
Re: [RFC PATCH] flask: Remove magic SID setting



On Thu, Jul 7, 2022 at 6:14 AM Daniel P. Smith
<dpsmith@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> On 7/6/22 15:13, Jason Andryuk wrote:
> > flask_domain_alloc_security and flask_domain_create have special code to
> > magically label dom0 as dom0_t.  This can all be streamlined by making
> > create_dom0 set ssidref before creating dom0.
>
> Hmm, I wouldn't call it magical, it is the initialization policy for a
> domain labeling, which is specific to each policy module. I considered
> this approach already and my concern here is twofold. First, it now
> hard-codes the concept of dom0 vs domU into the XSM API. There is an
> ever-growing desire by solution providers to not have a dom0 and at most
> have a hardware domain if at all and this is a step backwards from that
> movement. Second, and related, is that this now pushes the initial label
> policy up into the domain builder code away from the policy module and
> spreads it out. Hopefully Xen will evolve to have a richer set of
> initial domains and an appropriate initial label policy will be needed
> for this case. This approach will result in having to continually expand
> the XSM API for each new initial domain type.

Yeah, adding dom0 vs. domU into the XSM API isn't nice.  My original
idea was just for dom0, but I added the domU hook after you basically
said in your other email that dom0less had to work.  There should not
be any more of these since they are just to provide backwards
compatibility.

A dom0/domU flask policy is not interesting for dom0less/hyperlaunch.
So I don't see why xen/flask needs support for determining sids for
domains.  If you have dom0less/hyperlaunch + flask, every domain
should have a ssidref defined in its config when building.  If you
require ssidrefs for dom0less/hyperlaunch + flask, then there is less
initial label policy.  An unspecified ssidref defaulting to
unlabeled_t is fine.

I saw your other patch as adding more "initial label policy" since it
adds more special cases.  I see requiring an explicit ssidref or
getting unlabeled_t as a feature.  Automatic labeling seems like a
misfeature to me.

Regards,
Jason



 

