Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. Xen>
  3. Devel
[PATCH 01/19] libxl: introduce XSM relabel on build
dgdegra at tycho
Nov 16, 2012, 10:28 AM
Post #1 of 3 (124 views)
Permalink
Allow a domain to be built under one security label and run using a
different label. This can be used to prevent the domain builder or
control domain from having the ability to access a guest domain's memory
via map_foreign_range except during the build process where this is
required.

Note: this does not provide complete protection from a malicious dom0;
mappings created during the build process may persist after the relabel,
and could be used to indirectly access the guest's memory.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Cc: Ian Jackson <ian.jackson@eu.citrix.com>
Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Cc: Ian Campbell <ian.campbell@citrix.com>
---
tools/libxc/xc_flask.c | 10 ++++++++++
tools/libxc/xenctrl.h | 1 +
tools/libxl/libxl_create.c | 4 ++++
tools/libxl/libxl_types.idl | 1 +
tools/libxl/xl_cmdimpl.c | 20 +++++++++++++++++++-
5 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/tools/libxc/xc_flask.c b/tools/libxc/xc_flask.c
index 80c5a2d..face1e0 100644
--- a/tools/libxc/xc_flask.c
+++ b/tools/libxc/xc_flask.c
@@ -422,6 +422,16 @@ int xc_flask_setavc_threshold(xc_interface *xch, int threshold)
return xc_flask_op(xch, &op);
}

+int xc_flask_relabel_domain(xc_interface *xch, int domid, uint32_t sid)
+{
+ DECLARE_FLASK_OP;
+ op.cmd = FLASK_RELABEL_DOMAIN;
+ op.u.relabel.domid = domid;
+ op.u.relabel.sid = sid;
+
+ return xc_flask_op(xch, &op);
+}
+
/*
* Local variables:
* mode: C
diff --git a/tools/libxc/xenctrl.h b/tools/libxc/xenctrl.h
index 7eb5743..60391c6 100644
--- a/tools/libxc/xenctrl.h
+++ b/tools/libxc/xenctrl.h
@@ -2158,6 +2158,7 @@ int xc_flask_policyvers(xc_interface *xc_handle);
int xc_flask_avc_hashstats(xc_interface *xc_handle, char *buf, int size);
int xc_flask_getavc_threshold(xc_interface *xc_handle);
int xc_flask_setavc_threshold(xc_interface *xc_handle, int threshold);
+int xc_flask_relabel_domain(xc_interface *xch, int domid, uint32_t sid);

struct elf_binary;
void xc_elf_set_logfile(xc_interface *xch, struct elf_binary *elf,
diff --git a/tools/libxl/libxl_create.c b/tools/libxl/libxl_create.c
index 9d20086..b183255 100644
--- a/tools/libxl/libxl_create.c
+++ b/tools/libxl/libxl_create.c
@@ -1182,6 +1182,10 @@ static void domcreate_complete(libxl__egc *egc,
int rc)
{
STATE_AO_GC(dcs->ao);
+ libxl_domain_config *const d_config = dcs->guest_config;
+
+ if (!rc && d_config->b_info.exec_ssidref)
+ rc = xc_flask_relabel_domain(CTX->xch, dcs->guest_domid, d_config->b_info.exec_ssidref);

if (rc) {
if (dcs->guest_domid) {
diff --git a/tools/libxl/libxl_types.idl b/tools/libxl/libxl_types.idl
index 7eac4a8..93524f0 100644
--- a/tools/libxl/libxl_types.idl
+++ b/tools/libxl/libxl_types.idl
@@ -268,6 +268,7 @@ libxl_domain_build_info = Struct("domain_build_info",[
("video_memkb", MemKB),
("shadow_memkb", MemKB),
("rtc_timeoffset", uint32),
+ ("exec_ssidref", uint32),
("localtime", libxl_defbool),
("disable_migrate", libxl_defbool),
("cpuid", libxl_cpuid_policy_list),
diff --git a/tools/libxl/xl_cmdimpl.c b/tools/libxl/xl_cmdimpl.c
index 5d444a8..4d67fdf 100644
--- a/tools/libxl/xl_cmdimpl.c
+++ b/tools/libxl/xl_cmdimpl.c
@@ -596,16 +596,34 @@ static void parse_config_data(const char *config_source,
exit(1);
}

- if (!xlu_cfg_get_string (config, "seclabel", &buf, 0)) {
+ if (!xlu_cfg_get_string (config, "init_seclabel", &buf, 0)) {
e = libxl_flask_context_to_sid(ctx, (char *)buf, strlen(buf),
&c_info->ssidref);
if (e) {
if (errno == ENOSYS) {
+ fprintf(stderr, "XSM Disabled: init_seclabel not supported\n");
+ } else {
+ fprintf(stderr, "Invalid init_seclabel: %s\n", buf);
+ exit(1);
+ }
+ }
+ }
+
+ if (!xlu_cfg_get_string (config, "seclabel", &buf, 0)) {
+ uint32_t ssidref;
+ e = libxl_flask_context_to_sid(ctx, (char *)buf, strlen(buf),
+ &ssidref);
+ if (e) {
+ if (errno == ENOSYS) {
fprintf(stderr, "XSM Disabled: seclabel not supported\n");
} else {
fprintf(stderr, "Invalid seclabel: %s\n", buf);
exit(1);
}
+ } else if (c_info->ssidref) {
+ b_info->exec_ssidref = ssidref;
+ } else {
+ c_info->ssidref = ssidref;
}
}

