Re: [Xen-devel] [PATCH 01/19] libxl: introduce XSM relabel on build
On 11/19/2012 05:42 AM, Ian Campbell wrote:
> On Fri, 2012-11-16 at 18:28 +0000, Daniel De Graaf wrote:
>> Allow a domain to be built under one security label and run using a
>> different label. This can be used to prevent the domain builder or
>> control domain from having the ability to access a guest domain's memory
>> via map_foreign_range except during the build process where this is
>> required.
>>
>> Note: this does not provide complete protection from a malicious dom0;
>> mappings created during the build process may persist after the relabel,
>> and could be used to indirectly access the guest's memory.
>>
>> Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
>> Cc: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
>> Cc: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
>> Cc: Ian Campbell <ian.campbell@xxxxxxxxxx>
>> ---
>> tools/libxc/xc_flask.c | 10 ++++++++++
>> tools/libxc/xenctrl.h | 1 +
>> tools/libxl/libxl_create.c | 4 ++++
>> tools/libxl/libxl_types.idl | 1 +
>> tools/libxl/xl_cmdimpl.c | 20 +++++++++++++++++++-
>
> docs/man... please
The following will be included in the next version:
--- a/docs/man/xl.cfg.pod.5
+++ b/docs/man/xl.cfg.pod.5
@@ -270,6 +270,15 @@ UUID will be generated.
Assign an XSM security label to this domain.
+=item B<init_seclabel="LABEL">
+
+Specify an XSM security label used for this domain temporarily during
+its build. The domain's XSM label will be changed to the execution
+seclabel (specified by "seclabel") once the build is complete, prior to
+unpausing the domain. With a properly constructed security policy (such
+as nomigrate_t in the example policy), this can be used to build a
+domain whose memory is not accessible to the toolstack domain.
+
=item B<nomigrate=BOOLEAN>
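Review bot: the closing sentence of the new init_seclabel entry promises "a domain whose memory is not accessible to the toolstack domain", but the commit message above says that mappings created during the build may persist after the relabel and could be used to reach guest memory indirectly; carry that caveat into the man page so an administrator does not read init_seclabel as full isolation from the control domain. The entry also only describes the case where both init_seclabel and seclabel are given; a sentence on what happens when init_seclabel is set without seclabel (or the reverse) would remove the ambiguity.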
>> diff --git a/tools/libxl/libxl_types.idl b/tools/libxl/libxl_types.idl
>> index 7eac4a8..93524f0 100644
>> --- a/tools/libxl/libxl_types.idl
>> +++ b/tools/libxl/libxl_types.idl
>> @@ -268,6 +268,7 @@ libxl_domain_build_info = Struct("domain_build_info",[
>> ("video_memkb", MemKB),
>> ("shadow_memkb", MemKB),
>> ("rtc_timeoffset", uint32),
>> + ("exec_ssidref", uint32),
>
> What is the significance of the "exec_" bit of the name?
This ssidref is the one used during execution of the domain (as opposed to
during build). I chose to add this rather than adding a field called
init_ssidref because the new functionality is the ability to change the label
prior to execution: the existing ssidref is already used at creation.
>> ("localtime", libxl_defbool),
>> ("disable_migrate", libxl_defbool),
>> ("cpuid", libxl_cpuid_policy_list),
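Review bot: the new exec_ssidref field lands in libxl_domain_build_info with nothing saying what its zero value means (presumably "do not relabel, keep the ssidref used at build"), and the diffstat shows no change to libxl.h; document the default next to the field and, if libxl's usual LIBXL_HAVE_ define for new build_info fields applies here, add it so applications can detect the feature. Since the question about the "exec_" prefix shows the build-versus-execution split is not obvious from the name alone, a one-line comment beside the field stating that the existing ssidref is applied at creation and exec_ssidref after the build would record the explanation in the code rather than only on the list.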
>
> Ian.
>
--
Daniel De Graaf
National Security Agency
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel