author | Daniel De Graaf <dgdegra@tycho.nsa.gov> | 2012-12-13 11:44:02 +0000 |
---|---|---|
committer | Daniel De Graaf <dgdegra@tycho.nsa.gov> | 2012-12-13 11:44:02 +0000 |
commit | a31ed4edbe48c8f24b4a7f1f41c7cc9d7453721e (patch) | |
tree | 6f4794c68644445b60cd3c77df161077543bdcb7 /tools/libxc | |
parent | b051ddb41617ba543ee8de5cfc3258a0a2b71aa6 (diff) | |
libxl: introduce XSM relabel on build

Allow a domain to be built under one security label and run using a
different label. This can be used to prevent the domain builder or
control domain from having the ability to access a guest domain's memory
via map_foreign_range except during the build process where this is
required.

Example domain configuration snippet:
  seclabel='customer_1:vm_r:nomigrate_t'
  init_seclabel='customer_1:vm_r:nomigrate_t_building'

Note: this does not provide complete protection from a malicious dom0;
mappings created during the build process may persist after the relabel,
and could be used to indirectly access the guest's memory. However, if
dom0 correctly unmaps the domain upon building, the domU is protected
against dom0 becoming malicious in the future.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

Diffstat (limited to 'tools/libxc')
-rw-r--r-- | tools/libxc/xc_flask.c | 10 | ||||
-rw-r--r-- | tools/libxc/xenctrl.h | 1 |
2 files changed, 11 insertions, 0 deletions
diff --git a/tools/libxc/xc_flask.c b/tools/libxc/xc_flask.c index 80c5a2d942..face1e049a 100644 --- a/tools/libxc/xc_flask.c +++ b/tools/libxc/xc_flask.c @@ -422,6 +422,16 @@ int xc_flask_setavc_threshold(xc_interface *xch, int threshold) return xc_flask_op(xch, &op); } +int xc_flask_relabel_domain(xc_interface *xch, int domid, uint32_t sid) +{ + DECLARE_FLASK_OP; + op.cmd = FLASK_RELABEL_DOMAIN; + op.u.relabel.domid = domid; + op.u.relabel.sid = sid; + + return xc_flask_op(xch, &op); +} + /* * Local variables: * mode: C diff --git a/tools/libxc/xenctrl.h b/tools/libxc/xenctrl.h index 1cd13c1b34..32122fd303 100644 --- a/tools/libxc/xenctrl.h +++ b/tools/libxc/xenctrl.h @@ -2169,6 +2169,7 @@ int xc_flask_policyvers(xc_interface *xc_handle); int xc_flask_avc_hashstats(xc_interface *xc_handle, char *buf, int size); int xc_flask_getavc_threshold(xc_interface *xc_handle); int xc_flask_setavc_threshold(xc_interface *xc_handle, int threshold); +int xc_flask_relabel_domain(xc_interface *xch, int domid, uint32_t sid); struct elf_binary; void xc_elf_set_logfile(xc_interface *xch, struct elf_binary *elf, |
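Review bot: In xc_flask_relabel_domain() in tools/libxc/xc_flask.c, domid is declared as a plain int while sid is uint32_t, and it is stored into op.u.relabel.domid with no range check, so a negative value from a caller would be converted implicitly rather than rejected. Consider giving domid an unsigned fixed-width type to match sid, or returning an error for negative values before calling xc_flask_op(). The function also carries no comment; since the commit message says mappings created during the build may persist after the relabel, a short comment stating that the caller is expected to unmap the domain before relying on the new label would make that precondition visible at the call site.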
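Review bot: The prototype added to tools/libxc/xenctrl.h is undocumented: nothing at the declaration says what sid identifies, how a caller obtains one, or what the int return value means on failure. A one-line comment above "int xc_flask_relabel_domain(xc_interface *xch, int domid, uint32_t sid);" covering those points would help. As a minor style point, the handle parameter is named xch here while the xc_flask_* declarations directly above it use xc_handle; picking one name for the group would keep the block consistent.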