
Re: [PATCH v2 2/2] flask: implement xsm_transtion_running


  • To: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Thu, 21 Apr 2022 11:22:32 +0200
  • Cc: scott.davis@xxxxxxxxxx, jandryuk@xxxxxxxxx, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
  • Delivery-date: Thu, 21 Apr 2022 09:22:49 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 21.04.2022 00:28, Daniel P. Smith wrote:
> --- a/xen/xsm/flask/hooks.c
> +++ b/xen/xsm/flask/hooks.c
> @@ -168,7 +168,7 @@ static int cf_check flask_domain_alloc_security(struct 
> domain *d)
>      switch ( d->domain_id )
>      {
>      case DOMID_IDLE:
> -        dsec->sid = SECINITSID_XEN;
> +        dsec->sid = SECINITSID_XENBOOT;
>          break;
>      case DOMID_XEN:
>          dsec->sid = SECINITSID_DOMXEN;
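
Review bot: the `case DOMID_IDLE:` arm now assigns SECINITSID_XENBOOT with no comment saying that this is a boot-time label which flask_transition_running() later replaces with SECINITSID_XEN. A short comment at the assignment would keep a later reader from treating XENBOOT as the idle domain's permanent SID when checking policy against this code.
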
> @@ -188,6 +188,7 @@ static int cf_check flask_domain_alloc_security(struct 
> domain *d)
>  
>  static void cf_check flask_transition_running(void)
>  {
> +    struct domain_security_struct *dsec;
>      struct domain *d = current->domain;
>  
>      if ( d->domain_id != DOMID_IDLE )
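
Review bot: the new `struct domain_security_struct *dsec;` is declared above `d` and left uninitialized, so it cannot be set where it is declared and stays an indeterminate pointer across the `d->domain_id != DOMID_IDLE` check. Declaring it after `struct domain *d = current->domain;` and initializing it as `= d->ssid` would keep the declaration and its only source together.
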
> @@ -198,6 +199,10 @@ static void cf_check flask_transition_running(void)
>       * set to false for the consistency check(s) in the setup code.
>       */
>      d->is_privileged = false;
> +
> +    dsec = d->ssid;
> +    dsec->sid = SECINITSID_XEN;
> +    dsec->self_sid = dsec->sid;
>  }
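
Review bot: the three added lines at the end of flask_transition_running() overwrite dsec->sid and dsec->self_sid unconditionally, and the comment ending just above `d->is_privileged = false;` says nothing about the relabel. The first hunk only shows `dsec->sid` being set to SECINITSID_XENBOOT, so it is worth stating or checking what self_sid holds before this point, and extending the comment to record that the idle domain moves from the XENBOOT label to SECINITSID_XEN here.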

If replacing SIDs is an okay thing to do, perhaps assert that the
values haven't changed from SECINITSID_XENBOOT prior to replacing
them?

Jan




 

