* [PATCH v3 0/6] Assign a default SSID to guests
@ 2015-05-20 14:30 Ian Campbell
2015-05-20 14:38 ` [PATCH v3 1/6] tools: Add AWK to set of tools checked for by configure Ian Campbell
` (7 more replies)
0 siblings, 8 replies; 16+ messages in thread
From: Ian Campbell @ 2015-05-20 14:30 UTC (permalink / raw)
To: xen-devel; +Cc: ian.jackson, Daniel De Graaf, wei.liu2, Ian Campbell
Compared with v3 this uses Daniel's more comprehensive policy patch and
adds a default ssidref for stubdoms too.
Tested with and without XSM enabled for normal guests and HVM guests
with qemu in dom0. Stubdoms appeared to be broken in the base case, so I
haven't tested that really.
Ian.
^ permalink raw reply [flat|nested] 16+ messages in thread
* [PATCH v3 1/6] tools: Add AWK to set of tools checked for by configure
2015-05-20 14:30 [PATCH v3 0/6] Assign a default SSID to guests Ian Campbell
@ 2015-05-20 14:38 ` Ian Campbell
2015-05-20 14:38 ` [PATCH v3 2/6] xen: flask: Pass output directory as a parameter to mkflask.sh Ian Campbell
` (6 subsequent siblings)
7 siblings, 0 replies; 16+ messages in thread
From: Ian Campbell @ 2015-05-20 14:38 UTC (permalink / raw)
To: xen-devel; +Cc: ian.jackson, Daniel De Graaf, wei.liu2, Ian Campbell
We are going to need this to generate the userspace flask.h header.
Please rerun autogen.sh when committing.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
---
config/Tools.mk.in | 1 +
tools/configure.ac | 2 ++
2 files changed, 3 insertions(+)
diff --git a/config/Tools.mk.in b/config/Tools.mk.in
index e7da99d..d67352e 100644
--- a/config/Tools.mk.in
+++ b/config/Tools.mk.in
@@ -23,6 +23,7 @@ AS86 := @AS86@
LD86 := @LD86@
BCC := @BCC@
IASL := @IASL@
+AWK := @AWK@
FETCHER := @FETCHER@
SEABIOS_PATH := @seabios_path@
OVMF_PATH := @ovmf_path@
diff --git a/tools/configure.ac b/tools/configure.ac
index d31c2f3..c975dfc 100644
--- a/tools/configure.ac
+++ b/tools/configure.ac
@@ -247,6 +247,7 @@ AC_ARG_VAR([AS86], [Path to as86 tool])
AC_ARG_VAR([LD86], [Path to ld86 tool])
AC_ARG_VAR([BCC], [Path to bcc tool])
AC_ARG_VAR([IASL], [Path to iasl tool])
+AC_ARG_VAR([AWK], [Path to awk tool])
# Checks for programs.
AC_PROG_CC
@@ -255,6 +256,7 @@ AC_PROG_INSTALL
AC_PATH_PROG([BISON], [bison])
AC_PATH_PROG([FLEX], [flex])
AX_PATH_PROG_OR_FAIL([PERL], [perl])
+AX_PATH_PROG_OR_FAIL([AWK], [awk])
AC_PROG_OCAML
AC_PROG_FINDLIB
--
1.7.10.4
^ permalink raw reply related [flat|nested] 16+ messages in thread
* [PATCH v3 2/6] xen: flask: Pass output directory as a parameter to mkflask.sh
2015-05-20 14:30 [PATCH v3 0/6] Assign a default SSID to guests Ian Campbell
2015-05-20 14:38 ` [PATCH v3 1/6] tools: Add AWK to set of tools checked for by configure Ian Campbell
@ 2015-05-20 14:38 ` Ian Campbell
2015-05-20 14:44 ` Daniel De Graaf
2015-05-20 14:38 ` [PATCH v3 3/6] xen: flask: Restrict generated header to xen + tools Ian Campbell
` (5 subsequent siblings)
7 siblings, 1 reply; 16+ messages in thread
From: Ian Campbell @ 2015-05-20 14:38 UTC (permalink / raw)
To: xen-devel; +Cc: ian.jackson, Daniel De Graaf, wei.liu2, Ian Campbell
When called from the tools side in a later patch we will want to
direct its output to the appropriate place.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
---
xen/xsm/flask/Makefile | 2 +-
xen/xsm/flask/policy/mkflask.sh | 9 ++++++---
