From nobody Fri May 3 14:30:59 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) client-ip=192.237.175.120; envelope-from=xen-devel-bounces@lists.xenproject.org; helo=lists.xenproject.org; Authentication-Results: mx.zohomail.com; dkim=pass header.i=dpsmith@apertussolutions.com; spf=pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; arc=pass (i=1 dmarc=pass fromdomain=apertussolutions.com) ARC-Seal: i=2; a=rsa-sha256; t=1656555713; cv=pass; d=zohomail.com; s=zohoarc; b=XT6eRGS8I7zL1V1Fc5bC1E0MT9Xh6EQZO3xWWJntma6BmpUOZJYIMCFLuq+OCW1iWPB3684jsjB6qLILASwIZwgaSOhLrs1QHFedW3PV6GvvBtEXZOQ6g2y/krXkoGgv8tMDZk3ywGJwJQFWvnvz1hEq86aQkdR5q7fh+aujtjA= ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1656555713; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=Y1u1KN5rb+4xb8wageG1qE7t6SXe6Jl3PmiVFY61+kE=; b=OcxkMqpHPoDKGpLnco7DF5pGysbiT+pSI6oz3RgFIqnhvctnCgPlRqFncq/tGMz1+vh5xnYbOxHUkpFrSnh+9XRBxwI3wZVW+mRs7CGol81M+l/fKB/evBbhgfYAQk+I1YaKWV0UNPd+rMeN0ZPcB7ncTcCF5Tm0Ave86CyfOvM= ARC-Authentication-Results: i=2; mx.zohomail.com; dkim=pass header.i=dpsmith@apertussolutions.com; spf=pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; arc=pass (i=1 dmarc=pass fromdomain=apertussolutions.com) Return-Path: Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) by mx.zohomail.com with SMTPS id 1656555713529609.5926242509988; Wed, 29 Jun 2022 19:21:53 -0700 (PDT) Received: from list by lists.xenproject.org with outflank-mailman.358151.587192 (Exim 4.92) (envelope-from ) id 1o6joC-0007UE-Fn; Thu, 30 Jun 2022 02:21:32 +0000 Received: by outflank-mailman (output) from mailman id 358151.587192; Thu, 30 Jun 2022 02:21:32 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1o6joC-0007U7-B8; Thu, 30 Jun 2022 02:21:32 +0000 Received: by outflank-mailman (input) for mailman id 358151; Thu, 30 Jun 2022 02:21:32 +0000 Received: from se1-gles-flk1-in.inumbo.com ([94.247.172.50] helo=se1-gles-flk1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1o6joB-0007DT-Vd for xen-devel@lists.xenproject.org; Thu, 30 Jun 2022 02:21:32 +0000 Received: from sender4-of-o51.zoho.com (sender4-of-o51.zoho.com [136.143.188.51]) by se1-gles-flk1.inumbo.com (Halon) with ESMTPS id 5987cd99-f81b-11ec-bdce-3d151da133c5; Thu, 30 Jun 2022 04:21:30 +0200 (CEST) Received: from sisyou.hme. (static-72-81-132-2.bltmmd.fios.verizon.net [72.81.132.2]) by mx.zohomail.com with SMTPS id 1656555681174357.5298548276269; Wed, 29 Jun 2022 19:21:21 -0700 (PDT) X-Outflank-Mailman: Message body and most headers restored to incoming version X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: 5987cd99-f81b-11ec-bdce-3d151da133c5 ARC-Seal: i=1; a=rsa-sha256; t=1656555683; cv=none; d=zohomail.com; s=zohoarc; b=KkZjrAWhyCzxuaTfk4HyOQcABlZH9V2u2VGeNfUtgSBEPaiW8EcX25QVk+aThyW9bcgg3bJqrM95slVa9TIxdA4h+yGvABsf5rTdS/k22BZQLN2GL90Gzdtwy9/U2MuPUzn9sbVwTZPi39AjjdcwEZpgv4QXQOXCjwozdBvFwbw= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1656555683; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:To; bh=Y1u1KN5rb+4xb8wageG1qE7t6SXe6Jl3PmiVFY61+kE=; b=Zn8YMEOXaaK+TNIthX1/WdUBSMd7zWqTnMRnbG1IGteneXA8OGbhNdOL9NTDN/Nf2Gy13oA4JkaVf03ejogINWyH479y/V9pPQmPUIai1km+MjHkC0YYMLxa9scilQzKOPwhGWD/KJRfPh7p6rZJ2bBiIhbICD35UUoPRRGsdDw= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass header.i=apertussolutions.com; spf=pass smtp.mailfrom=dpsmith@apertussolutions.com; dmarc=pass header.from= DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1656555683; s=zoho; d=apertussolutions.com; i=dpsmith@apertussolutions.com; h=From:From:To:To:Cc:Cc:Subject:Subject:Date:Date:Message-Id:Message-Id:In-Reply-To:References:MIME-Version:Content-Type:Content-Transfer-Encoding:Reply-To; bh=Y1u1KN5rb+4xb8wageG1qE7t6SXe6Jl3PmiVFY61+kE=; b=CDFj8biAa4oX+RJ4/e8TqpgpEsW22yRnV8rI/aB9bOpWv1qSh0wC7xxo1sEJfX76 5CJOpU4FvTl4JNGrYX6Yswzl6qAaIJr8hTww9bPjv1nCyoy2+AHp67JNaL3OpfDPZ9G 51UOBOTGIiXMDRkpj3Xs8gI2OrqMKnFrBz+WfYA8= From: "Daniel P. Smith" To: xen-devel@lists.xenproject.org, Volodymyr Babchuk , Wei Liu , "Daniel P. Smith" Cc: scott.davis@starlab.io, jandryuk@gmail.com, christopher.clark@starlab.io, Luca Fancellu , Julien Grall , Rahul Singh , Stefano Stabellini , Julien Grall , Bertrand Marquis , Jan Beulich , Andrew Cooper , =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= , George Dunlap , Dario Faggioli , Daniel De Graaf Subject: [PATCH v9 1/3] xsm: create idle domain privileged and demote after setup Date: Wed, 29 Jun 2022 22:21:08 -0400 Message-Id: <20220630022110.31555-2-dpsmith@apertussolutions.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20220630022110.31555-1-dpsmith@apertussolutions.com> References: <20220630022110.31555-1-dpsmith@apertussolutions.com> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-ZohoMailClient: External X-ZohoMail-DKIM: pass (identity dpsmith@apertussolutions.com) X-ZM-MESSAGEID: 1656555714221100003 There are new capabilities, dom0less and hyperlaunch, that introduce intern= al hypervisor logic, which needs to make resource allocation calls that are protected by XSM access checks. The need for these resource allocations are necessary for dom0less and hyperlaunch when they are constructing the initi= al domain(s). =C2=A0This creates an issue as a subset of the hypervisor code is executed under a system domain, the idle domain, that is represented by a per-CPU non-privileged struct domain. To enable these new capabilities to function correctly but in a controlled manner, this commit changes the idle system domain to be created as a privileged domain under the default policy= and demoted before transitioning to running. A new XSM hook, xsm_set_system_active(), is introduced to allow each XSM policy type to dem= ote the idle domain appropriately for that policy type. In the case of SILO, it inherits the default policy's hook for xsm_set_system_active(). For flask, a stub is added to ensure that flask policy system will function correctly with this patch until flask is extended with support for starting= the idle domain privileged and properly demoting it on the call to xsm_set_system_active(). Signed-off-by: Daniel P. Smith Reviewed-by: Jason Andryuk Reviewed-by: Luca Fancellu Acked-by: Julien Grall # arm Reviewed-by: Rahul Singh Tested-by: Rahul Singh Acked-by: Roger Pau Monn=C3=A9 --- xen/arch/arm/setup.c | 3 +++ xen/arch/x86/setup.c | 4 ++++ xen/common/sched/core.c | 7 ++++++- xen/include/xsm/dummy.h | 17 +++++++++++++++++ xen/include/xsm/xsm.h | 6 ++++++ xen/xsm/dummy.c | 1 + xen/xsm/flask/hooks.c | 23 +++++++++++++++++++++++ 7 files changed, 60 insertions(+), 1 deletion(-) diff --git a/xen/arch/arm/setup.c b/xen/arch/arm/setup.c index 577c54e6fb..85ff956ec2 100644 --- a/xen/arch/arm/setup.c +++ b/xen/arch/arm/setup.c @@ -1063,6 +1063,9 @@ void __init start_xen(unsigned long boot_phys_offset, /* Hide UART from DOM0 if we're using it */ serial_endboot(); =20 + if ( (rc =3D xsm_set_system_active()) !