Re: [Xen-devel] [PATCH 01/19] libxl: introduce XSM relabel on build
On Fri, 2012-11-16 at 18:28 +0000, Daniel De Graaf wrote:
> Allow a domain to be built under one security label and run using a
> different label. This can be used to prevent the domain builder or
> control domain from having the ability to access a guest domain's memory
> via map_foreign_range except during the build process where this is
> required.
>
> Note: this does not provide complete protection from a malicious dom0;
> mappings created during the build process may persist after the relabel,
> and could be used to indirectly access the guest's memory.
>
> Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
> Cc: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
> Cc: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
> Cc: Ian Campbell <ian.campbell@xxxxxxxxxx>
> ---
> tools/libxc/xc_flask.c | 10 ++++++++++
> tools/libxc/xenctrl.h | 1 +
> tools/libxl/libxl_create.c | 4 ++++
> tools/libxl/libxl_types.idl | 1 +
> tools/libxl/xl_cmdimpl.c | 20 +++++++++++++++++++-

docs/man... please

> diff --git a/tools/libxl/libxl_types.idl b/tools/libxl/libxl_types.idl
> index 7eac4a8..93524f0 100644
> --- a/tools/libxl/libxl_types.idl
> +++ b/tools/libxl/libxl_types.idl
> @@ -268,6 +268,7 @@ libxl_domain_build_info = Struct("domain_build_info",[
> ("video_memkb", MemKB),
> ("shadow_memkb", MemKB),
> ("rtc_timeoffset", uint32),
> + ("exec_ssidref", uint32),

What is the significance of the "exec_" bit of the name?

> ("localtime", libxl_defbool),
> ("disable_migrate", libxl_defbool),
> ("cpuid", libxl_cpuid_policy_list),
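
Review bot: the new ("exec_ssidref", uint32) entry in libxl_domain_build_info has no comment, and nothing in the hunk says which value means "do not relabel". As a plain uint32 with no stated default, an unset field cannot be told apart from a request for ssidref 0 unless that value is documented as the sentinel, so please state it next to the field. The entry also sits between rtc_timeoffset and localtime, away from anything label-related; a one-line comment saying which of the two labels from the commit message this is (the build-time one or the run-time one) would make the "exec_" prefix self-explanatory.
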
Ian.
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel