From nobody Mon Feb 9 00:55:22 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) client-ip=192.237.175.120; envelope-from=xen-devel-bounces@lists.xenproject.org; helo=lists.xenproject.org; Authentication-Results: mx.zohomail.com; dkim=pass header.i=dpsmith@apertussolutions.com; spf=pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; arc=pass (i=1 dmarc=pass fromdomain=apertussolutions.com) ARC-Seal: i=2; a=rsa-sha256; t=1659379839; cv=pass; d=zohomail.com; s=zohoarc; b=evcmwoNdnFW5Uc16EvmcUaswlB2scXk2i/A7yXJCgSaOj+xNylp/dYP0x43KA2bGmwAoHCt0SmFphElpoQ4EnUk8NOXqqziLt7Oeov76aAF726t76nafDh7zI2px5bYCs9UH1ztf2k2GfkrHamvv+Oux2bO/3N790oWEBSIqWZ0= ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1659379839; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=cpjxkhtgIS46NAqzn+lFjzbvDxK+C/y4xCBDpUybEIY=; b=e6FlR+xQlLRXMKbTm1IAKtTwVKKneqgJ4n8v7LXAYd97UToZJS2uXXKtV1aLj4o2o8rtg1Xkr2TbumjolHCNhtmWruHmu8H03AHnz6v5jwpyhMFYCCT1zjA6WzeCSwcB0S5C6yIKvOA9fpoTDL03fdkBvESbPsMvx7vvs5b/ZRE= ARC-Authentication-Results: i=2; mx.zohomail.com; dkim=pass header.i=dpsmith@apertussolutions.com; spf=pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; arc=pass (i=1 dmarc=pass fromdomain=apertussolutions.com) Return-Path: Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) by mx.zohomail.com with SMTPS id 1659379839614454.0840725900516; Mon, 1 Aug 2022 11:50:39 -0700 (PDT) Received: from list by lists.xenproject.org with outflank-mailman.379039.612312 (Exim 4.92) (envelope-from ) id 1oIaUg-00036a-Ur; Mon, 01 Aug 2022 18:50:22 +0000 Received: by outflank-mailman (output) from mailman id 379039.612312; Mon, 01 Aug 2022 18:50:22 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1oIaUg-00036P-RH; Mon, 01 Aug 2022 18:50:22 +0000 Received: by outflank-mailman (input) for mailman id 379039; Mon, 01 Aug 2022 18:50:22 +0000 Received: from se1-gles-flk1-in.inumbo.com ([94.247.172.50] helo=se1-gles-flk1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1oIaUf-00033M-UQ for xen-devel@lists.xenproject.org; Mon, 01 Aug 2022 18:50:22 +0000 Received: from sender4-of-o51.zoho.com (sender4-of-o51.zoho.com [136.143.188.51]) by se1-gles-flk1.inumbo.com (Halon) with ESMTPS id ca68af3f-11ca-11ed-924f-1f966e50362f; Mon, 01 Aug 2022 20:50:20 +0200 (CEST) Received: from sisyou.hme. (static-72-81-132-2.bltmmd.fios.verizon.net [72.81.132.2]) by mx.zohomail.com with SMTPS id 165937978515485.11645410728738; Mon, 1 Aug 2022 11:49:45 -0700 (PDT) X-Outflank-Mailman: Message body and most headers restored to incoming version X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: ca68af3f-11ca-11ed-924f-1f966e50362f ARC-Seal: i=1; a=rsa-sha256; t=1659379789; cv=none; d=zohomail.com; s=zohoarc; b=DxN0kxPhr5x3cABPIiCbkjAeSiDhcQYP4CrTPaDAzmwvFl8Zoz4gjYKMAA950oh/FcCh6XbL5eRPSDptH0pq54DjwodP7WR9t3VSTiABrkrj73wsmslqWxRDffOXjD39PtHK6gD9SX4TuilAeAG+zzPRyXCk44ygW+DQukQhujI= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1659379789; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:To; bh=cpjxkhtgIS46NAqzn+lFjzbvDxK+C/y4xCBDpUybEIY=; b=oAlFN9QvwQShmihItl6l7W/ILxT00mZiOI8ZS+T5BnInUamzEOPuQ6T/gw7tpTsxmoMM7PmbD8lsteCEelQoByDTpGKHY7QQreCkheAzLVMxBQMbq4VxGdjXSMZeFsealE2pXenybDZJ+BXX292kM1eDHl0GApguj5R0lp8qa0k= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass header.i=apertussolutions.com; spf=pass smtp.mailfrom=dpsmith@apertussolutions.com; dmarc=pass header.from= DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1659379789; s=zoho; d=apertussolutions.com; i=dpsmith@apertussolutions.com; h=From:From:To:To:Cc:Cc:Subject:Subject:Date:Date:Message-Id:Message-Id:In-Reply-To:References:MIME-Version:Content-Transfer-Encoding:Reply-To; bh=cpjxkhtgIS46NAqzn+lFjzbvDxK+C/y4xCBDpUybEIY=; b=eoNvb2GMcL0CnT61/Znvn9gJu1zkwmdm+qeqO80Wwta5cVU017osy8NRxzrIgxek IU6BSfxEKDLBLhexvD/TvcVteMw0mM70goGsVmPz5Y63RV+wnBi3TJm1Nzxx1R5Nm6h NEVWuMRODblPfmgk2F34I6ElFMKAWhIqO7tt5ass= From: "Daniel P. Smith" To: xen-devel@lists.xenproject.org, "Daniel P. Smith" Cc: jandryuk@gmail.com, Luca Fancellu , Rahul Singh , Henry Wang , Daniel De Graaf , Wei Liu , Anthony PERARD Subject: [PATCH v10 2/3] flask: implement xsm_set_system_active Date: Mon, 1 Aug 2022 14:49:27 -0400 Message-Id: <20220801184928.28522-3-dpsmith@apertussolutions.