Re: [PATCH v5 2/2] flask: implement xsm_set_system_active
On Mon, May 2, 2022 at 9:31 AM Daniel P. Smith <dpsmith@xxxxxxxxxxxxxxxxxxxx> wrote: > @@ -188,14 +188,20 @@ static int cf_check flask_domain_alloc_security(struct > domain *d) > > static int cf_check flask_set_system_active(void) > { > + struct domain_security_struct *dsec; > struct domain *d = current->domain; > > + dsec = d->ssid; > + ASSERT(dsec->sid == SECINITSID_XENBOOT); > + > if ( d->domain_id != DOMID_IDLE ) > { > printk("xsm_set_system_active should only be called by idle > domain\n"); > return -EPERM; > } > > + dsec->self_sid = dsec->sid = SECINITSID_XEN; I think you want to re-add setting is_privileged to false. I think from the other thread Roger just thought it should also have the matching assert. It doesn't matter for flask decisions, but it changes the return of is_control_domain. It seems to me it would be better to have idle domains consistent between flask and non-flask instead of having a potentially subtle difference. Regards, Jason
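Review bot: the ASSERT(dsec->sid == SECINITSID_XENBOOT) in flask_set_system_active() sits above the d->domain_id != DOMID_IDLE check, so in a debug build a call from a non-idle domain trips the assertion (if its SID is not SECINITSID_XENBOOT) instead of reaching the printk and the -EPERM return. Consider moving the dsec = d->ssid lookup and the ASSERT below the domain_id check, so that the error path stays reachable and the assertion only covers the idle domain it is meant to describe. The visible lines also update only dsec->sid and dsec->self_sid; if the non-flask hook changes other idle-domain state at this point, a short comment saying why flask does or does not mirror it would help later readers.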