[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v8 2/2] flask: implement xsm_set_system_active

  • To: xen-devel@xxxxxxxxxxxxxxxxxxxx
  • From: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>
  • Date: Thu, 2 Jun 2022 16:32:30 -0400
  • Arc-authentication-results: i=1; mx.zohomail.com; dkim=pass header.i=apertussolutions.com; spf=pass smtp.mailfrom=dpsmith@xxxxxxxxxxxxxxxxxxxx; dmarc=pass header.from=<dpsmith@xxxxxxxxxxxxxxxxxxxx>
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1654202044; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:To; bh=jmSMCc7An9p2x9gZRj95kKJbQaxi7b3qBXJ2yh2fLb4=; b=SZIdSomcZ8qoWC3N05KhHFUKgtZ1YWn9zki7C0n00KJe5SEKh6YU5prwA9fWJuV5F+niZGtAS0XffytG16w8PJQSxVbTj2N1vdBpI/z3ilgaE+M9/eYy+vtJ1f2551QtcDC1rZg/ARgnYsKHnK2UdTq8hogOcbOFxRIwBuWeXAY=
  • Arc-seal: i=1; a=rsa-sha256; t=1654202044; cv=none; d=zohomail.com; s=zohoarc; b=jI7oPNrdL9B7UXMz4sP5T3Td9d/l7FTXZagqhEHve1BSXm8wyVJAXn1Uh/OAt/dd2rO8XK+LAxDaBM41cFJMI6aQeTxLL3fZR+qS2sVzftN+UGu6teqThbI+ob4bu/kKrAxjWLSddEdIB8KCmIkMfc+K8V1eouvKWITWtpZlcEo=
  • Cc: scott.davis@xxxxxxxxxx, christopher.clark@xxxxxxxxxx, jandryuk@xxxxxxxxx, Luca Fancellu <luca.fancellu@xxxxxxx>, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>
  • Delivery-date: Thu, 02 Jun 2022 20:34:29 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 5/31/22 10:56, Daniel P. Smith wrote:
> This commit implements full support for starting the idle domain privileged by
> introducing a new flask label xenboot_t which the idle domain is labeled with
> at creation.  It then provides the implementation for the XSM hook
> xsm_set_system_active to relabel the idle domain to the existing xen_t flask
> label.
> 
> In the reference flask policy a new macro, xen_build_domain(target), is
> introduced for creating policies for dom0less/hyperlaunch allowing the
> hypervisor to create and assign the necessary resources for domain
> construction.
> 
> Signed-off-by: Daniel P. Smith <dpsmith@xxxxxxxxxxxxxxxxxxxx>
> Reviewed-by: Jason Andryuk <jandryuk@xxxxxxxxx>
> Reviewed-by: Luca Fancellu <luca.fancellu@xxxxxxx>
> Tested-by: Luca Fancellu <luca.fancellu@xxxxxxx>

I am still debugging, but I now have a dom0 crashing due to an AVC that
is being tripped with this patch applied to the tip of staging. I just
wanted to give a heads-up, and I will follow back up once I can
determine the root cause.

v/r,
dps

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.