2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/xen/xsm/flask/Makefile b/xen/xsm/flask/Makefile
index 1256512..12fc3a9 100644
--- a/xen/xsm/flask/Makefile
+++ b/xen/xsm/flask/Makefile
@@ -22,7 +22,7 @@ ALL_H_FILES = $(FLASK_H_FILES) $(AV_H_FILES)
$(obj-y) ss/built_in.o: $(ALL_H_FILES)
$(FLASK_H_FILES): $(FLASK_H_DEPEND)
- $(CONFIG_SHELL) policy/mkflask.sh $(AWK) $(FLASK_H_DEPEND)
+ $(CONFIG_SHELL) policy/mkflask.sh $(AWK) include $(FLASK_H_DEPEND)
$(AV_H_FILES): $(AV_H_DEPEND)
$(CONFIG_SHELL) policy/mkaccess_vector.sh $(AWK) $(AV_H_DEPEND)
diff --git a/xen/xsm/flask/policy/mkflask.sh b/xen/xsm/flask/policy/mkflask.sh
index e8d8fb5..9e24020 100644
--- a/xen/xsm/flask/policy/mkflask.sh
+++ b/xen/xsm/flask/policy/mkflask.sh
@@ -8,10 +8,13 @@ set -e
awk=$1
shift 1
+output_dir=$1
+shift 1
+
# output file
-output_file="include/flask.h"
-debug_file="include/class_to_string.h"
-debug_file2="include/initial_sid_to_string.h"
+output_file="$output_dir/flask.h"
+debug_file="$output_dir/class_to_string.h"
+debug_file2="$output_dir/initial_sid_to_string.h"
cat $* | $awk "
BEGIN {
--
1.7.10.4
^ permalink raw reply related [flat|nested] 16+ messages in thread
* [PATCH v3 3/6] xen: flask: Restrict generated header to xen + tools
2015-05-20 14:30 [PATCH v3 0/6] Assign a default SSID to guests Ian Campbell
2015-05-20 14:38 ` [PATCH v3 1/6] tools: Add AWK to set of tools checked for by configure Ian Campbell
2015-05-20 14:38 ` [PATCH v3 2/6] xen: flask: Pass output directory as a parameter to mkflask.sh Ian Campbell
@ 2015-05-20 14:38 ` Ian Campbell
2015-05-20 14:45 ` Daniel De Graaf
2015-05-20 14:38 ` [PATCH v3 4/6] tools: Expose XSM Flask initial SIDs list to tools Ian Campbell
` (4 subsequent siblings)
7 siblings, 1 reply; 16+ messages in thread
From: Ian Campbell @ 2015-05-20 14:38 UTC (permalink / raw)
To: xen-devel; +Cc: ian.jackson, Daniel De Graaf, wei.liu2, Ian Campbell
This isn't strictly necessary but since it is going to be exposed via
tools/include in a later patch this will help prevent accidental
leakage beyond the tools.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
---
xen/xsm/flask/policy/mkflask.sh | 2 ++
1 file changed, 2 insertions(+)
diff --git a/xen/xsm/flask/policy/mkflask.sh b/xen/xsm/flask/policy/mkflask.sh
index 9e24020..989a323 100644
--- a/xen/xsm/flask/policy/mkflask.sh
+++ b/xen/xsm/flask/policy/mkflask.sh
@@ -28,6 +28,7 @@ BEGIN {
printf("#ifndef _SELINUX_FLASK_H_\n") > outfile;
printf("#define _SELINUX_FLASK_H_\n") > outfile;
+ printf("\n#if defined(__XEN__) || defined(__XEN_TOOLS__)\n") > outfile;
printf("\n/*\n * Security object class definitions\n */\n") > outfile;
printf("/* This file is automatically generated. Do not edit. */\n") > debugfile;
printf("/*\n * Security object class definitions\n */\n") > debugfile;
@@ -91,6 +92,7 @@ END {
for (i = 0; i < 34; i++)
printf(" ") > outfile;
printf("%d\n", sid_value) > outfile;
+ printf("\n#endif /* __XEN__ || __XEN_TOOLS__ */\n") > outfile;
printf("\n#endif\n") > outfile;
printf("};\n\n") > debugfile2;
}'
--
1.7.10.4
^ permalink raw reply related [flat|nested] 16+ messages in thread
* [PATCH v3 4/6] tools: Expose XSM Flask initial SIDs list to tools
2015-05-20 14:30 [PATCH v3 0/6] Assign a default SSID to guests Ian Campbell
` (2 preceding siblings ...)