=3D 0 ) + panic("xsm: unable to switch to SYSTEM_ACTIVE privilege: %d\n", rc= ); + system_state =3D SYS_STATE_active; =20 for_each_domain( d ) diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c index 53a73010e0..f08b07b8de 100644 --- a/xen/arch/x86/setup.c +++ b/xen/arch/x86/setup.c @@ -619,6 +619,10 @@ static void noreturn init_done(void) { void *va; unsigned long start, end; + int err; + + if ( (err =3D xsm_set_system_active()) !=3D 0 ) + panic("xsm: unable to switch to SYSTEM_ACTIVE privilege: %d\n", er= r); =20 system_state =3D SYS_STATE_active; =20 diff --git a/xen/common/sched/core.c b/xen/common/sched/core.c index 8c73489654..250207038e 100644 --- a/xen/common/sched/core.c +++ b/xen/common/sched/core.c @@ -3033,7 +3033,12 @@ void __init scheduler_init(void) sched_ratelimit_us =3D SCHED_DEFAULT_RATELIMIT_US; } =20 - idle_domain =3D domain_create(DOMID_IDLE, NULL, 0); + /* + * The idle dom is created privileged to ensure unrestricted access du= ring + * setup and will be demoted by xsm_set_system_active() when setup is + * complete. + */ + idle_domain =3D domain_create(DOMID_IDLE, NULL, CDF_privileged); BUG_ON(IS_ERR(idle_domain)); BUG_ON(nr_cpu_ids > ARRAY_SIZE(idle_vcpu)); idle_domain->vcpu =3D idle_vcpu; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 58afc1d589..77f27e7163 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -101,6 +101,23 @@ static always_inline int xsm_default_action( } } =20 +static XSM_INLINE int cf_check xsm_set_system_active(void) +{ + struct domain *d =3D current->domain; + + ASSERT(d->is_privileged); + + if ( d->domain_id !=3D DOMID_IDLE ) + { + printk("%s: should only be called by idle domain\n", __func__); + return -EPERM; + } + + d->is_privileged =3D false; + + return 0; +} + static XSM_INLINE void cf_check xsm_security_domaininfo( struct domain *d, struct xen_domctl_getdomaininfo *info) { diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index 3e2b7fe3db..8dad03fd3d 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -52,6 +52,7 @@ typedef enum xsm_default xsm_default_t; * !!! WARNING !!! */ struct xsm_ops { + int (*set_system_active)(void); void (*security_domaininfo)(struct domain *d, struct xen_domctl_getdomaininfo *info); int (*domain_create)(struct domain *d, uint32_t ssidref); @@ -208,6 +209,11 @@ extern struct xsm_ops xsm_ops; =20 #ifndef XSM_NO_WRAPPERS =20 +static inline int xsm_set_system_active(void) +{ + return alternative_call(xsm_ops.set_system_active); +} + static inline void xsm_security_domaininfo( struct domain *d, struct xen_domctl_getdomaininfo *info) { diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index 8c044ef615..e6ffa948f7 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -14,6 +14,7 @@ #include =20 static const struct xsm_ops __initconst_cf_clobber dummy_ops =3D { + .set_system_active =3D xsm_set_system_active, .security_domaininfo =3D xsm_security_domaininfo, .domain_create =3D xsm_domain_create, .getdomaininfo =3D xsm_getdomaininfo, diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 6ffafc2f44..c97c44f803 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -191,6 +191,28 @@ static int cf_check flask_domain_alloc_security(struct= domain *d) return 0; } =20 +static int cf_check flask_set_system_active(void) +{ + struct domain *d =3D current->domain; + + ASSERT(d->is_privileged); + + if ( d->domain_id !