Xen project Mailing List

Re: [PATCH v2 2/2] flask: implement xsm_transtion_running

From: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>

Date: Thu, 21 Apr 2022 10:39:38 -0400

Arc-authentication-results: i=1; mx.zohomail.com; dkim=pass header.i=apertussolutions.com; spf=pass smtp.mailfrom=dpsmith@xxxxxxxxxxxxxxxxxxxx; dmarc=pass header.from=<dpsmith@xxxxxxxxxxxxxxxxxxxx>

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1650552026; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:To; bh=INRJ/oYyZWUNGp0FaIjHRLa1bulSIckxyOMlagQ3NGc=; b=l0tzb3V9O08FUO6S2NOObjAjxYqEyC6p0stPQSfQLDMZbZCpkixbZl5dZ4uuKuu73WGumbaugfcUEc/N5UwDwiJLM78EICYgBpFXtErtT2Rx4IaGyYBayZpZTexv0VRdioLMvvs+Apn4NkR9IhsQIXuxZdvEa5qusOCbrAMULs8=

Arc-seal: i=1; a=rsa-sha256; t=1650552026; cv=none; d=zohomail.com; s=zohoarc; b=fj+mQqyhFd+gi98MLfSQqZZ31QCRNBG1/Fw/zW1oqrKc0Gg1jR1LLHTQvf/QYXsRJcKMtG8xHzpjvSVi2zaev0iJzqmHXJnRiQ4VFtfOASOLWyAh6GFr2EDQRIocxCFqVVAUgNH95s4t1/Uc3JO3tb3e6YLF0e3Augxxvv5myzA=

Cc: scott.davis@xxxxxxxxxx, jandryuk@xxxxxxxxx, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx

Delivery-date: Thu, 21 Apr 2022 14:40:41 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 4/21/22 05:22, Jan Beulich wrote: > On 21.04.2022 00:28, Daniel P. Smith wrote: >> --- a/xen/xsm/flask/hooks.c >> +++ b/xen/xsm/flask/hooks.c >> @@ -168,7 +168,7 @@ static int cf_check flask_domain_alloc_security(struct >> domain *d) >> switch ( d->domain_id ) >> { >> case DOMID_IDLE: >> - dsec->sid = SECINITSID_XEN; >> + dsec->sid = SECINITSID_XENBOOT; >> break; >> case DOMID_XEN: >> dsec->sid = SECINITSID_DOMXEN; >> @@ -188,6 +188,7 @@ static int cf_check flask_domain_alloc_security(struct >> domain *d) >> >> static void cf_check flask_transition_running(void) >> { >> + struct domain_security_struct *dsec; >> struct domain *d = current->domain; >> >> if ( d->domain_id != DOMID_IDLE ) >> @@ -198,6 +199,10 @@ static void cf_check flask_transition_running(void) >> * set to false for the consistency check(s) in the setup code. >> */ >> d->is_privileged = false; >> + >> + dsec = d->ssid; >> + dsec->sid = SECINITSID_XEN; >> + dsec->self_sid = dsec->sid; >> } > > If replacing SIDs is an okay thing to do, perhaps assert that the > values haven't changed from SECINITSID_XENBOOT prior to replacing > them? Yes, changing a domain's SID is a legitimate action that could be done today via the FLASK_RELABEL_DOMAIN subop of xsm_op hypercall that ends up calling flask_relabel_domain(), when using flask policy. This is where Jason was concerned if I was going to be using that call to change the SID, which would require a policy rule to allow xenboot_t to relabel itself as xen_t. As flask works today, the system domains use initial SIDs which are effectively compile-time labels, which means the policy rule is a static, fixed rule, i.e. it is not possible to use a different set of labels, that must always be present. This also introduces the risk for a custom policy writer to inadvertently leave the xenboot_t to xen_t transitional rule out resulting in a failed access attempt which would lead to a panic. This is unnecessary pain when we can just handle the transition internal to the hypervisor as that where it is all really occurring. As for the ASSERT, that is a good point since there is a specific state we are expecting to enter the hook. Pair that with some thinking I have had to do in answering Jason, Roger, and yourself, I am going to rewire the hook to return a success/error return value and move the panic outside the check. v/r, dps

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.