2015-05-20 14:38 ` [PATCH v3 3/6] xen: flask: Restrict generated header to xen + tools Ian Campbell
@ 2015-05-20 14:38 ` Ian Campbell
2015-05-20 14:46 ` Daniel De Graaf
2015-05-20 14:38 ` [PATCH v3 5/6] flask/policy: add initial SIDs for domU/domDM Ian Campbell
` (3 subsequent siblings)
7 siblings, 1 reply; 16+ messages in thread
From: Ian Campbell @ 2015-05-20 14:38 UTC (permalink / raw)
To: xen-devel; +Cc: ian.jackson, Daniel De Graaf, wei.liu2, Ian Campbell
By generating tools/include/xen-xsm/flask/flask.h using the same tool
as used during the hypervisor build.
Note that this is done regardless of whether XSM is enabled, since we
want the tools to be agnostic to whether or not XSM is enabled in the
hypervisor
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
---
.gitignore | 1 +
tools/include/Makefile | 16 ++++++++++++++--
2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/.gitignore b/.gitignore
index c6185a0..3bc9cd9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -147,6 +147,7 @@ tools/hotplug/Linux/xen-hotplug-common.sh
tools/hotplug/Linux/xendomains
tools/hotplug/NetBSD/rc.d/xencommons
tools/include/xen/*
+tools/include/xen-xsm/*
tools/include/xen-foreign/*.(c|h|size)
tools/include/xen-foreign/checker
tools/libxl/libxlu_cfg_y.output
diff --git a/tools/include/Makefile b/tools/include/Makefile
index 601f79c..869b3f3 100644
--- a/tools/include/Makefile
+++ b/tools/include/Makefile
@@ -1,8 +1,11 @@
XEN_ROOT = $(CURDIR)/../..
include $(XEN_ROOT)/tools/Rules.mk
+# Relative to $(XEN_ROOT)/xen/xsm/flask
+FLASK_H_DEPEND := policy/initial_sids
+
.PHONY: all
-all: xen-foreign xen/.dir
+all: xen-foreign xen/.dir xen-xsm/.dir
.PHONY: xen-foreign
xen-foreign:
@@ -19,6 +22,15 @@ xen/.dir:
ln -s ../xen-foreign xen/foreign
touch $@
+# Not xen/xsm as that clashes with link to
+# $(XEN_ROOT)/xen/include/public/xsm above.
+xen-xsm/.dir: $(XEN_ROOT)/xen/xsm/flask/policy/mkflask.sh \
+ $(patsubst %,$(XEN_ROOT)/xen/xsm/flask/%,$(FLASK_H_DEPEND))
+ mkdir -p xen-xsm/flask
+ cd $(XEN_ROOT)/xen/xsm/flask/ && \
+ $(SHELL) policy/mkflask.sh $(AWK) $(CURDIR)/xen-xsm/flask $(FLASK_H_DEPEND)
+ touch $@
+
.PHONY: install
install: all
$(INSTALL_DIR) $(DESTDIR)$(INCLUDEDIR)/xen/arch-x86
@@ -47,7 +59,7 @@ install: all
.PHONY: clean
clean:
- rm -rf xen
+ rm -rf xen xen-xsm
$(MAKE) -C xen-foreign clean
--
1.7.10.4
^ permalink raw reply related [flat|nested] 16+ messages in thread
* [PATCH v3 5/6] flask/policy: add initial SIDs for domU/domDM
2015-05-20 14:30 [PATCH v3 0/6] Assign a default SSID to guests Ian Campbell
` (3 preceding siblings ...)