--
1.7.11.7


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
Re: [PATCH 01/19] libxl: introduce XSM relabel on build [ In reply to ]
Ian.Campbell at citrix
Nov 19, 2012, 2:42 AM
Post #2 of 3 (116 views)
Permalink
On Fri, 2012-11-16 at 18:28 +0000, Daniel De Graaf wrote:
> Allow a domain to be built under one security label and run using a
> different label. This can be used to prevent the domain builder or
> control domain from having the ability to access a guest domain's memory
> via map_foreign_range except during the build process where this is
> required.
>
> Note: this does not provide complete protection from a malicious dom0;
> mappings created during the build process may persist after the relabel,
> and could be used to indirectly access the guest's memory.
>
> Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
> Cc: Ian Jackson <ian.jackson@eu.citrix.com>
> Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
> Cc: Ian Campbell <ian.campbell@citrix.com>
> ---
> tools/libxc/xc_flask.c | 10 ++++++++++
> tools/libxc/xenctrl.h | 1 +
> tools/libxl/libxl_create.c | 4 ++++
> tools/libxl/libxl_types.idl | 1 +
> tools/libxl/xl_cmdimpl.c | 20 +++++++++++++++++++-

docs/man... please

> diff --git a/tools/libxl/libxl_types.idl b/tools/libxl/libxl_types.idl
> index 7eac4a8..93524f0 100644
> --- a/tools/libxl/libxl_types.idl
> +++ b/tools/libxl/libxl_types.idl
> @@ -268,6 +268,7 @@ libxl_domain_build_info = Struct("domain_build_info",[
> ("video_memkb", MemKB),
> ("shadow_memkb", MemKB),
> ("rtc_timeoffset", uint32),
> + ("exec_ssidref", uint32),

What is the significance of the "exec_" bit of the name?

> ("localtime", libxl_defbool),
> ("disable_migrate", libxl_defbool),
> ("cpuid", libxl_cpuid_policy_list),

Ian.


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
Re: [PATCH 01/19] libxl: introduce XSM relabel on build [ In reply to ]
dgdegra at tycho
Nov 20, 2012, 8:38 AM
Post #3 of 3 (118 views)
Permalink
On 11/19/2012 05:42 AM, Ian Campbell wrote:
> On Fri, 2012-11-16 at 18:28 +0000, Daniel De Graaf wrote:
>> Allow a domain to be built under one security label and run using a
>> different label. This can be used to prevent the domain builder or
>> control domain from having the ability to access a guest domain's memory
>> via map_foreign_range except during the build process where this is
>> required.
>>
>> Note: this does not provide complete protection from a malicious dom0;
>> mappings created during the build process may persist after the relabel,
>> and could be used to indirectly access the guest's memory.
>>
>> Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
>> Cc: Ian Jackson <ian.jackson@eu.citrix.com>
>> Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
>> Cc: Ian Campbell <ian.campbell@citrix.com>
>> ---
>> tools/libxc/xc_flask.c | 10 ++++++++++
>> tools/libxc/xenctrl.h | 1 +
>> tools/libxl/libxl_create.c | 4 ++++
>> tools/libxl/libxl_types.idl | 1 +
>> tools/libxl/xl_cmdimpl.c | 20 +++++++++++++++++++-
>
> docs/man... please

The following will be included in the next version:

--- a/docs/man/xl.cfg.pod.5
+++ b/docs/man/xl.cfg.pod.5
@@ -270,6 +270,15 @@ UUID will be generated.

Assign an XSM security label to this domain.

+=item B<init_seclabel="LABEL">
+
+Specify an XSM security label used for this domain temporarily during
+its build. The domain's XSM label will be changed to the execution
+seclabel (specified by "seclabel") once the build is complete, prior to
+unpausing the domain. With a properly constructed security policy (such
+as nomigrate_t in the example policy), this can be used to build a
+domain whose memory is not accessible to the toolstack domain.
+
=item B<nomigrate=BOOLEAN>

>> diff --git a/tools/libxl/libxl_types.idl b/tools/libxl/libxl_types.idl
>> index 7eac4a8..93524f0 100644
>> --- a/tools/libxl/libxl_types.idl
>> +++ b/tools/libxl/libxl_types.idl
>> @@ -268,6 +268,7 @@ libxl_domain_build_info = Struct("domain_build_info",[
>> ("video_memkb", MemKB),
>> ("shadow_memkb", MemKB),
>> ("rtc_timeoffset", uint32),
>> + ("exec_ssidref", uint32),
>
> What is the significance of the "exec_" bit of the name?

This ssidref is the one used during execution of the domain (as opposed to
during build). I chose to add this rather than adding a field called
init_ssidref because the new functionality is the ability to change the label
prior to execution: the existing ssidref is already used at creation.

>> ("localtime", libxl_defbool),
>> ("disable_migrate", libxl_defbool),
>> ("cpuid", libxl_cpuid_policy_list),
>
> Ian.
>

--
Daniel De Graaf
National Security Agency

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal