| Message ID | 20220511113035.27070-3-dpsmith@apertussolutions.com (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | Adds starting the idle domain privileged | expand |
Hi Daniel, > On 11 May 2022, at 12:30 pm, Daniel P. Smith <dpsmith@apertussolutions.com> wrote: > > This commit implements full support for starting the idle domain privileged by > introducing a new flask label xenboot_t which the idle domain is labeled with > at creation. It then provides the implementation for the XSM hook > xsm_set_system_active to relabel the idle domain to the existing xen_t flask > label. > > In the reference flask policy a new macro, xen_build_domain(target), is > introduced for creating policies for dom0less/hyperlaunch allowing the > hypervisor to create and assign the necessary resources for domain > construction. > > Signed-off-by: Daniel P. Smith <dpsmith@apertussolutions.com> > Reviewed-by: Jason Andryuk <jandryuk@gmail.com> > Reviewed-by: Luca Fancellu <luca.fancellu@arm.com> > Tested-by: Luca Fancellu <luca.fancellu@arm.com> Reviewed-by: Rahul Singh <rahul.singh@arm.com> Tested-by: Rahul Singh <rahul.singh@arm.com> Regards, Rahul > --- > tools/flask/policy/modules/xen.if | 6 ++++++ > tools/flask/policy/modules/xen.te | 1 + > tools/flask/policy/policy/initial_sids | 1 + > xen/xsm/flask/hooks.c | 9 ++++++++- > xen/xsm/flask/policy/initial_sids | 1 + > 5 files changed, 17 insertions(+), 1 deletion(-) > > diff --git a/tools/flask/policy/modules/xen.if b/tools/flask/policy/modules/xen.if > index 5e2aa472b6..4ec676fff1 100644 > --- a/tools/flask/policy/modules/xen.if > +++ b/tools/flask/policy/modules/xen.if > @@ -62,6 +62,12 @@ define(`create_domain_common', ` > setparam altp2mhvm altp2mhvm_op dm }; > ') > > +# xen_build_domain(target) > +# Allow a domain to be created at boot by the hypervisor > +define(`xen_build_domain', ` > + allow xenboot_t $1_channel:event create; > +') > + > # create_domain(priv, target) > # Allow a domain to be created directly > define(`create_domain', ` > diff --git a/tools/flask/policy/modules/xen.te b/tools/flask/policy/modules/xen.te > index 3dbf93d2b8..de98206fdd 100644 > --- a/tools/flask/policy/modules/xen.te > +++ b/tools/flask/policy/modules/xen.te > @@ -24,6 +24,7 @@ attribute mls_priv; > ################################################################################ > > # The hypervisor itself > +type xenboot_t, xen_type, mls_priv; > type xen_t, xen_type, mls_priv; > > # Domain 0 > diff --git a/tools/flask/policy/policy/initial_sids b/tools/flask/policy/policy/initial_sids > index 6b7b7eff21..ec729d3ba3 100644 > --- a/tools/flask/policy/policy/initial_sids > +++ b/tools/flask/policy/policy/initial_sids > @@ -2,6 +2,7 @@ > # objects created before the policy is loaded or for objects that do not have a > # label defined in some other manner. > > +sid xenboot gen_context(system_u:system_r:xenboot_t,s0) > sid xen gen_context(system_u:system_r:xen_t,s0) > sid dom0 gen_context(system_u:system_r:dom0_t,s0) > sid domxen gen_context(system_u:system_r:domxen_t,s0) > diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c > index 54745e6c6a..80b36cc2d8 100644 > --- a/xen/xsm/flask/hooks.c > +++ b/xen/xsm/flask/hooks.c > @@ -168,7 +168,7 @@ static int cf_check flask_domain_alloc_security(struct domain *d) > switch ( d->domain_id ) > { > case DOMID_IDLE: > - dsec->sid = SECINITSID_XEN; > + dsec->sid = SECINITSID_XENBOOT; > break; > case DOMID_XEN: > dsec->sid = SECINITSID_DOMXEN; > @@ -188,9 +188,14 @@ static int cf_check flask_domain_alloc_security(struct domain *d) > > static int cf_check flask_set_system_active(void) > { > + struct domain_security_struct *dsec; > struct domain *d = current->domain; > > + dsec = d->ssid; > + > ASSERT(d->is_privileged); > + ASSERT(dsec->sid == SECINITSID_XENBOOT); > + ASSERT(dsec->self_sid == SECINITSID_XENBOOT); > > if ( d->domain_id != DOMID_IDLE ) > { > @@ -205,6 +210,8 @@ static int cf_check flask_set_system_active(void) > */ > d->is_privileged = false; > > + dsec->self_sid = dsec->sid = SECINITSID_XEN; > + > return 0; > } > > diff --git a/xen/xsm/flask/policy/initial_sids b/xen/xsm/flask/policy/initial_sids > index 7eca70d339..e8b55b8368 100644 > --- a/xen/xsm/flask/policy/initial_sids > +++ b/xen/xsm/flask/policy/initial_sids > @@ -3,6 +3,7 @@ > # > # Define initial security identifiers > # > +sid xenboot > sid xen > sid dom0 > sid domio > -- > 2.20.1 > >
diff --git a/tools/flask/policy/modules/xen.if b/tools/flask/policy/modules/xen.if index 5e2aa472b6..4ec676fff1 100644 --- a/tools/flask/policy/modules/xen.if +++ b/tools/flask/policy/modules/xen.if @@ -62,6 +62,12 @@ define(`create_domain_common', ` setparam altp2mhvm altp2mhvm_op dm }; ') +# xen_build_domain(target) +# Allow a domain to be created at boot by the hypervisor +define(`xen_build_domain', ` + allow xenboot_t $1_channel:event create; +') + # create_domain(priv, target) # Allow a domain to be created directly define(`create_domain', ` diff --git a/tools/flask/policy/modules/xen.te b/tools/flask/policy/modules/xen.te index 3dbf93d2b8..de98206fdd 100644 --- a/tools/flask/policy/modules/xen.te +++ b/tools/flask/policy/modules/xen.te @@ -24,6 +24,7 @@ attribute mls_priv; ################################################################################ # The hypervisor itself +type xenboot_t, xen_type, mls_priv; type xen_t, xen_type, mls_priv; # Domain 0 diff --git a/tools/flask/policy/policy/initial_sids b/tools/flask/policy/policy/initial_sids index 6b7b7eff21..ec729d3ba3 100644 --- a/tools/flask/policy/policy/initial_sids +++ b/tools/flask/policy/policy/initial_sids @@ -2,6 +2,7 @@ # objects created before the policy is loaded or for objects that do not have a # label defined in some other manner. +sid xenboot gen_context(system_u:system_r:xenboot_t,s0) sid xen gen_context(system_u:system_r:xen_t,s0) sid dom0 gen_context(system_u:system_r:dom0_t,s0) sid domxen gen_context(system_u:system_r:domxen_t,s0) diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 54745e6c6a..80b36cc2d8 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -168,7 +168,7 @@ static int cf_check flask_domain_alloc_security(struct domain *d) switch ( d->domain_id ) { case DOMID_IDLE: - dsec->sid = SECINITSID_XEN; + dsec->sid = SECINITSID_XENBOOT; break; case DOMID_XEN: dsec->sid = SECINITSID_DOMXEN; @@ -188,9 +188,14 @@ static int cf_check flask_domain_alloc_security(struct domain *d) static int cf_check flask_set_system_active(void) { + struct domain_security_struct *dsec; struct domain *d = current->domain; + dsec = d->ssid; + ASSERT(d->is_privileged); + ASSERT(dsec->sid == SECINITSID_XENBOOT); + ASSERT(dsec->self_sid == SECINITSID_XENBOOT); if ( d->domain_id != DOMID_IDLE ) { @@ -205,6 +210,8 @@ static int cf_check flask_set_system_active(void) */ d->is_privileged = false; + dsec->self_sid = dsec->sid = SECINITSID_XEN; + return 0; } diff --git a/xen/xsm/flask/policy/initial_sids b/xen/xsm/flask/policy/initial_sids index 7eca70d339..e8b55b8368 100644 --- a/xen/xsm/flask/policy/initial_sids +++ b/xen/xsm/flask/policy/initial_sids @@ -3,6 +3,7 @@ # # Define initial security identifiers # +sid xenboot sid xen sid dom0 sid domio