2015-05-20 14:38 ` [PATCH v3 4/6] tools: Expose XSM Flask initial SIDs list to tools Ian Campbell
@ 2015-05-20 14:38 ` Ian Campbell
2015-05-20 14:39 ` [PATCH v3 6/6] libxl: assign a default ssidref (XSM label) to guests Ian Campbell
` (2 subsequent siblings)
7 siblings, 0 replies; 16+ messages in thread
From: Ian Campbell @ 2015-05-20 14:38 UTC (permalink / raw)
To: xen-devel; +Cc: ian.jackson, Daniel De Graaf, wei.liu2
From: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Add default security contexts to the XSM policy for use by the toolstack
when a domain is created without specifying an explicit security label.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
---
v3: New more comprehensive patch from Daniel
---
docs/misc/xsm-flask.txt | 6 +++---
tools/flask/policy/policy/initial_sids | 4 ++++
tools/flask/policy/policy/modules/xen/xen.te | 11 +++--------
xen/xsm/flask/policy/initial_sids | 2 ++
4 files changed, 12 insertions(+), 11 deletions(-)
diff --git a/docs/misc/xsm-flask.txt b/docs/misc/xsm-flask.txt
index d63a8a7..7249f40 100644
--- a/docs/misc/xsm-flask.txt
+++ b/docs/misc/xsm-flask.txt
@@ -213,9 +213,9 @@ that can be used without dom0 disaggregation. The main types for domUs are:
- nomigrate_t is a domain that must be created via the nomigrate_t_building
type, and whose memory cannot be read by dom0 once created
-HVM domains with stubdomain device models use two types (one per domain):
- - domHVM_t is an HVM domain that uses a stubdomain device model
- - dm_dom_t is the device model for a domain with type domHVM_t
+HVM domains with stubdomain device models also need a type for the stub domain.
+The example policy defines dm_dom_t for the device model of a domU_t domain;
+there are no device model types defined for the other domU types.
One disadvantage of using type enforcement to enforce isolation is that a new
type is needed for each group of domains. The user field can be used to address
diff --git a/tools/flask/policy/policy/initial_sids b/tools/flask/policy/policy/initial_sids
index 5de0bbf..6b7b7ef 100644
--- a/tools/flask/policy/policy/initial_sids
+++ b/tools/flask/policy/policy/initial_sids
@@ -12,3 +12,7 @@ sid irq gen_context(system_u:object_r:irq_t,s0)
sid iomem gen_context(system_u:object_r:iomem_t,s0)
sid ioport gen_context(system_u:object_r:ioport_t,s0)
sid device gen_context(system_u:object_r:device_t,s0)
+
+# Initial SIDs used by the toolstack for domains without defined labels
+sid domU gen_context(system_u:system_r:domU_t,s0)
+sid domDM gen_context(system_u:system_r:dm_dom_t,s0)
diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
index e555d11..ce70639 100644
--- a/tools/flask/policy/policy/modules/xen/xen.te
+++ b/tools/flask/policy/policy/modules/xen/xen.te
@@ -151,18 +151,13 @@ domain_comms(domU_t, prot_domU_t)
domain_comms(prot_domU_t, prot_domU_t)
domain_self_comms(prot_domU_t)
-# domHVM_t is meant to be paired with a qemu-dm stub domain of type dm_dom_t
-declare_domain(domHVM_t)
-create_domain(dom0_t, domHVM_t)
-manage_domain(dom0_t, domHVM_t)
-domain_comms(dom0_t, domHVM_t)
-domain_self_comms(domHVM_t)
-
+# Device model for domU_t. You can define distinct types for device models for
+# domains of other types, or add more make_device_model lines for this type.
declare_domain(dm_dom_t)
create_domain(dom0_t, dm_dom_t)
manage_domain(dom0_t, dm_dom_t)
domain_comms(dom0_t, dm_dom_t)
-make_device_model(dom0_t, dm_dom_t, domHVM_t)
+make_device_model(dom0_t, dm_dom_t, domU_t)
# nomigrate_t must be built via the nomigrate_t_building label; once built,
# dom0 cannot read its memory.
diff --git a/xen/xsm/flask/policy/initial_sids b/xen/xsm/flask/policy/initial_sids
index e508bde..7eca70d 100644
--- a/xen/xsm/flask/policy/initial_sids
+++ b/xen/xsm/flask/policy/initial_sids
@@ -13,4 +13,6 @@ sid ioport
sid iomem
sid irq
sid device
+sid domU
+sid domDM
# FLASK
--
1.7.10.4
^ permalink raw reply related [flat|nested] 16+ messages in thread
* [PATCH v3 6/6] libxl: assign a default ssidref (XSM label) to guests
2015-05-20 14:30 [PATCH v3 0/6] Assign a default SSID to guests Ian Campbell
` (4 preceding siblings ...)
2015-05-20 14:38 ` [PATCH v3 5/6] flask/policy: add initial SIDs for domU/domDM Ian Campbell
@ 2015-05-20 14:39 ` Ian Campbell
2015-05-20 14:41 ` Wei Liu
2015-05-20 14:51 ` Daniel De Graaf
2015-05-20 14:40 ` [PATCH v3 0/6] Assign a default SSID " Wei Liu
2015-05-21 9:54 ` Ian Campbell
7 siblings, 2 replies; 16+ messages in thread
From: Ian Campbell @ 2015-05-20 14:39 UTC (permalink / raw)
To: xen-devel; +Cc: ian.jackson, Daniel De Graaf, Wei.Liu2, Ian Campbell
We have now arranged for SECINITSID_DOMU and SECINITSID_DOMDM to be
defined (correspondng to system_u:system_r:domU_t and
system_u:system_r:dm_dom_t respectively in the default policy). Use
these as the default for the SSID of every (stub)domain.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Cc: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Cc: Wei.Liu2@citrix.com
---
v2: Set ssidref rather than label. It is no longer necessary to
reorder things in libxl.c.
v3: Set device_model_ssidref too if stubdoms are enabled.
I didn't apply Wei's ack due to this change.
---
tools/libxl/libxl_create.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/tools/libxl/libxl_create.c b/tools/libxl/libxl_create.c
index f0da7dc..853c252 100644
--- a/tools/libxl/libxl_create.c
+++ b/tools/libxl/libxl_create.c
@@ -25,6 +25,8 @@
#include <xen/hvm/hvm_info_table.h>
#include <xen/hvm/e820.h>
+#include <xen-xsm/flask/flask.h>
+
int libxl__domain_create_info_setdefault(libxl__gc *gc,
libxl_domain_create_info *c_info)
{
@@ -42,6 +44,9 @@ int libxl__domain_create_info_setdefault(libxl__gc *gc,
libxl_defbool_setdefault(&c_info->run_hotplug_scripts, true);
libxl_defbool_setdefault(&c_info->driver_domain, false);
+ if (!c_info->ssidref)
+ c_info->ssidref = SECINITSID_DOMU;
+
return 0;
}
@@ -111,6 +116,10 @@ int libxl__domain_build_info_setdefault(libxl__gc *gc,
libxl_defbool_setdefault(&b_info->device_model_stubdomain, false);
+ if (libxl_defbool_val(b_info->device_model_stubdomain) &&
+ !b_info->device_model_ssidref)
+ b_info->device_model_ssidref = SECINITSID_DOMDM;
+
if (!b_info->device_model_version) {
if (b_info->type == LIBXL_DOMAIN_TYPE_HVM) {
if (libxl_defbool_val(b_info->device_model_stubdomain)) {
--
1.7.10.4
^ permalink raw reply related [flat|nested] 16+ messages in thread
* Re: [PATCH v3 0/6] Assign a default SSID to guests
2015-05-20 14:30 [PATCH v3 0/6] Assign a default SSID to guests Ian Campbell
` (5 preceding siblings ...)
2015-05-20 14:39 ` [PATCH v3 6/6] libxl: assign a default ssidref (XSM label) to guests Ian Campbell
@ 2015-05-20 14:40 ` Wei Liu
2015-05-21 9:54 ` Ian Campbell
7 siblings, 0 replies; 16+ messages in thread
From: Wei Liu @ 2015-05-20 14:40 UTC (permalink / raw)
To: Ian Campbell; +Cc: ian.jackson, Daniel De Graaf, wei.liu2, xen-devel
On Wed, May 20, 2015 at 03:30:01PM +0100, Ian Campbell wrote:
> Compared with v3 this uses Daniel's more comprehensive policy patch and
> adds a default ssidref for stubdoms too.
