniel P. Smith <dpsmith@xxxxxxxxxxxxxxxxxxxx>
> ---

> @@ -188,6 +188,7 @@ static int cf_check flask_domain_alloc_security(struct 
> domain *d)
>
>  static void cf_check flask_domain_runtime_security(void)
>  {
> +    struct domain_security_struct *dsec;
>      struct domain *d = current->domain;
>
>      if ( d->domain_id != DOMID_IDLE )
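Review bot: the new `struct domain_security_struct *dsec;` declaration is separated from its only assignment, `dsec = d->ssid;`, which lands in the next hunk after the early return on `d->domain_id != DOMID_IDLE`; declaring it after `struct domain *d = current->domain;` and initialising it in place (`struct domain_security_struct *dsec = d->ssid;`) avoids carrying an uninitialised pointer through the early-return path and matches the style of the adjacent declaration.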
> @@ -198,6 +199,9 @@ static void cf_check flask_domain_runtime_security(void)
>       * set to false for the consistency check(s) in the setup code.
>       */
>      d->is_privileged = false;
> +
> +    dsec = d->ssid;
> +    dsec->sid = SECINITSID_XEN;
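Review bot: `dsec->sid = SECINITSID_XEN;` relabels the idle domain's own SID but leaves `dsec->self_sid` untouched, so the domain's self label still carries the SID it was created with (xenboot_t per the commit message) after the transition; add `dsec->self_sid = dsec->sid;` alongside it. Also, `dsec = d->ssid;` is dereferenced on the next line with no check that the security struct was allocated; an `ASSERT(dsec)` would make the dependency on the earlier alloc hook explicit.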

I think you also want
   dsec->self_sid = dsec->sid;
so self also changes to xen_t.

Otherwise I think it looks good,

I was wondering if you were going to require xenboot_t -> xen_t
permissions, but manually setting the sid fields side-steps that.
That seems nicer than requiring policy rules for the transition.

Hmmm, cross-referencing other flask code, often after assigning
self_sid there is this call to potentially re-calculate it:
    security_transition_sid(dsec->sid, dsec->sid, SECCLASS_DOMAIN, &dsec->self_sid);

But it isn't used for system domains, so omitting it seems fine.

Regards,
Jason
