Re: [PATCH v2 2/2] flask: implement xsm_transtion_running
- To: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>
- From: Jan Beulich <jbeulich@xxxxxxxx>
- Date: Thu, 21 Apr 2022 11:22:32 +0200
- Cc: scott.davis@xxxxxxxxxx, jandryuk@xxxxxxxxx, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
- Delivery-date: Thu, 21 Apr 2022 09:22:49 +0000
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 21.04.2022 00:28, Daniel P. Smith wrote:
> --- a/xen/xsm/flask/hooks.c
> +++ b/xen/xsm/flask/hooks.c
> @@ -168,7 +168,7 @@ static int cf_check flask_domain_alloc_security(struct
> domain *d)
> switch ( d->domain_id )
> {
> case DOMID_IDLE:
> - dsec->sid = SECINITSID_XEN;
> + dsec->sid = SECINITSID_XENBOOT;
> break;
> case DOMID_XEN:
> dsec->sid = SECINITSID_DOMXEN;
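
Review bot: The DOMID_IDLE case now assigns SECINITSID_XENBOOT with no comment saying that this is a boot-time label which flask_transition_running() later replaces with SECINITSID_XEN. A short comment at this case would keep a reader from taking XENBOOT as the idle domain's permanent SID and would make the pairing between the two functions explicit.
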
> @@ -188,6 +188,7 @@ static int cf_check flask_domain_alloc_security(struct
> domain *d)
>
> static void cf_check flask_transition_running(void)
> {
> + struct domain_security_struct *dsec;
> struct domain *d = current->domain;
>
> if ( d->domain_id != DOMID_IDLE )
> @@ -198,6 +199,10 @@ static void cf_check flask_transition_running(void)
> * set to false for the consistency check(s) in the setup code.
> */
> d->is_privileged = false;
> +
> + dsec = d->ssid;
> + dsec->sid = SECINITSID_XEN;
> + dsec->self_sid = dsec->sid;
> }
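
Review bot: The comment above "d->is_privileged = false;" only explains the privilege drop, so the three added lines that relabel the domain are undocumented; extend that comment to say the idle domain's label moves from the boot-time SID to SECINITSID_XEN at this point. Separately, self_sid is overwritten here while the visible DOMID_IDLE case in flask_domain_alloc_security() only shows sid being set, so it is worth confirming what self_sid holds before this assignment and stating it in the comment.
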
If replacing SIDs is an okay thing to do, perhaps assert that the
values haven't changed from SECINITSID_XENBOOT prior to replacing
them?
Jan