|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [xen-unstable] xsm/flask: remove unneeded create_sid field
# HG changeset patch
# User Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
# Date 1347912639 -3600
# Node ID 383f0b427494a2b0f03ccd51b19d10042999f20e
# Parent 6804e90926708152edecbf15e9b6689fbc402b52
xsm/flask: remove unneeded create_sid field
This field was only used to populate the ssid of dom0, which can be
handled explicitly in the domain creation hook. This also removes the
unnecessary permission check on the creation of dom0.
Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
Committed-by: Keir Fraser <keir@xxxxxxx>
---
diff -r 6804e9092670 -r 383f0b427494
tools/flask/policy/policy/modules/xen/xen.te
--- a/tools/flask/policy/policy/modules/xen/xen.te Mon Sep 17 21:10:07
2012 +0100
+++ b/tools/flask/policy/policy/modules/xen/xen.te Mon Sep 17 21:10:39
2012 +0100
@@ -52,8 +52,6 @@ type device_t, resource_type;
# Rules required to boot the hypervisor and dom0
#
################################################################################
-allow xen_t dom0_t:domain { create };
-
allow dom0_t xen_t:xen { kexec readapic writeapic mtrr_read mtrr_add mtrr_del
scheduler physinfo heap quirk readconsole writeconsole settime
getcpuinfo
microcode cpupool_op sched_op pm_op };
diff -r 6804e9092670 -r 383f0b427494 xen/xsm/flask/hooks.c
--- a/xen/xsm/flask/hooks.c Mon Sep 17 21:10:07 2012 +0100
+++ b/xen/xsm/flask/hooks.c Mon Sep 17 21:10:39 2012 +0100
@@ -108,12 +108,10 @@ static int flask_domain_alloc_security(s
memset(dsec, 0, sizeof(struct domain_security_struct));
- dsec->create_sid = SECSID_NULL;
switch ( d->domain_id )
{
case DOMID_IDLE:
dsec->sid = SECINITSID_XEN;
- dsec->create_sid = SECINITSID_DOM0;
break;
case DOMID_XEN:
dsec->sid = SECINITSID_DOMXEN;
@@ -489,25 +487,24 @@ static int flask_domain_create(struct do
int rc;
struct domain_security_struct *dsec1;
struct domain_security_struct *dsec2;
+ static int dom0_created = 0;
dsec1 = current->domain->ssid;
+ dsec2 = d->ssid;
- if ( dsec1->create_sid == SECSID_NULL )
- dsec1->create_sid = ssidref;
+ if ( is_idle_domain(current->domain) && !dom0_created )
+ {
+ dsec2->sid = SECINITSID_DOM0;
+ dom0_created = 1;
+ return 0;
+ }
- rc = avc_has_perm(dsec1->sid, dsec1->create_sid, SECCLASS_DOMAIN,
+ rc = avc_has_perm(dsec1->sid, ssidref, SECCLASS_DOMAIN,
DOMAIN__CREATE, NULL);
if ( rc )
- {
- dsec1->create_sid = SECSID_NULL;
return rc;
- }
- dsec2 = d->ssid;
- dsec2->sid = dsec1->create_sid;
-
- dsec1->create_sid = SECSID_NULL;
- dsec2->create_sid = SECSID_NULL;
+ dsec2->sid = ssidref;
return rc;
}
diff -r 6804e9092670 -r 383f0b427494 xen/xsm/flask/include/objsec.h
--- a/xen/xsm/flask/include/objsec.h Mon Sep 17 21:10:07 2012 +0100
+++ b/xen/xsm/flask/include/objsec.h Mon Sep 17 21:10:39 2012 +0100
@@ -19,7 +19,6 @@
struct domain_security_struct {
u32 sid; /* current SID */
- u32 create_sid;
};
struct evtchn_security_struct {
_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |