diff mbox series

[v5,2/2] flask: implement xsm_set_system_active

Message ID 20220502133027.920-3-dpsmith@apertussolutions.com (mailing list archive)
State Superseded
Headers show
Series Adds starting the idle domain privileged | expand

Commit Message

Daniel P. Smith May 2, 2022, 1:30 p.m. UTC 
This commit implements full support for starting the idle domain privileged by
introducing a new flask label xenboot_t which the idle domain is labeled with
at creation.  It then provides the implementation for the XSM hook
xsm_set_system_active to relabel the idle domain to the existing xen_t flask
label.

In the reference flask policy a new macro, xen_build_domain(target), is
introduced for creating policies for dom0less/hyperlaunch allowing the
hypervisor to create and assign the necessary resources for domain
construction.

Signed-off-by: Daniel P. Smith <dpsmith@apertussolutions.com>
Reviewed-by: Jason Andryuk <jandryuk@gmail.com>
---
 tools/flask/policy/modules/xen.if      | 6 ++++++
 tools/flask/policy/modules/xen.te      | 1 +
 tools/flask/policy/policy/initial_sids | 1 +
 xen/xsm/flask/hooks.c                  | 8 +++++++-
 xen/xsm/flask/policy/initial_sids      | 1 +
 5 files changed, 16 insertions(+), 1 deletion(-)

Comments

Jason Andryuk May 2, 2022, 1:55 p.m. UTC | #1 
On Mon, May 2, 2022 at 9:31 AM Daniel P. Smith
<dpsmith@apertussolutions.com> wrote:

> @@ -188,14 +188,20 @@ static int cf_check flask_domain_alloc_security(struct domain *d)
>
>  static int cf_check flask_set_system_active(void)
>  {
> +    struct domain_security_struct *dsec;
>      struct domain *d = current->domain;
>
> +    dsec = d->ssid;
> +    ASSERT(dsec->sid == SECINITSID_XENBOOT);
> +
>      if ( d->domain_id != DOMID_IDLE )
>      {
>          printk("xsm_set_system_active should only be called by idle domain\n");
>          return -EPERM;
>      }
>
> +    dsec->self_sid = dsec->sid = SECINITSID_XEN;

I think you want to re-add setting is_privileged to false.  I think
from the other thread Roger just thought it should also have the
matching assert.  It doesn't matter for flask decisions, but it
changes the return of is_control_domain.  It seems to me it would be
better to have idle domains consistent between flask and non-flask
instead of having a potentially subtle difference.

Regards,
Jason
Jan Beulich May 2, 2022, 2:16 p.m. UTC | #2 
On 02.05.2022 15:30, Daniel P. Smith wrote:
> @@ -188,14 +188,20 @@ static int cf_check flask_domain_alloc_security(struct domain *d)
>  
>  static int cf_check flask_set_system_active(void)
>  {
> +    struct domain_security_struct *dsec;
>      struct domain *d = current->domain;
>  
> +    dsec = d->ssid;
> +    ASSERT(dsec->sid == SECINITSID_XENBOOT);

What about ->self_sid, which ...

> +
>      if ( d->domain_id != DOMID_IDLE )
>      {
>          printk("xsm_set_system_active should only be called by idle domain\n");
>          return -EPERM;
>      }
>  
> +    dsec->self_sid = dsec->sid = SECINITSID_XEN;

... you also overwrite here?

Jan
diff mbox series

Patch

diff --git a/tools/flask/policy/modules/xen.if b/tools/flask/policy/modules/xen.if
index 5e2aa472b6..4ec676fff1 100644
--- a/tools/flask/policy/modules/xen.if
+++ b/tools/flask/policy/modules/xen.if
@@ -62,6 +62,12 @@  define(`create_domain_common', `
 			setparam altp2mhvm altp2mhvm_op dm };
 ')
 
+# xen_build_domain(target)
+#   Allow a domain to be created at boot by the hypervisor
+define(`xen_build_domain', `
+	allow xenboot_t $1_channel:event create;
+')
+
 # create_domain(priv, target)
 #   Allow a domain to be created directly
 define(`create_domain', `
diff --git a/tools/flask/policy/modules/xen.te b/tools/flask/policy/modules/xen.te
index 3dbf93d2b8..de98206fdd 100644
--- a/tools/flask/policy/modules/xen.te
+++ b/tools/flask/policy/modules/xen.te
@@ -24,6 +24,7 @@  attribute mls_priv;
 ################################################################################
 
 # The hypervisor itself
+type xenboot_t, xen_type, mls_priv;
 type xen_t, xen_type, mls_priv;
 
 # Domain 0
diff --git a/tools/flask/policy/policy/initial_sids b/tools/flask/policy/policy/initial_sids
index 6b7b7eff21..ec729d3ba3 100644
--- a/tools/flask/policy/policy/initial_sids
+++ b/tools/flask/policy/policy/initial_sids
@@ -2,6 +2,7 @@ 
 # objects created before the policy is loaded or for objects that do not have a
 # label defined in some other manner.
 
+sid xenboot gen_context(system_u:system_r:xenboot_t,s0)
 sid xen gen_context(system_u:system_r:xen_t,s0)
 sid dom0 gen_context(system_u:system_r:dom0_t,s0)
 sid domxen gen_context(system_u:system_r:domxen_t,s0)
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index 0bd4e8a4bd..3e5d084276 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -168,7 +168,7 @@  static int cf_check flask_domain_alloc_security(struct domain *d)
     switch ( d->domain_id )
     {
     case DOMID_IDLE:
-        dsec->sid = SECINITSID_XEN;
+        dsec->sid = SECINITSID_XENBOOT;
         break;
     case DOMID_XEN:
         dsec->sid = SECINITSID_DOMXEN;
@@ -188,14 +188,20 @@  static int cf_check flask_domain_alloc_security(struct domain *d)
 
 static int cf_check flask_set_system_active(void)
 {
+    struct domain_security_struct *dsec;
     struct domain *d = current->domain;
 
+    dsec = d->ssid;
+    ASSERT(dsec->sid == SECINITSID_XENBOOT);
+
     if ( d->domain_id != DOMID_IDLE )
     {
         printk("xsm_set_system_active should only be called by idle domain\n");
         return -EPERM;
     }
 
+    dsec->self_sid = dsec->sid = SECINITSID_XEN;
+
     return 0;
 }
 
diff --git a/xen/xsm/flask/policy/initial_sids b/xen/xsm/flask/policy/initial_sids
index 7eca70d339..e8b55b8368 100644
--- a/xen/xsm/flask/policy/initial_sids
+++ b/xen/xsm/flask/policy/initial_sids
@@ -3,6 +3,7 @@ 
 #
 # Define initial security identifiers 
 #
+sid xenboot
 sid xen
 sid dom0
 sid domio