[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH 01/19] libxl: introduce XSM relabel on build



On Fri, 2012-11-16 at 18:28 +0000, Daniel De Graaf wrote:
> Allow a domain to be built under one security label and run using a
> different label. This can be used to prevent the domain builder or
> control domain from having the ability to access a guest domain's memory
> via map_foreign_range except during the build process where this is
> required.
> 
> Note: this does not provide complete protection from a malicious dom0;
> mappings created during the build process may persist after the relabel,
> and could be used to indirectly access the guest's memory.
> 
> Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
> Cc: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
> Cc: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
> Cc: Ian Campbell <ian.campbell@xxxxxxxxxx>
> ---
>  tools/libxc/xc_flask.c      | 10 ++++++++++
>  tools/libxc/xenctrl.h       |  1 +
>  tools/libxl/libxl_create.c  |  4 ++++
>  tools/libxl/libxl_types.idl |  1 +
>  tools/libxl/xl_cmdimpl.c    | 20 +++++++++++++++++++-

   docs/man... please

> diff --git a/tools/libxl/libxl_types.idl b/tools/libxl/libxl_types.idl
> index 7eac4a8..93524f0 100644
> --- a/tools/libxl/libxl_types.idl
> +++ b/tools/libxl/libxl_types.idl
> @@ -268,6 +268,7 @@ libxl_domain_build_info = Struct("domain_build_info",[
>      ("video_memkb",     MemKB),
>      ("shadow_memkb",    MemKB),
>      ("rtc_timeoffset",  uint32),
> +    ("exec_ssidref",    uint32),

What is the significance of the "exec_" bit of the name?

>      ("localtime",       libxl_defbool),
>      ("disable_migrate", libxl_defbool),
>      ("cpuid",           libxl_cpuid_policy_list),

Ian.


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.