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20220801184928.28522-1-dpsmith@apertussolutions.com> References: <20220801184928.28522-1-dpsmith@apertussolutions.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-ZohoMailClient: External X-ZohoMail-DKIM: pass (identity dpsmith@apertussolutions.com) X-ZM-MESSAGEID: 1659379840536100001 Content-Type: text/plain; charset="utf-8" This commit implements full support for starting the idle domain privileged= by introducing a new flask label xenboot_t which the idle domain is labeled wi= th at creation. It then provides the implementation for the XSM hook xsm_set_system_active to relabel the idle domain to the existing xen_t flask label. In the reference flask policy a new macro, xen_build_domain(target), is introduced for creating policies for dom0less/hyperlaunch allowing the hypervisor to create and assign the necessary resources for domain construction. Signed-off-by: Daniel P. Smith Reviewed-by: Jason Andryuk Reviewed-by: Luca Fancellu Tested-by: Luca Fancellu Reviewed-by: Rahul Singh Tested-by: Rahul Singh Tested-by: Henry Wang --- tools/flask/policy/modules/xen.if | 7 +++++++ tools/flask/policy/modules/xen.te | 1 + tools/flask/policy/policy/initial_sids | 1 + xen/xsm/flask/hooks.c | 9 ++++++++- xen/xsm/flask/policy/initial_sids | 1 + 5 files changed, 18 insertions(+), 1 deletion(-) diff --git a/tools/flask/policy/modules/xen.if b/tools/flask/policy/modules= /xen.if index 5e2aa472b6..424daab6a0 100644 --- a/tools/flask/policy/modules/xen.if +++ b/tools/flask/policy/modules/xen.if @@ -62,6 +62,13 @@ define(`create_domain_common', ` setparam altp2mhvm altp2mhvm_op dm }; ') =20 +# xen_build_domain(target) +# Allow a domain to be created at boot by the hypervisor +define(`xen_build_domain', ` + allow xenboot_t $1:domain create; + allow xenboot_t $1_channel:event create; +') + # create_domain(priv, target) # Allow a domain to be created directly define(`create_domain', ` diff --git a/tools/flask/policy/modules/xen.te b/tools/flask/policy/modules= /xen.te index 3dbf93d2b8..de98206fdd 100644 --- a/tools/flask/policy/modules/xen.te +++ b/tools/flask/policy/modules/xen.te @@ -24,6 +24,7 @@ attribute mls_priv; ##########################################################################= ###### =20 # The hypervisor itself +type xenboot_t, xen_type, mls_priv; type xen_t, xen_type, mls_priv; =20 # Domain 0 diff --git a/tools/flask/policy/policy/initial_sids b/tools/flask/policy/po= licy/initial_sids index 6b7b7eff21..ec729d3ba3 100644 --- a/tools/flask/policy/policy/initial_sids +++ b/tools/flask/policy/policy/initial_sids @@ -2,6 +2,7 @@ # objects created before the policy is loaded or for objects that do not h= ave a # label defined in some other manner. =20 +sid xenboot gen_context(system_u:system_r:xenboot_t,s0) sid xen gen_context(system_u:system_r:xen_t,s0) sid dom0 gen_context(system_u:system_r:dom0_t,s0) sid domxen gen_context(system_u:system_r:domxen_t,s0) diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index c97c44f803..8c9cd0f297 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -173,7 +173,7 @@ static int cf_check flask_domain_alloc_security(struct = domain *d) switch ( d->domain_id ) { case DOMID_IDLE: - dsec->sid =3D SECINITSID_XEN; + dsec->sid =3D SECINITSID_XENBOOT; break; case DOMID_XEN: dsec->sid =3D SECINITSID_DOMXEN; @@ -193,9 +193,14 @@ static int cf_check flask_domain_alloc_security(struct= domain *d) =20 static int cf_check flask_set_system_active(void) { + struct domain_security_struct *dsec; struct domain *d =3D current->domain; =20 + dsec =3D d->ssid; + ASSERT(d->is_privileged); + ASSERT(dsec->sid =3D=3D SECINITSID_XENBOOT); + ASSERT(dsec->self_sid =3D=3D SECINITSID_XENBOOT); =20 if ( d->domain_id !=3D DOMID_IDLE ) { @@ -210,6 +215,8 @@ static int cf_check flask_set_system_active(void) */ d->is_privileged =3D false; =20 + dsec->self_sid =3D dsec->sid =3D SECINITSID_XEN; + return 0; } =20 diff --git a/xen/xsm/flask/policy/initial_sids b/xen/xsm/flask/policy/initi= al_sids index 7eca70d339..e8b55b8368 100644 --- a/xen/xsm/flask/policy/initial_sids +++ b/xen/xsm/flask/policy/initial_sids @@ -3,6 +3,7 @@ # # Define initial security identifiers=20 # +sid xenboot sid xen sid dom0 sid domio --=20 2.20.1