From: Scott Davis <scottwd@gmail.com>
To: xen-devel@lists.xenproject.org
Cc: Scott Davis <scott.davis@starlab.io>,
Ian Jackson <iwj@xenproject.org>, Wei Liu <wl@xen.org>,
George Dunlap <george.dunlap@citrix.com>,
Nick Rosbrook <rosbrookn@ainfosec.com>,
Anthony PERARD <anthony.perard@citrix.com>,
Juergen Gross <jgross@suse.com>,
Daniel De Graaf <dgdegra@tycho.nsa.gov>,
"Daniel P . Smith" <dpsmith@apertussolutions.com>
Subject: [XEN PATCH] tools/xl: Add device_model_stubdomain_init_seclabel option to xl.cfg
Date: Fri, 23 Jul 2021 00:47:31 -0400 [thread overview]
Message-ID: <8ee22fab0731347dd7f998c5f336eac804785c28.1627014699.git.scott.davis@starlab.io> (raw)
This adds an option to the xl domain configuration syntax for specifying
a build-time XSM security label for device-model stubdomains separate from
the run-time label specified by 'device_model_stubdomain_seclabel'. Fields
are also added to the 'libxl_domain_build_info' struct to contain the new
information, and a new call to 'xc_flask_relabel_domain' inserted to
affect the change at the appropriate time.
The implementation mirrors that of the 'seclabel' and 'init_seclabel'
options for user domains. When all used in concert, this enables the
creation of security policies that minimize run-time privileges between
the toolstack domain, device-model stubdomains, and user domains.
Signed-off-by: Scott Davis <scott.davis@starlab.io>
---
docs/man/xl.cfg.5.pod.in | 10 ++++++++++
tools/golang/xenlight/helpers.gen.go | 5 +++++
tools/golang/xenlight/types.gen.go | 2 ++
tools/include/libxl.h | 10 ++++++++++
tools/libs/light/libxl_create.c | 28 ++++++++++++++++++++++++++--
tools/libs/light/libxl_dm.c | 14 +++++++++-----
tools/libs/light/libxl_types.idl | 2 ++
tools/xl/xl_parse.c | 12 +++++++++++-
8 files changed, 75 insertions(+), 8 deletions(-)
diff --git a/docs/man/xl.cfg.5.pod.in b/docs/man/xl.cfg.5.pod.in
index 56370a37db..3458d357fc 100644
--- a/docs/man/xl.cfg.5.pod.in
+++ b/docs/man/xl.cfg.5.pod.in
@@ -2762,6 +2762,16 @@ you have selected.
Assign an XSM security label to the device-model stubdomain.
+=item B<device_model_stubdomain_init_seclabel="LABEL">
+
+Specify a temporary XSM security label for the device-model stubdomain used
+during creation of it and its associated guest. The stubdomain's XSM label will
+then be changed to the execution seclabel (as specified by
+B<device_model_stubdomain_seclabel>) once creation is complete, prior to
+unpausing the stubdomain's guest. With proper (re)labeling, a security policy
+can be constructed that minimizes run-time privileges between the toolstack
+domain, device-model stubdomains, and user domains.
+
=item B<device_model_args=[ "ARG", "ARG", ...]>
Pass additional arbitrary options on the device-model command
diff --git a/tools/golang/xenlight/helpers.gen.go b/tools/golang/xenlight/helpers.gen.go
index db82537b42..e961cb5f75 100644
--- a/tools/golang/xenlight/helpers.gen.go
+++ b/tools/golang/xenlight/helpers.gen.go
@@ -1022,6 +1022,8 @@ x.StubdomainRamdisk = C.GoString(xc.stubdomain_ramdisk)
x.DeviceModel = C.GoString(xc.device_model)
x.DeviceModelSsidref = uint32(xc.device_model_ssidref)
x.DeviceModelSsidLabel = C.GoString(xc.device_model_ssid_label)
+x.DeviceModelExecSsidref = uint32(xc.device_model_exec_ssidref)
+x.DeviceModelExecSsidLabel = C.GoString(xc.device_model_exec_ssid_label)
x.DeviceModelUser = C.GoString(xc.device_model_user)
if err := x.Extra.fromC(&xc.extra);err != nil {
return fmt.Errorf("converting field Extra: %v", err)
@@ -1351,6 +1353,9 @@ xc.device_model = C.CString(x.DeviceModel)}
xc.device_model_ssidref = C.uint32_t(x.DeviceModelSsidref)
if x.DeviceModelSsidLabel != "" {
xc.device_model_ssid_label = C.CString(x.DeviceModelSsidLabel)}
+xc.device_model_exec_ssidref = C.uint32_t(x.DeviceModelExecSsidref)
+if x.DeviceModelExecSsidLabel != "" {
+xc.device_model_exec_ssid_label = C.CString(x.DeviceModelExecSsidLabel)}
