Re: [PATCH v7 2/2] flask: implement xsm_set_system_active

From: Rahul Singh <Rahul.Singh@arm.com>
To: "Daniel P. Smith" <dpsmith@apertussolutions.com>
Cc: xen-devel <xen-devel@lists.xenproject.org>,
	"scott.davis@starlab.io" <scott.davis@starlab.io>,
	"jandryuk@gmail.com" <jandryuk@gmail.com>,
	"christopher.clark@starlab.io" <christopher.clark@starlab.io>,
	Luca Fancellu <Luca.Fancellu@arm.com>,
	Daniel De Graaf <dgdegra@tycho.nsa.gov>, Wei Liu <wl@xen.org>,
	Anthony PERARD <anthony.perard@citrix.com>
Subject: Re: [PATCH v7 2/2] flask: implement xsm_set_system_active
Date: Thu, 12 May 2022 14:49:36 +0000	[thread overview]
Message-ID: <7565B32C-66DD-4820-8D5E-3A62FE87008C@arm.com> (raw)
In-Reply-To: <20220511113035.27070-3-dpsmith@apertussolutions.com>

Hi Daniel,

> On 11 May 2022, at 12:30 pm, Daniel P. Smith <dpsmith@apertussolutions.com> wrote:
> 
> This commit implements full support for starting the idle domain privileged by
> introducing a new flask label xenboot_t which the idle domain is labeled with
> at creation.  It then provides the implementation for the XSM hook
> xsm_set_system_active to relabel the idle domain to the existing xen_t flask
> label.
> 
> In the reference flask policy a new macro, xen_build_domain(target), is
> introduced for creating policies for dom0less/hyperlaunch allowing the
> hypervisor to create and assign the necessary resources for domain
> construction.
> 
> Signed-off-by: Daniel P. Smith <dpsmith@apertussolutions.com>
> Reviewed-by: Jason Andryuk <jandryuk@gmail.com>
> Reviewed-by: Luca Fancellu <luca.fancellu@arm.com>
> Tested-by: Luca Fancellu <luca.fancellu@arm.com>

Reviewed-by: Rahul Singh <rahul.singh@arm.com>
Tested-by: Rahul Singh <rahul.singh@arm.com>

Regards,
Rahul
> ---
> tools/flask/policy/modules/xen.if      | 6 ++++++
> tools/flask/policy/modules/xen.te      | 1 +
> tools/flask/policy/policy/initial_sids | 1 +
> xen/xsm/flask/hooks.c                  | 9 ++++++++-
> xen/xsm/flask/policy/initial_sids      | 1 +
> 5 files changed, 17 insertions(+), 1 deletion(-)
> 
> diff --git a/tools/flask/policy/modules/xen.if b/tools/flask/policy/modules/xen.if
> index 5e2aa472b6..4ec676fff1 100644
> --- a/tools/flask/policy/modules/xen.if
> +++ b/tools/flask/policy/modules/xen.if
> @@ -62,6 +62,12 @@ define(`create_domain_common', `
> 			setparam altp2mhvm altp2mhvm_op dm };
> ')
> 
> +# xen_build_domain(target)
> +#   Allow a domain to be created at boot by the hypervisor
> +define(`xen_build_domain', `
> +	allow xenboot_t $1_channel:event create;
> +')
> +
> # create_domain(priv, target)
> #   Allow a domain to be created directly
> define(`create_domain', `
> diff --git a/tools/flask/policy/modules/xen.te b/tools/flask/policy/modules/xen.te
> index 3dbf93d2b8..de98206fdd 100644
> --- a/tools/flask/policy/modules/xen.te
> +++ b/tools/flask/policy/modules/xen.te
> @@ -24,6 +24,7 @@ attribute mls_priv;
> ################################################################################
> 
> # The hypervisor itself
> +type xenboot_t, xen_type, mls_priv;
> type xen_t, xen_type, mls_priv;
> 
> # Domain 0
> diff --git a/tools/flask/policy/policy/initial_sids b/tools/flask/policy/policy/initial_sids
> index 6b7b7eff21..ec729d3ba3 100644
> --- a/tools/flask/policy/policy/initial_sids
> +++ b/tools/flask/policy/policy/initial_sids
> @@ -2,6 +2,7 @@
> # objects created before the policy is loaded or for objects that do not have a
> # label defined in some other manner.
> 
> +sid xenboot gen_context(system_u:system_r:xenboot_t,s0)
> sid xen gen_context(system_u:system_r:xen_t,s0)
> sid dom0 gen_context(system_u:system_r:dom0_t,s0)
> sid domxen gen_context(system_u:system_r:domxen_t,s0)
> diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
> index 54745e6c6a..80b36cc2d8 100644
> --- a/xen/xsm/flask/hooks.c
> +++ b/xen/xsm/flask/hooks.c
> @@ -168,7 +168,7 @@ static int cf_check flask_domain_alloc_security(struct domain *d)
>     switch ( d->domain_id )
>     {
>     case DOMID_IDLE:
> -        dsec->sid = SECINITSID_XEN;
> +        dsec->sid = SECINITSID_XENBOOT;
>         break;
>     case DOMID_XEN:
>         dsec->sid = SECINITSID_DOMXEN;
> @@ -188,9 +188,14 @@ static int cf_check flask_domain_alloc_security(struct domain *d)
> 
> static int cf_check flask_set_system_active(void)
> {
> +    struct domain_security_struct *dsec;
>     struct domain *d = current->domain;
> 
> +    dsec = d->ssid;
> +
>     ASSERT(d->is_privileged);
> +    ASSERT(dsec->sid == SECINITSID_XENBOOT);
> +    ASSERT(dsec->self_sid == SECINITSID_XENBOOT);
> 
>     if ( d->domain_id != DOMID_IDLE )
>     {
> @@ -205,6 +210,8 @@ static int cf_check flask_set_system_active(void)
>      */
>     d->is_privileged = false;
> 
> +    dsec->self_sid = dsec->sid = SECINITSID_XEN;
> +
>     return 0;
> }
> 
> diff --git a/xen/xsm/flask/policy/initial_sids b/xen/xsm/flask/policy/initial_sids
> index 7eca70d339..e8b55b8368 100644
> --- a/xen/xsm/flask/policy/initial_sids
> +++ b/xen/xsm/flask/policy/initial_sids
> @@ -3,6 +3,7 @@
> #
> # Define initial security identifiers 
> #
> +sid xenboot
> sid xen
> sid dom0
> sid domio
> -- 
> 2.20.1
> 
> 