
Re: [PATCH v11] xsm: refactor flask sid alloc and domain check


  • To: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Wed, 3 Aug 2022 17:26:37 +0200
  • Cc: jandryuk@xxxxxxxxx, Wei Liu <wl@xxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
  • Delivery-date: Wed, 03 Aug 2022 15:26:47 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 03.08.2022 17:17, Daniel P. Smith wrote:
> Changes in v11:
> - put back dom0_created variable in flask_domain_create() to ensure the
>   enforcement that dom0_t is a singleton label

Stale patch or bad rev log?

> @@ -548,22 +556,19 @@ static int cf_check flask_domain_create(struct domain 
> *d, uint32_t ssidref)
>  {
>      int rc;
>      struct domain_security_struct *dsec = d->ssid;
> -    static int dom0_created = 0;

The variable is going away here, and it is not re-appearing elsewhere.

Jan

> -    if ( is_idle_domain(current->domain) && !dom0_created )
> -    {
> -        dsec->sid = SECINITSID_DOM0;
> -        dom0_created = 1;
> -    }
> -    else
> -    {
> -        rc = avc_current_has_perm(ssidref, SECCLASS_DOMAIN,
> -                          DOMAIN__CREATE, NULL);
> -        if ( rc )
> -            return rc;
> +    /*
> +     * If the null label is passed, then use the label from security context
> +     * allocation.
> +     */
> +    if ( ssidref == 0 )
> +        ssidref = dsec->sid;
>  
> -        dsec->sid = ssidref;
> -    }
> +    rc = avc_current_has_perm(ssidref, SECCLASS_DOMAIN, DOMAIN__CREATE, 
> NULL);
> +    if ( rc )
> +        return rc;
> +
> +    dsec->sid = ssidref;
>      dsec->self_sid = dsec->sid;
>  
>      rc = security_transition_sid(dsec->sid, dsec->sid, SECCLASS_DOMAIN,
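Review bot: the rev log entry "put back dom0_created variable" contradicts this hunk, which deletes `static int dom0_created = 0;` together with the whole `if ( is_idle_domain(current->domain) && !dom0_created )` branch that assigned `SECINITSID_DOM0` and set `dom0_created = 1`; either the log or the patch is stale, and the commit message should state where, if anywhere, the "dom0_t is a singleton label" enforcement now lives. The behavioural consequence visible in the hunk also deserves a sentence in the description: the idle-domain special case that skipped the permission check is gone, so `avc_current_has_perm(ssidref, SECCLASS_DOMAIN, DOMAIN__CREATE, NULL)` now runs for every domain creation, and when `ssidref == 0` the label checked is whatever `dsec->sid` was set to by "security context allocation" per the new comment, which should be named explicitly so a reader can verify that path initialises `dsec->sid` before this function is reached.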