[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[XEN PATCH] tools/xl: Add device_model_stubdomain_init_seclabel option to xl.cfg



This adds an option to the xl domain configuration syntax for specifying
a build-time XSM security label for device-model stubdomains separate from
the run-time label specified by 'device_model_stubdomain_seclabel'. Fields
are also added to the 'libxl_domain_build_info' struct to contain the new
information, and a new call to 'xc_flask_relabel_domain' inserted to
affect the change at the appropriate time.

The implementation mirrors that of the 'seclabel' and 'init_seclabel'
options for user domains. When all used in concert, this enables the
creation of security policies that minimize run-time privileges between
the toolstack domain, device-model stubdomains, and user domains.

Signed-off-by: Scott Davis <scott.davis@xxxxxxxxxx>
---
 docs/man/xl.cfg.5.pod.in             | 10 ++++++++++
 tools/golang/xenlight/helpers.gen.go |  5 +++++
 tools/golang/xenlight/types.gen.go   |  2 ++
 tools/include/libxl.h                | 10 ++++++++++
 tools/libs/light/libxl_create.c      | 28 ++++++++++++++++++++++++++--
 tools/libs/light/libxl_dm.c          | 14 +++++++++-----
 tools/libs/light/libxl_types.idl     |  2 ++
 tools/xl/xl_parse.c                  | 12 +++++++++++-
 8 files changed, 75 insertions(+), 8 deletions(-)

diff --git a/docs/man/xl.cfg.5.pod.in b/docs/man/xl.cfg.5.pod.in
index 56370a37db..3458d357fc 100644
--- a/docs/man/xl.cfg.5.pod.in
+++ b/docs/man/xl.cfg.5.pod.in
@@ -2762,6 +2762,16 @@ you have selected.
 
 Assign an XSM security label to the device-model stubdomain.
 
+=item B<device_model_stubdomain_init_seclabel="LABEL">
+
+Specify a temporary XSM security label for the device-model stubdomain used
+during creation of it and its associated guest. The stubdomain's XSM label will
+then be changed to the execution seclabel (as specified by
+B<device_model_stubdomain_seclabel>) once creation is complete, prior to
+unpausing the stubdomain's guest. With proper (re)labeling, a security policy
+can be constructed that minimizes run-time privileges between the toolstack
+domain, device-model stubdomains, and user domains.
+
 =item B<device_model_args=[ "ARG", "ARG", ...]>
 
 Pass additional arbitrary options on the device-model command
diff --git a/tools/golang/xenlight/helpers.gen.go 
b/tools/golang/xenlight/helpers.gen.go
index db82537b42..e961cb5f75 100644
--- a/tools/golang/xenlight/helpers.gen.go
+++ b/tools/golang/xenlight/helpers.gen.go
@@ -1022,6 +1022,8 @@ x.StubdomainRamdisk = C.GoString(xc.stubdomain_ramdisk)
 x.DeviceModel = C.GoString(xc.device_model)
 x.DeviceModelSsidref = uint32(xc.device_model_ssidref)
 x.DeviceModelSsidLabel = C.GoString(xc.device_model_ssid_label)
+x.DeviceModelExecSsidref = uint32(xc.device_model_exec_ssidref)
+x.DeviceModelExecSsidLabel = C.GoString(xc.device_model_exec_ssid_label)
 x.DeviceModelUser = C.GoString(xc.device_model_user)
 if err := x.Extra.fromC(&xc.extra);err != nil {
 return fmt.Errorf("converting field Extra: %v", err)
@@ -1351,6 +1353,9 @@ xc.device_model = C.CString(x.DeviceModel)}
 xc.device_model_ssidref = C.uint32_t(x.DeviceModelSsidref)
 if x.DeviceModelSsidLabel != "" {
 xc.device_model_ssid_label = C.CString(x.DeviceModelSsidLabel)}
+xc.device_model_exec_ssidref = C.uint32_t(x.DeviceModelExecSsidref)
+if x.DeviceModelExecSsidLabel != "" {
+xc.device_model_exec_ssid_label = C.CString(x.DeviceModelExecSsidLabel)}
 if x.DeviceModelUser != "" {
 xc.device_model_user = C.CString(x.DeviceModelUser)}
 if err := x.Extra.toC(&xc.extra); err != nil {
diff --git a/tools/golang/xenlight/types.gen.go 
b/tools/golang/xenlight/types.gen.go
index a214dd9df6..45061d1afa 100644
--- a/tools/golang/xenlight/types.gen.go
+++ b/tools/golang/xenlight/types.gen.go
@@ -487,6 +487,8 @@ StubdomainRamdisk string
 DeviceModel string
 DeviceModelSsidref uint32
 DeviceModelSsidLabel string
+DeviceModelExecSsidref uint32
+DeviceModelExecSsidLabel string
 DeviceModelUser string
 Extra StringList
 ExtraPv StringList
diff --git a/tools/include/libxl.h b/tools/include/libxl.h
index ae7fe27c1f..62b69222f6 100644
--- a/tools/include/libxl.h
+++ b/tools/include/libxl.h
@@ -1069,6 +1069,16 @@ typedef struct libxl__ctx libxl_ctx;
  */
 #define LIBXL_HAVE_SSID_LABEL 1
 
