Re: [Xen-devel] [PATCH 01/19] libxl: introduce XSM relabel on build
On 11/19/2012 05:42 AM, Ian Campbell wrote:
> On Fri, 2012-11-16 at 18:28 +0000, Daniel De Graaf wrote:
>> Allow a domain to be built under one security label and run using a
>> different label. This can be used to prevent the domain builder or
>> control domain from having the ability to access a guest domain's memory
>> via map_foreign_range except during the build process where this is
>> required.
>>
>> Note: this does not provide complete protection from a malicious dom0;
>> mappings created during the build process may persist after the relabel,
>> and could be used to indirectly access the guest's memory.
>>
>> Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
>> Cc: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
>> Cc: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
>> Cc: Ian Campbell <ian.campbell@xxxxxxxxxx>
>> ---
>>  tools/libxc/xc_flask.c      | 10 ++++++++++
>>  tools/libxc/xenctrl.h       |  1 +
>>  tools/libxl/libxl_create.c  |  4 ++++
>>  tools/libxl/libxl_types.idl |  1 +
>>  tools/libxl/xl_cmdimpl.c    | 20 +++++++++++++++++++-
>
> docs/man... please

The following will be included in the next version:

--- a/docs/man/xl.cfg.pod.5
+++ b/docs/man/xl.cfg.pod.5
@@ -270,6 +270,15 @@ UUID will be generated.
 Assign an XSM security label to this domain.
+=item B<init_seclabel="LABEL">
+
+Specify an XSM security label used for this domain temporarily during
+its build. The domain's XSM label will be changed to the execution
+seclabel (specified by "seclabel") once the build is complete, prior to
+unpausing the domain. With a properly constructed security policy (such
+as nomigrate_t in the example policy), this can be used to build a
+domain whose memory is not accessible to the toolstack domain.
+
 =item B<nomigrate=BOOLEAN>

>> diff --git a/tools/libxl/libxl_types.idl b/tools/libxl/libxl_types.idl
>> index 7eac4a8..93524f0 100644
>> --- a/tools/libxl/libxl_types.idl
>> +++ b/tools/libxl/libxl_types.idl
>> @@ -268,6 +268,7 @@ libxl_domain_build_info = Struct("domain_build_info",[
>>      ("video_memkb", MemKB),
>>      ("shadow_memkb", MemKB),
>>      ("rtc_timeoffset", uint32),
>> +    ("exec_ssidref", uint32),
>
> What is the significance of the "exec_" bit of the name?

This ssidref is the one used during execution of the domain (as opposed
to during build). I chose to add this rather than adding a field called
init_ssidref because the new functionality is the ability to change the
label prior to execution: the existing ssidref is already used at
creation.

>>      ("localtime", libxl_defbool),
>>      ("disable_migrate", libxl_defbool),
>>      ("cpuid", libxl_cpuid_policy_list),
>
> Ian.
>

-- 
Daniel De Graaf
National Security Agency

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
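Review bot: the new init_seclabel entry in the xl.cfg.pod.5 hunk should carry the caveat the commit message itself states: foreign mappings the toolstack created during the build can persist after the relabel, so "a domain whose memory is not accessible to the toolstack domain" holds only for mappings attempted after the relabel, not for ones already established. A closing sentence along the lines of "Mappings of the domain's memory established during the build are not revoked by the relabel" would keep administrators from over-trusting the option. The entry should also say what happens when init_seclabel is given without seclabel (whether the domain keeps init_seclabel or the configuration is rejected), since the text as written assumes both are set.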
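Review bot: the ("exec_ssidref", uint32) field added to libxl_domain_build_info has no comment saying when libxl applies it or which value means "do not relabel"; unlike the neighbouring fields in the context lines, its meaning cannot be read off the name alone, and an unset uint32 is 0, so the reader has to guess whether 0 means "keep ssidref" or is a real sid. Add a one-line comment in the IDL (or next to the field's documentation in libxl.h) to that effect. It would also help to note there that the naming crosses over between the two layers: in the xl.cfg text the new option is the build-time label (init_seclabel) and seclabel stays the run-time one, whereas in the IDL the new field is the run-time label (exec_ssidref) and the existing ssidref becomes the one used at creation, which is exactly the question raised in this thread.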
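The build-then-relabel sequence described in the commit message and the xl.cfg text, together with the caveat about mappings that persist across the relabel, as an added example that is not part of this thread and is not Xen, libxc or libxl code: a small Python model of an XSM-style reference monitor that authorises (subject label, object label, permission) only at the moment a foreign mapping is created. The labels dom0_t and domU_building_t, the permission names and the policy table are assumptions constructed for the example; nomigrate_t is the type the patch's documentation mentions. The revoke_mappings option is the example's own illustration of what closing the gap would require, not something the patch implements.

```python
"""Toy model of XSM relabel-on-build (added example, not Xen/libxl code)."""
from dataclasses import dataclass, field

# Constructed policy (not Xen's example policy): allowed
# (subject label, object label, permission) triples.
POLICY = {
    ("dom0_t", "domU_building_t", "map_foreign"),
    ("dom0_t", "domU_building_t", "relabel"),
    ("dom0_t", "domU_building_t", "unpause"),
    ("dom0_t", "nomigrate_t", "unpause"),
    # No ("dom0_t", "nomigrate_t", "map_foreign"): once the domain runs as
    # nomigrate_t, the toolstack may not map its memory.
}


class AccessDenied(PermissionError):
    """Raised when the policy has no matching allow rule."""


@dataclass
class Domain:
    domid: int
    label: str
    memory: bytearray
    foreign_maps: list = field(default_factory=list)


@dataclass
class ForeignMapping:
    """Handle the toolstack gets back from map_foreign_range.

    Like a real mapping it keeps working until somebody tears it down;
    the policy is consulted only when the mapping is created.
    """
    domain: Domain
    revoked: bool = False

    def write(self, data: bytes) -> None:
        if self.revoked:
            raise AccessDenied("mapping revoked")
        self.domain.memory[: len(data)] = data

    def read(self) -> bytes:
        if self.revoked:
            raise AccessDenied("mapping revoked")
        return bytes(self.domain.memory)


def check(subject: str, dom: Domain, perm: str) -> None:
    """Reference-monitor check against the *current* label of dom."""
    if (subject, dom.label, perm) not in POLICY:
        raise AccessDenied(f"{subject} -> {dom.label}: {perm} denied")


def map_foreign_range(subject: str, dom: Domain) -> ForeignMapping:
    check(subject, dom, "map_foreign")
    mapping = ForeignMapping(dom)
    dom.foreign_maps.append(mapping)
    return mapping


def relabel(subject: str, dom: Domain, new_label: str,
            revoke_mappings: bool = False) -> None:
    """Switch dom to its execution label.

    revoke_mappings is this example's illustration of what closing the
    gap noted in the commit message would take; the patch only changes
    the label.
    """
    check(subject, dom, "relabel")
    dom.label = new_label
    if revoke_mappings:
        for mapping in dom.foreign_maps:
            mapping.revoked = True


def build_and_relabel(revoke_on_relabel: bool) -> tuple:
    """Build under the init label, relabel to nomigrate_t, then unpause.

    Returns (new_map_allowed_after_relabel, build_mapping_still_readable).
    """
    dom = Domain(domid=1, label="domU_building_t", memory=bytearray(16))
    build_map = map_foreign_range("dom0_t", dom)   # allowed: build label
    build_map.write(b"guest kernel")                # builder loads the image
    relabel("dom0_t", dom, "nomigrate_t", revoke_mappings=revoke_on_relabel)
    try:
        map_foreign_range("dom0_t", dom)            # denied: execution label
        new_map_allowed = True
    except AccessDenied:
        new_map_allowed = False
    try:
        stale_readable = build_map.read().startswith(b"guest kernel")
    except AccessDenied:
        stale_readable = False
    check("dom0_t", dom, "unpause")                 # still permitted
    return new_map_allowed, stale_readable


if __name__ == "__main__":
    print("relabel only:     ", build_and_relabel(False))   # (False, True)
    print("relabel + revoke: ", build_and_relabel(True))    # (False, False)
```

The first result is the situation the commit message warns about: the relabel blocks new map_foreign_range calls, but the mapping the builder already holds still reads the guest's memory. The second shows that a toolstack wanting the stronger guarantee has to tear down its own build-time mappings before, or as part of, the relabel; the policy check alone cannot do it.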