>
> Tested with and without XSM enabled for normal guests and HVM guests
> with qemu in dom0. Stubdoms appeared to be broken in the base case, so I
> haven't tested that really.
>
Which changeset are you based this series on? I thought I fixed QEMU
stubdom sometime ago. Maybe I need to have a look at that again.
Wei.
> Ian.
>
>
>
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH v3 6/6] libxl: assign a default ssidref (XSM label) to guests
2015-05-20 14:39 ` [PATCH v3 6/6] libxl: assign a default ssidref (XSM label) to guests Ian Campbell
@ 2015-05-20 14:41 ` Wei Liu
2015-05-20 14:51 ` Daniel De Graaf
1 sibling, 0 replies; 16+ messages in thread
From: Wei Liu @ 2015-05-20 14:41 UTC (permalink / raw)
To: Ian Campbell; +Cc: ian.jackson, Daniel De Graaf, wei.liu2, xen-devel
On Wed, May 20, 2015 at 03:39:00PM +0100, Ian Campbell wrote:
> We have now arranged for SECINITSID_DOMU and SECINITSID_DOMDM to be
> defined (correspondng to system_u:system_r:domU_t and
> system_u:system_r:dm_dom_t respectively in the default policy). Use
> these as the default for the SSID of every (stub)domain.
>
> Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
> Cc: Daniel De Graaf <dgdegra@tycho.nsa.gov>
> Cc: Wei.Liu2@citrix.com
Acked-by: Wei Liu <wei.liu2@citrix.com>
> ---
> v2: Set ssidref rather than label. It is no longer necessary to
> reorder things in libxl.c.
> v3: Set device_model_ssidref too if stubdoms are enabled.
> I didn't apply Wei's ack due to this change.
> ---
> tools/libxl/libxl_create.c | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/tools/libxl/libxl_create.c b/tools/libxl/libxl_create.c
> index f0da7dc..853c252 100644
> --- a/tools/libxl/libxl_create.c
> +++ b/tools/libxl/libxl_create.c
> @@ -25,6 +25,8 @@
> #include <xen/hvm/hvm_info_table.h>
> #include <xen/hvm/e820.h>
>
> +#include <xen-xsm/flask/flask.h>
> +
> int libxl__domain_create_info_setdefault(libxl__gc *gc,
> libxl_domain_create_info *c_info)
> {
> @@ -42,6 +44,9 @@ int libxl__domain_create_info_setdefault(libxl__gc *gc,
> libxl_defbool_setdefault(&c_info->run_hotplug_scripts, true);
> libxl_defbool_setdefault(&c_info->driver_domain, false);
>
> + if (!c_info->ssidref)
> + c_info->ssidref = SECINITSID_DOMU;
> +
> return 0;
> }
>
> @@ -111,6 +116,10 @@ int libxl__domain_build_info_setdefault(libxl__gc *gc,
>
> libxl_defbool_setdefault(&b_info->device_model_stubdomain, false);
>
> + if (libxl_defbool_val(b_info->device_model_stubdomain) &&
> + !b_info->device_model_ssidref)
> + b_info->device_model_ssidref = SECINITSID_DOMDM;
> +
> if (!b_info->device_model_version) {
> if (b_info->type == LIBXL_DOMAIN_TYPE_HVM) {
> if (libxl_defbool_val(b_info->device_model_stubdomain)) {
> --
> 1.7.10.4
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH v3 2/6] xen: flask: Pass output directory as a parameter to mkflask.sh
2015-05-20 14:38 ` [PATCH v3 2/6] xen: flask: Pass output directory as a parameter to mkflask.sh Ian Campbell
@ 2015-05-20 14:44 ` Daniel De Graaf
0 siblings, 0 replies; 16+ messages in thread
From: Daniel De Graaf @ 2015-05-20 14:44 UTC (permalink / raw)
To: Ian Campbell, xen-devel; +Cc: ian.jackson, wei.liu2
On 05/20/2015 10:38 AM, Ian Campbell wrote:
> When called from the tools side in a later patch we will want to
> direct its output to the appropriate place.