+/*
+ * LIBXL_HAVE_BUILDINFO_DEVICE_MODEL_STUBDOMAIN_EXEC_SSID
+ *
+ * If this is defined, then the libxl_domain_build_info structure will
+ * contain 'device_model_exec_ssidref' and 'device_model_exec_ssid_label' for
+ * specifying a run-time XSM security label separate from the build-time label
+ * specified in 'device_model_ssidref' and 'device_model_ssid_label'.
+ */
+#define LIBXL_HAVE_BUILDINFO_DEVICE_MODEL_STUBDOMAIN_EXEC_SSID 1
+
 /*
  * LIBXL_HAVE_CPUPOOL_NAME
  *
diff --git a/tools/libs/light/libxl_create.c b/tools/libs/light/libxl_create.c
index e356b2106d..a12da5531d 100644
--- a/tools/libs/light/libxl_create.c
+++ b/tools/libs/light/libxl_create.c
@@ -1060,13 +1060,31 @@ int libxl__domain_config_setdefault(libxl__gc *gc,
         char *s = d_config->b_info.device_model_ssid_label;
         ret = libxl_flask_context_to_sid(ctx, s, strlen(s),
                                          
&d_config->b_info.device_model_ssidref);
+        if (ret) {
+            if (errno == ENOSYS) {
+                LOGD(WARN, domid,
+                     "XSM Disabled: device_model_stubdomain_init_seclabel not 
supported");
+                ret = 0;
+            } else {
+                LOGD(ERROR, domid,
+                     "Invalid device_model_stubdomain_init_seclabel: %s", s);
+                goto error_out;
+            }
+        }
+    }
+
+    if (d_config->b_info.device_model_exec_ssid_label) {
+        char *s = d_config->b_info.device_model_exec_ssid_label;
+        ret = libxl_flask_context_to_sid(ctx, s, strlen(s),
+                                         
&d_config->b_info.device_model_exec_ssidref);
         if (ret) {
             if (errno == ENOSYS) {
                 LOGD(WARN, domid,
                      "XSM Disabled: device_model_stubdomain_seclabel not 
supported");
                 ret = 0;
             } else {
-                LOGD(ERROR, domid, "Invalid device_model_stubdomain_seclabel: 
%s", s);
+                LOGD(ERROR, domid,
+                     "Invalid device_model_stubdomain_seclabel: %s", s);
                 goto error_out;
             }
         }
@@ -1935,7 +1953,13 @@ static void domcreate_complete(libxl__egc *egc,
     libxl__domain_build_state_dispose(&dcs->build_state);
 
     if (!rc && d_config->b_info.exec_ssidref)
-        rc = xc_flask_relabel_domain(CTX->xch, dcs->guest_domid, 
d_config->b_info.exec_ssidref);
+        rc = xc_flask_relabel_domain(CTX->xch, dcs->guest_domid,
+                                     d_config->b_info.exec_ssidref);
+
+    if (!rc && dcs->sdss.pvqemu.guest_domid != INVALID_DOMID &&
+        d_config->b_info.device_model_exec_ssidref)
+        rc = xc_flask_relabel_domain(CTX->xch, dcs->sdss.pvqemu.guest_domid,
+                                     
d_config->b_info.device_model_exec_ssidref);
 
