From: Julien Grall <julien.grall@citrix.com>
To: Ian Campbell <ian.campbell@citrix.com>,
xen-devel@lists.xen.org, ian.jackson@eu.citrix.com,
wei.liu2@citrix.com
Cc: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Subject: Re: [PATCH] libxl: assigned a default ssid_label (XSM label) to guests
Date: Thu, 14 May 2015 12:21:55 +0100 [thread overview]
Message-ID: <55548553.7060700@citrix.com> (raw)
In-Reply-To: <1431599625-9572-1-git-send-email-ian.campbell@citrix.com>
Hi Ian,
On 14/05/15 11:33, Ian Campbell wrote:
> system_u:system_r:domU_t is defined in the default policy and makes as
> much sense as anything for a default.
So you rule out the possibility to run an unlabelled domain? This is
possible if the policy explicitly authorized it. That's a significant
change in the libxl behavior.
IHMO, having a default policy doesn't mean libxl should set a default
ssid to make XSM transparent to the user.
The explicit ssid makes clear that the guest is using a ssid foo and if
it's not provided then it will fail to boot.
Setting a default value may hide a bigger issue and take the wrong
policy the user forgot to set up an ssid.
> This change required moving the call to domain_create_info_setdefault
> to be before the ssid_label is translated into ssidref, which also
> moves it before some other stuff which consumes things from c_info,
> which is correct since setdefault should always be called first. Apart
> from the SSID handling there should be no functional change (since
> setdefault doesn't actually act on anything which that other stuff
> uses).
>
> There is no need to set exec_ssid_label since the default is to leave
> the domain using the ssid_label after build.
By setting a ssid label, libxl will print a new warning on Xen not built
with XSM which will confuse the user:
libxl: warning: libxl_create.c:813:initiate_domain_create: XSM Disabled:
init_seclabel not supported
>
> I haven't done anything with the device model ssid.
>
> Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
> Cc: Daniel De Graaf <dgdegra@tycho.nsa.gov>
> Cc: Wei.Liu2@citrix.com
> ---
> docs/man/xl.cfg.pod.5 | 4 +++-
> tools/libxl/libxl_create.c | 11 ++++++++---
> 2 files changed, 11 insertions(+), 4 deletions(-)
>
> diff --git a/docs/man/xl.cfg.pod.5 b/docs/man/xl.cfg.pod.5
> index 8e4154f..fcca1cc 100644
> --- a/docs/man/xl.cfg.pod.5
> +++ b/docs/man/xl.cfg.pod.5
> @@ -437,7 +437,9 @@ UUID will be generated.
>
> =item B<seclabel="LABEL">
>
> -Assign an XSM security label to this domain.
> +Assign an XSM security label to this domain. By default a domain is
> +assigned the label B<system_u:system_r:domU_t>, which is defined in
> +the default policy.
It's not easy to know that seclabel will be stored in ssid_label.
It would be good to have this explanation into the toolstack API.
Regards,
--
Julien Grall
next prev parent reply other threads:[~2015-05-14 11:21 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-05-14 10:33 [PATCH] libxl: assigned a default ssid_label (XSM label) to guests Ian Campbell
2015-05-14 11:21 ` Julien Grall [this message]
2015-05-14 11:54 ` Ian Campbell
2015-05-14 14:18 ` Julien Grall
2015-05-14 23:09 ` Daniel De Graaf
2015-05-15 9:39 ` Ian Campbell
2015-05-15 17:09 ` Daniel De Graaf
2015-05-18 10:56 ` Ian Campbell
2015-05-18 12:38 ` Ian Campbell
2015-05-18 22:37 ` Daniel De Graaf
2015-05-19 10:43 ` Ian Campbell
2015-05-14 11:58 ` Wei Liu
2015-05-14 12:32 ` Ian Campbell
2015-05-14 12:39 ` Wei Liu
2015-05-14 14:05 ` Julien Grall
2015-05-14 14:11 ` Ian Campbell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=55548553.7060700@citrix.com \
--to=julien.grall@citrix.com \
--cc=dgdegra@tycho.nsa.gov \
--cc=ian.campbell@citrix.com \
--cc=ian.jackson@eu.citrix.com \
--cc=wei.liu2@citrix.com \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).