
Re: [PATCH v2 2/2] flask: implement xsm_transition_running


  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>
  • Date: Thu, 21 Apr 2022 10:39:38 -0400
  • Cc: scott.davis@xxxxxxxxxx, jandryuk@xxxxxxxxx, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
  • Delivery-date: Thu, 21 Apr 2022 14:40:41 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 4/21/22 05:22, Jan Beulich wrote:
> On 21.04.2022 00:28, Daniel P. Smith wrote:
>> --- a/xen/xsm/flask/hooks.c
>> +++ b/xen/xsm/flask/hooks.c
>> @@ -168,7 +168,7 @@ static int cf_check flask_domain_alloc_security(struct 
>> domain *d)
>>      switch ( d->domain_id )
>>      {
>>      case DOMID_IDLE:
>> -        dsec->sid = SECINITSID_XEN;
>> +        dsec->sid = SECINITSID_XENBOOT;
>>          break;
>>      case DOMID_XEN:
>>          dsec->sid = SECINITSID_DOMXEN;
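Review bot: the DOMID_IDLE case now assigns only dsec->sid, while the later hunk in flask_transition_running() sets both dsec->sid and dsec->self_sid; if self_sid is not derived from sid further down in this function, the idle domain carries a mismatched self_sid between allocation and the transition. It is also worth a comment at this site that every access check performed before the transition hook runs is evaluated under SECINITSID_XENBOOT rather than SECINITSID_XEN, since that window is the whole point of the relabel.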
>> @@ -188,6 +188,7 @@ static int cf_check flask_domain_alloc_security(struct 
>> domain *d)
>>  
>>  static void cf_check flask_transition_running(void)
>>  {
>> +    struct domain_security_struct *dsec;
>>      struct domain *d = current->domain;
>>  
>>      if ( d->domain_id != DOMID_IDLE )
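Review bot: dsec is declared at the top of flask_transition_running() but only assigned at the very end, after the early return for non-idle domains, so the reader has to track an uninitialised pointer across the whole function; either declare it next to its use or initialise it alongside d (e.g. `struct domain_security_struct *dsec = d->ssid;` placed after the declaration of d) so the function's locals are set up together.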
>> @@ -198,6 +199,10 @@ static void cf_check flask_transition_running(void)
>>       * set to false for the consistency check(s) in the setup code.
>>       */
>>      d->is_privileged = false;
>> +
>> +    dsec = d->ssid;
>> +    dsec->sid = SECINITSID_XEN;
>> +    dsec->self_sid = dsec->sid;
>>  }
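Review bot: the replacement at `dsec->sid = SECINITSID_XEN;` is unconditional, so nothing detects the hook being reached on a domain whose label is no longer SECINITSID_XENBOOT (for instance if the transition ran twice); as raised in this thread, an `ASSERT(dsec->sid == SECINITSID_XENBOOT)` before the assignment, or a non-void return so the caller can fail the boot instead of the hook silently relabelling, would make the expected entry state explicit. The existing comment block above `d->is_privileged = false;` explains that flag but says nothing about why the label changes here; one sentence noting that the boot label is dropped once setup is complete would help the next reader.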
> 
> If replacing SIDs is an okay thing to do, perhaps assert that the
> values haven't changed from SECINITSID_XENBOOT prior to replacing
> them?

Yes, changing a domain's SID is a legitimate action that could be done
today via the FLASK_RELABEL_DOMAIN subop of the xsm_op hypercall, which ends
up calling flask_relabel_domain() when using flask policy. This is
where Jason was concerned whether I was going to be using that call to change
the SID, which would require a policy rule to allow xenboot_t to relabel
itself as xen_t. As flask works today, the system domains use initial
SIDs which are effectively compile-time labels, which means the policy
rule is a static, fixed rule that must always be present, i.e. it is not
possible to use a different set of labels. This also introduces the
risk that a custom policy writer inadvertently leaves out the xenboot_t to
xen_t transitional rule, resulting in a failed access attempt which
would lead to a panic. This is unnecessary pain when we can just handle
the transition internal to the hypervisor, as that is where it is all really
occurring.

As for the ASSERT, that is a good point since there is a specific state
we are expecting to enter the hook in. Paired with some thinking I have
had to do in answering Jason, Roger, and yourself, I am going to rewire
the hook to return a success/error return value and move the panic
outside the check.

v/r,
dps