if x.DeviceModelUser != "" {
xc.device_model_user = C.CString(x.DeviceModelUser)}
if err := x.Extra.toC(&xc.extra); err != nil {
diff --git a/tools/golang/xenlight/types.gen.go b/tools/golang/xenlight/types.gen.go
index a214dd9df6..45061d1afa 100644
--- a/tools/golang/xenlight/types.gen.go
+++ b/tools/golang/xenlight/types.gen.go
@@ -487,6 +487,8 @@ StubdomainRamdisk string
DeviceModel string
DeviceModelSsidref uint32
DeviceModelSsidLabel string
+DeviceModelExecSsidref uint32
+DeviceModelExecSsidLabel string
DeviceModelUser string
Extra StringList
ExtraPv StringList
diff --git a/tools/include/libxl.h b/tools/include/libxl.h
index ae7fe27c1f..62b69222f6 100644
--- a/tools/include/libxl.h
+++ b/tools/include/libxl.h
@@ -1069,6 +1069,16 @@ typedef struct libxl__ctx libxl_ctx;
*/
#define LIBXL_HAVE_SSID_LABEL 1
+/*
+ * LIBXL_HAVE_BUILDINFO_DEVICE_MODEL_STUBDOMAIN_EXEC_SSID
+ *
+ * If this is defined, then the libxl_domain_build_info structure will
+ * contain 'device_model_exec_ssidref' and 'device_model_exec_ssid_label' for
+ * specifying a run-time XSM security label separate from the build-time label
+ * specified in 'device_model_ssidref' and 'device_model_ssid_label'.
+ */
+#define LIBXL_HAVE_BUILDINFO_DEVICE_MODEL_STUBDOMAIN_EXEC_SSID 1
+
/*
* LIBXL_HAVE_CPUPOOL_NAME
*
diff --git a/tools/libs/light/libxl_create.c b/tools/libs/light/libxl_create.c
index e356b2106d..a12da5531d 100644
--- a/tools/libs/light/libxl_create.c
+++ b/tools/libs/light/libxl_create.c
@@ -1060,13 +1060,31 @@ int libxl__domain_config_setdefault(libxl__gc *gc,
char *s = d_config->b_info.device_model_ssid_label;
ret = libxl_flask_context_to_sid(ctx, s, strlen(s),
&d_config->b_info.device_model_ssidref);
+ if (ret) {
+ if (errno == ENOSYS) {
+ LOGD(WARN, domid,
+ "XSM Disabled: device_model_stubdomain_init_seclabel not supported");
+ ret = 0;
+ } else {
+ LOGD(ERROR, domid,
+ "Invalid device_model_stubdomain_init_seclabel: %s", s);
+ goto error_out;
+ }
+ }
+ }
+
+ if (d_config->b_info.device_model_exec_ssid_label) {
+ char *s = d_config->b_info.device_model_exec_ssid_label;
+ ret = libxl_flask_context_to_sid(ctx, s, strlen(s),
+ &d_config->b_info.device_model_exec_ssidref);
if (ret) {
if (errno == ENOSYS) {
LOGD(WARN, domid,
"XSM Disabled: device_model_stubdomain_seclabel not supported");
ret = 0;
} else {
- LOGD(ERROR, domid, "Invalid device_model_stubdomain_seclabel: %s", s);
+ LOGD(ERROR, domid,
+ "Invalid device_model_stubdomain_seclabel: %s", s);
goto error_out;
}
}
@@ -1935,7 +1953,13 @@ static void domcreate_complete(libxl__egc *egc,
libxl__domain_build_state_dispose(&dcs->build_state);
if (!rc && d_config->b_info.exec_ssidref)
- rc = xc_flask_relabel_domain(CTX->xch, dcs->guest_domid, d_config->b_info.exec_ssidref);
+ rc = xc_flask_relabel_domain(CTX->xch, dcs->guest_domid,
+ d_config->b_info.exec_ssidref);
+
+ if (!rc && dcs->sdss.pvqemu.guest_domid != INVALID_DOMID &&
+ d_config->b_info.device_model_exec_ssidref)
+ rc = xc_flask_relabel_domain(CTX->xch, dcs->sdss.pvqemu.guest_domid,
+ d_config->b_info.device_model_exec_ssidref);
bool retain_domain = !rc || rc == ERROR_ABORTED;
diff --git a/tools/libs/light/libxl_dm.c b/tools/libs/light/libxl_dm.c
index dbd3c7f278..2b69b207c4 100644
--- a/tools/libs/light/libxl_dm.c
+++ b/tools/libs/light/libxl_dm.c
@@ -2300,20 +2300,24 @@ void libxl__spawn_stub_dm(libxl__egc *egc, libxl__stub_dm_spawn_state *sdss)
sdss->pvqemu.guest_domid = INVALID_DOMID;
libxl_domain_create_info_init(&dm_config->c_info);
+ libxl_domain_build_info_init(&dm_config->b_info);
+ libxl_domain_build_info_init_type(&dm_config->b_info, LIBXL_DOMAIN_TYPE_PV);
+
dm_config->c_info.type = LIBXL_DOMAIN_TYPE_PV;
dm_config->c_info.name = libxl__stub_dm_name(gc,
libxl__domid_to_name(gc, guest_domid));
- /* When we are here to launch stubdom, ssidref is a valid value
- * already, no need to parse it again.
