
Re: [PATCH v7 2/2] flask: implement xsm_set_system_active


  • To: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>
  • From: Rahul Singh <Rahul.Singh@xxxxxxx>
  • Date: Thu, 12 May 2022 14:49:36 +0000
  • Accept-language: en-US
  • Cc: xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, "scott.davis@xxxxxxxxxx" <scott.davis@xxxxxxxxxx>, "jandryuk@xxxxxxxxx" <jandryuk@xxxxxxxxx>, "christopher.clark@xxxxxxxxxx" <christopher.clark@xxxxxxxxxx>, Luca Fancellu <Luca.Fancellu@xxxxxxx>, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>
  • Delivery-date: Thu, 12 May 2022 14:49:51 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-topic: [PATCH v7 2/2] flask: implement xsm_set_system_active

Hi Daniel,

> On 11 May 2022, at 12:30 pm, Daniel P. Smith <dpsmith@xxxxxxxxxxxxxxxxxxxx> wrote:
> 
> This commit implements full support for starting the idle domain privileged by
> introducing a new flask label xenboot_t which the idle domain is labeled with
> at creation.  It then provides the implementation for the XSM hook
> xsm_set_system_active to relabel the idle domain to the existing xen_t flask
> label.
> 
> In the reference flask policy a new macro, xen_build_domain(target), is
> introduced for creating policies for dom0less/hyperlaunch allowing the
> hypervisor to create and assign the necessary resources for domain
> construction.
> 
> Signed-off-by: Daniel P. Smith <dpsmith@xxxxxxxxxxxxxxxxxxxx>
> Reviewed-by: Jason Andryuk <jandryuk@xxxxxxxxx>
> Reviewed-by: Luca Fancellu <luca.fancellu@xxxxxxx>
> Tested-by: Luca Fancellu <luca.fancellu@xxxxxxx>

Reviewed-by: Rahul Singh <rahul.singh@xxxxxxx>
Tested-by: Rahul Singh <rahul.singh@xxxxxxx>

Regards,
Rahul
> ---
> tools/flask/policy/modules/xen.if      | 6 ++++++
> tools/flask/policy/modules/xen.te      | 1 +
> tools/flask/policy/policy/initial_sids | 1 +
> xen/xsm/flask/hooks.c                  | 9 ++++++++-
> xen/xsm/flask/policy/initial_sids      | 1 +
> 5 files changed, 17 insertions(+), 1 deletion(-)
> 
> diff --git a/tools/flask/policy/modules/xen.if 
> b/tools/flask/policy/modules/xen.if
> index 5e2aa472b6..4ec676fff1 100644
> --- a/tools/flask/policy/modules/xen.if
> +++ b/tools/flask/policy/modules/xen.if
> @@ -62,6 +62,12 @@ define(`create_domain_common', `
>                       setparam altp2mhvm altp2mhvm_op dm };
> ')
> 
> +# xen_build_domain(target)
> +#   Allow a domain to be created at boot by the hypervisor
> +define(`xen_build_domain', `
> +     allow xenboot_t $1_channel:event create;
> +')
> +
> # create_domain(priv, target)
> #   Allow a domain to be created directly
> define(`create_domain', `
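
Review bot: the header comment on `xen_build_domain` says it allows a domain to be created at boot by the hypervisor, but the only rule in the body is `allow xenboot_t $1_channel:event create;`, and none of the hunks in this patch invoke the macro. Suggest rewording the comment to say it grants xenboot_t event-channel creation on the target's channel type, and noting which policy module is expected to call it for each boot-built domain, so a reader does not assume the macro covers every resource that domain construction needs.
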
> diff --git a/tools/flask/policy/modules/xen.te 
> b/tools/flask/policy/modules/xen.te
> index 3dbf93d2b8..de98206fdd 100644
> --- a/tools/flask/policy/modules/xen.te
> +++ b/tools/flask/policy/modules/xen.te
> @@ -24,6 +24,7 @@ attribute mls_priv;
> ################################################################################
> 
> # The hypervisor itself
> +type xenboot_t, xen_type, mls_priv;
> type xen_t, xen_type, mls_priv;
> 
> # Domain 0
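
Review bot: `type xenboot_t, xen_type, mls_priv;` sits under the existing `# The hypervisor itself` comment with nothing to say how it differs from `xen_t`. A one-line comment stating that xenboot_t is the idle domain's label until xsm_set_system_active relabels it to xen_t would help policy authors. Since xenboot_t is declared with the same `xen_type` and `mls_priv` attributes as xen_t, any rule written against those attributes now also applies to the boot-time label, which is worth calling out in the commit message.
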
> diff --git a/tools/flask/policy/policy/initial_sids 
> b/tools/flask/policy/policy/initial_sids
> index 6b7b7eff21..ec729d3ba3 100644
> --- a/tools/flask/policy/policy/initial_sids
> +++ b/tools/flask/policy/policy/initial_sids
> @@ -2,6 +2,7 @@
> # objects created before the policy is loaded or for objects that do not have 
> a
> # label defined in some other manner.
> 
> +sid xenboot gen_context(system_u:system_r:xenboot_t,s0)
> sid xen gen_context(system_u:system_r:xen_t,s0)
> sid dom0 gen_context(system_u:system_r:dom0_t,s0)
> sid domxen gen_context(system_u:system_r:domxen_t,s0)
> diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
> index 54745e6c6a..80b36cc2d8 100644
> --- a/xen/xsm/flask/hooks.c
> +++ b/xen/xsm/flask/hooks.c
> @@ -168,7 +168,7 @@ static int cf_check flask_domain_alloc_security(struct 
> domain *d)
>     switch ( d->domain_id )
>     {
>     case DOMID_IDLE:
> -        dsec->sid = SECINITSID_XEN;
> +        dsec->sid = SECINITSID_XENBOOT;
>         break;
>     case DOMID_XEN:
>         dsec->sid = SECINITSID_DOMXEN;
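
Review bot: in the `DOMID_IDLE` case only `dsec->sid` is visibly set to `SECINITSID_XENBOOT`, while the asserts added to flask_set_system_active later in this patch also require `dsec->self_sid == SECINITSID_XENBOOT`. No assignment to self_sid appears in this hunk, so please confirm it is derived from sid after the switch. A short comment on this case saying the label is temporary and is replaced with SECINITSID_XEN in flask_set_system_active would also help.
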
> @@ -188,9 +188,14 @@ static int cf_check flask_domain_alloc_security(struct 
> domain *d)
> 
> static int cf_check flask_set_system_active(void)
> {
> +    struct domain_security_struct *dsec;
>     struct domain *d = current->domain;
> 
> +    dsec = d->ssid;
> +
>     ASSERT(d->is_privileged);
> +    ASSERT(dsec->sid == SECINITSID_XENBOOT);
> +    ASSERT(dsec->self_sid == SECINITSID_XENBOOT);
> 
>     if ( d->domain_id != DOMID_IDLE )
>     {
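
Review bot: the two label checks, `ASSERT(dsec->sid == SECINITSID_XENBOOT);` and `ASSERT(dsec->self_sid == SECINITSID_XENBOOT);`, are debug-only, so a build with assertions compiled out would relabel to xen_t whatever the starting label was. They also run before the `if ( d->domain_id != DOMID_IDLE )` test, which is a runtime check. Consider moving the label test after the DOMID_IDLE check and making it a runtime check with an error return in the same style, so an unexpected starting label is refused in release builds too.
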
> @@ -205,6 +210,8 @@ static int cf_check flask_set_system_active(void)
>      */
>     d->is_privileged = false;
> 
> +    dsec->self_sid = dsec->sid = SECINITSID_XEN;
> +
>     return 0;
> }
> 
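
Review bot: the relabel `dsec->self_sid = dsec->sid = SECINITSID_XEN;` has no comment of its own and uses a chained assignment that is easy to skim past. Suggest two separate assignments, or a comment directly above the line stating that this is the one-way transition of the idle domain from xenboot_t to xen_t and that the boot-only permissions granted to xenboot_t (for example via xen_build_domain) stop applying from this point.
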
> diff --git a/xen/xsm/flask/policy/initial_sids 
> b/xen/xsm/flask/policy/initial_sids
> index 7eca70d339..e8b55b8368 100644
> --- a/xen/xsm/flask/policy/initial_sids
> +++ b/xen/xsm/flask/policy/initial_sids
> @@ -3,6 +3,7 @@
> #
> # Define initial security identifiers 
> #
> +sid xenboot
> sid xen
> sid dom0
> sid domio
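
Review bot: `sid xenboot` is inserted at the head of the list, ahead of `sid xen`, rather than appended. If the SECINITSID_* values are derived from position in this file, this renumbers every existing initial SID, and a policy binary built against the old list would no longer line up with the hypervisor. The commit message should say whether a policy rebuild is required after this change, or the new entry could be added at the end of the list instead.
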
> -- 
> 2.20.1
> 
> 




 