>
> Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
> Acked-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH v3 3/6] xen: flask: Restrict generated header to xen + tools
2015-05-20 14:38 ` [PATCH v3 3/6] xen: flask: Restrict generated header to xen + tools Ian Campbell
@ 2015-05-20 14:45 ` Daniel De Graaf
0 siblings, 0 replies; 16+ messages in thread
From: Daniel De Graaf @ 2015-05-20 14:45 UTC (permalink / raw)
To: Ian Campbell, xen-devel; +Cc: ian.jackson, wei.liu2
On 05/20/2015 10:38 AM, Ian Campbell wrote:
> This isn't strictly necessary but since it is going to be exposed via
> tools/include in a later patch this will help prevent accidental
> leakage beyond the tools.
>
> Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
> Acked-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH v3 4/6] tools: Expose XSM Flask initial SIDs list to tools
2015-05-20 14:38 ` [PATCH v3 4/6] tools: Expose XSM Flask initial SIDs list to tools Ian Campbell
@ 2015-05-20 14:46 ` Daniel De Graaf
0 siblings, 0 replies; 16+ messages in thread
From: Daniel De Graaf @ 2015-05-20 14:46 UTC (permalink / raw)
To: Ian Campbell, xen-devel; +Cc: ian.jackson, wei.liu2
On 05/20/2015 10:38 AM, Ian Campbell wrote:
> By generating tools/include/xen-xsm/flask/flask.h using the same tool
> as used during the hypervisor build.
>
> Note that this is done regardless of whether XSM is enabled, since we
> want the tools to be agnostic to whether or not XSM is enabled in the
> hypervisor
>
> Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
> Acked-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH v3 6/6] libxl: assign a default ssidref (XSM label) to guests
2015-05-20 14:39 ` [PATCH v3 6/6] libxl: assign a default ssidref (XSM label) to guests Ian Campbell
2015-05-20 14:41 ` Wei Liu
@ 2015-05-20 14:51 ` Daniel De Graaf
2015-05-21 14:54 ` Ian Campbell
1 sibling, 1 reply; 16+ messages in thread
From: Daniel De Graaf @ 2015-05-20 14:51 UTC (permalink / raw)
To: Ian Campbell, xen-devel; +Cc: ian.jackson, wei.liu2
On 05/20/2015 10:39 AM, Ian Campbell wrote:
> We have now arranged for SECINITSID_DOMU and SECINITSID_DOMDM to be
> defined (correspondng to system_u:system_r:domU_t and
> system_u:system_r:dm_dom_t respectively in the default policy). Use
> these as the default for the SSID of every (stub)domain.
>
> Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH v3 0/6] Assign a default SSID to guests
2015-05-20 14:30 [PATCH v3 0/6] Assign a default SSID to guests Ian Campbell
` (6 preceding siblings ...)
2015-05-20 14:40 ` [PATCH v3 0/6] Assign a default SSID " Wei Liu
@ 2015-05-21 9:54 ` Ian Campbell
2015-05-21 9:57 ` Wei Liu
7 siblings, 1 reply; 16+ messages in thread
From: Ian Campbell @ 2015-05-21 9:54 UTC (permalink / raw)
To: xen-devel; +Cc: ian.jackson, Daniel De Graaf, wei.liu2
On Wed, 2015-05-20 at 15:30 +0100, Ian Campbell wrote:
> Compared with v3 this uses Daniel's more comprehensive policy patch and
> adds a default ssidref for stubdoms too.
>
> Tested with and without XSM enabled for normal guests and HVM guests
> with qemu in dom0. Stubdoms appeared to be broken in the base case, so I
> haven't tested that really.
I rebased onto new staging (no changes needed) and now stubdoms seem to
work again and look to have been correctly labelled using the new
defaults:
# xl list -Z
Name ID Mem VCPUs State Time(s) Security Label
Domain-0 0 511 8 r----- 14.4 system_u:system_r:dom0_t
debianhvm.guest.osstest 1 768 2 -b---- 5.7 system_u:system_r:domU_t
debianhvm.guest.osstest-dm 2 32 1 -b---- 4.0 system_u:system_r:dm_dom_t
Ian.
