From mboxrd@z Thu Jan  1 00:00:00 1970
From: Julien Grall <julien.grall@citrix.com>
Subject: Re: [PATCH] libxl: assigned a default ssid_label (XSM
 label) to guests
Date: Thu, 14 May 2015 12:21:55 +0100
Message-ID: <55548553.7060700@citrix.com>
References: <1431599625-9572-1-git-send-email-ian.campbell@citrix.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <xen-devel-bounces@lists.xen.org>
In-Reply-To: <1431599625-9572-1-git-send-email-ian.campbell@citrix.com>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xen.org>
List-Help: <mailto:xen-devel-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=subscribe>
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: Ian Campbell <ian.campbell@citrix.com>, xen-devel@lists.xen.org, ian.jackson@eu.citrix.com, wei.liu2@citrix.com
Cc: Daniel De Graaf <dgdegra@tycho.nsa.gov>
List-Id: xen-devel@lists.xenproject.org

Hi Ian,

On 14/05/15 11:33, Ian Campbell wrote:
> system_u:system_r:domU_t is defined in the default policy and makes as
> much sense as anything for a default.

So you rule out the possibility to run an unlabelled domain? This is
possible if the policy explicitly authorized it. That's a significant
change in the libxl behavior.

IHMO, having a default policy doesn't mean libxl should set a default
ssid to make XSM transparent to the user.

The explicit ssid makes clear that the guest is using a ssid foo and if
it's not provided then it will fail to boot.

Setting a default value may hide a bigger issue and take the wrong
policy the user forgot to set up an ssid.

> This change required moving the call to domain_create_info_setdefault
> to be before the ssid_label is translated into ssidref, which also
> moves it before some other stuff which consumes things from c_info,
> which is correct since setdefault should always be called first. Apart
> from the SSID handling there should be no functional change (since
> setdefault doesn't actually act on anything which that other stuff
> uses).
> 
> There is no need to set exec_ssid_label since the default is to leave
> the domain using the ssid_label after build.

By setting a ssid label, libxl will print a new warning on Xen not built
with XSM which will confuse the user:

libxl: warning: libxl_create.c:813:initiate_domain_create: XSM Disabled:
init_seclabel not supported

> 
> I haven't done anything with the device model ssid.
> 
> Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
> Cc: Daniel De Graaf <dgdegra@tycho.nsa.gov>
> Cc: Wei.Liu2@citrix.com
> ---
>  docs/man/xl.cfg.pod.5      |    4 +++-
>  tools/libxl/libxl_create.c |   11 ++++++++---
>  2 files changed, 11 insertions(+), 4 deletions(-)
> 
> diff --git a/docs/man/xl.cfg.pod.5 b/docs/man/xl.cfg.pod.5
> index 8e4154f..fcca1cc 100644
> --- a/docs/man/xl.cfg.pod.5
> +++ b/docs/man/xl.cfg.pod.5
> @@ -437,7 +437,9 @@ UUID will be generated.
>  
>  =item B<seclabel="LABEL">
>  
> -Assign an XSM security label to this domain.
> +Assign an XSM security label to this domain. By default a domain is
> +assigned the label B<system_u:system_r:domU_t>, which is defined in
> +the default policy.

It's not easy to know that seclabel will be stored in ssid_label.

It would be good to have this explanation into the toolstack API.

Regards,

-- 
Julien Grall