Re: [PATCH v11] xsm: refactor flask sid alloc and domain check
On 8/3/22 11:26, Jan Beulich wrote: > On 03.08.2022 17:17, Daniel P. Smith wrote: >> Changes in v11: >> - put back dom0_created variable in flask_domain_create() to ensure the >> enforcement that dom0_t is a singleton label > > Stale patch or bad rev log? Nope, having a bad day. Staged the change but didn't amend commit it before my usual sequence of test and cut patch. My apologies. >> @@ -548,22 +556,19 @@ static int cf_check flask_domain_create(struct domain >> *d, uint32_t ssidref) >> { >> int rc; >> struct domain_security_struct *dsec = d->ssid; >> - static int dom0_created = 0; > > The variable is going away here, and it is not re-appearing elsewhere. > > Jan > >> - if ( is_idle_domain(current->domain) && !dom0_created ) >> - { >> - dsec->sid = SECINITSID_DOM0; >> - dom0_created = 1; >> - } >> - else >> - { >> - rc = avc_current_has_perm(ssidref, SECCLASS_DOMAIN, >> - DOMAIN__CREATE, NULL); >> - if ( rc ) >> - return rc; >> + /* >> + * If the null label is passed, then use the label from security context >> + * allocation. >> + */ >> + if ( ssidref == 0 ) >> + ssidref = dsec->sid; >> >> - dsec->sid = ssidref; >> - } >> + rc = avc_current_has_perm(ssidref, SECCLASS_DOMAIN, DOMAIN__CREATE, >> NULL); >> + if ( rc ) >> + return rc; >> + >> + dsec->sid = ssidref; >> dsec->self_sid = dsec->sid; >> >> rc = security_transition_sid(dsec->sid, dsec->sid, SECCLASS_DOMAIN, >
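Review bot: In flask_domain_create(), dropping `static int dom0_created` together with the `is_idle_domain(current->domain) && !dom0_created` branch leaves nothing in this hunk that limits SECINITSID_DOM0 to a single domain, which does not match the v11 changelog entry saying the variable was put back. If the singleton is meant to be enforced in this function, keep the static flag and refuse a second domain whose resolved ssidref is SECINITSID_DOM0. Separately, with `if ( ssidref == 0 ) ssidref = dsec->sid;` every creation, including the one previously special-cased for the idle domain, now goes through avc_current_has_perm(), and a denial returns rc and fails the creation; the new comment should say which label dsec->sid holds at that point and that this check now also applies to that first domain.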