=3D DOMID_IDLE ) + { + printk("%s: should only be called by idle domain\n", __func__); + return -EPERM; + } + + /* + * While is_privileged has no significant meaning under flask, set to = false + * as is_privileged is not only used for a privilege check but also as= a + * type of domain check, specifically if the domain is the control dom= ain. + */ + d->is_privileged =3D false; + + return 0; +} + static void cf_check flask_domain_free_security(struct domain *d) { struct domain_security_struct *dsec =3D d->ssid; @@ -1774,6 +1796,7 @@ static int cf_check flask_argo_send( #endif =20 static const struct xsm_ops __initconst_cf_clobber flask_ops =3D { + .set_system_active =3D flask_set_system_active, .security_domaininfo =3D flask_security_domaininfo, .domain_create =3D flask_domain_create, .getdomaininfo =3D flask_getdomaininfo, --=20 2.20.1 From nobody Fri May 3 14:30:59 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) client-ip=192.237.175.120; envelope-from=xen-devel-bounces@lists.xenproject.org; helo=lists.xenproject.org; Authentication-Results: mx.zohomail.com; dkim=pass header.i=dpsmith@apertussolutions.com; spf=pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; arc=pass (i=1 dmarc=pass fromdomain=apertussolutions.com) ARC-Seal: i=2; a=rsa-sha256; t=1656555752; cv=pass; d=zohomail.com; s=zohoarc; b=aA9fPLFlzV3FItAp62V26nHUPsUrfoMCm6WA4M+8ozJ14QJDF5mY6DcScCcWoKzcrzEjLINNX0Pbfduvt6WUeZ1jvgZDYJPAog/jTekxhzhp98byM4hsTMdwKKCl5hkGdwWOh1zlcN6ICwZBVnUUKNPKS8kHOoQ6JVMHzM5K+ro= ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1656555752; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=lgQtLIGn/s1ADo/YMy42iciFpzQ0Han+37xft97wtw4=; b=KU6xW5LBMxYdBJxJOOOc2RLWYuft6YtyUTmpVWGuALmccnPVSXxb9qXXMzviS5vomUHMM7xqPVnVvuFxVu40EUltVW/jFUzF8HeW+3E9G3fDjvQas6s9gpH0g7cEBTd3vkdqNXNDQIV8Sdy5CtGCXs892IMRJNOwgNeaxndIf5I= ARC-Authentication-Results: i=2; mx.zohomail.com; dkim=pass header.i=dpsmith@apertussolutions.com; spf=pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; arc=pass (i=1 dmarc=pass fromdomain=apertussolutions.com) Return-Path: Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) by mx.zohomail.com with SMTPS id 1656555752339832.9750186093847; Wed, 29 Jun 2022 19:22:32 -0700 (PDT) Received: from list by lists.xenproject.org with outflank-mailman.358159.587203 (Exim 4.92) (envelope-from ) id 1o6joi-0008G5-OK; Thu, 30 Jun 2022 02:22:04 +0000 Received: by outflank-mailman (output) from mailman id 358159.587203; Thu, 30 Jun 2022 02:22:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1o6joi-0008Ep-Jo; Thu, 30 Jun 2022 02:22:04 +0000 Received: by outflank-mailman (input) for mailman id 358159; Thu, 30 Jun 2022 02:22:03 +0000 Received: from se1-gles-sth1-in.inumbo.com ([159.253.27.254] helo=se1-gles-sth1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1o6joh-0008BT-A4 for xen-devel@lists.xenproject.org; Thu, 30 Jun 2022 02:22:03 +0000 Received: from sender4-of-o51.zoho.com (sender4-of-o51.zoho.com [136.143.188.51]) by se1-gles-sth1.inumbo.com (Halon) with ESMTPS id 6beadad3-f81b-11ec-bd2d-47488cf2e6aa; Thu, 30 Jun 2022 04:22:01 +0200 (CEST) Received: from sisyou.hme. (static-72-81-132-2.bltmmd.fios.verizon.net [72.81.132.2]) by mx.zohomail.com with SMTPS id 1656555682878122.91886337918402; Wed, 29 Jun 2022 19:21:22 -0700 (PDT) X-Outflank-Mailman: Message body and most headers restored to incoming version X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: 6beadad3-f81b-11ec-bd2d-47488cf2e6aa ARC-Seal: i=1; a=rsa-sha256; t=1656555685; cv=none; d=zohomail.com; s=zohoarc; b=beWn45PMRfvxFhMizYRNdnezsGJT5qkQk2GeVtvsU4doaI4qGTEH92PNUfVkzgOCP19hPXkZ4neQMnQqWwEE8FLs0RR7xC2oaJg7LxODwyXeg+CcF6gamkP4pPaH+pAAIgiiSh6/J7MtBzgmLcKA8a2d7YUA6VnR3jO+t/Q21JE= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1656555685; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:To; bh=lgQtLIGn/s1ADo/YMy42iciFpzQ0Han+37xft97wtw4=; b=mOUUOw+SCuiGAlKPfFqV32hrboan+vKN9hsj6xxFGVIUd+D7YhhvypbiNE4dDZZXYQcYIiUOqT+kmOhpP6SXQ1npX7VteJmtHNK8jHfn6PNZv0cio8LW21vQRy0SVlfn9rLaYEuBJdQWP0U7Ngqv5g7bfoiuFltRQS5CtSYk5Z8= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass header.i=apertussolutions.com; spf=pass smtp.mailfrom=dpsmith@apertussolutions.com; dmarc=pass header.from= DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1656555685; s=zoho; d=apertussolutions.com; i=dpsmith@apertussolutions.com; h=From:From:To:To:Cc:Cc:Subject:Subject:Date:Date:Message-Id:Message-Id:In-Reply-To:References:MIME-Version:Content-Transfer-Encoding:Reply-To; bh=lgQtLIGn/s1ADo/YMy42iciFpzQ0Han+37xft97wtw4=; b=jqaEV/m+/820i+9oBGJS2fZd+R8jU6KNKf8cUovdFCAei597pVP1g19wEyIXtEi6 ffYNQ4uC280IlUL9/Umjye0SLXunFLGxj8yW3RjcJ3P7DuH1Y0t1Q3TzUmlAo5JY+oh 5lKx4GYFNIf/NjuCoxxTtzu8pruzoTJ2u0vXe1cE= From: "Daniel P. Smith" To: xen-devel@lists.xenproject.org, "Daniel P. Smith" Cc: scott.davis@starlab.io, jandryuk@gmail.com, christopher.clark@starlab.io, Luca Fancellu , Rahul Singh , Daniel De Graaf , Wei Liu , Anthony PERARD Subject: [PATCH v9 2/3] flask: implement xsm_set_system_active Date: Wed, 29 Jun 2022 22:21:09 -0400 Message-Id: <20220630022110.31555-3-dpsmith@apertussolutions.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20220630022110.31555-1-dpsmith@apertussolutions.com> References: <20220630022110.31555-1-dpsmith@apertussolutions.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-ZohoMailClient: External X-ZohoMail-DKIM: pass (identity dpsmith@apertussolutions.com) X-ZM-MESSAGEID: 1656555754412100001 Content-Type: text/plain; charset="utf-8" This commit implements full support for starting the idle domain privileged= by introducing a new flask label xenboot_t which the idle domain is labeled wi= th at creation. It then provides the implementation for the XSM hook xsm_set_system_active to relabel the idle domain to the existing xen_t flask label. In the reference flask policy a new macro, xen_build_domain(target), is introduced for creating policies for dom0less/hyperlaunch allowing the hypervisor to create and assign the necessary resources for domain construction. Signed-off-by: Daniel P. Smith Reviewed-by: Jason Andryuk Reviewed-by: Luca Fancellu Tested-by: Luca Fancellu Reviewed-by: Rahul Singh Tested-by: Rahul Singh --- tools/flask/policy/modules/xen.if | 7 +++++++ tools/flask/policy/modules/xen.te | 1 + tools/flask/policy/policy/initial_sids | 1 + xen/xsm/flask/hooks.c | 9 ++++++++- xen/xsm/flask/policy/initial_sids | 1 + 5 files changed, 18 insertions(+), 1 deletion(-) diff --git a/tools/flask/policy/modules/xen.if b/tools/flask/policy/modules= /xen.if index 5e2aa472b6..424daab6a0 100644 --- a/tools/flask/policy/modules/xen.if +++ b/tools/flask/policy/modules/xen.if @@ -62,6 +62,13 @@ define(`create_domain_common', ` setparam altp2mhvm altp2mhvm_op dm }; ') =20 +# xen_build_domain(target) +# Allow a domain to be created at boot by the hypervisor +define(`xen_build_domain', ` + allow xenboot_t $1:domain create; + allow xenboot_t $1_channel:event create; +') + # create_domain(priv, target) # Allow a domain to be created directly define(`create_domain', ` diff --git a/tools/flask/policy/modules/xen.te b/tools/flask/policy/modules= /xen.te index 3dbf93d2b8..de98206fdd 