List-Id: Xen developer discussion
Date: Mon, 25 Apr 2022 12:42:02 -0400
Subject: Re: [PATCH v3 2/2] flask: implement xsm_set_system_active
To: Jason Andryuk
Cc: xen-devel, Scott Davis, Daniel De Graaf, Wei Liu, Anthony PERARD
References: <20220422163458.30170-1-dpsmith@apertussolutions.com> <20220422163458.30170-3-dpsmith@apertussolutions.com>
From: "Daniel P. Smith"

On 4/22/22 12:58, Jason Andryuk wrote:
> On Fri, Apr 22, 2022 at 12:35 PM Daniel P. Smith wrote:
>>
>> This commit implements full support for starting the idle domain privileged by
>> introducing a new flask label xenboot_t which the idle domain is labeled with
>> at creation. It then provides the implementation for the XSM hook
>> xsm_set_system_active to relabel the idle domain to the existing xen_t flask
>> label.
>>
>> In the reference flask policy a new macro, xen_build_domain(target), is
>> introduced for creating policies for dom0less/hyperlaunch allowing the
>> hypervisor to create and assign the necessary resources for domain
>> construction.
>>
>> Signed-off-by: Daniel P. Smith
>> ---
>
>> @@ -188,8 +188,12 @@ static int cf_check flask_domain_alloc_security(struct domain *d)
>>
>> static int cf_check flask_set_system_active(void)
>> {
>> + struct domain_security_struct *dsec;
>> struct domain *d = current->domain;
>>
>> + dsec = d->ssid;
>> + ASSERT( dsec->sid == SECINITSID_XENBOOT);
>
> Extra space before dsec.

Ack.

> With that fixed,
> Reviewed-by: Jason Andryuk
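
Review bot: The ASSERT on dsec->sid in flask_set_system_active() is the only visible guard that the idle domain still carries SECINITSID_XENBOOT before it is relabeled, and ASSERT is compiled out of non-debug builds, so a release hypervisor would continue whatever the current SID is. Since the hook returns int, consider an explicit runtime check that returns an error when dsec->sid != SECINITSID_XENBOOT, unless the part of the function not shown in this quoted excerpt already does so. As a style point, the declaration and assignment of dsec can be folded into one line, struct domain_security_struct *dsec = d->ssid; placed after the declaration of d.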