+
+ /* When we are here to launch stubdom, ssidrefs are valid values already,
+ * no need to parse them again.
*/
dm_config->c_info.ssidref = guest_config->b_info.device_model_ssidref;
dm_config->c_info.ssid_label = NULL;
+ dm_config->b_info.exec_ssidref =
+ guest_config->b_info.device_model_exec_ssidref;
+ dm_config->b_info.exec_ssid_label = NULL;
libxl_uuid_generate(&dm_config->c_info.uuid);
- libxl_domain_build_info_init(&dm_config->b_info);
- libxl_domain_build_info_init_type(&dm_config->b_info, LIBXL_DOMAIN_TYPE_PV);
-
dm_config->b_info.shadow_memkb = 0;
dm_config->b_info.max_vcpus = 1;
dm_config->b_info.max_memkb = guest_config->b_info.stubdomain_memkb;
diff --git a/tools/libs/light/libxl_types.idl b/tools/libs/light/libxl_types.idl
index f45adddab0..b483729b9c 100644
--- a/tools/libs/light/libxl_types.idl
+++ b/tools/libs/light/libxl_types.idl
@@ -528,6 +528,8 @@ libxl_domain_build_info = Struct("domain_build_info",[
("device_model", string),
("device_model_ssidref", uint32),
("device_model_ssid_label", string),
+ ("device_model_exec_ssidref", uint32),
+ ("device_model_exec_ssid_label", string),
("device_model_user", string),
# extra parameters pass directly to qemu, NULL terminated
diff --git a/tools/xl/xl_parse.c b/tools/xl/xl_parse.c
index 9fb0791429..236f8b2fc0 100644
--- a/tools/xl/xl_parse.c
+++ b/tools/xl/xl_parse.c
@@ -2523,10 +2523,20 @@ skip_usbdev:
xlu_cfg_get_defbool (config, "device_model_stubdomain_override",
&b_info->device_model_stubdomain, 0);
- if (!xlu_cfg_get_string (config, "device_model_stubdomain_seclabel",
+ if (!xlu_cfg_get_string (config, "device_model_stubdomain_init_seclabel",
&buf, 0))
+ xlu_cfg_replace_string(config, "device_model_stubdomain_init_seclabel",
+ &b_info->device_model_ssid_label, 0);
+
+ if (!xlu_cfg_get_string (config, "device_model_stubdomain_seclabel",
+ &buf, 0)) {
+ if (b_info->device_model_ssid_label)
+ xlu_cfg_replace_string(config, "device_model_stubdomain_seclabel",
+ &b_info->device_model_exec_ssid_label, 0);
+ else
xlu_cfg_replace_string(config, "device_model_stubdomain_seclabel",
&b_info->device_model_ssid_label, 0);
+ }
xlu_cfg_replace_string(config, "device_model_user",
&b_info->device_model_user, 0);
--
2.25.1
next reply other threads:[~2021-07-23 4:48 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-23 4:47 Scott Davis [this message]
2021-07-26 13:07 ` [XEN PATCH] tools/xl: Add device_model_stubdomain_init_seclabel option to xl.cfg Jason Andryuk
2021-07-27 12:19 ` Marek Marczykowski-Górecki
2021-07-27 13:32 ` Ian Jackson
2021-07-27 13:50 ` Jason Andryuk
2021-07-28 12:19 ` Anthony PERARD
2021-07-28 22:11 ` Scott Davis
2021-07-27 11:45 ` Andrew Cooper
2021-07-27 13:30 ` Ian Jackson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8ee22fab0731347dd7f998c5f336eac804785c28.1627014699.git.scott.davis@starlab.io \
--to=scottwd@gmail.com \
--cc=anthony.perard@citrix.com \
--cc=dgdegra@tycho.nsa.gov \
--cc=dpsmith@apertussolutions.com \
--cc=george.dunlap@citrix.com \
--cc=iwj@xenproject.org \
--cc=jgross@suse.com \
--cc=rosbrookn@ainfosec.com \
--cc=scott.davis@starlab.io \
--cc=wl@xen.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.