100644 --- a/tools/flask/policy/modules/xen.te +++ b/tools/flask/policy/modules/xen.te @@ -24,6 +24,7 @@ attribute mls_priv; ##########################################################################= ###### =20 # The hypervisor itself +type xenboot_t, xen_type, mls_priv; type xen_t, xen_type, mls_priv; =20 # Domain 0 diff --git a/tools/flask/policy/policy/initial_sids b/tools/flask/policy/po= licy/initial_sids index 6b7b7eff21..ec729d3ba3 100644 --- a/tools/flask/policy/policy/initial_sids +++ b/tools/flask/policy/policy/initial_sids @@ -2,6 +2,7 @@ # objects created before the policy is loaded or for objects that do not h= ave a # label defined in some other manner. =20 +sid xenboot gen_context(system_u:system_r:xenboot_t,s0) sid xen gen_context(system_u:system_r:xen_t,s0) sid dom0 gen_context(system_u:system_r:dom0_t,s0) sid domxen gen_context(system_u:system_r:domxen_t,s0) diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index c97c44f803..8c9cd0f297 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -173,7 +173,7 @@ static int cf_check flask_domain_alloc_security(struct = domain *d) switch ( d->domain_id ) { case DOMID_IDLE: - dsec->sid =3D SECINITSID_XEN; + dsec->sid =3D SECINITSID_XENBOOT; break; case DOMID_XEN: dsec->sid =3D SECINITSID_DOMXEN; @@ -193,9 +193,14 @@ static int cf_check flask_domain_alloc_security(struct= domain *d) =20 static int cf_check flask_set_system_active(void) { + struct domain_security_struct *dsec; struct domain *d =3D current->domain; =20 + dsec =3D d->ssid; + ASSERT(d->is_privileged); + ASSERT(dsec->sid =3D=3D SECINITSID_XENBOOT); + ASSERT(dsec->self_sid =3D=3D SECINITSID_XENBOOT); =20 if ( d->domain_id !=3D DOMID_IDLE ) { @@ -210,6 +215,8 @@ static int cf_check flask_set_system_active(void) */ d->is_privileged =3D false; =20 + dsec->self_sid =3D dsec->sid =3D SECINITSID_XEN; + return 0; } =20 diff --git a/xen/xsm/flask/policy/initial_sids b/xen/xsm/flask/policy/initi= al_sids index 7eca70d339..e8b55b8368 100644 --- a/xen/xsm/flask/policy/initial_sids +++ b/xen/xsm/flask/policy/initial_sids @@ -3,6 +3,7 @@ # # Define initial security identifiers=20 # +sid xenboot sid xen sid dom0 sid domio --=20 2.20.1 From nobody Fri May 3 14:30:59 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) client-ip=192.237.175.120; envelope-from=xen-devel-bounces@lists.xenproject.org; helo=lists.xenproject.org; Authentication-Results: mx.zohomail.com; dkim=pass header.i=dpsmith@apertussolutions.com; spf=pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; arc=pass (i=1 dmarc=pass fromdomain=apertussolutions.com) ARC-Seal: i=2; a=rsa-sha256; t=1656555763; cv=pass; d=zohomail.com; s=zohoarc; b=nooYTle3RDDVvPaIGiDcmHMFvDhx3Uuz4DNQM1HyaHJiL1qAXJM6GzSA/9sXrWUgx/LluKxzIKtktDUA/qcjwe3fRSPJ9/Ng+7H3/j57aR1IvQF4ow7p0t6EMCz6F7lISI8LDy8Df9cWNQnggCDZVtfCHrHi9/SO5PiRhKIHNbU= ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1656555763; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=tlQWv3Rz2gRTz+BpNK92sdZYks2PMVMJJttWyeIdrUk=; b=T+0j9AT1IPTQK3uklTDymHKeQS6Nnc7kmfkGYrKjnrCJMKOMsNjSftd10V6xnLAmuAUpJpUMISCyWIauDWvKed8UqIeuPrBlbFQphUZux0lQgHc8Sa5+ycV1YY7+kflHzFzZTQ3m4XnrmnqZhJxgCd7wOAOMMqbbTFQtrvO21LU= ARC-Authentication-Results: i=2; mx.zohomail.com; dkim=pass header.i=dpsmith@apertussolutions.com; spf=pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; arc=pass (i=1 dmarc=pass fromdomain=apertussolutions.com) Return-Path: Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) by