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH v3 0/6] Assign a default SSID to guests
2015-05-21 9:54 ` Ian Campbell
@ 2015-05-21 9:57 ` Wei Liu
0 siblings, 0 replies; 16+ messages in thread
From: Wei Liu @ 2015-05-21 9:57 UTC (permalink / raw)
To: Ian Campbell; +Cc: ian.jackson, Daniel De Graaf, wei.liu2, xen-devel
On Thu, May 21, 2015 at 10:54:44AM +0100, Ian Campbell wrote:
> On Wed, 2015-05-20 at 15:30 +0100, Ian Campbell wrote:
> > Compared with v3 this uses Daniel's more comprehensive policy patch and
> > adds a default ssidref for stubdoms too.
> >
> > Tested with and without XSM enabled for normal guests and HVM guests
> > with qemu in dom0. Stubdoms appeared to be broken in the base case, so I
> > haven't tested that really.
>
> I rebased onto new staging (no changes needed) and now stubdoms seem to
> work again and look to have been correctly labelled using the new
> defaults:
>
> # xl list -Z
> Name ID Mem VCPUs State Time(s) Security Label
> Domain-0 0 511 8 r----- 14.4 system_u:system_r:dom0_t
> debianhvm.guest.osstest 1 768 2 -b---- 5.7 system_u:system_r:domU_t
> debianhvm.guest.osstest-dm 2 32 1 -b---- 4.0 system_u:system_r:dm_dom_t
>
Great!
> Ian.
>
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH v3 6/6] libxl: assign a default ssidref (XSM label) to guests
2015-05-20 14:51 ` Daniel De Graaf
@ 2015-05-21 14:54 ` Ian Campbell
0 siblings, 0 replies; 16+ messages in thread
From: Ian Campbell @ 2015-05-21 14:54 UTC (permalink / raw)
To: Daniel De Graaf; +Cc: ian.jackson, wei.liu2, xen-devel
On Wed, 2015-05-20 at 10:51 -0400, Daniel De Graaf wrote:
> On 05/20/2015 10:39 AM, Ian Campbell wrote:
> > We have now arranged for SECINITSID_DOMU and SECINITSID_DOMDM to be
> > defined (correspondng to system_u:system_r:domU_t and
> > system_u:system_r:dm_dom_t respectively in the default policy). Use
> > these as the default for the SSID of every (stub)domain.
> >
> > Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
>
> Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Thanks, all applied with Wei and your acks.
Ian.
^ permalink raw reply [flat|nested] 16+ messages in thread
end of thread, other threads:[~2015-05-21 14:54 UTC | newest]
Thread overview: 16+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-05-20 14:30 [PATCH v3 0/6] Assign a default SSID to guests Ian Campbell
2015-05-20 14:38 ` [PATCH v3 1/6] tools: Add AWK to set of tools checked for by configure Ian Campbell
2015-05-20 14:38 ` [PATCH v3 2/6] xen: flask: Pass output directory as a parameter to mkflask.sh Ian Campbell
2015-05-20 14:44 ` Daniel De Graaf
2015-05-20 14:38 ` [PATCH v3 3/6] xen: flask: Restrict generated header to xen + tools Ian Campbell
2015-05-20 14:45 ` Daniel De Graaf
2015-05-20 14:38 ` [PATCH v3 4/6] tools: Expose XSM Flask initial SIDs list to tools Ian Campbell
2015-05-20 14:46 ` Daniel De Graaf
2015-05-20 14:38 ` [PATCH v3 5/6] flask/policy: add initial SIDs for domU/domDM Ian Campbell
2015-05-20 14:39 ` [PATCH v3 6/6] libxl: assign a default ssidref (XSM label) to guests Ian Campbell
2015-05-20 14:41 ` Wei Liu
2015-05-20 14:51 ` Daniel De Graaf
2015-05-21 14:54 ` Ian Campbell
2015-05-20 14:40 ` [PATCH v3 0/6] Assign a default SSID " Wei Liu
2015-05-21 9:54 ` Ian Campbell
2015-05-21 9:57 ` Wei Liu
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.