This adds the ability to change a domain's XSM label after creation.
The new label will be used for all future access checks; however,
existing event channels and memory mappings will remain valid even if
their creation would be denied by the new label.
With appropriate security policy and hooks in the domain builder, this
can be used to create domains that the domain builder does not have
access to after building. It can also be used to allow a domain to
drop privileges - for example, prior to launching a user-supplied
kernel loaded by a pv-grub stubdom.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>
set_virq_handler
}
+class domain2
+{
+ relabelfrom
+ relabelto
+ relabelself
+}
+
class hvm
{
sethvmc
class xen
class domain
+class domain2
class hvm
class mmu
class resource
################################################################################
# Domains must be declared using domain_type
-neverallow * ~domain_type:domain create;
+neverallow * ~domain_type:domain { create transition };
# Resources must be declared using resource_type
neverallow * ~resource_type:resource use;
uint32_t sid;
};
+struct xen_flask_relabel {
+ /* IN */
+ uint32_t domid;
+ uint32_t sid;
+};
+
struct xen_flask_op {
uint32_t cmd;
#define FLASK_LOAD 1
#define FLASK_ADD_OCONTEXT 21
#define FLASK_DEL_OCONTEXT 22
#define FLASK_GET_PEER_SID 23
+#define FLASK_RELABEL_DOMAIN 24
uint32_t interface_version; /* XEN_FLASK_INTERFACE_VERSION */
union {
struct xen_flask_load load;
/* FLASK_ADD_OCONTEXT, FLASK_DEL_OCONTEXT */
struct xen_flask_ocontext ocontext;
struct xen_flask_peersid peersid;
+ struct xen_flask_relabel relabel;
} u;
};
typedef struct xen_flask_op xen_flask_op_t;
return rv;
}
+static int flask_relabel_domain(struct xen_flask_relabel *arg)
+{
+ int rc;
+ struct domain *d;
+ struct domain_security_struct *csec = current->domain->ssid;
+ struct domain_security_struct *dsec;
+ struct avc_audit_data ad;
+ AVC_AUDIT_DATA_INIT(&ad, NONE);
+
+ d = rcu_lock_domain_by_any_id(arg->domid);
+ if ( d == NULL )
+ return -ESRCH;
+
+ ad.sdom = current->domain;
+ ad.tdom = d;
+ dsec = d->ssid;
+
+ if ( arg->domid == DOMID_SELF )
+ {
+ rc = avc_has_perm(dsec->sid, arg->sid, SECCLASS_DOMAIN2, DOMAIN2__RELABELSELF, &ad);
+ if ( rc )
+ goto out;
+ }
+ else
+ {
+ rc = avc_has_perm(csec->sid, dsec->sid, SECCLASS_DOMAIN2, DOMAIN2__RELABELFROM, &ad);
+ if ( rc )
+ goto out;
+
+ rc = avc_has_perm(csec->sid, arg->sid, SECCLASS_DOMAIN2, DOMAIN2__RELABELTO, &ad);
+ if ( rc )
+ goto out;
+ }
+
+ rc = avc_has_perm(dsec->sid, arg->sid, SECCLASS_DOMAIN, DOMAIN__TRANSITION, &ad);
+ if ( rc )
+ goto out;
+
+ dsec->sid = arg->sid;
+
+ out:
+ rcu_unlock_domain(d);
+ return rc;
+}
+
long do_flask_op(XEN_GUEST_HANDLE(xsm_op_t) u_flask_op)
{
xen_flask_op_t op;
rv = flask_get_peer_sid(&op.u.peersid);
break;
+ case FLASK_RELABEL_DOMAIN:
+ rv = flask_relabel_domain(&op.u.relabel);
+ break;
+
default:
rv = -ENOSYS;
}
S_(SECCLASS_DOMAIN, DOMAIN__SETPODTARGET, "setpodtarget")
S_(SECCLASS_DOMAIN, DOMAIN__SET_MISC_INFO, "set_misc_info")
S_(SECCLASS_DOMAIN, DOMAIN__SET_VIRQ_HANDLER, "set_virq_handler")
+ S_(SECCLASS_DOMAIN2, DOMAIN2__RELABELFROM, "relabelfrom")
+ S_(SECCLASS_DOMAIN2, DOMAIN2__RELABELTO, "relabelto")
+ S_(SECCLASS_DOMAIN2, DOMAIN2__RELABELSELF, "relabelself")
S_(SECCLASS_HVM, HVM__SETHVMC, "sethvmc")
S_(SECCLASS_HVM, HVM__GETHVMC, "gethvmc")
S_(SECCLASS_HVM, HVM__SETPARAM, "setparam")
#define DOMAIN__SET_MISC_INFO 0x40000000UL
#define DOMAIN__SET_VIRQ_HANDLER 0x80000000UL
+#define DOMAIN2__RELABELFROM 0x00000001UL
+#define DOMAIN2__RELABELTO 0x00000002UL
+#define DOMAIN2__RELABELSELF 0x00000004UL
+
#define HVM__SETHVMC 0x00000001UL
#define HVM__GETHVMC 0x00000002UL
#define HVM__SETPARAM 0x00000004UL
S_("null")
S_("xen")
S_("domain")
+ S_("domain2")
S_("hvm")
S_("mmu")
S_("resource")
*/
#define SECCLASS_XEN 1
#define SECCLASS_DOMAIN 2
-#define SECCLASS_HVM 3
-#define SECCLASS_MMU 4
-#define SECCLASS_RESOURCE 5
-#define SECCLASS_SHADOW 6
-#define SECCLASS_EVENT 7
-#define SECCLASS_GRANT 8
-#define SECCLASS_SECURITY 9
+#define SECCLASS_DOMAIN2 3
+#define SECCLASS_HVM 4
+#define SECCLASS_MMU 5
+#define SECCLASS_RESOURCE 6
+#define SECCLASS_SHADOW 7
+#define SECCLASS_EVENT 8
+#define SECCLASS_GRANT 9
+#define SECCLASS_SECURITY 10
/*
* Security identifier indices for initial entities
projects / xen.git / commitdiff