mx.zohomail.com with SMTPS id 1656555763443832.7715421436841; Wed, 29 Jun 2022 19:22:43 -0700 (PDT) Received: from list by lists.xenproject.org with outflank-mailman.358162.587213 (Exim 4.92) (envelope-from ) id 1o6jp5-0000JA-0m; Thu, 30 Jun 2022 02:22:27 +0000 Received: by outflank-mailman (output) from mailman id 358162.587213; Thu, 30 Jun 2022 02:22:26 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1o6jp4-0000J3-U4; Thu, 30 Jun 2022 02:22:26 +0000 Received: by outflank-mailman (input) for mailman id 358162; Thu, 30 Jun 2022 02:22:25 +0000 Received: from se1-gles-sth1-in.inumbo.com ([159.253.27.254] helo=se1-gles-sth1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1o6jp3-0008BT-FC for xen-devel@lists.xenproject.org; Thu, 30 Jun 2022 02:22:25 +0000 Received: from sender4-of-o51.zoho.com (sender4-of-o51.zoho.com [136.143.188.51]) by se1-gles-sth1.inumbo.com (Halon) with ESMTPS id 79b04c7c-f81b-11ec-bd2d-47488cf2e6aa; Thu, 30 Jun 2022 04:22:24 +0200 (CEST) Received: from sisyou.hme. (static-72-81-132-2.bltmmd.fios.verizon.net [72.81.132.2]) by mx.zohomail.com with SMTPS id 1656555684266753.5376810279763; Wed, 29 Jun 2022 19:21:24 -0700 (PDT) X-Outflank-Mailman: Message body and most headers restored to incoming version X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: 79b04c7c-f81b-11ec-bd2d-47488cf2e6aa ARC-Seal: i=1; a=rsa-sha256; t=1656555685; cv=none; d=zohomail.com; s=zohoarc; b=mYop27cKJl+Hmae0mmbw30oqw52xmdc7fV5P5iUOIyOt8fZiB3e7AEI34J+ZuOOhDSE4+gfFgiGzZZnujk01tQQSLEBvkMjwNhZngt6hx2Hvhc5n+rXkt8ZTANbiiD6baa+RwzuD9X8JOhl4zt6glPVRpm5Y9BGoQmH7XXuzoBU= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1656555685; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:To; bh=tlQWv3Rz2gRTz+BpNK92sdZYks2PMVMJJttWyeIdrUk=; b=Jnb6FbLXL0hEpkIFCRP+1kxfAE85YAgZCzWa2i90pzYWf1BulCvO9egCf7WZylXUmT5tuMmyVSy0kmN5ZD/MZCkgKvjyXvIZEhqaQ2UHh+KG+UWWnRc1X4YTP+qhcJsF7IbKr5UIgFtmJCBpgtVnJOpUGdyqoho53Nk0p7Emx6A= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass header.i=apertussolutions.com; spf=pass smtp.mailfrom=dpsmith@apertussolutions.com; dmarc=pass header.from= DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1656555685; s=zoho; d=apertussolutions.com; i=dpsmith@apertussolutions.com; h=From:From:To:To:Cc:Cc:Subject:Subject:Date:Date:Message-Id:Message-Id:In-Reply-To:References:MIME-Version:Content-Type:Content-Transfer-Encoding:Reply-To; bh=tlQWv3Rz2gRTz+BpNK92sdZYks2PMVMJJttWyeIdrUk=; b=n9weZOBj6+lDaTHCecVjlcFGekNIr0LkNffiAlFm7i5Pw0k76kRQM89psgp4IRDz NS7ZiJJsmrahuUXDZ6S5hVT+NULP5yM3OrbQbguLlvj8CV8yswTOaiWb5YfcIR81sw5 /9ad6XlXHtQ9zekJumjJY2dvKhQYySQNA/U4HzP0= From: "Daniel P. Smith" To: xen-devel@lists.xenproject.org, "Daniel P. Smith" Cc: scott.davis@starlab.io, jandryuk@gmail.com, christopher.clark@starlab.io, Daniel De Graaf , Wei Liu , Anthony PERARD Subject: [PATCH v9 3/3] xsm: refactor flask sid alloc and domain check Date: Wed, 29 Jun 2022 22:21:10 -0400 Message-Id: <20220630022110.31555-4-dpsmith@apertussolutions.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20220630022110.31555-1-dpsmith@apertussolutions.com> References: <20220630022110.31555-1-dpsmith@apertussolutions.com> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-ZohoMailClient: External X-ZohoMail-DKIM: pass (identity dpsmith@apertussolutions.com) X-ZM-MESSAGEID: 1656555764214100001 The function flask_domain_alloc_security() is where a default sid should be assigned to a domain under construction. For reasons unknown, the initial domain would be assigned unlabeled_t and then fixed up under flask_domain_create(). =C2=A0With the introduction of xenboot_t it is now p= ossible to distinguish when the hypervisor is in the boot state. This commit looks to correct this by using a check to see if the hypervisor= is under the xenboot_t context in flask_domain_alloc_security(). If it is, the= n it will inspect the domain's is_privileged field, and select the appropriate default label, dom0_t or domU_t, for the domain. The logic for flask_domain_create() was changed to allow the incoming sid to override the default label. The base policy was adjusted to allow the idle domain under the xenboot_t context to be able to construct domains of both types, dom0 and domU. Signed-off-by: Daniel P. Smith Tested-by: Henry Wang --- tools/flask/policy/modules/dom0.te | 3 +++ tools/flask/policy/modules/domU.te | 3 +++ xen/xsm/flask/hooks.c | 34 ++++++++++++++++++------------ 3 files changed, 26 insertions(+), 14 deletions(-) diff --git a/tools/flask/policy/modules/dom0.te b/tools/flask/policy/module= s/dom0.te index 0a63ce15b6..2022bb9636 100644 --- a/tools/flask/policy/modules/dom0.te +++ b/tools/flask/policy/modules/dom0.te @@ -75,3 +75,6 @@ admin_device(dom0_t, ioport_t) admin_device(dom0_t, iomem_t) =20 domain_comms(dom0_t, dom0_t) + +# Allow they hypervisor to build domains of type dom0_t +xen_build_domain(dom0_t) diff --git a/tools/flask/policy/modules/domU.te b/tools/flask/policy/module= s/domU.te index b77df29d56..73fc90c3c6 100644 --- a/tools/flask/policy/modules/domU.te +++ b/tools/flask/policy/modules/domU.te @@ -13,6 +13,9 @@ domain_comms(domU_t, domU_t) migrate_domain_out(dom0_t, domU_t) domain_self_comms(domU_t) =20 +# Allow they hypervisor to build domains of type domU_t +xen_build_domain(domU_t) + # Device model for domU_t. You can define distinct types for device model= s for # domains of other types, or add more make_device_model lines for this typ= e. declare_domain(dm_dom_t) diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 8c9cd0f297..caa0ae7d4c 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -182,7 +182,15 @@ static int cf_check flask_domain_alloc_security(struct= domain *d) dsec->sid =3D SECINITSID_DOMIO; break; default: - dsec->sid =3D SECINITSID_UNLABELED; + if ( domain_sid(current->domain) =3D=3D SECINITSID_XENBOOT ) + { + if ( d->is_privileged ) + dsec->sid =3D SECINITSID_DOM0; + else + dsec->sid =3D SECINITSID_DOMU; + } + else + dsec->sid =3D SECINITSID_UNLABELED; } =20 dsec->self_sid =3D dsec->sid; @@ -548,23 +556,21 @@ static int cf_check flask_domain_create(struct domain= *d, uint32_t ssidref) { int rc; struct domain_security_struct *dsec =3D d->ssid; - static int dom0_created =3D 0; =20 - if ( is_idle_domain(current->domain) && !dom0_created ) - { - dsec->sid =3D SECINITSID_DOM0; - dom0_created =3D 1; - } - else + /* + * If domain has not already been labeled or a valid new label is prov= ided, + * then use the provided label, otherwise use the existing label. + */ + if ( dsec->sid =3D=3D SECINITSID_UNLABELED || ssidref > 0 ) { - rc =3D avc_current_has_perm(ssidref, SECCLASS_DOMAIN, - DOMAIN__CREATE, NULL); - if ( rc ) - return rc; - dsec->sid =3D ssidref; + dsec->self_sid =3D dsec->sid; } - dsec->self_sid =3D dsec->sid; + + rc =3D avc_current_has_perm(dsec->sid, SECCLASS_DOMAIN, + DOMAIN__CREATE, NULL); + if ( rc ) + return rc; =20 rc =3D security_transition_sid(dsec->sid, dsec->sid, SECCLASS_DOMAIN, &dsec->self_sid); --=20 2.20.1