
Re: [PATCH v5 2/2] flask: implement xsm_set_system_active



On Mon, May 2, 2022 at 9:31 AM Daniel P. Smith
<dpsmith@xxxxxxxxxxxxxxxxxxxx> wrote:

> @@ -188,14 +188,20 @@ static int cf_check flask_domain_alloc_security(struct 
> domain *d)
>
>  static int cf_check flask_set_system_active(void)
>  {
> +    struct domain_security_struct *dsec;
>      struct domain *d = current->domain;
>
> +    dsec = d->ssid;
> +    ASSERT(dsec->sid == SECINITSID_XENBOOT);
> +
>      if ( d->domain_id != DOMID_IDLE )
>      {
>          printk("xsm_set_system_active should only be called by idle 
> domain\n");
>          return -EPERM;
>      }
>
> +    dsec->self_sid = dsec->sid = SECINITSID_XEN;
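
Review bot: the ASSERT(dsec->sid == SECINITSID_XENBOOT) sits ahead of the d->domain_id != DOMID_IDLE check, so in a debug build a call from a non-idle domain whose SID is not SECINITSID_XENBOOT would trip the assertion instead of reaching the printk and return -EPERM path. Consider moving the assertion below the DOMID_IDLE check so the error path is taken first. Because ASSERT is compiled out of release builds, the relabel to SECINITSID_XEN is guarded there only by the domain_id test; if the starting SID matters for this transition, an explicit runtime check that returns an error would cover both build types.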

I think you want to re-add setting is_privileged to false.  I think
from the other thread Roger just thought it should also have the
matching assert.  It doesn't matter for flask decisions, but it
changes the return of is_control_domain.  It seems to me it would be
better to have idle domains consistent between flask and non-flask
instead of having a potentially subtle difference.

Regards,
Jason



 

