
[Xen-devel] [PATCH 02/18] xsm/flask: remove unneeded create_sid field



This field was only used to populate the ssid of dom0, which can be
handled explicitly in the domain creation hook. This also removes the
unnecessary permission check on the creation of dom0.

Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
---
 tools/flask/policy/policy/modules/xen/xen.te |  2 --
 xen/xsm/flask/hooks.c                        | 23 ++++++++++-------------
 xen/xsm/flask/include/objsec.h               |  1 -
 3 files changed, 10 insertions(+), 16 deletions(-)

diff --git a/tools/flask/policy/policy/modules/xen/xen.te 
b/tools/flask/policy/policy/modules/xen/xen.te
index 29885c4..3d2e351 100644
--- a/tools/flask/policy/policy/modules/xen/xen.te
+++ b/tools/flask/policy/policy/modules/xen/xen.te
@@ -52,8 +52,6 @@ type device_t, resource_type;
 # Rules required to boot the hypervisor and dom0
 #
 
################################################################################
-allow xen_t dom0_t:domain { create };
-
 allow dom0_t xen_t:xen { kexec readapic writeapic mtrr_read mtrr_add mtrr_del
        scheduler physinfo heap quirk readconsole writeconsole settime
        microcode cpupool_op sched_op };
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index 62771bf..9262d34 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -111,12 +111,10 @@ static int flask_domain_alloc_security(struct domain *d)
     if ( is_idle_domain(d) )
     {
         dsec->sid = SECINITSID_XEN;
-        dsec->create_sid = SECINITSID_DOM0;
     }
     else
     {
         dsec->sid = SECINITSID_UNLABELED;
-        dsec->create_sid = SECSID_NULL;
     }
 
     d->ssid = dsec;
@@ -549,25 +547,24 @@ static int flask_domain_create(struct domain *d, u32 
ssidref)
     int rc;
     struct domain_security_struct *dsec1;
     struct domain_security_struct *dsec2;
+    static int dom0_created = 0;
 
     dsec1 = current->domain->ssid;
+    dsec2 = d->ssid;
 
-    if ( dsec1->create_sid == SECSID_NULL ) 
-        dsec1->create_sid = ssidref;
+    if ( is_idle_domain(current->domain) && !dom0_created )
+    {
+        dsec2->sid = SECINITSID_DOM0;
+        dom0_created = 1;
+        return 0;
+    }
 
-    rc = avc_has_perm(dsec1->sid, dsec1->create_sid, SECCLASS_DOMAIN, 
+    rc = avc_has_perm(dsec1->sid, ssidref, SECCLASS_DOMAIN,
                       DOMAIN__CREATE, NULL);
     if ( rc )
-    {
-        dsec1->create_sid = SECSID_NULL;
         return rc;
-    }
-
-    dsec2 = d->ssid;
-    dsec2->sid = dsec1->create_sid;
 
-    dsec1->create_sid = SECSID_NULL;
-    dsec2->create_sid = SECSID_NULL;
+    dsec2->sid = ssidref;
 
     return rc;
 }
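Review bot: The new early-return branch in flask_domain_create gives SECINITSID_DOM0 to whichever domain is created first from idle-domain context, skipping avc_has_perm and ignoring ssidref, and nothing in the condition ties that exemption to dom0 itself. As this is the only path that bypasses the policy check, I would narrow it to `if ( is_idle_domain(current->domain) && !dom0_created && d->domain_id == 0 )`, so any other idle-context creation falls through to the checked path and is denied now that the `allow xen_t dom0_t:domain { create };` rule is removed. The `dom0_created` latch is a function-scope static written without locking; that is presumably safe because dom0 is built once during boot, but the hunk does not show it, so a comment such as `/* dom0 is built once from idle context at boot; no policy check applies */` above the branch would record the assumption. The opening lines of the function body lie outside the hunk.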
diff --git a/xen/xsm/flask/include/objsec.h b/xen/xsm/flask/include/objsec.h
index df5baee..4ff52be 100644
--- a/xen/xsm/flask/include/objsec.h
+++ b/xen/xsm/flask/include/objsec.h
@@ -19,7 +19,6 @@
 
 struct domain_security_struct {
     u32 sid;               /* current SID */
-    u32 create_sid;
 };
 
 struct evtchn_security_struct {
-- 
1.7.11.2




 