     bool retain_domain = !rc || rc == ERROR_ABORTED;
 
diff --git a/tools/libs/light/libxl_dm.c b/tools/libs/light/libxl_dm.c
index dbd3c7f278..2b69b207c4 100644
--- a/tools/libs/light/libxl_dm.c
+++ b/tools/libs/light/libxl_dm.c
@@ -2300,20 +2300,24 @@ void libxl__spawn_stub_dm(libxl__egc *egc, 
libxl__stub_dm_spawn_state *sdss)
     sdss->pvqemu.guest_domid = INVALID_DOMID;
 
     libxl_domain_create_info_init(&dm_config->c_info);
+    libxl_domain_build_info_init(&dm_config->b_info);
+    libxl_domain_build_info_init_type(&dm_config->b_info, 
LIBXL_DOMAIN_TYPE_PV);
+
     dm_config->c_info.type = LIBXL_DOMAIN_TYPE_PV;
     dm_config->c_info.name = libxl__stub_dm_name(gc,
                                     libxl__domid_to_name(gc, guest_domid));
-    /* When we are here to launch stubdom, ssidref is a valid value
-     * already, no need to parse it again.
+
+    /* When we are here to launch stubdom, ssidrefs are valid values already,
+     * no need to parse them again.
      */
     dm_config->c_info.ssidref = guest_config->b_info.device_model_ssidref;
     dm_config->c_info.ssid_label = NULL;
+    dm_config->b_info.exec_ssidref =
+        guest_config->b_info.device_model_exec_ssidref;
+    dm_config->b_info.exec_ssid_label = NULL;
 
     libxl_uuid_generate(&dm_config->c_info.uuid);
 
-    libxl_domain_build_info_init(&dm_config->b_info);
-    libxl_domain_build_info_init_type(&dm_config->b_info, 
LIBXL_DOMAIN_TYPE_PV);
-
     dm_config->b_info.shadow_memkb = 0;
     dm_config->b_info.max_vcpus = 1;
     dm_config->b_info.max_memkb = guest_config->b_info.stubdomain_memkb;
diff --git a/tools/libs/light/libxl_types.idl b/tools/libs/light/libxl_types.idl
index f45adddab0..b483729b9c 100644
--- a/tools/libs/light/libxl_types.idl
+++ b/tools/libs/light/libxl_types.idl
@@ -528,6 +528,8 @@ libxl_domain_build_info = Struct("domain_build_info",[
     ("device_model",     string),
     ("device_model_ssidref", uint32),
     ("device_model_ssid_label", string),
+    ("device_model_exec_ssidref",    uint32),
+    ("device_model_exec_ssid_label", string),
     ("device_model_user", string),
 
     # extra parameters pass directly to qemu, NULL terminated
diff --git a/tools/xl/xl_parse.c b/tools/xl/xl_parse.c
index 9fb0791429..236f8b2fc0 100644
--- a/tools/xl/xl_parse.c
+++ b/tools/xl/xl_parse.c
@@ -2523,10 +2523,20 @@ skip_usbdev:
     xlu_cfg_get_defbool (config, "device_model_stubdomain_override",
                          &b_info->device_model_stubdomain, 0);
 
-    if (!xlu_cfg_get_string (config, "device_model_stubdomain_seclabel",
+    if (!xlu_cfg_get_string (config, "device_model_stubdomain_init_seclabel",
                              &buf, 0))
+        xlu_cfg_replace_string(config, "device_model_stubdomain_init_seclabel",
+                               &b_info->device_model_ssid_label, 0);
+
+    if (!xlu_cfg_get_string (config, "device_model_stubdomain_seclabel",
+                             &buf, 0)) {
+        if (b_info->device_model_ssid_label)
+            xlu_cfg_replace_string(config, "device_model_stubdomain_seclabel",
+                                   &b_info->device_model_exec_ssid_label, 0);
+        else
             xlu_cfg_replace_string(config, "device_model_stubdomain_seclabel",
                                    &b_info->device_model_ssid_label, 0);
+    }
 
     xlu_cfg_replace_string(config, "device_model_user",
                            &b_info->device_model_user, 0);
-- 
2.25.1




 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.